RE: Exploit or trojan
From: Gordon Ewasiuk (gordon.ewasiuk_at_verizon.net)
Date: 12/13/03
- Previous message: Darren Young: "Exploit or trojan"
- In reply to: Darren Young: "Exploit or trojan"
- Next in thread: Felipe Franciosi: "Re: Exploit or trojan"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <focus-sun@securityfocus.com> Date: Fri, 12 Dec 2003 22:52:05 -0500
Hi Darren,
In-line...
> -----Original Message-----
> From: Darren Young [mailto:darren_young@yahoo.com]
> Sent: Friday, December 12, 2003 9:10 AM
> To: focus-sun@securityfocus.com
> Subject: Exploit or trojan
>
>
> Anyone know of any exploits that create the following tree in /tmp?
>
> The user for id 59659 is in NIS as "oracle", however we're not running
> Oracle anywhere. I believe they had the Oracle account out
> there for a test
> of some type.
>
> How can I grab a copy of the file, cp won't work on it.:
>
> ./ / / / \ \ /.admin/.noremove/ /thx/-- 15000 ---
Have you tried putting the filename in quotes?
"./ / / / \ \ /.admin/.noremove/ /thx/-- 15000 ---"
Also, you might try using bash for a shell and using the bash auto-complete
feature. You type in the first few letters of a file/dir, hit tab, then
bash will try to fill in the rest of the name. If bash can parse the
directory, bash will add the necessary characters.
> gsbnufac:[root]> find . -exec ls -lan {} \;
> total 40
[snip directory list]
> total 26516
> -rw-r--r-- 1 59659 10 13565952 Nov 19 01:14 -- 15000 ---
> drwxr-xr-x 2 59659 10 512 Nov 19 01:14 .
> drwxr-xr-x 3 59659 10 512 Nov 19 01:11 ..
> -rw-r--r-- 1 59659 10 13565952 Nov 19 01:14 ./ /
> / / \ \
> /.admin/.noremove/ /thx/-- 15000 ---
Based on the name and the size of the file, I'd bet that someone was looking
for a new ftp server to abuse. Warez junkies (software pirates, people who
like to share commercial software) like to test newly discovered ftp servers
by uploading a test file of a certain size. The name of the file might also
suggest the speed of the connection.
The fact that the bad guy asked the admin to not remove the directory also
supports this. These types of comments are seen on M$ servers that are
abused.
[snip process list]
You might run a full port scan against the compromised server from a known
good server. Look for open ports (usually above 10000 but can vary based on
the exploit/ftp server used) then try to connect to them using an ftp
client. Not sure if you can trust any binary on the compromised server. If
the bad guy uploaded a rootkit, processes could be hidden...along with
additional directories or filenames.
At a minimum, you probably want to take that server offline, if it isn't
already, to identify how the bad guy got in, what they did, etc.
Hey, can you post the output from an lsof on the compromised server? The
output might not be reliable but it couldn't hurt.
Good luck,
-gordon
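The file-grabbing problem Darren describes, as an added example (not code from the thread): a POSIX shell function that locates files whose names contain whitespace, backslashes or a leading dash and copies each one into an evidence directory under a hex-encoded name, writing a manifest that maps the encoded name back to the original path. Paths travel from find straight into a child shell's positional arguments, so they are never word-split, and `--` stops cp from reading a name like `-- 15000 ---` as options. The function name, the evidence layout and the manifest format are my own choices, not anything from the list.

```shell
# preserve_odd_files SRC DEST
#   Copy every regular file under SRC whose name contains a space, a
#   backslash, or starts with "-" into DEST. Each copy is named by the
#   hex encoding of its full original path (so nothing odd survives in
#   the copied name), and DEST/manifest.tsv records "hexname<TAB>path".
#   Prints the number of files preserved.
preserve_odd_files() {
    src=$1
    dest=$2
    mkdir -p -- "$dest"
    : > "$dest/manifest.tsv"
    # -print0 is not needed: -exec hands the paths to the child shell as
    # separate arguments, so spaces and backslashes are preserved as-is.
    find "$src" -type f \( -name '* *' -o -name '*\\*' -o -name '-*' \) \
        -exec sh -c '
            dest=$1; shift
            for f; do
                # hex-encode the path to get a filesystem-safe target name
                safe=$(printf "%s" "$f" | od -An -tx1 | tr -d " \n")
                # "--" ends option parsing so "-- 15000 ---" is a file, not flags;
                # -p keeps the original mtime for the timeline
                cp -p -- "$f" "$dest/$safe"
                printf "%s\t%s\n" "$safe" "$f" >> "$dest/manifest.tsv"
            done' _ "$dest" {} +
    wc -l < "$dest/manifest.tsv" | tr -d ' '
}
```

Run it as `preserve_odd_files /tmp /var/tmp/evidence` from a shell started with known-good binaries; the manifest is what you grep later when reconstructing the original layout.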