RE: Exploit or trojan

From: Gordon Ewasiuk (gordon.ewasiuk_at_verizon.net)
Date: 12/13/03

  • Next message: Felipe Franciosi: "Re: Exploit or trojan"
    To: <focus-sun@securityfocus.com>
    Date: Fri, 12 Dec 2003 22:52:05 -0500
    
    

    Hi Darren,

    In-line...

    > -----Original Message-----
    > From: Darren Young [mailto:darren_young@yahoo.com]
    > Sent: Friday, December 12, 2003 9:10 AM
    > To: focus-sun@securityfocus.com
    > Subject: Exploit or trojan
    >
    >
    > Anyone know of any exploits that create the following tree in /tmp?
    >
    > The user for id 59659 is in NIS as "oracle", however we're not running
    > Oracle anywhere. I believe they had the Oracle account out
    > there for a test
    > of some type.
    >
    > How can I grab a copy of the file, cp won't work on it.:
    >
    > ./ / / / \ \ /.admin/.noremove/ /thx/-- 15000 ---

    Have you tried putting the filename in quotes?

    "./ / / / \ \ /.admin/.noremove/ /thx/-- 15000 ---"

    Also, you might try using bash for a shell and using the bash auto-complete
    feature. You type in the first few letters of a file/dir, hit tab, then
    bash will try to fill in the rest of the name. If bash can parse the
    directory, bash will add the necessary characters.

    > gsbnufac:[root]> find . -exec ls -lan {} \;
    > total 40
    [snip directory list]
    > total 26516
    > -rw-r--r-- 1 59659 10 13565952 Nov 19 01:14 -- 15000 ---
    > drwxr-xr-x 2 59659 10 512 Nov 19 01:14 .
    > drwxr-xr-x 3 59659 10 512 Nov 19 01:11 ..
    > -rw-r--r-- 1 59659 10 13565952 Nov 19 01:14 ./ /
    > / / \ \
    > /.admin/.noremove/ /thx/-- 15000 ---

    Based on the name and the size of the file, I'd bet that someone was looking
    for a new ftp server to abuse. Warez junkies (software pirates, people who
    like to share commercial software) like to test newly discovered ftp servers
    by uploading a test file of a certain size. The name of the file might also
    suggest the speed of the connection.

    The fact that the bad guy asked the admin to not remove the directory also
    supports this. These types of comments are seen on M$ servers that are
    abused.

    [snip process list]

    You might run a full port scan against the compromised server from a known
    good server. Look for open ports (usually above 10000 but can vary based on
    the exploit/ftp server used) then try to connect to them using an ftp
    client. Not sure if you can trust any binary on the compromised server. If
    the bad guy uploaded a rootkit, processes could be hidden...along with
    additional directories or filenames.

    At a minimum, you probably want to take that server offline, if it isn't
    already, to identify how the bad guy got in, what they did, etc.

    Hey, can you post the output from an lsof on the compromised server? The
    output might not be reliable but it couldn't hurt.

    Good luck,

    -gordon
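The quoting problem Gordon points at (a path made of spaces, backslashes and a final name that begins with `--`) is easy to get wrong when preserving evidence before the box is taken offline. The script below is an added example and is not code from Gordon, Darren or the list; it assumes a Linux host with `sh`, GNU `find` and coreutils. It builds a constructed directory tree of the same shape as the one in the post (the names are made up, not the real path), finds every regular file whose name would trip up naive `ls`/`cp`, and copies each one with `--` and NUL-safe handling so the name is never word-split or read as an option.

```shell
#!/bin/sh
# Added example (not from the original post): locate and preserve files whose
# names contain spaces, backslashes or a leading "--", the way the odd /tmp
# tree in the thread does. Assumes GNU find and coreutils.
set -u

# Create a constructed tree that mimics the shape of the one in the post:
# components with spaces, a backslash component, dot-directories, and a file
# whose name starts with "--". Prints the temporary root it created.
make_odd_tree() {
    root=$(mktemp -d) || return 1
    # inside double quotes "\\" is a single literal backslash
    dir="$root/ / \\ \\ /.admin/.noremove/thx"
    mkdir -p -- "$dir" || return 1
    # the leading "--" is what makes plain "cp -- 15000 ---" fail
    printf 'constructed test payload\n' > "$dir/-- 15000 ---" || return 1
    printf '%s\n' "$root"
}

# Print, NUL-separated, every regular file under $1 whose basename contains a
# space or backslash or begins with "-". -print0 keeps names intact.
find_odd_names() {
    find "$1" -type f \( -name '* *' -o -name '*\\*' -o -name '-*' \) -print0
}

# Copy each odd-named file under $1 into $2, keeping its relative path, and
# append a cksum line per file to $2/MANIFEST.cksum. The path is handed to a
# tiny inline script as a positional parameter, so it is never re-parsed by
# the shell, and every command gets "--" before the file name.
preserve_odd_files() {
    src=$1; dst=$2
    mkdir -p -- "$dst" || return 1
    find "$src" -type f \( -name '* *' -o -name '*\\*' -o -name '-*' \) \
        -exec sh -c '
            src=$1; dst=$2; f=$3
            rel=${f#"$src"/}
            mkdir -p -- "$dst/$(dirname -- "$rel")" &&
            cp -p -- "$f" "$dst/$rel" &&
            cksum -- "$dst/$rel" >> "$dst/MANIFEST.cksum"
        ' sh "$src" "$dst" {} \;
}

# Number of files recorded in the manifest under $1 (0 if none yet).
preserved_count() {
    [ -f "$1/MANIFEST.cksum" ] || { echo 0; return 0; }
    wc -l < "$1/MANIFEST.cksum" | tr -d ' '
}

# Demo: build the constructed tree, preserve it, show the manifest.
demo() {
    root=$(make_odd_tree) || exit 1
    out=$(mktemp -d) || exit 1
    preserve_odd_files "$root" "$out"
    echo "preserved $(preserved_count "$out") file(s) into $out"
    # ls -b prints the escaped form, so the real name is visible
    find_odd_names "$out" | xargs -0 ls -lb --
    cat -- "$out/MANIFEST.cksum"
    rm -rf -- "$root"
}

if [ "${1-}" = demo ]; then demo; fi
```

Run it as `sh preserve_odd.sh demo`. On a real compromised host the same `find ... -print0 | xargs -0 ls -lb --` pair is also the quickest way to see such a name unambiguously, though, as the reply notes, the binaries on that host may themselves be untrustworthy, so a statically linked `find`/`ls` from clean media is the safer choice.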

