[Full-Disclosure] 7350reass - alleged *BSD remote kernel exploit

From: rfcloverat_private
Date: Mon Oct 21 2002 - 23:35:14 PDT

    [I'm sending this anonymously. I think it's only fair game if this was left
    lying around on my system. To the group I believe responsible for this, I
    wasn't aware there was any tough blood between us 8-).]
    
    Aside from this, the attackers were rather methodical. I believe the files
    left lying around may have been a gimmick to fool me into thinking I was
    indeed compromised with a remote kernel exploit. Although I'm unable to
    ascertain the method of entry, I believe it could have been something as
    trivial as a guessed user password. But Just In Case 8-).
    
    There was also a file that I believe may have been created by the attackers.
    It contained the following text, which is not clear to me:
    
    I am the Dragon and you call me insane? My movements are followed and
    recorded as avidly as those of a mighty nebula. Before me, you are a slug in
    the sun. You are privy to a great becoming and you recognize nothing. You
    are an ant in the afterbirth. It is in your nature to do one thing
    correctly: before me you rightly tremble.
    
    If for some reason the attachment doesn't get through, I have created a site
    containing 7350reass.tar.gz:
    
    http://www.angelfire.com/apes/7350reass/ 
    
    From the site... 
    
    Since when do you guys place your exploits on 'owned' systems? 8-) 
    
    I have tarred up the two files that were found on a compromised machine on
    my subnet. They can be downloaded below. It purports to be a remote kernel
    exploit for *BSD systems. This is very dubious, but in the interests of
    security, it may still be worthy of a forensics analysis. Unfortunately, I
    do not have the password that allows the encrypted exploit to run, so you're
    on your own here.
    
    Regardless of whether or not this is a fake exploit, everyone is urged to
    take proper security precautions before running untrusted executables on
    your systems. It may be best to play around with this on a spare system at
    hand.
    
    From the EXAMPLE file: 
    
    
    ./7350reass 10.0.0.2 
    7350reass - OpenBSD/FreeBSD/NetBSD remote kernel exploit 
    fragment reassembly numeric overflow + logic fuckup 
    -s & -l (21/04) 
    
    inferior exploits for this bug rely on 3 values.. we 
    only need the ip_reass delta, but still, patience 
    is required to find this.. this shouldn't be a 
    problem.. you don't need root to run this, as 
    everything can be crafted via setsockopt.. 
    
    mhhh, should get you in.. < 5 minutes.. 
    no guarantees though.. 
    
    OpenBSD developers are weenies ;) 
    
    TESO: 2^32-1 SecurityFocus: 2>>2 
    
    
    password: 
    [*] finding ip_reass delta.. FOUND: 154 
    [*] checking for timeout during reassembly error.. PASSED 
    [*] final stage of exploitation. you should receive a 
    shell prompt in a matter of minutes if all is fine.. 
    FreeBSD saturn 4.5-RELEASE FreeBSD 4.5-RELEASE #0: Mon Sep 6 10:18:37 EST
    2002     ubel@saturn:/usr/src/sys/compile/SATURN i386 
    uid=0(root) gid=0(wheel)
    
    
    
