More /sumthin, maybe

From: Sverre H. Huseby (shhat_private)
Date: Mon Feb 03 2003 - 00:52:54 PST

    I got a couple of E-mails from a guy that _may_ have more info on the
    /sumthin case.  One of his servers was "owned", and he _thinks_ the
    /sumthin request was the start of the attack.  His E-mails follow:
    
        ==================================================================
    
        I got hit with the same thing.  /sumthin is exactly what everyone
        thinks it is - a probe.  Someone used my version info to exploit a
        bug in SSL.  I still don't know what the bugs are yet, but it's
        really evident.  From there, he logged in as my webserver, and
        totally F$%^&D my server.  He set up some kind of irc server, and
        compromised so much of my server I'm having to rebuild from the
        ground up.  He redirected the root .bash_history to /dev/nul and
        redirected the mail logs and he set up an account called tcp so he
        could log in through ssh.  Most of the services were shut down
        (that's how I figured something was up - I couldn't get my mail).
    
        Even though he did wipe the root history, he forgot to wipe
        wwwrun's history, it's too long to post, but it will be up for a
        short while at http://XXX [Sverre says: URL removed.  log file
        attached.]
    
        He also replaced bash and set the default runlevel to halt, so
        when I restarted the system just stopped (what a pisser).
    
        When I went back and grepped all the logs, the /sumthin only shows
        up in the logs of one domain (despite the fact we host around [N])
        and starts sometime around mid October as everyone else has
        noticed.
    
        ==================================================================
    
        I found things like this in /tmp and /var/tmp:
    
        drwxr-xr-x   3 wwwrun   nogroup       153 Jan 26 04:10 a
        -rw-r--r--   1 wwwrun   nogroup     14138 Jan  4 20:32 a.tgz
        -rw-r--r--   1 wwwrun   nogroup     14138 Jan  4 20:32 a.tgz.1
        -rw-r--r--   1 wwwrun   nogroup     14138 Jan  4 20:32 a.tgz.2
        -rwxr-xr-x   1 wwwrun   nogroup     19577 Nov 28 15:55 alarmd
        drwxr-xr-x   5 wwwrun   nogroup       635 Dec 22 17:00 orbit-root
        drwxr-xr-x   9 wwwrun   nogroup       553 Jan 12 09:52 psybnc
        -rw-r--r--   1 wwwrun   nogroup    596571 Oct 17 23:19 psybnc.tar.gz
    
        After that I did a find / -user wwwrun and found a bunch of stuff
        and then discovered several other uids involved.
    
        ==================================================================
    
    The attached shell history file shows what appears to be a manual
    attacker downloading and installing several files using wget.  Some of
    the files are no longer available, but the few I managed to download
    seem to be either related to IRC (server and bot), or to Linux local
    exploits.  (I only spent a couple of minutes downloading and glancing
    at the files.)
    
    
    Sverre.
    
    -- 
    shhat_private		Computer Geek?  Try my Nerd Quiz
    http://shh.thathost.com/	http://nerdquiz.thathost.com/