I found the root of all evil ;-) the /sumthin tool is attached. I got it from an "owned" server. Philipp ----- Original Message ----- From: "Sverre H. Huseby" <shhat_private> To: <incidentsat_private> Sent: Monday, February 03, 2003 9:52 AM Subject: More /sumthin, maybe > I got a couple of E-mails from a guy that _may_ have more info on the > /sumthin case. One of his servers was "owned", and he _thinks_ the > /sumthin request was the start of the attack. His E-mails follow: > > ================================================================== > > I got hit with the same thing. /sumthin is exactly what everyone > thinks it is - a probe. Someone used my version info to exploit a > bug in SSL. I still don't know what the bugs are yet, but it's > really evident. From there, he looged in as my webserver, and > totally F$%^&D my server. He set up some kind of irc server, and > compromised so much of my server I'm having to rebuild from the > ground up. He redirected the root .bash_history to /dev/nul and > redirected the mail logs and he set up an account called tcp so he > could log in through ssh. Most of the services were shut down > (that's how I figured something was up - I couldn't get my mail). > > even though he did wipe the root history, he forgot to wipe > wwwrun's history, it's too long to post, but it will be up for a > short while at http://XXX [Sverre sais: URL removed. log file > attached.] > > He also replaced bash and set the default runlevel to halt, so > when I restarted the system just stopped (what a pisser). > > When I went back and grepped all the logs, the /sumthin only shows > up in the logs of one domain (despite the fact we host around [N]) > and starts sometime around mid October as everyone else has > noticed. > > ================================================================== > > I found things like this in /tmp and /var/tmp: > > drwxr-xr-x 3 wwwrun nogroup 153 Jan 26 04:10 a > -rw-r--r-- 1 wwwrun nogroup 14138 Jan 4 20:32 a.tgz > -rw-r--r-- 1 wwwrun nogroup 14138 Jan 4 20:32 a.tgz.1 > -rw-r--r-- 1 wwwrun nogroup 14138 Jan 4 20:32 a.tgz.2 > -rwxr-xr-x 1 wwwrun nogroup 19577 Nov 28 15:55 alarmd > drwxr-xr-x 5 wwwrun nogroup 635 Dec 22 17:00 orbit-root > drwxr-xr-x 9 wwwrun nogroup 553 Jan 12 09:52 psybnc > -rw-r--r-- 1 wwwrun nogroup 596571 Oct 17 23:19 psybnc.tar.gz > > after that I did a find / -user wwwrun and found a bunch of stuff > and then discovered several other uids involved. > > ================================================================== > > The attached shell history file shows what appears to be a manual > attacker downloading and installing several files using wget. Some of > the files are no longer available, but the few I managed to download > seem to be either related to IRC (server and bot), or to Linux local > exploits. (I only spent a couple of minutes downloading and glancing > at the files.) > > > Sverre. > > -- > shhat_private Computer Geek? Try my Nerd Quiz > http://shh.thathost.com/ http://nerdquiz.thathost.com/ > ---------------------------------------------------------------------------- ---- > -------------------------------------------------------------------------- -- > This list is provided by the SecurityFocus ARIS analyzer service. > For more information on this free incident handling, management > and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Feb 26 2003 - 13:04:47 PST