Re: msamba

From: Steve Bromwich (incidentat_private)
Date: Tue Apr 22 2003 - 07:08:18 PDT


    Thanks for all the responses. I'll summarise them in approximate
    order of volume:
    
    1. Congrats to all the people out of the office. Hope you're having
    fun.
    
    2. I downloaded the virus, but didn't do anything more than run strings
    over it. I didn't realise it was infected with a virus already, though,
    that's certainly interesting.
    
    3. I haven't managed to get a copy of 73.tgz; I think he copied it in
    by hand, possibly by scp after he reset the root password. I think this
    was where the "./setup muie 55055 angelboy@the-darkside.info" came
    from.
    
    4. This was caught because he did rm -rf /var/log, which stopped exim
    from running as it couldn't log incoming and outgoing mail. There was
    also some kind of monitor app running that fired off a whole bunch of
    rm threads deleting everything he touched whenever someone tried to log
    in (I think). I logged in to see a whole bunch of threads doing
    something like ./evil rm -rf directoryname, after which I had the
    client pull the power.
    
    5. After I booted off a superrescue CD to have a poke around, I found a
    whole bunch of files in /bin, /usr/bin, /usr/sbin, /sbin which had been
    modified in the previous 24 hours.
    
    6. After copying off the most recently modified data (no executables) I
    formatted and reinstalled Debian from CD. Data was restored from backup
    and the most recently modified data was eyeballed and put back (it was
    only 5 text files).
    
    7. I still have access to all the files that were left after the rm
    run. If anyone would like a copy of any of the system files to tinker
    with, let me know and I'll pull them off.
    
    8. I haven't contacted anyone because I don't have any hard evidence of
    where the intrusion came from. The cahcepu.net appears to be run by the
    guy who tried to get in anyway so I didn't feel it was too worthwhile.
    
    Once again, thanks for everyone's comments!
    
    Cheers, Steve
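    An added example, not part of Steve's post: an offline triage of a rescue-CD-mounted root like the one in point 5, listing regular files under /bin, /sbin, /usr/bin and /usr/sbin that changed within a lookback window, and separately flagging files whose mtime was backdated but whose inode change time (ctime) is still recent, which an mtime-only `find` would miss. The directory list, the constructed sample tree and the `recent_changes`/`build_demo_tree`/`demo` names are assumptions, not anything from the incident.

```python
import os
import stat
import tempfile
import time

# Directories the post says held files modified in the previous 24 hours.
SYSTEM_BIN_DIRS = ("bin", "sbin", "usr/bin", "usr/sbin")

def recent_changes(root, since, dirs=SYSTEM_BIN_DIRS):
    """Regular files under root/<dir> changed at or after `since` (epoch secs),
    as (relative_path, reason, is_executable). reason is "modified" when the
    mtime is recent, or "ctime-only" when the mtime looks old but the inode
    change time is recent: the trace a touch/utime backdate leaves behind."""
    hits = []
    for d in dirs:
        for dirpath, _subdirs, names in os.walk(os.path.join(root, d)):
            for name in names:
                full = os.path.join(dirpath, name)
                st = os.lstat(full)                  # never follow symlinks
                if not stat.S_ISREG(st.st_mode):
                    continue
                if st.st_mtime >= since:
                    reason = "modified"
                elif st.st_ctime >= since:
                    reason = "ctime-only"
                else:
                    continue
                hits.append((os.path.relpath(full, root), reason,
                             bool(st.st_mode & stat.S_IXUSR)))
    return sorted(hits)

def build_demo_tree(root):
    """Constructed sample: a fresh bin/ls and a bin/ps whose mtime is
    backdated by a year (its ctime still says 'now')."""
    os.makedirs(os.path.join(root, "bin"))
    for name in ("ls", "ps"):
        path = os.path.join(root, "bin", name)
        with open(path, "w") as f:
            f.write("#!/bin/sh\n")                 # stand-in for a binary
        os.chmod(path, 0o755)
    old = time.time() - 365 * 86400
    os.utime(os.path.join(root, "bin", "ps"), (old, old))

def demo(lookback_seconds):
    """Build the sample tree in a temp dir and triage the last `lookback_seconds`."""
    since = time.time() - lookback_seconds
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return recent_changes(tmp, since)
```

    On a real image, point `recent_changes` at the mount point of the offline disk rather than `/`, so the rescue system's own binaries are not mixed into the result.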
    