Hey,
Hhehe, yeah and only days before I was commenting on how we haven't been
hacked in ages...
This is definately something new, have a look at:
http://seclists.org/lists/fulldisclosure/2004/Jul/1256.html
Thats basically a mirror of what I've seen in my logs. You'll see
several wget's of files on that page, I just tried ssh.tgz and it's
still working. This is where you'll find the "go.sh" command which
after running it would seem to be a scanner. But, immediately after
that everytime I ran *any* command (eg, ls, dir, netstat) to see the
state of my system, I got a "seg fault"!
The history showed the hacker creating a lot of strange directories,
like ". . . " in /usr/local/sbin. I'm thinking that this is the
key to the boobie trap.
Rebooting into 2.6.7 failed at the point where init would normally begin
to load. Trying 2.4.x seemed to get a little further, but stopped where
it would do the device-mapper stuff. Trying knoppix/tomsrootboot lead
to nothing, I didn't have a clue what might be wrong, so just rebuilt.
I'll be happy to supply whatever I have to anyone who's interested, or
the tools if you want to investigate... I'd be very into knowing more
about the specifics of the various tools etc but am kinda lacking the
necessary haxor skills ;)
I have the iso.tmp file here somewhere, haven't gotten around to looking
into that yet, been busy rebuilding machines :( I'm not sure about
posting links onto the list, but you can contact me individually to look
for these tools.
There was also a samba scanner / exploit which I successfully tested out
on the system the hacker targeted. Also of note is that the hacker
installs PSYBNC, an irc bouncer on the systems. In total, including the
tar's I have 13MB of stuff, so there is quite a bit to look into..
Eoin
On Wed, Aug 04, 2004 at 09:56:26AM -0700, Justin Mason wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>>> Scary stuff. Right after defcon, too ;)
>> Have you got any other dropping files from the exploit? that .tmp is gone
> from ftp.esat.net.
>> - --j.
>> Eoin Ryan writes:
> > Hi all,
> >
> > There appears to be a new exploit of sshd on Debian Woody. Ssh version:
> > SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3
> >
> > At the weekend 2 Debian Woody systems under my control were hacked with
> > this exploit, which lead to other, non related hacks in the University.
> >
> > The hacker seemed rather messy and left a lot of tell tale signs behind
> > that the system was broken into, despite making efforts to patch various
> > system binaries, as well as patching sshd itself. Check your
> > /var/log/auth.log for login attempts to either of the following user
> > names: test, admin. Part of the procedure seems to be to add one of
> > the before mentioned usernames to the system, including /home
> > directories, so that would seem to be the easiest way of telling if
> > you've been broken into.
> >
> > Piecing together from a few recent mails found online as well as the
> > evidence left behind in logs, it seems that preceding the attack the
> > hacker will scan target machines and try logging into the daemon with
> > test/admin. If the box has already been hacked and ssh patched then
> > premumably they will get immediate access, if not they will launch their
> > attack.
> >
> > The logs reveal a lot of downloaded tools from various websites around
> > the world. Some are DDOS tools, others r00t kits etc. Perhaps the
> > strangest download though was an iso.tmp file from ftp.esat.net, which
> > perhaps ties in with wierd behaviour that I noticed on that file server
> > over the weekend. The command was:
> >
> > wget http://ftp.esat.net/pub/linux/debian-cd/3.0_r2/source/debian-update-3.0r2.01-src.iso.tmp> >
> > I didn't actually see anything in the logs that the hacker might have
> > been doing with this file, but at the moment it is still available on
> > esat.net.
> >
> > WARNING:
> > Be very carefull about messing with any tools left behind by the hacker.
> > The file, go.sh (ssh exploit), which I found a URL to in my history, seems to be
> > boobie trapped as immediately after running it my system died a sudden
> > and horrific death. A re-install worked, but it's a perfect example
> > of curiosity killing the cat.
> >
> > Hope this is usefull,
> > Eoin.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
> Comment: Exmh CVS
>> iD4DBQFBERU6QTcbUG5Y7woRAoryAKDfSGJiaAiIfeFAyiUwM4LbcK5QdQCYxMbh
> w4QJOyyFqMDeGmo2OLTFxQ==
> =/2NC
> -----END PGP SIGNATURE-----
--
When you work here, you can name your own salary. I named mine, "Louie".
-
Eoin Ryan eoin.ryan at ul.ie
Biocomputing-Developmental Systems Group (BDS) http://bds.ul.ie
CSG-028, University of Limerick, Ireland Phone: +353 61 202596
------------------------------------------------------------------------
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
