Security Incidents mailing list archives

Re: two machines hack through rpc.statd


From: Justin Shore <macdaddy () NEO PITTSTATE EDU>
Date: Wed, 7 Mar 2001 14:59:57 -0600

     I was given control of a 6.2 machine some months ago, only to find that
it had been hacked within a week of it being put on the 'Net.  rpc.statd
as well.  Best I can tell the overflow allowed the guy to add an
interactive shell line to /etc/inetd.conf and SIGHUP inetd.  The guy then
connected as root, rcp'ed a generic rootkit from a machine owned by
broadcast.com (hacked also) which installed a couple binaries that I
couldn't identify (cronlogd and xfsd).  He then rpm installed 3 old rpms
from a German mirror site.  They were old/vulnerable versions of
Wu-ftpd, nfs-utils, and LPRng.  As best I could tell he didn't clean up
the system logs.  For that matter he didn't clean up root's bash history
files. (/bin/sh is a symlink to /bin/bash so system-default bashrc
settings apply, which turn on logs by default).  That's how I managed to
track his activity so easily.  All in all, the rootkit was very generic
and fairly worthless.  I still don't know what the binaries do though.  I
have the whole drive tarballed somewhere.  As for who to contact about
that home.com machine, I'd first email them with all the pertinent logs
and descriptions and then call them a few minutes later and escalate it
as high as you can.  If you can catch an active session between your
hacked machine and that home.com guy (or whomever is using his machine)
it would help.  That's about the best I can suggest for you.  The law doesn't
always take an interest in these cases unless it's big news.  Even they
are susceptible to PR tactics.  Good luck!

Justin


On 3/7/01 7:47 AM Vegard Svanberg said...

Hi.

I admin two servers which were recently hacked.  They were just installed
with RH7 and really not important (and not in production) so there was
no big deal.  However, that is not an excuse for hacking them, so I'd
like to report this guy to his local police so they could lock him up in
jail where he belongs.

I'd also like to get in touch with other people who've had similar
breakins from this guy.  This is _some_ of the info I have on what he
did:

1.  Exploited rpc.statd
2.  Fetched a package (secure.tar.gz) containing some scripts to clear
   the logs and a couple of RPMs to fix a couple of security holes.
3.  Patched rpc.statd.
4.  Configured inetd to run /bin/sh at port 666.  He firewalled the
   port.
5.  Ran a script ("g.sh" also known as "gh0st.sh") to wipe the logs.

He added user "r3wt" and "gid" to /etc/passwd and /etc/shadow with uid 0
and no password.  He also added an account "Vogz" which I believe is his
nickname.

Here's the hostnames/IP addresses he came from:

Vogz[9590]: LOGIN ON pts/2 BY Vogz FROM cx589008-a.vista1.sdca.home.com
xinetd[8755]: START: reg pid=9614 from=63.198.203.190

In addition, I am wondering how I should handle this further, and IF
I should.  I am currently located in Europe while he is probably in the
US or something, hacking from a rooted *DSL machine.  Any tips and
recommendations are appreciated.

Regards,
--
Vegard Svanberg <vegard () svanberg no>



--
Justin Shore, ES                Pittsburg State University
Network & Systems Manager       Kelce 157Q
Office of Information Systems   Pittsburg, KS 66762
Voice: (620) 235-4606           Fax: (620) 235-4545
http://www.pittstate.edu/ois/

Warning:  This message has been quadruple Rot13'ed for your protection.
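The indicators Vegard lists (extra uid-0 entries in /etc/passwd, accounts with an empty shadow password field, an inetd.conf line that hands a port straight to /bin/sh) are easy to check for mechanically. The script below is an added example for this thread, not code posted by either author; the three sample files are constructed to resemble what the post describes, and the SHELLS set and the triage() report format are my own choices. Point the three functions at real file contents to run it against a host.

```python
"""Triage checks for the host indicators described in the thread.
Added example; sample file contents are constructed, not from the hosts."""

# Constructed /etc/passwd: two uid-0 accounts besides root and one extra user,
# modelled on the "r3wt", "gid" and "Vogz" accounts in the post.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
r3wt:x:0:0::/root:/bin/sh
gid:x:0:0::/root:/bin/sh
Vogz:x:501:501::/home/Vogz:/bin/bash
"""

# Constructed /etc/shadow: the uid-0 accounts have an empty password field.
SAMPLE_SHADOW = """\
root:$1$constructedhash:11388:0:99999:7:::
bin:*:11388:0:99999:7:::
r3wt::11388:0:99999:7:::
gid::11388:0:99999:7:::
Vogz:$1$constructedhash2:11388:0:99999:7:::
"""

# Constructed /etc/inetd.conf with a line binding /bin/sh to port 666.
SAMPLE_INETD = """\
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
666     stream  tcp     nowait  root    /bin/sh sh
"""

# Programs that should never appear as an inetd server (assumed list).
SHELLS = {"/bin/sh", "/bin/bash", "/bin/csh", "/bin/tcsh", "/bin/ksh"}


def _records(text):
    """Yield non-empty, non-comment lines of a config file."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def extra_uid0_accounts(passwd_text):
    """Return names of uid-0 accounts other than root, in file order."""
    found = []
    for line in _records(passwd_text):
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed passwd line; skip rather than crash
        name, uid = fields[0], fields[2]
        if uid == "0" and name != "root":
            found.append(name)
    return found


def passwordless_accounts(shadow_text):
    """Return accounts whose shadow password field is empty (login needs no password)."""
    found = []
    for line in _records(shadow_text):
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] == "":
            found.append(fields[0])
    return found


def shell_services(inetd_text):
    """Return (service, shell) pairs for inetd.conf entries that run a shell.

    inetd.conf fields: service socket proto wait user server-program [args].
    Every field from the server program onward is checked, so a shell hidden
    behind a wrapper such as tcpd is caught as well.
    """
    found = []
    for line in _records(inetd_text):
        fields = line.split()
        if len(fields) < 6:
            continue
        for program in fields[5:]:
            if program in SHELLS:
                found.append((fields[0], program))
                break
    return found


def triage(passwd_text, shadow_text, inetd_text):
    """Run all three checks and return a dict of findings (empty lists mean clean)."""
    return {
        "extra_uid0": extra_uid0_accounts(passwd_text),
        "no_password": passwordless_accounts(shadow_text),
        "shell_services": shell_services(inetd_text),
    }


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_INETD).items():
        print(f"{name}: {hits}")
```

On a live system, read /etc/passwd, /etc/shadow and /etc/inetd.conf (or the xinetd service directory on RH7) and pass their contents in; a finding in any of the three lists is a reason to take the box offline and image it before touching anything else, as Justin did by tarballing the drive.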

