Security Incidents mailing list archives
Re: rooted
From: oogali () INTRANOVA NET (Omachonu Ogali)
Date: Wed, 23 Feb 2000 18:53:01 -0500
broadscan is a broadcast scanner; basically it feeds the user a list of broadcast addresses they can use to 'smurf' off of. If it is a user of pop2 then delete the user, being that that's not a regular user, and b00ger-rpc is the name they stuck in /etc/services for the actual port that the trojan/daemon is running on to allow the attacker to connect back and retrieve their 'rootshell.' It sounds feasible to pass a program to execute to the UBB and then log in and execute the crontab exploit to achieve root access.

On Tue, 22 Feb 2000, Philip Champon wrote:
> Today I was notified via email that a machine of ours was compromised. He told us that he gained access through UltimateBB (of recent fame and chatter on bugtraq) then used crontab (he said that he thought that was what he used) to obtain a root shell. He also told us that he replaced our sshd binary. RedHat 6.1 (kernel 2.2.12-6.2smp) was the OS, cron version is 2.4 and ubb was the freeware version off their site http://www.ultimatebb.com.
>
> In poking around that server we also found b00ger-rpc listed in inetd.conf and running as pop2 ??? (Does b00ger take anything other than stdin?), something in tmp called jrnt1.2 and broadscan. If anyone has any more info on anything listed here (exploits etc) I am all too happy to hear from you.
>
> Can anyone refute his claims of using crontab to get root? We were pretty sure that this cron version and OS release were free from any exploit issues. Even the use of ultimatebb seems strange since, as I understood it, the insecurities were regarding executing code as the user and even reading the passwd file, not actually obtaining shell access.
>
> thanks,
> Phil Champon
> Systems Administrator
> NOC, Valueweb
--
+-------------------------------------------------------------------------+
| Omachonu Ogali                                  oogali () intranova net |
| Intranova Networking Group                  http://tribune.intranova.net |
| PGP Key ID: 0xBFE60839                                                   |
| PGP Fingerprint: C8 51 14 FD 2A 87 53 D1 E3 AA 12 12 01 93 BD 34         |
+-------------------------------------------------------------------------+
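The reply above describes the mechanics of the backdoor: an extra name ("b00ger-rpc") dropped into /etc/services and a matching inetd.conf line that launches the daemon. The following script is an added example, not code from either poster; it shows the check an administrator would run on a suspect box to surface such entries. The sample /etc/services and inetd.conf contents, the port number, the /tmp path and the "expected services" baseline are all constructed for the example, not taken from the thread.

```python
# Audit inetd.conf against /etc/services and a per-host baseline, flagging
# entries that look like the b00ger-rpc backdoor described in the thread.

# Constructed sample files. The b00ger-rpc port (31337) and the /tmp path are
# invented for this example; the thread gives neither.
SAMPLE_SERVICES = """\
# service-name  port/protocol  [aliases]
ftp        21/tcp
ssh        22/tcp
pop-2      109/tcp   pop2 postoffice
pop-3      110/tcp   pop3
b00ger-rpc 31337/tcp
"""

SAMPLE_INETD_CONF = """\
#<service> <socket> <proto> <flags> <user> <server_path> <args>
ftp        stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
pop-3      stream tcp nowait root /usr/sbin/tcpd ipop3d
b00ger-rpc stream tcp nowait pop2 /tmp/.jrnt/b00ger b00ger
"""

# Directories from which a stock inetd entry on a system like this would
# launch its server; anything else (notably /tmp) deserves a look.
TRUSTED_SERVER_DIRS = ("/usr/sbin/", "/usr/bin/", "/sbin/", "/bin/", "/usr/libexec/")

# Constructed baseline: the inetd services this host is supposed to offer.
EXPECTED_SERVICES = {"ftp", "pop-3"}


def parse_services(text):
    """Map every service name and alias in /etc/services to its 'port/proto'."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port_proto = fields[1]
        for name in [fields[0]] + fields[2:]:     # primary name plus aliases
            table[name] = port_proto
    return table


def parse_inetd_conf(text):
    """Return (service, user, server_path) for each active inetd.conf entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue
        entries.append((fields[0], fields[4], fields[5]))
    return entries


def audit_inetd(services_text, inetd_text, expected=EXPECTED_SERVICES):
    """Return a sorted list of (service, reason) findings for a sysadmin to review."""
    services = parse_services(services_text)
    findings = []
    for name, user, server in parse_inetd_conf(inetd_text):
        if name not in services:
            findings.append((name, "no matching /etc/services entry"))
        if not server.startswith(TRUSTED_SERVER_DIRS):
            findings.append((name, "server binary outside system dirs: " + server))
        if name not in expected:
            findings.append((name, "service not in expected baseline (user %s)" % user))
    return sorted(set(findings))


if __name__ == "__main__":
    for service, reason in audit_inetd(SAMPLE_SERVICES, SAMPLE_INETD_CONF):
        print("%-12s %s" % (service, reason))
```

On the sample input only the b00ger-rpc line is reported, once for launching from /tmp and once for not being in the baseline. The baseline comparison is what catches a backdoor that has been given a legitimate-looking path, so keep that set under change control rather than deriving it from the box under investigation. The replaced sshd binary the original poster mentions is a separate check (comparing the installed file against the vendor package's recorded checksum) that this script does not cover.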