Security Incidents mailing list archives

Re: rooted

From: oogali () INTRANOVA NET (Omachonu Ogali)
Date: Wed, 23 Feb 2000 18:53:01 -0500


broadscan is a broadcast scanner, basically feeds the user a list of
broadcast address they can use to 'smurf' off of. If it is a user of pop2
then delete the user being that that's not a regular user, and b00ger-rpc
is the name they stuck in /etc/services for the actual port that the
trojan/daemon is running on to allow the attacker to connect back and
retrieve their 'rootshell.' It sounds feasible, to pass a program to
execute to the UBB and then login and execute the crontab exploit to
achieve root access.

On Tue, 22 Feb 2000, Philip Champon wrote:

Today I was notified via email that a machine of ours was compromised. He
told us that he gained access through UltimateBB (of recent fame and chatter
on butraq) then used crontab (he said that he thought that was what he used)
to obtain a root shell. He also told us that he replaced our sshd binary.

RedHat (kernel 2.2.12-6.2smp) 6.1 was the OS and cron version is 2.4 and ubb
was the freeware version off their site http://www.ultimatebb.com.

In poking around that server we also found b00ger-rpc listed in inetd.conf
and running as pop2 ??? (Does b00ger take anything other than stdin?),
something in tmp called jrnt1.2 and broadscan.

If anyone has anymore info on anything listed here (exploits etc) I am
all too happy to hear from you. Can anyone refute his claims of using
crontab to get root, we were pretty sure that this cron version OS release
were free from any exploit issues.  Even the use of ultimatebb seems strange
since as I understood it, the insecurities were regarding executing code as the
user and even reading the passwd file, not actually obtaining shell access.

thanks,
Phil Champon
Systems Administrator NOC, Valueweb


--
+-------------------------------------------------------------------------+
| Omachonu Ogali                                     oogali () intranova net |
| Intranova Networking Group                 http://tribune.intranova.net |
| PGP Key ID:                                                  0xBFE60839 |
| PGP Fingerprint:       C8 51 14 FD 2A 87 53 D1  E3 AA 12 12 01 93 BD 34 |
+-------------------------------------------------------------------------+

Current thread:

smurf scanning Jon Lewis (Feb 20)
- Re: smurf scanning Robert Graham (Feb 21)
  - rooted Philip Champon (Feb 22)
    - Re: rooted Omachonu Ogali (Feb 23)
    - Re: rooted Administrator (Feb 23)
    - Being Hacked?! Please Help!! Francis Lee (Feb 24)
    - Re: rooted John Kougoulos (Feb 24)
  - Re: smurf scanning Rick Magill (Feb 23)
- @home: Is *anyone* really home there??? Missouri FreeNet Administration (Feb 22)
  - Re: @home: Is *anyone* really home there??? Omachonu Ogali (Feb 22)
  - Re: @home: Is *anyone* really home there??? Jim Littlefield (Feb 23)
    - Re: @home: Is *anyone* really home there??? James M. Atkinson, Comm-Eng (Feb 23)
    - Re: @home: Is *anyone* really home there??? David Brumley (Feb 23)
    - Re: @home: Is *anyone* really home there??? Philip R. Moyer (Feb 23)

(Thread continues...)