Security Incidents mailing list archives
god damn - we got rooted again (long, alas)
From: filipg () CORONA EPS PITT EDU (Filip M. Gieszczykiewicz)
Date: Sun, 9 Jan 2000 04:50:13 -0500
From the ooh-look-at-the-pretty-fireball POV, this post is
entertaining.

Remember my last post? - where someone "got" my password on my machine
and tried a 'local-user -> root' exploit script? Summary:

-------------
Date: Sat, 8 Jan 2000 23:53:40 -0500 (EST)
To: SG

Hehehe... some lamer [somehow] got into my 'filipg' account on fw...
I captured almost all of the attack. I think there might be a sniffer
on the local network... I'll be checking for it first. When the
'script' didn't work... they logged off. What a loser.
-------------

I had one more long look at my logs.. and posted the first article to
this forum (INCIDENTS):

-------------
Date: Sat, 8 Jan 2000 23:35:20 -0500 (EST)
To: INCIDENTS () SECURITYFOCUS COM
bcc: dbmon () connect com au, abuse () connect com au
Subject: Got cracked/attacked this morning
-------------

Then a post to our grad-in-charge-of-server(s):

-------------
Subject: Re: Sniffer on local net possible: don't forward to CIS yet
To: SZ

On Sat, 8 Jan 2000, SZ wrote:
> any idea what the hell is going on here?

Here's what's going on:

a) someone GOT my filipg password on <hostnametrimmed> (I only log into
   it from corona, GIS room, and console!) (this part I can not explain)
b) they ran an exploit-script which FAILED (because this machine is
   really swept for bugs by yours truly)
c) the script failed, they logged off.
-------------

I checked the one server I have access to... Solaris 2.5.1 patched to
LATEST levels... I did a 'ps -Af' and saw a root-owned process running
with a relative path. "WTF?"
From a message to admin (SZ):
-------------------------
Date: Sun, 9 Jan 2000 01:54:01 -0500 (EST)
Subject: strange process on corona
To: SZ

Doing a ps -Af gives a line:

  root 12450 1 0 02:31:55 ? 12:13 ./sun_lo -s -l

Any idea what it is and where it's being run from? I'm doing a find /
for it now... but I'm not root so a lot of dirs fail. I'd say it looks
fishy!
-------------

Not much later I remembered the root password (I installed an old 1GB
clunker on corona this week... was tight on space before)... I did a
find / -print | grep "sun_id" and it came up in "/dev/.a"

"F*ck! Not _again_. [sick feeling]"

-------------
Date: Sun, 9 Jan 2000 02:01:08 -0500 (EST)
Subject: F*CK: we *WERE* rooted on corona.

Thank GOD I remember the root passwd. My password WAS sniffed.

**CHANGE ALL PASSWORDS**

SZ, sun_lo was a packet sniffer in /dev/.a/

I'm saving logs this time. More later. So much for "security".

Cheers, Filip G. (sniffer no longer running)
-------------

Ok, echo > /etc/nologin, tar'ed the whole /dev/ tree to /tmp, then
FTPed the file to my machine (attacked but held), then ps -Af | grep
"/dev" and started nuking. Lamers added to crontab so commented that
out and restarted crond.

[a bit later, ~2AM local time, called in to the maintenance folks that
keep our central university cluster and gave them the IP's of
assumed-to-be-rooted hosts. Asked to turn on deeper logging on local
router(s). We'll see if they react in time. I have no access to the
rest of the machines and until prof shows up tomorrow, lamers running
free]

* * *

Anyways, here's the prelim report - gory details:

* cracked Dec 31. Yup.

* uname -a: SunOS corona 5.5.1 Generic_103640-28 sun4m sparc
  SUNW,SPARCstation-4 (patched to latest patchlevel)
  Can get more info from SZ if anyone wants as to which patches were
  installed, etc.

* found core in /, /core is: ELF 32-bit MSB core file SPARC Version 1,
  from 'in.ftpd' BUT core dated: (239980 bytes) Jan 9 00:58 (!!)
  (-r-xr-xr-x 1 bin bin 45936 Jul 8 1999 /usr/sbin/in.ftpd)
  (remember we were rooted Dec 31, see below)

* gdb /usr/sbin/in.ftpd /core:
-----------------
Core was generated by `in.ftpd'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libsocket.so.1...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libnsl.so.1...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libbsm.so.1...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libauth.so.1...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libdl.so.1...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libc.so.1...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libintl.so.1...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libmp.so.1...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libw.so.1...(no debugging symbols found)...done.
#0  0x145a8 in yyerror ()
(gdb) where
#0  0x145a8 in yyerror ()
#1  0x171fc in yylex ()
#2  0x177ec in yyparse ()
#3  0x12b08 in __cg89_used ()
-----------------

* /var/log/syslog ZERO. damn.
* find / -ls | grep "Dec 31" gave:
-----------------
185025  1 drwxr-xr-x 2 root sys     512 Dec 31 05:46 /var/spool/cron/crontabs
 64192  7 drwxrwxr-x 2 root bin    7168 Dec 31 05:45 /usr/bin
442018 26 -r-sr-xr-x 1 root other 26476 Dec 31 05:45 /usr/bin/login
411789  7 -rwxr-xr-x 1 root other  6868 Dec 31 05:43 /dev/.a/milk
411823  7 -rwxr-xr-x 1 root other  6540 Dec 31 05:44 /dev/.a/sunstealth
411879 39 -rwxr-xr-x 1 root other 39288 Dec 31 05:47 /dev/.a/sun_hmes
411880  1 -rw-r--r-- 1 root other   113 Dec 31 05:44 /dev/.a/.cr0n
411881 38 -rwxr-xr-x 1 root other 38472 Dec 31 05:47 /dev/.a/sun_lo
449440  1 drwxr-xr-x 2 root other   512 Dec 31 05:45 /dev/.backup
-----------------

* strings of /usr/bin/login:
  (-r-sr-xr-x 1 root other 26476 Dec 31 05:45 /usr/bin/login)
-----------------
login
/bin/sh
/usr/bin/xcat
TERM
vt10210
%s=%s
vt100
-----------------

* strings of /usr/bin/xcat
  (-rwxr-xr-x 1 ayres 100 28800 Nov 1 00:38 /usr/bin/xcat)
-----------------
<!sublogin> login Could not set ULIMIT to %ld ROOT LOGIN %s FROM %.*s ROOT LOGIN %s .hushlogin /var/adm/loginlog /var/adm/loginlog /etc/issue /etc/issue Looking at a login line. root /etc/nologin Not on system console Only one of -r and -h allowed Only one of -r and -h allowed f:h:r:pad: TTYPROMPT Usage: login [-h|-r] [ name [ env-var ... ]] /usr/bin/passwd /usr/bin/passwd Choose a new password. Cannot execute /usr/bin/passwd /var/adm/lastlog No directory! No directory! REPEATED LOGIN FAILURES ON %s FROM %.*s REPEATED LOGIN FAILURES ON %s No directory! Logging in with home=/ REPEATED LOGIN FAILURES ON %s FROM %.*s REPEATED LOGIN FAILURES ON %s REPEATED LOGIN FAILURES ON %s FROM %.*s REPEATED LOGIN FAILURES ON %s pri= No Root Directory Subsystem root: %s /usr/bin/login login /etc/login login No /usr/bin/login or /etc/login on root Calloc failed - out of swap space.
TERM /usr/bin: /usr/bin/sh L%d=%s Last login: %.*s from %.*s on %.*s /usr/bin/sh /sbin/sh No shell %s: line %d, invalid entry -- %s %s: line %d, invalid mode -- %s %s: line %d, %s -- empty device list %s: %s: %s/%s %s: %s: SHELL= HOME= TERM= LOGNAME= PATH= MAIL=/var/mail/ login: Password: Login incorrect LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES LC_ALL no:password /etc/default/login /dev/??? login /usr/sbin:/usr/bin SHELL= HOME= LOGNAME= MAIL= CDPATH= IFS= PATH= CONSOLE= ALTSHELL= PASSREQ= TIMEZONE= PATH= SUPATH= ULIMIT= TIMEOUT= UMASK= IDLEWEEKS= SLEEPTIME= SYSLOG= 1200 1800 2400 4800 9600 19200 38400 57600 76800 115200 153600 230400 307200 460800 remuser locuser Terminal type No utmpx entry. You must exec "login" from the lowest level "shell". <!sublogin> /usr/bin/sh /sbin/sh /etc/logindevperm
-----------------

* /usr/bin/xcat owned by a user that never logged in!

* list of /dev/backup: (original login pgm)
-----------------
-r-sr-xr-x 1 root bin 46444 May 2 1996 login
-----------------

* list of /dev/.a:
-----------------
-rw-r--r-- 1 root other   113 Dec 31 05:44 .cr0n
-rw-rw-rw- 1 root root  87866 Jan  9 01:55 abc.heh
-rwxr-xr-x 1 root other  6868 Dec 31 05:43 milk
-rwxr-xr-x 1 root other 39288 Dec 31 05:47 sun_hmes
-rwxr-xr-x 1 root other 38472 Dec 31 05:47 sun_lo
-rwxr-xr-x 1 root other  6540 Dec 31 05:44 sunstealth
-----------------

* list of .cr0n:
-----------------
0,10,20,30,40,50 * * * * /dev/logcheck >/dev/null 2>&1
0,10,20,30,40,50 * * * * /dev/named >/dev/null 2>&1
-----------------

* strings of /dev/logcheck:
-----------------
bind /dev/tty fork: %s Password: Wrong password, got %s. Host: Found address for %s Didnt find address for %s Port: %s: bad port number Trying %s... telcli: socket Connected to %s port %d...
-----------------

* strings of /dev/named:
-----------------
named socket bind listen accept Eggdrop1.3.28 (Modified) FUCK OFF /sbin/sh Password: fux0rd
-----------------

* Contents of /dev/.a/abc.heh:
-----------------
All the f*ckin packet headers for the whole g*dd*mn dept. All the users,
all the local machines, everything. Including the root passwd for our
main server. AND the passwords of 2 profs. Geez. 88KB of them. MY
machine in there AND my password.

***MYSTERY SOLVED!!!*** (see prev message to INCIDENTS)
-----------------

* strings of /dev/.a/milk
-----------------
milk v0.1a[milkweed] usage: %s <victim> <size> %s: unknown host bombing %s with packets of %i bytes ignoring
-----------------

* strings of /dev/.a/sun_hmes
-----------------
rlogin telnet smtp -- TCP/IP LOG -- TM: %s -- PATH: %s(%s) => %s(%s) STAT: %s, %d pkts, %d bytes [%s] DATA: : (%d) PKT: (%s %04X) %s[%s] => %s[%s] DATA LIMIT TH_FIN TH_RST IDLE TIMEOUT SIGNAL Log ended at => %s sigalrm: TIMEOUT %s: alarm %s: getmsg %s: MORECTL|MOREDATA %s: MORECTL %s: MOREDATA getmsg: control portion length < sizeof (long): %d unexpected dlprim error dlattachreq: putmsg dlokack dlokack: response ctl.len too short: %d dlokack: DL_OK_ACK was not M_PCPROTO dlokack: short response ctl.len: %d dlbindreq: putmsg dlbindack dlbindack: DL_OK_ACK was not M_PCPROTO dlbindack: short response ctl.len: %d dlpromiscon: putmsg /dev/hme DLIOCRAW bufmod push bufmod SBIOCSTIME SBIOCSCHUNK I_FLUSH finished getmsg() = %i c6Lqd3Dvn2l3s (%s)UP? Output file cant be opened filtering out smtp connections. filtering out telnet connections. filtering out rsh/rlogin connections. filtering out ftp connections.
Usage: %s [-d x] [-s] [-f] [-l] [-t] [-i interface] [-o file]
 -d int   set new data limit (128 default)
 -s       filter out smtp connections
 -f       filter out ftp connections
 -l       filter out rlogin/rsh connections
 -t       filter out telnet connections
 -o <file> output to <file>
Using logical device %s [%s] Output to %s.%s%s stdout (debug) Backgrounding [Cannot bg with debug on] Log started at => %s [pid %d]
-----------------

* strings of /dev/.a/sun_lo
-----------------
rlogin telnet smtp -- TCP/IP LOG -- TM: %s -- PATH: %s(%s) => %s(%s) STAT: %s, %d pkts, %d bytes [%s] DATA: : (%d) PKT: (%s %04X) %s[%s] => %s[%s] DATA LIMIT TH_FIN TH_RST IDLE TIMEOUT SIGNAL Log ended at => %s sigalrm: TIMEOUT %s: alarm %s: getmsg %s: MORECTL|MOREDATA %s: MORECTL %s: MOREDATA getmsg: control portion length < sizeof (long): %d unexpected dlprim error dlattachreq: putmsg dlokack dlokack: response ctl.len too short: %d dlokack: DL_OK_ACK was not M_PCPROTO dlokack: short response ctl.len: %d dlbindreq: putmsg dlbindack dlbindack: DL_OK_ACK was not M_PCPROTO dlbindack: short response ctl.len: %d dlpromiscon: putmsg /dev/le DLIOCRAW bufmod push bufmod SBIOCSTIME SBIOCSCHUNK I_FLUSH finished getmsg() = %i c6Lqd3Dvn2l3s (%s)UP? Output file cant be opened filtering out smtp connections. filtering out telnet connections. filtering out rsh/rlogin connections. filtering out ftp connections.
Usage: %s [-d x] [-s] [-f] [-l] [-t] [-i interface] [-o file]
 -d int   set new data limit (128 default)
 -s       filter out smtp connections
 -f       filter out ftp connections
 -l       filter out rlogin/rsh connections
 -t       filter out telnet connections
 -o <file> output to <file>
Using logical device %s [%s] Output to %s.%s%s stdout (debug) Backgrounding [Cannot bg with debug on] Log started at => %s [pid %d]
-----------------

* strings of /dev/.a/sunstealth
-----------------
[1mStealth [0m> %s [1;30m: [0m port %d [1mStealth [0m> Non [1;30m- [0mexistant host [1;30m: [0m %s [1;30mtw [0mit [1mch@St [0meal [1;30mth [33m: [1;5;31mThis tool is extremely dangerous. Use at your own risk! [1;30mUsage: [0m st [1m- [0mkill < [1mhost [0m> < [1mport [0m> 0123456789ABCDE
-----------------

* Additional view of above file:
-----------------
<@(#)SunOS 5.5.1 Generic May 1996as: SC4.0 dev 15 Feb 1995 GCC: (GNU) 2.7.2.1as: WorkShop Compilers 4.2 dev 13 May 1996 GCC: (GNU) 2.7.2.1as: SC4.0 dev 15 Feb 1995 GCC: (GNU) 2.7.2.1ld: (SGU) SunOS/ELF (LK-2.0 (S/I) [...]
-----------------

* That's about it.

* I'll halt the machine once this is posted. There was a backup made
  WHILE the sniffer was running - so, if a) the tape is good, b) /dev
  was backed up, and c) the tape can be found, we have a backup of the
  exploit.

* The other machine in the dept was behaving 'odd' - but I thought 'we
  got hacked in July, BEEN keeping up with patches, can't be that'...
  [SMACK! SMACK!] Ow! Ow! S.Z.

* The dept 'purchased' a security service contract with our very own
  CIS, oh, 4 MONTHS ago. They NEVER sent anyone to do any work. I wonder
  if this a) makes them look like idiots, b) makes more of their people
  quit, c) changes nothing. [yawn]

* I think I'm going to be sick. Anyone have a barf-bag?

NO cheers,
Filip G.

P.S. Ok, rant time. Ignore if you're from CIS. I'm pissed: (rot13)
--------------
Fgnegrq cbxvat nebhaq @10CZ... sbhaq favssre ng 12NZ... vg'f 4NZ abj. V pna'g ernpu nalbar vaibyirq.
V pna'g anvy qbja nalbar ng gur havirefvgl pyhfgre ybpngvba (rkprcg fbzrbar jub pynvzrq gb or n 'pbzchgre bcrengbe' jub pbhyq 'pnyy na nanylfg' be _znlor_ Cvgg'f puvrs bs frphevgl - jub, ng guvf cbvag, V qb abg guvax gbb uvtuyl bs - qhr gb 4-zbagu- byq hasvavfurq ohfvarff naq gung-ybat bs orvat wrexrq nebhaq, FGVYY ab cbyvpl ba frphevgl sebz Cvgg, BE gur qrcg. JGS vf tbvat ba nebhaq guvf cynpr?!?!?! 10,000 fghqragf cnlvat $55/grez sbe pbzchgre srrf naq lbh pnyy guvf freivpr? V jnag n S*vat ershaq. NETUUUU! Naq V unir gb ernq 60 cntrf bs Vtarbhf Crgebybtl sbe Zbaqnl. Vg'f qrafr rabhtu jura V'z abg fyrrcl. Zl TS vf qbja jvgu gur syh. V arrq gb qevir zl erpragyl-fgbyra pne gb gur fubc gb trg er-vafcrpgrq orpnhfr gur #$#% chaxf oebxr zl tynff gb trg gur fgvpxref. Jnaan org jvgu zr gung guvf cynpr jvyy or n qnza pvephf sbe gur arkg jrrxf naq ABGUVAT jvyy vzcebir? Urer'f zl $20. sztfg () lnubb pbz --------------
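The indicators Filip works through by hand in the post above (a dot-directory under /dev, regular executables living in /dev, root's crontab pointing into /dev, and /usr/bin/login rewritten inside the intrusion window) can be checked mechanically on a host you suspect. The script below is an added example written for this archive page; it is not the author's code and has nothing to do with the rootkit binaries listed. It builds a constructed directory tree whose names and dates mirror the listings in the post (file contents are empty placeholders, and dev/tty is a plain file standing in for a device node) and runs the checks against it; pointing triage() at "/" runs the same checks on a live system. All function names, the window dates and the tree layout are the example's own assumptions.

```python
"""Post-compromise triage checks modelled on the indicators in the post above.
Added example: runs against a constructed tree, not the author's host."""
import calendar
import os
import stat
import tempfile
import time


def ts(text):
    """Parse 'YYYY-MM-DD HH:MM' as a UTC epoch timestamp (assumed input format)."""
    return calendar.timegm(time.strptime(text, "%Y-%m-%d %H:%M"))


def _rel(root, path):
    return os.path.relpath(path, root).replace(os.sep, "/")


def hidden_in_dev(root):
    """Dot-named entries anywhere under <root>/dev (the post found /dev/.a and /dev/.backup)."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(os.path.join(root, "dev")):
        for name in dirnames + filenames:
            if name.startswith("."):
                hits.append(_rel(root, os.path.join(dirpath, name)))
    return sorted(hits)


def executables_in_dev(root):
    """Regular files with an execute bit under /dev; a device tree should hold none."""
    hits = []
    for dirpath, _, filenames in os.walk(os.path.join(root, "dev")):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IXUSR:
                hits.append(_rel(root, path))
    return sorted(hits)


def cron_commands_under(root, prefix="/dev/"):
    """(user, line) pairs from crontabs whose command starts with an unexpected prefix."""
    crondir = os.path.join(root, "var/spool/cron/crontabs")
    hits = []
    if not os.path.isdir(crondir):
        return hits
    for user in sorted(os.listdir(crondir)):
        with open(os.path.join(crondir, user)) as fh:
            for line in fh:
                line = line.strip()
                if not line or line.startswith("#"):
                    continue
                fields = line.split(None, 5)  # five time fields, then the command
                if len(fields) == 6 and fields[5].startswith(prefix):
                    hits.append((user, line))
    return hits


def modified_between(root, start, end, subdirs=("usr/bin", "usr/sbin")):
    """Files in trusted binary directories whose mtime falls inside [start, end]."""
    hits = []
    for sub in subdirs:
        for dirpath, _, filenames in os.walk(os.path.join(root, sub)):
            for name in filenames:
                path = os.path.join(dirpath, name)
                if start <= os.lstat(path).st_mtime <= end:
                    hits.append(_rel(root, path))
    return sorted(hits)


def triage(root, window=(ts("1999-12-31 00:00"), ts("2000-01-01 00:00"))):
    """Run every check; the default window is the Dec 31 compromise date from the post."""
    return {
        "hidden_in_dev": hidden_in_dev(root),
        "executables_in_dev": executables_in_dev(root),
        "cron_in_dev": cron_commands_under(root),
        "modified_in_window": modified_between(root, *window),
    }


def build_sample_tree():
    """Constructed tree mirroring the post's listings (names/dates only, empty files)."""
    root = tempfile.mkdtemp(prefix="triage-")

    def put(rel, when, mode=0o644, body=""):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)
        os.utime(path, (when, when))

    put("dev/.a/sun_lo", ts("1999-12-31 05:47"), 0o755)       # sniffer
    put("dev/.a/.cr0n", ts("1999-12-31 05:44"))
    put("dev/.backup/login", ts("1996-05-02 00:00"), 0o755)   # stashed original login
    put("dev/logcheck", ts("1999-12-31 05:45"), 0o755)
    put("dev/named", ts("1999-12-31 05:45"), 0o755)
    put("dev/tty", ts("1996-05-02 00:00"))                    # stand-in for a device node
    put("usr/bin/login", ts("1999-12-31 05:45"), 0o755)       # trojaned login
    put("usr/bin/xcat", ts("1999-11-01 00:38"), 0o755)
    put("usr/bin/ls", ts("1996-05-02 00:00"), 0o755)
    put("var/spool/cron/crontabs/root", ts("1999-12-31 05:46"), body=(
        "0 3 * * * /usr/lib/newsyslog\n"                     # benign line
        "0,10,20,30,40,50 * * * * /dev/logcheck >/dev/null 2>&1\n"
        "0,10,20,30,40,50 * * * * /dev/named >/dev/null 2>&1\n"))
    return root


if __name__ == "__main__":
    for key, value in triage(build_sample_tree()).items():
        print(key, value)
```

The checks are deliberately narrow: they key on where files are and when they changed, not on the rootkit's names, so a renamed copy of the same kit still trips them. They are no substitute for comparing against known-good hashes or an offline backup, which is why the post's point about a tape made while the sniffer ran matters.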
Current thread:
- Scanners using netcraft? Michael Damm (Jan 05)
- Re: Scanners using netcraft? Richard Trott (Jan 05)
- Re: Scanners using netcraft? Mike Johnson (Jan 05)
- Got cracked/attacked this morning Filip M. Gieszczykiewicz (Jan 08)
- god damn - we got rooted again (long, alas) Filip M. Gieszczykiewicz (Jan 09)
- rootkit site found in sniff log (??) Filip M. Gieszczykiewicz (Jan 09)
- Re: Scanners using netcraft? Al Huger - Mail Account (Jan 05)
- Port 3593 Raistlin (Jan 05)
- Re: Scanners using netcraft? sekurity (Jan 05)
- <Possible follow-ups>
- Re: Scanners using netcraft? Eric Cholet (Jan 05)
- Re: Scanners using netcraft? mea culpa (Jan 10)