Security Incidents mailing list archives

god damn - we got rooted again (long, alas)


From: filipg () CORONA EPS PITT EDU (Filip M. Gieszczykiewicz)
Date: Sun, 9 Jan 2000 04:50:13 -0500


From the ooh-look-at-the-pretty-fireball POV, this post is
entertaining.

Remember my last post? - where someone "got" my password on
my machine and tried 'local-user -> root' exploit script?

summary:
-------------
Date: Sat, 8 Jan 2000 23:53:40 -0500 (EST)
To: SG

Hehehe... some lamer [somehow] got into my 'filipg' account on
fw... I captured almost all of the attack. I think there might
be a sniffer on the local network... I'll be checking for it
first.

When the 'script' didn't work... they logged off. What a loser.
-------------

I had one more long look at my logs.. and posted the first
article to this forum (INCIDENTS):
-------------
Date: Sat, 8 Jan 2000 23:35:20 -0500 (EST)
To: INCIDENTS () SECURITYFOCUS COM
bcc: dbmon () connect com au, abuse () connect com au
Subject: Got cracked/attacked this morning
-------------

Then a post to our grad-in-charge-of-server(s):
-------------
Subject: Re: Sniffer on local net possible: don't forward to CIS yet
To: SZ

On Sat, 8 Jan 2000, SZ wrote:
any idea what the hell is going on here?

Here's what's going on:
a) someone GOT my filipg password on <hostnametrimmed>
   (I only log into it from corona, GIS room, and console!)
   (this part I can not explain)
b) they ran an exploit-script which FAILED (because this
   machine is really swept for bugs by yours truly)
c) the script failed, they logged off.
-------------

I checked the one server I have access to... Solaris 2.5.1
patched to LATEST levels... I did a 'ps -Af' and saw a
root'owned process running with a relative path. "WTF?"

From a message to admin (SZ):
-------------------------
Date: Sun, 9 Jan 2000 01:54:01 -0500 (EST)
Subject: strange process on corona
To: SZ

Doing a ps -Af gives a line:

    root 12450     1  0 02:31:55 ?       12:13 ./sun_lo -s -l

Any idea what it is and where it's being run from? I'm doing a
find / for it now... but I'm not root so a lot of dirs
fail.

I'd say it looks fishy!
-------------

Not much later I remembered the root password (I installed an
old 1GB clunker on corona this week... was tight on space before)...

I did a find / -print | grep "sun_lo" and it came up in
"/dev/.a"

"F*ck! Not _again_. [sick feeling]"

-------------
Date: Sun, 9 Jan 2000 02:01:08 -0500 (EST)
Subject: F*CK: we *WERE* rooted on corona. Thank GOD I remember the root
 passwd. My password WAS sniffed. **CHANGE ALL PASSWORDS**

SZ, sun_lo was a packet sniffer in /dev/.a/
I'm saving logs this time.
More later.
So much for "security".
Cheers,
Filip G.
(sniffer no longer running)
-------------

Ok, echo > /etc/nologin, tar'ed the whole /dev/ tree to
/tmp, then FTPed the file to my machine (attacked but held)
then ps -Af | grep "/dev" and started nuking. Lamers had added
to crontab, so I commented that out and restarted crond.

[a bit later, ~2AM local time, called in to the maintenance
folks that keep our central university cluster and gave them
the IP's of assumed-to-be-rooted hosts. Asked to turn on
deeper logging on local router(s). We'll see if they
react in time. I have no access to rest of machines and
until prof shows up tomorrow, lamers running free]

* * *

Anyways, here's the prelim report - gory details:

* cracked Dec 31. Yup.
* uname -a:
SunOS corona 5.5.1 Generic_103640-28 sun4m sparc SUNW,SPARCstation-4
(patched to latest patchlevel). Can get more info from SZ if anyone
wants as to which patches were installed, etc.
* found core in /, /core is:
ELF 32-bit MSB core file SPARC Version 1, from 'in.ftpd'
BUT core dated: (239980 bytes) Jan  9 00:58 (!!)
(-r-xr-xr-x   1 bin      bin        45936 Jul  8  1999 /usr/sbin/in.ftpd)
(remember we were rooted Dec 31, see below)
* gdb /usr/sbin/in.ftpd /core:
-----------------
Core was generated by `in.ftpd'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libsocket.so.1...(no debugging symbols found)...
done.
Reading symbols from /usr/lib/libnsl.so.1...(no debugging symbols found)...
done.
Reading symbols from /usr/lib/libbsm.so.1...(no debugging symbols found)...
done.
Reading symbols from /usr/lib/libauth.so.1...(no debugging symbols found)...
done.
Reading symbols from /usr/lib/libdl.so.1...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libc.so.1...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libintl.so.1...(no debugging symbols found)...
done.
Reading symbols from /usr/lib/libmp.so.1...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libw.so.1...(no debugging symbols found)...done.
#0  0x145a8 in yyerror ()
(gdb) where
#0  0x145a8 in yyerror ()
#1  0x171fc in yylex ()
#2  0x177ec in yyparse ()
#3  0x12b08 in __cg89_used ()
-----------------
* /var/log/syslog ZERO. damn.
* find / -ls | grep "Dec 31" gave:
-----------------
185025    1 drwxr-xr-x  2 root     sys           512 Dec 31 05:46 /var/spool/cron/crontabs
64192    7 drwxrwxr-x  2 root     bin          7168 Dec 31 05:45 /usr/bin
442018   26 -r-sr-xr-x  1 root     other       26476 Dec 31 05:45 /usr/bin/login
411789    7 -rwxr-xr-x  1 root     other        6868 Dec 31 05:43 /dev/.a/milk
411823    7 -rwxr-xr-x  1 root     other        6540 Dec 31 05:44 /dev/.a/sunstealth
411879   39 -rwxr-xr-x  1 root     other       39288 Dec 31 05:47 /dev/.a/sun_hmes
411880    1 -rw-r--r--  1 root     other         113 Dec 31 05:44 /dev/.a/.cr0n
411881   38 -rwxr-xr-x  1 root     other       38472 Dec 31 05:47 /dev/.a/sun_lo
449440    1 drwxr-xr-x  2 root     other         512 Dec 31 05:45 /dev/.backup
-----------------
* strings of /usr/bin/login:
(-r-sr-xr-x   1 root     other      26476 Dec 31 05:45 /usr/bin/login)
-----------------
login
/bin/sh
/usr/bin/xcat
TERM
vt10210
%s=%s
vt100
-----------------
* strings of /usr/bin/xcat
(-rwxr-xr-x   1 ayres    100        28800 Nov  1 00:38 /usr/bin/xcat)
-----------------
<!sublogin>
login
Could not set ULIMIT to %ld
ROOT LOGIN %s FROM %.*s
ROOT LOGIN %s
.hushlogin
/var/adm/loginlog
/var/adm/loginlog
/etc/issue
/etc/issue
Looking at a login line.
root
/etc/nologin
Not on system console
Only one of -r and -h allowed
Only one of -r and -h allowed
f:h:r:pad:
TTYPROMPT
Usage:
login [-h|-r] [ name [ env-var ... ]]
/usr/bin/passwd
/usr/bin/passwd
Choose a new password.
Cannot execute /usr/bin/passwd
/var/adm/lastlog
No directory!
No directory!
REPEATED LOGIN FAILURES ON %s FROM %.*s
REPEATED LOGIN FAILURES ON %s
No directory! Logging in with home=/
REPEATED LOGIN FAILURES ON %s FROM %.*s
REPEATED LOGIN FAILURES ON %s
REPEATED LOGIN FAILURES ON %s FROM %.*s
REPEATED LOGIN FAILURES ON %s
pri=
No Root Directory
Subsystem root: %s
/usr/bin/login
login
/etc/login
login
No /usr/bin/login or /etc/login on root
Calloc failed - out of swap space.
TERM
/usr/bin:
/usr/bin/sh
L%d=%s
Last login: %.*s
from %.*s
on %.*s
/usr/bin/sh
/sbin/sh
No shell
%s: line %d, invalid entry -- %s
%s: line %d, invalid mode -- %s
%s: line %d, %s -- empty device list
%s:
%s:
%s/%s
%s:
%s:
SHELL=
HOME=
TERM=
LOGNAME=
PATH=
MAIL=/var/mail/
login:
Password:
Login incorrect
LANG
LC_CTYPE
LC_NUMERIC
LC_TIME
LC_COLLATE
LC_MONETARY
LC_MESSAGES
LC_ALL
no:password
/etc/default/login
/dev/???
login
/usr/sbin:/usr/bin
SHELL=
HOME=
LOGNAME=
MAIL=
CDPATH=
IFS=
PATH=
CONSOLE=
ALTSHELL=
PASSREQ=
TIMEZONE=
PATH=
SUPATH=
ULIMIT=
TIMEOUT=
UMASK=
IDLEWEEKS=
SLEEPTIME=
SYSLOG=
1200
1800
2400
4800
9600
19200
38400
57600
76800
115200
153600
230400
307200
460800
remuser
locuser
Terminal type
No utmpx entry. You must exec "login" from the lowest level "shell".
<!sublogin>
/usr/bin/sh
/sbin/sh
/etc/logindevperm
-----------------
* /usr/bin/xcat owned by a user that never logged in!
* list of /dev/.backup: (original login pgm)
-----------------
-r-sr-xr-x   1 root     bin        46444 May  2  1996 login
-----------------
* list of /dev/.a:
-----------------
-rw-r--r--   1 root     other        113 Dec 31 05:44 .cr0n
-rw-rw-rw-   1 root     root       87866 Jan  9 01:55 abc.heh
-rwxr-xr-x   1 root     other       6868 Dec 31 05:43 milk
-rwxr-xr-x   1 root     other      39288 Dec 31 05:47 sun_hmes
-rwxr-xr-x   1 root     other      38472 Dec 31 05:47 sun_lo
-rwxr-xr-x   1 root     other       6540 Dec 31 05:44 sunstealth
-----------------
* list of .cr0n:
-----------------
0,10,20,30,40,50 * * * *   /dev/logcheck >/dev/null 2>&1
0,10,20,30,40,50 * * * *   /dev/named >/dev/null 2>&1
-----------------
* strings of /dev/logcheck:
-----------------
bind
/dev/tty
fork: %s
Password:
Wrong password, got %s.
Host:
Found address for %s
Didnt find address for %s
Port:
%s: bad port number
Trying %s...
telcli: socket
Connected to %s port %d...
-----------------
* strings of /dev/named:
-----------------
named
socket
bind
listen
accept
Eggdrop1.3.28 (Modified)
FUCK OFF
/sbin/sh
Password:
fux0rd
-----------------
* Contents of /dev/.a/abc.heh:
-----------------
All the f*ckin packet headers for the whole g*dd*mn dept. All
the users, all the local machines, everything. Including the
root passwd for our main server. AND the passwords of 2 profs.
Geez. 88KB of them. MY machine in there AND my password.
***MYSTERY SOLVED!!!*** (see prev message to INCIDENTS)
-----------------
* strings of /dev/.a/milk
-----------------
milk v0.1a[milkweed]
usage: %s <victim> <size>
%s: unknown host
bombing %s with packets of %i bytes
ignoring
-----------------
* strings of /dev/.a/sun_hmes
-----------------
rlogin
telnet
smtp
-- TCP/IP LOG -- TM: %s --
 PATH: %s(%s) =>
 %s(%s)
 STAT: %s, %d pkts, %d bytes [%s]
 DATA:
     :
(%d)
PKT: (%s %04X)
%s[%s] =>
%s[%s]
DATA LIMIT
TH_FIN
TH_RST
IDLE TIMEOUT
SIGNAL
Log ended at => %s
sigalrm:  TIMEOUT
%s:  alarm
%s:  getmsg
%s:  MORECTL|MOREDATA
%s:  MORECTL
%s:  MOREDATA
getmsg:  control portion length < sizeof (long):  %d
unexpected dlprim error
dlattachreq:  putmsg
dlokack
dlokack:  response ctl.len too short:  %d
dlokack:  DL_OK_ACK was not M_PCPROTO
dlokack:  short response ctl.len:  %d
dlbindreq:  putmsg
dlbindack
dlbindack:  DL_OK_ACK was not M_PCPROTO
dlbindack:  short response ctl.len:  %d
dlpromiscon:  putmsg
/dev/hme
DLIOCRAW
bufmod
push bufmod
SBIOCSTIME
SBIOCSCHUNK
I_FLUSH
finished getmsg() = %i
c6Lqd3Dvn2l3s
(%s)UP?
Output file cant be opened
filtering out smtp connections.
filtering out telnet connections.
filtering out rsh/rlogin connections.
filtering out ftp connections.
Usage: %s [-d x] [-s] [-f] [-l] [-t] [-i interface] [-o file]
-d int    set new data limit (128 default)
-s        filter out smtp connections
-f        filter out ftp connections
-l        filter out rlogin/rsh connections
-t        filter out telnet connections
-o <file> output to <file>
Using logical device %s [%s]
Output to %s.%s%s
stdout
 (debug)
 Backgrounding
[Cannot bg with debug on]
Log started at => %s [pid %d]
-----------------
* strings of /dev/.a/sun_lo
-----------------
rlogin
telnet
smtp
-- TCP/IP LOG -- TM: %s --
 PATH: %s(%s) =>
 %s(%s)
 STAT: %s, %d pkts, %d bytes [%s]
 DATA:
     :
(%d)
PKT: (%s %04X)
%s[%s] =>
%s[%s]
DATA LIMIT
TH_FIN
TH_RST
IDLE TIMEOUT
SIGNAL
Log ended at => %s
sigalrm:  TIMEOUT
%s:  alarm
%s:  getmsg
%s:  MORECTL|MOREDATA
%s:  MORECTL
%s:  MOREDATA
getmsg:  control portion length < sizeof (long):  %d
unexpected dlprim error
dlattachreq:  putmsg
dlokack
dlokack:  response ctl.len too short:  %d
dlokack:  DL_OK_ACK was not M_PCPROTO
dlokack:  short response ctl.len:  %d
dlbindreq:  putmsg
dlbindack
dlbindack:  DL_OK_ACK was not M_PCPROTO
dlbindack:  short response ctl.len:  %d
dlpromiscon:  putmsg
/dev/le
DLIOCRAW
bufmod
push bufmod
SBIOCSTIME
SBIOCSCHUNK
I_FLUSH
finished getmsg() = %i
c6Lqd3Dvn2l3s
(%s)UP?
Output file cant be opened
filtering out smtp connections.
filtering out telnet connections.
filtering out rsh/rlogin connections.
filtering out ftp connections.
Usage: %s [-d x] [-s] [-f] [-l] [-t] [-i interface] [-o file]
-d int    set new data limit (128 default)
-s        filter out smtp connections
-f        filter out ftp connections
-l        filter out rlogin/rsh connections
-t        filter out telnet connections
-o <file> output to <file>
Using logical device %s [%s]
Output to %s.%s%s
stdout
 (debug)
 Backgrounding
[Cannot bg with debug on]
Log started at => %s [pid %d]
-----------------
* strings of /dev/.a/sunstealth
-----------------
[1mStealth
[0m> %s
[1;30m:
[0m port %d
[1mStealth
[0m> Non
[1;30m-
[0mexistant host
[1;30m:
[0m %s
[1;30mtw
[0mit
[1mch@St
[0meal
[1;30mth
[33m:
[1;5;31mThis tool is extremely dangerous. Use at your own risk!
[1;30mUsage:
[0m st
[1m-
[0mkill <
[1mhost
[0m> <
[1mport
[0m>
0123456789ABCDE
-----------------
* Additional view of above file:
-----------------
<@(#)SunOS 5.5.1 Generic May 1996as: SC4.0 dev 15 Feb 1995
GCC: (GNU) 2.7.2.1as: WorkShop Compilers 4.2 dev 13 May 1996
GCC: (GNU) 2.7.2.1as: SC4.0 dev 15 Feb 1995
GCC: (GNU) 2.7.2.1ld: (SGU) SunOS/ELF (LK-2.0 (S/I)
[...]
-----------------
* That's about it.
* I'll halt the machine once this is posted. There was a
backup made WHILE the sniffer was running - so, if a) the
tape is good, b) /dev was backed up, and c) the tape can
be found, we have a backup of exploit.
* The other machine in the dept was behaving 'odd' - but I
thought 'we got hacked in July, BEEN keeping up with patches,
can't be that'... [SMACK! SMACK!] Ow! Ow! S.Z.
* The dept 'purchased' a security service contract with our
very own CIS, oh, 4 MONTHS ago. They NEVER sent anyone to
do any work. I wonder if this a) makes them look like idiots,
b) makes more of their people quit, c) changes nothing. [yawn]
* I think I'm going to be sick. Anyone have a barf-bag?

NO cheers,
Filip G.

P.S. Ok, rant time. Ignore if you're from CIS. I'm pissed:
(rot13)
--------------
Fgnegrq cbxvat nebhaq @10CZ... sbhaq favssre ng 12NZ...
vg'f 4NZ abj. V pna'g ernpu nalbar vaibyirq. V pna'g anvy
qbja nalbar ng gur havirefvgl pyhfgre ybpngvba (rkprcg
fbzrbar jub pynvzrq gb or n 'pbzchgre bcrengbe' jub pbhyq
'pnyy na nanylfg' be _znlor_ Cvgg'f puvrs bs frphevgl - jub,
ng guvf cbvag, V qb abg guvax gbb uvtuyl bs - qhr gb 4-zbagu-
byq hasvavfurq ohfvarff naq gung-ybat bs orvat wrexrq nebhaq,
FGVYY ab cbyvpl ba frphevgl sebz Cvgg, BE gur qrcg. JGS vf
tbvat ba nebhaq guvf cynpr?!?!?! 10,000 fghqragf cnlvat
$55/grez sbe pbzchgre srrf naq lbh pnyy guvf freivpr? V jnag
n S*vat ershaq. NETUUUU!

Naq V unir gb ernq 60 cntrf bs Vtarbhf Crgebybtl sbe Zbaqnl.
Vg'f qrafr rabhtu jura V'z abg fyrrcl. Zl TS vf qbja jvgu gur
syh. V arrq gb qevir zl erpragyl-fgbyra pne gb gur fubc gb
trg er-vafcrpgrq orpnhfr gur #$#% chaxf oebxr zl tynff gb
trg gur fgvpxref. Jnaan org jvgu zr gung guvf cynpr jvyy or
n qnza pvephf sbe gur arkg jrrxf naq ABGUVAT jvyy vzcebir?
Urer'f zl $20. sztfg () lnubb pbz
--------------
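What follows is an added example, not part of Filip's post or of any tool named in it: a small Python triage script that mechanises the checks he did by hand. It parses `find / -ls` lines, the .cr0n crontab and the `strings` output, all embedded as samples constructed from the listings above, and flags the regular and dot-named entries under /dev, the burst of root-owned changes at Dec 31 05:43-05:47 that dates the install, the cron jobs run out of /dev, and the setuid /usr/bin/login whose strings show it is only a wrapper around /usr/bin/xcat. The thresholds (a 10-minute window, four files) and the year 1999 are assumptions supplied by the caller; find -ls prints no year for recent entries.

```python
"""Triage of the artefacts quoted above.  Added example, not code from the post or
from any tool it names: parses find -ls, crontab and `strings` output (embedded
below as samples constructed from the post's listings) and flags the findings."""
import re
from datetime import datetime, timedelta

# find -ls columns: inode blocks mode nlink owner group size  Mon DD (HH:MM|YYYY)  path
FIND_LS = re.compile(
    r"^\s*(?P<ino>\d+)\s+(?P<blk>\d+)\s+(?P<mode>[-dlbcps][rwxsStT-]{9})\s+"
    r"(?P<nlink>\d+)\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+(?P<size>\d+)\s+"
    r"(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<yt>\d{2}:\d{2}|\d{4})\s+(?P<path>\S+)$")
CRON_CMD = re.compile(r"^\s*(?:\S+\s+){5}(?P<cmd>\S+)")   # five time fields, then the command

# Constructed sample: the `find / -ls | grep "Dec 31"` output quoted in the post.
FIND_LS_SAMPLE = """\
185025    1 drwxr-xr-x  2 root     sys           512 Dec 31 05:46 /var/spool/cron/crontabs
64192    7 drwxrwxr-x  2 root     bin          7168 Dec 31 05:45 /usr/bin
442018   26 -r-sr-xr-x  1 root     other       26476 Dec 31 05:45 /usr/bin/login
411789    7 -rwxr-xr-x  1 root     other        6868 Dec 31 05:43 /dev/.a/milk
411823    7 -rwxr-xr-x  1 root     other        6540 Dec 31 05:44 /dev/.a/sunstealth
411879   39 -rwxr-xr-x  1 root     other       39288 Dec 31 05:47 /dev/.a/sun_hmes
411880    1 -rw-r--r--  1 root     other         113 Dec 31 05:44 /dev/.a/.cr0n
411881   38 -rwxr-xr-x  1 root     other       38472 Dec 31 05:47 /dev/.a/sun_lo
449440    1 drwxr-xr-x  2 root     other         512 Dec 31 05:45 /dev/.backup
""".splitlines()
# Constructed sample: /dev/.a/.cr0n as listed in the post.
CRON_SAMPLE = ["0,10,20,30,40,50 * * * *   /dev/logcheck >/dev/null 2>&1",
               "0,10,20,30,40,50 * * * *   /dev/named >/dev/null 2>&1"]
# Constructed samples: `strings` of the trojaned /usr/bin/login (complete, per the
# post) and an excerpt of the real one that had been renamed to /usr/bin/xcat.
TROJAN_LOGIN_STRINGS = ["login", "/bin/sh", "/usr/bin/xcat", "TERM", "vt10210", "%s=%s", "vt100"]
REAL_LOGIN_STRINGS = ["<!sublogin>", "login", "/var/adm/loginlog", "/usr/bin/passwd",
                      "/etc/default/login", "login:", "Password:", "Login incorrect"]

def parse_find_ls(line, default_year):
    """One find -ls line -> dict, or None.  find -ls prints HH:MM and no year for
    entries younger than ~6 months, so the caller supplies the year (1999 here)."""
    m = FIND_LS.match(line)
    if not m:
        return None
    d = m.groupdict()
    if ":" in d["yt"]:   # recent entry: time printed, year omitted
        mtime = datetime.strptime(f"{d['mon']} {d['day']} {default_year} {d['yt']}", "%b %d %Y %H:%M")
    else:                # older entry: year printed, time omitted
        mtime = datetime.strptime(f"{d['mon']} {d['day']} {d['yt']}", "%b %d %Y")
    return {"mode": d["mode"], "owner": d["owner"], "size": int(d["size"]),
            "mtime": mtime, "path": d["path"]}

def hidden_in_dev(entries):
    """/dev should hold only device nodes, directories and symlinks; a regular
    file or any dot-named entry there is the classic place to stash a kit."""
    hits = []
    for e in entries:
        name = e["path"].rsplit("/", 1)[-1]
        if e["path"].startswith("/dev/") and (e["mode"][0] == "-" or name.startswith(".")):
            hits.append(e["path"])
    return hits

def setuid_root(entries):
    """Root-owned entries with the setuid bit (owner-exec column is s/S)."""
    return [e["path"] for e in entries if e["owner"] == "root" and e["mode"][3] in "sS"]

def change_bursts(entries, window_min=10, min_files=4):
    """Group mtimes falling within window_min of each other.  A kit install touches
    many files in a few minutes; that burst dates the compromise."""
    es = sorted(entries, key=lambda e: e["mtime"])
    bursts, i = [], 0
    while i < len(es):
        j = i
        while j + 1 < len(es) and es[j + 1]["mtime"] - es[i]["mtime"] <= timedelta(minutes=window_min):
            j += 1
        if j - i + 1 >= min_files:
            bursts.append((es[i]["mtime"], es[j]["mtime"], [e["path"] for e in es[i:j + 1]]))
        i = j + 1
    return bursts

def cron_into_scratch(crontab_lines, prefixes=("/dev/", "/tmp/", "/var/tmp/")):
    """Commands a crontab runs from /dev or a world-writable scratch directory."""
    cmds = [m.group("cmd") for m in map(CRON_CMD.match, crontab_lines) if m]
    return [c for c in cmds if c.startswith(prefixes)]

def looks_like_login_wrapper(strings_out):
    """A genuine Solaris login carries its config path and error messages; a small
    wrapper that only names another program to exec carries neither."""
    s = set(strings_out)
    expected = {"/etc/default/login", "Login incorrect", "/var/adm/lastlog"}
    execs = sorted(x for x in s if x.startswith(("/bin/", "/usr/bin/", "/sbin/")))
    return (not (expected & s) and bool(execs), execs)

if __name__ == "__main__":
    ents = [e for e in (parse_find_ls(l, 1999) for l in FIND_LS_SAMPLE) if e]
    print("hidden in /dev:", hidden_in_dev(ents))
    print("setuid root:", setuid_root(ents))
    for start, end, paths in change_bursts(ents):
        print(f"change burst {start:%b %d %H:%M}-{end:%H:%M}: {len(paths)} files")
    print("cron from scratch:", cron_into_scratch(CRON_SAMPLE))
    print("login is a wrapper:", looks_like_login_wrapper(TROJAN_LOGIN_STRINGS))
```

Run as-is it reports the findings on the embedded samples. On a live box feed it the full `find / -ls` output rather than a grep on one date, plus `crontab -l` for every user, and run it from a clean boot medium with known-good binaries: a kit that replaces /usr/bin/login can just as easily replace ls, find and ps, so the listings the compromised host gives you are only as trustworthy as the tools that produced them.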

