Re: Cracked by the Brazilians

[mhw () WITTSEND COM (Michael H. Warfield)]

On Thu, Mar 30, 2000 at 01:22:56PM -0500, Seth Milder wrote:
> Hi.

> I am running a Linux server that is running RH 6.0. I have implemented
> TCP wrappers, portsentry, logcheck and religiously applied any patches
> as soon as possible. Still, I get cracked. My server runs Bind-8.2
                                                            ^^^^^^^^
        Oh oh...  Is that 8.2 or 8.8.2P5 or better?  If the former
(and the reset of your information would seem to confirm it) that's
how you were owned.  Latest RPM for RedHat bind is bind-8.2.2_P3-1
which is suppose to be equivalent to ISC Bind 8.2.2P5.  Any 8.2 version
prior to that has a known root hack and ADMROCKS is symptomatic of
that breakin.

> (caching nameserver only, which is bound to an ethernet card with
> private addresses), PostgreSQL, NFS, ssh2 (no root login allowed),
> ipop3d, and NIS. It also serves as a IP MASQ server for a computer lab
> through a second ethernet card. I found the usual BitchX stuff along
> with the package bscan.tar which contains:
>
> README  binfo  bscan  bscan.conf  core  dupecheck
>
> The README says:
>
>       BinD    bInD    biNd    BinD    bINd    BiNd    biNd    BInd    biND
>
>       Bind scanner by sagi.
>
>       This scanner is PRIVATE, so dont fucking send it to anyone!
>       if you do, you will die.
>
>       I'll bet you're sitting down teling yourself "Ok shuttup just tell me
>       how to use it."
>
>       If I'm right, than it means you are a fucking idiot and I'm NOT going
>       to teach the lamest script kiddie on earth how to use it.
>       Figure it out, it's easy.
>
>
>       - sagi & I_D_F.
>
>       *** CrEdiTs:
>       1. spwny :-) for his kewl dupecheck program.
>       2. 'Joshua James Drake' for the binfo program ;p.
>       3. I_D_F for helping with this README :)
>
>
> I guess this may have something to do with this:
>       [root@physics ADMROCKS]# pwd
>       /var/named/ADMROCKS

        Yup...  Named root hole.

> But this is an empty directory. I think maybe it did not work. I can't
> remember what this is but I have seen it before. There is also the
> directory /usr4/.usr which contains:
>
> [root@physics .usr]# ls
> BitchX
> [LASF]_Hanging_Up_[Telesync][1of2].asf                                
> [LASF]_Mission_To_Mars_[GOOD.Telesync][1of2].asf  scr-bx      sexet2.mpg
> BitchX-75p3-Linux-glibc2-i386.tar
> [LASF]_Hanging_Up_[Telesync][2of2].asf
> [LASF]_Mission_To_Mars_[GOOD.Telesync][2of2].asf  sexet1.mpg  wserv

> I still do not know how they got in. Furthermore, I do not know how they
> obtained root access even if they did compromise a user account. I do
> know that ls and netstat are changed as well.

        If you have the ADMROCKS directory, they got in through bind and
they probably cleaned up after themselves.

> Here is the first suspicious log entry:
>
>
> Mar 28 23:55:13 physics kernel: adm uses obsolete (PF_INET,SOCK_PACKET)
> Mar 28 23:55:13 physics kernel: eth0: Setting promiscuous mode.
> Mar 28 23:55:13 physics kernel: device eth0 entered promiscuous mode
> Mar 29 00:00:43 physics portsentry[638]: attackalert: SYN/Normal scan
> from host: slip-32-101-214-193.ri.br.prserv.net/32.101.214.193 to TCP
> port: 15
> Mar 29 00:00:43 physics portsentry[638]: attackalert: Host
> 32.101.214.193 has been blocked via wrappers with string: "ALL:
> 32.101.214.193"
> Mar 29 00:00:43 physics portsentry[638]: attackalert: Host
> 32.101.214.193 has been blocked via dropped route using command:
> "/sbin/ipchains -I input -s 32.101.214.193 -j DENY -
> l"
> Mar 29 00:00:49 physics kernel: Packet log: input DENY eth0 PROTO=6
> 32.101.214.193:4640 129.174.44.73:4380 L=60 S=0x00 I=39469 F=0x4000 T=54
> SYN (#1)
> Mar 29 00:00:52 physics kernel: Packet log: input DENY eth0 PROTO=6
> 32.101.214.193:4640 129.174.44.73:4380 L=60 S=0x00 I=39473 F=0x4000 T=54
> SYN (#1)
> Mar 29 00:00:58 physics kernel: Packet log: input DENY eth0 PROTO=6
> 32.101.214.193:4640 129.174.44.73:4380 L=60 S=0x00 I=39476 F=0x4000 T=54
> SYN (#1)
> Mar 29 00:02:49 physics kernel: Packet log: input DENY eth0 PROTO=6
> 32.101.214.193:4638 129.174.44.73:4380 L=55 S=0x00 I=39520 F=0x4000 T=54
> (#1)
>
>
>
> Then I get this:
>
>
> Mar 30 05:00:19 physics login[10906]: FAILED LOGIN 1 FROM
> ABD73C7E.ipt.aol.com FOR ftp, User not known to the underlying
> authentication module
> Mar 30 05:00:28 physics PAM_pwdb[10906]: authentication failure; (uid=0)
> -> postgres for login service
> Mar 30 05:00:29 physics login[10906]: FAILED LOGIN 2 FROM
> ABD73C7E.ipt.aol.com FOR postgres, Authentication failure
> Mar 30 05:00:33 physics PAM_pwdb[10906]: (login) session opened for user
> postgres by (uid=0)
> Mar 30 05:01:26 physics PAM_pwdb[10927]: (login) session opened for user
> postgres by (uid=0)
> Mar 30 05:01:31 physics PAM_pwdb[10943]: (su) session opened for user x
> by postgres(uid=40)
> Mar 30 05:04:47 physics identd[10961]: Connection from irc.Stanford.EDU
> Mar 30 05:04:57 physics identd[10961]: from: 198.94.52.220 (
> irc.Stanford.EDU ) for: 4160, 6667
> Mar 30 05:05:46 physics identd[10963]: Connection from irc.Stanford.EDU
> Mar 30 05:05:56 physics identd[10963]: from: 198.94.52.220 (
> irc.Stanford.EDU ) for: 4179, 6667
> Mar 30 05:05:57 physics identd[10965]: Connection from cypher.core.com
> Mar 30 05:05:57 physics identd[10965]: from: 208.133.73.83 (
> cypher.core.com ) for: 4190, 6667
> Mar 30 05:06:06 physics identd[10967]: Connection from irc.Stanford.EDU
> Mar 30 05:06:08 physics identd[10967]: from: 198.94.52.220 (
> irc.Stanford.EDU ) for: 4191, 6667
> Mar 30 05:06:15 physics identd[10969]: Connection from Irc.mcs.net
> Mar 30 05:06:15 physics identd[10969]: from: 192.160.127.97 (
> Irc.mcs.net ) for: 4198, 6667
> Mar 30 05:21:18 physics identd[11003]: Connection from osf1.gmu.edu
> Mar 30 05:21:18 physics identd[11003]: from: 129.174.1.13 ( osf1.gmu.edu
> ) for: 4507, 25
> Mar 30 06:11:26 physics PAM_pwdb[10943]: (su) session closed for user x
> Mar 30 06:13:09 physics kernel: VFS: file-max limit 4096 reached
> Mar 30 06:22:58 physics kernel: Unable to load interpreter
> Mar 30 06:23:59 physics kernel: Unable to load interpreter
> Mar 30 06:30:19 physics kernel: Unable to load interpreter
> Mar 30 06:32:37 physics kernel: Unable to load interpreter
> Mar 30 06:32:37 physics kernel: Unable to load interpreter
>
> Then they try to log on as a faculty member:
>
>
> Mar 30 10:52:04 physics login[26695]: FAILED LOGIN 1 FROM
> slip-32-101-214-192.ri.br.prserv.net FOR xxxxx, Authentication failure
> Mar 30 10:52:09 physics login[26695]: FAILED LOGIN 2 FROM
> slip-32-101-214-192.ri.br.prserv.net FOR xxxxx, Authentication failure

> Any ideas how they got in?

        ADMROCKS = broken into via known bind exploit.

> Thanks,

> Seth

        Mike

--
 Michael H. Warfield    |  (770) 985-6132   |  mhw () WittsEnd com
  (The Mad Wizard)      |  (770) 331-2437   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!