Security Incidents mailing list archives

Intrusion - Advice?


From: "Cook, Oliver" <o.cook () ETONCOLLEGE ORG UK>
Date: Sun, 12 Nov 2000 19:03:38 -0000

A system I administrate, running Slackware 7.0, was compromised today
at 18:00 GMT. I would appreciate it if you could lend me some advice.

I run a modified version of bash, so at least I can see what commands
they were issuing. This is the log of the commands the intruders
issued:

Nov 12 18:00:11 ws232 -bash: #joe# w
Nov 12 18:00:22 ws232 -bash: #joe# ps
Nov 12 18:00:29 ws232 -bash: #joe# cd public_hmtl
Nov 12 18:00:34 ws232 -bash: #joe# cd public_html
Nov 12 18:00:36 ws232 -bash: #joe# dir
Nov 12 18:00:42 ws232 -bash: #joe# cd diary_img
Nov 12 18:00:43 ws232 -bash: #joe# dir
Nov 12 18:00:53 ws232 -bash: #joe# uname -a
Nov 12 18:01:28 ws232 -bash: #joe# whereis rpc.statd
Nov 12 18:02:01 ws232 -bash: #joe# passwd
Nov 12 18:03:03 ws232 -bash: #joe# ps
Nov 12 18:03:19 ws232 -bash: #joe# kill -9 6984
Nov 12 18:05:06 ws232 -bash: #joe# passwd
Nov 12 18:06:01 ws232 -bash: #joe# finger
Nov 12 18:06:16 ws232 -bash: #joe# ps -aux
Nov 12 18:07:09 ws232 -bash: #joe# kill -9 6432
Nov 12 18:07:41 ws232 -bash: #joe# passwd
Nov 12 18:08:59 ws232 -bash: #joe# ls
Nov 12 18:09:35 ws232 -bash: #joe# ps -aux
Nov 12 18:10:03 ws232 -bash: #joe# id
Nov 12 18:10:47 ws232 -bash: #joe# uname -a
Nov 12 18:11:49 ws232 -bash: #joe# ls
Nov 12 18:13:02 ws232 -bash: #joe# passwd
Nov 12 18:15:54 ws232 -bash: #joe# who
Nov 12 18:15:59 ws232 -bash: #joe# uname -a
Nov 12 18:16:03 ws232 -bash: #joe# uptime
Nov 12 18:16:10 ws232 -bash: #joe# ls -al /bin/login
Nov 12 18:16:19 ws232 -bash: #joe# ls -al /usr/bin/*perl*
Nov 12 18:16:55 ws232 -bash: #joe# w
Nov 12 18:16:55 ws232 -bash: #joe# netstat
Nov 12 18:17:00 ws232 -bash: #joe# ln -fs /dev/null bash_history
Nov 12 18:17:02 ws232 -bash: #joe# cd /var/tmp
Nov 12 18:17:04 ws232 -bash: #joe# cat > p
Nov 12 18:17:12 ws232 -bash: #joe# chmod u+x p
Nov 12 18:17:13 ws232 -bash: #joe# ./p
Nov 12 18:17:44 ws232 -bash: #joe# ls -al /usr/bin/*perl*
Nov 12 18:17:54 ws232 -bash: #joe# vi p
Nov 12 18:18:19 ws232 -bash: #joe# ./p
Nov 12 18:18:57 ws232 -bash: #joe# last joe
Nov 12 18:19:08 ws232 -bash: #joe# ls
Nov 12 18:19:21 ws232 -bash: #joe# find / \( -perm -4000 -o -perm -2000 \) -type f -exec ls -l {} \; > suids 2>/dev/null &
Nov 12 18:19:34 ws232 -bash: #joe# ls -al sush
Nov 12 18:19:42 ws232 -bash: #joe# cat suids
Nov 12 18:19:51 ws232 -bash: #joe# ls
Nov 12 18:19:56 ws232 -bash: #joe# ps joe
Nov 12 18:20:01 ws232 -bash: #joe# cat suids
Nov 12 18:20:05 ws232 -bash: #joe# ps aux
Nov 12 18:20:11 ws232 -bash: #joe# ps -ef
Nov 12 18:20:18 ws232 -bash: #joe# cat /etc/passwd | grep :0:
Nov 12 18:20:23 ws232 -bash: #joe# cat s*
Nov 12 18:20:31 ws232 -bash: #joe# cat suids
Nov 12 18:20:42 ws232 -su: #root# write joe pts/6
Nov 12 18:20:59 ws232 -bash: #joe# write -f
Nov 12 18:20:59 ws232 -su: #root# tail /home/joe/.bash_history
Nov 12 18:21:02 ws232 -bash: #joe# write -d
Nov 12 18:21:13 ws232 -bash: #joe# rm .bash_history
Nov 12 18:21:23 ws232 -bash: #joe# unset HISTFILE
Nov 12 18:21:23 ws232 -su: #root# write joe pts/7
Nov 12 18:21:26 ws232 -bash: #joe# cat /etc/hosts
Nov 12 18:21:37 ws232 -bash: #joe# ls
Nov 12 18:21:38 ws232 -bash: #joe# rm -f *
Nov 12 18:21:44 ws232 -bash: #joe# write ollie
Nov 12 18:21:49 ws232 -bash: #joe# bas
Nov 12 18:22:00 ws232 -bash: #joe# write
Nov 12 18:22:01 ws232 -bash: #joe# cd bot
Nov 12 18:22:01 ws232 -bash: #joe# ls
Nov 12 18:22:16 ws232 -bash: #joe# cd scripts/
Nov 12 18:22:27 ws232 -bash: #joe# ls -al
Nov 12 18:22:28 ws232 -bash: #joe# ls
Nov 12 18:22:41 ws232 -bash: #joe# su
Nov 12 18:22:47 ws232 -bash: #joe# ls
Nov 12 18:22:53 ws232 -bash: #joe# cd /home/ollie
Nov 12 18:22:56 ws232 -bash: #joe# ls -al
Nov 12 18:23:01 ws232 -bash: #joe# cd /
Nov 12 18:23:08 ws232 -bash: #joe# cat password.tcl
Nov 12 18:23:10 ws232 -bash: #joe# ls -al `which traceroute`
Nov 12 18:23:28 ws232 -bash: #joe# who

A number of things occur to me about this intrusion. They seem
amateurish, missing out the '.' in "ln -fs /dev/null bash_history".

Stupidly, I thought the login was legitimate (it is a friend of
mine's account), which is why I sent a message to his terminal:
"write joe pts/6". I received back a message:

Message from joe () ws232 compromised machine tld on pts/6 at 18:21 ...
ahuahu gay ppp
EOF

I then realised this was an intrusion when I did 'w' and saw:

ws232:~# w
  6:21pm  up 23 days,  3:50,  3 users,  load average: 0.05, 0.02, 0.01
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
joe      pts/6    151.99.162.162    6:15pm 15.00s  0.10s  0.10s  -bash
joe      pts/7    dns.hokuto.ed.jp  6:05pm  4.00s  0.09s  0.09s  -bash
ollie    pts/5    ws102.school.eto  5:45pm  0.00s  0.12s  0.02s  w

The IP address is an Italian one belonging to:

inetnum:     151.99.162.160 - 151.99.162.191
netname:     STARLANE
descr:       Starlane Srl
country:     IT
admin-c:     LF614-RIPE
tech-c:      LF614-RIPE
status:      ASSIGNED PA
notify:      network () cgi interbusiness it
mnt-by:      INTERB-MNT
changed:     cgiadmin () cgi interbusiness it 19991117
source:      RIPE

Before I had logged the users off and changed the account password,
however, the intruder issued "rm -f *" which removed his 'p' file
from /var/tmp - a real shame.

The reference to "rpc.statd" alarms me because I know there are
various exploits for this.

I've come to the point where I've done as much investigation as I can
trust myself with. I wonder if any of the people on this list can let
me know if they've seen an attack from these machines, or one that
has been along these lines.

I'm particularly interested in this "p" file that the intruder made
and then executed... Have any of you seen anything like that before?

Is it worth emailing the administrative contacts for the IP ranges
that the attacks originated from?

I eagerly anticipate any replies that may be forthcoming.

Thank you.

With regards,

Ollie Cook
---
Optimist:  "The glass is half full"
Pessimist: "The glass is half empty"
Engineer:  "The glass is twice as large as it needs to be"
---

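As an added example (not part of the original post), a small Python parser and triage rule set for the syslog-style shell audit lines the post shows; the record format, the re-joining of mail-wrapped continuation lines and the rule labels are my assumptions, and the sample lines are constructed from the commands in the post.

```python
import re

# Constructed sample in the "<date> <host> -<shell>: #<user># <command>" format
# the post shows; the find command is wrapped onto a second line, as in the mail.
SAMPLE_LOG = r"""
Nov 12 18:00:53 ws232 -bash: #joe# uname -a
Nov 12 18:01:28 ws232 -bash: #joe# whereis rpc.statd
Nov 12 18:17:00 ws232 -bash: #joe# ln -fs /dev/null bash_history
Nov 12 18:17:13 ws232 -bash: #joe# ./p
Nov 12 18:19:21 ws232 -bash: #joe# find / \( -perm -4000 -o -perm
-2000 \) -type f -exec ls -l {} \; > suids 2>/dev/null &
Nov 12 18:21:13 ws232 -bash: #joe# rm .bash_history
Nov 12 18:21:23 ws232 -bash: #joe# unset HISTFILE
Nov 12 18:22:41 ws232 -bash: #joe# su
Nov 12 18:23:10 ws232 -bash: #joe# ls -al `which traceroute`
"""

RECORD = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) -(\S+): #(\S+)# (.*)$")

# Triage rules (label names are assumed, not a standard) keyed on behaviour the
# post calls out: history tampering, SUID hunting, su / rpc.statd interest,
# and running a freshly dropped relative binary.
RULES = [
    ("history-tampering", re.compile(r"bash_history|HISTFILE")),
    ("suid-enumeration", re.compile(r"\bfind\b.*-perm.*-[24]000")),
    ("priv-esc-interest", re.compile(r"^su\b|rpc\.statd")),
    ("exec-relative-binary", re.compile(r"^\./\S+")),
]

def parse_records(text):
    """Return (timestamp, host, user, command) tuples, re-joining wrapped lines."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            ts, host, _shell, user, cmd = m.groups()
            records.append([ts, host, user, cmd])
        elif records and line.strip():   # continuation of the previous command
            records[-1][3] += " " + line.strip()
    return [tuple(r) for r in records]

def flag_records(text):
    """Return (timestamp, user, label, command) for each command hitting a rule."""
    return [(ts, user, label, cmd)
            for ts, _host, user, cmd in parse_records(text)
            for label, pat in RULES if pat.search(cmd)]

if __name__ == "__main__":
    for hit in flag_records(SAMPLE_LOG):
        print("%s %-5s %-22s %s" % hit)
```

Because the sink is syslog rather than ~/.bash_history, the "ln -fs /dev/null bash_history", "rm .bash_history" and "unset HISTFILE" steps in the post remove nothing the rules read; they only add three hits.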

