Security Incidents mailing list archives
Re: two machines hack through rpc.statd
From: Justin Shore <macdaddy () NEO PITTSTATE EDU>
Date: Wed, 7 Mar 2001 14:59:57 -0600
I was given control of a 6.2 machine some months ago only to find that it had been hacked within a week of it being put on the 'Net. rpc.statd as well. Best I can tell the overflow allowed the guy to add an interactive shell line to /etc/inetd.conf and SIGHUP inetd. The guy then connected as root, rcp'ed a generic rootkit from a machine owned by broadcast.com (hacked also) which installed a couple binaries that I couldn't identify (cronlogd and xfsd). He then rpm installed 3 old rpms from a German mirror site. They were old/vulnerable versions of Wu-ftpd, nfs-utils, and LPRng.

As best I could tell he didn't clean up the system logs. For that matter he didn't clean up root's bash history files. (/bin/sh is a symlink to /bin/bash so system-default bashrc settings apply, which turn on logs by default). That's how I managed to track his activity so easily. All in all, the rootkit was very generic and fairly worthless. I still don't know what the binaries do though. I have the whole drive tarballed somewhere.

As for who to contact about that home.com machine, I'd first email them with all the pertinent logs and descriptions and then call them a few minutes later and escalate it as high as you can. If you can catch an active session between your hacked machine and that home.com guy (or whomever is using his machine) it would help. That's about the best I can suggest for you. The law doesn't always take an interest in these cases unless it's big news. Even they are susceptible to PR tactics.

Good luck!
Justin

On 3/7/01 7:47 AM Vegard Svanberg said...
> Hi. I admin two servers which were recently hacked. They were just installed with RH7 and really not important (and not in production) so there was no big deal. However, that is not an excuse for hacking them, so I'd like to report this guy to his local police so they could lock him up in jail where he belongs. I'd also like to get in touch with other people who've had similar break-ins from this guy.
>
> This is _some_ of the info I have on what he did:
>
> 1. Exploited rpc.statd
> 2. Fetched a package (secure.tar.gz) containing some scripts to clear the logs and a couple of RPMs to fix a couple of security holes.
> 3. Patched rpc.statd.
> 4. Configured inetd to run /bin/sh at port 666. He firewalled the port.
> 5. Ran a script ("g.sh" also known as "gh0st.sh") to wipe the logs.
>
> He added user "r3wt" and "gid" to /etc/passwd and /etc/shadow with uid 0 and no password. He also added an account "Vogz" which I believe is his nickname.
>
> Here's the hostnames/IP addresses he came from:
>
> Vogz[9590]: LOGIN ON pts/2 BY Vogz FROM cx589008-a.vista1.sdca.home.com
> xinetd[8755]: START: reg pid=9614 from=63.198.203.190
>
> In addition, I am wondering how I should handle this further, and IF I should.. I am currently located in Europe while he is probably in the US or something, hacking from a rooted *DSL-machine.. Any tips and recommendations are appreciated.
>
> Regards,
>
> --
> Vegard Svanberg <vegard () svanberg no>
--
Justin Shore, ES
Pittsburg State University
Network & Systems Manager
Kelce 157Q
Office of Information Systems
Pittsburg, KS 66762
Voice: (620) 235-4606
Fax: (620) 235-4545
http://www.pittstate.edu/ois/
Warning: This message has been quadruple Rot13'ed for your protection.
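Both messages in this thread describe the same post-compromise footprint on a Red Hat box of that era: an extra line in /etc/inetd.conf that hands out an interactive shell (Justin), a service bound to port 666 running /bin/sh, and spare uid-0 accounts with empty passwords added to /etc/passsd and /etc/shadow (Vegard). The script below is an added example, not code from either poster, that audits those three artifacts. The /etc/passwd, /etc/shadow and /etc/inetd.conf contents are constructed samples modelled on what the thread reports; the helper names are my own.

```python
"""Audit helpers for the three persistence artifacts described in the thread.

Constructed sample files are embedded so the checks run offline; on a real
system you would pass the contents of /etc/passwd, /etc/shadow and
/etc/inetd.conf instead.
"""

# Constructed /etc/passwd: two uid-0 accounts besides root, as in Vegard's report.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
r3wt:x:0:0::/:/bin/bash
gid:x:0:0::/:/bin/sh
vegard:x:500:500:Vegard:/home/vegard:/bin/bash
"""

# Constructed /etc/shadow: the added accounts have an empty password field.
SAMPLE_SHADOW = """\
root:$1$constructedhash$:11388:0:99999:7:::
bin:*:11388:0:99999:7:::
daemon:*:11388:0:99999:7:::
r3wt::11388:0:99999:7:::
gid::11388:0:99999:7:::
vegard:$1$constructedhash$:11388:0:99999:7:::
"""

# Constructed /etc/inetd.conf: one legitimate-looking service plus a shell on port 666.
SAMPLE_INETD_CONF = """\
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
666     stream  tcp     nowait  root    /bin/sh         sh -i
"""

# Binaries that should never be an inetd server program or its first argument.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/csh", "/bin/tcsh", "/bin/ksh", "/bin/zsh"}


def _records(text, sep):
    """Yield non-empty, non-comment lines split on sep."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line.split(sep)


def extra_uid0_accounts(passwd_text):
    """Names other than 'root' whose uid field in /etc/passwd is 0."""
    found = []
    for fields in _records(passwd_text, ":"):
        if len(fields) < 7:
            continue  # malformed entry: report nothing rather than crash
        if fields[2] == "0" and fields[0] != "root":
            found.append(fields[0])
    return found


def passwordless_accounts(shadow_text):
    """Names whose /etc/shadow hash field is empty (login without a password)."""
    return [f[0] for f in _records(shadow_text, ":") if len(f) >= 2 and f[1] == ""]


def shell_services(inetd_text):
    """(service, program) pairs where inetd would launch a shell directly or via tcpd.

    Also flags services named by a bare port number, since legitimate entries
    use names from /etc/services; the thread's port-666 entry trips both rules.
    """
    hits = []
    for fields in _records(inetd_text, None):
        if len(fields) < 6:
            continue
        service, program = fields[0], fields[5]
        first_arg = fields[6] if len(fields) > 6 else ""
        if program in SHELLS or first_arg in SHELLS or service.isdigit():
            hits.append((service, program))
    return hits


def audit(passwd_text, shadow_text, inetd_text):
    """Collect all findings as human-readable strings."""
    findings = []
    for name in extra_uid0_accounts(passwd_text):
        findings.append(f"uid 0 account besides root: {name}")
    for name in passwordless_accounts(shadow_text):
        findings.append(f"account with empty password hash: {name}")
    for service, program in shell_services(inetd_text):
        findings.append(f"inetd service {service!r} runs {program}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_INETD_CONF):
        print(finding)
```

The checks are deliberately simple string parsing so they can run from a rescue boot against a copied disk image (as Justin describes keeping the whole drive tarballed) without trusting any binary on the compromised host; a rootkit that replaces ls or ps does not affect reading these files directly.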
Current thread:
- two machines hack through rpc.statd Vegard Svanberg (Mar 07)
- Re: two machines hack through rpc.statd Ryan Russell (Mar 07)
- Re: two machines hack through rpc.statd Vegard Svanberg (Mar 08)
- Re: two machines hack through rpc.statd Vegard Svanberg (Mar 08)
- <Possible follow-ups>
- Re: two machines hack through rpc.statd Timothy Lyons (Mar 07)
- Re: two machines hack through rpc.statd Justin Shore (Mar 07)
- Re: two machines hack through rpc.statd Ryan Russell (Mar 07)