Security Incidents mailing list archives

Re: More /sumthin


From: "Philipp Hug" <securityfocus () hugit ch>
Date: Wed, 26 Feb 2003 15:23:17 +0100

I found the root of all evil ;-)

the /sumthin tool is attached. I got it from an "owned" server.

Philipp
----- Original Message -----
From: "Sverre H. Huseby" <shh () thathost com>
To: <incidents () securityfocus com>
Sent: Monday, February 03, 2003 9:52 AM
Subject: More /sumthin, maybe


I got a couple of E-mails from a guy that _may_ have more info on the
/sumthin case.  One of his servers was "owned", and he _thinks_ the
/sumthin request was the start of the attack.  His E-mails follow:

    ==================================================================

    I got hit with the same thing.  /sumthin is exactly what everyone
    thinks it is - a probe.  Someone used my version info to exploit a
    bug in SSL.  I still don't know what the bugs are yet, but it's
    really evident.  From there, he logged in as my webserver, and
    totally F$%^&D my server.  He set up some kind of irc server, and
    compromised so much of my server I'm having to rebuild from the
    ground up.  He redirected the root .bash_history to /dev/nul and
    redirected the mail logs and he set up an account called tcp so he
    could log in through ssh.  Most of the services were shut down
    (that's how I figured something was up - I couldn't get my mail).

    even though he did wipe the root history, he forgot to wipe
    wwwrun's history, it's too long to post, but it will be up for a
    short while at http://XXX [Sverre says: URL removed.  log file
    attached.]

    He also replaced bash and set the default runlevel to halt, so
    when I restarted the system just stopped (what a pisser).

    When I went back and grepped all the logs, the /sumthin only shows
    up in the logs of one domain (despite the fact we host around [N])
    and starts sometime around mid October as everyone else has
    noticed.

    ==================================================================

    I found things like this in /tmp and /var/tmp:

    drwxr-xr-x   3 wwwrun   nogroup       153 Jan 26 04:10 a
    -rw-r--r--   1 wwwrun   nogroup     14138 Jan  4 20:32 a.tgz
    -rw-r--r--   1 wwwrun   nogroup     14138 Jan  4 20:32 a.tgz.1
    -rw-r--r--   1 wwwrun   nogroup     14138 Jan  4 20:32 a.tgz.2
    -rwxr-xr-x   1 wwwrun   nogroup     19577 Nov 28 15:55 alarmd
    drwxr-xr-x   5 wwwrun   nogroup       635 Dec 22 17:00 orbit-root
    drwxr-xr-x   9 wwwrun   nogroup       553 Jan 12 09:52 psybnc
    -rw-r--r--   1 wwwrun   nogroup    596571 Oct 17 23:19 psybnc.tar.gz

    after that I did a find / -user wwwrun and found a bunch of stuff
    and then discovered several other uids involved.

    ==================================================================

The attached shell history file shows what appears to be a manual
attacker downloading and installing several files using wget.  Some of
the files are no longer available, but the few I managed to download
seem to be either related to IRC (server and bot), or to Linux local
exploits.  (I only spent a couple of minutes downloading and glancing
at the files.)


Sverre.

--
shh () thathost com Computer Geek?  Try my Nerd Quiz
http://shh.thathost.com/ http://nerdquiz.thathost.com/



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

Attachment: httpver.c
Description:
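The indicators in the forwarded report (the /sumthin probe in the access logs, root's .bash_history pointed at /dev/null, the default runlevel set to halt, an extra login account, drops in /tmp owned by the web-server user) are the kind of thing a responder wants to check in one pass. The script below is an added example written for this archive page; it is not the httpver.c attachment and not code from anyone in the thread. The log lines, inittab, passwd entries and file names it uses are constructed samples, and the user name wwwrun is taken from the report as the assumed web-server account.

```shell
#!/bin/sh
# Constructed triage helpers for the indicators the thread describes.
# Added example, not the httpver.c attachment or anything from the post.
# Functions take file paths or stdin so they can be run against copies of
# logs and config files taken off a compromised host.

# Constructed access-log lines in common log format (not from the post).
SAMPLE_LOG='10.0.0.5 - - [15/Oct/2002:03:12:44 +0100] "GET /sumthin HTTP/1.0" 404 290
10.0.0.9 - - [15/Oct/2002:08:01:02 +0100] "GET /index.html HTTP/1.1" 200 1043
192.0.2.7 - - [02/Jan/2003:22:40:11 +0100] "GET /sumthin HTTP/1.0" 404 290
192.0.2.7 - - [02/Jan/2003:22:40:12 +0100] "GET /sumthin HTTP/1.0" 404 290'

# Number of /sumthin probe requests in the access log read from stdin.
count_sumthin() {
    grep -c '"GET /sumthin ' || true
}

# Distinct sources of the probe, each with the timestamp of its first request.
sumthin_sources() {
    awk '$6 == "\"GET" && $7 == "/sumthin" && !seen[$1]++ { print $1, $4 }'
}

# True when a shell history file has been turned into a symlink to /dev/null.
history_nulled() {
    [ -L "$1" ] && [ "$(readlink "$1")" = "/dev/null" ]
}

# Default runlevel recorded in an inittab file; "0" means the host halts
# on its next reboot, as happened in the report.
default_runlevel() {
    awk -F: '$3 == "initdefault" { print $2; exit }' "$1"
}

# Accounts in a passwd-format file that have a real login shell, as
# user:uid:shell. Anything listed that the admin did not create is a way in.
login_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 ":" $3 ":" $7 }' "$1"
}

# Regular files under the given directories owned by a user, for example
#   user_files wwwrun /tmp /var/tmp
user_files() {
    user=$1; shift
    find "$@" -user "$user" -type f 2>/dev/null
}

# Build a throwaway directory holding constructed artefacts so the checks
# can be exercised offline; prints the directory path.
make_samples() {
    dir=$(mktemp -d)
    ln -s /dev/null "$dir/.bash_history"
    printf 'id:0:initdefault:\nl0:0:wait:/etc/init.d/rc 0\n' > "$dir/inittab"
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'wwwrun:x:30:8:WWW daemon:/var/lib/wwwrun:/bin/false' \
        'mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false' \
        'tcp:x:1002:100::/home/tcp:/bin/bash' > "$dir/passwd"
    mkdir "$dir/tmp"
    : > "$dir/tmp/psybnc.tar.gz"   # constructed stand-in for the drop in /tmp
    printf '%s\n' "$dir"
}

# Demo run over the constructed samples.
samples=$(make_samples)
echo "probes:   $(printf '%s\n' "$SAMPLE_LOG" | count_sumthin)"
printf '%s\n' "$SAMPLE_LOG" | sumthin_sources | sed 's/^/source:   /'
history_nulled "$samples/.bash_history" && echo "history:  symlink to /dev/null"
echo "runlevel: $(default_runlevel "$samples/inittab")"
login_accounts "$samples/passwd" | sed 's/^/login:    /'
user_files "$(id -un)" "$samples/tmp" | sed 's/^/drop:     /'
rm -rf "$samples"
```

On a real host the checks are pointed at the mounted copy of the compromised filesystem rather than the live one: `default_runlevel /mnt/evidence/etc/inittab`, `login_accounts /mnt/evidence/etc/passwd`, and `user_files wwwrun /mnt/evidence/tmp /mnt/evidence/var/tmp`. The probe count is only a lead; the report itself notes /sumthin appeared in one virtual host's log months before the break-in, so the sources list is what to correlate with the rest of the logs.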
