Security Incidents mailing list archives

Re: Strange command histories in hacked shell server


From: Jim Halfpenny <jim () openanswers co uk>
Date: Wed, 22 Dec 2004 09:52:41 +0000 (GMT)



On Fri, 17 Dec 2004 Valdis.Kletnieks () vt edu wrote:


> > sshd             -F      tsgan            __         0.02 secs Tue Dec 14 00:27
> > sh               -       tsgan            ttyp0      0.02 secs Tue Dec 14 00:27
> > cat              -       tsgan            ttyp0      0.00 secs Tue Dec 14 00:28
> > su               -       tsgan            ttyp0      0.00 secs Tue Dec 14 00:28
> > sleep            -       tsgan            ttyp0      0.00 secs Tue Dec 14 00:27
> > ^^^^^^
> > stty             -       tsgan            ttyp0      0.00 secs Tue Dec 14 00:27
> > stty             -       tsgan            ttyp0      0.00 secs Tue Dec 14 00:27
> > ^^^^^^
> > fortune          -       tsgan            ttyp0      0.00 secs Tue Dec 14 00:27
> > ...
> >
> > I don't quite understand why he used sleep and stty commands in above.
> > My suspect is tty hijacking. Am I right? Correct me if I'm wrong.
>
> My suspect is that your .login contains a 'fortune', an 'stty' or two, and a 'sleep',
> and those happened at login - the first *real* command actually issued was
> probably a 'su -c cat something', after which the person logged out, causing the
> login 'sh' and 'sshd' to exit.

I'd suggest a trojan was executed which contained commands used to
steal passwords. The real login prompt was followed by a short pause
(sleep), stty was used to turn off echoing of stdin (stty -echo), a false
password prompt was displayed and the output captured to a file or sent to the
intruder in some other fashion. The second stty restored echoing of stdin.

My guess is a trojan .login/.profile that prompted a second time for a
password after a successful login and then executed the remaining commands,
e.g. /usr/bin/fortune. Do you remember typing your password in twice,
thinking you'd made a typo the first time?

Regards,
Jim Halfpenny
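The pattern Jim describes (a sleep and a pair of stty calls in the first moments of a session, on the same tty as the login shell) can be hunted for in process-accounting output. The script below is an added example written for this archive page, not code from any poster; it parses lastcomm-style lines (using the lines quoted in the thread as sample input), groups them by user and tty, and flags sessions whose opening minute contains sleep plus two or more stty calls. It also scans a login script for `stty -echo`, which ordinary .login/.profile files have no reason to contain. The year (lastcomm prints none), the 60-second window and the benign sample profile are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Process-accounting lines as quoted in the thread (the '...' and '^^^^^^'
# marker lines are left in on purpose; the parser must skip them).
SAMPLE_LASTCOMM = """\
sshd             -F      tsgan            __         0.02 secs Tue Dec 14 00:27
sh               -       tsgan            ttyp0      0.02 secs Tue Dec 14 00:27
cat              -       tsgan            ttyp0      0.00 secs Tue Dec 14 00:28
su               -       tsgan            ttyp0      0.00 secs Tue Dec 14 00:28
sleep            -       tsgan            ttyp0      0.00 secs Tue Dec 14 00:27
^^^^^^
stty             -       tsgan            ttyp0      0.00 secs Tue Dec 14 00:27
stty             -       tsgan            ttyp0      0.00 secs Tue Dec 14 00:27
^^^^^^
fortune          -       tsgan            ttyp0      0.00 secs Tue Dec 14 00:27
...
"""

# Constructed benign .profile fragment (assumption): sets the erase key and
# prints a fortune, but never disables terminal echo.
BENIGN_PROFILE = """\
stty erase ^H
/usr/bin/fortune
"""

# lastcomm columns: command, flags, user, tty, cpu seconds, start time (no year).
LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<flags>\S+)\s+(?P<user>\S+)\s+(?P<tty>\S+)\s+"
    r"(?P<secs>[\d.]+) secs\s+(?P<when>\w{3} \w{3}\s+\d+ \d\d:\d\d)\s*$"
)


def parse_lastcomm(text, year=2004):
    """Parse lastcomm-style lines into dicts; the year is supplied by the caller
    because lastcomm does not print one (2004 matches the thread's dates)."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip marker lines and anything that is not an accounting record
        when = datetime.strptime(f"{year} {m['when']}", "%Y %a %b %d %H:%M")
        records.append({"cmd": m["cmd"], "user": m["user"], "tty": m["tty"], "when": when})
    return records


def find_fake_prompt_sessions(records, window_seconds=60):
    """Return (user, tty) sessions whose opening window contains a sleep and at
    least two stty calls: the fingerprint of a script that pauses, turns echo
    off to read a second 'password', then turns echo back on."""
    sessions = defaultdict(list)
    for r in records:
        if r["tty"] == "__":
            continue  # no controlling terminal, e.g. the sshd process itself
        sessions[(r["user"], r["tty"])].append(r)

    suspicious = []
    for (user, tty), recs in sessions.items():
        start = min(r["when"] for r in recs)  # earliest record approximates login time
        early = [r["cmd"] for r in recs
                 if (r["when"] - start).total_seconds() < window_seconds]
        if "sleep" in early and early.count("stty") >= 2:
            suspicious.append({"user": user, "tty": tty, "start": start, "commands": early})
    return suspicious


STTY_NOECHO_RE = re.compile(r"\bstty\b[^\n]*\B-echo\b")


def scan_login_script(text):
    """Return 1-based line numbers of a .login/.profile-style script that disable
    terminal echo; a legitimate login script almost never needs to do this."""
    return [n for n, line in enumerate(text.splitlines(), 1) if STTY_NOECHO_RE.search(line)]


if __name__ == "__main__":
    for hit in find_fake_prompt_sessions(parse_lastcomm(SAMPLE_LASTCOMM)):
        print(f"{hit['user']} on {hit['tty']} at {hit['start']:%Y-%m-%d %H:%M}: {hit['commands']}")
    print("stty -echo lines in benign profile:", scan_login_script(BENIGN_PROFILE))
```

On a real system, feed `lastcomm` output (or `lastcomm -u <user>`) to `parse_lastcomm`, and run `scan_login_script` over each user's .login, .profile, .bashrc and the system-wide /etc/profile; an `stty -echo` in any of them deserves a manual read, and a flagged session is the point at which to assume the password was captured and rotate it.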

