
Date:  Wed, 19 Jul 2006 19:35:54 +0200
From:  Dennis <dennis (at mark) mixfans.org>
Subject:  [coba-e:06059] Re: vunerable
To:  coba-e (at mark) bluequartz.org
Message-Id:  <44BE6D7A.9000603 (at mark) mixfans.org>
In-Reply-To:  <032001c6ab51$80cd59c0$9a00000a@pc11>
References:  <032001c6ab51$80cd59c0$9a00000a@pc11>
X-Mail-Count: 06059

Hi Steffan

No, in my situation the user probably first found an FTP account of a
user which had a bad password.
Then he uploaded the .pl file, which is a CGI-TELNET script.
Through this script he was able to put an aha.c file (bind.tty) and bind
in the same folder, and together with cgi.php, which was a PHP shell script,
he was able to put the prctl suidseif exploit from Julien Tinnes in
the crontab,
and that was causing a malicious crontab error as the command
/dev/shm/nice2k did not seem to work.

The person entered my system from 4 different IP addresses, using 2 IP
addresses within some seconds of each other..

crontab stuff removed
cron restarted
removed the user ..
saved the crack stuff in a non-web folder for later usage ;-)

no issues found with chkrootkit ..

Tjsak!
Dennis


Steffan wrote:
> I just found out that this server has lost control over files in /sbin
> I can't change owner/rights or chmod /sbin and the files in it as root
> Any ideas on how to correct this,
> Did you have the same problem?
>
>
> -----Original Message-----
> From: Dennis [mailto:dennis (at mark) mixfans.org]
> Sent: Wednesday 19 July 2006 9:13
> To: coba-e (at mark) bluequartz.org
> Subject: [coba-e:06053] Re: vunerable
>
> Okay, found it.. maybe this story helps, and maybe some suggestions can
> come up for getting more control over the system.
>
> Somewhere back on Feb 13 a user was created, and this user was sitting in
> my site1.
> This user had in its folder:
> aha.c
> bind
> cgi.php
> *.pl
>
> How the user could be created is still unknown to me, so maybe a script
> can be added that will send info to the admin when a user is
> created in the system?
>
> I found this user by checking which files were changed in the last few days,
> as I had seen weird errors on the 16th of July
> (httpd could not start as a session took over port 80).
>
> Today I noticed the cron errors. It seems that the ghost user tried to test
> a vulnerability from last week:
> http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=140158&affid=102
>
> Are there any other tools which could be used / installed to monitor 
> such httpd actions?
>
> Dennis
>
>
> Dennis wrote:
>
>> Suddenly I get these admin messages:
>>
>> chown root:root /dev/shm/nice2k && chmod 4755 /dev/shm/nice2k && rm 
>> -rf /etc/cron.d/core && kill -USR1 3286
>>
>> chown: cannot access `/dev/shm/nice2k': No such file or directory
>>
>> It seems that someone 'broke' into my system, but how do I see what
>> happened and where..
>> dennis
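As an added illustration (not code from this thread or from the BlueQuartz project), a small POSIX shell check that answers the two questions raised above: report logins that appeared since a saved copy of /etc/passwd, and flag cron.d jobs that run from /dev/shm or set a setuid bit, as the job in the admin message did. File names and sample data are constructed; the script reads nothing from the real system.

```shell
#!/bin/sh
# Added example, not from the coba-e thread. Two post-incident checks an admin
# can run from cron; all paths and sample data below are constructed.
set -u

# new_accounts SNAPSHOT CURRENT
# Print "login:uid:home:shell" for every login present in CURRENT (the live
# /etc/passwd) but absent from SNAPSHOT (a copy saved when the system was
# known good). Pure awk, so it also runs from a minimal rescue shell.
new_accounts() {
    awk -F: 'FILENAME == ARGV[1] { known[$1] = 1; next }
             !($1 in known)      { print $1 ":" $3 ":" $6 ":" $7 }' "$1" "$2"
}

# suspicious_cron CRONDIR
# Print "file:line:job" for cron jobs that execute something out of a
# world-writable directory (/dev/shm, /tmp, /var/tmp) or set a setuid bit,
# the two traits of the "chown root:root /dev/shm/nice2k && chmod 4755 ..."
# job quoted in the thread. Comment lines are ignored.
suspicious_cron() {
    grep -rEn '(/dev/shm|/tmp|/var/tmp)/|chmod[[:space:]]+(4[0-7]{3}|[ugoa]*\+s)' "$1" \
        | grep -Ev '^[^:]*:[0-9]+:[[:space:]]*#' || true
}

# --- constructed sample data (stands in for /etc/passwd and /etc/cron.d) ----
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd.snapshot" <<'EOF'
root:x:0:0:root:/root:/bin/bash
site1admin:x:1001:1001::/home/sites/site1/users/site1admin:/bin/sh
EOF
cat > "$SAMPLE_DIR/passwd.now" <<'EOF'
root:x:0:0:root:/root:/bin/bash
site1admin:x:1001:1001::/home/sites/site1/users/site1admin:/bin/sh
ghost:x:1002:1002::/home/sites/site1/users/ghost:/bin/sh
EOF
mkdir -p "$SAMPLE_DIR/cron.d"
cat > "$SAMPLE_DIR/cron.d/core" <<'EOF'
# constructed copy of the kind of job reported in the thread
* * * * * root chown root:root /dev/shm/nice2k && chmod 4755 /dev/shm/nice2k
EOF
cat > "$SAMPLE_DIR/cron.d/logrotate" <<'EOF'
0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf
EOF

echo "== accounts added since snapshot =="
new_accounts "$SAMPLE_DIR/passwd.snapshot" "$SAMPLE_DIR/passwd.now"
echo "== suspicious cron jobs =="
suspicious_cron "$SAMPLE_DIR/cron.d"
```

On a real host, save the snapshot somewhere not writable by web or FTP users and point the two functions at /etc/passwd and /etc/cron.d.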