Full Version: Hack Overview
coder
This was posted by a user in another forum. I would've posted a link - but it's the Senior section - and none of you have the proper rights.

QUOTE

Howdy all.

Looks like I was hacked. I guess that's what I get for installing an OS, connecting it to the internet, half updating it and going to bed and class. I returned and saw some funky messages about the games user having ssh'd in and it confused me, but the logs revealed nothing so I went to bed. Silly me. I haven't touched it since it happened (a few days ago), and I went to play with John the Ripper tonight. I noticed that it found 4 passwords when I attempted to crack my shadow file. I have my root account, my user account and one friend has a shell, so this confused me. I checked and games had a password. I promptly removed the password and locked the account (removed the shell as well) and started searching for clues. I decided to start with the games folder and sure enough found a file called owned with an IP address in it (213.146.38.180); this resolves to tnt.pl. Anyone know anything about it? Anyways, I then noticed a directory called w00t, which is full of source and compiled apps, mostly for scanning samba. Now I know I had an insecure version of ssh, but I'm wondering if my samba was also insecure and that's how they used it to get in. They seem to just be scanning from one network to another. Anyways, I'm still investigating but I seem to have most things locked back down. It's good that my Linux box isn't my day to day box because I wouldn't want any valuable data stored on there.

I have aliased the /usr/games/w00t directory that they created into apache, and for those of you who are interested in seeing what they were using and what they were attempting to do, it's located at http://tyler.reguly.net/w00t
Hopefully this will help others avoid suffering the same fate and possibly shed some light onto what happened to me.


-----------
Edit:

Server will be available for the next 24 hours max. Then I will be reinstalling Mandrake 9.1 (I'm leaving it up for those of you interested in viewing the files located there). The attackers gained access to the games account and from there escalated their privileges to root. They (obviously from Poland, based on an abundance of .pl addresses) then wiped the syslogs clean (http://republika.pl/garfix/wipe), before proceeding. They played around a bit, and cleaned off my samba software. They installed some program called k (http://anax.us/~fishboner/k). After some other garbage (view the bash_history on the server) they installed the vckit (http://republika.pl/garfix/vckit.tgz).. it is quite the lil toy, I downloaded it and viewed the set-up file and it does some serious damage to the system, moving around files and such. They downloaded an ISO (who knows why) and then grabbed woot (http://republika.pl/garfix/woot.tgz), the files of which are still available from the server. Then they played around with a BitchX exploit (http://netric.org/exploits/gespuis.c)

This is similar to the behaviour of a Linux worm that is out there exploiting samba, however it is different and there are obvious user typos in the bash_history. As well, the existence of the bash_history tells me they were sloppy. Then again I guess I was even sloppier...


I found it to be an interesting read... taking a look at the tools/methods used by this attack scenario...
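The tell in the quoted post was a system account (games) that suddenly had a password hash in /etc/shadow and a login shell. As an added example (not from the original post or any of the tools it links), this POSIX shell function audits a passwd/shadow pair for exactly that: low-UID service accounts with a usable hash or an interactive shell. The sample files are constructed, and the UID cutoff of 500 (Mandrake-era convention; pass a third argument to change it) is an assumption.

```shell
#!/bin/sh
# Constructed sample data standing in for /etc/passwd and /etc/shadow.
# The "games" entry mirrors the incident: hash set, shell left as /bin/bash.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
games:x:12:100:games:/usr/games:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
tyler:x:500:500:Tyler:/home/tyler:/bin/bash'

SAMPLE_SHADOW='root:$1$saltsalt$abcdefghijklmnopqrstuv:12345:0:99999:7:::
daemon:*:12345:0:99999:7:::
games:$1$saltsalt$zyxwvutsrqponmlkjihgfe:12345:0:99999:7:::
nobody:!:12345:0:99999:7:::
tyler:$1$saltsalt$1234567890abcdefghijkl:12345:0:99999:7:::'

# audit_system_accounts PASSWD_FILE SHADOW_FILE [MAX_UID]
# Prints one line per suspicious system account (UID below MAX_UID,
# default 500, root excluded) in the form "name:reason[,reason]".
# A hash of "", "*", "!" or "!..." counts as locked; a shell not ending in
# nologin or false counts as interactive.
audit_system_accounts() {
    awk -F: -v max_uid="${3:-500}" '
        # First file (shadow): remember which accounts have a real hash.
        NR == FNR {
            h = $2
            if (h != "" && h != "*" && h !~ /^!/) has_pw[$1] = 1
            next
        }
        # Second file (passwd): check every non-root system account.
        ($3 + 0) < max_uid && $1 != "root" {
            reasons = ""
            if ($1 in has_pw) reasons = "password-set"
            if ($7 !~ /(nologin|false)$/)
                reasons = reasons (reasons != "" ? "," : "") "login-shell:" $7
            if (reasons != "") print $1 ":" reasons
        }
    ' "$2" "$1"
}

# Demo: write the constructed samples to temp files and run the audit.
tmpdir=$(mktemp -d)
printf '%s\n' "$SAMPLE_PASSWD" > "$tmpdir/passwd"
printf '%s\n' "$SAMPLE_SHADOW" > "$tmpdir/shadow"
audit_system_accounts "$tmpdir/passwd" "$tmpdir/shadow"
rm -rf "$tmpdir"
```

On a live box run it as `audit_system_accounts /etc/passwd /etc/shadow` (needs root to read shadow); any line it prints for an account like games, daemon or nobody deserves the same look the poster gave /usr/games.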
hermel
THX coder for the nice article
Grinler
Mind telling us what site that forum post was posted on?

Thanks
Phoenix
thx coder! very nice
ganz2
excellent thx
UnDeRTaKeR
wow thx... but the link (http://tyler.reguly.net/w00t) is not available now... can you please post what was out there? I found it very interesting...
10x for the helpers


edited: also some of the links don't work .. like..
http://republika.pl/garfix/woot.tgz & http://republika.pl/garfix/vckit.tgz
please repost it
GhostCow
undertaker, try http://republika.pl/garfix/prog/vckit.tgz instead...

btw coder thanks for the interesting read! it's always nice to see how hackers work...
clip
just adding some info.
"k" is an IRC-enabled trojan.
UnDeRTaKeR
10x clip
Oscillate
good read man !

PS: might wanna watch these ports for another attack, man.
22
25
53
110
113
443
995