Government Security
Network Security Resources

Hack Overview

9 replies to this topic

#1 Guest_coder_*
  • Guests

Posted 20 October 2003 - 06:38 AM

This was posted by a user in another forum. I would've posted a link, but it's the Senior section, and none of you have the proper rights ;)

Howdy all.

Looks like I was hacked. I guess that's what I get for installing an OS, connecting it to the internet, half updating it and going to bed and class. I returned and saw some funky messages about the games user having ssh'd in and it confused me, but the logs revealed nothing so I went to bed. Silly me. I haven't touched it since it happened (a few days ago), and I went to play with John the Ripper tonight. I noticed that it found 4 passwords when I attempted to crack my shadow file. I have my root account, my user account and one friend has a shell, so this confused me. I checked and games had a password. I promptly removed the password and locked the account (removed the shell as well) and started searching for clues. I decided to start with the games folder and sure enough found a file called owned with an IP address in it (213.146.38.180); this resolves to tnt.pl. Anyone know anything about it? Anyways, I then noticed a directory called w00t, which is full of source and compiled apps, mostly for scanning Samba. Now I know I had an insecure version of ssh, but I'm wondering if my Samba was also insecure and that's how they used it to get in. They seem to just be scanning from one network to another. Anyways, I'm still investigating but I seem to have most things locked back down. It's good that my Linux box isn't my day-to-day box, because I wouldn't want any valuable data stored on there.

I have aliased the /usr/games/w00t directory that they created into Apache; for those of you interested in seeing what they were using and what they were attempting to do, it's located at http://tyler.reguly.net/w00t
Hopefully this will help others avoid suffering the same fate and possibly shed some light onto what happened to me.


-----------
Edit:

Server will be available for the next 24 hours max. Then I will be reinstalling Mandrake 9.1 (I'm leaving it up for those of you interested in viewing the files located there). The attackers gained access to the games account and from there escalated their privileges to root. They (obviously from Poland, based on an abundance of .pl addresses) then wiped the syslogs clean (http://republika.pl/garfix/wipe) before proceeding. They played around a bit, and cleaned off my Samba software. They installed some program called k (http://anax.us/~fishboner/k). After some other garbage (view the bash_history on the server) they installed the vckit (http://republika.pl/garfix/vckit.tgz). It is quite the lil toy; I downloaded it and viewed the set-up file and it does some serious damage to the system, moving around files and such. They downloaded an iso (who knows why) and then grabbed woot (http://republika.pl/garfix/woot.tgz), the files of which are still available from the server. Then they played around with a BitchX exploit (http://netric.org/exploits/gespuis.c).

This is similar to the behaviour of a Linux worm that is out there exploiting Samba; however, it is different, and there are obvious user typos in the bash_history. As well, the existence of the bash_history tells me they were sloppy. Then again, I guess I was even sloppier...


I found it to be an interesting read... taking a look at the tools/methods used by this attack scenario...
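The tell-tale sign in the post above was a system account (games) that had quietly acquired a password hash and kept a login shell, and it was only noticed when John the Ripper turned up a fourth hash. As an added example (not from the original poster or the forum), the check below looks for that anomaly directly in passwd/shadow data; the UID cut-off of 500 and the sample file contents are constructed assumptions.

```python
# Added example (not from the post): flag low-UID system accounts that can be logged
# into, the anomaly behind the 'games' account here. Sample passwd/shadow data is constructed.
SYSTEM_UID_MAX = 500           # assumption: system accounts use UIDs below 500
EXPECTED_LOGIN = {"root"}      # low-UID accounts that legitimately keep a password
NOLOGIN_SHELLS = {"", "/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/bin/sync"}

def parse_passwd(text):
    """Map user -> (uid, shell) from passwd-format lines."""
    rows = (ln.split(":") for ln in text.splitlines() if ln and not ln.startswith("#"))
    return {f[0]: (int(f[2]), f[6] if len(f) > 6 else "") for f in rows}

def parse_shadow(text):
    """Map user -> password field from shadow-format lines."""
    return {f[0]: f[1] for f in (ln.split(":") for ln in text.splitlines() if ln)}

def find_login_capable_system_accounts(passwd_text, shadow_text):
    """Return {user: [reasons]} for system accounts that could accept a login."""
    shadow = parse_shadow(shadow_text)
    findings = {}
    for user, (uid, shell) in parse_passwd(passwd_text).items():
        if uid >= SYSTEM_UID_MAX or user in EXPECTED_LOGIN:
            continue
        reasons = []
        field = shadow.get(user, "!")  # no shadow entry: treat as locked
        if field == "":
            reasons.append("empty password field (no password required)")
        elif not field.startswith(("*", "!")):
            reasons.append("usable password hash")
        if shell not in NOLOGIN_SHELLS:
            reasons.append("login shell " + shell)
        if reasons:
            findings[user] = reasons
    return findings

SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
games:x:12:100:games:/usr/games:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
tyler:x:500:500::/home/tyler:/bin/bash
"""
SAMPLE_SHADOW = """root:$1$c0nstruc$tedhashvalue000000000:12345:0:99999:7:::
daemon::12345:0:99999:7:::
games:$1$c0nstruc$tedhashvalue111111111:12345:0:99999:7:::
nobody:!!:12345:0:99999:7:::
tyler:$1$c0nstruc$tedhashvalue222222222:12345:0:99999:7:::
"""

if __name__ == "__main__":
    for user, why in find_login_capable_system_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW).items():
        print(user, "->", ", ".join(why))
```

Run against a live box with `open("/etc/passwd").read()` and `open("/etc/shadow").read()` as root; the empty-password branch is the worse case, since such an account needs no password at all.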

#2 Guest_hermel_*
  • Guests

Posted 22 October 2003 - 02:30 AM

THX coder for the nice article :)

#3 Grinler

    Private First Class

  • Members
  • 62 posts

Posted 22 October 2003 - 11:35 AM

Mind telling us what site that forum post was posted on?

Thanks

#4 Guest_Phoenix_*
  • Guests

Posted 24 October 2003 - 12:27 AM

Thx coder! Very nice :)

#5 ganz2

    Private First Class

  • Members
  • 67 posts

Posted 19 December 2003 - 09:42 PM

Excellent, thx

#6 UnDeRTaKeR

    Specialist

  • Members
  • 143 posts

Posted 20 December 2003 - 04:22 AM

Wow, thx... but the link (http://tyler.reguly.net/w00t) is not available now... can you please post what was out there? I found it very interesting...
10x for the helpers


Edited: also some of the links don't work, like
http://republika.pl/garfix/woot.tgz & http://republika.pl/garfix/vckit.tgz
:(
Please repost it

#7 GhostCow

    Staff Sergeant

  • Members
  • 345 posts

Posted 20 December 2003 - 06:49 AM

UnDeRTaKeR, try http://republika.pl/.../prog/vckit.tgz instead... :D

BTW coder, thanks for the interesting read! It's always nice to see how hackers work...

#8 clip

    Specialist

  • Members
  • 139 posts

Posted 20 December 2003 - 08:37 AM

Just adding some info.
"k" is an IRC-enabled trojan.

#9 UnDeRTaKeR

    Specialist

  • Members
  • 143 posts

Posted 20 December 2003 - 01:27 PM

10x clip

#10 Guest_Oscillate_*
  • Guests

Posted 30 December 2003 - 03:35 PM

Good read man!

PS: might wanna watch these ports for another attack man.
22
25
53
110
113
443
995