HA... the saga continues (found a binary)

Post by Geology Cl » Sun, 12 Sep 1999 04:00:00



Ok, did a few hours (4+ :-) of digging into the machine that wasn't
properly scanned for 'bugs' (because there is no funding for it) and
what do you know... I found a binary, executable, in /dev which looks
most suspicious under strings:

-----------------chop-with-axe----------------chop-with-axe---------------------
%d.%d.%d.%d
/bin/sh
ICMP
Error sending syn packet.
tc: unknown host
3.3.3.3
mservers
randomsucks
reading %s
skillz
rm -rf td

./td
130.243.70.20
127.0.0.1
lpsched
no masterserver config found.
using default ones.
available servers: %i - working servers : 0
[*] stacheldraht [*] installation failed.
found a working [*] stacheldraht [*] masterserver.
masterserver is gone, looking for a new one
sicken
in.telne
./0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
-----------------chop-with-axe----------------chop-with-axe---------------------

I checked and 130.243.70.20 is alive... It's "bilbo.mdh.se"... and
it appears to be some sort of college/school with "12,000 students".
How should I contact them? Or should I wait?

I've been looking at the above commands and also in 'vim -b'
and it looks like the program 'td' copied our 'lpsched' binary to
130.243.70.20 and called it 'sol.bin' (or 'td')... I don't know what
they can get from 'lpsched' except ... hmmm... *UNLESS* what actually
happened was the reverse, rcp'ed 'sol.bin' from 130.243.70.20 INTO our
lpsched and ran that... [shiver].

I find the line:
rm -rf td
to be most telling...

OR it was cloaking under 'lpsched' while still running? Otherwise,
why include that name in the binary?

I have chmod 0000'd the binary and ensured that nothing in any way
associated with it is running. BTW, can anyone tell me what the
ToolTalk [crap] is? I have a job running:

 14643 ?        0:54 rpc.ttdb
(I killed it off for now)

and I don't know what it's for. The man page is useless.
I don't think it's related... but if I'm going to putz with this
machine, I'd like to know what's 'normal' and what isn't.
I checked all the rc/inet/init scripts and they look clean.

I wonder if this is in any way capable of listening to local
traffic.....  it doesn't look like the answer is a "no"...

I will e-mail the sysadmin of "bilbo.mdh.se" and ask them if
they have had any security problems... and if they possibly
know about any 'sol.bin'...

I don't have pgp on this account... but that's the only way I
am at all willing to send this binary for analysis... Depending
on what you (collective expertise) say, I will act accordingly.
This program seems to me to be a "bootstrap"... and doesn't
bode well.

Cheers, I think...
Filip G.

Ever try getting sendmail to work... and much later become convinced
that the sendmail.cf was crafted by satan himself? ARGH!
--
+---------> Geology Club of the University of Pittsburgh

|           http://www.pitt.edu/~geoclub/
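The triage Filip describes above (running strings over the file and reading the output for indicators) can be mechanised so the same questions get asked of every odd file you find. The following is an added example, not code from the thread; SAMPLE_BINARY is a constructed stand-in built from the strings quoted in the post, and the indicator categories and the "three categories" threshold are assumptions chosen for illustration.

```python
"""Triage of a suspicious binary: extract printable strings the way
strings(1) does, then bucket them by indicator category.
Added example; SAMPLE_BINARY is constructed from strings quoted in the post."""
import re

# Constructed stand-in for the file found in /dev: some of the strings the
# post quotes, separated by non-printable bytes as in a real executable.
SAMPLE_BINARY = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"%d.%d.%d.%d\x00/bin/sh\x00ICMP\x00Error sending syn packet.\x00"
    + b"\x00\x03\x7f" + b"3.3.3.3\x00mservers\x00rm -rf td\x00./td\x00"
    + b"130.243.70.20\x00127.0.0.1\x00lpsched\x00"
    + b"[*] stacheldraht [*] installation failed.\x00in.telne\x00"
)

MIN_LEN = 4  # strings(1) default minimum run length

IPV4 = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")

# Indicator categories (assumed list for this example). One hit is only a
# reason to look closer; several different categories in one small file
# sitting in /dev is what made the poster's find stand out.
INDICATORS = {
    "shell":       [r"/bin/sh"],
    "destructive": [r"rm -rf"],
    "raw_sockets": [r"\bICMP\b", r"syn packet"],
    "known_tool":  [r"stacheldraht", r"masterserver"],
    "daemon_name": [r"^lpsched$", r"^in\.telne"],  # names a file might hide under
}


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list[str]:
    """Runs of at least min_len printable ASCII bytes, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def triage(data: bytes, min_hits: int = 3) -> dict:
    """Bucket extracted strings by indicator. 'suspicious' is set when at
    least min_hits distinct categories fire (threshold is an assumption)."""
    report: dict = {"ipv4": [], **{cat: [] for cat in INDICATORS}}
    for s in extract_strings(data):
        if IPV4.fullmatch(s):          # literal addresses, not the %d format string
            report["ipv4"].append(s)
        for cat, patterns in INDICATORS.items():
            if any(re.search(p, s) for p in patterns):
                report[cat].append(s)
    hit = [cat for cat, found in report.items() if found]
    report["categories_hit"] = hit
    report["suspicious"] = len(hit) >= min_hits
    return report


if __name__ == "__main__":
    for cat, found in triage(SAMPLE_BINARY).items():
        print(f"{cat:16} {found}")
```

The IP bucket is deliberately kept apart from the scoring: a hard-coded address is the most useful thing in the output (it is what gave Filip a host to contact), but on its own it is not evidence of anything, so it is reported rather than counted.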


HA... the saga continues (found a binary)

Post by Erick Staa » Mon, 20 Sep 1999 04:00:00


Did you also run strings on that one? It could be most illuminating  :-/.

greets, Erick


> Ok, did a few hours (4+ :-) of digging into the machine that wasn't
> properly scanned for 'bugs' (because there is no funding for it) and
> what do you know... I found a binary, executable, in /dev which looks
> most suspicious under strings:

> -----------------chop-with-axe----------------chop-with-axe---------------------
> %d.%d.%d.%d
> /bin/sh
> ICMP
> Error sending syn packet.
> tc: unknown host
> 3.3.3.3
> mservers
> randomsucks
> reading %s
> skillz
> rm -rf td

> ./td
> 130.243.70.20
> 127.0.0.1
> lpsched
> no masterserver config found.
> using default ones.
> available servers: %i - working servers : 0
> [*] stacheldraht [*] installation failed.
> found a working [*] stacheldraht [*] masterserver.
> masterserver is gone, looking for a new one
> sicken
> in.telne
> ./0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
> -----------------chop-with-axe----------------chop-with-axe---------------------

> I checked and 130.243.70.20 is alive... It's "bilbo.mdh.se"... and
> it appears to be some sort of college/school with "12,000 students".
> How should I contact them? Or should I wait?

> I've been looking at the above commands and also in 'vim -b'
> and it looks like the program 'td' copied our 'lpcched' binary to
> 130.243.70.20 and called it 'sol.bin' (or 'td')... I don't know what
> they can get from 'lpsched' except ... hmmm... *UNLESS* what actually
> happened was the reverse, rcp'ed 'sol.bin' from 130.243.70.20 INTO our
> lpsched and ran that... [shiver].

> I find the line:
> rm -rf td
> to be most telling...

> OR it was cloaking under 'lpsched' while still running? Otherwise,
> why include that name in the binary?

> I have chmod 0000'd the binary and ensured that nothing in any way
> associated with it is running. BTW, can anyone tell me what the
> ToolTalk [crap] is? I have a job running:

>  14643 ?        0:54 rpc.ttdb
> (I killed it off for now)

> and I don't know what it's for. The man page is useless.
> I don't think it's related... but if I'm going to putz with this
> machine, I'd like to know what's 'normal' and what isn't.
> I checked all the rc/inet/init scripts and they look clean.

> I wonder if this is in any way capable of listening to local
> traffic.....  it doesn't look like the answer is a "no"...

> I will e-mail the sysadmin of "bilbo.mdh.se" and ask them if
> they have had any security problems... and if they possibly
> know about any 'sol.bin'...

> I don't have pgp on this account... but that's the only way I
> am at all willing to send this binary for analysis... Depending
> on what you (collective expertise) say, I will act accordingly.
> This program seems to me to be a "bootstrap"... and doesn't
> bode well.

> Cheers, I think...
> Filip G.

> Ever try getting sendmail to work... and much later become convinced
> that the sendmail.cf was crafted by satan himself? ARGH!
> --
> +---------> Geology Club of the University of Pittsburgh

> |           http://www.pitt.edu/~geoclub/



HA... the saga continues (found a binary)

Post by Geology Cl » Tue, 21 Sep 1999 04:00:00



Geology Wrote:
[snip]

>> associated with it is running. BTW, can anyone tell me what the
>> ToolTalk [crap] is? I have a job running:

>>  14643 ?        0:54 rpc.ttdb
>> (I killed it off for now)
[snip]

>Did you also run strings on that one? It could be most illuminating  :-/.

Yes, that was the first thing I did. Second was 'diff' it with one off a
CD-backup from fresh install of same OS version - it checked out. I
have since, of course, found the latest CERT alert which implicated said
suite of binaries.... I should trust my hunches more....

Cheers,
Filip.

P.S. I have updated and trimmed down most of the [semi-trusted] systems
around the dept. This should have been done years ago. Next is to do
something about some professors who have root access and have the sheet
with passwords (yikes) taped up on the wall of their office (yikes^2)...
We're up... and ready for another left hook ;-)
--
+---------> Geology Club of the University of Pittsburgh

|           http://www.pitt.edu/~geoclub/
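Filip's check above (diff the live binary against a copy from the CD backup of a fresh install) is the right idea and generalises to a whole tree: hash every file on the known-good media, hash the same paths on the live host, and report what differs. The following is an added example, not the poster's script; the "clean" and "live" trees are constructed in temporary directories, and the file names and contents in them are made up for the demonstration.

```python
"""Verify a live tree against a known-good baseline by file hash.
Added example; build_demo() constructs both trees for illustration."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict[str, str]:
    """Map each regular file under root (relative POSIX path) to its SHA-256.
    Symlinks are skipped so a link planted on the live host cannot make the
    audit read a file from somewhere else."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def compare(baseline: dict[str, str], live: dict[str, str]) -> dict[str, list[str]]:
    """Three lists: files whose content changed, files only on the live host
    (like the binary found in /dev), and baseline files that are gone."""
    return {
        "modified": sorted(k for k in baseline if k in live and live[k] != baseline[k]),
        "added": sorted(k for k in live if k not in baseline),
        "missing": sorted(k for k in baseline if k not in live),
    }


def audit(baseline_root: Path, live_root: Path) -> dict[str, list[str]]:
    return compare(hash_tree(baseline_root), hash_tree(live_root))


def build_demo() -> tuple[Path, Path]:
    """Constructed stand-ins: a 'clean install' tree and a 'live' tree in which
    lpsched has been replaced and a stray binary has appeared under dev/.
    Paths and contents are invented for the example."""
    clean = Path(tempfile.mkdtemp(prefix="clean_"))
    live = Path(tempfile.mkdtemp(prefix="live_"))
    genuine = {
        "usr/lib/lpsched": b"genuine lpsched bytes (constructed)",
        "usr/bin/strings": b"genuine strings bytes (constructed)",
        "etc/inetd.conf": b"# constructed config\n",
    }
    for root in (clean, live):
        for rel, data in genuine.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
    (live / "usr/lib/lpsched").write_bytes(b"replaced lpsched (constructed)")
    (live / "dev").mkdir()
    (live / "dev/td").write_bytes(b"[*] stacheldraht [*] (constructed)")
    return clean, live


if __name__ == "__main__":
    clean_root, live_root = build_demo()
    for kind, paths in audit(clean_root, live_root).items():
        print(f"{kind:9} {paths}")
```

Two practical points follow from the thread itself. The baseline has to come from media the compromised host could never have written to (a CD, as here), and the tools doing the comparison should run from that media too, since the CERT alert Filip mentions implicated a suite of system binaries and a replaced strings or diff would happily report itself clean.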


HA... the saga continues (found a binary)

Post by Mark Nelso » Tue, 21 Sep 1999 04:00:00




>Geology Wrote:
>[snip]
>>> associated with it is running. BTW, can anyone tell me what the
>>> ToolTalk [crap] is? I have a job running:

>>>  14643 ?        0:54 rpc.ttdb
>>> (I killed it off for now)
>[snip]

>>Did you also run strings on that one? It could be most illuminating  :-/.

>Yes, that was the first thing I did. Second was 'diff' it with one off a
>CD-backup from fresh install of same OS version - it checked out. I
>have since, of course, found the latest CERT alert which implicated said
>suite of binaries.... I should trust my hunches more....

>Cheers,
>Filip.

>P.S. I have updated and trimmed down most of the [semi-trusted] systems
>around the dept. This should have been done years ago. Next is to do
>something about some professors who have root access and have the sheet
>with passwords (yikes) taped up on the wall of their office (yikes^2)...
>We're up... and ready for another left hook ;-)

If it was up to me I would terminate the professors' root access
accounts and give them ordinary user accounts, so that I had to approve any
actions before they could do anything that might affect the system.

HA... the saga continues (found a binary)

Post by Geology Cl » Wed, 22 Sep 1999 04:00:00




>>I have updated and trimmed down most of the [semi-trusted] systems
>>around the dept. This should have been done years ago. Next is to do
>>something about some professors who have root access and have the sheet
>>with passwords (yikes) taped up on the wall of their office (yikes^2)...
>>We're up... and ready for another left hook ;-)

>If it was up to me I would terminate the Professors root access
>acounts and give them ordinary user accounts that I had to approve any
>actions before they could do anything that might affect the system.

Fly-in-the-soup: their grant-money bought machines... their grant-money
keeps software licenses active.

What I _did_ do is automate the license-server startup and proofed them
for use in /etc/rc* scripts. If they fail (god knows why?) they e-mail
the active sys-admin who may elect to ask the prof to do something
specific (like spend more $$ :-) This, effectively, removes profs from
the loop as far as the system is concerned. I hope I don't ruffle too
many feathers though :-|

I have been automating most things.. like I wrote a simple script that
calls analog on the apache server, updates a stats page, rotates logs,
and sends e-mail to the office secretary so she can tell the grant
people how well their money is working (NSF mostly). This is ready to
be crontab'ed... ensuring that we won't have another 130MB access_log
ever again that no one knows what to do with ;-)

Hehehehe... I found we have yet another ancient machine on the semi-
trusted net... running IRIX 5.2... zero patches. [sigh]... [I just
spent a good half hour looking into this] 5.2 isn't supported...
many patches carry a "upgrade OS" note... sigh... something tells
me we'll be retiring that machine :-) All that prof really needs is
an Xterm and I can do that with Linux in no time.

Cheers,
Filip G.
--
+---------> Geology Club of the University of Pittsburgh

|           http://www.pitt.edu/~geoclub/


HA... the saga continues (found a binary)

Post by DHobb » Wed, 22 Sep 1999 04:00:00



> Hehehehe... I found we have yet another ancient machine on the semi-
> trusted net... running IRIX 5.2... zero patches. [sigh]... [I just
> spent a good half hour looking into this] 5.2 isn't supported...
> many patches carry a "upgrade OS" note... sigh... something tells
> me we'll be retiring that machine :-) All that prof really needs is
> an Xterm and I can do that with Linux in no time.

Is it an Indigo?  Don't trash the machine, 6.5 loads just fine onto it.
It's a touch slow, but it runs well.

Dan


HA... the saga continues (found a binary)

Post by Geology Cl » Wed, 22 Sep 1999 04:00:00




>> Hehehehe... I found we have yet another ancient machine on the semi-
>> trusted net... running IRIX 5.2... zero patches. [sigh]... [I just
>> spent a good half hour looking into this] 5.2 isn't supported...
>> many patches carry a "upgrade OS" note... sigh... something tells
>> me we'll be retiring that machine :-) All that prof really needs is
>> an Xterm and I can do that with Linux in no time.

>Is it an Indigo?  Don't trash the machine, 6.5 loads just fine onto it.
>It's a touch slow, but it runs well.

What's the $damage$? She (prof) will be calling the local SGI folks
this week to find out. I found she has an active license for ENVI
for it (remote sensing package) so has to keep it. The Linux option
was just the last resort... she knows IRIX and prolly would hate
learning another flavor.

BTW, do you know what memory type this machine takes? Is it custom
or 72pin SIMMs? She's gotten 2 dumps because of a bad one... and
if she moves to 6.5, it might be nice to max out the memory.

Cheers,
Filip G.
--
+---------> Geology Club of the University of Pittsburgh

|           http://www.pitt.edu/~geoclub/


HA... the saga continues (found a binary)

Post by DHobb » Wed, 22 Sep 1999 04:00:00





> >> Hehehehe... I found we have yet another ancient machine on the semi-
> >> trusted net... running IRIX 5.2... zero patches. [sigh]... [I just
> >> spent a good half hour looking into this] 5.2 isn't supported...
> >> many patches carry a "upgrade OS" note... sigh... something tells
> >> me we'll be retiring that machine :-) All that prof really needs is
> >> an Xterm and I can do that with Linux in no time.

> >Is it an Indigo?  Don't trash the machine, 6.5 loads just fine onto it.
> >It's a touch slow, but it runs well.

> What's the $damage$? She (prof) will be calling the local SGI folks
> this week to find out. I found she has an active license for ENVI
> for it (remote sensing package) so has to keep it. The Linux option
> was just the last resort... she knows IRIX and prolly would hate
> learning another flavor.

> BTW, do you know what memory type this machine takes? Is it custom
> or 72pin SIMMs? She's gotten 2 dumps because of a bad one... and
> if she moves to 6.5, it might be nice to max out the memory.

I don't know what type it is, but here's an idea.  When I had one open,
it looked like it was special, not EDO or 72 Pin:

Desc: 256MB KIT FOR SILICON GRAPHIC POWER INDIGO 2 / MSD
Vendor: KINGSTON TECHNOLOGY (MEMORY)
Online/Fax Order Price is $719.55 Call-in/Sales Person Assisted Price
$746.70      Retail Price: $871.00
MFR PART NUMBER: KSG256/R40

Dan


HA... the saga continues (found a binary)

Post by Thomas H Jones I » Thu, 23 Sep 1999 04:00:00







>> >Is it an Indigo?  Don't trash the machine, 6.5 loads just fine onto it.
>> >It's a touch slow, but it runs well.

umm... need to amend that: it runs on SOME Indigos. It depends which CPU is
in the Indigo. You'll need to consult the IRIX 6.5/CPU matrix.

>> What's the $damage$? She (prof) will be calling the local SGI folks
>> this week to find out. I found she has an active license for ENVI
>> for it (remote sensing package) so has to keep it. The Linux option
>> was just the last resort... she knows IRIX and prolly would hate
>> learning another flavor.

well, the differences between IRIX 5.2 and IRIX 6.5 can be fairly major
(at least to a system administrator). Not to mention the fact that if
she is running 5.2, she is probably using COFF binaries, which IRIX 6.5
does NOT support.

>> BTW, do you know what memory type this machine takes? Is it custom
>> or 72pin SIMMs? She's gotten 2 dumps because of a bad one... and
>> if she moves to 6.5, it might be nice to max out the memory.

>I don't know what type it is, but here's an idea.  When I had one open,
>it looked like it was special, not EDO or 72 Pin:

Indigos and Indigo2's use different memory, if I recall correctly.
Indigo 2's use 60-80ns ECC 72-pin SIMMS. Don't recall what the older
Indigos used.

-tom

--

"You can only be -so- accurate with a claw-hammer."  --me


HA... the saga continues (found a binary)

Post by Justin Mead » Sat, 25 Sep 1999 04:00:00


> > BTW, do you know what memory type this machine takes? Is it custom
> > or 72pin SIMMs? She's gotten 2 dumps because of a bad one... and
> > if she moves to 6.5, it might be nice to max out the memory.

> I don't know what type it is, but here's an idea.  When I had one open,
> it looked like it was special, not EDO or 72 Pin:

> Desc: 256MB KIT FOR SILICON GRAPHIC POWER INDIGO 2 / MSD  
> Vendor: KINGSTON TECHNOLOGY (MEMORY)
> Online/Fax Order Price is $719.55 Call-in/Sales Person Assisted Price
> $746.70      Retail Price: $871.00  
> MFR PART NUMBER: KSG256/R40  

DO NOT PAY THIS!!!  I use an Indigo2 at work and recently upgraded the memory
with old 72 pin SIMMs from a PC.  I have been running this way for several
months with absolutely no problems.  In fact, if you need parts for your SGI
you should check out http://www.reputable.com .  We have bought several
things from Reputable with no problems.

Justin
