Very Computer

Ok, did a few hours (4+ :-) of digging into the machine that wasn't
properly scanned for 'bugs' (because there is no funding for it) and
what do you know... I found a binary, executable, in /dev which looks
most suspicious under strings:

-----------------chop-with-axe----------------chop-with-axe---------------------
%d.%d.%d.%d
/bin/sh
ICMP
Error sending syn packet.
tc: unknown host
3.3.3.3
mservers
randomsucks
reading %s
skillz
rm -rf td

./td
130.243.70.20
127.0.0.1
lpsched
no masterserver config found.
using default ones.
available servers: %i - working servers : 0
[*] stacheldraht [*] installation failed.
found a working [*] stacheldraht [*] masterserver.
masterserver is gone, looking for a new one
sicken
in.telne
./0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
-----------------chop-with-axe----------------chop-with-axe---------------------

I checked and 130.243.70.20 is alive... It's "bilbo.mdh.se"... and
it appears to be some sort of college/school with "12,000 students".
How should I contact them? Or should I wait?

I've been looking at the above commands and also in 'vim -b'
and it looks like the program 'td' copied our 'lpcched' binary to
130.243.70.20 and called it 'sol.bin' (or 'td')... I don't know what
they can get from 'lpsched' except ... hmmm... *UNLESS* what actually
happened was the reverse, rcp'ed 'sol.bin' from 130.243.70.20 INTO our
lpsched and ran that... [shiver].

I find the line:
rm -rf td
to be most telling...

OR it was cloaking under 'lpsched' while still running? Otherwise,
why include that name in the binary?

I have chmod 0000'd the binary and ensured that nothing in any way
associated with it is running. BTW, can anyone tell me what the
ToolTalk [crap] is? I have a job running:

 14643 ?        0:54 rpc.ttdb
(I killed it off for now)

and I don't know what it's for. The man page is useless.
I don't think it's related... but if I'm going to putz with this
machine, I'd like to know what's 'normal' and what isn't.
I checked all the rc/inet/init scripts and they look clean.

I wonder if this is in any way capable of listening to local
traffic.....  it doesn't look like the answer is a "no"...

I will e-mail the sysadmin of "bilbo.mdh.se" and ask them if
they have had any security problems... and if they possibly
know about any 'sol.bin'...

I don't have pgp on this account... but that's the only way I
am at all willing to send this binary for analysis... Depending
on what you (collective expertise) say, I will act accordingly.
This program seems to me to be a "bootstrap"... and doesn't
bode well.

Cheers, I think...
Filip G.

Ever try getting sendmail to work... and much later become convinced
that the sendmail.cf was crafted by satan himself? ARGH!
--
+---------> Geology Club of the University of Pittsburgh

|           http://www.pitt.edu/~geoclub/

Did you also run strings on that one? It could be most illuminating  :-/.

greets, Erick

Geology Wrote:
[snip]

Quote:>> associated with it is running. BTW, can anyone tell me what the
>> ToolTalk [crap] is? I have a job running:

>>  14643 ?        0:54 rpc.ttdb
>> (I killed it off for now)
[snip]

>Did you also run strings on that one? It could be most illuminating  :-/.

Yes, that was the first thing I did. Second was 'diff' it with one off a
CD-backup from fresh install of same OS version - it checked out. I
have since, of course, found the latest CERT alert which implicated said
suite of binaries.... I should trust my hunches more....

Cheers,
Filip.

P.S. I have updated and trimmed down most of the [semi-trusted] systems
around the dept. This should have been done years ago. Next is to do
something about some professors who have root access and have the sheet
with passwords (yikes) taped up on the wall of their office (yikes^2)...
We're up... and ready for another left hook ;-)
--
+---------> Geology Club of the University of Pittsburgh

|           http://www.pitt.edu/~geoclub/

If it was up to me I would terminate the Professors root access
acounts and give them ordinary user accounts that I had to approve any
actions before they could do anything that might affect the system.

Fly-in-the-soup: their grant-money bought machines... their grant-money
keeps software licenses active.

What I _did_ do is automate the license-server startup and proofed them
for use in /etc/rc* scripts. If they fail (god knows why?) they e-mail
the active sys-admin who may elect to ask the prof to do something
specific (like spend more $$ :-) This, effectively, removes profs from
the loop as far as the system is concerned. I hope I don't ruffle too
many feathers though :-|

I have been automating most things.. like wrote a simple script that
calls analog on apache server, updates a stat's page, rotates logs,
and sends e-mail to the office secretaty so she can tell the grant
people how well their money is working (NSF mostly). This is ready to
be crontab'ed... ensuring that we won't have another 130MB access_log
ever again that no one knows what to do with ;-)

Hehehehe... I found we have yet another ancient machine on the semi-
trusted net... running IRIX 5.2... zero patches. [sigh]... [I just
spent a good half hour looking into this] 5.2 isn't supported...
many patches carry a "upgrade OS" note... sigh... something tells
me we'll be retiring that machine :-) All that prof really needs is
an Xterm and I can do that with Linux in no time.

Cheers,
Filip G.
--
+---------> Geology Club of the University of Pittsburgh

|           http://www.pitt.edu/~geoclub/

Is it an Indigo?  Don't trash the machine, 6.5 loads just fine onto it.
It's a touch slow, but it runs well.

Dan

What's the $damage$? She (prof) will be calling the local SGI folks
this week to find out. I found she has an active license for ENVI
for it (remote sensing package) so has to keep it. The Linux option
was just the last resort... she knows IRIX and prolly would hate
learning another flavor.

BTW, do you know what memory type this machine takes? Is it custom
or 72pin SIMMs? She's gotten 2 dumps because of a bad one... and
if she moves to 6.5, it might be nice to max out the memory.

Cheers,
Filip G.
--
+---------> Geology Club of the University of Pittsburgh

|           http://www.pitt.edu/~geoclub/

I don't know what type it is, but here's an idea.  When I had one open,
it looked like it was special, not EDO or 72 Pin:

Desc: 256MB KIT FOR SILICON GRAPHIC POWER INDIGO 2 / MSD
Vendor: KINGSTON TECHNOLOGY (MEMORY)
Online/Fax Order Price is $719.55 Call-in/Sales Person Assisted Price
$746.70      Retail Price: $871.00
MFR PART NUMBER: KSG256/R40

Dan

umm... need to amend that: it runs on SOME indigo's. it depends which CPU is
in the indigo. youll need to consult the IRIX 6.5/CPU matrix.

Quote:>> What's the $damage$? She (prof) will be calling the local SGI folks
>> this week to find out. I found she has an active license for ENVI
>> for it (remote sensing package) so has to keep it. The Linux option
>> was just the last resort... she knows IRIX and prolly would hate
>> learning another flavor.

well, the differences between IRIX 5.2 and IRIX 6.5 can be fairly major
(at least to a system administrator). Not to mention the fact that if
she is running 5.2, she is probably using COFF binaries, which IRIX 6.5
does NOT support.

Quote:>> BTW, do you know what memory type this machine takes? Is it custom
>> or 72pin SIMMs? She's gotten 2 dumps because of a bad one... and
>> if she moves to 6.5, it might be nice to max out the memory.

>I don't know what type it is, but here's an idea.  When I had one open,
>it looked like it was special, not EDO or 72 Pin:

Indigos and Indigo2's use different memory, if i recall correctly.
Indigo 2's use 60-80ns ECC 72-pin SIMMS. dont recall what the older
Indigos used.

-tom

--

"You can only be -so- accurate with a claw-hammer."  --me

Quote:> > BTW, do you know what memory type this machine takes? Is it custom
> > or 72pin SIMMs? She's gotten 2 dumps because of a bad one... and
> > if she moves to 6.5, it might be nice to max out the memory.

> I don't know what type it is, but here's an idea.  When I had one open,
> it looked like it was special, not EDO or 72 Pin:

> Desc: 256MB KIT FOR SILICON GRAPHIC POWER INDIGO 2 / MSD  
> Vendor: KINGSTON TECHNOLOGY (MEMORY)
> Online/Fax Order Price is $719.55 Call-in/Sales Person Assisted Price
> $746.70      Retail Price: $871.00  
> MFR PART NUMBER: KSG256/R40  

DO NOT PAY THIS!!!  I use an Indigo2 at work and recently upgraded the memory
with old 72 pin SIMMs from a PC.  I have been running this way for several
months with absolutely no problems.  In fact, if you need parts for you SGI
you should check out http://www.reputable.com .  We have bought several
things from Reputable with no problems.

Justin