Very Computer

I received 2 e-mails yesterday from people telling me to stop hacking
them, so I did some poking around. I've got a RedHat 6.1 box as a firewall
between my home network and my cable modem. It does DNS (BIND 8.2.1), www,
pop3, imap, and was running telnet and ftp. I noticed a lot of activity on my
cable modem and ps revealed these processes:
TTY     COMMAND
p0      -sh
p0      sh ./r00t 163 25
p0      ./scan 163 53 25
p0      bash ./try 163.25.114.10
p0      ./bind 163.25.114.10 -e

There's nothing of consequence in the messages file. The only thing in the
secure file is:
in.fingerd[16167]: refused connect from 24.8.15.218
in.fingerd[16167]: refused connect from 24.8.123.216
in.fingerd[16167]: refused connect from 217.9.228.25
in.fingerd[16167]: refused connect from 217.11.163.147

I disabled telnet in inetd.conf, sent a SIGHUP, verified that I could no longer
telnet in, killed every ttyp0 process, and a few minutes later they were back.
The last line above was replaced with:

What's going on?

Keith

backup critical data
pull plug
reformat
reinstall
apply security updates
restore backups

Are you running BIND in caching mode, or do you really need it to host
your own DNS? That one is a real bullseye.

--
Hal B




--

Specifically, it appears that a cable-modem cracker is issuing commands via
script or from your cracked box manually in order to determine
vulnerabilities at a school in Taiwan:

Assuming that the 'finger' attempts are related to the break-in on your sys,
here is a short list:

Attack points:


   CableBG cable box in Asia Pacific
   Some box in Europe
   Your cracked box

Targets:
   2 boxes from the Ministry of Education Computer Center in Taiwan

Quote:>  p0      ./scan 163 53 25
>  p0      bash ./try 163.25.114.10
>  p0      ./bind 163.25.114.10 -e

Do you use a kernel <= 2.2.18 and have an open telnet account and/or an
insecure CGI script (that allows executing arbitrary perl code); you can
detect them in lines like

open FH, "| /usr/sbin/sendmail $address";

or

`cat Somefile | mail $adress`

(variable interpolation in an open, system or backtick command)? They
are widely used to get into a system.

Otherwise take a look at http://www.insecure.org and similar sites and
look at the described holes there.

--
2.4.5 in init/main.c(634):
  Tell the world that we're going to be the grim reaper of innocent
  orphaned children.

comments inline below...

Quote:> I received 2 e-mails yesterday from people telling me to stop hacking
> them, so I did some poking around. I've got a RedHat 6.1 box as a
> firewall  between my home network and my cable modem. It does DNS (BIND
> 8.2.1), www,  pop3, imap, and was running telnet and ftp.

Quote:> cable modem and ps revealed these processes:
> TTY     COMMAND
> p0      -sh
> p0      sh ./r00t 163 25
> p0      ./scan 163 53 25
> p0      bash ./try 163.25.114.10
> p0      ./bind 163.25.114.10 -e

You need to pull the plug. Wipe the disks (FORMAT!) and reinstall. Get your
vendor's latest updates and apply them before connecting. Learn how to turn
stuff off...especially things like bind, ftp, and just about everything
else you were offering to the net. Figure out how to implement a packet
filter using ipchains/iptables. Keep up with your vendor's updated
packages. Finally: plug back in and enjoy your fresh, new linux
installation.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
Comment: Making the world safe for geeks.

iQA/AwUBO1HjrMAVSpfzXItKEQKpKwCgyf9k+HivjBbZwnMNMQqWMySyp7gAoLhZ
gf5VJ33ImBJrPrzP155ZBFnI
=Xp7I
-----END PGP SIGNATURE-----

1. ssh <ip> -l root
2. try out some simple passwords:
     1234, aaa, 4711, 0815, abc, root and the empty line
3. enjoy

Quote:> > cable modem and ps revealed these processes:
> > TTY     COMMAND
> > p0      -sh
> > p0      sh ./r00t 163 25
> > p0      ./scan 163 53 25
> > p0      bash ./try 163.25.114.10
> > p0      ./bind 163.25.114.10 -e

>  sheesh, I shudder to think of what your ps wasn't showing you. It looks

for x in `ls /proc | grep '^[0-9]*$'`; do cat /proc/$x/cmdline; echo; done

--
#!/usr/bin/perl -- Forget the express prospect!#Which was the original text?
use LWP'Simple;use URI'Escape;print"e> ";<STDIN>=~/(.*)/;for(en_de=>'de_en')
{get("http://babelfish.altavista.com/tr?doit=done&tt=urltext&lp=$_&urltext="
.uri_escape$1)=~/(?:d bgcolor=white|q")>(.*?)</s;print"$1 - (c)babelfish\n"}

Quote:> I received 2 e-mails yesterday from people telling me to stop hacking
> them, so I did some poking around. I've got a RedHat 6.1 box

Quote:> as a firewall between my home network and my cable modem. It does DNS
> (BIND 8.2.1),

Quote:> www, pop3, imap,

Quote:> and was running telnet

Quote:> and ftp.

Quote:> I noticed a lot
> of activity on my cable modem and ps revealed these processes:
> TTY     COMMAND
> p0      -sh
> p0      sh ./r00t 163 25
> p0      ./scan 163 53 25
> p0      bash ./try 163.25.114.10
> p0      ./bind 163.25.114.10 -e

Quote:> There's nothing of consequence in the messages file.

Quote:> I disabled telnet in inetd.conf, sent a SIGHUP, verified that I could no
> longer telnet in, killed every ttyp0 process, and a few minutes later
> they were back.

--
   PGP/GnuPG key (ID 1024D/BFE0D6D0) available from keyservers everywhere
    Key fingerprint = 3EBC 97FC 68AA 65F1 65E6  3D36 35F6 4213 BFE0 D6D0
                             "...life goes on
                  long after the thrill of living is gone..."

Quote:>harddisk, install a newer version of linux, lock down the services,
>disable everything unneeded, try to get any update packages off the 'net
>using another box and update, configure whatever is running for minimal
>privileges and minimal access, restore user data, look over your new
>firewall configuration _really_ _closely_, and only *then* consider
>bringing it back online. please do not try to do this any other way.

The box is the primary DNS server for my domain. The kernel is 2.2.12.

From the r00t file:
"Bind Mass Scanner/Rooter"
"Project started by em1nem and EponaRhi"
"*Exploitable versions: 8.2, 8.2.1, 8.2.2"
"                       8.2.2-REL, 8.2.2-P3"
"                       8.2.2-P5, 8.2.2-P7 and 4.9.6-REL"

Looks like formatting and upgrading will make me immune to this particular hack.

You're right Ian, the box was most definitely a server. It was also a firewall
in that it provided dynamic NAT for my privately IP'd internal network.

I understood that I was leaving myself open to attacks like this when I
configured the box. The services it was running were all things I was either
using or learning. Now I get to learn how to configure these services securely.

Thanks again, all.

Keith

Quote:

> The box is the primary DNS server for my domain. The kernel is 2.2.12.

> Looks like formatting and upgrading will make me immune to this
> particular hack.

> You're right Ian, the box was most definitely a server. It was also a
> firewall  in that it provided dynamic NAT for my privately IP'd internal
> network.

If you are going to run a DNS server, it needs to live by itself...chroot
it, run it as a non-priv user, run something besides Bind, run it in a User
Mode processes. Put it in a DMZ by itself. Filter TCP access wherever you
can. Filter UDP to catch common exploits. Run something other than Bind. I
guess that one bears repeating :)

After you get up and running again, do not think that you can set and
forget. You should check with your OS vendor to see about subscription
updates. Also you should figure out some way of performing regular
automated system audits on the machine(s) that offer external services.

Every now and then dip in there and sniff some traffic and see what your
boxes are up to (and subjected to).

Good luck getting right again, Keith.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
Comment: Making the world safe for geeks.

iQA/AwUBO1IyjMAVSpfzXItKEQLc/wCdExmWhH+rE1ERJlNJhSD0XJKeL54AnRoS
YgMGiBkBmoLlqa2NKfHH7uz9
=Qxbt
-----END PGP SIGNATURE-----

Keith

Whether they use it or not, they have a copy of your /etc/passwd and
/etc/shadow files ... Once they rooted your box, they will have
installed backdoors that allow them to enter your box at will without
needing a password, and without logging their entry.

The bad news is, that you may never know what backdoors, or how many
they have installed, let alone whether or not they have trojaned any of
your other system binaries.

As Ian has advised, you need to backup any vital data, format the disk
and start from scratch including updateing daemons firewalling and
hardening your box.

If you are up to it, keep the disk as is and slip a new one in so that
you can do some forensics on the hacked disk later, but it is important
to get it off line asap. :(
--
Regards
Luke
------
Q:  What does FAQ stand for?
A:  We are Frequently Asked this Question, and we have no idea.
------
PLEASE NOTE: Spamgard (tm) installed.

------

: You are being used to scan for, and break into other peoples systems. In
: short, you are "owned" as they say, probably because you are running
: older versions with known holes. The standard recommendation is to:

: backup critical data
: pull plug
: reformat
: reinstall
: apply security updates
: restore backups

You're either forgetting a step in there, or getting them out of order
(pull plug is kind of ambiguous). The first step, especially since this
machine is known to be attacking other machines, is to get it offline.
Pulling the ethernet/modem cable will do the trick. Once that is done, you
can do backups (you may want to be more specific about what should be
backed up and what needs to be watched out for, so the system isn't
recompromised by the backups) without being a threat to the rest of the
world.

jessica

Quote:> The bad news is, that you may never know what backdoors, or how many
> they have installed, let alone whether or not they have trojaned any of
> your other system binaries.

> As Ian has advised, you need to backup any vital data, format the disk
> and start from scratch including updateing daemons firewalling and
> hardening your box.

> If you are up to it, keep the disk as is and slip a new one in so that
> you can do some forensics on the hacked disk later, but it is important
> to get it off line asap. :(

Thanks again, everyone.

Keith

Keith