Hacked? odd /bin/login on webserver.


Post by suppor » Tue, 18 Apr 2000 04:00:00



Hi.
We have noticed some unusual files on one of our webservers outside our
firewall.

System: Suse linux 6.1

standard size of /bin/login :  325940 May  1  1999
new size         /bin/login :  290652 May  1  1999

other odd files : /root/etc.z
                  /root/netscdll.z
                  /root/newcinet.exe
                  /root/execute  0 bytes
                  /root/fetch    0 bytes

ps reported the following unusual process

/usr/sbin/sendmail -FCronDaemon -odi -oem -or0s -root

The machine is now offline of course. We will be re-installing a later
version of the OS today.

Does anybody recognise this as a known exploit?

The new login binary wasn't using the passwd file and wouldn't allow
logins from legit users.

--
Roger Tattersall
  Sysadm, Support, Technical

WebWorlds Limited
  Internet solutions for business
  1 Westgate, Otley, West Yorkshire LS21 3AT
  url: http://webworlds.net/
  tel: 44(0)1943.851200

Registered in England No 3229164
Registered office: 20-22 Bedford Row, London WC1R 4JS

 
 
 

Hacked? odd /bin/login on webserver.

Post by Ralf Hildebran » Tue, 18 Apr 2000 04:00:00



>Hi.
>We have noticed some unusual files on one of our webservers outside our
>firewall.

>System: Suse linux 6.1

>standard size of /bin/login :  325940 May  1  1999
>new size         /bin/login :  290652 May  1  1999

Check the content with
% strings /bin/login
perhaps you gain some insights.

Also check open network connections (OK, now you can't since the box is
offline).

>other odd files : /root/etc.z
>                  /root/netscdll.z
>                  /root/newcinet.exe
>                  /root/execute  0 bytes
>                  /root/fetch    0 bytes

What's in those?

>The new login binary wasn't using the passwd file and wouldn't allow
>logins from legit users.

What a stupid thing to do...

 
 
 

Hacked? odd /bin/login on webserver.

Post by Ralph Angenen » Tue, 18 Apr 2000 04:00:00



>/usr/sbin/sendmail -FCronDaemon -odi -oem -or0s -root

>Does anybody recognise this as a known exploit?

Bug in crond. Search http://www.veryComputer.com/ (in the Bugtraq archive)
for more.

>The new login binary wasn't using the passwd file and wouldn't allow
>logins from legit users.

*y stupid script kiddies ;-)

When would you have noticed, if login still would have been allowed?

Ralph

 
 
 

Hacked? odd /bin/login on webserver.

Post by suppor » Tue, 18 Apr 2000 04:00:00



> When would you have noticed, if login still would have been allowed?

> Ralph

Yes indeed, fortunately there was a root login running on console....
--
Roger Tattersall
  Sysadm, Support, Technical


 
 
 

Hacked? odd /bin/login on webserver.

Post by suppor » Tue, 18 Apr 2000 04:00:00



> Check the content with
> % strings /bin/login
> perhaps you gain some insights.

Hushlogin root
less error messages than standard binary.
the word 'root' hardcoded in various places.

> >other odd files : /root/etc.z
> >                  /root/netscdll.z
> >                  /root/newcinet.exe
> >                  /root/execute  0 bytes
> >                  /root/fetch    0 bytes

> Whats in those?

strings reports various capitalized DOS-ish looking names with
extensions such as .DLL, .Z etc.

Running strings on the new and original login files and then running
diff on the results was interesting.


> >The new login binary wasn't using the passwd file and wouldn't allow
> >logins from legit users.

> What a stupid thing to do...

Not all hackers are genii ;?)

--
Roger Tattersall
  Sysadm, Support, Technical

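The strings-and-diff comparison described in this post, as an added example that is not part of the original thread: the two byte strings are constructed stand-ins for the original and replaced /bin/login (not real binary contents), and the checks (hardcoded 'root', fewer error messages, DOS-style names) follow what the poster reported seeing.

```python
import re

# Constructed stand-ins for the two binaries (NOT real /bin/login contents):
# printable text embedded in binary junk, as `strings` would see it.
ORIGINAL_LOGIN = (b"\x7fELF\x02\x01\x00\x00" + b"Login incorrect\x00" + b"/etc/passwd\x00"
                  + b"\x90\x90\xcc" + b"Too many users\x00" + b"%s login: \x00" + b"\x00\x01\x02")
BACKDOORED_LOGIN = (b"\x7fELF\x02\x01\x00\x00" + b"root\x00" + b"hushlogin\x00"
                    + b"\x90\x90\xcc" + b"%s login: \x00" + b"NETSCDLL.Z\x00" + b"\x00\x01\x02")

MIN_LEN = 4  # same default minimum run length as GNU strings

def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> list:
    """Return runs of at least min_len printable ASCII bytes, like `strings`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, blob)]

def compare_strings(original: bytes, suspect: bytes) -> dict:
    """Diff the string tables of a known-good and a suspect binary, the way the
    poster did by hand with strings + diff. Reports strings that appeared or
    vanished, how often 'root' is hardcoded, and DOS-style file names."""
    old, new = extract_strings(original), extract_strings(suspect)
    old_set, new_set = set(old), set(new)
    return {
        "added": sorted(new_set - old_set),      # new in the suspect binary
        "removed": sorted(old_set - new_set),    # e.g. missing error messages
        "root_count": sum(s.lower().count("root") for s in new),
        "dos_names": [s for s in new if re.fullmatch(r"[A-Z0-9_]+\.(DLL|EXE|Z)", s)],
    }

if __name__ == "__main__":
    report = compare_strings(ORIGINAL_LOGIN, BACKDOORED_LOGIN)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a real system the two inputs would be the package's pristine /bin/login (from the install media or a clean host) and the suspect file, read with `open(path, "rb").read()`.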

 
 
 

Hacked? odd /bin/login on webserver.

Post by Ralf Hildebran » Tue, 18 Apr 2000 04:00:00



>Hushlogin root
>less error messages than standard binary.
>the word 'root' hardcoded in various places.

Wietse Venema has some slides about computer forensics on www.porcupine.org
With help of that I unscrambled what a hacker left on a box here.

>strings reports various capitalized DOS-ish looking names with
>extensions such as .DLL .Z etc.

Strange. Why would anybody upload Windoze stuff to a Linux box?

>running strings on the new and original login files and then running
>diff on the results was interesting.

:)
 
 
 

Hacked? odd /bin/login on webserver.

Post by elle.. » Tue, 18 Apr 2000 04:00:00



> Strange. Why would anybody upload Windoze stuff to a Linux box?

1. It makes it easier to ship off to other targets, via mail or
   whathaveyou.

2. If it's a dual-boot machine, you can simply copy them onto the
   windows partition.

3. Your attacker may not be skilled enough to know the difference
   between the two. :)

--

 
 
 

Hacked? odd /bin/login on webserver.

Post by suppor » Tue, 18 Apr 2000 04:00:00




> > Strange. Why would anybody upload Windoze stuff to a Linux box?

> 1. It makes it easier to ship off to other targets, via mail or
>    whathaveyou.

> 2. If it's a dual-boot machine, you can simply copy them onto the
>    windows partition.

NO WAY!


> 3. Your attacker may not be skilled enough to know the difference
>    between the two. :)

They replaced the login binary...

--
Roger Tattersall
  Sysadm, Support, Technical


 
 
 

Hacked? odd /bin/login on webserver.

Post by suppor » Tue, 18 Apr 2000 04:00:00



> Hi.
> We have noticed some unusual files on one of our webservers outside our
> firewall.

> System: Suse linux 6.1

> standard size of /bin/login :  325940 May  1  1999
> new size         /bin/login :  290652 May  1  1999

Bind updated now, thanks to all.

--
Roger Tattersall
  Sysadm, Support, Technical


 
 
 

Hacked? odd /bin/login on webserver.

Post by Ralf Hildebran » Tue, 18 Apr 2000 04:00:00



>Bind updated now, thanks to all.

Running as user named instead of root?
Running chroot'ed?
 
 
 

Hacked? odd /bin/login on webserver.

Post by elle.. » Tue, 18 Apr 2000 04:00:00



>> 3. Your attacker may not be skilled enough to know the difference
>>    between the two. :)
> They replaced the login binary...

Yes, but that's not to say that they weren't running someone else's
scripts without any real idea what they were doing. If I had to guess,
I would bet that he simply acquired all of his tools from someplace
else, and uploaded them all.

--

 
 
 

Hacked? odd /bin/login on webserver.

Post by Osiri » Tue, 18 Apr 2000 04:00:00




> > When would you have noticed, if login still would have been allowed?

> > Ralph

> Yes indeed, fortunately there was a root login running on console....

If you can spare it:
        Save the disk from the old server.  There are a LOT of things you can
still find out about the culprit.

Search out .bash_history files.  Wtmp and Utmp are sometimes not
cleaned.  Looks like you were running tripwire.  You may also find the
original connection still in the logs when he did the core dump that
gave him his door.  Look for that and you will have a machine that is on
the trail back to him.  Really do some detailed forensics on the disk
and you may find a whole bunch of information you can use to start
tearing down his string of compromised servers.  Even if you take only
one of them back you have done something to strike back.

IT IS TIME WE ADMINS PUT A STOP TO THIS CRAP.

--
Real programmers would scratch ones and zeros into
bare metal if Dan and Brian hadn't invented 'C'.

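The wtmp check suggested above, as an added example that is not from the thread: it assumes glibc's 384-byte x86 utmp record layout (as on the SuSE 6.1 box in question), the sample wtmp bytes are constructed, and it includes a zeroed record of the kind a log cleaner leaves behind so the parser shows both things worth hunting first.

```python
import struct
from datetime import datetime, timezone

# glibc's 384-byte struct utmp as written to /var/log/wtmp on little-endian x86
# (assumed layout: type, pad, pid, line, id, user, host, exit status, session,
# tv_sec, tv_usec, addr_v6, unused).
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS, DEAD_PROCESS = 7, 8

def _cstr(raw: bytes) -> str:
    return raw.split(b"\x00", 1)[0].decode("latin-1")

def parse_wtmp(data: bytes) -> list:
    """Decode every record; keep zeroed ones too, since a log cleaner leaves those."""
    records = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        chunk = data[off:off + UTMP_SIZE]
        f = struct.unpack(UTMP_FMT, chunk)
        records.append({
            "type": f[0], "pid": f[1], "line": _cstr(f[2]), "user": _cstr(f[4]),
            "host": _cstr(f[5]), "time": f[9], "zeroed": chunk == b"\x00" * UTMP_SIZE,
        })
    return records

def suspicious_logins(records: list) -> list:
    """Flag remote root logins and wiped records; returns (index, reason) pairs."""
    hits = []
    for i, r in enumerate(records):
        if r["zeroed"]:
            hits.append((i, "zeroed record (possible log cleaner)"))
        elif r["type"] == USER_PROCESS and r["user"] == "root" and r["host"]:
            when = datetime.fromtimestamp(r["time"], timezone.utc).isoformat()
            hits.append((i, f"remote root login from {r['host']} on {r['line']} at {when}"))
    return hits

def make_record(utype, pid, line, user, host, when) -> bytes:
    """Build one record (used here only to construct the sample data)."""
    return struct.pack(UTMP_FMT, utype, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, when, 0, 0, 0, 0, 0, b"")

# Constructed sample wtmp: console root login, a wiped record, then root on ttyp0 from a remote host.
SAMPLE_WTMP = (make_record(USER_PROCESS, 412, "tty1", "root", "", 955900000)
               + b"\x00" * UTMP_SIZE
               + make_record(USER_PROCESS, 981, "ttyp0", "root", "192.0.2.10", 955930000))

if __name__ == "__main__":
    for idx, why in suspicious_logins(parse_wtmp(SAMPLE_WTMP)):
        print(f"record {idx}: {why}")
```

Run it against a copy of the seized disk's /var/log/wtmp (and btmp where present), never against the live file, and expect the record size to differ on other libc/architecture combinations.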
 
 
 

Hacked? odd /bin/login on webserver.

Post by Ralf Hildebran » Wed, 19 Apr 2000 04:00:00



>This is a multi-part message in MIME format.

Why? -- post plain text instead.

>Search out .bash_history files.

Oh yes. Lots of stuff in those.
 
 
 

Hacked? odd /bin/login on webserver.

Post by Vince Van De Coeverin » Sat, 22 Apr 2000 04:00:00


I had the very same thing happen to me.  They used a security hole
in the named service to get in.  If the file ADMROCKS is
in the /var/named directory then the same thing probably happened
to you too.

See www.cert.org for details on how it happened and what you can
do to recover.

    Vince


> Hi.
> We have noticed some unusual files on one of our webservers outside our
> firewall.

> System: Suse linux 6.1

> standard size of /bin/login :  325940 May  1  1999
> new size         /bin/login :  290652 May  1  1999

> other odd files : /root/etc.z
>                   /root/netscdll.z
>                   /root/newcinet.exe
>                   /root/execute  0 bytes
>                   /root/fetch    0 bytes

> ps reported the following unusual process

> /usr/sbin/sendmail -FCronDaemon -odi -oem -or0s -root

> The machine is now offline of course. We will be re-installing a later
> version of the OS today.

> Does anybody recognise this as a known exploit?

> The new login binary wasn't using the passwd file and wouldn't allow
> logins from legit users.


 
 
 

Hacked? odd /bin/login on webserver.

Post by Roger Tattersal » Wed, 26 Apr 2000 04:00:00




> I had the very same thing happen to me.  They used a security hole
> in the named service to get in.  If the file ADMROCKS is
> in the /var/named directory then the same thing probably happened
> to you too.

> See www.cert.org for details on how it happened and what you can
> do to recover.

I updated to a later version of bind, as recommended on SuSE's website
and cert.

Cheers

Roger

--

Roger Tattersall
  Sysadm, Support, Technical


 
 
 

/bin/login Hacked

Hi all,

    I have restored the problem with /bin/login from another machine. Do
you know where I can find information about this backdoor? And is
there any possibility to find out the hacker? Thanks a lot to all who
help me.

Cheers,

    Jose

--
Jose Angel Berna Galiano
Grupo de Control, Ingenieria de Sistemas y Transmision de Datos
Departamento de Fisica, Ingenieria de Sistemas y Teoria de la Señal
Universidad de Alicante
Apartado de Correos 99  03080 Alicante (Spain)
Telefono: 96 5903968 Fax: 96 5903682

WWW: http://www.disc.ua.es/~jberna/
