
[cobalt-users] RAQ hacked and scripts installed: r0nin, milk



Hi,

The files were in

ls -l /home/tmp/
total 151
----------    1 nobody   nobody      30127 Dec 18 09:07 km
----------    1 nobody   nobody      24583 Dec 18 09:07 kmod
----------    1 nobody   nobody       1730 Dec 18 09:07 l.asm --> 1)
----------    1 nobody   nobody       1465 Dec 18 09:07 mdelry.sh --> deleted the logfiles
----------    1 nobody   nobody      24006 Dec 18 09:07 milk
----------    1 nobody   nobody      41876 Dec 18 09:07 own
----------    1 nobody   nobody      19242 Dec 18 09:07 r0nin
----------    1 nobody   nobody       1089 Dec 18 09:07 udp.pl --> 2)
----------    1 nobody   nobody        710 Dec 18 09:07 wget-log --> 3)

The files were owned by user httpd and group root.

1)
; The following program can be used to test if a x86 Linux system
; is vulnerable to the do_brk() exploit; use at your own risk.
; by Christophe Devine
; Linux Kernel 2.4.22 "do_brk()" Proof of Concept
; Advisory FR : http://www.k-otik.net/bugtraq/12.02.Kernel.2422.php

2)
#!/usr/bin/perl
#####################################################
# udp flood.
#
# gr33ts: meth, etech, skrilla, datawar, fr3aky, etc.
#
# --/odix
######################################################

3)
--04:33:19--  http://www.viperhaxu.hpg.com.br/kmod
           => `kmod.1'
Resolving www.viperhaxu.hpg.com.br... done.
Connecting to www.viperhaxu.hpg.com.br[200.226.137.9]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.viperhaxu.hpg.ig.com.br/kmod [following]
--04:40:29--  http://www.viperhaxu.hpg.ig.com.br/kmod
           => `kmod.1'
Resolving www.viperhaxu.hpg.ig.com.br... done.
Connecting to www.viperhaxu.hpg.ig.com.br[200.226.137.12]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 28,248 [text/plain]

    0K .......... .......... .......                         100%   30.75 KB/s

04:40:32 (30.75 KB/s) - `kmod.1' saved [28248/28248]


The rest of the files are binary.

The ps -ax output of the problematic lines:


25889 ?        S      0:00 ./r0nin
28922 ?        S      0:00 ./r0nin
28923 ttyp1    S      0:00 sh -i
20515 ?        S      0:00 ./r0nin
20516 ttyp2    S      0:00 sh -i
20603 ttyp2    T      9:10 perl udp.pl 200.234.87.71 80 5000
20605 ttyp2    T      0:00 sh -c (sleep 5000;killall -9 udp) &
20606 ttyp2    T      0:00 sleep 5000

As the logfiles were deleted, we do not know how they came in.

Do you have any experience or info regarding this?

thx
Herby
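As an added triage aid (example code, not part of Herby's post or of the Cobalt software), the script below runs over the `ps -ax` and `ls -l` lines quoted in the message and flags the indicators visible there: binaries started from a relative `./` path, interactive `sh -i` shells on a pty, every other process sharing a tty with such a shell, mode-000 files, and files in the scratch directory owned by the web server's service account. The sample lines are copied from the post with one benign `httpd` line and one benign file added as negatives; the service-account names are assumptions.

```python
import re

# ps -ax lines from the post plus one benign httpd line (constructed sample input)
PS_SAMPLE = """\
25889 ?        S      0:00 ./r0nin
28922 ?        S      0:00 ./r0nin
28923 ttyp1    S      0:00 sh -i
20515 ?        S      0:00 ./r0nin
20516 ttyp2    S      0:00 sh -i
20603 ttyp2    T      9:10 perl udp.pl 200.234.87.71 80 5000
20605 ttyp2    T      0:00 sh -c (sleep 5000;killall -9 udp) &
20606 ttyp2    T      0:00 sleep 5000
 1234 ?        S      0:03 httpd
"""
# ls -l lines in the style of the post's /home/tmp listing (constructed sample input)
LS_SAMPLE = """\
----------    1 nobody   nobody      30127 Dec 18 09:07 km
----------    1 nobody   nobody      19242 Dec 18 09:07 r0nin
-rw-r--r--    1 nobody   nobody        710 Dec 18 09:07 wget-log
-rw-r--r--    1 root     root         4096 Dec 18 09:07 README
"""
# ps: pid, tty, state, time, command   /   ls: mode, links, owner, group, size, date x3, name
PS_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\S+\s+\d+:\d+\s+(.*)$")
LS_RE = re.compile(r"^(\S{10})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(.+)$")

def suspicious_processes(ps_output):
    """Return (pid, reason, cmd) for each process matching an indicator from the post."""
    rows = [m.groups() for m in map(PS_RE.match, ps_output.splitlines()) if m]
    # ttys on which an interactive shell is running: whatever else sits there was launched by it
    shell_ttys = {tty for _pid, tty, cmd in rows if cmd.startswith("sh -i") and tty != "?"}
    hits = []
    for pid, tty, cmd in rows:
        if cmd.startswith("./"):
            hits.append((int(pid), "relative-path executable", cmd))
        elif cmd.startswith("sh -i"):
            hits.append((int(pid), "interactive shell", cmd))
        elif tty in shell_ttys:
            hits.append((int(pid), "launched from interactive shell tty " + tty, cmd))
    return hits

def suspicious_files(ls_output):
    """Return (name, reason) for mode-000 files and files owned by a service account."""
    hits = []
    for mode, owner, _group, name in (m.groups() for m in map(LS_RE.match, ls_output.splitlines()) if m):
        if mode == "----------":          # chmod 000 is a common way to hide dropped tools
            hits.append((name, "mode 000"))
        elif owner in ("nobody", "httpd"):  # assumed web-server accounts; adjust for your box
            hits.append((name, "owned by service account " + owner))
    return hits
```

Run it on a live `ps -ax` / `ls -l` capture to get a first cut of what to preserve before cleaning up; it does not replace imaging the disk.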