Incidents
More /sumthin, maybe Feb 03 2003 08:52AM
Sverre H. Huseby (shh thathost com) (1 replies)
I got a couple of E-mails from a guy that _may_ have more info on the
/sumthin case. One of his servers was "owned", and he _thinks_ the
/sumthin request was the start of the attack. His E-mails follow:

==================================================================

I got hit with the same thing. /sumthin is exactly what everyone
thinks it is - a probe. Someone used my version info to exploit a
bug in SSL. I still don't know what the bugs are yet, but it's
really evident. From there, he looged in as my webserver, and
totally F$%^&D my server. He set up some kind of irc server, and
compromised so much of my server I'm having to rebuild from the
ground up. He redirected the root .bash_history to /dev/nul and
redirected the mail logs and he set up an account called tcp so he
could log in through ssh. Most of the services were shut down
(that's how I figured something was up - I couldn't get my mail).

even though he did wipe the root history, he forgot to wipe
wwwrun's history, it's too long to post, but it will be up for a
short while at http://XXX [Sverre sais: URL removed. log file
attached.]

He also replaced bash and set the default runlevel to halt, so
when I restarted the system just stopped (what a pisser).

When I went back and grepped all the logs, the /sumthin only shows
up in the logs of one domain (despite the fact we host around [N])
and starts sometime around mid October as everyone else has
noticed.

==================================================================

I found things like this in /tmp and /var/tmp:

drwxr-xr-x 3 wwwrun nogroup 153 Jan 26 04:10 a
-rw-r--r-- 1 wwwrun nogroup 14138 Jan 4 20:32 a.tgz
-rw-r--r-- 1 wwwrun nogroup 14138 Jan 4 20:32 a.tgz.1
-rw-r--r-- 1 wwwrun nogroup 14138 Jan 4 20:32 a.tgz.2
-rwxr-xr-x 1 wwwrun nogroup 19577 Nov 28 15:55 alarmd
drwxr-xr-x 5 wwwrun nogroup 635 Dec 22 17:00 orbit-root
drwxr-xr-x 9 wwwrun nogroup 553 Jan 12 09:52 psybnc
-rw-r--r-- 1 wwwrun nogroup 596571 Oct 17 23:19 psybnc.tar.gz

after that I did a find / -user wwwrun and found a bunch of stuff
and then discovered several other uids involved.

==================================================================

The attached shell history file shows what appears to be a manual
attacker downloading and installing several files using wget. Some of
the files are no longer available, but the few I managed to download
seem to be either related to IRC (server and bot), or to Linux local
exploits. (I only spent a couple of minutes downloading and glancing
at the files.)

Sverre.

--
shh (at) thathost (dot) com [email concealed] Computer Geek? Try my Nerd Quiz
http://shh.thathost.com/ http://nerdquiz.thathost.com/

[ reply ]
Re: More /sumthin Feb 26 2003 02:23PM
Philipp Hug (securityfocus hugit ch) (1 replies)
RE: More /sumthin Feb 26 2003 09:14PM
Jonathan A. Zdziarski (jonathan networkdweebs com) (1 replies)
Re: More /sumthin Feb 27 2003 12:59AM
D.C. van Moolenbroek (dc van moolenbroek chello nl)


 

Privacy Statement
Copyright 2010, SecurityFocus