Security Incidents mailing list archives

Re: Linux-box hacked, ls, ps, login modified


From: rickt () UNIXLABS NET (Rick Tait)
Date: Thu, 23 Mar 2000 00:50:17 -0500


It's times and incidents like this that remind me of the power of
[ch,ls]attr & friends.

Why not set up your box as you want it, then chattr +i all the binaries
that could potentially be trojaned - and then *remove* the ability from
the running kernel to remove the +i bit? That way - no binary can be
modified *at* all. End result: no trojans! cf:

[root@sigsegv sbin]# cp /tmp/install.log /bin/login
cp: overwrite `/bin/login', overriding mode 0755? y
cp: cannot create regular file `/bin/login': Permission denied

Someone gave me a perl script (syscapset) to do this last week and it
works fabulously. AFAIK, one can't undo the removal of the immutable bit
after using syscapset until you reboot. And John Q. Cracker is unlikely to
do this due to the rather large suspicion quotient involved.

I've tested this and it *does* work. Of course, moving the script to a
secured box after using it, thus not leaving it lying around for prying
eyes would be a good thing. :)

Anyone who's interested in said script, let me know.

Rick.

On Wed, 22 Mar 2000, Frank Derichsweiler wrote:

Hi list,

Anybody seen this?
The process for gl0ck is running as root on a red hat box.

/bin/bincp/glox.su:

gl0ck 3.2 [icmp/tcp/udp/frag+rand ID] by ip, this copy is registred to s3phz

usage: Cancer <ip#1,ip#2,...> [options]

-F <type>       : i=icmp s=syn u=udp f=fragbomb [i=icmp]
-I <addr>       : Use <addr> as source [random]
-p <port>       : Destinationport in syn/udp flood
-s <size>       : Payload size in bytes(always 0 in synflood) [0]
-c <count>      : Only send <count> packets [endless]
-m <count>      : Multiple packets(<count>) in each packetburst [1]
-d <delay>      : Microsec(s) delay between bursts [0]
-t <min>        : Floodtimeout in min(s) [30]
-l <port>       : CancerServer, listen for cmd's on <port>
-f <hostfile>   : Flood using CancerServers in <hostfile>
-q              : Quiet mode

Further investigation showed that /bin/ls /bin/ps /bin/login were
replaced by trojaned ones.

Luckily I found a source file with code for an exploit. Unfortunately
I cannot transfer it from "\xeb \x38 ..." to a readable form.

Any ideas?

TIA
Frank


--
Frank Derichsweiler
Please *NO* CC: I read the mailing list !


--
main(v, c)char**c;{for(v[c++]="Rick Tait <rickt () unixlabs net>\n)";(!!c)[*
c]&&(v--||--c&&execlp(*c,*c,c[!!c]+!!c,!c));**c=!c)write(!!*c,*c,!!**c);}
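An audit script for the setup Rick describes, added here and not part of the thread or the syscapset script: it checks that each critical binary still carries the +i bit (read through the FS_IOC_GETFLAGS ioctl; the constant's value assumes 64-bit Linux) and that CAP_LINUX_IMMUTABLE is no longer in the capability bounding set. Modern kernels keep the bounding set per process rather than in the 2.2-era cap-bound sysctl, so the second check applies to the process tree it runs in; the CRITICAL list is an assumption.

```python
import fcntl
import os
import struct

FS_IOC_GETFLAGS = 0x80086601   # _IOR('f', 1, long); assumed 64-bit Linux value
FS_IMMUTABLE_FL = 0x00000010   # the +i bit that chattr sets on an inode
CAP_LINUX_IMMUTABLE = 9        # capability needed to clear +i again

# Assumed list: the binaries the thread reports as trojaned, plus the tools
# that change attributes (the ones an intruder would reach for first).
CRITICAL = ["/bin/ls", "/bin/ps", "/bin/login", "/usr/bin/chattr", "/usr/bin/lsattr"]


def is_immutable(path):
    """True if the inode flags of `path` include FS_IMMUTABLE_FL (lsattr shows 'i')."""
    fd = os.open(path, os.O_RDONLY)
    try:
        raw = fcntl.ioctl(fd, FS_IOC_GETFLAGS, struct.pack("l", 0))
    finally:
        os.close(fd)
    return bool(struct.unpack("l", raw)[0] & FS_IMMUTABLE_FL)


def cap_in_bounding_set(cap, status_text):
    """Parse the CapBnd line of /proc/<pid>/status; True if `cap` can still be gained."""
    for line in status_text.splitlines():
        if line.startswith("CapBnd:"):
            return bool(int(line.split()[1], 16) >> cap & 1)
    raise ValueError("no CapBnd line in status text")


def audit(paths, status_text, probe=is_immutable):
    """Return findings as strings; an empty list means the box matches Rick's setup."""
    findings = []
    for path in paths:
        try:
            if not probe(path):
                findings.append(f"{path}: immutable bit not set")
        except OSError as exc:          # missing file or filesystem without inode flags
            findings.append(f"{path}: cannot read flags ({exc.strerror})")
    if cap_in_bounding_set(CAP_LINUX_IMMUTABLE, status_text):
        findings.append("CAP_LINUX_IMMUTABLE still in bounding set: +i can be cleared")
    return findings


if __name__ == "__main__":
    with open("/proc/self/status") as fh:
        status = fh.read()
    for finding in audit(CRITICAL, status) or ["ok: binaries immutable, capability dropped"]:
        print(finding)
```

Run it as root from the same shell (or service) the system is administered from, since that is the bounding set that matters.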


