Security Incidents mailing list archives

Re: msamba


From: Steve Bromwich <incident () fop ns ca>
Date: Tue, 22 Apr 2003 11:08:18 -0300 (ADT)

Thanks for all the responses. I'll summarise them in approximate
order of volume:

1. Congrats to all the people out of the office. Hope you're having
fun.

2. I downloaded the virus, but didn't do anything more than run strings
over it. I didn't realise it was infected with a virus already, though;
that's certainly interesting.

3. I haven't managed to get a copy of 73.tgz; I think he copied it in
by hand, possibly by scp after he reset the root password. I think this
was where the "./setup muie 55055 angelboy () the-darkside info" came
from.

4. This was caught because he did rm -rf /var/log, which stopped exim
from running as it couldn't log incoming and outgoing mail. There was
also some kind of monitor app running that fired off a whole bunch of
rm threads deleting everything he touched whenever someone tried to log
in (I think). I logged in to see a whole bunch of threads doing
something like ./evil rm -rf directoryname, after which I had the
client pull the power.

5. After I booted off a superrescue CD to have a poke around, I found a
whole bunch of files in /bin, /usr/bin, /usr/sbin, /sbin which had been
modified in the previous 24 hours.

6. After copying off the most recently modified data (no executables) I
formatted and reinstalled Debian from CD. Data was restored from backup
and the most recently modified data was eyeballed and put back (it was
only 5 text files).

7. I still have access to all the files that were left after the rm
run. If anyone would like a copy of any of the system files to tinker
with, let me know and I'll pull them off.

8. I haven't contacted anyone because I don't have any hard evidence of
where the intrusion came from. The cahcepu.net appears to be run by the
guy who tried to get in anyway so I didn't feel it was too worthwhile.

Once again, thanks for everyone's comments!

Cheers, Steve
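Points 4 and 5 above (logs wiped, binaries under /bin, /sbin, /usr/bin and /usr/sbin modified within 24 hours, examined from a rescue CD on a Debian box) as an added example that is not part of Steve's post: a script that scans a mounted root for recently modified system binaries and compares every file against the md5sums dpkg recorded under var/lib/dpkg/info. The mount point, the file names and the sample root it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: examine a root filesystem mounted read-only from a rescue
# CD (e.g. /mnt/root, an assumed path) for binaries changed within the last
# day and for files whose digest no longer matches what dpkg recorded.

# Print files under ROOT's bin, sbin, usr/bin and usr/sbin modified in the
# last DAYS days (find -mtime is POSIX; -mmin is not).
recently_modified() {
  r="$1"; days="$2"
  for d in bin sbin usr/bin usr/sbin; do
    if [ -d "$r/$d" ]; then find "$r/$d" -type f -mtime "-$days"; fi
  done | sort
}

# Compare every file listed in ROOT/var/lib/dpkg/info/*.md5sums with its
# current digest under ROOT; report files that are missing or changed.
dpkg_mismatches() {
  r="$1"
  cat "$r"/var/lib/dpkg/info/*.md5sums 2>/dev/null |
  while read -r want path; do
    f="$r/$path"
    if [ ! -f "$f" ]; then echo "MISSING $path"; continue; fi
    have=$(md5sum "$f" | cut -d' ' -f1)
    [ "$have" = "$want" ] || echo "MODIFIED $path"
  done | sort
}

# Constructed sample root (not a real disk): digests recorded for three
# "binaries", then ps replaced, netstat deleted, ls backdated to April 2003.
build_sample_root() {
  s=$(mktemp -d)
  mkdir -p "$s/bin" "$s/usr/bin" "$s/var/lib/dpkg/info"
  printf 'original ls\n' > "$s/bin/ls"
  printf 'original ps\n' > "$s/bin/ps"
  printf 'original netstat\n' > "$s/usr/bin/netstat"
  (cd "$s" && md5sum bin/ls bin/ps usr/bin/netstat \
     > var/lib/dpkg/info/sample.md5sums)
  printf 'trojaned ps\n' > "$s/bin/ps"
  rm "$s/usr/bin/netstat"
  touch -t 200304200000 "$s/bin/ls"
  echo "$s"
}

sample=$(build_sample_root)
echo "== modified in last 24h =="; recently_modified "$sample" 1
echo "== dpkg md5sum mismatches =="; dpkg_mismatches "$sample"
rm -rf "$sample"
```

The md5sums files live on the same disk the intruder had root on, so a clean comparison is weak evidence; the recorded digests should be checked against a trusted Debian mirror's packages where possible.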
