Posting to comp.os.linux.security relative to the /usr/bin/xntps crack

[see CrackAttack ]

From: W1LL1AM GAT35 (nHuAlTlE@blSackholeP.isAi.edMu.invalid) Search Result 1
Subject: Re: Has anyone seen this hack?
Newsgroups: comp.os.linux.security
Date: 2001-10-20		 View: Complete Thread (20 articles) | Original Format
11:14:31 PST

Mike Handley said:
>pointed bash_history > /dev/null

Patched bash-2.03 can log what's intruder doing.
http://project.honeynet.org/papers/honeynet/bash.patch

>Nslookups:
>They modified /etc/resolv.conf to include only
>nameserver 193.51.164.3 (dns01.iarc.fr)
>nameserver 207.126.96.162 (ns.above.net)

=======================
DNS spoofing mechanism:

/etc/hosts				  /etc/resolv.conf
					 query						 set dns entry
					 localhost					set localhost=a.b.c.d
					 dialinx.net				 set dialinx.net=a.b.c.d
209.173.102.42------------>193.51.164.3<========a.b.c.d
209.173.102.35				 dns01.iarc.fr		  intruder
lightspeedtech.net			207.126.96.162		 |
		  ^		 ^----------ns.above.net			|
		  |		 a.b.c.d								 |
		  |		 query answer						  |
/etc/hosts.allow:										 |
localhost		 <-------------------------------+
dialinx.net				 login admin lpd
								/etc/passwd

>Telneting to each just closed the connection.
Because 127.0.0.1 != localhost.
127.0.0.1 is not include in /etc/hosts.allow.

nslookup localhost
nslookup ???.dialinx.net
nslookup dialinx.net.dk?		  193.51.164.3
nslookup ninja.dialinx.net?	  dns01.iarc.fr
nslookup konya.tsuki.dk?		  ns.above.net
	...	brute force other combination
a.b.c.d intruder's ip

---------->8---------->8---------->8---------->8---------->8----------
#!/bin/sh

##############################
#
#		 bflookup
#
# Brute force DNS look up
#
#		 *NO WARRANTEE*
#		 *NO GUARANTEE*
#		 W1LL1AM GAT35
#
##############################

		  # setting
Vbases='dialinx.net dk navipath.net'

Vlist='_SPACE_ ninja. tsunami. linux.
konya. wa. tsuki. ga. dete. imasu. ne.
bind. admin. lpd. WVSh5. APtAhDyFoziZw.
navipath.net. dialinx.net. dk.'

Vdns1='193.51.164.3'
Vdns2='207.126.96.162'
Vdns="$Vdns1 $Vdns2"

		  # count dot separated list
Fcount () {
# $1  : dot separated list

		  echo $1			|
		  sed 's/\./ /g'  |
		  wc -w
}

for Vkey1 in $Vlist; do
		  [ $Vkey1 = _SPACE_ ] && Vkey1=''
		  for Vkey2 in $Vlist; do
					 [ $Vkey2 = _SPACE_ ] && Vkey2=''
					 for Vkey3 in $Vlist; do
								[ $Vkey3 = _SPACE_ ] && Vkey3=''
								for Vbase in $Vbases; do
										  Vurl="$Vkey1$Vkey2$Vkey3$Vbase"
										  Vnum=$(Fcount $Vurl)
										  [ "$Vnum" -le 1 ] && break
										  [ "$Vnum" -gt 4 ] && break
										  for Vsrv in $Vdns; do
													 Cmd="nslookup $Vurl $Vsrv"
													 echo "$Cmd"
													 $Cmd 2>/dev/null > bflookup.log
													 # sleep 1
										  done
								done
					 done
		  done
done
---------->8---------->8---------->8---------->8---------->8----------

=========
Programs:

+-------+-----------------------+-----------------------+-------------------+
|daemon |sshd						 |sniffer					 |ircd					| +-------+-----------------------+-----------------------+-------------------+
|name	|/bin/term				  |/sbin/klogd				|/RAND/mysqld		 |
|		 |/usr/sbin/init.d		 |							  |						 | +-------+-----------------------+-----------------------+-------------------+
|proc	|[bash]					  |klogd ?					 |'ps aux' 40>logined| +-------+-----------------------+-----------------------+-------------------+
|port	|9706						 |eth0						 |3879 ?				 | +-------+-----------------------+-----------------------+-------------------+
|start  |/etc/rc.d/rc.local	  |/etc/rc.d/rc.local	  |/etc/rc.d/rc.local |
|		 |/etc/rc.d/rc.sysinit	|							  |						 | +-------+-----------------------+-----------------------+-------------------+
|file	|							  |.log						 |						 | +-------+-----------------------+-----------------------+-------------------+
|misc	|/usr/sbin/xntps -q	  |user pass				  |mIRC32 v5.7		  |
|		 |							  |ftp						  |K.Mardam-Bey		 |
+-------+-----------------------+-----------------------+-------------------+

-------------------------
/random_exist_dir/mysqld:
(/usr/bin/share/mysqld	same)
(/usr/share/mysql/mysqld same)
(/etc/rc.d/mysqld		  same)
function
		  Spoofs: %d.%d.%d.%d - %d.%d.%d.%d
		  attack tools ? Packeting(udp), Panning, Tsunami, Killing_pid
password ?
		  Konya wa tsuki ga dete imasu ne.
		  ninja
copy themselves /random_exist_dir/mysqld
write (append) /etc/rc.d/rc.local

Intruder communicate with irc.
I think this irc don't encrypt contents.
You can sniff it using tcpdump or other sniffer.

======
Files:

-------------------
/etc/rc.d/rc.local:
		  killall -9 rpc.statd
		  killall -9 gdm
		  killall -9 gpm
		  killall -9 lpd

		  why kill? launch same name prog? cheese worm?

		  /sbin/klogd
		  term (/bin/term)
		  "/usr/bin/share/mysqld"
		  "/usr/share/mysql/mysqld"
		  "/etc/rc.d/mysqld"
		  /random_exist_dir/mysqld ?
---------------------
/etc/rc.d/rc.sysinit:
		  /usr/sbin/init.d (same as /bin/term)

------------
/etc/passwd:
		  admin
		  lpd

-----------------
/etc/hosts.allow:
		  ALL: .navipath.net		216.67.0.0 - 216.67.127.255
		  ALL: localhost.localdomain		-> /etc/resolv.conf
		  ALL: localhost						-> /etc/resolv.conf
		  ALL: .dialinx.net no exist?	  -> /etc/resolv.conf
		  ALL: .dk

		  Name:	  navipath.net
		  Name:	  www.navipath.net
		  Aliases:  ftp.navipath.net
		  Address:  216.67.14.7
		  Name:	  solutionscripts.com
		  Address:  216.205.84.186
		  Name:	  webmin.com
		  Address:  216.136.171.204
		  dialinx.net N.A.

-----------------
/etc/resolv.conf:
		  193.51.164.3	 dns01.iarc.fr
		  207.126.96.162  ns.above.net

		  nslookup localhost 193.51.164.3					  # dns01.iarc.fr
		  nslookup localhost.localdomain 193.51.164.3	  # dns01.iarc.fr
		  nslookup localhost 207.126.96.162					# ns.above.net
		  nslookup localhost.localdomain 207.126.96.162	# ns.above.net

		  *** dns01.iarc.fr can't find localhost: Non-existent host/domain
		  *** ns.above.net can't find localhost: Non-existent host/domain

=====
Misc:
strings /bin/ls
strings /usr/bin/find
strings /bin/ps
strings /bin/netstat
strings /usr/sbin/lsof

strings /usr/sbin/xntps

strings /usr/sbin/rpc.statd
strings /usr/bin/gdm
strings /usr/sbin/gpm
strings /usr/sbin/lpd

HTH,
W1LL1AM

-- MarioStorti - 08 Feb 2002

Topic revision: r1 - 2002-02-08 - 16:21:58 - MarioStorti
 

TWIKI.NET
This site is powered by the TWiki collaboration platformCopyright � by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback