Posting to comp.os.linux.security relative to the /usr/bin/xntps crack

[see CrackAttack ]

From: W1LL1AM GAT35 (nHuAlTlE@blSackholeP.isAi.edMu.invalid)
Subject: Re: Has anyone seen this hack?
Newsgroups: comp.os.linux.security
Date: 2001-10-20 11:14:31 PST

Mike Handley said:
>pointed bash_history > /dev/null

A patched bash-2.03 can log what the intruder is doing.
http://project.honeynet.org/papers/honeynet/bash.patch

>Nslookups:
>They modified /etc/resolv.conf to include only
>nameserver 193.51.164.3 (dns01.iarc.fr)
>nameserver 207.126.96.162 (ns.above.net)

=======================
DNS spoofing mechanism:

/etc/hosts                     /etc/resolv.conf
                    query                        set dns entry
                    localhost                    set localhost=a.b.c.d
                    dialinx.net                  set dialinx.net=a.b.c.d
209.173.102.42------------>193.51.164.3<========a.b.c.d
209.173.102.35             dns01.iarc.fr        intruder
lightspeedtech.net         207.126.96.162          |
          ^      ^----------ns.above.net           |
          |      a.b.c.d                           |
          |      query answer                      |
/etc/hosts.allow:                                  |
localhost        <---------------------------------+
dialinx.net               login admin lpd
                          /etc/passwd

>Telneting to each just closed the connection.
Because 127.0.0.1 != localhost.
127.0.0.1 is not included in /etc/hosts.allow.

nslookup localhost
nslookup ???.dialinx.net
nslookup dialinx.net.dk?          193.51.164.3
nslookup ninja.dialinx.net?       dns01.iarc.fr
nslookup konya.tsuki.dk?          ns.above.net
    ...  brute force other combinations
a.b.c.d  intruder's ip

---------->8---------->8---------->8---------->8---------->8----------
#!/bin/sh

##############################
#
#        bflookup
#
# Brute force DNS look up
#
#        *NO WARRANTEE*
#        *NO GUARANTEE*
#        W1LL1AM GAT35
#
##############################

        # setting
Vbases='dialinx.net dk navipath.net'

Vlist='_SPACE_ ninja. tsunami. linux.
konya. wa. tsuki. ga. dete. imasu. ne.
bind. admin. lpd. WVSh5. APtAhDyFoziZw.
navipath.net. dialinx.net. dk.'

Vdns1='193.51.164.3'
Vdns2='207.126.96.162'
Vdns="$Vdns1 $Vdns2"

        # count dot separated list (number of labels in a name)
Fcount () {
# $1  : dot separated list

        echo "$1"         |
        sed 's/\./ /g'    |
        wc -w             |
        tr -d ' '
}

        # start with an empty log; every lookup below appends to it
: > bflookup.log

for Vkey1 in $Vlist; do
        [ "$Vkey1" = _SPACE_ ] && Vkey1=''
        for Vkey2 in $Vlist; do
                [ "$Vkey2" = _SPACE_ ] && Vkey2=''
                for Vkey3 in $Vlist; do
                        [ "$Vkey3" = _SPACE_ ] && Vkey3=''
                        for Vbase in $Vbases; do
                                Vurl="$Vkey1$Vkey2$Vkey3$Vbase"
                                Vnum=$(Fcount "$Vurl")
                                # only try names with 2 to 4 labels
                                [ "$Vnum" -le 1 ] && break
                                [ "$Vnum" -gt 4 ] && break
                                for Vsrv in $Vdns; do
                                        Cmd="nslookup $Vurl $Vsrv"
                                        echo "$Cmd"
                                        # append ('>' would keep only the last answer)
                                        $Cmd 2>/dev/null >> bflookup.log
                                        # sleep 1
                                done
                        done
                done
        done
done
---------->8---------->8---------->8---------->8---------->8----------

=========
Programs:

+-------+-----------------------+-----------------------+-------------------+
|daemon |sshd                   |sniffer                |ircd               |
+-------+-----------------------+-----------------------+-------------------+
|name   |/bin/term              |/sbin/klogd            |/RAND/mysqld       |
|       |/usr/sbin/init.d       |                       |                   |
+-------+-----------------------+-----------------------+-------------------+
|proc   |[bash]                 |klogd ?                |'ps aux' 40>logined|
+-------+-----------------------+-----------------------+-------------------+
|port   |9706                   |eth0                   |3879 ?             |
+-------+-----------------------+-----------------------+-------------------+
|start  |/etc/rc.d/rc.local     |/etc/rc.d/rc.local     |/etc/rc.d/rc.local |
|       |/etc/rc.d/rc.sysinit   |                       |                   |
+-------+-----------------------+-----------------------+-------------------+
|file   |                       |.log                   |                   |
+-------+-----------------------+-----------------------+-------------------+
|misc   |/usr/sbin/xntps -q     |user pass              |mIRC32 v5.7        |
|       |                       |ftp                    |K.Mardam-Bey       |
+-------+-----------------------+-----------------------+-------------------+

-------------------------
/random_exist_dir/mysqld:
(/usr/bin/share/mysqld   same)
(/usr/share/mysql/mysqld same)
(/etc/rc.d/mysqld        same)
function
		  Spoofs: %d.%d.%d.%d - %d.%d.%d.%d
		  attack tools ? Packeting(udp), Panning, Tsunami, Killing_pid
password ?
		  Konya wa tsuki ga dete imasu ne.
		  ninja
copies itself to /random_exist_dir/mysqld
writes (appends to) /etc/rc.d/rc.local

The intruder communicates over IRC.
I think this IRC doesn't encrypt its contents.
You can sniff it using tcpdump or another sniffer.

======
Files:

-------------------
/etc/rc.d/rc.local:
		  killall -9 rpc.statd
		  killall -9 gdm
		  killall -9 gpm
		  killall -9 lpd

		  why kill? launch same name prog? cheese worm?

		  /sbin/klogd
		  term (/bin/term)
		  "/usr/bin/share/mysqld"
		  "/usr/share/mysql/mysqld"
		  "/etc/rc.d/mysqld"
		  /random_exist_dir/mysqld ?
---------------------
/etc/rc.d/rc.sysinit:
		  /usr/sbin/init.d (same as /bin/term)

------------
/etc/passwd:
		  admin
		  lpd

-----------------
/etc/hosts.allow:
        ALL: .navipath.net              216.67.0.0 - 216.67.127.255
        ALL: localhost.localdomain      -> /etc/resolv.conf
        ALL: localhost                  -> /etc/resolv.conf
        ALL: .dialinx.net no exist?     -> /etc/resolv.conf
        ALL: .dk

        Name:     navipath.net
        Name:     www.navipath.net
        Aliases:  ftp.navipath.net
        Address:  216.67.14.7
        Name:     solutionscripts.com
        Address:  216.205.84.186
        Name:     webmin.com
        Address:  216.136.171.204
        dialinx.net N.A.

-----------------
/etc/resolv.conf:
        193.51.164.3    dns01.iarc.fr
        207.126.96.162  ns.above.net

        nslookup localhost 193.51.164.3                 # dns01.iarc.fr
        nslookup localhost.localdomain 193.51.164.3     # dns01.iarc.fr
        nslookup localhost 207.126.96.162               # ns.above.net
        nslookup localhost.localdomain 207.126.96.162   # ns.above.net

        *** dns01.iarc.fr can't find localhost: Non-existent host/domain
        *** ns.above.net can't find localhost: Non-existent host/domain

=====
Misc:
strings /bin/ls
strings /usr/bin/find
strings /bin/ps
strings /bin/netstat
strings /usr/sbin/lsof

strings /usr/sbin/xntps

strings /usr/sbin/rpc.statd
strings /usr/bin/gdm
strings /usr/sbin/gpm
strings /usr/sbin/lpd

HTH,
W1LL1AM

-- MarioStorti - 08 Feb 2002
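The hosts.allow / resolv.conf trick in the post above is easy to audit on a host. The script below is an added example, not part of the original posting: it lists tcpwrappers client patterns that are matched by hostname (so whoever controls the resolver in /etc/resolv.conf decides who gets in) and nameservers outside an expected list. The two sample files are constructed to mirror the compromised host, and the "expected" resolver 10.0.0.53 is an assumed value.

```shell
#!/bin/sh
# Added example: audit hosts.allow for name-based rules and resolv.conf
# for unexpected nameservers. Sample files are constructed; the expected
# site resolver (10.0.0.53) is an assumption.
HOSTS_ALLOW=$(mktemp)
RESOLV_CONF=$(mktemp)
trap 'rm -f "$HOSTS_ALLOW" "$RESOLV_CONF"' EXIT

cat >"$HOSTS_ALLOW" <<'EOF'
# constructed sample, modelled on the compromised host's file
ALL: .navipath.net
ALL: localhost.localdomain
ALL: localhost
ALL: .dialinx.net
sshd: 127.0.0.1
EOF

cat >"$RESOLV_CONF" <<'EOF'
nameserver 193.51.164.3
nameserver 207.126.96.162
EOF

# Print the client patterns of a hosts.allow file that tcpwrappers matches
# by hostname. Such a rule is only as trustworthy as the resolver: in the
# post the resolver said "localhost" does not exist, so 127.0.0.1 was
# refused, while any address the intruder's DNS mapped to that name would
# have been admitted. Plain addresses and the ALL wildcard are skipped.
name_based_rules() {
  sed -e 's/#.*//' "$1" | awk -F: 'NF >= 2 {
    n = split($2, c, "[ \t,]+")
    for (i = 1; i <= n; i++)
      if (c[i] != "" && c[i] != "ALL" && c[i] ~ /[A-Za-z]/) print c[i]
  }'
}

# Print nameserver entries of a resolv.conf that are not in the expected
# space-separated list passed as $2.
unexpected_nameservers() {
  awk -v ok=" $2 " '$1 == "nameserver" && index(ok, " " $2 " ") == 0 { print $2 }' "$1"
}

echo "hosts.allow entries decided by DNS rather than by address:"
name_based_rules "$HOSTS_ALLOW"
echo "resolv.conf nameservers outside the expected list:"
unexpected_nameservers "$RESOLV_CONF" "10.0.0.53"
```

Point the two functions at the real /etc/hosts.allow and /etc/resolv.conf to run the same check on a suspect host; on the box in the post the first list would contain every entry and the second both external servers.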

Topic revision: 08 Feb 2002, MarioStorti