Thursday, September 30, 2004

Linux Hacked A Long Time Ago

Warning - Super geeky entry
I was cleaning up files in the My Documents directory on my computer and I ran across this one. A while ago I used a computer with Linux installed as a gateway for my cable modem and home network. I have a few services running on it as well, most notably, FTP. The following text is from the log files from the time it was hacked from the outside.

[root@24-240-69-229 /root]# cat /var/log/messages.2 | grep -v apmd | grep -v "Oct 27" | grep -v "Oct 26" | grep -v "Oct 25" | grep -v "Oct 24"
Oct 22 04:02:02 24-240-69-229 syslogd 1.3-3: restart.
Oct 22 04:23:26 24-240-69-229 anacron[1587]: Updated timestamp for job `cron.wee
kly' to 2000-10-22
Oct 22 15:10:36 24-240-69-229 pumpd[280]: renewed lease for interface eth0
Oct 22 22:34:37 24-240-69-229 ftpd[9595]: lost connection to 202.9.161.215 [202.
9.161.215]
Oct 22 22:34:37 24-240-69-229 ftpd[9595]: FTP session closed
Oct 22 22:34:37 24-240-69-229 inetd[568]: pid 9595: exit status 255
Oct 23 03:03:24 24-240-69-229 pumpd[280]: renewed lease for interface eth0
Oct 23 04:02:01 24-240-69-229 anacron[10526]: Updated timestamp for job `cron.da
ily' to 2000-10-23
Oct 23 15:01:11 24-240-69-229 pumpd[280]: renewed lease for interface eth0
Oct 23 22:21:05 24-240-69-229 ftpd[13092]: ANONYMOUS FTP LOGIN FROM 64-32-198-60
.den1.phoenixdsl.net [64.32.198.60], ÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉ
+1¦1+¦F-Ç1+1¦Cë+A¦?-Çdk^1+1+ì^^AêF^Df¦ ^A¦'-Ç1+ì^^A¦=-Ç1+1¦ì^^HëC^B1+¦+1+ì^^H¦^L
-Ǧ+u=1+êF^Iì^^H¦=-Ǧ^N¦0¦+êF^D1+êF^Gëv^HëF^Lë=ìN^HìV^L¦^K-Ç1+1¦¦^A-ÇFÉ 0bin0s
h1..11
Oct 23 22:22:39 24-240-69-229 ftpd[13092]: FTP session closed
Oct 23 18:23:54 24-240-69-229 inetd[568]: pid 13095: exit status 1
Oct 23 22:28:05 24-240-69-229 ftpd[13097]: ANONYMOUS FTP LOGIN FROM 64-32-198-60
.den1.phoenixdsl.net [64.32.198.60], ÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉ
+1¦1+¦F-Ç1+1¦Cë+A¦?-Çdk^1+1+ì^^AêF^Df¦ ^A¦'-Ç1+ì^^A¦=-Ç1+1¦ì^^HëC^B1+¦+1+ì^^H¦^L
-Ǧ+u=1+êF^Iì^^H¦=-Ǧ^N¦0¦+êF^D1+êF^Gëv^HëF^Lë=ìN^HìV^L¦^K-Ç1+1¦¦^A-ÇFÉ 0bin0s
h1..11
Oct 23 18:30:57 24-240-69-229 adduser[13104]: new group: name=egg, gid=502
Oct 23 18:30:57 24-240-69-229 adduser[13104]: new user: name=egg, uid=502, gid=5
02, home=/dev/eggy, shell=/bin/bash
Oct 23 18:30:58 24-240-69-229 adduser[13105]: new group: name=eggr, gid=503
Oct 23 18:30:58 24-240-69-229 adduser[13105]: new user: name=eggr, uid=0, gid=50
3, home=/dev/eggr, shell=/bin/bash
Oct 23 18:31:23 24-240-69-229 PAM_pwdb[13106]: password for (egg/502) changed by
((null)/0)
Oct 23 18:31:36 24-240-69-229 PAM_pwdb[13107]: password for (eggr/0) changed by
((null)/0)
Oct 23 18:34:23 24-240-69-229 PAM_pwdb[13109]: (login) session opened for user e
gg by (uid=0)
Oct 23 18:37:34 24-240-69-229 ftpd[13131]: FTP LOGIN FROM 202.9.161.215 [202.9.1
61.215], egg
Oct 23 18:37:44 24-240-69-229 PAM_pwdb[13132]: (su) session opened for user eggr
by egg(uid=502)
Oct 23 18:40:36 24-240-69-229 ftpd[13151]: FTP LOGIN FROM 202.9.161.215 [202.9.1
61.215], egg
Oct 23 18:40:47 24-240-69-229 ftpd[13151]: FTP session closed
Oct 23 18:43:04 24-240-69-229 PAM_pwdb[13132]: (su) session closed for user eggr
Oct 23 18:44:47 24-240-69-229 PAM_pwdb[13159]: (su) session opened for user eggr
by egg(uid=502)
Oct 23 18:47:34 24-240-69-229 PAM_pwdb[13159]: (su) session closed for user eggr
Oct 23 18:47:40 24-240-69-229 PAM_pwdb[13109]: (login) session closed for user e
gg
Oct 23 18:47:40 24-240-69-229 inetd[568]: pid 13108: exit status 1
Oct 23 18:56:50 24-240-69-229 ftpd[13131]: User egg timed out after 900 seconds
at Mon Oct 23 18:56:50 2000
Oct 23 18:56:50 24-240-69-229 ftpd[13131]: FTP session closed
Oct 23 18:56:50 24-240-69-229 inetd[568]: pid 13131: exit status 1

[root@24-240-69-229 /root]# cat /var/log/secure.2
Oct 22 22:34:32 24-240-69-229 in.ftpd[9595]: connect from 202.9.161.215
Oct 23 18:21:04 24-240-69-229 in.ftpd[13092]: connect from 64.32.198.60
Oct 23 18:22:50 24-240-69-229 in.telnetd[13095]: connect from 64.30.5.226
Oct 23 18:28:04 24-240-69-229 in.ftpd[13097]: connect from 64.32.198.60
Oct 23 18:34:14 24-240-69-229 in.telnetd[13108]: connect from 64.30.5.226
Oct 23 18:34:23 24-240-69-229 login: LOGIN ON 0 BY egg FROM 64.30.5.226
Oct 23 18:37:28 24-240-69-229 in.ftpd[13131]: connect from 202.9.161.215
Oct 23 18:40:30 24-240-69-229 in.ftpd[13151]: connect from 202.9.161.215
Oct 24 18:32:07 24-240-69-229 in.telnetd[17534]: connect from 216.101.115.2
Oct 24 18:32:09 24-240-69-229 in.ftpd[17536]: connect from 216.101.115.2
Oct 27 17:29:40 24-240-69-229 in.telnetd[30209]: connect from 10.2.2.5

[root@24-240-69-229 /root]# cat /var/log/xferlog.2
Mon Oct 23 18:41:39 2000 7 202.9.161.215 16634 /dev/eggy/wipe b _ i r egg ftp 0
* c

[root@24-240-69-229 /root]# cat /dev/eggy/.bash_history
who
set
su eggr
ls -l
df -h
ftp
su eggr
exi
exit

[root@24-240-69-229 /root]# cat /dev/eggr/.bash_history
pico /etc/ftpaccess
emacs /etc/ftpaccess
emacs /etc/ftpaccess
ps
kill -9 13145
kill -9 13146
wget
lynx
exit
./wipe
chmod 775 wipe
./wipe
./wipe u egg
./wipe eggr
./wipe u eggr
./wipe w egg
./wipe w eggr
./wipe l egg
./wipe l eggr
exit

Basically, they exploited the FTP server with a buffer overflow, created a root account called eggr, logged in, checked to see how much disk space there was, tried to wipe the log files, and logged out. Obviously, the wipe didn't work.
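As an added example (not from the post), a small Python scanner that turns the signs visible in these logs into detection rules and runs them over constructed lines modelled on the excerpt: non-printable bytes in the FTP login ident field, a new account with uid 0 that is not root, a home directory hidden under /dev, and an su to such an account. The hostname "gw" and the final "alice" line are made up.

```python
import re

# Constructed sample lines modelled on the syslog excerpt in the post; hostname "gw" and
# the final "alice" line are made up, and the shellcode bytes are shortened to a few NOPs.
SAMPLE_LOG = [
    "Oct 22 15:10:36 gw pumpd[280]: renewed lease for interface eth0",
    "Oct 23 22:21:05 gw ftpd[13092]: ANONYMOUS FTP LOGIN FROM 64-32-198-60.den1.phoenixdsl.net "
    "[64.32.198.60], " + "\x90" * 20 + "1\xc01\xdb\x8dN\x08/bin/sh",
    "Oct 23 18:30:57 gw adduser[13104]: new user: name=egg, uid=502, gid=502, home=/dev/eggy, shell=/bin/bash",
    "Oct 23 18:30:58 gw adduser[13105]: new user: name=eggr, uid=0, gid=503, home=/dev/eggr, shell=/bin/bash",
    "Oct 23 18:37:34 gw ftpd[13131]: FTP LOGIN FROM 202.9.161.215 [202.9.161.215], egg",
    "Oct 23 18:37:44 gw PAM_pwdb[13132]: (su) session opened for user eggr by egg(uid=502)",
    "Oct 23 18:50:00 gw PAM_pwdb[13200]: (su) session opened for user root by alice(uid=500)",
]

FTP_LOGIN = re.compile(r"ftpd\[\d+\]: (?:ANONYMOUS )?FTP LOGIN FROM \S+ \[(?P<ip>[^\]]+)\], (?P<ident>.*)$")
NEW_USER = re.compile(r"adduser\[\d+\]: new user: name=(?P<name>[^,]+), uid=(?P<uid>\d+),.*home=(?P<home>[^,]+),")
SU_OPEN = re.compile(r"\(su\) session opened for user (?P<target>\S+) by (?P<actor>\S+)")

def is_suspicious_ident(ident: str) -> bool:
    """Shellcode in the FTP username/password field shows up as control or high bytes, or as a very long field."""
    return len(ident) > 64 or any(ord(c) < 0x20 or ord(c) > 0x7E for c in ident)

def scan(lines):
    alerts = []
    rogue_uid0 = set()  # accounts given uid 0 that are not 'root', learned from adduser lines
    for line in lines:
        m = FTP_LOGIN.search(line)
        if m and is_suspicious_ident(m.group("ident")):
            alerts.append(("ftp-shellcode", m.group("ip")))
            continue
        m = NEW_USER.search(line)
        if m:
            name, uid, home = m.group("name"), int(m.group("uid")), m.group("home")
            if uid == 0 and name != "root":
                rogue_uid0.add(name)
                alerts.append(("new-uid0-account", name))
            if home.startswith("/dev/"):  # a home directory under /dev, as in the post
                alerts.append(("home-under-dev", name))
            continue
        m = SU_OPEN.search(line)
        if m and m.group("target") in rogue_uid0:  # stateful: only accounts seen being created with uid 0
            alerts.append(("su-to-rogue-uid0", f"{m.group('actor')} -> {m.group('target')}"))
    return alerts

if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_LOG):
        print(kind, detail)
```

The su rule depends on having seen the adduser line first, so on a real host it should read the whole retention window rather than only the newest file.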

There is nobody to blame here but myself. The exploit was known; I just didn't have the latest patch installed on my Linux system. People bash Microsoft all the time, but Linux isn't so much more secure if left unpatched. Both Windows & Unix/Linux systems are fairly secure when they are fully patched; when the admins get lazy, the security problems start.
