[nylug-talk] Attack on Multicast Technologies Linux Computers (fwd)

Scott Howell showell at n3byy.yi.org
Tue Aug 1 05:39:53 EDT 2000 

I pass this along just as fyi.



Subject: RE: [nylug-talk] Attack on Multicast Technologies Linux Computers

------Original Message------
From: Thomas Marshall Eubanks <tme at 21rst-century.com>
To: nylug-talk at nylug.org, Al Adler <aadler at sourcecodecorp.com>, 
<!-- hide cc'd ;)
Marty S <marty at on-the-i.com>, Junkala <jim at imagedesignstudios.com>, Edward Antkowiak <edantkow at alum.mit.edu>, Norman at home <nspeciner at alum.mit.edu>, msc at maia.usno.navy.mil, Ken McCreery <danvcomp at ccnet.com>, tme at mct <tme at multicasttech.com>, novalug at tux.org, dclug at tux.org
-->

Sent: July 27, 2000 3:41:05 AM GMT
Subject: [nylug-talk] Attack on Multicast Technologies Linux Computers


Hello;

   Just  before 5:00 PM on Wednesday, July  26th, several of the VA Linux and Redhat Linux
machines belonging to Multicast Technologies were attacked, apparently from a machine in  the .lv
domain (Latvia), although the actual source is unknown. They used the Remote
Root exploit (http://www.redhat.com/support/errata/RHSA-2000-039-02.html) to overflow
a buffer in an anonymous ftp login. In all, four machines were attacked.
----

Common scenario likely taken by any script kiddiot (who is most likely the culprit) was to scan the subnet/24 for servers running bad stuff such as wu-ftp, etc. This could've been done with a slew of scanners such as SARA which will show which versions of what daemons are vulnerable to attack.

----
   The first noticed symptom of the attack was that telnet no longer worked. An examination of the
ftp logs revealed traces of the attack. We then took our network off the Internet and did a detailed examination
of the files and processes on the four systems. We found that the attackers had replace a number of system
files with different files, using a User name of 616 and a group name of users. We then
searched the hard disks for files with that ownership. We found that  the following files had been replaced :

/usr/bin/du
/usr/bin/find
/bin/ls
/bin/ps
/bin/login
/bin/netstat
/usr/sbin/infinger.d
/sbin/ifconfig
----

Seems like a typical backdoor and may be one written by lordSomer which doesn't seem to have a modified ls to actually hide the rooter's identity and chances are likely someone may have attacked from a machine that has been rooted as well. If they had any common sense.

----
We also found that user 606 had created a new "hidden" directory in /usr/src called .puta, with
the following files in it :

----

Well puta is spanish for whore so thee could be a chance the attacker is latin so you might want to also check your logs for anything coming in from a spanish country. eg.: mx, es.

----
/usr/src/.puta/t0rnparse
/usr/src/.puta/t0rnsauber
/usr/src/.puta/t0rnsniff

It seems fairly clear that the purpose of this attack was to install password sniffers and other malicious code on our machines.
It is doubtful if they attack was deliberately aimed to Multicast Technologies, but was probably instead
part of a larger scheme. As a guess, I would say that someone out there is planning a D-DOS attack.
----

Personally I wouldn't rule anything out in the spectrum of an attack on your company. It'd be hard to determine if it could be a disgruntled employee masquerading as a script kiddie to hide their actions, a competitor who paid a clueless kiddiot, etc. I wouldn't rule anything out.

----
This attack was fairly clumsy, and they did not cover their tracks well. Still, it
would probably be a good idea to check your Linux machines, especially those based on RedHat, for
/usr/src/.puta/t0rnparse
and the other bogus files.
----

On a personal note I've dealt with a lot of issues regarding backdoors, intrusions, etc and I've noticed at times files are renamed for a variety of reasons the obvious being avoidance in detection, so a search for "." && ".." would give you better results although a skilled attacker would have done a better job at hiding their tracks. For example I wrote a lame backdoor out of boredom when I was pissed at my Solaris machine which was a 3 part script that always keeps an account on reboot. So your definitely going to want to check your system thoroughly and a nice step would be to checksum a secure system's files with those of the machines that were "owned."

If you need help with some sort of scope on finding files, information I'd gladly correspond via e-mail with you on well known as well as underground methods on machines that were backdoored, rooted, etc.

As for the DDoS scope of this message, theres no way to determine by your e-mail if this was their intent. By rooting your 4 machines they could've been trying to simply gather as many accounts on networks for the purpose of warez trading, shell trading, attacks (rooting) other machines elsewhere.

killall -9 mytwocents

http://209.143.242.119/cgi-bin/search/search.cgi?searchvalue=rootkeep&type=archives [my sample Solaris backdoor]

J. Oquendo

______________________________________________
FREE Personalized Email at Mail.com
Sign up at http://www.mail.com/?sr=signup

More information about the Speakup mailing list