Posting to comp.os.linux.security relative to the /usr/bin/xntps crack [see CrackAttack]
From: W1LL1AM GAT35 (nHuAlTlE@blSackholeP.isAi.edMu.invalid)
Subject: Re: Has anyone seen this hack?
Newsgroups: comp.os.linux.security
Date: 2001-10-20 11:14:31 PST
Mike Handley said:
>pointed bash_history > /dev/null
A patched bash-2.03 can log what the intruder is doing.
http://project.honeynet.org/papers/honeynet/bash.patch
>Nslookups:
>They modified /etc/resolv.conf to include only
>nameserver 193.51.164.3 (dns01.iarc.fr)
>nameserver 207.126.96.162 (ns.above.net)
=======================
DNS spoofing mechanism:

  /etc/hosts               /etc/resolv.conf
  query                    set dns entry
  localhost                set localhost=a.b.c.d
  dialinx.net              set dialinx.net=a.b.c.d
  209.173.102.42---------->193.51.164.3<========a.b.c.d
  209.173.102.35           dns01.iarc.fr        intruder
  lightspeedtech.net       207.126.96.162          |
    ^    ^-----------------ns.above.net            |
    |                      a.b.c.d                 |
    |    query answer                              |
  /etc/hosts.allow:                                |
  localhost <--------------------------------------+
  dialinx.net   login admin lpd
  /etc/passwd
>Telneting to each just closed the connection.
Because 127.0.0.1 != localhost.
127.0.0.1 is not included in /etc/hosts.allow.
nslookup localhost
nslookup ???.dialinx.net
nslookup dialinx.net.dk? 193.51.164.3
nslookup ninja.dialinx.net? dns01.iarc.fr
nslookup konya.tsuki.dk? ns.above.net
... brute force other combinations
a.b.c.d: intruder's IP
---------->8---------->8---------->8---------->8---------->8----------
#!/bin/sh
##############################
#
# bflookup
#
# Brute force DNS look up
#
# *NO WARRANTEE*
# *NO GUARANTEE*
# W1LL1AM GAT35
#
##############################
# setting
Vbases='dialinx.net dk navipath.net'
Vlist='_SPACE_ ninja. tsunami. linux.
konya. wa. tsuki. ga. dete. imasu. ne.
bind. admin. lpd. WVSh5. APtAhDyFoziZw.
navipath.net. dialinx.net. dk.'
Vdns1='193.51.164.3'
Vdns2='207.126.96.162'
Vdns="$Vdns1 $Vdns2"
# count dot separated list
Fcount () {
    # $1 : dot separated list
    echo "$1" |
        sed 's/\./ /g' |
        wc -w |
        tr -d ' '      # some wc implementations pad the count with spaces
}
# start every run with an empty log
: > bflookup.log
for Vkey1 in $Vlist; do
    [ "$Vkey1" = _SPACE_ ] && Vkey1=''
    for Vkey2 in $Vlist; do
        [ "$Vkey2" = _SPACE_ ] && Vkey2=''
        for Vkey3 in $Vlist; do
            [ "$Vkey3" = _SPACE_ ] && Vkey3=''
            for Vbase in $Vbases; do
                Vurl="$Vkey1$Vkey2$Vkey3$Vbase"
                Vnum=$(Fcount "$Vurl")
                # skip names with fewer than 2 or more than 4 labels
                # (continue, not break, so the remaining bases are still tried)
                [ "$Vnum" -le 1 ] && continue
                [ "$Vnum" -gt 4 ] && continue
                for Vsrv in $Vdns; do
                    Cmd="nslookup $Vurl $Vsrv"
                    echo "$Cmd"
                    # append, so earlier answers are not overwritten
                    $Cmd 2>/dev/null >> bflookup.log
                    # sleep 1
                done
            done
        done
    done
done
---------->8---------->8---------->8---------->8---------->8----------
=========
Programs:
+-------+-----------------------+-----------------------+-------------------+
|daemon |sshd                   |sniffer                |ircd               |
+-------+-----------------------+-----------------------+-------------------+
|name   |/bin/term              |/sbin/klogd            |/RAND/mysqld       |
|       |/usr/sbin/init.d       |                       |                   |
+-------+-----------------------+-----------------------+-------------------+
|proc   |[bash]                 |klogd ?                |'ps aux' 40>logined|
+-------+-----------------------+-----------------------+-------------------+
|port   |9706                   |eth0                   |3879 ?             |
+-------+-----------------------+-----------------------+-------------------+
|start  |/etc/rc.d/rc.local     |/etc/rc.d/rc.local     |/etc/rc.d/rc.local |
|       |/etc/rc.d/rc.sysinit   |                       |                   |
+-------+-----------------------+-----------------------+-------------------+
|file   |                       |.log                   |                   |
+-------+-----------------------+-----------------------+-------------------+
|misc   |/usr/sbin/xntps -q     |user pass              |mIRC32 v5.7        |
|       |                       |ftp                    |K.Mardam-Bey       |
+-------+-----------------------+-----------------------+-------------------+
-------------------------
/random_exist_dir/mysqld:
(/usr/bin/share/mysqld same)
(/usr/share/mysql/mysqld same)
(/etc/rc.d/mysqld same)
function
Spoofs: %d.%d.%d.%d - %d.%d.%d.%d
attack tools ? Packeting(udp), Panning, Tsunami, Killing_pid
password ?
Konya wa tsuki ga dete imasu ne.
ninja
copies itself to /random_exist_dir/mysqld
writes (appends) to /etc/rc.d/rc.local
The intruder communicates via IRC.
I think this IRC doesn't encrypt its contents.
You can sniff it using tcpdump or another sniffer.
======
Files:
-------------------
/etc/rc.d/rc.local:
killall -9 rpc.statd
killall -9 gdm
killall -9 gpm
killall -9 lpd
Why kill them? To launch programs of the same name? Cheese worm?
/sbin/klogd
term (/bin/term)
"/usr/bin/share/mysqld"
"/usr/share/mysql/mysqld"
"/etc/rc.d/mysqld"
/random_exist_dir/mysqld ?
---------------------
/etc/rc.d/rc.sysinit:
/usr/sbin/init.d (same as /bin/term)
------------
/etc/passwd:
admin
lpd
-----------------
/etc/hosts.allow:
ALL: .navipath.net 216.67.0.0 - 216.67.127.255
ALL: localhost.localdomain -> /etc/resolv.conf
ALL: localhost -> /etc/resolv.conf
ALL: .dialinx.net doesn't exist? -> /etc/resolv.conf
ALL: .dk
Name: navipath.net
Name: www.navipath.net
Aliases: ftp.navipath.net
Address: 216.67.14.7
Name: solutionscripts.com
Address: 216.205.84.186
Name: webmin.com
Address: 216.136.171.204
dialinx.net N.A.
-----------------
/etc/resolv.conf:
193.51.164.3 dns01.iarc.fr
207.126.96.162 ns.above.net
nslookup localhost 193.51.164.3 # dns01.iarc.fr
nslookup localhost.localdomain 193.51.164.3 # dns01.iarc.fr
nslookup localhost 207.126.96.162 # ns.above.net
nslookup localhost.localdomain 207.126.96.162 # ns.above.net
*** dns01.iarc.fr can't find localhost: Non-existent host/domain
*** ns.above.net can't find localhost: Non-existent host/domain
=====
Misc:
strings /bin/ls
strings /usr/bin/find
strings /bin/ps
strings /bin/netstat
strings /usr/sbin/lsof
strings /usr/sbin/xntps
strings /usr/sbin/rpc.statd
strings /usr/bin/gdm
strings /usr/sbin/gpm
strings /usr/sbin/lpd
HTH,
W1LL1AM
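Two checks a defender would run on a box with the hosts.allow and resolv.conf entries described in the post above, added here as an example and not code from the original post or from Mario's page: flag TCP-wrappers rules that tcpd can only match after a name lookup (exactly the ones a hostile nameserver in resolv.conf can answer for), and list nameservers that are not the site's own. The file contents, the sshd rule and the 192.0.2.53 resolver are constructed values.

```python
import ipaddress
import re
# Constructed /etc/hosts.allow modelled on the entries listed in the post
# (216.67.0.0 - 216.67.127.255 written in net/mask form).
HOSTS_ALLOW = """\
ALL: .navipath.net 216.67.0.0/255.255.128.0
ALL: localhost.localdomain
ALL: localhost
ALL: .dialinx.net
ALL: .dk
sshd: 192.0.2.10
"""
# Constructed /etc/resolv.conf as the intruder left it, and the resolver
# the site really uses (constructed value).
RESOLV_CONF = "nameserver 193.51.164.3\nnameserver 207.126.96.162\n"
EXPECTED_NAMESERVERS = {"192.0.2.53"}

def is_address_pattern(tok):
    """True if tcpd matches this client token on the IP alone, no DNS needed."""
    if tok.endswith("."):                 # dotted prefix such as 216.67.
        return re.fullmatch(r"(\d{1,3}\.){1,3}", tok) is not None
    try:
        if "/" in tok:                    # net/mask form
            ipaddress.ip_network(tok, strict=False)
        else:
            ipaddress.ip_address(tok)
        return True
    except ValueError:
        return False

def dns_dependent_rules(text):
    """(daemon_list, client) pairs tcpd can only match after a name lookup, which
    a hostile nameserver can satisfy. ALL is a wildcard; EXCEPT is not handled."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, clients = [p.strip() for p in line.split(":")[:2]]
        for tok in clients.split():
            if tok != "ALL" and not is_address_pattern(tok):
                findings.append((daemons, tok))
    return findings

def unexpected_nameservers(text, expected):
    """Nameservers in resolv.conf that are not on the site's own list."""
    found = {l.split()[1] for l in text.splitlines()
             if l.startswith("nameserver") and len(l.split()) > 1}
    return found - set(expected)
```

Every name-based rule it reports is one that stops meaning anything once resolv.conf points at a server the intruder controls; rewriting those rules as addresses (or netting them off entirely) removes the lever.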
--
MarioStorti - 08 Feb 2002