Full Disclosure mailing list archives

Severe exploit found, all UNIX are affected!
From: "Billy B. Bilano" <mr.bill.bilano () email server unix bill bilano biz>
Date: Thu, 16 Sep 2004 14:54:39 -0500

Dudes,

Bad news today. Oh my goodness! I am in a tizzy-fit over this! I am such an expert at system administrating but even the best of us fall from glory now and then. And let me tell you, this is one time I believe somebody got the best of me... and that somebody is a fellow named Charles!

It all started when my big OpenBSD box took a dumper and I got paged. So I get into the bank and start to look around and I poke and prod the box and then I log into it and run the appropriate debug tools (ls, ps, top, cut, etc. -- pun not intended). I notice, at long last, that the console messages were not lying... the hard drive was indeed full! (you can never be too sure about that sort of thing as everybody will agree)

The offending file was the previous administrator (Stan, who got fired when I became IT director because he was a puss and always joked about beer and had a picture of some baby looking at teats saying "lunch" on his cube wall -- that offended me as a larger man). So his old administrator account has a huge mail spoolball that is taking up 80% of the drive! Holy crappers! So I logged in as "stan" and used his password he gave me in exchange for his severance package. I typed "mail" hoping to see if this would let me view his mail and it did -- thank god! What I saw scared the holy mole dickens out of me...

Thousands of emails! As I started reading them, I realized the full extent of what is, without a doubt, going to become known as the biggest and most notorious hack in the history of the Internet!

Northcutt better take out that section about the Mitnik attack in that terrible book he is always rehashing with only a spit-shine and fancy new cover because here comes something leaner and meaner! (I have re-bought that nut's book eight times and it is always the same old cruft over and over but there won't be a ninth purchase, you bet your pink pajamas!) Someone needs to tell him that SANS is not the MANS! LOL!

This is BIG, folks! The mails... there were big ones and small ones and they all had one thing in common: they were from a person who would soon be determined to be a master hacker who has obviously infiltrated the bank's system long ago, before I even canned Stan (he was such a chump and always lost his wallet because he wore those baggy hacker pants).

It seems that this black head hacker, named Charlie Root, has been busy alright... Every night, like clockwork, he sends me a few emails that contain the most intimate of details about the server! Drive space, logins, users I've created and removed, and more! I think he is trying to extort money from the bank!

I was scared to hell to raise any red alarms at the bank so I started to look around and I believe I found out who this Charlie Root person really is:

http://www.baseballlibrary.com/baseballlibrary/ballplayers/R/Root_Charlie.stm

It seems that old Chinski used to play baseball for the Brown Cubs back in his youth. Clearly, from reading about his shoddy career, he was washed up as his stats are terrible by modern standards and he retired from the game in 1970! Now, as is abundantly clear, he has reached a desperate point in his life and is now devoting his time to taking over the world's infrastructure and trying to do phishy things and extort money from gallant administrators like myself.

I looked into the front directory on my server and saw a folder called "root"! OMGF! I dove into his folder and saw all kinds of hacker files (like some thinger called ".bash_history" which seems to contain a list of commands he uses to take over the system, and ".forward" which contains Stan's email address). There were also tarballers for other things that look like old log backups! Incredible! I tried to delete some of these trojan files but it said I could not! I did some more looking around and found another startling fact: Charlie Root has changed my shell! It is not sh like it should be, it has been set to "stsh" which is certainly some kind of backdoor hacker tool to capture my strokes!

Normally I would just reboot the server but this time, since I was at lunch, I decided to play around with my EMACKS script on my new Sun 6800's and, by chance, I saw that almost every file on the system was already owned by the "root" fellow! He has the guile to call himself "Super-User!" when I fingered (LOL) his account! We have only had these systems for a little over a month and this Charlie Root has already taken over every UNIX server in the bank!

This may be the end of our company if I cannot get this hacker out of our systems and expunge the network of this wretched "root" Chinski thing. I will not bow to his extortion attempts!

Someone please tell me what I should do next!

P.S. My bloglog has more background info and stuff about Chinski's involvement in Y2000K... <http://www.bilano.biz/>

--
Mr. Billy B. Bilano, MSCE, CCNA
<http://www.bilano.biz/>
Expert Sysadmin Since 2003!
'C:\WINDOWS, C:\WINDOWS\GO, C:\PC\CRAWL'  -- RMS

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
