Security Incidents mailing list archives
Intrusion, WuFTP exploit?
From: dknaack () RDTECH COM (David Knaack)
Date: Fri, 7 Jul 2000 19:31:45 -0500
Early morning, July 5th, a box was attacked and the (apparently really pathetic and stupid) hacker gained root access to the system. Access was obtained with what appears to have been slam.sh, a PAM exploit. Two accounts are created, x (uid=0) and donx. The kiddie logs in and apparently FTPs some files down:

Jul 5 03:57:53 genesis identd[2794]: Connection from rdu25-11-016.nc.rr.com
Jul 5 03:57:57 genesis named[410]: Lame server on '16.11.25.24.in-addr.arpa' (in '11.25.24.in-addr.arpa'?): [24.128.1.80].53 'NS1.MEDIAONE.NET'
Jul 5 03:57:57 genesis identd[2794]: from: 24.25.11.16 rdu25-11-016.nc.rr.com ) for: 1084, 21
Jul 5 03:58:30 genesis PAM_pwdb[2797]: (su) session opened for user x by donx(uid=508)

'don' kindly left his .bash_history intact. He ran a program called 'zip' (IIRC) with parameters 'don' and 'hell.com'. I'm not sure what the app does, but if he left it lying around I plan on checking.

It is amusing to note that 'don' has made repeated attempts to telnet into the box, from the same IP from which he rooted the box (208.191.202.76)!

dk
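The two artifacts the post relies on, a second uid-0 account in /etc/passwd and a PAM su line showing an unprivileged account switching into it, are easy to check for mechanically. The following is an added example written for this archive page, not code from the original post or from any tool it mentions; the passwd entries and syslog lines it scans are constructed to echo the names in the post (genesis, x, donx) plus an ordinary administrator account "ops" for contrast, and the triage() function and its field names are this example's own.

```python
"""Triage checks for the intrusion pattern described above: a uid-0 account
other than root, and su sessions whose target resolves to uid 0.
Added example, not part of the original post; all input is constructed."""
import re
from typing import Dict, List

# Constructed /etc/passwd excerpt. 'x' and 'donx' mirror the accounts the post
# describes; 'ops' is a made-up ordinary administrator for contrast.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
ops:x:500:500:Operations:/home/ops:/bin/bash
x:x:0:0::/:/bin/bash
donx:x:508:508::/home/donx:/bin/bash
"""

# Constructed syslog excerpt in the PAM_pwdb/identd format quoted in the post.
# Only the 'donx -> x' line is modelled on the post; the rest are filler.
SYSLOG = """\
Jul  5 03:57:53 genesis identd[2794]: Connection from rdu25-11-016.nc.rr.com
Jul  5 03:57:57 genesis identd[2794]: from: 24.25.11.16 rdu25-11-016.nc.rr.com ) for: 1084, 21
Jul  5 03:58:30 genesis PAM_pwdb[2797]: (su) session opened for user x by donx(uid=508)
Jul  5 04:10:02 genesis PAM_pwdb[2810]: (su) session opened for user root by ops(uid=500)
Jul  5 04:12:44 genesis PAM_pwdb[2811]: (login) session opened for user donx by (uid=0)
"""

# Matches "(su) session opened for user TARGET by ACTOR(uid=N)"; the actor may
# be empty on some PAM lines, so it is allowed to be zero characters wide.
SU_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) PAM_\w+\[\d+\]: "
    r"\(su\) session opened for user (?P<target>\S+) by (?P<actor>[^(]*)\(uid=(?P<uid>\d+)\)$"
)


def parse_passwd(text: str) -> Dict[str, int]:
    """Map account name -> numeric uid from passwd-format text."""
    users: Dict[str, int] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed entry; skip rather than crash mid-triage
        users[fields[0]] = int(fields[2])
    return users


def rogue_root_accounts(users: Dict[str, int]) -> List[str]:
    """Every uid-0 account other than root is a finding."""
    return sorted(name for name, uid in users.items() if uid == 0 and name != "root")


def su_to_root(text: str, users: Dict[str, int]) -> List[dict]:
    """Return su sessions whose target account resolves to uid 0.

    Resolving through the passwd map is what catches 'su x': a naive grep
    for 'user root' would miss the alias account entirely."""
    hits = []
    for line in text.splitlines():
        m = SU_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        if users.get(target) == 0:
            hits.append({
                "ts": m.group("ts"),
                "actor": m.group("actor").strip(),
                "actor_uid": int(m.group("uid")),
                "target": target,
                "target_is_alias": target != "root",
            })
    return hits


def triage(passwd_text: str, syslog_text: str) -> dict:
    """Run both checks and return the findings as plain data."""
    users = parse_passwd(passwd_text)
    return {
        "rogue_root_accounts": rogue_root_accounts(users),
        "su_to_root": su_to_root(syslog_text, users),
    }


if __name__ == "__main__":
    report = triage(PASSWD, SYSLOG)
    for name in report["rogue_root_accounts"]:
        print(f"uid-0 account other than root: {name}")
    for h in report["su_to_root"]:
        flag = " (root alias)" if h["target_is_alias"] else ""
        print(f"{h['ts']} su {h['actor']}(uid={h['actor_uid']}) -> {h['target']}{flag}")
```

On a compromised host the passwd file and syslog themselves may have been edited, so run this against copies taken from a read-only mount or a backup as well as the live files, and treat any disagreement between the two as a finding in its own right.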