On Wed, 27 Apr 2005, Daniel Kirsten wrote:
Hallo,
there are numerous brute force ssh attacks on the web. I was quite curious, and for fun, I created the typical user accounts and set easy-to-guess passwords....
Yesterday, such an ssh login was successful for users kevin and daikanyama. The hackers changed the passwords for both logins. They installed a certain program "undernet" as daikanyama and started a program called mech.
After some minutes, I removed the network cable, killed all the processes of the users and disabled these users.
Then, I figured out that some programs such as grep did not work. I rebooted the machine, but during the reboot I got various "segmentation faults", "illegal instructions", ....
I booted from an FC3 rescue CD, and I found out that various executables in /bin and /usr/bin were manipulated (grep, egrep, gzip, rpm, mount, ...). I replaced these manipulated executables with original files, but I forgot to replace gtbl.
Then, the machine booted correctly. Later, when gtbl was called, some executables in /bin and /usr/bin were manipulated. It seems to be some virus: when you start a manipulated executable, it manipulates other executables.
I managed to replace all manipulated files and the machine seems to work correctly.
My question is: They did not guess the root password, how did they manipulate files which are only writable by root???
Close examination of the rootkit they installed should be able to determine the attack vector used to gain root privileges.
Is anyone interested in log files or in the programs which the hackers installed under daikanyama?
Best regards, Daniel
--
--------------------------------------------------------------------------
Joel Jaeggli    Unix Consulting    joelja@xxxxxxxxxxxxxxxxxxxx
GPG Key Fingerprint: 5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2
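As an added example (not code from this thread), a small offline integrity checker of the kind you would run from the rescue CD in the situation above: build a manifest of /bin and /usr/bin from a known-clean install, then diff the suspect disk against it to list every modified, added or missing executable. Since rpm itself was among the replaced binaries, the compromised host's own package database cannot be trusted for this; the mount points, manifest format and sample paths are assumptions.

```python
#!/usr/bin/env python3
"""Offline integrity check for system binaries, run from trusted rescue media.

Hypothetical helper for the incident above: fingerprint /bin and /usr/bin on a
clean install, then compare the suspect filesystem (mounted read-only) against it.
"""
import hashlib
import json
import stat
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """SHA-256 of the contents plus permission bits and size (a new setuid bit shows up too)."""
    st = path.lstat()
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": oct(stat.S_IMODE(st.st_mode)), "size": st.st_size}


def build_manifest(root: Path, dirs=("bin", "usr/bin")) -> dict:
    """Map relative path -> fingerprint for every regular file under the given dirs of root."""
    manifest = {}
    for d in dirs:
        base = root / d
        if not base.is_dir():
            continue
        for p in sorted(base.rglob("*")):
            if not p.is_symlink() and p.is_file():
                manifest[str(p.relative_to(root))] = fingerprint(p)
    return manifest


def compare(baseline: dict, current: dict) -> dict:
    """Files whose hash/mode/size changed (trojaned), files added (dropped tools), files missing."""
    modified = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    added = sorted(k for k in current if k not in baseline)
    missing = sorted(k for k in baseline if k not in current)
    return {"modified": modified, "added": added, "missing": missing}


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3 and sys.argv[1] == "--build":   # integrity.py --build /mnt/clean > baseline.json
        print(json.dumps(build_manifest(Path(sys.argv[2])), indent=1))
    elif len(sys.argv) == 3:                               # integrity.py baseline.json /mnt/suspect
        baseline = json.loads(Path(sys.argv[1]).read_text())
        print(json.dumps(compare(baseline, build_manifest(Path(sys.argv[2]))), indent=1))
```

Anything listed under "modified" should be restored from original media and the corresponding binaries re-checked after a reboot, since the post describes one leftover trojaned binary (gtbl) re-infecting others.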