Hack

Martin Mačok martin.macok at underground.cz
Sunday January 14 13:35:31 CET 2001


On Sun, Jan 14, 2001 at 11:45:48AM +0100, Vladimir Rengevic wrote:
> I have a small problem - my server got hacked right under my hands (luckily
> it was a fresh experimental install, so I'll only waste time reinstalling,
> nothing else).
> 
> I'd just like to ask, for the future, whether there is already a defence
> against this. It runs named 8.2.2-P5 (well, after this experience it will be
> the newest one I can find).

According to all the publicly available information I have:
securityfocus.com - the BUGTRAQ and VULN-DEV lists
http://www.isc.org/products/BIND/bind-security.html
http://www.redhat.com/support/errata/rh7-errata-security.html

... 8.2.2-P5 has only 2 denial of service bugs, but no remote root shell
(via an overflow or a format string bug ...). These 2 DoS bugs were fixed
in -P7.

Didn't he get in through something else? (LPRng?) It's possible that the
hacker has an exploit for a still-unknown bug in bind. Report it to
INCIDENTS at SECURITYFOCUS.COM (or to VULN-DEV at SECURITYFOCUS.COM).

> It happened like this - a classic stack overflow (or buffer overflow?),
> simply overfilling the input line - X attempts:
> 
> Jan 14 09:51:07 ns SERVER[1065]: Dispatch_input: bad request line
> 'BBðBB¿BB¿BB¿óBB¿
> XXXXXXXXXXXXXXXXXX000000000000000000000000000000000000000000000
> 0000000000000000000000000000000000000000000000000000000000000000000000000000
> 00
> 0000000000000000000000000000000000000000000000000004800001347270610000000000
> 000000000000000000000000000000000000000000000000000000000000000000000000
> 000000000000000000000000000000000000000000000000000000000000000000000000
> 00000000000000000000000000000000000000000000000000000000000000000000000000
> 0000000000000000135022648000000000000000000000000000000000000000000000000
> 0000000000000000000000000000000000000000000000000000000000000000000000000
> 00000000000000000000000000000000000000000000000000000000000003221224720
> 
> 
> 
> 
> 1Û1É1À°FÍ??å1Ò²f?Ð1É?ËC?]øC?]ôK?Mü«M
> ôÍ?1É?EôCf?]fÇEî^O'Mð«EEøÆEü^P?ЫMôÍ??ÐCCÍ??
> 
> Jan 14 09:51:07 ns SERVER[1066]: Dispatch_input: bad request line
> 'BB^HüB¿^IüB¿'
> 
> 
> 
> and then (again X times, until he succeeded):
> 
> Jan 14 09:51:12 ns SERVER[1100]: Dispatch_input: bad request
> line 'BBðûB¿ûB¿ûB¿óûB¿XXXXXXXXXXXXXXXXXX000000000000000000000
> 00000000000000000000000000000000000000000000000000000000000000000000000000
> 00000000000000000000000000000000000000000000000000000000000000000000000000
> 0000048security.00000000000000000000000000000000000000000000000000000000000
> 000000000000000000000000000000000000000000000000000000000000000000000000000
> 0000000000000000000000000000000000000000000000000134727061
> 
> 
> 
> 
> 1Û1É1À°FÍ??å1Ò²f?Ð1É?ËC?]øC?]ôK?Mü«
> MôÍ?1É?EôCf?]fÇEî^O'Mð«EEøÆEü^P?ЫMôÍ??ÐCCÍ??ÐCÍ??Ã1ɲ??ÐÍ??
> ÐAÍ?ë^X^?u^H1ÀˆF^G?E^L°^K?ó«M^H«U^LÍ?èãBBB/bin/sh'
> 
> (the lines are wrapped)
> 
> and finally he installed:
> 
> Jan 14 09:59:58 ns crontab[1710]: (root) LIST (root)
> 
> Jan 14 09:59:58 ns crontab[1711]: (root) REPLACE (root)
> 
> Jan 14 10:00:00 ns CROND[1715]: (root) CMD ( /sbin/rmmod -as)
> 
> Jan 14 10:00:00 ns CROND[1716]: (root) CMD (/tmp/install.sh >/dev/null
> 2>/dev/null)
> 
> Jan 14 10:00:00 ns crontab[1718]: (root) LIST (root)
> 
> Jan 14 10:00:00 ns crontab[1720]: (root) REPLACE (root)
> 
> Jan 14 10:01:00 ns crond[778]: (root) RELOAD (cron/root)
> 
> Jan 14 10:01:00 ns CROND[1725]: (root) CMD (run-parts /etc/cron.hourly)
> 
> 
> Well, he simply added these lines to the crontab:
> # sysstat
> 
> 0 * * * 0,6 /usr/lib/sa/sa1 600 6 &
> 
> 5 19 * * * /usr/lib/sa/sa2 -A &
> 
> I didn't find out more, but I'm going to reinstall it anyway :-(

Didn't he leave some source code behind somewhere? Do you have the IP he
came from logged??? Contact the administrators there; most likely they
have been hacked too, and the source code of the exploit may be sitting
on their server!

(by the way - sometime within the next 14 days we will launch a security
mailing list at underground.cz; we have everything ready and are testing
it for production use)

> I'd just be interested in an opinion on security from more experienced
> people. This happened to me for the first time; I've had the leased line
> for about 2 weeks, and the main company server was on it for about 5 days
> (lucky that nobody has noticed it so far)

Nice start, isn't it? ;-)

> and this test one was there for about 3 hours.

It's quite unusual that they hacked it so fast. In any case it's not wise
to put a machine on the network right after installation, before securing it.

> Otherwise it's RedHat 7.0 as installed from the CD. I didn't manage to
> do the updates :-(.

bye

-- 
   Martin Mačok
  underground.cz
    openbsd.cz
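An added example (an editor's illustration, not part of the mail and not code from anyone in the thread): a small Python log scanner that flags, from the defender's side, the two patterns visible in the syslog excerpts quoted above: padded `Dispatch_input: bad request line` entries, and a root crontab REPLACE followed by a cron job executing out of /tmp. The sample lines are constructed to mirror the shape of the quoted entries (the request-line payloads are filler only, not the bytes from the real log), and the thresholds (200 bytes, 32-character runs, 5 % non-printable, a 5-minute window) and function names are assumptions chosen for the example.

```python
import re
from datetime import datetime, timedelta

# Syslog line as written by a classic syslogd: "Mon DD HH:MM:SS host prog[pid]: msg"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
BAD_REQ_RE = re.compile(r"Dispatch_input: bad request line '(?P<payload>.*)$")
CRON_REPLACE_RE = re.compile(r"^\((?P<user>[^)]+)\) REPLACE \((?P<target>[^)]+)\)$")
CRON_CMD_RE = re.compile(r"^\((?P<user>[^)]+)\) CMD \((?P<cmd>.*)\)$")
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")   # world-writable places a cron job should not run from

# Constructed sample lines shaped like the excerpts quoted in the mail; the
# request-line payloads are padding only, not the bytes from the real log.
SAMPLE_LINES = [
    "Jan 14 09:51:07 ns SERVER[1065]: Dispatch_input: bad request line '"
    + "BB\xf0BB\xbf" + "X" * 18 + "0" * 300 + "'",
    "Jan 14 09:51:07 ns SERVER[1066]: Dispatch_input: bad request line 'BB\x08\xfcB\xbf\x09\xfcB\xbf'",
    "Jan 14 09:51:12 ns SERVER[1100]: Dispatch_input: bad request line '"
    + "X" * 18 + "0" * 300 + "BBB/bin/sh'",
    "Jan 14 09:59:58 ns crontab[1710]: (root) LIST (root)",
    "Jan 14 09:59:58 ns crontab[1711]: (root) REPLACE (root)",
    "Jan 14 10:00:00 ns CROND[1715]: (root) CMD ( /sbin/rmmod -as)",
    "Jan 14 10:00:00 ns CROND[1716]: (root) CMD (/tmp/install.sh >/dev/null 2>/dev/null)",
    "Jan 14 10:01:00 ns CROND[1725]: (root) CMD (run-parts /etc/cron.hourly)",
]


def parse_syslog(line):
    """Split one syslog line into its fields; returns None for lines that do not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
    return rec


def request_line_indicators(payload):
    """Cheap heuristics for an overflow-style request line; returns the names that hit."""
    hits = []
    if len(payload) > 200:
        hits.append("long")
    if re.search(r"(.)\1{31,}", payload):      # a run of 32+ identical characters: filler
        hits.append("padding")
    if re.search(r"/bin/(ba)?sh", payload):    # a shell path embedded in a request line
        hits.append("shell")
    nonprint = sum(1 for c in payload if ord(c) < 32 or ord(c) > 126)
    if payload and nonprint / len(payload) > 0.05:
        hits.append("nonprintable")
    return hits


def suspicious_request_lines(lines):
    """Return (timestamp, pid, indicators) for bad-request entries worth a look."""
    findings = []
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            continue
        m = BAD_REQ_RE.search(rec["msg"])
        if m is None:
            continue
        hits = request_line_indicators(m.group("payload").rstrip("'"))
        # a shell path alone is enough; otherwise require two independent signs
        if "shell" in hits or len(hits) >= 2:
            findings.append((rec["ts"], rec["pid"], hits))
    return findings


def cron_persistence_events(lines, window=timedelta(minutes=5)):
    """Flag crontab replacement and cron jobs that execute out of a world-writable dir."""
    replaced = {}    # user -> time of the last REPLACE seen for that user's crontab
    findings = []
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            continue
        prog = rec["prog"].lower()
        if prog == "crontab":
            m = CRON_REPLACE_RE.match(rec["msg"])
            if m:
                replaced[m.group("target")] = rec["time"]
                findings.append({"kind": "crontab_replaced", "ts": rec["ts"],
                                 "user": m.group("target")})
        elif prog == "crond":
            m = CRON_CMD_RE.match(rec["msg"])
            if m is None:
                continue
            user, cmd = m.group("user"), m.group("cmd").strip()
            if any(d in cmd for d in TEMP_DIRS):
                last = replaced.get(user)
                recent = last is not None and timedelta(0) <= rec["time"] - last <= window
                findings.append({"kind": "cron_cmd_from_tmp", "ts": rec["ts"],
                                 "user": user, "cmd": cmd, "after_replace": recent})
    return findings


if __name__ == "__main__":
    for f in suspicious_request_lines(SAMPLE_LINES):
        print("request:", f)
    for f in cron_persistence_events(SAMPLE_LINES):
        print("cron:", f)
```

On the sample input the scanner reports the two long padded request lines (pids 1065 and 1100, the latter also carrying a shell path) and skips the short garbage line, which trips only the non-printable check; on the cron side it reports the root crontab REPLACE and the /tmp/install.sh job that ran two seconds later, while the rmmod and run-parts entries pass. Requiring two independent indicators for request lines keeps ordinary malformed requests out of the report; the crontab REPLACE is reported on its own because a root crontab rewrite on a server nobody is administering is worth a look regardless of what follows.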

