So here is my first try to respond at one of the challenge, i hope i my guess is right! However it was fun !!
Tools used: ethereal - tcpdump - gcc - hexdump - man :)
Following the TCP streams of his telnet/ftp first attempts permits me to have the following conclusion.
The exploit:
Ok, now that i know which vulnerability he used, i tried to see ( just for fun ) if he has re-invented the wheel or if he used a known exploit.
So i decided to search for a discreminated string ( "mmmmnnn" looks good to me) in my internal exploits database:
7530wu-v5.tar.gz from teso was the result. So it seems that the hacker used this exploit which can be found at the following location. http://teso.scene.at/releases/7350wu-v5.tar.gz
With ethereal i can see attempts of connections:
Some info about scanning activity can be found at dshield site:
about 207.35.251.172 Saying that this host
has been referenced in their database of scanning host.
Whois results for 207.35.251.172
Whois results for 217.156.93.166
[quentin@localhost tmp]$ tcpdump -r slog2.log udp port 514 -w syslog [quentin@localhost tmp]$ testu -f syslog [quentin@localhost tmp]$ cat tutu0 | grep 174
[ I remove telnet commands here ] <174>-sh: HISTORY: PID=9382 UID=0 w <174>-sh: HISTORY: PID=9382 UID=0 whoami <174>-sh: HISTORY: PID=9382 UID=0 cd /dev/rd/sdc0 <174>-sh: HISTORY: PID=9382 UID=0 ls <174>-sh: HISTORY: PID=9382 UID=0 rm Zer0.tar.gz <174>-sh: HISTORY: PID=9382 UID=0 ls <174>-sh: HISTORY: PID=9382 UID=0 alias ls='ls --color' <174>-sh: HISTORY: PID=9382 UID=0 ls <174>-sh: HISTORY: PID=9382 UID=0 ls <174>-sh: HISTORY: PID=9382 UID=0 passwd nobody <174>-sh: HISTORY: PID=9382 UID=0 ping www.yahoo.com <174>-sh: HISTORY: PID=9382 UID=0 pico /etc/rc.d/rc3.d/S50inet <174>-sh: HISTORY: PID=9382 UID=0 ls <174>-sh: HISTORY: PID=9382 UID=0 mv copy.tar.gz /usr/X11R6/bin/.,/copy/ <174>-sh: HISTORY: PID=9382 UID=0 cd /usr/X11R6/bin/.,/copy/ <174>-sh: HISTORY: PID=9382 UID=0 mv copy.tar.gz ../ <174>-sh: HISTORY: PID=9382 UID=0 ls <174>-sh: HISTORY: PID=9382 UID=0 cd .. <174>-sh: HISTORY: PID=9382 UID=0 tar zxvf copy.tar.gz <174>-sh: HISTORY: PID=9382 UID=0 chmod 7777 * <174>-sh: HISTORY: PID=9382 UID=0 ls <174>-sh: HISTORY: PID=9382 UID=0 rm copy.tar.gz <174>-sh: HISTORY: PID=9382 UID=0 cd copy <174>-sh: HISTORY: PID=9382 UID=0 chmod 7777 * <174>-sh: HISTORY: PID=9382 UID=0 ls <174>-sh: HISTORY: PID=9440 UID=0 uname -r <174>-sh: HISTORY: PID=9440 UID=0 pstree