How does that syscall trace show up in klog?
On Fri, 8 Aug 2003, Gushterul wrote:

> You can ignore this kilometre-long message :) If you do read it, at least read it all :))
>
> Gushterul
>
> Take one script kiddie (a "parrot") who tried to root a server. Without success. But without realising it, his bnc ended up on port 80....
> He just started it and that's it.
>
> Aug 2 13:00:02 web2 kernel: [execve] /bin/sh -c pwd [pid 21688] [ppid 12778 *] [uid 398] [euid 398]
> Aug 2 13:00:02 web2 kernel: [open] [pid 21688 sh] /dev/tty [RW 34818 ] No such device or address
> Aug 2 13:00:02 web2 kernel: [exit] [code 0] [pid 21688 sh]
> Aug 2 13:00:02 web2 kernel: [open] [pid 12778 *] /tmp [RO 100352 ] Ok
> Aug 2 13:00:02 web2 kernel: [execve] /bin/sh -c gcc think.c -o think [pid 21689] [ppid 12778 *] [uid 398] [euid 398]
> Aug 2 13:00:02 web2 kernel: [open] [pid 21689 sh] /dev/tty [RW 34818 ] No such device or address
> Aug 2 13:00:02 web2 kernel: [execve] /usr/bin/gcc think.c -o think [pid 21689] [ppid 12778 *] [uid 398] [euid 398]
> Aug 2 13:00:02 web2 kernel: [open] [pid 21689 sh] /tmp/ccX7qElF.i [RW 194 ] Ok
> Aug 2 13:00:02 web2 kernel: [execve] /usr/lib/gcc-lib/i386-redhat-linux/2.96/cpp0 -lang-c -D__GNUC__=2 -D__GNUC_MINOR__=96 -D__GNUC_PATCHLEVEL__=0 -D__ELF__ -Dunix -Dlinux -D__ELF__ -D__unix__ -D__linux__ -D__unix -D__linux -Asystem(posix) -D__NO_INLINE__ -Acpu(i386) -Amachine(i386) -Di386 -D__i386 -D__i386__ -D__tune_i386__ think.c /tmp/ccX7qElF.i [pid 21690] [ppid 21689 sh] [uid 398] [euid 398]
> Aug 2 13:00:02 web2 kernel: [open] [pid 21690 lib/i386-redhat-linux/2.96/cpp0] /tmp/ccX7qElF.i [WO 577 ] Ok
> Aug 2 13:00:02 web2 kernel: [open] [pid 21690 lib/i386-redhat-linux/2.96/cpp0] think.c [RO 256 ] Ok
> Aug 2 13:00:02 web2 kernel: [open] [pid 21690 lib/i386-redhat-linux/2.96/cpp0] /usr/local/include/stdio.h [RO 256 ] No such file or directory
> Aug 2 13:00:02 web2 kernel: [open] [pid 21690 lib/i386-redhat-linux/2.96/cpp0] /usr/lib/gcc-lib/i386-redhat-linux/2.96/include/stdio.h [RO 256 ] No such file or directory
> Aug 2 13:00:02 web2 kernel: lib/i386-redhat-linux/2.96/cpp0] /usr/include/bits/stdio_lim.h [RO 256 ] Ok
>
> [blabla, a lot of crap from the compilation....]
>
> Aug 2 13:00:08 web2 kernel: [execve] /bin/sh -c pwd [pid 21697] [ppid 12839 *] [uid 398] [euid 398]
> Aug 2 13:00:08 web2 kernel: [open] [pid 21697 sh] /dev/tty [RW 34818 ] No such device or address
> Aug 2 13:00:08 web2 kernel: [exit] [code 0] [pid 21697 sh]
> Aug 2 13:00:08 web2 kernel: [open] [pid 12839 *] /tmp [RO 100352 ] Ok
> Aug 2 13:00:08 web2 kernel: [execve] /bin/sh -c ls -l think [pid 21698] [ppid 12839 *] [uid 398] [euid 398]
> Aug 2 13:00:08 web2 kernel: [open] [pid 21698 sh] /dev/tty [RW 34818 ] No such device or address
> Aug 2 13:00:08 web2 kernel: [execve] /bin/ls -l think [pid 21698] [ppid 12839 *] [uid 398] [euid 398]
> Aug 2 13:00:08 web2 kernel: [exit] [code 0] [pid 21698 sh]
> Aug 2 13:00:15 web2 kernel: [execve] /bin/sh -c pwd [pid 21700] [ppid 21060 *] [uid 398] [euid 398]
> Aug 2 13:00:15 web2 kernel: [open] [pid 21700 sh] /dev/tty [RW 34818 ] No such device or address
> Aug 2 13:00:15 web2 kernel: [exit] [code 0] [pid 21700 sh]
> Aug 2 13:00:15 web2 kernel: [open] [pid 21060 *] /tmp [RO 100352 ] Ok
> Aug 2 13:00:15 web2 kernel: [execve] /bin/sh -c chmod 700 think [pid 21701] [ppid 21060 *] [uid 398] [euid 398]
> Aug 2 13:00:15 web2 kernel: [open] [pid 21701 sh] /dev/tty [RW 34818 ] No such device or address
> Aug 2 13:00:15 web2 kernel: [execve] /bin/chmod 700 think [pid 21701] [ppid 21060 *] [uid 398] [euid 398]
> Aug 2 13:00:15 web2 kernel: [exit] [code 0] [pid 21701 sh]
> Aug 2 13:00:19 web2 kernel: [execve] /bin/sh -c pwd [pid 21703] [ppid 21647 *] [uid 398] [euid 398]
> Aug 2 13:00:19 web2 kernel: [open] [pid 21703 sh] /dev/tty [RW 34818 ] No such device or address
> Aug 2 13:00:19 web2 kernel: [exit] [code 0] [pid 21703 sh]
> Aug 2 13:00:19 web2 kernel: [open] [pid 21647 *] /tmp [RO 100352 ] Ok
> Aug 2 13:00:19 web2 kernel: [execve] /bin/sh -c sync ; sync [pid 21704] [ppid 21647 *] [uid 398] [euid 398]
> Aug 2 13:00:19 web2 kernel: [open] [pid 21704 sh] /dev/tty [RW 34818 ] No such device or address
> Aug 2 13:00:19 web2 kernel: [execve] /bin/sync [pid 21705] [ppid 21704 sh] [uid 398] [euid 398]
> Aug 2 13:00:19 web2 kernel: VFS: find_free_dqentry(): Data block full but it shouldn't.
> Aug 2 13:00:19 web2 kernel: VFS: Error -5 occured while creating quota.
> Aug 2 13:00:20 web2 kernel: [exit] [code 0] [pid 21705 *]
> Aug 2 13:00:20 web2 kernel: [execve] /bin/sync [pid 21706] [ppid 21704 sh] [uid 398] [euid 398]
> Aug 2 13:00:20 web2 kernel: [exit] [code 0] [pid 21706 *]
> Aug 2 13:00:20 web2 kernel: [exit] [code 0] [pid 21704 sh]
> Aug 2 13:00:25 web2 kernel: [execve] /bin/sh -c pwd [pid 21710] [ppid 12837 *] [uid 398] [euid 398]
> Aug 2 13:00:25 web2 kernel: [open] [pid 21710 sh] /dev/tty [RW 34818 ] No such device or address
> Aug 2 13:00:25 web2 kernel: [exit] [code 0] [pid 21710 sh]
> Aug 2 13:00:25 web2 kernel: [open] [pid 12837 *] /tmp [RO 100352 ] Ok
> Aug 2 13:00:25 web2 kernel: [execve] /bin/sh -c /tmp/think [pid 21711] [ppid 12837 *] [uid 398] [euid 398]
> Aug 2 13:00:25 web2 kernel: [open] [pid 21711 sh] /dev/tty [RW 34818 ] No such device or address
> Aug 2 13:00:25 web2 kernel: [execve] /tmp/think [pid 21711] [ppid 12837 *] [uid 398] [euid 398]
> Aug 2 13:00:25 web2 kernel: [exit] [code 0] [pid 21711 sh]
> Aug 2 13:00:25 web2 kernel: [exit] [code 0] [pid 21712 *]
>
> Right. At this point the think is on port 15880, launched by httpd. Its name in the process list is "HTTPS v1.0 daemon pid 435644". It doesn't do much: it sits on that port and serves a free shell with httpd's id. I also have the sources for that think. The point is that this was on 2 August. The crash happened a few days later, when the think ends up, just like my sendmail, on httpd's port (the think on 443, my sendmail on 80). It doesn't serve commands: telnet to 80 and id, which normally works on 15880, doesn't work. Other references in the syscalls department: NONE. Not even an open, nothing. It simply goes from 15880 to 80. The server in question was 100% certainly not rooted etc. Attempts to bind the think on 15880 again and then restart apache like mad in the hope it would move to 80: no effect.
>
> Okeeeei...
> Another friend, another machine. Likewise a clean machine, another idiot trying to put bncs in /tmp. This time I don't have logging like the one above, but there are other details. Same symptoms. Process started at Easter, apache keeled over at Christmas (I don't know the exact dates ;)))
> But environ in /proc for the process says this:
>
> PWD=/tmp/.tmp/dircproxy-1.0.5
> SUDO_GID=0
> USER=root
> SUDO_UID=0
> LOGNAME=root
> SHLVL=4
> _=./dircproxy
> SUDO_COMMAND=/apache/bin/apachectl startssl
> SHELL=/bin/sh
> HOME=/root
> PATH=/usr/bin:/bin
> SUDO_USER=root
>
> Result: found dircproxy on both 80 and 443...
>
> /proc/(the process)/maps
> 08048000-08060000 r-xp 00000000 03:02 146892     /tmp/.tmp/dircproxy-1.0.5/dircproxy
> 08060000-08061000 rw-p 00017000 03:02 146892     /tmp/.tmp/dircproxy-1.0.5/dircproxy
> 08061000-08068000 rwxp 00000000 00:00 0
> 40000000-40013000 r-xp 00000000 03:02 292040     /lib/ld-2.2.5.so
> 40013000-40014000 rw-p 00013000 03:02 292040     /lib/ld-2.2.5.so
> 4001b000-40020000 r-xp 00000000 03:02 292059     /lib/libcrypt-2.2.5.so
> 40020000-40021000 rw-p 00004000 03:02 292059     /lib/libcrypt-2.2.5.so
> 40021000-40049000 rw-p 00000000 00:00 0
> 40049000-40052000 r-xp 00000000 03:02 292081     /lib/libnss_files-2.2.5.so
> 40052000-40053000 rw-p 00009000 03:02 292081     /lib/libnss_files-2.2.5.so
> 40053000-4005d000 r-xp 00000000 03:02 292089     /lib/libnss_nisplus-2.2.5.so
> 4005d000-4005e000 rw-p 00009000 03:02 292089     /lib/libnss_nisplus-2.2.5.so
> 4005e000-40070000 r-xp 00000000 03:02 292065     /lib/libnsl-2.2.5.so
> 40070000-40071000 rw-p 00012000 03:02 292065     /lib/libnsl-2.2.5.so
> 40071000-40073000 rw-p 00000000 00:00 0
> 42000000-4212c000 r-xp 00000000 03:02 308431     /lib/i686/libc-2.2.5.so
> 4212c000-42131000 rw-p 0012c000 03:02 308431     /lib/i686/libc-2.2.5.so
> 42131000-42135000 rw-p 00000000 00:00 0
> bfffc000-c0000000 rwxp ffffd000 00:00 0
>
> ls -la /proc/(the process)
> total 0
> dr-xr-xr-x    3 httpd    httpd           0 Jul 28 01:28 .
> dr-xr-xr-x   50 root     root            0 Jul 22 05:00 ..
> -r--r--r--    1 httpd    httpd           0 Jul 28 01:31 cmdline
> lrwxrwxrwx    1 httpd    httpd           0 Jul 28 01:31 cwd -> /tmp/.tmp/dircproxy-1.0.5
> -r--------    1 httpd    httpd           0 Jul 28 01:31 environ
> lrwxrwxrwx    1 httpd    httpd           0 Jul 28 01:31 exe -> /tmp/.tmp/dircproxy-1.0.5/dircproxy
> dr-x------    2 httpd    httpd           0 Jul 28 01:31 fd
> -r--r--r--    1 httpd    httpd           0 Jul 28 01:31 maps
> -rw-------    1 httpd    httpd           0 Jul 28 01:31 mem
> -r--r--r--    1 httpd    httpd           0 Jul 28 01:31 mounts
> lrwxrwxrwx    1 httpd    httpd           0 Jul 28 01:31 root -> /
> -r--r--r--    1 httpd    httpd           0 Jul 28 01:31 stat
> -r--r--r--    1 httpd    httpd           0 Jul 28 01:31 statm
> -r--r--r--    1 httpd    httpd           0 Jul 28 01:31 status
>
> And for those interested, think.c is at http://www.securityorg.net/think.c
>
> ---
> Details about our mailing lists: http://www.lug.ro/

--
-------------------------
Dan Nae
Romanian Education Network
Bucharest NOC
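The trace format quoted above is regular enough to run rules over. Below is an added example, written for this page and not taken from the post or from whatever kernel module produced the trace: a parser for the three record kinds seen in the excerpt (execve, open, exit) and a few rules that flag the sequence the poster describes, a web-server uid compiling in /tmp, chmod'ing the result and executing it from there. The sample input is a constructed excerpt of the lines quoted above with the mail wrapping undone; the rule names, the scratch-directory list and the assumption that uid 398 is the httpd account are mine.

```python
import re
from collections import namedtuple
from posixpath import basename

# Constructed sample: lines copied from the klog excerpt in the post above,
# one event per line with the mail-client line wrapping undone.
SAMPLE_KLOG = """\
Aug 2 13:00:02 web2 kernel: [execve] /bin/sh -c pwd [pid 21688] [ppid 12778 *] [uid 398] [euid 398]
Aug 2 13:00:02 web2 kernel: [open] [pid 21688 sh] /dev/tty [RW 34818 ] No such device or address
Aug 2 13:00:02 web2 kernel: [exit] [code 0] [pid 21688 sh]
Aug 2 13:00:02 web2 kernel: [open] [pid 12778 *] /tmp [RO 100352 ] Ok
Aug 2 13:00:02 web2 kernel: [execve] /bin/sh -c gcc think.c -o think [pid 21689] [ppid 12778 *] [uid 398] [euid 398]
Aug 2 13:00:02 web2 kernel: [execve] /usr/bin/gcc think.c -o think [pid 21689] [ppid 12778 *] [uid 398] [euid 398]
Aug 2 13:00:02 web2 kernel: [open] [pid 21689 sh] /tmp/ccX7qElF.i [RW 194 ] Ok
Aug 2 13:00:08 web2 kernel: [execve] /bin/ls -l think [pid 21698] [ppid 12839 *] [uid 398] [euid 398]
Aug 2 13:00:15 web2 kernel: [execve] /bin/chmod 700 think [pid 21701] [ppid 21060 *] [uid 398] [euid 398]
Aug 2 13:00:25 web2 kernel: [execve] /bin/sh -c /tmp/think [pid 21711] [ppid 12837 *] [uid 398] [euid 398]
Aug 2 13:00:25 web2 kernel: [execve] /tmp/think [pid 21711] [ppid 12837 *] [uid 398] [euid 398]
Aug 2 13:00:25 web2 kernel: [exit] [code 0] [pid 21711 sh]
"""

# Record layouts exactly as they appear in the excerpt: syslog prefix, then one
# of the three event kinds.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<rest>.*)$")
EXECVE_RE = re.compile(
    r"^\[execve\] (?P<cmd>.*?) \[pid (?P<pid>\d+)\] \[ppid (?P<ppid>\d+) (?P<pcomm>\S+)\]"
    r" \[uid (?P<uid>\d+)\] \[euid (?P<euid>\d+)\]$")
OPEN_RE = re.compile(
    r"^\[open\] \[pid (?P<pid>\d+) (?P<comm>\S+)\] (?P<path>\S+)"
    r" \[(?P<mode>[A-Z]+) (?P<flags>\d+) \] (?P<result>.*)$")
EXIT_RE = re.compile(r"^\[exit\] \[code (?P<code>\d+)\] \[pid (?P<pid>\d+) (?P<comm>\S+)\]$")

WEB_UIDS = {398}           # assumption: uid 398 is the httpd account on that host
COMPILERS = {"gcc", "cc", "g++", "cpp0", "cc1", "as", "ld"}
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

Alert = namedtuple("Alert", "ts pid uid rule detail")


def parse_line(line):
    """Return a dict for one trace record, or None for anything else in klog."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    for kind, rx in (("execve", EXECVE_RE), ("open", OPEN_RE), ("exit", EXIT_RE)):
        e = rx.match(m.group("rest"))
        if e:
            ev = {"ts": m.group("ts"), "host": m.group("host"), "kind": kind}
            ev.update(e.groupdict())
            return ev
    return None   # VFS noise, unrelated kernel messages, truncated records


def analyze(lines):
    """Run the rules over an iterable of klog lines; return the alerts in order."""
    alerts = []
    pid_uid = {}              # open/exit records carry no uid: join on the execve
    rules_per_uid = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        rule = uid = detail = None
        if ev["kind"] == "execve":
            uid = int(ev["uid"])
            pid_uid[int(ev["pid"])] = uid
            argv = ev["cmd"].split()
            argv0 = argv[0] if argv else ""
            if uid in WEB_UIDS and basename(argv0) in COMPILERS:
                rule = "compiler_run_by_web_uid"
            elif argv0.startswith(SCRATCH_DIRS):
                rule = "exec_from_scratch_dir"
            elif uid in WEB_UIDS and basename(argv0) == "chmod":
                rule = "chmod_by_web_uid"
            detail = ev["cmd"]
        elif ev["kind"] == "open":
            uid = pid_uid.get(int(ev["pid"]))
            if (uid in WEB_UIDS and ev["mode"] in ("WO", "RW")
                    and ev["path"].startswith(SCRATCH_DIRS) and ev["result"] == "Ok"):
                rule = "write_in_scratch_dir"
            detail = ev["path"]
        if rule:
            alerts.append(Alert(ev["ts"], int(ev["pid"]), uid, rule, detail))
            rules_per_uid.setdefault(uid, set()).add(rule)
    # Correlation: the same uid both ran a compiler and executed a binary out of
    # a scratch directory, which is the whole sequence seen in the post.
    for uid, rules in rules_per_uid.items():
        if {"compiler_run_by_web_uid", "exec_from_scratch_dir"} <= rules:
            alerts.append(Alert("", 0, uid, "build_and_run_in_scratch_dir", "correlated"))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_KLOG.splitlines()):
        print(f"{a.ts:15} pid={a.pid:<6} uid={a.uid} {a.rule}: {a.detail}")
```

The open and exit records carry no uid, so the rules keep a pid-to-uid map filled from the execve records and join on it. The `sh -c` wrappers are deliberately not matched on their own: the trace shows the shell exec'ing the real binary under the same pid a moment later (`/bin/sh -c gcc ...` followed by `/usr/bin/gcc ...` as pid 21689), and that second record is the one the rules fire on.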
