With a syscall logger? :) I think grsec had facilities like that too.

----- Original Message -----
From: "Dan Nae" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, August 08, 2003 10:21 AM
Subject: [rlug] Re: apashi (detalii:))

> How does that syscall trace show up in klog?
>
>
> On Fri, 8 Aug 2003, Gushterul wrote:
>
> > You can ignore this kilometre-long message :) If you do read it, at least
> > read all of it :))
> >
> > Gushterul
> >
> > Take one clown who tried to root a server. Without success. But without
> > realising it, his bnc ended up on port 80.... He just launched it, and
> > that's all.
> >
> > Aug 2 13:00:02 web2 kernel: [execve] /bin/sh -c pwd [pid 21688] [ppid 12778 *] [uid 398] [euid 398]
> > Aug 2 13:00:02 web2 kernel: [open] [pid 21688 sh] /dev/tty [RW 34818 ] No such device or address
> > Aug 2 13:00:02 web2 kernel: [exit] [code 0] [pid 21688 sh]
> > Aug 2 13:00:02 web2 kernel: [open] [pid 12778 *] /tmp [RO 100352 ] Ok
> > Aug 2 13:00:02 web2 kernel: [execve] /bin/sh -c gcc think.c -o think [pid 21689] [ppid 12778 *] [uid 398] [euid 398]
> > Aug 2 13:00:02 web2 kernel: [open] [pid 21689 sh] /dev/tty [RW 34818 ] No such device or address
> > Aug 2 13:00:02 web2 kernel: [execve] /usr/bin/gcc think.c -o think [pid 21689] [ppid 12778 *] [uid 398] [euid 398]
> > Aug 2 13:00:02 web2 kernel: [open] [pid 21689 sh] /tmp/ccX7qElF.i [RW 194 ] Ok
> > Aug 2 13:00:02 web2 kernel: [execve] /usr/lib/gcc-lib/i386-redhat-linux/2.96/cpp0 -lang-c -D__GNUC__=2 -D__GNUC_MINOR__=96 -D__GNUC_PATCHLEVEL__=0 -D__ELF__ -Dunix -Dlinux -D__ELF__ -D__unix__ -D__linux__ -D__unix -D__linux -Asystem(posix) -D__NO_INLINE__ -Acpu(i386) -Amachine(i386) -Di386 -D__i386 -D__i386__ -D__tune_i386__ think.c /tmp/ccX7qElF.i [pid 21690] [ppid 21689 sh] [uid 398] [euid 398]
> > Aug 2 13:00:02 web2 kernel: [open] [pid 21690 lib/i386-redhat-linux/2.96/cpp0] /tmp/ccX7qElF.i [WO 577 ] Ok
> > Aug 2 13:00:02 web2 kernel: [open] [pid 21690 lib/i386-redhat-linux/2.96/cpp0] think.c [RO 256 ] Ok
> > Aug 2 13:00:02 web2 kernel: [open] [pid 21690 lib/i386-redhat-linux/2.96/cpp0] /usr/local/include/stdio.h [RO 256 ] No such file or directory
> > Aug 2 13:00:02 web2 kernel: [open] [pid 21690 lib/i386-redhat-linux/2.96/cpp0] /usr/lib/gcc-lib/i386-redhat-linux/2.96/include/stdio.h [RO 256 ] No such file or directory
> > Aug 2 13:00:02 web2 kernel: lib/i386-redhat-linux/2.96/cpp0] /usr/include/bits/stdio_lim.h [RO 256 ] Ok
> >
> > [blabla, a lot of crap from the compilation....]
> >
> > Aug 2 13:00:08 web2 kernel: [execve] /bin/sh -c pwd [pid 21697] [ppid 12839 *] [uid 398] [euid 398]
> > Aug 2 13:00:08 web2 kernel: [open] [pid 21697 sh] /dev/tty [RW 34818 ] No such device or address
> > Aug 2 13:00:08 web2 kernel: [exit] [code 0] [pid 21697 sh]
> > Aug 2 13:00:08 web2 kernel: [open] [pid 12839 *] /tmp [RO 100352 ] Ok
> > Aug 2 13:00:08 web2 kernel: [execve] /bin/sh -c ls -l think [pid 21698] [ppid 12839 *] [uid 398] [euid 398]
> > Aug 2 13:00:08 web2 kernel: [open] [pid 21698 sh] /dev/tty [RW 34818 ] No such device or address
> > Aug 2 13:00:08 web2 kernel: [execve] /bin/ls -l think [pid 21698] [ppid 12839 *] [uid 398] [euid 398]
> > Aug 2 13:00:08 web2 kernel: [exit] [code 0] [pid 21698 sh]
> > Aug 2 13:00:15 web2 kernel: [execve] /bin/sh -c pwd [pid 21700] [ppid 21060 *] [uid 398] [euid 398]
> > Aug 2 13:00:15 web2 kernel: [open] [pid 21700 sh] /dev/tty [RW 34818 ] No such device or address
> > Aug 2 13:00:15 web2 kernel: [exit] [code 0] [pid 21700 sh]
> > Aug 2 13:00:15 web2 kernel: [open] [pid 21060 *] /tmp [RO 100352 ] Ok
> > Aug 2 13:00:15 web2 kernel: [execve] /bin/sh -c chmod 700 think [pid 21701] [ppid 21060 *] [uid 398] [euid 398]
> > Aug 2 13:00:15 web2 kernel: [open] [pid 21701 sh] /dev/tty [RW 34818 ] No such device or address
> > Aug 2 13:00:15 web2 kernel: [execve] /bin/chmod 700 think [pid 21701] [ppid 21060 *] [uid 398] [euid 398]
> > Aug 2 13:00:15 web2 kernel: [exit] [code 0] [pid 21701 sh]
> > Aug 2 13:00:19 web2 kernel: [execve] /bin/sh -c pwd [pid 21703] [ppid 21647 *] [uid 398] [euid 398]
> > Aug 2 13:00:19 web2 kernel: [open] [pid 21703 sh] /dev/tty [RW 34818 ] No such device or address
> > Aug 2 13:00:19 web2 kernel: [exit] [code 0] [pid 21703 sh]
> > Aug 2 13:00:19 web2 kernel: [open] [pid 21647 *] /tmp [RO 100352 ] Ok
> > Aug 2 13:00:19 web2 kernel: [execve] /bin/sh -c sync ; sync [pid 21704] [ppid 21647 *] [uid 398] [euid 398]
> > Aug 2 13:00:19 web2 kernel: [open] [pid 21704 sh] /dev/tty [RW 34818 ] No such device or address
> > Aug 2 13:00:19 web2 kernel: [execve] /bin/sync [pid 21705] [ppid 21704 sh] [uid 398] [euid 398]
> > Aug 2 13:00:19 web2 kernel: VFS: find_free_dqentry(): Data block full but it shouldn't.
> > Aug 2 13:00:19 web2 kernel: VFS: Error -5 occured while creating quota.
> > Aug 2 13:00:20 web2 kernel: [exit] [code 0] [pid 21705 *]
> > Aug 2 13:00:20 web2 kernel: [execve] /bin/sync [pid 21706] [ppid 21704 sh] [uid 398] [euid 398]
> > Aug 2 13:00:20 web2 kernel: [exit] [code 0] [pid 21706 *]
> > Aug 2 13:00:20 web2 kernel: [exit] [code 0] [pid 21704 sh]
> > Aug 2 13:00:25 web2 kernel: [execve] /bin/sh -c pwd [pid 21710] [ppid 12837 *] [uid 398] [euid 398]
> > Aug 2 13:00:25 web2 kernel: [open] [pid 21710 sh] /dev/tty [RW 34818 ] No such device or address
> > Aug 2 13:00:25 web2 kernel: [exit] [code 0] [pid 21710 sh]
> > Aug 2 13:00:25 web2 kernel: [open] [pid 12837 *] /tmp [RO 100352 ] Ok
> > Aug 2 13:00:25 web2 kernel: [execve] /bin/sh -c /tmp/think [pid 21711] [ppid 12837 *] [uid 398] [euid 398]
> > Aug 2 13:00:25 web2 kernel: [open] [pid 21711 sh] /dev/tty [RW 34818 ] No such device or address
> > Aug 2 13:00:25 web2 kernel: [execve] /tmp/think [pid 21711] [ppid 12837 *] [uid 398] [euid 398]
> > Aug 2 13:00:25 web2 kernel: [exit] [code 0] [pid 21711 sh]
> > Aug 2 13:00:25 web2 kernel: [exit] [code 0] [pid 21712 *]
> >
> > Right. At this moment the "think" is on port 15880, launched by httpd. The
> > process name in the process list is "HTTPS v1.0 daemon pid 435644". It
> > doesn't do much: it sits on that port and serves a free shell with the
> > httpd id. I also have the sources of that think. The point is that this
> > was on 2 August. The breakage happened a few days later, when the think
> > ends up, just like my sendmail, on httpd's port (the think on 443, my
> > sendmail on 80). It doesn't serve commands; telnet to 80 and "id;", which
> > normally works on 15880, does not work. Other references in the syscalls
> > department: NONE. Not even an open, nothing. It simply goes from 15880 to
> > 80. The server in question was 100% for sure not rooted etc. Attempts to
> > bind the think again on 15880 and then restart apache like crazy, hoping
> > it would move to 80: no effect.
> >
> > Okaaay...
> > Another friend, another machine. Likewise a clean machine, another idiot
> > trying to put bncs in /tmp. This time I no longer have logging like the
> > one above, but there are other details. Same symptoms. The process
> > started at Easter, apache keeled over at Christmas (I don't know the exact
> > dates ;))). But the process's environ from /proc says this:
> > PWD=/tmp/.tmp/dircproxy-1.0.5SUDO_GID=0USER=rootSUDO_UID=0LOGNAME=root
> > SHLVL=4_=./dircproxySUDO_COMMAND=/apache/bin/apachectl startssl
> > SHELL=/bin/shHOME=/rootPATH=/usr/bin:/binSUDO_USER=root
> >
> > Result: found dircproxy on both 80 and 443...
> >
> > /proc/(the process)/maps
> > 08048000-08060000 r-xp 00000000 03:02 146892 /tmp/.tmp/dircproxy-1.0.5/dircproxy
> > 08060000-08061000 rw-p 00017000 03:02 146892 /tmp/.tmp/dircproxy-1.0.5/dircproxy
> > 08061000-08068000 rwxp 00000000 00:00 0
> > 40000000-40013000 r-xp 00000000 03:02 292040 /lib/ld-2.2.5.so
> > 40013000-40014000 rw-p 00013000 03:02 292040 /lib/ld-2.2.5.so
> > 4001b000-40020000 r-xp 00000000 03:02 292059 /lib/libcrypt-2.2.5.so
> > 40020000-40021000 rw-p 00004000 03:02 292059 /lib/libcrypt-2.2.5.so
> > 40021000-40049000 rw-p 00000000 00:00 0
> > 40049000-40052000 r-xp 00000000 03:02 292081 /lib/libnss_files-2.2.5.so
> > 40052000-40053000 rw-p 00009000 03:02 292081 /lib/libnss_files-2.2.5.so
> > 40053000-4005d000 r-xp 00000000 03:02 292089 /lib/libnss_nisplus-2.2.5.so
> > 4005d000-4005e000 rw-p 00009000 03:02 292089 /lib/libnss_nisplus-2.2.5.so
> > 4005e000-40070000 r-xp 00000000 03:02 292065 /lib/libnsl-2.2.5.so
> > 40070000-40071000 rw-p 00012000 03:02 292065 /lib/libnsl-2.2.5.so
> > 40071000-40073000 rw-p 00000000 00:00 0
> > 42000000-4212c000 r-xp 00000000 03:02 308431 /lib/i686/libc-2.2.5.so
> > 4212c000-42131000 rw-p 0012c000 03:02 308431 /lib/i686/libc-2.2.5.so
> > 42131000-42135000 rw-p 00000000 00:00 0
> > bfffc000-c0000000 rwxp ffffd000 00:00 0
> >
> > ls -la /proc/(the process)
> > total 0
> > dr-xr-xr-x 3 httpd httpd 0 Jul 28 01:28 .
> > dr-xr-xr-x 50 root root 0 Jul 22 05:00 ..
> > -r--r--r-- 1 httpd httpd 0 Jul 28 01:31 cmdline
> > lrwxrwxrwx 1 httpd httpd 0 Jul 28 01:31 cwd -> /tmp/.tmp/dircproxy-1.0.5
> > -r-------- 1 httpd httpd 0 Jul 28 01:31 environ
> > lrwxrwxrwx 1 httpd httpd 0 Jul 28 01:31 exe -> /tmp/.tmp/dircproxy-1.0.5/dircproxy
> > dr-x------ 2 httpd httpd 0 Jul 28 01:31 fd
> > -r--r--r-- 1 httpd httpd 0 Jul 28 01:31 maps
> > -rw------- 1 httpd httpd 0 Jul 28 01:31 mem
> > -r--r--r-- 1 httpd httpd 0 Jul 28 01:31 mounts
> > lrwxrwxrwx 1 httpd httpd 0 Jul 28 01:31 root -> /
> > -r--r--r-- 1 httpd httpd 0 Jul 28 01:31 stat
> > -r--r--r-- 1 httpd httpd 0 Jul 28 01:31 statm
> > -r--r--r-- 1 httpd httpd 0 Jul 28 01:31 status
> >
> > And for those who want it, think.c at http://www.securityorg.net/think.c
> >
> >
> > ---
> > Details about our mailing lists: http://www.lug.ro/
> >
> >
>
> --
> -------------------------
> Dan Nae
> Romanian Education Network
> Bucharest NOC
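As an added example (not code from the thread or from the syscall logger it quotes), the following parses the `[execve]` lines in the format shown above and pulls out what a defender wants first: which httpd children ran `sh -c` commands, and where the web-server uid compiled and executed a binary out of /tmp. The line format and sample lines are copied from the post; the web-server uid (398 in the posted log) and the directory list are assumptions.

```python
# Added example (not from the thread): parse the syscall logger's [execve] lines
# quoted above, then flag what a defender checks first. Format and sample lines
# are from the post; the web-server uid (398) and directory list are assumptions.
import re
from collections import defaultdict, namedtuple

Exec = namedtuple("Exec", "pid ppid uid cmd")
EXECVE = re.compile(r"\[execve\] (?P<cmd>.+?) \[pid (?P<pid>\d+)\] "
                    r"\[ppid (?P<ppid>\d+)[^\]]*\] \[uid (?P<uid>\d+)\] \[euid \d+\]")

# Lines copied from the posted klog; open/exit and cpp0 noise left out.
SAMPLE_LOG = """\
Aug 2 13:00:02 web2 kernel: [execve] /bin/sh -c pwd [pid 21688] [ppid 12778 *] [uid 398] [euid 398]
Aug 2 13:00:02 web2 kernel: [open] [pid 21688 sh] /dev/tty [RW 34818 ] No such device or address
Aug 2 13:00:02 web2 kernel: [execve] /bin/sh -c gcc think.c -o think [pid 21689] [ppid 12778 *] [uid 398] [euid 398]
Aug 2 13:00:02 web2 kernel: [execve] /usr/bin/gcc think.c -o think [pid 21689] [ppid 12778 *] [uid 398] [euid 398]
Aug 2 13:00:15 web2 kernel: [execve] /bin/sh -c chmod 700 think [pid 21701] [ppid 21060 *] [uid 398] [euid 398]
Aug 2 13:00:25 web2 kernel: [execve] /bin/sh -c /tmp/think [pid 21711] [ppid 12837 *] [uid 398] [euid 398]
Aug 2 13:00:25 web2 kernel: [execve] /tmp/think [pid 21711] [ppid 12837 *] [uid 398] [euid 398]
"""

def parse_execs(log):
    """One Exec per [execve] line; [open]/[exit] lines are skipped."""
    out = []
    for line in log.splitlines():
        m = EXECVE.search(line)
        if m:
            out.append(Exec(int(m["pid"]), int(m["ppid"]), int(m["uid"]), m["cmd"]))
    return out

def shells_by_parent(execs, web_uid):
    """ppid -> commands run via 'sh -c' under the web uid: one entry per httpd
    child that ran a shell, which is how each attacker command shows up above."""
    by_parent = defaultdict(list)
    for e in execs:
        if e.uid == web_uid and e.cmd.startswith("/bin/sh -c "):
            by_parent[e.ppid].append(e.cmd[len("/bin/sh -c "):])
    return dict(by_parent)

def flag(execs, web_uid, writable=("/tmp/", "/var/tmp/", "/dev/shm/")):
    """(pid, reason, cmd) for web-uid execs that compile or run out of a
    world-writable directory, the two steps that built and launched 'think'."""
    hits = []
    for e in execs:
        if e.uid != web_uid:
            continue
        prog = e.cmd.split()[0]
        if prog.startswith(writable):
            hits.append((e.pid, "executed from writable dir", e.cmd))
        elif prog.rsplit("/", 1)[-1] in ("gcc", "cc", "g++"):
            hits.append((e.pid, "compiler run by web uid", e.cmd))
    return hits
```

Run `flag(parse_execs(SAMPLE_LOG), 398)` to get the gcc and /tmp/think executions; `shells_by_parent` shows each httpd child (12778, 21060, 12837) that ran a shell on the attacker's behalf.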
