You can ignore this kilometre-long message :) If you do read it, at least read
it all the way through :))

Gushterul

Take one (1) parrot who tried to root a server. Without success. But
without realising it, his bnc ended up on port 80....
He just launched it, and that's all.

Aug  2 13:00:02 web2 kernel: [execve] /bin/sh -c pwd [pid 21688] [ppid 12778 *] [uid 398] [euid 398]
Aug  2 13:00:02 web2 kernel: [open] [pid 21688 sh] /dev/tty [RW 34818 ] No such device or address
Aug  2 13:00:02 web2 kernel: [exit] [code 0] [pid 21688 sh]
Aug  2 13:00:02 web2 kernel: [open] [pid 12778 *] /tmp [RO 100352 ] Ok
Aug  2 13:00:02 web2 kernel: [execve] /bin/sh -c gcc think.c -o think [pid 21689] [ppid 12778 *] [uid 398] [euid 398]
Aug  2 13:00:02 web2 kernel: [open] [pid 21689 sh] /dev/tty [RW 34818 ] No such device or address
Aug  2 13:00:02 web2 kernel: [execve] /usr/bin/gcc think.c -o think [pid 21689] [ppid 12778 *] [uid 398] [euid 398]
Aug  2 13:00:02 web2 kernel: [open] [pid 21689 sh] /tmp/ccX7qElF.i [RW 194 ] Ok
Aug  2 13:00:02 web2 kernel: [execve] /usr/lib/gcc-lib/i386-redhat-linux/2.96/cpp0 -lang-c -D__GNUC__=2 -D__GNUC_MINOR__=96 -D__GNUC_PATCHLEVEL__=0 -D__ELF__ -Dunix -Dlinux -D__ELF__ -D__unix__ -D__linux__ -D__unix -D__linux -Asystem(posix) -D__NO_INLINE__ -Acpu(i386) -Amachine(i386) -Di386 -D__i386 -D__i386__ -D__tune_i386__ think.c /tmp/ccX7qElF.i [pid 21690] [ppid 21689 sh] [uid 398] [euid 398]
Aug  2 13:00:02 web2 kernel: [open] [pid 21690 lib/i386-redhat-linux/2.96/cpp0] /tmp/ccX7qElF.i [WO 577 ] Ok
Aug  2 13:00:02 web2 kernel: [open] [pid 21690 lib/i386-redhat-linux/2.96/cpp0] think.c [RO 256 ] Ok
Aug  2 13:00:02 web2 kernel: [open] [pid 21690 lib/i386-redhat-linux/2.96/cpp0] /usr/local/include/stdio.h [RO 256 ] No such file or directory
Aug  2 13:00:02 web2 kernel: [open] [pid 21690 lib/i386-redhat-linux/2.96/cpp0] /usr/lib/gcc-lib/i386-redhat-linux/2.96/include/stdio.h [RO 256 ] No such file or directory
Aug  2 13:00:02 web2 kernel: lib/i386-redhat-linux/2.96/cpp0] /usr/include/bits/stdio_lim.h [RO 256 ] Ok

[blah blah, a lot of junk from the compilation....]

Aug  2 13:00:08 web2 kernel: [execve] /bin/sh -c pwd [pid 21697] [ppid 12839 *] [uid 398] [euid 398]
Aug  2 13:00:08 web2 kernel: [open] [pid 21697 sh] /dev/tty [RW 34818 ] No such device or address
Aug  2 13:00:08 web2 kernel: [exit] [code 0] [pid 21697 sh]
Aug  2 13:00:08 web2 kernel: [open] [pid 12839 *] /tmp [RO 100352 ] Ok
Aug  2 13:00:08 web2 kernel: [execve] /bin/sh -c ls -l think [pid 21698] [ppid 12839 *] [uid 398] [euid 398]
Aug  2 13:00:08 web2 kernel: [open] [pid 21698 sh] /dev/tty [RW 34818 ] No such device or address
Aug  2 13:00:08 web2 kernel: [execve] /bin/ls -l think [pid 21698] [ppid 12839 *] [uid 398] [euid 398]
Aug  2 13:00:08 web2 kernel: [exit] [code 0] [pid 21698 sh]
Aug  2 13:00:15 web2 kernel: [execve] /bin/sh -c pwd [pid 21700] [ppid 21060 *] [uid 398] [euid 398]
Aug  2 13:00:15 web2 kernel: [open] [pid 21700 sh] /dev/tty [RW 34818 ] No such device or address
Aug  2 13:00:15 web2 kernel: [exit] [code 0] [pid 21700 sh]
Aug  2 13:00:15 web2 kernel: [open] [pid 21060 *] /tmp [RO 100352 ] Ok
Aug  2 13:00:15 web2 kernel: [execve] /bin/sh -c chmod 700 think [pid 21701] [ppid 21060 *] [uid 398] [euid 398]
Aug  2 13:00:15 web2 kernel: [open] [pid 21701 sh] /dev/tty [RW 34818 ] No such device or address
Aug  2 13:00:15 web2 kernel: [execve] /bin/chmod 700 think [pid 21701] [ppid 21060 *] [uid 398] [euid 398]
Aug  2 13:00:15 web2 kernel: [exit] [code 0] [pid 21701 sh]
Aug  2 13:00:19 web2 kernel: [execve] /bin/sh -c pwd [pid 21703] [ppid 21647 *] [uid 398] [euid 398]
Aug  2 13:00:19 web2 kernel: [open] [pid 21703 sh] /dev/tty [RW 34818 ] No such device or address
Aug  2 13:00:19 web2 kernel: [exit] [code 0] [pid 21703 sh]
Aug  2 13:00:19 web2 kernel: [open] [pid 21647 *] /tmp [RO 100352 ] Ok
Aug  2 13:00:19 web2 kernel: [execve] /bin/sh -c sync ; sync [pid 21704] [ppid 21647 *] [uid 398] [euid 398]
Aug  2 13:00:19 web2 kernel: [open] [pid 21704 sh] /dev/tty [RW 34818 ] No such device or address
Aug  2 13:00:19 web2 kernel: [execve] /bin/sync [pid 21705] [ppid 21704 sh] [uid 398] [euid 398]
Aug  2 13:00:19 web2 kernel: VFS: find_free_dqentry(): Data block full but it shouldn't.
Aug  2 13:00:19 web2 kernel: VFS: Error -5 occured while creating quota.
Aug  2 13:00:20 web2 kernel: [exit] [code 0] [pid 21705 *]
Aug  2 13:00:20 web2 kernel: [execve] /bin/sync [pid 21706] [ppid 21704 sh] [uid 398] [euid 398]
Aug  2 13:00:20 web2 kernel: [exit] [code 0] [pid 21706 *]
Aug  2 13:00:20 web2 kernel: [exit] [code 0] [pid 21704 sh]
Aug  2 13:00:25 web2 kernel: [execve] /bin/sh -c pwd [pid 21710] [ppid 12837 *] [uid 398] [euid 398]
Aug  2 13:00:25 web2 kernel: [open] [pid 21710 sh] /dev/tty [RW 34818 ] No such device or address
Aug  2 13:00:25 web2 kernel: [exit] [code 0] [pid 21710 sh]
Aug  2 13:00:25 web2 kernel: [open] [pid 12837 *] /tmp [RO 100352 ] Ok
Aug  2 13:00:25 web2 kernel: [execve] /bin/sh -c /tmp/think [pid 21711] [ppid 12837 *] [uid 398] [euid 398]
Aug  2 13:00:25 web2 kernel: [open] [pid 21711 sh] /dev/tty [RW 34818 ] No such device or address
Aug  2 13:00:25 web2 kernel: [execve] /tmp/think [pid 21711] [ppid 12837 *] [uid 398] [euid 398]
Aug  2 13:00:25 web2 kernel: [exit] [code 0] [pid 21711 sh]
Aug  2 13:00:25 web2 kernel: [exit] [code 0] [pid 21712 *]

Right. At this point the think is sitting on port 15880, launched by httpd.
The process name in the process list is "HTTPS v1.0 daemon pid
435644". It doesn't do much: it sits on that port and serves a free
shell with httpd's id. I also have the sources for that think. The thing
is, this was on August 2nd. The crash happened a few days later, when
the think ends up, just like my sendmail, on httpd's port (the think on
443, my sendmail on 80). It doesn't serve commands; telnet to 80 and
`id`, which normally works on 15880, doesn't work. Any other references
in the syscalls chapter: NONE. Not even an open, nothing. It simply goes
from 15880 to 80. The server in question is 100% certain not to have
been rooted etc. Attempts to bind the think on 15880 again and then
restart apache like mad in the hope it would move to 80: no effect.

Okaaaay...
Another friend, another machine. Likewise a clean machine, another idiot
trying to put bncs in /tmp. This time I don't have logging like the one
above, but there are other details. Same symptoms. The process started
at Easter, apache keeled over at Christmas (I don't know the exact dates ;)))
But environ from /proc for the process says this (the NUL separators were
lost when pasting, so the variables are split out here one per line):
PWD=/tmp/.tmp/dircproxy-1.0.5
SUDO_GID=0
USER=root
SUDO_UID=0
LOGNAME=root
SHLVL=4
_=./dircproxy
SUDO_COMMAND=/apache/bin/apachectl startssl
SHELL=/bin/sh
HOME=/root
PATH=/usr/bin:/bin
SUDO_USER=root

Result: found dircproxy on both 80 and 443...

/proc/(the process)/maps
08048000-08060000 r-xp 00000000 03:02 146892     /tmp/.tmp/dircproxy-1.0.5/dircproxy
08060000-08061000 rw-p 00017000 03:02 146892     /tmp/.tmp/dircproxy-1.0.5/dircproxy
08061000-08068000 rwxp 00000000 00:00 0
40000000-40013000 r-xp 00000000 03:02 292040     /lib/ld-2.2.5.so
40013000-40014000 rw-p 00013000 03:02 292040     /lib/ld-2.2.5.so
4001b000-40020000 r-xp 00000000 03:02 292059     /lib/libcrypt-2.2.5.so
40020000-40021000 rw-p 00004000 03:02 292059     /lib/libcrypt-2.2.5.so
40021000-40049000 rw-p 00000000 00:00 0
40049000-40052000 r-xp 00000000 03:02 292081     /lib/libnss_files-2.2.5.so
40052000-40053000 rw-p 00009000 03:02 292081     /lib/libnss_files-2.2.5.so
40053000-4005d000 r-xp 00000000 03:02 292089     /lib/libnss_nisplus-2.2.5.so
4005d000-4005e000 rw-p 00009000 03:02 292089     /lib/libnss_nisplus-2.2.5.so
4005e000-40070000 r-xp 00000000 03:02 292065     /lib/libnsl-2.2.5.so
40070000-40071000 rw-p 00012000 03:02 292065     /lib/libnsl-2.2.5.so
40071000-40073000 rw-p 00000000 00:00 0
42000000-4212c000 r-xp 00000000 03:02 308431     /lib/i686/libc-2.2.5.so
4212c000-42131000 rw-p 0012c000 03:02 308431     /lib/i686/libc-2.2.5.so
42131000-42135000 rw-p 00000000 00:00 0
bfffc000-c0000000 rwxp ffffd000 00:00 0

ls -la /proc/(the process)
total 0
dr-xr-xr-x    3 httpd    httpd           0 Jul 28 01:28 .
dr-xr-xr-x   50 root     root            0 Jul 22 05:00 ..
-r--r--r--    1 httpd    httpd           0 Jul 28 01:31 cmdline
lrwxrwxrwx    1 httpd    httpd           0 Jul 28 01:31 cwd -> 
/tmp/.tmp/dircproxy-1.0.5
-r--------    1 httpd    httpd           0 Jul 28 01:31 environ
lrwxrwxrwx    1 httpd    httpd           0 Jul 28 01:31 exe -> 
/tmp/.tmp/dircproxy-1.0.5/dircproxy
dr-x------    2 httpd    httpd           0 Jul 28 01:31 fd
-r--r--r--    1 httpd    httpd           0 Jul 28 01:31 maps
-rw-------    1 httpd    httpd           0 Jul 28 01:31 mem
-r--r--r--    1 httpd    httpd           0 Jul 28 01:31 mounts
lrwxrwxrwx    1 httpd    httpd           0 Jul 28 01:31 root -> /
-r--r--r--    1 httpd    httpd           0 Jul 28 01:31 stat
-r--r--r--    1 httpd    httpd           0 Jul 28 01:31 statm
-r--r--r--    1 httpd    httpd           0 Jul 28 01:31 status

And for those interested, think.c is at http://www.securityorg.net/think.c


--- 
Details about our mailing lists: http://www.lug.ro/
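Added example, not part of the original post and not the poster's code: a small detection pass over the syscall-audit lines quoted above, plus a proper decoder for /proc/PID/environ. The log format assumed is exactly the one visible in the post ([execve] argv [pid N] [ppid N tag] [uid N] [euid N]); the uid 398 for the web user, the "compiler run by the web user" and "execve from /tmp" rules, and the function names are this example's own choices. The sample lines are copied from the post's log; the environ bytes are reconstructed from the values the post shows, with the NUL separators put back.

```python
"""Detection over the post's syscall-audit lines and a /proc/PID/environ decoder.

Added example; the log format and the rules below are assumptions made
for illustration, modelled on what the post shows.
"""
import re

# Constructed sample: a subset of the lines quoted in the post, verbatim.
SAMPLE_LOG = """\
Aug  2 13:00:02 web2 kernel: [execve] /bin/sh -c gcc think.c -o think [pid 21689] [ppid 12778 *] [uid 398] [euid 398]
Aug  2 13:00:02 web2 kernel: [open] [pid 21689 sh] /dev/tty [RW 34818 ] No such device or address
Aug  2 13:00:02 web2 kernel: [execve] /usr/bin/gcc think.c -o think [pid 21689] [ppid 12778 *] [uid 398] [euid 398]
Aug  2 13:00:02 web2 kernel: [open] [pid 21689 sh] /tmp/ccX7qElF.i [RW 194 ] Ok
Aug  2 13:00:15 web2 kernel: [execve] /bin/chmod 700 think [pid 21701] [ppid 21060 *] [uid 398] [euid 398]
Aug  2 13:00:25 web2 kernel: [execve] /bin/sh -c /tmp/think [pid 21711] [ppid 12837 *] [uid 398] [euid 398]
Aug  2 13:00:25 web2 kernel: [execve] /tmp/think [pid 21711] [ppid 12837 *] [uid 398] [euid 398]
Aug  2 13:00:25 web2 kernel: [exit] [code 0] [pid 21711 sh]
"""

# One [execve] record per line; the tag after the ppid ("*" or "sh") is skipped.
EXECVE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: \[execve\] "
    r"(?P<argv>.*?) \[pid (?P<pid>\d+)\] \[ppid (?P<ppid>\d+) [^\]]*\] "
    r"\[uid (?P<uid>\d+)\] \[euid (?P<euid>\d+)\]$"
)

# Assumed list of compiler paths worth flagging when run by the web user.
COMPILERS = ("/usr/bin/gcc", "/usr/bin/cc", "/usr/bin/g++")


def parse_execve(log_text):
    """Return a dict per [execve] line; [open]/[exit] lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = EXECVE_RE.match(line)
        if m:
            ev = m.groupdict()
            for key in ("pid", "ppid", "uid", "euid"):
                ev[key] = int(ev[key])
            events.append(ev)
    return events


def classify(event, web_uid):
    """Label one execve made by the web user, or None if it is unremarkable."""
    if web_uid not in (event["uid"], event["euid"]):
        return None
    argv0 = event["argv"].split()[0]
    if argv0 in COMPILERS:
        return "compiler-as-webuser"
    if argv0.startswith("/tmp/"):
        return "exec-from-tmp"
    # "sh -c /tmp/x": the shell is exec'ed first, then the binary re-execs under the same pid.
    if argv0 == "/bin/sh" and "/tmp/" in event["argv"]:
        return "shell-runs-tmp"
    return None


def find_findings(log_text, web_uid=398):
    """(label, pid, ppid, argv) for every execve worth a second look."""
    out = []
    for ev in parse_execve(log_text):
        label = classify(ev, web_uid)
        if label:
            out.append((label, ev["pid"], ev["ppid"], ev["argv"]))
    return out


def parent_pids(log_text, web_uid=398):
    """Distinct parents of the web user's execves (each command in the post has a new one)."""
    return sorted({ev["ppid"] for ev in parse_execve(log_text) if ev["uid"] == web_uid})


# Reconstructed from the values the post shows, NUL separators restored.
SAMPLE_ENVIRON = (
    b"PWD=/tmp/.tmp/dircproxy-1.0.5\0SUDO_GID=0\0USER=root\0SUDO_UID=0\0"
    b"LOGNAME=root\0SHLVL=4\0_=./dircproxy\0SUDO_COMMAND=/apache/bin/apachectl startssl\0"
    b"SHELL=/bin/sh\0HOME=/root\0PATH=/usr/bin:/bin\0SUDO_USER=root\0"
)


def parse_environ(raw):
    """Split the NUL-separated bytes of /proc/PID/environ into a dict (pasting drops the NULs)."""
    env = {}
    for item in raw.split(b"\0"):
        if item:
            key, _, value = item.partition(b"=")
            env[key.decode()] = value.decode()
    return env


def carries_apachectl_environment(env):
    """True when the environment is the one apachectl was started with under sudo."""
    return "apachectl" in env.get("SUDO_COMMAND", "") and env.get("SUDO_UID") == "0"


if __name__ == "__main__":
    for finding in find_findings(SAMPLE_LOG):
        print(finding)
    print("parents:", parent_pids(SAMPLE_LOG))
    env = parse_environ(SAMPLE_ENVIRON)
    print("apachectl env:", carries_apachectl_environment(env), env["SUDO_COMMAND"])
```

On a live box the environ check is `parse_environ(open("/proc/%d/environ" % pid, "rb").read())`; an unprivileged process whose environment still carries SUDO_COMMAND=.../apachectl is a direct descendant of the web server's start-up, which is what the post's /proc listing shows.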