This is not subj. of discussion:)) Closed source. It can be even more detailed if you want:))
Gushterul

Like this:

[EMAIL PROTECTED] root]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
[EMAIL PROTECTED] root]#

Aug 8 07:53:24 web7 kernel: [open] [pid 795 *] /proc/loadavg [RO 0 ] Ok
Aug 8 07:53:24 web7 kernel: [execve] /usr/bin/id [pid 2613] [ppid 1776 *] [uid 0] [euid 0]
Aug 8 07:53:24 web7 kernel: [open] [pid 2613 id] /etc/ld.so.preload [RO 0 ] No such file or directory
Aug 8 07:53:24 web7 kernel: [open] [pid 2613 id] /etc/ld.so.cache [RO 0 ] Ok
Aug 8 07:53:24 web7 kernel: [open] [pid 2613 id] /lib/i686/libc.so.6 [RO 0 ] Ok
Aug 8 07:53:24 web7 kernel: [open] [pid 2613 id] /usr/share/locale/locale.alias [RO 0 ] Ok
Aug 8 07:53:24 web7 kernel: [open] [pid 2613 id] /usr/lib/locale/en_US.iso885915/LC_IDENTIFICATION [RO 0 ] Ok
Aug 8 07:53:24 web7 kernel: [open] [pid 2613 id] /usr/lib/gconv/gconv-modules.cache [RO 0 ] Ok
Aug 8 07:53:24 web7 kernel: [open] [pid 2613 id] /usr/lib/locale/en_US.iso885915/LC_MEASUREMENT [RO 0 ] Ok
Aug 8 07:53:24 web7 kernel: [open] [pid 2613 id] /usr/lib/locale/en_US.iso885915/LC_TELEPHONE [RO 0 ] Ok
Aug 8 07:53:24 web7 kernel: [open] [pid 2613 id] /usr/lib/locale/en_US.iso885915/LC_ADDRESS [RO 0 ] Ok
Aug 8 07:53:24 web7 kernel: [open] [pid 2613 id] /usr/lib/locale/en_US.iso885915/LC_NAME [RO 0 ] Ok
Aug 8 07:53:24 web7 kernel: [open] [pid 2613 id] /usr/lib/locale/en_US.iso885915/LC_PAPER [RO 0 ] Ok
Aug 8 07:53:24 web7 kernel: [open] [pid 2613 id] /usr/lib/locale/en_US.iso885915/LC_MESSAGES [RO 0 ] Ok
Aug 8 07:53:24 web7 kernel: [open] [pid 2613 id] /usr/lib/locale/en_US.iso885915/LC_MESSAGES/SYS_LC_MESSAGES [RO 0 ] Ok
Aug 8 07:53:24 web7 kernel: [open] [pid 2613 id] /usr/lib/locale/en_US.iso885915/LC_MONETARY [RO 0 ] Ok
Aug 8 07:53:24 web7 kernel: [open] [pid 2613 id] /usr/lib/locale/en_US.iso885915/LC_COLLATE [RO 0 ] Ok
Aug 8 07:53:24 web7 kernel: [open] [pid 2613 id] /usr/lib/locale/en_US.iso885915/LC_TIME [RO 0 ] Ok
Aug 8 07:53:24 web7 kernel: [open] [pid 2613 id] /usr/lib/locale/en_US.iso885915/LC_NUMERIC [RO 0 ] Ok
Aug 8 07:53:24 web7 kernel: [open] [pid 2613 id] /usr/lib/locale/en_US.iso885915/LC_CTYPE [RO 0 ] Ok
Aug 8 07:53:24 web7 kernel: [open] [pid 2613 id] /etc/nsswitch.conf [RO 0 ] Ok
Aug 8 07:53:24 web7 kernel: [open] [pid 2613 id] /etc/ld.so.cache [RO 0 ] Ok
Aug 8 07:53:24 web7 kernel: [open] [pid 2613 id] /lib/libnss_files.so.2 [RO 0 ] Ok
Aug 8 07:53:24 web7 kernel: [open] [pid 2613 id] /etc/passwd [RO 0 ] Ok
Aug 8 07:53:24 web7 kernel: [open] [pid 2613 id] /etc/group [RO 0 ] Ok
Aug 8 07:53:24 web7 kernel: [open] [pid 2613 id] /usr/share/locale/en_US.iso885915/LC_MESSAGES/sh-utils.mo [RO 0 ] No such file or directory
Aug 8 07:53:24 web7 kernel: [open] [pid 2613 id] /usr/share/locale/en_US/LC_MESSAGES/sh-utils.mo [RO 0 ] No such file or directory
Aug 8 07:53:24 web7 kernel: [open] [pid 2613 id] /usr/share/locale/en.iso885915/LC_MESSAGES/sh-utils.mo [RO 0 ] No such file or directory
Aug 8 07:53:24 web7 kernel: [open] [pid 2613 id] /usr/share/locale/en/LC_MESSAGES/sh-utils.mo [RO 0 ] No such file or directory
Aug 8 07:53:24 web7 kernel: [open] [pid 2613 id] /etc/group [RO 0 ] Ok
Aug 8 07:53:24 web7 last message repeated 6 times
Aug 8 07:53:24 web7 kernel: [exit] [code 0] [pid 2613 id]

Friday, August 8, 2003, 9:21:11 AM, you wrote:

DN> How does that syscall trace show up in klog?
DN> On Fri, 8 Aug 2003, Gushterul wrote:

>> You can ignore this kilometre-long message :) If you do read it, at least read all of it :))
>>
>> Gushterul
>>
>> Take one parrot who tried to root a server. Without success. But, without him noticing, his bnc ended up on port 80.... He launched it and that was all.
>>
>> Aug 2 13:00:02 web2 kernel: [execve] /bin/sh -c pwd [pid 21688] [ppid 12778 *] [uid 398] [euid 398]
>> Aug 2 13:00:02 web2 kernel: [open] [pid 21688 sh] /dev/tty [RW 34818 ] No such device or address
>> Aug 2 13:00:02 web2 kernel: [exit] [code 0] [pid 21688 sh]
>> Aug 2 13:00:02 web2 kernel: [open] [pid 12778 *] /tmp [RO 100352 ] Ok
>> Aug 2 13:00:02 web2 kernel: [execve] /bin/sh -c gcc think.c -o think [pid 21689] [ppid 12778 *] [uid 398] [euid 398]
>> Aug 2 13:00:02 web2 kernel: [open] [pid 21689 sh] /dev/tty [RW 34818 ] No such device or address
>> Aug 2 13:00:02 web2 kernel: [execve] /usr/bin/gcc think.c -o think [pid 21689] [ppid 12778 *] [uid 398] [euid 398]
>> Aug 2 13:00:02 web2 kernel: [open] [pid 21689 sh] /tmp/ccX7qElF.i [RW 194 ] Ok
>> Aug 2 13:00:02 web2 kernel: [execve] /usr/lib/gcc-lib/i386-redhat-linux/2.96/cpp0 -lang-c -D__GNUC__=2 -D__GNUC_MINOR__=96 -D__GNUC_PATCHLEVEL__=0 -D__ELF__ -Dunix -Dlinux -D__ELF__ -D__unix__ -D__linux__ -D__unix -D__linux -Asystem(posix) -D__NO_INLINE__ -Acpu(i386) -Amachine(i386) -Di386 -D__i386 -D__i386__ -D__tune_i386__ think.c /tmp/ccX7qElF.i [pid 21690] [ppid 21689 sh] [uid 398] [euid 398]
>> Aug 2 13:00:02 web2 kernel: [open] [pid 21690 lib/i386-redhat-linux/2.96/cpp0] /tmp/ccX7qElF.i [WO 577 ] Ok
>> Aug 2 13:00:02 web2 kernel: [open] [pid 21690 lib/i386-redhat-linux/2.96/cpp0] think.c [RO 256 ] Ok
>> Aug 2 13:00:02 web2 kernel: [open] [pid 21690 lib/i386-redhat-linux/2.96/cpp0] /usr/local/include/stdio.h [RO 256 ] No such file or directory
>> Aug 2 13:00:02 web2 kernel: [open] [pid 21690 lib/i386-redhat-linux/2.96/cpp0] /usr/lib/gcc-lib/i386-redhat-linux/2.96/include/stdio.h [RO 256 ] No such file or directory
>> Aug 2 13:00:02 web2 kernel: lib/i386-redhat-linux/2.96/cpp0] /usr/include/bits/stdio_lim.h [RO 256 ] Ok
>>
>> [blah blah, a lot of junk from the compilation....]
>>
>> Aug 2 13:00:08 web2 kernel: [execve] /bin/sh -c pwd [pid 21697] [ppid 12839 *] [uid 398] [euid 398]
>> Aug 2 13:00:08 web2 kernel: [open] [pid 21697 sh] /dev/tty [RW 34818 ] No such device or address
>> Aug 2 13:00:08 web2 kernel: [exit] [code 0] [pid 21697 sh]
>> Aug 2 13:00:08 web2 kernel: [open] [pid 12839 *] /tmp [RO 100352 ] Ok
>> Aug 2 13:00:08 web2 kernel: [execve] /bin/sh -c ls -l think [pid 21698] [ppid 12839 *] [uid 398] [euid 398]
>> Aug 2 13:00:08 web2 kernel: [open] [pid 21698 sh] /dev/tty [RW 34818 ] No such device or address
>> Aug 2 13:00:08 web2 kernel: [execve] /bin/ls -l think [pid 21698] [ppid 12839 *] [uid 398] [euid 398]
>> Aug 2 13:00:08 web2 kernel: [exit] [code 0] [pid 21698 sh]
>> Aug 2 13:00:15 web2 kernel: [execve] /bin/sh -c pwd [pid 21700] [ppid 21060 *] [uid 398] [euid 398]
>> Aug 2 13:00:15 web2 kernel: [open] [pid 21700 sh] /dev/tty [RW 34818 ] No such device or address
>> Aug 2 13:00:15 web2 kernel: [exit] [code 0] [pid 21700 sh]
>> Aug 2 13:00:15 web2 kernel: [open] [pid 21060 *] /tmp [RO 100352 ] Ok
>> Aug 2 13:00:15 web2 kernel: [execve] /bin/sh -c chmod 700 think [pid 21701] [ppid 21060 *] [uid 398] [euid 398]
>> Aug 2 13:00:15 web2 kernel: [open] [pid 21701 sh] /dev/tty [RW 34818 ] No such device or address
>> Aug 2 13:00:15 web2 kernel: [execve] /bin/chmod 700 think [pid 21701] [ppid 21060 *] [uid 398] [euid 398]
>> Aug 2 13:00:15 web2 kernel: [exit] [code 0] [pid 21701 sh]
>> Aug 2 13:00:19 web2 kernel: [execve] /bin/sh -c pwd [pid 21703] [ppid 21647 *] [uid 398] [euid 398]
>> Aug 2 13:00:19 web2 kernel: [open] [pid 21703 sh] /dev/tty [RW 34818 ] No such device or address
>> Aug 2 13:00:19 web2 kernel: [exit] [code 0] [pid 21703 sh]
>> Aug 2 13:00:19 web2 kernel: [open] [pid 21647 *] /tmp [RO 100352 ] Ok
>> Aug 2 13:00:19 web2 kernel: [execve] /bin/sh -c sync ; sync [pid 21704] [ppid 21647 *] [uid 398] [euid 398]
>> Aug 2 13:00:19 web2 kernel: [open] [pid 21704 sh] /dev/tty [RW 34818 ] No such device or address
>> Aug 2 13:00:19 web2 kernel: [execve] /bin/sync [pid 21705] [ppid 21704 sh] [uid 398] [euid 398]
>> Aug 2 13:00:19 web2 kernel: VFS: find_free_dqentry(): Data block full but it shouldn't.
>> Aug 2 13:00:19 web2 kernel: VFS: Error -5 occured while creating quota.
>> Aug 2 13:00:20 web2 kernel: [exit] [code 0] [pid 21705 *]
>> Aug 2 13:00:20 web2 kernel: [execve] /bin/sync [pid 21706] [ppid 21704 sh] [uid 398] [euid 398]
>> Aug 2 13:00:20 web2 kernel: [exit] [code 0] [pid 21706 *]
>> Aug 2 13:00:20 web2 kernel: [exit] [code 0] [pid 21704 sh]
>> Aug 2 13:00:25 web2 kernel: [execve] /bin/sh -c pwd [pid 21710] [ppid 12837 *] [uid 398] [euid 398]
>> Aug 2 13:00:25 web2 kernel: [open] [pid 21710 sh] /dev/tty [RW 34818 ] No such device or address
>> Aug 2 13:00:25 web2 kernel: [exit] [code 0] [pid 21710 sh]
>> Aug 2 13:00:25 web2 kernel: [open] [pid 12837 *] /tmp [RO 100352 ] Ok
>> Aug 2 13:00:25 web2 kernel: [execve] /bin/sh -c /tmp/think [pid 21711] [ppid 12837 *] [uid 398] [euid 398]
>> Aug 2 13:00:25 web2 kernel: [open] [pid 21711 sh] /dev/tty [RW 34818 ] No such device or address
>> Aug 2 13:00:25 web2 kernel: [execve] /tmp/think [pid 21711] [ppid 12837 *] [uid 398] [euid 398]
>> Aug 2 13:00:25 web2 kernel: [exit] [code 0] [pid 21711 sh]
>> Aug 2 13:00:25 web2 kernel: [exit] [code 0] [pid 21712 *]
>>
>> Right. At this moment the think is on port 15880, launched by httpd. The process name in the process list is "HTTPS v1.0 daemon pid 435644". It doesn't do much: it sits on that port and serves a free shell with httpd's id. I also have the sources of that think. The point is that this was on August 2. The crash happened a few days later, when the think ends up, just like my sendmail, on httpd's port (the think on 443, my sendmail on 80). It doesn't serve commands; telnet to 80 and `id`, which normally works on 15880, doesn't work. Other references in the syscalls chapter: NONE. Not even an open, nothing. It simply goes from 15880 to 80. The server in question is 100% certainly not rooted etc. Attempts to bind the think on 15880 again and then restart apache like crazy, hoping it would move to 80: no effect.
>>
>> Okeeeei...
>> Another friend, another machine. Likewise a clean machine, another idiot trying to put bncs in /tmp. This time I don't have logging like the one above, but there are other details. Same symptoms. The process started at Easter, apache fell over at Christmas (I don't know the exact dates ;))) But environ from /proc for the process says this:
>> PWD=/tmp/.tmp/dircproxy-1.0.5SUDO_GID=0USER=rootSUDO_UID=0LOGNAME=root
>> SHLVL=4_=./dircproxySUDO_COMMAND=/apache/bin/apachectl startssl
>> SHELL=/bin/shHOME=/rootPATH=/usr/bin:/binSUDO_USER=root
>>
>> Result: found dircproxy on both 80 and 443...
>>
>> /proc/(the process)/maps
>> 08048000-08060000 r-xp 00000000 03:02 146892 /tmp/.tmp/dircproxy-1.0.5/dircproxy
>> 08060000-08061000 rw-p 00017000 03:02 146892 /tmp/.tmp/dircproxy-1.0.5/dircproxy
>> 08061000-08068000 rwxp 00000000 00:00 0
>> 40000000-40013000 r-xp 00000000 03:02 292040 /lib/ld-2.2.5.so
>> 40013000-40014000 rw-p 00013000 03:02 292040 /lib/ld-2.2.5.so
>> 4001b000-40020000 r-xp 00000000 03:02 292059 /lib/libcrypt-2.2.5.so
>> 40020000-40021000 rw-p 00004000 03:02 292059 /lib/libcrypt-2.2.5.so
>> 40021000-40049000 rw-p 00000000 00:00 0
>> 40049000-40052000 r-xp 00000000 03:02 292081 /lib/libnss_files-2.2.5.so
>> 40052000-40053000 rw-p 00009000 03:02 292081 /lib/libnss_files-2.2.5.so
>> 40053000-4005d000 r-xp 00000000 03:02 292089 /lib/libnss_nisplus-2.2.5.so
>> 4005d000-4005e000 rw-p 00009000 03:02 292089 /lib/libnss_nisplus-2.2.5.so
>> 4005e000-40070000 r-xp 00000000 03:02 292065 /lib/libnsl-2.2.5.so
>> 40070000-40071000 rw-p 00012000 03:02 292065 /lib/libnsl-2.2.5.so
>> 40071000-40073000 rw-p 00000000 00:00 0
>> 42000000-4212c000 r-xp 00000000 03:02 308431 /lib/i686/libc-2.2.5.so
>> 4212c000-42131000 rw-p 0012c000 03:02 308431 /lib/i686/libc-2.2.5.so
>> 42131000-42135000 rw-p 00000000 00:00 0
>> bfffc000-c0000000 rwxp ffffd000 00:00 0
>>
>> ls -la /proc/(the process)
>> total 0
>> dr-xr-xr-x 3 httpd httpd 0 Jul 28 01:28 .
>> dr-xr-xr-x 50 root root 0 Jul 22 05:00 ..
>> -r--r--r-- 1 httpd httpd 0 Jul 28 01:31 cmdline
>> lrwxrwxrwx 1 httpd httpd 0 Jul 28 01:31 cwd -> /tmp/.tmp/dircproxy-1.0.5
>> -r-------- 1 httpd httpd 0 Jul 28 01:31 environ
>> lrwxrwxrwx 1 httpd httpd 0 Jul 28 01:31 exe -> /tmp/.tmp/dircproxy-1.0.5/dircproxy
>> dr-x------ 2 httpd httpd 0 Jul 28 01:31 fd
>> -r--r--r-- 1 httpd httpd 0 Jul 28 01:31 maps
>> -rw------- 1 httpd httpd 0 Jul 28 01:31 mem
>> -r--r--r-- 1 httpd httpd 0 Jul 28 01:31 mounts
>> lrwxrwxrwx 1 httpd httpd 0 Jul 28 01:31 root -> /
>> -r--r--r-- 1 httpd httpd 0 Jul 28 01:31 stat
>> -r--r--r-- 1 httpd httpd 0 Jul 28 01:31 statm
>> -r--r--r-- 1 httpd httpd 0 Jul 28 01:31 status
>>
>> And for those who want it, think.c at http://www.securityorg.net/think.c
>>
>>
>> ---
>> Details about our mailing lists: http://www.lug.ro/
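As an added example (not code from the thread, nor from the closed-source kernel logging module that produced the trace), here is a Python parser for the three record kinds visible in the quoted klog output, [execve], [open] and [exit], plus three triage rules a defender would run over such a trace: a binary executed out of a temp directory, a compiler run under a service uid, and a `/bin/sh -c` whose `open("/dev/tty")` fails, which marks a shell spawned by a daemon rather than by a logged-in user. The record layout is inferred from the quoted lines only. The open(2) flag decoding assumes the module logged the raw flags argument with x86 Linux bit values; the numbers on the page (100352, 34818, 194, 577) decode consistently under that assumption, but it remains an assumption. The sample lines, the uid 398 default (the httpd uid in the thread's trace) and all rule names are constructed for this example.

```python
"""Parser and triage rules for klog syscall-trace lines in the thread's format.

Added example; the format is inferred from the quoted lines, nothing here is
the logging module's own code.
"""
import os
import re
from collections import defaultdict

# Constructed sample in the same layout as the quoted Aug 2 trace.
SAMPLE_LOG = """\
Aug 2 13:00:02 web2 kernel: [execve] /bin/sh -c pwd [pid 21688] [ppid 12778 *] [uid 398] [euid 398]
Aug 2 13:00:02 web2 kernel: [open] [pid 21688 sh] /dev/tty [RW 34818 ] No such device or address
Aug 2 13:00:02 web2 kernel: [exit] [code 0] [pid 21688 sh]
Aug 2 13:00:02 web2 kernel: [open] [pid 12778 *] /tmp [RO 100352 ] Ok
Aug 2 13:00:02 web2 kernel: [execve] /bin/sh -c gcc think.c -o think [pid 21689] [ppid 12778 *] [uid 398] [euid 398]
Aug 2 13:00:02 web2 kernel: [open] [pid 21689 sh] /dev/tty [RW 34818 ] No such device or address
Aug 2 13:00:02 web2 kernel: [execve] /usr/bin/gcc think.c -o think [pid 21689] [ppid 12778 *] [uid 398] [euid 398]
Aug 2 13:00:02 web2 kernel: [open] [pid 21689 sh] /tmp/ccX7qElF.i [RW 194 ] Ok
Aug 2 13:00:15 web2 kernel: [execve] /bin/chmod 700 think [pid 21701] [ppid 21060 *] [uid 398] [euid 398]
Aug 2 13:00:25 web2 kernel: [execve] /bin/sh -c /tmp/think [pid 21711] [ppid 12837 *] [uid 398] [euid 398]
Aug 2 13:00:25 web2 kernel: [open] [pid 21711 sh] /dev/tty [RW 34818 ] No such device or address
Aug 2 13:00:25 web2 kernel: [execve] /tmp/think [pid 21711] [ppid 12837 *] [uid 398] [euid 398]
Aug 2 13:00:25 web2 kernel: [exit] [code 0] [pid 21711 sh]
"""

PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
EXECVE_RE = re.compile(PREFIX + r"\[execve\] (?P<cmd>.+?) \[pid (?P<pid>\d+)\] "
                       r"\[ppid (?P<ppid>\d+) (?P<pcomm>[^\]]*)\] \[uid (?P<uid>\d+)\] \[euid (?P<euid>\d+)\]$")
OPEN_RE = re.compile(PREFIX + r"\[open\] \[pid (?P<pid>\d+) (?P<comm>[^\]]*)\] (?P<path>\S+) "
                     r"\[(?P<mode>RO|WO|RW) (?P<flags>\d+) \] (?P<result>.+)$")
EXIT_RE = re.compile(PREFIX + r"\[exit\] \[code (?P<code>-?\d+)\] \[pid (?P<pid>\d+) (?P<comm>[^\]]*)\]$")


def parse_line(line):
    """Return a dict for a recognised record, or None for any other line."""
    for kind, rx in (("execve", EXECVE_RE), ("open", OPEN_RE), ("exit", EXIT_RE)):
        m = rx.match(line.rstrip())
        if m:
            ev = {"type": kind, **m.groupdict()}
            for key in ("pid", "ppid", "uid", "euid", "flags", "code"):
                if key in ev:
                    ev[key] = int(ev[key])
            return ev
    return None


# open(2) flag bits as defined for x86 Linux. Assumption: the trace logs the raw
# flags argument; e.g. 100352 -> O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY, an opendir().
ACCMODE = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}
O_FLAGS = [(0o100, "O_CREAT"), (0o200, "O_EXCL"), (0o400, "O_NOCTTY"),
           (0o1000, "O_TRUNC"), (0o2000, "O_APPEND"), (0o4000, "O_NONBLOCK"),
           (0o100000, "O_LARGEFILE"), (0o200000, "O_DIRECTORY")]


def decode_open_flags(flags):
    names = [ACCMODE.get(flags & 3, "O_ACCMODE?")]
    names += [name for bit, name in O_FLAGS if flags & bit]
    return names


TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
COMPILERS = {"gcc", "cc", "cpp0", "cc1", "as", "ld"}


def triage(log_text, service_uids=frozenset({398})):
    """Apply three rules; returns a sorted list of (pid, rule, command) tuples.

    service_uids: daemon uids that should never spawn shells or compilers
    (398 is the httpd uid in the thread's trace; constructed default).
    """
    events = [ev for ev in map(parse_line, log_text.splitlines()) if ev]
    # A shell whose open("/dev/tty") fails has no controlling terminal: it was
    # spawned by a daemon (here a web server child), not by an interactive login.
    headless = {ev["pid"] for ev in events
                if ev["type"] == "open" and ev["path"] == "/dev/tty" and ev["result"] != "Ok"}
    findings = set()
    for ev in events:
        if ev["type"] != "execve":
            continue
        argv = ev["cmd"].split()
        prog = os.path.basename(argv[0])
        by_daemon = ev["uid"] in service_uids
        if argv[0].startswith(TEMP_DIRS):
            findings.add((ev["pid"], "exec-from-tempdir", ev["cmd"]))
        if prog in COMPILERS and by_daemon:
            findings.add((ev["pid"], "compiler-run-by-service-uid", ev["cmd"]))
        if prog == "sh" and argv[1:2] == ["-c"] and by_daemon and ev["pid"] in headless:
            findings.add((ev["pid"], "headless-shell-as-service-uid", ev["cmd"]))
    return sorted(findings)


def spawning_parents(log_text):
    """Map ppid -> commands it execve'd: one command per distinct parent, all under
    the same uid within seconds, is the shape of a prefork server running one
    remotely supplied command per request."""
    parents = defaultdict(list)
    for ev in map(parse_line, log_text.splitlines()):
        if ev and ev["type"] == "execve":
            parents[ev["ppid"]].append(ev["cmd"])
    return dict(parents)


if __name__ == "__main__":
    for pid, rule, cmd in triage(SAMPLE_LOG):
        print(f"pid {pid}: {rule}: {cmd}")
    for ppid, cmds in spawning_parents(SAMPLE_LOG).items():
        print(f"parent {ppid} ran {len(cmds)} command(s)")
```

Run against the sample, the rules flag the compile in /tmp, the shells spawned without a terminal, and the final exec of /tmp/think, which is exactly the sequence the original post reconstructs by hand; on a real host the same parser can be pointed at the klog file and the uid set adjusted to the local daemon accounts.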
