Date: Fri, 12 Jul 1996 11:28:36 -0700 (PDT)
From: jbhunt <jbhunt@mercury.gaianet.net>
To: root@mercury.gaianet.net
Cc: freebsd-security-notification@freebsd.org, freebsd-security@freebsd.org, first-teams@first.org
Subject: ROOT COMPROMISE
Message-ID: <Pine.BSF.3.91.960712111508.2906A-300000@mercury.gaianet.net>
[-- Attachment #1 --]

Ok, I tracked down the offending account, Vince. The account soulz has 2 setuid root shells in it at this moment. Fortunately for us, this time this offender wasn't as smart as the last one and left us a trail. Included in this email are both of his history files: the .historysoulz file is the one he used to gain root; the historysoulz file is what he did after he got root. It seems that he telneted to io.com and downloaded a file called bsdiex. Then he ran the file and it made a setuid shell called .irc. He seems to have been trying many different things to gain root, such as dip and the other things. After the bsdiex file he compiled a file called real.c. I tracked that down on the system; it is in the usr dir. So there may be something that ties them together.

I have since called Ken Jackson, Systems Manager, at io.com and he is going to help as much as he can. He is currently looking for the bsdiex file on his system. I have suspended the account. However, it looks as though he made 1 account while he was root and I am not sure exactly what it is. So Vince, we may need to take some action on this. Give me your thoughts on what we might do. I would also appreciate some help on this from the freebsd guys. A few weeks ago when I posted saying there was a NEW exploit for freebsd nobody seemed to believe me; however, it seems there truly IS something new out here. Please give me your thoughts and ideas after looking at the files.
John
SysAdmin
Gaianet

[-- Attachment #2 --]
#+0833472284 mail
#+0833472396 cd eggdrop1.0a
#+0833472410 pico mycron
#+0833472579 crontab mycron
#+0833472606 pico botchk
#+0833479977 cd eggdro0a
#+0833480000 cd eggdrop1.0a
#+0833480034 botchk
#+0833480586 dir
#+0833480603 cd eggdrop1.0a
#+0833480610 ps -
#+0833480622 ps -x
#+0833480638 kill -9 -1
#+0833480643 ps
#+0833480690 eggdrop fwa
#+0833483608 cd drop1.0a
#+0833483621 cd egdrop1.0a
#+0833483640 cd eggdrop1.0a
#+0833483690 ps -x
#+0833483705 kill -9 -1
#+0833483908 eggdrop
#+0833483915 ps
#+0833483926 eggdrop fwa
#+0833484847 ps -x
#+0833484953 kill -9 -1
#+0833485000 eggdrop fwa
#+0833490047 mail
#+0833501454 cd eggdrop1.0a
#+0833501459 eggdrop fwa
#+0833504796 mail
#+0833504846 cd eggdrop1.0a
#+0833504856 cd svers
#+0833504876 cd servers
#+0833504883 cd server
#+0833504888 ls
#+0833504932 cd
#+0833504958 cd scipts
#+0833504970 cd scripts
#+0833504997 pico
#+0833505171 cd eggdrop1.0a
#+0833505215 ls
#+0833505228 scripts
#+0833505289 eggdrop f
#+0833505308 eggdrop fwa
#+0833507614 cd eggdrop1.0a
#+0833507625 ps -x
#+0833507638 kill -9
#+0833507652 eggdr fwa
#+0833507667 eggdrop fwa
#+0833507917 ps -x
#+0833507927 kill -0 -1
#+0833507933 pico fwa
#+0833508139 eggdrop fwa
#+0833508317 ps -x
#+0833508336 kil-9 -1
#+0833508353 kill -9 -1
#+0833508364 ls
#+0833508386 eggdrop fwa
#+0833508477 cd ..
#+0833521570 cd eggdrop1.0a
#+0833521575 pico fwa
#+0833522268 eggdrop solid
#+0833522288 ps
#+0833522301 eggdrop -m solid
#+0833522312 pico solid
#+0833522384 eggdrop solid
#+0833522404 eggdrop -m solid
#+0833522412 eggdrop fwa
#+0833522418 ps -x
#+0833522423 kill -9 -1
#+0833522427 pico fwa
#+0833522489 eggdrop fwa
#+0833527428 ls
#+0833527440 rm eggdrop0.9tp2.tar
#+0833527457 rm -r eggdrop0.9tp2
#+0833527470 ls
#+0833527493 irc
#+0833527521 irc
#+0833527579 irc
#+0833527697 ls
#+0833527703 move
#+0833527706 help
#+0833527711 copy
#+0833527715 mv
#+0833527737 mv flood.tcl eggdrop1.0a/scripts
#+0833527740 las
#+0833527742 ls
#+0833527747 cd eggdrop1.0a
#+0833527749 cd scripts
#+0833527752 ls
#+0833527762 cd ..
#+0833527765 pico fwa
#+0833527888 ps -x
#+0833527985 ps
#+0833527993 eggdrop solid
#+0833528006 ps
#+0833528009 ps -x
#+0833528013 kill -9 -1
#+0833528019 eggdrop fwa
#+0833528351 pico fwa
#+0833685541 dir
#+0833685552 spoof.c
#+0833685558 spoof
#+0833685587 textbox.irc
#+0833685599 ./textbox
#+0833685610 ls
#+0833687855 ls
#+0833687936 mkdir playa
#+0833687938 ls
#+0833687960 cp eggdro~1
#+0833687964 cp eggdro~1 playa
#+0833691220 irc
#+0833696303 dir playa
#+0833696519 cd playa
#+0833696522 dir
#+0833696543 tar -vxf eggdro~1
#+0833696818 < _Spice_ > =]
#+0833696828 cd eggdrop1.0a
#+0833697163 configure
#+0833697318 make
#+0833698054 pico lamestbot
#+0833698635 pico lamestbot
#+0833740383 dir
#+0833740404 cd playa
#+0833740406 dir
#+0833740412 cd eggdrop1.0a
#+0833740413 dir
#+0833740428 cd ..
#+0833740433 cd ..
#+0833740436 irc
#+0833740483 irc
#+0833740574 dir
#+0833740582 irc
#+0833859176 irc
#+0833860234 /quit
#+0833860239 mail
#+0833896018 dir
#+0833896032 ircseq28
#+0833896036 ircseq28.c
#+0833896051 rm -r eggdrop1.0a
#+0833896066 dir
#+0833896082 tar -vxf eggdro~1
#+0833896100 cd eggdrop1.0a
#+0833896107 configure
#+0833896137 make
#+0834067572 ls
#+0834067576 dir
#+0834067583 cd playa
#+0834067584 dir
#+0834067594 cd ..
#+0834067598 rm -r playa
#+0834067617 rm rx32.zip
#+0834067619 dir
#+0834068855 cd eggdrop1.0a
#+0834068857 dir
#+0834068863 ls
#+0834079460 ls
#+0834079470 irc
#+0834079927 irc irc.mo.net
#+0834080616 miz
#+0834080626 irc
#+0834080804 irc
#+0834081467 telnet
#+0834081922 telnet
#+0834129829 mail
#+0834129859 cd eggdrop1.0a
#+0834129898 pico botchk
#+0834130058 pico mycron
#+0834130071 ls
#+0834130137 pico elmo
#+0834130620 crontab mycron
#+0834130923 pico mycron
#+0834130934 ls
#+0834130940 .pico botchk
#+0834130946 pico botchk
#+0834130972 eggdrop -m eye
#+0834131356 pico eye
#+0834131410 kill -9 -1
#+0834131416 eggdrop -m eye
#+0834131952 pico eye
#+0834132004 ps -x
#+0834132010 kill -9 -1
#+0834132015 eggdrop -m eye
#+0834132529 pico eye
#+0834132624 eggdrop eye
#+0834332246 ls
#+0834332287 irc
#+0834332410 irc
#+0834332438 telnet
#+0834374537 ls
#+0834374554 ircseq28.c
#+0834374559 spoof.c
#+0834374561 spoof
#+0834374566 tsu11
#+0834374591 cat /etc/passwd
#+0834374814 cat /etc/shadow
#+0834374820 cd ..
#+0834374823 cd ..
#+0834374826 cd ..
#+0834374828 ls
#+0834374835 cd etc
#+0834374836 ls
#+0834374881 ppp
#+0834374903 ls
#+0834374913 shells
#+0834374944 passwd
#+0834374963 cat master.passwd
#+0834374976 cd ..
#+0834374978 cd ..
#+0834374981 ls
#+0834374988 exit
#+0834379088 irc
#+0834379124 irc
#+0834379245 ls
#+0834379255 cc -c unshad.c
#+0834379257 ls
#+0834379265 cc -o unshad.o
#+0834379275 cc -o unshad.o unshad
#+0834379340 cc -c unshad.o
#+0834379367 cc -o unshad.o unshad.c
#+0834379370 ls
#+0834379384 pico unshad
#+0834379404 cc -o unshad.o unshad
#+0834379411 ls
#+0834379419 rm unshad
#+0834379468 link
#+0834379470 l
#+0834379501 cc unshad.o
#+0834379503 ls
#+0834379516 cc -o unshad.c unshad.o
#+0834379518 ls
#+0834379532 cc
#+0834379539 cc -o unshad.o
#+0834379548 cc -o unshad.o unshad
#+0834379555 cc -o unshad.o unhad.o
#+0834379562 cc -o unshad.o unshad,o
#+0834379565 cc -o unshad.o unshad.o
#+0834379567 ls
#+0834379614 unshad.o
#+0834379626 rm unshad.o
#+0834379632 cc -c unshad.c
#+0834379643 rm unshad.c
#+0834379648 irc
#+0834381449 irc
#+0834381539 irc
#+0834381746 cc -o unshad unshad.c
#+0834381762 chmod u+x unshad
#+0834381765 ls
#+0834381771 unshad
#+0834381832 ls
#+0834381857 ls
#+0834381860 dir
#+0834381892 unshad
#+0834382421 cat /ect/passwd
#+0834382449 /ca
#+0834382498 cat /etc/passwd > shadowed
#+0834382515 cat /ect/shadow
#+0834382525 cat /etc/shadow
#+0834382530 cat /etc/shadowed
#+0834382627 /etc/passwd > shadowed
#+0834382646 cat /etc/passwd > shadow
#+0834382689 cat /etc/passwd
#+0834382799 /etc/passwd > shadowed
#+0834382809 /etc/passwd
#+0834382869 cp /etc/passwd ~/
#+0834382875 ls
#+0834382894 cat /etc/passwd > shadowed
#+0834382904 cat /etc/passwd > shadow
#+0834382939 cat /etc/passwd > shadow
#+0834383183 cat shadow
#+0834383225 ls
#+0834383236 cat passwd
#+0834383312 ls
#+0834383324 rm passwd
#+0834383333 rm shadowed
#+0834383337 rm shadow
#+0834383338 ls
#+0834383381 cc -o spoof spoof.c
#+0834383397 ls
#+0834383434 unshad shadow
#+0834383499 ls
#+0834383533 /etc/passwd < shadow
#+0834383544 /etc/passwd > shadow
#+0834383555 /etc/passwd > shadow
#+0834383620 unshad > shadow
#+0834383624 ls
#+0834383634 cat shadow
#+0834383718 ls
#+0834383724 rm shadow
#+0834383734 ls
#+0834383833 cd /etc/
#+0834383836 ls
#+0834383862 pico master.passwd
#+0834383881 cat master.passwd
#+0834383887 unshad
#+0834383899 cd /soulz/
#+0834383906 cd soulz
#+0834383910 cd /home/
#+0834383913 cd soulz
#+0834383915 ls
#+0834383921 mbox
#+0834920251 ls
#+0834920270 rm -r egdro~1
#+0834920286 rm -r eggdro~1
#+0834920294 blackout
#+0834920318 blackout soulz@mercury.gaianet.net
#+0834920325 ls
#+0834920399 cc -o spoosf spoof.c
#+0834920449 cc -o spoof spoof.c
#+0834920461 ls
#+0834920482 mail
#+0834920510 cd egg1.0a
#+0834920529 cd eggrop1.0a
#+0834920538 cd eggdrop1.0a
#+0834920543 pico mycron2
#+0834920556 crontab mycron
#+0834920567 ls
#+0834920599 logout
#+0835673721 ls
#+0835673801 cc -o spoof spoof.c
#+0835673817 ls
#+0835673829 tsu11
#+0835673870 tsu11 FROM: XSouL1tZOn ScottAjIll haha u suck
#+0835673884 ls
#+0835673903 a.out
#+0835673915 rm a.out
#+0835673921 rm anonirc.c
#+0835673928 rm autore
#+0835673933 rm blackout
#+0835673935 rm blackout.c
#+0835673943 rm raw.c
#+0835673955 rm spoof.c
#+0835673963 rm tsu11
#+0835673967 rm unshad
#+0835673971 rm unshad.c
#+0835673973 ls
#+0835673982 rm autore.c
#+0835673986 rm tsu11.c
#+0835673987 ls
#+0835673994 cd eggdrop1.0a
#+0835673995 ls
#+0835674009 eggdrop eye
#+0835674038 cd ..
#+0835674328 ls
#+0835674336 rm -r eggdrop1.0a
#+0835674356 ls
#+0835674361 ps -x
#+0835674367 kill -9 -01
#+0835674370 kill -9 -1
#+0835674373 ps -x
#+0835674429 irc
#+0835674490 pico mycron
#+0835674500 crontab mycron
#+0835674503 mail
#+0835674608 mail
#+0835674628 mail
#+0835674664 mail
#+0835674674 mail
#+0835674680 ls
#+0835674686 rm dead.letter
#+0835674693 rm mycron
#+0835674696 cd mail
#+0835674696 ls
#+0835674702 sent-mail
#+0835674706 cd sent-mail
#+0835674714 pico sent-mail
#+0835674744 cd ..
#+0835674745 ls
#+0835674750 rm -r mail
#+0835674756 mbox
#+0835674758 cd mbox
#+0835674763 pico mbox
#+0835674779 rm -r mbox
#+0835674781 ls
#+0835674791 passwd
#+0835674819 ls
#+0835674827 irc
#+0835674855 irc
#+0835674905 irc
#+0835674938 irc
#+0835674982 irc
#+0835675022 irc
#+0835675035 irc
#+0835675275 irc
#+0835675389 irc
#+0835867953 ls
#+0835867976 logout
#+0836632103 ps -x
#+0836632106 ls
#+0836632396 mv .foomox foomox
#+0836632402 chmod 700 foomox
#+0836632404 foomox
#+0836632414 rm -r foomox
#+0836632447 cc -o dip .dip.c
#+0836632451 cc -o dip dip.c
#+0836632456 dip
#+0836632459 ls
#+0836632466 rm -r temp.dip
#+0836632531 chmod 700 dip
#+0836632533 dip
#+0836632536 ls
#+0836632546 rm foomox.core
#+0836632567 chmod temp.dip 6777
#+0836632579 chmod 6777 temp.dip
#+0836632583 temp.dip
#+0836632603 chmod 700 temp.dip
#+0836632607 ./temp.dip
#+0836632614 rm -r temp.dip
#+0836632615 ls
#+0836632622 rm -r dip
#+0836632625 rm -r dip.c
#+0836632631 quota -v
#+0836632640 cd ..
#+0836632641 ls
#+0836632667 cd fwa
#+0836632671 cd fwa96
#+0836632675 ls
#+0836632679 cd ..
#+0836632682 cd ..
#+0836632684 ls
#+0836632689 cd ..
#+0836632689 ls
#+0836632693 cd etc
#+0836632695 ls
#+0836632733 pico master.passwd
#+0836632745 cat master.passwd
#+0836632764 chmod 700 master.passwd
#+0836632786 chmod 700 .foomox
#+0836632790 cd
#+0836632797 chmod 700 .foomox
#+0836632817 chmod 6777 .foomox
#+0836632823 .foomox
#+0836632833 rm -r .foomix
#+0836632836 rm -r .foomox
#+0837133350 uname -a
#+0837133360 users
#+0837133376 ls
#+0837133381 ls -a
#+0837133391 splitvt
#+0837133402 pico /etc/motd
#+0837133467 telnet io.com
#+0837133705 ls
#+0837133712 chmod 6777 bsdiex
#+0837133718 bsdiex
#+0837133874 ls
#+0837133879 irc
#+0837133996 ls
#+0837134002 whereis bash
#+0837134023 irc
#+0837134060 ls
#+0837134065 mv irc .irc
#+0837134082 pico real.c
#+0837134113 whereis bash
#+0837134122 rm -r real
#+0837134129 cc -o real real.c
#+0837134134 real
#+0837134140 ./irc
#+0837134145 irc
#+0837134156 ls
#+0837134164 .irc
#+0837134174 mv .irc irc
#+0837134177 irc
#+0837134213 mv real ftp
#+0837134218 irc
#+0837134988 rm -r bsdiex
#+0837134996 mv master.passwd gaianet
#+0837135009 rm -r real.c
#+0837135056 ic
#+0837135059 irc
#+0837135180 ls -a
#+0837146415 users
#+0837146425 ls
#+0837146436 rm -r gaianet
#+0837146443 irc
#+0837192929 ls
#+0837192934 ls -la
#+0837192940 pico history
#+0837192944 pico .history
#+0837193148 ls
#+0837193154 irc
#+0837193174 exit

[-- Attachment #3 --]
whereis bash real exit exit ps -x whoami exit cd /usr/sbin ./adduser irc irc cd /usr/home ls cd erb ls flash flash 3l33t@vie-va7-05.ix.netcom.com users cd .. cd fwa cd fwa96 ls cd .. ls cd twinz ls ls -a cd ... ls cd eggdrop1.0 ls pico LamestBot.user ls pico tcl.hide tcl.hind cd .. ls cd ls cd / ls cd etc ls pico master.passwd cp master.passwd /usr/home/soulz mv master.passwd gaianet exit
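As an added example that is not part of the original message or its attachments, the following Python rebuilds a UTC timeline from the tcsh-style "#+<epoch>" history format of Attachment #2 and flags the entries a responder would triage first (octal modes that set the setuid/setgid bits, access to the password database, renaming a file to a dotfile, and the adduser seen in Attachment #3). The sample entries are copied from the attachment; the triage patterns are assumptions of mine, not anything the report states.

```python
import re
from datetime import datetime, timezone
# Constructed sample: a few entries copied from the attached .history, in
# both the rendered one-line form and tcsh's two-line on-disk form.
SAMPLE_HISTORY = """#+0836632579 chmod 6777 temp.dip
#+0836632607 ./temp.dip
#+0837133467 telnet io.com
#+0837133712
chmod 6777 bsdiex
#+0837133718 bsdiex
#+0837134065 mv irc .irc
#+0837134996 mv master.passwd gaianet
"""

# Triage patterns (assumed, not from the message): setuid/setgid bits set via
# an octal mode, password-database access, hiding as a dotfile, account creation.
SUSPICIOUS = [
    ("setuid-mode", re.compile(r"\bchmod\s+[2467][0-7]{3}\b")),
    ("passwd-db", re.compile(r"master\.passwd|/etc/(passwd|shadow)\b")),
    ("hide-as-dotfile", re.compile(r"\bmv\s+\S+\s+\.[^./\s]")),
    ("adduser", re.compile(r"\badduser\b")),
]

def parse_history(text):
    """Return [(epoch or None, command)]; a bare '#+epoch' line stamps the next line."""
    entries, pending = [], None
    for line in text.splitlines():
        m = re.match(r"#\+(\d+)\s*(.*)$", line)
        if m and m.group(2):
            entries.append((int(m.group(1)), m.group(2).rstrip()))
        elif m:
            pending = int(m.group(1))
        elif line.strip():
            entries.append((pending, line.rstrip()))
            pending = None
    return entries

def triage(command):
    """Names of the patterns a command matches (empty list if none)."""
    return [name for name, rx in SUSPICIOUS if rx.search(command)]

def timeline(text):
    """[(UTC 'YYYY-MM-DD HH:MM:SS' or '?', command, flags)] in file order."""
    rows = []
    for epoch, cmd in parse_history(text):
        when = "?" if epoch is None else datetime.fromtimestamp(
            epoch, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        rows.append((when, cmd, triage(cmd)))
    return rows
```

Run `timeline(open(".history").read())` over the real file to get the same dated, flagged rows for the whole session.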
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.91.960712111508.2906A-300000>
