Network Security Incidents

Strange command histories in hacked shell server

Subject: Strange command histories in hacked shell server
Date: Fri, 17 Dec 2004 09:19:26 +0800
Hi,

Sorry for cross posting.

I have a FreeBSD 5.3-stable server which serves as a public shell server.

FreeBSD public.ub.mng.net 5.3-STABLE FreeBSD 5.3-STABLE #6: Wed Nov 24 15:55:36 ULAT 2004 tsgan@public.ub.mng.net:/usr/obj/usr/src/sys/PSH i386

It has ssh and proftpd-1.2.10 daemons.

However it was hacked, and I'm trying to analyze it and having some difficulties.

The machine is configured in such a way that everyone can create an account themselves.
Some user dir permissions:
...
drwxr-xr-x  2 root       wheel         512 Mar 29  2004 new
drwx------  3 tamiraad   unix          512 Apr  9  2004 tamiraad
drwxr-xr-x  6 tsgan      tsgan        1024 Dec 16 17:51 tsgan
drwx------  4 tugstugi   unix          512 Dec 13 20:34 tugstugi
drwxr-xr-x  5 unix       unix          512 Dec 13 12:37 unix
...
Users should log on as new with password new to create an account.

Accounting is enabled and kern.securelevel is set to 2.
Only one account, 'tsgan', is in the wheel group, and only tsgan can become root using su.


Following is some strange output from grave-robber (The Coroner's Toolkit):
...
Dec 13 04 20:18:40 5 m.c -rw-rw---- tugstugi smmsp /var/spool/clientmqueue/dfiBDCIeD0001529
Dec 13 04 20:34:58 512 m.. drwx------ tugstugi unix /home/tugstugi
Dec 13 04 20:35:57 512 ..c drwx------ tugstugi unix /home/tugstugi
Dec 14 04 00:19:56 0 m.c -rw-rw-rw- tugstugi unix /home/tugstugi/.myrc


Dec 14 04 00:20:50 9665 m.. -rw-r--r-- tugstugi unix /home/tsgan/.tmp/known_hosts
9665 m.c -rw-r--r-- tugstugi unix /home/tugstugi/.ssh/known_hosts


Dec 15 04 19:12:21 1002 m.c -rw------- tugstugi unix /home/tugstugi/.shrc
...
Somehow he seems to have copied /home/tugstugi/.ssh/known_hosts to /home/tsgan/.tmp/known_hosts.
I don't know why.



Following is lastcomm output:
...
sshd             -F      tugstugi         __         0.16 secs Tue Dec 14 23:01
sh               -       tugstugi         #C:5:0x1   0.03 secs Tue Dec 14 23:02
su               -       tugstugi         #C:5:0x1   0.02 secs Tue Dec 14 23:38
...
sshd             -F      tugstugi         __         0.08 secs Tue Dec 14 22:41
sh               -       tugstugi         #C:5:0x1   0.02 secs Tue Dec 14 22:41
who              -       tugstugi         #C:5:0x1   0.00 secs Tue Dec 14 22:52
su               -       tugstugi         #C:5:0x1   0.02 secs Tue Dec 14 22:48
sh               -       tsgan            #C:5:0x1   0.00 secs Tue Dec 14 22:48
ls               -       tsgan            #C:5:0x1   0.00 secs Tue Dec 14 22:52
su               -       tsgan            #C:5:0x1   0.02 secs Tue Dec 14 22:49
csh              -       root             #C:5:0x1   0.03 secs Tue Dec 14 22:49
...

In the above I think he had already hijacked my account and the root password, so he used su to
become root.


sshd             -F      tsgan            __         0.02 secs Tue Dec 14 00:27
sh               -       tsgan            ttyp0      0.02 secs Tue Dec 14 00:27
cat              -       tsgan            ttyp0      0.00 secs Tue Dec 14 00:28
su               -       tsgan            ttyp0      0.00 secs Tue Dec 14 00:28
sleep            -       tsgan            ttyp0      0.00 secs Tue Dec 14 00:27
^^^^^^
stty             -       tsgan            ttyp0      0.00 secs Tue Dec 14 00:27
stty             -       tsgan            ttyp0      0.00 secs Tue Dec 14 00:27
^^^^^^
fortune          -       tsgan            ttyp0      0.00 secs Tue Dec 14 00:27
...

I don't quite understand why he used the sleep and stty commands in the above.
My suspicion is tty hijacking. Am I right? Correct me if I'm wrong.

sleep            -       tugstugi         #C:5:0x2   0.00 secs Tue Dec 14 00:24
stty             -       tugstugi         #C:5:0x2   0.00 secs Tue Dec 14 00:24
stty             -       tugstugi         #C:5:0x2   0.00 secs Tue Dec 14 00:24
...
id               -       tugstugi         #C:5:0x2   0.00 secs Tue Dec 14 00:24
sleep            -       tugstugi         #C:5:0x2   0.00 secs Tue Dec 14 00:24
stty             -       tugstugi         #C:5:0x2   0.00 secs Tue Dec 14 00:24
stty             -       tugstugi         #C:5:0x2   0.00 secs Tue Dec 14 00:24
id               -       tugstugi         #C:5:0x2   0.00 secs Tue Dec 14 00:24
cat              -       tsgan            #C:5:0x2   0.00 secs Tue Dec 14 00:24
ls               -       tsgan            #C:5:0x2   0.00 secs Tue Dec 14 00:24
su               -       tsgan            #C:5:0x2   0.02 secs Tue Dec 14 00:23
sh               -       tugstugi         #C:5:0x2   0.00 secs Tue Dec 14 00:23
ls               -       tugstugi         #C:5:0x2   0.00 secs Tue Dec 14 00:23
id               -       tugstugi         #C:5:0x2   0.00 secs Tue Dec 14 00:23
ls               -       tugstugi         #C:5:0x2   0.00 secs Tue Dec 14 00:23
sleep            -       tugstugi         #C:5:0x2   0.00 secs Tue Dec 14 00:23
stty             -       tugstugi         #C:5:0x2   0.00 secs Tue Dec 14 00:23
stty             -       tugstugi         #C:5:0x2   0.00 secs Tue Dec 14 00:23
ls               -       tugstugi         #C:5:0x2   0.00 secs Tue Dec 14 00:23
id               -       tugstugi         #C:5:0x2   0.00 secs Tue Dec 14 00:23
ls               -       tugstugi         #C:5:0x2   0.00 secs Tue Dec 14 00:23
cat              -       tsgan            #C:5:0x2   0.00 secs Tue Dec 14 00:23
su               -       tsgan            #C:5:0x2   0.02 secs Tue Dec 14 00:23
cat              -       tsgan            #C:5:0x2   0.00 secs Tue Dec 14 00:22
sleep            -       tsgan            #C:5:0x2   0.00 secs Tue Dec 14 00:22
stty             -       tsgan            #C:5:0x2   0.00 secs Tue Dec 14 00:22
stty             -       tsgan            #C:5:0x2   0.00 secs Tue Dec 14 00:22
fortune          -       tsgan            #C:5:0x2   0.00 secs Tue Dec 14 00:22
...
One more strange thing is "#C:5:0x2". What is this?

Again I'm suspecting that this guy hijacked my tty, got tsgan, and then could log my keystrokes and
get the root password. Am I right?


Please give me some advice and info regarding this kind of hack.
What should I do in order to secure my shell server? I mean, apart from securelevel, unneeded services, etc.
Can somebody give me some hints on file and directory permissions?
Is there anybody who has a similar server config and has already had such issues and problems?
I would appreciate it very much if somebody would help me in this regard.


thanks in advance,

Ganbold
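As an added example (not the poster's code and not part of the thread), here is a small Python checker that parses lastcomm(1) output in the layout shown above and surfaces the two things the post is puzzling over: a tty on which commands from more than one account were recorded, and su invocations on a tty where root-owned processes were also accounted. The sample lines are constructed to match the post's format (newest record first, as lastcomm prints them). The `#C:5:0x2`-style tty field is, to my understanding, what lastcomm prints via devname(3) for a character device it cannot map to a /dev name; the parser treats it as an opaque tty identifier.

```python
"""Parse BSD lastcomm(1) output and flag tty-sharing and su patterns.

Added example for the thread above; not the poster's code. SAMPLE is
constructed to match the column layout shown in the post.
"""
import re
from collections import defaultdict

# One lastcomm line: command, flags, user, tty, CPU seconds, start time.
# The tty column may be a name (ttyp0), "__" for no controlling tty, or a
# "#C:maj:min" string when the device cannot be mapped to a /dev name.
LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<flags>\S+)\s+(?P<user>\S+)\s+(?P<tty>\S+)\s+"
    r"(?P<secs>\d+\.\d+) secs\s+(?P<when>\w{3} \w{3} +\d+ \d\d:\d\d)\s*$"
)

# Constructed sample in the post's format (newest record first).
SAMPLE = """\
su               -       tsgan            #C:5:0x1   0.02 secs Tue Dec 14 22:49
csh              -       root             #C:5:0x1   0.03 secs Tue Dec 14 22:49
ls               -       tsgan            #C:5:0x1   0.00 secs Tue Dec 14 22:52
su               -       tugstugi         #C:5:0x1   0.02 secs Tue Dec 14 22:48
sh               -       tugstugi         #C:5:0x1   0.02 secs Tue Dec 14 22:41
sshd             -F      tugstugi         __         0.08 secs Tue Dec 14 22:41
cat              -       tsgan            ttyp0      0.00 secs Tue Dec 14 00:28
sh               -       tsgan            ttyp0      0.02 secs Tue Dec 14 00:27
sshd             -F      tsgan            __         0.02 secs Tue Dec 14 00:27
"""


def parse_lastcomm(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["secs"] = float(rec["secs"])
            records.append(rec)
    return records


def ttys_with_multiple_users(records, ignore=("root",)):
    """Map tty -> set of accounts seen on it, keeping only ttys used by more
    than one account. root is ignored because a legitimate su produces root
    processes on the caller's tty; two ordinary accounts on one pty is the
    pattern that deserves a closer look."""
    users = defaultdict(set)
    for r in records:
        if r["tty"] != "__" and r["user"] not in ignore:
            users[r["tty"]].add(r["user"])
    return {tty: u for tty, u in users.items() if len(u) > 1}


def su_sessions(records):
    """For every tty on which a non-root account ran su, report which accounts
    did so and whether any root-owned process was accounted on that tty."""
    by_tty = defaultdict(list)
    for r in records:
        if r["tty"] != "__":
            by_tty[r["tty"]].append(r)
    findings = {}
    for tty, recs in by_tty.items():
        su_by = sorted({r["user"] for r in recs
                        if r["cmd"] == "su" and r["user"] != "root"})
        if su_by:
            findings[tty] = {
                "su_by": su_by,
                "root_seen": any(r["user"] == "root" for r in recs),
            }
    return findings


def audit(text):
    """Run both checks and return human-readable findings."""
    recs = parse_lastcomm(text)
    lines = []
    for tty, users in sorted(ttys_with_multiple_users(recs).items()):
        lines.append(f"tty {tty}: commands from several accounts: "
                     f"{', '.join(sorted(users))}")
    for tty, f in sorted(su_sessions(recs).items()):
        lines.append(f"tty {tty}: su run by {', '.join(f['su_by'])}; "
                     f"root processes seen: {f['root_seen']}")
    return lines


if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

Run it on the real file with `lastcomm | python3 check_lastcomm.py`-style piping after replacing SAMPLE with `sys.stdin.read()`; the hypothetical script name is just a placeholder. The accounting file itself is the thing to preserve: copy it off the box before anything else rotates it.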
