MyDoom Details
Lurhq published an excellent writeup with many details about Zindos, the worm that takes advantage of MyDoom-infected systems: http://www.lurhq.com/zindos.html

If you find a MyDoom-infected host, we are very interested in any copies of the log left behind by MyDoom, or in any early MyDoom samples. See the writeup above for details about the logs.

More ssh password brute forcing

A reader discovered a system that was likely compromised as part of the recent wave of ssh scans. The system's root account had no password configured and was easy pickings. Another ssh compromise is discussed on our DShield mailing list: http://lists.sans.org/pipermail/list/2004-July/061219.html . Both compromises use tools from the same repository, indicating that the same group/individual is behind these scans and attacks.

Once connected to the system, the attacker downloaded a rootkit to gain a foothold. The bash history revealed the commands issued by the attacker. Given several typos, and some of the command options used, the attacker appears to be not very skilled.

First, the attacker collected some basic system information from /etc/issue and /proc/cpuinfo (note: not uname -a). Next, two tarballs were downloaded using wget. The web sites these files originate from appear to be compromised. Only one of the tarballs appears to have been used ('tc5.tgz'). The intruder unpacked the file and started an installer shell script. This script identifies the rootkit as 'b0skit'. The header:
Some of the highlights from the install script (more later, or in a different format, if there is interest):

1 - kills syslogd
2 - detects the t0rn rootkit
3 - aborts the install if remote syslogging is detected (based on /etc/syslogd.conf; can be overridden)
4 - looks for hidden processes by comparing the PIDs listed in /proc with the output of 'ps'
5 - checks for tripwire, tcplogd, stmichael, snort and LIDS, and aborts if any of them is found
6 - replaces md5sum, libproc and ldb with trojaned versions
7 - creates two new directories, /usr/info/.tc2k and /usr/bin/util, and uses touch to give them the same timestamps /bin/mv shows (probably to make them 'blend in' with other files; note that touch can only set atime and mtime, while ctime is set by the kernel to the moment of the change, so a ctime that does not line up with the mtime still gives such files away)
8 - removes /etc/term.db (after first clearing file attributes like immutable and append-only)
9 - creates /dev/ida/.. /.org (again matching its timestamps to /bin/mv)
10 - removes /.bash_history, which assumes that root's home directory is /. This is not the case on any current Linux distribution. The script also removes /bin/.bash_history; no idea what OS would drop a bash_history into /bin.
11 - sets up an ssh backdoor. The password is given as the first command line parameter and the port it listens on as the second; in this case port 7070 was specified. MD5-hashed passwords are stored in /etc/term.db.

Next, a few more binaries are replaced and, following the prior pattern, their file times are adjusted to match /bin/mv. The new binaries are protected by setting the immutable, append-only and 'overwrite' attributes (sounds like overkill, but the tool in general likes to use as many command line options as possible ;-) ). The backdoor binary is installed as /usr/sbin/ldb, and a shell script (/etc/sbin/initcheck) is added to /etc/inittab to restart the binary on reboot or when it is killed. Other replaced binaries: /lib/lidps1.so /bin/ps /usr/bin/dir /bin/ls /usr/sbin/lsof /usr/bin/find /usr/bin/top /usr/bin/pstree /sbin/ifconfig /usr/bin/slocate /usr/bin/md5sum ...
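The hidden-process comparison in item 4, the chattr protection on the replaced binaries and the inittab hook in item 11 are the same tricks a defender can turn around on a suspect host. The script below is an added example written for this page; it is not code from the diary and not part of the b0skit installer. The binary list in the live check is taken from the paths the diary names, the inittab sample in the comments is constructed, and every live check skips itself when its tool (ps, lsattr, /etc/inittab) is missing on the host.

```shell
#!/bin/sh
# Added example for this page; it is neither the ISC diary's code nor the
# b0skit installer's. Three manual triage checks for a suspect Linux host,
# one per trick the installer uses: a trojaned ps, chattr +i/+a on replaced
# binaries, and an inittab entry that respawns the backdoor. Each check is a
# pure function over text so it can be exercised on constructed input; at the
# end run_live_checks() feeds the same functions real data from this host.

# hidden_pids "PROC_PIDS" "PS_PIDS": print every PID in the first
# whitespace-separated list that is missing from the second. Fed the numeric
# entries of /proc and the output of ps, the result is the set of processes
# that ps no longer admits to.
hidden_pids() {
    for p in $1; do
        found=0
        for q in $2; do
            if [ "$p" = "$q" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then printf '%s\n' "$p"; fi
    done
    return 0
}

# locked_files "LSATTR_OUTPUT": print the path from each lsattr line whose
# flag field contains i (immutable) or a (append-only). Distribution packages
# do not ship /bin/ps or /bin/ls with either flag set.
locked_files() {
    printf '%s\n' "$1" | while read -r flags path; do
        case "$flags" in
            *i*|*a*) printf '%s\n' "$path" ;;
        esac
    done
    return 0
}

# odd_inittab "INITTAB": print entries (id:levels:action:process) that init
# starts on its own (respawn, once, boot, bootwait, sysinit) and that are
# neither a getty nor an /etc/init.d script. Everything printed deserves a
# look; a constructed sample line the installer would leave behind is
#   ld:2345:respawn:/etc/sbin/initcheck
odd_inittab() {
    printf '%s\n' "$1" | while IFS=: read -r id levels action process; do
        case "$id" in ''|'#'*) continue ;; esac
        case "$action" in respawn|once|boot|bootwait|sysinit) ;; *) continue ;; esac
        case "$process" in
            ''|*getty*|/etc/init.d/*) ;;
            *) printf '%s:%s:%s:%s\n' "$id" "$levels" "$action" "$process" ;;
        esac
    done
    return 0
}

# run_live_checks: the same functions on the current host. /proc is sampled
# before and after ps so that processes which start or exit in between are
# not reported as hidden; only a PID present in both samples and absent from
# ps counts. A missing tool (no ps in a minimal container, no /etc/inittab on
# a systemd host) turns that check into a no-op.
run_live_checks() {
    if [ -d /proc ] && command -v ps >/dev/null 2>&1; then
        proc_before=$(ls /proc | grep -E '^[0-9]+$' || true)
        ps_pids=$(ps -e -o pid= 2>/dev/null | tr -d ' ')
        proc_after=$(ls /proc | grep -E '^[0-9]+$' || true)
        if [ -n "$ps_pids" ]; then
            candidates=$(hidden_pids "$proc_before" "$ps_pids")
            exited=$(hidden_pids "$candidates" "$proc_after")
            hidden=$(hidden_pids "$candidates" "$exited")
            echo "hidden from ps: ${hidden:-none}"
        fi
    fi
    if command -v lsattr >/dev/null 2>&1; then
        # the binaries the diary lists as replaced; adjust for the host
        attrs=$(lsattr -d /bin/ps /bin/ls /usr/bin/find /usr/bin/top \
                  /sbin/ifconfig /usr/bin/md5sum /usr/sbin/lsof 2>/dev/null || true)
        echo "immutable/append-only: $(locked_files "$attrs" | tr '\n' ' ')"
    fi
    if [ -r /etc/inittab ]; then
        echo "inittab entries to review:"
        odd_inittab "$(cat /etc/inittab)"
    fi
}

run_live_checks
```

Run it as root on the suspect box from a known-good shell, ideally with statically linked ps and lsattr binaries from read-only media, since the installer replaces /bin/ps and /usr/bin/md5sum. An empty "hidden from ps" result from a trojaned ps proves nothing on its own; the point of the comparison is that /proc is answered by the kernel, not by the replaced userland tool.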
The script is careful to maintain the file permissions and times of everything it replaces. Lastly, it removes a number of 'competing' rootkits and the files it originally downloaded. (Sorry this is a bit shorter than it should be. Decrypt the message embedded in the spelling errors and typos to win an ISC bumper sticker.)

-------------- Johannes Ullrich, jullrich/at/sans.org
Johannes, ISC Handler, Jul 29th 2004