Tuesday, June 14, 2016

Security breaches


Title: twin hantu's login trojan horse
Machine: burro.monkeybrains.net
OS: Linux 2.1?
URLs:
  1. http://www.sans.org/y2k/050900-1500.htm
  2. http://staff.washington.edu/dittrich/misc/trinoo.analysis

Summary (notes taken during compromise analysis):
  • The machine is compromised (portmap?? -- still unsure how the initial breach was made).
  • A 'twin' user is created with UID=0 and HOME=/.
  • A 'hantu' user is created and then erased
  • The 'twin' line is edited out of the /etc/passwd file with pico.
  • The /etc/shadow retains the 'twin' user.
  • The target machine's 'login' is replaced with a trojan horse.
  • This trojan horse allows root access for incoming telnets with a specific term setting. This vt number can be found by doing a 'strings login | grep vt'.
  • A UDP-controlled server named 'ns' is installed (a 'ps -aux' reveals a ./ns). This client sends a *HELLO* packet when started up to a client (its IP is available from a 'strings ns'). The ns on burro was installed in /daemon/ns. This is how I was alerted to burro's infection: burro was ping flooding other machines on the internet with this 'ns' client. (Please see URL #2 above.)
  • The attacker leaves behind a .bash_history file which reveals several more tid-bits.
    1) The ftp host which houses the 'bj.c' which is compiled to make the trojan login.
    2) Other machines the user leap frogs to from your machine. All you have to do is set term=vt???? where ???? indicates a number from 1000-9999 and you too can access other compromised machines.
    3) Most commands are issued through a client side script. 'twin' doesn't really know Unix.
    4) Of course, this .bash_history file could be a plant, but I'm leaning toward a not-too-bright user scenario.
  • More information is found in other system log files (e.g. originating IPs for telnets).
Time to reformat that machine with FreeBSD!!!
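The notes above boil down to three artifacts a defender can check for on a suspect host: an account that survives in /etc/shadow after being edited out of /etc/passwd, an extra UID-0 account, and a 'vtNNNN' term string inside the login binary. The script below is an added example (not code from the original page or from monkeybrains.net) that performs those three checks. It takes file paths as arguments so it can be run against copies pulled off the machine, and the passwd, shadow and "login" inputs it runs on are constructed sample data modelled on the write-up; the vt number and the password hashes in the samples are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original page. Three small checks for the
# artifacts the write-up describes, written so they take file paths as
# arguments and can be run against copies pulled from a suspect host.

# 1) Usernames present in the shadow file but missing from the passwd file.
#    The write-up's 'twin' account was edited out of /etc/passwd with pico
#    while /etc/shadow still carried it; that discrepancy is the tell.
shadow_orphans() {
    # $1 = passwd file, $2 = shadow file
    awk -F: 'NR == FNR { seen[$1]; next } !($1 in seen) { print $1 }' "$1" "$2"
}

# 2) Any account other than root whose UID is 0 (the 'twin' user was created
#    with UID=0 and HOME=/).
extra_uid0() {
    # $1 = passwd file
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# 3) Printable strings of the form vtNNNN inside a binary, mirroring the page's
#    'strings login | grep vt'. tr is used instead of strings so the check does
#    not depend on binutils being present on the box.
backdoor_term_strings() {
    # $1 = path to the login binary (or a copy of it)
    tr -c '[:print:]' '\n' < "$1" | grep -E '^vt[0-9]{4}$'
}

# --- Constructed sample data modelled on the write-up (not real system files) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# passwd after the attacker edited the 'twin' line out with pico.
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
bob:x:1000:1000:Bob:/home/bob:/bin/bash
EOF

# passwd as it looked before that edit, with the UID-0 'twin' account present.
cat > "$SAMPLE_DIR/passwd_with_twin" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
bob:x:1000:1000:Bob:/home/bob:/bin/bash
twin:x:0:0::/:/bin/bash
EOF

# shadow still carries 'twin' (hashes are placeholders).
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:PLACEHOLDER_HASH:10957:0:99999:7:::
daemon:*:10957:0:99999:7:::
bob:PLACEHOLDER_HASH:10957:0:99999:7:::
twin:PLACEHOLDER_HASH:10957:0:99999:7:::
EOF

# A stand-in for a trojaned login binary: a few NUL-separated strings, one of
# them a vtNNNN term value (the number is made up for the sample).
printf 'TERM\000vt4321\000/bin/sh\000' > "$SAMPLE_DIR/login"

echo "shadow entries with no passwd entry:"
shadow_orphans "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow"
echo "non-root UID 0 accounts (pre-edit passwd):"
extra_uid0 "$SAMPLE_DIR/passwd_with_twin"
echo "vtNNNN strings in login:"
backdoor_term_strings "$SAMPLE_DIR/login"
```

On a real host, point the functions at /etc/passwd, /etc/shadow and /bin/login (or, better, at copies taken from the disk image). The shadow/passwd comparison is the cheapest of the three and catches exactly the clean-up mistake the attacker made here; on an rpm-based system the binary check is best paired with 'rpm -V' of the package that owns login, since a replaced binary will fail the size and digest verification.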

Another break-in this week... at a place where I contracted for a few hours. They too were running Linux. I patched up all the messed up binaries with new rpms... More info

Here are the people (and bots) who have looked at this page:

  gunzip -c /www/logs/archive/access-www.monkeybrains.net.gz | grep ' /security' | awk '{print $1}' | sort -u | nslookup | grep Name:

  *** lala.monkeybrains.net can't find 208.37.12.165: Non-existent host/domain
  *** lala.monkeybrains.net can't find 208.48.124.4: Server failed
  *** lala.monkeybrains.net can't find 212.150.51.90: Non-existent host/domain
  *** lala.monkeybrains.net can't find 216.34.109.191: Non-existent host/domain
  *** lala.monkeybrains.net can't find 216.34.109.192: Non-existent host/domain
  Name: ras-c5800-1-49-73.dialup.wisc.edu
  Name: kremlin.cs.uidaho.edu
  Name: mail.skynet.gr
  Name: ss06.ny.us.ibm.com
  Name: ss11.ny.us.ibm.com
  Name: AKCF1.xtra.co.nz
  Name: aspseek.swusa.com
  Name: 208.184.110.33.svwh.net
  Name: marvin.northernlight.com
  Name: lb1.antarcti.ca
  Name: j6000.inktomi.com
  Name: cr032r01.bos2.fastsearch.net
  Name: router-sj.atomz.com
  Name: gw03.webtop.com
  Name: gw04.webtop.com
  Name: www.britton-gw-uk.proteusweb.com
  Name: adsl-216-103-213-34.dsl.snfc21.pacbell.net
  Name: dhcp-197.sf.bmarts.com
  Name: www.ip3000.com
  Name: www.ip3000.com
  Name: d83b38fc.dsl.flashcom.net
  Name: adsl-63-203-32-98.dsl.snfc21.pacbell.net
  Name: adsl-63-203-75-141.dsl.snfc21.pacbell.net
  Name: crawler3.googlebot.com
  Name: crawler1.googlebot.com
  Name: crawler2.googlebot.com
  Name: router-sc.atomz.com
This page was created to keep track of security breaches on the MonkeyBrains network.
(I hope rk is friendly hehehe) 

https://www.monkeybrains.net/security/ 


Man in the Rain