Findings from day 1

From Gridkaschool
  • /etc.bak.tgz <- backup contains a readable /etc/shadow
  • .bash_history of user sycorax shows John the Ripper (JtR) activity on the shadow file -> possible password compromise
  • temp directory under /var/tmp/ab7a…: JtR downloaded and executed there, shadow cracked, uid changed -> admin
  • admin ran "sudo su -" and started a rootkit
  • sycorax changed the shell prompt, reason unknown
  • sycorax compromised
  • CVE-2010-3856, LD_AUDIT (from .bash_history)
  • lots of information in sycorax's .bash_history. Apache was killed.
  • Attacker came from 141.52.174.51
  • glibc too old (still vulnerable).
  • Attacker might have used python-expect (pexpect); the prompt had to be changed for it to function, since the automation matches on a fixed prompt
  • netstat -> bind shell executable (argv[0] mangled). lsof -> pid -> full path of the executable. strings on the binary -> password
  • download of an RDS exploit -> root compromise.
  • /bin/ping (suid binary) compromised. Used for a race-condition exploit.
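The first finding (a backup archive exposing /etc/shadow) is easy to check for mechanically. The following is an added example, not code from the course or the original write-up: it scans a .tgz for members such as etc/shadow and reports whether other users can read them. The list of sensitive paths and the sample archive are constructed for the example; the point it makes is that a member's stored mode only matters after extraction, so a shadow file kept 0600 inside a 0644 archive is still readable by everyone who can read the archive.

```python
"""Check a backup archive for files that must never be readable by other users,
e.g. the /etc/shadow inside /etc.bak.tgz from the notes.
Added example, not part of the original write-up. The sample archive is
constructed in memory; no real /etc.bak.tgz is read unless scan_file() is used."""
import io
import os
import stat
import tarfile

# Files whose contents must stay root-only (assumed list for this example).
SENSITIVE = {"etc/shadow", "etc/gshadow", "etc/sudoers", "etc/ssh/ssh_host_rsa_key"}
OTHERS_READ = stat.S_IRGRP | stat.S_IROTH


def normalize(name):
    """Map './etc/shadow', '/etc/shadow' and 'etc/shadow' to one key."""
    while name.startswith("./") or name.startswith("/"):
        name = name[2:] if name.startswith("./") else name[1:]
    return name


def scan_backup(blob, archive_mode):
    """Return findings for sensitive regular files in a .tgz given as bytes.

    archive_mode is the st_mode of the archive file itself. Member modes only
    take effect after extraction: if the archive is readable by others, every
    member is effectively readable by others, whatever mode the tar stores."""
    findings = []
    archive_exposed = bool(archive_mode & OTHERS_READ)
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in tar.getmembers():
            key = normalize(member.name)
            if key not in SENSITIVE or not member.isfile():
                continue
            member_exposed = bool(member.mode & OTHERS_READ)
            if archive_exposed:
                reason = "archive itself is group/world-readable"
            elif member_exposed:
                reason = "member mode is group/world-readable"
            else:
                reason = "ok"
            findings.append({
                "member": key,
                "member_mode": oct(member.mode & 0o777),
                "readable_by_others": archive_exposed or member_exposed,
                "reason": reason,
            })
    return findings


def build_sample_backup():
    """Constructed /etc backup: shadow is kept 0600 inside the tar, which does
    not help once the archive is written out with mode 0644."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, mode, data in [
            ("etc/passwd", 0o644, b"root:x:0:0:root:/root:/bin/bash\n"),
            ("etc/shadow", 0o600, b"root:$6$constructed$hash:15000:0:99999:7:::\n"),
            ("etc/hostname", 0o644, b"sample-host\n"),
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = mode
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def scan_file(path):
    """Scan an archive on disk, e.g. scan_file('/etc.bak.tgz')."""
    with open(path, "rb") as fh:
        return scan_backup(fh.read(), os.stat(path).st_mode)


if __name__ == "__main__":
    # A 0644 archive: the 0600 stored on etc/shadow changes nothing.
    for finding in scan_backup(build_sample_backup(), 0o100644):
        print(finding)
```

Run it against a real backup with scan_file("/etc.bak.tgz"); anything reported with readable_by_others set to True is the same exposure the notes describe.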
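The netstat -> lsof -> strings chain from the list is worth spelling out, because it works no matter what the process has renamed itself to: the kernel's socket table gives an inode, the inode leads to the owning pid, and /proc/<pid>/exe gives the real executable regardless of argv[0]. The following added example (not code from the course or the original write-up) does that chain in Python. The /proc/net/tcp excerpt and the fake bind-shell binary are constructed for the example; the live helpers only work on Linux with enough privilege to read other users' /proc entries.

```python
"""Hunt for a listening bind shell without trusting argv[0]: find LISTEN
sockets, map socket inode -> pid -> /proc/<pid>/exe, then pull printable
strings out of the executable to spot a hard-coded password.
Added example, not from the original write-up. The /proc/net/tcp excerpt and
the fake binary below are constructed; hunt_live() needs Linux and root."""
import glob
import os
import re

TCP_LISTEN = "0A"  # socket state code used in /proc/net/tcp


def parse_proc_net_tcp(text):
    """Return [(ip, port, inode)] for LISTEN sockets (IPv4 table only;
    /proc/net/tcp6 has the same layout for IPv6). Address and port are hex;
    the IPv4 address is printed in host byte order on little-endian machines."""
    result = []
    for line in text.splitlines()[1:]:          # skip the header line
        f = line.split()
        if len(f) < 10 or f[3] != TCP_LISTEN:
            continue
        ip_hex, port_hex = f[1].split(":")
        ip = ".".join(str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0))
        result.append((ip, int(port_hex, 16), int(f[9])))
    return result


def pid_for_socket_inode(inode):
    """Live only: scan /proc/*/fd for 'socket:[inode]', as lsof -i does."""
    target = "socket:[%d]" % inode
    for fd in glob.glob("/proc/[0-9]*/fd/*"):
        try:
            if os.readlink(fd) == target:
                return int(fd.split("/")[2])
        except OSError:
            continue
    return None


def real_exe(pid):
    """Live only: the executable path, whatever argv[0] claims."""
    return os.readlink("/proc/%d/exe" % pid)


def extract_strings(data, min_len=4):
    """Same idea as strings(1): runs of printable ASCII of min_len or more."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def password_candidates(strings):
    """Heuristic: the string that directly follows a 'pass...' prompt."""
    return [strings[i + 1] for i, s in enumerate(strings[:-1])
            if b"pass" in s.lower()]


def hunt_live():
    """Walk the live system: LISTEN socket -> pid -> real exe -> strings."""
    with open("/proc/net/tcp") as fh:
        listeners = parse_proc_net_tcp(fh.read())
    report = []
    for ip, port, inode in listeners:
        pid = pid_for_socket_inode(inode)
        if pid is None:
            continue
        exe = real_exe(pid)
        with open(exe, "rb") as fh:
            cands = password_candidates(extract_strings(fh.read()))
        report.append((ip, port, pid, exe, cands))
    return report


# Constructed /proc/net/tcp excerpt: smtp on loopback, a bind shell on 8080
# owned by uid 1000, and an established ssh session from the attacker IP.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10513 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 22817 1 0000000000000000 100 0 0 10 0
   2: 0A01A8C0:0016 33AE348D:C3A1 01 00000000:00000000 00:00000000 00000000     0        0 18004 1 0000000000000000 20 4 30 10 -1
"""

# Constructed stand-in for the bind-shell binary: ELF magic, the mangled
# process name it sets, a prompt and the password that follows it.
FAKE_BINDSHELL = (b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8 + b"[kworker/0:1]\x00"
                  + b"/bin/sh\x00" + b"Password: \x00" + b"Gr1dk4-2010\x00"
                  + b"\x01\x02\x03" + b"listen\x00")

if __name__ == "__main__":
    print(parse_proc_net_tcp(SAMPLE_PROC_NET_TCP))
    print(password_candidates(extract_strings(FAKE_BINDSHELL)))
```

The offline part shows the data shapes; on the compromised box, hunt_live() produces one tuple per listener, and a listener whose /proc/<pid>/exe points into /var/tmp is the one to look at first.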

Addendum from Leif: The last point is, of course, not correct. That the ctime on /bin/ping has changed is just a byproduct of the CVE-2010-3847 (not 3856) exploit. The file contents are not changed, as can easily be checked with "rpm -Vf /bin/ping". The original write-up on CVE-2010-3847 is worth a read, even if one does not understand all details: http://seclists.org/fulldisclosure/2010/Oct/257