Findings from day 1
From Gridkaschool
- /etc.bak.tgz: a backup archive that contains a readable copy of /etc/shadow
- The bash history of user sycorax shows John the Ripper (JtR) activity on the shadow file -> possible password compromise
- Temporary directory under /var/tmp/ab7a…: JtR was downloaded there and executed, the shadow file was cracked, and the uid was changed to admin
- admin ran "sudo su -" and started a rootkit
- sycorax changed the shell prompt; reason unknown
- sycorax is compromised
- CVE-2010-3856, LD_AUDIT (seen in .bash_history)
- Lots of information in the .bash_history of sycorax. Apache was killed.
- The attacker came from 141.52.174.51
- glibc too old
- The attacker might have used python-expect, which needed the prompt changed in order to function
- netstat -> bind-shell executable (argv[0] mangled); lsof -> pid -> full path to the executable; strings on it -> password
- Download of an rds exploit -> root compromise
- /bin/ping (a suid binary) compromised; used for a race-condition exploit
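Added example, not from the Gridkaschool page or the exercise host: it reproduces the netstat -> lsof step of the bind-shell finding straight from /proc, listing LISTENing TCP sockets, mapping each to its owning pid, and flagging processes whose argv[0] does not match /proc/<pid>/exe, which is how argv[0] mangling looks from the outside. The /proc/net/tcp sample text is constructed; the port 8080, inode 12345 and the function names are assumptions for the example.

```python
import os
from pathlib import Path

# Constructed sample of /proc/net/tcp (not captured from the exercise host): one LISTEN
# socket (state 0A) on port 0x1F90 = 8080 with inode 12345, one ESTABLISHED connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0016 0100007F:C2A4 01 00000000:00000000 00:00000000 00000000     0        0 67890 1 0000000000000000 20 4 30 10 -1
"""

def parse_proc_net_tcp(text):
    """Return {socket inode: local port} for every LISTEN entry (what netstat -lnt shows)."""
    listening = {}
    for line in text.splitlines()[1:]:             # first line is the column header
        f = line.split()
        if len(f) >= 10 and f[3] == "0A":          # st 0A == TCP_LISTEN
            listening[int(f[9])] = int(f[1].rsplit(":", 1)[1], 16)   # local_address is hex "ip:port"
    return listening

def argv0_mismatch(argv0, exe):
    """True when argv[0] differs from the binary behind /proc/<pid>/exe (login-shell '-' ignored; ' (deleted)' mismatches on purpose)."""
    return os.path.basename(argv0).lstrip("-") != os.path.basename(exe)

def socket_owners(inodes, proc=Path("/proc")):
    """Map socket inodes to (pid, argv0, exe) by walking /proc/<pid>/fd, as lsof -i does."""
    owners = {}
    for pid_dir in proc.glob("[0-9]*"):
        try:
            for fd in (pid_dir / "fd").iterdir():
                target = os.readlink(fd)              # e.g. "socket:[12345]"
                if target.startswith("socket:[") and int(target[8:-1]) in inodes:
                    argv0 = (pid_dir / "cmdline").read_bytes().split(b"\0")[0]
                    owners[int(target[8:-1])] = (int(pid_dir.name),
                                                 argv0.decode(errors="replace"),
                                                 os.readlink(pid_dir / "exe"))
        except OSError:
            continue                                  # process gone or not readable as this user
    return owners

def triage(proc=Path("/proc")):
    """One dict per listening TCP socket; 'suspicious' flags an argv[0]/exe mismatch."""
    listening = parse_proc_net_tcp((proc / "net/tcp").read_text())
    owners = socket_owners(set(listening), proc)
    report = []
    for inode, port in sorted(listening.items(), key=lambda kv: kv[1]):
        pid, argv0, exe = owners.get(inode, (None, "?", "?"))
        report.append({"port": port, "pid": pid, "argv0": argv0, "exe": exe,
                       "suspicious": pid is not None and argv0_mismatch(argv0, exe)})
    return report
```

Run triage() as root on a live system to see every listener; the exe path of a flagged entry is where the "strings" step of the finding starts.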
Addendum from Leif: The last point is, of course, not correct. That the ctime on /bin/ping has changed is just a byproduct of the CVE-2010-3847 (not 3856) exploit. The file contents are not changed, as can easily be checked with "rpm -Vf /bin/ping". The original write-up on CVE-2010-3847 is worth a read, even if one does not understand all details: http://seclists.org/fulldisclosure/2010/Oct/257