Security breaches
Title: twin hantu's login trojan horse
Machine: burro.monkeybrains.net
OS: Linux 2.1?
URLs: 1. http://www.sans.org/y2k/050900-1500.htm
2. http://staff.washington.edu/dittrich/misc/trinoo.analysis
Summary (notes taken during compromise analysis):
- The machine is compromised (portmap?? -- still unsure how the initial breach was made).
- A 'twin' user is created with UID=0 and HOME=/.
- A 'hantu' user is created and then erased
- The 'twin' line is edited out of the /etc/passwd file with pico.
- The /etc/shadow retains the 'twin' user.
- The target machine's 'login' is replaced with a trojan horse.
- This trojan horse allows root access for incoming telnets with a specific TERM setting.
This vt number can be found by doing a 'strings login | grep vt'.
- A UDP-controlled server named 'ns' is installed (a 'ps -aux' reveals a ./ns).
When started, ns sends a *HELLO* packet to its client (the client's IP is
available from a 'strings ns'). The ns on burro was installed in /daemon/ns.
This is how I was alerted to burro's infection: burro was ping flooding other
machines on the internet with this 'ns' client. (Please see URL #2 above.)
- The attacker leaves behind a .bash_history file which reveals several more tidbits:
1) The ftp host which houses the 'bj.c' which is compiled to make the trojan login.
2) Other machines the user leapfrogs to from your machine.
All you have to do is set term=vt???? where ???? indicates a number from 1000-9999
and you too can access other compromised machines.
3) Most commands are issued through a client-side script. 'twin' doesn't really
know Unix.
4) Of course, this .bash_history file could be a plant, but I'm leaning toward
a not-too-bright user scenario.
- More information is in other system log files (e.g. originating IPs for telnets).
Time to reformat that machine with FreeBSD!!!
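As an added example (my own script, not code from the original page or from the attacker's tools), the sh functions below turn the indicators in the notes above into repeatable host checks: a shadow entry with no passwd line, an extra UID 0 account, a hard-coded vtNNNN string in the login binary, and a process started from a relative path. The passwd, shadow, binary and ps samples it writes are constructed, and the 'toor' account and vt4242 value are placeholders.

```sh
#!/bin/sh
# Added example, not from the original page: host checks built from the
# indicators in the notes above. Each function takes file paths so it can run
# against constructed samples; on a live host pass /etc/passwd, /etc/shadow,
# /bin/login and a saved 'ps -eo pid,args' listing instead.

# Constructed sample data (placeholder hashes, constructed user 'toor').
make_samples() {
  dir=${1:-/tmp/breach-check.$$}
  mkdir -p "$dir"
  printf 'root:x:0:0:root:/root:/bin/bash\nalice:x:1000:1000::/home/alice:/bin/bash\ntoor:x:0:0::/:/bin/bash\n' > "$dir/passwd"
  printf 'root:$1$PLACEHOLDER$a:11000:0:99999:7:::\nalice:$1$PLACEHOLDER$b:11000:0:99999:7:::\ntwin:$1$PLACEHOLDER$c:11000:0:99999:7:::\n' > "$dir/shadow"
  # fake binary: junk bytes around an embedded TERM value, as the trojan had
  printf '\177ELFjunk\000vt4242\000/bin/sh\000' > "$dir/login"
  printf '  PID COMMAND\n    1 init\n  812 ./ns\n  900 /usr/sbin/sshd\n' > "$dir/ps.txt"
  echo "$dir"
}

# Accounts present in shadow but missing from passwd (the 'twin' pattern:
# edited out of /etc/passwd with pico, still present in /etc/shadow).
orphan_shadow_users() {  # $1=passwd $2=shadow
  for u in $(cut -d: -f1 "$2"); do
    grep -q "^$u:" "$1" || echo "$u"
  done
}

# Any UID 0 account other than root ('twin' was created with UID=0, HOME=/).
extra_uid0_users() {  # $1=passwd
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# The page's 'strings login | grep vt' check without depending on binutils:
# keep printable runs, report any that look like a hard-coded vtNNNN TERM.
vt_strings() {  # $1=binary
  tr -c '[:print:]' '\n' < "$1" | grep -E '^vt[0-9]{4}$' || true
}

# Processes started from a relative path, like the ./ns seen in ps -aux.
relative_path_procs() {  # $1=saved 'ps -eo pid,args' output
  awk 'NR > 1 && $2 ~ /^\.\// { print $1, $2 }' "$1"
}
```

Run the checks from a known-clean rescue environment rather than the suspect host's own shell, since a trojaned login implies other binaries (ps, grep, awk) may have been replaced too.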
Another break-in this week... at a place I contracted at for a few hours.
They too were running Linux. I patched up all the messed-up binaries
with new rpms... More info
Here are the people (and bots) who have looked at this page:
gunzip -c /www/logs/archive/access-www.monkeybrains.net.gz | grep ' /security' | awk '{print $1}' | sort -u | nslookup | grep Name:
This page was created to keep track of security breaches on the
MonkeyBrains network.
(I hope rk is friendly hehehe)