Josh-D. S. Davis

Xaminmo / Omnimax / Max Omni / Mad Scientist / Midnight Shadow / Radiation Master

Found CRAP!
OK, so one of the people with an account on my box is not the most technically savvy person in the world.
Well, trying to debug some of her crud, I found a ref to a cron job.

What!?!?!
So I check it out, and I find this sort of disturbing stuff
[root@ns1:/var/tmp/  ]
/bin/bash# crontab -u jester -l
* * * * * /var/tmp/  /.access.log/y2kupdate >/dev/null 2>&1

[root@ns1:/var/tmp/  ]
/bin/bash# ls -alR
.:
total 572
drwxr-xr-x  3 jester nancy   4096 Jun  7 12:30 ./
drwxrwxrwt  7 root   root   28672 Jun 27 16:35 ../
-rw-r--r--  1 jester nancy   2843 Jun  7 12:30 c.htm
-rw-r--r--  1 jester nancy 529926 Apr 29 07:57 info.tar.gz
-rw-r--r--  1 jester nancy   1251 Jun  6 21:20 send
drwxr-xr-x  3 jester nancy   4096 Jun  6 07:13 ssh/
-rw-r--r--  1 jester nancy    124 Jun  7 12:13 target

./ssh:
total 1232
drwxr-xr-x  2 jester nancy    4096 Jun  7 06:25  /
drwxr-xr-x  3 jester nancy    4096 Jun  6 07:13 ./
drwxr-xr-x  3 jester nancy    4096 Jun  7 12:30 ../
-rw-r--r--  1 jester nancy       0 Jun  4 11:31 213.71.pscan.22
-rw-r--r--  1 jester nancy       0 Jun  5 06:51 66.22.pscan.22
-rwx------  1 jester nancy     715 Apr 16 09:54 assh*
-rwx------  1 jester nancy     206 Mar 28 01:39 auto*
-rw-r--r--  1 jester nancy     727 Jun  5 04:49 log.bigsshf
-rwxr-xr-x  1 jester nancy   22574 Apr 16 08:35 pscan2*
-rwxr-xr-x  1 jester nancy 1206920 Jun  5 06:51 sshf*

./ssh/ :
total 540
drwxr-xr-x  2 jester nancy   4096 Jun  7 06:25 ./
drwxr-xr-x  3 jester nancy   4096 Jun  6 07:13 ../
-rwxr-xr-x  1 jester nancy  22295 Jun  7 06:25 0*
-rw-r--r--  1 jester nancy   4096 Jun  7 06:30 213.161.pscan.80
-rwxr-xr-x  1 jester nancy    179 Apr  8 17:31 a*
-rwxr-xr-x  1 jester nancy 426030 Jun  7 06:25 a.out*
-rwxr-xr-x  1 jester nancy    573 Apr  8 15:37 c*
-rwxr-xr-x  1 jester nancy    162 Apr  8 15:37 cgifile*
-rwxr-xr-x  1 jester nancy   2626 Apr  8 15:37 http_get.c*
-rwxr-xr-x  1 jester nancy    270 Apr  8 15:37 http_get.h*
-rwxr-xr-x  1 jester nancy   1937 Apr  8 15:37 s*
-rwxr-xr-x  1 jester nancy    210 Apr  8 15:37 target*
-rw-r--r--  1 jester nancy     68 Jun  6 07:23 vuln.txt
-rwxr-xr-x  1 jester nancy  27237 Apr  8 15:37 x*
-rwxr-xr-x  1 jester nancy  20461 Jun  7 06:25 z*


Apparently, one of its ways in is that it exploits awstats.pl, brute-forces ssh, and a variety of other tools I haven't figured out yet.
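The cron entry is the first thing that gave this away, so here is an added example (not from the original post) of a small POSIX sh check that flags crontab lines running out of scratch space like /var/tmp or out of a hidden directory. The SAMPLE_CRONTAB listing is constructed to mirror the one above; audit_all_users is the live-host variant and assumes you are root, as in the post.

```sh
#!/bin/sh
# Added example (not from the original post): flag cron entries that run out of
# world-writable scratch space or a hidden directory, the pattern of the
# y2kupdate job found above. SAMPLE_CRONTAB is a constructed listing so this
# runs offline; audit_all_users is the live-host variant and is not run here.

# Return 0 (true) when a crontab line's command part looks suspicious:
#   - it references /tmp, /var/tmp or /dev/shm, or
#   - it contains a dot-prefixed (hidden) directory component.
# Comments, blank lines and NAME=value settings are ignored. The hidden-dir
# rule is a heuristic and also flags things like ~/.local/bin; review hits.
suspicious_cron_line() {
    case "$1" in
        ''|\#*|[A-Za-z_]*=*) return 1 ;;
    esac
    # Strip the schedule: an @macro or the five whitespace-separated fields.
    cmd=$(printf '%s\n' "$1" |
        sed -E 's/^(@[^[:space:]]+|([^[:space:]]+[[:space:]]+){4}[^[:space:]]+)[[:space:]]+//')
    case "$cmd" in
        */tmp/*|*/var/tmp/*|*/dev/shm/*|*/.*/*) return 0 ;;
    esac
    return 1
}

# Read one user's crontab listing on stdin; print each suspicious entry
# tagged with the user name (one line per hit).
audit_crontab() {
    while IFS= read -r line; do
        if suspicious_cron_line "$line"; then
            printf '%s: %s\n' "$1" "$line"
        fi
    done
}

# Live-host variant: check every local account (needs root, like the post).
audit_all_users() {
    cut -d: -f1 /etc/passwd | while IFS= read -r u; do
        crontab -u "$u" -l 2>/dev/null | audit_crontab "$u"
    done
}

# Constructed sample modelled on the listing in the post; two lines should hit.
SAMPLE_CRONTAB='# nightly maintenance
MAILTO=""
0 3 * * * /usr/bin/updatedb
* * * * * /var/tmp/  /.access.log/y2kupdate >/dev/null 2>&1
@reboot /dev/shm/.cache/run >/dev/null 2>&1'

printf '%s\n' "$SAMPLE_CRONTAB" | audit_crontab jester
```

Running it on the sample prints the y2kupdate line and the @reboot line tagged with the user; on a live box, replace the last line with a call to audit_all_users.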


Yay for haxxors!

Time to lock down the account and start scanning for rootkits. =/

Hrm... root kits... I don't think I have md5 sums of everything, no tripwire.

I'll have to see if dpkg has a checksum verify.

All of the files were owned by her, so it should be ok, but I'm still surfing and looking to see if stuff reappears.

I should have known better than to open things up for truly clueless people.

I'm not sure what you're running, but take a look at ChkRootKit. It's not foolproof, but it will automate a lot of the menial crap.

Danke for the chkrootkit recommendation. It says all is good.
Installed the package, set it to run nightly from cron.

I went ahead and installed tripwire, but I'm really too lazy to set up removable RO media for a copy of the DB, so I don't know how useful that would be.

It forwarded some stat info to ccaddysad@yahoo.com

Nice. Good luck with that.


http://72.14.207.104/search?q=cache:a9XRiaE1HF0J:tux.widearea.org:2080/bannedusers.html+ccaddysad&hl=en&start=1


Do you think it's more an automated attack or more a random person in a random box?

I think it's the lUser being insecure and got scammed (she loves spam, truly) or sniffed by malware (she's not really technical minded).

I set up swatch to update iptables, and other goodies...
but the user said
Sorry about the virus!!!!!! I didn't know! Of course, our Macs aren't affected by anything like that.

Your posts make me feel stupid.

I do that on purpose. It's sort of a desensitizing experiment. :)

Haha... it just makes me aware of just how much I don't know about computers (yet), even if I know more than the average person.
