Pantek Library

More /sumthin, maybe

From: Sverre H. Huseby <shh(at)thathost.com>
Date: Mon Feb 03 2003 - 03:52:54 EST


I got a couple of E-mails from a guy that _may_ have more info on the /sumthin case. One of his servers was "owned", and he _thinks_ the /sumthin request was the start of the attack. His E-mails follow:


    I got hit with the same thing. /sumthin is exactly what everyone
    thinks it is - a probe. Someone used my version info to exploit a
    bug in SSL. I still don't know what the bugs are yet, but it's
    really evident. From there, he logged in as my webserver, and
    totally F$%^&D my server. He set up some kind of irc server, and
    compromised so much of my server I'm having to rebuild from the
    ground up. He redirected the root .bash_history to /dev/null and
    redirected the mail logs and he set up an account called tcp so he
    could log in through ssh. Most of the services were shut down
    (that's how I figured something was up - I couldn't get my mail).

    Even though he did wipe the root history, he forgot to wipe
    wwwrun's history. It's too long to post, but it will be up for a
    short while at http://XXX [Sverre says: URL removed. Log file
    attached.]

    He also replaced bash and set the default runlevel to halt, so
    when I restarted the system just stopped (what a pisser).

    When I went back and grepped all the logs, the /sumthin only shows
    up in the logs of one domain (despite the fact we host around [N])
    and starts sometime around mid October, as everyone else has
    noticed.


    I found things like this in /tmp and /var/tmp:

    drwxr-xr-x   3 wwwrun   nogroup      153 Jan 26 04:10 a
    -rw-r--r--   1 wwwrun   nogroup    14138 Jan  4 20:32 a.tgz
    -rw-r--r--   1 wwwrun   nogroup    14138 Jan  4 20:32 a.tgz.1
    -rw-r--r--   1 wwwrun   nogroup    14138 Jan  4 20:32 a.tgz.2
    -rwxr-xr-x   1 wwwrun   nogroup    19577 Nov 28 15:55 alarmd
    drwxr-xr-x   5 wwwrun   nogroup      635 Dec 22 17:00 orbit-root
    drwxr-xr-x   9 wwwrun   nogroup      553 Jan 12 09:52 psybnc
    -rw-r--r--   1 wwwrun   nogroup   596571 Oct 17 23:19 psybnc.tar.gz

    After that I did a find / -user wwwrun and found a bunch of stuff,
    and then discovered several other uids involved.


The attached shell history file shows what appears to be a manual attacker downloading and installing several files using wget. Some of the files are no longer available, but the few I managed to download seem to be either related to IRC (server and bot), or to Linux local exploits. (I only spent a couple of minutes downloading and glancing at the files.)

Do you need help?

Sverre.

-- 
shh@thathost.com		Computer Geek?  Try my Nerd Quiz
http://shh.thathost.com/	
http://nerdquiz.thathost.com/
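The checks the victim describes above (root's .bash_history pointed at /dev/null, an extra login account, the default runlevel changed, executables and archives sitting in /tmp and /var/tmp, a replaced bash, and the follow-up find / -user wwwrun) make a reasonable first triage sweep for a box like this. The script below is an added example and is not code from the original message or from the victim's machine. Every check takes the root of the tree to inspect (/ on a live box, or a mount point for an image); here it runs against a throwaway directory built to mirror the listing above. The passwd entries, the inittab line, the history contents and the "baseline" checksum are constructed for the demonstration, not recovered from the incident.

```sh
#!/bin/sh
# Added triage sweep for the indicators described in the post above. This is
# example code, not something from the original message or the victim's box.
# Each check takes the root of the filesystem to inspect (normally /, or a
# mounted image) so it can be run here against a constructed fixture tree.

# Shell history files that have been replaced by a symlink to /dev/null.
nulled_histories() {
    for h in "$1"/root/.bash_history "$1"/home/*/.bash_history; do
        [ -L "$h" ] && [ "$(readlink "$h")" = /dev/null ] && echo "${h#$1}"
    done
    return 0
}

# Accounts able to log in: any entry with a real shell, and any uid-0 entry
# that is not root. Prints name:uid:shell.
login_accounts() {
    awk -F: '$7 ~ /sh$/ || ($3 == 0 && $1 != "root") { print $1 ":" $3 ":" $7 }' \
        "$1/etc/passwd"
}

# Default runlevel from a SysV /etc/inittab. The victim's had been changed so
# the machine halted on reboot.
default_runlevel() {
    awk -F: '$3 == "initdefault" { print $2 }' "$1/etc/inittab"
}

# Executables and archives sitting directly in the tmp directories.
tmp_droppings() {
    for d in "$1/tmp" "$1/var/tmp"; do
        [ -d "$d" ] && find "$d" -maxdepth 1 -type f \
            \( -perm -100 -o -name '*.tgz' -o -name '*.tar.gz' \)
    done | sed "s|^$1||" | sort
}

# Everything a given account owns; this is how the victim widened the search
# from /tmp to the rest of the box (find / -user wwwrun).
owned_by() {
    find "$1" -user "$2" -type f | sed "s|^$1||" | sort
}

# Compare a binary's POSIX cksum CRC against a recorded baseline. The attacker
# replaced bash; a checksum list taken at install time catches that.
binary_unchanged() {    # args: root path baseline_crc
    [ "$(cksum < "$1$2" | cut -d' ' -f1)" = "$3" ]
}

# Constructed fixture mirroring the listing in the post (file names only; the
# passwd and inittab contents are made up for the demonstration).
build_fixture() {
    r=$(mktemp -d)
    mkdir -p "$r/root" "$r/home/alice" "$r/etc" "$r/tmp" "$r/var/tmp" "$r/bin"
    ln -s /dev/null "$r/root/.bash_history"
    echo "ls -la" > "$r/home/alice/.bash_history"
    cat > "$r/etc/passwd" <<EOF
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
tcp:x:0:0::/tmp/a:/bin/bash
EOF
    echo "id:0:initdefault:" > "$r/etc/inittab"
    echo "not the real shell" > "$r/bin/bash"
    : > "$r/tmp/a.tgz"
    : > "$r/tmp/alarmd"; chmod 755 "$r/tmp/alarmd"
    : > "$r/var/tmp/psybnc.tar.gz"
    : > "$r/var/tmp/notes.txt"
    echo "$r"
}

# Stand-in for an install-time checksum of the genuine /bin/bash (constructed).
BASELINE_BASH_CRC=$(echo "the real shell" | cksum | cut -d' ' -f1)

FIXTURE=$(build_fixture)
echo "history files symlinked to /dev/null:"; nulled_histories "$FIXTURE"
echo "login-capable accounts:";               login_accounts "$FIXTURE"
echo "default runlevel: $(default_runlevel "$FIXTURE")"
echo "droppings in tmp dirs:";                tmp_droppings "$FIXTURE"
if binary_unchanged "$FIXTURE" /bin/bash "$BASELINE_BASH_CRC"; then
    echo "/bin/bash matches baseline"
else
    echo "/bin/bash DOES NOT match baseline"
fi
rm -rf "$FIXTURE"
```

On a real box the sweep is a starting point, not a verdict: the victim's attacker also redirected mail logs and shut down services, so the same pass should be made over the log directories and the startup scripts, and anything found should be checked against an offline baseline, since a replaced bash (or find, or ls) on the compromised system cannot be trusted to report on itself.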

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Mon Feb 3 10:56:12 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:57 EDT

