Hacked Servers – HS Syswiki

Hacked Servers

From HS Syswiki

Revision as of 9 September 2015, 10:28

Server List:

-tux25 [Done]
-tux307 [Not in Prod]
-tux163 [Done]
-tux247 [Done]
-tux219
-tux3.at

Command line used to find SUID/SGID files owned by root (`ls -lg` prints the group column instead of the owner, so entries showing `shadow`, `tty` or `bin` below are root-owned files with that group):

/usr/bin/nice -n 19 /usr/bin/ionice -c2 -n7 find / -type f  -user root \( -perm -4000 -o -perm -2000 \) -exec ls -lg {} \; 2>/dev/null > ~/sysadmin/hack/suidfiles.txt &

Find compromised .htaccess files (grep for the known indicators):

mkdir -p ~/sysadmin/hack && /usr/bin/nice -n 19 /usr/bin/ionice -c2 -n7 find /home/www/ -type f -name .htaccess -exec egrep -l 'alecspiegel|khiuh3.php|162.216.6.208' {} \;  2>/dev/null > ~/sysadmin/hack/list_`date -I` &
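The two commands above produce an inventory, but the useful step is comparing that inventory against a known-good baseline so that planted binaries such as /boot1/initr and /sbin/sid stand out. The script below is an added example, not tooling from this wiki or its authors: it assumes the `ls -lg` line format the page's find command produces (permissions, link count, group, size, date, path, optional "<<<" note), compares two listings while ignoring timestamps (the 2013 mtime on /boot1/initr shows why a planted file's date cannot be trusted), and runs the same indicator grep over .htaccess files. All listings and .htaccess contents in it are constructed sample data taken from subsets of the tux163 and tux247 output on this page.

```shell
#!/bin/sh
# Added example, not the wiki page's own tooling. Compares a fresh SUID/SGID
# inventory against a known-good baseline and scans .htaccess files for the
# indicators the page greps for. Assumes the `ls -lg` line format produced by
# the page's find command (perm, links, group, size, date, path, optional
# "<<< note"); all input below is constructed sample data.
set -u
export LC_ALL=C            # stable sort/comm order regardless of locale

# Reduce one `ls -lg` line to "path perm group size". Dates are dropped on
# purpose: the mtime of a planted binary is attacker-controlled (the page's
# /boot1/initr carries a 2013 timestamp), so a baseline diff must not rely on
# it. The "<<< note" suffix is dropped so annotated lines compare equal.
# Only lines with a setuid/setgid bit are kept.
normalize_listing() {
    awk '
        substr($1, 4, 1) ~ /[sS]/ || substr($1, 7, 1) ~ /[sS]/ {
            n = NF
            for (i = 1; i <= NF; i++) if ($i == "<<<") { n = i - 1; break }
            print $n, $1, $3, $4
        }' "$@" | sort
}

# Print entries present in the current inventory but not in the baseline.
# Anything printed here needs a human look; an empty result is the goal.
unexpected_suid() {
    b=$(mktemp); c=$(mktemp)
    normalize_listing "$1" > "$b"
    normalize_listing "$2" > "$c"
    comm -13 "$b" "$c"
    rm -f "$b" "$c"
}

# Same indicators as the page's egrep, with the dots escaped so "khiuh3.php"
# and the IP match literally; -l prints matching file names only.
IOC_PATTERN='alecspiegel|khiuh3\.php|162\.216\.6\.208'
scan_htaccess() {
    find "$1" -type f -name .htaccess -exec grep -E -l "$IOC_PATTERN" {} \; 2>/dev/null | sort
}

# ---- constructed sample data (subsets of the page's tux163/tux247 listings) ----
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
BASELINE_FILE=$WORK/baseline.txt
CURRENT_FILE=$WORK/current.txt
cat > "$BASELINE_FILE" <<'EOF'
-rwsr-xr-x 1 root 32304 Sep 21  2007 /bin/su
-rwsr-xr-x 1 root 74720 Oct 12  2007 /bin/mount
-rwsr-xr-x 1 shadow 78208 Sep 21  2007 /usr/bin/passwd
-rws--x--x 1 root 58453 Sep  4 15:12 /usr/local/apache2-2.2.29/sbin/suexec2
-rwsr-xr-x 1 shadow 23384 Sep 21  2007 /sbin/unix_chkpwd
EOF
cat > "$CURRENT_FILE" <<'EOF'
-rwsr-xr-x 1 root 32304 Sep 21  2007 /bin/su
-rwsr-xr-x 1 root 74720 Oct 12  2007 /bin/mount
-rwsr-xr-x 1 shadow 78208 Sep 21  2007 /usr/bin/passwd
-rws--x--x 1 root 58453 Sep  1 14:35 /usr/local/apache2-2.2.29/sbin/suexec2
-rwsr-xr-x 1 root 661528 Feb  3  2013 /boot1/initr      <<< Folder boot1 created by the hackers
-rwsr-xr-x 1 root 431516 Sep 29  2011 /sbin/sid
-rwsr-xr-x 1 shadow 23384 Sep 21  2007 /sbin/unix_chkpwd
-rw-r--r-- 1 root root    0 Sep  9 09:23 list_2015-09-09
EOF
WWW_ROOT=$WORK/www
mkdir -p "$WWW_ROOT/web1/html" "$WWW_ROOT/web2/html"
printf 'Options -Indexes\n' > "$WWW_ROOT/web1/html/.htaccess"
printf 'RewriteEngine On\nRewriteRule .* http://162.216.6.208/khiuh3.php [R,L]\n' \
    > "$WWW_ROOT/web2/html/.htaccess"

echo "SUID/SGID entries not in the baseline (suexec2 was rebuilt but keeps size and mode, so it is not flagged):"
unexpected_suid "$BASELINE_FILE" "$CURRENT_FILE"
echo ".htaccess files matching the indicators:"
scan_htaccess "$WWW_ROOT"
```

Run it on a real host by pointing `unexpected_suid` at a baseline saved from a clean install (or from a sibling server known to be clean) and at the fresh `suidfiles.txt`; the suexec2 entry shows why the comparison keys on path, mode and size rather than on the date, since the legitimately rebuilt binary would otherwise appear in every diff.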


Cleaned servers:

tux25:

tux25:~/sysadmin # cat suidfiles.txt
-rwsr-xr-x 1 root 74720 12. Okt 2007  /bin/mount
---s--x--x 1 root 226 31. Aug 16:01 /bin/delp                                                  <<< Done by Sysad
-rwsr-xr-x 1 root 57184 12. Okt 2007  /bin/umount
-rwsr-xr-x 1 root 35936 21. Sep 2007  /bin/ping6
-rwsr-xr-x 1 root 32304 21. Sep 2007  /bin/su
-rwsr-xr-x 1 root 40192 21. Sep 2007  /bin/ping
-rwsr-xr-x 1 shadow 23384 21. Sep 2007  /sbin/unix_chkpwd
-rwsr-xr-x 1 shadow 10864 21. Sep 2007  /sbin/unix2_chkpwd
-r-sr-xr-x 1 bin 154584 18. Jan 2012  /var/dcc/libexec/dccsight
-rwsr-xr-x 1 daemon 10952 21. Sep 2007  /usr/lib/majordomo/wrapper
-rwsr-xr-x 1 root 27081 21. Sep 2007  /usr/lib64/pt_chown
-rwsr-xr-x 1 root 10856 22. Sep 2007  /usr/lib64/PolicyKit/polkit-grant-helper-pam
-rwxr-sr-x 1 103 15056 22. Sep 2007  /usr/lib64/PolicyKit/polkit-grant-helper
-rwsr-xr-x 1 trusted 40672 21. Sep 2007  /usr/bin/crontab
-rwsr-xr-x 1 root 10856 21. Sep 2007  /usr/bin/man
-rwsr-xr-x 1 root 10856 21. Sep 2007  /usr/bin/mandb
-rwsr-xr-x 1 shadow 78888 21. Sep 2007  /usr/bin/chfn
-rwsr-xr-x 1 root 144344 27. Jan 2009  /usr/bin/sudo
-rwsr-xr-x 1 root 19680 21. Sep 2007  /usr/bin/newgrp
-rwxr-sr-x 1 tty 15016 21. Sep 2007  /usr/bin/write
-rwsr-xr-x 1 shadow 19552 21. Sep 2007  /usr/bin/expiry
-rwsr-xr-x 1 shadow 82424 21. Sep 2007  /usr/bin/gpasswd
-rwsr-xr-x 1 shadow 82744 21. Sep 2007  /usr/bin/chage
-rwsr-xr-x 1 shadow 78208 21. Sep 2007  /usr/bin/passwd
-rwsr-xr-x 1 shadow 74232 21. Sep 2007  /usr/bin/chsh
-rwxr-sr-x 1 tty 15152 21. Sep 2007  /usr/bin/wall
-rwsr-x--- 1 dialout 58856 28. Mai 2008  /usr/sbin/mtr
-r-xr-sr-x 1 mail 2856959  5. Dez 2014  /usr/sbin/sendmail
-rwsr-xr-x 1 root 10784  4. Jul 2008  /usr/sbin/zypp-checkpatches-wrapper
-r-sr-xr-x 1 bin 189707 23. Aug 2010  /usr/local/bin/cdcc
-r-sr-xr-x 1 bin 584923 23. Aug 2010  /usr/local/bin/dccproc
-rws--x--x 1 root 58453 16. Jan 2015  /usr/local/apache2-2.2.29/sbin/suexec.confixx
-rws--x--x 1 root 58453 16. Jul 09:13 /usr/local/apache2-2.2.29/sbin/suexec2

tux163:

 cat suidfiles.txt
-rwsr-xr-x 1 shadow 10864 Sep 21  2007 /sbin/unix2_chkpwd
-rwsr-xr-x 1 shadow 23384 Sep 21  2007 /sbin/unix_chkpwd
-r-sr-xr-x 1 bin 154584 Nov 24  2008 /var/dcc/libexec/dccsight
-rwsr-x--- 1 dialout 58856 May 28  2008 /usr/sbin/mtr
-r-xr-sr-x 1 mail 2856959 Dec  5  2014 /usr/sbin/sendmail
-rwsr-xr-x 1 root 10784 Jul  4  2008 /usr/sbin/zypp-checkpatches-wrapper
-rwsr-xr-x 1 root 10856 Sep 22  2007 /usr/lib64/PolicyKit/polkit-grant-helper-pam
-rwxr-sr-x 1 103 15056 Sep 22  2007 /usr/lib64/PolicyKit/polkit-grant-helper
-rwsr-xr-x 1 root 27081 Sep 21  2007 /usr/lib64/pt_chown
-rws--x--x 1 root 58453 Sep  4 15:12 /usr/local/apache2-2.2.29/sbin/suexec2
-rws--x--x 1 root 58453 Jan 16  2015 /usr/local/apache2-2.2.29/sbin/suexec.confixx
-r-sr-xr-x 1 bin 584923 Nov 24  2008 /usr/local/bin/dccproc
-r-sr-xr-x 1 bin 189707 Nov 24  2008 /usr/local/bin/cdcc
-rwsr-xr-x 1 daemon 10952 Sep 21  2007 /usr/lib/majordomo/wrapper
-rwsr-xr-x 1 shadow 74232 Sep 21  2007 /usr/bin/chsh
-rwsr-xr-x 1 trusted 40672 Sep 21  2007 /usr/bin/crontab
-rwsr-xr-x 1 shadow 82424 Sep 21  2007 /usr/bin/gpasswd                                                  <<< change group password
-rwsr-xr-x 1 shadow 19552 Sep 21  2007 /usr/bin/expiry
-rwsr-xr-x 1 root 10856 Sep 21  2007 /usr/bin/man
-rwsr-xr-x 1 shadow 78888 Sep 21  2007 /usr/bin/chfn                                                  <<< change finger information
-rwsr-xr-x 1 shadow 82744 Sep 21  2007 /usr/bin/chage                                                  <<<  change user password expiry information
-rwsr-xr-x 1 root 144344 Jan 27  2009 /usr/bin/sudo
-rwsr-xr-x 1 root 10856 Sep 21  2007 /usr/bin/mandb
-rwxr-sr-x 1 tty 15152 Sep 21  2007 /usr/bin/wall
-rwsr-xr-x 1 root 19680 Sep 21  2007 /usr/bin/newgrp
-rwsr-xr-x 1 shadow 78208 Sep 21  2007 /usr/bin/passwd
-rwxr-sr-x 1 tty 15016 Sep 21  2007 /usr/bin/write
-rwsr-xr-x 1 root 32304 Sep 21  2007 /bin/su
-rwsr-xr-x 1 root 35936 Sep 21  2007 /bin/ping6
-rwsr-xr-x 1 root 40192 Sep 21  2007 /bin/ping
-rwsr-xr-x 1 root 74720 Oct 12  2007 /bin/mount
-rwsr-xr-x 1 root 57184 Oct 12  2007 /bin/umount
---s--x--x 1 root 226 Aug 31 16:01 /bin/delp                                                  <<< Done by Sysad
 
-rw-r--r-- 1 root root     0 Sep  9 09:21 list_2015-09-09

tux247:

-rwsr-xr-x 1 trusted 40672 Sep 21  2007 /usr/bin/crontab
-rwxr-sr-x 1 tty 15152 Sep 21  2007 /usr/bin/wall
-rwsr-xr-x 1 shadow 19552 Sep 21  2007 /usr/bin/expiry
-rwsr-xr-x 1 shadow 82744 Sep 21  2007 /usr/bin/chage
-rwsr-xr-x 1 root 10856 Sep 21  2007 /usr/bin/mandb
-rwsr-xr-x 1 shadow 82424 Sep 21  2007 /usr/bin/gpasswd
-rwsr-xr-x 1 root 144344 Jan 27  2009 /usr/bin/sudo
-rwsr-xr-x 1 root 19680 Sep 21  2007 /usr/bin/newgrp
-rwsr-xr-x 1 shadow 78888 Sep 21  2007 /usr/bin/chfn
-rwsr-xr-x 1 shadow 78208 Sep 21  2007 /usr/bin/passwd
-rwsr-xr-x 1 root 10856 Sep 21  2007 /usr/bin/man
-rwsr-xr-x 1 shadow 74232 Sep 21  2007 /usr/bin/chsh
-rwxr-sr-x 1 tty 15016 Sep 21  2007 /usr/bin/write
-rwsr-xr-x 1 root 27081 Sep 21  2007 /usr/lib64/pt_chown
-rwxr-sr-x 1 103 15056 Sep 22  2007 /usr/lib64/PolicyKit/polkit-grant-helper
-rwsr-xr-x 1 root 10856 Sep 22  2007 /usr/lib64/PolicyKit/polkit-grant-helper-pam
-r-sr-xr-x 1 bin 584923 May  2  2011 /usr/local/bin/dccproc
-r-sr-xr-x 1 bin 189707 May  2  2011 /usr/local/bin/cdcc
-rws--x--x 1 root 58453 Jan 16  2015 /usr/local/apache2-2.2.29/sbin/suexec.confixx
-rws--x--x 1 root 58453 Sep  1 14:35 /usr/local/apache2-2.2.29/sbin/suexec2
-rwsr-xr-x 1 root 10784 Jul  4  2008 /usr/sbin/zypp-checkpatches-wrapper
-r-xr-sr-x 1 mail 2856959 Dec  5  2014 /usr/sbin/sendmail
-rwsr-x--- 1 dialout 58856 May 28  2008 /usr/sbin/mtr
-rwsr-xr-x 1 daemon 10952 Sep 21  2007 /usr/lib/majordomo/wrapper
-rwsr-xr-x 1 root 74720 Oct 12  2007 /bin/mount
-rwsr-xr-x 1 root 32304 Sep 21  2007 /bin/su
-rwsr-xr-x 1 root 40192 Sep 21  2007 /bin/ping
-rwsr-xr-x 1 root 57184 Oct 12  2007 /bin/umount
-rwsr-xr-x 1 root 35936 Sep 21  2007 /bin/ping6
---s--x--x 1 root 226 Aug 31 16:01 /bin/delp                                                  <<< Done by Sysad
-rwsr-xr-x 1 root 661528 Feb  3  2013 /boot1/initr                                                  <<< Folder boot1 created by the hackers. initr fake bash created by the hacker (Folder removed)
-r-sr-xr-x 1 bin 154584 May  2  2011 /var/dcc/libexec/dccsight
-rwsr-xr-x 1 root 431516 Sep 29  2011 /sbin/sid                                                  <<< Fake bash by the hacker (file removed)
-rwsr-xr-x 1 shadow 23384 Sep 21  2007 /sbin/unix_chkpwd
-rwsr-xr-x 1 shadow 10864 Sep 21  2007 /sbin/unix2_chkpwd
 
-rw-r--r-- 1 root root    0 Sep  9 09:23 list_2015-09-09

tux219:

 

tux3.at:

 

tuxYY:

 