Hacked Servers
From HS Syswiki
(Difference between revisions)
Revision as of 9 September 2015, 10:41
Server List:
- tux25 [Done]
- tux307 [Not in Prod]
- tux163 [Done]
- tux247 [Done]
- tux219
- tux3.at [Done]
- tux197 [Not patched]
Command line used to find SUID and SGID files owned by user root (the `ls -lg` output below shows the group in place of the owner column):
/usr/bin/nice -n 19 /usr/bin/ionice -c2 -n7 find / -type f -user root \( -perm -4000 -o -perm -2000 \) -exec ls -lg {} \; 2>/dev/null > ~/sysadmin/hack/suidfiles.txt &
Find hacked .htaccess files:
mkdir -p ~/sysadmin/hack && /usr/bin/nice -n 19 /usr/bin/ionice -c2 -n7 find /home/www/ -type f -name .htaccess -exec egrep -l 'alecspiegel|khiuh3.php|162.216.6.208' {} \; 2>/dev/null > ~/sysadmin/hack/list_`date -I` &
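As an added example (not from the wiki page and not the sysadmin team's own tooling), the POSIX shell script below shows two follow-up checks for the hunt above: comparing a suidfiles.txt-style inventory against a known-good baseline so that only unexpected SUID/SGID paths are reported, and reading the Access/Modify/Change timestamps out of a `stat` block so that a file whose mtime is older than its ctime is called out. The listing, the baseline and the stat block are constructed in the same layout as the page's output; they are not real server data, and the baseline is an assumption that you would replace with one taken from a clean host of the same build.

```shell
#!/bin/sh
# Added example, not part of the wiki page. Two triage helpers for a
# SUID/SGID hunt:
#   unexpected_suid  - report paths in a `find ... -exec ls -lg` inventory
#                      that are not in a known-good baseline
#   stat_timeline    - pull atime/mtime/ctime out of a `stat` block and flag
#                      an mtime that predates the ctime
# All input below is constructed for the example, not real server data.

# Assumed known-good SUID/SGID paths, one per line (replace with a baseline
# taken from a clean host of the same build).
BASELINE='/bin/mount
/bin/umount
/bin/su
/bin/ping
/usr/bin/sudo
/usr/bin/passwd'

# Constructed inventory in `ls -lg` layout: mode links group size date path
LISTING='-rwsr-xr-x 1 root 74720 Oct 12 2007 /bin/mount
-rwsr-xr-x 1 root 57184 Oct 12 2007 /bin/umount
-rwsr-xr-x 1 root 32304 Sep 21 2007 /bin/su
-rwsr-xr-x 1 root 40192 Sep 21 2007 /bin/ping
-rwsr-xr-x 1 root 144344 Jan 27 2009 /usr/bin/sudo
-rwsr-xr-x 1 shadow 78208 Sep 21 2007 /usr/bin/passwd
-rwsr-xr-x 1 root 661528 Feb 3 2013 /boot1/initr
-rwsr-xr-x 1 root 431516 Sep 29 2011 /sbin/sid'

# Constructed `stat` block in the same shape as GNU stat's default output
STATBLOCK='  File: /sbin/sid
  Size: 431516 Blocks: 856 IO Block: 4096 regular file
Access: (4755/-rwsr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2015-09-08 02:02:43.000000000 +0200
Modify: 2011-09-29 18:34:41.000000000 +0200
Change: 2013-11-26 23:16:25.000000000 +0100'

# unexpected_suid LISTING BASELINE
# Prints every path in LISTING (last field of each line) that is absent from
# BASELINE, sorted. The path is taken as the last whitespace-separated field,
# so paths containing spaces are not handled; the inventories above have none.
unexpected_suid() {
    tmpb=$(mktemp) || return 1
    printf '%s\n' "$2" | sort -u > "$tmpb"
    # grep exits 1 when nothing is unexpected; that is not an error here
    printf '%s\n' "$1" | awk 'NF { print $NF }' | sort -u \
        | grep -vxF -f "$tmpb" || :
    rm -f "$tmpb"
}

# stat_timeline STATBLOCK
# Prints "ctime=... mtime=... atime=... mtime_predates_ctime=yes|no".
# mtime can be set freely (touch -d, cp -p, tar) but ctime cannot be set from
# userland, so the Change line is the reliable bound for when the inode was
# last altered; the Access line shows the last read or execution.
stat_timeline() {
    printf '%s\n' "$1" | awk '
        # the first "Access:" line carries the mode, the second a timestamp
        $1 == "Access:" && $2 ~ /^[0-9][0-9][0-9][0-9]-/ { a = $2 " " substr($3, 1, 8) }
        $1 == "Modify:" { m = $2 " " substr($3, 1, 8) }
        $1 == "Change:" { c = $2 " " substr($3, 1, 8) }
        END {
            flag = (m < c) ? "yes" : "no"
            printf "ctime=%s mtime=%s atime=%s mtime_predates_ctime=%s\n", c, m, a, flag
        }'
}

unexpected_suid "$LISTING" "$BASELINE"
stat_timeline "$STATBLOCK"
```

Run as-is it lists `/boot1/initr` and `/sbin/sid` as the only paths outside the baseline, and reports the stat block's mtime (2011) as predating its ctime (2013). The baseline diff is what makes a long inventory like the ones below reviewable at a glance, and the timestamp split is the reason to trust the Change line rather than the Modify line when estimating when a planted binary arrived on the box.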
Cleaned servers:
tux25:
tux25:~/sysadmin # cat suidfiles.txt
-rwsr-xr-x 1 root 74720 12. Okt 2007 /bin/mount
---s--x--x 1 root 226 31. Aug 16:01 /bin/delp <<< Done by Sysad
-rwsr-xr-x 1 root 57184 12. Okt 2007 /bin/umount
-rwsr-xr-x 1 root 35936 21. Sep 2007 /bin/ping6
-rwsr-xr-x 1 root 32304 21. Sep 2007 /bin/su
-rwsr-xr-x 1 root 40192 21. Sep 2007 /bin/ping
-rwsr-xr-x 1 shadow 23384 21. Sep 2007 /sbin/unix_chkpwd
-rwsr-xr-x 1 shadow 10864 21. Sep 2007 /sbin/unix2_chkpwd
-r-sr-xr-x 1 bin 154584 18. Jan 2012 /var/dcc/libexec/dccsight
-rwsr-xr-x 1 daemon 10952 21. Sep 2007 /usr/lib/majordomo/wrapper
-rwsr-xr-x 1 root 27081 21. Sep 2007 /usr/lib64/pt_chown
-rwsr-xr-x 1 root 10856 22. Sep 2007 /usr/lib64/PolicyKit/polkit-grant-helper-pam
-rwxr-sr-x 1 103 15056 22. Sep 2007 /usr/lib64/PolicyKit/polkit-grant-helper
-rwsr-xr-x 1 trusted 40672 21. Sep 2007 /usr/bin/crontab
-rwsr-xr-x 1 root 10856 21. Sep 2007 /usr/bin/man
-rwsr-xr-x 1 root 10856 21. Sep 2007 /usr/bin/mandb
-rwsr-xr-x 1 shadow 78888 21. Sep 2007 /usr/bin/chfn
-rwsr-xr-x 1 root 144344 27. Jan 2009 /usr/bin/sudo
-rwsr-xr-x 1 root 19680 21. Sep 2007 /usr/bin/newgrp
-rwxr-sr-x 1 tty 15016 21. Sep 2007 /usr/bin/write
-rwsr-xr-x 1 shadow 19552 21. Sep 2007 /usr/bin/expiry
-rwsr-xr-x 1 shadow 82424 21. Sep 2007 /usr/bin/gpasswd
-rwsr-xr-x 1 shadow 82744 21. Sep 2007 /usr/bin/chage
-rwsr-xr-x 1 shadow 78208 21. Sep 2007 /usr/bin/passwd
-rwsr-xr-x 1 shadow 74232 21. Sep 2007 /usr/bin/chsh
-rwxr-sr-x 1 tty 15152 21. Sep 2007 /usr/bin/wall
-rwsr-x--- 1 dialout 58856 28. Mai 2008 /usr/sbin/mtr
-r-xr-sr-x 1 mail 2856959 5. Dez 2014 /usr/sbin/sendmail
-rwsr-xr-x 1 root 10784 4. Jul 2008 /usr/sbin/zypp-checkpatches-wrapper
-r-sr-xr-x 1 bin 189707 23. Aug 2010 /usr/local/bin/cdcc
-r-sr-xr-x 1 bin 584923 23. Aug 2010 /usr/local/bin/dccproc
-rws--x--x 1 root 58453 16. Jan 2015 /usr/local/apache2-2.2.29/sbin/suexec.confixx
-rws--x--x 1 root 58453 16. Jul 09:13 /usr/local/apache2-2.2.29/sbin/suexec2
tux163:
cat suidfiles.txt
-rwsr-xr-x 1 shadow 10864 Sep 21 2007 /sbin/unix2_chkpwd
-rwsr-xr-x 1 shadow 23384 Sep 21 2007 /sbin/unix_chkpwd
-r-sr-xr-x 1 bin 154584 Nov 24 2008 /var/dcc/libexec/dccsight
-rwsr-x--- 1 dialout 58856 May 28 2008 /usr/sbin/mtr
-r-xr-sr-x 1 mail 2856959 Dec 5 2014 /usr/sbin/sendmail
-rwsr-xr-x 1 root 10784 Jul 4 2008 /usr/sbin/zypp-checkpatches-wrapper
-rwsr-xr-x 1 root 10856 Sep 22 2007 /usr/lib64/PolicyKit/polkit-grant-helper-pam
-rwxr-sr-x 1 103 15056 Sep 22 2007 /usr/lib64/PolicyKit/polkit-grant-helper
-rwsr-xr-x 1 root 27081 Sep 21 2007 /usr/lib64/pt_chown
-rws--x--x 1 root 58453 Sep 4 15:12 /usr/local/apache2-2.2.29/sbin/suexec2
-rws--x--x 1 root 58453 Jan 16 2015 /usr/local/apache2-2.2.29/sbin/suexec.confixx
-r-sr-xr-x 1 bin 584923 Nov 24 2008 /usr/local/bin/dccproc
-r-sr-xr-x 1 bin 189707 Nov 24 2008 /usr/local/bin/cdcc
-rwsr-xr-x 1 daemon 10952 Sep 21 2007 /usr/lib/majordomo/wrapper
-rwsr-xr-x 1 shadow 74232 Sep 21 2007 /usr/bin/chsh
-rwsr-xr-x 1 trusted 40672 Sep 21 2007 /usr/bin/crontab
-rwsr-xr-x 1 shadow 82424 Sep 21 2007 /usr/bin/gpasswd <<< change group password
-rwsr-xr-x 1 shadow 19552 Sep 21 2007 /usr/bin/expiry
-rwsr-xr-x 1 root 10856 Sep 21 2007 /usr/bin/man
-rwsr-xr-x 1 shadow 78888 Sep 21 2007 /usr/bin/chfn <<< change finger information
-rwsr-xr-x 1 shadow 82744 Sep 21 2007 /usr/bin/chage <<< change user password expiry information
-rwsr-xr-x 1 root 144344 Jan 27 2009 /usr/bin/sudo
-rwsr-xr-x 1 root 10856 Sep 21 2007 /usr/bin/mandb
-rwxr-sr-x 1 tty 15152 Sep 21 2007 /usr/bin/wall
-rwsr-xr-x 1 root 19680 Sep 21 2007 /usr/bin/newgrp
-rwsr-xr-x 1 shadow 78208 Sep 21 2007 /usr/bin/passwd
-rwxr-sr-x 1 tty 15016 Sep 21 2007 /usr/bin/write
-rwsr-xr-x 1 root 32304 Sep 21 2007 /bin/su
-rwsr-xr-x 1 root 35936 Sep 21 2007 /bin/ping6
-rwsr-xr-x 1 root 40192 Sep 21 2007 /bin/ping
-rwsr-xr-x 1 root 74720 Oct 12 2007 /bin/mount
-rwsr-xr-x 1 root 57184 Oct 12 2007 /bin/umount
---s--x--x 1 root 226 Aug 31 16:01 /bin/delp <<< Done by Sysad
-rw-r--r-- 1 root root 0 Sep 9 09:21 list_2015-09-09
tux247:
-rwsr-xr-x 1 trusted 40672 Sep 21 2007 /usr/bin/crontab
-rwxr-sr-x 1 tty 15152 Sep 21 2007 /usr/bin/wall
-rwsr-xr-x 1 shadow 19552 Sep 21 2007 /usr/bin/expiry
-rwsr-xr-x 1 shadow 82744 Sep 21 2007 /usr/bin/chage
-rwsr-xr-x 1 root 10856 Sep 21 2007 /usr/bin/mandb
-rwsr-xr-x 1 shadow 82424 Sep 21 2007 /usr/bin/gpasswd
-rwsr-xr-x 1 root 144344 Jan 27 2009 /usr/bin/sudo
-rwsr-xr-x 1 root 19680 Sep 21 2007 /usr/bin/newgrp
-rwsr-xr-x 1 shadow 78888 Sep 21 2007 /usr/bin/chfn
-rwsr-xr-x 1 shadow 78208 Sep 21 2007 /usr/bin/passwd
-rwsr-xr-x 1 root 10856 Sep 21 2007 /usr/bin/man
-rwsr-xr-x 1 shadow 74232 Sep 21 2007 /usr/bin/chsh
-rwxr-sr-x 1 tty 15016 Sep 21 2007 /usr/bin/write
-rwsr-xr-x 1 root 27081 Sep 21 2007 /usr/lib64/pt_chown
-rwxr-sr-x 1 103 15056 Sep 22 2007 /usr/lib64/PolicyKit/polkit-grant-helper
-rwsr-xr-x 1 root 10856 Sep 22 2007 /usr/lib64/PolicyKit/polkit-grant-helper-pam
-r-sr-xr-x 1 bin 584923 May 2 2011 /usr/local/bin/dccproc
-r-sr-xr-x 1 bin 189707 May 2 2011 /usr/local/bin/cdcc
-rws--x--x 1 root 58453 Jan 16 2015 /usr/local/apache2-2.2.29/sbin/suexec.confixx
-rws--x--x 1 root 58453 Sep 1 14:35 /usr/local/apache2-2.2.29/sbin/suexec2
-rwsr-xr-x 1 root 10784 Jul 4 2008 /usr/sbin/zypp-checkpatches-wrapper
-r-xr-sr-x 1 mail 2856959 Dec 5 2014 /usr/sbin/sendmail
-rwsr-x--- 1 dialout 58856 May 28 2008 /usr/sbin/mtr
-rwsr-xr-x 1 daemon 10952 Sep 21 2007 /usr/lib/majordomo/wrapper
-rwsr-xr-x 1 root 74720 Oct 12 2007 /bin/mount
-rwsr-xr-x 1 root 32304 Sep 21 2007 /bin/su
-rwsr-xr-x 1 root 40192 Sep 21 2007 /bin/ping
-rwsr-xr-x 1 root 57184 Oct 12 2007 /bin/umount
-rwsr-xr-x 1 root 35936 Sep 21 2007 /bin/ping6
---s--x--x 1 root 226 Aug 31 16:01 /bin/delp <<< Done by Sysad
-rwsr-xr-x 1 root 661528 Feb 3 2013 /boot1/initr <<< Folder boot1 created by the hackers. initr fake bash created by the hacker (Folder removed)
-r-sr-xr-x 1 bin 154584 May 2 2011 /var/dcc/libexec/dccsight
-rwsr-xr-x 1 root 431516 Sep 29 2011 /sbin/sid <<< Fake bash by the hacker (file removed)
-rwsr-xr-x 1 shadow 23384 Sep 21 2007 /sbin/unix_chkpwd
-rwsr-xr-x 1 shadow 10864 Sep 21 2007 /sbin/unix2_chkpwd
-rw-r--r-- 1 root root 0 Sep 9 09:23 list_2015-09-09

  File: `/sbin/sid'
  Size: 431516 Blocks: 856 IO Block: 4096 regular file
Device: 803h/2051d Inode: 1573092 Links: 1
Access: (4755/-rwsr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2015-09-08 02:02:43.000000000 +0200
Modify: 2011-09-29 18:34:41.000000000 +0200
Change: 2013-11-26 23:16:25.000000000 +0100
tux219:
tux3.at:
cat suidfiles.txt
-rwsr-xr-x 1 shadow 23384 Sep 21 2007 /sbin/unix_chkpwd
-rwsr-xr-x 1 shadow 10864 Sep 21 2007 /sbin/unix2_chkpwd
-r-sr-xr-x 1 bin 154584 Oct 19 2009 /var/dcc/libexec/dccsight
-rwsr-xr-x 1 root 35936 Sep 21 2007 /bin/ping6
---s--x--x 1 root 226 Aug 31 16:01 /bin/delp
-rwsr-xr-x 1 root 74720 Oct 12 2007 /bin/mount
-rwsr-xr-x 1 root 57184 Oct 12 2007 /bin/umount
-rwsr-xr-x 1 root 40192 Sep 21 2007 /bin/ping
-rwsr-xr-x 1 root 32304 Sep 21 2007 /bin/su
-rwsr-xr-x 1 root 10784 Jul 4 2008 /usr/sbin/zypp-checkpatches-wrapper
-rwsr-x--- 1 dialout 58856 May 28 2008 /usr/sbin/mtr
-r-xr-sr-x 1 mail 2712278 Nov 15 2007 /usr/sbin/sendmail
-rwsr-xr-x 1 shadow 82744 Sep 21 2007 /usr/bin/chage
-rwsr-xr-x 1 root 10856 Sep 21 2007 /usr/bin/man
-rwsr-xr-x 1 trusted 40672 Sep 21 2007 /usr/bin/crontab
-rwsr-xr-x 1 root 19680 Sep 21 2007 /usr/bin/newgrp
-rwsr-xr-x 1 root 144344 Jan 27 2009 /usr/bin/sudo
-rwsr-xr-x 1 shadow 74232 Sep 21 2007 /usr/bin/chsh
-rwxr-sr-x 1 tty 15016 Sep 21 2007 /usr/bin/write
-rwsr-xr-x 1 shadow 78888 Sep 21 2007 /usr/bin/chfn
-rwsr-xr-x 1 root 10856 Sep 21 2007 /usr/bin/mandb
-rwxr-sr-x 1 tty 15152 Sep 21 2007 /usr/bin/wall
-rwsr-xr-x 1 shadow 78208 Sep 21 2007 /usr/bin/passwd
-rwsr-xr-x 1 shadow 19552 Sep 21 2007 /usr/bin/expiry
-rwsr-xr-x 1 shadow 82424 Sep 21 2007 /usr/bin/gpasswd
-rwsr-xr-x 1 root 27081 Sep 21 2007 /usr/lib64/pt_chown
-rwsr-xr-x 1 root 10856 Sep 22 2007 /usr/lib64/PolicyKit/polkit-grant-helper-pam
-rwxr-sr-x 1 103 15056 Sep 22 2007 /usr/lib64/PolicyKit/polkit-grant-helper
-r-sr-xr-x 1 bin 584923 Oct 19 2009 /usr/local/bin/dccproc
-r-sr-xr-x 1 bin 189707 Oct 19 2009 /usr/local/bin/cdcc
-rws--x--x 1 root 58453 Apr 5 2013 /usr/local/apache2-2.2.24/sbin/suexec.confixx
-rws--x--x 1 root 58453 Jun 5 2013 /usr/local/apache2-2.2.24/sbin/suexec2
-rwsr-xr-x 1 daemon 10952 Sep 21 2007 /usr/lib/majordomo/wrapper
-rw-r--r-- 1 root root 0 Sep 9 09:24 list_2015-09-09
tux197:
tuxYY: