EH-Net
February 10, 2012, 05:29:41 AM
  Show Posts
1  Ethical Hacking Discussions and Related Certifications / Malware / Strange findings on a server compromised by perl.Bossworm (CVE-2010-0738). on: December 30, 2011, 05:19:44 PM
I've come across numerous servers over the past month which have been compromised by perl.Bossworm (CVE-2010-0738). All the servers had the same behaviour; they all had hundreds of instances of the pnscan port scanner running looking for JBoss in the HTTP headers of /16 address blocks and dumping them to /tmp. They all had the fly.pl, linda.pl, line.pl and other files associated with this worm all doing their thing.

But one server which was running RHEL 5.4 had some other strange behaviour which was not on the other servers and which I've never seen before. Unfortunately this was the first server that I'd seen with this worm and so I did not think this behaviour strange until I noticed that the others were different. By the time I got suspicious my customer had already formatted and rebuilt their server so I can't do any further investigating.

The difference between the regular infections and this one all have to do with the passwd and shadow files:

Code:
[root@server1 bin]# cat /etc/shadow
root:$1$gm9ykhCF$5SclI2Qg5qAojg64vLhbG.:15253:0:99999:7:::
root:$1$gm9ykhCF$5SclI2Qg5qAojg64vLhbG.:15253:0:99999:7:::
daemon:*:14672:0:99999:7:::
adm:*:14672:0:99999:7:::
lp:*:14672:0:99999:7:::
sync:*:14672:0:99999:7:::
shutdown:*:14672:0:99999:7:::
halt:*:14672:0:99999:7:::
mail:*:14672:0:99999:7:::
news:*:14672:0:99999:7:::
uucp:*:14672:0:99999:7:::
operator:*:14672:0:99999:7:::
games:*:14672:0:99999:7:::
gopher:*:14672:0:99999:7:::
ftp:*:14672:0:99999:7:::
nobody:*:14672:0:99999:7:::
nscd:!!:14672:0:99999:7:::
vcsa:!!:14672:0:99999:7:::
pcap:!!:14672:0:99999:7:::
rpc:!!:14672:0:99999:7:::
mailnull:!!:14672:0:99999:7:::
smmsp:!!:14672:0:99999:7:::
rpcuser:!!:14672:0:99999:7:::
nfsnobody:!!:14672:0:99999:7:::
sshd:!!:14672:0:99999:7:::
dbus:!!:14672:0:99999:7:::
haldaemon:!!:14672:0:99999:7:::
avahi-autoipd:!!:14672:0:99999:7:::
avahi:!!:14672:0:99999:7:::
ntp:!!:14672:0:99999:7:::
xfs:!!:14672:0:99999:7:::
gdm:!!:14672:0:99999:7:::
sabayon:!!:14672:0:99999:7:::
hacluster:!!:14672::::::
admin:$1$5Mq6lUXu$h6E9E0Am3s.UwK82spdNn/:15253:0:99999:7:::
user:$1$UNIM0eKr$ysqyzTeEZ1MoK7UavDM1O.:15291:0:99999:7:::
egg:$1$kTJWkCDt$Ls8.Xyik.Ao4wQMdLlBXn.:15264:0:99999:7:::
 
[root@server1 bin]# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:4294967294:4294967294:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
avahi-autoipd:x:100:101:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
sabayon:x:86:86:Sabayon user:/home/sabayon:/sbin/nologin
hacluster:x:90:90:heartbeat processes:/var/lib/heartbeat/cores/hacluster:/bin/bash
admin:x:501:500:Admin:/opt/admin:/bin/bash
user:x:0:504::/home/user:/bin/bash
egg:x:502:502::/home/egg:/bin/bash

1. A new user called "user" had been added with root privileges.
2. A new user called "egg" had been added. I presume this means an eggdrop had been installed.
3. The database user had been deleted. This is how I discovered that the server had been compromised in the first place. :-)
4. The application server user had been deleted.
5. The most curious thing (and the reason I opened this thread in the first place) is that the shadow file had 2 root users both with the same password hash and other properties, while passwd has only one root user.

I suspect that this server was being used as a C&C master instead of a zombie which is why the additional users had been added (in particular the egg user). I don't quite understand why the cracker would want to delete the database and application server users as this immediately caused things to malfunction and caused the customer to open the support case.

What I really want to know from the *NIX gurus here is what effect having 2 root users in the shadow file has on the server's functionality and user authentication?
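An added audit script (not from the post) that checks a passwd/shadow pair for the three anomalies listed above: an extra UID 0 account, a duplicated user name in either file, and names present in one file but not the other (the kind of inconsistency pwck(8) also reports). The sample input is constructed after the listing in the post, with the hashes replaced by placeholders.

```python
"""Audit passwd/shadow text for the anomalies seen on the compromised server."""
from collections import Counter

# Constructed sample modelled on the post's listing; hashes are placeholders.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
admin:x:501:500:Admin:/opt/admin:/bin/bash
user:x:0:504::/home/user:/bin/bash
egg:x:502:502::/home/egg:/bin/bash
"""
SHADOW = """\
root:$1$PLACEHOLDER$hash1:15253:0:99999:7:::
root:$1$PLACEHOLDER$hash1:15253:0:99999:7:::
daemon:*:14672:0:99999:7:::
admin:$1$PLACEHOLDER$hash2:15253:0:99999:7:::
user:$1$PLACEHOLDER$hash3:15291:0:99999:7:::
egg:$1$PLACEHOLDER$hash4:15264:0:99999:7:::
"""


def parse_colon_file(text, nfields):
    """Split a passwd (7 fields) or shadow (9 fields) file into rows of fields."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError(f"line {lineno}: expected {nfields} fields, got {len(fields)}")
        rows.append(fields)
    return rows


def audit(passwd_text, shadow_text):
    """Return a list of findings such as 'uid0:user' or 'dup:shadow:root'."""
    findings = []
    passwd = parse_colon_file(passwd_text, 7)
    shadow = parse_colon_file(shadow_text, 9)
    # 1. Any account other than root with UID 0 is a second root (the 'user' account).
    findings += [f"uid0:{r[0]}" for r in passwd if r[2] == "0" and r[0] != "root"]
    # 2. A user name listed twice in either file (the doubled root line in shadow).
    for fname, rows in (("passwd", passwd), ("shadow", shadow)):
        findings += [f"dup:{fname}:{n}" for n, c in Counter(r[0] for r in rows).items() if c > 1]
    # 3. Names present in one file only; the post's listing shows bin in passwd but not shadow.
    pnames, snames = {r[0] for r in passwd}, {r[0] for r in shadow}
    findings += [f"shadow-only:{n}" for n in sorted(snames - pnames)]
    findings += [f"passwd-only:{n}" for n in sorted(pnames - snames)]
    return findings


if __name__ == "__main__":  # on a live system this needs root to read /etc/shadow
    print("\n".join(audit(open("/etc/passwd").read(), open("/etc/shadow").read())))
```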
2  Ethical Hacking Discussions and Related Certifications / Hardware / Re: Which OS are you running currently? on: October 13, 2011, 07:36:09 PM
Windows 7 on my work PC and laptop (unfortunately it's company policy).
Windows at home too (because my daughter's computer classes are all on Windows/MS Office so they need a Windows system for homework).
I've installed Backtrack on VMware on all my work and home systems though just in case I need a *nix unit to check things.
At work I work mostly on Linux systems (Slackware, RHEL, CentOS and some custom made kernels) which I just connect to via SecureCRT or PuTTY.
3  Resources / Career Central / Re: New job.. I drive 2 hours a day now..any good pod-cast to listen to? on: October 13, 2011, 07:21:29 PM
I've got a 1 and a half hour commute in the mornings and an hour in the evenings getting home. I must confess that I usually listen to Harry Potter or other audio books on my iPod one after the other. I can't imagine wanting to listen to something technical to or from work - I need that time for musing.
4  Resources / Career Central / Re: Landed a job with a good amount of Linux involved..should I crank out Linux cert on: October 13, 2011, 07:14:21 PM
Whoa!!!  What's up Negrita?  Haven't seen much of you on EH for a little while, now...  Doing well, I hope / assume?
Yup, I'm doing well thanks. I'm working very hard though I'm loving every moment of it. I've been blessed with a very interesting and challenging job, a great team and an excellent team leader.
I still pop in here every few days even though I don't post as much as I used to.
5  Resources / Career Central / Re: Landed a job with a good amount of Linux involved..should I crank out Linux cert on: October 12, 2011, 06:51:41 PM
I've never done any formal Linux training or have any Linux certs. I started out a few years ago studying Data Communications and found myself a network support job at an ISP. Later on I moved to the NOC where I had to help check some files and run some scripts on the DNS, RADIUS and MTA servers which were all running Solaris. At the same time I read through a copy of UNIX for Dummies. All that was enough for me to write on my resume that I had a bit of *NIX experience.

In my present job I work almost all day long on Linux systems - mostly Slackware, RHEL, CentOS and also some custom stuff my company develops based on Montavista kernels. I basically learned on the job and my knowledge is quite extensive now. After over 7 years of experience I had never missed not having formal *NIX training until a few weeks ago......

We use sed and awk in some install scripts to manipulate the output of ifconfig and bind that output to some other stuff which I'm not going to go into right now. Anyway one day the installation failed and after troubleshooting I noticed that this system (which was running RHEL5) had a very old version of ifconfig which was giving some strange output. I found another system with a new version of ifconfig and tried to copy it to the problematic system but it wouldn't let me. So instead of copying it to /sbin I copied the file to /tmp and checked the file permissions and group and file ownerships and compared them to the old file in /sbin and they were exactly the same. I was logged in as root and I was not even able to delete or move the old file from its place. I was most amazed. This was the first time I had been logged on to a system as root and the system wasn't allowing me to do something I commanded it to do. Anyway it turned out that the old ifconfig file had some file attributes which were causing my problem and they had to be removed before I could swap the files and continue with the installation.

You will never use everything that you learn in formal training but it is good to do the courses just so you have the background and a good reference book to look things up when you get stuck. Who knows - in formal training they might even teach you that being root and having full permissions on a file and group and file ownership is not always enough to do what you want.

Anyway whether you do formal Linux training or not here's my advice:
1. Read UNIX for Dummies.
2. Learn the Linux CLI from here: http://linuxcommand.org/.
3. Learn VI: http://www.eng.hawaii.edu/Tutor/vi.html.

BTW, I read earlier in this thread that someone said that RHEL is a beast, but I must disagree. Besides the rpm and yum commands I find that RHEL is almost exactly the same as any other Linux system.
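The attributes in the ifconfig story above are ext file attributes such as immutable (i) and append-only (a), which lsattr(1) shows and which stop even root from replacing a file until chattr removes them. An added example, not from the post: a small scanner that parses lsattr output and reports which files in a directory carry such attributes; the sample output is constructed and the e2fsprogs lsattr line format is assumed.

```python
"""Report files whose ext attributes would block replacement even by root."""
import subprocess

# Constructed sample of lsattr output: attribute string, a space, then the path.
SAMPLE_LSATTR = """\
----i--------e-- /sbin/ifconfig
-------------e-- /sbin/ip
-----a-------e-- /var/log/audit/audit.log
"""

BLOCKING = {"i", "a"}  # immutable, append-only


def parse_lsattr(output):
    """Map each path to the set of attribute letters lsattr printed for it."""
    parsed = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or " " not in line:
            continue
        attrs, path = line.split(" ", 1)  # paths may themselves contain spaces
        parsed[path] = {ch for ch in attrs if ch != "-"}
    return parsed


def blocking_attrs(parsed):
    """Keep only paths that carry an attribute stopping writes or replacement."""
    return {p: a & BLOCKING for p, a in parsed.items() if a & BLOCKING}


def scan_dir(directory):
    """Run lsattr on a directory's entries; lsattr warnings on special files are ignored."""
    out = subprocess.run(["lsattr", directory], capture_output=True, text=True)
    return blocking_attrs(parse_lsattr(out.stdout))


if __name__ == "__main__":
    for path, attrs in scan_dir("/sbin").items():
        print(f"{path}: {''.join(sorted(attrs))}  (remove with chattr -{''.join(sorted(attrs))})")
```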
6  Resources / Tools / BackTrack4 R2 VMware Tools update issue. on: April 22, 2011, 06:53:16 PM
I am running BackTrack4 R2 on VMware Player and all was working just fine until I decided to update VMware Tools to the latest version (VMwareTools-8.4.6-385536.tar.gz). During the upgrade I got an error saying that I should mount the virtual CD-ROM, untar the VMware tools package and then run the VMware tools installer Perl script.

I did all that and it finished fine but then the BackTrack guest wouldn't boot any more and I got a message saying "Ubuntu is running in low-graphics mode" and also "(EE) Unable to locate/open config file". It then gave me a few options, one of which was to run the guest in low-graphics mode just this time (which is what I chose). I was then prompted to login. After logging in I typed the command sudo dpkg-reconfigure xserver-xorg and then chose Ok on all the options in the menu that followed. Once that finished I started the GUI again by typing startx. Everything is now back to normal.

Hope this helps anyone else that runs into this problem.
7  Resources / Tools / Re: SecureCRT on Linux on: March 19, 2011, 07:13:32 AM
I just got a PM from someone at VanDyke Software saying the following:
Quote
I wanted to let you know that SecureCRT is now available in beta version for Linux:

http://www.vandyke.com/products/beta/securecrt/index.html
8  EH-Net / News Items and General Discussion About EH-Net / Re: Voice from the past. on: January 31, 2011, 03:46:13 PM
Thank you BillV, Don and g00d_4sh for your welcomes back.

I haven't done any certs since March 2006 and so I doubt I can help with any cert info. I also don't use VMware at work (even though I have BackTrack4 on VMware Player installed on my laptop) and so I doubt that I could add any new info to the tutorial I wrote here a few years ago. I still hope that I can continue to contribute here with any other knowledge I may have which people might need.

g00d_4sh please note that I didn't get the job based solely on the CEH cert. I learned a great deal while studying for that cert and I still use MANY of the tools I learned about on a day to day basis at work.

The CEH cert gave me a foot in the door. The VP of my department was looking through the resumes of all the candidates that had passed the HR and technical interviews and he saw the CEH logo which I'd placed as a footer to my resume. He said to me that he was so consumed with curiosity about it that he couldn't resist inviting me to be interviewed by him. He wanted to know how a hacker could be both certified and ethical and also who in the world would want to certify a hacker. Once I had my foot in the door it was my own personal and technical skills that actually got me the job. Please tell this to your protege.
9  EH-Net / News Items and General Discussion About EH-Net / Voice from the past. on: January 26, 2011, 12:44:30 PM
Hey everyone

Well it's been over a year since I last logged in here. I'm still working at the same job I had before doing Tier 3 tech support for a company in the DPI industry. Just FYI, I got the job thanks to the CEH certification I had after winning a tutorial book and exam voucher here @ EH Network. Thanks again Don!!!

Anyway I hope everyone here is doing well.

10  Resources / Tools / Re: Network flow analysis on: September 03, 2008, 05:03:16 PM
This is exactly what my company does. Please see my PM to you.

P.S. Unfortunately we don't work for free.
11  Features / Opinions / Re: The greatest Hackers? on: August 30, 2008, 01:02:03 PM
Wow, that's a fantastic find, what a time capsule.   It's definitely going into my bookmarks.

Yes, a true gem!!
12  Resources / News from the Outside World / Re: Bad news for me. The worst! Yikes! on: August 20, 2008, 05:15:08 PM
Has anyone heard from Oyle? How did his cancer treatment go?
His account has been inactive for nearly a year now, and this does not bode well.
13  Columns / Editor-In-Chief / Re: Man Looks Into the Abyss... on: August 19, 2008, 04:12:26 PM
Good luck Don.
14  Ethical Hacking Discussions and Related Certifications / Other / Re: Networking question on: August 08, 2008, 05:07:13 PM
Yes, of course I use them - every day. They're used for connecting like devices as BillV mentioned and also for directly connecting PCs to the network equipment my company manufactures.
15  Ethical Hacking Discussions and Related Certifications / Malware / Re: Injecting Virus in pics... on: July 30, 2008, 01:21:30 PM
My pleasure.
© 2012 The Ethical Hacker Network