Grawlfang Prince
Joined: 18 Feb 2005 Posts: 1256 Location: The Land of our lord JC, silly walks and all
Posted: Wed Mar 19, 2008 8:06 pm Post subject: ooohhh BUGGER!!!!
Well I did wonder why my workrate had dropped a little...
....got back home this evening, logged on and found that my PC wasn't processing milkyway@home at all, but 100% CPU was bound up on something called pscan2
Bloody script kiddie had got in (well in fact two of them had) and installed some kit on my machine.
I wouldn't mind, but I protect my machine via public key authentication - well I did, but it seems that a recent upgrade to Zenwalk 4.8 undid all my clever sshd_config and put a basic one in its place... which meant that one of the usernames I gave to one of my children (which had a simple password) got broken into...
So, to the point..
Anyone know what a kit that installs into a '.pa' directory does (they installed it in /tmp/mds/.pa)? The files it contains seem to be:
Code:
root[mds]# tar ztvf pa1.tgz
drwx------ web/web 0 2007-04-05 09:08 .pa/
-rwxr-xr-x web/web 218 2006-07-14 23:51 .pa/a
-rwxr-xr-x web/web 1184 2007-04-16 04:19 .pa/a1
-rwxr-xr-x web/web 215 2006-01-11 01:19 .pa/a2
-rwxr-xr-x web/web 7213 2006-01-11 01:40 .pa/a4
-rwx------ web/web 208 2006-01-11 01:08 .pa/a5
-rwxr-xr-x web/web 141 2007-04-16 04:21 .pa/a6
-rwxr-xr-x web/web 171740 2006-07-14 23:51 .pa/pico
-rwxr-xr-x web/web 8958 2006-01-15 17:51 .pa/sshf
-rwxr-xr-x web/web 8973 2006-01-15 17:51 .pa/sshf0
-rwxr-xr-x web/web 4196 2007-04-16 04:23 .pa/start
-rw-r--r-- web/web 201 2007-04-16 04:32 .pa/README
-rw-r--r-- web/web 0 2006-07-14 23:51 .pa/22.pscan.22
-rw-r--r-- web/web 190148 2006-03-01 15:04 .pa/pass_file
-rwxr-xr-x web/web 159 2006-01-11 00:29 .pa/test.sh
-rw-r--r-- web/web 22354 2004-12-01 23:31 .pa/common
-rwxr-xr-x web/web 846832 2006-07-14 23:51 .pa/ssh-scan
-rwx------ web/web 25503 2006-07-14 23:51 .pa/pscan2
-rwxr-xr-x web/web 265 2004-11-24 23:21 .pa/gen-pass.sh
-rwxr-xr-x web/web 249980 2001-02-13 12:36 .pa/screen
-rwxr-xr-x web/web 107 2006-07-14 23:50 .pa/pass_sh
-rw-r--r-- web/web 136 2007-04-16 04:22 .pa/vuln.txt
-rw-r--r-- web/web 190148 2006-03-22 12:45 .pa/pass_filees
There was also a fontx.tgz installed in the broken-into user's home directory, which contained:
Code:
root[kiddie]# tar ztvf fontx.tgz
drwxr-xr-x prueba/prueba 0 2008-01-07 07:15 .font-UNIX/
-rw-r--r-- prueba/prueba 16652 2005-07-21 05:24 .font-UNIX/hide
-rw-r--r-- prueba/prueba 200 2005-07-21 06:01 .font-UNIX/run
-rw-r--r-- prueba/prueba 3205 2008-01-07 07:15 .font-UNIX/mech.set
drwxr-xr-x prueba/prueba 0 2008-01-07 07:14 .font-UNIX/randfiles/
-rw-r--r-- prueba/prueba 3982 2002-12-29 23:21 .font-UNIX/randfiles/randinsult.e
-rw-r--r-- prueba/prueba 519 2002-12-29 23:21 .font-UNIX/randfiles/randnicks.e
-rw-r--r-- prueba/prueba 1465 2002-12-29 23:21 .font-UNIX/randfiles/randversions.e
-rw-r--r-- prueba/prueba 830 2002-12-29 23:21 .font-UNIX/randfiles/randkicks.e
drwxr-xr-x prueba/prueba 0 2008-02-27 01:52 .font-UNIX/randfiles/.font/
-rwxr-xr-x prueba/prueba 16652 2005-07-21 05:24 .font-UNIX/randfiles/.font/hide
-rwxr-xr-x prueba/prueba 588 2008-02-27 01:00 .font-UNIX/randfiles/.font/1
-rwxr-xr-x prueba/prueba 199 2008-02-27 02:10 .font-UNIX/randfiles/.font/run
-rwxr-xr-x prueba/prueba 9283 2008-02-27 02:13 .font-UNIX/randfiles/.font/mech.set
-rwxr-xr-x prueba/prueba 588 2008-02-27 01:00 .font-UNIX/randfiles/.font/2
-rwxr-xr-x prueba/prueba 44 2008-02-25 12:22 .font-UNIX/randfiles/.font/livezone.dir
-rwxr-xr-x prueba/prueba 468134 2001-05-15 14:05 .font-UNIX/randfiles/.font/sshd
drwxr-xr-x prueba/prueba 0 2007-12-26 09:10 .font-UNIX/randfiles/.font/randfiles/
-rw-r--r-- prueba/prueba 3982 2002-12-29 23:21 .font-UNIX/randfiles/.font/randfiles/randinsult.e
-rw-r--r-- prueba/prueba 519 2002-12-29 23:21 .font-UNIX/randfiles/.font/randfiles/randnicks.e
-rw-r--r-- prueba/prueba 1465 2002-12-29 23:21 .font-UNIX/randfiles/.font/randfiles/randversions.e
-rw-r--r-- prueba/prueba 830 2002-12-29 23:21 .font-UNIX/randfiles/.font/randfiles/randkicks.e
-rw-r--r-- prueba/prueba 55316 2002-12-29 23:21 .font-UNIX/randfiles/.font/randfiles/randsay.e
-rw-r--r-- prueba/prueba 5195 2002-12-29 23:21 .font-UNIX/randfiles/.font/randfiles/randaway.e
-rw-r--r-- prueba/prueba 2495 2002-12-29 23:21 .font-UNIX/randfiles/.font/randfiles/randpickup.e
-rw-r--r-- prueba/prueba 3651 2002-12-29 23:21 .font-UNIX/randfiles/.font/randfiles/randsignoff.e
-rwxr-xr-x prueba/prueba 1033 2008-02-27 01:00 .font-UNIX/randfiles/.font/mech.levels
-rwxr-xr-x prueba/prueba 80 2008-02-25 12:22 .font-UNIX/randfiles/.font/cron.d
-rwx--x--x prueba/prueba 5 2008-02-27 01:55 .font-UNIX/randfiles/.font/mech.pid
-rwxr-xr-x prueba/prueba 588 2008-02-27 01:00 .font-UNIX/randfiles/.font/0
-rwxr-xr-x prueba/prueba 2532 2005-07-21 06:03 .font-UNIX/randfiles/.font/config
-rwxr-xr-x prueba/prueba 76 2008-02-27 01:55 .font-UNIX/randfiles/.font/LinkEvents
-rwxr-xr-x prueba/prueba 588 2008-02-27 01:00 .font-UNIX/randfiles/.font/3
-rwxr-xr-x prueba/prueba 764 2007-12-26 08:53 .font-UNIX/randfiles/.font/conf
-rwxr-xr-x prueba/prueba 265 2008-02-25 12:22 .font-UNIX/randfiles/.font/y2kupdate
-rw-r--r-- prueba/prueba 55316 2002-12-29 23:21 .font-UNIX/randfiles/randsay.e
-rw-r--r-- prueba/prueba 5195 2002-12-29 23:21 .font-UNIX/randfiles/randaway.e
-rw-r--r-- prueba/prueba 2495 2002-12-29 23:21 .font-UNIX/randfiles/randpickup.e
-rw-r--r-- prueba/prueba 3651 2002-12-29 23:21 .font-UNIX/randfiles/randsignoff.e
-rw-r--r-- prueba/prueba 6 2007-12-26 08:28 .font-UNIX/mech.pid
-rw-r--r-- prueba/prueba 2532 2005-07-21 06:03 .font-UNIX/config
-rw-r--r-- prueba/prueba 34 2007-12-26 08:28 .font-UNIX/LinkEvents
-rw-r--r-- prueba/prueba 468134 2001-05-15 14:05 .font-UNIX/emech
And finally I found a new user added - 'sshhd' - any clues what may have been installed [or attempted to be installed] with this?
Fortunately (as I know of no current security issues with my version of Zenwalk) they only got into a restricted user account (not even in the same group as my main login), so I don't think too much damage was done - but if anyone knows what these kits do I'd love to know?
Ni! [and a little embarrassed]
Fang
_________________
Listen; Strange women laying in ponds, distributing swords, is no basis for a system of government.
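The post above describes two things a package upgrade or an intruder can leave behind that are easy to miss until the CPU is pegged: an sshd_config silently reset to password logins, and an extra account that nobody created. The following is an added example, not code from the original post or from the Zenwalk project, of a small POSIX sh audit for exactly those two conditions plus the hidden scratch directory the kit was unpacked into. File paths are passed as arguments so the checks can also be run against copies pulled off a compromised disk. The sshd_config keywords are real OpenSSH keywords; the baseline file name /etc/passwd.baseline is a hypothetical name for a copy of /etc/passwd saved while the machine was known to be clean.

```shell
#!/bin/sh
# Added example (not part of the original post): post-upgrade audit for a
# reset sshd_config, unexpected accounts and hidden directories in /tmp.

# Effective value of a global sshd_config keyword. sshd honours the FIRST
# occurrence of a keyword and ignores later duplicates, so a hardening line
# left at the bottom of a freshly reset file does nothing; mirror that here.
# Assumes the "Keyword value" form (no "=") and no Match blocks.
sshd_opt() {   # $1 config file, $2 keyword, $3 value to report when absent
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" -v def="$3" '
        /^[[:space:]]*#/ || NF < 2 { next }              # comments, blanks
        tolower($1) == key { print $2; found = 1; exit } # first hit wins
        END { if (!found) print def }
    ' "$1"
}

# Returns 0 when the config still enforces key-only logins, 1 otherwise.
# OpenSSH defaults PasswordAuthentication and PubkeyAuthentication to "yes";
# PermitRootLogin's default has changed between releases, so an explicit
# "no" is required rather than trusting whatever the build assumes.
check_sshd_config() {   # $1 config file
    rc=0
    pw=$(sshd_opt "$1" PasswordAuthentication yes)
    pk=$(sshd_opt "$1" PubkeyAuthentication yes)
    rl=$(sshd_opt "$1" PermitRootLogin unset)
    [ "$pw" = no ]  || { echo "WARN: PasswordAuthentication is '$pw' (expected no)"; rc=1; }
    [ "$pk" = yes ] || { echo "WARN: PubkeyAuthentication is '$pk' (expected yes)"; rc=1; }
    [ "$rl" = no ]  || { echo "WARN: PermitRootLogin is '$rl' (expected no)"; rc=1; }
    return $rc
}

# Account names in the current passwd file that are absent from a baseline
# passwd file saved while the machine was known to be clean. The 'sshhd'
# user from the post would be reported here. Both files are passwd format.
new_accounts() {   # $1 baseline passwd, $2 current passwd
    awk -F: 'NR == FNR { known[$1]; next } !($1 in known) { print $1 }' "$1" "$2"
}

# Hidden directories under world-writable scratch space, where kits like the
# one in the post are routinely unpacked (/tmp/mds/.pa). -mindepth/-maxdepth
# are GNU and BSD find extensions rather than strict POSIX.
hidden_dirs() {   # $@ directories to scan
    find "$@" -mindepth 1 -maxdepth 3 -type d -name '.*' 2>/dev/null
}

# Run the audit against the live system when invoked as: ./audit.sh --audit
if [ "${1:-}" = --audit ]; then
    check_sshd_config /etc/ssh/sshd_config
    # /etc/passwd.baseline is a hypothetical name for a saved clean copy
    if [ -f /etc/passwd.baseline ]; then
        new_accounts /etc/passwd.baseline /etc/passwd
    fi
    hidden_dirs /tmp /var/tmp
fi
```

The first-occurrence rule in sshd_opt is the part worth remembering: after an upgrade has dropped in a stock sshd_config, appending the old hardened lines to the end of it does nothing, because sshd has already taken the stock "PasswordAuthentication yes" above them. Saving a known-good copy of /etc/passwd and diffing against it is a cheap way to spot an account like 'sshhd' before it is used.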