[Full-Disclosure] Severe exploit found, all UNIX are affected!
gaubrig at yahoo.com
Thu Sep 16 22:31:54 BST 2004
--- "Billy B. Bilano" <mr.bill.bilano at email.server.unix.bill.bilano.biz>

> Bad news today. Oh my goodness! I am in a tizzy-fit over this! I am such an expert at system administrating but even the best of us fall from glory now and then. And let me tell you, this is one time I believe somebody got the best of me... and that somebody is a fellow named Charles!
>
> It all started when my big OpenBSD box took a dumper and I got paged. So I get into the bank and start to look around and I poke and prod the box and then I log into it and run the appropriate debug tools (ls, ps, top, cut, etc. -- pun not intended). I notice, at long last, that the console messages were not lying... the hard drive was indeed full! (you can never be too sure about that sort of thing as everybody will agree)
>
> The offending file was the previous administrator (Stan, who got fired when I became IT director because he was a puss and always joked about beer and had a picture of some baby looking at teats saying "lunch" on his cube wall -- that offended me as a larger man). So his old administrator account has a huge mail spoolball that is taking up 80% of the drive! Holy crappers! So I logged in as "stan" and used his password he gave me in exchange for his severance package. I typed "mail" hoping to see if this would let me view his mail and it did -- thank god! What I saw scared the holy mole dickens out of me...
>
> Thousands of emails! As I started reading them, I realized the full extent of what is, without a doubt, going to become known as the biggest and most notorious hack in the history of the
> Northcutt better take out that section about the Mitnik attack in that terrible book he is always rehashing with only a spit-shine and fancy new cover because here comes something leaner and meaner! (I have re-bought that nut's book eight times and it is always the same old cruft over and over but there won't be a ninth purchase, you bet your pink pajamas!) Someone needs to tell him that SANS is not the MANS!
>
> This is BIG, folks! The mails... there were big ones and small ones and they all had one thing in common: they were from a person who would soon be determined to be a master hacker who has obviously infiltrated the bank's system long ago, before I even canned Stan (he was such a chump and always lost his wallet because he wore those baggy hacker pants). It seems that this black head hacker, named Charlie Root, has been busy alright... Every night, like clockwork, he sends me a few emails that contain the most intimate of details about the server! Drive space, logins, users I've created and removed, and more! I think he is trying to extort money from the bank!
>
> I was scared to hell to raise any red alarms at the bank so I started to look around and I believe I found out who this Charlie Root person really is:
>
> It seems that old Chinski used to play baseball for the Brown Cubs back in his youth. Clearly, from reading about his shoddy career, he was washed up as his stats are terrible by modern standards and he retired from the game in 1970! Now, as is abundantly clear, he has reached a desperate point in his life and is now devoting his time to taking over the world's infrastructure and trying to do phishy things and extort money from gallant administrators like myself.
>
> I looked into the front directory on my server and saw a folder called "root"! OMGF! I dove into his folder and saw all kinds of hacker files (like some thinger called ".bash_history" which seems to contain a list of commands he uses to take over the system, and ".forward" which contains Stan's email address). There were also tarballers for other things that look like old log backups! Incredible! I tried to delete some of these trojan files but it said I could not! I did some more looking around and found another startling fact: Charlie Root has changed my shell! It is not sh like it should be, it has been set to "stsh" which is certainly some kind of backdoor hacker tool to capture my strokes!
>
> Normally I would just reboot the server but this time, since I was at lunch, I decided to play around with my EMACKS script on my new Sun 6800's and, by chance, I saw that almost every file on the system was already owned by the "root" fellow! He has the guile to call himself "Super-User!" when I fingered (LOL) his account! We have only had these systems for a little over a month and this Charlie Root has already taken over every UNIX server in the bank!
>
> This may be the end of our company if I cannot get this hacker out of our systems and expunge the network of this wretched "root" Chinski thing. I will not bow to his extortion attempts!
>
> Someone please tell me what I should do next!
>
> P.S. My bloglog has more background info and stuff about Chinski's involvement in Y2000K... <http://www.bilano.biz/>
>
> Mr. Billy B. Bilano, MSCE, CCNA
> Expert Sysadmin Since 2003!
> 'C:\WINDOWS, C:\WINDOWS\GO, C:\PC\CRAWL' -- RMS
>
> Full-Disclosure - We believe in it.
Full-Disclosure is hosted and sponsored by Secunia.