A few weeks ago, some script kiddie from Romania hopped on my AppleTV that I’d converted to run Linux. My first hint that something was wrong was that the “-h” argument to ls stopped working properly. I’d been using this box as a fileserver with a USB drive attached to it for storage. I pulled the machine from the network, but didn’t get a chance to peek at what had happened until now.
First stop, auth.log:
Oct 31 15:51:59 appletv sshd[1629]: reverse mapping checking getaddrinfo for 79-117-141-201.rdsnet.ro [79.117.141.201] failed - POSSIBLE BREAK-IN ATTEMPT!
Oct 31 15:52:02 appletv sshd[1629]: Accepted password for bull from 79.117.141.201 port 50414 ssh2
Oct 31 15:52:02 appletv sshd[1629]: pam_unix(sshd:session): session opened for user bull by (uid=0)
Well, this is a pretty good sign that the box was rooted. Let's take a look in /home:
# ls -alh
drwxr-xr-x 7 root root 4.0k Oct 24 21:00 .
drwxr-xr-x 22 root root 4.0k Oct 11 2009 ..
drwxr-xr-x 51 1000 1000 4.0k Nov 2 16:21 bill
drwxr-xr-x 2 1002 1003 4.0k Oct 31 20:53 bull
drwxr-xr-x 2 1004 1005 4.0k Oct 24 21:20 cgi
drwxr-xr-x 2 1003 1004 4.0k Oct 17 21:10 enter
drwxr-xr-x 7 1001 1001 4.0k Feb 22 2010 gabesk
Looking through the directories, I see that cgi still has a .bash_history:
ls -a
./run 123.36
./ftp_scanner.c 123.36
clear
ls -a
cd ..
ls -a
su
clear
cd /var
ls -a
cd tmp
chmod +x
chmod * =x
chmod * -x
clear
ls -a
pwd
mkdir " "
cd " "
clear
ps -aux
ls -a
clear
ls
screen -r
clear
cat /proc/cpuinfo
ls -a
tar xzvfdedicate.tar
tar xzvf dedicate.tar
clear
ls -a
cd fb
ls -a
pico run
ls -a
pico pass
ls -a
pico pass
ls -a
screen
screen -wipe
cd var/tmp
bash -i
cd /var/tnp
cd /var/tmp
clear
ls -a
cd " "
clear
cd fb
clear
ls -a
clear
ls -a
ps -aux
screen
ps -aux
ls -a
w
cd /var/tmp
cd " "
cd fb
clear
ls -a
ps -aux
ls -a
screen -r
ls -a
./ftp_scanner 0-100
./ftp_scanner 192.168.0.0/24
./ftp_scanner -h 192.168.0.0/24
clear
./192.168.0.0/24
clear
ps -aux
ls -a
./ftp_scanner
pico run
./ftp_scanner
./ftp_scanner -h 123.36.0.0/16 -u users -p pass -t 6 -c 20 -o log -d -k -C
ls -a
cat log
pico o
ls -a
pico ftp_scanner
ls -a
pico 100-200
ls -a
./run 0-100
ps -aux
ls -a
./run 100-200
./run 200-255
ps -aux
cd /var/tmp
cd " "
cdfb
ps -aux
cd fb
ls -a
screen -r
cd /var/tmp
ls -a
cd ""
cd .vox
cd /var/tmp
cd " "
cd .vox
clear
cdfb
ps -aux
ls -a
cd fb
ls -a
screen-r
screen -r
clear
ls -a
pico log
ls -a
ps -aux
ls -a
w
cd /var/tmp
cd " "
cd .vox
ps- aux
ls -a
cdfb
clear
ps -aux
ls -a
cd fb
screen -r
clear
ls -a
catlog
cat log
killall -9 -vq ftp_scanner
clear
ls -a
s -aux
ps -aux
w
cdb /var/tmp
cd " "
ls -a
cd /var/tmp
cd " "
ls -a
tar -xvf multiscan.tgz
rm -rf multiscan.tgz
cd .vox
ls -a
rm -rf vuln.txt
screen
cd /var/tmp
cd " "
cd .vox
ls -a
cat vuln.txt
clear
cat vuln.txt
screen -r
cat buln.txt
cat vuln.txt
./start 201
There are quite a few hints as to what happened in there. One of them is that there should be a directory whose name is a single space in /var/tmp:
# ls -al
drwxr-xr-x 4 1004 1005 4096 Oct 28 18:26
drwxrwxrwt 3 root root 4096 Oct 24 21:10 .
drwxr-xr-x 14 root root 4096 Jan 23 2010 ..
Well, isn’t that interesting.
# find .
.
./
./ /.vox
./ /.vox/ssh-scan
./ /.vox/start
./ /.vox/screen
./ /.vox/pscan2
./ /.vox/pass_file
./ /.vox/gen-pass.sh
./ /.vox/vuln.txt
./ /.vox/core
./ /.vox/common
./ /.vox/a
./ /fb
./ /fb/log
./ /fb/ftp_scanner
./ /fb/users
./ /fb/0-100
./ /fb/100-200
./ /fb/run
./ /fb/200-255
./ /fb/pass
./ /fb/o
./ /fb/ftp_scanner.c
In vuln.txt, I see a list of machines with poorly set passwords (anonymized and truncated):
root:root:201.9.x.x
root:admin:201.11.x.x
root:root:201.20.x.x
root:root:201.20.x.x
root:admin:201.20.x.x
root:admin:201.20.x.x
root:admin:201.20.x.x
root:root:201.20.x.x
root:root:201.20.x.x
root:root:201.25.x.x
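To triage an auth.log like the excerpt at the top of the post faster than eyeballing it, here is an added example (not code from the original post) that parses sshd's "Accepted" and reverse-mapping lines and flags logins by accounts the owner did not create, from addresses whose reverse DNS check failed, or by password on a host meant to accept keys only. The set of known users (bill and gabesk, the home directories that predate the intrusion) and the fourth sample line are assumptions.

```python
import re

# Regexes for the two sshd message forms seen in the auth.log excerpt.
PREFIX = r"^(?P<ts>\w{3} +\d+ [\d:]{8}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
ACCEPTED_RE = re.compile(
    PREFIX + r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)"
)
REVMAP_RE = re.compile(
    PREFIX + r"reverse mapping checking getaddrinfo for \S+ \[(?P<ip>[\d.]+)\] failed"
)


def triage_auth_log(lines, known_users, password_auth_expected=False):
    """Return (user, ip, reasons) for each accepted sshd login that looks out of place.

    Flags a login when the user is not an account the owner created, when the same
    sshd pid earlier logged a failed reverse-DNS check for the source address, or
    when password auth succeeded on a host that is supposed to accept keys only.
    """
    revmap_failed = set()  # (pid, ip) pairs that triggered the reverse-mapping warning
    findings = []
    for line in lines:
        m = REVMAP_RE.match(line)
        if m:
            revmap_failed.add((m["pid"], m["ip"]))
            continue
        m = ACCEPTED_RE.match(line)
        if not m:
            continue  # pam session-open lines, disconnects and other noise
        reasons = []
        if m["user"] not in known_users:
            reasons.append("unknown user")
        if (m["pid"], m["ip"]) in revmap_failed:
            reasons.append("reverse DNS mismatch")
        if m["method"] == "password" and not password_auth_expected:
            reasons.append("password auth")
        if reasons:
            findings.append((m["user"], m["ip"], tuple(reasons)))
    return findings


# Constructed sample: the three lines from the post plus an assumed normal key-based LAN login.
SAMPLE = [
    "Oct 31 15:51:59 appletv sshd[1629]: reverse mapping checking getaddrinfo for 79-117-141-201.rdsnet.ro [79.117.141.201] failed - POSSIBLE BREAK-IN ATTEMPT!",
    "Oct 31 15:52:02 appletv sshd[1629]: Accepted password for bull from 79.117.141.201 port 50414 ssh2",
    "Oct 31 15:52:02 appletv sshd[1629]: pam_unix(sshd:session): session opened for user bull by (uid=0)",
    "Nov  2 16:21:07 appletv sshd[1702]: Accepted publickey for bill from 192.168.0.10 port 51000 ssh2",
]

if __name__ == "__main__":
    for finding in triage_auth_log(SAMPLE, known_users={"bill", "gabesk"}):
        print(finding)
```

Run it against the real file with `triage_auth_log(open("/var/log/auth.log"), {...})` and the bull login is the only hit; a legitimate key-based login from a known account produces nothing.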