There was more...
The whitepaper given was incomplete and not the final paper, so I'll just add a few other things we did also:
Results of the Perl program I made to drop packets:
A simple example is shown:
--- 192.168.0.201 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
--- 192.168.0.202 ping statistics ---
6 packets transmitted, 0 packets received, 100% packet loss <<<<<<OUR SERVER
--- 192.168.0.203 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
We ran a lot of daemons, but we linked them all to /dev/null or /bin/false, so they would be picked up in a scan but could not be exploited in any way.
Then Telnet was finally disabled and SSH2 installed. Secure shell! Oh yeah.
Apache was some old decrepit 1.3.6, so we updated that to 1.3.20; the latest release covers some security flaws.
HTTP/1.1 501 Method Not Implemented
Date: Thu, 04 Oct 2001 05:51:41 GMT
Server: Apache/1.3.20 (Unix)
A log cleaner was written specifically for this OS. It will hide all the users currently logged on.
Then we wrote another program to monitor any logins after we cleared; this program ran every 100 seconds. I suppose this could be added to cron in the real scenario.
Then we manually patched some local exploits such as the su trojan and the suidperl exploit, which give a local normal user root. The way we achieved this was to mkdir LC_MESSAGES in /tmp and chown it to root, making the su trojan unable to function. Then the suidperl exploit... LMAO... we simply chown that too, but this could be rename /usr/bin/suidperl and link or PATH=$.
Installed dsniff and listened on eth0, which will sniff clear-text daemons like telnet and ftp and so on. We retrieved team3's user and pass, then su and passwd, but this was way too late because team 1 were already doing the dirty.
Added some ipchains rules to deny the opposing team1:
./ipchains -A input -s 192.168.0.201 -p TCP -j REJECT
./ipchains -A input -s 192.168.0.201 -p ICMP -j REJECT
./ipchains -A input -s 192.168.0.201 -p UDP -j DENY
This sets some simple rules, plus our Perl program from before.
Last but not least, Pir8 programmed a script to open services for 3 seconds and then close them at 1 min intervals, so as to stop any brute forces or exploits.
All this failed to stop us getting root compromised. Apache?
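The login monitor mentioned above (the program that re-checked logins every 100 seconds after the log clean) is not shown in the post. As an added example, not the team's own code, here is a Python version: it parses `who` output into sessions, diffs each snapshot against the previous one, and reports any session that appeared in between. The sample `who` lines and usernames are constructed; the interval and the `who` format are assumptions.

```python
import subprocess
import time
from typing import NamedTuple, Set


class Session(NamedTuple):
    user: str
    tty: str
    when: str
    host: str  # empty string for local (console) logins


def parse_who(output: str) -> Set[Session]:
    """Parse `who` output; each line looks like 'user tty time... [(host)]'."""
    sessions = set()
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # blank or truncated line
        host = ""
        if parts[-1].startswith("(") and parts[-1].endswith(")"):
            host = parts[-1][1:-1]  # remote address shown in parentheses
            parts = parts[:-1]
        sessions.add(Session(parts[0], parts[1], " ".join(parts[2:]), host))
    return sessions


def new_sessions(known: Set[Session], current: Set[Session]) -> Set[Session]:
    """Sessions present now that were absent from the previous snapshot."""
    return current - known


def snapshot() -> Set[Session]:
    """Take a live snapshot by running the real `who` command."""
    return parse_who(subprocess.run(["who"], capture_output=True, text=True).stdout)


# Constructed sample snapshots in the style of `who` on a 2001-era Linux box.
WHO_BEFORE = """root     tty1     Oct  4 05:40
defender pts/0    Oct  4 05:45 (192.168.0.203)
"""
WHO_AFTER = WHO_BEFORE + "team1    pts/1    Oct  4 05:51 (192.168.0.201)\n"


def monitor(interval: int = 100) -> None:
    """Loop forever, reporting logins that appeared since the last check."""
    known = snapshot()
    while True:
        time.sleep(interval)
        current = snapshot()
        for s in sorted(new_sessions(known, current)):
            print(f"NEW LOGIN: {s.user} on {s.tty} at {s.when} from {s.host or 'local'}")
        known = current


if __name__ == "__main__":
    monitor()
```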