XL-Reaper (n00b)
Joined: 25 Mar 2003, Posts: 50
Posted: Fri May 14, 2004 6:11 pm, Post subject: Possible attack?

Hi,
I've just noticed strange commands in the history of my user running gameservers.
PROMPT_COMMAND='pwd>&7;kill -STOP $$'
and
cd "`echo -e '\057\165\163\162\057\154\157\143\141\154\057\147\141\155\145\163\057\143\157\144'`"
Could somebody explain to me what these commands are trying to achieve?
spamspam (Apprentice)
Joined: 05 Dec 2003, Posts: 153
Posted: Fri May 14, 2004 6:31 pm, Post subject: Umm, yeah...

I'm not sure about the first command (other than that it's telling bash to run "pwd>&7;kill -STOP $$" before each time it displays the prompt).
The second is interesting... you probably have a directory called "/usr/local/games/cod" that has some things in it you may not want.
dsd (Developer)
Joined: 30 Mar 2003, Posts: 2162, Location: nr London
Posted: Fri May 14, 2004 6:33 pm, Post subject: Re: Possible attack?

strange stuff.
the first one is setting a bash feature - a command that is run every time the prompt is displayed. for example, do this at a console:
PROMPT_COMMAND='date'
pwd
whoami
you'll see it's running "date" before every prompt. to unset it, do
PROMPT_COMMAND=''
the command that they are using appears to save the current working directory to a file opened at file descriptor 7. i'm not too sure about the kill command, it appears to be sending the STOP signal to the bash process that is running the console..?
feel free to post more of the logs if anything else stands out.
the cd command is changing directory to "/usr/local/games/cod".
_________________
http://dev.gentoo.org/~dsd
XL-Reaper (n00b)
Joined: 25 Mar 2003, Posts: 50
Posted: Fri May 14, 2004 6:34 pm

that's my call of duty server
When I run the first command it kills the bash ...
I really wonder where those commands come from
spamspam (Apprentice)
Joined: 05 Dec 2003, Posts: 153
Posted: Fri May 14, 2004 6:38 pm, Post subject: hmmm...

Quote:
> that's my call of duty server

Have you looked in the script that you use to run call of duty? Maybe there's clues in there.
XL-Reaper (n00b)
Joined: 25 Mar 2003, Posts: 50
Posted: Fri May 14, 2004 6:45 pm

I don't think that this will show up in my bash history, or would it?
I will check the COD scripts
barbar (Guru)
Joined: 16 Apr 2003, Posts: 397, Location: Austria
XL-Reaper (n00b)
Joined: 25 Mar 2003, Posts: 50
Posted: Fri May 14, 2004 7:16 pm

Ahh!
Thanks - I used mc yesterday - you helped me a lot
GentooBox (Veteran)
Joined: 22 Jun 2003, Posts: 1168, Location: Denmark
Posted: Fri May 14, 2004 7:38 pm, Post subject: Re: Possible attack?

XL-Reaper wrote:
> cd "`echo -e '\057\165\163\162\057\154\157\143\141\154\057\147\141\155\145\163\057\143\157\144'`"

how did you guys find out what that is?
did you simply execute the command?
or do you have some sort of shellcode converter?
_________________
Encrypt, lock up everything and duct tape the rest
dsd (Developer)
Joined: 30 Mar 2003, Posts: 2162, Location: nr London
Posted: Fri May 14, 2004 7:39 pm

if you break it up, you end up with this in the middle:
Code:
echo -e '\057\165\163\162\057\154\157\143\141\154\057\147\141\155\145\163\057\143\157\144'
running that at a console will "decode" it
_________________
http://dev.gentoo.org/~dsd
tomk (Bodhisattva)
Joined: 23 Sep 2003, Posts: 7221, Location: Sat in front of my computer
Posted: Sat May 15, 2004 9:35 am

By default bash interprets escaped numbers in octal. You can work it out from an ascii chart if you want. 057 = /, 165 = u, 163 = s, etc.
_________________
Search | Read | Answer | Report | Strip
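An added example, not code from the thread: a small Python decoder for the escape sequences that bash's builtin `echo -e` understands (the octal `\NNN` form tomk describes, plus `\0NNN`, `\xHH` and the usual `\n`-style escapes), so a history line like the one XL-Reaper quoted can be read without running it, as dsd's post suggests doing at a console. The sample line is constructed from the post; the function and constant names are this example's own.

```python
import re

# Constructed sample: the obfuscated cd command quoted earlier in this thread.
SAMPLE_HISTORY_LINE = (
    r'''cd "`echo -e '\057\165\163\162\057\154\157\143\141\154'''
    r'''\057\147\141\155\145\163\057\143\157\144'`"'''
)

# Single-character escapes understood by bash's builtin "echo -e".
SIMPLE_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "a": "\a", "b": "\b",
                  "f": "\f", "v": "\v", "e": "\x1b", "\\": "\\"}

# \0nnn (0-3 octal digits), \nnn (1-3 octal digits), \xHH (1-2 hex digits),
# or one of the simple escapes above; any other backslash is left untouched.
ESCAPE_RE = re.compile(
    r"\\(x[0-9A-Fa-f]{1,2}|0[0-7]{0,3}|[1-7][0-7]{0,2}|[ntrabfve\\])")


def decode_echo_e(text: str) -> str:
    """Expand escape sequences the way `echo -e` would, without executing anything."""
    def expand(match: re.Match) -> str:
        seq = match.group(1)
        if seq[0] == "x":
            return chr(int(seq[1:], 16))
        if seq[0] in "01234567":
            return chr(int(seq, 8) & 0xFF)   # echo emits a single eight-bit character
        return SIMPLE_ESCAPES[seq]
    return ESCAPE_RE.sub(expand, text)


# `echo -e '...'` wherever it appears in a line (backticks, $( ), plain); the
# single-quoted payload is group 1.
ECHO_RE = re.compile(r"echo\s+-e\s+'([^']*)'")


def decode_echo_payloads(history_line: str) -> list[str]:
    """Return every `echo -e` payload found in a shell history line, decoded."""
    return [decode_echo_e(payload) for payload in ECHO_RE.findall(history_line)]


if __name__ == "__main__":
    for decoded in decode_echo_payloads(SAMPLE_HISTORY_LINE):
        print(decoded)   # /usr/local/games/cod
```

Feeding `~/.bash_history` through `decode_echo_payloads` line by line shows what such a `cd` would have resolved to, which is the check dsd and tomk perform by hand above.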