This all started, oh, a week or so ago... (hostnames and IPs changed to protect the innocent). joff had asked a bunch of us to test the security of the machine that hosts somesite.us. This was kinda late one night, but I couldn't sleep anyway, so I took up the challenge. And yes, this is a box that he owns and I had/have an account on, so I wasn't violating any sort of laws/rules.

I already knew a good bit about the box. It was a RedHat 9 box set up by fairly competent admins and was behind some sort of a firewall. I don't know of any local or remote exploits for RedHat 9, and figured that all of the remotely accessible services were either part of the stock install or were installed from relatively new, secure and stable code.

A quick nmap of the host showed a bunch of services up:

    22/tcp   open  ssh
    23/tcp   open  telnet
    25/tcp   open  smtp
    53/tcp   open  domain
    80/tcp   open  http
    443/tcp  open  https
    993/tcp  open  imaps
    8443/tcp open  https-alt

The ssh daemon on port 22 was new and only allowed ssh version 2:

    $ telnet somesite.us 22
    Trying 10.0.0.230...
    Connected to somesite.us.
    Escape character is '^]'.
    SSH-2.0-OpenSSH_3.6.1p2
    SSH-1.0-OpenSSH-3.6.0p1
    Protocol major versions differ.
    Connection closed by foreign host.

(The first SSH- line is the daemon's banner; the SSH-1.0 line is the client version string typed into the telnet session, which the daemon refuses instead of falling back to protocol 1.) Port 23 revealed the same ssh daemon, just running on a non-standard port.

Port 25 was what appeared to be a Postfix SMTP server. A few quick checks for open relaying proved pointless, as Postfix ships relay-free by default. I then checked for common misconfigurations. I tried the 'vrfy' command, which lets a client verify whether a recipient exists:

    $ telnet somesite.us 25
    Trying 10.0.0.230...
    Connected to somesite.us.
    Escape character is '^]'.
    220 falling.somesite.us ESMTP Postfix
    helo foo
    250 falling.somesite.us
    vrfy root
    252 root
    vrfy joff
    252 joff
    vrfy f
    550 <f>: User unknown

This tells me that users 'root' and 'joff' exist as valid mail recipients, whereas 'f', not surprisingly, does not.
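The VRFY exchange above, scripted, as an added example (this is not code from the original write-up). The client half, enumerate_users(), speaks the same HELO/VRFY/QUIT sequence over any connected socket and classifies the reply codes; because the page's host is not reachable, it is driven here against a stand-in "Postfix" thread that answers 252 for a constructed account list (root, joff, postfix, apache are assumed names, not a real box's) and 550 otherwise, and that can also imitate the 502 reply a server gives when VRFY is switched off.

```python
"""SMTP VRFY user enumeration, runnable offline over a socketpair.

Added example, not the original author's code. The server side is a
constructed stand-in mimicking the replies seen in the write-up.
"""
import socket
import threading

# Constructed account list for the stand-in server (assumed, not from a real host).
KNOWN_USERS = {"root", "joff", "postfix", "apache"}


def _recv_line(sock):
    """Read one CRLF-terminated SMTP line; None once the peer has closed."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            return None if not buf else buf.decode("ascii", "replace")
        buf += chunk
    return buf[:-2].decode("ascii", "replace")


def _fake_postfix(conn, vrfy_enabled=True):
    """Stand-in for the server side: banner, HELO, VRFY, QUIT, one client."""
    with conn:
        conn.sendall(b"220 falling.somesite.us ESMTP Postfix\r\n")
        while True:
            line = _recv_line(conn)
            if line is None:
                return                                   # client went away
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "HELO":
                conn.sendall(b"250 falling.somesite.us\r\n")
            elif verb == "VRFY" and not vrfy_enabled:
                conn.sendall(b"502 5.5.1 VRFY command is disabled\r\n")
            elif verb == "VRFY":
                if arg in KNOWN_USERS:
                    conn.sendall(f"252 {arg}\r\n".encode())
                else:
                    conn.sendall(f"550 <{arg}>: User unknown\r\n".encode())
            elif verb == "QUIT":
                conn.sendall(b"221 Bye\r\n")
                return
            else:
                conn.sendall(b"502 5.5.2 Error: command not recognized\r\n")


def enumerate_users(sock, candidates, helo="foo"):
    """VRFY each candidate over an already-connected SMTP socket.

    Returns {name: True (accepted), False (rejected), None (VRFY disabled
    or unexpected reply)}. Replies are read as single lines, which is what
    Postfix sends for HELO and VRFY; EHLO would need its 250- continuation
    lines drained first.
    """
    results = {}
    with sock:
        _recv_line(sock)                                 # 220 banner
        sock.sendall(f"HELO {helo}\r\n".encode())
        _recv_line(sock)                                 # 250 greeting
        for name in candidates:
            sock.sendall(f"VRFY {name}\r\n".encode())
            reply = _recv_line(sock) or ""
            code = reply[:3]
            if code == "502":
                results[name] = None                     # VRFY switched off
            elif code.startswith("2"):
                results[name] = True                     # Postfix answers 252
            elif code.startswith("5"):
                results[name] = False                    # 550 User unknown
            else:
                results[name] = None
        sock.sendall(b"QUIT\r\n")
        _recv_line(sock)                                 # 221 Bye
    return results


def demo(candidates=("root", "joff", "f", "apache"), vrfy_enabled=True):
    """Run the client against the stand-in server; no network is touched."""
    client_end, server_end = socket.socketpair()
    t = threading.Thread(target=_fake_postfix, args=(server_end, vrfy_enabled), daemon=True)
    t.start()
    results = enumerate_users(client_end, candidates)
    t.join(timeout=5)
    return results


if __name__ == "__main__":
    for user, state in demo().items():
        print(f"{user:8} {'exists' if state else 'unknown' if state is False else 'n/a'}")
```

Against a live host the call is enumerate_users(socket.create_connection((host, 25), timeout=10), names). The fix on the server side is the setting the 502 branch models: disable_vrfy_command = yes in Postfix's main.cf, after which every candidate comes back None and the enumeration yields nothing.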
Not only does this give me targets to send malicious mail to, it gives me a good idea of what accounts might actually exist on the system (daemon accounts and so on), which in turn hints at what services might be running and what accounts might be misconfigured.

Port 53 was a BIND 9.2.2 server:

    $ dig @somesite.us chaos txt version.bind

    ; <<>> DiG 9.2.2 <<>> @somesite.us chaos txt version.bind
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 547
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;version.bind.                  CH      TXT

    ;; ANSWER SECTION:
    version.bind.           0       CH      TXT     "9.2.2"

    ;; Query time: 69 msec
    ;; SERVER: 10.0.0.230#53(somesite.us)
    ;; WHEN: Mon Sep  8 01:05:46 2003
    ;; MSG SIZE  rcvd: 48

A quick poke showed that it would resolve other names for me (i.e., hotmail.com), so it was an open recursive resolver, and that it allowed zone transfers:

    $ host -l somesite.us
    somesite.us. NS ns1.somesite.us.
    somesite.us. NS ns3.somednsserver.net.
    somesite.us. A 10.0.0.230
    admin.somesite.us. A 10.0.0.230
    davedap.admin.somesite.us. A 10.0.0.230
    jamm.admin.somesite.us. A 10.0.0.230
    all.your.fyi.are.somesite.us. A 10.0.0.230
    squirrels.are.somesite.us. A 10.0.0.230
    cerebro.somesite.us. A 192.168.0.3
    falling.somesite.us. A 10.0.0.230
    has.fun.somesite.us. A 10.0.2.15
    george.w.bush.is.somesite.us. A 192.168.0.3
    dmca.is.somesite.us. A 192.168.1.3
    microsoft.is.somesite.us. A 192.168.0.4
    minx.is.somesite.us. A 10.0.0.230
    packetstorm.is.somesite.us. A 10.0.0.230
    mail.somesite.us. A 10.0.0.230
    ns1.somesite.us. A 10.0.0.230
    silc.somesite.us. A 192.168.0.6
    spigger.somesite.us. A 10.0.0.230
    theyre.somesite.us. A 10.0.0.230
    webmail.somesite.us. A 10.0.0.230
    www.somesite.us. A 10.0.0.230

Since the vast majority of the hosts were bound to the same IP (10.0.0.230) and I was only attacking that one machine, I parsed out the other, irrelevant ones and saved that info for what would later turn into the ultimate compromise of the machine.
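The "parse out the irrelevant ones" step, as an added example that is not part of the original post: a small parser for host -l output that groups the A records by address, so the names pointing at the one target fall out as a list (those are the candidate Host: headers for the web ports, which matters once virtual hosts come into play) and the other addresses are listed separately as out of scope. The ZONE string is the page's own sanitized listing embedded so the script runs offline; the extra "has address" / "name server" patterns are for the wording newer host -l builds print, an assumption about that format rather than anything shown on the page.

```python
"""Sort a zone transfer listing by target address.

Added example, not the original author's code. ZONE is the write-up's
sanitized `host -l somesite.us` output, embedded so this runs offline.
"""
import re
from collections import defaultdict

ZONE = """\
somesite.us. NS ns1.somesite.us.
somesite.us. NS ns3.somednsserver.net.
somesite.us. A 10.0.0.230
admin.somesite.us. A 10.0.0.230
davedap.admin.somesite.us. A 10.0.0.230
jamm.admin.somesite.us. A 10.0.0.230
all.your.fyi.are.somesite.us. A 10.0.0.230
squirrels.are.somesite.us. A 10.0.0.230
cerebro.somesite.us. A 192.168.0.3
falling.somesite.us. A 10.0.0.230
has.fun.somesite.us. A 10.0.2.15
george.w.bush.is.somesite.us. A 192.168.0.3
dmca.is.somesite.us. A 192.168.1.3
microsoft.is.somesite.us. A 192.168.0.4
minx.is.somesite.us. A 10.0.0.230
packetstorm.is.somesite.us. A 10.0.0.230
mail.somesite.us. A 10.0.0.230
ns1.somesite.us. A 10.0.0.230
silc.somesite.us. A 192.168.0.6
spigger.somesite.us. A 10.0.0.230
theyre.somesite.us. A 10.0.0.230
webmail.somesite.us. A 10.0.0.230
www.somesite.us. A 10.0.0.230
"""

# Short form, as on the page: "<name>. <TYPE> <rdata>"
_SHORT = re.compile(r"^(\S+)\s+(A|AAAA|NS|MX|CNAME|TXT)\s+(.+)$")
# Long form printed by newer `host -l` builds (assumed wording), e.g.
# "www.example.com has address 10.0.0.1"
_LONG = re.compile(
    r"^(\S+)\s+(has address|has IPv6 address|name server|mail is handled by)\s+(.+)$"
)
_LONG_TYPES = {"has address": "A", "has IPv6 address": "AAAA",
               "name server": "NS", "mail is handled by": "MX"}


def parse_zone(text):
    """Yield (name, rtype, rdata) per record line, trailing dots stripped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = _SHORT.match(line)
        if m:
            name, rtype, rdata = m.groups()
        else:
            m = _LONG.match(line)
            if not m:
                continue                     # chatter such as "Using domain server:"
            name, rtype, rdata = m.group(1), _LONG_TYPES[m.group(2)], m.group(3)
        yield name.rstrip("."), rtype, rdata.strip().rstrip(".")


def by_address(text):
    """Map each address to the sorted names whose A/AAAA records point at it."""
    table = defaultdict(set)
    for name, rtype, rdata in parse_zone(text):
        if rtype in ("A", "AAAA"):
            table[rdata].add(name)
    return {ip: sorted(names) for ip, names in table.items()}


def hosts_for(text, ip):
    """Names on the one target: candidate virtual hosts for its web ports."""
    return by_address(text).get(ip, [])


def other_addresses(text, ip):
    """Every other address the zone leaks (out of scope for a single-host test)."""
    return set(by_address(text)) - {ip}


if __name__ == "__main__":
    target = "10.0.0.230"
    for name in hosts_for(ZONE, target):
        print(name)
    print("other addresses:", sorted(other_addresses(ZONE, target)))
```

Two things to fix on the server for the behaviour this script relies on: an allow-transfer { ...; }; clause in named.conf listing only the secondaries (none; if there are none) closes the AXFR, and version "none"; in the options block keeps version.bind from answering 9.2.2. Recursion for outside clients is a separate setting (allow-recursion) and is what made the "resolves hotmail.com for me" observation possible.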
Port 80 was an Apache 2.0.x server, port 443 was the SSL version of the same site, and 8443 was another SSL-enabled virtual host. Port 993 was IMAPS, but I didn't feel like poking at that much. So, I started poking at the websites. A number of things popped up on port 80: /logs, which gave me information on what files people were accessing, and from where, thanks to webalizer. Yes, the info was old and outdated, but it was useful regardless. It should've been restricted to ignore certain files, or, better yet, required authentication and been restricted to certain hosts. /webmail redirected to src/login.php, which means that there is both webmail and PHP installed. Goodie. Same deal on port 44