Security Incidents mailing list archives
sendmail/identd attack
From: gyst () NFG NL (Guido A.J. Stevens)
Date: Fri, 31 Mar 2000 09:57:43 +0200
We've been subjected to two prolonged attacks yesterday. The attacks were from different IPs and have slightly different signatures. Both were sourced from port 113 and targeted at port 25.

What bothers me is that we suffered a general protection error on our own identd process after the first attack. Which triggers a paranoia protection error in my mindware, asking: is anybody aware of a new tool that uses a compromised identd to propagate itself via a sendmail channel? Or something like that.......

Has anybody seen an attack like this before? Is anybody aware of a (new) tool with these signatures? I'm hoping somebody here can provide some insights.

A more detailed description of the progression of events follows below. I did a bit of ip/hostname obfuscation, of course, if only to protect the 0wned machine that was used to attack us :-[

The attack starts by a port 25 scan.

Mar 30 16:14:16 abyss libnids: Scan from attacker.1.ip. Scanned ports: target.b1.cnet.131:25,target.b1.cnet.209:25,target.b1.cnet.217:25,target.b1.cnet.211:25,target.b1.cnet.213:25,target.b1.cnet.210:25,target.b1.cnet.214:25,target.b1.cnet.208:25,target.b1.cnet.216:25,target.b1.cnet.215:25,target.b1.cnet.212:25,scan type: SYN

This passes our incoming firewall. Some of those probes just elicit responses that are blocked and logged:

Mar 30 16:14:17 abyss kernel: IP fw-out deny eth0 TCP target.b1.cnet.219:17521 attacker.1.ip:113 L=44 S=0x00 I=58938 F=0x0000 T=64
Mar 30 16:14:17 abyss kernel: IP fw-out deny eth0 TCP target.b1.cnet.218:17522 attacker.1.ip:113 L=44 S=0x00 I=58945 F=0x0000 T=64

But some seem to make it through to the application layer:

Mar 30 16:14:18 abyss sendmail[11823]: NOQUEUE: Null connection from IDENT:root () 0wned machine edu [attacker.1.ip]
Mar 30 16:14:19 abyss sendmail[11828]: NOQUEUE: Null connection from IDENT:root () 0wned machine edu [attacker.1.ip]
Mar 30 16:14:19 abyss kernel: IP fw-out deny eth0 TCP target.b1.cnet.211:17492 attacker.1.ip:113 L=44 S=0x00 I=59024 F=0x0000 T=64
Mar 30 16:14:20 abyss kernel: IP fw-out deny eth0 TCP target.b1.cnet.217:17512 attacker.1.ip:113 L=44 S=0x00 I=59031 F=0x0000 T=64

So far, so good. What really bothers me though, is the kernel general protection error on identd that follows some hours later:

Mar 30 22:27:56 abyss kernel: general protection: 0000
Mar 30 22:27:56 abyss kernel: CPU: 0
Mar 30 22:27:56 abyss kernel: EIP: 0010:[get__netinfo+334/684]
Mar 30 22:27:56 abyss kernel: EFLAGS: 00010206
Mar 30 22:27:56 abyss kernel: eax: 7001285c ebx: 04cb2c0c ecx: 00000000 edx: 00000000
Mar 30 22:27:56 abyss kernel: esi: 00000000 edi: 00000180 ebp: 00000000 esp: 04befe78
Mar 30 22:27:56 abyss kernel: ds: 0018 es: 0018 fs: 002b gs: 002b ss: 0018
Mar 30 22:27:56 abyss kernel: Process identd (pid: 29125, process nr: 60, stackpage=04bef000)
Mar 30 22:27:56 abyss kernel: Stack: 07fe4000 0019c06c 051b74c8 00000400 ffffffff 00000000 04befeb0 00004b80
Mar 30 22:27:56 abyss kernel:        00000095 04010050 08fc0435 43116dc2 2b917d81 00000000 38343120 3030203a
Mar 30 22:27:56 abyss kernel:        30303030 303a3030 20303530 30303030 30303030 3030303a 37302030 30303020
Mar 30 22:27:56 abyss kernel: Call Trace: [ip_rcv+1107/1412] [tcp_get_info+33/40] [proc_readnet+173/324] [sys_read+192/232] [system_call+85/124]
Mar 30 22:27:56 abyss kernel: Code: 8b 40 04 89 44 24 14 8b 54 24 14 52 31 c0 85 f6 74 06 8b 83
Mar 30 22:27:56 abyss kernel: Aiee, killing interrupt handler

Which repeats itself some 5 minutes later.

Then, some hours later, the circus starts anew with another attack from another IP, in which again both sendmail and identd seem to be involved:

Mar 31 01:03:03 abyss libnids: Scan from attacker.2.ip. Scanned ports: target.b2.cnet.72:25,target.b2.cnet.73:25,target.b2.cnet.74:25,target.b2.cnet.75:25,target.b2.cnet.76:25,194.109 .17.77:25,target.b2.cnet.78:25,target.b2.cnet.79:25,target.b2.cnet.80:25,target.b2.cnet.81:25,target.b2.cnet.82:25,scan type: SYN
Mar 31 01:03:03 abyss libnids: Max number of TCP streams reached,from attacker.2.ip:3965 to target.b2.cnet.82:25
Mar 31 01:03:03 abyss libnids: Max number of TCP streams reached,from attacker.2.ip:3966 to target.b2.cnet.83:25
Mar 31 01:03:03 abyss libnids: Max number of TCP streams reached,from attacker.2.ip:3967 to target.b2.cnet.84:25
Mar 31 01:03:03 abyss libnids: Max number of TCP streams reached,from attacker.2.ip:3968 to target.b2.cnet.85:25
Mar 31 01:03:03 abyss libnids: Max number of TCP streams reached,from attacker.2.ip:3969 to target.b2.cnet.86:25
Mar 31 01:03:03 abyss libnids: Max number of TCP streams reached,from attacker.2.ip:3970 to target.b2.cnet.87:25
Mar 31 01:03:04 abyss kernel: IP fw-out deny eth0 TCP target.b2.cnet.64:5331 attacker.2.ip:113 L=44 S=0x00 I=39104 F=0x0000 T=64
Mar 31 01:03:04 abyss kernel: IP fw-out deny eth0 TCP target.b2.cnet.66:5332 attacker.2.ip:113 L=44 S=0x00 I=39109 F=0x0000 T=64
Mar 31 01:03:04 abyss libnids: Max number of TCP streams reached,from target.b2.cnet.65:5335 to attacker.2.ip:113
Mar 31 01:03:04 abyss kernel: IP fw-out deny eth0 TCP target.b2.cnet.67:5341 attacker.2.ip:113 L=44 S=0x00 I=39121 F=0x0000 T=64
Mar 31 01:03:04 abyss kernel: IP fw-out deny eth0 TCP target.b2.cnet.68:5394 attacker.2.ip:113 L=44 S=0x00 I=39126 F=0x0000 T=64

etc. etc.

This results in some unusual sendmail log messages:

Mar 31 01:03:34 abyss sendmail[3187]: NOQUEUE: Null connection from hostile.dialin.home.com [attacker.2.ip]
Mar 31 01:03:34 abyss sendmail[3188]: NOQUEUE: SYSERR: putoutmsg (hostile.dialin.home.com): error on output channel sending "220 mailserver.target.net ESMTP Sendmail 8.9.3/8.9.3/Debian/GNU; Fri, 31 Mar 2000 01:03:34 +0200": Broken pipe
Mar 31 01:03:34 abyss sendmail[3188]: NOQUEUE: Null connection from hostile.dialin.home.com [attacker.2.ip]
Mar 31 01:03:34 abyss sendmail[3189]: NOQUEUE: SYSERR: putoutmsg (hostile.dialin.home.com): error on output channel sending "220 mailserver.target.net ESMTP Sendmail 8.9.3/8.9.3/Debian/GNU; Fri, 31 Mar 2000 01:03:34 +0200": Broken pipe

I'm puzzled. Can anybody clue me in as to what's been going on here?

:*CU#

-- 
*** Guido A.J. Stevens *** mailto:gyst () nfg nl ***
*** Net Facilities Group *** tel:+31.43.3618933 ***
*** http://www.nfg.nl *** fax:+31.43.3560502 ***

narratives of digital utopias attempt to engage the pragmatics of anticipation [Coyne, ISBN 0-262-03260-0, p. 145]
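Added example, not part of Guido's post: a small correlator over the three log formats quoted above (libnids scan summaries, the kernel's "fw-out deny" lines for replies to a peer's port 113, and sendmail's "Null connection" notices). It groups events per peer address so that a host which both scanned port 25 and opened SMTP connections without issuing a command stands out; the sample lines are taken from the post.

```python
import re
from collections import defaultdict

# One regex per log source seen in the post; each captures the remote peer.
SCAN_RE = re.compile(r"libnids: Scan from (\S+)\. Scanned ports:")
IDENT_RE = re.compile(r"IP fw-out deny \S+ TCP \S+:\d+ (\S+):113\b")
NULL_RE = re.compile(r"sendmail\[\d+\]: NOQUEUE: Null connection from .*\[([^\]]+)\]")

EVENTS = (("smtp_scan", SCAN_RE),
          ("ident_reply_blocked", IDENT_RE),
          ("smtp_null_conn", NULL_RE))

def classify(line):
    """Return (event, peer) for a recognised syslog line, or None."""
    for event, rx in EVENTS:
        m = rx.search(line)
        if m:
            return event, m.group(1)
    return None

def correlate(lines):
    """Count recognised events per peer: {peer: {event: count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        hit = classify(line)
        if hit:
            event, peer = hit
            counts[peer][event] += 1
    return {peer: dict(ev) for peer, ev in counts.items()}

def suspicious_peers(lines):
    """Peers that scanned port 25 and also hit sendmail with a null connection."""
    return sorted(peer for peer, ev in correlate(lines).items()
                  if ev.get("smtp_scan") and ev.get("smtp_null_conn"))

# Sample input: lines quoted from the post (obfuscated names as in the original).
SAMPLE_LOG = [
    "Mar 30 16:14:16 abyss libnids: Scan from attacker.1.ip. Scanned ports: target.b1.cnet.131:25,target.b1.cnet.209:25,scan type: SYN",
    "Mar 30 16:14:17 abyss kernel: IP fw-out deny eth0 TCP target.b1.cnet.219:17521 attacker.1.ip:113 L=44 S=0x00 I=58938 F=0x0000 T=64",
    "Mar 30 16:14:17 abyss kernel: IP fw-out deny eth0 TCP target.b1.cnet.218:17522 attacker.1.ip:113 L=44 S=0x00 I=58945 F=0x0000 T=64",
    "Mar 30 16:14:18 abyss sendmail[11823]: NOQUEUE: Null connection from IDENT:root () 0wned machine edu [attacker.1.ip]",
    "Mar 30 16:14:19 abyss sendmail[11828]: NOQUEUE: Null connection from IDENT:root () 0wned machine edu [attacker.1.ip]",
    "Mar 31 01:03:34 abyss sendmail[3187]: NOQUEUE: Null connection from hostile.dialin.home.com [attacker.2.ip]",
    "Mar 30 16:20:01 abyss cron[1200]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for peer, ev in correlate(SAMPLE_LOG).items():
        print(peer, ev)
    print("scan + null SMTP connections:", suspicious_peers(SAMPLE_LOG))
```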