Security Incidents mailing list archives
DDOS attacks on IRC
From: Elias Levy <aleph1 () SECURITYFOCUS COM>
Date: Wed, 13 Sep 2000 10:22:25 -0700
Return-Path: <owner-focus-linux () securityfocus com>
Delivered-To: focus-linux () lists securityfocus com
Received: from securityfocus.com (mail.securityfocus.com [207.126.127.78]) by lists.securityfocus.com (Postfix) with SMTP id DF5151EEAA for <focus-linux () lists securityfocus com>; Wed, 13 Sep 2000 05:46:01 -0700 (PDT)
Received: (qmail 19964 invoked by alias); 13 Sep 2000 12:47:34 -0000
Delivered-To: FOCUS-LINUX () SECURITYFOCUS COM
Received: (qmail 19960 invoked from network); 13 Sep 2000 12:47:34 -0000
Received: from fes-qout.whowhere.com (HELO mailcity.com) (209.185.123.96) by mail.securityfocus.com with SMTP; 13 Sep 2000 12:47:34 -0000
Received: from Unknown/Local ([?.?.?.?]) by mailcity.com; Wed Sep 13 05:46:01 2000
To: LINUX () SECURITYFOCUS COM
Date: Wed, 13 Sep 2000 05:46:01 -0700
From: "Email for LA" <digex () lycos com>
Message-ID: <GIPPDKGGENIMCAAA () mailcity com>
Mime-Version: 1.0
Cc: FOCUS-LINUX () SECURITYFOCUS COM
X-Sent-Mail: on
Reply-To: digex () lycos com
X-Expiredinmiddle: true
X-Mailer: MailCity Service
Subject: Red Hat Linux release 6.0/6.1 (Hedwig) (Cartman) bug?
X-Sender-Ip: 63.23.223.26
Organization: Lycos Communications (http://comm.lycos.com:80)
Content-Type: text/plain; charset=us-ascii
Content-Language: en
Content-Length: 3935
Content-Transfer-Encoding: 7bit
Sender: digex () mailcity com

Greetings,

Ok. As most of you know about IRC and how the DDOS-attack tool became a play-land for some kids, I realized that when I tried investigating those who hacked into our channel after a MASS DDOS and their ability to take my uplink via above.net down for almost 4 hours. Please look into this logfile and the work I went through:

users on hacked boxes:

#kuwait rsync   H@ rsync () c137-s2-r11h5 upc chello no (resync)
#kuwait rish    H@ rishi () c228044-b plano1 tx home com (me)
#kuwait mkdir   H@ tom@208.238.180.130 (Tom Conlee)
#kuwait poo`    H@ nobody () hb static nanosecond com (poo)
#kuwait repo    H@ repo () ns gymtv sk (repo repo)
#kuwait squid   H@ squid@195.226.110.10 (squid)
#kuwait statd   H@ adm () w149 z208037132 sjc-ca dsl cnc net ()
#kuwait rfe     H@ uucp@207.228.223.3 ()
#kuwait scx     H@ bin () adsl-208-189-190-226 interviewmanager com (scx)
#kuwait aaron   H@ aaron@24.222.15.7 (Aaron's Boat Charters)
#kuwait daemon` H@ daemon () w045 z208036043 lax-ca dsl cnc net (daemon)
#kuwait shad    H@ shad () adsl-208-189-195-17 dsl rcsntx swbell net (me)

Along with that, there is a security hole for sure. I tried to telnet into each host and this is what I got; please scroll downward..

- Trying 212.186.113.137...
  Connected to c137-s2-r11h5.upc.chello.no.
  Escape character is '^]'.
  Red Hat Linux release 6.0 (Hedwig)
  Kernel 2.2.5-15 on an i486

- Trying 24.17.167.99...
  Connected to c228044-b.plano1.tx.home.com.
  Escape character is '^]'.
  Red Hat Linux release 6.0 (Hedwig)
  Kernel 2.2.5-15 on an i686

- Trying 208.238.180.130...
  Connected to 208.238.180.130.
  Escape character is '^]'.
  Red Hat Linux release 6.1 (Cartman)
  Kernel 2.2.12-20 on an i586

- Trying 207.228.44.119...
  Connected to hb.static.nanosecond.com.
  Escape character is '^]'.
  Red Hat Linux release 6.0 (Hedwig)
  Kernel 2.2.13 on an i586
  login:

- ns.gymtv.sk: telnet has been disabled. However, same version last I checked.

- Trying 195.226.110.10...
  Connected to 195.226.110.10.
  Escape character is '^]'.
  Red Hat Linux release 6.0 (Hedwig)
  Kernel 2.2.5-15 on an i686

- Trying 208.37.132.149...
  Connected to w149.z208037132.sjc-ca.dsl.cnc.net.
  Escape character is '^]'.
  Red Hat Linux release 6.0 (Hedwig)
  Kernel 2.2.5-15 on an i586

- Trying 207.228.223.3...
  Connected to 207.228.223.3.
  Escape character is '^]'.
  ns.tandj.net Login
  Linux Kernel 2.2.5 on an i586
  Unauthorized use will get you killed.

- Trying 208.189.190.226...
  Connected to adsl-208-189-190-226.interviewmanager.com.
  Escape character is '^]'.
  Red Hat Linux release 6.0 (Hedwig)
  Kernel 2.2.14 on an i486

- Trying 24.222.15.7...
  Connected to 24.222.15.7.
  Escape character is '^]'.
  Red Hat Linux release 6.0 Publisher's Edition (Hedwig)
  Kernel 2.2.5-15 on an i486

- Trying 208.36.43.45...
  Connected to w045.z208036043.lax-ca.dsl.cnc.net.
  Escape character is '^]'.
  Red Hat Linux release 6.0 (Hedwig)
  Kernel 2.2.5-22 on an i686

- Trying 208.189.195.17...
  Connected to adsl-208-189-195-17.dsl.rcsntx.swbell.net.
  Escape character is '^]'.
  Red Hat Linux release 6.0 (Hedwig)
  Kernel 2.2.10 on an i586

- <END>

Now, those attackers are smart: mostly dialups/DSL/cable modems and hacked Linux boxes. Now even the owner of such a box won't and can't locate any process; ps, netstat, etc. won't show it. I'm sure those kids are in the process of hacking more redhat6.0 machines. I'm not sure how they got into all those boxes. I'll be more than happy to contact their ISPs and give them some feedback on this, to shut those boxes OFF or maybe to try to reinstall the lame OS version. Please let me know if you know anything about this release.

best regards;
-raed
LA@IRC Senior Engineer.
digex () lycos com

Get your FREE Email and Voicemail at Lycos Communications at http://comm.lycos.com

----- End forwarded message -----

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
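The post's telnet transcript is a flat list of banners, and the author's stated next step is to report the compromised hosts to their ISPs. The script below is an added example, not part of the original message or of anything Elias Levy or SecurityFocus published: it parses that transcript into one record per probed host (IP, hostname, Red Hat release and codename, kernel, architecture) and tallies release/kernel pairs, which is the shape an abuse report or an inventory of outdated systems needs. The transcript embedded in it is a subset of the hosts quoted in the post; the field layout it assumes (a "Trying <ip>..." line, a "Connected to <host>." line, then an optional "Red Hat Linux release X.Y (Codename)" and "Kernel <ver> on an <arch>" banner) is an assumption drawn from that text, and hosts that did not answer with a banner are kept as notes rather than dropped.

```python
"""Parse a telnet-banner transcript into an asset table (added example).

The TRANSCRIPT text is copied from the mailing-list post (a subset of its
hosts), flattened one probe per line as the archive shows it.  The parsing
rules are an assumption about that layout, not a standard format.
"""
import re
from collections import Counter

TRANSCRIPT = """\
- Trying 212.186.113.137... Connected to c137-s2-r11h5.upc.chello.no. Escape character is '^]'. Red Hat Linux release 6.0 (Hedwig) Kernel 2.2.5-15 on an i486
- Trying 208.238.180.130... Connected to 208.238.180.130. Escape character is '^]'. Red Hat Linux release 6.1 (Cartman) Kernel 2.2.12-20 on an i586
- ns.gymtv.sk telnet has been disabled. however same version last I checked.
- Trying 207.228.223.3... Connected to 207.228.223.3. Escape character is '^]'. ns.tandj.net Login Linux Kernel 2.2.5 on an i586 Unauthorized use will get you killed.
- Trying 24.222.15.7... Connected to 24.222.15.7. Escape character is '^]'. Red Hat Linux release 6.0 Publisher's Edition (Hedwig) Kernel 2.2.5-15 on an i486
- <END>
"""

# One probe begins at each "- " marker; the marker itself is consumed by the split.
PROBE_SPLIT_RE = re.compile(r"(?:^|\s)- (?=\S)")
TRYING_RE = re.compile(r"Trying (?P<ip>[\d.]+)\.\.\.")
CONNECTED_RE = re.compile(r"Connected to (?P<host>\S+)\.")
# Release banner: version, optional edition text, codename in parentheses.
RELEASE_RE = re.compile(r"Red Hat Linux release (?P<version>\d+\.\d+)[^(\n]*\((?P<codename>\w+)\)")
# Kernel banner: "Kernel 2.2.5-15 on an i486" (Red Hat) or "Kernel 2.2.5 on an i586".
KERNEL_RE = re.compile(r"Kernel (?P<kernel>\d+(?:\.\d+)+(?:-\d+)?) on an? (?P<arch>i\d86)")


def _empty_record():
    return {"ip": None, "host": None, "release": None, "codename": None,
            "kernel": None, "arch": None, "note": None}


def parse_transcript(text):
    """Return one record per probe, in transcript order, stopping at <END>."""
    records = []
    for chunk in PROBE_SPLIT_RE.split(text):
        chunk = chunk.strip()
        if not chunk:
            continue
        if chunk.startswith("<END>"):
            break
        rec = _empty_record()
        m_ip = TRYING_RE.match(chunk)
        if not m_ip:
            # Not a telnet probe: keep the author's free-text note, keyed by
            # the first token, which in the post is the hostname.
            rec["host"] = chunk.split()[0]
            rec["note"] = chunk
            records.append(rec)
            continue
        rec["ip"] = m_ip["ip"]
        m = CONNECTED_RE.search(chunk)
        if m:
            rec["host"] = m["host"]
        m = RELEASE_RE.search(chunk)
        if m:
            rec["release"], rec["codename"] = m["version"], m["codename"]
        m = KERNEL_RE.search(chunk)
        if m:
            rec["kernel"], rec["arch"] = m["kernel"], m["arch"]
        records.append(rec)
    return records


def summarize(records):
    """Count (release, kernel) pairs over hosts that presented a kernel banner.

    A None release means the host answered with a kernel line but no
    Red Hat release line (the ns.tandj.net case in the post).
    """
    return Counter((r["release"], r["kernel"]) for r in records if r["kernel"])


def unanswered(records):
    """Hosts with no kernel banner at all: these need a manual look."""
    return [r["host"] for r in records if not r["kernel"]]


if __name__ == "__main__":
    recs = parse_transcript(TRANSCRIPT)
    for r in recs:
        print(f"{r['ip'] or '-':16} {r['host'] or '-':45} "
              f"{r['release'] or '-':4} {r['codename'] or '-':8} "
              f"{r['kernel'] or '-':10} {r['arch'] or '-'}")
    print("release/kernel tally:", dict(summarize(recs)))
    print("no banner:", unanswered(recs))
```

Run as-is it prints a fixed-width table for the five hosts, a tally showing that release 6.0 with kernel 2.2.5-15 appears twice, and ns.gymtv.sk as the only host with no banner. Feeding it the full transcript from the post gives the release/kernel counts an ISP abuse desk would ask for; the regexes are deliberately anchored on the banner words rather than on positions so they survive the line-wrapping differences between the archive and a terminal capture.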