Security Incidents mailing list archives

hack from 212.211.194.165


From: Elias Levy <aleph1 () SECURITYFOCUS COM>
Date: Mon, 18 Sep 2000 09:27:20 -0700

Message-ID: <39C51E6B.15A2D674 () lphys chem utoronto ca>
Date: Sun, 17 Sep 2000 15:41:31 -0400
From: "Chris J. Milne" <cmilne () lphys chem utoronto ca>
Organization: University of Toronto
X-Mailer: Mozilla 4.75 [en] (Win98; U)
X-Accept-Language: en,pdf
MIME-Version: 1.0
To: guardian () nefkom de, heinzinger () nefkom de, digital () STEALTH NET,
	ops () BBNPLANET COM, domain-bill () GTEI NET, andrew.a () EASYEVERYTHING COM,
	postmaster () rug nl, rugmail () rc rug nl, postmaster () infomac nl,
	rens.meijer () widexs net, hostmaster () widexs nl
Cc: FOCUS-LINUX () SECURITYFOCUS COM
Subject: hack from 212.211.194.165
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit

Greetings,
We were hacked last weekend from the 212.211.194.165 IP. Since nefkom.de
is the last resolvable domain name prior to the offending IP, I'm
primarily sending this to you. My apologies if this is not your area of
responsibility; if you could forward this to whoever is responsible for
network security I would appreciate it. Immediately following the attack
we had apparent connections from:

torn () infomac nl (212.204.196.31)
adsl-61-44-215.mia.bellsouth.net (208.61.44.215)
irc.stealth.net (193.166.0.134, 206.252.192.195)
198.78.172.10 (.bbnplanet.net)
b-e14.victoria.stores.easyeverything.com (146.101.133.34)
root () flits102-154 flits rug nl (129.125.102.154)
I would estimate that the hacker let all his buddies on IRC know about
the hole & they then proceeded to visit. I'm not sure how many of the
above machines are hacked themselves or even how many of them are real.
The hack that was used was an rpc.statd vulnerability that is well
documented & which most vendors have patches for (CERT Advisory
CA-2000-17 Input Validation Problem in rpc.statd). Once compromised, the
system had a rootkit (t0rn) installed which replaced ps, find, top & cd
among others. A hacked version of ssh was installed as well as a
sniffer. A quick detection of our version of the hack is if the machine
in question is running something on ports 511 & 47019 (511 is pretty
fixed but 47019 is user-configurable). Other detection methods include
using locate to search for /usr/src/.puta (sniffer directory) &
/usr/info/.t0rn, or using netstat to look for weird open ports.
Performing an 'lsof | grep t0rn/puta' provided the processes which led
to the hidden directories. Pretty standard attack performed by somebody
pretty incompetent (left weird processes running, didn't check logging,
completely dependent on the rootkit to cover his traces). The moral of
the story is don't forget to restart daemons after upgrading.

I hope this information is useful to those of you responsible for the
above machines; I've included logs for perusal at the conclusion of the
message. Thanks for your time,

Chris Milne
Chemistry Department
University of Toronto

------------------------------------logs-------------------------------------------------
Sep  9 09:45:01 lphys tcplog[8575]: sunrpc connection attempt from
root@212.211.194.165:1993
Sep  9 09:45:01 lphys tcplog[8576]: sunrpc connection attempt from
root@212.211.194.165:762
Sep  9 09:45:18 lphys rpc.statd[389]: gethostbyname error for
^X=F7=FF=BF^X=F7=FF=BF^Y=F7=FF=BF^Y=F7=FF=BF^Z=F7=FF=BF^Z=F7=FF=BF^[=F7=
=FF=BF^[=F7=FF=BFbffff750 8049710
80554c0687465676274736f6d616e797265206520726f7220726f66
bffff718
bffff719  bffff71a
bffff71b=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=
=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=
=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=
=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=
=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=
=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=
=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=
=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=
=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=
=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=
=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=
=90=90=90=90=90=90=90=90=90=90
Sep  9 09:45:22 lphys tcplog[8579]: port 992 connection attempt from
torn () infomac nl:3173
Sep  9 09:45:28 lphys tcplog[8580]: port 39168 connection attempt from
torn () infomac nl:3183
Sep  9 09:49:28 lphys inetd[8734]: extra conf for service finger/tcp
(skipped)
Sep  9 09:49:41 lphys tcplog[509]: port 2555 connection attempt from
adsl-61-44-215.mia.bellsouth.net:2792
Sep  9 09:51:53 lphys tcplog[509]: auth connection attempt from
localhost:2728
Sep  9 09:51:53 lphys tcplog[8829]: sunrpc connection attempt from
root@localhost:948
Sep  9 09:54:57 lphys tcplog[509]: auth connection attempt from
irc.stealth.net:2802
Sep  9 09:55:48 lphys tcplog[509]: auth connection attempt from
198.78.172.10:2807
Sep  9 09:56:23 lphys tcplog[509]: auth connection attempt from
198.78.172.10:2983
Sep  9 10:00:13 lphys tcplog[8599]: port 2555 connection attempt from
b-e14.victoria.stores.easyeverything.com:2624
Sep  9 10:00:18 lphys tcplog[8603]: port 2555 connection attempt from
adsl-61-44-215.mia.bellsouth.net:2791
Sep  9 10:03:14 lphys tcplog[8789]: port 47019 connection attempt from
b-e14.victoria.stores.easyeverything.com:2653
Sep  9 10:48:24 lphys tcplog[10344]: sunrpc connection attempt from
root () flits102-154 flits rug nl:3711
Sep  9 10:48:24 lphys tcplog[10345]: sunrpc connection attempt from
root () flits102-154 flits rug nl:770

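The message above lays out a detection recipe (an rpc.statd gethostbyname error carrying a long run of non-printable filler, followed by connection attempts to the t0rn rootkit's ports 511 and 47019) and ends with the raw tcplog/rpc.statd lines it came from. The following script is an added example, not part of the original post, that turns that recipe into a scanner over syslog-style lines. The sample log is adapted from the lines in the message with the archive's address obfuscation undone (`torn () infomac nl` written back as `torn@infomac.nl`, the NOP sled shortened to 64 bytes); the final port-511 line is constructed for illustration. The indicator names, the 32-byte run threshold and the `ROOTKIT_PORTS` table are this example's own choices, taken from the report's description rather than from any published t0rn signature.

```python
import re
from collections import Counter

# Ports the report associates with the t0rn rootkit on the compromised host
# (511 described as fixed, 47019 as user-configurable).
ROOTKIT_PORTS = {511: "t0rn (fixed)", 47019: "t0rn (user-configurable)"}

# Repeated identical non-printable bytes of at least this length are treated
# as sled-style filler in a hostname; threshold chosen for this example.
SLED_MIN_RUN = 32

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# tcplog wording: "sunrpc connection attempt from root@1.2.3.4:1993"
#              or "port 47019 connection attempt from host.example:2653"
CONN_RE = re.compile(
    r"^(?:port (?P<port>\d+)|(?P<svc>\w+)) connection attempt from "
    r"(?:(?P<user>[\w.-]+)@)?(?P<src>[\w.-]+):(?P<sport>\d+)\s*$"
)
SLED_RE = re.compile(r"([^\x20-\x7e])\1{%d,}" % (SLED_MIN_RUN - 1))


def parse_line(line):
    """Split one syslog line into fields; None for lines of another shape."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def classify(rec):
    """Return (indicator, detail) pairs for a parsed record."""
    hits = []
    msg = rec["msg"]
    # CA-2000-17 style abuse shows up as rpc.statd logging a "hostname" that
    # is far too long and made of non-printable bytes.
    if rec["prog"] == "rpc.statd" and msg.startswith("gethostbyname error for"):
        if SLED_RE.search(msg) or len(msg) > 256:
            hits.append(("statd_overflow_attempt",
                         "oversized/non-printable hostname logged by rpc.statd"))
    m = CONN_RE.match(msg)
    if m:
        port = int(m["port"]) if m["port"] else None
        label = m["svc"] or f"port {port}"
        if port in ROOTKIT_PORTS:
            hits.append(("rootkit_port",
                         f"{m['src']} -> {label} [{ROOTKIT_PORTS[port]}]"))
        if m["svc"] == "sunrpc":
            hits.append(("sunrpc_probe", f"{m['src']} -> sunrpc"))
    return hits


def scan(lines):
    """Walk the log in order; return the indicator timeline and a per-source tally."""
    timeline = []
    sources = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for kind, detail in classify(rec):
            timeline.append((rec["ts"], kind, detail))
        m = CONN_RE.match(rec["msg"])
        if m:
            sources[m["src"]] += 1
    return timeline, sources


# Constructed sample: adapted from the message's logs, last line invented.
SAMPLE_LOG = [
    "Sep  9 09:45:01 lphys tcplog[8575]: sunrpc connection attempt from root@212.211.194.165:1993",
    "Sep  9 09:45:18 lphys rpc.statd[389]: gethostbyname error for " + "\x90" * 64 + "bffff750 8049710",
    "Sep  9 09:45:22 lphys tcplog[8579]: port 992 connection attempt from torn@infomac.nl:3173",
    "Sep  9 09:49:28 lphys inetd[8734]: extra conf for service finger/tcp (skipped)",
    "Sep  9 10:00:13 lphys tcplog[8599]: port 2555 connection attempt from b-e14.victoria.stores.easyeverything.com:2624",
    "Sep  9 10:03:14 lphys tcplog[8789]: port 47019 connection attempt from b-e14.victoria.stores.easyeverything.com:2653",
    "Sep  9 10:03:40 lphys tcplog[8791]: port 511 connection attempt from 198.78.172.10:2999",
]

if __name__ == "__main__":
    events, tally = scan(SAMPLE_LOG)
    for ts, kind, detail in events:
        print(f"{ts}  {kind:24s} {detail}")
    print("sources:", dict(tally))
```

Run against the sample it reports the sunrpc probe from 212.211.194.165, the rpc.statd overflow attempt seventeen seconds later, and the two rootkit-port connections; the source tally is the list of hosts an administrator would want to contact, which is what the message's To: line amounts to. Because it matches on the wording of tcplog and rpc.statd messages, adapt the regexes before pointing it at a syslog from a different daemon or format.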