Security Incidents mailing list archives
hack from 212.211.194.165
From: Elias Levy <aleph1 () SECURITYFOCUS COM>
Date: Mon, 18 Sep 2000 09:27:20 -0700
Message-ID: <39C51E6B.15A2D674 () lphys chem utoronto ca>
Date: Sun, 17 Sep 2000 15:41:31 -0400
From: "Chris J. Milne" <cmilne () lphys chem utoronto ca>
Organization: University of Toronto
To: guardian () nefkom de, heinzinger () nefkom de, digital () STEALTH NET, ops () BBNPLANET COM, domain-bill () GTEI NET, andrew.a () EASYEVERYTHING COM, postmaster () rug nl, rugmail () rc rug nl, postmaster () infomac nl, rens.meijer () widexs net, hostmaster () widexs nl
Cc: FOCUS-LINUX () SECURITYFOCUS COM
Subject: hack from 212.211.194.165

Greetings,

We were hacked last weekend from the 212.211.194.165 IP. Since nefkom.de is the last resolvable domain name prior to the offending IP, I'm primarily sending this to you. My apologies if this is not your area of responsibility; if you could forward it to whoever is responsible for network security, I would appreciate it. Immediately following the attack we had apparent connections from:

torn () infomac nl (212.204.196.31)
adsl-61-44-215.mia.bellsouth.net (208.61.44.215)
irc.stealth.net (193.166.0.134, 206.252.192.195)
198.78.172.10 (.bbnplanet.net)
b-e14.victoria.stores.easyeverything.com (146.101.133.34)
root () flits102-154 flits rug nl (129.125.102.154)

I would estimate that the hacker let all his buddies on IRC know about the hole & they then proceeded to visit. I'm not sure how many of the above machines are hacked themselves or even how many of them are real. The hack that was used was an rpc.statd vulnerability that is well documented & which most vendors have patches for (CERT Advisory CA-2000-17, Input Validation Problem in rpc.statd). Once compromised, the system had a rootkit (t0rn) installed which replaced ps, find, top & cd among others. A hacked version of ssh was installed as well as a sniffer.

A quick detection of our version of the hack is if the machine in question is running something on ports 511 & 47019 (511 is pretty fixed but 47019 is user-configurable). Other detection methods include using locate to search for /usr/src/.puta (sniffer directory) & /usr/info/.t0rn, or using netstat to look for weird open ports. Performing an 'lsof | grep t0rn/puta' provided the processes which led to the hidden directories. Pretty standard attack performed by somebody pretty incompetent (left weird processes running, didn't check logging, completely dependent on the rootkit to cover his traces). The moral of the story is don't forget to restart daemons after upgrading.

I hope this information is useful to those of you responsible for the above machines; I've included logs for perusal at the conclusion of the message. Thanks for your time,

Chris Milne
Chemistry Department
University of Toronto

------------------------------------logs-------------------------------------------------
Sep 9 09:45:01 lphys tcplog[8575]: sunrpc connection attempt from root@212.211.194.165:1993
Sep 9 09:45:01 lphys tcplog[8576]: sunrpc connection attempt from root@212.211.194.165:762
Sep 9 09:45:18 lphys rpc.statd[389]: gethostbyname error for ^X=F7=FF=BF^X=F7=FF=BF^Y=F7=FF=BF^Y=F7=FF=BF^Z=F7=FF=BF^Z=F7=FF=BF^[=F7=FF=BF^[=F7=FF=BFbffff750 8049710
80554c0687465676274736f6d616e797265206520726f7220726f66 bffff718 bffff719 bffff71a bffff71b=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90
Sep 9 09:45:22 lphys tcplog[8579]: port 992 connection attempt from torn () infomac nl:3173
Sep 9 09:45:28 lphys tcplog[8580]: port 39168 connection attempt from torn () infomac nl:3183
Sep 9 09:49:28 lphys inetd[8734]: extra conf for service finger/tcp (skipped)
Sep 9 09:49:41 lphys tcplog[509]: port 2555 connection attempt from adsl-61-44-215.mia.bellsouth.net:2792
Sep 9 09:51:53 lphys tcplog[509]: auth connection attempt from localhost:2728
Sep 9 09:51:53 lphys tcplog[8829]: sunrpc connection attempt from root@localhost:948
Sep 9 09:54:57 lphys tcplog[509]: auth connection attempt from irc.stealth.net:2802
Sep 9 09:55:48 lphys tcplog[509]: auth connection attempt from 198.78.172.10:2807
Sep 9 09:56:23 lphys tcplog[509]: auth connection attempt from 198.78.172.10:2983
Sep 9 10:00:13 lphys tcplog[8599]: port 2555 connection attempt from b-e14.victoria.stores.easyeverything.com:2624
Sep 9 10:00:18 lphys tcplog[8603]: port 2555 connection attempt from adsl-61-44-215.mia.bellsouth.net:2791
Sep 9 10:03:14 lphys tcplog[8789]: port 47019 connection attempt from b-e14.victoria.stores.easyeverything.com:2653
Sep 9 10:48:24 lphys tcplog[10344]: sunrpc connection attempt from root () flits102-154 flits rug nl:3711
Sep 9 10:48:24 lphys tcplog[10345]: sunrpc connection attempt from root () flits102-154 flits rug nl:770
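The detection the post describes can be turned into a log check: an rpc.statd gethostbyname error whose "hostname" is raw stack addresses and a NOP sled, later connection attempts to the t0rn ports 511 and 47019, and the stream of visitors that followed once the hole was shared. The script below is an added example and is not code from the post or from any tool mentioned in it. It assumes the tcplog/syslog line layout quoted above, maps the service names sunrpc and auth to ports 111 and 113 from the usual /etc/services values, treats localhost as trusted, and runs over a constructed sample in which only the lphys host name is taken from the post; the other hosts and addresses are documentation values.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Indicators named in the post: 511 is the fixed t0rn port, 47019 the
# user-configurable one. The service-name to port mapping is an assumption
# based on the usual /etc/services entries, since tcplog prints names for
# services it knows.
T0RN_PORTS = {511, 47019}
SERVICE_PORTS = {"sunrpc": 111, "auth": 113}
NOP_SLED_MIN = 8  # a run of 0x90 bytes this long is never a real hostname

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
TCPLOG_RE = re.compile(
    r"^(?:port (?P<portnum>\d+)|(?P<service>\w+)) connection attempt from "
    r"(?:(?P<user>\w+)@)?(?P<src>\S+?):(?P<sport>\d+)\s*$"
)
STATD_RE = re.compile(r"^gethostbyname error for (?P<payload>.*)$")


@dataclass
class Event:
    ts_text: str
    ts: datetime
    host: str
    prog: str
    msg: str


@dataclass
class Finding:
    kind: str  # statd_exploit | t0rn_port | post_exploit_connection
    ts_text: str
    detail: str


def parse_line(line: str) -> Optional[Event]:
    """Split one syslog line into fields; None for lines that do not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; only ordering within one file matters here
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return Event(m["ts"], ts, m["host"], m["prog"], m["msg"])


def is_statd_exploit(payload: str) -> bool:
    """A name handed to gethostbyname should be printable ASCII. The CA-2000-17
    exploit leaves stack addresses and a NOP sled in the log instead."""
    if "\x90" * NOP_SLED_MIN in payload:
        return True
    return any(ord(c) < 0x20 or ord(c) > 0x7E for c in payload)


def analyze(log_text: str) -> List[Finding]:
    """Walk the log once and collect the three indicators from the post."""
    findings: List[Finding] = []
    exploit_at: Optional[datetime] = None
    # split on "\n" only: str.splitlines() treats bytes such as 0x1c-0x1e,
    # which a binary payload may contain, as line breaks
    for raw in log_text.split("\n"):
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev.prog == "rpc.statd":
            m = STATD_RE.match(ev.msg)
            if m and is_statd_exploit(m["payload"]):
                exploit_at = ev.ts
                findings.append(Finding("statd_exploit", ev.ts_text,
                                        f"non-printable hostname, {len(m['payload'])} bytes"))
        elif ev.prog == "tcplog":
            m = TCPLOG_RE.match(ev.msg)
            if not m:
                continue
            port = int(m["portnum"]) if m["portnum"] else SERVICE_PORTS.get(m["service"])
            src = m["src"]
            if port in T0RN_PORTS:
                findings.append(Finding("t0rn_port", ev.ts_text, f"port {port} from {src}"))
            elif exploit_at is not None and src != "localhost":
                minutes = (ev.ts - exploit_at).total_seconds() / 60
                findings.append(Finding("post_exploit_connection", ev.ts_text,
                                        f"port {port} from {src}, {minutes:.0f} min after statd hit"))
    return findings


# Constructed sample in the tcplog/syslog layout quoted in the post; hosts and
# addresses are documentation values, not the ones from the incident.
SAMPLE_LOG = "\n".join([
    "Sep  9 09:45:01 lphys tcplog[8575]: sunrpc connection attempt from root@203.0.113.5:1993",
    "Sep  9 09:45:18 lphys rpc.statd[389]: gethostbyname error for "
    "\x18\xf7\xff\xbf\x18\xf7\xff\xbfbffff750 8049710 " + "\x90" * 12,
    "Sep  9 09:45:22 lphys tcplog[8579]: port 992 connection attempt from torn.example.net:3173",
    "Sep  9 09:49:28 lphys inetd[8734]: extra conf for service finger/tcp (skipped)",
    "Sep  9 09:49:41 lphys tcplog[509]: port 2555 connection attempt from visitor-a.example.org:2792",
    "Sep  9 09:51:53 lphys tcplog[509]: auth connection attempt from localhost:2728",
    "Sep  9 10:03:14 lphys tcplog[8789]: port 47019 connection attempt from visitor-b.example.org:2653",
    "Sep  9 10:05:30 lphys tcplog[8790]: port 511 connection attempt from visitor-b.example.org:2660",
    "Sep  9 10:48:24 lphys tcplog[10344]: sunrpc connection attempt from root@198.51.100.7:3711",
])


def main() -> None:
    for f in analyze(SAMPLE_LOG):
        print(f"{f.ts_text}  {f.kind:<24} {f.detail}")


if __name__ == "__main__":
    main()
```

Run it directly to print the findings for the sample, or pass the contents of the syslog file to analyze(). The first finding is the one that drives triage: once rpc.statd has logged a hostname that is not printable ASCII, every later inbound connection deserves the scrutiny the author gave his, and anything listening on 511 or 47019 should be followed up with lsof and a look for /usr/src/.puta and /usr/info/.t0rn as the post describes. The localhost exclusion is an assumption for this example; on a host where the attacker already has a shell, local connections are worth a look too.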