nanog mailing list archives
Re: black hat .cn networks
From: "Justin Hinderliter" <justin () interaccess com>
Date: Mon, 7 May 2001 12:41:29 -0500
For those looking for evidence of attacks, I personally know of 3 boxes that were hit and rooted this morning. The three attacks happened between 6:20am and 7:04am. One NT box, one Linux box, and one as of yet unknown OS (haven't gotten ahold of the person yet, but his bandwidth's maxed out and way over what it ever is by about 15x). They're hitting port 80 this morning. One hit from a Mapquest IP, one from bucket.rutgers.edu 165.230.8.106, and one from an APNIC netblock 210.33.68.1. The webpages they left indicated "fuq you, Americans" and indicated that they were part of the Chinese offensive.

PAM session authentication on the Linux box noted that a session was opened by user htdig (uid 0) and closed 4ms later. Syslogs were wiped, so were last and lastlog output. The logs are available still despite their efforts, since the precaution was taken to have them sent elsewhere and mailed immediately to boot.

Other boxes may have been gotten to as well; still looking at them all and unplugging them as I go/advising suspected customers to unplug as well as I find them.

Fuq U2, Chinese. Got plenty of evidence here, and there's a death sentence in China for doing this... provided it was really Chinese responsible. I'm happily contributing all info I have towards investigation and prosecution, and am going to get Mapquest and rutgers.edu to dig up all info they can to track this shit back to where they got hit from.

Hey, just found another one. Note that all Linux boxes were locked pretty damned tight, and even blocked numerous connection attempts on port 80 with portsentry killing the connection and then dropping them to a null route. But all it took was 4ms to run that script. Apparently there's probably a hole in apache 1.3.14-2, as there were no world-writable files in the http root structure... bugtraq should be interested in this. Have to see what I can dig up post mortem as far as what they used.

"Time for a malenki lemtock of the ole ultraviolence, me droogs."
Cheers.
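The post describes two things a responder ended up doing by hand: spotting a PAM session opened for a daemon account (htdig, spawned by uid 0) that was closed almost immediately, and recovering from the fact that the local syslog, last and lastlog records were wiped by going to the copy the remote loghost received. The following Python is an added example and is not part of the original post or of any tool mentioned in it; it parses classic syslog/PAM_unix lines, flags sessions for accounts that should never log in, measures how long each session lasted, and diffs the remote copy against the local file to show exactly which lines were removed. The log lines are constructed for the example, the service-account list and the year (syslog omits it) are assumptions, and the format matched is the traditional `PAM_unix[pid]: (service) session opened for user X by Y(uid=N)` style of the period.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample logs (not from the post). The loghost copy has two lines
# the local file no longer has: the htdig session that was opened and closed.
REMOTE_LOG = """\
May  7 06:20:11 web1 PAM_unix[4711]: (ftpd) session opened for user htdig by (uid=0)
May  7 06:20:11 web1 PAM_unix[4711]: (ftpd) session closed for user htdig
May  7 06:20:12 web1 sshd[4720]: Accepted password for alice from 10.0.0.5 port 40122 ssh2
May  7 06:20:12 web1 PAM_unix[4720]: (sshd) session opened for user alice by (uid=0)
May  7 06:21:40 web1 PAM_unix[4790]: (su) session opened for user root by alice(uid=1000)
May  7 06:22:02 web1 syslogd 1.4.1: restart.
"""
LOCAL_LOG = """\
May  7 06:20:12 web1 sshd[4720]: Accepted password for alice from 10.0.0.5 port 40122 ssh2
May  7 06:20:12 web1 PAM_unix[4720]: (sshd) session opened for user alice by (uid=0)
May  7 06:21:40 web1 PAM_unix[4790]: (su) session opened for user root by alice(uid=1000)
May  7 06:22:02 web1 syslogd 1.4.1: restart.
"""

# Assumed list of accounts that only exist to run a daemon and must never own a session.
SERVICE_ACCOUNTS = {"htdig", "www-data", "apache", "nobody", "ftp"}

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>\S+?)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
PAM_OPEN_RE = re.compile(
    r"\((?P<service>[^)]+)\) session opened for user (?P<user>\S+) by "
    r"(?P<by>[^(\s]*)\(uid=(?P<uid>\d+)\)"
)
PAM_CLOSE_RE = re.compile(r"\((?P<service>[^)]+)\) session closed for user (?P<user>\S+)")


def parse_line(line, year=2001):
    """Split one classic syslog line into fields; the year is assumed (syslog omits it)."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None  # lines such as 'syslogd 1.4.1: restart.' carry no tag/pid and are skipped here
    ts = datetime.strptime(f"{year} {m['mon']} {int(m['day'])} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "tag": m["tag"],
            "pid": int(m["pid"]) if m["pid"] else None, "msg": m["msg"], "raw": line.rstrip("\n")}


def pam_events(text):
    """Return PAM session open/close events found in a syslog text, in file order."""
    events = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = PAM_OPEN_RE.search(rec["msg"])
        if m:
            events.append({**rec, "kind": "open", "service": m["service"], "user": m["user"],
                           "by": m["by"] or None, "by_uid": int(m["uid"])})
            continue
        m = PAM_CLOSE_RE.search(rec["msg"])
        if m:
            events.append({**rec, "kind": "close", "service": m["service"], "user": m["user"]})
    return events


def suspicious_sessions(text, accounts=SERVICE_ACCOUNTS):
    """(user, service, pid, parent uid) for every session opened for a daemon account."""
    return [(e["user"], e["service"], e["pid"], e["by_uid"])
            for e in pam_events(text) if e["kind"] == "open" and e["user"] in accounts]


def session_durations(text):
    """Seconds between open and close per (pid, user); 0 means sub-second at syslog resolution."""
    opened, durations = {}, {}
    for e in pam_events(text):
        key = (e["pid"], e["user"])
        if e["kind"] == "open":
            opened[key] = e["ts"]
        elif key in opened:
            durations[key] = int((e["ts"] - opened.pop(key)).total_seconds())
    return durations


def missing_locally(remote_text, local_text):
    """Lines the remote loghost received that are absent from the local file, i.e. wiped."""
    local = Counter(l for l in local_text.splitlines() if l.strip())
    gone = []
    for line in remote_text.splitlines():
        if not line.strip():
            continue
        if local[line] > 0:
            local[line] -= 1  # multiset diff: repeated identical lines must match one-for-one
        else:
            gone.append(line)
    return gone


if __name__ == "__main__":
    for user, service, pid, uid in suspicious_sessions(REMOTE_LOG):
        print(f"ALERT session for daemon account {user} via {service} pid {pid} (opened by uid {uid})")
    for (pid, user), secs in session_durations(REMOTE_LOG).items():
        print(f"session pid {pid} user {user} lasted {secs}s")
    for line in missing_locally(REMOTE_LOG, LOCAL_LOG):
        print("WIPED LOCALLY:", line)
```

The diff only works because the loghost copy was written by a different machine the attacker did not control; if the attacker can reach the loghost with the same credentials, compare it in turn against the mailed copy the post mentions.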