Penetration Testing mailing list archives
Re: [PEN-TEST] DOS Attack
From: H D Moore <hdm () SECUREAUSTIN COM>
Date: Sun, 15 Oct 2000 17:43:52 -0500
Craig,
From your port listing I can see at least 6 ports of entry:
From your port listing I can see at least 6 ports of entry:

1. Secure Shell - Are you running an old version of SSH linked against rsaref? How many user accounts do you have?
2. LPD - There have been quite a few lpd/LPRng exploits floating around over the last few years.
3. MDBMS - SuSE Linux (maybe others) distributed a version of mdbms that allowed remote root compromise.
4. rpc.mountd - Probably running on one of those unknown ports; there have been some buffer overflows in older versions (r00t).
5. NFS - Are you exporting any file systems? Do these include a user's home directory, root directory, or a directory containing passwords or executables?
6. X11 - What hosts are you allowing to connect to your X server? Someone may have sniffed your keystrokes.

I haven't seen rwhois in use before, is it a valid daemon? What other RPC services are you running?

$ rpcinfo -p <host>

-HD

http://www.digitaldefense.net (work)
http://www.digitaloffense.net (play)

"Craig T. Hancock" wrote:
Hello all, I am doing some research for a friend on a DOS attack on an IRIX 6.5 machine; the attack, from what I was told, can be ported to a Unix machine. So I am trying here. This is the info that I have on the attack. It is called Hack a Tick.

Hello all, a machine that I administer has been involved in a DOS attack on my subnet. The network monitoring group has told me that a person was connecting to my machine via port 31789, which is a UDP port, and that this caused a huge amount of overhead on the network. The thing I don't understand is how this attack is caused; I also don't understand how the person could have gotten in. I didn't see any relevant info in the logs, but then again those could have been doctored.

Port   State  Protocol  Service
22     open   tcp       ssh
111    open   tcp       sunrpc
515    open   tcp       printer
620    open   tcp       unknown
800    open   tcp       mdbs_daemon
801    open   tcp       device
1024   open   tcp       unknown
1025   open   tcp       listen
1026   open   tcp       nterm
1030   open   tcp       iad1
1455   open   tcp       esl-lm
2049   open   tcp       nfs
4321   open   tcp       rwhois
6000   open   tcp       X11

I would like to know exactly how this attack is done; I mean, I haven't been able to find out any specifics, or how it is prevented. I have checked the logs but I haven't been able to find out if the person ever got in. It looks like no one was logged in at the time, but then again the logs could have been doctored. Here is a reference to the attack; this is the only info that I have been able to find.
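The reply's two concrete checks, running `rpcinfo -p` to see which RPC programs sit behind the scanner's "unknown" ports and asking what NFS is exporting, can be scripted against the tool output. The following is an added example and not code from either poster: it takes the port listing from the original post, plus constructed (not real) `rpcinfo -p` and `showmount -e` output in the column layouts those tools normally print, relabels scanned ports with the RPC program registered on them, and flags exports to everyone or of sensitive paths. The RPC program numbers are the standard ones from /etc/rpc; which ports mountd and status land on in the sample is an assumption made for illustration.

```python
"""Triage helper for the reply's checks: map scanned ports onto registered RPC
programs and audit NFS exports.  Added example; rpcinfo/showmount samples are
constructed, not from the thread."""
import re

# RPC program numbers as registered in /etc/rpc on most Unix systems.
RPC_PROGRAMS = {100000: "portmapper", 100003: "nfs", 100005: "mountd",
                100021: "nlockmgr", 100024: "status"}

# Exports that hand out home directories, the root filesystem, or
# password/executable directories (point 5 in the reply).
SENSITIVE_PATHS = {"/", "/etc", "/home", "/usr", "/bin", "/sbin"}
WORLD_CLIENTS = {"*", "(everyone)", "everyone"}

# The port listing from the original post.
SCAN_LISTING = """\
Port State Protocol Service
22 open tcp ssh
111 open tcp sunrpc
515 open tcp printer
620 open tcp unknown
800 open tcp mdbs_daemon
801 open tcp device
1024 open tcp unknown
1025 open tcp listen
1026 open tcp nterm
1030 open tcp iad1
1455 open tcp esl-lm
2049 open tcp nfs
4321 open tcp rwhois
6000 open tcp X11
"""

# Constructed `rpcinfo -p` output; assumes mountd and status happen to be
# registered on two of the ports the scanner could not label.
SAMPLE_RPCINFO = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   1023  status
    100024    1   tcp   1024  status
    100005    1   udp   1025  mountd
    100005    1   tcp   1030  mountd
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
"""

# Constructed `showmount -e` output.
SAMPLE_SHOWMOUNT = """\
Export list for victim.example.org:
/home           (everyone)
/usr/local      10.1.2.0/24
/export/scratch *
"""


def parse_scan(text):
    """'port state proto service' rows -> list of dicts; header is skipped."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"(\d+)\s+(\w+)\s+(tcp|udp)\s+(\S+)", line)
        if m:
            port, state, proto, service = m.groups()
            rows.append({"port": int(port), "state": state, "proto": proto,
                         "service": service})
    return rows


def parse_rpcinfo(text):
    """`rpcinfo -p` rows -> list of dicts; a blank service column is filled
    from RPC_PROGRAMS (some portmappers print no name for unknown programs)."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s*(\S*)", line)
        if m:
            prog, vers, proto, port, name = m.groups()
            rows.append({"program": int(prog), "version": int(vers),
                         "proto": proto, "port": int(port),
                         "service": name or RPC_PROGRAMS.get(int(prog), "unknown")})
    return rows


def parse_showmount(text):
    """`showmount -e` rows -> {export path: [client specs]}."""
    exports = {}
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0].startswith("/"):
            exports[parts[0]] = parts[1:] or ["*"]
    return exports


def resolve_rpc_ports(scan_rows, rpc_rows):
    """Attach the RPC program registered on each scanned (proto, port), if any."""
    by_port = {(r["proto"], r["port"]): r["service"] for r in rpc_rows}
    return [dict(row, rpc_service=by_port.get((row["proto"], row["port"])))
            for row in scan_rows]


def audit_exports(exports):
    findings = []
    for path, clients in exports.items():
        world = any(c in WORLD_CLIENTS for c in clients)
        base = path.rstrip("/") + "/"   # "/" covers every sensitive path
        sensitive = path in SENSITIVE_PATHS or any(s.startswith(base) for s in SENSITIVE_PATHS)
        if world and sensitive:
            findings.append(f"CRITICAL: {path} exported to everyone")
        elif world:
            findings.append(f"HIGH: {path} exported to everyone")
        elif sensitive:
            findings.append(f"MEDIUM: {path} exported to {' '.join(clients)}")
    return findings


def triage(scan_text, rpcinfo_text, showmount_text):
    rpc_rows = parse_rpcinfo(rpcinfo_text)
    findings = []
    for row in resolve_rpc_ports(parse_scan(scan_text), rpc_rows):
        if row["rpc_service"] and row["rpc_service"] != row["service"]:
            findings.append(f"port {row['port']}/{row['proto']} labelled "
                            f"'{row['service']}' by the scanner is RPC {row['rpc_service']}")
    if any(r["service"] == "mountd" for r in rpc_rows):
        findings.append("rpc.mountd is registered: check its version against known overflows")
    findings.extend(audit_exports(parse_showmount(showmount_text)))
    return findings


if __name__ == "__main__":
    for finding in triage(SCAN_LISTING, SAMPLE_RPCINFO, SAMPLE_SHOWMOUNT):
        print(finding)
```

Against the constructed samples this reports that 1024/tcp ("unknown" to the scanner) is rpc.statd and 1030/tcp ("iad1", a guess from /etc/services) is rpc.mountd, that mountd is registered at all, and that /home is exported to everyone. On a real host replace the three sample strings with the output of the scanner, `rpcinfo -p <host>` and `showmount -e <host>`; `showmount` formats vary slightly between platforms, so check that the path and client columns are parsed as expected.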
Current thread:
- [PEN-TEST] Password Protection in0m of the s0d crew (Oct 07)
- Re: [PEN-TEST] Password Protection Mark Teicher (Oct 09)
- Re: [PEN-TEST] Password Protection Fred Mobach (Oct 09)
- Re: [PEN-TEST] Password Protection Patrick Feisthammel (Oct 09)
- Re: [PEN-TEST] Password Protection Allen, Peter (Oct 09)
- [PEN-TEST] DOS Attack Craig T. Hancock (Oct 10)
- Re: [PEN-TEST] DOS Attack James Kelly (Oct 10)
- Re: [PEN-TEST] DOS Attack H D Moore (Oct 15)
- <Possible follow-ups>
- Re: [PEN-TEST] Password Protection Ben Ford (Oct 09)
- Re: [PEN-TEST] Password Protection Jensen, Greg (Oct 10)
- Re: [PEN-TEST] Password Protection White Vampire (Oct 10)
- Re: [PEN-TEST] Password Protection Dunker, Noah (Oct 10)
- Re: [PEN-TEST] Password Protection White Vampire (Oct 11)