Security Incidents mailing list archives

Compromise and Bind Replacement


From: sbrown () CYBERCYCLONE COM (Scott Brown)
Date: Wed, 28 Jun 2000 16:18:18 -0400


Our company has seen a host on our DMZ compromised, and the hacker
replaced the in.named with in.bind on the box.  That program had some
strange text in it when we did a strings on it.  We were able to
gather information from a sniffer as follows.  Any idea as to what
this may be, or where I may look for more information?  It appeared
to be a DoS attack or something like that because our Internet router
was having trouble keeping up with the requests.

Below is a small log of what we were able to gather.  The logs
reflect real data except the 10.0.0.0 address is the compromised
host.  Any help with this would be great.

The test machine was removed from the network and is being rebuilt
from scratch to be safe.

 Frame Status Source Address    Dest. Address      Size Rel. Time
Delta Time    Abs. Time              Summary
     1 M      [10.0.0.0] [195.120.118.14]     60 0:00:00.000
0.000.000     06/20/2000 10:24:43 AM TCP: D=10 S=1086
ACK=1595927031 WIN=65535
     2        [10.0.0.0] [194.183.2.245]      60 0:00:00.037
0.037.799     06/20/2000 10:24:43 AM TCP: D=110 S=1746
ACK=1595927031 WIN=65535
     3        [10.0.0.0] [212.41.210.197]     60 0:00:00.039
0.001.468     06/20/2000 10:24:43 AM TCP: D=113 S=1337
ACK=1595927031 WIN=65535
     4        [10.0.0.0] [204.216.206.48]     60 0:00:00.046
0.007.292     06/20/2000 10:24:43 AM TCP: D=132 S=1544
ACK=1595927031 WIN=65535
     5        [10.0.0.0] [194.133.0.210]      60 0:00:00.072
0.025.521     06/20/2000 10:24:43 AM TCP: D=58 S=1883
ACK=1595927031 WIN=65535
     6        [10.0.0.0] [193.42.168.26]      60 0:00:00.232
0.160.194     06/20/2000 10:24:43 AM TCP: D=53 S=1480
ACK=1595927031 WIN=65535
     7        [10.0.0.0] [204.216.206.48]     60 0:00:00.301
0.069.379     06/20/2000 10:24:43 AM TCP: D=90 S=1646
ACK=1595927031 WIN=65535
     8        [10.0.0.0] [64.37.70.61]        60 0:00:00.500
0.198.636     06/20/2000 10:24:44 AM TCP: D=41 S=1034
ACK=1595927031 WIN=65535
     9        [10.0.0.0] [216.65.109.5]       60 0:00:00.601
0.100.715     06/20/2000 10:24:44 AM TCP: D=18 S=1266
ACK=878963338 WIN=65535
    10        [10.0.0.0] [212.41.210.197]     60 0:00:00.724
0.123.616     06/20/2000 10:24:44 AM TCP: D=57 S=1769
ACK=878963338 WIN=65535
    11        [10.0.0.0] [195.120.118.14]     60 0:00:00.852
0.128.028     06/20/2000 10:24:44 AM TCP: D=108 S=1333
ACK=878963338 WIN=65535
    12        [10.0.0.0] [62.11.58.95]        60 0:00:00.872
0.020.278     06/20/2000 10:24:44 AM TCP: D=21 S=1542
ACK=878963338 WIN=65535
    13        [10.0.0.0] [216.65.109.5]       60 0:00:00.942
0.069.410     06/20/2000 10:24:44 AM TCP: D=60 S=1003
ACK=878963338 WIN=65535
    14        [10.0.0.0] [212.141.98.142]     60 0:00:00.974
0.032.505     06/20/2000 10:24:44 AM TCP: D=3776 S=1915
ACK=878963338 WIN=65535
    15 #      [195.130.229.143] [10.0.0.0]    70 0:00:01.027
0.052.745     06/20/2000 10:24:44 AM Expert: Time-to-live exceeded in
transmit

                          ICMP: Time exceeded (Time to live exceeded
in transit)
    16        [10.0.0.0] [194.183.2.245]      60 0:00:01.055
0.028.251     06/20/2000 10:24:44 AM TCP: D=68 S=1464
ACK=878963338 WIN=65535
    17        [10.0.0.0] [64.37.70.61]        60 0:00:01.066
0.011.069     06/20/2000 10:24:44 AM TCP: D=97 S=1970
ACK=878963338 WIN=65535
    18        [10.0.0.0] [194.133.0.210]      60 0:00:01.209
0.142.463     06/20/2000 10:24:44 AM TCP: D=44 S=1459
ACK=878963338 WIN=65535
    19        [10.0.0.0] [212.141.98.142]     60 0:00:01.301
0.092.311     06/20/2000 10:24:44 AM TCP: D=21954 S=1031
ACK=878963338 WIN=65535
    20        [10.0.0.0] [194.133.0.210]      60 0:00:01.458
0.157.119     06/20/2000 10:24:45 AM TCP: D=128 S=1107
ACK=878963338 WIN=65535
    21        [10.0.0.0] [64.37.70.37]        60 0:00:01.467
0.008.405     06/20/2000 10:24:45 AM TCP: D=9 S=1358
ACK=878963338 WIN=65535
    22        [10.0.0.0] [212.41.210.197]     60 0:00:01.495
0.028.637     06/20/2000 10:24:45 AM TCP: D=85 S=1035
ACK=878963338 WIN=65535
    23        [10.0.0.0] [64.37.70.61]        60 0:00:01.538
0.042.456     06/20/2000 10:24:45 AM TCP: D=55 S=1283
ACK=878963338 WIN=65535
    24        [10.0.0.0] [204.216.206.56]     60 0:00:01.971
0.433.116     06/20/2000 10:24:45 AM TCP: D=129 S=1038
ACK=161999645 WIN=65535
    25        [10.0.0.0] [194.133.0.210]      60 0:00:02.008
0.037.434     06/20/2000 10:24:45 AM TCP: D=86 S=1220
ACK=161999645 WIN=65535
    26        [10.0.0.0] [64.37.70.37]        60 0:00:02.054
0.045.471     06/20/2000 10:24:45 AM TCP: D=65 S=1321
ACK=161999645 WIN=65535
    27        [10.0.0.0] [195.120.118.14]     60 0:00:02.292
0.238.073     06/20/2000 10:24:45 AM TCP: D=122 S=1344
ACK=161999645 WIN=65535
    28        [10.0.0.0] [194.183.2.245]      60 0:00:02.375
0.083.113     06/20/2000 10:24:46 AM TCP: D=54 S=1761
ACK=161999645 WIN=65535
    29        [10.0.0.0] [194.133.0.210]      60 0:00:02.403
0.028.424     06/20/2000 10:24:46 AM TCP: D=128 S=1346
ACK=161999645 WIN=65535
    30        [10.0.0.0] [212.141.98.142]     60 0:00:02.435
0.031.760     06/20/2000 10:24:46 AM TCP: D=70 S=1051
ACK=161999645 WIN=65535
    31        [10.0.0.0] [195.120.118.14]     60 0:00:02.504
0.068.422     06/20/2000 10:24:46 AM TCP: D=108 S=1893
ACK=161999645 WIN=65535
    32        [10.0.0.0] [62.11.58.95]        60 0:00:02.633
0.129.207     06/20/2000 10:24:46 AM TCP: D=21 S=1702
ACK=1592519600 WIN=65535
    33        [10.0.0.0] [194.183.2.245]      60 0:00:02.836
0.203.519     06/20/2000 10:24:46 AM TCP: D=124 S=1149
ACK=1592519600 WIN=65535

Thank You

Scott Brown

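As an added example (not code from the original post), the following parses the three-line sniffer records in the layout quoted above and flags a host that fans bare 60-byte ACKs out to many destinations, which is the pattern a defender would alert on in this capture. The embedded sample is an excerpt of the poster's own frames (1, 2, 15 and 16); the thresholds and field names are assumptions.

```python
import re
from collections import defaultdict, Counter
# Constructed excerpt in the layout of the poster's sniffer log (frames 1, 2, 15, 16 of the post).
SAMPLE = """\
     1 M      [10.0.0.0] [195.120.118.14]     60 0:00:00.000
0.000.000     06/20/2000 10:24:43 AM TCP: D=10 S=1086
ACK=1595927031 WIN=65535
     2        [10.0.0.0] [194.183.2.245]      60 0:00:00.037
0.037.799     06/20/2000 10:24:43 AM TCP: D=110 S=1746
ACK=1595927031 WIN=65535
    15 #      [195.130.229.143] [10.0.0.0]    70 0:00:01.027
0.052.745     06/20/2000 10:24:44 AM Expert: Time-to-live exceeded in
transmit
    16        [10.0.0.0] [194.183.2.245]      60 0:00:01.055
0.028.251     06/20/2000 10:24:44 AM TCP: D=68 S=1464
ACK=878963338 WIN=65535
"""
# A record starts on a line with a frame number, optional status flag, [src] [dst] and frame size.
FRAME_RE = re.compile(r"^\s*(\d+)\s+[M#]?\s*\[([\d.]+)\]\s+\[([\d.]+)\]\s+(\d+)\s+")
TCP_RE = re.compile(r"TCP: D=(\d+) S=(\d+)\s+ACK=(\d+) WIN=(\d+)")

def parse_records(text):
    # Wrapped continuation lines belong to the most recent frame line; non-TCP frames (ICMP) get tcp=None.
    records, current = [], None
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            current = {"frame": int(m.group(1)), "src": m.group(2), "dst": m.group(3), "size": int(m.group(4)), "rest": ""}
            records.append(current)
        elif current is not None:
            current["rest"] += " " + line.strip()
    for r in records:
        t = TCP_RE.search(r["rest"])
        r["tcp"] = tuple(int(x) for x in t.groups()) if t else None  # (dport, sport, ack, win)
    return records

def flag_ack_flood(records, min_targets=5, min_bare_ratio=0.9):
    # Per source: many distinct targets, nearly all payload-less frames, and reused ACK numbers
    # (assumed thresholds) are not how a real client behaves; report the source with its counts.
    by_src = defaultdict(list)
    for r in records:
        if r["tcp"]:
            by_src[r["src"]].append(r)
    findings = {}
    for src, pkts in by_src.items():
        dsts = {p["dst"] for p in pkts}
        ports = {p["tcp"][0] for p in pkts}
        bare = sum(p["size"] <= 60 for p in pkts)  # 60 bytes is the minimum Ethernet frame: headers only
        acks = Counter(p["tcp"][2] for p in pkts)
        if len(dsts) >= min_targets and bare / len(pkts) >= min_bare_ratio:
            findings[src] = {"packets": len(pkts), "targets": len(dsts), "dst_ports": len(ports), "max_ack_reuse": max(acks.values())}
    return findings
```

Run against the full log from the post, the compromised host shows up with a dozen or more targets and repeated ACK numbers, while the single ICMP reply from 195.130.229.143 is ignored.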

