Security Incidents mailing list archives
Compromise and Bind Replacement
From: sbrown () CYBERCYCLONE COM (Scott Brown)
Date: Wed, 28 Jun 2000 16:18:18 -0400
-----BEGIN PGP SIGNED MESSAGE-----

Our company has seen a host on our DMZ compromised, and the hacker replaced in.named with in.bind on the box. That program had some strange text in it when we did a strings on it. We were able to gather information from a sniffer as follows. Any idea as to what this may be, or where I may look for more information? It appeared to be a DoS attack or something like that, because our Internet router was having trouble keeping up with the requests. Below is a small log of what we were able to gather. The logs reflect real data, except the 10.0.0.0 address is the compromised host. Any help with this would be great. The test machine was removed from the network and is being rebuilt from scratch to be safe.

Frame  Status  Source Address     Dest. Address      Size  Rel. Time    Delta Time  Abs. Time               Summary
1      M       [10.0.0.0]         [195.120.118.14]   60    0:00:00.000  0.000.000   06/20/2000 10:24:43 AM  TCP: D=10 S=1086 ACK=1595927031 WIN=65535
2              [10.0.0.0]         [194.183.2.245]    60    0:00:00.037  0.037.799   06/20/2000 10:24:43 AM  TCP: D=110 S=1746 ACK=1595927031 WIN=65535
3              [10.0.0.0]         [212.41.210.197]   60    0:00:00.039  0.001.468   06/20/2000 10:24:43 AM  TCP: D=113 S=1337 ACK=1595927031 WIN=65535
4              [10.0.0.0]         [204.216.206.48]   60    0:00:00.046  0.007.292   06/20/2000 10:24:43 AM  TCP: D=132 S=1544 ACK=1595927031 WIN=65535
5              [10.0.0.0]         [194.133.0.210]    60    0:00:00.072  0.025.521   06/20/2000 10:24:43 AM  TCP: D=58 S=1883 ACK=1595927031 WIN=65535
6              [10.0.0.0]         [193.42.168.26]    60    0:00:00.232  0.160.194   06/20/2000 10:24:43 AM  TCP: D=53 S=1480 ACK=1595927031 WIN=65535
7              [10.0.0.0]         [204.216.206.48]   60    0:00:00.301  0.069.379   06/20/2000 10:24:43 AM  TCP: D=90 S=1646 ACK=1595927031 WIN=65535
8              [10.0.0.0]         [64.37.70.61]      60    0:00:00.500  0.198.636   06/20/2000 10:24:44 AM  TCP: D=41 S=1034 ACK=1595927031 WIN=65535
9              [10.0.0.0]         [216.65.109.5]     60    0:00:00.601  0.100.715   06/20/2000 10:24:44 AM  TCP: D=18 S=1266 ACK=878963338 WIN=65535
10             [10.0.0.0]         [212.41.210.197]   60    0:00:00.724  0.123.616   06/20/2000 10:24:44 AM  TCP: D=57 S=1769 ACK=878963338 WIN=65535
11             [10.0.0.0]         [195.120.118.14]   60    0:00:00.852  0.128.028   06/20/2000 10:24:44 AM  TCP: D=108 S=1333 ACK=878963338 WIN=65535
12             [10.0.0.0]         [62.11.58.95]      60    0:00:00.872  0.020.278   06/20/2000 10:24:44 AM  TCP: D=21 S=1542 ACK=878963338 WIN=65535
13             [10.0.0.0]         [216.65.109.5]     60    0:00:00.942  0.069.410   06/20/2000 10:24:44 AM  TCP: D=60 S=1003 ACK=878963338 WIN=65535
14             [10.0.0.0]         [212.141.98.142]   60    0:00:00.974  0.032.505   06/20/2000 10:24:44 AM  TCP: D=3776 S=1915 ACK=878963338 WIN=65535
15     #       [195.130.229.143]  [10.0.0.0]         70    0:00:01.027  0.052.745   06/20/2000 10:24:44 AM  Expert: Time-to-live exceeded in transmit ICMP: Time exceeded (Time to live exceeded in transit)
16             [10.0.0.0]         [194.183.2.245]    60    0:00:01.055  0.028.251   06/20/2000 10:24:44 AM  TCP: D=68 S=1464 ACK=878963338 WIN=65535
17             [10.0.0.0]         [64.37.70.61]      60    0:00:01.066  0.011.069   06/20/2000 10:24:44 AM  TCP: D=97 S=1970 ACK=878963338 WIN=65535
18             [10.0.0.0]         [194.133.0.210]    60    0:00:01.209  0.142.463   06/20/2000 10:24:44 AM  TCP: D=44 S=1459 ACK=878963338 WIN=65535
19             [10.0.0.0]         [212.141.98.142]   60    0:00:01.301  0.092.311   06/20/2000 10:24:44 AM  TCP: D=21954 S=1031 ACK=878963338 WIN=65535
20             [10.0.0.0]         [194.133.0.210]    60    0:00:01.458  0.157.119   06/20/2000 10:24:45 AM  TCP: D=128 S=1107 ACK=878963338 WIN=65535
21             [10.0.0.0]         [64.37.70.37]      60    0:00:01.467  0.008.405   06/20/2000 10:24:45 AM  TCP: D=9 S=1358 ACK=878963338 WIN=65535
22             [10.0.0.0]         [212.41.210.197]   60    0:00:01.495  0.028.637   06/20/2000 10:24:45 AM  TCP: D=85 S=1035 ACK=878963338 WIN=65535
23             [10.0.0.0]         [64.37.70.61]      60    0:00:01.538  0.042.456   06/20/2000 10:24:45 AM  TCP: D=55 S=1283 ACK=878963338 WIN=65535
24             [10.0.0.0]         [204.216.206.56]   60    0:00:01.971  0.433.116   06/20/2000 10:24:45 AM  TCP: D=129 S=1038 ACK=161999645 WIN=65535
25             [10.0.0.0]         [194.133.0.210]    60    0:00:02.008  0.037.434   06/20/2000 10:24:45 AM  TCP: D=86 S=1220 ACK=161999645 WIN=65535
26             [10.0.0.0]         [64.37.70.37]      60    0:00:02.054  0.045.471   06/20/2000 10:24:45 AM  TCP: D=65 S=1321 ACK=161999645 WIN=65535
27             [10.0.0.0]         [195.120.118.14]   60    0:00:02.292  0.238.073   06/20/2000 10:24:45 AM  TCP: D=122 S=1344 ACK=161999645 WIN=65535
28             [10.0.0.0]         [194.183.2.245]    60    0:00:02.375  0.083.113   06/20/2000 10:24:46 AM  TCP: D=54 S=1761 ACK=161999645 WIN=65535
29             [10.0.0.0]         [194.133.0.210]    60    0:00:02.403  0.028.424   06/20/2000 10:24:46 AM  TCP: D=128 S=1346 ACK=161999645 WIN=65535
30             [10.0.0.0]         [212.141.98.142]   60    0:00:02.435  0.031.760   06/20/2000 10:24:46 AM  TCP: D=70 S=1051 ACK=161999645 WIN=65535
31             [10.0.0.0]         [195.120.118.14]   60    0:00:02.504  0.068.422   06/20/2000 10:24:46 AM  TCP: D=108 S=1893 ACK=161999645 WIN=65535
32             [10.0.0.0]         [62.11.58.95]      60    0:00:02.633  0.129.207   06/20/2000 10:24:46 AM  TCP: D=21 S=1702 ACK=1592519600 WIN=65535
33             [10.0.0.0]         [194.183.2.245]    60    0:00:02.836  0.203.519   06/20/2000 10:24:46 AM  TCP: D=124 S=1149 ACK=1592519600 WIN=65535

Thank you,
Scott Brown

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQDVAwUBOVpdguR1bNjZZPIhAQEyJwYAkn2MNFMIuqCyfYUW7CT7/3t47Wh+MVJW
qVvO2O+pWp9Xs21AGnLod+hFNNBKWdFNTWYDXqY8mOompslI4gIBZTUd/pVEr0Rg
4Vl3yM/IZWXz70xa+I7fhciw3ugKkZc2rTGPN+mfN67nb9Xpa358r7YpKwTwQLSM
HvCOBRaiRkYSoPIDbi9H3aVlI1WcO3SzTMqm8KkxxvgId+Wjob8nqbmX0ly6voyX
deFuAduf/SHkLWO/Dpo66gk3N8v6lKEw
=8daS
-----END PGP SIGNATURE-----
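What the trace above shows is one host sending bare ACK segments, each to a different destination and a different low port, while the same ACK number is reused across unrelated destinations; a real TCP connection's ACK number belongs to exactly one peer, so that pattern cannot come from normal traffic. The following is an added example, not code from the original post or its author: it parses summary lines in the same one-line-per-frame layout as the trace and flags a source whose bare-ACK traffic looks like a flood. The frame layout, the rule that the sniffer prints SYN/FIN/RST textually when set, the thresholds, and the two benign lines for host 10.0.0.5 are all assumptions made for the example; the other sample lines are copied from the trace in the post.

```python
"""Flag ACK-flood behaviour in a flattened sniffer trace (added example)."""
import re
from collections import defaultdict

# Frame layout assumed from the post: number, optional status flag (M, #),
# [src], [dst], size, relative time, delta time, date, time, summary.
FRAME_RE = re.compile(
    r"^(?P<num>\d+)\s+(?:[M#]\s+)?\[(?P<src>[\d.]+)\]\s+\[(?P<dst>[\d.]+)\]\s+"
    r"(?P<size>\d+)\s+\S+\s+\S+\s+\S+\s+\S+\s+[AP]M\s+(?P<summary>.*)$"
)
TCP_RE = re.compile(r"TCP:\s+D=(?P<dport>\d+)\s+S=(?P<sport>\d+)\s+(?P<flags>.*)$")


def parse_frame(line):
    """Return a dict for one frame line, or None if the line does not match."""
    m = FRAME_RE.match(line.strip())
    if not m:
        return None
    frame = {"num": int(m["num"]), "src": m["src"], "dst": m["dst"],
             "size": int(m["size"]), "summary": m["summary"], "proto": "OTHER"}
    t = TCP_RE.search(m["summary"])
    if t:
        frame.update(proto="TCP", dport=int(t["dport"]), sport=int(t["sport"]))
        ack = re.search(r"ACK=(\d+)", t["flags"])
        frame["ack"] = int(ack.group(1)) if ack else None
        # Assumption: the sniffer names SYN/FIN/RST in the summary when set, so a
        # summary carrying only ACK=/WIN= is a bare ACK segment.
        frame["bare_ack"] = (frame["ack"] is not None
                             and not re.search(r"\b(SYN|FIN|RST)\b", t["flags"]))
    elif "ICMP:" in m["summary"]:
        frame["proto"] = "ICMP"
    return frame


def find_ack_floods(lines, min_packets=10, min_dst_ports=8, min_shared=5):
    """Return {src: report} for sources whose bare-ACK traffic looks like a flood.

    A source is flagged when it sends at least min_packets bare ACKs to at
    least min_dst_ports distinct destination ports and one ACK number lands on
    at least min_shared distinct destination hosts (impossible for real TCP).
    ICMP errors returned to the source are counted as supporting evidence.
    """
    by_src = defaultdict(list)
    icmp_back = defaultdict(int)
    for line in lines:
        f = parse_frame(line)
        if f is None:
            continue
        if f["proto"] == "TCP" and f.get("bare_ack"):
            by_src[f["src"]].append(f)
        elif f["proto"] == "ICMP":
            icmp_back[f["dst"]] += 1

    reports = {}
    for src, frames in by_src.items():
        if len(frames) < min_packets:
            continue
        dports = {f["dport"] for f in frames}
        hosts_per_ack = defaultdict(set)
        for f in frames:
            hosts_per_ack[f["ack"]].add(f["dst"])
        ack, hosts = max(hosts_per_ack.items(), key=lambda kv: len(kv[1]))
        if len(dports) >= min_dst_ports and len(hosts) >= min_shared:
            reports[src] = {
                "packets": len(frames),
                "dst_hosts": len({f["dst"] for f in frames}),
                "dst_ports": len(dports),
                "shared_ack": ack,
                "hosts_sharing_ack": len(hosts),
                "icmp_errors_back": icmp_back.get(src, 0),
            }
    return reports


# Frames 1-10 and 15 are copied from the trace in the post; frames 101-102 are
# constructed benign traffic (one workstation talking to one web server).
SAMPLE_TRACE = [
    "1 M [10.0.0.0] [195.120.118.14] 60 0:00:00.000 0.000.000 06/20/2000 10:24:43 AM TCP: D=10 S=1086 ACK=1595927031 WIN=65535",
    "2 [10.0.0.0] [194.183.2.245] 60 0:00:00.037 0.037.799 06/20/2000 10:24:43 AM TCP: D=110 S=1746 ACK=1595927031 WIN=65535",
    "3 [10.0.0.0] [212.41.210.197] 60 0:00:00.039 0.001.468 06/20/2000 10:24:43 AM TCP: D=113 S=1337 ACK=1595927031 WIN=65535",
    "4 [10.0.0.0] [204.216.206.48] 60 0:00:00.046 0.007.292 06/20/2000 10:24:43 AM TCP: D=132 S=1544 ACK=1595927031 WIN=65535",
    "5 [10.0.0.0] [194.133.0.210] 60 0:00:00.072 0.025.521 06/20/2000 10:24:43 AM TCP: D=58 S=1883 ACK=1595927031 WIN=65535",
    "6 [10.0.0.0] [193.42.168.26] 60 0:00:00.232 0.160.194 06/20/2000 10:24:43 AM TCP: D=53 S=1480 ACK=1595927031 WIN=65535",
    "7 [10.0.0.0] [204.216.206.48] 60 0:00:00.301 0.069.379 06/20/2000 10:24:43 AM TCP: D=90 S=1646 ACK=1595927031 WIN=65535",
    "8 [10.0.0.0] [64.37.70.61] 60 0:00:00.500 0.198.636 06/20/2000 10:24:44 AM TCP: D=41 S=1034 ACK=1595927031 WIN=65535",
    "9 [10.0.0.0] [216.65.109.5] 60 0:00:00.601 0.100.715 06/20/2000 10:24:44 AM TCP: D=18 S=1266 ACK=878963338 WIN=65535",
    "10 [10.0.0.0] [212.41.210.197] 60 0:00:00.724 0.123.616 06/20/2000 10:24:44 AM TCP: D=57 S=1769 ACK=878963338 WIN=65535",
    "15 # [195.130.229.143] [10.0.0.0] 70 0:00:01.027 0.052.745 06/20/2000 10:24:44 AM Expert: Time-to-live exceeded in transmit ICMP: Time exceeded (Time to live exceeded in transit)",
    "101 [10.0.0.5] [192.0.2.10] 60 0:00:05.000 0.001.000 06/20/2000 10:24:48 AM TCP: D=80 S=2001 ACK=410000001 WIN=8760",
    "102 [10.0.0.5] [192.0.2.10] 60 0:00:05.010 0.010.000 06/20/2000 10:24:48 AM TCP: D=80 S=2001 ACK=410001461 WIN=8760",
]

if __name__ == "__main__":
    for src, report in find_ack_floods(SAMPLE_TRACE).items():
        print(src, report)
```

Run against the sample, the detector reports 10.0.0.0 (ten bare ACKs to eight hosts on ten distinct ports, ACK 1595927031 shared by seven hosts, one ICMP error returned) and says nothing about 10.0.0.5. The thresholds are deliberately loose for an eleven-frame excerpt; on a full capture the shared-ACK rule is the one that matters, since random-port spraying alone can also be a port scan.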