Security Incidents mailing list archives
Re: Cracked by the Brazilians
From: bugtraq () NETWORKICE COM (Robert Graham)
Date: Thu, 30 Mar 2000 15:25:56 -0800
Message begins: "My Server runs Bind-8.2"
Message queries: "How did they get in?"
Answer: http://www.securityfocus.com/bid/788.html

It is also extremely dangerous to expose PostgreSQL, NFS, and NIS to the Internet. You should probably reconsider that.

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () securityfocus com]On Behalf Of Seth Milder
Sent: Thursday, March 30, 2000 10:23 AM
To: INCIDENTS () securityfocus com
Subject: Cracked by the Brazilians

Hi.

I am running a Linux server that is running RH 6.0. I have implemented TCP wrappers, portsentry, logcheck and religiously applied any patches as soon as possible. Still, I get cracked.

My server runs Bind-8.2 (caching nameserver only, which is bound to an ethernet card with private addresses), PostgreSQL, NFS, ssh2 (no root login allowed), ipop3d, and NIS. It also serves as an IP MASQ server for a computer lab through a second ethernet card.

I found the usual BitchX stuff along with the package bscan.tar which contains:

README
binfo
bscan
bscan.conf
core
dupecheck

The README says:

BinD bInD biNd BinD bINd BiNd biNd BInd biND
Bind scanner by sagi.
This scanner is PRIVATE, so dont fucking send it to anyone! if you do, you will die.
I'll bet you're sitting down teling yourself "Ok shuttup just tell me how to use it."
If I'm right, than it means you are a fucking idiot and I'm NOT going to teach the lamest script kiddie on earth how to use it.
Figure it out, it's easy.
- sagi & I_D_F.

*** CrEdiTs:
1. spwny :-) for his kewl dupecheck program.
2. 'Joshua James Drake' for the binfo program ;p.
3. I_D_F for helping with this README :)

I guess this may have something to do with this:

[root@physics ADMROCKS]# pwd
/var/named/ADMROCKS

But this is an empty directory. I think maybe it did not work. I can't remember what this is but I have seen it before.

There is also the directory /usr4/.usr which contains:

[root@physics .usr]# ls
BitchX
BitchX-75p3-Linux-glibc2-i386.tar
[LASF]_Hanging_Up_[Telesync][1of2].asf
[LASF]_Hanging_Up_[Telesync][2of2].asf
[LASF]_Mission_To_Mars_[GOOD.Telesync][1of2].asf
[LASF]_Mission_To_Mars_[GOOD.Telesync][2of2].asf
scr-bx
sexet1.mpg
sexet2.mpg
wserv

I still do not know how they got in. Furthermore, I do not know how they obtained root access even if they did compromise a user account. I do know that ls and netstat are changed as well.

Here is the first suspicious log entry:

Mar 28 23:55:13 physics kernel: adm uses obsolete (PF_INET,SOCK_PACKET)
Mar 28 23:55:13 physics kernel: eth0: Setting promiscuous mode.
Mar 28 23:55:13 physics kernel: device eth0 entered promiscuous mode
Mar 29 00:00:43 physics portsentry[638]: attackalert: SYN/Normal scan from host: slip-32-101-214-193.ri.br.prserv.net/32.101.214.193 to TCP port: 15
Mar 29 00:00:43 physics portsentry[638]: attackalert: Host 32.101.214.193 has been blocked via wrappers with string: "ALL: 32.101.214.193"
Mar 29 00:00:43 physics portsentry[638]: attackalert: Host 32.101.214.193 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 32.101.214.193 -j DENY - l"
Mar 29 00:00:49 physics kernel: Packet log: input DENY eth0 PROTO=6 32.101.214.193:4640 129.174.44.73:4380 L=60 S=0x00 I=39469 F=0x4000 T=54 SYN (#1)
Mar 29 00:00:52 physics kernel: Packet log: input DENY eth0 PROTO=6 32.101.214.193:4640 129.174.44.73:4380 L=60 S=0x00 I=39473 F=0x4000 T=54 SYN (#1)
Mar 29 00:00:58 physics kernel: Packet log: input DENY eth0 PROTO=6 32.101.214.193:4640 129.174.44.73:4380 L=60 S=0x00 I=39476 F=0x4000 T=54 SYN (#1)
Mar 29 00:02:49 physics kernel: Packet log: input DENY eth0 PROTO=6 32.101.214.193:4638 129.174.44.73:4380 L=55 S=0x00 I=39520 F=0x4000 T=54 (#1)

Then I get this:

Mar 30 05:00:19 physics login[10906]: FAILED LOGIN 1 FROM ABD73C7E.ipt.aol.com FOR ftp, User not known to the underlying authentication module
Mar 30 05:00:28 physics PAM_pwdb[10906]: authentication failure; (uid=0) -> postgres for login service
Mar 30 05:00:29 physics login[10906]: FAILED LOGIN 2 FROM ABD73C7E.ipt.aol.com FOR postgres, Authentication failure
Mar 30 05:00:33 physics PAM_pwdb[10906]: (login) session opened for user postgres by (uid=0)
Mar 30 05:01:26 physics PAM_pwdb[10927]: (login) session opened for user postgres by (uid=0)
Mar 30 05:01:31 physics PAM_pwdb[10943]: (su) session opened for user x by postgres(uid=40)
Mar 30 05:04:47 physics identd[10961]: Connection from irc.Stanford.EDU
Mar 30 05:04:57 physics identd[10961]: from: 198.94.52.220 ( irc.Stanford.EDU ) for: 4160, 6667
Mar 30 05:05:46 physics identd[10963]: Connection from irc.Stanford.EDU
Mar 30 05:05:56 physics identd[10963]: from: 198.94.52.220 ( irc.Stanford.EDU ) for: 4179, 6667
Mar 30 05:05:57 physics identd[10965]: Connection from cypher.core.com
Mar 30 05:05:57 physics identd[10965]: from: 208.133.73.83 ( cypher.core.com ) for: 4190, 6667
Mar 30 05:06:06 physics identd[10967]: Connection from irc.Stanford.EDU
Mar 30 05:06:08 physics identd[10967]: from: 198.94.52.220 ( irc.Stanford.EDU ) for: 4191, 6667
Mar 30 05:06:15 physics identd[10969]: Connection from Irc.mcs.net
Mar 30 05:06:15 physics identd[10969]: from: 192.160.127.97 ( Irc.mcs.net ) for: 4198, 6667
Mar 30 05:21:18 physics identd[11003]: Connection from osf1.gmu.edu
Mar 30 05:21:18 physics identd[11003]: from: 129.174.1.13 ( osf1.gmu.edu ) for: 4507, 25
Mar 30 06:11:26 physics PAM_pwdb[10943]: (su) session closed for user x
Mar 30 06:13:09 physics kernel: VFS: file-max limit 4096 reached
Mar 30 06:22:58 physics kernel: Unable to load interpreter
Mar 30 06:23:59 physics kernel: Unable to load interpreter
Mar 30 06:30:19 physics kernel: Unable to load interpreter
Mar 30 06:32:37 physics kernel: Unable to load interpreter
Mar 30 06:32:37 physics kernel: Unable to load interpreter

Then they try to log on as a faculty member:

Mar 30 10:52:04 physics login[26695]: FAILED LOGIN 1 FROM slip-32-101-214-192.ri.br.prserv.net FOR xxxxx, Authentication failure
Mar 30 10:52:09 physics login[26695]: FAILED LOGIN 2 FROM slip-32-101-214-192.ri.br.prserv.net FOR xxxxx, Authentication failure

Any ideas how they got in?

Thanks,
Seth
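A responder-side triage script for the kind of syslog excerpt quoted in Seth's message, added here as an example; it is not code from the thread or from either poster. It takes lines from the posted log as sample input and flags the four indicators the excerpt itself shows: eth0 entering promiscuous mode (a sniffer), a successful login for an account shortly after failed attempts for that same account (the postgres guess), an su from a service account to a real user, and identd answering IRC servers on port 6667 for connections this host opened (BitchX or a bot). The rule names, the 10-minute guessing window and the SERVICE_ACCOUNTS set are my own assumptions, not anything the post states; only the Python 3 standard library is used.

```python
"""Triage rules for a BSD-syslog excerpt like the one in Seth Milder's post.

Added example for this archive page; not code from the thread. Rule names,
GUESS_WINDOW and SERVICE_ACCOUNTS are assumed values chosen for the example.
"""
import re
from datetime import datetime, timedelta

# "Mar 30 05:00:33 host prog[pid]: message" (pid is optional, e.g. for kernel)
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?:\s*(?P<msg>.*)$"
)
# login(1): "FAILED LOGIN 2 FROM <src> FOR <user>, Authentication failure"
FAILED_LOGIN_RE = re.compile(r"FAILED LOGIN \d+ FROM (?P<src>\S+) FOR (?P<user>[^,]+),")
# PAM_pwdb: "(login) session opened for user postgres by (uid=0)"
#           "(su) session opened for user x by postgres(uid=40)"
SESSION_RE = re.compile(r"\((?P<svc>\w+)\) session opened for user (?P<user>\S+) by (?P<by>\S+)")
# identd: "from: <ip> ( <name> ) for: <local port>, <remote port>" of an outbound connection
IDENTD_RE = re.compile(r"from: (?P<ip>\S+) \( (?P<name>\S+) \) for: (?P<lport>\d+), (?P<rport>\d+)")

SERVICE_ACCOUNTS = {"postgres", "ftp", "nobody", "named", "daemon", "bin"}  # assumed list
IRC_PORTS = {6667, 6668, 6669, 7000}                                        # common IRC ports
GUESS_WINDOW = timedelta(minutes=10)  # success this soon after a failure looks like guessing

# Constructed sample: a subset of the lines quoted in the post, in log order.
SAMPLE_LOG = """\
Mar 28 23:55:13 physics kernel: eth0: Setting promiscuous mode.
Mar 28 23:55:13 physics kernel: device eth0 entered promiscuous mode
Mar 30 05:00:19 physics login[10906]: FAILED LOGIN 1 FROM ABD73C7E.ipt.aol.com FOR ftp, User not known to the underlying authentication module
Mar 30 05:00:29 physics login[10906]: FAILED LOGIN 2 FROM ABD73C7E.ipt.aol.com FOR postgres, Authentication failure
Mar 30 05:00:33 physics PAM_pwdb[10906]: (login) session opened for user postgres by (uid=0)
Mar 30 05:01:26 physics PAM_pwdb[10927]: (login) session opened for user postgres by (uid=0)
Mar 30 05:01:31 physics PAM_pwdb[10943]: (su) session opened for user x by postgres(uid=40)
Mar 30 05:04:57 physics identd[10961]: from: 198.94.52.220 ( irc.Stanford.EDU ) for: 4160, 6667
Mar 30 05:21:18 physics identd[11003]: from: 129.174.1.13 ( osf1.gmu.edu ) for: 4507, 25
Mar 30 06:11:26 physics PAM_pwdb[10943]: (su) session closed for user x
""".splitlines()


def parse(line):
    """Return (datetime, timestamp text, program, message), or None if not a syslog line."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    # Syslog has no year; strptime defaults to 1900, which is fine for ordering within one log.
    ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S")
    return ts, m["ts"], m["prog"], m["msg"]


def analyze(lines):
    """Run the indicator rules over the lines; return a list of (rule, timestamp, detail)."""
    findings = []
    last_failure = {}  # user -> datetime of the most recent failed login for that user
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, when, prog, msg = parsed

        # 1. A sniffer switching the NIC to promiscuous mode.
        if prog == "kernel" and "entered promiscuous mode" in msg:
            findings.append(("sniffer", when, msg))

        fl = FAILED_LOGIN_RE.search(msg)
        if fl:
            last_failure[fl["user"].strip()] = ts

        se = SESSION_RE.search(msg)
        if se:
            user = se["user"]
            by = se["by"].split("(")[0]  # "postgres(uid=40)" -> "postgres"; "(uid=0)" -> ""
            if se["svc"] == "login":
                # 2. Success shortly after failures for the same account: guessing paid off.
                failed_at = last_failure.pop(user, None)
                if failed_at is not None and ts - failed_at <= GUESS_WINDOW:
                    findings.append(("guessed-password", when, f"login as {user} after failed attempts"))
                if user in SERVICE_ACCOUNTS:
                    findings.append(("service-account-login", when, user))
            elif se["svc"] == "su" and by in SERVICE_ACCOUNTS:
                # 3. Pivot from a service account to a real user.
                findings.append(("su-from-service-account", when, f"{by} -> {user}"))

        # 4. identd only answers for connections this host opened: an IRC client is running.
        ident = IDENTD_RE.search(msg)
        if ident and int(ident["rport"]) in IRC_PORTS:
            findings.append(("irc-client", when, f"{ident['name']}:{ident['rport']}"))
    return findings


if __name__ == "__main__":
    for rule, when, detail in analyze(SAMPLE_LOG):
        print(f"{when}  {rule:<24} {detail}")
```

Run against the sample it reports the sniffer on Mar 28, then on Mar 30 the guessed postgres password, the two service-account logins, the su to user x and the IRC connection, in that order; the osf1.gmu.edu identd answer for port 25 is not flagged. These rules describe what the logs show after the fact; they say nothing about the initial entry, which Robert's reply attributes to the BIND 8.2 issue in BID 788.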
Current thread:
- Re: Dramatic increase in UDP Port 137 (NetBIOS Name Service) probeactivity, (continued)
- Re: Dramatic increase in UDP Port 137 (NetBIOS Name Service) probeactivity Christoph Schneeberger (Mar 29)
- Re: Dramatic increase in UDP Port 137 (NetBIOS Name Service)probeactivity Bill Pennington (Mar 29)
- Re: 169.254.x.x (Dramatic increase in UDP Port 137 (NetBIOS Name Service) probe activity) Pavel Kankovsky (Mar 29)
- Re: 169.254.x.x (Dramatic increase in UDP Port 137 (NetBIOS Name Service) probe activity) Joshua Krage (Mar 29)
- Re: 169.254.x.x (Dramatic increase in UDP Port 137 (NetBIOS Name Service) probe activity) Greg A. Woods (Mar 29)
- Re: 169.254.x.x Robert Graham (Mar 29)
- Re: 169.254.x.x Pavel Kankovsky (Mar 30)
- Cracked by the Brazilians Seth Milder (Mar 30)
- Re: Cracked by the Brazilians Michael Damm (Mar 30)
- Re: Cracked by the Brazilians Seth Milder (Mar 30)
- Re: Cracked by the Brazilians Robert Graham (Mar 30)
- Re: Cracked by the Brazilians Seth Milder (Mar 30)
- Re: Cracked by the Brazilians Michael H. Warfield (Mar 30)
- Re: Cracked by the Brazilians Omachonu Ogali (Mar 30)
- Re: Cracked by the Brazilians Blaise St-Laurent (Mar 30)
- Re: Cracked by the Brazilians Ralf Spenneberg (Mar 30)
- Re: Cracked by the Brazilians Seth Milder (Mar 30)
- link-local IPs (Was "Re: 169.254.x.x (Dramatic increase in UDP Port 137 (NetBIOS Name Service) probe activity)") Richard Johnson (Mar 30)
- unapproved queries for "aol.com" Francis A. Vidal (Mar 26)
- Linux-box hacked, ls, ps, login modified Frank Derichsweiler (Mar 22)
- Re: Linux-box hacked, ls, ps, login modified Rick Tait (Mar 22)