Security Incidents mailing list archives

DDOS attacks on IRC


From: Elias Levy <aleph1 () SECURITYFOCUS COM>
Date: Wed, 13 Sep 2000 10:22:25 -0700

Return-Path: <owner-focus-linux () securityfocus com>
Delivered-To: focus-linux () lists securityfocus com
Received: from securityfocus.com (mail.securityfocus.com [207.126.127.78])
        by lists.securityfocus.com (Postfix) with SMTP id DF5151EEAA
        for <focus-linux () lists securityfocus com>; Wed, 13 Sep 2000 05:46:01 -0700 (PDT)
Received: (qmail 19964 invoked by alias); 13 Sep 2000 12:47:34 -0000
Delivered-To: FOCUS-LINUX () SECURITYFOCUS COM
Received: (qmail 19960 invoked from network); 13 Sep 2000 12:47:34 -0000
Received: from fes-qout.whowhere.com (HELO mailcity.com) (209.185.123.96)
  by mail.securityfocus.com with SMTP; 13 Sep 2000 12:47:34 -0000
Received: from Unknown/Local ([?.?.?.?]) by mailcity.com; Wed Sep 13 05:46:01 2000
To: LINUX () SECURITYFOCUS COM
Date: Wed, 13 Sep 2000 05:46:01 -0700
From: "Email for LA" <digex () lycos com>
Message-ID: <GIPPDKGGENIMCAAA () mailcity com>
Mime-Version: 1.0
Cc: FOCUS-LINUX () SECURITYFOCUS COM
X-Sent-Mail: on
Reply-To: digex () lycos com
X-Expiredinmiddle: true
X-Mailer: MailCity Service
Subject: Red Hat Linux release 6.0/6.1 (Hedwig) (Cartman) bug?
X-Sender-Ip: 63.23.223.26
Organization: Lycos Communications  (http://comm.lycos.com:80)
Content-Type: text/plain; charset=us-ascii
Content-Language: en
Content-Length: 3935
Content-Transfer-Encoding: 7bit
Sender: digex () mailcity com

Greetings,

Ok. As most of you know about IRC and how the DDOS-attack tool became a play-land for some kids, I realized that when I 
tried investigating those who hacked into our channel after a MASS DDOS and their ability to take my uplink via 
above.net down for almost 4 hours. Please look into this logfile and the work I went through:

users on hacked boxes:

#kuwait    rsync      H@  rsync () c137-s2-r11h5 upc chello no (resync)
#kuwait    rish       H@  rishi () c228044-b plano1 tx home com (me)
#kuwait    mkdir      H@  tom@208.238.180.130 (Tom Conlee)
#kuwait    poo`       H@  nobody () hb static nanosecond com (poo)
#kuwait    repo       H@  repo () ns gymtv sk (repo repo)
#kuwait    squid      H@  squid@195.226.110.10 (squid)
#kuwait    statd      H@  adm () w149 z208037132 sjc-ca dsl cnc net ()
#kuwait    rfe        H@  uucp@207.228.223.3 ()
#kuwait    scx        H@  bin () adsl-208-189-190-226 interviewmanager com (scx)
#kuwait    aaron      H@  aaron@24.222.15.7 (Aaron's Boat Charters)
#kuwait    daemon`    H@  daemon () w045 z208036043 lax-ca dsl cnc net (daemon)
#kuwait    shad       H@  shad () adsl-208-189-195-17 dsl rcsntx swbell net (me)


Along with that there is a security hole for sure. I tried to telnet into each host and this is what I got; please 
scroll downward..

-
Trying 212.186.113.137...
Connected to c137-s2-r11h5.upc.chello.no.
Escape character is '^]'.

Red Hat Linux release 6.0 (Hedwig)
Kernel 2.2.5-15 on an i486

-
Trying 24.17.167.99...
Connected to c228044-b.plano1.tx.home.com.
Escape character is '^]'.

Red Hat Linux release 6.0 (Hedwig)
Kernel 2.2.5-15 on an i686

-
Trying 208.238.180.130...
Connected to 208.238.180.130.
Escape character is '^]'.

Red Hat Linux release 6.1 (Cartman)
Kernel 2.2.12-20 on an i586

-
Trying 207.228.44.119...
Connected to hb.static.nanosecond.com.
Escape character is '^]'.

Red Hat Linux release 6.0 (Hedwig)
Kernel 2.2.13 on an i586
login:

-
ns.gymtv.sk telnet has been disabled. However, same version last I checked.

-
Trying 195.226.110.10...
Connected to 195.226.110.10.
Escape character is '^]'.

Red Hat Linux release 6.0 (Hedwig)
Kernel 2.2.5-15 on an i686
-
Trying 208.37.132.149...
Connected to w149.z208037132.sjc-ca.dsl.cnc.net.
Escape character is '^]'.

Red Hat Linux release 6.0 (Hedwig)
Kernel 2.2.5-15 on an i586
-
Trying 207.228.223.3...
Connected to 207.228.223.3.
Escape character is '^]'.

ns.tandj.net Login

Linux Kernel 2.2.5 on an i586

Unauthorized use will get you killed.
-
Trying 208.189.190.226...
Connected to adsl-208-189-190-226.interviewmanager.com.
Escape character is '^]'.

Red Hat Linux release 6.0 (Hedwig)
Kernel 2.2.14 on an i486
-
Trying 24.222.15.7...
Connected to 24.222.15.7.
Escape character is '^]'.

Red Hat Linux release 6.0 Publisher's Edition (Hedwig)
Kernel 2.2.5-15 on an i486
-
Trying 208.36.43.45...
Connected to w045.z208036043.lax-ca.dsl.cnc.net.
Escape character is '^]'.

Red Hat Linux release 6.0 (Hedwig)
Kernel 2.2.5-22 on an i686
-
Trying 208.189.195.17...
Connected to adsl-208-189-195-17.dsl.rcsntx.swbell.net.
Escape character is '^]'.

Red Hat Linux release 6.0 (Hedwig)
Kernel 2.2.10 on an i586
-
<END>


Now, those attackers are smart: mostly dial-ups/DSL/cable modems and hacked Linux boxes. Now even the owner of this box 
won't and can't locate any process; ps, netstat, etc. won't show it. I'm sure those kids are in the process of hacking more 
Red Hat 6.0 machines. I'm not sure how they got into all those boxes. I'll be more than happy to contact their ISPs and 
give them some feedback on this, to shut those boxes OFF or maybe to try to reinstall the lame OS version. Please let 
me know if you know anything about this release.



best regards;
-raed
LA@IRC
Senior Engineer.
digex () lycos com




Get your FREE Email and Voicemail at Lycos Communications at
http://comm.lycos.com

----- End forwarded message -----

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
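A defender working through a list like the one above usually wants the banner transcript turned into an inventory: which hosts still answer on telnet, what release and kernel each advertises, and which ISPs to notify. The script below is an added example, not part of the original message or of any SecurityFocus tooling; it parses the "Trying ... / Connected to ... / Red Hat Linux release ... / Kernel ..." block format of the post and groups the results. The transcript embedded in it is a constructed excerpt in that format (reusing a few hostnames from the post), and the `TRANSCRIPT`, `parse_transcript`, `summarize` and `contacts_by_domain` names are this example's own.

```python
"""Turn a telnet banner transcript (the post's format) into an inventory.

Added example; the transcript below is a constructed excerpt, not a fresh capture.
"""
import re
from collections import Counter, defaultdict

# Constructed excerpt in the format of the post's transcript.
TRANSCRIPT = """\
-
Trying 212.186.113.137...
Connected to c137-s2-r11h5.upc.chello.no.
Escape character is '^]'.

Red Hat Linux release 6.0 (Hedwig)
Kernel 2.2.5-15 on an i486

-
ns.gymtv.sk telnet has been disabled. however same version last I checked.

-
Trying 207.228.223.3...
Connected to 207.228.223.3.
Escape character is '^]'.

ns.tandj.net Login

Linux Kernel 2.2.5 on an i586

Unauthorized use will get you killed.
-
Trying 208.189.195.17...
Connected to adsl-208-189-195-17.dsl.rcsntx.swbell.net.
Escape character is '^]'.

Red Hat Linux release 6.0 (Hedwig)
Kernel 2.2.10 on an i586
-
<END>
"""

TRYING = re.compile(r"^Trying (\S+?)\.\.\.$")
CONNECTED = re.compile(r"^Connected to (\S+?)\.?$")
RELEASE = re.compile(r"^(Red Hat Linux release .*?)\s*\((\w+)\)$")
KERNEL = re.compile(r"Kernel (\S+) on an? (\w+)")
DISABLED = re.compile(r"^(\S+) telnet has been disabled")


def _parse_block(lines):
    """One '-'-separated block becomes one host record (or None for empty/<END> blocks)."""
    rec = {"ip": None, "host": None, "release": None, "codename": None,
           "kernel": None, "arch": None, "telnet_open": False}
    for line in lines:
        if (m := TRYING.match(line)):
            rec["ip"] = m.group(1)
        elif (m := CONNECTED.match(line)):
            rec["host"] = m.group(1)
            rec["telnet_open"] = True          # a connect succeeded, banner or not
        elif (m := RELEASE.match(line)):
            rec["release"], rec["codename"] = m.group(1), m.group(2)
        elif (m := KERNEL.search(line)):
            rec["kernel"], rec["arch"] = m.groups()
        elif (m := DISABLED.match(line)):
            rec["host"] = m.group(1)           # the author's note for a host with telnet off
    if rec["host"] is None and rec["ip"] is None:
        return None
    return rec


def parse_transcript(text):
    """Split the transcript on lines that are just '-' and parse each block."""
    records, block = [], []
    for line in text.splitlines() + ["-"]:   # trailing '-' flushes the last block
        if line.strip() == "-":
            rec = _parse_block(block)
            if rec:
                records.append(rec)
            block = []
        else:
            block.append(line.rstrip())
    return records


def summarize(records):
    """Count telnet-reachable hosts per (release, kernel); list those with no release banner."""
    by_version, no_banner = Counter(), []
    for r in records:
        if not r["telnet_open"]:
            continue
        if r["release"]:
            by_version[(r["release"], r["kernel"])] += 1
        else:
            no_banner.append(r["host"])
    return by_version, no_banner


def contacts_by_domain(records):
    """Group hosts by the last two DNS labels, the usual starting point for an abuse notification."""
    groups = defaultdict(list)
    for r in records:
        host = r["host"] or r["ip"]
        key = ".".join(host.split(".")[-2:]) if not host.replace(".", "").isdigit() else "ip-only"
        groups[key].append(host)
    return dict(groups)


if __name__ == "__main__":
    recs = parse_transcript(TRANSCRIPT)
    versions, unknown = summarize(recs)
    for (release, kernel), n in sorted(versions.items()):
        print(f"{n:2d}  {release}, kernel {kernel}")
    print("connected, no release banner:", unknown)
    print("by domain:", contacts_by_domain(recs))
```

The release/kernel grouping is what matters for the thread's question: every reachable host in the post advertises a Red Hat 6.0/6.1 banner on a stock 2.2.x kernel, so the useful next step is to check those versions against the vendor's errata rather than to guess at a single bug.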

