Re: Exodus: this is bad

["Alex P. Rudnev" <alex () Relcom EU net>]

Folks. All (ALL) Linux-based NS servers or other LInux servers with IMAPD 
turned on (default) and withouth imapd patch (I do not know if it exist 
at all) can be treaten as COMPROMISED. I have found (and closed) more 
than 20 backdoored servers over the world in a week (and it was done by 
ONLY ONE HACKER)!

What do you discuss? This was not serious attack, it was (I think) usial 
network scanning they are doing (or was doing) EVERY DAY.




On Mon, 16 Nov 1998, Richard Irving wrote:

> Date: Mon, 16 Nov 1998 20:34:23 -0500
> From: Richard Irving <rirving () onecall net>
> To: Jared Mauch <jared () puck nether net>
> Cc: Adam Rothschild <asr () millburn net>, list () inet-access net,
>     nanog () merit edu
> Subject: Re: Exodus: this is bad
>
> It looks worse Jared,
>
>   This appears to be a concerted effort. This type of attack
> is propogating to new origin IP's by the hour. There seems to
> be a pattern forming....
>
>   DNS server is compromised.  (Bind ? Autohack ?)
>   local programs set up to crack local passwords.
>   (Dumps results to FTP directory)
>   local program set up to port probe/asttack other DNS's.
>   (Dumps results to FTP directory)
>
>   Someone said Linux servers appear to be primary targets..
>   I suggest maybe Linux servers were more likely to have a vulnerable
>   configuration... Probers running locally,( that I saw), did not *seem*
>   to discriminate. (Conjecture Based on output of parasitic programs)
>   
>   I hate to profer alt.net.conspiracy...... But...
>
>   the above data was collected both by myself, as well as another
>   NANOG member who may want to remain anonymous... 
>   (He didn't post it to the group)
>
>   CERT does have an alert posted, but I am not sure 
>   they know how pervasive this is.....
>
>
>   
>   
>
> Jared Mauch wrote:
> > On Mon, Nov 16, 1998 at 06:51:53PM -0500, Adam Rothschild wrote:
> > > Am I forgetting anything?
> >
> >         Yeah.
> >
> >         Calling the providers where the attack is originating from.
> >
> >         Calling your local law enforcement agencies and alerting
> > them to the problem at hand
> >
> >         Calling your local fbi agent and telling them what is going on.
> >
> >         Calling CERT and opening up a case
> >
> >         I'm sure if you get CERT+FBI+Local law agencies calling *ANY*
> > noc, someone is going to notice.
> >
> >         And for fun, call CNN, or some other news agency, and say
> > "xxx hasn't dealt with this after many phone calls, etc..".
> >
> >         If none of those paths provides you with the desired response,
> > unplug your ethernet cable.
> >
> >         - jared
> >
> > --
> > Jared Mauch  | pgp key available via finger from jared () puck nether net
> >              | http://puck.nether.net/~jared/

Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 239-10-10, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)