Security Incidents mailing list archives

Re: Scanners using netcraft?

From: bugtraq () ORGONE NEGATION NET (sekurity)
Date: Wed, 5 Jan 2000 11:41:19 -0800


if you run tcpdump and then killall -9 tcpdump, eth0 gets left in promisc
mode, for example.

its so trivial to cover up a promisc interface by trojaning netstat and
wh0ring logs, theres room to look for a innocuous answer when you find
one.

also, i thought mandrake was based on redhat, so most redhat exploits
should apply it would seem.

hope this helps,

jms
negation.net

On Wed, 5 Jan 2000, Michael Damm wrote:

-----BEGIN PGP SIGNED MESSAGE-----

Hello.

I helped a good friend do some basic security on this small business
webserver a while back.
Tonight I received a message from him stating that it something was
up and he didn't quite understand it.

His eth0 device was put into promisc, as I told him, an obvious sign
the box was owned somehow.

The only things I was able to dig out of the logs was:
httpd log:
195.188.192.12 - - [03/Jan/2000:00:05:46 -0800] "HEAD / HTTP/1.1" 200
0
(resolves to zanussi.netcraft.com)

then syslog:
Jan  4 15:58:54 [boxname] kernel: eth0: Setting promiscuous mode.
Jan  4 15:58:54 [boxname] kernel: device eth0 entered promiscuous
mode
Jan  4 15:58:55 [boxname] kernel: eth0: Setting promiscuous mode.
Jan  4 15:58:55 [boxname] kernel: device eth0 left promiscuous mode
(All clock times approx. 20 min off from Pacific time)

A quick run over to my favorite 0day site gave me only a local
exploit for his OS (Mandrake 6)

All daemons that were running were the latest version, and those were
minimal, taking my security advice. I cant get an exact list or any
further data right now, it appears he 'eth0 down'ed the box.

My questions for the list:
1. is netcraft.com being used it some mass scan for a httpd related
or other remote overflow?
2. Is Mandrake 6 obviously vulnerable to something I'm not aware of?


Thanks,
    Mike
    Security and stuff. Hire me.

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.2

iQCVAwUBOHL/IXdViB0XYAcrAQHczwP/WFqcmtLDccPI3R8LDVXsQk3IDYyFQLe9
Yfr0Yz5y5ks3493tabI2eAoUdLVRN1pqoH9wrrrs8zdRuOp3Xk3rdL2CD+dV5E+g
etheVtFnUsKSfuirUwMMpbDVrzDxsW2lrpNSUJ83Ft90hONaG89bIo00ofeHvq1m
u+pZdbX8RJw=
=N2kW
-----END PGP SIGNATURE-----

Current thread:

Scanners using netcraft? Michael Damm (Jan 05)
- Re: Scanners using netcraft? Richard Trott (Jan 05)
- Re: Scanners using netcraft? Mike Johnson (Jan 05)
  - Got cracked/attacked this morning Filip M. Gieszczykiewicz (Jan 08)
  - god damn - we got rooted again (long, alas) Filip M. Gieszczykiewicz (Jan 09)
  - rootkit site found in sniff log (??) Filip M. Gieszczykiewicz (Jan 09)
- Re: Scanners using netcraft? Al Huger - Mail Account (Jan 05)
- Port 3593 Raistlin (Jan 05)
- Re: Scanners using netcraft? sekurity (Jan 05)
- <Possible follow-ups>
- Re: Scanners using netcraft? Eric Cholet (Jan 05)
  - Re: Scanners using netcraft? mea culpa (Jan 10)