Re: Cracked by the Brazilians

[blaise () GEEKY NET (Blaise St-Laurent)]

This is starting to be a major problem. I've just discovered that i also
have /var/named/ADMROCKS. The issue here is that i've upgraded my bind to
bind-8.2.2-P3-1. This version seems to also be vulnerable. The security hole
seems to be with named binding to the outside interface, which i've been
told can be dissabled, though i've been unable to find out exactly how.

does anyone know if bind-8.2.2-P3-1.rpm was patched for the named-xfer bug?
the changelog doesn't mention it.

What's worse, another linux box that was a decently hacked was so trashed
that the owner (a friend of mine) had to be reformatted. Rogers @Home
recieved 20 or so complaints  about being portscaned by the machine and shut
off their access. The load when we logged in was around 20, and nothing
seemed to work anymore.

I'm surprised, RedHat usually has a better reaction time for stuff like
this.

> -----Original Message-----
> From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On
> Behalf Of Seth Milder
> Sent: March 30, 2000 1:23 PM
> To: INCIDENTS () SECURITYFOCUS COM
> Subject: Cracked by the Brazilians
>
>
> Hi.
>
> I am running a Linux server that is running RH 6.0. I have implemented
> TCP wrappers, portsentry, logcheck and religiously applied any patches
> as soon as possible. Still, I get cracked. My server runs Bind-8.2
> (caching nameserver only, which is bound to an ethernet card with
> private addresses), PostgreSQL, NFS, ssh2 (no root login allowed),
> ipop3d, and NIS. It also serves as a IP MASQ server for a computer lab
> through a second ethernet card. I found the usual BitchX stuff along
> with the package bscan.tar which contains:
>
> README  binfo  bscan  bscan.conf  core  dupecheck
>
> The README says:
>
>       BinD    bInD    biNd    BinD    bINd    BiNd    biNd    BInd    biND
>
>       Bind scanner by sagi.
>
>       This scanner is PRIVATE, so dont fucking send it to anyone!
>       if you do, you will die.
>
>       I'll bet you're sitting down teling yourself "Ok shuttup
> just tell me
>       how to use it."
>
>       If I'm right, than it means you are a fucking idiot and I'm
> NOT going
>       to teach the lamest script kiddie on earth how to use it.
>       Figure it out, it's easy.
>
>
>       - sagi & I_D_F.
>
>       *** CrEdiTs:
>       1. spwny :-) for his kewl dupecheck program.
>       2. 'Joshua James Drake' for the binfo program ;p.
>       3. I_D_F for helping with this README :)
>
>
> I guess this may have something to do with this:
>       [root@physics ADMROCKS]# pwd
>       /var/named/ADMROCKS
>
> But this is an empty directory. I think maybe it did not work. I can't
> remember what this is but I have seen it before. There is also the
> directory /usr4/.usr which contains:
>
> [root@physics .usr]# ls
> BitchX
> [LASF]_Hanging_Up_[Telesync][1of2].asf
> [LASF]_Mission_To_Mars_[GOOD.Telesync][1of2].asf  scr-bx      sexet2.mpg
> BitchX-75p3-Linux-glibc2-i386.tar
> [LASF]_Hanging_Up_[Telesync][2of2].asf
> [LASF]_Mission_To_Mars_[GOOD.Telesync][2of2].asf  sexet1.mpg  wserv
>
> I still do not know how they got in. Furthermore, I do not know how they
> obtained root access even if they did compromise a user account. I do
> know that ls and netstat are changed as well.
>
>
> Here is the first suspicious log entry:
>
>
> Mar 28 23:55:13 physics kernel: adm uses obsolete (PF_INET,SOCK_PACKET)
> Mar 28 23:55:13 physics kernel: eth0: Setting promiscuous mode.
> Mar 28 23:55:13 physics kernel: device eth0 entered promiscuous mode
> Mar 29 00:00:43 physics portsentry[638]: attackalert: SYN/Normal scan
> from host: slip-32-101-214-193.ri.br.prserv.net/32.101.214.193 to TCP
> port: 15
> Mar 29 00:00:43 physics portsentry[638]: attackalert: Host
> 32.101.214.193 has been blocked via wrappers with string: "ALL:
> 32.101.214.193"
> Mar 29 00:00:43 physics portsentry[638]: attackalert: Host
> 32.101.214.193 has been blocked via dropped route using command:
> "/sbin/ipchains -I input -s 32.101.214.193 -j DENY -
> l"
> Mar 29 00:00:49 physics kernel: Packet log: input DENY eth0 PROTO=6
> 32.101.214.193:4640 129.174.44.73:4380 L=60 S=0x00 I=39469 F=0x4000 T=54
> SYN (#1)
> Mar 29 00:00:52 physics kernel: Packet log: input DENY eth0 PROTO=6
> 32.101.214.193:4640 129.174.44.73:4380 L=60 S=0x00 I=39473 F=0x4000 T=54
> SYN (#1)
> Mar 29 00:00:58 physics kernel: Packet log: input DENY eth0 PROTO=6
> 32.101.214.193:4640 129.174.44.73:4380 L=60 S=0x00 I=39476 F=0x4000 T=54
> SYN (#1)
> Mar 29 00:02:49 physics kernel: Packet log: input DENY eth0 PROTO=6
> 32.101.214.193:4638 129.174.44.73:4380 L=55 S=0x00 I=39520 F=0x4000 T=54
> (#1)
>
>
>
> Then I get this:
>
>
> Mar 30 05:00:19 physics login[10906]: FAILED LOGIN 1 FROM
> ABD73C7E.ipt.aol.com FOR ftp, User not known to the underlying
> authentication module
> Mar 30 05:00:28 physics PAM_pwdb[10906]: authentication failure; (uid=0)
> -> postgres for login service
> Mar 30 05:00:29 physics login[10906]: FAILED LOGIN 2 FROM
> ABD73C7E.ipt.aol.com FOR postgres, Authentication failure
> Mar 30 05:00:33 physics PAM_pwdb[10906]: (login) session opened for user
> postgres by (uid=0)
> Mar 30 05:01:26 physics PAM_pwdb[10927]: (login) session opened for user
> postgres by (uid=0)
> Mar 30 05:01:31 physics PAM_pwdb[10943]: (su) session opened for user x
> by postgres(uid=40)
> Mar 30 05:04:47 physics identd[10961]: Connection from irc.Stanford.EDU
> Mar 30 05:04:57 physics identd[10961]: from: 198.94.52.220 (
> irc.Stanford.EDU ) for: 4160, 6667
> Mar 30 05:05:46 physics identd[10963]: Connection from irc.Stanford.EDU
> Mar 30 05:05:56 physics identd[10963]: from: 198.94.52.220 (
> irc.Stanford.EDU ) for: 4179, 6667
> Mar 30 05:05:57 physics identd[10965]: Connection from cypher.core.com
> Mar 30 05:05:57 physics identd[10965]: from: 208.133.73.83 (
> cypher.core.com ) for: 4190, 6667
> Mar 30 05:06:06 physics identd[10967]: Connection from irc.Stanford.EDU
> Mar 30 05:06:08 physics identd[10967]: from: 198.94.52.220 (
> irc.Stanford.EDU ) for: 4191, 6667
> Mar 30 05:06:15 physics identd[10969]: Connection from Irc.mcs.net
> Mar 30 05:06:15 physics identd[10969]: from: 192.160.127.97 (
> Irc.mcs.net ) for: 4198, 6667
> Mar 30 05:21:18 physics identd[11003]: Connection from osf1.gmu.edu
> Mar 30 05:21:18 physics identd[11003]: from: 129.174.1.13 ( osf1.gmu.edu
> ) for: 4507, 25
> Mar 30 06:11:26 physics PAM_pwdb[10943]: (su) session closed for user x
> Mar 30 06:13:09 physics kernel: VFS: file-max limit 4096 reached
> Mar 30 06:22:58 physics kernel: Unable to load interpreter
> Mar 30 06:23:59 physics kernel: Unable to load interpreter
> Mar 30 06:30:19 physics kernel: Unable to load interpreter
> Mar 30 06:32:37 physics kernel: Unable to load interpreter
> Mar 30 06:32:37 physics kernel: Unable to load interpreter
>
> Then they try to log on as a faculty member:
>
>
> Mar 30 10:52:04 physics login[26695]: FAILED LOGIN 1 FROM
> slip-32-101-214-192.ri.br.prserv.net FOR xxxxx, Authentication failure
> Mar 30 10:52:09 physics login[26695]: FAILED LOGIN 2 FROM
> slip-32-101-214-192.ri.br.prserv.net FOR xxxxx, Authentication failure
>
>
>
>
> Any ideas how they got in?
>
>
> Thanks,
>
>
> Seth