Security Incidents mailing list archives

sendmail/identd attack


From: gyst () NFG NL (Guido A.J. Stevens)
Date: Fri, 31 Mar 2000 09:57:43 +0200


We've been subjected to two prolonged attacks yesterday. The attacks
were from different IPs and have slightly different signatures. Both
were sourced from port 113 and targeted at port 25.

What bothers me is that we suffered a general protection error on our
own identd process after the first attack. Which triggers a paranoia
protection error in my mindware, asking: is anybody aware of a new
tool that uses a compromised identd to propagate itself via a sendmail
channel? Or something like that.......

Has anybody seen an attack like this before? Is anybody aware of a
(new) tool with these signatures? I'm hoping somebody here can provide
some insights.

A more detailed description of the progression of events follows
below. I did a bit of ip/hostname obfuscation, of course, if only to
protect the 0wned machine that was used to attack us :-[

The attack starts with a port 25 scan.

Mar 30 16:14:16 abyss libnids: Scan from attacker.1.ip. Scanned ports: target.b1.cnet.131:25,target.b1.cnet.209:25,target.b1.cnet.217:25,target.b1.cnet.211:25,target.b1.cnet.213:25,target.b1.cnet.210:25,target.b1.cnet.214:25,target.b1.cnet.208:25,target.b1.cnet.216:25,target.b1.cnet.215:25,target.b1.cnet.212:25,scan type: SYN

This passes our incoming firewall. Some of those probes just elicit responses that are
blocked and logged:

Mar 30 16:14:17 abyss kernel: IP fw-out deny eth0 TCP target.b1.cnet.219:17521 attacker.1.ip:113 L=44 S=0x00 I=58938 F=0x0000 T=64
Mar 30 16:14:17 abyss kernel: IP fw-out deny eth0 TCP target.b1.cnet.218:17522 attacker.1.ip:113 L=44 S=0x00 I=58945 F=0x0000 T=64

But some seem to make it through to the application layer:

Mar 30 16:14:18 abyss sendmail[11823]: NOQUEUE: Null connection from IDENT:root () 0wned machine edu [attacker.1.ip]
Mar 30 16:14:19 abyss sendmail[11828]: NOQUEUE: Null connection from IDENT:root () 0wned machine edu [attacker.1.ip]
Mar 30 16:14:19 abyss kernel: IP fw-out deny eth0 TCP target.b1.cnet.211:17492 attacker.1.ip:113 L=44 S=0x00 I=59024 F=0x0000 T=64
Mar 30 16:14:20 abyss kernel: IP fw-out deny eth0 TCP target.b1.cnet.217:17512 attacker.1.ip:113 L=44 S=0x00 I=59031 F=0x0000 T=64

So far, so good. What really bothers me though, is the kernel general
protection error on identd that follows some hours later:

Mar 30 22:27:56 abyss kernel: general protection: 0000
Mar 30 22:27:56 abyss kernel: CPU:    0
Mar 30 22:27:56 abyss kernel: EIP:    0010:[get__netinfo+334/684]
Mar 30 22:27:56 abyss kernel: EFLAGS: 00010206
Mar 30 22:27:56 abyss kernel: eax: 7001285c   ebx: 04cb2c0c   ecx: 00000000   edx: 00000000
Mar 30 22:27:56 abyss kernel: esi: 00000000   edi: 00000180   ebp: 00000000   esp: 04befe78
Mar 30 22:27:56 abyss kernel: ds: 0018   es: 0018   fs: 002b   gs: 002b   ss: 0018
Mar 30 22:27:56 abyss kernel: Process identd (pid: 29125, process nr: 60, stackpage=04bef000)
Mar 30 22:27:56 abyss kernel: Stack: 07fe4000 0019c06c 051b74c8 00000400 ffffffff 00000000 04befeb0 00004b80
Mar 30 22:27:56 abyss kernel:        00000095 04010050 08fc0435 43116dc2 2b917d81 00000000 38343120 3030203a
Mar 30 22:27:56 abyss kernel:        30303030 303a3030 20303530 30303030 30303030 3030303a 37302030 30303020
Mar 30 22:27:56 abyss kernel: Call Trace: [ip_rcv+1107/1412] [tcp_get_info+33/40] [proc_readnet+173/324] [sys_read+192/232] [system_call+85/124]
Mar 30 22:27:56 abyss kernel: Code: 8b 40 04 89 44 24 14 8b 54 24 14 52 31 c0 85 f6 74 06 8b 83
Mar 30 22:27:56 abyss kernel: Aiee, killing interrupt handler

Which repeats itself some 5 minutes later.

Then, some hours later, the circus starts anew with another attack
from another IP, in which again both sendmail and identd seem to be involved:

Mar 31 01:03:03 abyss libnids: Scan from attacker.2.ip. Scanned ports: target.b2.cnet.72:25,target.b2.cnet.73:25,target.b2.cnet.74:25,target.b2.cnet.75:25,target.b2.cnet.76:25,194.109.17.77:25,target.b2.cnet.78:25,target.b2.cnet.79:25,target.b2.cnet.80:25,target.b2.cnet.81:25,target.b2.cnet.82:25,scan type: SYN
Mar 31 01:03:03 abyss libnids: Max number of TCP streams reached,from attacker.2.ip:3965 to  target.b2.cnet.82:25
Mar 31 01:03:03 abyss libnids: Max number of TCP streams reached,from attacker.2.ip:3966 to  target.b2.cnet.83:25
Mar 31 01:03:03 abyss libnids: Max number of TCP streams reached,from attacker.2.ip:3967 to  target.b2.cnet.84:25
Mar 31 01:03:03 abyss libnids: Max number of TCP streams reached,from attacker.2.ip:3968 to  target.b2.cnet.85:25
Mar 31 01:03:03 abyss libnids: Max number of TCP streams reached,from attacker.2.ip:3969 to  target.b2.cnet.86:25
Mar 31 01:03:03 abyss libnids: Max number of TCP streams reached,from attacker.2.ip:3970 to  target.b2.cnet.87:25
Mar 31 01:03:04 abyss kernel: IP fw-out deny eth0 TCP target.b2.cnet.64:5331 attacker.2.ip:113 L=44 S=0x00 I=39104 F=0x0000 T=64
Mar 31 01:03:04 abyss kernel: IP fw-out deny eth0 TCP target.b2.cnet.66:5332 attacker.2.ip:113 L=44 S=0x00 I=39109 F=0x0000 T=64
Mar 31 01:03:04 abyss libnids: Max number of TCP streams reached,from target.b2.cnet.65:5335 to  attacker.2.ip:113
Mar 31 01:03:04 abyss kernel: IP fw-out deny eth0 TCP target.b2.cnet.67:5341 attacker.2.ip:113 L=44 S=0x00 I=39121 F=0x0000 T=64
Mar 31 01:03:04 abyss kernel: IP fw-out deny eth0 TCP target.b2.cnet.68:5394 attacker.2.ip:113 L=44 S=0x00 I=39126 F=0x0000 T=64

etc. etc. This results in some unusual sendmail log messages:

Mar 31 01:03:34 abyss sendmail[3187]: NOQUEUE: Null connection from hostile.dialin.home.com [attacker.2.ip]
Mar 31 01:03:34 abyss sendmail[3188]: NOQUEUE: SYSERR: putoutmsg (hostile.dialin.home.com): error on output channel sending "220 mailserver.target.net ESMTP Sendmail 8.9.3/8.9.3/Debian/GNU; Fri, 31 Mar 2000 01:03:34 +0200": Broken pipe
Mar 31 01:03:34 abyss sendmail[3188]: NOQUEUE: Null connection from hostile.dialin.home.com [attacker.2.ip]
Mar 31 01:03:34 abyss sendmail[3189]: NOQUEUE: SYSERR: putoutmsg (hostile.dialin.home.com): error on output channel sending "220 mailserver.target.net ESMTP Sendmail 8.9.3/8.9.3/Debian/GNU; Fri, 31 Mar 2000 01:03:34 +0200": Broken pipe

I'm puzzled. Can anybody clue me in as to what's been going on here?

:*CU#

--
***    Guido A.J. Stevens      ***    mailto:gyst () nfg nl    ***
***    Net Facilities Group    ***    tel:+31.43.3618933    ***
***    http://www.nfg.nl       ***    fax:+31.43.3560502    ***

narratives of digital utopias attempt to engage the pragmatics of anticipation
[Coyne, ISBN 0-262-03260-0, p. 145]
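A small detector for the pattern described in the post above (a port 25 scan, our own identd lookups back to port 113 being dropped by the outbound firewall, and sendmail "Null connection" entries, all from one remote IP). This is an added example, not code from the original post; the log lines and the 10.0.0.x / 192.0.2.x addresses are constructed to mirror the libnids, ipfwadm and sendmail formats quoted above.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the line formats quoted in the post (not the original logs).
SAMPLE_LOG = """\
Mar 30 16:14:16 abyss libnids: Scan from 10.0.0.1. Scanned ports: 192.0.2.131:25,192.0.2.209:25,scan type: SYN
Mar 30 16:14:17 abyss kernel: IP fw-out deny eth0 TCP 192.0.2.219:17521 10.0.0.1:113 L=44 S=0x00 I=58938 F=0x0000 T=64
Mar 30 16:14:18 abyss sendmail[11823]: NOQUEUE: Null connection from IDENT:root@host.example.invalid [10.0.0.1]
Mar 30 16:14:19 abyss kernel: IP fw-out deny eth0 TCP 192.0.2.211:17492 10.0.0.1:113 L=44 S=0x00 I=59024 F=0x0000 T=64
Mar 30 17:00:00 abyss sendmail[11900]: NOQUEUE: Null connection from mail.example.invalid [10.0.0.2]
"""

# libnids scan summary: source IP, comma-separated host:port list, scan type
SCAN_RE = re.compile(r"libnids: Scan from (\S+)\. Scanned ports: (.*?),scan type: (\w+)")
# ipfwadm outbound deny: src host:port followed by dst host:port
FWOUT_RE = re.compile(r"IP fw-out deny \S+ TCP (\S+):(\d+) (\S+):(\d+)")
# sendmail null connection: the bracketed address is the remote IP
NULLCONN_RE = re.compile(r"sendmail\[\d+\]: NOQUEUE: Null connection from (.*?) \[([^\]]+)\]")


def correlate(log_text, ident_port=113):
    """Group scan, blocked outbound ident and sendmail null-connection events by remote IP."""
    events = defaultdict(lambda: {"scanned_ports": set(),
                                  "ident_replies_blocked": 0,
                                  "null_connections": 0})
    for line in log_text.splitlines():
        m = SCAN_RE.search(line)
        if m:
            ip, ports, _scan_type = m.groups()
            events[ip]["scanned_ports"].update(p.rsplit(":", 1)[1] for p in ports.split(","))
            continue
        m = FWOUT_RE.search(line)
        if m:
            _src_ip, _src_port, dst_ip, dst_port = m.groups()
            if int(dst_port) == ident_port:   # our identd lookup back to the scanner was dropped
                events[dst_ip]["ident_replies_blocked"] += 1
            continue
        m = NULLCONN_RE.search(line)
        if m:
            events[m.group(2)]["null_connections"] += 1
    return events


def suspicious_sources(events):
    """Remote IPs that scanned port 25, triggered blocked ident lookups and opened null SMTP sessions."""
    return sorted(ip for ip, e in events.items()
                  if "25" in e["scanned_ports"]
                  and e["ident_replies_blocked"] > 0
                  and e["null_connections"] > 0)
```

On the sample above only 10.0.0.1 matches all three signals; 10.0.0.2 produced a single null connection and is left alone.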


