Penetration Testing mailing list archives

Re: [PEN-TEST] DOS Attack


From: H D Moore <hdm () SECUREAUSTIN COM>
Date: Sun, 15 Oct 2000 17:43:52 -0500

Craig,

From your port listing I can see at least 6 ports of entry:

1. Secure Shell - Are you running an old version of SSH linked against
rsaref? How many user accounts do you have?
2. LPD - There have been quite a few lpd/lpngd exploits floating around
over the last few years.
3. MDBMS - Suse Linux (maybe others) distributed a version of mdbms that
allowed remote root compromise.
4. rpc.mountd - Probably running on one of those unknown ports, there
have been some buffer overflows in older versions (r00t)
5. NFS - Are you exporting any file systems?  Do these include a user's
home directory, root directory, or a directory containing passwords or
executables?
6. X11 - What hosts are you allowing to connect to your X server?
Someone may have sniffed your keystrokes.

I haven't seen rwhois in use before, is it a valid daemon?  What other
RPC services are you running?
$ rpcinfo -p <host>

-HD

http://www.digitaldefense.net (work)
http://www.digitaloffense.net (play)
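HD's point 4 is that rpc.mountd (and other RPC services) usually sit on one of the "unknown" high ports in a listing like Craig's, and that `rpcinfo -p` is how you find out which. The script below is an added example, not part of the original thread: it cross-references a port listing of that shape against `rpcinfo -p` output and relabels any port the portmapper has registered with its RPC program name, so the remaining "unknown" entries are the ones that still need to be traced to a process on the host. Both inputs are constructed sample data; the rpcinfo port numbers are made up to illustrate the match and are not real registrations from Craig's machine.

```shell
#!/bin/sh
# Added example (not from the original thread). Attribute "unknown" TCP
# ports in a port listing to RPC programs using `rpcinfo -p` output.

# Constructed port listing, trimmed copy of the one posted in the thread.
PORT_LISTING='Port    State       Protocol  Service
22      open        tcp        ssh
111     open        tcp        sunrpc
515     open        tcp        printer
620     open        tcp        unknown
1024    open        tcp        unknown
1030    open        tcp        iad1
2049    open        tcp        nfs'

# Constructed `rpcinfo -p` output in its usual column layout
# (program vers proto port name). Port values are invented for the example.
RPCINFO_OUTPUT='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp   1023  mountd
    100005    1   tcp    620  mountd
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100024    1   tcp   1024  status'

# annotate_ports PORT_LISTING RPCINFO_OUTPUT
# Prints every port line of the listing; where rpcinfo registered the same
# protocol/port pair, the service column becomes "rpc:<program name>".
annotate_ports() {
    { printf '%s\n' "$2"; echo '---'; printf '%s\n' "$1"; } | awk '
        /^---$/ { section = 1; next }
        # rpcinfo section: remember proto/port -> program name
        section == 0 {
            if ($3 == "tcp" || $3 == "udp") name[$3 "/" $4] = $5
            next
        }
        # port listing section: $1 port, $2 state, $3 proto, $4 service
        $1 ~ /^[0-9]+$/ {
            key = $3 "/" $1
            svc = (key in name) ? "rpc:" name[key] : $4
            printf "%-7s %-7s %-8s %s\n", $1, $2, $3, svc
        }
    '
}

# unattributed_ports PORT_LISTING RPCINFO_OUTPUT
# Lists the ports still labelled "unknown" after RPC attribution; these are
# the ones to trace to a process on the host itself.
unattributed_ports() {
    annotate_ports "$1" "$2" | awk '$4 == "unknown" { print $1 }'
}

annotate_ports "$PORT_LISTING" "$RPCINFO_OUTPUT"
echo "Still unattributed: $(unattributed_ports "$PORT_LISTING" "$RPCINFO_OUTPUT" | tr '\n' ' ')"
```

On the real host, capture `rpcinfo -p localhost` and the scanner's port listing into variables (or files) and pass them to `annotate_ports`. Anything that stays "unknown" is not an RPC registration and deserves a look at which process owns it; anything that resolves to mountd, nfs or status is the service HD is asking about and should be checked for version and export restrictions.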


"Craig T. Hancock" wrote:

Hello all, I am doing some research for a friend on a DOS attack on an IRIX 6.5; the attack, from what I was told, can be ported to a unix machine. So I am trying here; this is the info that I have on the attack. It is called Hack a Tick.

Hello all, a machine that I administer has been involved in a DOS attack on my subnet. The networking monitor group has told me that a person was connecting to my machine via port 31789, which is a udp port that caused a huge amount of overhead on the network.
The thing I don't understand is how this attack is caused; also, I don't understand how the person could have gotten in.
I didn't see any relevant info from the logs, but then again those could have been doctored.
Port    State       Protocol  Service
22      open        tcp        ssh
111     open        tcp        sunrpc
515     open        tcp        printer
620     open        tcp        unknown
800     open        tcp        mdbs_daemon
801     open        tcp        device
1024    open        tcp        unknown
1025    open        tcp        listen
1026    open        tcp        nterm
1030    open        tcp        iad1
1455    open        tcp        esl-lm
2049    open        tcp        nfs
4321    open        tcp        rwhois
6000    open        tcp        X11
I would like to know exactly how this attack is done, I mean I haven't been able to find out any specifics, and how it is prevented. I have checked the logs but I haven't been able to find out if the person ever got in. It looks like no one was logged in at the time, but then again the logs could have been doctored. Here is a reference to the attack; this is the only info that I have been able to find.

