Date: Wed, 04 Apr 2001 08:37:05 -0400
From: Mikel <mikel@ocsinternet.com>
To: David Preece <davep@afterswish.com>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Hacked?
Message-ID: <3ACB1570.5772CB24@ocsinternet.com>
References: <5.0.2.1.1.20010404120017.02239310@pop3.paradise.net.nz>
David,

One thing you could try is to repull the source from somewhere safe like CD, and then rebuild the system. Also for future, I would consider adding ipfw or ipf to the mix. On a side note, it would be interesting to see what they did do to the box. I've come across a few where the hackers left a version of ps that initiated an ssh connection back to them....

Cheers,
Mikel

David Preece wrote:

> Hi,
>
> This is a copy of something I just posted to usenet (nz.comp). In a
> nutshell it is to do with how I think my FreeBSD machine has just been
> compromised and what they're doing with it. Could someone who knows about
> network security please comment on all this?
>
> Very much looking forward to finding a sensible explanation.
>
> Dave :(
>
> --------------------------------------------------------
>
> Subject: Storm brewing on cable modem network.
>
> Having got used to the 'incoming' light on my cable modem being
> bombarded with broadcast traffic, I was less than impressed to see the
> 'outgoing' light joining in the fun this morning.
>
> Now, I've had a FreeBSD machine permanently on acting as a firewall
> and address translator. Despite inetd being turned off and very VERY
> few daemons running...
>
> bash-2.03# ps ax
>   PID  TT  STAT      TIME COMMAND
>     0  ??  DLs    0:00.01  (swapper)
>     1  ??  SLs    0:00.04 /sbin/init --
>     2  ??  DL     0:00.73  (pagedaemon)
>     3  ??  DL     0:00.00  (vmdaemon)
>     4  ??  DL     0:00.03  (bufdaemon)
>     5  ??  DL     0:00.76  (syncer)
>    27  ??  Is     0:00.00 adjkerntz -i
>    73  ??  Is     0:00.04 dhcpd ep1
>    86  ??  Ss     0:38.12 /sbin/natd -n ep0
>   103  ??  Is     0:00.44 syslogd
>   168  d0  Ss     0:01.17 -bash (bash)
>   250  d0  R+     0:00.00 ps ax
>
> ...I was never entirely convinced about the security of the thing so
> this was not a huge surprise, but very unwelcome none the less. So
> rather than swear and rebuild the thing, I tried having a look to see
> what's going on. Now, the root kit that is now no doubt installed will
> be hiding itself on ps, netstat, things like that. None the less, we
> can get some idea of the traffic:
>
> bash-2.03# netstat -I ep0 -w 1
>             input          (ep0)           output
>    packets  errs      bytes    packets  errs      bytes colls
>          9     0        788          1     0        110     0
>         13     0       1884          9     0       1384     0
>         12     0       1145          7     0        795     0
>          9     0        861          6     0        681     0
>          9     0       1263          4     0        519     0
>         14     0       1836          9     0       1474     0
>          8     0       1045          5     0        786     0
>         14     0       1611          6     0        854     0
>         12     0       1401          7     0       1097     0
>         10     0       1741          5     0        897     0
>
> Hmmmm. Game on. Let's try and capture some of the packets using a copy
> of tcpdump brought over from a non-compromised machine:
>
> bash-2.03# ./tcpdump -i ep0 > snarf.txt
> Apr  4 11:58:12 firewall /kernel: ep0: promiscuous mode enabled
> tcpdump: listening on ep0
> ^C
> 3704 packets received by filter
> 2765 packets dropped by kernel
>
> This worries me. I didn't specify any filtering, and yet we're getting
> lots of packets dropped by the kernel. Can anyone comment on this?
>
> Looking at the contents of snarf.txt we see that......
>
> 11:58:16.312626 bash-2.03# cat snarf.txt | grep 203-79-83-91
> 11:58:12.420976 203-79-83-91.cable.paradise.net.nz.netbios-ns >
> 203.96.144.255.netbios-ns:
> 11:58:12.585980 203-79-83-91.cable.paradise.net.nz.41744 >
> 169.254.255.255.netbios-dgm:
> 11:58:12.586358 203-79-83-91.cable.paradise.net.nz.35599 >
> 169.254.255.255.netbios-ns:
> 11:58:13.062149 203-79-83-91.cable.paradise.net.nz.63085 >
> 172.20.31.255.netbios-ns:
> 11:58:13.107199 203-79-83-91.cable.paradise.net.nz.netbios-dgm >
> 203.96.144.255.netbios-dgm:
> 11:58:13.109694 203-79-83-91.cable.paradise.net.nz.netbios-ns >
> 203.96.144.255.netbios-ns:
> 11:58:13.339495 203-79-83-91.cable.paradise.net.nz.35599 >
> 169.254.255.255.netbios-ns:
> [snip]
>
> We certainly have a shitload of traffic emanating from my machine, and
> it looks like it is concerned with netbios naming??? Maybe this would
> imply it's my windows box that has been compromised and someone is
> running around the network on the private side?
>
> bash-2.03# netstat -I ep1 -w 1
>             input          (ep1)           output
>    packets  errs      bytes    packets  errs      bytes colls
>          0     0          0          0     0          0     0
>          0     0          0          0     0          0     0
>          0     0          0          1     0         42     0
>          0     0          0          0     0          0     0
>          0     0          0          0     0          0     0
>          0     0          0          0     0          0     0
>          0     0          0          0     0          0     0
>          0     0          0          0     0          0     0
>          0     0          0          0     0          0     0
>          0     0          0          0     0          0     0
>          0     0          0          0     0          0     0
>          0     0          0          0     0          0     0
>
> Nope. No traffic apart from what appears to be a TCP keepalive
> closing. The traffic also appears to be concerned with the broadcast
> on three subnets: 203.96.144.0/8, 169.254.0.0/16 and 172.20.31.0/8.
> The 172/24 is an RFC1918 address, and consequently should be
> unreachable. In all likelihood the next hop router is telling me
> exactly this on a regular basis:
>
> su-2.03# ./tcpdump -i ep0 icmp
> tcpdump: listening on ep0
> 11:06:05.752512 fe7-3-2.bertha.paradise.net.nz >
> 203-79-83-91.cable.paradise.net.nz: icmp: host 172.20.31.255
> unreachable
> 11:06:05.753408 203-79-83-91.cable.paradise.net.nz > 172.20.29.125:
> icmp: host 203-79-83-91.cable.paradise.net.nz unreachable
> 11:06:06.883719 fe7-3-2.bertha.paradise.net.nz >
> 203-79-83-91.cable.paradise.net.nz: icmp: host 172.20.31.255
> unreachable
> 11:06:06.884636 203-79-83-91.cable.paradise.net.nz > 172.20.28.108:
> icmp: host 203-79-83-91.cable.paradise.net.nz unreachable
> 11:06:07.444762 203-79-83-91.cable.paradise.net.nz >
> cable.gateway.xtreme.net.nz: icmp: time exceeded in-transit
> 11:06:09.246656 fe7-3-2.bertha.paradise.net.nz >
> 203-79-83-91.cable.paradise.net.nz: icmp: host 172.20.31.255
> unreachable
> 11:06:09.247535 203-79-83-91.cable.paradise.net.nz > 172.20.28.108:
> icmp: host 203-79-83-91.cable.paradise.net.nz unreachable
> 11:06:10.417682 fe7-3-2.bertha.paradise.net.nz >
> 203-79-83-91.cable.paradise.net.nz: icmp: host 172.20.31.255
> unreachable
> 11:06:10.418578 203-79-83-91.cable.paradise.net.nz > 172.20.29.65:
> icmp: host 203-79-83-91.cable.paradise.net.nz unreachable
> 11:06:15.395695 203-79-83-91.cable.paradise.net.nz >
> rachel.paradise.net.nz: icmp: 203-79-83-91.cable.paradise.net.nz udp
> port 1235 unreachable
> 11:06:21.018483 fe7-3-2.bertha.paradise.net.nz >
> 203-79-83-91.cable.paradise.net.nz: icmp: host 172.20.31.255
> unreachable
> 11:06:21.019393 203-79-83-91.cable.paradise.net.nz > 172.20.31.119:
> icmp: host 203-79-83-91.cable.paradise.net.nz unreachable
>
> Yup, unreachable indeed. So what the fuck is going on???? Can anyone
> come up with a plausible reason why I might conclude the box hasn't
> been compromised? Does it look to you like it has just become part of
> a network that's running around cable networks, ADSL etc. looking for
> open SMB shares? Because it appears to be working, if we take the
> 'grep' filter off the tcpdump output from the public interface, we get
> some nasty conclusions (data snarfed from an earlier session):
>
> 10:58:32.134037 203-79-83-110.cable.paradise.net.nz.netbios-ns >
> 203.79.83.255.netbios-ns:
> >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
> TrnID=0x96F8
> OpCode=0
> NmFlags=0x11
> Rcode=0
> QueryCount=1
> AnswerCount=0
> AuthorityCount=0
> AddressRecCount=0
> QuestionRecords:
> Name=ADMIN NameType=0x1C (Unknown)
> QuestionType=0x20
> QuestionClass=0x1
>
> (ttl 128, id 62373)
> 10:58:32.160026 203-79-83-70.cable.paradise.net.nz.netbios-ns >
> 203.79.83.255.netbios-ns:
> >>> NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
> TrnID=0x12
> OpCode=5
> NmFlags=0x11
> Rcode=0
> QueryCount=1
> AnswerCount=0
> AuthorityCount=0
> AddressRecCount=1
> QuestionRecords:
> Name=COMS01 NameType=0x1E (Browser Server)
> QuestionType=0x20
> QuestionClass=0x1
>
> ResourceRecords:
> Name=COMS01 NameType=0x1E (Browser Server)
> ResType=0x20
> ResClass=0x0
> TTL=407543597 (0x184a9f2d)
> ResourceLength=8123
> ResourceData=
> [000] 02 00 3C 00 00 00 ..<...
>
> (ttl 128, id 9216)
> 10:58:32.178975 arp who-has fe7-3-2.bertha.paradise.net.nz tell
> 203-79-92-90.cable.paradise.net.nz
> 10:58:32.211216 202-0-33-223.cable.paradise.net.nz.netbios-ns >
> 202.0.33.255.netbios-ns:
> >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
> TrnID=0x800F
> OpCode=0
> NmFlags=0x11
> Rcode=0
> QueryCount=1
> AnswerCount=0
> AuthorityCount=0
> AddressRecCount=0
> QuestionRecords:
> Name=MYPLACE NameType=0x1C (Unknown)
> QuestionType=0x20
> QuestionClass=0x1
>
> (ttl 128, id 22)
> 10:58:32.212149 203-79-83-91.cable.paradise.net.nz.62262 >
> 202.0.33.255.netbios-ns:
> >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
> TrnID=0x800F
> OpCode=0
> NmFlags=0x11
> Rcode=0
> QueryCount=1
> AnswerCount=0
> AuthorityCount=0
> AddressRecCount=0
> QuestionRecords:
> Name=MYPLACE NameType=0x1C (Unknown)
> QuestionType=0x20
> QuestionClass=0x1
>
> (ttl 127, id 22)
> 10:58:32.237432 0:1:42:e3:2d:1 > 1:80:c2:0:0:0 802.1d ui/C
> >>> Unknown IPX Data: (47 bytes)
> [000] 00 00 00 00 00 80 00 00 01 42 E3 2D 0C 00 00 00 ........
> .B.-....
> [010] 00 80 00 00 01 42 E3 2D 0C 80 0D 00 00 14 00 02 .....B.-
> ........
> [020] 00 0F 00 00 00 00 00 00 00 00 00 78 00 0C 00 ........
> ...x...
> len=47
> 0000 0000 0080 0000 0142 e32d 0c00 0000
> 0080 0000 0142 e32d 0c80 0d00 0014 0002
> 000f 0000 0000 0000 0000 0078 000c 00
> 10:58:32.538824 arp who-has 202-0-33-124.cable.paradise.net.nz tell
> fe7-3-5.bertha.paradise.net.nz
> 10:58:32.544176 snap 8:0:7:80:9b et1 65283.42.254 > 0.nis: nbp-lkup 6:
> "Room 6 Mac:At Ease@*"
> 10:58:32.551474 203-79-83-91.cable.paradise.net.nz.nim >
> rachel.paradise.net.nz.domain: 7912+ PTR?
> 190.144.96.203.in-addr.arpa. (45) (ttl 64, id 2012)
> 10:58:32.608610 rachel.paradise.net.nz.domain >
> 203-79-83-91.cable.paradise.net.nz.nim: 7912* 1/2/2
> 190.144.96.203.in-addr.arpa. (169) (ttl 63, id 61018)
> 10:58:32.615171 203-79-83-91.cable.paradise.net.nz.nimreg >
> rachel.paradise.net.nz.domain: 7913+ PTR? 91.83.79.203.in-addr.arpa.
> (43) (ttl 64, id 2014)
> 10:58:32.645253 rachel.paradise.net.nz.domain >
> 203-79-83-91.cable.paradise.net.nz.nimreg: 7913* 1/2/2
> 91.83.79.203.in-addr.arpa. (165) (ttl 63, id 61025)
> 10:58:32.650325 203-79-83-91.cable.paradise.net.nz.1060 >
> rachel.paradise.net.nz.domain: 7914+ PTR? 52.22.20.172.in-addr.arpa.
> (43) (ttl 64, id 2015)
> 10:58:32.666364 210.48.16.5.netbios-ns > 210.48.16.255.netbios-ns:
> >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
> TrnID=0x812
> OpCode=0
> NmFlags=0x11
> Rcode=0
> QueryCount=1
> AnswerCount=0
> AuthorityCount=0
> AddressRecCount=0
> QuestionRecords:
> Name=WORKGROUP NameType=0x1B (Domain Controller)
> QuestionType=0x20
> QuestionClass=0x1
>
> (ttl 128, id 21776)
> 10:58:32.667406 203-79-83-91.cable.paradise.net.nz.netbios-ns >
> 210.48.16.255.netbios-ns:
> >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
> TrnID=0x812
> OpCode=0
> NmFlags=0x11
> Rcode=0
> QueryCount=1
> AnswerCount=0
> AuthorityCount=0
> AddressRecCount=0
> QuestionRecords:
> Name=WORKGROUP NameType=0x1B (Domain Controller)
> QuestionType=0x20
> QuestionClass=0x1
>
> (ttl 127, id 21776)
> 10:58:32.760418 172.20.22.52.netbios-ns > 172.20.31.255.netbios-ns:
> >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
> TrnID=0x888E
> OpCode=0
> NmFlags=0x11
> Rcode=0
> QueryCount=1
> AnswerCount=0
> AuthorityCount=0
> AddressRecCount=0
> QuestionRecords:
> Name=ASIA_NEWZEALAND NameType=0x00 (Workstation)
> QuestionType=0x20
> QuestionClass=0x1
>
> (ttl 128, id 26756)
> 10:58:32.761488 203-79-83-91.cable.paradise.net.nz.42605 >
> 172.20.31.255.netbios-ns:
> >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
> TrnID=0x888E
> OpCode=0
> NmFlags=0x11
> Rcode=0
> QueryCount=1
> AnswerCount=0
> AuthorityCount=0
> AddressRecCount=0
> QuestionRecords:
> Name=ASIA_NEWZEALAND NameType=0x00 (Workstation)
> QuestionType=0x20
> QuestionClass=0x1
>
> (ttl 127, id 26756)
> 10:58:32.773345 192.168.0.1.1015 > 255.255.255.255.1015: udp 148 (ttl
> 128, id 64705)
> 10:58:32.775521 192.168.0.1.1015 > 255.255.255.255.1015: udp 148 (ttl
> 128, id 64961)
> 10:58:32.938233 202-0-33-223.cable.paradise.net.nz.netbios-ns >
> 202.0.33.255.netbios-ns:
> >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
> TrnID=0x800F
> OpCode=0
> NmFlags=0x11
> Rcode=0
> QueryCount=1
> AnswerCount=0
> AuthorityCount=0
> AddressRecCount=0
> QuestionRecords:
> Name=MYPLACE NameType=0x1C (Unknown)
> QuestionType=0x20
> QuestionClass=0x1
>
> (ttl 128, id 23)
> 10:58:32.939209 203-79-83-91.cable.paradise.net.nz.62262 >
> 202.0.33.255.netbios-ns:
> >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
> TrnID=0x800F
> OpCode=0
> NmFlags=0x11
> Rcode=0
> QueryCount=1
> AnswerCount=0
> AuthorityCount=0
> AddressRecCount=0
> QuestionRecords:
> Name=MYPLACE NameType=0x1C (Unknown)
> QuestionType=0x20
> QuestionClass=0x1
>
> (ttl 127, id 23)
> ^C10:58:33.021341
> 802 packets received by filter
> 51 packets dropped by kernel
> su-2.03# ./tcpdump -i ep0
> tcpdump: listening on ep0
> 10:59:28.909636 10.1.10.20.iad1 > 229.55.150.208.1345: udp 150 [ttl
> 1]
> 10:59:29.012908 arp who-has 202-0-33-20.cable.paradise.net.nz tell
> fe7-3-5.bertha.paradise.net.nz
> 10:59:29.123744 202-0-35-80.cable.paradise.net.nz.netbios-dgm >
> 202.0.35.255.netbios-dgm:
> >>> NBT UDP PACKET(138) Res=0x1102 ID=0x572 IP=202 (0xca).0 (0x0).35
> (0x23).80 (0x50) Port=138 (0x8a) Length=160 (0xa0) Res2=0x0
> SourceName=JOY NameType=0x20 (Server)
> DestName=HO NameType=0x00 (Workstation)
>
> SMB PACKET: SMBunknown (REQUEST)
>
> 10:59:29.125059 203-79-83-91.cable.paradise.net.nz.netbios-dgm >
> 202.0.35.255.netbios-dgm:
> >>> NBT UDP PACKET(138) Res=0x1102 ID=0x572 IP=203 (0xcb).79 (0x4f).83
> (0x53).91 (0x5b) Port=138 (0x8a) Length=160 (0xa0) Res2=0x0
> SourceName=JOY NameType=0x20 (Server)
> DestName=HO NameType=0x00 (Workstation)
>
> SMB PACKET: SMBmkdir (REPLY)
>
> 10:59:29.417119 gatekeeper.ffei.co.uk.851 >
> 203-96-144-245.cable.paradise.net.nz.domain: 794 ANY?
> cpi.group.co.nz. (33) (DF)
> 10:59:29.417324 gatekeeper.ffei.co.uk.851 >
> 203-96-144-245.cable.paradise.net.nz.domain: 8250 ANY?
> cpi.group.co.nz. (33) (DF)
> 10:59:29.539150 203-79-83-70.cable.paradise.net.nz.netbios-dgm >
> 203.79.83.255.netbios-dgm:
> >>> NBT UDP PACKET(138) Res=0x1102 ID=0x20 IP=203 (0xcb).79 (0x4f).83
> (0x53).70 (0x46) Port=138 (0x8a) Length=163 (0xa3) Res2=0x0
> SourceName=COMPAQ NameType=0x20 (Server)
> DestName=CO NameType=0x00 (Workstation)
>
> SMB PACKET: SMBopen (REQUEST)
>
> 10:59:29.611417 202-0-33-223.cable.paradise.net.nz.netbios-dgm >
> 202.0.33.255.netbios-dgm:
> >>> NBT UDP PACKET(138) Res=0x1102 ID=0x8056 IP=202 (0xca).0 (0x0).33
> (0x21).223 (0xdf) Port=138 (0x8a) Length=187 (0xbb) Res2=0x0
> SourceName=PIII-866 NameType=0x20 (Server)
> DestName=MY NameType=0x00 (Workstation)
>
> SMB PACKET: SMBunknown (REQUEST)
>
> 10:59:29.612527 203-79-83-91.cable.paradise.net.nz.netbios-dgm >
> 202.0.33.255.netbios-dgm:
> >>> NBT UDP PACKET(138) Res=0x1102 ID=0x8056 IP=203 (0xcb).79 (0x4f).83
> (0x53).91 (0x5b) Port=138 (0x8a) Length=187 (0xbb) Res2=0x0
> SourceName=PIII-866 NameType=0x20 (Server)
> DestName=MY NameType=0x00 (Workstation)
>
> SMB PACKET: SMBopen (REQUEST)
>
> 10:59:29.617949 202-0-33-223.cable.paradise.net.nz.netbios-dgm >
> 202.0.33.255.netbios-dgm:
> >>> NBT UDP PACKET(138) Res=0x1102 ID=0x8059 IP=202 (0xca).0 (0x0).33
> (0x21).223 (0xdf) Port=138 (0x8a) Length=187 (0xbb) Res2=0x0
> SourceName=PIII-866 NameType=0x20 (Server)
> DestName=MY NameType=0x00 (Workstation)
>
> SMB PACKET: SMBunknown (REQUEST)
>
> 10:59:29.618898 203-79-83-91.cable.paradise.net.nz.netbios-dgm >
> 202.0.33.255.netbios-dgm:
> >>> NBT UDP PACKET(138) Res=0x1102 ID=0x8059 IP=203 (0xcb).79 (0x4f).83
> (0x53).91 (0x5b) Port=138 (0x8a) Length=187 (0xbb) Res2=0x0
> SourceName=PIII-866 NameType=0x20 (Server)
> DestName=MY NameType=0x00 (Workstation)
>
> SMB PACKET: SMBopen (REQUEST)
>
> 10:59:29.636510 202-0-33-223.cable.paradise.net.nz.netbios-dgm >
> 202.0.33.255.netbios-dgm:
> >>> NBT UDP PACKET(138) Res=0x1102 ID=0x805C IP=202 (0xca).0 (0x0).33
> (0x21).223 (0xdf) Port=138 (0x8a) Length=187 (0xbb) Res2=0x0
> SourceName=PIII-866 NameType=0x20 (Server)
> DestName=MY NameType=0x00 (Workstation)
>
> SMB PACKET: SMBmkdir (REQUEST)
>
> 10:59:29.637506 203-79-83-91.cable.paradise.net.nz.netbios-dgm >
> 202.0.33.255.netbios-dgm:
> >>> NBT UDP PACKET(138) Res=0x1102 ID=0x805C IP=203 (0xcb).79 (0x4f).83
> (0x53).91 (0x5b) Port=138 (0x8a) Length=187 (0xbb) Res2=0x0
> SourceName=PIII-866 NameType=0x20 (Server)
> DestName=MY NameType=0x00 (Workstation)
>
> SMB PACKET: SMBmkdir (REQUEST)
>
> ......Windows machines taking it up the arse (not that I can talk)?
> Who has "PIII-866" on the 202.0.33.0/16 subnet? I'm a bit concerned by
> the "SMBopen, SMBunknown, SMBopen,
> SMBunknown,SMBopen,SMBmkdir,SMBmkdir" sequence since it gives the
> appearance of a script trying some common usernames and passwords then
> finally getting in.
>
> I've cc'd this to paradise support and some freebsd mailing lists. If
> anyone wants to further discuss this I'd be more than happy. I shan't
> blow away the box for a little while in case some network security
> types want to wander round in it and have a look at what's going on.
> Like the subject says, there's a storm brewing on the cable modem
> network.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
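In the quoted capture, every NetBIOS packet sourced from 203-79-83-91 is a copy of one received moments earlier from another cable host: same destination broadcast address, same IP id, same TrnID, and a TTL one lower (ttl 128, id 22 followed by ttl 127, id 22). That is what a forwarded packet looks like, as opposed to traffic the host generated itself, so the first check worth making before concluding the box is originating the traffic is to pair those packets up. The script below is an added example, not code from the thread; the function names are mine, and the sample is constructed from (and abridged to) the post's own tcpdump lines.

```python
import re

# Constructed sample in the post's tcpdump format (abridged from its capture;
# the last line is an ordinary local DNS lookup that must not be flagged).
SAMPLE = """\
10:58:32.211216 202-0-33-223.cable.paradise.net.nz.netbios-ns > 202.0.33.255.netbios-ns:
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0x800F
(ttl 128, id 22)
10:58:32.212149 203-79-83-91.cable.paradise.net.nz.62262 > 202.0.33.255.netbios-ns:
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0x800F
(ttl 127, id 22)
10:58:32.551474 203-79-83-91.cable.paradise.net.nz.nim > rachel.paradise.net.nz.domain: 7912+ PTR? 190.144.96.203.in-addr.arpa. (45) (ttl 64, id 2012)
"""

HDR = re.compile(r"^\d\d:\d\d:\d\d\.\d+ (?:(\S+) > (\S+?):)?")  # timestamp, optional "src > dst:"
META = re.compile(r"\(ttl (\d+), id (\d+)\)")
TRN = re.compile(r"TrnID=(0x[0-9A-Fa-f]+)")

def parse_packets(text):
    """One dict per timestamp line: src, dst, IP ttl/id and the NBT TrnID if decoded."""
    pkts = []
    for line in text.splitlines():
        m = HDR.match(line)
        if m:   # a new packet starts; non-IP lines (arp etc.) get empty src/dst
            pkts.append({"src": m.group(1) or "", "dst": m.group(2) or "", "text": ""})
        if pkts:   # every other line belongs to the packet that started last
            pkts[-1]["text"] += line + "\n"
    for p in pkts:   # decode the per-packet fields once the lines are grouped
        m, t = META.search(p["text"]), TRN.search(p["text"])
        p["ttl"], p["id"] = (int(m.group(1)), int(m.group(2))) if m else (None, None)
        p["trn"] = t.group(1) if t else None
    return pkts

def host(addr):
    """Drop the trailing port/service name tcpdump appends to an address."""
    return addr.rsplit(".", 1)[0]

def forwarded_repeats(pkts, me, window=5):
    """Pair each packet sent by `me` with one seen shortly before from another
    host with the same dst, IP id and TrnID and a TTL one higher: the mark of a
    router passing on someone else's packet, not of traffic `me` generated."""
    hits = []
    for i, p in enumerate(pkts):
        if not p["src"] or host(p["src"]) != me or p["id"] is None:
            continue
        for q in pkts[max(0, i - window):i]:
            if (q["src"] and host(q["src"]) != me and q["dst"] == p["dst"]
                    and q["id"] == p["id"] and q["trn"] == p["trn"]
                    and q["ttl"] == p["ttl"] + 1):
                hits.append((q, p))
                break
    return hits
```

Run it over the full snarf.txt with `me` set to the box's own hostname; a high ratio of paired packets to own-origin packets points at forwarding rather than at a process on the box, and the unpaired remainder is the part worth examining by hand.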