From owner-freebsd-security Mon Oct 12 16:04:13 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA05116 for freebsd-security-outgoing; Mon, 12 Oct 1998 16:04:13 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from icarus.reshall.berkeley.edu (icarus.Reshall.Berkeley.EDU [169.229.87.90]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA05106 for ; Mon, 12 Oct 1998 16:04:04 -0700 (PDT) (envelope-from leonardc9@usa.net)
Received: from [10.0.0.2] (power.leonard.com [10.0.0.2]) by icarus.reshall.berkeley.edu (8.8.8/8.8.8) with ESMTP id QAA09448 for ; Mon, 12 Oct 1998 16:14:02 -0700 (PDT) (envelope-from leonardc9@usa.net)
Mime-Version: 1.0
X-Sender: leonardc@uclink4.berkeley.edu
Message-Id:
X-mailer: Eudora Pro 4.0.1 Macintosh
Date: Mon, 12 Oct 1998 16:09:59 -0700
To: security@FreeBSD.ORG
From: "Leonard C."
Subject: URGENT! Need help determining scope of attack...
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

When I checked my system's daily report today, I found this:

> pid 7081 (telnet), uid 0: exited on signal 3 (core dumped)
> Connection attempt to UDP 169.229.87.xx:31337 from 169.229.93.66:1335
> Connection attempt to UDP 169.229.87.xx:31337 from 169.229.93.66:1335
> Connection attempt to UDP 169.229.87.xx:31337 from 169.229.93.66:1335
> Connection attempt to UDP 169.229.87.xx:31337 from 169.229.84.53:1896

With the core dump and then the attempted connections to port 31337, I'm suspecting that this is a script kiddy. What worries me is I'm unsure of the scope of the attack. In the logs, right after the attack, there was an su to root, but no new accounts have been added, nor any new uid 0 accounts. There are also no new setuid programs either. Netstat also doesn't report anything listening on any new ports. Right now, I've disabled all services except for ssh, but I'm not too sure what the next steps to take are.
Also, I noticed that the attacks came from two separate IPs. Everybody here on the internal network has to use a gateway in order to reach the outside network with a netmask of 255.255.255.0 (so, for me, it's 169.229.87.1). This gateway logs everybody's MAC address before activating the port, and partitions it if a different MAC address is later used. Can I be fairly certain then that the IPs that the attacks came from are the correct ones? What are the next steps from here? Is there anything I can do to prevent something like this from happening next time?

Also, the core dump was from telnet and I haven't heard of any new exploits on that. Any ideas on what exactly happened?

I know this is a lot of questions to throw at you, but I'm not really sure what to do next.

Thanks in advance for all of your help,
Leonard

****************************

Note: The errors on the ed1 ethernet card are normal. I've tried to fudge with the IRQs, to no avail, but I keep getting these messages. Other than errors, I've had no problems though. The power.leonard.com is a computer on my internal network (10.0.0.0), so errors from qpopper on that are mainly just me playing around with it.
/var/log/messages:

Oct 10 03:51:22 icarus /kernel: Connection attempt to UDP 169.229.87.90:31337 from 169.229.84.53:3039
Oct 10 04:27:03 icarus /kernel: ed1: NIC memory corrupt - invalid packet length 2297
Oct 10 04:39:10 icarus /kernel: ed1: device timeout
Oct 10 11:02:04 icarus /kernel: Connection attempt to UDP 169.229.87.90:31337 from 169.229.84.53:3649
Oct 10 12:58:18 icarus afpd[5988]: afp_die: asp_shutdown: Operation timed out
Oct 10 18:56:05 icarus /kernel: Connection attempt to UDP 169.229.87.90:31337 from 169.229.84.53:4035
Oct 10 21:59:48 icarus afpd[6475]: afp_die: asp_shutdown: Operation timed out
Oct 11 00:42:40 icarus /kernel: Connection attempt to UDP 169.229.87.90:31337 from 169.229.84.53:1034
Oct 11 02:28:34 icarus su: leonard to root on /dev/ttyp0
Oct 11 02:45:58 icarus su: leonard to root on /dev/ttyp0
Oct 11 02:49:40 icarus syslogd: exiting on signal 15
Oct 11 02:51:13 icarus popper[7002]: @localhost.Berkeley.EDU: -ERR Unknown command: "quyit".
Oct 11 03:00:37 icarus syslogd: exiting on signal 15
Oct 11 03:01:43 icarus /kernel: pid 7081 (telnet), uid 0: exited on signal 3 (core dumped)
Oct 11 03:02:28 icarus popper[7090]: @localhost.Berkeley.EDU: -ERR Command "a;jfas;ldjfsdl;kjfsdl;akfjaslkd;f" (truncated) exceedes maximum permitted size.
Oct 11 03:45:39 icarus popper[7152]: @power.leonard.com: -ERR Unknown command: "get".
Oct 11 03:45:39 icarus popper[7152]: @power.leonard.com: -ERR Unknown command: "host:".
Oct 11 03:45:39 icarus popper[7152]: @power.leonard.com: -ERR Too many arguments supplied.
Oct 11 03:45:40 icarus popper[7152]: @power.leonard.com: -ERR Unknown command: "accept-language:".
Oct 11 03:45:40 icarus popper[7152]: @power.leonard.com: -ERR Unknown command: "connection:".
Oct 11 03:45:40 icarus popper[7152]: @power.leonard.com: -ERR Too many arguments supplied.
Oct 11 03:45:40 icarus popper[7152]: @power.leonard.com: -ERR Unknown command: "ua-os:".
Oct 11 03:45:40 icarus popper[7152]: @power.leonard.com: -ERR Unknown command: "ua-cpu:".
Oct 11 03:45:40 icarus popper[7152]: @power.leonard.com: -ERR Unknown command: "extension:".
Oct 11 03:45:48 icarus popper[7152]: @power.leonard.com: -ERR POP EOF received
Oct 11 03:56:45 icarus su: leonard to root on /dev/ttyp0
Oct 11 09:18:04 icarus /kernel: Connection attempt to UDP 169.229.87.90:31337 from 169.229.93.66:1335
Oct 11 10:49:14 icarus /kernel: Connection attempt to UDP 169.229.87.90:31337 from 169.229.93.66:1335
Oct 11 11:20:32 icarus /kernel: Connection attempt to UDP 169.229.87.90:31337 from 169.229.93.66:1335
Oct 11 15:57:49 icarus /kernel: Connection attempt to UDP 169.229.87.90:31337 from 169.229.84.53:1896
Oct 11 20:05:48 icarus afpd[8149]: afp_die: asp_shutdown: Operation timed out
Oct 11 21:14:00 icarus /kernel: ed1: NIC memory corrupt - invalid packet length 2301
Oct 11 21:14:12 icarus /kernel: ed1: NIC memory corrupt - invalid packet length 2203
Oct 11 21:14:41 icarus /kernel: ed1: NIC memory corrupt - invalid packet length 2179
Oct 11 22:32:58 icarus arpwatch: 0:40:5:68:1:7a sent bad hardware format 0xe
Oct 12 00:13:59 icarus /kernel: ed1: NIC memory corrupt - invalid packet length 6016
Oct 12 00:38:38 icarus afpd[202]: atp_sreq: Network is unreachable
Oct 12 00:38:59 icarus /kernel: ed1: device timeout
Oct 12 00:39:08 icarus afpd[202]: atp_sreq: Network is unreachable
Oct 12 00:39:55 icarus /kernel: ed1: NIC memory corrupt - invalid packet length 2122
Oct 12 00:40:23 icarus /kernel: ed1: NIC memory corrupt - invalid packet length 2342
Oct 12 00:43:51 icarus /kernel: ed1: NIC memory corrupt - invalid packet length 2062
Oct 12 00:44:10 icarus /kernel: ed1: NIC memory corrupt - invalid packet length 2128
Oct 12 00:45:38 icarus /kernel: Connection attempt to UDP 169.229.87.90:31337 from 169.229.84.53:3744
Oct 12 00:48:38 icarus /kernel: ed1: NIC memory corrupt - invalid packet length 2157
Oct 12 00:48:46 icarus /kernel: ed1: NIC memory corrupt - invalid packet length 2168
Oct 12 00:50:45 icarus /kernel: ed1: NIC memory corrupt - invalid packet length 2192
Oct 12 01:13:35 icarus /kernel: ed1: NIC memory corrupt - invalid packet length 2066
Oct 12 07:50:58 icarus /kernel: Connection attempt to UDP 169.229.87.90:31337 from 169.229.84.53:4216
Oct 12 10:08:51 icarus arpwatch: 0:e0:29:18:58:52 sent bad hardware format 0x800f

****************************

Daily security check output:

checking setuid files and devices:

checking for uids of 0:
root 0
toor 0

icarus kernel log messages:
> 2:2082
> pid 7081 (telnet), uid 0: exited on signal 3 (core dumped)
> Connection attempt to UDP 169.229.87.90:31337 from 169.229.93.66:1335
> Connection attempt to UDP 169.229.87.90:31337 from 169.229.93.66:1335
> Connection attempt to UDP 169.229.87.90:31337 from 169.229.93.66:1335
> Connection attempt to UDP 169.229.87.90:31337 from 169.229.84.53:1896
> ed1: NIC memory corrupt - invalid packet length 2301
> ed1: NIC memory corrupt - invalid packet length 2203
> ed1: NIC memory corrupt - invalid packet length 2179
> ed1: NIC memory corrupt - invalid packet length 6016
> ed1: device timeout
> ed1: NIC memory corrupt - invalid packet length 2122
> ed1: NIC memory corrupt - invalid packet length 2342
> ed1: NIC memory corrupt - invalid packet length 2062
> ed1: NIC memory corrupt - invalid packet length 2128
> Connection attempt to UDP 169.229.87.90:31337 from 169.229.84.53:3744
> ed1: NIC memory corrupt - invalid packet length 2157
> ed1: NIC memory corrupt - invalid packet length 2168
> ed1: NIC memory corrupt - invalid packet length 2192
> ed1: NIC memory corrupt - invalid packet length 2066

icarus login failures:

icarus refused connections:

- --
Support the Blue Ribbon Campaign for free speech online
()  http://www.eff.org/blueribbon.html
/\  "Those who will not reason perish in the act.
     Those who will not act, perish for that reason." - W. H. Auden

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.0 for non-commercial use

iQA/AwUBNiKMUOAvLUJUxjQXEQLN2QCgwR0ANRboI2jvyXMoMUvvbW8KO2IAn2w+
x6wRo16IjELRC9zoa7F6du35
=lqn5
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
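The post's scope question ("which hosts, when, and did a privilege change follow?") is the kind of thing best answered from the log itself rather than by eye. The following triage helper is an added example, not code from the original post or from FreeBSD: it parses syslog lines of the form shown above, counts the kernel's "Connection attempt to UDP ...:31337" notices per source address, and for every uid 0 core dump lists the su-to-root records that follow it inside a chosen window. It also reports the times syslogd exited, since in the excerpt those sit close to the other events and a logger restart is something to account for when reading the timeline. The sample input is a subset of lines taken from the post's /var/log/messages excerpt; the year 1998 is assumed because syslog timestamps carry none, and the 60-minute window is an arbitrary triage choice.

```python
"""Triage helper for a BSD /var/log/messages excerpt (added example).

Event classes extracted:
  conn          kernel "Connection attempt to <proto> <dst>:<dport> from <src>:<sport>"
  su            "su: <user> to <target> on <tty>"
  core          "pid N (prog), uid U: exited on signal S (core dumped)"
  syslogd_stop  "syslogd: exiting on signal ..."
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Sample input: a subset of lines taken from the post's /var/log/messages excerpt.
SAMPLE_LOG = """\
Oct 11 00:42:40 icarus /kernel: Connection attempt to UDP 169.229.87.90:31337 from 169.229.84.53:1034
Oct 11 02:28:34 icarus su: leonard to root on /dev/ttyp0
Oct 11 02:45:58 icarus su: leonard to root on /dev/ttyp0
Oct 11 02:49:40 icarus syslogd: exiting on signal 15
Oct 11 03:01:43 icarus /kernel: pid 7081 (telnet), uid 0: exited on signal 3 (core dumped)
Oct 11 03:56:45 icarus su: leonard to root on /dev/ttyp0
Oct 11 09:18:04 icarus /kernel: Connection attempt to UDP 169.229.87.90:31337 from 169.229.93.66:1335
Oct 11 10:49:14 icarus /kernel: Connection attempt to UDP 169.229.87.90:31337 from 169.229.93.66:1335
Oct 11 15:57:49 icarus /kernel: Connection attempt to UDP 169.229.87.90:31337 from 169.229.84.53:1896
Oct 12 00:45:38 icarus /kernel: Connection attempt to UDP 169.229.87.90:31337 from 169.229.84.53:3744
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host message"
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
CONN_RE = re.compile(r"Connection attempt to (?P<proto>TCP|UDP) (?P<dst>[\d.]+):(?P<dport>\d+) "
                     r"from (?P<src>[\d.]+):(?P<sport>\d+)")
SU_RE = re.compile(r"su: (?P<user>\S+) to (?P<target>\S+) on (?P<tty>\S+)")
CORE_RE = re.compile(r"pid (?P<pid>\d+) \((?P<prog>[^)]+)\), uid (?P<uid>\d+): "
                     r"exited on signal (?P<sig>\d+) \(core dumped\)")
SYSLOGD_RE = re.compile(r"syslogd: exiting on signal")


def parse_ts(ts, year=1998):
    """Syslog timestamps carry no year; the caller supplies one (1998 assumed here)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def parse_events(text, year=1998):
    """Return a time-ordered list of (datetime, kind, details) for the lines we care about."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not a syslog line (blank, wrapped fragment, ...)
        when, msg = parse_ts(m["ts"], year), m["msg"]
        if (c := CONN_RE.search(msg)):
            events.append((when, "conn", c.groupdict()))
        elif (s := SU_RE.search(msg)):
            events.append((when, "su", s.groupdict()))
        elif (d := CORE_RE.search(msg)):
            events.append((when, "core", d.groupdict()))
        elif SYSLOGD_RE.search(msg):
            events.append((when, "syslogd_stop", {}))
    events.sort(key=lambda e: e[0])
    return events


def probes_by_source(events, port="31337"):
    """Count connection attempts to `port` per source address."""
    counts = Counter(d["src"] for _, kind, d in events
                     if kind == "conn" and d["dport"] == port)
    return dict(counts)


def root_su_after(events, kind="core", window_minutes=60):
    """For each event of `kind`, list the su-to-root timestamps within the following window."""
    hits = []
    for when, k, d in events:
        if k != kind:
            continue
        horizon = when + timedelta(minutes=window_minutes)
        later = [t for t, kk, dd in events
                 if kk == "su" and dd["target"] == "root" and when <= t <= horizon]
        hits.append((when, d, later))
    return hits


def syslogd_stops(events):
    """Times at which syslogd reported exiting; gaps after these deserve a second look."""
    return [t for t, kind, _ in events if kind == "syslogd_stop"]


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    print("probes to 31337 per source:", probes_by_source(ev))
    for when, d, later in root_su_after(ev):
        print(f"core dump of {d['prog']} (uid {d['uid']}) at {when:%b %d %H:%M:%S}; "
              f"su to root within 60 min: {[f'{t:%H:%M:%S}' for t in later]}")
    print("syslogd exits:", [f"{t:%b %d %H:%M:%S}" for t in syslogd_stops(ev)])
```

Run against the full excerpt, the per-source counts answer the "two separate IPs" question directly, and the core-dump correlation shows whether an su to root landed inside the window after the crash, which is the ordering the post is uneasy about.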