From owner-freebsd-security Tue May 1 22:23:25 2001
Delivered-To: freebsd-security@freebsd.org
Received: from cotdazr.org (cotdazr.org [209.239.229.90]) by hub.freebsd.org (Postfix) with SMTP id CD00637B422 for ; Tue, 1 May 2001 22:23:18 -0700 (PDT) (envelope-from efb@cotdazr.org)
Received: (qmail 14372 invoked by uid 1001); 2 May 2001 05:23:17 -0000
Date: Tue, 1 May 2001 22:23:17 -0700
From: Everett F Batey
To: security@freebsd.org
Cc: efb-all@cotdazr.org
Subject: Re: [GorrellCD@phdnswc.navy.mil: ]
Message-ID: <20010501222316.B14264@cotdazr.org>
Reply-To: efb-all@vhwy.com
References: <20010501220704.A14264@cotdazr.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.5i
In-Reply-To: <20010501220704.A14264@cotdazr.org>; from Everett F Batey on Tue, May 01, 2001 at 10:07:04PM -0700
X-Operating-System: gcpacix.cotdazr.org FreeBSD
X-Tele: +1 805 985.3146 / 805 340.6471 Pg 888 522-VHWY
X-URL: http://www.cotdazr.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Dear FreeBSD Security Guru,

I need some guidance. My employer, with which I have had problems over the past 5 years, has suggested I (or my IP) am (/is) trying to attack his IP space on UDP 111, and sent me the below attached log file. I am running a pretty sanitized version of FreeBSD 2.2.8, at my home, with many patches. Hope soon to be able to go 4.X but can NOT now.

I am concerned about several possibilities: (1) I could have been root-kitted, (2) someone could be spoofing my primary address, or (3) I am getting some fully B/s stories about what is showing up at the far end on their firewall. I do not know of anything that I do which would cause my FBsd to poke at port 111 on the supposed system at the far end (per attachment). That IP IS a computer running Solaris on which I have done work, INSIDE the semi-firewalled 137.24/16.
The admin of that system advises me there are port 111 assaults on his firewall from me, from Navy NCIS, 199-something, and from oxnardsd.org, where I used to do volunteer work some years ago. I would appreciate it if you could help me assess those possibilities.

For item (1), I understand a rootkit involves replacing some or all of ls, ps, netstat, ifconfig, md5. AT THIS time MD5 reports the following:

gcpacix:~{138} foreach i ( ls ps netstat md5 ifconfig )
foreach? md5 `which $i`
foreach? end
MD5 (/bin/ls) = b09da2ac24e0597ee5437a106a9973b0
MD5 (/bin/ps) = 606cf612681a75162100d6ddcfec3a70
MD5 (/usr/bin/netstat) = 0613ecb7d018d0b058396562b2abf065
MD5 (/sbin/md5) = e38c532609c44bb01ad627952d495cf0
MD5 (/sbin/ifconfig) = d87d850c07066ba90ac9e7340c425619

Are any of these values possibly correct for FreeBSD 2.2.8? Can you point me at where I can download replacements of ls, ps, netstat, md5, ifconfig to retest that I have not been root-kitted?

For item (2), can you tell me if you have seen many reports of anyone attacking port 111 with a spoofed IP source address?

Appreciate any help or guidance you can offer me.

/Everett Batey/ 800 545-6998
-- 
+ http://www.vhwy.com efb@vhwy.com WA6CRE@arrl.net http://www.cotdazr.org +
+ PocketNet Mail to efbatey@mobile.att.net / Cell/VoiceMail 805 340-6471 +
+ Unix BSD, Sun, HP SCO Linux Security Cisco Routing DataFellows QMail DNS +

> Received: from MAINS2.PHDNSWC.NAVY.MIL (root@mains2.phdnswc.navy.mil [137.24.144.30])
> Subject:
> Date: Tue, 1 May 2001 13:34:32 -0700
>
> Ev,
>
> Please call me regarding the traffic below. 8-0701
>
> CG...
>
> May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65422 UDP
> May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65423 UDP
> May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65424 UDP
> May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65425 UDP
> May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65426 UDP
> May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65427 UDP
> May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65428 UDP
> May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65429 UDP
> May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65430 UDP
> May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65431 UDP
> May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65432 UDP
> May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65433 UDP
> May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65434 UDP
> May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65435 UDP
> May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65436 UDP
> May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65437 UDP
> May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65438 UDP
> May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65439 UDP
> May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65440 UDP
> May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65441 UDP
> May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65442 UDP
> May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65443 UDP
> May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65444 UDP
> May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65445 UDP
> May 1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34004 UDP
> May 1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34005 UDP
> May 1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34006 UDP
> May 1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34007 UDP
> May 1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34008 UDP
> May 1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34009 UDP
> May 1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34010 UDP
> May 1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34011 UDP
> May 1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34012 UDP
> May 1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34013 UDP
> May 1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34014 UDP
> May 1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34015 UDP
> May 1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34016 UDP
> May 1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34017 UDP
> May 1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34018 UDP
> May 1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34019 UDP
> May 1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34020 UDP
> May 1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34021 UDP
> May 1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34022 UDP
> May 1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34023 UDP
> May 1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34024 UDP
> May 1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34025 UDP
> May 1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34026 UDP
> May 1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34027 UDP
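For item (1) in the message above, the check a practitioner would actually run, as an added example that is not part of the original message or of FreeBSD: hash the suspect binaries and compare them against a manifest of sums produced from trusted media (the 2.2.8 install media or a freshly built world of the same patch level), rather than asking whether a bare list of sums looks right. The manifest format is the one md5(1) prints and the message shows; the file contents, paths and tampering in demo() are constructed for the test. Caveat: running md5 on the suspect host trusts that host's md5 binary, libc and kernel, so take the sums with a tool booted from clean media, or at least with a statically linked copy brought in from elsewhere, and point the check at the suspect filesystem mounted under a separate root. Today one would use SHA-256 rather than MD5; the mechanism is the same.

```python
import hashlib
import os
import re
import tempfile

# Manifest lines use the format md5(1) prints (the same one shown in the
# message), e.g.  MD5 (/bin/ls) = b09da2ac24e0597ee5437a106a9973b0
MANIFEST_RE = re.compile(r"^MD5 \((?P<path>[^)]+)\) = (?P<sum>[0-9a-fA-F]{32})$")


def parse_manifest(text):
    """Map path -> expected MD5 hex digest; lines that don't match are ignored."""
    expected = {}
    for line in text.splitlines():
        m = MANIFEST_RE.match(line.strip())
        if m:
            expected[m.group("path")] = m.group("sum").lower()
    return expected


def md5_file(path, chunk=1 << 16):
    """MD5 of a file, read in chunks so large binaries don't go through memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify(manifest_text, root="/"):
    """Return {path: 'ok' | 'MISMATCH' | 'missing'} for every manifest entry.

    `root` lets the same manifest be checked against a suspect filesystem
    mounted somewhere else (e.g. /mnt after booting from clean media) instead
    of the running system."""
    results = {}
    for path, want in parse_manifest(manifest_text).items():
        full = os.path.join(root, path.lstrip("/"))
        if not os.path.isfile(full):
            results[path] = "missing"
        else:
            results[path] = "ok" if md5_file(full) == want else "MISMATCH"
    return results


def demo():
    """Constructed scenario (not real binaries): a 'trusted' tree and a
    'suspect' tree in temp dirs. In the suspect tree /bin/ps is replaced and
    /sbin/md5 is deleted; the manifest is built from the trusted tree."""
    with tempfile.TemporaryDirectory() as trusted, tempfile.TemporaryDirectory() as suspect:
        files = {"bin/ls": b"ls-binary", "bin/ps": b"ps-binary", "sbin/md5": b"md5-binary"}
        for tree in (trusted, suspect):
            for rel, data in files.items():
                p = os.path.join(tree, rel)
                os.makedirs(os.path.dirname(p), exist_ok=True)
                with open(p, "wb") as f:
                    f.write(data)
        # Build the manifest from the trusted tree, as one would from install media.
        manifest = "\n".join(
            f"MD5 (/{rel}) = {md5_file(os.path.join(trusted, rel))}" for rel in files)
        # Tamper with the suspect tree the way a user-land rootkit would.
        with open(os.path.join(suspect, "bin/ps"), "wb") as f:
            f.write(b"trojaned-ps")
        os.remove(os.path.join(suspect, "sbin/md5"))
        return verify(manifest, root=suspect)


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:9s} {path}")
```

Against a real system the call is verify(open("manifest.txt").read(), root="/mnt") with the suspect disk mounted read-only on /mnt; a manifest taken from the running host after the fact proves nothing, since it would only record whatever is already installed.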
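The firewall log quoted above, read mechanically, as an added example by the editor and not code from the original message or from FreeBSD. Every quoted line has source port 111 on 209.239.229.90 and an ephemeral destination port on 137.24.124.222, which is the shape of a SunRPC portmapper reply, not of a request; the requests that provoked such replies would have travelled 137.24.124.222:<port> -> 209.239.229.90:111, and the open question is who sent them (the Solaris host itself, or a third party forging its address so that the portmapper answered it, which is the spoofing scenario of item (2)). The block parses lines in the logged format, groups them into bursts, and says which direction each burst is. The excerpt embedded in it is copied from the quoted log (a few lines of each 24-line burst); the labels "portmap-reply" and "portmap-request" and the 1024 ephemeral-port cutoff are the example's own choices.

```python
import re
from collections import OrderedDict

# Excerpt copied from the firewall log quoted in the message (the full log has
# 24 lines in each burst; a few of each are enough to show the pattern).
SAMPLE_LOG = """\
> May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65422 UDP
> May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65423 UDP
> May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65424 UDP
> May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65425 UDP
> May 1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34004 UDP
> May 1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34005 UDP
> May 1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34006 UDP
"""

LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<sip>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dip>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s+(?P<proto>[A-Z]+)$"
)

PORTMAP_PORT = 111     # SunRPC portmapper / rpcbind
EPHEMERAL_MIN = 1024   # assumption: anything above this is treated as a client port


def parse_line(line):
    """One log line -> dict, or None if it is not in the logged format.
    A leading '>' quote marker (as in the e-mail) is stripped first."""
    m = LOG_RE.match(line.strip().lstrip(">").strip())
    if not m:
        return None
    e = m.groupdict()
    e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
    return e


def direction(e):
    """Classify a UDP packet by which end holds port 111."""
    if e["proto"] != "UDP":
        return "other"
    if e["dport"] == PORTMAP_PORT:
        return "portmap-request"   # a query (or a probe) aimed at the portmapper
    if e["sport"] == PORTMAP_PORT and e["dport"] >= EPHEMERAL_MIN:
        return "portmap-reply"     # shaped like the portmapper answering a client
    return "other"


def bursts(text):
    """Group lines sharing timestamp, endpoints and direction, and note whether
    the client ports run consecutively: that is what one client issuing a
    stream of requests (or one forged stream of requests) looks like."""
    groups = OrderedDict()
    for line in text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        key = (f"{e['mon']} {e['day']} {e['time']}", e["sip"], e["dip"], direction(e))
        groups.setdefault(key, []).append(e["dport"])
    out = []
    for (when, sip, dip, kind), ports in groups.items():
        lo = min(ports)
        out.append({
            "time": when, "src": sip, "dst": dip, "direction": kind,
            "count": len(ports), "ports": (lo, max(ports)),
            "contiguous": sorted(ports) == list(range(lo, lo + len(ports))),
        })
    return out


def explain(b):
    """Turn a burst into the question an analyst should ask next."""
    if b["direction"] == "portmap-reply":
        return (f"{b['time']}: {b['count']} replies from {b['src']}:111 to {b['dst']} "
                f"ports {b['ports'][0]}-{b['ports'][1]}. The requests that provoked them "
                f"would have been {b['dst']}:<port> -> {b['src']}:111; check whether "
                f"{b['dst']} sent them, or whether a third party sent requests forging "
                f"{b['dst']} as the source so that {b['src']} answered it.")
    if b["direction"] == "portmap-request":
        return (f"{b['time']}: {b['count']} requests from {b['src']} to {b['dst']}:111; "
                f"this is the direction a scan of the portmapper takes.")
    return f"{b['time']}: {b['count']} packets {b['src']} -> {b['dst']} ({b['direction']})"


if __name__ == "__main__":
    for b in bursts(SAMPLE_LOG):
        print(explain(b))
```

The firewall that produced the log sees only one direction of the exchange; the matching inbound requests, if any, would be in the Solaris host's own logs, or in a packet capture on the FreeBSD side filtered on udp port 111, which also settles whether the requests arrive with a forged source.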