Date:      Tue, 13 Oct 1998 18:12:41 -0500 (CDT)
From:      Jay Nelson <jdn@acp.qiv.com>
To:        "Leonard C." <leonardc9@usa.net>
Cc:        security@FreeBSD.ORG
Subject:   Re: URGENT! Need help determining scope of attack...
Message-ID:  <Pine.BSF.3.96.981013174940.1244B-100000@acp.qiv.com>
In-Reply-To: <v04011702b24835d1f943@[10.0.0.2]>


I had a similar experience. In my case, an "Admin" claimed he was
checking his network for BO vulnerability (a different ISP than ours)
and also checked all the "dial-in" ips of _our_ ISP since many of his 
users had accounts with our ISP. He apologized for his "mistake." A
call to his ISP resolved the issue.

I've seen a Linux box that was breached (through imap, I think) that
substituted a number of trojaned binaries and added a line to
inetd.conf for service 31336 that called telnetd (one of the trojaned
binaries.) They put a script called "d" in /sbin that inventoried the
machine and shipped all the relevant information off to an ftp server
that had a 5 second timeout. They ended up installing a port bomb and
sniffer in a directory with permission 000 and used it against other
machines. The back doors they use are configurable as to which port
they attach and they seem to like 3133[5-9] because of all the BO
publicity. So I'm a little sensitive to anything touching those ports.

I contact their administrators, hostmasters or whomever I can locate
when I see anything like this. Others have suggested you do the same
and I would agree. 

-- Jay

On Mon, 12 Oct 1998, Leonard C. wrote:

>When I checked my system's daily report today, I found this:
>
>> pid 7081 (telnet), uid 0: exited on signal 3 (core dumped)
>> Connection attempt to UDP 169.229.87.xx:31337 from 169.229.93.66:1335
>> Connection attempt to UDP 169.229.87.xx:31337 from 169.229.93.66:1335
>> Connection attempt to UDP 169.229.87.xx:31337 from 169.229.93.66:1335
>> Connection attempt to UDP 169.229.87.xx:31337 from 169.229.84.53:1896
>
>With the core dump and then the attempted connections to port 31337, I'm
>suspecting that this is a script kiddy.  What worries me is I'm unsure of
>the scope of the attack.  In the logs, right after the attack, there was an
>su to root, but no new accounts have been added, nor any new uid 0
>accounts.  There are also no new setuid programs either.
>
>Netstat also doesn't report anything listening on any new ports.
>
>Right now, I've disabled all services except for ssh, but I'm not too sure
>what the next steps to take are.  Also, I noticed that the attacks came
>from two separate IPs.  Everybody here on the internal network has to use a
>gateway in order to reach the outside network with a netmask of
>255.255.255.0 (so, for me, it's 169.229.87.1).  This gateway logs
>everybody's MAC address before activating the port, and partitions it if a
>different MAC address is later used.  Can I be fairly certain then that the
>IPs that the attacks came from are the correct ones?
>
>What are the next steps from here?  Is there anything I can do to prevent
>something like this from happening next time?  Also, the core dump was from
>telnet and I haven't heard of any new exploits on that.  Any ideas on what
>exactly happened?
>
>I know this is a lot of questions to throw at you, but I'm not really sure
>what to do next.
>
>Thanks in advance for all of your help,
>
>Leonard
>
>****************************
>Note: The errors on the ed1 ethernet card are normal.  I've tried to fudge
>with the IRQs, to no avail, but I keep getting these messages.  Other than
>errors, I've had no problems though.  The power.leonard.com is a computer
>on my internal network (10.0.0.0), so errors from qpopper on that are
>mainly just me playing around with it.
>/var/log/messages:
>
>Oct 10 03:51:22 icarus /kernel: Connection attempt to UDP 169.229.87.90:31337 from 169.229.84.53:3039
>Oct 10 04:27:03 icarus /kernel: ed1: NIC memory corrupt - invalid packet length 2297
>Oct 10 04:39:10 icarus /kernel: ed1: device timeout
>Oct 10 11:02:04 icarus /kernel: Connection attempt to UDP 169.229.87.90:31337 from 169.229.84.53:3649
>Oct 10 12:58:18 icarus afpd[5988]: afp_die: asp_shutdown: Operation timed out
>Oct 10 18:56:05 icarus /kernel: Connection attempt to UDP 169.229.87.90:31337 from 169.229.84.53:4035
>Oct 10 21:59:48 icarus afpd[6475]: afp_die: asp_shutdown: Operation timed out
>Oct 11 00:42:40 icarus /kernel: Connection attempt to UDP 169.229.87.90:31337 from 169.229.84.53:1034
>Oct 11 02:28:34 icarus su: leonard to root on /dev/ttyp0
>Oct 11 02:45:58 icarus su: leonard to root on /dev/ttyp0
>Oct 11 02:49:40 icarus syslogd: exiting on signal 15
>Oct 11 02:51:13 icarus popper[7002]: @localhost.Berkeley.EDU: -ERR Unknown command: "quyit".
>Oct 11 03:00:37 icarus syslogd: exiting on signal 15
>Oct 11 03:01:43 icarus /kernel: pid 7081 (telnet), uid 0: exited on signal 3 (core dumped)
>Oct 11 03:02:28 icarus popper[7090]: @localhost.Berkeley.EDU: -ERR Command "a;jfas;ldjfsdl;kjfsdl;akfjaslkd;f" (truncated) exceedes maximum permitted size.
>Oct 11 03:45:39 icarus popper[7152]: @power.leonard.com: -ERR Unknown command: "get".
>Oct 11 03:45:39 icarus popper[7152]: @power.leonard.com: -ERR Unknown command: "host:".
>Oct 11 03:45:39 icarus popper[7152]: @power.leonard.com: -ERR Too many arguments supplied.
>Oct 11 03:45:40 icarus popper[7152]: @power.leonard.com: -ERR Unknown command: "accept-language:".
>Oct 11 03:45:40 icarus popper[7152]: @power.leonard.com: -ERR Unknown command: "connection:".
>Oct 11 03:45:40 icarus popper[7152]: @power.leonard.com: -ERR Too many arguments supplied.
>Oct 11 03:45:40 icarus popper[7152]: @power.leonard.com: -ERR Unknown command: "ua-os:".
>Oct 11 03:45:40 icarus popper[7152]: @power.leonard.com: -ERR Unknown command: "ua-cpu:".
>Oct 11 03:45:40 icarus popper[7152]: @power.leonard.com: -ERR Unknown command: "extension:".
>Oct 11 03:45:48 icarus popper[7152]: @power.leonard.com: -ERR POP EOF received
>Oct 11 03:56:45 icarus su: leonard to root on /dev/ttyp0
>Oct 11 09:18:04 icarus /kernel: Connection attempt to UDP 169.229.87.90:31337 from 169.229.93.66:1335
>Oct 11 10:49:14 icarus /kernel: Connection attempt to UDP 169.229.87.90:31337 from 169.229.93.66:1335
>Oct 11 11:20:32 icarus /kernel: Connection attempt to UDP 169.229.87.90:31337 from 169.229.93.66:1335
>Oct 11 15:57:49 icarus /kernel: Connection attempt to UDP 169.229.87.90:31337 from 169.229.84.53:1896
>Oct 11 20:05:48 icarus afpd[8149]: afp_die: asp_shutdown: Operation timed out
>Oct 11 21:14:00 icarus /kernel: ed1: NIC memory corrupt - invalid packet length 2301
>Oct 11 21:14:12 icarus /kernel: ed1: NIC memory corrupt - invalid packet length 2203
>Oct 11 21:14:41 icarus /kernel: ed1: NIC memory corrupt - invalid packet length 2179
>Oct 11 22:32:58 icarus arpwatch: 0:40:5:68:1:7a sent bad hardware format 0xe
>Oct 12 00:13:59 icarus /kernel: ed1: NIC memory corrupt - invalid packet length 6016
>Oct 12 00:38:38 icarus afpd[202]: atp_sreq: Network is unreachable
>Oct 12 00:38:59 icarus /kernel: ed1: device timeout
>Oct 12 00:39:08 icarus afpd[202]: atp_sreq: Network is unreachable
>Oct 12 00:39:55 icarus /kernel: ed1: NIC memory corrupt - invalid packet length 2122
>Oct 12 00:40:23 icarus /kernel: ed1: NIC memory corrupt - invalid packet length 2342
>Oct 12 00:43:51 icarus /kernel: ed1: NIC memory corrupt - invalid packet length 2062
>Oct 12 00:44:10 icarus /kernel: ed1: NIC memory corrupt - invalid packet length 2128
>Oct 12 00:45:38 icarus /kernel: Connection attempt to UDP 169.229.87.90:31337 from 169.229.84.53:3744
>Oct 12 00:48:38 icarus /kernel: ed1: NIC memory corrupt - invalid packet length 2157
>Oct 12 00:48:46 icarus /kernel: ed1: NIC memory corrupt - invalid packet length 2168
>Oct 12 00:50:45 icarus /kernel: ed1: NIC memory corrupt - invalid packet length 2192
>Oct 12 01:13:35 icarus /kernel: ed1: NIC memory corrupt - invalid packet length 2066
>Oct 12 07:50:58 icarus /kernel: Connection attempt to UDP 169.229.87.90:31337 from 169.229.84.53:4216
>Oct 12 10:08:51 icarus arpwatch: 0:e0:29:18:58:52 sent bad hardware format 0x800f
>
>****************************
>Daily security check output:
>
>checking setuid files and devices:
>
>
>checking for uids of 0:
>root 0
>toor 0
>
>
>icarus kernel log messages:
>> 2:2082
>> pid 7081 (telnet), uid 0: exited on signal 3 (core dumped)
>> Connection attempt to UDP 169.229.87.90:31337 from 169.229.93.66:1335
>> Connection attempt to UDP 169.229.87.90:31337 from 169.229.93.66:1335
>> Connection attempt to UDP 169.229.87.90:31337 from 169.229.93.66:1335
>> Connection attempt to UDP 169.229.87.90:31337 from 169.229.84.53:1896
>> ed1: NIC memory corrupt - invalid packet length 2301
>> ed1: NIC memory corrupt - invalid packet length 2203
>> ed1: NIC memory corrupt - invalid packet length 2179
>> ed1: NIC memory corrupt - invalid packet length 6016
>> ed1: device timeout
>> ed1: NIC memory corrupt - invalid packet length 2122
>> ed1: NIC memory corrupt - invalid packet length 2342
>> ed1: NIC memory corrupt - invalid packet length 2062
>> ed1: NIC memory corrupt - invalid packet length 2128
>> Connection attempt to UDP 169.229.87.90:31337 from 169.229.84.53:3744
>> ed1: NIC memory corrupt - invalid packet length 2157
>> ed1: NIC memory corrupt - invalid packet length 2168
>> ed1: NIC memory corrupt - invalid packet length 2192
>> ed1: NIC memory corrupt - invalid packet length 2066
>
>
>icarus login failures:
>
>
>icarus refused connections:
>
>- --
>Support the Blue Ribbon Campaign for free speech online        ()
>http://www.eff.org/blueribbon.html                             /\
>"Those who will not reason perish in the act.
>Those who will not act, perish for that reason." - W. H. Auden
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
>

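As an added example (not from either poster), a small Python script that turns the quoted /var/log/messages excerpt into what a responder wants first when scoping an incident like this: probe counts per source address and destination port, with the 3133[5-9] back-door range Jay mentions flagged, plus an ordered list of the host-side events (su to root, syslogd stopped, the uid 0 telnet core dump) to line up against the probes. It assumes the FreeBSD kernel's "Connection attempt to <proto> <dst>:<port> from <src>:<port>" log format exactly as quoted above; the sample lines are a constructed subset of the post's log.

```python
import re
from collections import Counter

# Constructed sample: a subset of the /var/log/messages lines quoted in the
# thread, with the mail-wrapped lines rejoined. Not the poster's raw file.
SAMPLE_LOG = """\
Oct 10 03:51:22 icarus /kernel: Connection attempt to UDP 169.229.87.90:31337 from 169.229.84.53:3039
Oct 11 02:28:34 icarus su: leonard to root on /dev/ttyp0
Oct 11 02:49:40 icarus syslogd: exiting on signal 15
Oct 11 03:01:43 icarus /kernel: pid 7081 (telnet), uid 0: exited on signal 3 (core dumped)
Oct 11 09:18:04 icarus /kernel: Connection attempt to UDP 169.229.87.90:31337 from 169.229.93.66:1335
Oct 11 10:49:14 icarus /kernel: Connection attempt to UDP 169.229.87.90:31337 from 169.229.93.66:1335
Oct 11 15:57:49 icarus /kernel: Connection attempt to UDP 169.229.87.90:31337 from 169.229.84.53:1896
Oct 12 00:45:38 icarus /kernel: Connection attempt to UDP 169.229.87.90:31337 from 169.229.84.53:3744
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "  # syslog timestamp + hostname
# Kernel line as quoted in the post: Connection attempt to <PROTO> <dst>:<port> from <src>:<port>
PROBE_RE = re.compile(TS + r"/kernel: Connection attempt to (?P<proto>TCP|UDP) "
                      r"(?P<dst>[\d.]+):(?P<dport>\d+) from (?P<src>[\d.]+):(?P<sport>\d+)$")
# Host-side events to line up against the probes: su to root, syslogd stopped,
# a uid 0 process dumping core.
EVENT_RE = re.compile(TS + r"(?P<msg>su: \S+ to root .*|syslogd: exiting .*|"
                      r"/kernel: pid \d+ .*\(core dumped\))$")
BACKDOOR_PORTS = set(range(31335, 31340))  # the 3133[5-9] range Jay mentions

def summarize_probes(log_text):
    """Count probes per (source IP, proto, dest port); flag back-door ports."""
    counts = Counter()
    for line in log_text.splitlines():
        m = PROBE_RE.match(line)
        if m:
            counts[(m["src"], m["proto"], int(m["dport"]))] += 1
    return {k: {"count": n, "backdoor_port": k[2] in BACKDOOR_PORTS}
            for k, n in counts.items()}

def host_events(log_text):
    """Return (timestamp, message) for root/crash/syslogd events, in log order."""
    return [(m["ts"], m["msg"]) for m in map(EVENT_RE.match, log_text.splitlines()) if m]

if __name__ == "__main__":
    for (src, proto, port), info in sorted(summarize_probes(SAMPLE_LOG).items()):
        flag = "  <- back-door port" if info["backdoor_port"] else ""
        print(f"{src:>15} -> {proto}/{port}: {info['count']} probe(s){flag}")
    for ts, msg in host_events(SAMPLE_LOG):
        print(f"{ts}  {msg}")
```

Pointing it at the full file instead of SAMPLE_LOG gives the per-source counts needed for the abuse report Jay recommends sending to the source networks' administrators.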
