Date:      Tue, 1 May 2001 22:23:17 -0700
From:      Everett F Batey <efb@cotdazr.org>
To:        security@freebsd.org
Cc:        efb-all@cotdazr.org
Subject:   Re: [GorrellCD@phdnswc.navy.mil: ]
Message-ID:  <20010501222316.B14264@cotdazr.org>
In-Reply-To: <20010501220704.A14264@cotdazr.org>; from Everett F Batey on Tue, May 01, 2001 at 10:07:04PM -0700
References:  <20010501220704.A14264@cotdazr.org>

Dear FreeBSD Security Guru,

I need some guidance.  My employer, with which I have had problems over
the past 5 years, has suggested I (or my IP) am(/is) trying to attack
his IP space on UDP 111, and sent me the below attached log file.

I am running a pretty sanitized version of FreeBSD 2.2.8 at my home,
with many patches.  I hope soon to be able to go to 4.X but can NOT now.
I am concerned about several possibilities: (1) I could have been root
kitted, (2) someone could be spoofing my primary address, or (3) I am
getting some fully B/s stories about what is showing up at the far end
on their firewall.

I do not know of anything that I do which would cause my FBsd to poke
at port 111 on the supposed system at the far end (per attachment).
That IP IS a computer running Solaris on which I have done work, INSIDE
the semi-firewalled 137.24/16.

The admin of that system advises me there are port 111 assaults on his
firewall from me, from Navy NCIS, 199 something, from oxnardsd.org,
where I used to do volunteer work some years ago.

I would appreciate if you could help me assess those possibilities.

For Item (1) I understand a rootkit involves replacing some or all of
ls, ps, netstat, ifconfig, md5.

AT THIS time MD5 reports the following:

gcpacix:<efb>~{138} foreach i ( ls ps netstat md5 ifconfig )
foreach? md5 `which $i`
foreach? end
MD5 (/bin/ls) = b09da2ac24e0597ee5437a106a9973b0
MD5 (/bin/ps) = 606cf612681a75162100d6ddcfec3a70
MD5 (/usr/bin/netstat) = 0613ecb7d018d0b058396562b2abf065
MD5 (/sbin/md5) = e38c532609c44bb01ad627952d495cf0
MD5 (/sbin/ifconfig) = d87d850c07066ba90ac9e7340c425619

Are any of these values possibly correct for FreeBSD 2.2.8?  Can you
point me at where I can download replacements of
  ls ps netstat md5 ifconfig
to retest that I have not been Root-Kitted?

For item (2), can you tell me if you have seen many reports of anyone
attacking port 111 with a spoofed IP source address?

Appreciate any help or guidance you can offer me.

/Everett Batey/   800 545-6998

-- 
  + http://www.vhwy.com  efb@vhwy.com WA6CRE@arrl.net http://www.cotdazr.org +
  + PocketNet Mail to efbatey@mobile.att.net / Cell/VoiceMail  805 340-6471  +
  + Unix BSD, Sun, HP SCO Linux Security Cisco Routing DataFellows QMail DNS +
 

> Received: from MAINS2.PHDNSWC.NAVY.MIL (root@mains2.phdnswc.navy.mil [137.24.144.30])
> Subject: 
> Date: Tue, 1 May 2001 13:34:32 -0700 
> 
> Ev,
> 
> Please call me regarding the traffic below.  8-0701
> 
> CG...
> 
> May  1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65422 UDP  
> May  1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65423 UDP  
> May  1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65424 UDP  
> May  1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65425 UDP  
> May  1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65426 UDP  
> May  1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65427 UDP  
> May  1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65428 UDP  
> May  1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65429 UDP  
> May  1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65430 UDP  
> May  1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65431 UDP  
> May  1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65432 UDP  
> May  1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65433 UDP  
> May  1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65434 UDP  
> May  1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65435 UDP  
> May  1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65436 UDP  
> May  1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65437 UDP  
> May  1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65438 UDP  
> May  1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65439 UDP  
> May  1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65440 UDP  
> May  1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65441 UDP  
> May  1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65442 UDP  
> May  1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65443 UDP  
> May  1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65444 UDP  
> May  1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65445 UDP  
> May  1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34004 UDP  
> May  1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34005 UDP  
> May  1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34006 UDP  
> May  1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34007 UDP  
> May  1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34008 UDP  
> May  1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34009 UDP  
> May  1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34010 UDP  
> May  1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34011 UDP  
> May  1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34012 UDP  
> May  1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34013 UDP  
> May  1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34014 UDP  
> May  1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34015 UDP  
> May  1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34016 UDP  
> May  1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34017 UDP  
> May  1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34018 UDP  
> May  1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34019 UDP  
> May  1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34020 UDP  
> May  1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34021 UDP  
> May  1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34022 UDP  
> May  1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34023 UDP  
> May  1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34024 UDP  
> May  1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34025 UDP  
> May  1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34026 UDP  
> May  1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34027 UDP  
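The first question in the message is whether the listed binaries still match a known-good build. The usual defensive answer is a manifest of digests produced on a trusted machine from the release media, then compared against the suspect host using a hashing tool that was not itself taken from that host (the message itself lists md5 among the binaries a rootkit replaces). The script below is an added example, not code from the original thread or from FreeBSD: it computes MD5 and SHA-256 for each path in a manifest and reports ok, MISMATCH or missing. The manifest format (one line per file: path, MD5 hex, SHA-256 hex) is an assumption of this example, and the "binaries" it hashes are constructed sample files in a temporary directory, not real FreeBSD 2.2.8 digests. SHA-256 is included beside MD5 because MD5 on its own is no longer collision resistant.

```python
"""Verify files against a known-good digest manifest.

Added example, not part of the original message. Manifest format assumed
here: one entry per line, "<path> <md5hex> <sha256hex>", produced on a
trusted machine. Sample files and digests below are constructed for the
demo and are not real FreeBSD checksums.
"""
import hashlib
import os
import shutil
import tempfile


def digests(path):
    """Return (md5, sha256) hex digests of a file, read in 64 KiB chunks."""
    md5 = hashlib.md5()
    sha = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def parse_manifest(text):
    """Parse manifest text into {path: (md5hex, sha256hex)}; '#' lines are comments."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path, md5hex, shahex = line.split()
        manifest[path] = (md5hex.lower(), shahex.lower())
    return manifest


def verify(manifest, root=""):
    """Return {path: 'ok' | 'MISMATCH' | 'missing'} for every manifest entry.

    root lets the check run against a mounted copy of the suspect filesystem
    (for example an image taken from clean boot media) instead of the live one.
    """
    results = {}
    for path, (want_md5, want_sha) in manifest.items():
        full = os.path.join(root, path.lstrip("/")) if root else path
        if not os.path.isfile(full):
            results[path] = "missing"
            continue
        got = digests(full)
        results[path] = "ok" if got == (want_md5, want_sha) else "MISMATCH"
    return results


def build_demo():
    """Build a fake root with constructed 'binaries', take a manifest from the
    clean copies, replace one file, then verify. Returns the status map."""
    root = tempfile.mkdtemp(prefix="integrity-demo-")
    try:
        clean = {
            "/bin/ls": b"ELF clean ls (constructed sample)",
            "/bin/ps": b"ELF clean ps (constructed sample)",
            "/usr/bin/netstat": b"ELF clean netstat (constructed sample)",
        }
        lines = ["# constructed manifest for the demo"]
        for path, data in clean.items():
            full = os.path.join(root, path.lstrip("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
            lines.append("%s %s %s" % ((path,) + digests(full)))
        # An entry the demo never creates, to exercise the 'missing' status.
        lines.append("/sbin/md5 " + "0" * 32 + " " + "0" * 64)
        manifest = parse_manifest("\n".join(lines))
        # Simulate a replaced ps: same path, different content.
        with open(os.path.join(root, "bin/ps"), "wb") as fh:
            fh.write(b"ELF replaced ps (constructed sample)")
        return verify(manifest, root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, status in sorted(build_demo().items()):
        print("%-9s %s" % (status, path))
```

Run against a real host, the manifest would be generated from the installation media and the script copied in along with a statically linked interpreter or run from a rescue boot, so that neither the digest list nor the tool computing it depends on binaries the rootkit may have replaced.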

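The quoted log is the other half of the question: every line shows source port 111 on the FreeBSD host and an ascending run of high-numbered destination ports on the Solaris host, all within the same second. A defender triaging this would want the bursts summarised and the port roles stated, because a packet from a service port to an ephemeral port has the shape of a reply to a request the other side made (or of spoofed traffic using that port), whereas a probe of port 111 would have the service port on the destination side. The script below is an added example, not from the original thread: it parses lines in the quoted format, groups them into per-second bursts, and labels each burst by the port roles. The sample lines are constructed to match the quoted format using the two addresses from the message; the `WELL_KNOWN` table and the `shape` labels are this example's own assumptions.

```python
"""Summarise firewall log lines of the form
"May  1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65422 UDP".

Added example, not part of the original message. Sample lines below are
constructed in that format; the port-role table is an assumption of this
example, not something the log states.
"""
import re
from collections import defaultdict

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)\s*$"
)

# Service ports this example recognises (assumption; extend as needed).
WELL_KNOWN = {111: "sunrpc/portmapper", 53: "dns", 123: "ntp"}

# Constructed sample in the quoted log's format (first lines of each burst,
# plus one malformed line to show that unparseable input is skipped).
SAMPLE_LOG = """\
May  1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65422 UDP
May  1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65423 UDP
May  1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65424 UDP
May  1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65425 UDP
this line is not a firewall record
May  1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34004 UDP
May  1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34005 UDP
May  1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34006 UDP
May  1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34007 UDP
""".splitlines()


def parse(lines):
    """Return a list of (ts, src, sport, dst, dport, proto); skips non-matching lines."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            d = m.groupdict()
            events.append((d["ts"], d["src"], int(d["sport"]),
                           d["dst"], int(d["dport"]), d["proto"]))
    return events


def shape(sport, dports):
    """Describe the port roles of one burst (labels are this example's wording)."""
    src_service = sport in WELL_KNOWN
    dst_ephemeral = all(p >= 1024 for p in dports)
    if src_service and dst_ephemeral:
        return ("source port %d (%s) to ephemeral destination ports: the shape of "
                "replies to requests the destination sent, or of packets spoofed "
                "with that source port; ask the far end for the matching outbound "
                "packets" % (sport, WELL_KNOWN[sport]))
    if not src_service and any(p in WELL_KNOWN for p in dports):
        return "ephemeral source to a service port: the shape of a request or probe"
    return "no recognised service port on either side"


def bursts(events):
    """Group events by (src, sport, dst, proto, second) and summarise each group."""
    groups = defaultdict(list)
    for ts, src, sport, dst, dport, proto in events:
        groups[(src, sport, dst, proto, ts)].append(dport)
    out = []
    for (src, sport, dst, proto, ts), dports in sorted(groups.items()):
        ports = sorted(dports)
        out.append({
            "time": ts, "src": src, "sport": sport, "dst": dst, "proto": proto,
            "count": len(ports), "dport_min": ports[0], "dport_max": ports[-1],
            # True when the destination ports form one unbroken ascending run
            "consecutive": ports == list(range(ports[0], ports[0] + len(ports))),
            "shape": shape(sport, ports),
        })
    return out


if __name__ == "__main__":
    for b in bursts(parse(SAMPLE_LOG)):
        print("%s %s:%d -> %s:%d-%d %s x%d consecutive=%s\n    %s" % (
            b["time"], b["src"], b["sport"], b["dst"], b["dport_min"],
            b["dport_max"], b["proto"], b["count"], b["consecutive"], b["shape"]))
```

The summary only states what the log's own fields support; deciding between a genuine reply, a spoofed source and a misread firewall log needs the other direction of traffic from the far end, which is why the label ends by asking for it.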