SLUG Mailing List Archives - Re: [SLUG] Help I got hacked!!

To: slug@xxxxxxxxxxx
Subject: Re: [SLUG] Help I got hacked!!
From: andy <eageraj@xxxxxxxxxxxxxxx>
Date: Wed Jul 4 20:23:01 2001
User-agent: Mozilla/5.0 (X11; U; Linux 2.4.2-2 i686; en-US; 0.7) Gecko/20010316

Hi all,

Thanks for the replies, I havn't had a chance to get back online tillnow, so now I get to read all those words of wisdom... One of which isto check your config files before restoring them after an attack...


Bevan Broun wrote:


And data/config files must be checked. No point pointing back nice secure
binaries if a config file allows something it shouldnt.

OK, so I rebuilt an old RH6.2 system and upgraded to RH7.1 in theprocess. I got the RH7.1 install to format everything except my swapdrive.About an hour after I rebooted my nicely rebuilt system (using my oldipchains rules - which are obviously lacking) I noticed the followingtell-tale signs of intrusion yet again:

... 17:13:16 kernel: Packet log: input log-in ppp0 PROTO=6208.176.183.26:4170 ...

... 17:13:16 kernel: Packet log: output log-out ppp0 PROTO=6203.12.255.8:111 ...

... 17:13:17 kernel: Packet log: input log-in ppp0 PROTO=6208.176.183.26:4170 ...

... 17:13:17 kernel: Packet log: input log-in ppp0 PROTO=17208.176.183.26:835 ...

... 17:13:17 kernel: Packet log: output log-out ppp0 PROTO=17203.12.255.8:111

... 17:13:17 rpc.statd[844]: gethostbyname error for^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8

x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220\220\220
\220\220\220\220\220\220\220\220.......   heaps of this

...17:13:17 kernel: Packet log: input log-in ppp0 PROTO=17 .....

...17:13:17 kernel: Packet log: output log-out ppp0 PROTO=17203.12.255.8:1024


...17:13:18 kernel: Packet log: input log-in ppp0 PROTO=6 .....

...17:13:18 kernel: Packet log: output log-out ppp0 PROTO=6 203.12.255.8:111

... 17:13:18kernel: Packet log: input log-in ppp0 PROTO=6 ....

The IP addresses don't seem to mean much other than one of them is mine! (dial up so it varies each time)

The same thing happened on RH6.2 just before I got attacked (though thiscould be just coincidence) but I beleive the vulnerability exploited inmy case was via rpc.statd (they loaded 'luckroot' onto my system plus arootkit. Unfortunately NFS uses rpc.statd for its locking (?) schemesso I can't just ditch it.



Has anyone else experienced this.  What the hell is going on ????

Jul  4 17:13:16 Node10 kernel: Packet log: input log-in ppp0 PROTO=6 208.176.183.26:4170 203.12.255.8:111 L=60 S=0x00 I=62112 F=0x4000 T=48 SYN (#1)
Jul  4 17:13:16 Node10 kernel: Packet log: output log-out ppp0 PROTO=6 203.12.255.8:111 208.176.183.26:4170 L=60 S=0x00 I=0 F=0x4000 T=64 (#1)
Jul  4 17:13:17 Node10 kernel: Packet log: input log-in ppp0 PROTO=6 208.176.183.26:4170 203.12.255.8:111 L=52 S=0x00 I=62378 F=0x4000 T=48 (#1)
Jul  4 17:13:17 Node10 kernel: Packet log: input log-in ppp0 PROTO=17 208.176.183.26:835 203.12.255.8:111 L=84 S=0x00 I=62381 F=0x0000 T=48 (#4)
Jul  4 17:13:17 Node10 kernel: Packet log: output log-out ppp0 PROTO=17 203.12.255.8:111 208.176.183.26:835 L=56 S=0x00 I=0 F=0x4000 T=64 (#3)
Jul  4 17:13:17 Node10 rpc.statd[844]: gethostbyname error for ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
Jul  4 17:13:17 Node10 kernel: Packet log: input log-in ppp0 PROTO=17 208.176.183.26:836 203.12.255.8:1024 L=1104 S=0x00 I=62592 F=0x0000 T=48 (#4)
Jul  4 17:13:17 Node10 kernel: Packet log: output log-out ppp0 PROTO=17 203.12.255.8:1024 208.176.183.26:836 L=60 S=0x00 I=0 F=0x4000 T=64 (#3)
Jul  4 17:13:18 Node10 kernel: Packet log: input log-in ppp0 PROTO=6 208.176.183.26:4170 203.12.255.8:111 L=52 S=0x00 I=62614 F=0x4000 T=48 (#1)
Jul  4 17:13:18 Node10 kernel: Packet log: output log-out ppp0 PROTO=6 203.12.255.8:111 208.176.183.26:4170 L=52 S=0x00 I=28609 F=0x4000 T=64 (#1)
Jul  4 17:13:18 Node10 kernel: Packet log: input log-in ppp0 PROTO=6 208.176.183.26:4170 203.12.255.8:111 L=52 S=0x00 I=62972 F=0x4000 T=48 (#1)

Follow-Ups:
- Re: [SLUG] Help I got hacked!!
  - From: Jeff Waugh
- Re: [SLUG] Help I got hacked!!
  - From: Tom Massey

References:
- [SLUG] Help I got hacked!!
  - From: Andy Eager
- Re: [SLUG] Help I got hacked!!
  - From: Jon Austin
- Re: [SLUG] Help I got hacked!!
  - From: Bevan Broun

Messages sorted by: [ date | thread ]
Prev by Date: Re: [SLUG] Pam and mod_auth_pam problems
Next by Date: Re: [SLUG] Help I got hacked!!
Previous by thread: Re: [SLUG] Help I got hacked!!
Next by thread: Re: [SLUG] Help I got hacked!!