Tugger the SLUGger! SLUG Mailing List Archives

Re: [SLUG] Help I got hacked!!


Hi all,

Thanks for the replies, I haven't had a chance to get back online till now, so now I get to read all those words of wisdom... One of which is to check your config files before restoring them after an attack...

Bevan Broun wrote:


And data/config files must be checked. No point putting back nice secure
binaries if a config file allows something it shouldn't.

OK, so I rebuilt an old RH6.2 system and upgraded to RH7.1 in the process. I got the RH7.1 install to format everything except my swap drive. About an hour after I rebooted my nicely rebuilt system (using my old ipchains rules - which are obviously lacking) I noticed the following tell-tale signs of intrusion yet again:

... 17:13:16 kernel: Packet log: input log-in ppp0 PROTO=6 208.176.183.26:4170 ...

... 17:13:16 kernel: Packet log: output log-out ppp0 PROTO=6 203.12.255.8:111 ...

... 17:13:17 kernel: Packet log: input log-in ppp0 PROTO=6 208.176.183.26:4170 ...

... 17:13:17 kernel: Packet log: input log-in ppp0 PROTO=17 208.176.183.26:835 ...

... 17:13:17 kernel: Packet log: output log-out ppp0 PROTO=17 203.12.255.8:111

... 17:13:17 rpc.statd[844]: gethostbyname error for ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220....... heaps of this

...17:13:17 kernel: Packet log: input log-in ppp0 PROTO=17 .....

...17:13:17 kernel: Packet log: output log-out ppp0 PROTO=17 203.12.255.8:1024

...17:13:18 kernel: Packet log: input log-in ppp0 PROTO=6 .....

...17:13:18 kernel: Packet log: output log-out ppp0 PROTO=6 203.12.255.8:111

... 17:13:18 kernel: Packet log: input log-in ppp0 PROTO=6 ....


The IP addresses don't seem to mean much other than one of them is mine! (dial up so it varies each time)

The same thing happened on RH6.2 just before I got attacked (though this could be just coincidence) but I believe the vulnerability exploited in my case was via rpc.statd (they loaded 'luckroot' onto my system plus a rootkit). Unfortunately NFS uses rpc.statd for its locking (?) schemes so I can't just ditch it.


Has anyone else experienced this? What the hell is going on????


Jul  4 17:13:16 Node10 kernel: Packet log: input log-in ppp0 PROTO=6 208.176.183.26:4170 203.12.255.8:111 L=60 S=0x00 I=62112 F=0x4000 T=48 SYN (#1)
Jul  4 17:13:16 Node10 kernel: Packet log: output log-out ppp0 PROTO=6 203.12.255.8:111 208.176.183.26:4170 L=60 S=0x00 I=0 F=0x4000 T=64 (#1)
Jul  4 17:13:17 Node10 kernel: Packet log: input log-in ppp0 PROTO=6 208.176.183.26:4170 203.12.255.8:111 L=52 S=0x00 I=62378 F=0x4000 T=48 (#1)
Jul  4 17:13:17 Node10 kernel: Packet log: input log-in ppp0 PROTO=17 208.176.183.26:835 203.12.255.8:111 L=84 S=0x00 I=62381 F=0x0000 T=48 (#4)
Jul  4 17:13:17 Node10 kernel: Packet log: output log-out ppp0 PROTO=17 203.12.255.8:111 208.176.183.26:835 L=56 S=0x00 I=0 F=0x4000 T=64 (#3)
Jul  4 17:13:17 Node10 rpc.statd[844]: gethostbyname error for ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
Jul  4 17:13:17 Node10 kernel: Packet log: input log-in ppp0 PROTO=17 208.176.183.26:836 203.12.255.8:1024 L=1104 S=0x00 I=62592 F=0x0000 T=48 (#4)
Jul  4 17:13:17 Node10 kernel: Packet log: output log-out ppp0 PROTO=17 203.12.255.8:1024 208.176.183.26:836 L=60 S=0x00 I=0 F=0x4000 T=64 (#3)
Jul  4 17:13:18 Node10 kernel: Packet log: input log-in ppp0 PROTO=6 208.176.183.26:4170 203.12.255.8:111 L=52 S=0x00 I=62614 F=0x4000 T=48 (#1)
Jul  4 17:13:18 Node10 kernel: Packet log: output log-out ppp0 PROTO=6 203.12.255.8:111 208.176.183.26:4170 L=52 S=0x00 I=28609 F=0x4000 T=64 (#1)
Jul  4 17:13:18 Node10 kernel: Packet log: input log-in ppp0 PROTO=6 208.176.183.26:4170 203.12.255.8:111 L=52 S=0x00 I=62972 F=0x4000 T=48 (#1)
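What the log excerpt above records, spelled out as an added example that is not part of the original message: the remote host first talks to portmap (TCP, then UDP, to port 111) to find where rpc.statd is listening, then sends a 1104-byte UDP datagram to port 1024, and rpc.statd logs a gethostbyname error whose argument is the payload itself. Read as bytes, the ^X÷ÿ¿ groups at the front are four consecutive little-endian addresses in the 0xbfff.... (stack) range, 0xbffff718 to 0xbffff71b, each given twice; the %8x and %236x/%137x/%10x/%192x directives pad the count of characters printed; the four %n directives write that count into those four addresses one byte at a time; and \220 is octal for 0x90, the x86 NOP, so the long run of them is a sled in front of shellcode. A "hostname" that gets logged like that means untrusted input reached the format argument of a printf-family or syslog call in the daemon; the code fix is a fixed format string such as "%s" with the hostname passed as an argument, and on the firewall side the ipchains rules shown let both port 111 and the high UDP port in from ppp0. The Python below is an added example (not from the post or from any Red Hat tool): it parses a sample log constructed from the posted lines, with the sled shortened to 16 bytes, and flags both the format-string signature and the portmap-then-large-UDP sequence. The 1000-byte threshold and the ^X caret decoding of control bytes are assumptions made here.

```python
"""Triage of the log pattern in the post: ipchains "Packet log" lines plus an
rpc.statd gethostbyname line carrying a format-string payload.  Added
example, not code from the original message."""
import re
import struct
from collections import defaultdict

# Constructed sample built from the lines in the post; the \220 NOP sled is
# cut to 16 bytes, everything else is as posted.
SAMPLE_LOG = r"""Jul  4 17:13:16 Node10 kernel: Packet log: input log-in ppp0 PROTO=6 208.176.183.26:4170 203.12.255.8:111 L=60 S=0x00 I=62112 F=0x4000 T=48 SYN (#1)
Jul  4 17:13:16 Node10 kernel: Packet log: output log-out ppp0 PROTO=6 203.12.255.8:111 208.176.183.26:4170 L=60 S=0x00 I=0 F=0x4000 T=64 (#1)
Jul  4 17:13:17 Node10 kernel: Packet log: input log-in ppp0 PROTO=17 208.176.183.26:835 203.12.255.8:111 L=84 S=0x00 I=62381 F=0x0000 T=48 (#4)
Jul  4 17:13:17 Node10 rpc.statd[844]: gethostbyname error for ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
Jul  4 17:13:17 Node10 kernel: Packet log: input log-in ppp0 PROTO=17 208.176.183.26:836 203.12.255.8:1024 L=1104 S=0x00 I=62592 F=0x0000 T=48 (#4)
"""

PKT_RE = re.compile(
    r"kernel: Packet log: (?P<chain>\S+) (?P<rule>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+)"
)
STATD_RE = re.compile(r"rpc\.statd\[\d+\]: gethostbyname error for (?P<arg>.*)")

# Assumption: a UDP datagram this large to an RPC port right after a portmap
# lookup is worth flagging; a real statd request is far smaller.
BIG_UDP = 1000


def parse_packet(line):
    """Return the fields of an ipchains Packet log line, or None."""
    m = PKT_RE.search(line)
    if not m:
        return None
    pkt = m.groupdict()
    for key in ("proto", "sport", "dport", "length"):
        pkt[key] = int(pkt[key])
    return pkt


def decode_caret(text):
    """Undo syslog's ^X rendering of control bytes (assumed here, as seen in
    the post) and take the remaining Latin-1 characters as raw bytes."""
    plain = re.sub(r"\^([@-_])", lambda m: chr(ord(m.group(1)) ^ 0x40), text)
    return plain.encode("latin-1")


def analyse_format_arg(arg):
    """Split the logged gethostbyname argument into the three parts of a
    format-string payload: target addresses, %x/%n directives, NOP sled."""
    head = decode_caret(arg.split("%", 1)[0])        # bytes before the first %
    addresses = [struct.unpack("<I", head[i:i + 4])[0]
                 for i in range(0, len(head) - len(head) % 4, 4)]
    sled_runs = [len(m.group(0)) // 4 for m in re.finditer(r"(?:\\220)+", arg)]
    return {
        "addresses": addresses,
        "n_writes": arg.count("%n"),                 # %n writes to memory
        "x_reads": len(re.findall(r"%\d*x", arg)),   # %x pads the byte count
        "nop_sled": max(sled_runs, default=0),       # \220 = 0x90 = x86 NOP
    }


def is_format_string_attack(info):
    # No hostname ever needs %n; %n plus %x padding is the attack signature.
    return info["n_writes"] > 0 and info["x_reads"] > 0


def extract_statd_arg(log_text):
    """First logged gethostbyname argument in the text, or None."""
    for line in log_text.splitlines():
        m = STATD_RE.search(line)
        if m:
            return m.group("arg")
    return None


def triage(log_text):
    """Return human-readable findings for the log text."""
    findings = []
    inbound = defaultdict(list)   # (src, dst) -> input packets in log order
    for line in log_text.splitlines():
        pkt = parse_packet(line)
        if pkt:
            if pkt["chain"] == "input":
                inbound[(pkt["src"], pkt["dst"])].append(pkt)
            continue
        m = STATD_RE.search(line)
        if m:
            info = analyse_format_arg(m.group("arg"))
            if is_format_string_attack(info):
                targets = ", ".join(f"0x{a:08x}" for a in sorted(set(info["addresses"])))
                findings.append(
                    f"rpc.statd format string: {info['n_writes']} %n writes, "
                    f"{info['x_reads']} %x reads, {info['nop_sled']}-byte NOP sled, "
                    f"targets {targets}")
    # Portmap lookup followed by a large UDP datagram to another port.
    for (src, dst), pkts in inbound.items():
        portmap = [i for i, p in enumerate(pkts) if p["dport"] == 111]
        if not portmap:
            continue
        for p in pkts[portmap[0] + 1:]:
            if p["proto"] == 17 and p["dport"] != 111 and p["length"] >= BIG_UDP:
                findings.append(f"{src} queried portmap on {dst} then sent a "
                                f"{p['length']}-byte UDP datagram to port {p['dport']}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run triage() over /var/log/messages after a reconnect. Note that the L= field in ipchains logs is the IP total length, so the 1104 bytes include the IP and UDP headers, and that the ipchains-based check only fires when both the port 111 probe and the follow-up datagram are logged by the same input rule set.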