Well guys... it has been 5 years since someone got in. They finally did it. 
I've been using the floppy disk Coyote Linux for years now. They aren't 
keeping up it seems and the last update I got was in January. The first clue 
was Zone Alarm on my boy's box popped up some denials. Regrettably, I walked 
over to my firewall, hit the reset button and didn't give it another thought. 
Now I've lost all the logs on that server and don't know what state it was 
in. 

About an hour later I noticed that my Linux box was showing 2 IP addresses in 
my Samba server list that weren't even on my subnet! NOW it has my full 
attention!!! I did not have Tripwire installed. Just ran out of time, but I 
DID have Snort loaded, and not fully or properly configured I don't think. 
However, I DID get some interesting log entries that I thought I'd pass on to 
see what you guys thought, and perhaps shed some light on how they are 
whacking my firewall. I'm in the process of setting up an OpenBSD firewall. 
That should give them something to chew on for awhile. 

I'm sure I've been hacked but good, because they screwed up my NTP, set my NIC 
to promiscuous mode, and it looks like they gained root access. 

Here are some snippets of what my messages log shows:

Nov 24 10:50:24 mandrake snort[1213]: [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [Classification: Misc activity] [Priority: 3]: {ICMP} 150.176.17.242 -> 192.168.100.7

Nov 24 11:07:52 mandrake snort[1213]: [1:466:1] ICMP L3retriever Ping [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 192.168.100.8 -> 192.168.100.7
Nov 24 11:23:31 mandrake snort[1213]: [1:1171:6] WEB-MISC whisker HEAD with large datagram [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.100.8:4232 -> 66.150.3.68:80

port scans it appears, or buffer overflows on numerous ports?

{TCP} 192.168.100.8:4246 -> 66.150.3.68:80
Nov 24 11:23:34 mandrake snort[1213]: [1:1171:6] WEB-MISC whisker HEAD with large datagram [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.100.8:4249 -> 66.150.3.68:80
Nov 24 11:23:34 mandrake snort[1213]: [1:1171:6] WEB-MISC whisker HEAD with large datagram [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.100.8:4252 -> 66.150.3.68:80
Nov 24 11:23:34 mandrake snort[1213]: [1:1171:6] WEB-MISC whisker HEAD with large datagram [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.100.8:4255 -> 66.150.3.68:80
Nov 24 14:07:36 mandrake snort[1213]: [1:1287:5] WEB-IIS scripts access [Classification:  sid] [Priority: 2]: {TCP} 192.168.100.8:4756 -> 204.155.175.40:80
Nov 24 07:49:40 mandrake snort[1213]: [1:895:5] WEB-CGI redirect access [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.100.6:1087 -> 64.236.17.133:80
Nov 24 07:55:20 mandrake snort[1213]: [1:895:5] WEB-CGI redirect access [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.100.6:1126 -> 64.236.17.133:80
Nov 24 08:04:07 mandrake snort[1213]: [1:1564:4] WEB-MISC login.htm access [Classification:  sid] [Priority: 2]: {TCP} 192.168.100.6:1242 -> 207.25.71.118:80
Nov 24 08:06:30 mandrake ntpd[1251]: time correction of 25199 seconds exceeds sanity limit (1000); set clock manually to the correct UTC time.
Nov 24 08:06:30 mandrake kernel: eth0: Setting promiscuous mode.
Nov 24 08:14:02 mandrake snort[1213]: [1:882:4] WEB-CGI calendar access [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.100.6:1356 -> 64.124.82.22:80
Nov 24 09:24:42 mandrake snort[1213]: [1:1171:6] WEB-MISC whisker HEAD with large datagram [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.100.5:1353 -> 216.239.51.101:80
Nov 24 12:25:37 mandrake snort[1213]: [1:853:5] WEB-CGI wrap access [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.100.6:3018 -> 64.124.82.13:80
Nov 24 14:45:45 mandrake snort[1213]: [1:1408:5] DOS MSDTC attempt [Classification: Attempted Denial of Service] [Priority: 2]: {TCP} 66.150.3.68:80 -> 192.168.100.8:3372
Nov 24 15:03:09 mandrake snort[1213]: [1:654:5] SMTP RCPT TO overflow [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 192.168.100.5:1509 -> 68.6.19.4:25
Nov 24 15:04:54 mandrake snort[1213]: [1:654:5] SMTP RCPT TO overflow [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 192.168.100.5:1510 -> 68.6.19.4:25

****** somehow right in here, my Samba server goes absolutely nuts. It has 
been forced to be master browser and gets into a pissing match with my XP 
box, forcing election after election. My guess is to find out who is running 
shares on my little network. ?

Nov 24 23:57:49 mandrake su(pam_unix)[7357]: session opened for user root by (uid=503)
Nov 24 23:57:49 mandrake su(pam_unix)[7357]: session closed for user root
Nov 24 23:57:50 mandrake su(pam_unix)[7362]: session opened for user root by (uid=503)
Nov 24 23:58:03 mandrake snort[1213]: [1:882:4] WEB-CGI calendar access [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.100.6:3190 -> 63.241.29.144:80

There you go, I'm screwed. su access. So at this point, I'm thinking rebuild, 
eh? I ran chkrootkit, nothing showed, but who knows what has been done. I'm 
thinking I need to learn Tripwire, eh? :( 
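An added triage helper, not part of the original post, that parses the Snort syslog alert format shown above, labels each alert by direction relative to the LAN (192.168.100.0/24 is assumed from the addresses in the post), and pulls out the non-Snort host indicators the poster spotted (the NTP sanity-limit jump, eth0 going promiscuous, su sessions to root). Sorting alerts by direction separates traffic leaving the LAN from internal clients from traffic arriving at them, which is the first thing to check before treating every "WEB-*" signature as an inbound attack.

```python
import re
from ipaddress import ip_address, ip_network

# Sample lines taken from the post above (re-joined where the mail client wrapped them).
SAMPLE_LOG = """\
Nov 24 11:23:31 mandrake snort[1213]: [1:1171:6] WEB-MISC whisker HEAD with large datagram [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.100.8:4232 -> 66.150.3.68:80
Nov 24 08:06:30 mandrake ntpd[1251]: time correction of 25199 seconds exceeds sanity limit (1000); set clock manually to the correct UTC time.
Nov 24 08:06:30 mandrake kernel: eth0: Setting promiscuous mode.
Nov 24 14:45:45 mandrake snort[1213]: [1:1408:5] DOS MSDTC attempt [Classification: Attempted Denial of Service] [Priority: 2]: {TCP} 66.150.3.68:80 -> 192.168.100.8:3372
Nov 24 15:03:09 mandrake snort[1213]: [1:654:5] SMTP RCPT TO overflow [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 192.168.100.5:1509 -> 68.6.19.4:25
Nov 24 23:57:49 mandrake su(pam_unix)[7357]: session opened for user root by (uid=503)
"""

# Snort 1.x/2.x syslog alert: [gid:sid:rev] msg [Classification: ...] [Priority: N]: {PROTO} src[:port] -> dst[:port]
# Ports are optional so ICMP alerts parse too; "Classification: *" tolerates the doubled space in the post.
SNORT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"\[Classification: *(?P<cls>.*?)\] \[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

# Host-level events that are not Snort alerts but belong in the same timeline.
HOST_EVENT_RE = {
    "clock_jump": re.compile(r"ntpd\[\d+\]: time correction .* exceeds sanity limit"),
    "promisc": re.compile(r"kernel: (?P<iface>\w+): Setting promiscuous mode"),
    "su_root": re.compile(r"su\(pam_unix\)\[\d+\]: session opened for user root by \(uid=(?P<uid>\d+)\)"),
}

def direction(src, dst, internal):
    """Classify a flow as outbound/inbound/internal relative to the LAN prefix."""
    s, d = ip_address(src) in internal, ip_address(dst) in internal
    return {(True, False): "outbound", (False, True): "inbound",
            (True, True): "internal"}.get((s, d), "external")

def triage(log_text, internal_cidr="192.168.100.0/24"):
    """Return parsed Snort alerts with direction, plus host indicators, from syslog text."""
    internal = ip_network(internal_cidr)
    report = {"alerts": [], "host_events": [], "by_direction": {}}
    for line in log_text.splitlines():
        m = SNORT_RE.search(line)
        if m:
            a = m.groupdict()
            a["direction"] = direction(a["src"], a["dst"], internal)
            a["priority"] = int(a.pop("prio"))
            report["alerts"].append(a)
            report["by_direction"][a["direction"]] = report["by_direction"].get(a["direction"], 0) + 1
            continue
        for kind, rx in HOST_EVENT_RE.items():
            h = rx.search(line)
            if h:
                report["host_events"].append({"kind": kind, **h.groupdict()})
    return report
```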
