But how did the hacker use RPC to hack my machine?
Any help?

Shu

Alex Belits wrote:

> On Thu, 2 Dec 1999, Shu Xiao wrote:
>
> > Now we have to recover the binary code with clean copies from the
> > other machine having same RH 6.0, and telnet works now.
>
>   Save your non-executable files on some other box, re-format and reinstall the
> compromised box, change passwords everywhere -- otherwise you wouldn't be able
> to tell if it still has backdoors installed, or whether passwords were sniffed.
>
> > I also telneted
> > to 210.114.231.130. Surprisingly, it gave me a prompt like 'Wingate>', after
> > I entered some host name, it then tried to connect me to that machine.
> > It seems that it can masquerade the hacker behind. Where is 210.114.231.130?
>
> 210.114.231.130 is ns.samsan.com, but reverse DNS is broken on
> ns3.shinbiro.com and ns2.shinbiro.com, so it doesn't resolve back. However it
> is registered in whois database as a nameserver for samsan.com domain.
>
> That host:
>
>  1. Is a Windows box.
>  2. Is a primary nameserver for samsan.com and secondary nameserver for
> samsan.co.kr.
>  3. Runs an unrestricted wingate proxy.
>  4. Runs IMS SMTP and POP3 services, SMTP server is configured as an
> unrestricted relay.
>  5. samsan.com has no MX or A record pointing there or anywhere else.
>  6. samsan.co.kr has no MX record yet has A record pointing to the same host.
>
>   Whois record for the samsan.com domain is:
> ---8<---
> Registrant:
> Samsan Corporatopn (SAMSAN2-DOM)
>    Samsan Bldg., 506-7, Amsa-dong,
>    Kangdong-ku,
>    seoul, Seoul 134-050
>    KR
>
>    Domain Name: SAMSAN.COM
>
>    Administrative Contact, Technical Contact, Zone Contact:
>       Kim, Gwansick  (GK1104)  [EMAIL PROTECTED]
>       +82-2-3427-3672 (FAX) +82-2-3427-3671
>    Billing Contact:
>       Kim, Gwansick  (GK1105)  [EMAIL PROTECTED]
>       +82-2-3427-3672 (FAX) +82-2-3427-3671
>
>    Record last updated on 01-Aug-1999.
>    Record created on 04-Mar-1997.
>    Database last updated on 2-Dec-1999 12:28:08 EST.
>
>    Domain servers in listed order:
>
>    NS.SAMSAN.COM                210.114.231.130
>    HICON.HYUNDAI.NET            203.251.201.1
> --->8---
>
>   Address [EMAIL PROTECTED] does not work (obviously because MX record is
> missing).
>
>   At the same time 210.114.231.130 is a secondary nameserver for SAMSAN.CO.KR,
> a domain that still has no MX record, yet has A record pointing to the same
> box, so [EMAIL PROTECTED] does work and actually sends mail to the same box --
> this is why it is running SMTP server.
>
>   This kind of configuration means that its sysadmin (most likely Gwansick Kim)
> is too stupid to be of any help to you or anyone else but people who used his
> wingate proxy to hide their IP address, or possibly spammers who can use his
> SMTP server as a relay.
>
> > Anyone with suggestions or comments? I still don't know how this guy
> > first accessed our system. We have strict account administration. Where can
> > I find more about Linux security? Thanks in advance.
>
>   First, if you use Red Hat you should look at security updates at the "Errata"
> section at Red Hat site. Second, you need to study Unix security and system
> administration, however I can't recommend any particular book on it. Third, it
> is always a good idea to subscribe to security mailing lists -- in case of
> Linux it will be [EMAIL PROTECTED] (Linux-specific) and
> [EMAIL PROTECTED] (general, more informative).
>
>  Also see archives at http://www2.merton.ox.ac.uk/~security/
>
> --
> Alex
>
> ----------------------------------------------------------------------
>  Excellent.. now give users the option to cut your hair you hippie!
>                                                   -- Anonymous Coward
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-net" in
> the body of a message to [EMAIL PROTECTED]
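The reply's reasoning about where mail for samsan.com and samsan.co.kr ends up, and why the reverse lookup of 210.114.231.130 fails, rests on two DNS rules: an SMTP client delivers to the MX hosts if any exist and otherwise falls back to the domain's A record, and a PTR record only "resolves back" if the name it returns has an A record containing the original address. The following script is an added example, not code from the original thread; it applies both rules to a constructed record set (the `.test` names and 192.0.2.x addresses are made up and are not the hosts discussed above).

```python
"""Where does mail for a domain go, and does an address reverse-resolve?

Added example, not part of the original thread. The record set is constructed
to mirror the shapes described in the reply: a domain with NS records but no MX
or A, a domain with an A record but no MX, and a correctly configured domain.
"""
from dataclasses import dataclass, field


@dataclass
class Zone:
    mx: list = field(default_factory=list)  # (preference, host) pairs
    a: list = field(default_factory=list)   # IPv4 addresses
    ns: list = field(default_factory=list)  # nameserver hostnames


# Constructed forward records (hypothetical names and addresses).
RECORDS = {
    # NS records only: mail to this domain is undeliverable.
    "example-a.test": Zone(ns=["ns.example-a.test", "ns2.provider.test"]),
    # A record, no MX: mail falls back to the A record host itself.
    "example-b.test": Zone(a=["192.0.2.10"], ns=["ns.example-a.test"]),
    # Proper MX records, listed out of preference order on purpose.
    "example-c.test": Zone(
        mx=[(20, "mx2.example-c.test"), (10, "mx1.example-c.test")],
        a=["192.0.2.20"],
    ),
    "mx1.example-c.test": Zone(a=["192.0.2.20"]),
}

# Constructed reverse (PTR) records. 192.0.2.10 points at a name that has no
# A record, which is the "reverse DNS is broken" situation in the reply.
PTR = {
    "192.0.2.20": "mx1.example-c.test",
    "192.0.2.10": "ns.example-a.test",
}


def mail_targets(domain, records=RECORDS):
    """Return the hosts an SMTP client would try, in preference order.

    An empty list means mail to that domain cannot be delivered at all.
    """
    zone = records.get(domain)
    if zone is None:
        return []
    if zone.mx:
        return [host for _, host in sorted(zone.mx)]
    # Implicit MX rule: with no MX records the domain's own A record is used.
    return [domain] if zone.a else []


def reverse_matches(ip, records=RECORDS, ptr=PTR):
    """Forward-confirmed reverse DNS: ip -> PTR name -> A record containing ip.

    Returns the PTR name when the round trip succeeds, otherwise None (missing
    PTR, or a PTR naming a host whose A record does not include the address).
    """
    name = ptr.get(ip)
    if name is None:
        return None
    zone = records.get(name)
    return name if zone is not None and ip in zone.a else None


if __name__ == "__main__":
    for d in ("example-a.test", "example-b.test", "example-c.test"):
        print(d, "->", mail_targets(d) or "undeliverable")
    for ip in ("192.0.2.20", "192.0.2.10", "192.0.2.99"):
        print(ip, "reverse ok:", reverse_matches(ip))
```

The same two checks run against live DNS (with `dig MX`, `dig A` and `dig -x`) are the quickest way to confirm that a contact address in a whois record can actually receive mail before relying on it for an abuse report.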

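Shu's recovery step (replacing binaries with copies from a clean machine of the same RH 6.0 install) can at least be made systematic: hash every file under a reference tree from the clean box and compare the suspect box against that manifest. The script below is an added example, not from the original thread; it builds two small constructed directory trees in a temp directory so it runs offline. Note what it cannot see: files absent from the manifest, kernel-level changes, and sniffed passwords, which is exactly why the reply recommends reformatting rather than patching the box in place.

```python
"""Compare a suspect filesystem tree against a known-good hash manifest.

Added example, not part of the original thread. The sample trees are
constructed here purely for illustration.
"""
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map each path (relative to root) to the SHA-256 hex digest of its content."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            manifest[rel] = h.hexdigest()
    return manifest


def compare(reference, suspect):
    """Classify files as modified, missing from the suspect box, or unexpected.

    Only files in the reference manifest can be judged 'modified'; anything
    the reference never knew about is merely 'unexpected'.
    """
    return {
        "modified": sorted(p for p in reference
                           if p in suspect and reference[p] != suspect[p]),
        "missing": sorted(p for p in reference if p not in suspect),
        "unexpected": sorted(p for p in suspect if p not in reference),
    }


def build_demo():
    """Constructed sample: a clean tree and a suspect tree with one altered
    binary and one extra dotfile. Contents are placeholders, not real binaries."""
    base = tempfile.mkdtemp()
    clean = os.path.join(base, "clean")
    suspect = os.path.join(base, "suspect")
    for root in (clean, suspect):
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"ls-clean")
    with open(os.path.join(clean, "bin", "ps"), "wb") as f:
        f.write(b"ps-clean")
    with open(os.path.join(suspect, "bin", "ps"), "wb") as f:
        f.write(b"ps-altered")
    with open(os.path.join(suspect, "bin", ".hidden"), "wb") as f:
        f.write(b"extra")
    return clean, suspect


def demo():
    """Run the comparison on the constructed trees and return the report."""
    clean, suspect = build_demo()
    return compare(hash_tree(clean), hash_tree(suspect))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

On a real Red Hat system the packaged equivalent is `rpm -Va`, which verifies installed files against the RPM database; its output is only trustworthy if `rpm` and the database themselves are verified from clean media first.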