Well, darn it all, I _have_ been hacked...  I found a copy of netcat
(/usr/sbin/netcat), and that's been causing the heartaches...  I will
delete it now, & order a copy of RH6.2 today, I suppose.

I've been thinking of a complete re-install of a newer version, anyway...

Here's a question:  When doing a reinstall, I want to save my file-serving 
directories...  Is this hard to format & install everything but these
directories?
Fortunately, they are on different partitions, but since I have never done this
before, I could use some pointers.


> -----Original Message-----
> From: Nikki Cook [SMTP:[EMAIL PROTECTED]]
> Sent: Friday, April 07, 2000 5:54 PM
> To:   [EMAIL PROTECTED]
> Subject:      Re: Hacked?
> 
> Looks like a trin00 server is what's going on, Thomas. 
> 
> Check http://staff.washington.edu/dittrich/misc/trinoo.analysis for more
> information.
> 
> Communication ports typically are:
> 
> Attacker to Master(s):      27665/tcp
> Master to daemon(s):        27444/udp
> Daemon to Master(s):        31335/udp
> 
> As a quick workaround, you may want to block those ports until you
> investigate your machine thoroughly.
> 
> Nikki
> 
> At 03:16 PM 04/07/2000 , you wrote:
> >In a nutshell...  What the heck is going on here?!
> >
> >~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
> >tcdump from last night (tcdump -ippp0) - All machines on the internal net
> >turned OFF:
> >
> >21:40:21.010000 classifieds2000.com.http > ##MY.MACHINE##.62267: R 2140746213:2140746213(0) win 0 (DF)
> >21:40:21.010000 ##MY.MACHINE##.1774 > ns2.dns.rcn.net.domain: 11760+ (42)
> >21:40:21.360000 ns2.dns.rcn.net.domain > ##MY.MACHINE##.1774: 11760* 1/4/4 (246) (DF)
> >21:40:21.360000 ##MY.MACHINE##.1776 > ns2.dns.rcn.net.domain: 11761+ (42)
> >21:40:21.580000 ns2.dns.rcn.net.domain > ##MY.MACHINE##.1776: 11761 1/3/3 (221) (DF)
> >
> >21:48:17.940000 165.113.216.6.52501 > ##MY.MACHINE##.27444: udp 11 (DF)
> >21:48:17.940000 ##MY.MACHINE##.1777 > 165.113.216.6.31335: udp 4
> >21:48:17.940000 ##MY.MACHINE##.1778 > ns2.dns.rcn.net.domain: 11762+ (44)
> >21:48:18.260000 ns2.dns.rcn.net.domain > ##MY.MACHINE##.1778: 11762 NXDomain* 0/1/0 (112) (DF)
> >21:51:12.230000 165.113.216.6.52502 > ##MY.MACHINE##.27444: udp 11 (DF)
> >21:51:12.230000 ##MY.MACHINE##.1779 > 165.113.216.6.31335: udp 4
> >
> >21:51:59.340000 165.113.216.6.52504 > ##MY.MACHINE##.27444: udp 16 (DF)
> >21:52:04.660000 165.113.216.6.52505 > ##MY.MACHINE##.27444: udp 25 (DF)
> >
> >22:11:36.720000 165.113.216.6.52507 > ##MY.MACHINE##.27444: udp 15 (DF)
> >
> >22:11:43.980000 165.113.216.6.52508 > ##MY.MACHINE##.27444: udp 15 (DF)
> >
> >22:16:51.040000 165.113.216.6.52509 > ##MY.MACHINE##.27444: udp 11 (DF)
> >22:18:58.030000 165.113.216.6.52510 > ##MY.MACHINE##.27444: udp 11 (DF)
> >
> >22:22:46.060000 165.113.216.6.52511 > ##MY.MACHINE##.27444: udp 11 (DF)
> >22:22:58.270000 165.113.216.6.52514 > ##MY.MACHINE##.27444: udp 25 (DF)
> >22:26:30.900000 165.113.216.6.52515 > ##MY.MACHINE##.27444: udp 11 (DF)
> >
> >22:28:17.000000 ##MY.MACHINE##.1780 > 165.113.216.6.31335: udp 4
> >22:28:17.000000 ##MY.MACHINE##.1781 > 165.113.216.6.31335: udp 4
> >22:28:17.000000 ##MY.MACHINE##.1782 > 165.113.216.6.31335: udp 4
> >
> >22:31:38.000000 ##MY.MACHINE##.1783 > 165.113.216.6.31335: udp 4
> >
> >23:03:51.930000 165.113.216.6.52517 > ##MY.MACHINE##.27444: udp 11 (DF)
> >23:03:51.930000 ##MY.MACHINE##.1784 > 165.113.216.6.31335: udp 4
> >23:03:53.940000 165.113.216.6.52518 > ##MY.MACHINE##.27444: udp 11 (DF)
> >23:03:57.010000 165.113.216.6.52519 > ##MY.MACHINE##.27444: udp 15 (DF)
> >23:04:45.040000 165.113.216.6.52520 > ##MY.MACHINE##.27444: udp 61 (DF)
> >
> >23:21:04.330000 165.113.216.6.52521 > ##MY.MACHINE##.27444: udp 11 (DF)
> >23:21:07.210000 165.113.216.6.52522 > ##MY.MACHINE##.27444: udp 15 (DF)
> >23:21:07.870000 165.113.216.6.52523 > ##MY.MACHINE##.27444: udp 23 (DF)
> >
> >23:30:01.190000 165.113.216.6.52524 > ##MY.MACHINE##.27444: udp 11 (DF)
> >23:30:01.190000 ##MY.MACHINE##.1785 > 165.113.216.6.31335: udp 4
> >23:30:08.820000 165.113.216.6.52526 > ##MY.MACHINE##.27444: udp 15 (DF)
> >
> >23:45:08.290000 165.113.216.6.52530 > ##MY.MACHINE##.27444: udp 15 (DF)
> >
> >01:06:04.860000 165.113.216.6.52537 > ##MY.MACHINE##.27444: udp 11 (DF)
> >01:06:07.430000 165.113.216.6.52538 > ##MY.MACHINE##.27444: udp 16 (DF)
> >01:06:09.950000 165.113.216.6.52539 > ##MY.MACHINE##.27444: udp 26 (DF)
> >
> >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
> >Related parts of my logs:
> >
> >Apr  6 21:52:05 tomii-gate kernel: IP fw-out deny ppp0 TCP 193.26.175.63:34277 209.67.45.225:13009 L=40 S=0x08 I=54333 F=0x0000 T=255
> >Apr  6 21:52:05 tomii-gate kernel: IP fw-out deny ppp0 TCP 152.227.250.6:34533 209.67.45.225:50856 L=40 S=0x08 I=54589 F=0x0000 T=255
> >Apr  6 21:52:05 tomii-gate kernel: IP fw-out deny ppp0 TCP 212.138.249.60:34789 209.67.45.225:552 L=40 S=0x08 I=54845 F=0x0000 T=255
> >.
> >.
> >.
> >Apr  6 22:07:55 tomii-gate kernel: IP fw-out deny ppp0 TCP 46.7.71.7:50521 209.67.45.225:17926 L=40 S=0x08 I=5298 F=0x0000 T=255
> >Apr  6 22:07:55 tomii-gate kernel: IP fw-out deny ppp0 TCP 72.28.202.58:50777 209.67.45.225:45 fw-out deny ppp0 TCP 215.165.249.95:48932 209.67.45.225:52711 L=40 S=0x08 I=3709 F=0x0000 T=255
> >.
> >.
> >.
> >Apr  6 22:31:44 tomii-gate kernel: IP fw-out deny ppp0 TCP 91.86.116.82:19139 154.11.89.164:3888 L=40 S=0x08 I=46375 F=0x0000 T=255
> >Apr  6 22:31:45 tomii-gate kernel: IP fw-out deny ppp0 TCP 230.7.181.106:19395 154.11.89.164:23482 L=40 S=0x08 I=46631 F=0x0000 T=255
> >.
> >.
> >.
> >Apr  6 23:04:45 tomii-gate kernel: IP fw-out deny ppp0 TCP 212.218.143.80:7264 62.236.92.186:11648 L=40 S=0x08 I=40912 F=0x0000 T=255
> >Apr  6 23:04:45 tomii-gate kernel: IP fw-out deny ppp0 TCP 21.210.177.114:36222 199.174.197.117:51372 L=40 S=0x08 I=1752 F=0x0000 T=255
> >.
> >.
> >.
> >Apr  6 23:14:51 tomii-gate kernel: IP fw-out deny ppp0 TCP 102.241.197.103:34790 129.116.18.120:17040 L=40 S=0x08 I=11762 F=0x0000 T=255
> >Apr  6 23:14:51 tomii-gate kernel: IP fw-out deny ppp0 TCP 224.155.34.51:172 62.236.92.186:46889 L=40 S=0x08 I=5203 F=0x0000 T=255
> >.
> >.
> >.
> >Apr  6 23:28:45 tomii-gate kernel: IP fw-out deny ppp0 TCP 150.169.177.45:19214 24.141.1.55:17985 L=40 S=0x08 I=46985 F=0x0000 T=255
> >Apr  6 23:28:45 tomii-gate kernel: IP fw-out deny ppp0 TCP 238.31.244.59:19470 24.141.1.55:7161 L=40 S=0x08 I=47241 F=0x0000 T=255
> >Apr  7 01:06:10 tomii-gate kernel: IP fw-out deny ppp0 TCP 35.128.116.121:49889 129.111.249.53:9837 L=40 S=0x08 I=12673 F=0x0000 T=255
> >Apr  7 01:06:10 tomii-gate kernel: IP fw-out deny ppp0 TCP 212.104.245.43:50145 129.111.249.53:16172 L=40 S=0x08 I=12929 F=0x0000 T=255
> >Apr  7 01:06:10 tomii-gate kernel: IP fw-out deny ppp0 TCP 195.16.60.120:50401 129.111.249.53:35045 L=40 S=0x08 I=13185 F=0x0000 T=255
> >.
> >.
> >.
> >Apr  7 01:22:57 tomii-gate kernel: IP fw-out deny ppp0 TCP 70.41.138.30:49428 129.111.249.53:39115 L=40 S=0x08 I=12468 F=0x0000 T=255
> >Apr  7 01:22:57 tomii-gate kernel: IP fw-out deny ppp0 TCP 139.222.87.115:49684 129.111.249.53:11940 L=40 S=0x08 I=12724 F=0x0000 T=255
> >
> >
> >
> >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
> >Traceroute output:
> >
> >[root@tomii-gate /root]# traceroute -ippp0 165.113.216.6
> >traceroute to 165.113.216.6 (165.113.216.6), 30 hops max, 40 byte packets
> > 1  as4.anp.md.rcn.net (10.65.34.14)  444.075 ms  549.621 ms  389.890 ms
> > 2  fe0-0-0.core1.anp.md.rcn.net (10.65.34.1)  239.821 ms  309.810 ms  399.957 ms
> > 3  poet0-0-1.core1.col.md.rcn.net (207.172.9.197)  299.799 ms  569.799 ms  419.907 ms
> > 4  poet6-0-0.core1.blb.md.rcn.net (207.172.19.170)  629.828 ms  309.800 ms  389.895 ms
> > 5  poet1-0-0.core1.blba.md.rcn.net (207.172.9.53)  659.849 ms  569.777 ms  379.830 ms
> > 6  poet4-0-1.core1.dcb.dc.rcn.net (207.172.9.49)  269.858 ms  poet5-1-0.core1.dcb.dc.rcn.net (207.172.19.178)  309.767 ms  poet4-1-0.core1.dcb.dc.rcn.net (207.172.19.218)  509.764 ms
> > 7  pos1-1-0.border1.tcob.va.rcn.net (207.172.19.249)  519.685 ms  579.809 ms  389.905 ms
> > 8  ge3-0-0.core1.tco.va.rcn.net (207.172.19.213)  389.821 ms  680.031 ms  669.662 ms
> > 9  fe1-1-0.border1.tco.va.rcn.net (207.172.9.230)  609.829 ms  569.745 ms  469.894 ms
> >10  mae-e-1.e0.crl.com (192.41.177.104)  569.879 ms  439.767 ms  640.375 ms
> >11  careerblazer.atm-e.us.crl.net (165.113.99.37)  649.369 ms  390.484 ms  659.205 ms
> >12  165.113.216.6 (165.113.216.6)  379.852 ms  649.748 ms *
> >
> >
> >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
> >My firewall script:
> >
> >ipfwadm -I -f
> >ipfwadm -I -p deny
> >ipfwadm -I -a accept -V 192.168.68.1 -S 192.168.0.0/16 -D 0.0.0.0/0
> >ipfwadm -I -a deny -V ##MY.MACHINE.IP.ADDR## -S 192.168.0.0/16 -D 0.0.0.0/0 -o
> >ipfwadm -I -a accept -V ##MY.MACHINE.IP.ADDR## -S 0.0.0.0/0 -D ##MY.MACHINE.IP.ADDR##/32
> >ipfwadm -I -a accept -V 127.0.0.1 -S 0.0.0.0/0 -D 0.0.0.0/0
> ># ??
> >ipfwadm -I -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 -o
> >
> >ipfwadm -O -f
> >ipfwadm -O -p deny
> >ipfwadm -O -a accept -V 192.168.68.1 -S 0.0.0.0/0 -D 192.168.0.0/16
> >ipfwadm -O -a deny -V ##MY.MACHINE.IP.ADDR## -S 0.0.0.0/0 -D 192.168.0.0/16 -o
> >ipfwadm -O -a deny -V ##MY.MACHINE.IP.ADDR## -S 192.168.0.0/16 -D 0.0.0.0/0 -o
> >ipfwadm -O -a deny -V ##MY.MACHINE.IP.ADDR## -S 0.0.0.0/0 -D 192.168.0.0/16 -o
> >ipfwadm -O -a accept -V ##MY.MACHINE.IP.ADDR## -S ##MY.MACHINE.IP.ADDR## -D 0.0.0.0/0
> >ipfwadm -O -a accept -V 127.0.0.1 -S 0.0.0.0/0 -D 0.0.0.0/0
> >ipfwadm -O -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 -o
> >
> >ipfwadm -F -f
> >ipfwadm -F -p deny
> >ipfwadm -F -a masquerade -W ppp0 -S 192.168.0.0/16 -D 0.0.0.0/0        
> >ipfwadm -F -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 -o
> >
> >#ipfwadm -F -p deny
> >#ipfwadm -F -a m -S 192.168.68.0/24 -D 0.0.0.0/0
> >
> >
> >-- 
> >To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
> >as the Subject.
> >
> 
> 
> Nikki
> 
> 


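Nikki's reply lists the trinoo control ports. As an added example (not code from this thread or from the trinoo analysis it links), here is a small Python detector that classifies tcpdump lines of the kind Thomas posted by those ports, counts the control traffic per channel and lists the hosts that look like masters and daemons. The sample capture is constructed in the thread's tcpdump format, keeping the ##MY.MACHINE## placeholder as in the post.

```python
import re
from collections import Counter

# trinoo control-channel ports as listed in the reply: (channel, master is the destination)
TRINOO_PORTS = {
    ("tcp", 27665): ("attacker -> master", True),
    ("udp", 27444): ("master -> daemon", False),
    ("udp", 31335): ("daemon -> master", True),
}

# tcpdump 3.x line shape used in the thread: "HH:MM:SS.ffffff src.port > dst.port: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<src>\S+)\.(?P<sport>[\w-]+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>[\w-]+):\s+(?P<rest>.*)$"
)

def classify(line):
    """Return (channel, master_host, other_host) for a trinoo control packet, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proto = "udp" if m.group("rest").startswith("udp") else "tcp"  # tcpdump prints "udp N" for UDP
    for port, flip in ((m.group("dport"), False), (m.group("sport"), True)):
        hit = TRINOO_PORTS.get((proto, int(port))) if port.isdigit() else None
        if hit:
            master_is_dst = hit[1] != flip  # matched on the source port: direction is reversed
            hosts = (m.group("dst"), m.group("src")) if master_is_dst else (m.group("src"), m.group("dst"))
            return (hit[0],) + hosts
    return None

def summarize(capture):
    """Count control packets per channel and collect suspected master and daemon hosts."""
    channels, masters, daemons = Counter(), set(), set()
    for line in capture.splitlines():
        hit = classify(line)
        if hit:
            channel, master, other = hit
            channels[channel] += 1
            masters.add(master)
            if channel != "attacker -> master":
                daemons.add(other)
    return channels, masters, daemons

# Constructed sample lines in the thread's tcpdump format (##MY.MACHINE## as in the post).
SAMPLE = """\
21:40:21.010000 ##MY.MACHINE##.1774 > ns2.dns.rcn.net.domain: 11760+ (42)
21:48:17.940000 165.113.216.6.52501 > ##MY.MACHINE##.27444: udp 11 (DF)
21:48:17.940000 ##MY.MACHINE##.1777 > 165.113.216.6.31335: udp 4
21:51:12.230000 165.113.216.6.52502 > ##MY.MACHINE##.27444: udp 11 (DF)
"""
```

Running `summarize(SAMPLE)` on the constructed capture reports the remote 165.113.216.6 as the only master and ##MY.MACHINE## as the daemon, which is the same reading Nikki gave of the original dump.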
