Re: BIND exploited ? -UPDATE

2002-01-07 Thread Michael Wood

On Sat, Jan 05, 2002 at 01:43:24AM -0500, Thedore Knab wrote:
[snip]
> Starting nmap V. 2.54BETA25 ( www.insecure.org/nmap/ )
> Interesting ports on dns1.mywork.edu :
> (The 1540 ports scanned but not shown below are in state: closed)
> Port       State       Service
> 21/tcp     open        ftp
> 23/tcp     open        telnet
[snip]

Do you really need telnet?  Can't you use ssh instead?

-- 
Michael Wood [EMAIL PROTECTED]


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]





RE: BIND exploited ? -UPDATE

2002-01-06 Thread Jeremy L. Gaddis

You dumbass.  Everybody knows you don't try to fix a compromised
machine.  You take it in stride, wipe the drives and start all
over from a clean install.

j.

--
Jeremy L. Gaddis [EMAIL PROTECTED]

-Original Message-
From: Ted Knab [mailto:[EMAIL PROTECTED]]On Behalf Of Thedore Knab
Sent: Saturday, January 05, 2002 1:43 AM
To: debian-isp@lists.debian.org
Subject: Re: BIND exploited ? -UPDATE


Thanks for your help.

This was not a debian box. Maybe the next one will be.

I think it was updated from an earlier version that was hacked.

I am under the assumption that this server was this way for over 1 year.

[ted@moe chkrootkit-0.34]$ cat /etc/redhat-release
Red Hat Linux release 6.2 (Zoot)

I just started this .edu sys admin job last week. It is fun. I am
finding all types of crazy stuff that would send most normal people to
the nut house. It is an adventure.

I don't think I will be able to rebuild this DNS for a few days. I have
some other projects that need to be rolled out for .edu political
reasons. It has been rooted for some time, so I have a lot of fixing to
do.

I told everyone that needs to be informed, but they just don't get the
gravity of the situation.

Since I won't be able to build another, I tried isolating the services.

It also seems more fun to try and fix the broken box.

I think I have most of the cracked services isolated.

Behind door number 1 - less services

A nmap scan from my laptop reveals:

Starting nmap V. 2.54BETA25 ( www.insecure.org/nmap/ )
Interesting ports on dns1.mywork.edu :
(The 1540 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
23/tcp     open        telnet
53/tcp     open        domain
113/tcp    open        auth

This is an improvement over what it looked like this morning:

See your advice helped... :-)

Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds

Starting nmap V. 2.54BETA25 ( www.insecure.org/nmap/ )
Interesting ports on dns1.mywork.edu :
(The 1533 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
23/tcp     open        telnet
53/tcp     open        domain
79/tcp     open        finger
98/tcp     open        linuxconf
111/tcp    open        sunrpc
113/tcp    open        auth
513/tcp    open        login
514/tcp    open        shell
943/tcp    open        unknown
1024/tcp   open        kdm


I found the startup location for the scripts.
The scripts were starting every reboot.

I guess the last time it started was:

[ted@moe chkrootkit-0.34]$ uptime
1:40am  up 154 days,  9:15,  1 user,  load average: 0.00, 0.00, 0.00

[root@moe /etc]# cat rc.d/rc.local
#!/bin/sh

# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

if [ -f /etc/redhat-release ]; then
R=$(cat /etc/redhat-release)

... cut

fi
###
#The Little Bastards Startup scripts #not very complicated
#/etc/.../bindshell 
#/etc/.../bnc 
#/etc/.../snif 
#/etc/.../lsh  31333 v0idzz

chkrootkit did not seem to find anything except a sniffer.
This may be because I did a chmod 0 on a bunch of the binaries I didn't
want starting ever again.

[root@moe chkrootkit-0.34]# ./chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not infected
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not infected
Checking `inetdconf'... not infected
Checking `identd'... not infected
Checking `killall'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not infected
Checking `rshd'... not infected
Checking `slogin'... not found
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `top'... not infected
Checking `telnetd'... not infected
Checking `timed'... not infected
Checking `traceroute'... not infected
Checking `write'... not infected
Checking `aliens'...
/dev/.v0id/ptyq /dev/ptyp /dev/ptypr

RE: BIND exploited ? -UPDATE

2002-01-06 Thread Martin WHEELER

On Sat, 5 Jan 2002, Jeremy L. Gaddis wrote:

> You dumbass.  Everybody knows you don't try to fix a compromised
> machine.  You take it in stride, wipe the drives and start all
> over from a clean install.

Would you mind terribly not airing your oh-so-superior views in public?
With such unbridled arrogance?  I'm sure I'm not the only one who finds
it offensive and not at all representative of the maturity of discussion
expected of this list.
The aim of a self-help list such as this is to help and educate -- not
to sneer and ridicule.

OH -- and would you also mind terribly NOT re-posting the complete
history of the current thread in your public e-mails?  It's a clear sign
of inability to either understand or use the medium properly.

Thank you.
-- 
Martin Wheeler [EMAIL PROTECTED] [gpg:1024D/01269BEB 2001-09-29]
   /debian/ msw [EMAIL PROTECTED] [gpg:1024D/8D6B948B 2001-07-04]






Re: BIND exploited ? -UPDATE

2002-01-06 Thread Joachim Wieland

On Sat, Jan 05, 2002 at 01:43:24AM -0500, Thedore Knab wrote:
> Starting nmap V. 2.54BETA25 ( www.insecure.org/nmap/ )
> Interesting ports on dns1.mywork.edu :
> (The 1540 ports scanned but not shown below are in state: closed)
   ^^

You seem to have only scanned your well-known ports?

Joachim
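
The port-count arithmetic behind the remark above, as an added example that is not part of the original thread. It retypes the two scan listings quoted in the thread into constructed sample files (column spacing restored) and reports how many TCP ports each run probed and which listeners disappeared between them; the function names are illustrative.

```shell
#!/bin/sh
# Added example: how much of the TCP port space the two scans covered,
# and which listeners went away between them. Function names are illustrative.

# scanned_ports FILE -> ports probed = "not shown" count + listed ports
scanned_ports() {
    awk '
        /ports scanned but not shown below/ { hidden = $2 }
        /^[0-9]+\/tcp/                      { shown++ }
        END                                 { print hidden + shown }
    ' "$1"
}

# open_ports FILE -> "port/proto service" for every open port, numeric order
open_ports() {
    awk '/^[0-9]+\/tcp/ && $2 == "open" { print $1, $3 }' "$1" | sort -n
}

# closed_since BEFORE AFTER -> ports open in BEFORE that are gone in AFTER
closed_since() {
    _b=$(mktemp) && _a=$(mktemp) || return 1
    open_ports "$1" > "$_b"
    open_ports "$2" > "$_a"
    grep -vxFf "$_a" "$_b"
    rm -f "$_a" "$_b"
}

# Constructed sample files: the two listings from the thread, retyped.
write_samples() {
    cat > "$1/before.txt" <<'EOF'
(The 1533 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
23/tcp     open        telnet
53/tcp     open        domain
79/tcp     open        finger
98/tcp     open        linuxconf
111/tcp    open        sunrpc
113/tcp    open        auth
513/tcp    open        login
514/tcp    open        shell
943/tcp    open        unknown
1024/tcp   open        kdm
EOF
    cat > "$1/after.txt" <<'EOF'
(The 1540 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
23/tcp     open        telnet
53/tcp     open        domain
113/tcp    open        auth
EOF
}

dir=$(mktemp -d) || exit 1
write_samples "$dir"
for f in before after; do
    echo "$f: $(scanned_ports "$dir/$f.txt") of 65535 TCP ports probed"
done
echo "no longer open after the cleanup:"
closed_since "$dir/before.txt" "$dir/after.txt"
rm -rf "$dir"
```

Both runs probed the same set of ports, so a listener outside that set would appear in neither listing; a full-range scan (`nmap -p 1-65535`) covers the rest.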






Re: BIND exploited ? -UPDATE #2

2002-01-06 Thread Thedore Knab

How does this sound?

The system has been rebuilt.

It is running BIND 9.2 chroot version on RH 7.2. Someone else built it.
I prefer Debian or OpenBSD. I will add tripwire and chkrootkit to run as
a cron job.

The hard drives will be saved for further investigation at a later date.

Since the hard drives have been modified in a hack effort to patch the
problem, I don't think it can be used as evidence.

Snort will also be installed on an OpenBSD box at the edge of the network
to monitor the administrative network, and on the administrative network.

-Ted






Re: BIND exploited ? -UPDATE

2002-01-05 Thread Thedore Knab

Thanks for your help.

This was not a debian box. Maybe the next one will be.

I think it was updated from an earlier version that was hacked.

I am under the assumption that this server was this way for over 1 year.

[ted@moe chkrootkit-0.34]$ cat /etc/redhat-release 
Red Hat Linux release 6.2 (Zoot)

I just started this .edu sys admin job last week. It is fun. I am
finding all types of crazy stuff that would send most normal people to
the nut house. It is an adventure.

I don't think I will be able to rebuild this DNS for a few days. I have
some other projects that need to be rolled out for .edu political
reasons. It has been rooted for some time, so I have a lot of fixing to
do.

I told everyone that needs to be informed, but they just don't get the
gravity of the situation.

Since I won't be able to build another, I tried isolating the services.

It also seems more fun to try and fix the broken box. 

I think I have most of the cracked services isolated.

Behind door number 1 - less services

A nmap scan from my laptop reveals:

Starting nmap V. 2.54BETA25 ( www.insecure.org/nmap/ )
Interesting ports on dns1.mywork.edu :
(The 1540 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
23/tcp     open        telnet
53/tcp     open        domain
113/tcp    open        auth

This is an improvement over what it looked like this morning:

See your advice helped... :-)

Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds

Starting nmap V. 2.54BETA25 ( www.insecure.org/nmap/ )
Interesting ports on dns1.mywork.edu :
(The 1533 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
23/tcp     open        telnet
53/tcp     open        domain
79/tcp     open        finger
98/tcp     open        linuxconf
111/tcp    open        sunrpc
113/tcp    open        auth
513/tcp    open        login
514/tcp    open        shell
943/tcp    open        unknown
1024/tcp   open        kdm


I found the startup location for the scripts.
The scripts were starting every reboot.

I guess the last time it started was:

[ted@moe chkrootkit-0.34]$ uptime
1:40am  up 154 days,  9:15,  1 user,  load average: 0.00, 0.00, 0.00

[root@moe /etc]# cat rc.d/rc.local
#!/bin/sh

# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

if [ -f /etc/redhat-release ]; then
R=$(cat /etc/redhat-release)

... cut

fi
###
#The Little Bastards Startup scripts #not very complicated
#/etc/.../bindshell 
#/etc/.../bnc 
#/etc/.../snif 
#/etc/.../lsh  31333 v0idzz

chkrootkit did not seem to find anything except a sniffer.
This may be because I did a chmod 0 on a bunch of the binaries I didn't
want starting ever again.

[root@moe chkrootkit-0.34]# ./chkrootkit 
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not infected
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not infected
Checking `inetdconf'... not infected
Checking `identd'... not infected
Checking `killall'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not infected
Checking `rshd'... not infected
Checking `slogin'... not found
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `top'... not infected
Checking `telnetd'... not infected
Checking `timed'... not infected
Checking `traceroute'... not infected
Checking `write'... not infected
Checking `aliens'... 
/dev/.v0id/ptyq /dev/ptyp /dev/ptypr
Searching for sniffer's logs, it may take a while... nothing found
Searching for t0rn's default files and dirs... nothing found
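
One way to re-check for the two artefacts visible in this message, the rc.local lines pointing into `/etc/.../` and the `/dev/.v0id` path in the chkrootkit output, as an added example that is not part of the original post. The function names and the sample tree are constructed for illustration; the sample rc.local reuses the lines quoted above plus one benign line.

```shell
#!/bin/sh
# Added example: flag startup-script lines and directories that use
# dot-named path components. Function names are illustrative.

# suspicious_startup_lines FILE
# Prints "LINENO:TEXT" for each line, commented out or not, in which a
# path component directly after a "/" starts with "." (other than the
# ordinary "." and ".." entries), e.g. /etc/.../bnc or /dev/.v0id/ptyq.
suspicious_startup_lines() {
    awk '
    {
        n = split($0, part, "/")
        for (i = 2; i <= n; i++) {          # part[1] precedes the first "/"
            comp = part[i]
            sub(/[ \t].*$/, "", comp)       # a component ends at whitespace
            if (comp ~ /^\./ && comp != "." && comp != "..") {
                printf "%d:%s\n", NR, $0
                next
            }
        }
    }' "$1"
}

# hidden_dirs ROOT
# Lists every directory below ROOT whose own name starts with ".".
hidden_dirs() {
    find "$1" -type d -name '.*' ! -path "$1" | sort
}

# Constructed sample tree modelled on the paths quoted in the message.
# Line 9 of the sample rc.local is a benign line added for contrast.
make_sample() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/etc/rc.d" "$root/etc/..." "$root/dev/.v0id"
    cat > "$root/etc/rc.d/rc.local" <<'EOF'
#!/bin/sh
if [ -f /etc/redhat-release ]; then
    R=$(cat /etc/redhat-release)
fi
#/etc/.../bindshell
#/etc/.../bnc
#/etc/.../snif
#/etc/.../lsh  31333 v0idzz
cd /usr/local/src && ./configure
EOF
    printf '%s\n' "$root"
}

sample=$(make_sample) || exit 1
echo "startup lines to review:"
suspicious_startup_lines "$sample/etc/rc.d/rc.local"
echo "dot-named directories:"
hidden_dirs "$sample"
rm -rf "$sample"
```

Run it against a copy of the disk mounted read-only on a known-clean machine, because `find` and `awk` on the suspect host may themselves have been replaced.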
