Date: Wed, 04 Apr 2001 12:03:39 +1200
From: David Preece <davep@afterswish.com>
To: freebsd-questions@freebsd.org
Subject: Hacked?
Message-ID: <5.0.2.1.1.20010404120017.02239310@pop3.paradise.net.nz>
Hi,

This is a copy of something I just posted to usenet (nz.comp). In a nutshell it is to do with how I think my FreeBSD machine has just been compromised and what they're doing with it. Could someone who knows about network security please comment on all this? Very much looking forward to finding a sensible explanation.

Dave :(

--------------------------------------------------------

Subject: Storm brewing on cable modem network.

Having got used to the 'incoming' light on my cable modem being bombarded with broadcast traffic, I was less than impressed to see the 'outgoing' light joining in the fun this morning. Now, I've had a FreeBSD machine permanently on acting as a firewall and address translator. Despite inetd being turned off and very VERY few daemons running...

bash-2.03# ps ax
  PID  TT  STAT      TIME COMMAND
    0  ??  DLs    0:00.01  (swapper)
    1  ??  SLs    0:00.04 /sbin/init --
    2  ??  DL     0:00.73  (pagedaemon)
    3  ??  DL     0:00.00  (vmdaemon)
    4  ??  DL     0:00.03  (bufdaemon)
    5  ??  DL     0:00.76  (syncer)
   27  ??  Is     0:00.00 adjkerntz -i
   73  ??  Is     0:00.04 dhcpd ep1
   86  ??  Ss     0:38.12 /sbin/natd -n ep0
  103  ??  Is     0:00.44 syslogd
  168  d0  Ss     0:01.17 -bash (bash)
  250  d0  R+     0:00.00 ps ax

...I was never entirely convinced about the security of the thing so this was not a huge surprise, but very unwelcome none the less. So rather than swear and rebuild the thing, I tried having a look to see what's going on. Now, the root kit that is now no doubt installed will be hiding itself on ps, netstat, things like that. None the less, we can get some idea of the traffic:

bash-2.03# netstat -I ep0 -w 1
            input        (ep0)           output
   packets  errs      bytes    packets  errs      bytes colls
         9     0        788          1     0        110     0
        13     0       1884          9     0       1384     0
        12     0       1145          7     0        795     0
         9     0        861          6     0        681     0
         9     0       1263          4     0        519     0
        14     0       1836          9     0       1474     0
         8     0       1045          5     0        786     0
        14     0       1611          6     0        854     0
        12     0       1401          7     0       1097     0
        10     0       1741          5     0        897     0

Hmmmm. Game on.

Let's try and capture some of the packets using a copy of tcpdump brought over from a non-compromised machine:

bash-2.03# ./tcpdump -i ep0 > snarf.txt
Apr  4 11:58:12 firewall /kernel: ep0: promiscuous mode enabled
tcpdump: listening on ep0
^C
3704 packets received by filter
2765 packets dropped by kernel

This worries me. I didn't specify any filtering, and yet we're getting lots of packets dropped by the kernel. Can anyone comment on this? Looking at the contents of snarf.txt we see that......

11:58:16.312626
bash-2.03# cat snarf.txt | grep 203-79-83-91
11:58:12.420976 203-79-83-91.cable.paradise.net.nz.netbios-ns > 203.96.144.255.netbios-ns:
11:58:12.585980 203-79-83-91.cable.paradise.net.nz.41744 > 169.254.255.255.netbios-dgm:
11:58:12.586358 203-79-83-91.cable.paradise.net.nz.35599 > 169.254.255.255.netbios-ns:
11:58:13.062149 203-79-83-91.cable.paradise.net.nz.63085 > 172.20.31.255.netbios-ns:
11:58:13.107199 203-79-83-91.cable.paradise.net.nz.netbios-dgm > 203.96.144.255.netbios-dgm:
11:58:13.109694 203-79-83-91.cable.paradise.net.nz.netbios-ns > 203.96.144.255.netbios-ns:
11:58:13.339495 203-79-83-91.cable.paradise.net.nz.35599 > 169.254.255.255.netbios-ns:
[snip]

We certainly have a shitload of traffic emanating from my machine, and it looks like it is concerned with netbios naming??? Maybe this would imply it's my windows box that has been compromised and someone is running around the network on the private side?

bash-2.03# netstat -I ep1 -w 1
            input        (ep1)           output
   packets  errs      bytes    packets  errs      bytes colls
         0     0          0          0     0          0     0
         0     0          0          0     0          0     0
         0     0          0          1     0         42     0
         0     0          0          0     0          0     0
         0     0          0          0     0          0     0
         0     0          0          0     0          0     0
         0     0          0          0     0          0     0
         0     0          0          0     0          0     0
         0     0          0          0     0          0     0
         0     0          0          0     0          0     0
         0     0          0          0     0          0     0
         0     0          0          0     0          0     0

Nope. No traffic apart from what appears to be a TCP keepalive closing. The traffic also appears to be concerned with the broadcast on three subnets: 203.96.144.0/8, 169.254.0.0/16 and 172.20.31.0/8. The 172/24 is an RFC1918 address, and consequently should be unreachable.

In all likelihood the next hop router is telling me exactly this on a regular basis:

su-2.03# ./tcpdump -i ep0 icmp
tcpdump: listening on ep0
11:06:05.752512 fe7-3-2.bertha.paradise.net.nz > 203-79-83-91.cable.paradise.net.nz: icmp: host 172.20.31.255 unreachable
11:06:05.753408 203-79-83-91.cable.paradise.net.nz > 172.20.29.125: icmp: host 203-79-83-91.cable.paradise.net.nz unreachable
11:06:06.883719 fe7-3-2.bertha.paradise.net.nz > 203-79-83-91.cable.paradise.net.nz: icmp: host 172.20.31.255 unreachable
11:06:06.884636 203-79-83-91.cable.paradise.net.nz > 172.20.28.108: icmp: host 203-79-83-91.cable.paradise.net.nz unreachable
11:06:07.444762 203-79-83-91.cable.paradise.net.nz > cable.gateway.xtreme.net.nz: icmp: time exceeded in-transit
11:06:09.246656 fe7-3-2.bertha.paradise.net.nz > 203-79-83-91.cable.paradise.net.nz: icmp: host 172.20.31.255 unreachable
11:06:09.247535 203-79-83-91.cable.paradise.net.nz > 172.20.28.108: icmp: host 203-79-83-91.cable.paradise.net.nz unreachable
11:06:10.417682 fe7-3-2.bertha.paradise.net.nz > 203-79-83-91.cable.paradise.net.nz: icmp: host 172.20.31.255 unreachable
11:06:10.418578 203-79-83-91.cable.paradise.net.nz > 172.20.29.65: icmp: host 203-79-83-91.cable.paradise.net.nz unreachable
11:06:15.395695 203-79-83-91.cable.paradise.net.nz > rachel.paradise.net.nz: icmp: 203-79-83-91.cable.paradise.net.nz udp port 1235 unreachable
11:06:21.018483 fe7-3-2.bertha.paradise.net.nz > 203-79-83-91.cable.paradise.net.nz: icmp: host 172.20.31.255 unreachable
11:06:21.019393 203-79-83-91.cable.paradise.net.nz > 172.20.31.119: icmp: host 203-79-83-91.cable.paradise.net.nz unreachable

Yup, unreachable indeed. So what the fuck is going on???? Can anyone come up with a plausible reason why I might conclude the box hasn't been compromised? Does it look to you like it has just become part of a network that's running around cable networks, ADSL etc. looking for open SMB shares?

Because it appears to be working, if we take the 'grep' filter off the tcpdump output from the public interface, we get some nasty conclusions (data snarfed from an earlier session):

10:58:32.134037 203-79-83-110.cable.paradise.net.nz.netbios-ns > 203.79.83.255.netbios-ns:
    >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST TrnID=0x96F8 OpCode=0 NmFlags=0x11 Rcode=0 QueryCount=1 AnswerCount=0 AuthorityCount=0 AddressRecCount=0
    QuestionRecords: Name=ADMIN NameType=0x1C (Unknown) QuestionType=0x20 QuestionClass=0x1
    (ttl 128, id 62373)
10:58:32.160026 203-79-83-70.cable.paradise.net.nz.netbios-ns > 203.79.83.255.netbios-ns:
    >>> NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST TrnID=0x12 OpCode=5 NmFlags=0x11 Rcode=0 QueryCount=1 AnswerCount=0 AuthorityCount=0 AddressRecCount=1
    QuestionRecords: Name=COMS01 NameType=0x1E (Browser Server) QuestionType=0x20 QuestionClass=0x1
    ResourceRecords: Name=COMS01 NameType=0x1E (Browser Server) ResType=0x20 ResClass=0x0 TTL=407543597 (0x184a9f2d) ResourceLength=8123
    ResourceData=
    [000] 02 00 3C 00 00 00                                ..<...
    (ttl 128, id 9216)
10:58:32.178975 arp who-has fe7-3-2.bertha.paradise.net.nz tell 203-79-92-90.cable.paradise.net.nz
10:58:32.211216 202-0-33-223.cable.paradise.net.nz.netbios-ns > 202.0.33.255.netbios-ns:
    >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST TrnID=0x800F OpCode=0 NmFlags=0x11 Rcode=0 QueryCount=1 AnswerCount=0 AuthorityCount=0 AddressRecCount=0
    QuestionRecords: Name=MYPLACE NameType=0x1C (Unknown) QuestionType=0x20 QuestionClass=0x1
    (ttl 128, id 22)
10:58:32.212149 203-79-83-91.cable.paradise.net.nz.62262 > 202.0.33.255.netbios-ns:
    >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST TrnID=0x800F OpCode=0 NmFlags=0x11 Rcode=0 QueryCount=1 AnswerCount=0 AuthorityCount=0 AddressRecCount=0
    QuestionRecords: Name=MYPLACE NameType=0x1C (Unknown) QuestionType=0x20 QuestionClass=0x1
    (ttl 127, id 22)
10:58:32.237432 0:1:42:e3:2d:1 > 1:80:c2:0:0:0 802.1d ui/C
    >>> Unknown IPX Data: (47 bytes)
    [000] 00 00 00 00 00 80 00 00  01 42 E3 2D 0C 00 00 00  ........ .B.-....
    [010] 00 80 00 00 01 42 E3 2D  0C 80 0D 00 00 14 00 02  .....B.- ........
    [020] 00 0F 00 00 00 00 00 00  00 00 00 78 00 0C 00     ........ ...x...
    len=47
    0000 0000 0080 0000 0142 e32d 0c00 0000 0080 0000 0142 e32d 0c80 0d00 0014 0002 000f 0000 0000 0000 0000 0078 000c 00
10:58:32.538824 arp who-has 202-0-33-124.cable.paradise.net.nz tell fe7-3-5.bertha.paradise.net.nz
10:58:32.544176 snap 8:0:7:80:9b et1 65283.42.254 > 0.nis: nbp-lkup 6: "Room 6 Mac:At Ease@*"
10:58:32.551474 203-79-83-91.cable.paradise.net.nz.nim > rachel.paradise.net.nz.domain: 7912+ PTR? 190.144.96.203.in-addr.arpa. (45) (ttl 64, id 2012)
10:58:32.608610 rachel.paradise.net.nz.domain > 203-79-83-91.cable.paradise.net.nz.nim: 7912* 1/2/2 190.144.96.203.in-addr.arpa. (169) (ttl 63, id 61018)
10:58:32.615171 203-79-83-91.cable.paradise.net.nz.nimreg > rachel.paradise.net.nz.domain: 7913+ PTR? 91.83.79.203.in-addr.arpa. (43) (ttl 64, id 2014)
10:58:32.645253 rachel.paradise.net.nz.domain > 203-79-83-91.cable.paradise.net.nz.nimreg: 7913* 1/2/2 91.83.79.203.in-addr.arpa. (165) (ttl 63, id 61025)
10:58:32.650325 203-79-83-91.cable.paradise.net.nz.1060 > rachel.paradise.net.nz.domain: 7914+ PTR? 52.22.20.172.in-addr.arpa. (43) (ttl 64, id 2015)
10:58:32.666364 210.48.16.5.netbios-ns > 210.48.16.255.netbios-ns:
    >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST TrnID=0x812 OpCode=0 NmFlags=0x11 Rcode=0 QueryCount=1 AnswerCount=0 AuthorityCount=0 AddressRecCount=0
    QuestionRecords: Name=WORKGROUP NameType=0x1B (Domain Controller) QuestionType=0x20 QuestionClass=0x1
    (ttl 128, id 21776)
10:58:32.667406 203-79-83-91.cable.paradise.net.nz.netbios-ns > 210.48.16.255.netbios-ns:
    >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST TrnID=0x812 OpCode=0 NmFlags=0x11 Rcode=0 QueryCount=1 AnswerCount=0 AuthorityCount=0 AddressRecCount=0
    QuestionRecords: Name=WORKGROUP NameType=0x1B (Domain Controller) QuestionType=0x20 QuestionClass=0x1
    (ttl 127, id 21776)
10:58:32.760418 172.20.22.52.netbios-ns > 172.20.31.255.netbios-ns:
    >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST TrnID=0x888E OpCode=0 NmFlags=0x11 Rcode=0 QueryCount=1 AnswerCount=0 AuthorityCount=0 AddressRecCount=0
    QuestionRecords: Name=ASIA_NEWZEALAND NameType=0x00 (Workstation) QuestionType=0x20 QuestionClass=0x1
    (ttl 128, id 26756)
10:58:32.761488 203-79-83-91.cable.paradise.net.nz.42605 > 172.20.31.255.netbios-ns:
    >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST TrnID=0x888E OpCode=0 NmFlags=0x11 Rcode=0 QueryCount=1 AnswerCount=0 AuthorityCount=0 AddressRecCount=0
    QuestionRecords: Name=ASIA_NEWZEALAND NameType=0x00 (Workstation) QuestionType=0x20 QuestionClass=0x1
    (ttl 127, id 26756)
10:58:32.773345 192.168.0.1.1015 > 255.255.255.255.1015: udp 148 (ttl 128, id 64705)
10:58:32.775521 192.168.0.1.1015 > 255.255.255.255.1015: udp 148 (ttl 128, id 64961)
10:58:32.938233 202-0-33-223.cable.paradise.net.nz.netbios-ns > 202.0.33.255.netbios-ns:
    >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST TrnID=0x800F OpCode=0 NmFlags=0x11 Rcode=0 QueryCount=1 AnswerCount=0 AuthorityCount=0 AddressRecCount=0
    QuestionRecords: Name=MYPLACE NameType=0x1C (Unknown) QuestionType=0x20 QuestionClass=0x1
    (ttl 128, id 23)
10:58:32.939209 203-79-83-91.cable.paradise.net.nz.62262 > 202.0.33.255.netbios-ns:
    >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST TrnID=0x800F OpCode=0 NmFlags=0x11 Rcode=0 QueryCount=1 AnswerCount=0 AuthorityCount=0 AddressRecCount=0
    QuestionRecords: Name=MYPLACE NameType=0x1C (Unknown) QuestionType=0x20 QuestionClass=0x1
    (ttl 127, id 23)
^C10:58:33.021341
802 packets received by filter
51 packets dropped by kernel

su-2.03# ./tcpdump -i ep0
tcpdump: listening on ep0
10:59:28.909636 10.1.10.20.iad1 > 229.55.150.208.1345: udp 150 [ttl 1]
10:59:29.012908 arp who-has 202-0-33-20.cable.paradise.net.nz tell fe7-3-5.bertha.paradise.net.nz
10:59:29.123744 202-0-35-80.cable.paradise.net.nz.netbios-dgm > 202.0.35.255.netbios-dgm:
    >>> NBT UDP PACKET(138) Res=0x1102 ID=0x572 IP=202 (0xca).0 (0x0).35 (0x23).80 (0x50) Port=138 (0x8a) Length=160 (0xa0) Res2=0x0
    SourceName=JOY NameType=0x20 (Server) DestName=HO NameType=0x00 (Workstation)
    SMB PACKET: SMBunknown (REQUEST)
10:59:29.125059 203-79-83-91.cable.paradise.net.nz.netbios-dgm > 202.0.35.255.netbios-dgm:
    >>> NBT UDP PACKET(138) Res=0x1102 ID=0x572 IP=203 (0xcb).79 (0x4f).83 (0x53).91 (0x5b) Port=138 (0x8a) Length=160 (0xa0) Res2=0x0
    SourceName=JOY NameType=0x20 (Server) DestName=HO NameType=0x00 (Workstation)
    SMB PACKET: SMBmkdir (REPLY)
10:59:29.417119 gatekeeper.ffei.co.uk.851 > 203-96-144-245.cable.paradise.net.nz.domain: 794 ANY? cpi.group.co.nz. (33) (DF)
10:59:29.417324 gatekeeper.ffei.co.uk.851 > 203-96-144-245.cable.paradise.net.nz.domain: 8250 ANY? cpi.group.co.nz. (33) (DF)
10:59:29.539150 203-79-83-70.cable.paradise.net.nz.netbios-dgm > 203.79.83.255.netbios-dgm:
    >>> NBT UDP PACKET(138) Res=0x1102 ID=0x20 IP=203 (0xcb).79 (0x4f).83 (0x53).70 (0x46) Port=138 (0x8a) Length=163 (0xa3) Res2=0x0
    SourceName=COMPAQ NameType=0x20 (Server) DestName=CO NameType=0x00 (Workstation)
    SMB PACKET: SMBopen (REQUEST)
10:59:29.611417 202-0-33-223.cable.paradise.net.nz.netbios-dgm > 202.0.33.255.netbios-dgm:
    >>> NBT UDP PACKET(138) Res=0x1102 ID=0x8056 IP=202 (0xca).0 (0x0).33 (0x21).223 (0xdf) Port=138 (0x8a) Length=187 (0xbb) Res2=0x0
    SourceName=PIII-866 NameType=0x20 (Server) DestName=MY NameType=0x00 (Workstation)
    SMB PACKET: SMBunknown (REQUEST)
10:59:29.612527 203-79-83-91.cable.paradise.net.nz.netbios-dgm > 202.0.33.255.netbios-dgm:
    >>> NBT UDP PACKET(138) Res=0x1102 ID=0x8056 IP=203 (0xcb).79 (0x4f).83 (0x53).91 (0x5b) Port=138 (0x8a) Length=187 (0xbb) Res2=0x0
    SourceName=PIII-866 NameType=0x20 (Server) DestName=MY NameType=0x00 (Workstation)
    SMB PACKET: SMBopen (REQUEST)
10:59:29.617949 202-0-33-223.cable.paradise.net.nz.netbios-dgm > 202.0.33.255.netbios-dgm:
    >>> NBT UDP PACKET(138) Res=0x1102 ID=0x8059 IP=202 (0xca).0 (0x0).33 (0x21).223 (0xdf) Port=138 (0x8a) Length=187 (0xbb) Res2=0x0
    SourceName=PIII-866 NameType=0x20 (Server) DestName=MY NameType=0x00 (Workstation)
    SMB PACKET: SMBunknown (REQUEST)
10:59:29.618898 203-79-83-91.cable.paradise.net.nz.netbios-dgm > 202.0.33.255.netbios-dgm:
    >>> NBT UDP PACKET(138) Res=0x1102 ID=0x8059 IP=203 (0xcb).79 (0x4f).83 (0x53).91 (0x5b) Port=138 (0x8a) Length=187 (0xbb) Res2=0x0
    SourceName=PIII-866 NameType=0x20 (Server) DestName=MY NameType=0x00 (Workstation)
    SMB PACKET: SMBopen (REQUEST)
10:59:29.636510 202-0-33-223.cable.paradise.net.nz.netbios-dgm > 202.0.33.255.netbios-dgm:
    >>> NBT UDP PACKET(138) Res=0x1102 ID=0x805C IP=202 (0xca).0 (0x0).33 (0x21).223 (0xdf) Port=138 (0x8a) Length=187 (0xbb) Res2=0x0
    SourceName=PIII-866 NameType=0x20 (Server) DestName=MY NameType=0x00 (Workstation)
    SMB PACKET: SMBmkdir (REQUEST)
10:59:29.637506 203-79-83-91.cable.paradise.net.nz.netbios-dgm > 202.0.33.255.netbios-dgm:
    >>> NBT UDP PACKET(138) Res=0x1102 ID=0x805C IP=203 (0xcb).79 (0x4f).83 (0x53).91 (0x5b) Port=138 (0x8a) Length=187 (0xbb) Res2=0x0
    SourceName=PIII-866 NameType=0x20 (Server) DestName=MY NameType=0x00 (Workstation)
    SMB PACKET: SMBmkdir (REQUEST)

......Windows machines taking it up the arse (not that I can talk)? Who has "PIII-866" on the 202.0.33.0/16 subnet? I'm a bit concerned by the "SMBopen, SMBunknown, SMBopen, SMBunknown, SMBopen, SMBmkdir, SMBmkdir" sequence since it gives the appearance of a script trying some common usernames and passwords then finally getting in.

I've cc'd this to paradise support and some freebsd mailing lists. If anyone wants to further discuss this I'd be more than happy. I shan't blow away the box for a little while in case some network security types want to wander round in it and have a look at what's going on.

Like the subject says, there's a storm brewing on the cable modem network.
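The capture above repeatedly shows a datagram arriving from another cable subnet followed about a millisecond later by a copy sent from 203-79-83-91 to the same broadcast address, carrying the same IP id and a TTL one lower (128 then 127). That is the signature a forwarded (routed) datagram leaves in a capture: forwarding preserves the IP identification field and decrements the TTL, whereas a packet generated by a process on the box has no earlier inbound twin. The script below is an added example, not part of the original post and not a FreeBSD tool: it parses old-style tcpdump lines, pairs every packet sent from the firewall's own address with an inbound packet to the same destination that has the same id and a TTL one higher, and reports the remainder as locally originated. The sample lines are taken (abridged) from the post; the firewall hostname and the one-second pairing window are assumptions made here.

```python
"""Pair forwarded copies of packets with their inbound originals in tcpdump output.

Added example, not from the original post.  A datagram the kernel forwards keeps
its IP identification field and leaves with its TTL decremented by one; a
datagram generated by a local process has no earlier inbound twin.
"""
import re
import sys
from collections import defaultdict

# Old-style tcpdump line: "<time> <src.port> > <dst.port>: <detail> (ttl N, id M)".
# Lines without a ttl/id tail (arp, IPX, AppleTalk) are skipped; endpoints are
# assumed to end in a port or service name, as all matched lines in the post do.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<detail>.*)\(ttl (?P<ttl>\d+), id (?P<id>\d+)\)\s*$"
)

# The poster's box as it appears in the capture (assumption: the resolved name is stable).
FIREWALL = "203-79-83-91.cable.paradise.net.nz"

# Sample input taken from the post, with the long NBT decodes abridged.
SAMPLE_LINES = [
    "10:58:32.178975 arp who-has fe7-3-2.bertha.paradise.net.nz tell 203-79-92-90.cable.paradise.net.nz",
    "10:58:32.211216 202-0-33-223.cable.paradise.net.nz.netbios-ns > 202.0.33.255.netbios-ns: >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST TrnID=0x800F Name=MYPLACE (ttl 128, id 22)",
    "10:58:32.212149 203-79-83-91.cable.paradise.net.nz.62262 > 202.0.33.255.netbios-ns: >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST TrnID=0x800F Name=MYPLACE (ttl 127, id 22)",
    "10:58:32.551474 203-79-83-91.cable.paradise.net.nz.nim > rachel.paradise.net.nz.domain: 7912+ PTR? 190.144.96.203.in-addr.arpa. (45) (ttl 64, id 2012)",
    "10:58:32.666364 210.48.16.5.netbios-ns > 210.48.16.255.netbios-ns: >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST TrnID=0x812 Name=WORKGROUP (ttl 128, id 21776)",
    "10:58:32.667406 203-79-83-91.cable.paradise.net.nz.netbios-ns > 210.48.16.255.netbios-ns: >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST TrnID=0x812 Name=WORKGROUP (ttl 127, id 21776)",
    "10:58:32.773345 192.168.0.1.1015 > 255.255.255.255.1015: udp 148 (ttl 128, id 64705)",
]


def split_port(endpoint):
    """'host.port' -> ('host', 'port'); the port or service name is the last dotted field."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def seconds(ts):
    """'HH:MM:SS.ffffff' -> seconds since midnight as a float."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse(lines):
    """Yield one record per line that carries a ttl/id tail."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        src, sport = split_port(m["src"])
        dst, dport = split_port(m["dst"])
        yield {"t": seconds(m["ts"]), "src": src, "sport": sport, "dst": dst,
               "dport": dport, "ttl": int(m["ttl"]), "id": int(m["id"])}


def classify(lines, firewall=FIREWALL, window=1.0):
    """Split packets sent by the firewall into forwarded copies and local originals.

    Returns (forwarded, local).  forwarded holds tuples of
    (original_src, dst, id, original_ttl, forwarded_ttl, delay_seconds);
    local holds tuples of (dst, dport, id, ttl) for packets with no inbound twin.
    """
    inbound = defaultdict(list)   # (dst, id) -> packets seen from other hosts
    forwarded, local = [], []
    for p in parse(lines):
        if p["src"] != firewall:
            inbound[(p["dst"], p["id"])].append(p)
            continue
        twin = None
        for q in inbound[(p["dst"], p["id"])]:
            # A routed copy: same destination and id, TTL one lower, sent shortly after.
            if q["ttl"] == p["ttl"] + 1 and 0 <= p["t"] - q["t"] <= window:
                twin = q
                break
        if twin:
            forwarded.append((twin["src"], p["dst"], p["id"], twin["ttl"], p["ttl"],
                              round(p["t"] - twin["t"], 6)))
        else:
            local.append((p["dst"], p["dport"], p["id"], p["ttl"]))
    return forwarded, local


def report(lines):
    """Human-readable summary, one line per packet the firewall emitted."""
    forwarded, local = classify(lines)
    out = []
    for src, dst, pid, t0, t1, dt in forwarded:
        out.append(f"forwarded  id={pid:<6} {src} -> {dst}  ttl {t0}->{t1}  +{dt * 1000:.3f} ms")
    for dst, dport, pid, ttl in local:
        out.append(f"local      id={pid:<6} -> {dst}.{dport}  ttl {ttl}")
    return out


if __name__ == "__main__":
    # Pass a saved tcpdump output file as the first argument, or run on the sample.
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LINES
    print("\n".join(report(source)))
```

On the sample the two NetBIOS queries are reported as forwarded copies and the PTR lookup to rachel.paradise.net.nz (which has no inbound twin and the box's own TTL of 64) as locally originated. The locally originated set is the one to examine when asking whether a process on the host is generating traffic; the forwarded set points at the forwarding and NAT path rather than at a process.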