Date:      Wed, 04 Apr 2001 12:03:39 +1200
From:      David Preece <davep@afterswish.com>
To:        freebsd-questions@freebsd.org
Subject:   Hacked?
Message-ID:  <5.0.2.1.1.20010404120017.02239310@pop3.paradise.net.nz>

Hi,

This is a copy of something I just posted to usenet (nz.comp). In a 
nutshell it is to do with how I think my FreeBSD machine has just been 
compromised and what they're doing with it. Could someone who knows about 
network security please comment on all this?

Very much looking forward to finding a sensible explanation.

Dave :(

--------------------------------------------------------

Subject: Storm brewing on cable modem network.

Having got used to the 'incoming' light on my cable modem being
bombarded with broadcast traffic, I was less than impressed to see the
'outgoing' light joining in the fun this morning.

Now, I've had a FreeBSD machine permanently on acting as a firewall
and address translator. Despite inetd being turned off and very VERY
few daemons running...

bash-2.03# ps ax
   PID  TT  STAT      TIME COMMAND
     0  ??  DLs    0:00.01  (swapper)
     1  ??  SLs    0:00.04 /sbin/init --
     2  ??  DL     0:00.73  (pagedaemon)
     3  ??  DL     0:00.00  (vmdaemon)
     4  ??  DL     0:00.03  (bufdaemon)
     5  ??  DL     0:00.76  (syncer)
    27  ??  Is     0:00.00 adjkerntz -i
    73  ??  Is     0:00.04 dhcpd ep1
    86  ??  Ss     0:38.12 /sbin/natd -n ep0
   103  ??  Is     0:00.44 syslogd
   168  d0  Ss     0:01.17 -bash (bash)
   250  d0  R+     0:00.00 ps ax

...I was never entirely convinced about the security of the thing so
this was not a huge surprise, but very unwelcome nonetheless. So
rather than swear and rebuild the thing, I tried having a look to see
what's going on. Now, the root kit that is now no doubt installed will
be hiding itself on ps, netstat, things like that. Nonetheless, we
can get some idea of the traffic:

bash-2.03# netstat -I ep0 -w 1
             input          (ep0)           output
    packets  errs      bytes    packets  errs      bytes colls
          9     0        788          1     0        110     0
         13     0       1884          9     0       1384     0
         12     0       1145          7     0        795     0
          9     0        861          6     0        681     0
          9     0       1263          4     0        519     0
         14     0       1836          9     0       1474     0
          8     0       1045          5     0        786     0
         14     0       1611          6     0        854     0
         12     0       1401          7     0       1097     0
         10     0       1741          5     0        897     0

Hmmmm. Game on. Let's try and capture some of the packets using a copy
of tcpdump brought over from a non-compromised machine:

bash-2.03# ./tcpdump -i ep0 > snarf.txt
Apr  4 11:58:12 firewall /kernel: ep0: promiscuous mode enabled
tcpdump: listening on ep0
^C
3704 packets received by filter
2765 packets dropped by kernel

This worries me. I didn't specify any filtering, and yet we're getting
lots of packets dropped by the kernel. Can anyone comment on this?

Looking at the contents of snarf.txt we see that......

11:58:16.312626 bash-2.03# cat snarf.txt | grep 203-79-83-91
11:58:12.420976 203-79-83-91.cable.paradise.net.nz.netbios-ns >
203.96.144.255.netbios-ns:
11:58:12.585980 203-79-83-91.cable.paradise.net.nz.41744 >
169.254.255.255.netbios-dgm:
11:58:12.586358 203-79-83-91.cable.paradise.net.nz.35599 >
169.254.255.255.netbios-ns:
11:58:13.062149 203-79-83-91.cable.paradise.net.nz.63085 >
172.20.31.255.netbios-ns:
11:58:13.107199 203-79-83-91.cable.paradise.net.nz.netbios-dgm >
203.96.144.255.netbios-dgm:
11:58:13.109694 203-79-83-91.cable.paradise.net.nz.netbios-ns >
203.96.144.255.netbios-ns:
11:58:13.339495 203-79-83-91.cable.paradise.net.nz.35599 >
169.254.255.255.netbios-ns:
[snip]

We certainly have a shitload of traffic emanating from my machine, and
it looks like it is concerned with netbios naming??? Maybe this would
imply it's my windows box that has been compromised and someone is
running around the network on the private side?

bash-2.03# netstat -I ep1 -w 1
             input          (ep1)           output
    packets  errs      bytes    packets  errs      bytes colls
          0     0          0          0     0          0     0
          0     0          0          0     0          0     0
          0     0          0          1     0         42     0
          0     0          0          0     0          0     0
          0     0          0          0     0          0     0
          0     0          0          0     0          0     0
          0     0          0          0     0          0     0
          0     0          0          0     0          0     0
          0     0          0          0     0          0     0
          0     0          0          0     0          0     0
          0     0          0          0     0          0     0
          0     0          0          0     0          0     0

Nope. No traffic apart from what appears to be a TCP keepalive
closing. The traffic also appears to be concerned with the broadcast
on three subnets: 203.96.144.0/8, 169.254.0.0/16 and 172.20.31.0/8.
The 172/24 is an RFC1918 address, and consequently should be
unreachable. In all likelihood the next hop router is telling me
exactly this on a regular basis:

su-2.03# ./tcpdump -i ep0 icmp
tcpdump: listening on ep0
11:06:05.752512 fe7-3-2.bertha.paradise.net.nz >
203-79-83-91.cable.paradise.net.nz: icmp: host 172.20.31.255
unreachable
11:06:05.753408 203-79-83-91.cable.paradise.net.nz > 172.20.29.125:
icmp: host 203-79-83-91.cable.paradise.net.nz unreachable
11:06:06.883719 fe7-3-2.bertha.paradise.net.nz >
203-79-83-91.cable.paradise.net.nz: icmp: host 172.20.31.255
unreachable
11:06:06.884636 203-79-83-91.cable.paradise.net.nz > 172.20.28.108:
icmp: host 203-79-83-91.cable.paradise.net.nz unreachable
11:06:07.444762 203-79-83-91.cable.paradise.net.nz >
cable.gateway.xtreme.net.nz: icmp: time exceeded in-transit
11:06:09.246656 fe7-3-2.bertha.paradise.net.nz >
203-79-83-91.cable.paradise.net.nz: icmp: host 172.20.31.255
unreachable
11:06:09.247535 203-79-83-91.cable.paradise.net.nz > 172.20.28.108:
icmp: host 203-79-83-91.cable.paradise.net.nz unreachable
11:06:10.417682 fe7-3-2.bertha.paradise.net.nz >
203-79-83-91.cable.paradise.net.nz: icmp: host 172.20.31.255
unreachable
11:06:10.418578 203-79-83-91.cable.paradise.net.nz > 172.20.29.65:
icmp: host 203-79-83-91.cable.paradise.net.nz unreachable
11:06:15.395695 203-79-83-91.cable.paradise.net.nz >
rachel.paradise.net.nz: icmp: 203-79-83-91.cable.paradise.net.nz udp
port 1235 unreachable
11:06:21.018483 fe7-3-2.bertha.paradise.net.nz >
203-79-83-91.cable.paradise.net.nz: icmp: host 172.20.31.255
unreachable
11:06:21.019393 203-79-83-91.cable.paradise.net.nz > 172.20.31.119:
icmp: host 203-79-83-91.cable.paradise.net.nz unreachable



Yup, unreachable indeed. So what the fuck is going on???? Can anyone
come up with a plausible reason why I might conclude the box hasn't
been compromised? Does it look to you like it has just become part of
a network that's running around cable networks, ADSL etc. looking for
open SMB shares? Because it appears to be working, if we take the
'grep' filter off the tcpdump output from the public interface, we get
some nasty conclusions (data snarfed from an earlier session):




10:58:32.134037 203-79-83-110.cable.paradise.net.nz.netbios-ns >
203.79.83.255.netbios-ns:
 >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0x96F8
OpCode=0
NmFlags=0x11
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=ADMIN           NameType=0x1C (Unknown)
QuestionType=0x20
QuestionClass=0x1

  (ttl 128, id 62373)
10:58:32.160026 203-79-83-70.cable.paradise.net.nz.netbios-ns >
203.79.83.255.netbios-ns:
 >>> NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
TrnID=0x12
OpCode=5
NmFlags=0x11
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=1
QuestionRecords:
Name=COMS01          NameType=0x1E (Browser Server)
QuestionType=0x20
QuestionClass=0x1

ResourceRecords:
Name=COMS01          NameType=0x1E (Browser Server)
ResType=0x20
ResClass=0x0
TTL=407543597 (0x184a9f2d)
ResourceLength=8123
ResourceData=
[000] 02 00 3C 00 00 00                                 ..<...

  (ttl 128, id 9216)
10:58:32.178975 arp who-has fe7-3-2.bertha.paradise.net.nz tell
203-79-92-90.cable.paradise.net.nz
10:58:32.211216 202-0-33-223.cable.paradise.net.nz.netbios-ns >
202.0.33.255.netbios-ns:
 >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0x800F
OpCode=0
NmFlags=0x11
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=MYPLACE         NameType=0x1C (Unknown)
QuestionType=0x20
QuestionClass=0x1

  (ttl 128, id 22)
10:58:32.212149 203-79-83-91.cable.paradise.net.nz.62262 >
202.0.33.255.netbios-ns:
 >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0x800F
OpCode=0
NmFlags=0x11
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=MYPLACE         NameType=0x1C (Unknown)
QuestionType=0x20
QuestionClass=0x1

  (ttl 127, id 22)
10:58:32.237432 0:1:42:e3:2d:1 > 1:80:c2:0:0:0 802.1d ui/C
 >>> Unknown IPX Data: (47 bytes)
[000] 00 00 00 00 00 80 00 00  01 42 E3 2D 0C 00 00 00  ........
.B.-....
[010] 00 80 00 00 01 42 E3 2D  0C 80 0D 00 00 14 00 02  .....B.-
........
[020] 00 0F 00 00 00 00 00 00  00 00 00 78 00 0C 00     ........
...x...
  len=47
                          0000 0000 0080 0000 0142 e32d 0c00 0000
                          0080 0000 0142 e32d 0c80 0d00 0014 0002
                          000f 0000 0000 0000 0000 0078 000c 00
10:58:32.538824 arp who-has 202-0-33-124.cable.paradise.net.nz tell
fe7-3-5.bertha.paradise.net.nz
10:58:32.544176 snap 8:0:7:80:9b et1 65283.42.254 > 0.nis: nbp-lkup 6:
"Room 6 Mac:At Ease@*"
10:58:32.551474 203-79-83-91.cable.paradise.net.nz.nim >
rachel.paradise.net.nz.domain:  7912+ PTR?
190.144.96.203.in-addr.arpa. (45) (ttl 64, id 2012)
10:58:32.608610 rachel.paradise.net.nz.domain >
203-79-83-91.cable.paradise.net.nz.nim:  7912* 1/2/2
190.144.96.203.in-addr.arpa. (169) (ttl 63, id 61018)
10:58:32.615171 203-79-83-91.cable.paradise.net.nz.nimreg >
rachel.paradise.net.nz.domain:  7913+ PTR? 91.83.79.203.in-addr.arpa.
(43) (ttl 64, id 2014)
10:58:32.645253 rachel.paradise.net.nz.domain >
203-79-83-91.cable.paradise.net.nz.nimreg:  7913* 1/2/2
91.83.79.203.in-addr.arpa. (165) (ttl 63, id 61025)
10:58:32.650325 203-79-83-91.cable.paradise.net.nz.1060 >
rachel.paradise.net.nz.domain:  7914+ PTR? 52.22.20.172.in-addr.arpa.
(43) (ttl 64, id 2015)
10:58:32.666364 210.48.16.5.netbios-ns > 210.48.16.255.netbios-ns:
 >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0x812
OpCode=0
NmFlags=0x11
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=WORKGROUP       NameType=0x1B (Domain Controller)
QuestionType=0x20
QuestionClass=0x1

  (ttl 128, id 21776)
10:58:32.667406 203-79-83-91.cable.paradise.net.nz.netbios-ns >
210.48.16.255.netbios-ns:
 >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0x812
OpCode=0
NmFlags=0x11
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=WORKGROUP       NameType=0x1B (Domain Controller)
QuestionType=0x20
QuestionClass=0x1

  (ttl 127, id 21776)
10:58:32.760418 172.20.22.52.netbios-ns > 172.20.31.255.netbios-ns:
 >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0x888E
OpCode=0
NmFlags=0x11
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=ASIA_NEWZEALAND NameType=0x00 (Workstation)
QuestionType=0x20
QuestionClass=0x1

  (ttl 128, id 26756)
10:58:32.761488 203-79-83-91.cable.paradise.net.nz.42605 >
172.20.31.255.netbios-ns:
 >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0x888E
OpCode=0
NmFlags=0x11
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=ASIA_NEWZEALAND NameType=0x00 (Workstation)
QuestionType=0x20
QuestionClass=0x1

  (ttl 127, id 26756)
10:58:32.773345 192.168.0.1.1015 > 255.255.255.255.1015:  udp 148 (ttl
128, id 64705)
10:58:32.775521 192.168.0.1.1015 > 255.255.255.255.1015:  udp 148 (ttl
128, id 64961)
10:58:32.938233 202-0-33-223.cable.paradise.net.nz.netbios-ns >
202.0.33.255.netbios-ns:
 >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0x800F
OpCode=0
NmFlags=0x11
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=MYPLACE         NameType=0x1C (Unknown)
QuestionType=0x20
QuestionClass=0x1

  (ttl 128, id 23)
10:58:32.939209 203-79-83-91.cable.paradise.net.nz.62262 >
202.0.33.255.netbios-ns:
 >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0x800F
OpCode=0
NmFlags=0x11
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=MYPLACE         NameType=0x1C (Unknown)
QuestionType=0x20
QuestionClass=0x1

  (ttl 127, id 23)
^C10:58:33.021341
802 packets received by filter
51 packets dropped by kernel
su-2.03# ./tcpdump -i ep0
tcpdump: listening on ep0
10:59:28.909636 10.1.10.20.iad1 > 229.55.150.208.1345:  udp 150 [ttl
1]
10:59:29.012908 arp who-has 202-0-33-20.cable.paradise.net.nz tell
fe7-3-5.bertha.paradise.net.nz
10:59:29.123744 202-0-35-80.cable.paradise.net.nz.netbios-dgm >
202.0.35.255.netbios-dgm:
 >>> NBT UDP PACKET(138) Res=0x1102 ID=0x572 IP=202 (0xca).0 (0x0).35 
(0x23).80 (0x50) Port=138 (0x8a) Length=160 (0xa0) Res2=0x0
SourceName=JOY             NameType=0x20 (Server)
DestName=HO              NameType=0x00 (Workstation)

SMB PACKET: SMBunknown (REQUEST)


10:59:29.125059 203-79-83-91.cable.paradise.net.nz.netbios-dgm >
202.0.35.255.netbios-dgm:
 >>> NBT UDP PACKET(138) Res=0x1102 ID=0x572 IP=203 (0xcb).79 (0x4f).83 
(0x53).91 (0x5b) Port=138 (0x8a) Length=160 (0xa0) Res2=0x0
SourceName=JOY             NameType=0x20 (Server)
DestName=HO              NameType=0x00 (Workstation)

SMB PACKET: SMBmkdir (REPLY)


10:59:29.417119 gatekeeper.ffei.co.uk.851 >
203-96-144-245.cable.paradise.net.nz.domain:  794 ANY?
cpi.group.co.nz. (33) (DF)
10:59:29.417324 gatekeeper.ffei.co.uk.851 >
203-96-144-245.cable.paradise.net.nz.domain:  8250 ANY?
cpi.group.co.nz. (33) (DF)
10:59:29.539150 203-79-83-70.cable.paradise.net.nz.netbios-dgm >
203.79.83.255.netbios-dgm:
 >>> NBT UDP PACKET(138) Res=0x1102 ID=0x20 IP=203 (0xcb).79 (0x4f).83 
(0x53).70 (0x46) Port=138 (0x8a) Length=163 (0xa3) Res2=0x0
SourceName=COMPAQ          NameType=0x20 (Server)
DestName=CO              NameType=0x00 (Workstation)

SMB PACKET: SMBopen (REQUEST)


10:59:29.611417 202-0-33-223.cable.paradise.net.nz.netbios-dgm >
202.0.33.255.netbios-dgm:
 >>> NBT UDP PACKET(138) Res=0x1102 ID=0x8056 IP=202 (0xca).0 (0x0).33 
(0x21).223 (0xdf) Port=138 (0x8a) Length=187 (0xbb) Res2=0x0
SourceName=PIII-866        NameType=0x20 (Server)
DestName=MY              NameType=0x00 (Workstation)

SMB PACKET: SMBunknown (REQUEST)


10:59:29.612527 203-79-83-91.cable.paradise.net.nz.netbios-dgm >
202.0.33.255.netbios-dgm:
 >>> NBT UDP PACKET(138) Res=0x1102 ID=0x8056 IP=203 (0xcb).79 (0x4f).83 
(0x53).91 (0x5b) Port=138 (0x8a) Length=187 (0xbb) Res2=0x0
SourceName=PIII-866        NameType=0x20 (Server)
DestName=MY              NameType=0x00 (Workstation)

SMB PACKET: SMBopen (REQUEST)


10:59:29.617949 202-0-33-223.cable.paradise.net.nz.netbios-dgm >
202.0.33.255.netbios-dgm:
 >>> NBT UDP PACKET(138) Res=0x1102 ID=0x8059 IP=202 (0xca).0 (0x0).33 
(0x21).223 (0xdf) Port=138 (0x8a) Length=187 (0xbb) Res2=0x0
SourceName=PIII-866        NameType=0x20 (Server)
DestName=MY              NameType=0x00 (Workstation)

SMB PACKET: SMBunknown (REQUEST)


10:59:29.618898 203-79-83-91.cable.paradise.net.nz.netbios-dgm >
202.0.33.255.netbios-dgm:
 >>> NBT UDP PACKET(138) Res=0x1102 ID=0x8059 IP=203 (0xcb).79 (0x4f).83 
(0x53).91 (0x5b) Port=138 (0x8a) Length=187 (0xbb) Res2=0x0
SourceName=PIII-866        NameType=0x20 (Server)
DestName=MY              NameType=0x00 (Workstation)

SMB PACKET: SMBopen (REQUEST)


10:59:29.636510 202-0-33-223.cable.paradise.net.nz.netbios-dgm >
202.0.33.255.netbios-dgm:
 >>> NBT UDP PACKET(138) Res=0x1102 ID=0x805C IP=202 (0xca).0 (0x0).33 
(0x21).223 (0xdf) Port=138 (0x8a) Length=187 (0xbb) Res2=0x0
SourceName=PIII-866        NameType=0x20 (Server)
DestName=MY              NameType=0x00 (Workstation)

SMB PACKET: SMBmkdir (REQUEST)


10:59:29.637506 203-79-83-91.cable.paradise.net.nz.netbios-dgm >
202.0.33.255.netbios-dgm:
 >>> NBT UDP PACKET(138) Res=0x1102 ID=0x805C IP=203 (0xcb).79 (0x4f).83 
(0x53).91 (0x5b) Port=138 (0x8a) Length=187 (0xbb) Res2=0x0
SourceName=PIII-866        NameType=0x20 (Server)
DestName=MY              NameType=0x00 (Workstation)

SMB PACKET: SMBmkdir (REQUEST)


......Windows machines taking it up the arse (not that I can talk)?
Who has "PIII-866" on the 202.0.33.0/16 subnet? I'm a bit concerned by
the "SMBopen, SMBunknown, SMBopen,
SMBunknown,SMBopen,SMBmkdir,SMBmkdir" sequence since it gives the
appearance of a script trying some common usernames and passwords then
finally getting in.

I've cc'd this to paradise support and some freebsd mailing lists. If
anyone wants to further discuss this I'd be more than happy. I shan't
blow away the box for a little while in case some network security
types want to wander round in it and have a look at what's going on.
Like the subject says, there's a storm brewing on the cable modem
network.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
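An added worked example, not part of the original post or of any tool mentioned in it, for the analysis question the post raises: whether the NetBIOS packets leaving 203-79-83-91 were generated on the FreeBSD box or merely passed through it. The capture in the post has a useful property for deciding this: each NetBIOS query from a neighbour (ttl 128) is followed a millisecond later by a packet from 203-79-83-91 to the same broadcast address with the same IP id, the same NBT TrnID and ttl 127. A TTL that is exactly one lower with the IP id and payload unchanged is what a forwarded copy of a packet looks like, whereas a packet the box generates itself (such as the DNS PTR lookups with ttl 64 in the same capture) has no inbound twin. The script below parses tcpdump text in the format quoted in the post, pairs each outbound packet from the NAT address with a matching inbound packet, and labels it "forwarded" or "local". The sample records are copied from the post's capture with the mail-wrapped header lines rejoined and the NBT field lists shortened; the constant NAT_HOST and all function names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# The address the post's firewall appears under on ep0 (from the capture).
NAT_HOST = "203-79-83-91.cable.paradise.net.nz"

# Constructed sample: records from the post's capture, header lines rejoined
# onto one line, long NBT field lists shortened. Expects tcpdump's
# "(ttl N, id M)" annotation, which the post's dump shows.
SAMPLE = """\
10:58:32.551474 203-79-83-91.cable.paradise.net.nz.nim > rachel.paradise.net.nz.domain:  7912+ PTR? 190.144.96.203.in-addr.arpa. (45) (ttl 64, id 2012)
10:58:32.666364 210.48.16.5.netbios-ns > 210.48.16.255.netbios-ns:
 >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0x812
Name=WORKGROUP       NameType=0x1B (Domain Controller)
  (ttl 128, id 21776)
10:58:32.667406 203-79-83-91.cable.paradise.net.nz.netbios-ns > 210.48.16.255.netbios-ns:
 >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0x812
Name=WORKGROUP       NameType=0x1B (Domain Controller)
  (ttl 127, id 21776)
10:58:32.760418 172.20.22.52.netbios-ns > 172.20.31.255.netbios-ns:
 >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0x888E
  (ttl 128, id 26756)
10:58:32.761488 203-79-83-91.cable.paradise.net.nz.42605 > 172.20.31.255.netbios-ns:
 >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0x888E
  (ttl 127, id 26756)
"""

# A record starts with "HH:MM:SS.frac src > dst:"; ARP/IPX lines lack " > "
# and are simply kept as detail of the preceding record.
HEADER = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) (\S+) > (\S+?):(.*)$")
TTL_ID = re.compile(r"\(ttl (\d+), id (\d+)\)")
TRN_ID = re.compile(r"TrnID=(0x[0-9A-Fa-f]+)")


@dataclass
class Packet:
    time: str
    src_host: str
    src_port: str
    dst_host: str
    dst_port: str
    ttl: Optional[int] = None
    ip_id: Optional[int] = None
    trn_id: Optional[int] = None      # NBT transaction id, NetBIOS records only
    detail: List[str] = field(default_factory=list)


def split_hostport(endpoint: str):
    """tcpdump prints host.port; the port is the last dotted component."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def parse_tcpdump(text: str) -> List[Packet]:
    """One Packet per header line; ttl/id and TrnID are pulled from the
    header remainder plus the detail lines that follow it."""
    packets: List[Packet] = []
    current: Optional[Packet] = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            src_host, src_port = split_hostport(m.group(2))
            dst_host, dst_port = split_hostport(m.group(3))
            current = Packet(m.group(1), src_host, src_port, dst_host, dst_port,
                             detail=[m.group(4)])
            packets.append(current)
        elif current is not None:
            current.detail.append(line)
    for p in packets:
        blob = "\n".join(p.detail)
        if (m := TTL_ID.search(blob)):
            p.ttl, p.ip_id = int(m.group(1)), int(m.group(2))
        if (m := TRN_ID.search(blob)):
            p.trn_id = int(m.group(1), 16)
    return packets


def classify_outbound(packets: List[Packet], nat_host: str) -> List[dict]:
    """For each packet leaving nat_host, look back for an inbound packet to the
    same destination with the same IP id and TrnID and a TTL exactly one
    higher. A match means the outbound packet is a forwarded copy of it; no
    match means nat_host generated the packet itself."""
    verdicts = []
    for i, p in enumerate(packets):
        if p.src_host != nat_host:
            continue
        origin = None
        for q in packets[:i]:
            if (q.src_host != nat_host and q.dst_host == p.dst_host
                    and q.ip_id == p.ip_id and q.trn_id == p.trn_id
                    and q.ttl is not None and p.ttl is not None
                    and q.ttl - p.ttl == 1):
                origin = q
                break
        verdicts.append({"time": p.time, "dst": p.dst_host,
                         "verdict": "forwarded" if origin else "local",
                         "origin": origin.src_host if origin else None})
    return verdicts


def summarize(verdicts: List[dict]) -> dict:
    """Count forwarded vs locally generated outbound packets."""
    counts = {"forwarded": 0, "local": 0}
    for v in verdicts:
        counts[v["verdict"]] += 1
    return counts


if __name__ == "__main__":
    verdicts = classify_outbound(parse_tcpdump(SAMPLE), NAT_HOST)
    for v in verdicts:
        extra = f" (copy of packet from {v['origin']})" if v["origin"] else ""
        print(f"{v['time']} -> {v['dst']}: {v['verdict']}{extra}")
    print(summarize(verdicts))
```

Run against a full dump (`./tcpdump -i ep0 > snarf.txt` as in the post, then `parse_tcpdump(open("snarf.txt").read())`), a high forwarded count with near-zero local NetBIOS traffic points at the box relaying neighbours' broadcasts rather than originating them, which is worth establishing before reaching for the rebuild; a local verdict on NetBIOS traffic from the box, with no inbound twin, would be the finding that does warrant treating the host as compromised. The pairing deliberately ignores the source port, since a NAT rewrites it (netbios-ns became 42605 in the post's own capture).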



