Date: Tue, 11 May 1999 16:10:59 -0700
From: Jay Doscher <JDoscher@vid-h2o.org>
To: 'Jim Cassata' <jim@web-ex.com>
Cc: "'freebsd-security@FreeBSD.ORG'" <freebsd-security@FreeBSD.ORG>
Subject: RE: new type of attack?
Message-ID: <D118E1C03C10D211BF6A00805FFE496214D3D8@VIDNT2>
I experienced this kind of attack on a Redhat Linux 5.1 machine that had not been patched. My experience was that the attacker was using a set of tools such as cracker.pl and queso (a port redirector) in a script that scanned a subnet for Slackware or Redhat machines that were unpatched against the mountd exploit. The script runs and, when it finds a machine whose IP stack matches one of these OSes, it attempts to run the mountd exploit; after it does, it proceeds to root the machine and run cracker.pl against all the other accounts.

I received several complaints of scans and probes from this box against other sysadmins. I traced the IP back to an ISP who, when notified, found one of his routers had been compromised and was propagating a spoofed IP (or running NAT, I dunno) without his knowledge. The script seems to exploit a machine, then use that machine as a springboard to launch further attacks.

I know this isn't a BSD issue, but I think it would explain the probes.

Jay

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Jim Cassata
Sent: Tuesday, May 11, 1999 3:58 PM
To: freebsd-security@FreeBSD.ORG
Subject: new type of attack?

I just received this....

> We have been tracking a long series of subtle network probes that
> use TCP packets constructed with ACK and RST bits set. This bit
> combination allows these packets to pass through common packet filters.
> The attackers have breached many systems around the net, focusing on
> Linux and FreeBSD systems. These breached systems are used to either
> receive directly or through packet sniffing the responses from forged
> packets sent by the attackers. On Sunday (5-9-99), we collected some
> probe packets from address 209.54.43.133. This host is called
> sex.fiend.cx and appears to be part of your network. There is a strong
> possibility that this host or one very near it has been breached and is
> being used to collect data probed from other networks.
>
> Our logs go back over a month and this is the first time this particular
> host has been seen on our network. The attackers seem to be able to move
> on to new systems very quickly as there are apparently plenty of
> vulnerable systems to breach. Our mail server was breached back in
> December and was used for similar activities for 2 days. The attackers
> created 2 accounts, udp and reboot. The udp account had root privs and
> no password.
>
> The time of the probe was 14:05 CDT

Has anyone seen this kind of thing?

Jim Cassata
516.421.6000
jim@web-ex.com
Web Express
20 Broadhollow Road Suite 3011
Melville, NY 11747

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
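The forwarded report says probes built with both ACK and RST set "pass through common packet filters". The packet filters of the day were typically stateless, and their "established" rule simply passed any inbound segment that had the ACK bit set, so an ACK+RST probe qualified. The following is an added example for this archive page, not code from Jay, Jim or the original reporter: it decodes constructed TCP headers, shows the stateless rule accepting the probe, and shows a minimal connection-tracking filter rejecting it because no matching connection exists. All addresses, ports and header bytes are constructed (RFC 5737 documentation ranges); the `StatefulFilter` class and its verdict strings are this example's own assumptions, not any real firewall's API.

```python
import struct

# TCP control flag bits as laid out in the low six bits of header bytes 12-13 (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}


def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0):
    """Build a minimal 20-byte TCP header for constructed test traffic.
    Data offset is 5 words (no options); window, checksum and urgent pointer
    hold placeholder values because nothing here goes on the wire."""
    offset_and_flags = (5 << 12) | (flags & 0x3F)
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       offset_and_flags, 65535, 0, 0)


def parse_tcp_header(raw):
    """Decode the fixed 20-byte part of a TCP header from raw bytes."""
    src_port, dst_port, seq, ack, offset_and_flags, _win, _csum, _urg = \
        struct.unpack("!HHIIHHHH", raw[:20])
    return {"src_port": src_port, "dst_port": dst_port, "seq": seq,
            "ack": ack, "flags": offset_and_flags & 0x3F}


def flag_string(flags):
    """Human-readable flag list, lowest bit first (e.g. 0x14 -> 'RST|ACK')."""
    names = [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit]
    return "|".join(names) or "none"


def stateless_established_allows(flags):
    """The classic stateless 'established' rule: any segment with ACK set is
    assumed to belong to an existing connection and is passed. A probe with
    ACK and RST both set satisfies this test, which is the gap the report
    describes."""
    return bool(flags & ACK)


class StatefulFilter:
    """Minimal connection-tracking filter (constructed for this example).
    Inbound segments are accepted only when their 4-tuple matches a
    connection the protected host opened, or when they are a bare SYN to an
    allowed service port."""

    def __init__(self, allowed_ports):
        self.allowed_ports = set(allowed_ports)
        # keys are (remote_ip, remote_port, local_ip, local_port), i.e. in the
        # order an inbound segment presents them
        self.connections = set()

    def outbound(self, local_ip, local_port, remote_ip, remote_port, flags):
        """Record a connection when the protected host sends an initial SYN."""
        if flags & SYN and not flags & ACK:
            self.connections.add((remote_ip, remote_port, local_ip, local_port))

    def inbound(self, remote_ip, remote_port, local_ip, local_port, flags):
        """Return a verdict string for an inbound segment."""
        key = (remote_ip, remote_port, local_ip, local_port)
        if key in self.connections:
            return "accept:established"
        if flags == SYN and local_port in self.allowed_ports:
            self.connections.add(key)
            return "accept:new-connection"
        if flags & ACK and flags & RST:
            # unsolicited ACK+RST with no connection state: log it as a probe
            return "drop:ack-rst-probe"
        return "drop:no-state"


def run_demo():
    """Compare both filters on constructed traffic (documentation-range
    addresses; nothing here is taken from the thread)."""
    local, remote = "10.0.0.5", "198.51.100.7"
    fw = StatefulFilter(allowed_ports={80})
    results = []

    # 1. Probe: unsolicited segment with ACK and RST set, aimed at port 22
    probe = parse_tcp_header(build_tcp_header(40000, 22, ACK | RST))
    results.append({
        "flags": flag_string(probe["flags"]),
        "stateless": stateless_established_allows(probe["flags"]),
        "stateful": fw.inbound(remote, 40000, local, 22, probe["flags"]),
    })

    # 2. Legitimate reply: the host opened a connection to remote port 80 first
    fw.outbound(local, 50000, remote, 80, SYN)
    reply = parse_tcp_header(build_tcp_header(80, 50000, SYN | ACK, seq=1, ack=1))
    results.append({
        "flags": flag_string(reply["flags"]),
        "stateless": stateless_established_allows(reply["flags"]),
        "stateful": fw.inbound(remote, 80, local, 50000, reply["flags"]),
    })
    return results


if __name__ == "__main__":
    for r in run_demo():
        print(r)
```

Both filters pass the genuine SYN|ACK reply, but only the stateful one drops the ACK|RST segment, and it does so because the segment has no connection to belong to rather than because of its flag pattern. That is the same reasoning a modern stateful firewall applies, and the `drop:ack-rst-probe` verdict is the point at which a defender would want such segments logged.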
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?D118E1C03C10D211BF6A00805FFE496214D3D8>