Exodus: this is bad

Dalvenjah FoxFire dalvenjah at dal.net
Tue Nov 17 02:29:25 UTC 1998


On Mon, Nov 16, 1998 at 08:34:23PM -0500, Richard Irving put this into my mailbox:

> It looks worse Jared,
> 
>   This appears to be a concerted effort. This type of attack
> is propagating to new origin IP's by the hour. There seems to
> be a pattern forming....
> 
>   DNS server is compromised.  (Bind ? Autohack ?)
>   local programs set up to crack local passwords.
>   (Dumps results to FTP directory)
>   local program set up to port probe/attack other DNS's.
>   (Dumps results to FTP directory)
> 
>   Someone said Linux servers appear to be primary targets..
>   I suggest maybe Linux servers were more likely to have a vulnerable
>   configuration... Probers running locally (that I saw) did not *seem*
>   to discriminate. (Conjecture based on output of parasitic programs)

Based on what I have seen since roughly May 1998, I would guess that all
these nameservers are the victims of the old named-4.9.6 buffer overflow.
They then get compromised, trojaned, and get 'mscan' (available on rootshell)
installed.

Mscan then performs DNS walks (via AXFR) across entire domains, probing for
named vulnerabilities, imap vulnerabilities, sunrpc(statd) vulnerabilities,
and pop3 vulnerabilities. Chances are it's been upgraded to do more.
Essentially, all the person has to do is point mscan at some large
institution, net/com/edu, let it run for a few hours, come back, and
they will most likely have in their list of vulnerable servers 5 or 10
more servers that can be hacked in the same manner.

Solutions, to either prevent or at least delay people from hacking your
boxes (if they haven't been there for months already):

* Turn off public AXFR from your nameservers. bind 8 makes this very easy.

* KEEP YOUR SYSTEMS UP TO DATE. Make sure your customers are doing this too.
  Almost all of the systems compromised in this manner had RedHat or FreeBSD
  or Solaris installed, and then nobody installed patches. RPMs are easy to
  download and install for RedHat, and Solaris makes this almost as easy with
  patchadd.

* NEVER connect a new machine to the network unless it has been fully patched
  and tested. This is old sysadmin knowledge, but it seems to have been
  forgotten in this day and age of plug and play operating systems. I know
  of a researcher who installed Linux on his home machine (connected via ISDN),
  got hacked into and was completely plowed 3 days later. I am not
  exaggerating. If you are vulnerable, they will find you, and they will
  find you *before* you 'get a chance' to patch your boxes.

* If you see this message and run out to test your machine with ISS or
  somesuch because you haven't patched in a year, do not assume that you
  are safe simply because ISS says so. The folks who hack into boxes like
  this almost always patch the hole they used to get in. Look for hidden
  files, stuff in /dev that's not supposed to be there, etc - essentially
  anything suspicious.

At least once per day, sometimes more often, my machines are probed by
people using mscan, backorifice, NetBus, wingate scanners, and other
nefarious utilities. Would that I had the time to report them all -
unfortunately, I don't, and until I can come up with some intelligent
scripts to process the reports, my Incident Pile is growing. This is
a bad sign.

This is getting to be off topic, but I am not seeing anything new
here. These are the *same* old hacks, the *same* old probes, that have been
going on continuously for 6 months to a year now. You're just finding more
and more people stupid enough not to cover their tracks. (Or more sysadmins
wising up to the fact that their new PII-300 running linux isn't supposed to
take 5 minutes to come up with a shell prompt.)

Most importantly, if you find yourself hacked into, before you rm -rf the
drive, before you do anything other than unplug its ethernet, notify CERT
and your local law enforcement agency (FBI in the US). Even if they aren't
able to trace your specific cracker, it helps *very* much to have a paper
trail and to have Actual Law Enforcement Agents look at your case, just
on the off chance that it might turn into something large. Your local FBI
agent is very friendly, and is there to help you.

The other portion is communication. If your box has been hacked, and
you don't know what to do, ask for help. It is not a disgrace to get
hacked; even I've overlooked patches and gotten myself hacked a few
times. It happens. You clean up, reinstall, and life goes on.

(and who ever said IRC wasn't good for anything? }:P )

-dalvenjah

--
 Dalvenjah FoxFire (aka Sven Nielsen) "Hath not a dude eyes? If you prick us,
 Founder, the DALnet IRC Network       do we not get bummed? If we eat bad
                                       guacamole, do we not blow chunks?"
 e-mail: dalvenjah at dal.net              - Keanu Reeves as Shylock in The Critic
 whois: SN90                           WWW: http://www.dal.net/~dalvenjah/
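As an added example (not from the post above or from anyone in the NANOG thread), a short POSIX shell triage script covering two of the recommendations in the message: a check that a BIND 8 style named.conf carries an allow-transfer restriction instead of leaving AXFR open, and a scan of a /dev-like tree for regular files, which have no business living there. The sample config, the sample directory tree and the 192.0.2.53 secondary address are constructed for the example.

```shell
#!/bin/sh
# Added triage helpers (not from the original post). Assumptions: a BIND 8
# style named.conf with an "allow-transfer" option, and a /dev-like tree
# that should contain only device nodes, symlinks, dirs, fifos and sockets.

# axfr_restricted CONF: 0 if CONF carries an allow-transfer statement
# (transfers limited to a listed set), 1 if zone transfers are left open.
axfr_restricted() {
    grep -q 'allow-transfer' "$1"
}

# find_regular_files DIR: print regular files under DIR, sorted, and
# return 1 if any exist (regular files do not belong in /dev), else 0.
find_regular_files() {
    found=$(find "$1" -type f 2>/dev/null | sort)
    [ -n "$found" ] && printf '%s\n' "$found"
    [ -z "$found" ]
}

# make_sample_named_conf: constructed BIND 8 style config, restricted to
# one documentation-range secondary rather than the whole world.
make_sample_named_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
options {
    directory "/var/named";
    allow-transfer { 192.0.2.53; };   // secondary only, not 'any'
};
EOF
    printf '%s\n' "$f"
}

# make_sample_dev: constructed stand-in for /dev. Legitimate entries: a
# fifo, a symlink, a subdirectory. Planted entries: a hidden regular file
# and a regular file inside a hidden directory, which a plain ls misses.
make_sample_dev() {
    d=$(mktemp -d)
    mkfifo "$d/initctl"
    ln -s null "$d/stdout"
    mkdir "$d/pts" "$d/.cache"
    : > "$d/.rhosts"
    : > "$d/.cache/passwd.out"
    printf '%s\n' "$d"
}
```

Run `find_regular_files /dev` on a real host to list anything a human should look at; a clean tree prints nothing and exits 0.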

More information about the NANOG mailing list