black hat .cn networks

Justin Hinderliter justin at
Mon May 7 17:41:29 UTC 2001

For those looking for evidence of attacks, I personally know of 3 boxes that
were hit and rooted this morning.  The three attacks happened between 6:20am
and 7:04am.  One NT box, one Linux box, and one as of yet unknown OS
(haven't gotten ahold of the person yet, but his bandwidth's maxed out and
way over what it ever is by about 15x).  They're hitting port 80 this
morning.  One hit from a Mapquest IP, one from,  and one from an APNIC netblock .   The webpages
they left indicated "fuq you, Americans" and indicated that they were part
of the Chinese offensive.  PAM session authentication on the linux box noted
that a session was opened by user htdig (uid 0) and closed 4ms later.
Syslogs were wiped, so were last and lastlog output.  The logs are available
still despite their efforts since the precaution was taken to have them sent
elsewhere and mailed immediately to boot.  Other boxes may have been gotten
to as well, still looking at them all and unplugging them as I go/advising
suspected customers to unplug as well as I find them.

Fuq U2, Chinese. Got plenty of evidence here, and there's a death sentence
in China for doing this... provided it was really Chinese responsible.  I'm
happily contributing all info I have towards investigation and prosecution,
and am going to get Mapquest and to dig up all info they can to
track this shit back to where they got hit from.

Hey, just found another one.  Note that all Linux boxes were locked pretty
damned tight, and even blocked numerous connection attempts on port 80 with
portsentry killing the connection and then dropping them to a null route.
But all it took was 4ms to run that script.  Apparently there's probably a
hole in apache 1.3.14-2, as there were no world-writable files in the htp
root structure...  bugtraq should be interested in this.  Have to see what I
can dig up post mortem as far as what they used.

"Time for a  malenki lemtock of the ole ultraviolence, me droogs."


More information about the NANOG mailing list