Sagonet - Failing miserably with network security Someone needs to handle this.

Chris Jester chris_jester at suavemente.net
Sun Oct 29 19:53:11 UTC 2006


> Chris,
>
> What kind of activity are you seeing once he's in the servers? At
> Webair we're primarily web hosting, and some customer boxes were
> compromised over recent months.
>
> I'm curious because you say he was very patient and methodical. I've asked
> around with a few friends and they have seen this guy too.. just as in
> your case
>
> Anyway, it fits the profile of the guy we had. He was inserting references
> to megacount.net, and some obfuscated javascript code. He has been hard to
> get rid of..
>
> Sincerely,
>
> ----------------------------------------
> Brian Hourigan
> Lead Technical Support Specialist/
> Programming Development Team
> Webair Internet Development, Inc.
> Fax: 516.938.5100
> http://www.webair.com
> ----------------------------------------
> We are interested in any feedback you might have about the service
> you received. Please contact our technical support consumer care manager
> directly 1.866.WEBAIR1 or e-mail customercare at webair.com
>
> On Sun, 29 Oct 2006, Chris Jester wrote:
>
>>
>> 65.110.62.120
>>
>> Sagonet,
>>
>> We have a serious hacker here who is ACTIVELY engaged in logins
>> on our network (have him in a honeypot at the moment). He is running
>> exploits from your network and
>> also I have been hearing from others that you have been notified of this
>> a few times yet have done nothing about it.  Can we get someone to
>> handle
>> this immediately please?
>>
>> This hacker has rooted at least 35 servers on a friend's network
>> (friendly
>> competitor) and now he's scanning ours...
>>
>> This is what was said by my friend after contacting you guys about this:
>> "Good... They will not listen... I have provided them logs, screen
>> shots,
>> etc..."
>>
>> Additionally, I would LOVE to know what is on that server... this guy is
>> not to be taken lightly, he is VERY methodical and patient. He's
>> probably
>> owning your network too.
>>
>> [root at mail /home]# netstat -an
>> Active Internet connections (servers and established)
>> Proto Recv-Q Send-Q Local Address               Foreign Address             State
>> tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN
>> tcp        0      0 :::38300                    :::*                        LISTEN
>> tcp        0      0 ::ffff:66.11.112.15:38300   ::ffff:65.110.62.120:59979  ESTABLISHED
>>
>>
>


In the honeypot server we have him in, he is storing files in /dev/k4rd.
Bash has been replaced with a "key logging" bash; he gets everything
you type, passwords included, emailed back to him at root at 65.110.62.120

There seem to be A LOT of files in /dev/k4rd, a bin directory and etc.
He hacked the kernel so good that it's VERY difficult to track his moves
without booting off another drive first.  We boot off a live linux cd
environment to do studies on what he is up to, but before we do that
we let him hack it up nicely so we get all his tricks.  Note: he cannot
really touch any other servers as he is stuck in a faked network environment
at this moment. Pinging yahoo.com for example will generate a reply and a
faked dns entry, but the packets never leave the zone he is in.

His motivation seems to be to gather nats affiliate and customer data.
He has an exploit that works on any and all nats installations.  We're
not going to release that until nats has been notified and had time to
secure it.

We're also seeing "traffic skimming" being attempted.
He is searching for scripts (that we put there just to see what he does
with them) that log traffic hits and etc.... He modifies these scripts so
that randomly, but rarely, hits are re-directed to a web site called
cgi-dnsl.com ( porn ).

I don't mean to be a brat to Sagonet, but this is always the source of this
hacker and his home never changes, it's always on that single ip.

Chris Jester
NJesterIII
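The offline check the post describes (boot from a live CD, then look at the mounted disk rather than trust the running kernel) as an added Python example; it is not code from this thread. It walks the mounted root's dev/ for entries that are not device nodes, such as a stash directory like /dev/k4rd, and compares system binaries such as bash against known-good SHA-256 hashes. The allowlist of legitimate /dev subdirectories and the constructed sample tree are assumptions.

```python
import hashlib
import os
import stat
import tempfile

# Assumed allowlist of directories that normally exist under /dev on Linux.
KNOWN_DEV_DIRS = {"pts", "shm", "disk", "input", "mapper", "net", "snd",
                  "block", "char", "bus", "hugepages", "mqueue", "cpu", "dri"}

def find_nondevice_entries(dev_root):
    """Walk dev/ of a root filesystem mounted from a live CD and return the
    relative paths of regular files and of directories not in KNOWN_DEV_DIRS.
    A kernel rootkit hides from the running system, not from an offline walk."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(dev_root):
        rel = os.path.relpath(dirpath, dev_root)
        if rel != "." and rel.split(os.sep)[0] not in KNOWN_DEV_DIRS:
            hits.append(rel)
            dirnames[:] = []  # report the stash once; do not descend into it
            continue
        for name in filenames:  # device nodes are not regular files
            if stat.S_ISREG(os.lstat(os.path.join(dirpath, name)).st_mode):
                hits.append(name if rel == "." else os.path.join(rel, name))
    return sorted(hits)

def check_binaries(root, known_good):
    """Compare files under the mounted root with known-good SHA-256 values
    (from clean install media or the distro package); return the bad ones."""
    bad = []
    for rel, expected in known_good.items():
        path = os.path.join(root, rel.lstrip("/"))
        if not os.path.isfile(path) or \
           hashlib.sha256(open(path, "rb").read()).hexdigest() != expected:
            bad.append(rel)
    return sorted(bad)

def demo_findings():
    """Constructed sample: a legitimate dev/pts, a stash in dev/k4rd/bin and a
    bin/bash whose bytes no longer match the clean hash (hash of 'clean' + LF)."""
    root = tempfile.mkdtemp()
    for d in ("dev/pts", "dev/k4rd/bin", "bin"):
        os.makedirs(os.path.join(root, d))
    for rel, data in (("dev/k4rd/bin/sniff", b"stash\n"), ("bin/bash", b"trojan\n")):
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    clean = hashlib.sha256(b"clean\n").hexdigest()
    return (find_nondevice_entries(os.path.join(root, "dev")),
            check_binaries(root, {"/bin/bash": clean, "/bin/login": clean}))
```

On a real image, point find_nondevice_entries at the mounted root's dev/ and feed check_binaries hashes recorded from clean media; a missing binary is reported alongside a modified one.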
