just seen my first IPv6 network abuse scan, is this the start for more?

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Tue Sep 7 18:48:19 UTC 2010


On Tue, 07 Sep 2010 09:03:12 EDT, Jamie Bowden said:

> Now, on to the topic at hand.  Why would you scan the address space in
> the first place?  Wouldn't it be easier to compromise a known host and
> look at the ARP table?  Or better yet, the router on the edge?  If it's
> moving packets, something on the network has mapped the MAC address to
> its IP at some point.

Remember that although there are some truly scary black hats out there, the
vast majority of them are even less technically savvy than your average trainee
banana eater, and will do things so mind-bogglingly stupid that you have to
roll a saving throw at -5 to disbelieve ;)

True incident I worked on sometime last century:

I get called about this AIX box, it's been hosed for "a while", and they can't
login to run the one application they ran literally once a year that they kept
this box around for. Preliminary indications are /etc/passwd is scrozzled.  So
I boot off an install CD and start looking. Takes about 10 seconds to figure
out the box was hacked.

I'm amazed - the machine wasn't fully hardened, and was *way* behind on
patches. On the other hand, it *was* at least tcp-wrappered, and the attacker
managed to fingerprint it as an AIX box without setting any of the wrappers
off.  The guy whacked it with either a telnetd or ftpd exploit, and by looking
at process accounting, I was able to verify it worked on the *first* try.  I'm
suitably impressed at this point - even 15 years ago, AIX wasn't common enough
that most black hats kept exploits in their back pockets (much less knew enough
to use them on the first try).

Guy whacks the box on the very first try, and then it gets interesting.

Guy says 'cat > /etc/paswd^[[D^[[Dswd' because he doesn't realize his exploit
rootshell doesn't have line editing.

Guy tries to get in on a second session, realizes his attempt to set a root
backdoor didn't work, so he does this for his second try:

cat > /etc/passwd
foo::1:0::/:
^D

Yep.  1.  Not zero.  And > not >>.  So then when he tries to come in via
telnet again, inetd won't do it because inetd.conf says 'root' and there's no
'root' in /etc/passwd anymore.

Actual forensics work:  about 15 mins. Convincing myself it was a damned lucky
ankle-biter and not an uberhacker leaving a false trail:  most of an 8-hour day.

Or as I said on another list - "Sometimes the data makes a lot more sense if
you ask yourself 'What if the Three Stooges were hackers?'".  And there's no
indication that the bell curve of black hat clue levels has shifted any since
last century.
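The triage in the story comes down to reading /etc/passwd and noticing what the attacker's one-line replacement got wrong: no root entry left for inetd to switch to, an empty password field, and a UID of 1 rather than 0. The checker below is an added example, not part of the original post; it parses the seven-field passwd format and flags exactly those conditions on two constructed files, one sane and one matching the overwrite described above. The entry-count threshold is an assumed heuristic, not anything from the post.

```python
"""Sanity-check the contents of a /etc/passwd file during incident triage.

Added example (not from the original post). It reproduces the checks a
responder would make by eye on a box whose logins suddenly stop working:
is root still there, does anything have an empty password field, does any
non-root account carry UID 0, and is the file implausibly short (which is
what a 'cat > /etc/passwd' rather than 'cat >> /etc/passwd' leaves behind).
"""
from dataclasses import dataclass
from typing import List, Tuple

FIELD_COUNT = 7            # name:passwd:uid:gid:gecos:home:shell
MIN_EXPECTED_ENTRIES = 2   # assumed heuristic: any real system has far more accounts

# Constructed sample: a minimal but healthy passwd file.
SANE_PASSWD = """root:x:0:0:root:/:/bin/sh
daemon:x:1:1:daemon:/etc:/bin/false
bin:x:2:2:bin:/bin:/bin/false
"""

# Constructed sample: the single line the attacker in the story wrote
# with '>' instead of '>>' (UID 1, GID 0, empty password, no shell).
OVERWRITTEN_PASSWD = "foo::1:0::/:\n"


@dataclass
class PasswdEntry:
    name: str
    passwd: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse passwd-format text; raise ValueError on malformed lines."""
    entries: List[PasswdEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) != FIELD_COUNT:
            raise ValueError(
                f"line {lineno}: expected {FIELD_COUNT} fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries


def check_passwd(entries: List[PasswdEntry]) -> List[Tuple[str, str]]:
    """Return (code, message) findings; an empty list means nothing odd."""
    findings: List[Tuple[str, str]] = []
    roots = [e for e in entries if e.name == "root"]

    # Services configured to run as 'root' (e.g. in inetd.conf) cannot
    # resolve that name if the entry is gone; logins break exactly as in the story.
    if not roots:
        findings.append(("no-root", "no 'root' entry: name-based service config will fail"))
    elif roots[0].uid != 0:
        findings.append(("root-not-uid0", f"'root' has uid {roots[0].uid}, expected 0"))

    for e in entries:
        if e.uid == 0 and e.name != "root":
            findings.append(("uid0-alias", f"account {e.name!r} has uid 0"))
        if e.passwd == "":
            findings.append(("empty-password", f"account {e.name!r} has an empty password field"))

    # A file that shrank to one or two lines was overwritten, not appended to.
    if len(entries) < MIN_EXPECTED_ENTRIES:
        findings.append(("few-entries",
                         f"only {len(entries)} entries: consistent with '>' overwrite"))
    return findings


def triage(text: str) -> List[Tuple[str, str]]:
    """Convenience wrapper: parse then check."""
    return check_passwd(parse_passwd(text))


if __name__ == "__main__":
    for label, sample in (("sane", SANE_PASSWD), ("overwritten", OVERWRITTEN_PASSWD)):
        print(f"== {label} ==")
        for code, msg in triage(sample) or [("ok", "no findings")]:
            print(f"  [{code}] {msg}")
```

Running it prints no findings for the sane file and three for the overwritten one (missing root, empty password on `foo`, and the single-entry file). The UID-1 detail is reported implicitly: `foo` does not show up as a UID 0 alias, which is the same observation the author made when reading the file by hand.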
