WARNING WARNING WARNING


Be careful! As I recall from the infamous 'vidiot - redhat 6.2 sucks because it
deleted all my partitions' thread, or whatever it started as, the consensus was
that you can do an install and not wipe out the existing partition info by using
expert mode.  The install will wipe out all partition info without asking you
the ol' 'are you sure, are you REALLY sure' type of deal.  Come to think of it, it
might have been 6.1. Anyway, make sure you have working backups and a method of
restoring the data.

Personally, I would plan to just restore mine from the backup you are surely
going to do just before the reinstall.

Bret

"Burke, Thomas G." wrote:

> Well, darn it all, I _have_ been hacked...  I found a copy of netcat
> (/usr/sbin/netcat), and that's been causing the heartaches...  I will
> delete it now, & order a copy of RH6.2 today, I suppose.
>
> I've been thinking of a complete re-install of a newer version, anyway...
>
> Here's a question:  When doing a reinstall, I want to save my file-serving
> directories...  Is this hard to format & install everything but these
> directories?
> Fortunately, they are on different partitions, but since I have never done
> this before, I could use some pointers.
>
> > -----Original Message-----
> > From: Nikki Cook [SMTP:[EMAIL PROTECTED]]
> > Sent: Friday, April 07, 2000 5:54 PM
> > To:   [EMAIL PROTECTED]
> > Subject:      Re: Hacked?
> >
> > Looks like a trin00 server is what's going on, Thomas.
> >
> > Check http://staff.washington.edu/dittrich/misc/trinoo.analysis for more
> > information.
> >
> > Communication ports typically are:
> >
> > Attacker to Master(s):      27665/tcp
> > Master to daemon(s):        27444/udp
> > Daemon to Master(s):        31335/udp
> >
> > As a quick workaround, you may want to block those ports until you
> > investigate your machine thoroughly.
> >
> > Nikki
> >
> > At 03:16 PM 04/07/2000 , you wrote:
> > >In a nutshell...  What the heck is going on here?!
> > >
> > >~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > >
> > >tcdump from last night (tcdump -ippp0) - All machines on the internal net
> > >turned OFF:
> > >
> > >21:40:21.010000 classifieds2000.com.http > ##MY.MACHINE##.62267: R 2140746213:2140746213(0) win 0 (DF)
> > >21:40:21.010000 ##MY.MACHINE##.1774 > ns2.dns.rcn.net.domain: 11760+ (42)
> > >21:40:21.360000 ns2.dns.rcn.net.domain > ##MY.MACHINE##.1774: 11760* 1/4/4 (246) (DF)
> > >21:40:21.360000 ##MY.MACHINE##.1776 > ns2.dns.rcn.net.domain: 11761+ (42)
> > >21:40:21.580000 ns2.dns.rcn.net.domain > ##MY.MACHINE##.1776: 11761 1/3/3 (221) (DF)
> > >
> > >21:48:17.940000 165.113.216.6.52501 > ##MY.MACHINE##.27444: udp 11 (DF)
> > >21:48:17.940000 ##MY.MACHINE##.1777 > 165.113.216.6.31335: udp 4
> > >21:48:17.940000 ##MY.MACHINE##.1778 > ns2.dns.rcn.net.domain: 11762+ (44)
> > >21:48:18.260000 ns2.dns.rcn.net.domain > ##MY.MACHINE##.1778: 11762 NXDomain* 0/1/0 (112) (DF)
> > >21:51:12.230000 165.113.216.6.52502 > ##MY.MACHINE##.27444: udp 11 (DF)
> > >21:51:12.230000 ##MY.MACHINE##.1779 > 165.113.216.6.31335: udp 4
> > >
> > >21:51:59.340000 165.113.216.6.52504 > ##MY.MACHINE##.27444: udp 16 (DF)
> > >21:52:04.660000 165.113.216.6.52505 > ##MY.MACHINE##.27444: udp 25 (DF)
> > >
> > >22:11:36.720000 165.113.216.6.52507 > ##MY.MACHINE##.27444: udp 15 (DF)
> > >
> > >22:11:43.980000 165.113.216.6.52508 > ##MY.MACHINE##.27444: udp 15 (DF)
> > >
> > >22:16:51.040000 165.113.216.6.52509 > ##MY.MACHINE##.27444: udp 11 (DF)
> > >22:18:58.030000 165.113.216.6.52510 > ##MY.MACHINE##.27444: udp 11 (DF)
> > >
> > >22:22:46.060000 165.113.216.6.52511 > ##MY.MACHINE##.27444: udp 11 (DF)
> > >22:22:58.270000 165.113.216.6.52514 > ##MY.MACHINE##.27444: udp 25 (DF)
> > >22:26:30.900000 165.113.216.6.52515 > ##MY.MACHINE##.27444: udp 11 (DF)
> > >
> > >22:28:17.000000 ##MY.MACHINE##.1780 > 165.113.216.6.31335: udp 4
> > >22:28:17.000000 ##MY.MACHINE##.1781 > 165.113.216.6.31335: udp 4
> > >22:28:17.000000 ##MY.MACHINE##.1782 > 165.113.216.6.31335: udp 4
> > >
> > >22:31:38.000000 ##MY.MACHINE##.1783 > 165.113.216.6.31335: udp 4
> > >
> > >23:03:51.930000 165.113.216.6.52517 > ##MY.MACHINE##.27444: udp 11 (DF)
> > >23:03:51.930000 ##MY.MACHINE##.1784 > 165.113.216.6.31335: udp 4
> > >23:03:53.940000 165.113.216.6.52518 > ##MY.MACHINE##.27444: udp 11 (DF)
> > >23:03:57.010000 165.113.216.6.52519 > ##MY.MACHINE##.27444: udp 15 (DF)
> > >23:04:45.040000 165.113.216.6.52520 > ##MY.MACHINE##.27444: udp 61 (DF)
> > >
> > >23:21:04.330000 165.113.216.6.52521 > ##MY.MACHINE##.27444: udp 11 (DF)
> > >23:21:07.210000 165.113.216.6.52522 > ##MY.MACHINE##.27444: udp 15 (DF)
> > >23:21:07.870000 165.113.216.6.52523 > ##MY.MACHINE##.27444: udp 23 (DF)
> > >
> > >23:30:01.190000 165.113.216.6.52524 > ##MY.MACHINE##.27444: udp 11 (DF)
> > >23:30:01.190000 ##MY.MACHINE##.1785 > 165.113.216.6.31335: udp 4
> > >23:30:08.820000 165.113.216.6.52526 > ##MY.MACHINE##.27444: udp 15 (DF)
> > >
> > >23:45:08.290000 165.113.216.6.52530 > ##MY.MACHINE##.27444: udp 15 (DF)
> > >
> > >01:06:04.860000 165.113.216.6.52537 > ##MY.MACHINE##.27444: udp 11 (DF)
> > >01:06:07.430000 165.113.216.6.52538 > ##MY.MACHINE##.27444: udp 16 (DF)
> > >01:06:09.950000 165.113.216.6.52539 > ##MY.MACHINE##.27444: udp 26 (DF)
> > >
> > >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > >
> > >Related parts of my logs:
> > >
> > >Apr  6 21:52:05 tomii-gate kernel: IP fw-out deny ppp0 TCP 193.26.175.63:34277 209.67.45.225:13009 L=40 S=0x08 I=54333 F=0x0000 T=255
> > >Apr  6 21:52:05 tomii-gate kernel: IP fw-out deny ppp0 TCP 152.227.250.6:34533 209.67.45.225:50856 L=40 S=0x08 I=54589 F=0x0000 T=255
> > >Apr  6 21:52:05 tomii-gate kernel: IP fw-out deny ppp0 TCP 212.138.249.60:34789 209.67.45.225:552 L=40 S=0x08 I=54845 F=0x0000 T=255
> > >.
> > >.
> > >.
> > >Apr  6 22:07:55 tomii-gate kernel: IP fw-out deny ppp0 TCP 46.7.71.7:50521 209.67.45.225:17926 L=40 S=0x08 I=5298 F=0x0000 T=255
> > >Apr  6 22:07:55 tomii-gate kernel: IP fw-out deny ppp0 TCP 72.28.202.58:50777 209.67.45.225:45 fw-out deny ppp0 TCP 215.165.249.95:48932 209.67.45.225:52711 L=40 S=0x08 I=3709 F=0x0000 T=255
> > >.
> > >.
> > >.
> > >Apr  6 22:31:44 tomii-gate kernel: IP fw-out deny ppp0 TCP 91.86.116.82:19139 154.11.89.164:3888 L=40 S=0x08 I=46375 F=0x0000 T=255
> > >Apr  6 22:31:45 tomii-gate kernel: IP fw-out deny ppp0 TCP 230.7.181.106:19395 154.11.89.164:23482 L=40 S=0x08 I=46631 F=0x0000 T=255
> > >.
> > >.
> > >.
> > >Apr  6 23:04:45 tomii-gate kernel: IP fw-out deny ppp0 TCP 212.218.143.80:7264 62.236.92.186:11648 L=40 S=0x08 I=40912 F=0x0000 T=255
> > >Apr  6 23:04:45 tomii-gate kernel: IP fw-out deny ppp0 TCP 21.210.177.114:36222 199.174.197.117:51372 L=40 S=0x08 I=1752 F=0x0000 T=255
> > >.
> > >.
> > >.
> > >Apr  6 23:14:51 tomii-gate kernel: IP fw-out deny ppp0 TCP 102.241.197.103:34790 129.116.18.120:17040 L=40 S=0x08 I=11762 F=0x0000 T=255
> > >Apr  6 23:14:51 tomii-gate kernel: IP fw-out deny ppp0 TCP 224.155.34.51:172 62.236.92.186:46889 L=40 S=0x08 I=5203 F=0x0000 T=255
> > >.
> > >.
> > >.
> > >Apr  6 23:28:45 tomii-gate kernel: IP fw-out deny ppp0 TCP 150.169.177.45:19214 24.141.1.55:17985 L=40 S=0x08 I=46985 F=0x0000 T=255
> > >Apr  6 23:28:45 tomii-gate kernel: IP fw-out deny ppp0 TCP 238.31.244.59:19470 24.141.1.55:7161 L=40 S=0x08 I=47241 F=0x0000 T=255
> > >Apr  7 01:06:10 tomii-gate kernel: IP fw-out deny ppp0 TCP 35.128.116.121:49889 129.111.249.53:9837 L=40 S=0x08 I=12673 F=0x0000 T=255
> > >Apr  7 01:06:10 tomii-gate kernel: IP fw-out deny ppp0 TCP 212.104.245.43:50145 129.111.249.53:16172 L=40 S=0x08 I=12929 F=0x0000 T=255
> > >Apr  7 01:06:10 tomii-gate kernel: IP fw-out deny ppp0 TCP 195.16.60.120:50401 129.111.249.53:35045 L=40 S=0x08 I=13185 F=0x0000 T=255
> > >.
> > >.
> > >.
> > >Apr  7 01:22:57 tomii-gate kernel: IP fw-out deny ppp0 TCP 70.41.138.30:49428 129.111.249.53:39115 L=40 S=0x08 I=12468 F=0x0000 T=255
> > >Apr  7 01:22:57 tomii-gate kernel: IP fw-out deny ppp0 TCP 139.222.87.115:49684 129.111.249.53:11940 L=40 S=0x08 I=12724 F=0x0000 T=255
> > >
> > >
> > >
> > >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > >
> > >Traceroute output:
> > >
> > >[root@tomii-gate /root]# traceroute -ippp0 165.113.216.6
> > >traceroute to 165.113.216.6 (165.113.216.6), 30 hops max, 40 byte packets
> > > 1  as4.anp.md.rcn.net (10.65.34.14)  444.075 ms  549.621 ms  389.890 ms
> > > 2  fe0-0-0.core1.anp.md.rcn.net (10.65.34.1)  239.821 ms  309.810 ms  399.957 ms
> > > 3  poet0-0-1.core1.col.md.rcn.net (207.172.9.197)  299.799 ms  569.799 ms  419.907 ms
> > > 4  poet6-0-0.core1.blb.md.rcn.net (207.172.19.170)  629.828 ms  309.800 ms  389.895 ms
> > > 5  poet1-0-0.core1.blba.md.rcn.net (207.172.9.53)  659.849 ms  569.777 ms  379.830 ms
> > > 6  poet4-0-1.core1.dcb.dc.rcn.net (207.172.9.49)  269.858 ms  poet5-1-0.core1.dcb.dc.rcn.net (207.172.19.178)  309.767 ms  poet4-1-0.core1.dcb.dc.rcn.net (207.172.19.218)  509.764 ms
> > > 7  pos1-1-0.border1.tcob.va.rcn.net (207.172.19.249)  519.685 ms  579.809 ms  389.905 ms
> > > 8  ge3-0-0.core1.tco.va.rcn.net (207.172.19.213)  389.821 ms  680.031 ms  669.662 ms
> > > 9  fe1-1-0.border1.tco.va.rcn.net (207.172.9.230)  609.829 ms  569.745 ms  469.894 ms
> > >10  mae-e-1.e0.crl.com (192.41.177.104)  569.879 ms  439.767 ms  640.375 ms
> > >11  careerblazer.atm-e.us.crl.net (165.113.99.37)  649.369 ms  390.484 ms  659.205 ms
> > >12  165.113.216.6 (165.113.216.6)  379.852 ms  649.748 ms *
> > >
> > >
> > >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > >
> > >My firewall script:
> > >
> > >ipfwadm -I -f
> > >ipfwadm -I -p deny
> > >ipfwadm -I -a accept -V 192.168.68.1 -S 192.168.0.0/16 -D 0.0.0.0/0
> > >ipfwadm -I -a deny -V ##MY.MACHINE.IP.ADDR## -S 192.168.0.0/16 -D 0.0.0.0/0 -o
> > >ipfwadm -I -a accept -V ##MY.MACHINE.IP.ADDR## -S 0.0.0.0/0 -D ##MY.MACHINE.IP.ADDR##/32
> > >ipfwadm -I -a accept -V 127.0.0.1 -S 0.0.0.0/0 -D 0.0.0.0/0
> > ># ??
> > >ipfwadm -I -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 -o
> > >
> > >ipfwadm -O -f
> > >ipfwadm -O -p deny
> > >ipfwadm -O -a accept -V 192.168.68.1 -S 0.0.0.0/0 -D 192.168.0.0/16
> > >ipfwadm -O -a deny -V ##MY.MACHINE.IP.ADDR## -S 0.0.0.0/0 -D 192.168.0.0/16 -o
> > >ipfwadm -O -a deny -V ##MY.MACHINE.IP.ADDR## -S 192.168.0.0/16 -D 0.0.0.0/0 -o
> > >ipfwadm -O -a deny -V ##MY.MACHINE.IP.ADDR## -S 0.0.0.0/0 -D 192.168.0.0/16 -o
> > >ipfwadm -O -a accept -V ##MY.MACHINE.IP.ADDR## -S ##MY.MACHINE.IP.ADDR## -D 0.0.0.0/0
> > >ipfwadm -O -a accept -V 127.0.0.1 -S 0.0.0.0/0 -D 0.0.0.0/0
> > >ipfwadm -O -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 -o
> > >
> > >ipfwadm -F -f
> > >ipfwadm -F -p deny
> > >ipfwadm -F -a masquerade -W ppp0 -S 192.168.0.0/16 -D 0.0.0.0/0
> > >ipfwadm -F -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 -o
> > >
> > >#ipfwadm -F -p deny
> > >#ipfwadm -F -a m -S 192.168.68.0/24 -D 0.0.0.0/0
> > >
> > >
> > >--
> > >To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
> > >as the Subject.
> > >
> >
> >
> > Nikki
> >
> >
>


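An added example, written for this archive and not code from any of the posters: a small Python script that turns two pieces of evidence in the thread into repeatable checks. The first applies the trinoo port table Nikki quoted from Dittrich's analysis to tcpdump summary lines and names the remote end of every control exchange (the probable master). The second reads the kernel "IP fw-out deny" lines that Thomas's ipfwadm output rules logged and groups them by destination; many different source addresses, none of them the host's own, leaving one interface toward one destination is the signature of the host itself emitting forged packets, which is exactly what an egress filter with logging is there to catch. The sample lines are copied from Thomas's tcpdump and log excerpts above; ##MY.MACHINE## and ##MY.MACHINE.IP.ADDR## are his placeholders, and the threshold of three distinct sources is an assumption chosen for this small sample.

```python
"""Defender-side checks over the evidence pasted in the thread:
1. flag tcpdump lines that use the trinoo control ports listed by Nikki;
2. summarise 'fw-out deny' kernel log lines to show the egress filter
   catching packets whose source address is not the host's own."""
import re
from collections import defaultdict

# Control ports exactly as given in the thread (from Dittrich's trinoo analysis).
TRINOO_PORTS = {
    ("tcp", 27665): "attacker -> master",
    ("udp", 27444): "master -> daemon",
    ("udp", 31335): "daemon -> master",
}

# tcpdump 3.x summary line: "<ts> <src>.<sport> > <dst>.<dport>: <rest>"
# Ports may be names (http, domain) rather than numbers; only numeric ones are checked.
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<src>\S+)\.(?P<sport>\w+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>\w+):\s+(?P<rest>.*)$"
)

# ipfwadm/ipchains kernel log: "IP fw-out deny ppp0 TCP 193.26.175.63:34277 209.67.45.225:13009 L=40 ..."
FW_RE = re.compile(
    r"IP fw-out deny (?P<iface>\S+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def _proto(rest):
    """Guess the transport from the tail of a tcpdump line."""
    if rest.startswith("udp"):
        return "udp"
    if re.match(r"^[SFRP.]+ \d", rest) or " win " in rest:   # TCP flags / window
        return "tcp"
    return "other"   # decoded DNS queries are printed without the 'udp' keyword


def find_trinoo_traffic(lines):
    """Return (timestamp, role, src, dst) for every line touching a trinoo control port."""
    hits = []
    for line in lines:
        m = TCPDUMP_RE.match(line.strip())
        if not m:
            continue
        proto = _proto(m["rest"])
        for port in (m["sport"], m["dport"]):
            if port.isdigit() and (proto, int(port)) in TRINOO_PORTS:
                hits.append((m["ts"], TRINOO_PORTS[(proto, int(port))], m["src"], m["dst"]))
                break
    return hits


def suspected_masters(hits, local_name):
    """The remote end of each control-port exchange is the probable master."""
    return sorted({src if src != local_name else dst for _, _, src, dst in hits})


def suspect_spoofed_floods(lines, local_addrs, min_sources=3):
    """Group denied outbound packets by destination; report destinations hit from
    at least min_sources distinct source addresses, none of which is local.
    A host whose own egress log looks like this is forging source addresses."""
    sources = defaultdict(set)
    for line in lines:
        m = FW_RE.search(line)
        if m and m["src"] not in local_addrs:
            sources[m["dst"]].add(m["src"])
    return {dst: sorted(s) for dst, s in sources.items() if len(s) >= min_sources}


# Sample input copied from Thomas's excerpts in the thread above.
TCPDUMP_SAMPLE = """
21:40:21.010000 classifieds2000.com.http > ##MY.MACHINE##.62267: R 2140746213:2140746213(0) win 0 (DF)
21:40:21.010000 ##MY.MACHINE##.1774 > ns2.dns.rcn.net.domain: 11760+ (42)
21:48:17.940000 165.113.216.6.52501 > ##MY.MACHINE##.27444: udp 11 (DF)
21:48:17.940000 ##MY.MACHINE##.1777 > 165.113.216.6.31335: udp 4
21:51:12.230000 165.113.216.6.52502 > ##MY.MACHINE##.27444: udp 11 (DF)
22:28:17.000000 ##MY.MACHINE##.1780 > 165.113.216.6.31335: udp 4
""".strip().splitlines()

FW_SAMPLE = """
Apr  6 21:52:05 tomii-gate kernel: IP fw-out deny ppp0 TCP 193.26.175.63:34277 209.67.45.225:13009 L=40 S=0x08 I=54333 F=0x0000 T=255
Apr  6 21:52:05 tomii-gate kernel: IP fw-out deny ppp0 TCP 152.227.250.6:34533 209.67.45.225:50856 L=40 S=0x08 I=54589 F=0x0000 T=255
Apr  6 21:52:05 tomii-gate kernel: IP fw-out deny ppp0 TCP 212.138.249.60:34789 209.67.45.225:552 L=40 S=0x08 I=54845 F=0x0000 T=255
Apr  6 22:31:44 tomii-gate kernel: IP fw-out deny ppp0 TCP 91.86.116.82:19139 154.11.89.164:3888 L=40 S=0x08 I=46375 F=0x0000 T=255
Apr  6 22:31:45 tomii-gate kernel: IP fw-out deny ppp0 TCP 230.7.181.106:19395 154.11.89.164:23482 L=40 S=0x08 I=46631 F=0x0000 T=255
""".strip().splitlines()

if __name__ == "__main__":
    hits = find_trinoo_traffic(TCPDUMP_SAMPLE)
    for ts, role, src, dst in hits:
        print(f"{ts}  {role:18}  {src} -> {dst}")
    print("probable master(s):", suspected_masters(hits, "##MY.MACHINE##"))
    for dst, srcs in suspect_spoofed_floods(FW_SAMPLE, {"##MY.MACHINE.IP.ADDR##"}).items():
        print(f"forged-source packets toward {dst} from {len(srcs)} addresses: {srcs}")
```

On the sample, every 27444/udp and 31335/udp line resolves to 165.113.216.6 as the peer, which matches Nikki's reading of the capture, and the denied outbound lines toward 209.67.45.225 carry three unrelated source addresses, so the ipfwadm -O deny ... -o rules were doing useful work even though the box was already compromised. Against a real syslog, feed the whole file in and raise min_sources.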
