On Mon, Nov 16, 1998 at 08:34:23PM -0500, Richard Irving put this into my mailbox:
> It looks worse, Jared.
>
> This appears to be a concerted effort. This type of attack is propagating to new origin IPs by the hour. There seems to be a pattern forming....
>
> DNS server is compromised. (BIND? Autohack?)
> Local programs set up to crack local passwords. (Dumps results to FTP directory)
> Local program set up to port probe/attack other DNSs. (Dumps results to FTP directory)
>
> Someone said Linux servers appear to be primary targets. I suggest maybe Linux servers were more likely to have a vulnerable configuration... Probers running locally (that I saw) did not *seem* to discriminate. (Conjecture based on output of parasitic programs)
Based on what I have seen since roughly May 1998, I would guess that all these nameservers are the victims of the old named-4.9.6 buffer overflow. They then get compromised, trojaned, and get 'mscan' (available on rootshell) installed. Mscan then performs DNS walks (via AXFR) across entire domains, probing for named vulnerabilities, imap vulnerabilities, sunrpc (statd) vulnerabilities, and pop3 vulnerabilities. Chances are it's been upgraded to do more.

Essentially, all the person has to do is point mscan at some large institution, net/com/edu, let it run for a few hours, come back, and they will most likely have in their list of vulnerable servers 5 or 10 more servers that can be hacked in the same manner.

Solutions, to either prevent or at least delay people from hacking your boxes (if they haven't been there for months already):

* Turn off public AXFR from your nameservers. bind 8 makes this very easy.

* KEEP YOUR SYSTEMS UP TO DATE. Make sure your customers are doing this too. Almost all of the systems compromised in this manner had RedHat or FreeBSD or Solaris installed, and then nobody installed patches. RPMs are easy to download and install for RedHat, and Solaris makes this almost as easy with patchadd.

* NEVER connect a new machine to the network unless it has been fully patched and tested. This is old sysadmin knowledge, but it seems to have been forgotten in this day and age of plug and play operating systems. I know of a researcher who installed Linux on his home machine (connected via ISDN), got hacked into and was completely plowed 3 days later. I am not exaggerating. If you are vulnerable, they will find you, and they will find you *before* you 'get a chance' to patch your boxes.

* If you see this message and run out to test your machine with ISS or somesuch because you haven't patched in a year, do not assume that you are safe simply because ISS says so. The folks who hack into boxes like this almost always patch the hole they used to get in. Look for hidden files, stuff in /dev that's not supposed to be there, etc. - essentially anything suspicious.

At least once per day, sometimes more often, my machines are probed by people using mscan, backorifice, NetBus, wingate scanners, and other nefarious utilities. Would that I had the time to report them all - unfortunately, I don't, and until I can come up with some intelligent scripts to process the reports, my Incident Pile is growing. This is a bad sign.

This is getting to be off topic, but I am not seeing anything new here. These are the *same* old hacks, the *same* old probes, that have been going on continuously for 6 months to a year now. You're just finding more and more people stupid enough not to cover their tracks. (Or more sysadmins wising up to the fact that their new PII-300 running Linux isn't supposed to take 5 minutes to come up with a shell prompt.)

Most importantly, if you find yourself hacked into, before you rm -rf the drive, before you do anything other than unplug its ethernet, notify CERT and your local law enforcement agency (FBI in the US). Even if they aren't able to trace your specific cracker, it helps *very* much to have a paper trail and to have Actual Law Enforcement Agents look at your case, just on the off chance that it might turn into something large. Your local FBI agent is very friendly, and is there to help you.

The other portion is communication. If your box has been hacked, and you don't know what to do, ask for help. It is not a disgrace to get hacked; even I've overlooked patches and gotten myself hacked a few times. It happens. You clean up, reinstall, and life goes on.

(and who ever said IRC wasn't good for anything? }:P )

-dalvenjah

--
Dalvenjah FoxFire (aka Sven Nielsen)        "Hath not a dude eyes? If you prick us,
Founder, the DALnet IRC Network              do we not get bummed? If we eat bad
                                             guacamole, do we not blow chunks?"
e-mail: dalvenjah@dal.net                       - Keanu Reeves as Shylock in The Critic
whois: SN90  WWW: http://www.dal.net/~dalvenjah/
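The "turn off public AXFR" item above, shown as an added BIND 8 named.conf example that is not part of the original mail: the permissive default that lets mscan walk a zone, beside a configuration that allows transfers only to the hosts that really are secondaries. The zone names, ACL name and all addresses are constructed placeholders; the two fragments are alternative files, not one named.conf.

```conf
// Added example (not from the original message): BIND 8 named.conf.
// Names and addresses are constructed placeholders.

// --- WEAK: no allow-transfer statement anywhere. BIND 8 then answers
// AXFR from any host, so one query hands a scanner every hostname in the zone.
options {
    directory "/var/named";
};

zone "example.com" {
    type master;
    file "example.com.zone";
};

// --- HARDENED: refuse transfers for every zone by default, then re-enable
// them per zone only for that zone's own secondaries.
acl "secondaries" {
    192.0.2.53;        // placeholder: in-house secondary nameserver
    198.51.100.53;     // placeholder: off-site secondary nameserver
};

options {
    directory "/var/named";
    allow-transfer { none; };          // global default: no AXFR at all
};

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { "secondaries"; }; // only the ACL members may AXFR this zone
};

// A zone this server only slaves needs no transfer access of its own;
// the global "none" already covers it.
zone "example.net" {
    type slave;
    file "bak.example.net";
    masters { 203.0.113.10; };         // placeholder: that zone's primary
};
```

After `ndc reload`, check your own server from a host outside the ACL: an AXFR request for example.com should now be refused, while the listed secondaries still transfer normally.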