Folks. All (ALL) Linux-based NS servers or other LInux servers with IMAPD turned on (default) and withouth imapd patch (I do not know if it exist at all) can be treaten as COMPROMISED. I have found (and closed) more than 20 backdoored servers over the world in a week (and it was done by ONLY ONE HACKER)! What do you discuss? This was not serious attack, it was (I think) usial network scanning they are doing (or was doing) EVERY DAY. On Mon, 16 Nov 1998, Richard Irving wrote:
Date: Mon, 16 Nov 1998 20:34:23 -0500 From: Richard Irving <rirving@onecall.net> To: Jared Mauch <jared@puck.nether.net> Cc: Adam Rothschild <asr@millburn.net>, list@inet-access.net, nanog@merit.edu Subject: Re: Exodus: this is bad
It looks worse Jared,
This appears to be a concerted effort. This type of attack is propogating to new origin IP's by the hour. There seems to be a pattern forming....
DNS server is compromised. (Bind ? Autohack ?) local programs set up to crack local passwords. (Dumps results to FTP directory) local program set up to port probe/asttack other DNS's. (Dumps results to FTP directory)
Someone said Linux servers appear to be primary targets.. I suggest maybe Linux servers were more likely to have a vulnerable configuration... Probers running locally,( that I saw), did not *seem* to discriminate. (Conjecture Based on output of parasitic programs)
I hate to profer alt.net.conspiracy...... But...
the above data was collected both by myself, as well as another NANOG member who may want to remain anonymous... (He didn't post it to the group)
CERT does have an alert posted, but I am not sure they know how pervasive this is.....
Jared Mauch wrote:
On Mon, Nov 16, 1998 at 06:51:53PM -0500, Adam Rothschild wrote:
Am I forgetting anything?
Yeah.
Calling the providers where the attack is originating from.
Calling your local law enforcement agencies and alerting them to the problem at hand
Calling your local fbi agent and telling them what is going on.
Calling CERT and opening up a case
I'm sure if you get CERT+FBI+Local law agencies calling *ANY* noc, someone is going to notice.
And for fun, call CNN, or some other news agency, and say "xxx hasn't dealt with this after many phone calls, etc..".
If none of those paths provides you with the desired response, unplug your ethernet cable.
- jared
-- Jared Mauch | pgp key available via finger from jared@puck.nether.net | http://puck.nether.net/~jared/
Aleksei Roudnev, Network Operations Center, Relcom, Moscow (+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 239-10-10, N 13729 (pager) (+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)