should i publish a list of cracked machines?
i found one of my boxes was cracked (probably due to the BSD telnetd overflow).
in any case, i found a file in the cracker's directory containing what i think is a list of other servers which might be hacked. i think the list also includes the passwords for using the trojan.
on my server, i found a trojan daemon, allowing ssh on a 14000 series port.
i was gonna just post the list of hosts here, but then, maybe not.
what is the appropriate feeling?
--
[ Jim Mercer jim@reptiles.org +1 416 410-5633 ]
[ Now with more and longer words for your reading enjoyment. ]
On Thu, 23 Aug 2001, Jim Mercer wrote:
> i found one of my boxes was cracked (probably due to the BSD telnetd overflow).
> in any case, i found a file in the cracker's directory containing what i think is a list of other servers which might be hacked. i think the list also includes the passwords for using the trojan.
> on my server, i found a trojan daemon, allowing ssh on a 14000 series port.
> i was gonna just post the list of hosts here, but then, maybe not.
> what is the appropriate feeling?
Suggest you first notify CERT. If the list is manageable in size, perhaps you may also want to write to the sysadmins/network owners whose boxen were compromised. Publishing such a list in the open may not be such a hot idea, for obvious reasons...
--Mitch
NetSide
ok, having seen numerous comments (and numerous requests for the file), i have decided to punt the list to cert.org and let them deal with it.

- as much as i'd like to, i don't have the time/energy to run through the list and contact each netadmin. i've walked that trail before while attempting to nip a few DoS attacks.
- i will not send the list to anyone other than cert, unless suggestions can be made for other "authoritative" groups who will maybe pick up the task of contacting the netadmins in the list

my suspicions and some things to look for:
- boxes were compromised using the buffer overflow in telnetd (speculation)
- my box had a bogus /usr/sbin/nscd (which is not a normal FreeBSD binary)
- nscd appears to be a hacked sshd, listening on a 14000 series port
- it had its own /etc/ssh_* config files (FreeBSD puts them in /etc/ssh/ssh_*)
- there was a file in /dev/ptaz which appeared to be DES crypto gunge
- there were a bunch of irc/eggdrop related files in a ".e" directory of one of the user's $HOME

suggestions for looking about:
- do an ls -lta in bindirs, my systems generally have all /bin /usr/bin files with the same timestamp
- do a "du /dev" and look for anomalies
- do a "cd /dev ; ls -l | grep -e-" and look for anomalies
- do a "ls -ltra /" (as well as /usr and /usr/local) and look for anomalies

--
[ Jim Mercer jim@reptiles.org +1 416 410-5633 ]
[ Now with more and longer words for your reading enjoyment. ]
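The checks Jim lists are quick to script. The block below is an added example written for this page, not code from the thread or from Jim: each check is a function that takes a root directory, so it can be run against the live system or against a mounted copy of a suspect disk, and tried out on a throwaway tree first. It assumes POSIX sh with find(1) and awk(1) (-maxdepth is a BSD/GNU find extension); the netstat lines and the function names are constructed for the example. `find -type f` is used in place of the `ls -l | grep` idiom because it matches only regular files, and `find -newer` against a known-good binary in place of eyeballing `ls -lta`.

```shell
#!/bin/sh
# Added example (not from the thread): post-compromise triage checks as
# functions taking a root directory. ROOT=/ inspects the running system;
# point it at a mount of a suspect filesystem to inspect that instead.

# Regular files under <root>/dev. A device directory should hold device nodes,
# directories and symlinks; a plain file like the /dev/ptaz Jim found is the
# anomaly the "cd /dev ; ls -l" check hunts for. (On Linux, /dev/shm
# legitimately holds regular files, so expect some output there.)
find_regular_files_in_dev() {
    root="${1:-/}"
    find "${root%/}/dev" -type f 2>/dev/null
}

# Files in a bin directory modified after a reference file. On a cleanly
# installed box /bin and /usr/bin tend to share one install timestamp, so
# anything newer than, say, /usr/bin/ls is the odd one out that "ls -lta"
# would show at the top of the listing.
find_timestamp_outliers() {
    dir="$1"
    ref="$2"
    find "$dir" -type f -newer "$ref" 2>/dev/null
}

# sshd configuration in the wrong place. FreeBSD keeps it under /etc/ssh/;
# a daemon reading its own /etc/ssh_* files is not the system's sshd.
find_misplaced_ssh_config() {
    root="${1:-/}"
    find "${root%/}/etc" -maxdepth 1 -name 'ssh_*' 2>/dev/null
}

# Listening TCP sockets in the 14000-14999 range, parsed from "netstat -an"
# style lines on stdin. Handles both the BSD "*.14001" and the Linux
# "0.0.0.0:14001" local-address forms; prints the port of each listener.
find_high_port_listeners() {
    awk '$NF == "LISTEN" {
        n = split($4, a, /[.:]/)
        p = a[n] + 0
        if (p >= 14000 && p <= 14999) print p
    }'
}

# Constructed sample for trying the parser, not real netstat output.
SAMPLE_NETSTAT='tcp4       0      0 *.22                   *.*                    LISTEN
tcp4       0      0 *.14001                *.*                    LISTEN
tcp        0      0 0.0.0.0:14500          0.0.0.0:*              LISTEN
tcp4       0      0 10.0.0.5.14002         10.0.0.9.1234          ESTABLISHED'

# Usage: sh triage.sh --live   (runs every check against the running system)
if [ "${1:-}" = "--live" ]; then
    echo "== regular files in /dev";        find_regular_files_in_dev /
    echo "== /usr/bin files newer than ls"; find_timestamp_outliers /usr/bin /usr/bin/ls
    echo "== ssh config outside /etc/ssh";  find_misplaced_ssh_config /
    echo "== 14000-series listeners";       netstat -an 2>/dev/null | find_high_port_listeners
fi
```

All four functions only read; nothing is changed on the host. A hit from any of them is a reason to look closer (compare the binary against the package database, check who owns the listening process), not proof of compromise on its own, and a clean run proves nothing about a rootkit that replaced find or netstat themselves.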
--On Thursday, August 23, 2001 12:39:21 -0400 Jim Mercer <jim@reptiles.org> wrote:
> my suspicions and some things to look for:
> - boxes were compromised using the buffer overflow in telnetd (speculation)
The CERT/CC is aware of some level of automated exploitation of the recently described telnetd vulnerability. If folks have yet to patch systems for that particular vulnerability, it would be a good thing to spend time doing. We've seen it used to deploy DDoS-capable tools, for example. More info on the vulnerability at: http://www.kb.cert.org/vuls/id/745371
Kevin
On Thu, Aug 23, 2001 at 11:53:38AM -0400, Jim Mercer said:
> i found one of my boxes was cracked (probably due to the BSD telnetd overflow).
> in any case, i found a file in the cracker's directory containing what i think is a list of other servers which might be hacked. i think the list also includes the passwords for using the trojan.
> on my server, i found a trojan daemon, allowing ssh on a 14000 series port.
> i was gonna just post the list of hosts here, but then, maybe not.
> what is the appropriate feeling?
I'd try to contact the owners of the systems in the list personally. Posting such a list of machines thought to be cracked would accomplish little except getting those machines further probed/attacked. I would suggest trying to see what domains the IPs belong to and just shoot out some mail to root@/admin@/hostmaster@ or any other likely admin accounts with a heads up.
--
Josha Bronson <dmuz@slartibartfast.angrypacket.com>
Network/Systems/Security Engineer
josha.net || dmuz.angrypacket.com
Jim-
How about instead posting information to help other admins identify the trojan daemon so we can check our own machines?
David Leonard
ShaysNet
On Thu, 23 Aug 2001, Jim Mercer wrote:
> i found one of my boxes was cracked (probably due to the BSD telnetd overflow).
> in any case, i found a file in the cracker's directory containing what i think is a list of other servers which might be hacked. i think the list also includes the passwords for using the trojan.
> on my server, i found a trojan daemon, allowing ssh on a 14000 series port.
> i was gonna just post the list of hosts here, but then, maybe not.
> what is the appropriate feeling?
> --
> [ Jim Mercer jim@reptiles.org +1 416 410-5633 ]
> [ Now with more and longer words for your reading enjoyment. ]
Also, why not do whois lookups on those hosts and email appropriate people?
On Thu, 23 Aug 2001, M. David Leonard wrote:
> Jim-
> How about instead posting information to help other admins identify the trojan daemon so we can check our own machines?
> David Leonard
> ShaysNet
> On Thu, 23 Aug 2001, Jim Mercer wrote:
> > i found one of my boxes was cracked (probably due to the BSD telnetd overflow).
> > in any case, i found a file in the cracker's directory containing what i think is a list of other servers which might be hacked. i think the list also includes the passwords for using the trojan.
> > on my server, i found a trojan daemon, allowing ssh on a 14000 series port.
> > i was gonna just post the list of hosts here, but then, maybe not.
> > what is the appropriate feeling?
> > --
> > [ Jim Mercer jim@reptiles.org +1 416 410-5633 ]
> > [ Now with more and longer words for your reading enjoyment. ]
Laurence Berland
http://www.isp.northwestern.edu
participants (7)
- Jim Mercer
- Josha Bronson
- Kevin Houle
- Laurence Berland
- M. David Leonard
- Mike Trest
- Mitch Halmu