
WARNING: Break-in attempts



Greetings all,

	I'm forwarding a copy of an email I sent reporting attempted
break-ins on my main server, earth.terran.org.  I am forwarding this
because I think it is relevant that folks watch for this kind of activity
in their logs to catch people who "try doorknobs" in the middle of the
night.  After sending this email, I sent a talk request to the user, who
was still logged onto a RedHat 4.2 system via dialup.  Though he did not
respond, within minutes he had downed his link.
	No damage was done to my system (I have all up-to-date security
mechanisms in place).  I believe this user is a Joe-random Linux user who
just found some pre-packaged linux security exploits.

cheers,
-bp
--
B. James Phillippe <bryan terran org>
Linux Software Engineer, WGT Inc.
http://earth.terran.org/~bryan

[mod: Normally "I got hacked" messages are rejected, but this is an 
"I didn't get hacked" report OK? -- REW ;-]


---------- Forwarded message ----------
Subject: BREAK-IN ATTEMPT!
Date: Fri, 19 Jun 1998 01:09:55 -0700 (PDT)
From: "B. James Phillippe" <bryan terran org>
To: webmaster inu net, root inu net, postmaster inu net

Greetings,

	As administrator of terran.org (TERRAN3-DOM), I am writing to
inform you that I have significant log data to confirm that several
attempts to break into my main server earth.terran.org were made from a
host on your network.  The host in question is pmnac1-4.inu.net and the
attacks were made from the superuser (root).  Before I go further, let me
present the evidence:

Attempt on IMAP server:

Jun 18 23:49:49 earth imapd[25125]: command stream end of file, while
reading line user=??? host=pmnac1-4.inu.net
Jun 18 23:49:49 earth ipop3d[25126]: Connection broken while reading line
user=??? host=pmnac1-4.inu.net

IP Firewall logs showing attempt on portmapper and X server:

Jun 18 23:49:47 earth kernel: IP acct in ppp0 TCP 208.164.139.14:3624
208.152.24.33:6000 L=44 S=0x00 I=36775 F=0x0000 T=54
Jun 18 23:49:55 earth kernel: IP acct in ppp0 TCP 208.164.139.14:741
208.152.24.33:111 L=44 S=0x00 I=37060 F=0x0000 T=54
Jun 18 23:49:59 earth kernel: IP acct in ppp0 UDP 208.164.139.14:766
208.152.24.33:111 L=84 S=0x00 I=37187 F=0x0000 T=54
Jun 18 23:50:00 earth kernel: IP acct in ppp0 UDP 208.164.139.14:767
208.152.24.33:111 L=84 S=0x00 I=37203 F=0x0000 T=54

System logs showing attempt on telnet and portmapper:

Jun 18 23:49:48 earth in.telnetd[25124]: refused connect from
root pmnac1-4 inu net
Jun 18 23:49:49 earth in.telnetd[25127]: refused connect from
root pmnac1-4 inu net
Jun 18 23:49:56 earth portmap[25132]: connect from 208.164.139.14 to
dump(): request from unauthorized host
Jun 18 23:49:59 earth portmap[25133]: connect from 208.164.139.14 to
getport(mountd): request from unauthorized host
Jun 18 23:50:00 earth portmap[25134]: connect from 208.164.139.14 to
getport(mountd): request from unauthorized host

Access log showing more of same:

Jun 18 23:49:48 earth logger[25129]: remote mail poll from
root 208 164 139 14
Jun 18 23:49:49 earth logger[25131]: remote mail poll from
root 208 164 139 14

More:

Jun 18 23:19:39 earth ipop3d[25105]: connect from 209.20.133.158
Jun 18 23:21:01 earth ipop3d[25108]: connect from 209.20.133.158
Jun 18 23:49:48 earth in.telnetd[25124]: refused connect from
root pmnac1-4 inu net
Jun 18 23:49:48 earth imapd[25125]: connect from root 208 164 139 14
Jun 18 23:49:49 earth in.telnetd[25127]: refused connect from
root pmnac1-4 inu net
Jun 18 23:49:49 earth ipop3d[25126]: connect from root 208 164 139 14

More:

Jun 18 23:49:59 earth portmap[25133]: connect from 208.164.139.14 to
getport(mountd): request from unauthorized host
Jun 18 23:50:00 earth portmap[25134]: connect from 208.164.139.14 to
getport(mountd): request from unauthorized host

Web server logs showing attempted break-in:

pmnac1-4.inu.net - - [18/Jun/1998:23:49:57 -0700] "GET /cgi-bin/phf" 302 -
pmnac1-4.inu.net - - [18/Jun/1998:23:49:58 -0700] "GET /cgi-bin/test-cgi"
403 -
pmnac1-4.inu.net - - [18/Jun/1998:23:49:59 -0700] "GET /cgi-bin/handler"
404 -

I have taken measures to block all further access attempts from your
systems, and will be watching my logs very closely.  If I do not receive a
formal explanation of events within the next few hours (I see root is
logged in on your system now), I will be forwarding this information to
CERT and to the security lists of which I am a member.  If I determine that
any breach of information has occurred, I may prosecute.

Your response is anticipated,
-bp
--
B. James Phillippe <bryan terran org>
Linux Software Engineer, WGT Inc.
http://earth.terran.org/~bryan
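A small detector for the "doorknob trying" the post asks readers to watch for, added here as an example and not part of the original mail: it parses tcp_wrappers, portmap, ipfwadm accounting and Apache access lines of the kinds shown above, folds the scanning host's name and address into one key, and flags any source that touches three or more distinct services within a minute. The sample lines, the name-to-address alias and the thresholds are assumptions constructed for the example.

```python
import re
from collections import defaultdict
# "Jun 18 23:49:48 earth in.telnetd[25124]: refused connect from root@host"
SYSLOG = re.compile(r"^\w{3}\s+\d+ (\d\d:\d\d:\d\d) \S+ ([\w.]+)(?:\[\d+\])?: (.*)$")
# 'host - - [18/Jun/1998:23:49:57 -0700] "GET /cgi-bin/phf" 302 -'
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^:]+:(\d\d:\d\d:\d\d) [^\]]*\] "\w+ (\S+)')
# Source host inside a syslog message: "from root@h", "from h", "host=h", "TCP h:port"
SRC = re.compile(r"(?:from (?:\w+@)?|host=|TCP |UDP )([\w.-]+?)(?::\d+)?(?:\s|$)")
# Destination port in an ipfwadm accounting line: "... 208.152.24.33:6000 L=44 ..."
DST_PORT = re.compile(r"\d+\.\d+\.\d+\.\d+:(\d+) L=")
# tcp_wrappers logs the name, the firewall the address: fold both to one key (assumed mapping)
ALIASES = {"pmnac1-4.inu.net": "208.164.139.14"}
# Constructed sample modelled on the post's logs (one event per line, dots intact)
SAMPLE_LOG = """\
Jun 18 23:19:39 earth ipop3d[25105]: connect from 209.20.133.158
Jun 18 23:49:47 earth kernel: IP acct in ppp0 TCP 208.164.139.14:3624 208.152.24.33:6000 L=44 S=0x00 I=36775 F=0x0000 T=54
Jun 18 23:49:48 earth in.telnetd[25124]: refused connect from root@pmnac1-4.inu.net
Jun 18 23:49:56 earth portmap[25132]: connect from 208.164.139.14 to dump(): request from unauthorized host
pmnac1-4.inu.net - - [18/Jun/1998:23:49:57 -0700] "GET /cgi-bin/phf" 302 -
""".splitlines()

def parse_event(line):
    """Return (seconds-of-day, source, service) or None for a line not understood."""
    if m := CLF.match(line):
        host, hms, service = m.group(1), m.group(2), "http"
    elif (m := SYSLOG.match(line)) and (src := SRC.search(m.group(3))):
        hms, prog, msg = m.groups()
        port = DST_PORT.search(msg)
        service = "port/" + port.group(1) if prog == "kernel" and port else prog
        host = src.group(1)
    else:
        return None
    h, mi, s = (int(x) for x in hms.split(":"))
    return h * 3600 + mi * 60 + s, ALIASES.get(host, host), service

def find_scans(lines, window=60, min_services=3):
    """Return {source: services} for sources touching >= min_services distinct services within window seconds."""
    by_src = defaultdict(list)
    for line in lines:
        if ev := parse_event(line):
            by_src[ev[1]].append((ev[0], ev[2]))
    hits = {}
    for src, evs in by_src.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            svcs = {svc for t, svc in evs[i:] if t - t0 <= window}
            if len(svcs) >= min_services:
                hits[src] = sorted(svcs)
                break
    return hits
```

On the sample, the lone POP3 connection from 209.20.133.158 is left alone while 208.164.139.14 is reported with the X, telnet, portmapper and CGI probes it made in ten seconds.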


