Security hole
Paul Jacobs
paul at netpacq.com
Wed Nov 3 21:33:24 UTC 1999
At 12:39 PM 11/3/1999 , you wrote:
>Would you mind telling the details of the exploit?
>
>It would be nice if we can ensure the exploit is not in 8.2.2.
>
>Thanks,
>-drc
This is what I sent to www.cert.org:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
version 5.1
July 1999
CERT(R) Coordination Center
Incident Reporting Form
CERT/CC has developed the following form in an effort to gather
incident information. If you believe you are involved in an incident,
we would appreciate your completing the form below. If you do not
believe you are involved in an incident, but have a question, send
email to:
cert at cert.org
Note that our policy is to keep any information specific to your site
confidential unless we receive your permission to release that
information.
Return this form to:
cert at cert.org
If you are unable to email this form, please send it by FAX. The CERT/CC
FAX number is: +1 412 268 6989
We would appreciate any feedback or comments you have on this Incident
Reporting Form. Please send your comments to:
cert at cert.org
Submit this form to: cert at cert.org
If you are unable to send email, fax this form to: +1 412 268 6989
Your contact information
name ...........:Paul Jacobs
email address...:paul at Netpacq.com
telephone number:858-541-0222
other...........:
Affected Machine(s)
(duplicate for each host)
hostname and IP.:208.239.156.6
timezone........:PST
Source(s) of the Attack
(duplicate for each host)
hostname or IP..: 167.7.17.196
timezone........:Unknown
been in contact?:No
hostname or IP..: tc260.bhnet.com.br
timezone........:Unknown
been in contact?:No
hostname or IP..: userBb004.videon.wave.ca
timezone........:Unknown
been in contact?:No
hostname or IP..: 199.103.168.126
timezone........:Unknown
been in contact?:No
hostname or IP..: mama.du.gtn.com
timezone........:Unknown
been in contact?:No
Description of the incident:
Starting Oct 20, 1999, below is a list of people that logged in to my Red
Hat 5.2 Linux system without permission (protocol with port number, and
source IP):
ftpd1872
167.7.17.196
ftpd2334
167.7.17.196
ftpd6350
tc260.bhnet.com.br
ftpd6350
ftpd6351
userBb004.videon.wave.ca
ftpd6351
ftpd21639
199.103.168.126
ftpd21639
ftpd21665
199.103.168.126
ftpd21665
ftpd4161
mama.du.gtn.com
ftpd4161
mama.du.gtn.com
System config:
Red Hat 5.2 no fixes
Bind 8.2.1 (added 10/02/99)
One of the above people got root access to my system through port 53, turned
on my ftpd service, created a tcpd config file to allow backdoor access to
my system, and then went about trying to clear logs to cover his and
anyone else's tracks!
Below is a copy of the netstat I captured during one of his attack runs:
Proto Recv-Q Send-Q Local Address  Foreign Address          State
tcp        0      0 ns3:823        huey.nawcad.navy.mi:111  CLOSE_WAIT
tcp        0      0 ns3:824        duey.nawcad.navy.mi:111  CLOSE_WAIT
tcp        0      0 ns3:825        luey.nawcad.navy.mi:111  CLOSE_WAIT
tcp        0      0 ns3:826        crabpot.stinigoes.n:111  CLOSE_WAIT
tcp        0      0 ns3:859        pax-dns2.nawcad.nav:111  CLOSE_WAIT
tcp        0      0 ns3:860        pax-dns1.nawcad.nav:111  CLOSE_WAIT
tcp        0      0 ns3:922        130.114.200.6:111        ESTABLISHED
tcp      272      0 ns3:802        heaven.ce.ntu.edu.t:111  ESTABLISHED
tcp        0      0 ns3:672        edtnas05.telusplane:111  ESTABLISHED
tcp        0      0 ns3:683        edtnas07.telusplane:111  ESTABLISHED
tcp        0      0 ns3:696        edtnas09.telusplane:111  ESTABLISHED
tcp        0      0 ns3:987        clgrps10.telusplane:111  ESTABLISHED
tcp        0      0 ns3:990        clgrps09.telusplane:111  ESTABLISHED
tcp        0      0 ns3:991        clgrps11.telusplane:111  ESTABLISHED
tcp        0      0 ns3:976        www.net-tech.bbn.co:111  ESTABLISHED
tcp        0      0 ns3:775        edtnps06.telusplane:111  ESTABLISHED
tcp        0      0 ns3:611        ltbrpx06-port-45.ag:111  CLOSE
tcp        0      0 ns3:917        edtnps07.telusplane:111  ESTABLISHED
tcp        0      0 ns3:995        edtnind1.telusplane:111  ESTABLISHED
tcp        0      0 ns3:686        edtnps03.telusplane:111  ESTABLISHED
tcp        0      0 ns3:687        edtnps05.telusplane:111  ESTABLISHED
tcp        0      0 ns3:649        radb2.merit.edu:111      ESTABLISHED
tcp        0      0 ns3:651        vif03.nic.merit.edu:111  ESTABLISHED
tcp        0      0 ns3:775        edtnps06.telusplane:111  ESTABLISHED
tcp        0      0 ns3:611        ltbrpx06-port-45.ag:111  CLOSE
tcp        0      0 ns3:917        edtnps07.telusplane:111  ESTABLISHED
tcp        0      0 ns3:995        edtnind1.telusplane:111  ESTABLISHED
tcp        0      0 ns3:686        edtnps03.telusplane:111  ESTABLISHED
tcp        0      0 ns3:687        edtnps05.telusplane:111  ESTABLISHED
tcp        0      0 ns3:649        radb2.merit.edu:111      ESTABLISHED
tcp        0      0 ns3:651        vif03.nic.merit.edu:111  ESTABLISHED
tcp        0     44 ns3:895        www.pdslex.com:111       CLOSE
tcp        0      0 ns3:691        lh2.rdc2.occa.home.:111  ESTABLISHED
tcp        0     44 ns3:866        ingersoll-ip030.tm.:111  CLOSE
tcp        0      0 ns3:988        billing.us.net:111       CLOSE
tcp        1      0 ns3:924        x2haup33.asb.com:111     CLOSE_WAIT
tcp        0      0 ns3:730        yr.com:111               ESTABLISHED
tcp        0      0 ns3:929        209.185.159.214:111      ESTABLISHED
tcp        1      0 ns3:926        lanzelot.blb.de:111      CLOSE_WAIT
tcp        0      0 ns3:625        206.169.119.72:111       ESTABLISHED
tcp        0     44 ns3:689        china-whb.com:111        CLOSE
tcp        1      0 ns3:711        cc1008071-b.wlgrv1.:111  CLOSE_WAIT
tcp        0      0 ns3:1021       web21.zdnet.com:111      ESTABLISHED
tcp        0      0 ns3:729        pw-admin.arx.com:111     CLOSE_WAIT
tcp        0      0 ns3:692        194.216.217.166:111      ESTABLISHED
tcp        0      0 ns3:619        att-bt-globalventur:111  CLOSE_WAIT
tcp        0     44 ns3:698        rumor.research.att.:111  CLOSE
tcp        0     44 ns3:999        auspoly.auschar.com:111  CLOSE
tcp      252      0 ns3:757        q.cfu.net:111            ESTABLISHED
tcp      252      0 ns3:757        q.cfu.net:111            ESTABLISHED
tcp        1      0 ns3:937        hobbits.brel.com:111     CLOSE_WAIT
tcp        0      0 ns3:844        opus.cfw.com:111         ESTABLISHED
tcp        0      0 ns3:740        207.220.3.1:111          ESTABLISHED
tcp        0      0 ns3:743        teaspoon.azc.com:111     ESTABLISHED
tcp        0    126 ns3:telnet     ns1.netpacq.net:2154     ESTABLISHED
tcp        0      2 ns3:769        dhcp248-203.vlb2-e2:111  SYN_SENT
tcp        0      2 ns3:894        brg207x82x132x154.b:111  SYN_SENT
tcp        0      2 ns3:877        pims.nima.mil:111        SYN_SENT
udp        0      0 localhost:domain *:*
udp        0      0 ns3:domain     *:*
udp        0      0 ns3:137        *:*
udp        0      0 ns3:138        *:*
As you can see, for some reason the attacks only go out on port 111??
The system in question has been wiped and reloaded with the default BIND
version that comes with Red Hat 5.2. The problem has not come back up yet!?
I have one or two networks that have blocked my IP range, so I am unable to
send them anything.
>Paul Jacobs wrote:
> >
> > F.Y.I. -
> >
> > I found a hole in BIND 8.2.1 that allowed a hacker to gain root access to
> > my Red Hat box running 8.2.1, and start using my system as a gateway!!
> >
> > I reloaded my Red Hat box and went back to the BIND version that comes with
> > 5.2 and all is well again..
Best regards,
Paul Jacobs /Senior Network Eng.
Commerce Service Provider (CSP)
Internet Presence Provider (IPP)
Streaming Video and MPEG
http://www.netpacq.com
mailto:paul at netpacq.com
Picture : http://www.netpacq.com/nis_team.htm
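The netstat capture in the report is the most useful evidence on this page: ns3 holds dozens of TCP connections to port 111 (the RPC portmapper) on unrelated hosts, each opened from a different local port below 1024, while the only session in the other direction is the telnet from ns1.netpacq.net. The script below is an added example, not part of Paul's mail, of the CERT form or of BIND: it parses netstat lines of that shape and flags two things a responder would want to check automatically, namely one remote port contacted on many distinct hosts (an outbound sweep) and outbound sockets bound to source ports under 1024, which only a root process can bind. The sample lines are copied from the post's netstat output; the direction heuristic and the five-host threshold are my assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input: netstat lines copied from the post above and
# reflowed to one socket per line (header, some of the port-111 connections,
# the telnet session from ns1.netpacq.net and the UDP sockets).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 ns3:823 huey.nawcad.navy.mi:111 CLOSE_WAIT
tcp 0 0 ns3:824 duey.nawcad.navy.mi:111 CLOSE_WAIT
tcp 0 0 ns3:922 130.114.200.6:111 ESTABLISHED
tcp 272 0 ns3:802 heaven.ce.ntu.edu.t:111 ESTABLISHED
tcp 0 0 ns3:672 edtnas05.telusplane:111 ESTABLISHED
tcp 0 44 ns3:895 www.pdslex.com:111 CLOSE
tcp 0 126 ns3:telnet ns1.netpacq.net:2154 ESTABLISHED
tcp 0 2 ns3:769 dhcp248-203.vlb2-e2:111 SYN_SENT
tcp 0 2 ns3:877 pims.nima.mil:111 SYN_SENT
udp 0 0 localhost:domain *:*
udp 0 0 ns3:domain *:*
udp 0 0 ns3:137 *:*
"""

# One netstat socket line: proto, the two queue counters, local and foreign
# "host:port" (hosts may be names truncated by netstat) and an optional state.
LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+(?P<recvq>\d+)\s+(?P<sendq>\d+)\s+"
    r"(?P<laddr>\S+):(?P<lport>\S+)\s+(?P<faddr>\S+):(?P<fport>\S+)"
    r"(?:\s+(?P<state>\S+))?$"
)


def parse_netstat(text):
    """Return one dict per socket line; the header and unparseable lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            sockets.append(m.groupdict())
    return sockets


def is_outbound_client(sock):
    """Assumed direction heuristic: a TCP socket whose local port is a bare
    number and whose foreign port is a service port (a name, or below 1024)
    was opened by a client on this host. 'ns3:telnet' fails the test because
    the named service is on the local side, i.e. an inbound session."""
    if sock["proto"] != "tcp" or sock["fport"] == "*":
        return False
    if not sock["lport"].isdigit():
        return False
    fport = sock["fport"]
    return not fport.isdigit() or int(fport) < 1024


def outbound_sweeps(sockets, min_hosts=5):
    """Map each remote port to the distinct remote hosts contacted on it,
    keeping ports seen on at least min_hosts hosts (threshold is arbitrary).
    One machine talking to one service port on many unrelated hosts is
    sweeping for that service; in the post that port is tcp/111, the portmapper."""
    hosts_by_port = defaultdict(set)
    for s in sockets:
        if is_outbound_client(s):
            hosts_by_port[s["fport"]].add(s["faddr"])
    return {port: sorted(hosts) for port, hosts in hosts_by_port.items()
            if len(hosts) >= min_hosts}


def reserved_source_ports(sockets):
    """Local ports below 1024 used by outbound client sockets. Binding such a
    port needs root, so a sweep run from them came from a root-level process,
    which matches the root compromise described in the report."""
    return sorted(int(s["lport"]) for s in sockets
                  if is_outbound_client(s) and int(s["lport"]) < 1024)


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE_NETSTAT)
    for port, hosts in outbound_sweeps(socks).items():
        print(f"outbound sweep of tcp/{port}: {len(hosts)} hosts, e.g. {', '.join(hosts[:3])}")
    print("outbound sockets on root-only source ports:", reserved_source_ports(socks))
```

Run against the full capture on the page the same way: only port 111 crosses the threshold, every client socket sits on a source port below 1024, and the telnet session drops out because its named service is on the local side. The heuristic is deliberately simple and will misjudge servers that run on unprivileged ports, so treat the output as triage, not proof.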
More information about the bind-users mailing list