bdh3
Cracked (again).
Apr 29 04:27 UTC 2002
A couple days ago a cracker broke into one of my systems. Not
because it wasn't my own fault. In order to accommodate a Microsoft
user's inability to use a secure protocol I had opened up ftp
on one of my DMZ boxes - that's what they are there for after
all (behind one firewall and in front of the main firewalls to the
rest of the real network). The interesting thing is that this
was a Red Hat 7.2 distribution that contained reasonably current
code. I haven't taken a lot of time to examine the box, merely
moved it into a non-public (not NAT-ed) portion of the DMZ and put
another one in its place. What I have determined so far is that
ftp (not set up for anonymous) was attacked and sshd was overwritten
with a custom version of the cracker's. The hacked version of
sshd listens at a high port and refuses to connect to anything other
than a list of his/her own hosts (using a modified version of
the tcpwrapper). Problem on this box of course is that telnet
is disabled and ssh is the only way to get in, thus it was
apparent when it happened. For some reason the hacker cloaked
the sshd config file (why? Instead of hard coding in own config?).
Also since the regular functionality of sshd was removed it became
apparent that something had happened (if tripwire hadn't reported
it).

The really funny thing is that these boxes are in the .nu domain
and as far as I know the PRC (where the attack originated at
a military site) is not interested in an island 2500 miles southeast
of New Zealand (petrified bird shit, they have one of the highest
per capita incomes in the world believe it or not, you have to
get into the richest private oil nations such as Nepal for
higher). Now perhaps the PRC was merely looking for out of the
way test boxes so I suppose Nauru would qualify. Or perhaps they
were simply going through US network blocks by IP and happened
upon mine in the week or so it was open?

The real irony is that the hostname of the box is 'hongke' which
is 'hacker' in Mandarin - but means 'good hacker', literally
'red guest'. Although its public name is something boring like
host7.somting.nu or something like that and they woulda had
to connect to the ftp port (open less than a week) to see the
Chinese name (heh, maybe they figures they was invited).

I sent email to the domain technical contact (from a different domain)
giving a few details, offering more if they were interested,
and suggesting they hire this guy/gal. (Sort of an I know that
you know that I know kinda thingy - the Chinese love those manner
of.) What's-her-name suggested I report it to the FBI but I figure
those guys ain't exactly worried about the PRC right about now, and
they don't like to hear about things they don't discover themselves
anyhow (or understand for that matter).
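The kind of check that would have flagged this box, added here as an example (not the poster's code, and nothing from the actual incident): a tripwire-style hash comparison of sshd and its config against a recorded baseline, plus a scan of `ss -tlnp`-style output for an sshd listening anywhere but port 22. The listener lines, baseline hashes, paths and the expected-service list are all constructed assumptions for the example.

```python
import hashlib
import re

# Constructed `ss -tlnp`-style lines (not captured from the poster's box):
# sshd should only listen on 22; a second sshd on a high port is the pattern
# described in the post.
SAMPLE_LISTENERS = """\
LISTEN 0 128 0.0.0.0:22    0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 0.0.0.0:21    0.0.0.0:* users:(("vsftpd",pid=901,fd=4))
LISTEN 0 128 0.0.0.0:40022 0.0.0.0:* users:(("sshd",pid=4022,fd=3))
"""

# Constructed tripwire-style baseline: path -> sha256 recorded when the box
# was built. In a real deployment this database lives on read-only media.
BASELINE = {
    "/usr/sbin/sshd": hashlib.sha256(b"good sshd").hexdigest(),
    "/etc/ssh/sshd_config": hashlib.sha256(b"Port 22\n").hexdigest(),
}

# Constructed "current" file contents standing in for reading the files
# from disk; the sshd binary has been replaced, the config has not.
CURRENT_FILES = {
    "/usr/sbin/sshd": b"trojaned sshd",
    "/etc/ssh/sshd_config": b"Port 22\n",
}

# Pulls the local port, process name and pid out of one `ss -tlnp` line.
LISTENER_RE = re.compile(r':(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)')


def unexpected_listeners(ss_output, expected=(("sshd", 22), ("vsftpd", 21))):
    """Return (process, port, pid) triples not in the expected (proc, port) set."""
    found = []
    for line in ss_output.splitlines():
        m = LISTENER_RE.search(line)
        if not m:
            continue
        port, proc, pid = int(m.group(1)), m.group(2), int(m.group(3))
        if (proc, port) not in expected:
            found.append((proc, port, pid))
    return found


def modified_files(baseline, current):
    """Return paths whose current hash differs from (or is missing in) the baseline."""
    return sorted(
        path for path, data in current.items()
        if hashlib.sha256(data).hexdigest() != baseline.get(path)
    )


if __name__ == "__main__":
    print("unexpected listeners:", unexpected_listeners(SAMPLE_LISTENERS))
    print("modified files:", modified_files(BASELINE, CURRENT_FILES))
```

Run against real output, both checks only mean something when the baseline and the `ss` binary itself are trusted, which is exactly why the poster's tripwire report mattered.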

8 responses total.

gull
response 1 of 8:
Apr 29 12:58 UTC 2002
Did the mail bounce? I've had bad luck trying to send mail to the
administrative addresses for Chinese netblocks. They're also common spam
sources. It's gotten so bad that some of the spam blacklists contain
pretty much all of the Chinese netblocks, now.

jazz
response 2 of 8:
May 3 15:43 UTC 2002
How can you be sure the intruder was white?

bdh3
response 3 of 8:
May 4 05:36 UTC 2002
Huh? I don't regard anyone that penetrates my network as
'white' unless I know them.

oval
response 4 of 8:
May 4 09:31 UTC 2002
well you *did* call him a "cracker".

orinoco
response 5 of 8:
May 5 21:40 UTC 2002
<rim shot>

bdh3
response 6 of 8:
May 6 06:03 UTC 2002
Oh. Heh, I get it now... actually s/he was 'yellow' as it
came from the PRC.

goose
response 7 of 8:
May 15 14:57 UTC 2002
So, more like a Club cracker?

tsty
response 8 of 8:
May 22 10:50 UTC 2002
heh-heh