A couple of days ago a cracker broke into one of my systems. Not that it wasn't my own fault. In order to accommodate a Microsoft user's inability to use a secure protocol, I had opened up ftp on one of my DMZ boxes - that's what they are there for, after all (behind one firewall and in front of the main firewalls to the rest of the real network). The interesting thing is that this was a Red Hat 7.2 distribution that contained reasonably current code. I haven't taken a lot of time to examine the box, merely moved it into a non-public (not NAT-ed) portion of the DMZ and put another one in its place.

What I have determined so far is that ftp (not set up for anonymous) was attacked and sshd was overwritten with a custom version of the cracker's. The hacked version of sshd listens on a high port and refuses to connect to anything other than a list of his/her own hosts (using a modified version of the tcpwrapper). The problem on this box, of course, is that telnet is disabled and ssh is the only way to get in, thus it was apparent when it happened. For some reason the hacker cloaked the sshd config file (why? Instead of hard coding in their own config?). Also, since the regular functionality of sshd was removed, it became apparent that something had happened (if tripwire hadn't reported it).

The really funny thing is that these boxes are in the .nu domain and as far as I know the PRC (where the attack originated, at a military site) is not interested in an island 2500 miles southeast of New Zealand (petrified bird shit; they have one of the highest per capita incomes in the world, believe it or not; you have to get into the richest private oil nations such as Nepal for higher). Now perhaps the PRC was merely looking for out of the way test boxes, so I suppose Nauru would qualify. Or perhaps they were simply going through US network blocks by IP and happened upon mine in the week or so it was open?

The real irony is that the hostname of the box is 'hongke', which is 'hacker' in Mandarin - but means 'good hacker', literally 'red guest'. Although its public name is something boring like host7.somting.nu or something like that, and they would have had to connect to the ftp port (open less than a week) to see the Chinese name (heh, maybe they figured they were invited). I sent email to the domain technical contact (from a different domain) giving a few details, offering more if they were interested, and suggesting they hire this guy/gal. (Sort of an I-know-that-you-know-that-I-know kinda thingy - the Chinese love that manner of thing.) What's-her-name suggested I report it to the FBI, but I figure those guys ain't exactly worried about the PRC right about now, and they don't like to hear about things they don't discover themselves anyhow (or understand, for that matter).
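The two things that gave the trojaned sshd away in the post above are a file-integrity baseline no longer matching (what tripwire reports) and sshd listening on a high port instead of 22. As an added example that is not code from the original post or any of the replies, here is a small Python script that implements both checks in their simplest form. Every path, file content, PID, hostname and the port number 9999 in it is constructed for the example; on a real host you would hash the installed binaries and config files, keep the baseline off the box, and feed in the output of `netstat -tlnp` or `ss -tlnp`.

```python
"""Tripwire-style baseline comparison plus a listening-port sanity check.

Added example, not code from the original post. It models the two
signals the post describes: files such as /usr/sbin/sshd no longer
matching a known-good baseline, and sshd listening on a high port
instead of 22. Every input below (file contents, paths, PIDs, the
port number 9999, the netstat-style lines) is constructed for the
example; on a real host you would hash the installed binaries and
config files and parse the output of `netstat -tlnp` or `ss -tlnp`.
"""
import hashlib
import re


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: dict) -> dict:
    """Map path -> SHA-256 of contents. Run this on a known-good install
    and store the result off-box, otherwise an intruder can rewrite it."""
    return {path: sha256_hex(content) for path, content in files.items()}


def compare_to_baseline(baseline: dict, current_files: dict) -> dict:
    """Report files whose hash changed, that vanished, or that appeared."""
    current = build_baseline(current_files)
    report = {"modified": [], "missing": [], "added": []}
    for path, digest in baseline.items():
        if path not in current:
            report["missing"].append(path)
        elif current[path] != digest:
            report["modified"].append(path)
    report["added"] = [p for p in current if p not in baseline]
    for key in report:
        report[key].sort()
    return report


# One `netstat -tlnp` style line: proto, queues, local addr:port,
# foreign addr, state, PID/program. Only LISTEN lines are of interest.
LISTEN_RE = re.compile(
    r"^tcp\S*\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s+(\d+)/(\S+)"
)


def unexpected_listeners(netstat_lines, expected: dict) -> list:
    """Return (program, pid, addr, port) for every listener that is not
    on a port we expect that program to use. A daemon on a port it has
    no business using, or a program we never expected to listen at all,
    is flagged."""
    findings = []
    for line in netstat_lines:
        m = LISTEN_RE.match(line.strip())
        if not m:
            continue
        addr, port = m.group(1), int(m.group(2))
        pid, prog = int(m.group(3)), m.group(4)
        if port not in expected.get(prog, set()):
            findings.append((prog, pid, addr, port))
    return findings


# --- constructed sample data (not real file contents) -------------------
BASELINE_FILES = {
    "/usr/sbin/sshd": b"\x7fELF original sshd from the distribution package",
    "/etc/ssh/sshd_config": b"Port 22\nPermitRootLogin no\n",
    "/etc/hosts.allow": b"sshd: ALL\n",
}

# After the break-in: sshd replaced, its config gone, and a dotfile the
# trojan reads instead (assumed layout for the example).
COMPROMISED_FILES = {
    "/usr/sbin/sshd": b"\x7fELF trojaned sshd, listens on a high port",
    "/etc/hosts.allow": b"sshd: ALL\n",
    "/usr/lib/.sshd.conf": b"Port 9999\nAllowHosts attacker.example\n",
}

NETSTAT_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      598/in.ftpd
tcp        0      0 0.0.0.0:9999            0.0.0.0:*               LISTEN      612/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      644/sendmail
""".splitlines()

EXPECTED_LISTENERS = {"sshd": {22}, "in.ftpd": {21}, "sendmail": {25}}


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_FILES)
    print("integrity:", compare_to_baseline(baseline, COMPROMISED_FILES))
    print("listeners:", unexpected_listeners(NETSTAT_SAMPLE, EXPECTED_LISTENERS))
```

The integrity check is only as trustworthy as the baseline's storage: a baseline kept on the compromised host can be rewritten along with sshd, which is why tripwire databases are normally kept read-only or off-box. The listener check catches the other symptom independently, so a replaced binary that keeps its hash database in step still shows up as a daemon on a port it should not be using.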
8 responses total.
Did the mail bounce? I've had bad luck trying to send mail to the administrative addresses for Chinese netblocks. They're also common spam sources. It's gotten so bad that some of the spam blacklists contain pretty much all of the Chinese netblocks, now.
How can you be sure the intruder was white?
Huh? I don't regard anyone that penetrates my network as 'white' unless I know them.
well you *did* call him a "cracker".
<rim shot>
Oh. Heh, I get it now... actually s/he was 'yellow' as it came from the PRC.
So, more like a Club cracker?
heh-heh
- Backtalk version 1.3.30 - Copyright 1996-2006, Jan Wolter and Steve Weiss