[NTLUG:Discuss] crackers
Dan Carlson
dmcarlson at cwix.com
Thu Aug 26 17:59:36 CDT 1999
The gibberish (>(E^H^-(E^H^-(E^H^-(E^H^-(E^H^-) in your log file probably
indicates a buffer overflow attack of some sort. If it occurred as part of
an nfs mount attempt, the infiltrator might have been trying to take
advantage of the CERT CA-98.12 vulnerability. See
http://www.cert.org/advisories/CA-98.12.mountd.html for details. If you
were running a vulnerable version of nfs mountd at the time, this could be
how he got in. However, the 30-minute delay probably means that was not the
case. He probably kept trying and found some other vulnerability.
Be sure to change your issue message so that it doesn't indicate that you
are running Linux and what version you are running. Leaving the default
message makes it easy for crackers to target known weaknesses in each
distribution and version.
Be sure to obtain and install all the security updates for your
distribution.
Don't run any services you don't need to run.
For those services you do need to run, if you can restrict them to only
serve over your local network (rather than the whole internet), do so.
Many/most of the services can be configured this way, if you can find the
required info on how to do it in their documentation.
Dan Carlson
-----Original Message-----
From: lee <lknudsen at usa.alcatel.com>
To: discuss at ntlug.org <discuss at ntlug.org>
Date: Thursday, August 26, 1999 2:58 PM
Subject: Re: [NTLUG:Discuss] crackers
>first intrusion was around 9:00 in the a.m., a failed attempt to do
>some kind of NFS mount. couple of 30 minutes or so later were some
>kernel error messages and a bunch of gibberish
>(E^H^-(E^H^-(E^H^-(E^H^-(E^H^-( type stuff, so i knew something was
>up. then at about 9:30pm or so, i noticed ROOT LOGIN from tailing
>the system logs, and it wasn't me. after about 30-60 secs of sheer
>panic, i was about to %/sbin/ifdown eth0 but he was gone by then.
>guess i just shoulda reached up and unplugged the ethernet cable
>instead.
>
>first two intrusions were from different ip addys from home.com
>somewheres up near buffalo ny and the last one came from
>jaguarsystems.com dialup service in jersey.
>
>i could go on, but if y'all are really interested in a crack autopsy
>i could post what remains of the logs and some other interesting
>stuff later this evening
>
>-- lee
>
>Greg E wrote:
>>
>> Do you know how they got in, telnet?, news?, ftp? or what?
>>
>> I just got mine hooked up last night (ISDN) and I'm not sure how secure I
>> am yet.
>>
>> Greg E
>>
>> Lee Knudsen wrote:
>> >
>> > don't you just hate it when you have your cable modem up-and-running
>> > for LESS THAN FIVE DAYS and some cracker from jersey finds his way
>> > into your system and gets root access and deletes /var/log/* ??
>> > man, i *hate* it when that happens!
>> >
>> >
>> > -- lee
>> >
>>
>> _______________________________________________
>> http://ntlug.org/mailman/listinfo/discuss
>
>--
> _
> _| ~- Lee Knudsen
> \, _} Lee.Knudsen at usa.alcatel.com
> \( lee at brave.com
>100% of the shots you don't take don't go in.
> - Wayne Gretzky
>
>
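The log pattern Dan describes above (a run of non-printable bytes in which the same few characters recur at a fixed stride, which is what an overflow payload spraying one return address looks like once syslog has rendered the control bytes as ^H, ^- and so on) can be picked out mechanically. The following is an added example, not code from the thread or from anyone on the list; the log lines are constructed to resemble what lee reported (TEST-NET addresses, hypothetical hostname "box"), and the thresholds and the 8-repeat rule are assumptions to tune:

```python
import re
from typing import Dict, List, Optional

# Constructed sample syslog lines (not from the original thread). The second
# line imitates the "(E^H^-" junk quoted in the post: syslog shows control and
# high-bit bytes as ^H, ^- etc., so a sprayed 4-byte value repeats every four
# characters. Addresses are from the TEST-NET range; hostname "box" is made up.
SAMPLE_LOG = [
    "Aug 26 09:02:11 box mountd[412]: refused mount request from 192.0.2.7 for /home (/home): no export entry",
    "Aug 26 09:31:40 box mountd[412]: " + "(E\x08\x1d" * 40,
    "Aug 26 09:31:41 box kernel: Unable to handle kernel paging request at virtual address c0000000",
    "Aug 26 21:30:05 box login: ROOT LOGIN ON tty1",
    "Aug 26 21:45:12 box sshd[77]: Accepted password for lee from 192.0.2.9",
]

PRINTABLE = set(range(0x20, 0x7F)) | {0x09}           # printable ASCII plus tab
JUNK_THRESHOLD = 0.10                                  # assumed: >10% non-printable is suspicious
REPEAT_RE = re.compile(r"(.{3,8}?)\1{7,}", re.DOTALL)  # a 3..8 byte unit repeated 8+ times in a row


def unprintable_ratio(line: str) -> float:
    """Fraction of characters outside printable ASCII. syslog writes text,
    so a high ratio means raw payload bytes reached the log."""
    if not line:
        return 0.0
    return sum(1 for ch in line if ord(ch) not in PRINTABLE) / len(line)


def repeated_chunk(line: str) -> Optional[str]:
    """Return the short unit that repeats 8+ times back-to-back, or None.
    An overflow payload usually fills the buffer with one return address,
    so the same few bytes recur at a fixed stride. Whitespace runs (indented
    output) are ignored to avoid false positives."""
    m = REPEAT_RE.search(line)
    if m and not m.group(1).isspace():
        return m.group(1)
    return None


def classify(line: str) -> List[str]:
    """Tag one log line with the indicators relevant to this thread."""
    flags: List[str] = []
    if unprintable_ratio(line) > JUNK_THRESHOLD:
        flags.append("binary-junk")
    if repeated_chunk(line) is not None:
        flags.append("repeated-pattern")
    if " kernel: " in line:
        flags.append("kernel-message")
    if "ROOT LOGIN" in line:
        flags.append("root-login")
    if "mountd" in line:
        flags.append("mountd")
    return flags


def scan(lines: List[str]) -> Dict[int, List[str]]:
    """Map line index -> flags for every line that triggers at least one."""
    result: Dict[int, List[str]] = {}
    for i, line in enumerate(lines):
        flags = classify(line)
        if flags:
            result[i] = flags
    return result


if __name__ == "__main__":
    for i, flags in scan(SAMPLE_LOG).items():
        print(f"line {i}: {', '.join(flags)}")
        unit = repeated_chunk(SAMPLE_LOG[i])
        if unit:
            print(f"    repeated unit: {unit!r} ({len(unit)} bytes)")
```

Run it over whatever survives of /var/log/messages (feed the file's lines to scan) and read the flagged lines in time order; the gap between the "mountd" plus "repeated-pattern" line and the "root-login" line is exactly the delay Dan reasons about. The obvious caveat, given that lee's intruder deleted /var/log/*, is that this only works on logs the attacker could not edit, which is the case for sending syslog to a second machine.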