[Leaplist] Server break-in attempt, a couple of QUESTIONS.

Richard F. Ostrow Jr. kshots at warfaresdl.com
Fri Sep 7 12:32:34 EDT 2007


On Fri, September 7, 2007 6:52 am, patrick wrote:
> patrick wrote:
>> David Simmons wrote:
>>> Guys/Gals,
>>>
>>>  Just was able to catch a 'break in attempt' on one
>>> of my webservers
>>>
>>>  It was from the RIPE network in
>>> Amsterdam....IP address was 86.126.41.177
>>>
>>>
>>> they were logging in through the NAGIOS user and (trying to run)
>>> two programs (files from):
>>>
>>>  brute.tgz
>>>  fast.tgz
>>>
>>>  Just a word of caution to double-check those servers....
>>>
>>>
>>> dave
>>
>> My whois query brings back:
>>
>>> % This is the RIPE Whois query server #1.
>>> % The objects are in RPSL format.
>>> %
>>> % Rights restricted by copyright.
>>> % See http://www.ripe.net/db/copyright.html
>>>
>>> % Note: This output has been filtered.
>>> %       To receive output for a database update, use the "-B" flag.
>>>
>>> % Information related to '86.126.41.0 - 86.126.41.255'
>>>
>>> inetnum:        86.126.41.0 - 86.126.41.255
>>> netname:        RO-RCS-RDS-FIBERLINK
>>> descr:          RCS & RDS S.A.
>>> descr:          FiberLink Customers
>>> descr:          Craiova city
>>> country:        RO
>>> admin-c:        RDS-RIPE
>>> tech-c:         RDS-RIPE
>>> status:         ASSIGNED PA
>>> mnt-by:         AS8708-MNT
>>> source:         RIPE # Filtered
>>>
>>> role:           Romania Data Systems NOC
>>> address:        71-75 Dr. Staicovici
>>> address:        Bucharest / ROMANIA
>>> phone:          +40 21 30 10 888
>>> fax-no:         +40 21 30 10 892
>>> e-mail:         contact-tech at rdsnet.ro
>>> admin-c:        CN19-RIPE
>>> admin-c:        GEPU1-RIPE
>>> tech-c:         CN19-RIPE
>>> tech-c:         GEPU1-RIPE
>>> nic-hdl:        RDS-RIPE
>>> mnt-by:         AS8708-MNT
>>> remarks:        +-----------------------------------------------------------+
>>> remarks:        | ABUSE CONTACT: abuse at rdsnet.ro IN CASE OF HACK ATTACKS,   |
>>> remarks:        | ILLEGAL ACTIVITY, VIOLATION, SCANS, PROBES, SPAM, ETC.    |
>>> remarks:        +-----------------------------------------------------------+
>>> source:         RIPE # Filtered
>>>
>>> % Information related to '86.120.0.0/13AS8708'
>>>
>>> route:        86.120.0.0/13
>>> descr:        RDSNET
>>> origin:       AS8708
>>> mnt-by:       AS8708-MNT
>>> source:       RIPE # Filtered
>>>
>>>
>
> John Simpson has some great advice.  I am saving that.
>
> Are you going to notify abuse at rdsnet.ro about this?  A printout in a
> file, even, would be a good reminder of the exploits, their source, and
> the cure that John has suggested!

I doubt it. This isn't going to be where the attack originated from, only
where the last hop point was. I can very nearly guarantee that whoever did
this compromised other machines first and tunnelled from one to another.
The attacker just isn't there (but that machine was compromised).

Just looking at the nature of the attack tells you that much. They're
doing port scans and such looking for other victims and probably filling
some database somewhere full of exploited usernames and passwords. Just
fix your account, make sure there are no others like that, and if you
suspect root access was obtained wipe the whole machine... otherwise, just
wipe that account (and re-install all software that came with that account
- if that account had write access to anything, it's suspect).

I had a similar problem recently when I flew out to Korea. For an
install-fest recently, I had created a temporary account (tmp) with the
password tmp to show how remote-X works over ssh. I had forgotten to
remove this account after the install-fest, and when I plugged my laptop
in at Korea it was almost immediately compromised in a similar method -
someone was running something they compiled locally ("a.out") which took
nearly all the processor doing whatever they were doing. When I terminated
the connections, they left no files behind... so I removed the account and
wiped the /tmp directory (it had write access there). No more break-in
attempts were noted, and that account had no capability to gain root
access (not in wheel group).

>
> Does running a web server on the amber port of an IPCOP box protect the
> web server from most exploits?

No, a port scan will reveal that you're running a web server on another
port, which will direct the web server attack to that port. I wouldn't
treat that as "safe".
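The clean-up advice above (find every account that can log in, check which of them could reach root, look for things running out of /tmp) as a small triage script. This is an added example, not something posted in the thread; it assumes a Linux /proc filesystem and takes the privileged group name ("wheel" here) as a parameter, and the passwd/group lines are constructed sample data, not real hosts.

```shell
#!/bin/sh
# Post-incident triage helpers for the cases in the thread: service or leftover
# accounts that can log in, whether any of them sit in the wheel group, and
# processes running out of /tmp. Assumes Linux /proc; the group name is a parameter.

# Constructed sample data standing in for /etc/passwd and /etc/group.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
nagios:x:104:108::/var/lib/nagios:/bin/bash
tmp:x:1001:1001:install-fest demo:/home/tmp:/bin/bash
www-data:x:33:33::/var/www:/usr/sbin/nologin'
SAMPLE_GROUP='wheel:x:10:root,nagios
nagios:x:108:'

# Accounts whose shell allows an interactive login (field 7 not nologin/false).
interactive_accounts() {
    printf '%s\n' "$1" | awk -F: '$7 != "" && $7 !~ /(nologin|false)$/ { print $1 }'
}

# Members listed on a given group line (field 4, comma separated).
group_members() {
    printf '%s\n' "$1" | awk -F: -v g="$2" '$1 == g { gsub(/,/, "\n", $4); print $4 }'
}

# Interactive accounts that are also in the privileged group: a stolen password
# on one of these is a root-access problem, not just an account problem.
privileged_interactive() {
    for u in $(interactive_accounts "$1"); do
        for m in $(group_members "$2" "$3"); do
            if [ "$u" = "$m" ]; then echo "$u"; fi
        done
    done
    return 0
}

# Live check: processes whose binary lives under /tmp or /var/tmp (the "a.out" case).
procs_from_tmp() {
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case "$exe" in
            /tmp/*|/var/tmp/*) echo "${p#/proc/} $exe" ;;
        esac
    done
    return 0
}

echo "Interactive accounts:"; interactive_accounts "$SAMPLE_PASSWD"
echo "Interactive accounts in wheel:"; privileged_interactive "$SAMPLE_PASSWD" "$SAMPLE_GROUP" wheel
echo "Processes running from /tmp:"; procs_from_tmp
```

On a real host, feed it the contents of /etc/passwd and /etc/group instead of the samples; readlink on another user's /proc entry needs root, so run the last check as root to see every process.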
