Living on the Front Line

(Gathered from Internet posts)

On July 6, at slightly after 2 am local time (PDT, 7 hours west of UTC), an intruder installed a TCP/IP-sniffing daemon on one of the machines at a2i Communications (domain rahul.net).  The sniffer was discovered and disabled on the evening of the same day, about 18 hours later.  During this time, the daemon collected data including passwords.

Here is a summary of the intruder's tracks discovered in combination on the hosts bolero.rahul.net [192.160.13.1] and jive.rahul.net [192.160.13.2].  Both are SPARC machines running SunOS 4.1.3.

1.)  A number of setuid-root programs, which would instantly yield a root shell when executed.  We found these with the command: find / -fstype nfs -prune -o -perm -04000 -print

2.)  Two processes, one listening on UDP port 891 and another listening on UDP port 937.  We could detect these bound ports with the lsof program.

3.)  A daemon that monitored the /dev/nit device, keeping the Ethernet interface le0 in promiscuous mode, and recorded the first few bytes of each Telnet, FTP, and rlogin session, apparently to collect passwords.  Output was collected in a log file.  We could detect the promiscuous mode of le0 with the command /usr/etc/ifconfig le0, which printed information similar to this:

le0: flags=163<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC>

4.)  A daemon listening on TCP port 3011 which would accept a connection (no password needed) and immediately provide a root shell.  The intruder could later connect to this port and use the root shell to collect the contents of the log file.  We could detect this bound port with the lsof program.

5.)  We were able to monitor the local network and observe incoming connections to port 3011 from the following hosts:

joe.me.uiuc.edu 7:05 pm PDT July 6
athena brynmawr.edu 6:54 am PDT July 8

We believe that during the connection at 7:05 pm on July 6 from joe.me.uiuc.edu the intruder was able to collect the contents of the log file.  The connection attempt at 6:54 am on July 8 was benign, because the intruder's processes were no longer active.

From the log file collected by the intruder's daemon, we have made a list of potentially affected hosts and it is given below.  A numeric IP address indicates failure of the SunOS 4.1.3 gethostbyaddr routine to resolve the name - this usually means that either reverse resolution failed, or that reverse resolution yielded a name that could not be resolved back to the original IP address.

A quick script was used to filter out of the log file the entries for FTP sessions in which the target user was anonymous or ftp, and the entries for connections not involving any host external to our network.  All other hostnames recorded by the sniffer are included in this list.  Site administrators at all these hosts are advised to search their systems for possible intrusions.  They should assume that if their users accessed a2i, or if any a2i user accessed their site, a password might have been logged.  We are mailing a warning message to postmaster at each affected host.  The message includes the specific entries found for that host in the intruder's log.

A script was run to attempt to Telnet to port 3011 on each host in the attached list, attempting to find out if a similar intrusion was in progress anywhere.  No active port 3011 was reached on any of these hosts.  There is, however, no guarantee that the intruder will always use port 3011.

All sites should look at their logs and search for connections to and from the domain rahul.net and/or from any host on the network 192.160.13.0, at any time before approximately 11:00 pm July 6.  All cleartext passwords used in such sessions should be considered suspect.

For safety, it may be wise to assume that any password transmitted during the last eight weeks has been compromised - since it cannot be guaranteed that previous undetected intrusions did not happen.

It is not yet clear by which mechanism the intruder gained access.

The general format of the intruder's log is shown below:

===== Begin sample log entry =====

- TCP/IP LOG - TM: Wed Jul 6 03:47:55 - 
PATH: name.of.source.host (source_port) => name.of.destination.host (dest_port)
STAT: Wed Jul 6 03:48:34, 48 pkts, 128 bytes [DATA LIMIT]
DATA: < data bytes here >
    : < data bytes here >
    : < data bytes here >

===== End sample log entry =====
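As an added example (not part of the original posts), here is a small parser for the log format above that applies the two filters the advisory describes: it drops FTP sessions whose USER was anonymous or ftp, and drops connections with no host outside a2i's network, then lists the external hosts to warn.  The log entries are constructed; the network 192.160.13.0/24 and the domain rahul.net are taken from the advisory.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample in the format of the intruder's log (not real captured data).
SAMPLE_LOG = """\
- TCP/IP LOG - TM: Wed Jul 6 03:47:55 -
PATH: 129.108.1.10 (1023) => bolero.rahul.net (23)
DATA: alice
- TCP/IP LOG - TM: Wed Jul 6 04:02:11 -
PATH: wuarchive.wustl.edu (1040) => jive.rahul.net (21)
DATA: USER anonymous
    : PASS guest@
- TCP/IP LOG - TM: Wed Jul 6 04:10:00 -
PATH: jive.rahul.net (1041) => 192.160.13.1 (513)
DATA: bob
- TCP/IP LOG - TM: Wed Jul 6 05:00:00 -
PATH: joe.me.uiuc.edu (2001) => bolero.rahul.net (21)
DATA: USER carol
"""
LOCAL_NET = ip_network("192.160.13.0/24")  # a2i's own network, from the advisory
PATH_RE = re.compile(r"^PATH: (\S+) \((\d+)\) => (\S+) \((\d+)\)$")

def is_local(host):
    """Local means a name under rahul.net or an (unresolved) address in 192.160.13.0/24."""
    try:
        return ip_address(host) in LOCAL_NET
    except ValueError:
        return host.lower().endswith(".rahul.net")
def parse_entries(text):
    """Yield one dict per '- TCP/IP LOG -' entry; DATA continuation lines are gathered."""
    entry = None
    for line in text.splitlines():
        if line.startswith("- TCP/IP LOG -"):
            if entry: yield entry
            entry = {"data": []}
        elif line.startswith("PATH: "):
            m = PATH_RE.match(line)
            entry.update(src=m[1], sport=int(m[2]), dst=m[3], dport=int(m[4]))
        elif line.startswith("DATA: ") or line.startswith("    : "):
            entry["data"].append(line[6:])
    if entry: yield entry

def anonymous_ftp(entry):
    """FTP session whose USER was anonymous or ftp: no real password was captured."""
    m = re.match(r"USER\s+(\S+)", " ".join(entry["data"]), re.I)
    return entry["dport"] == 21 and bool(m) and m[1].lower() in ("anonymous", "ftp")
def affected_hosts(text):
    """External hosts to warn: drop anonymous-FTP and purely internal sessions."""
    keep = [e for e in parse_entries(text) if not anonymous_ftp(e)]
    return sorted({h for e in keep for h in (e["src"], e["dst"]) if not is_local(h)})
```

Running `affected_hosts(SAMPLE_LOG)` on the constructed sample yields the two external hosts, while the anonymous FTP login and the jive-to-bolero rlogin are discarded.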

List of potentially compromised hosts.

Postmaster at each site - please check your incoming mail.


"If someone's hacked our system, we'd certainly like to know about it, although it's very doubtful; more likely, this is just someone trying to make you nervous"  --- Netcom Admin, 2600, Summer 1994

Date: Wed, 13 Jul 94 18:22:12 PDT 
Subject: Hacker Break In CERT#12804

Hi;

We were one of many systems that were attacked this past weekend.  Unfortunately my system was compromised.  The attached is a description of the hacker's dirty work and a suggested plan to try to prevent future attacks.  I am sharing this because it is amazing how everyone seems to clam up if they are attacked and/or broken into.  It of course hurts the "professional" pride to be hacked, but the only way to stop this is to spread the information.  The "head in the sand" reactions are not going to make this problem go away.  This particular hack used several "textbook" methods to try to break in and it still worked, surprisingly enough and surprisingly well.  I am running a Sun and PC network with a PPP link to the Internet.  Hope this can help somebody else not get caught unprepared.

Subject: Response to the Hacker attack of July 8th-11th 1994. 
Synopsis of the Break in:

On Friday July 8th 1994 at 23:09, an incoming mail message was received by IRT's mail server.  The message came in from Netcom (machine: netcom11.netcom.com).  This message was carrying a shell script which exploited a security hole in the Sendmail program.  The mail was interpreted and run by the Sendmail program.  The script copied source code contained within itself into the /tmp directory and using standard UNIX commands compiled and started a daemon process on port number 7002.  An outsider Telnet'ing in to this port would have bypassed all logins and logging facilities.  Netcom alerted IRT on July 11th at 16:13 that IRT had possibly been compromised.

Upon checking, I discovered the daemon running on our system.  According to Netcom's log we had been Telnet'ed to from their system at 23:13 on July 8th.  The record shows it was at most four minutes before the offending session was ended.  This is the last recorded information available.  Once the port was established we were accessible to anyone who knew about the port and we could have been visited again from anywhere without any record.

The daemon source code was found in the mail queue and removed for analysis.  The process was killed and removed from the /tmp directory.  We were disconnected from the Internet and a search was made to see if any traces could be found.

On Tuesday July 12th at 11:59, three (3) files appeared on the system.  In the / (root) directory a file of zero size appeared with the name 1776_July_4; at the same time two zero size files appeared in the /tmp directory.  The file names were tmp.7105.foo and tmp.7105.bar.  The time stamps and file names ending in foo and bar (a well known acronym) are very suspect.  No further strange occurrences have surfaced.

Netcom has not been able to provide any more information on the hacker.  They report he hacked into an account on their system and was able to work undetected for an unknown period of time.  Netcom was alerted by complaints from System Administrators who detected the break in attempts.

What Failed

  • Sendmail was thought to be patched and wasn't.
  • The security package (COPS) I ran did not have checks to alert for this problem with Sendmail.
  • PPP packet filtering created a false sense of security.  Running a high level of filtering was not enough.

Recommended Actions

All users must be forced to change their passwords.  In the future, any accounts with passwords that can be broken will be disabled and the user will need to see the administrator to have it re-enabled.  It was also recommended that the whole OS be reinstalled from scratch if you are compromised.

Sendmail needs patching with the latest software patch from Sun Microsystems (Sendmail Jumbo Patch #100377-17) or upgrade to version 8.  Sendmail also needs to be set up to use a restricted shell (smrsh) that was obtained from the Computer Emergency Response Team (CERT) FTP site.

In addition, obtain the following programs for installation to try and thwart future attempts to break in:

tcp_wrapper - Package to monitor and filter incoming requests for a variety of services. (info.cert.org)

tripwire - A tool for monitoring a designated set of files and directories for changes and/or corruption. (info.cert.org)

securelib - Tool to control access to network daemons not under inetd control or which serve more than one client. (securelib.tar)

netlog - A tool to passively watch all TCP and UDP traffic on a network. (netlog-1.02.tar.gz)  Also look at Tiger (a COPS-like program).

swatch - A process to watch the log files in real time and associate arbitrary actions with patterns. (swatch.sourceforge.net)

crack - A program to try to crack passwords. (info.cert.org)

Recent reports indicate that Netcom's credit file, stored online and containing information on all their customers, has been compromised.
