Re: TRG vger.timpanogas.org hacked

Henning P. Schmiedehausen (mailgate@hometree.net)
Tue, 5 Jun 2001 13:07:05 +0000 (UTC)


"Jeff V. Merkey" <jmerkey@vger.timpanogas.org> writes:

>is curious as to how these folks did this. They exploited BIND 8.2.3

Look below.

>to get in and logs indicated that someone was using a "back door" in
>Novell's NetWare proxy caches to perform the attack (since several
>different servers were used as "blinds" to get in).

There is AFAIK no known exploit to BIND 8.2.3 and I don't see why
anyone should use a "novell Netcache backdoor". If I'd want to hack
your box, I would use this:

% telnet vger.timpanogas.com 22
Trying 207.109.151.240...
Connected to vger.timpanogas.com.
Escape character is '^]'.
SSH-1.5-1.2.27
^]
telnet> quit

Well known exploits downloadable at any of the better hacking sites.

>We are unable to determine just how they got in exactly, but they
>kept trying and created an oops in the affected code which allowed
>the attack to proceed.

Come on, you can't be _that_ blind. Either you didn't install all your
vendor recommended updates or you installed self rolled programs and
got caught.

You even get connects on the telnet port (no daemon, though), so you
either have a hosts.allow (which _is_ spoofable) or a non-cleaned up
[x]inetd.conf which means you didn't harden your box for Internet
usage.

If you don't prepare your box for a hostile environment, you get
hit. First law of the Internet.

Regards
Henning

-- 
Dipl.-Inf. (Univ.) Henning P. Schmiedehausen       -- Geschaeftsfuehrer
INTERMETA - Gesellschaft fuer Mehrwertdienste mbH     hps@intermeta.de

Am Schwabachgrund 22 Fon.: 09131 / 50654-0 info@intermeta.de D-91054 Buckenhof Fax.: 09131 / 50654-20 - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/