[99018] in RedHat Linux List
[Fwd: noc]
daemon@ATHENA.MIT.EDU (Clyde- RedHat Linux User)
Wed Nov 11 17:26:22 1998
Date: Wed, 11 Nov 1998 18:20:50 -0500
From: Clyde- RedHat Linux User <ctaylor@mail.faynet.com>
To: redhat-list@redhat.com
Resent-From: redhat-list@redhat.com
Reply-To: redhat-list@redhat.com
got hacked
----- Forwarded message -----
Return-Path: <alex@virgin.relcom.eu.net>
Received: from virgin.relcom.EU.net ([193.124.23.4]) by mail.faynet.com
(Post.Office MTA v3.1.2 release (PO205-101c)
ID# 0-41997U2500L250S0) with ESMTP id AAA184
for <ctaylor@mail.faynet.com>; Wed, 11 Nov 1998 08:43:57 -0500
Received: from virgin.relcom.eu.net (alex@virgin.relcom.eu.net [193.124.23.4]) by virgin.relcom.EU.net (8.8.8/Relcom-2A) with SMTP
id QAA26411 ;Wed, 11 Nov 1998 16:32:51 +0300 (MSK)
Date: Wed, 11 Nov 1998 16:32:51 +0300 (MSK)
From: "Alex P. Rudnev" <alex@Relcom.EU.net>
To: Abuse <abuse@EU.net>
cc: Clyde- Red Hat Linux Hacker Wanna-be <ctaylor@mail.faynet.com>,
Abuse <abuse@EU.net>, abuse@Relcom.ru
Subject: Re: noc
In-Reply-To: <Pine.LNX.4.03.9811111408220.12698-100000@freya.EU.net>
Message-ID: <Pine.SUN.3.91.981111162708.29965a@virgin.relcom.eu.net>
Organization: Relcom Corp.
This was the server hacked by the Russian hacker (NIC == Frozen). This
hack was written in our logs, which we are now holding to stop the hacker's
activity.
After a few attempts to contact the owners of this network, I logged into
their system (via the same backdoor account as the hacker) and wrote a
message into the '/etc/motd' file with my e-mail address and a warning
about the hacker's activity.
I can send the logs showing how this hacker abused the system to the
owners of this server, just as the standard notification I usually send.
I am sorry that I used this backdoor myself, but I could not contact
the server's owners any other way.
Below is our standard 'HACKER ALERT' message. I will not fill in its
fields, but you are free to ask for any details about the intrusion into this
server that we fixed last weekend.
> Clyde,
>
> Can you elaborate a little more, please ?
>
> What was the nature of the attack ? It's strange an attacker would
> leave several mail addresses behind him.
It was me; the attacker himself had installed a trojan package allowing
him to work there invisibly.
Best regards. Alex Roudnev, NOC Relcom, MOSCOW, Russia.
-----------------------------
Dear network administrator,
please re-send this message to the person responsible for
security if it was sent to the wrong address.
We have fixed how a Russian hacker worked in YOUR network
via a backdoor/stolen account on the ___.___.___.___ server
(login _____ password _______).
I suspect this server was broken into by a Unix exploit and a well-known Trojan Unix toolkit
was installed on it. There is a chance that your LAN network was sniffed and
all open passwords (used by the TELNET, POP and FTP protocols) stolen by
the hacker (and these passwords can be used for future exploits).
Maybe some additional services were installed on your server by the hacker.
They (hackers) used to install an illegal IRC server and a backdoored SSHD
server, and use foreign servers for network scanning and SMURF attacking.
Feel free to ask for more details if you want.
I ask you to pay extra attention to this case because (as far as I know) there is
an active group of Russian hackers who have dug in backdoor accounts all over the world and
use them for further hacking - password cracking on CRAY computers,
SMURF and FLOOD attacks from 100Mbit-based networks, password sniffing
in ISP networks, etc. Your case was not the first in our LOG files,
and I have not made errors in determining the hacker's activity in the past.
I advise you to:
- close all backdoors (/bin/login, shared libraries, extra SSH servers, etc.) on
your computer. In the case of LINUX the only solid way to defend yourself is
to reinstall the system.
- close vulnerable services such as IMAPD or QPOPPER;
- do not allow standard (TELNET, SLOGIN, RLOGIN, FTP) services from
the outside world except on some dedicated servers. Use access lists and/or
nonstandard port numbers (if you can't close the service totally).
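As an added illustration of the last two pieces of advice in the alert (this script is not part of the original message or of Relcom's notification), here is a small POSIX shell audit of an inetd.conf: it lists the legacy services the alert names (TELNET, FTP, POP, IMAP, rlogin/rsh) that are still enabled, and reports whether each one is started through tcpd, the tcp_wrappers program that enforces /etc/hosts.allow access lists. The inetd.conf contents are constructed for the example, and RISKY_SERVICES is the script's own list, not something the alert defines.

```shell
#!/bin/sh
# Added example: audit an inetd.conf for the cleartext / remote-login services
# the alert says to close or restrict, and flag those not wrapped by tcpd.
# Everything below (service list, sample config) is constructed for this example.

# inetd service names the alert recommends closing or restricting
RISKY_SERVICES="telnet ftp pop-3 pop3 imap imap2 login shell exec"

# sample_inetd_conf -> writes a constructed inetd.conf to a temp file, prints its path
sample_inetd_conf() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sample inetd.conf (service type proto wait user server args)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd          in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd          in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd          in.rshd
login   stream  tcp     nowait  root    /usr/sbin/in.rlogind    in.rlogind
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd          ipop3d
imap    stream  tcp     nowait  root    /usr/sbin/imapd         imapd
time    stream  tcp     nowait  root    internal
finger  stream  tcp     nowait  root    /usr/sbin/tcpd          in.fingerd
EOF
    echo "$f"
}

# audit_inetd FILE -> one line per enabled risky service:
#   service:server_program:wrapped|unwrapped
# Commented-out lines are skipped; field 1 is the service name, field 6 the
# server program. A program path ending in /tcpd means tcp_wrappers applies.
audit_inetd() {
    grep -v '^[[:space:]]*#' "$1" | awk 'NF >= 6 { print $1, $6 }' |
    while read -r svc prog; do
        case " $RISKY_SERVICES " in
            *" $svc "*)
                case "$prog" in
                    */tcpd) echo "$svc:$prog:wrapped" ;;
                    *)      echo "$svc:$prog:unwrapped" ;;
                esac ;;
        esac
    done
}

# count_unwrapped FILE -> number of enabled risky services with no tcpd access list
count_unwrapped() {
    audit_inetd "$1" | awk -F: '$3 == "unwrapped" { n++ } END { print n + 0 }'
}

# Demo run on the constructed config (a real audit would pass /etc/inetd.conf).
conf=$(sample_inetd_conf)
echo "Enabled risky services in $conf:"
audit_inetd "$conf"
echo "Without tcp_wrappers access list: $(count_unwrapped "$conf")"
rm -f "$conf"
```

Services reported as unwrapped are reachable from the whole outside world with no access list at all, which is exactly the exposure the alert warns about; those reported as wrapped still depend on /etc/hosts.allow and /etc/hosts.deny actually restricting them, so the next check is to read those two files.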
--
PLEASE read the Red Hat FAQ, Tips, Errata and the MAILING LIST ARCHIVES!
http://www.redhat.com http://archive.redhat.com
To unsubscribe: mail redhat-list-request@redhat.com with
"unsubscribe" as the Subject.