[21602] in North American Network Operators' Group
Re: Exodus: this is bad
daemon@ATHENA.MIT.EDU (Roeland M.J. Meyer)
Tue Nov 17 00:29:02 1998
Date: Mon, 16 Nov 1998 21:09:54 -0800
To: rirving@onecall.net
From: "Roeland M.J. Meyer" <rmeyer@mhsc.com>
Cc: Jared Mauch <jared@puck.nether.net>, Adam Rothschild <asr@millburn.net>,
list@inet-access.net, nanog@merit.edu
In-Reply-To: <3650D29F.CAC19A49@onecall.net>
Just got to this list. Has anyone called the FBI yet? It looks like a
full-scale raid.
At 08:34 PM 11/16/98 -0500, Richard Irving wrote:
>It looks worse Jared,
>
> This appears to be a concerted effort. This type of attack
>is propagating to new origin IP's by the hour. There seems to
>be a pattern forming....
>
> DNS server is compromised. (Bind ? Autohack ?)
> local programs set up to crack local passwords.
> (Dumps results to FTP directory)
> local program set up to port probe/attack other DNS's.
> (Dumps results to FTP directory)
>
> Someone said Linux servers appear to be primary targets..
> I suggest maybe Linux servers were more likely to have a vulnerable
> configuration... Probers running locally,( that I saw), did not *seem*
> to discriminate. (Conjecture Based on output of parasitic programs)
>
> I hate to proffer alt.net.conspiracy...... But...
>
> the above data was collected both by myself, as well as another
> NANOG member who may want to remain anonymous...
> (He didn't post it to the group)
>
> CERT does have an alert posted, but I am not sure
> they know how pervasive this is.....
>
>Jared Mauch wrote:
>>
>> On Mon, Nov 16, 1998 at 06:51:53PM -0500, Adam Rothschild wrote:
>> > Am I forgetting anything?
>>
>> Yeah.
>>
>> Calling the providers where the attack is originating from.
>>
>> Calling your local law enforcement agencies and alerting
>> them to the problem at hand
>>
>> Calling your local fbi agent and telling them what is going on.
>>
>> Calling CERT and opening up a case
>>
>> I'm sure if you get CERT+FBI+Local law agencies calling *ANY*
>> noc, someone is going to notice.
>>
>> And for fun, call CNN, or some other news agency, and say
>> "xxx hasn't dealt with this after many phone calls, etc..".
>>
>> If none of those paths provides you with the desired response,
>> unplug your ethernet cable.
>>
>> - jared
>>
>> --
>> Jared Mauch | pgp key available via finger from jared@puck.nether.net
>> | http://puck.nether.net/~jared/
>
___________________________________________________
Roeland M.J. Meyer, ISOC (InterNIC RM993)
e-mail: rmeyer@mhsc.com
Internet phone: hawk.mhsc.com
Personal web pages: http://www.mhsc.com/~rmeyer
Company web-site: http://www.mhsc.com/
___________________________________________
Who is John Galt?
"Atlas Shrugged" - Ayn Rand