North American Network Operators Group


Re: Exodus: this is bad

  • From: Alex P. Rudnev
  • Date: Tue Nov 17 07:38:57 1998

Folks. All (ALL) Linux-based NS servers or other Linux servers with IMAPD 
turned on (default) and without the imapd patch (I do not know if it exists 
at all) can be treated as COMPROMISED. I have found (and closed) more 
than 20 backdoored servers over the world in a week (and it was done by 
ONLY ONE HACKER)!

What are you discussing? This was not a serious attack, it was (I think) the usual 
network scanning they are doing (or were doing) EVERY DAY.




On Mon, 16 Nov 1998, Richard Irving wrote:

> Date: Mon, 16 Nov 1998 20:34:23 -0500
> From: Richard Irving <[email protected]>
> To: Jared Mauch <[email protected]>
> Cc: Adam Rothschild <[email protected]>, [email protected],
>     [email protected]
> Subject: Re: Exodus: this is bad
> 
> It looks worse Jared,
> 
>   This appears to be a concerted effort. This type of attack
> is propagating to new origin IPs by the hour. There seems to
> be a pattern forming....
> 
>   DNS server is compromised.  (Bind ? Autohack ?)
>   local programs set up to crack local passwords.
>   (Dumps results to FTP directory)
>   local program set up to port probe/attack other DNS's.
>   (Dumps results to FTP directory)
> 
>   Someone said Linux servers appear to be primary targets..
>   I suggest maybe Linux servers were more likely to have a vulnerable
>   configuration... Probers running locally,( that I saw), did not *seem*
>   to discriminate. (Conjecture Based on output of parasitic programs)
>   
>   I hate to proffer alt.net.conspiracy...... But...
> 
>   the above data was collected both by myself, as well as another
>   NANOG member who may want to remain anonymous... 
>   (He didn't post it to the group)
> 
>   CERT does have an alert posted, but I am not sure 
>   they know how pervasive this is.....
> 
> 
>   
>   
> 
> Jared Mauch wrote:
> > 
> > On Mon, Nov 16, 1998 at 06:51:53PM -0500, Adam Rothschild wrote:
> > > Am I forgetting anything?
> > 
> >         Yeah.
> > 
> >         Calling the providers where the attack is originating from.
> > 
> >         Calling your local law enforcement agencies and alerting
> > them to the problem at hand
> > 
> >         Calling your local fbi agent and telling them what is going on.
> > 
> >         Calling CERT and opening up a case
> > 
> >         I'm sure if you get CERT+FBI+Local law agencies calling *ANY*
> > noc, someone is going to notice.
> > 
> >         And for fun, call CNN, or some other news agency, and say
> > "xxx hasn't dealt with this after many phone calls, etc..".
> > 
> >         If none of those paths provides you with the desired response,
> > unplug your ethernet cable.
> > 
> >         - jared
> > 
> > --
> > Jared Mauch  | pgp key available via finger from [email protected]
> >              | http://puck.nether.net/~jared/
> 

Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 239-10-10, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
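The message above treats any Linux server with imapd "turned on (default)" as suspect. On 1998-era Linux distributions that daemon was started from /etc/inetd.conf, so the first defensive check an operator can run is an audit of which inetd services are actually enabled. The script below is an added example and is not code from the thread or its authors; it assumes an inetd-style configuration file, takes the file path as a parameter, and works on a constructed sample file rather than a real host.

```shell
#!/bin/sh
# Added example (not from the NANOG thread): audit an inetd.conf for
# network services that are still switched on. Assumption: inetd-style
# config where a line beginning with '#' is a disabled service.

# Print the service name of every enabled entry, one per line.
# Comment lines and malformed lines (fewer than the 6 inetd fields) are skipped.
enabled_services() {
    awk '!/^[[:space:]]*#/ && NF >= 6 { print $1 }' "$1"
}

# Return 0 (and print the offending lines) if any enabled service matches
# the risky-service pattern, 1 otherwise. Default pattern: imap/imaps/pop3.
check_risky_services() {
    file=$1
    pattern=${2:-'^(imap|imap2|imaps|pop-?3)$'}
    found=1
    for svc in $(enabled_services "$file"); do
        if printf '%s\n' "$svc" | grep -Eq "$pattern"; then
            grep -E "^[[:space:]]*$svc[[:space:]]" "$file"
            found=0
        fi
    done
    return $found
}

# Constructed sample inetd.conf for demonstration (not a real host's file).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# /etc/inetd.conf -- constructed sample
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
imap    stream  tcp     nowait  root    /usr/sbin/tcpd  imapd
#finger stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF

# Usage: list what is enabled, then flag the mail services the thread is about.
echo "Enabled services:"
enabled_services "$SAMPLE"
echo "Risky services still enabled:"
if check_risky_services "$SAMPLE"; then
    echo "ACTION: comment these out (or patch) and send inetd a HUP"
else
    echo "none"
fi
```

The pattern argument is optional, so the same function can be pointed at other legacy services (rsh, finger, telnet) once the mail daemons are dealt with; disabling a service here only takes effect after inetd re-reads its configuration.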