[techtalk] Should I feel honored?

Nicole Zimmerman colby at wsu.edu
Sat Apr 21 15:27:31 EST 2001


Just so you know your work is worth it. I have logcheck email me system
events that are logged to syslog... these events include what snort does
(since snort logs to syslog).

This is what an rpc.statd attempt looks like now. 

Date: Sat, 21 Apr 2001 13:02:02 -0700
From: root <root at catbox.dhs.org>
To: root at catbox.dhs.org
Subject: catbox 2001/04/21 13:02 system check

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Apr 21 12:33:01 catbox snort[10907]: spp_portscan: PORTSCAN DETECTED from
213.255.46.55 (THRESHOLD 4 connections exceeded in 0 seconds)
Apr 21 12:33:02 catbox snort[10907]: IDS015 - RPC -
portmap-request-status:
213.255.46.55:899 -> 63.161.25.177:111
Apr 21 12:33:02 catbox snort[10907]: IDS181 - OVERFLOW-NOOP-X86:
213.255.46.55:900 -> 63.161.25.177:1024
Apr 21 12:33:04 catbox rpc.statd[27275]: gethostbyname error for ^X^?^X^?^Y^?^Y^?^Z^?^Z^?^[^?^[^?%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
Apr 21 12:33:30 catbox snort[10907]: spp_portscan: portscan status from
213.255.46.55: 11 connections across 9 hosts: TCP(9), UDP(2)
Apr 21 12:35:13 catbox snort[10907]: spp_portscan: End of portscan from
213.255.46.55: TOTAL time(3s) hosts(9) TCP(9) UDP(2)
----

The offending IP is not 236.137.10.192 as one might think, but rather
213.255.46.55.

If you go to http://213.255.46.55, you will find that this person has the
default apache web page up with a "CHAT" link at the bottom. According to
netcraft, they are running Apache/1.3.12 (Unix) (Red Hat/Linux) PHP/3.0.15
mod_perl/1.21 on Linux. Their netblock is owned by "Dida EL", a site in the
.it domain (whom I am going to email via
assistenzaclienti at didael.it and webmaster at didael.it). I think they are the
domain search.didael.it, which traceroute quickly confirms for me. So I am
also going to send this e-mail to root at search.didael.it

They were probably rootkitted and are now being used to root other boxes
through this attack.

-nicole

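A worked example of the kind of check logcheck is doing for Nicole here, added to this archive page; it is not part of her post and is not logcheck's or snort's own code. It parses syslog lines modelled on the excerpt above (constructed, with the NOP sled shortened), flags rpc.statd gethostbyname errors that carry %n writes or a run of \220 (0x90) NOP bytes, and attributes the source to the left-hand address of snort's "src:port -> dst:port" and spp_portscan "from" events logged on the same host within a minute. The printf field widths (236, 137, 10, 192) are returned separately to make the point that they are widths, not an address. The function names, the 60-second window and the flagging thresholds are my choices, not anything the post specifies.

```python
"""Flag rpc.statd format-string attempts in syslog and attribute the source
from nearby snort events.  Added example; not logcheck, snort or the poster's setup."""
import re
from datetime import datetime, timedelta

# Constructed sample log lines modelled on the post's excerpt (NOP sled cut to 6 bytes).
SAMPLE_LOG = [
    r"Apr 21 12:33:01 catbox snort[10907]: spp_portscan: PORTSCAN DETECTED from 213.255.46.55 (THRESHOLD 4 connections exceeded in 0 seconds)",
    r"Apr 21 12:33:02 catbox snort[10907]: IDS015 - RPC - portmap-request-status: 213.255.46.55:899 -> 63.161.25.177:111",
    r"Apr 21 12:33:02 catbox snort[10907]: IDS181 - OVERFLOW-NOOP-X86: 213.255.46.55:900 -> 63.161.25.177:1024",
    r"Apr 21 12:33:04 catbox rpc.statd[27275]: gethostbyname error for ^X^?^X^?%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220\220\220\220\220\220",
    r"Apr 21 12:33:30 catbox snort[10907]: spp_portscan: portscan status from 213.255.46.55: 11 connections across 9 hosts: TCP(9), UDP(2)",
    r"Apr 21 12:40:00 catbox rpc.statd[27275]: gethostbyname error for nosuchhost.example",
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
DIRECTIVE_RE = re.compile(r"%(\d*)([nxsp])")   # %8x, %236x, %n, ... as (width, conversion)
NOP_RE = re.compile(r"\\220")                   # syslog renders byte 0x90 as octal \220
FLOW_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):\d+ -> (\d{1,3}(?:\.\d{1,3}){3}):\d+")
SCAN_RE = re.compile(r"spp_portscan: .*?(?:from|status from) (\d{1,3}(?:\.\d{1,3}){3})")


def parse_syslog(line):
    """Split a classic syslog line into timestamp, host, program, pid and message."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    # syslog timestamps carry no year; strptime's default (1900) is fine for ordering
    d["ts"] = datetime.strptime(d["ts"].replace("  ", " "), "%b %d %H:%M:%S")
    return d


def format_string_widths(msg):
    """Field widths of the conversion specifiers.  These are printf widths, not an IP."""
    return [int(w) for w, _ in DIRECTIVE_RE.findall(msg) if w]


def classify_statd(msg):
    """Score a gethostbyname error message; None means an ordinary failed lookup.
    Thresholds (any %n, or 8+ NOPs, or 4+ directives) are this example's choice."""
    directives = DIRECTIVE_RE.findall(msg)
    n_writes = sum(1 for _, conv in directives if conv == "n")
    nops = len(NOP_RE.findall(msg))
    if n_writes == 0 and nops < 8 and len(directives) < 4:
        return None
    return {"directives": len(directives), "n_writes": n_writes,
            "nop_bytes": nops, "widths": format_string_widths(msg)}


def attribute_source(event, events, window=timedelta(seconds=60)):
    """Most frequent attacker address in snort events on the same host near the
    statd error: the left side of 'src:port -> dst:port', or the portscan 'from' IP."""
    candidates = []
    for e in events:
        if e["host"] != event["host"] or e["prog"] != "snort":
            continue
        if abs(e["ts"] - event["ts"]) > window:
            continue
        fm = FLOW_RE.search(e["msg"])
        if fm:
            candidates.append(fm.group(1))
            continue
        sm = SCAN_RE.search(e["msg"])
        if sm:
            candidates.append(sm.group(1))
    if not candidates:
        return None
    return max(set(candidates), key=candidates.count)


def analyze(lines):
    """Return one finding per suspicious rpc.statd line, with the attributed source."""
    events = [e for e in (parse_syslog(l) for l in lines) if e]
    findings = []
    for e in events:
        if e["prog"] != "rpc.statd" or "gethostbyname error" not in e["msg"]:
            continue
        verdict = classify_statd(e["msg"])
        if verdict is None:
            continue
        verdict["source"] = attribute_source(e, events)
        verdict["ts"] = e["ts"].strftime("%b %d %H:%M:%S")
        findings.append(verdict)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ts']} statd format-string attempt from {f['source']}: "
              f"{f['n_writes']} %n writes, {f['nop_bytes']} NOP bytes, widths {f['widths']}")
```

Run against the constructed lines it reports one finding, attributed to 213.255.46.55 from snort's flow and portscan events, while the benign nosuchhost.example lookup failure produces nothing; the benign case is the one a logcheck "gethostbyname error" pattern alone would also page you for.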