Posted: 1/7/2003 9:03:07 PM EST
REPEATEDLY (3 times within two weeks) "Hackers" (a misused term) have relentlessly tried and have succeeded in breaking into my name server. I was able to find some of the clues they left behind despite their attempts to delete RRs (records). They would break in through BIND and somehow start RLOGIN despite the fact that I haven't enabled RLOGIN. I can't even login as ROOT from the console. Here is the IP address and information I was able to obtain using NSLOOKUP:
Link Posted: 1/7/2003 9:03:59 PM EST
nslookup
Default Server: dns1-la.lsan03.pacbell.net
Address: 206.13.29.12

> exit
[wg1:~] ihlewis% nslookup -d 211.73.237.6
;; res_nmkquery(QUERY, 12.29.13.206.in-addr.arpa, IN, PTR)
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 16549, rcode = NOERROR
        header flags: response, want recursion, recursion avail.
        questions = 1, answers = 1, authority records = 2, additional = 2
    QUESTIONS:
        12.29.13.206.in-addr.arpa, type = PTR, class = IN
    ANSWERS:
    -> 12.29.13.206.in-addr.arpa
        name = dns1-la.lsan03.pacbell.net
        ttl = 3777 (1h2m57s)
    AUTHORITY RECORDS:
    -> 29.13.206.in-addr.arpa
        nameserver = NS1.PBI.net
        ttl = 68575 (19h2m55s)
    -> 29.13.206.in-addr.arpa
        nameserver = NS2.PBI.net
        ttl = 68575 (19h2m55s)
    ADDITIONAL RECORDS:
    -> NS1.PBI.net
        internet address = 206.13.28.11
        ttl = 67806 (18h50m6s)
    -> NS2.PBI.net
        internet address = 206.13.29.11
        ttl = 130699 (1d12h18m19s)
------------
Server: dns1-la.lsan03.pacbell.net
Address: 206.13.29.12

;; res_nmkquery(QUERY, 6.237.73.211.in-addr.arpa, IN, PTR)
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 16550, rcode = NOERROR
        header flags: response, auth. answer, want recursion, recursion avail.
        questions = 1, answers = 1, authority records = 2, additional = 2
    QUESTIONS:
        6.237.73.211.in-addr.arpa, type = PTR, class = IN
    ANSWERS:
    -> 6.237.73.211.in-addr.arpa
        name = Host5-237-6.pagic.net
        ttl = 14400 (4H)
    AUTHORITY RECORDS:
    -> 237.73.211.in-addr.arpa
        nameserver = ns1.pagic.net
        ttl = 14400 (4H)
    -> 237.73.211.in-addr.arpa
        nameserver = ns2.pagic.net
        ttl = 14400 (4H)
    ADDITIONAL RECORDS:
    -> ns1.pagic.net
        internet address = 210.63.92.1
        ttl = 300 (5M)
    -> ns2.pagic.net
        internet address = 210.63.92.2
        ttl = 300 (5M)
------------
Name: Host5-237-6.pagic.net
Address: 211.73.237.6
Link Posted: 1/7/2003 9:09:22 PM EST
This ISP is in Taipei, China. They learned from their last attempt as they allowed the name server to continue to resolve lookups whereas last time they disabled everything. I am in the process of building a replacement server as this one is old and I have had a hard time upgrading the OS on it due to some oddities of that particular computer. I'm sick of being hacked and wish I had some form of retribution. Arrrrrrrrrhhhhhh!!!! Hopefully I will have the other items within a week or two. I'm awaiting shipment of some parts (hurry, hurry, hurry) and some extra cash. I wouldn't put this past the government there to sponsor such attacks. If I did that to them they would be ready to haul me to court or jail. Hmmmmm.......never mind.
Link Posted: 1/7/2003 9:11:27 PM EST
Now, if I could just get this firewall configured properly.....
Link Posted: 1/7/2003 9:26:15 PM EST
Um.......I kind of like cheese crackers. Sgtar15
Link Posted: 1/7/2003 9:28:25 PM EST
Dude, that is soooooooo over my head! We should send a CIA team in after these crackers though.
Link Posted: 1/7/2003 9:30:04 PM EST
[b]HACKED BY CHINESE![/B]
Link Posted: 1/7/2003 9:32:37 PM EST
What are you running, Linux? I thought it was impervious to hackers!!!! [:D]
Link Posted: 1/7/2003 9:41:09 PM EST
Originally Posted By SNorman: What are you running, Linux? I thought it was impervious to hackers!!!! [:D]
LOL, Yeah I'm running Linux but the problem is with the version of BIND that I'm running. Briefly, BIND is the program that is run on name servers to resolve domain names. e.g., humans know what www.lewistechnogroup.com is but computers only understand numbers (addresses) so the name server would tell your computer that the above name has the address of 67.112.173.90. You can type the address in your browser and get the same results as typing the name. Back to BIND. I was running an UPDATED version of BIND before the first attack, it took some work to get it to work on that computer but I did get it to work. Well even that version of BIND had some bug which is exploited by hackers. So, here we go again.... The new server I'm building won't have these problems but it's still annoying nevertheless. If I weren't running BIND (which you have to run on a DOMAIN NAME SERVER) this wouldn't be a problem.
Link Posted: 1/7/2003 9:49:15 PM EST
[Last Edit: 1/7/2003 9:50:38 PM EST by M4_Aiming_at_U]
I don't know about all your tech talk you posted, but there HAS to be a way to hack back. I'm sure there are people on this board that will remain nameless that might IM you. And by the way Taipei is in Taiwan, not China. Good Luck! I hope you get these A$$40le$!
Link Posted: 1/7/2003 9:56:11 PM EST
Originally Posted By M4_Aiming_at_U: I don't know about all your tech talk you posted, but there HAS to be a way to hack back. I'm sure there are people on this board that will remain nameless that might IM you. And by the way Taipei is in Taiwan, not China. Good Luck! I hope you get these A$$4oles!
[B]by the way Taipei is in Taiwan, not China.[/B]
DOH! My mistake... Basically what they are doing is crashing a program (BIND) which runs with a high privilege level then they somehow run another program (RLOGIN = remote login) which allows them to login to a command prompt (like a DOS prompt). At this point they can run commands and programs. They probably have set it up so they can upload their software to the server. This is done so they can attack other computers from the one they hacked. It helps cover their tracks but they made a mistake which I happen to see, so I know where the attack came from.
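The chain this post describes (named dying, then an r-service that was never enabled accepting a connection) is something a log monitor can flag and correlate. The detector below is an added example, not code from the thread; the syslog lines, the list of "disabled" services, the named fault markers and the 15-minute correlation window are all constructed or assumed, with the remote address taken from the thread's nslookup output.

```python
import re
from datetime import datetime, timedelta

# Syslog-style lines constructed for this example (not from the thread's host);
# the remote address is the one the thread traced with nslookup.
SAMPLE_LOG = """\
Jan  7 20:41:12 wg1 named[412]: starting.
Jan  7 20:52:03 wg1 named[412]: exiting (due to fatal error)
Jan  7 20:53:10 wg1 in.rlogind[520]: connect from 211.73.237.6
Jan  7 21:02:44 wg1 ftpd[530]: connection from 211.73.237.6
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Assumed local policy: rlogin was never enabled, so any r-service daemon
# logging a connection is an alert by itself. Fault markers are constructed.
DISABLED_SERVICES = {"in.rlogind", "in.rshd", "in.rexecd", "rlogind", "rshd"}
NAMED_FAULT_MARKERS = ("exiting", "segfault", "fatal")
WINDOW = timedelta(minutes=15)  # a login this soon after a named fault is "chained"

def parse(line, year=2003):
    """Split one syslog line into timestamp, host, program, message and source IP."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    ip = IP_RE.search(m["msg"])
    return {"ts": ts, "host": m["host"], "prog": m["prog"], "msg": m["msg"],
            "src": ip.group(1) if ip else None}

def detect(log_text):
    """Return (kind, time, source_ip) alerts: named faults, use of a disabled
    r-service, and the two correlated into a crash-then-remote-login chain."""
    alerts, last_fault = [], None
    for e in filter(None, (parse(l) for l in log_text.splitlines())):
        if e["prog"] == "named" and any(k in e["msg"] for k in NAMED_FAULT_MARKERS):
            last_fault = e["ts"]
            alerts.append(("named_fault", e["ts"], None))
        elif e["prog"] in DISABLED_SERVICES:
            kind = "disabled_service_used"
            if last_fault is not None and e["ts"] - last_fault <= WINDOW:
                kind = "named_fault_then_remote_login"
            alerts.append((kind, e["ts"], e["src"]))
    return alerts

def suspect_sources(log_text):
    """Remote addresses worth a reverse lookup and whois, as the thread did."""
    return sorted({src for _, _, src in detect(log_text) if src})
```

The ftpd line is deliberately left unflagged: FTP was an allowed service on this host, so it only becomes interesting once the same source appears in a chained alert.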
Link Posted: 1/7/2003 9:57:14 PM EST
Originally Posted By SNorman: What are you running, Linux? I thought it was impervious to hackers!!!! [:D]
Haha... I also was thinking the same thing.

----
Result for 211.73.237.6

% [whois.apnic.net node-2]
% How to use this server http://www.apnic.net/db/
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum:      211.73.224.0 - 211.73.255.255
netname:      PAGIC-TW
descr:        PAGIC.net Inc.
descr:        13F,86,Hsin Tai Wu Road Section 1,
descr:        HsiChih City, Taipei Taiwan 221
country:      TW
admin-c:      CL470-AP
tech-c:       HL257-AP
mnt-by:       MAINT-TW-TWNIC
changed:      hostmaster@twnic.net 20010817
status:       ALLOCATED PORTABLE
source:       APNIC

person:       Carven Lee
address:      Pagic net Inc.13F, No.86, Sec 1, Hsin Tai Wu Rd., Hsi-Chih City. Taipei, Taiwan
country:      TW
phone:        +886 2 8691 2324
fax-no:       +886 2 8691 2521
e-mail:       netadmin@pagic.net
nic-hdl:      CL470-AP
mnt-by:       MAINT-TW-TWNIC
changed:      cwkuo@twnic.net.tw 20010814
source:       APNIC

person:       Heman Lu
address:      PAGIC.net,Inc.
address:      13F, 86, Sec.1, Hsin Tai Wu Rd, Hsichih
address:      Taipei County Taiwan 221
country:      TW
phone:        +886-2-2696-4800
fax-no:       +886-2-2696-4513
e-mail:       heman@pagic.net
nic-hdl:      HL257-AP
mnt-by:       MAINT-TW-TWNIC
changed:      hostmaster@twnic.net 20020610
source:       APNIC
-----
Link Posted: 1/7/2003 10:03:14 PM EST
Yeah, I'm definitely going to email that ISP about this!!!!
Link Posted: 1/8/2003 1:53:13 AM EST
How are they getting through your router or is this server on the DMZ or also acting as a proxy?
Link Posted: 1/8/2003 2:25:03 AM EST
[Last Edit: 1/8/2003 2:26:27 AM EST by gomer]
[austin powers] Woopdie do, What does it all mean Bazzle? [/austin powers] What you're seeing is nothing new. You must have just started monitoring because this is very common. Many attacks originate from the former USSR, Florida and NY. Most of the attacks from Florida are on a Road Runner segment. If you are running Linux use Portsentry and Tripwire to help protect your system. In addition to upgrading BIND as that has been a problem for years. A firewall most likely would not have helped because you would still allow port 53 UDP access which would still make your system vulnerable to BIND attacks. The only way to ensure your system is secure is to blow it away and reload.
Link Posted: 1/8/2003 8:18:48 AM EST
Actually I monitor my system regularly. I have had one previous attack over a year ago and stopped it cold. It's just that I have had three break-ins over the past two weeks. I'm just getting tired of reloading everything (I do keep backups). While they may crash BIND if things are configured correctly I can deny the use of FTP making it harder for them to upload things onto my server.