
RE: [cobalt-users] PortSentry



On Thu, 22 Feb 2001 elmer@xxxxxxxxxxxxxx wrote:
> 	Servers are not hacked through ports. They're most commonly
> hacked through insecure passwords, configuration errors (or lack
> thereof) and known exploitable holes in services which may or may
> not be accessible through a port. As some who lurk this list have

OK, after some pondering, I decided I would in fact post this, in the
hopes that it will prove educational. It is a nice example of what kinds
of things the kiddies are doing, why proper username/password management
is important, what kinds of things in the log files are important to
notice, and why simple information leaks in one service can help someone
in their attempt to gain access to another service.

This is from actual log files of an access attempt that happened on the
20th, with IP/domain info removed to protect the client...

Sarcastic comments in parentheses are mine, I can't help it; this fellow
is not ready for prime time yet...tho give him time and he will get lots
of practice...assuming he's not already headed for jail....

I would note that in this particular case, NIDS would have stopped this
immediately, tho as noted, it's not a panacea...
(PLS clip generously if replying, this is a touch long)
--------- 

23:08:33 proftpd[32721]: connect from @IP@
23:08:34 telnetd[32722]: connect from @IP@
23:08:39 POP2[32724]: connect from @IP@
23:08:39 qpopper[32725]: connect from @IP@
23:08:42 imapd[32726]: connect from @IP@
(Very sloppy port scan, does full open, in numerical sequence,
 generates logs everywhere...)

23:10:11 proftpd[32735]: connect from @IP@
(Immediately tries a blank root logon....does this actually work places?)
23:10:51 proftpd
 - SECURITY VIOLATION: root login attempted. 
 - PAM(admin): Authentication failure. 
 - USER (Login failed): Incorrect password. 
 - FTP session closed. 

(checks ftp version signon (he missed it last time?))
23:11:46 proftpd[32749]: connect from @IP@
23:11:52 FTP session closed. 

(next he issues a null command to the web server....)

23:13:39 www "-" 408 - "-" "-"

(causes an error, gets him the server version and OS. Interestingly, he
doesn't seem to realize he's actually asked for the wrong domain; it's a
VHOST site and he didn't issue a HOST, so none of the username@domains he
could uncover will be correct)


(always nice to have some telnet windows open in case you trip port security)
23:14:19 telnetd[18]: connect from @IP@
23:14:58 telnetd[26]: connect from @IP@
23:15:08 telnetd[55]: connect from @IP@

(guesses 'admin' might be a username, tries to get sendmail 
to verify it so he won't make lots of nasty login errors...)

23:16:07 sendmail[72]: 
	NOQUEUE: @DOMAIN@ [@IP@]: expn admin@xxxxxxxx [rejected]
	NOQUEUE: @DOMAIN@ [@IP@]: expn [rejected]

[Anyone else wanna ask why sendmail doesn't do EXPN anymore?]

	POP2  -ERR Unknown command: "expn".
(um, not with pop2 you can't)

23:17:50 pop2 [92] (null) at @DOMAIN@ (@IP@):
	 -ERR Unknown command: "me^Ha^H^H^H". [pop_get_command.c:122]
(It's spelled m-a-i-l....)

23:17:50 pop2 [92] Qpopper ready for input from (null) at
	-ERR Unknown command: "mail".
	-ERR Unknown command: "send".
	-ERR POP EOF
(finally spells 'mail' correctly...doesn't do him much good;
 note, however, that the embedded backspaces give me a clue:
  his telnet client isn't line buffered)


23:18:35 2001 [98] Qpopper ready for input
(ponders for almost 2 minutes....must be reading the cheat notes)

23:20:26 2001 [105] (null) at @DOMAIN@ (@IP@):
	 -ERR Unknown command: "xsender".
(It's just a tad late to be trying to pretend to be someone else ;)
(It does tell him something about the version in theory tho..)

23:21:07 2001 [108] Received (5): " ^\...
(Binary attack on pop server - nice try , no dice...)
(If he'd bothered to read the logon message he might have noticed 
 'MIPS' - probably has no clue what a mips is tho)

23:21:13 2001 [108] Received (11): "user root"
23:21:17 2001 [108] Received (10): "passroot"
23:21:17 2001 [108] root at @DOMAIN@ (@IP@):
	 -ERR Unknown command: "passroot".
(*duh*)
23:21:21 2001 [108] Received: "pass xxxxxxxxx"
23:21:21 pop2 [108] root at @DOMAIN@ (@IP@): 
	-ERR [AUTH] Access is blocked for UIDs below 10
(I should be insulted here ;)

(finally, it occurs to him to try to assess the pop server's capabilities)
23:22:30 2001 [119] Qpopper ready for input from (null)
	 -ERR Unknown command: "list".
	 -ERR Unknown command: "stat".
	 -ERR Unknown command: "to".
	 -ERR Unknown command: "top"
	-ERR POP EOF
(how rude ;)

23:23:08 www2 "GET / HTTP/1.1" 304 - "-" 
	"Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
23:23:09 www2 "GET /images/backgrnd/bgblue.gif HTTP/1.1" 304

(& associated pages...note 304 status, he's been here before, 1 day ago and
 the pages are still in his browser cache...clue for me ;)

 What's he doing? Why, he's getting email addresses to try as usernames,
 discovers the info@ email link on the web page, tries it immediately...)

23:23:27 POP2[130]: connect from @IP@
	+OK Password required for info.
	Received: "pass xxxxxxxxx"
	User info not in passwd file
(unfortunately, info is an alias...)

(maybe it works in the pop3 or imap server...)
23:24:04 qpopper[133]: connect from @IP@
23:25:43 imapd[139]: connect from @IP@
23:25:46 imapd[139]: Missing command before authentication host=
(he seems to be having some problems with the protocol here...)

(ok, that's boring, on to the next IP address....cept it's on the same server)

23:26:06 www "GET / HTTP/1.1" 302 220 "-"
23:26:07 www "GET / HTTP/1.1" 200 11146 "-"
(note 302/200 status...browser bugs, he really is using IE5,
 this site has no local email links...)


23:26:11 imapd[145]: connect from @IP@
23:26:17 imapd[145]: command stream end of file,
	 while reading line user=???
(he's still having troubles with that pesky imap protocol ;)

23:29:20 POP2[153]: connect from @IP@
(back to good old pop2...)

	 Qpopper ready for input from mgr.test at 
	-ERR [AUTH] Password supplied for "mgr.test" is incorrect.
(ok, ROFL here, mgr.test is the sample username in the HP version of
qpopper 2.41, as in 1997 vintage)

23:32:39 POP2[224]: connect from @IP@
(more pointless stray poking ...)

(giving up...but he takes one last shot at it...)

23:36:59 proftpd[253]: connect from @IP@
	 - SECURITY VIOLATION: root login attempted. 
	 - FTP session closed. 
-----

At this point I get bored and blackhole him....

He has however left over 90K of detailed log files behind....

gsh
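A small log triage script, added here as an example; it is not part of the post above and not code from any Cobalt or PortSentry tool. It assumes syslog-style lines of the form `HH:MM:SS daemon[pid]: message` (the post's excerpt omits dates, so the script does too) and works over constructed sample lines patterned on that excerpt, with documentation addresses standing in for the removed IP. Lines that carry no address (the proftpd SECURITY VIOLATION lines, for instance) are tied back to their session by daemon name and PID. It then flags the things the post says are worth noticing in the logs: a burst of connects to several services from one address, root login attempts over FTP, EXPN probing of sendmail, and privileged-user or unknown-user attempts at the POP server.

```python
"""Triage syslog-style daemon logs for the reconnaissance indicators
discussed in the thread.  Example code added to the thread; the line
format, the indicator names and the sample lines are all assumptions."""
import re
from collections import defaultdict

# Constructed sample lines, patterned on the post's excerpt.  192.0.2.10
# and 198.51.100.7 are documentation addresses, not real hosts.
SAMPLE_LOG = """\
23:08:33 proftpd[32721]: connect from 192.0.2.10
23:08:34 telnetd[32722]: connect from 192.0.2.10
23:08:39 POP2[32724]: connect from 192.0.2.10
23:08:39 qpopper[32725]: connect from 192.0.2.10
23:08:42 imapd[32726]: connect from 192.0.2.10
23:10:11 proftpd[32735]: connect from 192.0.2.10
23:10:51 proftpd[32735]: SECURITY VIOLATION: root login attempted.
23:16:07 sendmail[72]: NOQUEUE: example.net [192.0.2.10]: expn admin@example.net [rejected]
23:18:35 qpopper[98]: Qpopper ready for input
23:21:13 pop2[108]: root at example.net (192.0.2.10): -ERR [AUTH] Access is blocked for UIDs below 10
23:23:27 pop2[130]: info at example.net (192.0.2.10): User info not in passwd file
23:29:20 pop2[153]: mgr.test at example.net (192.0.2.10): -ERR [AUTH] Password supplied for "mgr.test" is incorrect.
23:36:59 proftpd[253]: connect from 192.0.2.10
23:36:59 proftpd[253]: SECURITY VIOLATION: root login attempted.
12:00:00 proftpd[300]: connect from 198.51.100.7
"""

LINE_RE = re.compile(r'^(\d\d):(\d\d):(\d\d) (\w+)\[(\d+)\]: (.*)$')
IP_RE = re.compile(r'\b(\d{1,3}(?:\.\d{1,3}){3})\b')
BAD_USER_RE = re.compile(r'User (\S+) not in passwd file|Password supplied for "([^"]+)"')

SWEEP_WINDOW = 60        # seconds within which connects are grouped
SWEEP_MIN_SERVICES = 3   # distinct daemons in that window before we call it a sweep


def parse(text):
    """Yield (seconds, daemon, message, source_ip) for each parseable line.

    A line without an address inherits the address last seen for the same
    (daemon, pid) session; lines with no resolvable source are skipped."""
    session_ip = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        hh, mm, ss, daemon, pid, msg = m.groups()
        seconds = int(hh) * 3600 + int(mm) * 60 + int(ss)
        key = (daemon.lower(), pid)
        ipm = IP_RE.search(msg)
        if ipm:
            session_ip[key] = ipm.group(1)
        ip = session_ip.get(key)
        if ip:
            yield seconds, daemon.lower(), msg, ip


def detect_sweep(events):
    """events: list of (seconds, daemon) connects from one address.
    Return (distinct services, span in seconds) for the densest window."""
    events = sorted(events)
    best = (0, 0)
    for i, (t0, _) in enumerate(events):
        window = [(t, d) for t, d in events[i:] if t - t0 <= SWEEP_WINDOW]
        n = len({d for _, d in window})
        if n > best[0]:
            best = (n, window[-1][0] - t0)
    return best


def analyze(text):
    """Return {source_ip: sorted list of indicator tags} for addresses
    that triggered at least one indicator."""
    connects = defaultdict(list)
    findings = defaultdict(set)
    for seconds, daemon, msg, ip in parse(text):
        low = msg.lower()
        if 'connect from' in low:
            connects[ip].append((seconds, daemon))
        if 'root login attempted' in low:          # proftpd refusing root
            findings[ip].add('ftp-root-login')
        if daemon == 'sendmail' and 'expn' in low:  # address verification probe
            findings[ip].add('smtp-expn-probe')
        if 'blocked for uids below' in low:         # POP login as a system account
            findings[ip].add('pop-privileged-user')
        um = BAD_USER_RE.search(msg)                # guessed or alias-only usernames
        if um:
            findings[ip].add('pop-bad-user:' + (um.group(1) or um.group(2)))
    for ip, ev in connects.items():
        n, span = detect_sweep(ev)
        if n >= SWEEP_MIN_SERVICES:
            findings[ip].add(f'service-sweep:{n}-services-in-{span}s')
    return {ip: sorted(tags) for ip, tags in findings.items()}


if __name__ == '__main__':
    for ip, tags in analyze(SAMPLE_LOG).items():
        print(ip)
        for tag in tags:
            print('   ', tag)
```

The session correlation is the part worth keeping even if the indicator list changes: most daemons log the peer address only on the connect line, so anything flagged later in the same session is unattributable unless the PID is carried forward. The single-address run in the sample collects every indicator; the lone connect from the second address produces nothing, which is the intended false-positive floor for a three-service window.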