|
Well, for me, admitting all this is like staceyv admitting she yelled at her puppy. Waking up in the middle of the night is the penance. I was dumb, I left the vulnerable machine up, I am punished.
|
Quote:
|
Quote:
|
Ten attacks today. So far.
An lsof found that their open process was constantly connecting to 210.170.60.2. That address is now blocked at the firewall. I think. It's in Japan. But I dunno if that was the target or the source, or whether it's just a bridge to somewhere else. |
Can you notify the IP owner?
|
There's no reverse DNS on the address. But whois lookup says it belongs to
TELE PLANNING INTERNATIONAL INC. in Japan. There's technical contact information: http://whois.nic.ad.jp/cgi-bin/whois_gw?key=MJ018JP |
Look, it's trying right now. netstat -an includes the lines:
tcp 0 1 207.245.113.66:43901 210.170.60.2:3982 SYN_SENT tcp 0 1 207.245.113.66:43905 210.170.60.2:3982 SYN_SENT I don't think this firewall works. Naw, it just tried again. Damn. lsof: # lsof -p 6683 COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME exe 6683 nobody cwd DIR 3,3 4096 2 / exe 6683 nobody rtd DIR 3,3 4096 2 / exe 6683 nobody txt REG 3,6 17828 30 /tmp/upxBQHBVKFAGQ0 (deleted) exe 6683 nobody mem REG 3,3 90168 2371760 /lib/ld-2.3.2.so exe 6683 nobody mem REG 3,3 1452984 49557 /lib/i686/libc-2.3.2.so exe 6683 nobody 0r CHR 1,3 1701592 /dev/null exe 6683 nobody 1r CHR 1,3 1701592 /dev/null exe 6683 nobody 2r CHR 1,3 1701592 /dev/null exe 6683 nobody 3u IPv4 511195499 TCP topaz:43909->210.170.60.2:3982 (SYN_SENT) |
Gee whiz I wish I had some idea about this stuff. Keep fighting the good fight Bro.
|
I'd send an e-mail to the tech contact. If they've been infected, you would be doing them a favor by informing them.
|
Yeah, but I don't know if they're the target or the source.
I'm not sure the firewall was up, or maybe it was and it was preventing that attack. I do know the firewall blocked my DNS services for a bit. Damn I am supposed to know what I'm doing on this stuff. |
I found it. In the crontab of the userid that runs the web server, was an entry that created a binary that would start its work, delete itself, and change its name to the same process name of the web server.
Before they loaded this, they trojaned every single utility used to do network administration. With VERY good trojans, exactly the same size as the originals. I only found that because I have safe copies of these utilities everywhere, along with the safe copies of the checksum programs that let you detect what's changed. Things are better. Not great but better. The people who were supposed to do the network configuration at our new location, failed to do so again and so we can't move til Monday at the soonest. I figured out that it was a cron entry because the parent process id of the DOSsing daemon was 0. |
Good job UT !!!!!!
Trace down their address , and me and Louie will go have a TALK wit' em ! |
Quote:
We certainly have no right to complain one bit. You, Sir, are our hero. :king: |
Quote:
BTW, as soon as the bills clear and I verify the status of the checking account I have tied to Paypal, I will drop something into the Cellar Defense Fund. I don't remember if my last donation was 2005 or 2004, so I figure that I'm due. It won't be a lot, but at least enough for caffeine pills and aspirin. Since these guys are technically cyber-terrorists, I would assume that under the current political climate, you have the authority to hire contractors to deal with them if you identify them. Maybe the guys from BlackWater would like a warmup mission before going to Iraq. We could have a fundraiser.http://www.cellar.org/images/smilies/cool.gif |
Y'know what it is - it's like an electrician who goes home and doesn't wire his own house to code, because he figures he pretty much knows what he's doing, and that, well that can be fixed later, as long as we don't plug something heavy into it, that's what it is.
|
| All times are GMT -5. The time now is 09:27 PM. |
Powered by: vBulletin Version 3.8.1
Copyright ©2000 - 2025, Jelsoft Enterprises Ltd.