The Cellar  

12-22-2005, 02:24 PM   #16
Undertoad
Radical Centrist
Join Date: Jan 2001
Location: Cottage of Prussia
Posts: 31,423
Well, for me, admitting all this is like staceyv admitting she yelled at her puppy. Waking up in the middle of the night is the penance. I was dumb, I left the vulnerable machine up, I am punished.
12-22-2005, 09:42 PM   #17
Clodfobble
UNDER CONDITIONAL MITIGATION
Join Date: Mar 2004
Location: Austin, TX
Posts: 20,012
Quote:
Originally Posted by SteveDallas
How did you get him to do that??? Ours just comes on in to our bedroom & climbs in.
Deadbolt on the bedroom door. Also, sleep naked or in just underwear, it gives you an added incentive not to give in and allow them in with you.
12-23-2005, 06:23 AM   #18
footfootfoot
To shreds, you say?
Join Date: Aug 2004
Location: in the house and on the street-how many, many feet we meet!
Posts: 18,449
Quote:
Originally Posted by Undertoad
Well, for me, admitting all this is like staceyv admitting she yelled at her puppy...
!!!
__________________
The internet is a hateful stew of vomit you can never take completely seriously. - Her Fobs
12-23-2005, 04:27 PM   #19
Undertoad
Radical Centrist
Join Date: Jan 2001
Location: Cottage of Prussia
Posts: 31,423
Ten attacks today. So far.

An lsof found that their open process was constantly connecting to 210.170.60.2. That address is now blocked at the firewall. I think.

It's in Japan. But I dunno if that was the target or the source, or whether it's just a bridge to somewhere else.
12-23-2005, 06:24 PM   #20
Elspode
When Do I Get Virtual Unreality?
Join Date: Dec 2002
Location: Raytown, Missouri
Posts: 12,719
Can you notify the IP owner?
__________________
"To those of you who are wearing ties, I think my dad would appreciate it if you took them off." - Robert Moog
12-23-2005, 06:34 PM   #21
Undertoad
Radical Centrist
Join Date: Jan 2001
Location: Cottage of Prussia
Posts: 31,423
There's no reverse DNS on the address. But whois lookup says it belongs to

TELE PLANNING INTERNATIONAL INC.

in Japan. There's technical contact information:

http://whois.nic.ad.jp/cgi-bin/whois_gw?key=MJ018JP
12-23-2005, 06:39 PM   #22
Undertoad
Radical Centrist
Join Date: Jan 2001
Location: Cottage of Prussia
Posts: 31,423
Look, it's trying right now. netstat -an includes the lines:

tcp 0 1 207.245.113.66:43901 210.170.60.2:3982 SYN_SENT
tcp 0 1 207.245.113.66:43905 210.170.60.2:3982 SYN_SENT

I don't think this firewall works.

Naw, it just tried again. Damn.

lsof:

# lsof -p 6683
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
exe 6683 nobody cwd DIR 3,3 4096 2 /
exe 6683 nobody rtd DIR 3,3 4096 2 /
exe 6683 nobody txt REG 3,6 17828 30 /tmp/upxBQHBVKFAGQ0 (deleted)
exe 6683 nobody mem REG 3,3 90168 2371760 /lib/ld-2.3.2.so
exe 6683 nobody mem REG 3,3 1452984 49557 /lib/i686/libc-2.3.2.so
exe 6683 nobody 0r CHR 1,3 1701592 /dev/null
exe 6683 nobody 1r CHR 1,3 1701592 /dev/null
exe 6683 nobody 2r CHR 1,3 1701592 /dev/null
exe 6683 nobody 3u IPv4 511195499 TCP topaz:43909->210.170.60.2:3982 (SYN_SENT)
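As an added example (not code from the post or the forum), here is a small triage script that applies the indicators visible in the output above: an executable that was unlinked after launch, an executable loaded from a scratch directory, all three standard streams detached to /dev/null, and repeated half-open connections to a single remote endpoint. The sample input is the lsof and netstat output quoted in the post; the scratch-directory list and the "three streams on /dev/null" rule are assumptions of the example.

```python
#!/usr/bin/env python3
"""Added triage example: score `lsof -p` and `netstat -an` output for the
indicators seen in the post (not code from the thread)."""
import re
from collections import Counter
from typing import Dict, List

# Sample input: the lsof and netstat lines quoted in the post above.
LSOF_SAMPLE = """\
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
exe 6683 nobody cwd DIR 3,3 4096 2 /
exe 6683 nobody rtd DIR 3,3 4096 2 /
exe 6683 nobody txt REG 3,6 17828 30 /tmp/upxBQHBVKFAGQ0 (deleted)
exe 6683 nobody mem REG 3,3 90168 2371760 /lib/ld-2.3.2.so
exe 6683 nobody mem REG 3,3 1452984 49557 /lib/i686/libc-2.3.2.so
exe 6683 nobody 0r CHR 1,3 1701592 /dev/null
exe 6683 nobody 1r CHR 1,3 1701592 /dev/null
exe 6683 nobody 2r CHR 1,3 1701592 /dev/null
exe 6683 nobody 3u IPv4 511195499 TCP topaz:43909->210.170.60.2:3982 (SYN_SENT)
"""
NETSTAT_SAMPLE = """\
tcp 0 1 207.245.113.66:43901 210.170.60.2:3982 SYN_SENT
tcp 0 1 207.245.113.66:43905 210.170.60.2:3982 SYN_SENT
"""

# Assumed list of directories where a long-lived service binary should never live.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
_SOCKET_RE = re.compile(r"\b(TCP|UDP) \S+->(\S+) \((\w+)\)")


def _name_field(parts: List[str]) -> str:
    """lsof's NAME column sits after a variable number of fields (REG rows carry
    SIZE, CHR rows do not), so locate it by its first token."""
    for i in range(5, len(parts)):
        if parts[i].startswith("/") or parts[i] in ("TCP", "UDP"):
            return " ".join(parts[i:])
    return " ".join(parts[5:])


def triage_lsof(text: str) -> Dict[str, List[str]]:
    """Return {pid: [reasons]} for every process with at least one indicator."""
    reasons: Dict[str, List[str]] = {}
    null_std: Counter = Counter()  # how many of fd 0/1/2 point at /dev/null, per pid
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 6:
            continue
        _cmd, pid, user, fd, _ftype = parts[:5]
        name = _name_field(parts)
        hits = reasons.setdefault(pid, [])
        if fd == "txt":
            if name.endswith("(deleted)"):
                hits.append(f"executable unlinked while still running: {name}")
            if name.startswith(SCRATCH_DIRS):
                hits.append(f"executable loaded from a scratch directory: {name}")
        if fd in ("0r", "1r", "2r", "0u", "1u", "2u") and name == "/dev/null":
            null_std[pid] += 1
        m = _SOCKET_RE.search(name)
        if m:
            hits.append(f"outbound {m.group(1)} to {m.group(2)} in state {m.group(3)} as {user}")
    for pid, n in null_std.items():
        if n == 3:
            reasons[pid].append("stdin/stdout/stderr all detached to /dev/null (daemonised)")
    return {pid: r for pid, r in reasons.items() if r}


def syn_sent_targets(text: str) -> Counter:
    """Count half-open (SYN_SENT) TCP connections per remote endpoint; repeated
    attempts to one endpoint from fresh local ports suggest a beacon or flood."""
    targets: Counter = Counter()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[0].startswith("tcp") and parts[5] == "SYN_SENT":
            targets[parts[4]] += 1
    return targets


if __name__ == "__main__":
    for pid, hits in triage_lsof(LSOF_SAMPLE).items():
        print(f"pid {pid}:")
        for h in hits:
            print("  -", h)
    for remote, n in syn_sent_targets(NETSTAT_SAMPLE).items():
        print(f"{n} half-open connection(s) to {remote}")
```

Run on a live host, the same two functions can be fed `lsof -p <pid>` and `netstat -an` output directly; the point of the deleted-executable and scratch-directory rules is that they hold even when the process has renamed itself to look like the web server.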
12-23-2005, 07:11 PM   #23
Griff
still says videotape
Join Date: Feb 2001
Posts: 26,813
Gee whiz I wish I had some idea about this stuff. Keep fighting the good fight Bro.
__________________
If you would only recognize that life is hard, things would be so much easier for you.
- Louis D. Brandeis
12-23-2005, 07:47 PM   #24
richlevy
King Of Wishful Thinking
Join Date: Jan 2001
Location: Philadelphia Suburbs
Posts: 6,669
I'd send an e-mail to the tech contact. If they've been infected, you would be doing them a favor by informing them.
__________________
Exercise your rights and remember your obligations - VOTE!
I have always believed that hope is that stubborn thing inside us that insists, despite all the evidence to the contrary, that something better awaits us so long as we have the courage to keep reaching, to keep working, to keep fighting. -- Barack Hussein Obama
12-23-2005, 07:54 PM   #25
Undertoad
Radical Centrist
Join Date: Jan 2001
Location: Cottage of Prussia
Posts: 31,423
Yeah, but I don't know if they're the target or the source.

I'm not sure the firewall was up, or maybe it was and it was preventing that attack. I do know the firewall blocked my DNS services for a bit. Damn I am supposed to know what I'm doing on this stuff.
12-23-2005, 08:19 PM   #26
Undertoad
Radical Centrist
Join Date: Jan 2001
Location: Cottage of Prussia
Posts: 31,423
I found it. In the crontab of the userid that runs the web server was an entry that created a binary that would start its work, delete itself, and change its name to the same process name as the web server.

Before they loaded this, they trojaned every single utility used to do network administration. With VERY good trojans, exactly the same size as the originals. I only found that because I have safe copies of these utilities everywhere, along with the safe copies of the checksum programs that let you detect what's changed.

Things are better. Not great but better. The people who were supposed to do the network configuration at our new location, failed to do so again and so we can't move til Monday at the soonest.

I figured out that it was a cron entry because the parent process id of the DOSsing daemon was 0.
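A defender-side illustration of the integrity check Undertoad describes above, added here as an example and not code from the thread: it records SHA-256 digests for trusted utilities in a manifest and shows that a replacement padded to exactly the original's size passes a size comparison but fails the digest comparison. The file name and contents are constructed for the demo; as the post notes for its own checksum tools, the manifest and the interpreter running this script are assumed to come from trusted media rather than from the compromised host.

```python
#!/usr/bin/env python3
"""Added example (not code from the thread): verify utilities against a
known-good manifest and show why a size comparison alone is not enough."""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List, Tuple

Manifest = Dict[str, Tuple[int, str]]  # path -> (size in bytes, sha256 hex digest)


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so large binaries never load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths: Iterable[str]) -> Manifest:
    """Record (size, digest) for trusted files. Do this from clean media before an
    incident and keep the result off the host, as the post does with its safe copies."""
    return {p: (os.path.getsize(p), sha256_file(p)) for p in paths}


def size_only_check(manifest: Manifest) -> Dict[str, List[str]]:
    """The weak check: compare lengths only. A replacement padded to the original
    length (the case the post describes) passes this silently."""
    problems: Dict[str, List[str]] = {}
    for path, (size, _digest) in manifest.items():
        if not os.path.exists(path):
            problems[path] = ["missing"]
        elif os.path.getsize(path) != size:
            problems[path] = ["size changed"]
    return problems


def verify(manifest: Manifest) -> Dict[str, List[str]]:
    """The real check: any change in size or content is reported."""
    problems: Dict[str, List[str]] = {}
    for path, (size, digest) in manifest.items():
        if not os.path.exists(path):
            problems[path] = ["missing"]
            continue
        issues: List[str] = []
        if os.path.getsize(path) != size:
            issues.append("size changed")
        if sha256_file(path) != digest:
            issues.append("sha256 changed")
        if issues:
            problems[path] = issues
    return problems


def demo() -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Constructed scenario: a stand-in 'netstat' is baselined, then overwritten with
    a different file of exactly the same length. Returns (size-only, full) findings."""
    original = b"#!/bin/sh\necho genuine netstat\n"
    replacement = b"#!/bin/sh\necho altered netstat\n"
    if len(replacement) != len(original):
        raise ValueError("the constructed replacement must match the original length")
    with tempfile.TemporaryDirectory() as d:
        tool = os.path.join(d, "netstat")
        with open(tool, "wb") as f:
            f.write(original)
        manifest = build_manifest([tool])  # baseline taken while the file is clean
        with open(tool, "wb") as f:
            f.write(replacement)  # same size, different content
        return size_only_check(manifest), verify(manifest)


if __name__ == "__main__":
    weak, strong = demo()
    print("size-only check reported:", weak or "nothing")
    print("sha256 check reported:   ", strong)
```

The same `verify` function, pointed at `/bin`, `/sbin` and the like with a manifest built from install media, is the check that would have caught the replaced administration utilities; running it from a trusted boot or a statically linked copy of the interpreter keeps the check itself out of the attacker's reach.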
12-23-2005, 09:13 PM   #27
zippyt
LONG LIVE KING ZIPPY! per Feetz
Join Date: Mar 2003
Location: Arkansas
Posts: 7,661
Good job UT !!!!!!

Trace down their address , and me and Louie will go have a TALK wit' em !
__________________
"Success is getting what you want. Happiness is wanting what you get. "
Brother Dave Gardner
12-24-2005, 08:57 AM   #28
xoxoxoBruce
The future is unwritten
Join Date: Oct 2002
Posts: 71,105
Quote:
Originally Posted by Undertoad
Well, for me, admitting all this is like staceyv admitting she yelled at her puppy. Waking up in the middle of the night is the penance. I was dumb, I left the vulnerable machine up, I am punished.
Aw bullshit. You're embarrassed because you want to live some kind of normal life instead of holing up in a dark room like a L0pht member? Screw that, Sir. You are providing us, at considerable cost in time and money, with a great service. Greater than you can imagine at certain times.
We certainly have no right to complain one bit.
You, Sir, are our hero.
__________________
The descent of man ~ Nixon, Friedman, Reagan, Trump.
12-24-2005, 11:39 AM   #29
richlevy
King Of Wishful Thinking
Join Date: Jan 2001
Location: Philadelphia Suburbs
Posts: 6,669
Quote:
Originally Posted by xoxoxoBruce
Aw bullshit. You're embarrassed because you want to live some kind of normal life instead of holing up in a dark room like a L0pht member? Screw that, Sir. You are providing us, at considerable cost in time and money, with a great service. Greater than you can imagine at certain times.
We certainly have no right to complain one bit.
You, Sir, are our hero.
I concur with Bruce. I really love the Cellar, but it's not worth screwing up your second relationship. When I was on call, I always felt guilty when the phone would wake up my wife. In your case this is a hobby, not your livelihood, so there is not even that justification.

BTW, as soon as the bills clear and I verify the status of the checking account I have tied to Paypal, I will drop something into the Cellar Defense Fund. I don't remember if my last donation was 2005 or 2004, so I figure that I'm due.

It won't be a lot, but at least enough for caffeine pills and aspirin.

Since these guys are technically cyber-terrorists, I would assume that under the current political climate, you have the authority to hire contractors to deal with them if you identify them.

Maybe the guys from BlackWater would like a warmup mission before going to Iraq. We could have a fundraiser.
__________________
Exercise your rights and remember your obligations - VOTE!
I have always believed that hope is that stubborn thing inside us that insists, despite all the evidence to the contrary, that something better awaits us so long as we have the courage to keep reaching, to keep working, to keep fighting. -- Barack Hussein Obama
12-24-2005, 01:07 PM   #30
Undertoad
Radical Centrist
Join Date: Jan 2001
Location: Cottage of Prussia
Posts: 31,423
Y'know what it is - it's like an electrician who goes home and doesn't wire his own house to code, because he figures he pretty much knows what he's doing, and that, well that can be fixed later, as long as we don't plug something heavy into it, that's what it is.