Is this evidence of an attack

Post by Gary Lawrence Murph » Wed, 30 Oct 1996 04:00:00

I think my client may be under attack.  The symptoms are strange,
but so is their setup so I'd believe this is just a config trouble.

Here's what happens:

There is typically an in.fingerd call in the log from the core
machine of another ISP.  Then, if there is a console open on their
nameserver/webserver/mailserver machine (Linux 2.1.1), we get
a rapid succession of "request to talk" messages with no username
or a gibberish username and the same remote ISP machine; lately, I have
been getting a gibberish name but with the local machine name, but
again, a rapid succession ...

... and then the remote router (in another town) crashes.

On one occasion, I had remote xterms into the machine from my office,
I saw the same in.fingerd messages appear in my log, and all of my
xterm windows one-by-one turned to gibberish and then vanished.

We were ready to believe the router trouble was voltage fluctuations
(it's a computone connected to a Compatible 2800i) except this never
occurs during business hours.  The config on both the computone and
the 2800i seem fine, although both have been configured with IPs on the
192.168.2.0 network.  I am also aware of the "evil ping" attack and
wonder if there is something similar happening here --- the initial
occurrence of in.fingerd (if it is related) suggests the method will
only work if the attacker knows that a local tty is in use.

I have checked both machines with ISS and COPS --- Satan won't run
under Linux :( --- and both show no obvious holes. If this is an
intruder, how do I gather more information?

--

(519) 422-1150 fax:422-2723 ---- RR1/F3 Sauble Beach, Ontario, Canada
TeleDynamics ----------- http://www.geocities.com/SiliconValley/7704/
-------------------The view from the high mountain is worth the climb

Post by Gregory R Beel » Wed, 30 Oct 1996 04:00:00


Greetings, all...


writes:

>There is typically a in.fingerd call in the log from the core
>machine of another ISP.  Then, if there is a console open on their
>nameserver/webserver/mailserver machine (Linux 2.1.1), we get
>a rapid succession of "request to talk" messages with no username
>or a gibberish username and the same remote ISP machine; lately, I have
>been getting a gibberish name but with the local machine name, but
>again, a rapid succession ...

This looks like a buffer overrun to me.  I just grabbed the source to
the latest Slackware's release of talkd, and it does certainly do its
share to promote the use of sprintf(), strcpy(), etc., and there
appears to be no protection on these commands as far as length is
concerned (i.e., the sprintf()'s have raw %s's in them, etc).  It might
be possible that the buffers are coincidentally big enough if the code
has a limiter on the UDP packet size, but.... this is worth some
investigation.  Anyone have any ideas?  I only glanced at the source
code; I haven't analyzed it at all.

----Greg

Post by Roger Espel Lli » Thu, 31 Oct 1996 04:00:00
>writes:

>>There is typically a in.fingerd call in the log from the core
>>machine of another ISP.  Then, if there is a console open on their
>>nameserver/webserver/mailserver machine (Linux 2.1.1), we get
>>a rapid succession of "request to talk" messages with no username
>>or a gibberish username and the same remote ISP machine; lately, I have
>>been getting a gibberish name but with the local machine name, but
>>again, a rapid succession ...

That looks just like someone sending 'flashes' to me, which are talk
requests with escape-sequences embedded in the remote username.  An old
and rather forgettable attack... there are patched talkd's floating
around that don't allow that; it's just a matter of ignoring the packet
if you see an escape anywhere in the username.

>This looks like a buffer overrun to me.  I just grabbed the source to
>the latest Slackware's release of talkd, and it does certainly do its
>share to promote the use of sprintf(), strcpy(), etc., and there
>appears to be no protection on these commands as far as length is
>concerned (i.e., the sprintf()'s have raw %s's in them, etc).  It might
>be possible that the buffers are coincidentally big enough if the code
>has a limiter on the UDP packet size, but.... this is worth some
>investigation.  Anyone have any ideas?  I only glanced at the source
>code; I haven't analyzed it at all.

All the fields in a talk daemon UDP packet have limited fixed sizes, but
the daemon should take into account the fact that the local username
field in a malformed packet might not be null-terminated, so it would
get concatenated with the remote username field (which is right after
it).

A quick look at the talkd code shows that the only sprintf's a BSD talkd
does (other than some debug info in debug mode) are done into an array of
5 120-byte buffers, and two of the lines look like:

        (with i == 2)

                        request->l_name, remote_machine);
        (with i == 3)

                        request->l_name, remote_machine);

where remote_machine is the h_name field of a gethostbyname() of the
machine the packet came from.  

Looking at the code "gcc -S" produces on a SunOS 4.x machine, we see
that for the sprintf done with i == 3, the line length needed to
overwrite past the end of the buffer, as well as the next buffer, and
the other 30-odd bytes of local variables, to get into the return
address on the stack, would be around 270.  The daemon fills 28 bytes of

request to actually get printed the local name must be right, so the
remote name can be at most 12 chars + the local name, which makes at
most 20.  

Therefore, an attack *should* be possible with a faked hostname
containing machine code, and the hostname would need to have a length of
around 220 chars.  I don't know if DNS's would even propagate such a
name, but I kind of doubt it.

If anyone has better ideas...   I *think* that, seeing the code, any
buffer overflows shorter than that couldn't be exploited or be made
to do anything worse than coredump the daemon.

        -Roger
--

WWW page & PGP key: http://www.eleves.ens.fr:8080/home/espel/index.html

Post by Ronnie Koch - BC » Thu, 31 Oct 1996 04:00:00


-- large snip --

> I have checked both machines with ISS and COPS --- Satan won't run
> under Linux :( --- and both show no obvious holes.

Satan _does_ run under Linux (There is a version with minor patches for
Linux on one of the standard Linux distribution sites - I can't remember
which one).

You could also run Satan on another machine with a different OS and just
point it at your Linux machine (doesn't work if you only have Linux
machines :-).

Regards

Ronnie

--------------------------------------------------------------------
Ronnie Koch                   | Snailmail: POBox 60124
Bsc Eng (Elec)(Pret) MSAIEE   |            Pierre van Ryneveld 0045

--------------------------------------------------------------------

Post by Valdis Kletnie » Sat, 02 Nov 1996 04:00:00

[Posted and mailed]

> There is typically a in.fingerd call in the log from the core
> machine of another ISP.  Then, if there is a console open on their
> nameserver/webserver/mailserver machine (Linux 2.1.1), we get
> a rapid succession of "request to talk" messages with no username
> or a gibberish username and the same remote ISP machine; lately, I have
> been getting a gibberish name but with the local machine name, but
> again, a rapid succession ...

Sounds like you've been hit by "flash" - it relies on the fact that
many talkd's are broken and pass through the purported userid without
any filtering.  So the attacking machine sends a packet "talk request

resets...

Cure for this is getting a talkd that converts non-printable chars to blanks.

> ... and then the remote router (in another town) crashes.

Hmm.. could be one of the many other attacks - somebody just posted to
another list about how certain vendor's routers at certain releases
would blow chow if they received the right combination of IP and/or
TCP option bytes.

--
                                Valdis Kletnieks
                                Computer Systems Engineer
                                *ia Tech
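Roger's point above (an unterminated l_name runs straight into r_name) and Valdis's cure (convert non-printable characters to blanks) come down to the same bounded, sanitising copy of the name fields. The following is an added example written for this thread, not code from any poster or from any talkd; it keeps only the two name fields of the request and assumes NAME_SIZE is 12 as in BSD talkd.h.

```c
/* Added example, not the thread's or any talkd's own code: bounded, sanitised
 * handling of a talk request's name fields, combining Roger's point (l_name
 * may lack a NUL and run into r_name) with Valdis's cure (non-printable bytes
 * become blanks). NAME_SIZE 12 follows BSD talkd.h as assumed here. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <string.h>
#define NAME_SIZE 12

typedef struct {
    char l_name[NAME_SIZE];  /* caller's login; not guaranteed NUL-terminated */
    char r_name[NAME_SIZE];  /* callee's login; immediately follows l_name */
} talk_names;

/* Copy a fixed-width field into a NUL-terminated buffer. strnlen() stops at
 * the field width, so a missing NUL cannot run the copy on into r_name.
 * Returns how many non-printable bytes (ESC included) were turned into blanks. */
int copy_name_safe(char *dst, size_t dstlen, const char *field, size_t width)
{
    size_t n = strnlen(field, width);
    int replaced = 0;
    if (n >= dstlen)
        n = dstlen - 1;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)field[i];
        dst[i] = isprint(c) ? (char)c : ' ';
        replaced += !isprint(c);
    }
    dst[n] = '\0';
    return replaced;
}

/* Policy of the "ignore the packet" patches: 1 if either name had a control byte. */
int request_is_flash(const talk_names *req)
{
    char l[NAME_SIZE + 1], r[NAME_SIZE + 1];
    int bad = copy_name_safe(l, sizeof l, req->l_name, NAME_SIZE);
    bad += copy_name_safe(r, sizeof r, req->r_name, NAME_SIZE);
    return bad > 0;
}

/* Constructed request; a name of exactly NAME_SIZE bytes is stored with no NUL. */
talk_names make_request(const char *l, const char *r)
{
    talk_names req;
    memset(&req, 0, sizeof req);
    memcpy(req.l_name, l, strnlen(l, NAME_SIZE));
    memcpy(req.r_name, r, strnlen(r, NAME_SIZE));
    return req;
}
```

A daemon that wants the lenient behaviour delivers the cleaned copy and logs the count; one that wants the strict behaviour drops the request when request_is_flash() returns 1.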

Post by J. Sh » Sat, 02 Nov 1996 04:00:00


Sounds like someone is flashing the tty's.  By what you've described, it looks

close the finger or talk daemons down.  I'd personally advise doing all 3, unless
there is a real reason to have finger and talk running.  Or, you could just turn off
remote fingers, or add "mesg n" to your .login.  Hope this helps you.


: There is typically a in.fingerd call in the log from the core
: machine of another ISP.  Then, if there is a console open on their
: nameserver/webserver/mailserver machine (Linux 2.1.1), we get
: a rapid succession of "request to talk" messages with no username
: or a gibberish username and the same remote ISP machine; lately, I have
: been getting a gibberish name but with the local machine name, but
: again, a rapid succession ...

--

Escalation Engineer
Charter Communications International
Formerly Phoenix Data Net
"Each member of the team brings something different to the
group.  Speciality breeds in weakness..."
-Ghost In The Shell

Post by Karcian DarkeMa » Tue, 05 Nov 1996 04:00:00



: been getting a gibberish name but with the local machine name, but
: again, a rapid succession ...
:
: ... and then the remote router (in another town) crashes.
:
: On one occasion, I had remote xterms into the machine from my office,
: I saw the same in.fingerd messages appear in my log, and all of my
: xterm windows one-by-one turned to gibberish and then vanished.

sounds more like they are using flash

:
: We were ready to believe the router trouble was voltage fluctuations
: (its a computone connected to a Compatible 2800i) except this never
: occurs during business hours.  The config on both the computone and
: the 2800i seem fine, although both have been configured with IPs on the
: 192.168.2.0 network.  I am also aware of the "evil ping" attack and
: wonder if there is something similar happening here --- the initial
: occurance of in.fingerd (if it is related) suggests the method will
: only work if the attacker knows that a local tty is in use.

not quite - if it is flash - them using it is not much use unless someone is around to be 'flashed'. More or less, if your machine allows talkd requests
to come in then you can be 'flashed'; either add in.talkd to hosts.deny or
add 'mesg n' to all your .login files.
:
: I have checked both machines with ISS and COPS --- Satan won't run
: under Linux :( --- and both show no obvious holes. If this is an
: intruder, how do I gather more information?

do you get any in.talkd requests in your log files? That's a pretty good sign that flash is being used - of course, it could be something else, some sorta
XWindow 'hack' maybe.


--
Darke / *Lynx <Synner Darkemane>

Witch, WereWolf, WereLynx, Lycanthropic Occultist,
Avid Book Collector, Gothick, Seeker of knowledge.

1. router log - I am under attack ??

Hello!

I've been reading my router's log, and I found something that could be
"nasty", let's say... Among other things, the router complains about some
(quite many I'd say) unrecognized accesses at port UDP 137. Doesn't that
mean that they (whoever they are) are trying to get to my shares?
The log says something like:

-------------------------------------------
Sat 07 Jun 2003 10:02:21 AM CEST Unrecognized access from 218.63.155.24:1026 to UDP port 137
Sat 07 Jun 2003 10:13:25 AM CEST Unrecognized access from 156.34.18.51:65290 to UDP port 137
Sat 07 Jun 2003 10:15:06 AM CEST Unrecognized access from 61.65.79.156:1029 to UDP port 137
Sat 07 Jun 2003 10:22:19 AM CEST Unrecognized access from 210.17.129.239:19805 to UDP port 137
Sat 07 Jun 2003 10:28:35 AM CEST Unrecognized access from 80.39.155.195:22593 to UDP port 137
Sat 07 Jun 2003 10:29:28 AM CEST Unrecognized access from 202.142.87.142:1028 to UDP port 137
Sat 07 Jun 2003 10:38:08 AM CEST Unrecognized access from 202.164.175.162:1064 to UDP port 137
 213.17.233.70:41701 to UDP port 137
Sat 07 Jun 2003 10:46:39 AM CEST Unrecognized access from 218.88.134.40:21131 to UDP port 137
Sat 07 Jun 2003 10:59:46 AM CEST Unrecognized access from 202.99.225.46:41290 to UDP port 137
Sat 07 Jun 2003 11:00:58 AM CEST Unrecognized access from 217.197.168.6:64555 to UDP port 137
Sat 07 Jun 2003 11:03:37 AM CEST Unrecognized access from 80.255.43.194:1028 to UDP port 137
Sat 07 Jun 2003 11:07:32 AM CEST Unrecognized access from 218.169.52.34:64441 to TCP port 445
Sat 07 Jun 2003 11:08:01 AM CEST Unrecognized access from 61.188.89.134:1026 to UDP port 137
Sat 07 Jun 2003 11:08:01 AM CEST Unrecognized access from 212.119.66.132:1024 to UDP port 137
---------------------------------------------

Behind the router there are 4 computers: linux, win98, winxp, mac OS9, all
sharing music and stuff among each other.
Should I be worried about these logs?? I guess there are hundreds of them
in one day... I AM UNDER SIEGE ??

Thanks in advance. Appreciate some advice, maybe on how to secure things up a
little bit.
