Have I been hacked?

Have I been hacked?

Post by Silviu Minu » Tue, 19 Dec 2000 03:43:13



Running vanilla RedHat7.0. I got something funny in /var/log/messages

Dec 10 23:33:45 localhost udplog[484]: dgram to port 6970 from
209.67.101.226:2425 sz=290(+28)
Dec 10 23:33:45 localhost last message repeated 3 times
Dec 10 23:33:45 localhost udplog[484]: dgram to port 6970 from
209.67.101.226:2425 sz=300(+28)
Dec 10 23:33:46 localhost udplog[484]: dgram to port 6970 from
209.67.101.226:2425 sz=290(+28)
Dec 10 23:33:46 localhost last message repeated 6 times
Dec 10 23:33:47 localhost udplog[484]: dgram to port 6970 from
209.67.101.226:2425 sz=300(+28)
Dec 10 23:33:47 localhost udplog[484]: dgram to port 6970 from
209.67.101.226:2425 sz=290(+28)
Dec 10 23:33:47 localhost last message repeated 6 times
Dec 10 23:33:48 localhost udplog[484]: dgram to port 6970 from
209.67.101.226:2425 sz=300(+28)
Dec 10 23:33:48 localhost udplog[484]: dgram to port 6970 from
209.67.101.226:2425 sz=290(+28)
Dec 10 23:33:49 localhost last message repeated 6 times
Dec 10 23:33:49 localhost udplog[484]: dgram to port 6970 from
209.67.101.226:2425 sz=300(+28)
Dec 10 23:33:49 localhost udplog[484]: dgram to port 6970 from
209.67.101.226:2425 sz=290(+28)
Dec 10 23:33:50 localhost last message repeated 6 times
Dec 10 23:33:50 localhost udplog[484]: dgram to port 6970 from
209.67.101.226:2425 sz=300(+28)
Dec 10 23:33:50 localhost udplog[484]: dgram to port 6970 from
209.67.101.226:2425 sz=290(+28)
Dec 10 23:33:51 localhost last message repeated 6 times
Dec 10 23:33:51 localhost udplog[484]: dgram to port 6970 from
209.67.101.226:2425 sz=300(+28)
Dec 10 23:33:51 localhost udplog[484]: dgram to port 6970 from
209.67.101.226:2425 sz=290(+28)
Dec 10 23:33:52 localhost last message repeated 6 times
Dec 10 23:33:52 localhost udplog[484]: dgram to port 6970 from
209.67.101.226:2425 sz=300(+28)
Dec 10 23:33:52 localhost udplog[484]: dgram to port 6970 from
209.67.101.226:2425 sz=290(+28)
Dec 10 23:33:53 localhost last message repeated 6 times
Dec 10 23:33:53 localhost udplog[484]: dgram to port 6970 from
209.67.101.226:2425 sz=300(+28)
Dec 10 23:33:53 localhost udplog[484]: dgram to port 6970 from
209.67.101.226:2425 sz=290(+28)
Dec 10 23:33:54 localhost last message repeated 6 times
Dec 10 23:33:54 localhost udplog[484]: dgram to port 6970 from
209.67.101.226:2425 sz=300(+28)
Dec 10 23:33:54 localhost udplog[484]: dgram to port 6970 from
209.67.101.226:2425 sz=290(+28)
Dec 10 23:33:55 localhost last message repeated 6 times
Dec 10 23:33:55 localhost udplog[484]: dgram to port 6970 from
209.67.101.226:2425 sz=300(+28)
Dec 10 23:33:55 localhost udplog[484]: dgram to port 6970 from
209.67.101.226:2425 sz=290(+28)
Dec 10 23:33:56 localhost last message repeated 6 times
Dec 10 23:33:56 localhost udplog[484]: dgram to port 6970 from
209.67.101.226:2425 sz=300(+28)
Dec 10 23:33:57 localhost udplog[484]: dgram to port 6970 from
209.67.101.226:2425 sz=290(+28)
Dec 10 23:33:57 localhost last message repeated 6 times
Dec 10 23:33:57 localhost udplog[484]: dgram to port 6970 from
209.67.101.226:2425 sz=300(+28)
Dec 10 23:33:58 localhost udplog[484]: dgram to port 6970 from
209.67.101.226:2425 sz=290(+28)
Dec 10 23:33:58 localhost last message repeated 6 times
Dec 10 23:33:59 localhost udplog[484]: dgram to port 6970 from
209.67.101.226:2425 sz=300(+28)
Dec 10 23:33:59 localhost udplog[484]: dgram to port 6970 from
209.67.101.226:2425 sz=290(+28)
Dec 10 23:33:59 localhost last message repeated 6 times
Dec 10 23:34:00 localhost udplog[484]: dgram to port 6970 from
209.67.101.226:2425 sz=300(+28)
Dec 10 23:34:00 localhost udplog[484]: dgram to port 6970 from
209.67.101.226:2425 sz=290(+28)
Dec 10 23:34:01 localhost last message repeated 6 times
Dec 10 23:34:01 localhost udplog[484]: dgram to port 6970 from
209.67.101.226:2425 sz=300(+28)
Dec 10 23:34:01 localhost udplog[484]: dgram to port 6970 from
209.67.101.226:2425 sz=290(+28)
Dec 10 23:34:02 localhost last message repeated 6 times
Dec 10 23:34:02 localhost udplog[484]: dgram to port 6970 from
209.67.101.226:2425 sz=300(+28)
Dec 10 23:34:02 localhost udplog[484]: dgram to port 6970 from
209.67.101.226:2425 sz=290(+28)
Dec 10 23:34:03 localhost last message repeated 6 times
Dec 10 23:34:03 localhost udplog[484]: dgram to port 6970 from
209.67.101.226:2425 sz=300(+28)
Dec 10 23:34:03 localhost udplog[484]: dgram to port 6970 from
209.67.101.226:2425 sz=290(+28)
Dec 10 23:34:04 localhost last message repeated 6 times
Dec 10 23:34:04 localhost udplog[484]: dgram to port 6970 from
209.67.101.226:2425 sz=300(+28)
Dec 10 23:34:04 localhost udplog[484]: dgram to port 6970 from
209.67.101.226:2425 sz=290(+28)
Dec 10 23:34:05 localhost last message repeated 6 times
Dec 10 23:34:05 localhost udplog[484]: dgram to port 6970 from
209.67.101.226:2425 sz=300(+28)
Dec 10 23:34:05 localhost udplog[484]: dgram to port 6970 from
209.67.101.226:2425 sz=290(+28)
Dec 10 23:34:06 localhost last message repeated 6 times
Dec 10 23:34:06 localhost udplog[484]: dgram to port 6970 from
209.67.101.226:2425 sz=300(+28)
Dec 10 23:34:06 localhost udplog[484]: dgram to port 6970 from
209.67.101.226:2425 sz=290(+28)
Dec 10 23:34:07 localhost last message repeated 6 times
Dec 10 23:34:07 localhost udplog[484]: dgram to port 6970 from
209.67.101.226:2425 sz=300(+28)
Dec 10 23:34:07 localhost udplog[484]: dgram to port 6970 from
209.67.101.226:2425 sz=290(+28)
Dec 10 23:34:09 localhost udplog[484]: dgram to port 6970 from
209.67.101.226:2425 sz=290(+28)
Dec 10 23:34:09 localhost icmplog[464]: 209.67.78.207: udp port is
unreachable [dp=6772 sp=6970]
Dec 10 23:34:09 localhost last message repeated 3 times
Dec 10 23:34:09 localhost udplog[484]: dgram to port 6970 from
209.67.101.226:2425 sz=290(+28)

Dec 16 21:53:14 localhost portsentry[700]: attackalert: Connect from
host: c661346-a.elnsng1.mi.home.com/24.183.178.115 to TCP port: 6667
Dec 16 21:53:14 localhost tcplog[15062]: telnet connection attempt from
c661346-a.elnsng1.mi.home.com:1520
Dec 16 21:53:14 localhost portsentry[700]: attackalert: Host
24.183.178.115 has been blocked via wrappers with string: "ALL:
24.183.178.115"
Dec 16 21:53:14 localhost xinetd[15064]: Bad line received from identity
server at 24.183.178.115: 1520
Dec 16 21:53:14 localhost portsentry[700]: attackalert: Host
24.183.178.115 has been blocked via dropped route using command:
"/sbin/route add -host 24.183.178.115 gw 127.0.0.1"

and in /etc/hosts.deny

ALL: 24.183.178.115
ALL: 209.153.128.248

What are those guys doing here? What are ports 6970 and 6667? Is 6667 an
X server port? What do I do now?

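Added example, not part of the original post or of the replies: a small Python script that parses the kinds of lines shown above (udplog, icmplog, portsentry, tcplog), re-expands syslog's "last message repeated N times" so the counts reflect what actually arrived, and tallies inbound probes per source, protocol and destination port. The embedded sample log is constructed from the post's own lines, re-joined where the post wrapped them; the port-name table covers only the two ports the thread discusses.

```python
import re
from collections import Counter

# Constructed sample input (not the whole log): the udplog, icmplog,
# portsentry and tcplog lines quoted in the post, re-joined where the post
# wrapped them, plus one of the "last message repeated" lines.
SAMPLE_LOG = """\
Dec 10 23:33:45 localhost udplog[484]: dgram to port 6970 from 209.67.101.226:2425 sz=290(+28)
Dec 10 23:33:45 localhost last message repeated 3 times
Dec 10 23:33:45 localhost udplog[484]: dgram to port 6970 from 209.67.101.226:2425 sz=300(+28)
Dec 10 23:34:09 localhost icmplog[464]: 209.67.78.207: udp port is unreachable [dp=6772 sp=6970]
Dec 16 21:53:14 localhost portsentry[700]: attackalert: Connect from host: c661346-a.elnsng1.mi.home.com/24.183.178.115 to TCP port: 6667
Dec 16 21:53:14 localhost tcplog[15062]: telnet connection attempt from c661346-a.elnsng1.mi.home.com:1520
"""

# One regex per log source; each yields a source, a protocol and a destination port.
UDPLOG_RE = re.compile(
    r"udplog\[\d+\]: dgram to port (?P<dport>\d+) from (?P<src>[\d.]+):(?P<sport>\d+) sz=(?P<size>\d+)")
ICMPLOG_RE = re.compile(
    r"icmplog\[\d+\]: (?P<peer>[\d.]+): udp port is unreachable \[dp=(?P<dport>\d+) sp=(?P<sport>\d+)\]")
PORTSENTRY_RE = re.compile(
    r"portsentry\[\d+\]: attackalert: Connect from host: (?P<host>[^/\s]+)/(?P<src>[\d.]+) "
    r"to (?P<proto>TCP|UDP) port: (?P<dport>\d+)")
TCPLOG_RE = re.compile(
    r"tcplog\[\d+\]: (?P<service>\w+) connection attempt from (?P<host>[^\s:]+):(?P<sport>\d+)")
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times")
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) ")

# Well-known names for the ports the thread talks about (IANA registry).
PORT_NAMES = {"6667": "irc", "23": "telnet"}


def _parse_line(line):
    """Return an event dict for one syslog line, or None if it is not a probe/response line."""
    ts_m = TS_RE.match(line)
    ts = ts_m.group("ts") if ts_m else None
    m = UDPLOG_RE.search(line)
    if m:
        return {"ts": ts, "kind": "probe", "src": m["src"], "proto": "udp",
                "dport": m["dport"], "sport": m["sport"], "size": int(m["size"])}
    m = PORTSENTRY_RE.search(line)
    if m:
        return {"ts": ts, "kind": "probe", "src": m["src"], "host": m["host"],
                "proto": m["proto"].lower(), "dport": m["dport"]}
    m = TCPLOG_RE.search(line)
    if m:
        # tcplog names the service rather than the port number; keep the name.
        return {"ts": ts, "kind": "probe", "src": m["host"], "proto": "tcp",
                "dport": m["service"], "sport": m["sport"]}
    m = ICMPLOG_RE.search(line)
    if m:
        # A port-unreachable from a peer is a response to something this host sent,
        # not an inbound probe, so it is kept but counted separately.
        return {"ts": ts, "kind": "icmp-unreachable", "src": m["peer"],
                "proto": "udp", "dport": m["dport"], "sport": m["sport"]}
    return None


def parse_events(text):
    """Parse syslog text into events, expanding 'last message repeated N times'."""
    events, last = [], None
    for line in text.splitlines():
        rep = REPEAT_RE.search(line)
        if rep:
            # syslogd collapsed N further identical messages into this one line;
            # re-expand them so the counts reflect what actually arrived.
            if last is not None:
                events.extend(dict(last) for _ in range(int(rep["n"])))
            continue
        ev = _parse_line(line)
        if ev is not None:
            events.append(ev)
        last = ev  # an unparsed line breaks the chain for a following 'repeated'
    return events


def summarize(events):
    """Count inbound probes per (source, protocol, destination port)."""
    counts = Counter()
    for ev in events:
        if ev["kind"] == "probe":
            counts[(ev["src"], ev["proto"], ev["dport"])] += 1
    return counts


def report(text):
    """Human-readable summary lines, busiest source first."""
    counts = summarize(parse_events(text))
    lines = []
    for (src, proto, dport), n in counts.most_common():
        name = PORT_NAMES.get(dport, dport)
        lines.append(f"{src:<32} {proto}/{dport} ({name}): {n} packet(s)")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

On the sample above the UDP source comes out at 5 datagrams to port 6970 (one line, three collapsed repeats, one more line), which is the kind of per-source count that makes a sustained stream stand out from a single stray packet; on the full log in the post the same script would produce a far larger number for that one source.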

Have I been hacked?

Post by Tim » Tue, 19 Dec 2000 06:12:36



> Running vanilla RedHat7.0. I got something funny in /var/log/messages

> Dec 10 23:33:45 localhost udplog[484]: dgram to port 6970 from
> 209.67.101.226:2425 sz=290(+28)
> Dec 10 23:33:45 localhost last message repeated 3 times
> Dec 10 23:33:45 localhost udplog[484]: dgram to port 6970 from
> 209.67.101.226:2425 sz=300(+28)
> Dec 10 23:33:46 localhost udplog[484]: dgram to port 6970 from
> 209.67.101.226:2425 sz=290(+28)
> Dec 10 23:33:46 localhost last message repeated 6 times
> Dec 10 23:33:47 localhost udplog[484]: dgram to port 6970 from
> 209.67.101.226:2425 sz=300(+28)
> Dec 10 23:33:47 localhost udplog[484]: dgram to port 6970 from
> 209.67.101.226:2425 sz=290(+28)
> Dec 10 23:33:47 localhost last message repeated 6 times
> Dec 10 23:33:48 localhost udplog[484]: dgram to port 6970 from
> 209.67.101.226:2425 sz=300(+28)
> Dec 10 23:33:48 localhost udplog[484]: dgram to port 6970 from
> 209.67.101.226:2425 sz=290(+28)
> Dec 10 23:33:49 localhost last message repeated 6 times
> Dec 10 23:33:49 localhost udplog[484]: dgram to port 6970 from
> 209.67.101.226:2425 sz=300(+28)
> Dec 10 23:33:49 localhost udplog[484]: dgram to port 6970 from
> 209.67.101.226:2425 sz=290(+28)
> Dec 10 23:33:50 localhost last message repeated 6 times
> Dec 10 23:33:50 localhost udplog[484]: dgram to port 6970 from
> 209.67.101.226:2425 sz=300(+28)
> Dec 10 23:33:50 localhost udplog[484]: dgram to port 6970 from
> 209.67.101.226:2425 sz=290(+28)
> Dec 10 23:33:51 localhost last message repeated 6 times
> Dec 10 23:33:51 localhost udplog[484]: dgram to port 6970 from
> 209.67.101.226:2425 sz=300(+28)
> Dec 10 23:33:51 localhost udplog[484]: dgram to port 6970 from
> 209.67.101.226:2425 sz=290(+28)
> Dec 10 23:33:52 localhost last message repeated 6 times
> Dec 10 23:33:52 localhost udplog[484]: dgram to port 6970 from
> 209.67.101.226:2425 sz=300(+28)
> Dec 10 23:33:52 localhost udplog[484]: dgram to port 6970 from
> 209.67.101.226:2425 sz=290(+28)
> Dec 10 23:33:53 localhost last message repeated 6 times
> Dec 10 23:33:53 localhost udplog[484]: dgram to port 6970 from
> 209.67.101.226:2425 sz=300(+28)
> Dec 10 23:33:53 localhost udplog[484]: dgram to port 6970 from
> 209.67.101.226:2425 sz=290(+28)
> Dec 10 23:33:54 localhost last message repeated 6 times
> Dec 10 23:33:54 localhost udplog[484]: dgram to port 6970 from
> 209.67.101.226:2425 sz=300(+28)
> Dec 10 23:33:54 localhost udplog[484]: dgram to port 6970 from
> 209.67.101.226:2425 sz=290(+28)
> Dec 10 23:33:55 localhost last message repeated 6 times
> Dec 10 23:33:55 localhost udplog[484]: dgram to port 6970 from
> 209.67.101.226:2425 sz=300(+28)
> Dec 10 23:33:55 localhost udplog[484]: dgram to port 6970 from
> 209.67.101.226:2425 sz=290(+28)
> Dec 10 23:33:56 localhost last message repeated 6 times
> Dec 10 23:33:56 localhost udplog[484]: dgram to port 6970 from
> 209.67.101.226:2425 sz=300(+28)
> Dec 10 23:33:57 localhost udplog[484]: dgram to port 6970 from
> 209.67.101.226:2425 sz=290(+28)
> Dec 10 23:33:57 localhost last message repeated 6 times
> Dec 10 23:33:57 localhost udplog[484]: dgram to port 6970 from
> 209.67.101.226:2425 sz=300(+28)
> Dec 10 23:33:58 localhost udplog[484]: dgram to port 6970 from
> 209.67.101.226:2425 sz=290(+28)
> Dec 10 23:33:58 localhost last message repeated 6 times
> Dec 10 23:33:59 localhost udplog[484]: dgram to port 6970 from
> 209.67.101.226:2425 sz=300(+28)
> Dec 10 23:33:59 localhost udplog[484]: dgram to port 6970 from
> 209.67.101.226:2425 sz=290(+28)
> Dec 10 23:33:59 localhost last message repeated 6 times
> Dec 10 23:34:00 localhost udplog[484]: dgram to port 6970 from
> 209.67.101.226:2425 sz=300(+28)
> Dec 10 23:34:00 localhost udplog[484]: dgram to port 6970 from
> 209.67.101.226:2425 sz=290(+28)
> Dec 10 23:34:01 localhost last message repeated 6 times
> Dec 10 23:34:01 localhost udplog[484]: dgram to port 6970 from
> 209.67.101.226:2425 sz=300(+28)
> Dec 10 23:34:01 localhost udplog[484]: dgram to port 6970 from
> 209.67.101.226:2425 sz=290(+28)
> Dec 10 23:34:02 localhost last message repeated 6 times
> Dec 10 23:34:02 localhost udplog[484]: dgram to port 6970 from
> 209.67.101.226:2425 sz=300(+28)
> Dec 10 23:34:02 localhost udplog[484]: dgram to port 6970 from
> 209.67.101.226:2425 sz=290(+28)
> Dec 10 23:34:03 localhost last message repeated 6 times
> Dec 10 23:34:03 localhost udplog[484]: dgram to port 6970 from
> 209.67.101.226:2425 sz=300(+28)
> Dec 10 23:34:03 localhost udplog[484]: dgram to port 6970 from
> 209.67.101.226:2425 sz=290(+28)
> Dec 10 23:34:04 localhost last message repeated 6 times
> Dec 10 23:34:04 localhost udplog[484]: dgram to port 6970 from
> 209.67.101.226:2425 sz=300(+28)
> Dec 10 23:34:04 localhost udplog[484]: dgram to port 6970 from
> 209.67.101.226:2425 sz=290(+28)
> Dec 10 23:34:05 localhost last message repeated 6 times
> Dec 10 23:34:05 localhost udplog[484]: dgram to port 6970 from
> 209.67.101.226:2425 sz=300(+28)
> Dec 10 23:34:05 localhost udplog[484]: dgram to port 6970 from
> 209.67.101.226:2425 sz=290(+28)
> Dec 10 23:34:06 localhost last message repeated 6 times
> Dec 10 23:34:06 localhost udplog[484]: dgram to port 6970 from
> 209.67.101.226:2425 sz=300(+28)
> Dec 10 23:34:06 localhost udplog[484]: dgram to port 6970 from
> 209.67.101.226:2425 sz=290(+28)
> Dec 10 23:34:07 localhost last message repeated 6 times
> Dec 10 23:34:07 localhost udplog[484]: dgram to port 6970 from
> 209.67.101.226:2425 sz=300(+28)
> Dec 10 23:34:07 localhost udplog[484]: dgram to port 6970 from
> 209.67.101.226:2425 sz=290(+28)
> Dec 10 23:34:09 localhost udplog[484]: dgram to port 6970 from
> 209.67.101.226:2425 sz=290(+28)
> Dec 10 23:34:09 localhost icmplog[464]: 209.67.78.207: udp port is
> unreachable [dp=6772 sp=6970]
> Dec 10 23:34:09 localhost last message repeated 3 times
> Dec 10 23:34:09 localhost udplog[484]: dgram to port 6970 from
> 209.67.101.226:2425 sz=290(+28)

> Dec 16 21:53:14 localhost portsentry[700]: attackalert: Connect from
> host: c661346-a.elnsng1.mi.home.com/24.183.178.115 to TCP port: 6667
> Dec 16 21:53:14 localhost tcplog[15062]: telnet connection attempt from
> c661346-a.elnsng1.mi.home.com:1520
> Dec 16 21:53:14 localhost portsentry[700]: attackalert: Host
> 24.183.178.115 has been blocked via wrappers with string: "ALL:
> 24.183.178.115"
> Dec 16 21:53:14 localhost xinetd[15064]: Bad line received from identity
> server at 24.183.178.115: 1520
> Dec 16 21:53:14 localhost portsentry[700]: attackalert: Host
> 24.183.178.115 has been blocked via dropped route using command:
> "/sbin/route add -host 24.183.178.115 gw 127.0.0.1"

> and in /etc/hosts.deny

> ALL: 24.183.178.115
> ALL: 209.153.128.248

> What are those guys doing here? What are ports 6970 and 6667? Is 6667 an
> X server port? What do I do now?

6667 seems like an ircd port?


Have I been hacked?

Post by Davi » Tue, 19 Dec 2000 12:04:59



> Running vanilla RedHat7.0. I got something funny in /var/log/messages

--  snip--

> Dec 10 23:34:07 localhost last message repeated 6 times
> Dec 10 23:34:07 localhost udplog[484]: dgram to port 6970 from
> 209.67.101.226:2425 sz=300(+28)
> Dec 10 23:34:07 localhost udplog[484]: dgram to port 6970 from
> 209.67.101.226:2425 sz=290(+28)
> Dec 10 23:34:09 localhost udplog[484]: dgram to port 6970 from
> 209.67.101.226:2425 sz=290(+28)
> Dec 10 23:34:09 localhost icmplog[464]: 209.67.78.207: udp port is
> unreachable [dp=6772 sp=6970]
> Dec 10 23:34:09 localhost last message repeated 3 times
> Dec 10 23:34:09 localhost udplog[484]: dgram to port 6970 from
> 209.67.101.226:2425 sz=290(+28)

> Dec 16 21:53:14 localhost portsentry[700]: attackalert: Connect from
> host: c661346-a.elnsng1.mi.home.com/24.183.178.115 to TCP port: 6667
> Dec 16 21:53:14 localhost tcplog[15062]: telnet connection attempt from
> c661346-a.elnsng1.mi.home.com:1520
> Dec 16 21:53:14 localhost portsentry[700]: attackalert: Host
> 24.183.178.115 has been blocked via wrappers with string: "ALL:
> 24.183.178.115"
> Dec 16 21:53:14 localhost xinetd[15064]: Bad line received from identity
> server at 24.183.178.115: 1520
> Dec 16 21:53:14 localhost portsentry[700]: attackalert: Host
> 24.183.178.115 has been blocked via dropped route using command:
> "/sbin/route add -host 24.183.178.115 gw 127.0.0.1"

> and in /etc/hosts.deny

> ALL: 24.183.178.115
> ALL: 209.153.128.248

> What are those guys doing here? What are ports 6970 and 6667? Is 6667 an
> X server port? What do I do now?

These 2 links might help.

http://www.linuxsecurity.com/resource_files/firewalls/firewall-seen.html

http://www.isi.edu/in-notes/iana/assignments/port-numbers

--
Confucius say: He who play in root, eventually kill tree.
Registered with the Linux Counter.  http://counter.li.org
ID # 123538
Completed more W/U's than 98.899% of seti users. +/- 0.01%


Have I been hacked?

Post by Silviu Minu » Wed, 20 Dec 2000 00:39:11


Very useful links indeed!

Thanks!


> These 2 links might help.

> http://www.linuxsecurity.com/resource_files/firewalls/firewall-seen.html

> http://www.isi.edu/in-notes/iana/assignments/port-numbers

> --
> Confucius say: He who play in root, eventually kill tree.
> Registered with the Linux Counter.  http://counter.li.org
> ID # 123538
> Completed more W/U's than 98.899% of seti users. +/- 0.01%


1. Csh hacking -- having problems...

[ .globl    _newsfood, 512; ]

I'm doing a major upgrade to the Berkeley C shell (no flames, please;
I speak csh and sh fluently and have different uses for each one).  One
of the things I am implementing is a "push" builtin, which is supposed
to simply fork() and create an exact duplicate of the shell on top of itself.

In the older version of this shell (to which I have regrettably lost the
source), we used to do this for extended alterations of environment without
having to restart the damn thing (i.e. aliases and shell variables were
preserved).  It was easier than throwing it into a ( subshell ), and we
needed the interaction.

Now, never mind *why* I want to do this when there might be other solutions...
When the push command is entered, the following set of events occurs (assume
all necessary variables):

dopush()
{
    /* exitstat: the raw status word filled in by wait(), assumed declared */
    switch (fork()) {
    case -1:    /* error */
        setname("push");
        bferr("Couldn't fork!");
        return (1);
    case 0:     /* child: becomes the pushed shell */
        /* set $$ = getpid() */
        /* set process group to $$ */
        /* set tty process group to $$ */
        /* increment push level */
        return(0);
    default:    /* parent: wait for the pushed shell to exit */
        wait(&exitstat);
        /* reset process group */
        /* reset terminal process group */
        return(exitstat);
    }
}

Now, the push() occurs fine (it forks and does all the necessary stuff).
HOWEVER:  As soon as I hit an interrupt, the pushed shell prints a prompt,
exits, and the original shell prints a prompt.

The thing that's confusing is that I don't know why the pushed shell is only
catching the interrupt once and then giving up.  It seems as though the
parent shell also gets the interrupt (which I didn't think would happen if
the process group gets reset).  I thought Berkeley signal handlers reset
themselves...?

This is a Pyramid running OSx 5.0b, under the BSD universe (essentially
BSD 4.2-and-a-half).
--
thought:  I ain't so damb dumn! | Your brand new kernel just dump core on you
war: Invalid argument           | And fsck can't find root inode 2
                                | Don't worry -- be happy...
...!{ucbvax,acad,uunet,amdahl,pyramid}!unisoft!greywolf
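Added example, not from the post and not csh source: a stand-alone C version of the "push" builtin as a POSIX shell would write it today. The child gets its own process group and the terminal, and the parent ignores SIGINT and SIGQUIT while it waits, which is what interactive shells do while a foreground job runs and is the usual reason a parent shell does not also react to the ^C that ends the pushed level. The names `child_body`, `pushed_shell_body` and `demo_push` are stand-ins introduced here; `child_body` plays the part of the pushed shell's command loop and its return value becomes the child's exit status. On the question at the end of the post: the 4.2BSD `signal()` leaves a handler installed after delivery; it is the System V `signal()` that resets the handler to SIG_DFL after one catch.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical replacement for the post's dopush(): fork a copy of the
 * shell, give the child its own process group and the terminal, and keep
 * the parent from reacting to keyboard signals while it waits.
 * Returns the child's exit status, or -1 on fork/wait failure. */
int dopush(int (*child_body)(void))
{
    int tty = isatty(STDIN_FILENO);
    pid_t pid = fork();
    if (pid == -1)
        return -1;                              /* "Couldn't fork!" */

    if (pid == 0) {                             /* child: the pushed shell */
        setpgid(0, 0);                          /* process group = $$ */
        /* Default keyboard-signal behaviour for the new level. */
        signal(SIGINT, SIG_DFL);
        signal(SIGQUIT, SIG_DFL);
        signal(SIGTTOU, SIG_DFL);
        _exit(child_body() & 0xff);
    }

    /* parent: set the child's group here too (closes the race with the
     * child), then hand it the terminal while we are still foreground. */
    setpgid(pid, pid);
    if (tty)
        tcsetpgrp(STDIN_FILENO, pid);

    /* Ignore ^C / ^\ until the pushed shell exits, so a single interrupt
     * does not also make this shell print a prompt. Save the old actions. */
    struct sigaction ign, old_int, old_quit, old_ttou;
    ign.sa_handler = SIG_IGN;
    sigemptyset(&ign.sa_mask);
    ign.sa_flags = 0;
    sigaction(SIGINT, &ign, &old_int);
    sigaction(SIGQUIT, &ign, &old_quit);
    sigaction(SIGTTOU, &ign, &old_ttou);        /* needed to take the tty back */

    int status = 0;
    while (waitpid(pid, &status, 0) == -1) {
        if (errno != EINTR) { status = -1; break; }
    }

    if (tty)
        tcsetpgrp(STDIN_FILENO, getpgrp());     /* reset terminal process group */
    sigaction(SIGINT, &old_int, NULL);
    sigaction(SIGQUIT, &old_quit, NULL);
    sigaction(SIGTTOU, &old_ttou, NULL);

    if (status == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);                 /* exit code, not the raw status word */
}

/* Stand-in for the pushed shell's command loop: exits with status 3. */
static int pushed_shell_body(void) { return 3; }

int demo_push(void) { return dopush(pushed_shell_body); }

int main(void)
{
    int rc = demo_push();
    printf("pushed shell exited with %d\n", rc);
    return rc == 3 ? 0 : 1;
}
```

Two details differ from the post's sketch: the parent returns `WEXITSTATUS(status)` rather than the raw word `wait()` fills in, and the parent ignores SIGTTOU before calling `tcsetpgrp()` to take the terminal back, since at that point it is no longer the foreground process group and would otherwise be stopped.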
