> 203.9.252.16 seems to be the FTP site of a development organization called
> Program Development Systems in Greenborough, Australia. Their web site
> (www.pds.com.au) seems to be down right now, but they've got a piece called
> IP*Vision which seems to scan the services on machines on a network to
> graphically chart them and alert for failures. What you might be seeing is
> an overzealous IP*Vision at work. Malicious or not, I couldn't say...
Hmm, that reminds me of something I just read in the IAP report on Security
Focus... BTW, have you checked the CRC/hashes on your binaries?
( http://www.securityfocus.com/templates/forum-latest.html?forum=2 )
Quote:
"Friday, our Japanese participants discover that a computer on their
company network has been cracked into, one very secure Linux box running
only SSH and Apache 1.3.4. Now this would definitely send a chill up your
spine if you knew just how fanatic our friends are when it comes to
network security. Furthermore, they only detected the intrusion three days
after the fact, which is unbelievable when you consider the insane
monitoring levels they've been keeping since they agreed to
participate in the scan. They would have noticed any funny stuff, and in
fact, they did, lots of it, but none of which came close enough to a
security breach to raise any alarms.
Readers should also note how although a key binary in the cracked machine
had been modified, tripwire and an assortment of other booby traps failed
to detect this had happened. Even a close-up manual inspection (comparing
file contents with a trusted backup, playing with its name) could not
detect any odd behavior. This trick, and others equally spooky were
achieved by clever manipulation of the OS's kernel code (dynamically,
through a module).
Other characteristics of the attack which make it so eerily
sophisticated:
1. The attacker (convincingly) masquerades as a local employee.
The attacker knows the employee's username and password and is even
connecting through the employee's Japanese ISP on the employee's
account! (the phone company identified this was an untraceable
overseas caller)
This information could not have been sniffed, since network services are
only provided over encrypted SSH sessions.
Further investigation shows that this employee's personal NT box,
connected over a dynamic dialup connection, had been cracked into 4 days
earlier.
His ssh client (TTSSH extension to TeraTerm) had been trojaned to
transmit XOR garbled account information (hostname/username/password)
over pseudo-DNS udp packets to a refurbished i486 Redhat v4.2 box used as
a single-purpose cheap Samba fileserver in a small Australian ISP.
The little box was every cracker's dream, a discrete, utopian crack haven,
installed by a former Linux-savvy administrator, the last of its kind in
a homogeneous Unix-illiterate Microsoft environment. The ISP practically
ignored the box, which was running (up 270 days straight) so reliably none
of them had even bothered to log in since mid 1997! So as long as the
crackers kept Samba running, they would have the box completely to
themselves..."
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
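An added example, not code from the original post or from the IAP report it quotes: the beacon the report describes (account details XOR-garbled and carried in DNS-shaped UDP packets) is the kind of traffic a defender can catch by asking whether what arrives on UDP/53 is grammatically DNS at all. The script below constructs such a beacon under assumptions the report does not state (a single-byte XOR key, fields joined with "/", the blob riding as one question label), runs a few RFC 1035 sanity checks over it and over a benign query for comparison, and brute-forces the key by looking for a decoding that reads as host/user/password. The hostname, username and password are made up.

```python
"""Heuristic detector for a pseudo-DNS credential beacon.

Added example, not from the original post or the quoted report. The
beacon layout (one-byte XOR key, "host/user/pass" joined with "/",
carried as a single question label) is an assumption; the report gives
no wire-level details.
"""
import struct

# Letters, digits, hyphen (plus underscore for SRV-style names): what a
# real question label is made of.
LDH = frozenset(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_")
# Characters expected in a decoded "host/user/pass" string (assumed).
CRED_CHARS = frozenset(b"abcdefghijklmnopqrstuvwxyz0123456789./-")

# Constructed sample, not a real host or account.
SAMPLE_CREDS = b"jp-gateway.example.co.jp/tanaka/hunter2"
SAMPLE_KEY = 0x5A


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def dns_header(txid: int = 0x1234) -> bytes:
    # id, flags (standard query, RD set), qdcount=1, an/ns/ar = 0
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)


def build_query(name: str) -> bytes:
    """A well-formed A/IN query, used as the benign control sample."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return dns_header() + qname + b"\x00" + struct.pack("!HH", 1, 1)


def build_beacon(creds: bytes = SAMPLE_CREDS, key: int = SAMPLE_KEY) -> bytes:
    """Mimic the assumed trojan: the garbled blob rides as one question label."""
    blob = xor_bytes(creds, key)
    return dns_header() + bytes([len(blob)]) + blob + b"\x00" + struct.pack("!HH", 1, 1)


def parse_question_name(payload: bytes, off: int):
    """Walk the QNAME labels; raise on anything RFC 1035 forbids there."""
    labels = []
    while True:
        if off >= len(payload):
            raise ValueError("truncated name")
        n = payload[off]
        off += 1
        if n == 0:
            return labels, off
        if n & 0xC0 == 0xC0:
            raise ValueError("compression pointer in question name")
        if n > 63:  # 0x40/0x80 label types are reserved, so any n > 63 is bogus
            raise ValueError("label longer than 63 bytes")
        labels.append(payload[off:off + n])
        off += n


def suspicious(payload: bytes) -> list:
    """Return the reasons a UDP/53 payload does not look like an ordinary query."""
    reasons = []
    if len(payload) < 12:
        return ["shorter than a DNS header"]
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    if (flags >> 11) & 0xF not in (0, 1, 2):
        reasons.append("non-standard opcode")
    if qd != 1 or an or ns:
        reasons.append("unusual section counts for a query")
    try:
        labels, off = parse_question_name(payload, 12)
    except ValueError as e:
        return reasons + [str(e)]
    if any(b not in LDH for lab in labels for b in lab):
        reasons.append("non-hostname bytes in label")
    remaining = len(payload) - off
    if remaining < 4:
        reasons.append("truncated question")
    elif remaining > 4 and not ar:  # an OPT record (ar > 0) may legitimately follow
        reasons.append("trailing bytes after question")
    return reasons


def recover_xor_key(blob: bytes) -> list:
    """Brute-force a one-byte key; keep decodings that look like host/user/pass."""
    hits = []
    for key in range(256):
        plain = xor_bytes(blob, key)
        if all(b in CRED_CHARS for b in plain) and plain.count(b"/") == 2:
            hits.append((key, plain))
    return hits


if __name__ == "__main__":
    for name, pkt in (("benign", build_query("www.example.com")),
                      ("beacon", build_beacon())):
        print(name, suspicious(pkt) or "looks like a normal query")
    beacon_labels, _ = parse_question_name(build_beacon(), 12)
    print(recover_xor_key(beacon_labels[0]))
```

These checks only catch a channel as naive as the one assumed here; a beacon that encodes its payload as valid base32 labels under a domain the attacker controls passes every one of them, which is why the report's other lesson matters: integrity checks run from inside a kernel the intruder has modified cannot be trusted either, so both the host and the wire need a vantage point the attacker does not control.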