On Thu, 2 Dec 1999, Shu Xiao wrote:
> Now we have to recover the binary code with clean copies from the
> other machine having same RH 6.0, and telnet works now.
Save your non-executable files on some other box, re-format and reinstall the
compromised box, change passwords everywhere -- otherwise you wouldn't be able
to tell if it still has backdoors installed, or that passwords were sniffed.
> I also telneted
> to 210.114.231.130. Surprisingly, it gave me a prompt like 'Wingate>', after
> I entered some host name, it then tried to connect me to that machine.
> It seems that it can masquerade the hacker behind. Where is 210.114.231.130?
210.114.231.130 is ns.samsan.com, but reverse DNS is broken on
ns3.shinbiro.com and ns2.shinbiro.com, so it doesn't resolve back. However it
is registered in whois database as a nameserver for samsan.com domain.
That host:
1. Is a Windows box.
2. Is a primary nameserver for samsan.com and secondary nameserver for
samsan.co.kr.
3. Runs an unrestricted wingate proxy.
4. Runs IMS SMTP and POP3 services, SMTP server is configured as an
unrestricted relay.
5. samsan.com has no MX or A record pointing there or anywhere else.
6. samsan.co.kr has no MX record yet has A record pointing to the same host.
Whois record for the samsan.com domain is:
---8<---
Registrant:
Samsan Corporatopn (SAMSAN2-DOM)
Samsan Bldg., 506-7, Amsa-dong,
Kangdong-ku,
seoul, Seoul 134-050
KR
Domain Name: SAMSAN.COM
Administrative Contact, Technical Contact, Zone Contact:
Kim, Gwansick (GK1104) [EMAIL PROTECTED]
+82-2-3427-3672 (FAX) +82-2-3427-3671
Billing Contact:
Kim, Gwansick (GK1105) [EMAIL PROTECTED]
+82-2-3427-3672 (FAX) +82-2-3427-3671
Record last updated on 01-Aug-1999.
Record created on 04-Mar-1997.
Database last updated on 2-Dec-1999 12:28:08 EST.
Domain servers in listed order:
NS.SAMSAN.COM 210.114.231.130
HICON.HYUNDAI.NET 203.251.201.1
--->8---
Address [EMAIL PROTECTED] does not work (obviously because MX record is
missing).
At the same time 210.114.231.130 is a secondary nameserver for SAMSAN.CO.KR,
a domain that still has no MX record, yet has an A record pointing to the same
box, so [EMAIL PROTECTED] does work and actually sends mail to the same box --
this is why it is running an SMTP server.
This kind of configuration means that its sysadmin (most likely Gwansick Kim)
is too stupid to be of any help to you or anyone else but people who used his
wingate proxy to hide their IP address, or possibly spammers who can use his
SMTP server as a relay.
> Any people for suggestion and comment? I still don't know how this guy
> first access into our system. We have strict account administration. Where can
> I find more about Linux security? Thanks in advance.
First, if you use Red Hat you should look at the security updates in the "Errata"
section of the Red Hat site. Second, you need to study Unix security and system
administration; however, I can't recommend any particular book on it. Third, it
is always a good idea to subscribe to security mailing lists -- in the case of
Linux these are [EMAIL PROTECTED] (Linux-specific) and
[EMAIL PROTECTED] (general, more informative).
Also see archives at http://www2.merton.ox.ac.uk/~security/
--
Alex
----------------------------------------------------------------------
Excellent.. now give users the option to cut your hair you hippie!
-- Anonymous Coward
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]
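Two of the checks Alex describes above (a telnet port that answers with a WinGate prompt, and an SMTP server that relays for domains it does not host) are easy to script. The following is an added example, not code from the original post or from any of the products named in it. The SMTP dialogue is written against a minimal connection interface so it can be exercised offline with a constructed fake server; `LiveConn` wraps a real socket for use against an actual host. All hostnames, addresses and banners in it are constructed for illustration, and the fake server's policy (accept only `samsan.co.kr` unless configured as an open relay) is an assumption made for the demonstration.

```python
"""Added example: WinGate banner classification and an SMTP open-relay probe.
Not part of the original linux-net post. Names and banners are constructed."""
import socket

WINGATE_PROMPT = b"WinGate>"


def classify_banner(banner: bytes) -> str:
    """Label a telnet-port banner. Only the WinGate prompt is a positive
    indicator of a proxy; everything else just says something answered."""
    if WINGATE_PROMPT in banner:
        return "wingate-proxy-prompt"
    if banner.startswith(b"\xff"):       # telnet IAC negotiation = a real telnetd
        return "telnet-negotiation"
    if banner.strip() == b"":
        return "silent"
    return "other"


class LiveConn:
    """Line-oriented wrapper over a real TCP socket (assumed blocking, IPv4)."""
    def __init__(self, host: str, port: int, timeout: float = 10.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.buf = b""

    def readline(self) -> bytes:
        while b"\n" not in self.buf:
            chunk = self.sock.recv(4096)
            if not chunk:
                break
            self.buf += chunk
        line, _, self.buf = self.buf.partition(b"\n")
        return line + b"\n"

    def sendall(self, data: bytes) -> None:
        self.sock.sendall(data)

    def close(self) -> None:
        self.sock.close()


class FakeSMTPConn:
    """Constructed stand-in for an SMTP server. `local_domains` are the domains
    it is entitled to accept mail for; an open relay accepts any RCPT TO."""
    def __init__(self, open_relay: bool, local_domains=("samsan.co.kr",)):
        self.open_relay = open_relay
        self.local_domains = tuple(d.lower() for d in local_domains)
        self.queue = [b"220 mail.example.invalid SMTP ready\r\n"]  # greeting

    def sendall(self, data: bytes) -> None:
        cmd = data.decode("ascii", "replace").strip()
        verb = cmd.split(":", 1)[0].split(" ", 1)[0].upper()
        if verb in ("HELO", "EHLO", "MAIL", "RSET"):
            self.queue.append(b"250 OK\r\n")
        elif verb == "RCPT":
            addr = cmd.split(":", 1)[1].strip().strip("<>")
            domain = addr.rsplit("@", 1)[-1].lower()
            ok = self.open_relay or domain in self.local_domains
            self.queue.append(b"250 OK\r\n" if ok else b"550 relaying denied\r\n")
        elif verb == "QUIT":
            self.queue.append(b"221 bye\r\n")
        else:
            self.queue.append(b"500 unknown command\r\n")

    def readline(self) -> bytes:
        return self.queue.pop(0)

    def close(self) -> None:
        pass


def read_reply(conn) -> int:
    """Read one (possibly multi-line) SMTP reply and return its 3-digit code."""
    while True:
        line = conn.readline()
        if len(line) < 4 or line[3:4] != b"-":   # '250-' continues, '250 ' ends
            return int(line[:3])


def smtp_relay_test(conn, helo: str, sender: str, rcpt: str) -> bool:
    """True if the server accepts RCPT TO:<rcpt> from an outside sender.
    RSET is sent before QUIT so no message is ever queued."""
    accepted = False
    try:
        if read_reply(conn) != 220:
            return False
        for cmd in (f"HELO {helo}", f"MAIL FROM:<{sender}>"):
            conn.sendall(cmd.encode() + b"\r\n")
            if read_reply(conn) // 100 != 2:
                return False
        conn.sendall(f"RCPT TO:<{rcpt}>".encode() + b"\r\n")
        accepted = read_reply(conn) // 100 == 2
        conn.sendall(b"RSET\r\n"); read_reply(conn)
        conn.sendall(b"QUIT\r\n"); read_reply(conn)
    finally:
        conn.close()
    return accepted


if __name__ == "__main__":
    # Offline demonstration against the constructed fake servers.
    for open_relay in (True, False):
        hit = smtp_relay_test(FakeSMTPConn(open_relay), "probe.example.invalid",
                              "probe@example.invalid", "victim@example.net")
        print("open_relay =", open_relay, "-> external RCPT accepted:", hit)
    print(classify_banner(b"WinGate>"))
```

Against a real host, replace the fake with `LiveConn(host, 25)` for the relay test and read the first line from `LiveConn(host, 23)` for `classify_banner`; the relay probe is deliberately limited to a single RCPT TO followed by RSET, which is the same sequence the public relay-test services of the period used, so it cannot leave a message in the target's queue.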