These hackers mean business. The suspicious DALnet server on 64.35.57.81:6667 turns out to be a DALnet imposter. I only picked this up when noticing brief modem activity (when there should have been none) and took a look at tcpdump, and started doing nslookups on various hosts to add to my firewall deny rules:
[root@f1 05:24:06 /]# nslookup preschool.shacknet.nu ns4.pacific.net.au.
Server:         ns4.pacific.net.au.
Address:        61.8.0.113#53

Name:   preschool.shacknet.nu
Address: 64.35.57.81

So the real DALnet server is:

[root@f1 05:25:01 /]# nslookup jade.va.us.dal.net ns4.pacific.net.au.
Server:         ns4.pacific.net.au.
Address:        61.8.0.113#53

Name:   jade.va.us.dal.net
Address: 199.184.165.134

DALnet Imposter IRCd:
==================================================
[04:43] * Connecting to 64.35.57.81 (6667)
- [04:43] -jade.va.us.dal.net- *** Looking up your hostname...
- [04:43] -jade.va.us.dal.net- *** Found your hostname (cached)
- [04:43] -jade.va.us.dal.net- *** Checking ident...
- [04:43] -jade.va.us.dal.net- *** No ident response; username prefixed with ~
- Welcome to the none IRC Network guest_!~[EMAIL PROTECTED]
Your host is jade.va.us.dal.net, running version Unreal3.2-Selene[beta12]
This server was created Thu Nov 21 2002 at 04:24:17 EST
jade.va.us.dal.net Unreal3.2-Selene[beta12] iowghraAsORVSxNCWqBzvdHtG lvhopsmntikrRcaqOALQbSeKVfHGCuzN
MAP KNOCK SAFELIST HCN MAXCHANNELS=10 MAXBANS=60 NICKLEN=30 TOPICLEN=307 KICKLEN=307 MAXTARGETS=20 AWAYLEN=307 are supported by this server
WALLCHOPS WATCH=128 SILENCE=5 MODES=13 CHANTYPES=# PREFIX=(ohv)@%+ CHANMODES=ohvbeqa,kfL,l,psmntirRcOAQKVHGCuzN NETWORK=none are supported by this server
- There are 154 users and 7 invisible on 1 servers
4 channels formed
I have 161 clients and 0 servers
- Current Local Users: 161  Max: 169
- Local host: ppp227.adsl95.pacific.net.au (202.7.95.227)
- Current Global Users: 161  Max: 169
- MOTD File is missing
- [04:43] * guest_ sets mode: +wx
- guest_ SILENCE +*!*@*
-
==================================================

Real DALnet server IRCd:
==================================================
[04:44] * Connecting to jade.va.us.dal.net (6667)
- [04:44] -jade.va.us.dal.net- *** Looking up your hostname...
- [04:44] -jade.va.us.dal.net- *** Checking Ident
- [04:44] -jade.va.us.dal.net- *** No Ident response
- [04:44] -jade.va.us.dal.net- *** Found your hostname
- Welcome to the DALnet IRC Network guest_!~[EMAIL PROTECTED]
Your host is jade.va.us.dal.net[@0.0.0.0], running version bahamut-1.4(35)
This server was created Tue Nov 19 2002 at 15:21:32 EST
jade.va.us.dal.net bahamut-1.4(35) oOiwscrkKnfydaAbgheFxXj biklLmMnoprRstvc
NOQUIT WATCH=128 SAFELIST MODES=6 MAXCHANNELS=10 MAXBANS=100 NICKLEN=30 TOPICLEN=307 KICKLEN=307 CHANTYPES=# PREFIX=(ov)@+ NETWORK=DALnet SILENCE=10 CASEMAPPING=ascii CHANMODES=b,k,l,ciLmMnOprRst are available on this server
- There are 6 users and 727 invisible on 1 servers
1 IRC Operators online
1354 channels formed
I have 733 clients and 0 servers
- Current local users: 733  Max: 6007
- Local host: ppp227.adsl95.pacific.net.au (202.7.95.227)
- Current global users: 733  Max: 121632
- [04:44] -jade.va.us.dal.net- *** Notice -- motd was last changed at 25/6/2002 17:41
- [04:44] -jade.va.us.dal.net- *** Notice -- Please read the motd if you haven't read it
- Message of the Day, jade.va.us.dal.net
-
- ** This is the SHORT motd **
- For the full motd, type /motd
-
- Access to this server and network is a privledge,
- not a right. We reseve the right to deny access
- to this server without warning or explanation.
-
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
- By connecting to this server you agree to be bound
- by the terms put forth in DALnet's Acceptable Use
- Policy (http://www.dal.net/aup/)
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-
- By connecting, you agree to these and all terms of service.
End of /MOTD command.
- [04:44] -jade.va.us.dal.net- *** Notice -- This server runs an open proxy monitor to prevent abuse.
- [04:44] -jade.va.us.dal.net- *** Notice -- If you see connections on various ports from proxy8.monitor.dal.net
- [04:44] -jade.va.us.dal.net- *** Notice -- please disregard them, as they are the monitor in action.
- [04:44] -jade.va.us.dal.net- *** Notice -- For more information please visit http://kline.dal.net/proxy
- [04:44] * guest_ sets mode: +i
- guest_ SILENCE +*!*@*
-
==================================================

Possible locally generated traffic by automated scanner/worm, processing netblocks/name-based target lists. Notice preschool.shacknet.nu (64.35.57.81) is among the output:

04:41:57.301119 202.7.95.227.2592 > 61.8.0.113.domain: 62870+ A? preschool.shacknet.nu. (39) (DF)

... my box is likely compromised and is making nslookups to the same hosts at odd hours of the day:

==================================================
04:41:17.421119 202.7.95.227.2592 > 61.8.0.113.domain: 62857+ A? www1.fscking.com. (34) (DF)
04:41:17.451119 61.8.0.113.domain > 202.7.95.227.2592: 62857 NXDomain 0/1/0 (92)
04:41:17.451119 202.7.95.227.2592 > 61.8.0.113.domain: 62858+ A? www1.fscking.com.fnet.home. (44) (DF)
04:41:17.491119 61.8.0.113.domain > 202.7.95.227.2592: 62858 NXDomain 0/1/0 (119)
04:41:17.491119 202.7.95.227.2592 > 61.8.0.113.domain: 62859+ A? www1.fscking.com.orin.home. (44) (DF)
04:41:17.531119 61.8.0.113.domain > 202.7.95.227.2592: 62859 NXDomain 0/1/0 (119)
04:41:17.531119 202.7.95.227.2592 > 61.8.0.113.domain: 62860+ A? mail1.3lefties.com. (36) (DF)
04:41:17.571119 61.8.0.113.domain > 202.7.95.227.2592: 62860 NXDomain 0/1/0 (84)
04:41:17.571119 202.7.95.227.2592 > 61.8.0.113.domain: 62861+ A? mail1.3lefties.com.fnet.home. (46) (DF)
04:41:17.611119 61.8.0.113.domain > 202.7.95.227.2592: 62861 NXDomain 0/1/0 (121)
04:41:17.611119 202.7.95.227.2592 > 61.8.0.113.domain: 62862+ A? mail1.3lefties.com.orin.home. (46) (DF)
04:41:17.651119 61.8.0.113.domain > 202.7.95.227.2592: 62862 NXDomain 0/1/0 (121)
04:41:17.651119 202.7.95.227.2592 > 61.8.0.113.domain: 62863+ A? the.city.ro. (29) (DF)
04:41:17.691119 61.8.0.113.domain > 202.7.95.227.2592: 62863 1/2/2 A 66.70.11.90 (122)
04:41:23.661119 202.7.95.227.4156 > 202.239.76.249.4156: udp 28 (DF)
04:41:27.791119 202.7.95.227.2592 > 61.8.0.113.domain: 62864+ A? www1.fscking.com. (34) (DF)
04:41:27.831119 61.8.0.113.domain > 202.7.95.227.2592: 62864 NXDomain 0/1/0 (92)
04:41:27.831119 202.7.95.227.2592 > 61.8.0.113.domain: 62865+ A? www1.fscking.com.fnet.home. (44) (DF)
04:41:27.881119 61.8.0.113.domain > 202.7.95.227.2592: 62865 NXDomain 0/1/0 (119)
04:41:27.881119 202.7.95.227.2592 > 61.8.0.113.domain: 62866+ A? www1.fscking.com.orin.home. (44) (DF)
04:41:27.921119 61.8.0.113.domain > 202.7.95.227.2592: 62866 NXDomain 0/1/0 (119)
04:41:27.921119 202.7.95.227.2592 > 61.8.0.113.domain: 62867+ A? x.x.ro. (24) (DF)
04:41:27.951119 61.8.0.113.domain > 202.7.95.227.2592: 62867 2/2/2 A 64.35.107.95, A 64.224.118.115 (133)
04:41:31.011119 202.7.95.227 > 129.125.6.242: icmp: echo reply (DF)
04:41:31.661119 202.7.95.227.4156 > 202.239.76.249.4156: udp 28 (DF)
04:41:37.041119 202.7.95.227.2592 > 61.8.0.113.domain: 62868+ A? c.c.ro. (24) (DF)
04:41:37.071119 61.8.0.113.domain > 202.7.95.227.2592: 62868 2/2/2 A 64.224.118.115, A 64.35.107.95 (133)
04:41:41.011119 202.7.95.227 > 129.125.6.242: icmp: echo reply (DF)
04:41:41.211119 202.7.95.227.64775 > 205.188.9.158.11952: P 414:420(6) ack 1093 win 8656 (DF)
04:41:41.681119 205.188.9.158.11952 > 192.168.0.8.1054: . ack 421 win 16384 (DF)
04:41:47.171119 202.7.95.227.2592 > 61.8.0.113.domain: 62869+ A? c.c.ro. (24) (DF)
04:41:47.201119 61.8.0.113.domain > 202.7.95.227.2592: 62869 2/2/2 A 64.35.107.95, A 64.224.118.115 (133)
04:41:57.301119 202.7.95.227.2592 > 61.8.0.113.domain: 62870+ A? preschool.shacknet.nu. (39) (DF)
04:41:57.571119 61.8.0.113.domain > 202.7.95.227.2592: 62870* 1/5/5 A 64.35.57.81 (235)
04:41:59.661119 202.7.95.227.4156 > 202.239.76.249.4156: udp 28 (DF)
04:42:07.011119 202.7.95.227 > 129.125.6.242: icmp: echo reply (DF)
04:42:07.661119 202.7.95.227.4156 > 202.239.76.249.4156: udp 28 (DF)
04:42:07.671119 202.7.95.227.2592 > 61.8.0.113.domain: 62871+ A? 2krad.busitec.jp. (34) (DF)
04:42:07.711119 61.8.0.113.domain > 202.7.95.227.2592: 62871 NXDomain 0/1/0 (96)
04:42:07.711119 202.7.95.227.2592 > 61.8.0.113.domain: 62872+ A? 2krad.busitec.jp.fnet.home. (44) (DF)
04:42:07.761119 61.8.0.113.domain > 202.7.95.227.2592: 62872 NXDomain 0/1/0 (119)
04:42:07.761119 202.7.95.227.2592 > 61.8.0.113.domain: 62873+ A? 2krad.busitec.jp.orin.home. (44) (DF)
04:42:07.801119 61.8.0.113.domain > 202.7.95.227.2592: 62873 NXDomain 0/1/0 (119)
04:42:07.801119 202.7.95.227.2592 > 61.8.0.113.domain: 62874+ A? c.c.ro. (24) (DF)
04:42:07.831119 61.8.0.113.domain > 202.7.95.227.2592: 62874 2/2/2 A 64.35.107.95, A 64.224.118.115 (133)
==================================================

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Howard Lowndes
Sent: Friday, 29 November 2002 17:35
To: Minh Van Le
Cc: [EMAIL PROTECTED]
Subject: Re: [SLUG] Suscpicious IRCd connections

Would you be running openSSL or secure apache on this machine by any chance?

Does netstat -pant | grep 443 give anything? Also netstat -pant | grep 6667 will tell you what process is connecting and the name of the running process; then do a find for that name, you might find it in /tmp or /var/www somewhere.

On Fri, 29 Nov 2002, Minh Van Le wrote:

> I've noticed the following ircd connections in tcpdump, and wondered why my
> box was communicating to an IRC server (and vice versa). When I use an IRC
> client to connect to 64.35.57.81:6667, I log on to a jade.va.us.dal.net
> server. So I check for the existence of jade.va.us.dal.net at
> http://www.irchelp.org/irchelp/networks/servers/dalnet.html and it's there.
>
> -----
> 14:59:57.971119 64.35.57.81.ircd > 202.7.95.227.2916: P 841:867(26) ack 701 win 7060 <nop,nop,timestamp 3640386803 26431156> (DF)
> 14:59:57.971119 202.7.95.227.2916 > 64.35.57.81.ircd: P 701:726(25) ack 867 win 10300 <nop,nop,timestamp 26441096 3640386803> (DF)
> 14:59:58.281119 64.35.57.81.ircd > 202.7.95.227.2916: . ack 726 win 7060 <nop,nop,timestamp 3640386834 26441096> (DF)
> 15:00:27.421119 202.7.95.227.64623 > 205.188.9.159.11952: P 3870:3876(6) ack 6100 win 9089 (DF)
> 15:00:27.901119 205.188.9.159.11952 > 192.168.0.8.4955: . ack 3877 win 16384 (DF)
> 15:01:38.181119 64.35.57.81.ircd > 202.7.95.227.2916: P 867:893(26) ack 726 win 7060 <nop,nop,timestamp 3640396825 26441096> (DF)
> 15:01:38.181119 202.7.95.227.2916 > 64.35.57.81.ircd: P 726:751(25) ack 893 win 10300 <nop,nop,timestamp 26451117 3640396825> (DF)
> 15:01:38.721119 202.7.95.227.2916 > 64.35.57.81.ircd: P 726:751(25) ack 893 win 10300 <nop,nop,timestamp 26451171 3640396825> (DF)
> 15:01:39.001119 64.35.57.81.ircd > 202.7.95.227.2916: . ack 751 win 7060 <nop,nop,timestamp 3640396907 26451171> (DF)
> -----

--
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
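The triage done by hand in the thread above (pulling the A? lookups out of tcpdump output, noticing the same names being re-resolved in the early hours, turning the answers into firewall deny rules, and comparing the two servers' banners) can be scripted. The following is an added example and not code from the thread or from any of the posters; the sample tcpdump and banner lines are a constructed subset of what the post quotes, and the iptables rule format, the quiet-hours window and every function name are assumptions.

```python
import re
from collections import Counter, defaultdict

# Added example, not from the mailing-list thread. Function names, the iptables
# rule format and the quiet-hours window are assumptions.
# Constructed sample: a subset of the tcpdump lines quoted in the post.
SAMPLE_TCPDUMP = """\
04:41:17.421119 202.7.95.227.2592 > 61.8.0.113.domain: 62857+ A? www1.fscking.com. (34) (DF)
04:41:17.451119 61.8.0.113.domain > 202.7.95.227.2592: 62857 NXDomain 0/1/0 (92)
04:41:17.651119 202.7.95.227.2592 > 61.8.0.113.domain: 62863+ A? the.city.ro. (29) (DF)
04:41:17.691119 61.8.0.113.domain > 202.7.95.227.2592: 62863 1/2/2 A 66.70.11.90 (122)
04:41:31.011119 202.7.95.227 > 129.125.6.242: icmp: echo reply (DF)
04:41:37.041119 202.7.95.227.2592 > 61.8.0.113.domain: 62868+ A? c.c.ro. (24) (DF)
04:41:37.071119 61.8.0.113.domain > 202.7.95.227.2592: 62868 2/2/2 A 64.224.118.115, A 64.35.107.95 (133)
04:41:47.171119 202.7.95.227.2592 > 61.8.0.113.domain: 62869+ A? c.c.ro. (24) (DF)
04:41:47.201119 61.8.0.113.domain > 202.7.95.227.2592: 62869 2/2/2 A 64.35.107.95, A 64.224.118.115 (133)
04:41:57.301119 202.7.95.227.2592 > 61.8.0.113.domain: 62870+ A? preschool.shacknet.nu. (39) (DF)
04:41:57.571119 61.8.0.113.domain > 202.7.95.227.2592: 62870* 1/5/5 A 64.35.57.81 (235)
04:42:07.801119 202.7.95.227.2592 > 61.8.0.113.domain: 62874+ A? c.c.ro. (24) (DF)
04:42:07.831119 61.8.0.113.domain > 202.7.95.227.2592: 62874 2/2/2 A 64.35.107.95, A 64.224.118.115 (133)
"""

# Constructed excerpts of the two connection banners quoted in the post.
IMPOSTER_BANNER = [
    "Your host is jade.va.us.dal.net, running version Unreal3.2-Selene[beta12]",
    "WALLCHOPS WATCH=128 SILENCE=5 MODES=13 PREFIX=(ohv)@%+ NETWORK=none are supported by this server",
]
REAL_BANNER = [
    "Your host is jade.va.us.dal.net[@0.0.0.0], running version bahamut-1.4(35)",
    "NOQUIT WATCH=128 SAFELIST MODES=6 PREFIX=(ov)@+ NETWORK=DALnet SILENCE=10 are available on this server",
]

# Query line: "<time> <src> > <resolver>.domain: <txid>+ A? <name>. (<len>) (DF)"
QUERY_RE = re.compile(r"^(\d\d:\d\d:\d\d)\.\d+ \S+ > \S+\.domain: (\d+)\+ A\? (\S+?)\.? \(")
# Reply line: "<time> <resolver>.domain > <src>: <txid>[*] <NXDomain|a/n/a> [A ip, ...] (<len>)"
ANSWER_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+ \S+\.domain > \S+: (\d+)\*? ")
A_RECORD_RE = re.compile(r"\bA (\d{1,3}(?:\.\d{1,3}){3})")
VERSION_RE = re.compile(r"running version (\S+)")
NETWORK_RE = re.compile(r"\bNETWORK=(\S+)")


def parse_dns(text):
    """Pair each outbound A? query with its reply by transaction id; non-DNS lines are skipped."""
    pending, records = {}, []
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            time, txid, qname = m.groups()
            rec = {"time": time, "qname": qname, "answers": []}  # answers stay [] on NXDomain
            pending[txid] = rec
            records.append(rec)
            continue
        m = ANSWER_RE.match(line)
        if m and m.group(1) in pending:
            pending.pop(m.group(1))["answers"] = A_RECORD_RE.findall(line)
    return records


def resolved_hosts(records):
    """Map every name that resolved to the set of addresses it returned."""
    hosts = defaultdict(set)
    for rec in records:
        if rec["answers"]:
            hosts[rec["qname"]].update(rec["answers"])
    return dict(hosts)


def repeated_queries(records, min_count=2):
    """Names looked up at least min_count times: a bot re-resolving its server list."""
    counts = Counter(rec["qname"] for rec in records)
    return {name: n for name, n in counts.items() if n >= min_count}


def in_quiet_hours(time_str, quiet=(0, 6)):
    """True when an HH:MM:SS timestamp falls in the assumed no-traffic window."""
    hour = int(time_str.split(":")[0])
    return quiet[0] <= hour < quiet[1]


def deny_rules(records, chain="OUTPUT"):
    """Assumed iptables format: one DROP per resolved address, in numeric order."""
    ips = {ip for rec in records for ip in rec["answers"]}
    ordered = sorted(ips, key=lambda ip: tuple(int(o) for o in ip.split(".")))
    return [f"iptables -A {chain} -d {ip} -j DROP" for ip in ordered]


def ircd_fingerprint(banner_lines):
    """Pull the ircd version (002 numeric) and NETWORK= token (005 numeric) from a banner."""
    fp = {"version": None, "network": None}
    for line in banner_lines:
        if (m := VERSION_RE.search(line)):
            fp["version"] = m.group(1)
        if (m := NETWORK_RE.search(line)):
            fp["network"] = m.group(1)
    return fp


def looks_like_imposter(banner_lines, expected_network="DALnet"):
    """A server named after a known network whose own NETWORK= token disagrees."""
    return ircd_fingerprint(banner_lines)["network"] != expected_network


if __name__ == "__main__":
    recs = parse_dns(SAMPLE_TCPDUMP)
    print("resolved:", resolved_hosts(recs), "repeated:", repeated_queries(recs))
    print("quiet-hour lookups:", sum(in_quiet_hours(r["time"]) for r in recs), "of", len(recs))
    print("\n".join(deny_rules(recs)))
    print("imposter:", looks_like_imposter(IMPOSTER_BANNER), "real:", looks_like_imposter(REAL_BANNER))
```

Run against a full capture (`tcpdump -n -l port 53 | python3 triage.py` after swapping the sample for stdin) the same functions list which names the box keeps re-resolving, how many of those lookups fall outside hours when anyone was at the keyboard, and the addresses to block. The banner check only tests the one discrepancy visible in the post, a server that calls itself jade.va.us.dal.net yet reports NETWORK=none and a different ircd; it is a cheap sanity check, not proof of legitimacy, since a careful imposter could copy the real tokens.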
