---------- Forwarded message ----------
Date: Wed, 26 Jan 2000 11:35:30 PST
From: Voradesh Yenbut <yenbut@cs.washington.edu>
To: cardwell@cs.washington.edu
Cc: robs@cs.washington.edu
Subject: Potential compromise of detour
Detour is on the list of "Potential compromise of 19 UW systems"
sent out by C&C below. Could you please check detour?
Hostname Model Loc Oper_System Admin Users Function
detour PII/400 328c Linux 2.0.x cardwe detour compute s
------- Forwarded Message
Date: Wed, 26 Jan 2000 10:51:36 -0800 (PST)
From: Dave Dittrich <dittrich@cac.washington.edu>
To: aldrich@u.washington.edu, andexler@u.washington.edu,
belonis@phys.washington.edu, bge@u.washington.edu,
blanchette@cheme.washington.edu, burr@cs.washington.edu,
dana@geophys.washington.edu, emuller@u.washington.edu,
ganter@u.washington.edu, gjt@u.washington.edu,
hal@cellworks.mbt.washington.edu, harry@atmos.washington.edu,
help@ee.washington.edu, help@me.washington.edu,
hubley@u.washington.edu, jedlow@phys.washington.edu,
joel@its.washington.edu, ken@cac.washington.edu, kfwh@u.washington.edu,
lmayhugh@u.washington.edu, msccstaff@ms.washington.edu,
netreq@u.washington.edu, oystr@cs.washington.edu,
perseant@hitl.washington.edu, peterson@chem.washington.edu,
pramsay@u.washington.edu, Bryan Rawson <rawson@engr.washington.edu>,
rcf@ms.washington.edu, reedr@u.washington.edu,
rgretty@u.washington.edu, Rex Hughes <rxhughes@u.washington.edu>,
sekar@ee.washington.edu, steve@geophys.washington.edu,
yenbut@cs.washington.edu
cc: security@cac.washington.edu
Subject: Potential compromise of 19 UW systems
Message-ID: <Pine.GUL.4.21.0001261033320.3057-100000@red3.cac.washington.edu>
Please note the following report of a suspected RPC scan/remote exploit
attack on a large number of UW systems. This incident originated from
the host www.mgmt.mankato.msus.edu on January 24, 2000.
It is known that this system made connections to port 111/tcp (rpcbind
or portmap), but it is unclear what specific RPC service(s) were
targeted, or if this was simply a scan. Insufficient evidence is
available to make any determination, or to give any specific information
about files/directories/processes to look for on the system.
Please identify the system(s) listed below that are under your authority
and take a very close look at them and report anything that you find on
the system that can help determine the attack method, fingerprints, etc.
Just as a reminder, please keep track of the time spent on this. We are
seeing more and more mass-attacks that are part of significantly larger
incidents (sometimes on the order of >1000 hosts at a time). Inadequate
preservation of forensic evidence and accurate time estimates (used to
determine damages) hampers investigations and prosecution efforts.
For more information on responding to suspected root compromise and the
use of "root kits" to hide files/processes on compromised systems, see:
http://staff.washington.edu/dittrich/misc/faqs/responding.faq
http://staff.washington.edu/dittrich/misc/faqs/rootkits.faq
--
Dave Dittrich Client Services
dittrich@cac.washington.edu Computing & Communications
University of Washington
Dave Dittrich / dittrich@cac.washington.edu [PGP Key]
http://www.washington.edu/People/dad/
PGP 6.5.1 key fingerprint:
FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
On 25 January, 2000, reports of scans to service 111/tcp (portmap) were
sent in by 'Dave' David Bowen <bowend@u.washington.edu>, Eric Zager
<zager@marge.phys.washington.edu>, Neil M. Bogue <bogue@apl.washington.edu>,
and David Fetrow <fetrow@biostat.washington.edu>.
Logs indicate that this was likely due to a root level compromise of
the system www.mgmt.mankato.msus.edu:
------------------------------------------------------------------------------
Jan 24 23:25:32 abacus ippl: sunrpc connection attempt from
root@www.mgmt.mankato.msus.edu [134.29.16.98]
Jan 24 23:25:34 rossini ippl: sunrpc connection attempt from
www.mgmt.mankato.msus.edu [134.29.16.98]
Jan 24 23:25:34 beth ippl: sunrpc connection attempt from
www.mgmt.mankato.msus.edu [134.29.16.98]
Jan 24 23:25:34 daleth ippl: sunrpc connection attempt from
www.mgmt.mankato.msus.edu [134.29.16.98]
Jan 24 23:25:36 gimel ippl: sunrpc connection attempt from
root@www.mgmt.mankato.msus.edu [134.29.16.98]
Jan 24 23:25:36 rossini ippl: sunrpc connection attempt from
www.mgmt.mankato.msus.edu [134.29.16.98]
Jan 24 23:26:07 abacus ippl: sunrpc connection attempt from
root@www.mgmt.mankato.msus.edu [134.29.16.98]
. . .
------------------------------------------------------------------------------
On January 25, Jeffrey E. Hundstad <jeffrey.hundstad@mankato.msus.edu>
responded to one of these reports confirming that the host had been
compromised and that they were performing an audit to determine the
extent and source of the compromise.
From border router network flow logs, Aaron Racine identified 19 UW
systems that had more than one packet in the flow to the portmap service
port (111/tcp):
------------------------------------------------------------------------------
Jan 24 23:23:41 134.29.16.98(656) -> 128.95.1.27(111), 4 packets
Jan 24 23:24:32 134.29.16.98(698) -> 128.95.8.115(111), 3 packets
Jan 24 23:24:50 134.29.16.98(746) -> 128.95.12.165(111), 2 packets
Jan 24 23:25:07 134.29.16.98(804) -> 128.95.16.55(111), 2 packets
Jan 24 23:26:39 134.29.16.98(730) -> 128.95.31.207(111), 2 packets
Jan 24 23:26:55 134.29.16.98(880) -> 128.95.34.186(111), 5 packets
Jan 24 23:29:31 134.29.16.98(660) -> 128.95.64.30(111), 2 packets
Jan 24 23:30:21 134.29.16.98(762) -> 128.95.73.62(111), 2 packets
Jan 24 23:32:20 134.29.16.98(758) -> 128.95.95.2(111), 5 packets
Jan 24 23:32:44 134.29.16.98(1006) -> 128.95.98.56(111), 3 packets
Jan 24 23:32:45 134.29.16.98(1010) -> 128.95.98.59(111), 5 packets
Jan 24 23:36:05 134.29.16.98(1010) -> 128.95.135.136(111), 5 packets
Jan 24 23:38:28 134.29.16.98(819) -> 128.95.161.55(111), 5 packets
Jan 24 23:39:35 134.29.16.98(619) -> 128.95.174.3(111), 4 packets
Jan 24 23:40:46 134.29.16.98(948) -> 128.95.186.96(111), 2 packets
Jan 24 23:43:13 134.29.16.98(746) -> 128.95.214.88(111), 5 packets
Jan 24 23:43:40 134.29.16.98(780) -> 128.95.219.129(111), 3 packets
Jan 24 23:44:06 134.29.16.98(928) -> 128.95.224.126(111), 4 packets
Jan 24 23:44:37 134.29.16.98(1015) -> 128.95.231.15(111), 3 packets
------------------------------------------------------------------------------
In the past, this has been indicative of an automated attack using a
prior reconnaissance scan to detect operating system
type/architecture/service combinations, followed by a scripted remote
buffer overrun and remote command shell installation, which is followed
by piping commands to this root shell to install programs on the
compromised systems.
From a prior scan of campus systems for operating system detection
and limited service ports, these systems appear to be a mix of operating
system types (which would be contrary to the assessment in the prior paragraph).
------------------------------------------------------------------------------
Host: 128.95.1.27 (bonanza.cs.washington.edu) Ports: 37/open/tcp//time///, 540/open/tcp//uucp/// Seq Index: 1
Host: 128.95.12.165 (cascade.bchem.washington.edu) Status: Up
Host: 128.95.16.55 (wobbles.geophys.washington.edu) Status: Up
Host: 128.95.161.55 () Status: Up
Host: 128.95.174.3 (ecfc3.atmos.washington.edu) Status: Up
Host: 128.95.214.88 (tofsims.cheme.washington.edu) Ports: 37/open/tcp//time///, 540/open/tcp//uucp/// Seq Index: 1 OS: SunOS 4.1.1 - 4.1.4 (or derivative)
Host: 128.95.219.129 (detour.cs.washington.edu) Status: Up
Host: 128.95.224.126 (x126.math.washington.edu) Status: Up
Host: 128.95.231.15 (droog.mbt.washington.edu) Ports: 37/open/tcp//time///, 7100/open/tcp//font-service/// Seq Index: 21303 OS: Solaris 2.6 - 2.7
Host: 128.95.31.207 (amazon.ee.washington.edu) Ports: 37/open/tcp//time///, 540/open/tcp//uucp///, 7100/open/tcp//font-service/// Seq Index: 30662 OS: Solaris 2.6 - 2.7
Host: 128.95.34.186 (hydra.me.washington.edu) Status: Up
Host: 128.95.64.30 (huckel.chem.washington.edu) Ports: 37/open/tcp//time///, 540/open/tcp//uucp/// Seq Index: 9999999 OS: AIX 4.2
Host: 128.95.73.62 (nootka.mbt.washington.edu) Status: Up
Host: 128.95.8.115 (x-gravel.cs.washington.edu) Status: Up
Host: 128.95.95.2 (nucthy.phys.washington.edu) Ports: 37/open/tcp//time/// Seq Index: 9999999 OS: OpenVMS 6.2
Host: 128.95.98.56 (betula.astro.washington.edu) Ports: 37/open/tcp//time///, 540/open/tcp//uucp///, 7100/open/tcp//font-service/// Seq Index: 33313 OS: Solaris 2.6 - 2.7
Host: 128.95.98.59 (incubus98.astro.washington.edu) Status: Up
------------------------------------------------------------------------------
These systems are owned/managed by the following people:
------------------------------------------------------------------------------
128.95.1.27 = bonanza.cs.washington.edu
EMAIL0: yenbut@cs.washington.edu
EMAIL1: burr@cs.washington.edu
PHONE0: 206-685-0912
EMAIL2: oystr@cs.washington.edu
PHONE1: 206-543-2371
PHONE2: 206-685-0911
128.95.8.115 = x-gravel.cs.washington.edu
EMAIL0: yenbut@cs.washington.edu
EMAIL1: burr@cs.washington.edu
PHONE0: 206-685-0912
EMAIL2: oystr@cs.washington.edu
PHONE1: 206-543-2371
PHONE2: 206-685-0911
128.95.12.165 = cascade.bchem.washington.edu
EMAIL0: emuller@u.washington.edu
NAME0: Eric Muller
PHONE0: 206-543-5354
128.95.16.55 = wobbles.geophys.washington.edu
EMAIL0: steve@geophys.washington.edu
NAME0: Steve Malone
EMAIL1: dana@geophys.washington.edu
PHONE0: 206-685-3811
NAME1: Dana Carrington
PHONE1: 206-685-3398
128.95.31.207 = amazon.ee.washington.edu
NAME0: Joel Bradbury
NAME1: Sekar Thiagarajan
NAME2: ee consulting
EMAIL0: joel@its.washington.edu
EMAIL1: sekar@ee.washington.edu
EMAIL2: help@ee.washington.edu
PHONE0: 206-616-9830
PHONE1: 206-221-5163
PHONE2: 206-543-8984
128.95.34.186 = hydra.me.washington.edu
NAME0: Bryan Rawson
NAME1: George Andexler
NAME2: Mark Ganter
NAME3: Ulix Goettsch
EMAIL0: rawson@engr.washington.edu
EMAIL1: andexler@u.washington.edu
PHONE0: 206-543-4215
EMAIL2: ganter@u.washington.edu
PHONE1: 206-685-3219
EMAIL3: help@me.washington.edu
PHONE2: 543-5487
PHONE3: 206-616-1867
128.95.64.30 = huckel.chem.washington.edu
NAME0: John Peterson
EMAIL0: peterson@chem.washington.edu
PHONE0: 206-543-1699
128.95.73.62 = nootka.mbt.washington.edu
NAME0: Dwane Aldrich
NAME1: Konrad Schroder
NAME2: Rex Hughes
NAME3: Robert Hubley
NAME4: Linda Mayhugh
NAME5: Brent Ewing
EMAIL0: aldrich@u.washington.edu
EMAIL1: perseant@hitl.washington.edu
EMAIL2: rxhughes@u.washington.edu
PHONE0: 206-616-3097
EMAIL3: hubley@u.washington.edu
PHONE1: 206-616-1478
EMAIL4: lmayhugh@u.washington.edu
PHONE2: 206-616-9101
EMAIL5: bge@u.washington.edu
PHONE3: 206-616-3749
PHONE4: 206-616-2325
PHONE5: 206-616-6040
128.95.95.2 = nucthy.phys.washington.edu
NAME0: Jim Belonis
NAME1: Alan Jedlow
EMAIL0: belonis@phys.washington.edu
EMAIL1: jedlow@phys.washington.edu
PHONE0: 206-685-8695
PHONE1: 206-685-8695
128.95.98.56 = betula.astro.washington.edu
NAME0: Jim Belonis
NAME1: Alan Jedlow
EMAIL0: belonis@phys.washington.edu
EMAIL1: jedlow@phys.washington.edu
PHONE0: 206-685-8695
PHONE1: 206-685-8695
128.95.98.59 = incubus98.astro.washington.edu
NAME0: Jim Belonis
NAME1: Alan Jedlow
EMAIL0: belonis@phys.washington.edu
EMAIL1: jedlow@phys.washington.edu
PHONE0: 206-685-8695
PHONE1: 206-685-8695
128.95.135.136 = xcon3.cac.washington.edu
NAME0: UCS Desktop Group
NAME1: Ken Lowe
EMAIL0: netops@cac.washington.edu
EMAIL1: desktop@u.washington.edu
EMAIL2: ken@cac.washington.edu
PHONE0: 206-543-5128
PHONE1: 206-543-5048
PHONE2: 206-543-6699
128.95.161.55
NAME0: Ron Gretty
NAME1: Greg Thompson
NAME2: Medical Center Net Requests
NAME3: Renee Reed
EMAIL0: rgretty@u.washington.edu
EMAIL1: gjt@u.washington.edu
EMAIL2: netreq@u.washington.edu
PHONE0: 206-685-8119
EMAIL3: reedr@u.washington.edu
PHONE1: 206-543-5314
PHONE2:
PHONE3: 221-4598
128.95.174.3 = ecfc3.atmos.washington.edu
NAME0: Harry Edmon
EMAIL0: harry@atmos.washington.edu
PHONE0: 206-543-0547
128.95.186.96
NAME0: Ron Gretty
NAME1: Greg Thompson
NAME2: Medical Center Net Requests
NAME3: Renee Reed
EMAIL0: rgretty@u.washington.edu
EMAIL1: gjt@u.washington.edu
EMAIL2: netreq@u.washington.edu
PHONE0: 206-685-8119
EMAIL3: reedr@u.washington.edu
PHONE1: 206-543-5314
PHONE2:
PHONE3: 221-4598
128.95.214.88 = tofsims.cheme.washington.edu
NAME0: Paul Ramsay
NAME1: Michelle Blachette
NAME2: Bryan Rawson
EMAIL0: pramsay@u.washington.edu
EMAIL1: blanchette@cheme.washington.edu
EMAIL2: rawson@engr.washington.edu
PHONE0: 206-543-3227
PHONE1: 206-685-8364
PHONE2: 206-543-4215
128.95.219.129 = detour.cs.washington.edu
NAME0: Voradesh Yenbut
NAME1: Nancy Johnson Burr
NAME2: Jan Sanislo
EMAIL0: yenbut@cs.washington.edu
EMAIL1: burr@cs.washington.edu
EMAIL2: oystr@cs.washington.edu
PHONE0: 206-685-0912
PHONE1: 206-543-2371
PHONE2: 206-685-0911
128.95.224.126 = x126.math.washington.edu
NAME0: Richard Fairfield
NAME1: MSCC HelpDesk
NAME2: Kirk Wolden-Hanson
EMAIL0: rcf@ms.washington.edu
EMAIL1: msccstaff@ms.washington.edu
EMAIL2: kfwh@u.washington.edu
PHONE0: 206-685-2303
PHONE1: 206-616-3636
PHONE2: 206-543-9945
128.95.231.15 = droog.mbt.washington.edu
NAME0: Hal Miller
EMAIL0: hal@cellworks.mbt.washington.edu
PHONE0: 221-5279
------------------------------------------------------------------------------
------- End of Forwarded Message
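As an added illustration, not part of the original email and not any UW tooling, here is the triage step the report describes: reading border-router flow-log lines in the format quoted above and keeping only the flows from the suspect source to 111/tcp that carried more than one packet. The line format is assumed from the quoted lines, and the sample input mixes lines copied from the report with constructed ones.

```python
import re
from collections import defaultdict

# Flow-log line format as quoted in the report (assumption: we rely only on
# the fields visible in the quoted lines):
#   Jan 24 23:23:41 134.29.16.98(656) -> 128.95.1.27(111), 4 packets
FLOW_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<pkts>\d+) packets?$"
)


def parse_flows(lines):
    """Yield one dict per well-formed flow line; malformed lines are skipped."""
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            for key in ("sport", "dport", "pkts"):
                rec[key] = int(rec[key])
            yield rec


def portmap_targets(lines, source, min_packets=2, port=111):
    """Destinations with a flow from `source` to `port` of at least
    `min_packets` packets. A lone unanswered probe usually shows up as a
    single packet, so the multi-packet flows are the hosts worth a close
    look. Returns {dst_ip: total_packets}."""
    totals = defaultdict(int)
    for f in parse_flows(lines):
        if f["src"] == source and f["dport"] == port and f["pkts"] >= min_packets:
            totals[f["dst"]] += f["pkts"]
    return dict(totals)


# Constructed sample: three lines copied from the report, one single-packet
# probe and one non-portmap flow (both made up), and a malformed line.
SAMPLE = """\
Jan 24 23:23:41 134.29.16.98(656) -> 128.95.1.27(111), 4 packets
Jan 24 23:24:32 134.29.16.98(698) -> 128.95.8.115(111), 3 packets
Jan 24 23:24:40 134.29.16.98(700) -> 128.95.9.9(111), 1 packets
Jan 24 23:24:41 134.29.16.98(701) -> 128.95.9.10(22), 6 packets
Jan 24 23:44:37 134.29.16.98(1015) -> 128.95.231.15(111), 3 packets
this line is not a flow record and is ignored
""".splitlines()

if __name__ == "__main__":
    for dst, pkts in sorted(portmap_targets(SAMPLE, "134.29.16.98").items()):
        print(f"{dst:16} {pkts} packets to 111/tcp -> notify the system owner")
```

Single-packet flows are dropped by the threshold, so a host that merely received an unanswered probe is not put on the follow-up list.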