[H-GEN] FTP login by wtmp?

James C. McPherson James.McPherson at mq.edu.au
Tue Aug 17 21:03:25 EDT 1999


[ Humbug *General* list - semi-serious discussions about Humbug and
Unix-related topics. ]


Martin Pool writes:
 > >Hehe...the 8 second hack sounded pretty cool (if it is real, that is).
 > 
 > It sounds pretty plausible,

yup, it sure is. We've had some experiences with that lately down here.

 > 
 > >>Fortunately, they only ran the script on the ftp xferlog, and did not bother
 > >>with the system log or with the ippl log, so we have a complete audit trail
 > >>of their access attempts. Which leads me to believe that the attacker(s) was
 > >>only a scriptkiddy.
 > 
 > Or they didn't care enough to edit them.
 > 
 > >What if they were relaying through that machine, rather than originating
 > >from it?
 > >
 > >Yeah, considered that, however the originating IP addresses seem very much
 > >like terminal server addresses, vis:
 > >
 > >Aug 16 06:22:28 port 40000 connection attempt from p48-max4.chc.ihug.co.nz
 > >[207.214.13.175] (207.214.13.175:37188->139.130.67.107:40000)
 > >Aug 16 14:23:31 ICMP message type echo reply from p79-max16.chc.ihug.co.nz
 > >[216.100.148.83] (216.100.148.83->203.108.63.250)
 > 
 > Sure, probably the address is a dialup at ihug.co.nz.  But what if the
 > machine connected to that port was itself compromised and forwarding
 > packets to you from somewhere else?  For example, suppose it's a Unix
 > machine that was compromised by the same attack; or a wingate box in
 > promiscuous IP-forwarding mode.  

Ihug got majorly cracked last year (about November iirc) and we had a few
attempts on our servers from them as a result. I don't know that they've fixed
their boxen up yet. AusCERT advised us at the time about that. Interestingly
enough ihug also trade in Australia as "The Internet Group" and advertise
cheap rates every Monday in the smh.

Does the original poster know whether he's being audited at the moment by,
say, PWC?

James C. McPherson
--
Unix Systems Administrator            Phone: +61.2.9850.9418
Office of Computing Services            Fax: +61.2.9850.7433
Macquarie University   NSW    2109     
AUSTRALIA			     

--
This is list (humbug) general handled by majordomo at lists.humbug.org.au .
Postings only from subscribed addresses of lists general or general-post.


