No Subject
- To: [email protected]
- From: [email protected]
- Date: Sun, 23 Jan 1994 05:52:14 -0800
- Comments: This message is NOT from the person listed in the From line. It is from an automated software remailing service operating at that address. Please report problem mail to <[email protected]>.
To the WORM Detweiller
THE FOLLOWING SHOULD REALLY TURN YOU ON...
Escape character is '^]'.
220 ntupub.ntu.edu Sendmail 5.65/DEC-Ultrix/4.3 ready at Sun, 23 Jan 1994 02:01:06 -0700
vrfy ld231782
550 ld231782... User Unknown
vrfy detweiler
550 detweiler... User Unknown
verify larry
500 Command unrecognized
vrfy larry
252 <larry> is an alias
expn larry
250 <[email protected]>
quit
221 ntupub.ntu.edu closing connection
THIS SENDMAIL 5.65 IS POSSIBLY VULNERABLE TO THE SENDMAIL
HOLE RECENTLY FOUND AND A SCRIPT OF WHICH TO PENETRATE
WITH CAN BE FOUND IN THE bugtraq ARCHIVE.
Connection closed by foreign host.
# finger [email protected]
[ntuvax.ntu.edu]
connect: Connection refused
this is a somewhat paranoid host so we look at it
BUT netfind SEEKS ROTWEILER OUT
SYSTEM: ntupub.ntu.edu
Login name: larry In real life: LArry Detweiller
Directory: /users/NTU/larry Shell: /bin/csh
Last login Fri Jan 21 16:14 on tty02 from LARRY
Project: What am I working on?
No Plan.
checking one of the upstream ips from this we find
Trying 192.52.106.4...
Connected to 192.52.106.4.
Escape character is '^]'.
This is the cisco gateway at NCAR for Westnet.
Configuration loaded from windom.UCAR.EDU:/tftpboot/ncar-gw-confg.
User Access Verification
Password:
Traceroute logs follow
4 cix-west2.cix.net (149.20.3.3) 290 ms 300 ms 330 ms
5 ans.cix.net (149.20.5.2) 320 ms 320 ms 310 ms
6 en-0.San-Francisco-cnss11.t3.ans.net (192.103.60.5) 310 ms 320 ms 330 ms
7 mf-0.San-Francisco-cnss8.t3.ans.net (140.222.8.222) 310 ms 310 ms 320 ms
8 t3-1.Seattle-cnss88.t3.ans.net (140.222.88.2) 330 ms 290 ms 320 ms
9 t3-0.Denver-cnss96.t3.ans.net (140.222.96.1) 340 ms 320 ms 330 ms
10 mf-0.Denver-cnss97.t3.ans.net (140.222.96.193) 330 ms 300 ms 320 ms
11 t3-0.enss141.t3.ans.net (140.222.141.1) 330 ms 330 ms 320 ms
12 cu-gw.ucar.edu (192.52.106.4) 320 ms 310 ms 330 ms
13 ucb-ncar.CO.westnet.net (129.19.254.46) 320 ms 310 ms cu2-ncar2.CO.westnet.net (129.19.248.62) 370 ms
14 csu-ucb.CO.westnet.net (129.19.254.102) 320 ms 310 ms 330 ms
15 csu-gw-2.UCC.ColoState.EDU (129.82.103.2) 320 ms 310 ms 330 ms
16 middle.lance.colostate.edu (129.82.109.2) 320 ms 330 ms 330 ms
17 dolores.lance.colostate.edu (129.82.112.18) 330 ms 330 ms 300 ms
4 cix-west2.cix.net (149.20.3.3) 310 ms 310 ms 310 ms
5 ans.cix.net (149.20.5.2) 310 ms 300 ms 300 ms
6 en-0.San-Francisco-cnss11.t3.ans.net (192.103.60.5) 310 ms 320 ms 390 ms
7 mf-0.San-Francisco-cnss8.t3.ans.net (140.222.8.222) 300 ms 300 ms 310 ms
8 t3-1.Seattle-cnss88.t3.ans.net (140.222.88.2) 320 ms 310 ms 310 ms
9 t3-0.Denver-cnss96.t3.ans.net (140.222.96.1) 320 ms 340 ms 330 ms
10 mf-0.Denver-cnss97.t3.ans.net (140.222.96.193) 350 ms 300 ms 310 ms
11 t3-0.enss141.t3.ans.net (140.222.141.1) 320 ms 320 ms 310 ms
12 cu-gw.ucar.edu (192.52.106.4) 330 ms 310 ms 310 ms
13 cu2-ncar2.CO.westnet.net (129.19.248.62) 340 ms ucb-ncar.CO.westnet.net (129.19.254.46) 320 ms 300 ms
14 csu-ucb.CO.westnet.net (129.19.254.102) 320 ms 330 ms 320 ms
15 csu-gw-2.UCC.ColoState.EDU (129.82.103.2) 320 ms 330 ms 330 ms
16 middle.lance.colostate.edu (129.82.109.2) 340 ms 310 ms 420 ms
17 keller.lance.colostate.edu (129.82.112.41) 320 ms 330 ms 330 ms
4 cix-west2.cix.net (149.20.3.3) 310 ms 330 ms 350 ms
5 ans.cix.net (149.20.5.2) 340 ms 340 ms 330 ms
6 en-0.San-Francisco-cnss11.t3.ans.net (192.103.60.5) 330 ms 300 ms 280 ms
7 mf-0.San-Francisco-cnss8.t3.ans.net (140.222.8.222) 340 ms 300 ms 280 ms
8 t3-1.Seattle-cnss88.t3.ans.net (140.222.88.2) 340 ms 290 ms 350 ms
9 t3-0.Denver-cnss96.t3.ans.net (140.222.96.1) 330 ms 320 ms 310 ms
10 mf-0.Denver-cnss97.t3.ans.net (140.222.96.193) 350 ms 320 ms 330 ms
11 t3-0.enss141.t3.ans.net (140.222.141.1) 340 ms 340 ms 310 ms
12 cu-gw.ucar.edu (192.52.106.4) 330 ms 320 ms 300 ms
13 cu2-ncar2.CO.westnet.net (129.19.248.62) 350 ms 320 ms 320 ms
14 csu-ucb.CO.westnet.net (129.19.254.102) 330 ms 320 ms 320 ms
15 ntu-csu.CO.westnet.net (129.19.254.82) 360 ms 330 ms 330 ms
16 192.65.141.15 (192.65.141.15) 350 ms 340 ms 350 ms
JUST DOING SOME RESEARCH VIA NIC WE FIND THAT THE MACHINE
Non-authoritative answer:
Name: longs.lance.colostate.edu
Address: 129.82.109.16
> set type=mx
> longs.lance.colostate.edu
longs.lance.colostate.edu preference = 0, mail exchanger = longs.lance.colostate.edu
longs.lance.colostate.edu preference = 10, mail exchanger = yuma.acns.colostate.edu
longs.lance.colostate.edu internet address = 129.82.109.16
yuma.acns.colostate.edu internet address = 129.82.100.64
acns.colostate.EDU nameserver = yuma.acns.ColoState.EDU
acns.colostate.EDU nameserver = lamar.ColoState.EDU
yuma.ACNS.ColoState.EDU internet address = 129.82.100.64
lamar.ColoState.EDU internet address = 129.82.103.75
lamar.ColoState.EDU preference = 10, mail exchanger = lamar.ColoState.EDU
lamar.ColoState.EDU preference = 20, mail exchanger = yuma.ACNS.ColoState.EDU
lamar.ColoState.EDU internet address = 129.82.103.75
yuma.ACNS.ColoState.EDU internet address = 129.82.100.64
and a traceroute to LDs favorite posting machine
dolores.lance.colostate.edu
;; flags: qr rd ra ; Ques: 1, Ans: 1, Auth: 2, Addit: 2
;; QUESTIONS:
;; dolores.lance.colostate.edu, type = A, class = IN
;; ANSWERS:
dolores.lance.colostate.edu. 86298 A 129.82.112.18
;; AUTHORITY RECORDS:
lance.colostate.EDU. 44453 NS yuma.acns.ColoState.EDU.
lance.colostate.EDU. 44453 NS lamar.ColoState.EDU.
;; ADDITIONAL RECORDS:
yuma.acns.ColoState.EDU. 160860 A 129.82.100.64
lamar.ColoState.EDU. 160860 A 129.82.103.75
;; Sent 1 pkts, answer found in time: 10 msec
;; MSG SIZE sent: 45 rcvd: 166
dig type=mx keller.lance.colostate.edu
; <<>> DiG 2.0 <<>> type=mx keller.lance.colostate.edu
;; ->>HEADER<<- opcode: QUERY , status: NOERROR, id: 6
;; flags: qr aa rd ra ; Ques: 1, Ans: 1, Auth: 0, Addit: 0
;; QUESTIONS:
;; keller.lance.colostate.edu, type = A, class = IN
;; ANSWERS:
keller.lance.colostate.edu. 86400 A 129.82.112.41
;; Sent 1 pkts, answer found in time: 470 msec
;; MSG SIZE sent: 44 rcvd: 60
from 4. Note also I didn't query intervening routers and hosts for
information.
Upstream hosts and/or routers may also be compromisable...
4 cix-west2.cix.net (149.20.3.3) 310 ms 260 ms 290 ms
5 ans.cix.net (149.20.5.2) 280 ms 280 ms 280 ms
6 en-0.San-Francisco-cnss11.t3.ans.net (192.103.60.5) 270 ms 290 ms 270 ms
7 mf-0.San-Francisco-cnss8.t3.ans.net (140.222.8.222) 280 ms 320 ms 290 ms
8 t3-1.Seattle-cnss88.t3.ans.net (140.222.88.2) 300 ms 290 ms 300 ms
9 t3-0.Denver-cnss96.t3.ans.net (140.222.96.1) 310 ms 300 ms 310 ms
10 mf-0.Denver-cnss97.t3.ans.net (140.222.96.193) 310 ms 290 ms 310 ms
11 t3-0.enss141.t3.ans.net (140.222.141.1) 300 ms 300 ms 310 ms
12 cu-gw.ucar.edu (192.52.106.4) 300 ms 410 ms 310 ms
13 ucb-ncar.CO.westnet.net (129.19.254.46) 310 ms 129.19.248.62 (129.19.248.62) 320 ms 330 ms
14 csu-ucb.CO.westnet.net (129.19.254.102) 340 ms 320 ms 340 ms
15 csu-gw-2.UCC.ColoState.EDU (129.82.103.2) 310 ms 450 ms 310 ms
16 longs.lance.colostate.edu (129.82.109.16) 350 ms 330 ms 320 ms
WELL WHAT DOES THIS TELL US TECHNICALLY SO FAR... THERE
IS MOST LIKELY NO EFFECTIVE FIREWALL PROTECTION BETWEEN LD'S FAVORITE MACHINE
AND THE OUTSIDE WORLD AS TRACEROUTE USES UDP PROBES ON RANDOM PORTS.
NO INCOMING UDP BLOCKAGE GENERALLY INDICATES THE SECURITY
OF THAT MACHINE IS NOT DEPENDENT ON PROXY/PACKET FILTERING TYPE ROUTERS AND
FIREWALLED DOMAINS
ADDITIONALLY AN ISS LOG RUN VIA
iss -p 129.82.109.16
SHOWED THE FOLLOWING RESULTS :
--> Inet Sec Scanner Log By Christopher Klaus (C) 1993 <--
Email: [email protected] [email protected]
================================================================
Host 129.82.109.16, Port 11 opened. systat udp/tcp users
Host 129.82.109.16, Port 13 opened. daytime udp/tcp
Host 129.82.109.16, Port 17 opened. qotd tcp quote
Host 129.82.109.16, Port 21 opened. ftp tcp
Host 129.82.109.16, Port 23 opened. telnet tcp
Host 129.82.109.16, Port 25 opened. smtp tcp
Host 129.82.109.16, Port 37 opened. time udp/tcp
Host 129.82.109.16, Port 53 opened. domain udp/tcp
Host 129.82.109.16, Port 79 opened. finger tcp
Host 129.82.109.16, Port 109 opened. pop-2 tcp Post Office Protocol
Host 129.82.109.16, Port 110 opened. pop-3
Host 129.82.109.16, Port 111 opened. sunrpc udp/tcp JACKPOT!!!!!!
Host 129.82.109.16, Port 119 opened. nntp tcp
Host 129.82.109.16, Port 210 opened. THIS ONE IS UNUSUAL? i shows closed by foreign host
Host 129.82.109.16, Port 512 opened. biff/exec udp/tcpf
Host 129.82.109.16, Port 513 opened. who/login udp/ tcp
Host 129.82.109.16, Port 514 ("shell" service) opened. syslog/shell udp/tcp
Host 129.82.109.16, Port 515 opened. syslog/printer udp/tcp
Host 129.82.109.16, Port 593 opened. refuses telnet(udp connection) research...
Host 129.82.109.16, Port 704 opened. accepts telnet connection(tcp) echos...
Host 129.82.109.16, Port 1024 opened. accepts telnet connection(tcp)
Host 129.82.109.16, Port 1025 opened. listener RFS remote_file_sharing
Host 129.82.109.16, Port 1031 opened.
Host 129.82.109.16, Port 1032 opened. tcp
Host 129.82.109.16, Port 1033 opened. not checked
Host 129.82.109.16, Port 1034 opened. not checked
Host 129.82.109.16, Port 1035 opened. not checked
Host 129.82.109.16, Port 1036 opened. not checked
Host 129.82.109.16, Port 5599 opened. not checked
Host 129.82.109.16, Port 6667 opened. not checked
THE SCAN WAS TERMINATED AT THIS POINT. IN THE ABOVE LIST
WE FIND SEVERAL GEMS THE BEST OF WHICH IS
SUNRPC :)... so next of course
rpcinfo -p longs.lance.colostate.edu
program vers proto port
100004 2 udp 1029 ypserv
100004 2 tcp 1024 ypserv
100004 1 udp 1029 ypserv
100004 1 tcp 1024 ypserv
100007 2 tcp 1025 ypbind
100007 2 udp 1038 ypbind
100007 1 tcp 1025 ypbind
100007 1 udp 1038 ypbind
100005 1 udp 1071 mountd
100005 1 tcp 1031 mountd
100003 2 udp 2049 nfs
100024 1 udp 1081 status
100024 1 tcp 1032 status
100008 1 udp 1087 walld
100021 1 tcp 1033 nlockmgr
100021 1 udp 1092 nlockmgr
100021 3 tcp 1034 nlockmgr
100021 3 udp 1096 nlockmgr
100020 1 udp 1099 llockmgr
100020 1 tcp 1035 llockmgr
100021 2 tcp 1036 nlockmgr
150001 1 udp 1127 pcnfsd
300019 1 udp 1022
200002 1 udp 1956
whether running regular or secure RPC (the latter requires nfscrack
to crack the secret exponent) this machine is most likely a sparc or compatible
running a given version of SUNOS 4.1.X? (check HINFO if available.)
a check should be made to see which network security patches
have been applied to this host.
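As an added example, not taken from the message above or written by its author: the `rpcinfo -p` listings in this message (this one and the two near the end) are the kind of inventory a host administrator should be reading for their own machines. The script below parses a listing in that format and reports which registered RPC services should not be reachable from untrusted networks, with the usual fix for each. The sample listing, the service names it contains and the risk table are constructed for the example; the program numbers follow the standard rpc table and the listing is not from any host named in the message.

```python
"""Audit an `rpcinfo -p` listing for RPC services that should not be reachable
from untrusted networks (added example, not part of the original message)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the format `rpcinfo -p` prints: program number,
# version, protocol, port and (when the program number is in the local rpc
# table) a name. It is not a listing from any host named in the message.
SAMPLE_RPCINFO = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100004    2   udp   1029  ypserv
    100004    2   tcp   1024  ypserv
    100005    1   udp   1071  mountd
    100003    2   udp   2049  nfs
    100024    1   udp   1081  status
    100008    1   udp   1087  walld
    100021    1   tcp   1033  nlockmgr
    150001    1   udp   1127  pcnfsd
    300019    1   udp   1022
"""

# Services a host administrator should not leave reachable from the Internet,
# with the reason and the usual fix. Anything else in a listing is reported
# only if its program number carries no name.
RISKY_SERVICES: Dict[str, Tuple[str, str]] = {
    "portmapper": ("anyone can enumerate the RPC services registered on the host",
                   "filter tcp/udp 111 from untrusted networks"),
    "ypserv": ("NIS maps, including password hashes, can be fetched by anyone "
               "who knows or guesses the NIS domain name",
               "restrict with securenets and filter RPC ports at the border"),
    "mountd": ("export list and file handles are obtainable remotely",
               "export only to named hosts or netgroups; filter at the border"),
    "nfs": ("NFS data plane reachable on 2049",
            "filter 2049 tcp/udp from untrusted networks"),
    "status": ("rpc.statd has a record of remote vulnerabilities",
               "apply vendor patches; filter RPC ports at the border"),
    "walld": ("rwall accepts unauthenticated messages to every terminal",
              "disable the daemon unless it is needed"),
    "pcnfsd": ("pcnfsd has a record of remote vulnerabilities",
               "disable unless PC-NFS clients are required; patch"),
}


@dataclass
class RpcEntry:
    program: int
    version: int
    proto: str
    port: int
    name: Optional[str]  # None when rpcinfo printed no name for the number


@dataclass
class Finding:
    service: str
    endpoints: List[str]
    why: str
    fix: str


def parse_rpcinfo(text: str) -> List[RpcEntry]:
    """Parse `rpcinfo -p` output; tolerates the header line and blank lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "program":
            continue
        if len(fields) < 4:
            raise ValueError(f"unexpected rpcinfo line: {line!r}")
        program, version, proto, port = fields[:4]
        name = fields[4] if len(fields) > 4 else None
        entries.append(RpcEntry(int(program), int(version), proto, int(port), name))
    return entries


def audit(entries: List[RpcEntry]) -> List[Finding]:
    """Group endpoints by service; report the risky ones and the unidentified ones."""
    by_service: Dict[str, set] = {}
    for e in entries:
        key = e.name or f"program {e.program}"
        by_service.setdefault(key, set()).add((e.port, e.proto))
    findings = []
    for key, eps in by_service.items():
        endpoints = [f"{port}/{proto}" for port, proto in sorted(eps)]
        if key in RISKY_SERVICES:
            why, fix = RISKY_SERVICES[key]
            findings.append(Finding(key, endpoints, why, fix))
        elif key.startswith("program "):
            findings.append(Finding(key, endpoints,
                                    "program number not in the local rpc table",
                                    "identify the daemon on the host before leaving it reachable"))
    return findings


if __name__ == "__main__":
    for f in audit(parse_rpcinfo(SAMPLE_RPCINFO)):
        print(f"{f.service:<15}{', '.join(f.endpoints):<20}{f.why}")
        print(f"{'':<15}fix: {f.fix}")
```

Unnamed program numbers (the `300019` and `200002` lines in the message's listings are the same situation) are reported rather than ignored: a number the local rpc table cannot name is a daemon nobody has accounted for, which is exactly what an inventory is meant to surface.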
A probe of longs.lance.colostate.edu smtp port :
longs.lance.colostate.edu Sendmail 8.6.4/8.6.4 (LANCE 1.00) ready at xxx,xx2 xxx xxxx xx:xx:xx -xxxx
220 ESMTP spoken here
VRFY ld231782
250 L. Detweiler <[email protected]>
EXPN ld231782
502 That's none of your business
quit
221 longs.lance.colostate.edu closing connection
OK SO FAR SO GOOD HIS MACHINE SHOWS A FAIRLY SECURE SMTP DAEMON.
EXAMINATION OF THAT REVISION AND SOURCE OF SENDMAIL IS
STILL UNDER QUESTION BECAUSE THE CURRENT VERSION 8.65 ADDS EVEN MORE SECURITY
PATCHES
CHECKING FOR ANONYMOUS FTP WE FIND:
Check for anonymous FTP service
connected to 129.82.109.16.
220 longs.lance.colostate.edu FTP server (Version 4.1 Sun Mar 25 22:59:11 EST 1990) ready.
Name (129.82.109.16:root): anonymous
530 User anonymous unknown.
Login failed.
ftp> quit
500 'SYST': command not understood.
# ftp 129.82.109.16
Connected to 129.82.109.16.
220 longs.lance.colostate.edu FTP server (Version 4.1 Sun Mar 25 22:59:11 EST 1990) ready.
Name (129.82.109.16:root): ftp
530 User ftp unknown.
Login failed.
ftp> quit
--> Inet Sec Scanner Log By Christopher Klaus (C) 1993 <--
Email: [email protected] [email protected]
================================================================
Host dolores.lance.colostate.edu, Port 11 opened.
Host dolores.lance.colostate.edu, Port 13 opened.
Host dolores.lance.colostate.edu, Port 17 opened.
Host dolores.lance.colostate.edu, Port 21 opened.
Host dolores.lance.colostate.edu, Port 23 opened.
Host dolores.lance.colostate.edu, Port 79 opened.
Host dolores.lance.colostate.edu, Port 111 opened.
Host dolores.lance.colostate.edu, Port 119 opened.
Host dolores.lance.colostate.edu, Port 512 opened.
Host dolores.lance.colostate.edu, Port 513 opened.
Host dolores.lance.colostate.edu, Port 514 ("shell" service) opened.
Host dolores.lance.colostate.edu, Port 515 opened.
Host dolores.lance.colostate.edu, Port 593 opened.
Host dolores.lance.colostate.edu, Port 704 opened.
Host dolores.lance.colostate.edu, Port 1041 opened.
Host dolores.lance.colostate.edu, Port 1045 opened.
Host dolores.lance.colostate.edu, Port 1046 opened.
Host dolores.lance.colostate.edu, Port 1047 opened.
Host dolores.lance.colostate.edu, Port 1048 opened.
Host dolores.lance.colostate.edu, Port 1049 opened.
Host dolores.lance.colostate.edu, Port 1999 opened.
Host dolores.lance.colostate.edu, Port 6000 opened.
Ooohhh this is a bad one Xwindows is in ALL likelihood
an OPEN DOOR...WE FIND THE SAME FOR keller.lance.colostate.edu
Host keller.lance.colostate.edu, Port 11 opened.
Host keller.lance.colostate.edu, Port 13 opened.
Host keller.lance.colostate.edu, Port 17 opened.
Host keller.lance.colostate.edu, Port 21 opened.
Host keller.lance.colostate.edu, Port 23 opened.
Host keller.lance.colostate.edu, Port 79 opened.
Host keller.lance.colostate.edu, Port 111 opened.
Host keller.lance.colostate.edu, Port 119 opened.
Host keller.lance.colostate.edu, Port 512 opened.
Host keller.lance.colostate.edu, Port 513 opened.
Host keller.lance.colostate.edu, Port 514 ("shell" service) opened.
Host keller.lance.colostate.edu, Port 515 opened.
Host keller.lance.colostate.edu, Port 593 opened.
Host keller.lance.colostate.edu, Port 704 opened.
Host keller.lance.colostate.edu, Port 1024 opened.
Host keller.lance.colostate.edu, Port 1025 opened.
Host keller.lance.colostate.edu, Port 1026 opened.
Host keller.lance.colostate.edu, Port 1027 opened.
Host keller.lance.colostate.edu, Port 1028 opened.
Host keller.lance.colostate.edu, Port 1029 opened.
Host keller.lance.colostate.edu, Port 1034 opened.
Host keller.lance.colostate.edu, Port 6000 opened.
rpcinfo -p keller.lance.colostate.edu
program vers proto port
100007 2 tcp 1024 ypbind
100007 2 udp 1031 ypbind
100007 1 tcp 1024 ypbind
100007 1 udp 1031 ypbind
100008 1 udp 1041 walld
100024 1 udp 1045 status
100024 1 tcp 1025 status
100021 1 tcp 1026 nlockmgr
100021 1 udp 1050 nlockmgr
100021 3 tcp 1027 nlockmgr
100021 3 udp 1054 nlockmgr
100020 1 udp 1057 llockmgr
100020 1 tcp 1028 llockmgr
100021 2 tcp 1029 nlockmgr
300019 1 udp 1023
rpcinfo -p dolores.lance.colostate.edu
program vers proto port
100007 2 tcp 1041 ypbind
100007 2 udp 1050 ypbind
100007 1 tcp 1041 ypbind
100007 1 udp 1050 ypbind
100008 1 udp 1067 walld
100024 1 udp 1071 status
100024 1 tcp 1045 status
100021 1 tcp 1046 nlockmgr
100021 1 udp 1076 nlockmgr
100021 3 tcp 1047 nlockmgr
100021 3 udp 1080 nlockmgr
100020 1 udp 1083 llockmgr
100020 1 tcp 1048 llockmgr
100021 2 tcp 1049 nlockmgr
300019 1 udp 1104