[cobalt-security] Cobalt, you have been hacked? :o)
- Subject: [cobalt-security] Cobalt, you have been hacked? :o)
- From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
- Date: Mon, 21 May 2001 21:28:13 +0200
- Organization: Stauber Multimedia Design
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
To whom it might concern,
I usually don't bother to report it when my server at 206.239.85.113 gets
portscanned, or when someone tries to run some other exploit against it. This time
it's different, as the originating machine *seems* to belong to SUN/Cobalt.
Whoever is in charge of system security at SUN/Cobalt *should* look into this:
wss130a:~ # nslookup 64.224.123.177
Server: amerika-buch.de
Address: 206.239.85.113
Name: mail.skublin.cobalt.com
Address: 64.224.123.177
Here is a traceroute from my linux desktop. The 10.1.130.50 on top is my
Firewall/Dial-in-Router.
wss130a:~ # traceroute 64.224.123.177
traceroute to 64.224.123.177 (64.224.123.177), 30 hops max, 40 byte packets
1 10.1.130.50 (10.1.130.50) 1 ms 0 ms 0 ms
2 217.5.106.101 (217.5.106.101) 34 ms 40 ms 40 ms
3 217.5.106.62 (217.5.106.62) 150 ms 60 ms 280 ms
4 GI-EB1.GI.DE.net.dtag.de (62.154.10.191) 40 ms 40 ms 40 ms
5 TysonsC-gw12.USA.net.DTAG.DE (194.25.6.98) 130 ms 130 ms 130 ms
6 208.30.208.9 (208.30.208.9) 130 ms 129 ms 130 ms
7 sl-bb21-rly-10-0.sprintlink.net (144.232.7.146) 130 ms 130 ms 130 ms
8 sl-bb20-atl-12-0.sprintlink.net (144.232.9.198) 180 ms 180 ms 180 ms
9 sl-gw21-atl-9-0.sprintlink.net (144.232.12.18) 180 ms 180 ms 180 ms
10 * sl-il-3-0.sprintlink.net (160.81.204.10) 176 ms 180 ms
11 10.0.2.5 (10.0.2.5) 180 ms 175 ms 200 ms
12 * * *
13 * * *
wss130a:~ #
So the nslookup says that the IP in question belongs to cobalt.com. But the
traceroute seems to end in another class A private network. Now if that ain't
fishy.
My server clock runs on GMT+1, if that helps to pin down whichever script
kiddie tried to run the sunrpc exploit on my machine.
On Monday, 21 May 2001 19:00, you wrote:
> Active System Attack Alerts
> =-=-=-=-=-=-=-=-=-=-=-=-=-=
> May 21 18:50:22 admin portsentry[26113]: attackalert: SYN/Normal scan from host: mail.skublin.cobalt.com/64.224.123.177 to TCP port: 111
> May 21 18:50:22 admin portsentry[26113]: attackalert: Host 64.224.123.177 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 64.224.123.177 -j DENY"
> May 21 18:50:22 admin portsentry[26113]: attackalert: SYN/Normal scan from host: mail.skublin.cobalt.com/64.224.123.177 to TCP port: 111
> May 21 18:50:22 admin portsentry[26113]: attackalert: Host: mail.skublin.cobalt.com/64.224.123.177 is already blocked Ignoring
> May 21 18:50:22 admin portsentry[26113]: attackalert: SYN/Normal scan from host: mail.skublin.cobalt.com/64.224.123.177 to TCP port: 111
> May 21 18:50:22 admin portsentry[26113]: attackalert: Host: mail.skublin.cobalt.com/64.224.123.177 is already blocked Ignoring
> May 21 18:50:22 admin portsentry[26113]: attackalert: SYN/Normal scan from host: mail.skublin.cobalt.com/64.224.123.177 to TCP port: 111
> May 21 18:50:22 admin portsentry[26113]: attackalert: Host: mail.skublin.cobalt.com/64.224.123.177 is already blocked Ignoring
> May 21 18:50:22 admin portsentry[26113]: attackalert: SYN/Normal scan from host: mail.skublin.cobalt.com/64.224.123.177 to TCP port: 111
> May 21 18:50:22 admin portsentry[26113]: attackalert: Host: mail.skublin.cobalt.com/64.224.123.177 is already blocked Ignoring
> May 21 18:50:22 admin portsentry[26113]: attackalert: SYN/Normal scan from host: mail.skublin.cobalt.com/64.224.123.177 to TCP port: 111
> May 21 18:50:22 admin portsentry[26113]: attackalert: Host: mail.skublin.cobalt.com/64.224.123.177 is already blocked Ignoring
> May 21 18:50:22 admin portsentry[26113]: attackalert: SYN/Normal scan from host: mail.skublin.cobalt.com/64.224.123.177 to TCP port: 111
> May 21 18:50:22 admin portsentry[26113]: attackalert: Host: mail.skublin.cobalt.com/64.224.123.177 is already blocked Ignoring
> May 21 18:50:22 admin portsentry[26113]: attackalert: SYN/Normal scan from host: mail.skublin.cobalt.com/64.224.123.177 to TCP port: 111
> May 21 18:50:22 admin portsentry[26113]: attackalert: Host: mail.skublin.cobalt.com/64.224.123.177 is already blocked Ignoring
--
With kind regards / Best regards
Michael Stauber
Stauber Multimedia Design ____ Phone: +49-6471-923812
Hauptstrasse 31 ______ D-56244 Goddert ______ Germany
SMD.NET ___ SOLARSPEED.NET ___ FORUMWORLD.COM
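The portsentry alerts quoted in the mail above, and the reverse-DNS result that prompted the report, are the kind of data a small triage script can condense before it goes to an abuse contact. The following Python is an added example, not part of the original mail and not part of portsentry: it parses "attackalert" lines in the format quoted above, counts scan events per source and port, records the block command portsentry ran, and checks whether the reverse-DNS name is forward-confirmed. Real forward lookups are replaced by a constructed table (CONSTRUCTED_FORWARD) so it runs offline; the sample log is a constructed subset of the quoted lines, and the mismatching hostname and 192.0.2.10 address are invented for illustration.

```python
import re
from collections import Counter

# Constructed sample: a subset of the portsentry lines quoted in the mail.
SAMPLE_LOG = """\
May 21 18:50:22 admin portsentry[26113]: attackalert: SYN/Normal scan from host: mail.skublin.cobalt.com/64.224.123.177 to TCP port: 111
May 21 18:50:22 admin portsentry[26113]: attackalert: Host 64.224.123.177 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 64.224.123.177 -j DENY"
May 21 18:50:22 admin portsentry[26113]: attackalert: SYN/Normal scan from host: mail.skublin.cobalt.com/64.224.123.177 to TCP port: 111
May 21 18:50:22 admin portsentry[26113]: attackalert: Host: mail.skublin.cobalt.com/64.224.123.177 is already blocked Ignoring
May 21 18:50:22 admin portsentry[26113]: attackalert: SYN/Normal scan from host: mail.skublin.cobalt.com/64.224.123.177 to TCP port: 111
May 21 18:50:22 admin portsentry[26113]: attackalert: Host: mail.skublin.cobalt.com/64.224.123.177 is already blocked Ignoring
"""

# Constructed stand-in for forward DNS: name -> set of IPs it resolves to.
# The first entry mirrors the reverse lookup in the mail; the second is an
# invented name whose PTR claim would NOT be confirmed by a forward lookup.
CONSTRUCTED_FORWARD = {
    "mail.skublin.cobalt.com": {"64.224.123.177"},
    "ptr-claims-this.example.net": {"192.0.2.10"},
}

# Syslog timestamps carry no timezone; the mail notes the host runs on GMT+1.
SCAN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<syslog_host>\S+) portsentry\[\d+\]: "
    r"attackalert: (?P<mode>.+?) scan from host: (?P<rdns>\S+)/(?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"to (?P<proto>TCP|UDP) port: (?P<port>\d+)$"
)
BLOCK_RE = re.compile(
    r'^.* attackalert: Host (?P<ip>\d+\.\d+\.\d+\.\d+) has been blocked via dropped route '
    r'using command: "(?P<cmd>[^"]+)"$'
)


def parse_portsentry(text):
    """Return (scans, blocks): scans is a list of dicts per scan event,
    blocks maps source IP -> the block command portsentry reported running."""
    scans, blocks = [], {}
    for line in text.splitlines():
        m = SCAN_RE.match(line)
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            scans.append(d)
            continue
        m = BLOCK_RE.match(line)
        if m:
            blocks[m.group("ip")] = m.group("cmd")
        # "is already blocked Ignoring" lines add nothing new; they are skipped.
    return scans, blocks


def summarize(scans):
    """Count scan events per (source IP, protocol, destination port)."""
    return Counter((s["ip"], s["proto"], s["port"]) for s in scans)


def rdns_is_forward_confirmed(ip, rdns_name, forward_lookup):
    """Forward-confirmed reverse DNS: whoever controls the PTR zone for an IP
    can put any name in it, so the name only means something if resolving it
    forward returns the same IP. forward_lookup(name) -> set of IP strings."""
    return ip in forward_lookup(rdns_name)


def report(text, forward_lookup):
    """One row per (ip, proto, port) with event count, rDNS status and block state."""
    scans, blocks = parse_portsentry(text)
    rows = []
    for (ip, proto, port), n in sorted(summarize(scans).items()):
        rdns = next(s["rdns"] for s in scans if s["ip"] == ip)
        rows.append({
            "ip": ip, "proto": proto, "port": port, "events": n, "rdns": rdns,
            "rdns_confirmed": rdns_is_forward_confirmed(ip, rdns, forward_lookup),
            "blocked": ip in blocks,
            "block_cmd": blocks.get(ip),
        })
    return rows


def constructed_lookup(name):
    """Offline forward lookup over the constructed table (empty set if unknown)."""
    return CONSTRUCTED_FORWARD.get(name, set())


if __name__ == "__main__":
    for row in report(SAMPLE_LOG, constructed_lookup):
        print(row)
```

Running it on the constructed sample yields a single row: 64.224.123.177 hit TCP/111 three times, its reverse name is forward-confirmed by the table, and it was blocked with the ipchains command quoted in the mail. In practice `constructed_lookup` would be replaced by a real resolver call, and a row with `rdns_confirmed: False` tells you the PTR name should not be used to attribute the traffic to an organisation.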