
Re: [cobalt-security] Cobalt, you have been hacked? :o)



On Mon, 21 May 2001, Michael Stauber wrote:

> To whom it might concern,
> 
> I usually don't bother to report it when my server at 206.239.85.113 gets 
> portscanned, or when someone tries to run some other exploit against it. This time 
> it's different, as the originating machine *seems* to belong to SUN/Cobalt.
> 
> Whoever is in charge of system security at SUN/Cobalt *should* look into this:
> 
> wss130a:~ # nslookup 64.224.123.177
> Server:  amerika-buch.de
> Address:  206.239.85.113
>  
> Name:    mail.skublin.cobalt.com
> Address:  64.224.123.177
>  
> Here is a traceroute from my linux desktop. The 10.1.130.50 on top is my 
> Firewall/Dial-in-Router.
> 
> wss130a:~ # traceroute 64.224.123.177
> traceroute to 64.224.123.177 (64.224.123.177), 30 hops max, 40 byte packets
>  1  10.1.130.50 (10.1.130.50)  1 ms  0 ms  0 ms
>  2  217.5.106.101 (217.5.106.101)  34 ms  40 ms  40 ms
>  3  217.5.106.62 (217.5.106.62)  150 ms  60 ms  280 ms
>  4  GI-EB1.GI.DE.net.dtag.de (62.154.10.191)  40 ms  40 ms  40 ms
>  5  TysonsC-gw12.USA.net.DTAG.DE (194.25.6.98)  130 ms  130 ms  130 ms
>  6  208.30.208.9 (208.30.208.9)  130 ms  129 ms  130 ms
>  7  sl-bb21-rly-10-0.sprintlink.net (144.232.7.146)  130 ms  130 ms  130 ms
>  8  sl-bb20-atl-12-0.sprintlink.net (144.232.9.198)  180 ms  180 ms  180 ms
>  9  sl-gw21-atl-9-0.sprintlink.net (144.232.12.18)  180 ms  180 ms  180 ms
> 10  * sl-il-3-0.sprintlink.net (160.81.204.10)  176 ms  180 ms
> 11  10.0.2.5 (10.0.2.5)  180 ms  175 ms  200 ms
> 12  * * *
> 13  * * *
> wss130a:~ #
> 
> So the nslookup says that the IP in question belongs to cobalt.com. But the 
> traceroute seems to end in another class A private network. Now if that ain't 
> fishy. 
> 
> My server clock runs on GMT+1, if that helps to pin down whichever script 
> kiddy tried to run the sunrpc exploit on my machine.

03:06pm:shell-2:~ $ whois -a 64.224.123.177
Interland (NETBLK-INTERLAND-5)	INTERLAND-5	   64.224.0.0 - 64.226.255.255
interweb designs (NETBLK-SKUBLINCOBALTCOM) SKUBLINCOBALTCOM
	64.224.123.177 - 64.224.123.190

03:06pm:shell-2:~ $ nslookup mail.cobalt.com
Server:		207.229.143.1
Address:	207.229.143.1#53

Name:	mail.cobalt.com
Address: 63.77.128.166

03:09pm:shell-2:~ $ whois -a 63.77.128.166
UUNET Technologies, Inc. (NETBLK-UUNET63) UUNET63   63.64.0.0 - 63.127.255.255
Cobalt Networks (NETBLK-UU-63-77-128) UU-63-77-128 63.77.128.0 - 63.77.128.255


Looks like a messed up reverse DNS by Interland.

Jeff

-- 
Jeff Lovell
Sun Microsystems
Server Appliance Business Unit
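The two checks behind Jeff's conclusion, written out as an added example (this is not code from the thread or from Sun/Cobalt): a forward-confirmed reverse DNS test, which only trusts a PTR name whose own A record points back at the IP, and a whois-style "most specific netblock" lookup over the allocations the thread's whois output lists. It runs offline against stub records: the PTR for 64.224.123.177, the A record for mail.cobalt.com and the four netblocks are the values shown above; the PTR for 63.77.128.166 is constructed for the comparison case, and the absence of an A record for mail.skublin.cobalt.com is an assumption, since nobody in the thread looked it up.

```python
"""Attribute a source IP: forward-confirmed reverse DNS plus netblock owner.

Stub data only; nothing here touches the network. Values come from the
thread where it shows them and are marked ASSUMED or CONSTRUCTED otherwise.
"""
import ipaddress
from typing import Dict, List, NamedTuple, Optional

# PTR records. 64.224.123.177 -> mail.skublin.cobalt.com is from the thread.
# The PTR for 63.77.128.166 is CONSTRUCTED to give a case that confirms.
PTR_RECORDS: Dict[str, List[str]] = {
    "64.224.123.177": ["mail.skublin.cobalt.com"],
    "63.77.128.166": ["mail.cobalt.com"],  # constructed
}

# A records. mail.cobalt.com -> 63.77.128.166 is from the thread.
# mail.skublin.cobalt.com has no entry: ASSUMED not to resolve, which is
# exactly the situation the forward-confirmation check exists to catch.
A_RECORDS: Dict[str, List[str]] = {
    "mail.cobalt.com": ["63.77.128.166"],
}


class Netblock(NamedTuple):
    org: str
    handle: str
    first: ipaddress.IPv4Address
    last: ipaddress.IPv4Address


def block(org: str, handle: str, first: str, last: str) -> Netblock:
    return Netblock(org, handle, ipaddress.IPv4Address(first),
                    ipaddress.IPv4Address(last))


# The four allocations listed by the whois output in the thread.
WHOIS_BLOCKS = [
    block("Interland", "NETBLK-INTERLAND-5", "64.224.0.0", "64.226.255.255"),
    block("interweb designs", "NETBLK-SKUBLINCOBALTCOM",
          "64.224.123.177", "64.224.123.190"),
    block("UUNET Technologies, Inc.", "NETBLK-UUNET63",
          "63.64.0.0", "63.127.255.255"),
    block("Cobalt Networks", "NETBLK-UU-63-77-128",
          "63.77.128.0", "63.77.128.255"),
]


def fcrdns(ip: str) -> List[str]:
    """Return only those PTR names whose own A records point back at ip."""
    return [name for name in PTR_RECORDS.get(ip, [])
            if ip in A_RECORDS.get(name, [])]


def most_specific_netblock(ip: str) -> Optional[Netblock]:
    """Pick the smallest registered allocation containing ip. whois prints
    the parent block too, so the one with the fewest addresses wins."""
    addr = ipaddress.IPv4Address(ip)
    containing = [b for b in WHOIS_BLOCKS if b.first <= addr <= b.last]
    if not containing:
        return None
    return min(containing, key=lambda b: int(b.last) - int(b.first))


def attribute(ip: str) -> dict:
    """Combine both checks into one attribution record for ip."""
    confirmed = fcrdns(ip)
    nb = most_specific_netblock(ip)
    return {
        "ip": ip,
        "ptr": PTR_RECORDS.get(ip, []),
        "confirmed": confirmed,
        "netblock_org": nb.org if nb else None,
        "netblock_handle": nb.handle if nb else None,
        # An unconfirmed PTR name says nothing about who runs the host;
        # only the netblock registration does.
        "trust_ptr": bool(confirmed),
    }


if __name__ == "__main__":
    for source in ("64.224.123.177", "63.77.128.166"):
        print(attribute(source))
```

For 64.224.123.177 the PTR name is left unconfirmed and the closest registration is interweb designs inside Interland's block, which is Jeff's point: the reverse zone for that range is delegated to whoever holds the netblock, so the name in it can be anything, and the registration, not the PTR, is what identifies the owner.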