Re: [cobalt-security] Cobalt, you have been hacked? :o)
- Subject: Re: [cobalt-security] Cobalt, you have been hacked? :o)
- From: Jeff Lovell <jlovell@xxxxxxx>
- Date: Mon, 21 May 2001 13:14:01 -0700
- Organization: Cobalt Networks, Inc.
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
On Mon, 21 May 2001, Michael Stauber wrote:
> To whom it might concern,
>
> I usually don't bother to report it when my server at 206.239.85.113 gets
> portscanned, or when someone tries to run some other exploit against it. This time
> it's different, as the originating machine *seems* to belong to SUN/Cobalt.
>
> Whoever is in charge of system security at SUN/Cobalt *should* look into this:
>
> wss130a:~ # nslookup 64.224.123.177
> Server: amerika-buch.de
> Address: 206.239.85.113
>
> Name: mail.skublin.cobalt.com
> Address: 64.224.123.177
>
> Here is a traceroute from my linux desktop. The 10.1.130.50 on top is my
> Firewall/Dial-in-Router.
>
> wss130a:~ # traceroute 64.224.123.177
> traceroute to 64.224.123.177 (64.224.123.177), 30 hops max, 40 byte packets
> 1 10.1.130.50 (10.1.130.50) 1 ms 0 ms 0 ms
> 2 217.5.106.101 (217.5.106.101) 34 ms 40 ms 40 ms
> 3 217.5.106.62 (217.5.106.62) 150 ms 60 ms 280 ms
> 4 GI-EB1.GI.DE.net.dtag.de (62.154.10.191) 40 ms 40 ms 40 ms
> 5 TysonsC-gw12.USA.net.DTAG.DE (194.25.6.98) 130 ms 130 ms 130 ms
> 6 208.30.208.9 (208.30.208.9) 130 ms 129 ms 130 ms
> 7 sl-bb21-rly-10-0.sprintlink.net (144.232.7.146) 130 ms 130 ms 130 ms
> 8 sl-bb20-atl-12-0.sprintlink.net (144.232.9.198) 180 ms 180 ms 180 ms
> 9 sl-gw21-atl-9-0.sprintlink.net (144.232.12.18) 180 ms 180 ms 180 ms
> 10 * sl-il-3-0.sprintlink.net (160.81.204.10) 176 ms 180 ms
> 11 10.0.2.5 (10.0.2.5) 180 ms 175 ms 200 ms
> 12 * * *
> 13 * * *
> wss130a:~ #
>
> So the nslookup says that the IP in question belongs to cobalt.com. But the
> traceroute seems to end in another class A private network. Now if that ain't
> fishy.
>
> My server clock runs on GMT+1, if that helps to pin down whichever script
> kiddie tried to run the sunrpc exploit on my machine.
03:06pm:shell-2:~ $ whois -a 64.224.123.177
Interland (NETBLK-INTERLAND-5) INTERLAND-5 64.224.0.0 - 64.226.255.255
interweb designs (NETBLK-SKUBLINCOBALTCOM) SKUBLINCOBALTCOM 64.224.123.177 - 64.224.123.190
03:06pm:shell-2:~ $ nslookup mail.cobalt.com
Server: 207.229.143.1
Address: 207.229.143.1#53
Name: mail.cobalt.com
Address: 63.77.128.166
03:09pm:shell-2:~ $ whois -a 63.77.128.166
UUNET Technologies, Inc. (NETBLK-UUNET63) UUNET63 63.64.0.0 - 63.127.255.255
Cobalt Networks (NETBLK-UU-63-77-128) UU-63-77-128 63.77.128.0 - 63.77.128.255
Looks like a messed up reverse DNS by Interland.
Jeff
--
Jeff Lovell
Sun Microsystems
Server Appliance Business Unit
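The lookups Jeff did by hand above are the general recipe for attributing a source address: a PTR record is published by whoever holds the address block, so a reverse lookup alone proves nothing about the domain it names. What settles it is forward-confirmed reverse DNS (resolve the PTR name back to an address and require a match) plus the registry netblock holder. The script below is an added example for this thread, not code from the cobalt-security list or from Cobalt/Sun. The PTR for 64.224.123.177, the A record for mail.cobalt.com and the netblocks are taken from the output quoted in the message; the PTR for 63.77.128.166 and the absence of a forward record for mail.skublin.cobalt.com are assumptions used to build the offline sample data.

```python
"""Forward-confirmed reverse DNS (FCrDNS) plus netblock-holder check.

Added example; not code from the cobalt-security list or from Cobalt/Sun.
The check does what the manual lookups in the thread do:
  1. reverse-resolve the IP (PTR),
  2. forward-resolve the returned name and require the IP to be in the answer,
  3. find the most specific registry netblock holding the IP.
A PTR that names some domain but does not forward-confirm is just a string
the block holder chose to publish.
"""
import ipaddress
import socket

# Constructed sample data mirroring the thread.  The PTR for 63.77.128.166 and
# the missing forward record for mail.skublin.cobalt.com are assumptions.
SAMPLE_PTR = {
    "64.224.123.177": "mail.skublin.cobalt.com",
    "63.77.128.166": "mail.cobalt.com",        # assumed PTR for the real host
}
SAMPLE_A = {
    "mail.cobalt.com": ["63.77.128.166"],
    # No entry for mail.skublin.cobalt.com: assumed that cobalt.com publishes
    # no forward record for the name the block holder put in the PTR.
}
# (first address, last address, holder) as printed by whois in the thread.
SAMPLE_NETBLOCKS = [
    ("64.224.0.0", "64.226.255.255", "Interland"),
    ("64.224.123.177", "64.224.123.190", "interweb designs"),
    ("63.64.0.0", "63.127.255.255", "UUNET Technologies, Inc."),
    ("63.77.128.0", "63.77.128.255", "Cobalt Networks"),
]


def sample_ptr(ip):
    return SAMPLE_PTR.get(ip)


def sample_a(name):
    return SAMPLE_A.get(name, [])


def live_ptr(ip):
    """Real reverse lookup; pass this to attribute() to check a live address."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except socket.herror:
        return None


def live_a(name):
    """Real forward lookup returning all A records for name."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def in_domain(name, domain):
    """True if name is domain itself or a subdomain of it (case-insensitive)."""
    name, domain = name.lower().rstrip("."), domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def netblock_holder(ip, netblocks):
    """Holder of the smallest registry block containing ip, or None."""
    addr = int(ipaddress.ip_address(ip))
    best = None
    for first, last, holder in netblocks:
        lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        if lo <= addr <= hi and (best is None or hi - lo < best[0]):
            best = (hi - lo, holder)
    return best[1] if best else None


def attribute(ip, claimed_domain, ptr_lookup=sample_ptr, a_lookup=sample_a,
              netblocks=SAMPLE_NETBLOCKS):
    """Decide whether ip can be attributed to claimed_domain.

    'confirmed' only when the PTR name is under claimed_domain AND that name
    forward-resolves to ip; the netblock holder is reported as extra evidence.
    """
    name = ptr_lookup(ip)
    confirmed = name is not None and ip in a_lookup(name)
    claims_domain = name is not None and in_domain(name, claimed_domain)
    holder = netblock_holder(ip, netblocks)
    if claims_domain and confirmed:
        verdict = "confirmed"
    elif claims_domain:
        verdict = "unconfirmed PTR: name does not forward-resolve to this IP"
    else:
        verdict = "not claimed"
    return {"ip": ip, "ptr": name, "forward_confirmed": confirmed,
            "claims_domain": claims_domain, "netblock_holder": holder,
            "verdict": verdict}


if __name__ == "__main__":
    for ip in ("64.224.123.177", "63.77.128.166"):
        print(attribute(ip, "cobalt.com"))
```

Run stand-alone it reports the scanning host as "unconfirmed PTR" held by interweb designs inside Interland's block, and the real mail.cobalt.com as "confirmed" inside the Cobalt Networks block. For a live check call `attribute(ip, "cobalt.com", live_ptr, live_a, netblocks)` with netblocks copied from the whois output; even then treat the holder name as evidence, not proof, since registry contact data is also self-reported.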