Re: [cobalt-security] Cobalt, you have been hacked? :o)
- Subject: Re: [cobalt-security] Cobalt, you have been hacked? :o)
- From: Bill Irwin <bill_irwin@xxxxxxxx>
- Date: Mon, 21 May 2001 17:22:52 -0400
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Jeff Lovell wrote:
>
> On Mon, 21 May 2001, Michael Stauber wrote:
>
> > To whom it might concern,
> >
> > I usually don't bother to report it when my server at 206.239.85.113 gets
> > portscanned, or when some other exploits are being tried to run. This time
> > it's different, as the originating machine *seems* to belong to SUN/Cobalt.
> >
> > Whoever is in charge of system security at SUN/Cobalt *should* look into this:
> >
> > wss130a:~ # nslookup 64.224.123.177
> > Server: amerika-buch.de
> > Address: 206.239.85.113
> >
> > Name: mail.skublin.cobalt.com
> > Address: 64.224.123.177
> >
> > Here is a traceroute from my linux desktop. The 10.1.130.50 on top is my
> > Firewall/Dial-in-Router.
> >
> > wss130a:~ # traceroute 64.224.123.177
> > traceroute to 64.224.123.177 (64.224.123.177), 30 hops max, 40 byte packets
> > 1 10.1.130.50 (10.1.130.50) 1 ms 0 ms 0 ms
> > 2 217.5.106.101 (217.5.106.101) 34 ms 40 ms 40 ms
> > 3 217.5.106.62 (217.5.106.62) 150 ms 60 ms 280 ms
> > 4 GI-EB1.GI.DE.net.dtag.de (62.154.10.191) 40 ms 40 ms 40 ms
> > 5 TysonsC-gw12.USA.net.DTAG.DE (194.25.6.98) 130 ms 130 ms 130 ms
> > 6 208.30.208.9 (208.30.208.9) 130 ms 129 ms 130 ms
> > 7 sl-bb21-rly-10-0.sprintlink.net (144.232.7.146) 130 ms 130 ms 130 ms
> > 8 sl-bb20-atl-12-0.sprintlink.net (144.232.9.198) 180 ms 180 ms 180 ms
> > 9 sl-gw21-atl-9-0.sprintlink.net (144.232.12.18) 180 ms 180 ms 180 ms
> > 10 * sl-il-3-0.sprintlink.net (160.81.204.10) 176 ms 180 ms
> > 11 10.0.2.5 (10.0.2.5) 180 ms 175 ms 200 ms
> > 12 * * *
> > 13 * * *
> > wss130a:~ #
> >
> > So the nslookup says that the IP in question belongs to cobalt.com. But the
> > traceroute seems to end in another class A private network. Now if that ain't
> > fishy.
> >
> > My server clock runs on GMT+1, if that helps to pin down whichever script
> > kiddy tried to run the sunrpc exploit on my machine.
>
> 03:06pm:shell-2:~ $ whois -a 64.224.123.177
> Interland (NETBLK-INTERLAND-5) INTERLAND-5 64.224.0.0 - 64.226.255.255
> interweb designs (NETBLK-SKUBLINCOBALTCOM) SKUBLINCOBALTCOM
> 64.224.123.177 - 64.224.123.190
>
> 03:06pm:shell-2:~ $ nslookup mail.cobalt.com
> Server: 207.229.143.1
> Address: 207.229.143.1#53
>
> Name: mail.cobalt.com
> Address: 63.77.128.166
>
> 03:09pm:shell-2:~ $ whois -a 63.77.128.166
> UUNET Technologies, Inc. (NETBLK-UUNET63) UUNET63 63.64.0.0 - 63.127.255.255
> Cobalt Networks (NETBLK-UU-63-77-128) UU-63-77-128 63.77.128.0 - 63.77.128.255
>
> Looks like a messed up reverse DNS by Interland.
>
> Jeff
>
> --
> Jeff Lovell
> Sun Microsystems
> Server Appliance Business Unit
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
I was about to say that =)
We did a lookup here and found the same thing. It's coming from an Interland
server.
--
Bill Irwin
Technical Support Engineer
Sun Microsystems, Inc.
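The lookups in the thread illustrate why a PTR record alone is not attribution: the reverse zone for 64.224.123.177 named a cobalt.com host, but the netblock belongs to Interland and cobalt.com's real mail host sits in a UUNET block. The usual defender's check for this is forward-confirmed reverse DNS: take the PTR name, resolve it forward, and only trust the name if it resolves back to the original address. The script below is an added example and not code from the thread or from Sun/Cobalt. It uses the system resolver by default, but the lookups are injectable, and the tables at the bottom are constructed data modelled on the thread; in particular, the absence of a forward record for mail.skublin.cobalt.com is an assumption for the example, since the thread never shows that lookup.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check.

Added example, not part of the original mailing-list thread. The PTR and
forward lookups are injectable so the check can run offline against
constructed data; by default it uses the system resolver via socket.
"""
import socket
from typing import Callable, Dict, List, Tuple

# Type aliases for the two lookups the check needs.
PtrLookup = Callable[[str], List[str]]      # ip -> list of PTR names
ForwardLookup = Callable[[str], List[str]]  # name -> list of A records


def system_ptr(ip: str) -> List[str]:
    """PTR lookup via the system resolver; empty list when none exists."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except (socket.herror, socket.gaierror, OSError):
        return []
    return [name] + list(aliases)


def system_forward(name: str) -> List[str]:
    """A-record lookup via the system resolver; empty list on failure."""
    try:
        _, _, addrs = socket.gethostbyname_ex(name)
    except (socket.herror, socket.gaierror, OSError):
        return []
    return list(addrs)


def fcrdns(ip: str, ptr: PtrLookup = system_ptr,
           forward: ForwardLookup = system_forward) -> Tuple[str, List[str]]:
    """Classify an IP's reverse DNS.

    Returns (verdict, ptr_names) where verdict is one of:
      "confirmed"   - at least one PTR name resolves forward back to ip
      "unconfirmed" - PTR names exist but none resolve back to ip
      "none"        - the IP has no PTR record at all

    Only "confirmed" makes the name usable as attribution: whoever controls
    the reverse zone for a netblock can put any name they like in it.
    """
    names = ptr(ip)
    if not names:
        return "none", []
    for name in names:
        if ip in forward(name):
            return "confirmed", names
    return "unconfirmed", names


# Constructed lookup tables modelled on the thread (assumed data, not a
# real zone): the PTR for the scanning host names a cobalt.com machine,
# while cobalt.com's mail host really lives in a different netblock.
FAKE_PTR: Dict[str, List[str]] = {
    "64.224.123.177": ["mail.skublin.cobalt.com"],
    "63.77.128.166": ["mail.cobalt.com"],
}
FAKE_A: Dict[str, List[str]] = {
    "mail.cobalt.com": ["63.77.128.166"],
    # Assumption for this example: mail.skublin.cobalt.com has no forward
    # record, so its PTR cannot be confirmed.
}


def fake_ptr(ip: str) -> List[str]:
    """Offline PTR lookup over the constructed table."""
    return FAKE_PTR.get(ip, [])


def fake_forward(name: str) -> List[str]:
    """Offline A-record lookup over the constructed table."""
    return FAKE_A.get(name, [])


if __name__ == "__main__":
    # Swap fake_ptr/fake_forward for the system_* defaults to check live hosts.
    for addr in ("64.224.123.177", "63.77.128.166", "192.0.2.1"):
        verdict, names = fcrdns(addr, fake_ptr, fake_forward)
        print(f"{addr}: {verdict} {names}")
```

Against the constructed tables the scanning host comes back "unconfirmed" and the genuine mail host "confirmed"; an "unconfirmed" result is the cue to fall back on the netblock's whois registration, as Jeff did, rather than on the name in the PTR.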