
Watch out for a dropcatcher hacker

Seems there's a dropcatcher hacker about these forums. Would advise everyone to check their servers. Had a server compromised and seems he was doing some rather strange things...

grep TAGNAMES inbox -A 2 -B 2

grep ACCEPTED -A 70 -B 20 inbox |more

tail -n 90000 inbox | grep ACCEPTED -A 70 -B 20 |more

He was using IP 87.110.95.119 LATVIA

Quite obvious his intentions, not sure why he thinks I'm connected to Tagnames.
 
Very strange...

Out of interest what O/S and version was the box running?
 
How did he get in? Do you have intrusion detection? Brute force checking? A firewall? What kernel was it?

Cheers

Jee
 
I've had someone from a BT.net IP trying to bruteforce my server, I notified BT of the IP/Time etc and they are looking into it.
 
Have you thought how he managed to get your IP address?
He can't have got that via the forum, unless he's hosted an image on the forum and used that to get IPs.

I take it that the PC you use to access the forums is the same as the dac?
 
netserve said:
Have you thought how he managed to get your IP address?

That was my first thought too, very worrying. Unless the server in question is the one that is shown in your whois details?

Grant
 
I assume he got the IP from the domain on aquanuke's profile. I would imagine he got in either via an exploit on your site (don't know what software it uses so can't pinpoint it), or via a vulnerable package like SSH with the v1 protocol enabled.
There have also been security vulnerabilities in the mail package you use, but that isn't as likely.

Whoever it was they didn't cover their tracks so either they aren't very smart or they wanted you to catch them.
 
Last edited:
If it is any help the Latvian IP looks like a Windows box on a DSL that is trojaned, it was probably just used as a proxy for someone in the UK.
 
A-Wing said:
If it is any help the Latvian IP looks like a Windows box on a DSL that is trojaned, it was probably just used as a proxy for someone in the UK.

Would think 110% sure UK etc as only catchers would know of TAGNAMES plus automaton ACK replies etc, thus would think that the person would have prior knowledge of Nom's systems - so would be someone on http://www.nominet.org.uk/tag/becometagholder/taglist/

The main question is which IP did you use for DAC as posting IP can be picked up by most people, hosting IP from your domains - but if totally different then somehow its come from Nominets list or you have let it out?

All a tad worrying as it is rather 'over the line' !
 
Could it possibly be email interception? This would contain the IP address?

Perhaps someone got into Nominet's mail server?

-aqls-
 
Jeewhizz said:
How did he get in? Do you have intrusion detection? Brute force checking? A firewall? What kernel was it?

Cheers

Jee

Brute force on a user account, had no root access. Server was firewalled, logwatch alerted me to the incident. 2.4.20-28.7smp.

Have you thought how he managed to get your IP address?

IP is very easy to find on this forum and whois etc :(

If it is any help the Latvian IP looks like a Windows box on a DSL that is trojaned, it was probably just used as a proxy for someone in the UK.

Yep, definitely a proxy. I doubt anyone in Latvia knows what drop catching is, and they must know a fair bit to be looking for specific drop catchers on my server.
 
What firewall are you using? Take a look at BFD from rfxnetworks - nice light script that will let you know via email of brute force attacks.

You could also install tripwire.

Jee
 
Jeewhizz said:
What firewall are you using? Take a look at BFD from rfxnetworks - nice light script that will let you know via email of brute force attacks.

You could also install tripwire.

Jee

Thanks, I was using his APF firewall. BFD? Presume that's a brute force add-on, will go check it out.
 
rob said:
The main question is which IP did you use for DAC as posting IP can be picked up by most people, hosting IP from your domains - but if totally different then somehow its come from Nominets list or you have let it out?

All a tad worrying as it is rather 'over the line' !

It was the hosting IP, no DAC on this box, but it did have automaton messages sent to it and it looks like he was trying to trace my DAC server via that route.

Can't imagine he would single me out as a target, so he will without a doubt be checking other catchers.
 
aquanuke said:
Brute force on a user account, had no root access. Server was firewalled, logwatch alerted me to the incident. 2.4.20-28.7smp.

The fact a brute force worked is very worrying, your daemons should be protecting you against that. I didn't even realise people used them anymore as they fail so often.
 
End of the day, guess no server is safe. There's always a way in. I've run my own servers for over 7 years with no trouble. This server has over 300 user accounts and gets brute force attacks every day. I just ignore them as it's mostly script kiddies. But this chap was looking for something specific.

As its a high traffic server with lots of users logging in and out this incident slipped under the net :(
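
The check below is an added example, not code from this thread and not part of BFD, APF or logwatch. It shows the specific thing aquanuke says slipped under the net: on a busy multi-user box, hundreds of failed logins a day are noise, but a run of failures from one source address that ends in an Accepted login from that same address is the signature of a brute force that worked. The script parses OpenSSH sshd syslog lines, reports sources over a failure threshold (the daily noise) separately from sources whose failures were followed by a success. The log lines are constructed for the example and use RFC 5737 documentation addresses; the hostnames, usernames, thresholds and window are assumptions.

```python
"""Flag SSH brute-force runs, and especially runs that ended in a login.

Added example (not from the thread, BFD, APF or logwatch). Log lines are
constructed in OpenSSH's syslog format; addresses are documentation ranges.
"""
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH sshd messages, e.g.
#   Failed password for invalid user test from 203.0.113.9 port 51230 ssh2
#   Accepted password for dave from 203.0.113.44 port 3345 ssh2
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

# Constructed sample: one noisy scanner that never gets in, one legitimate
# user, one source that fails five times for 'dave' and then succeeds, and
# one user who just mistyped a password once.
SAMPLE_LOG = """\
Jun 12 03:14:01 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 51230 ssh2
Jun 12 03:14:03 web1 sshd[2213]: Failed password for invalid user test from 203.0.113.9 port 51231 ssh2
Jun 12 03:14:05 web1 sshd[2215]: Failed password for root from 203.0.113.9 port 51232 ssh2
Jun 12 03:14:07 web1 sshd[2217]: Failed password for invalid user oracle from 203.0.113.9 port 51233 ssh2
Jun 12 03:14:09 web1 sshd[2219]: Failed password for invalid user guest from 203.0.113.9 port 51234 ssh2
Jun 12 03:14:11 web1 sshd[2221]: Failed password for invalid user www from 203.0.113.9 port 51235 ssh2
Jun 12 03:20:44 web1 sshd[2301]: Accepted password for alice from 198.51.100.20 port 40112 ssh2
Jun 12 04:02:10 web1 sshd[2410]: Failed password for dave from 203.0.113.44 port 3340 ssh2
Jun 12 04:02:12 web1 sshd[2412]: Failed password for dave from 203.0.113.44 port 3341 ssh2
Jun 12 04:02:14 web1 sshd[2414]: Failed password for dave from 203.0.113.44 port 3342 ssh2
Jun 12 04:02:16 web1 sshd[2416]: Failed password for dave from 203.0.113.44 port 3343 ssh2
Jun 12 04:02:18 web1 sshd[2418]: Failed password for dave from 203.0.113.44 port 3344 ssh2
Jun 12 04:02:20 web1 sshd[2420]: Accepted password for dave from 203.0.113.44 port 3345 ssh2
Jun 12 04:05:00 web1 sshd[2450]: Failed password for bob from 198.51.100.20 port 40200 ssh2
Jun 12 04:05:30 web1 sshd[2452]: Accepted password for bob from 198.51.100.20 port 40201 ssh2
"""


def parse_line(line, year=2005):
    """Return a dict (ts, ok, user, ip) for an sshd auth line, else None.

    Syslog lines carry no year, so one is supplied (assumption)."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "Accepted",
            "user": m["user"], "ip": m["ip"]}


def analyse(lines, fail_threshold=5, window_seconds=600):
    """Return (noisy, compromised).

    noisy:       {ip: total failures} for sources at/over fail_threshold.
    compromised: [(ip, user, recent_failures)] for each Accepted login that
                 was preceded, within window_seconds, by at least
                 fail_threshold failures from the same source address.
    """
    failures = defaultdict(list)   # ip -> timestamps of failed attempts
    totals = defaultdict(int)      # ip -> total failed attempts
    compromised = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if not ev["ok"]:
            failures[ip].append(ev["ts"])
            totals[ip] += 1
            continue
        # A success: how many failures did this same source rack up just before?
        recent = [t for t in failures[ip]
                  if 0 <= (ev["ts"] - t).total_seconds() <= window_seconds]
        if len(recent) >= fail_threshold:
            compromised.append((ip, ev["user"], len(recent)))
    noisy = {ip: n for ip, n in totals.items() if n >= fail_threshold}
    return noisy, compromised


if __name__ == "__main__":
    noisy, compromised = analyse(SAMPLE_LOG.splitlines())
    for ip, n in sorted(noisy.items()):
        print(f"noise:       {ip} {n} failures")
    for ip, user, n in compromised:
        print(f"COMPROMISED: {ip} logged in as {user} after {n} failures")
```

The point of splitting the two reports is that the first one is what BFD-style counters already give you, and on a 300-account box it is the list that gets ignored; the second one is short and should page someone, because an account that was just guessed is exactly the user-level foothold described earlier in the thread.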
 