[sclug] Re: External command run for host: using command: "echo \

Graham lists at Information-Cascade.co.uk
Sat Dec 31 15:53:01 UTC 2005


	I don't believe they are being foiled.
	I think that the attacker is successfully 'pinging' your box,
	and checking that they can still cause an address to be blocked.
	Denial-of-Service - checked to be available but not used.

> Message: 1
> Date: Fri, 30 Dec 2005 12:04:14 +0000
> From: Tim Sutton <tim at linfiniti.com>
> Subject: [sclug] External command run for host: using command: "echo \
> To: sclug <sclug at sclug.org.uk>
> Message-ID: <43B5223E.6000107 at linfiniti.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> 
> Hi All
> 
> I regularly get break-in attempts on my webserver with the following log 
> messages (see below). I believe the break-ins are being foiled by 
> portsentry but would like to
> 
> a) make sure no permanent damage is being done
> b) block these probes as effectively as possible (blocking the host etc)
> c) generally understand what is going on here...
> 
> 
> Any tips will be appreciated.
> 
> Regards
> 
> Tim
> 
> Active System Attack Alerts
> =-=-=-=-=-=-=-=-=-=-=-=-=-=
> Dec 29 14:06:42 foohost portsentry[1049]: attackalert: UDP scan from 
> host: f09m-213-44-216-15.d1.club-internet.fr/213.44.216.15 to UDP port: 80

	It's classified a packet as a host attacking;
	it is now running its mechanism to block access from that host.

	HOWEVER - that might not be the real attacking machine.
	It could be a remotely-controlled PC, or a UDP packet
	with a faked 'from' address.

	Even running it occasionally, to check that the second packet is blocked,
	gives the hacker an accumulated list of hosts under partial control.
	At a later date, thousands of machines could be swamped with thousands
	of faked UDP packets, causing a lot of fork/CPU, and blocked connectivity.
	Even a scalpel, to stop YOU connecting to your own box!
	But kept as a reserve, on the shelf.

	NB beware of ISPs who provide web caches, and denial of service.
	One faked UDP packet, and a community (ntl, aol, ...) can't reach you!

> Dec 29 14:06:42 foohost portsentry[1049]: attackalert: Host 
> 213.44.216.15 has been blocked via wrappers with string: "ALL: 
> 213.44.216.15"

	it has edited /etc/hosts.deny (.allow) with string ...
	(( why the newline ? where is the datestamp ?? ))

	It doesn't use tcp_wrappers, but it does reconfigure them!
	(Not fixed, read-only, md5-summed ones.) Check the results.
	inetd and other apps (not xinetd) use those files,
	man -a host_access
	ftp://ftp.porcupine.org/pub/security/	index.html
	tcp_wrappers_7.6.tar.gz	# 1997

> Dec 29 14:06:42 foohost portsentry[1049]: attackalert: Host 
> 213.44.216.15 has been blocked via dropped route using command: 
> "/sbin/route add -host 213.44.216.15 reject"

	it has run the routing command "/sbin/route ..." as found in the .conf

> Dec 29 14:06:42 foohost portsentry[1049]: attackalert: External command 
> run for host: 213.44.216.15 using command: "echo \"

	it has run the arbitrary command "..." as found in the .conf

	this could call ipfwadm, or iptables, or custom (traceroute to log file)

	... errm ... this looks really nasty:	'echo \'
	There should not be ANY backslashes in the .conf, esp. at the END of the string.
	There's no need for them, and it's playing with fire.
	It might be a simple problem, but it looks like your .conf is corrupted.

	It might call system(string) calling (execvp) $SHELL -c string, maybe finding \NUL
	running a hidden file called '&NUL;' (if it's possible to create such a thing)
	(I'd look at the source, but time ticks on ...)
	If an invisible file is there, "ls -b" should find it,
	as should "find . -exec namechecker {} ';'" (or an optimised tree-walker)
	running strace -p 1234 on portsentry, and activating the trigger, would report
	what is/not happening. The trigger might run a call-back script as root.
	That script might be absent, but creatable as a non-root user,
	to combine components into a backdoor. Or it could be present and hard to see.

	Alternatively, it might be a simple typo.
	I think you should check portsentry.conf and maybe complain to the distro editor
	If it has been edited by someone else, ... well, you know the rest ...


> -- 
> Tim Sutton (tim at linfiniti.com)
> 
> Visit http://qgis.org for a great open source GIS application
> Skype : timlinux
> Jabber : timlinux at jabber.org
> MSN : tim_bdworld at msn.com
> ICQ : 245485851

"portsentry" comes as:
	portsentry-1.2.tar.gz	# 2003
	http://sourceforge.net/projects/sentrytools/
	http://kent.dl.sourceforge.net/sourceforge/sentrytools/portsentry-1.2.tar.gz 

	The "echo \" looks a bit frightening.

Testing
	You need a third machine, to be the 'bad' machine.

		udp_scan hostname 80

	This will lock you out - how does it feel?
	There is a python packet-builder, or other knocking tools

		can you fake the originators address?

	Invoke similar responses from portsentry (locking third machine out)
	look at the logs, files edited, routes active, access, iptables -L, etc
	look at strace -p,  (try this before messing up the fragile current setup)
	reset your third machine's access, and repeat until happy, or not.

--
   Graham
   gps @ Information-Cascade .co.uk
   www . Information-Cascade .co.uk
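As an added example for the checks Graham describes above (reading the attackalert lines, confirming that /etc/hosts.deny really contains what portsentry claims to have written, and inspecting KILL_RUN_CMD for the stray backslash), here is a small Python audit script. It is not part of the original thread or of portsentry itself. The log lines are the ones quoted in Tim's post, joined onto single lines; the hosts.deny contents and the KILL_RUN_CMD values are constructed for the example; and the premise that portsentry substitutes $TARGET$/$PORT$ into KILL_RUN_CMD and hands the result to a shell is Graham's suspicion, taken as an assumption here rather than verified against the portsentry source.

```python
"""Parse portsentry 'attackalert' log lines, reconcile them against
/etc/hosts.deny, and audit a KILL_RUN_CMD value for shell-unsafe content.

Added example for this thread, not portsentry's own code. Log lines are the
ones quoted in the thread; hosts.deny text and KILL_RUN_CMD values are
constructed for the example."""
import re
import shlex

# Log lines quoted in the thread, joined into one constructed log excerpt.
SAMPLE_LOG = """\
Dec 29 14:06:42 foohost portsentry[1049]: attackalert: UDP scan from host: f09m-213-44-216-15.d1.club-internet.fr/213.44.216.15 to UDP port: 80
Dec 29 14:06:42 foohost portsentry[1049]: attackalert: Host 213.44.216.15 has been blocked via wrappers with string: "ALL: 213.44.216.15"
Dec 29 14:06:42 foohost portsentry[1049]: attackalert: Host 213.44.216.15 has been blocked via dropped route using command: "/sbin/route add -host 213.44.216.15 reject"
Dec 29 14:06:42 foohost portsentry[1049]: attackalert: External command run for host: 213.44.216.15 using command: "echo \\"
"""

# Constructed /etc/hosts.deny, as portsentry would have left it after the block.
SAMPLE_HOSTS_DENY = """\
# /etc/hosts.deny: see man 5 hosts_access
ALL: 213.44.216.15
"""

PREFIX = (r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
          r"portsentry\[(?P<pid>\d+)\]: attackalert: ")
PATTERNS = {
    "scan": re.compile(PREFIX + r"(?P<proto>TCP|UDP) scan from host: "
                       r"(?P<rdns>\S+)/(?P<ip>[\d.]+) to (?:TCP|UDP) port: (?P<port>\d+)"),
    "wrappers": re.compile(PREFIX + r"Host (?P<ip>[\d.]+) has been blocked via wrappers "
                           r"with string: \"(?P<detail>.*)\"$"),
    "route": re.compile(PREFIX + r"Host (?P<ip>[\d.]+) has been blocked via dropped route "
                        r"using command: \"(?P<detail>.*)\"$"),
    "external": re.compile(PREFIX + r"External command run for host: (?P<ip>[\d.]+) "
                           r"using command: \"(?P<detail>.*)\"$"),
}

# Characters a shell would act on. '$' is checked after the $TARGET$/$PORT$
# placeholders are removed, since those are portsentry's own substitution tokens.
SHELL_META = set(";|&`$()<>\\")


def parse_portsentry_log(text):
    """One dict per recognised attackalert line: kind, ip, plus the quoted
    block string or command ('detail') where the line carries one."""
    events = []
    for line in text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.match(line)
            if m:
                events.append({"kind": kind, **m.groupdict()})
                break
    return events


def actions_by_host(events):
    """Map each scanning/blocked IP to the set of portsentry actions logged for it."""
    out = {}
    for ev in events:
        out.setdefault(ev["ip"], set()).add(ev["kind"])
    return out


def hosts_deny_entries(text):
    """IPs that hosts.deny currently denies for ALL services (comments ignored)."""
    ips = set()
    for line in text.splitlines():
        m = re.match(r"ALL\s*:\s*([\d.]+)$", line.split("#", 1)[0].strip())
        if m:
            ips.add(m.group(1))
    return ips


def unreconciled_blocks(events, hosts_deny_text):
    """Hosts portsentry *claims* to have blocked via wrappers that are not in
    hosts.deny: Graham's 'check the results'. Empty list means they agree."""
    claimed = {ev["ip"] for ev in events if ev["kind"] == "wrappers"}
    return sorted(claimed - hosts_deny_entries(hosts_deny_text))


def audit_kill_run_cmd(cmd):
    """Findings for a KILL_RUN_CMD value. Assumption (Graham's suspicion): the
    string, with $TARGET$/$PORT$ substituted, is handed to a shell as root, so
    anything the shell would interpret is a red flag and a trailing backslash
    escapes the terminating quote or newline outright."""
    findings = []
    if cmd.rstrip().endswith("\\"):
        findings.append("trailing backslash escapes the closing quote/newline")
    try:
        shlex.split(cmd.replace("$TARGET$", "0.0.0.0").replace("$PORT$", "0"))
    except ValueError as exc:
        findings.append(f"unbalanced quoting/escaping: {exc}")
    residue = cmd.replace("$TARGET$", "").replace("$PORT$", "")
    meta = sorted(set(residue) & SHELL_META)
    if meta:
        findings.append("shell metacharacters present: " + "".join(meta))
    if cmd.strip() and not cmd.lstrip().startswith("/"):
        findings.append("command is not an absolute path (PATH lookup, as root)")
    return findings


if __name__ == "__main__":
    evs = parse_portsentry_log(SAMPLE_LOG)
    print("actions per host:", actions_by_host(evs))
    print("claimed but missing from hosts.deny:", unreconciled_blocks(evs, SAMPLE_HOSTS_DENY))
    for ev in evs:
        if ev["kind"] == "external":
            print(f"logged external command {ev['detail']!r}:", audit_kill_run_cmd(ev["detail"]))
```

Run against the real files by reading /var/log/messages (or wherever syslog puts portsentry) and /etc/hosts.deny in place of the two constructed samples; the audit of the logged `echo \` reports the trailing backslash, the unbalanced escape, and the non-absolute path, whereas a plain absolute iptables command with only the $TARGET$ placeholder passes clean.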

