From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Date: Wed, 19 Dec 2001 21:19:03 -0800 (PST)
Subject: [iwar] [fc:*MAJOR.SECURITY.BREACH.AT.CCBILL**]
Message-Id: <200112200519.fBK5J3n30403@red.all.net>
Reply-To: iwar@yahoogroups.com

It appears that perhaps tens of thousands of username/passwords for valid shell logins ALL ACROSS THE NET may have been compromised at CCBILL, a large internet credit
card/check processor used for e-commerce and adult sites. Read carefully!!

Well, after the user complaint below, we began some investigation and found about 6 of these IRC bots running on our network as well, all with a fartone.conf and a fartone eggdrop IRC daemon listening on port 9872. This is across 6 different machines alone in our server farm, so far that we have found; we are scanning right now to find out if there are more listening on port 9872 in our address spaces.

Interestingly enough, the common tie between all these compromised accounts is that they are ALL CCBILL customers. Being CCBILL customers, they have all their userid and password information to ssh to their website(s)/server(s) to update scripts and databases as required. Was CCBILL hacked? OR do they have someone inside who has released the user information abroad?

We called a couple other hosts whom we communicate with and voila... they have boxes with IRC bots running on port 9872 as well, also CCBILL clients. It appears whoever has obtained the CCBILL list of usernames/passwords systematically SSHes into their customers' servers, installs the IRC eggdrop bot and leaves. I have found no instances of root kits, or anything else malicious being performed or installed. In fact, in all 6 instances they left all their .tar and config files, AND their .history files intact. Looking through normal daily log files would not tip you off to any sort of compromise at all - no multiple password failures, etc. etc., because they already have the correct password to login :)

It is my opinion that Cavecreek/CCBILL has had a breach of security, thus releasing user ids and logins on various servers around the internet. CCBILL's customer base is in the tens of thousands. It appears the bots are merely sitting and listening, waiting for commands for perhaps a large distributed DoS attack; it does not appear that they are logging any sensitive data transmitted through the server(s). I tcpdumped the port and logged in and out of the server to make sure it wasn't transmitting any data elsewhere. I also confirmed that the bots were not logging anything locally either.

I have attached a sample output of strings on the binary file called 'fartone' for your review; please note there are *several* cavecreek machines who are listed as well as many others. ALL these machines below have been verified to have port 9872 open and listening with perhaps this same type IRC Eggdrop bot running. Also please note, all these servers/domains listed below are current CCBILL subscribers:

[FC - suppressed for my protection]
...

Please note the .history file just from this one account, and this is merely a small sample; please note, these are all CCBILL accounts:

ssh -l f215109 www.extremeteens.net
telnet www.extremeteens.net
...
ssh -l nudistphotogallery www.nudistphotogallery.net
...

Here is a message regarding a hack attempt. They have stated that the hack was also from our server 216.226.xxx.xxx. How can we check who/what happened from that server? The details from their logs are below.

...

One of your users illegally accessed a server I own and illegally installed and ran software on it. The hacker gained access to the system using a hacked or stolen password and installed "eggdrop", an IRC bot with the capability of launching distributed denial of service attacks. This hacker accessed my system from cc118955-a.groni1.gr.nl.home.com by FTP as per the following entry in my system FTP logs. All times are Mountain Standard Time (Arizona, USA).

Dec 18 11:48:04 gelt ftpd[23349]: connection from cc118955-a.groni1.gr.nl.home.com (213.51.147.235)

The user also accessed the system using interactive SSH from 216.226.xxx.xxx according to the following entries in syslog:

Dec 18 11:37:51 gelt sshd2[16845]: DNS lookup failed for "216.226.xxx.xxx".
Dec 18 11:38:02 gelt sshd2[16845]: User gtdfor's local password accepted.
Dec 18 11:38:02 gelt sshd2[16845]: Password authentication for user gtdfor accepted.
Dec 18 11:38:02 gelt sshd2[16845]: User gtdfor, coming from 216.226.xxx.xxx, authenticated.

This is a private server and the gtdfor user ID is used only by myself, the system administrator. This is a unix-level login, not a web site account. This(these) user(s) therefore gained access illegally.

...

------------------
http://all.net/
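An added example, not part of the original message: the kind of check the quoted syslog excerpt calls for. Because the intruders logged in with valid passwords there are no failed attempts to alert on, so the successful sshd2 "coming from" lines have to be compared against where each account is expected to log in from. The host name gelt and the account gtdfor are taken from the quoted logs; the addresses, the second account and the source allowlist are constructed placeholders.

```python
import re

# Constructed sample syslog, modelled on the sshd2 lines quoted in the report.
# Addresses are documentation ranges, not the masked real ones from the mail.
SAMPLE_SYSLOG = """\
Dec 18 11:37:51 gelt sshd2[16845]: DNS lookup failed for "198.51.100.7".
Dec 18 11:38:02 gelt sshd2[16845]: User gtdfor's local password accepted.
Dec 18 11:38:02 gelt sshd2[16845]: Password authentication for user gtdfor accepted.
Dec 18 11:38:02 gelt sshd2[16845]: User gtdfor, coming from 198.51.100.7, authenticated.
Dec 18 12:05:10 gelt sshd2[17002]: User gtdfor, coming from 192.0.2.10, authenticated.
Dec 18 12:40:33 gelt sshd2[17210]: User webcust, coming from 203.0.113.5, authenticated.
"""

# Hypothetical policy: source addresses each policed account is expected to
# log in from. gtdfor is the admin-only account; one known workstation.
EXPECTED_SOURCES = {
    "gtdfor": {"192.0.2.10"},
}

# Matches the final "authenticated" line sshd2 writes for a successful login.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd2\[(?P<pid>\d+)\]: "
    r"User (?P<user>\S+), coming from (?P<src>[^,]+), authenticated\.$"
)


def parse_auth_events(text):
    """Return (timestamp, pid, user, source) for every successful sshd2 login."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            events.append((m["ts"], int(m["pid"]), m["user"], m["src"]))
    return events


def flag_unexpected_logins(text, expected=EXPECTED_SOURCES):
    """Successful logins to policed accounts from sources not on their allowlist.

    Accounts absent from the policy are skipped: with no baseline there is
    nothing to compare against, and a missing baseline is itself a finding.
    """
    alerts = []
    for ts, pid, user, src in parse_auth_events(text):
        if user in expected and src not in expected[user]:
            alerts.append({"ts": ts, "pid": pid, "user": user, "src": src})
    return alerts


if __name__ == "__main__":
    for a in flag_unexpected_logins(SAMPLE_SYSLOG):
        print(f"{a['ts']} unexpected login: {a['user']} from {a['src']} (pid {a['pid']})")
```

The same pid ties the alert back to the earlier "password accepted" lines, which is how the quoted excerpt establishes that the login used the real password rather than a brute-force attempt.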
This archive was generated by hypermail 2.1.2 : 2001-12-31 21:00:00 PST