
re: [LI] is it hacker ? (fwd)



On Sat, 22 Jan 2000, thus spake Dr. S.K.Singh:

> Somebody is logging in from AS52-07-79.cas as per following in one of our
> accounts. I could not understand this. I feel that somebody is hacking my
> server, is it so ?

> AS52-07-79.cas-kpts/1Sat Jan 22 06:23Shutdown03:38
> AS52-10-227. etc etc

This looks like an IP address 227.10.52.something - check for that, or
an FQDN if you have it.  It looks like an ADSL line (several shell acct
providers are hosted on such lines, and unix accts - esp on free servers,
are fantastic places to launch portscans from).

Some spammer or hacker is portscanning you (probing all the ports on your
network for security holes - like open relays, insecure SOCKS, Back
Orifice etc etc).

I'm fwding this to a list of anti spammers and abuse admins I'm on - let's
see what turns up.  Till then, block this IP block at your router.

No wonder, half the spammers around seem to know that .ernet.in and
.nic.in domains are usually running antiquated unix, antiquated sendmail,
antiquated everything, and there are dozens of hacks (see cert.org or
rootshell.com for details) for gaining root access.

For your information, that sendmail crack I posted (or a variant of the
same) was used by MilW0rm to crack into BARC's servers.  The latest target
(last week) is tn.nic.in (NIC Tamil Nadu) which has been blacklisted in
the MAPS RBL <http://www.mail-abuse.org/rbl> and cut off from 40% of the
Internet.

So, please, as you are a clued linuxer AND a member of NIC, mail all the
NIC and ERNET server admins you know and ask them to

1. Upgrade their unix systems (new version, kernel, all possible patches)

or at least

2. Upgrade sendmail to 8.9.3 and REBUILD sendmail.cf

-- 
Suresh Ramasubramanian     | President, CAUCE India
r.suresh@xxxxxxxxxxxxxxx   | suresh@xxxxxxxxxxxxxxx
http://www.india.cauce.org | Stopping Spam In India
--
A year spent in artificial intelligence is enough to make one believe in God.

--------------------------------------------------------------------
The Linux India Mailing List Archives are now available.  Please search
the archive at http://lists.linux-india.org/ before posting your question
to avoid repetition and save bandwidth.
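
One way to check the kind of login record quoted in the message above, as an added example that is not part of the original post: it parses output in the layout printed by `last` and lists, per account, the remote hosts that fall outside a set of trusted domains. The sample records, the host names and the trusted suffix `example.org` are constructed for illustration.

```python
from collections import defaultdict

WEEKDAYS = {"Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"}
PSEUDO_USERS = {"reboot", "shutdown", "runlevel"}

# Constructed sample in the layout printed by last(1); not data from the post.
SAMPLE_LAST = """\
alice    pts/0        gw.example.org   Sat Jan 22 09:10 - 09:55  (00:45)
guest    pts/1        AS00-00-00.dial  Sat Jan 22 06:23 - down   (03:38)
guest    pts/2        AS00-00-01.dial  Fri Jan 21 23:02 - 23:40  (00:38)
root     tty1                          Fri Jan 21 18:00 - 18:05  (00:05)
reboot   system boot  2.2.14           Fri Jan 21 17:58          (1+15:40)

wtmp begins Sat Jan  1 00:00:01 2000
"""

def parse_last(text):
    """Yield (user, tty, host) per login record; host is None for local logins."""
    for line in text.splitlines():
        fields = line.split()
        # Skip blank lines, boot/shutdown pseudo-records and the wtmp trailer.
        if len(fields) < 4 or fields[0] in PSEUDO_USERS or fields[0] == "wtmp":
            continue
        user, tty, third = fields[0], fields[1], fields[2]
        # Console logins have no host column, so the weekday comes third.
        host = None if third in WEEKDAYS else third
        yield user, tty, host

def unexpected_logins(text, trusted_suffixes):
    """Map account -> sorted remote hosts that match no trusted domain suffix."""
    found = defaultdict(set)
    for user, _tty, host in parse_last(text):
        if host is None:
            continue
        name = host.lower()
        if not any(name == s or name.endswith("." + s) for s in trusted_suffixes):
            found[user].add(host)
    return {user: sorted(hosts) for user, hosts in found.items()}

if __name__ == "__main__":
    for user, hosts in unexpected_logins(SAMPLE_LAST, ["example.org"]).items():
        print(f"{user}: logins from unexpected hosts {', '.join(hosts)}")
```

`last` shortens long host names in its default output, so suffix matching is only reliable on untruncated names.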