securenets issue?

From: Jon Lockley (Jon.Lockley@comlab.ox.ac.uk)
Date: Fri Apr 02 2004 - 05:22:03 EST


Hello everyone,

A local machine (SunOS xxx 5.8 Generic_108528-15 sun4u sparc
SUNW,Sun-Fire-880) was hacked at our site earlier in the week. This
machine was then used to launch a DoS attack on two other sites. The
time-line of the attack is as follows:

At around 5pm port 32773 (ypxfrd) was probed. Shortly afterwards a local
user was observed to log onto the machine from a remote site and upload
some files. After contacting this user, I can confirm the authorised user
was not the person using the account at this time. This account was then
used to run multiple copies of a code which blasted out a large volume of
UDP packets from about 10pm until the machine was physically pulled off
the network at around 11pm. Examination of the shadow password file
revealed that this user was using a very weak password (because it was
_supposed_ to be a temporary replacement for one they had lost). Our
present interpretation of events is as follows: the attacker guessed our
NIS domain name (unfortunately similar to the hostname) and downloaded the
encrypted password file. They were then able to crack this user's password
very quickly and gain access. There is currently no sign of root access
but we are not taking any chances of course.

I'm new to SUN/Solaris management and so would appreciate any thoughts or
tips on the following: The securenets file should have stopped anything
not on our internal networks (192.168.0.0/16) from binding. (Our Linux
systems have the same configuration and indeed they do prevent this
happening - the hacked Solaris machine is under quarantine so it's harder
to do the test). Is anyone aware of how an external attacker could have
been served our encrypted password file assuming the securenets file is
configured correctly? There is currently no evidence of unauthorised
access to other local machines.

Thanks in advance,

Jon
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
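To make the securenets question concrete, here is an added example (not from the poster or from Sun's code) that parses a /var/yp/securenets file in the <netmask> <network> / host <address> form the Solaris and Linux ypserv daemons read, answers whether a given client address would be served, and flags the two mistakes that quietly widen the file's scope; the sample file content and client addresses are constructed.

```python
import ipaddress

# Constructed sample /var/yp/securenets content (not the poster's file): the
# 192.168.0.0/16 rule described in the post, one host entry and a comment.
SAMPLE_SECURENETS = """\
# <netmask> <network>  or  host <address>
255.255.0.0 192.168.0.0
host 127.0.0.1
"""

def parse_securenets(text):
    """Return (rules, problems): ip_network rules plus a description of each
    line that does not restrict what was written (a 0.0.0.0 netmask admits
    every host; a network with host bits set covers a different range)."""
    rules, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            if len(fields) != 2:
                raise ValueError("expected exactly two fields")
            if fields[0] == "host":
                rules.append(ipaddress.ip_network(fields[1]))  # single /32
            elif ipaddress.ip_address(fields[0]) == ipaddress.ip_address("0.0.0.0"):
                raise ValueError("netmask 0.0.0.0 allows every host")
            else:  # strict=True rejects a network address with host bits set
                mask, net = fields
                rules.append(ipaddress.ip_network(f"{net}/{mask}", strict=True))
        except ValueError as exc:
            problems.append(f"line {lineno}: {raw.strip()!r}: {exc}")
    return rules, problems

def is_allowed(client, text=None):
    """True if ypserv/ypxfrd with this securenets content would serve client.
    text=None models a missing /var/yp/securenets, which ypserv treats as
    'no restriction'.  The file is read when ypserv starts, so an edit only
    takes effect once the NIS server daemons are restarted."""
    if text is None:
        return True
    rules, _ = parse_securenets(text)
    addr = ipaddress.ip_address(client)
    return any(addr in net for net in rules)
```

Running parse_securenets over the quarantined machine's actual file (and checking that the daemons were restarted after its last edit) is the first thing to confirm before looking for a bypass.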
