--- Begin Message ---
Hey Jerry,
We had a report that grv2 was running an IRC server. After looking into it
I found that there were several ports open on that machine and it looked
like that machine has been compromised. They are running SSH on port 16236
for example. I've included, at the bottom, some of what I've found on that
machine. The short of it is that I had to disable the network port for that
computer. I would like to come over tomorrow and take a look at it and see
what we find. How critical is that machine? How long can you have that
machine down? Most likely you all will have to reinstall the OS. I would
also like to bring over a new person, Sasko Stefanovski, with me. He is the
new IS person who was hired to help faculty/staff with some of the burden of
administrating their servers.
Thanks,
Tim
Network address: 141.166.222.216
Ethernet address: 080020aafd7c
Network location: SCI2A-3.15
Interesting ports on grv2.richmond.edu (141.166.222.216):
(The 65523 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
23/tcp     open        telnet
111/tcp    open        sunrpc
1726/tcp   open        unknown
4546/tcp   open        unknown
6000/tcp   open        X11
16236/tcp  open        unknown
23485/tcp  open        unknown
32772/tcp  open        sometimes-rpc7
32773/tcp  open        sometimes-rpc9
32774/tcp  open        sometimes-rpc11
32776/tcp  open        sometimes-rpc15
telnet 141.166.222.216
Trying 141.166.222.216...
Connected to 141.166.222.216.
Escape character is '^]'.
SunOS 5.7
ssh -p 4546 141.166.222.216
The authenticity of host '141.166.222.216 (141.166.222.216)' can't be
established.
RSA1 key fingerprint is dc:cd:da:72:fe:6e:db:70:ff:11:e5:cc:b4:27:80:80.
Are you sure you want to continue connecting (yes/no)? no
--- End Message ---
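The triage Tim describes (an external port scan, a banner grab on the odd ports, and an SSH host-key check on one of them) can be scripted so the same judgement is applied to every listener. The following is an added example, not code from the e-mail or from the University of Richmond: it parses the scan output quoted above, compares it with an assumed baseline of services the owner knowingly runs on a SunOS 5.7 workstation, and flags listeners that do not belong, treating an SSH banner on a non-standard port (4546 and 16236 in the message) as the strongest sign of an attacker-installed daemon. The baseline, the `RPC_DYNAMIC` range and the `BANNERS` table are assumptions constructed for the example; the e-mail only shows that 4546 answered with an RSA1 host key.

```python
"""Triage an nmap-style port list from a suspected-compromised host.

Added example, not part of the original e-mail. Baseline, banners and
the dynamic-RPC range are assumptions made for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Scan output as quoted in the e-mail (port/proto state service).
SCAN_OUTPUT = """\
22/tcp open ssh
23/tcp open telnet
111/tcp open sunrpc
1726/tcp open unknown
4546/tcp open unknown
6000/tcp open X11
16236/tcp open unknown
23485/tcp open unknown
32772/tcp open sometimes-rpc7
32773/tcp open sometimes-rpc9
32774/tcp open sometimes-rpc11
32776/tcp open sometimes-rpc15
"""

# Constructed banners, as a follow-up banner grab on each port might return.
# The e-mail only shows that 4546 speaks SSH; the version strings are assumed.
BANNERS = {
    22: "SSH-1.99-OpenSSH_3.4p1",
    23: "SunOS 5.7",
    4546: "SSH-1.5-OpenSSH_2.9p2",
    16236: "SSH-1.5-OpenSSH_2.9p2",
}

# Assumed baseline: services the owner knowingly runs on this workstation.
EXPECTED = {22: "ssh", 23: "telnet", 111: "sunrpc", 6000: "X11"}
# Assumed range in which Solaris rpcbind hands out dynamic RPC ports.
RPC_DYNAMIC = range(32771, 32800)

LINE_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
)


@dataclass(frozen=True)
class Finding:
    port: int
    service: str
    severity: str  # "ok", "review" or "suspicious"
    reason: str


def parse_scan(text: str) -> Dict[int, str]:
    """Return {port: service} for every line reporting an open TCP port."""
    ports: Dict[int, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m["proto"] == "tcp" and m["state"] == "open":
            ports[int(m["port"])] = m["service"]
    return ports


def protocol_from_banner(banner: str) -> Optional[str]:
    """Minimal banner classifier: an SSH server always announces 'SSH-x.y-'."""
    return "ssh" if banner.startswith("SSH-") else None


def triage(open_ports: Dict[int, str], banners: Dict[int, str],
           expected: Dict[int, str] = EXPECTED) -> List[Finding]:
    """Judge each open port against the baseline and what it actually speaks."""
    findings = []
    for port, service in sorted(open_ports.items()):
        spoken = protocol_from_banner(banners.get(port, ""))
        if port in expected:
            if spoken and spoken != expected[port]:
                findings.append(Finding(port, service, "suspicious",
                    f"expected {expected[port]} but the listener speaks {spoken}"))
            else:
                findings.append(Finding(port, service, "ok", "in baseline"))
        elif port in RPC_DYNAMIC and service.startswith("sometimes-rpc"):
            findings.append(Finding(port, service, "review",
                "dynamic RPC port; confirm the program with rpcinfo -p"))
        elif spoken == "ssh":
            findings.append(Finding(port, service, "suspicious",
                "SSH daemon on a non-standard port; likely attacker-installed sshd"))
        else:
            findings.append(Finding(port, service, "suspicious",
                "listener not in baseline and no recognised banner"))
    return findings


def same_host_key(fp_a: str, fp_b: str) -> bool:
    """Compare two hex host-key fingerprints ignoring case and separators."""
    norm = lambda fp: re.sub(r"[^0-9a-f]", "", fp.lower())
    return norm(fp_a) == norm(fp_b)


if __name__ == "__main__":
    for f in triage(parse_scan(SCAN_OUTPUT), BANNERS):
        print(f"{f.port:>6}/tcp {f.severity:<10} {f.service:<16} {f.reason}")
```

`same_host_key` is there for the step the e-mail stops short of: record the fingerprint offered on port 22 and compare it with the one offered on 4546. A different key means a second, separately installed sshd, which is as good a confirmation of compromise as the IRC report. Two caveats a practitioner should keep in mind: a scan from the network only sees what is listening, so a rootkit that hides processes and sockets from `netstat` on the box itself changes nothing here, and "ok" means only "matches the baseline", so disconnecting the port and reinstalling the OS, as the message proposes, remains the right call once any finding is "suspicious".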