
what do you make of this?



hi francisco,

   hope your graduate classes are going well. i got the
attached message from tim st. laurent this evening. it
looks like telnet is running on grv2. is that so? did we
get hacked?

jerry

-- 
Dr. Gerard P. Gilfoyle
Physics Department                e-mail: ggilfoyl@richmond.edu
University of Richmond, VA 23173  phone:  804-289-8255
USA                               fax:    804-289-8482
--- Begin Message ---

Hey Jerry,

We had a report that grv2 was running an IRC server.  After looking into it
I found that there were several ports open on that machine and it looked
like that machine had been compromised.  They are running SSH on port 16236
for example.  I've included, at the bottom, some of what I've found on that
machine.  The short of it is that I had to disable the network port for that
computer.  I would like to come over tomorrow and take a look at it and see
what we find.  How critical is that machine?  How long can you have that
machine down?  Most likely you all will have to reinstall the OS.  I would
also like to bring over a new person, Sasko Stefanovski, with me.  He is the
new IS person who was hired to help faculty/staff with some of the burden of
administrating their servers.

Thanks,

Tim

Network address: 141.166.222.216 
Ethernet address: 080020aafd7c 
Network location: SCI2A-3.15 


Interesting ports on grv2.richmond.edu (141.166.222.216):
(The 65523 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh                     
23/tcp     open        telnet                  
111/tcp    open        sunrpc                  
1726/tcp   open        unknown                 
4546/tcp   open        unknown                 
6000/tcp   open        X11                     
16236/tcp  open        unknown                 
23485/tcp  open        unknown                 
32772/tcp  open        sometimes-rpc7          
32773/tcp  open        sometimes-rpc9          
32774/tcp  open        sometimes-rpc11         
32776/tcp  open        sometimes-rpc15       

telnet 141.166.222.216
Trying 141.166.222.216...
Connected to 141.166.222.216.
Escape character is '^]'.


SunOS 5.7


ssh -p 4546 141.166.222.216
The authenticity of host '141.166.222.216 (141.166.222.216)' can't be
established.
RSA1 key fingerprint is dc:cd:da:72:fe:6e:db:70:ff:11:e5:cc:b4:27:80:80.
Are you sure you want to continue connecting (yes/no)? no

--- End Message ---
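The port table Tim pasted is the kind of artifact a defender checks against a baseline of what the host is supposed to expose. The following is an added example, not code from the thread: a Python script that parses that exact table and buckets each open port, so that the unexplained high ports (where SSH was found answering) and the cleartext telnet service surface first. The baseline of expected services and the treatment of the Solaris `sometimes-rpc*` ports are assumptions made for illustration.

```python
import re

# Port table as quoted in the thread (re-typed here as constructed sample input).
SCAN_OUTPUT = """\
Port       State       Service
22/tcp     open        ssh
23/tcp     open        telnet
111/tcp    open        sunrpc
1726/tcp   open        unknown
4546/tcp   open        unknown
6000/tcp   open        X11
16236/tcp  open        unknown
23485/tcp  open        unknown
32772/tcp  open        sometimes-rpc7
32773/tcp  open        sometimes-rpc9
32774/tcp  open        sometimes-rpc11
32776/tcp  open        sometimes-rpc15
"""

# Assumed baseline for this Solaris 7 box: ssh, rpcbind and the X server only.
EXPECTED_PORTS = {("22", "tcp"), ("111", "tcp"), ("6000", "tcp")}
CLEARTEXT_LOGIN = {"telnet", "rlogin", "ftp"}   # never acceptable, baseline or not
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_ports(text):
    # Yield (port, proto, state, service) for each "N/tcp state service" line.
    matches = (PORT_LINE.match(line.strip()) for line in text.splitlines())
    return [m.groups() for m in matches if m]


def triage(text, expected=EXPECTED_PORTS):
    """Bucket open ports: 'unexpected' is where the thread's rogue SSH daemons
    (4546, 16236) land; 'rpc_dynamic' is Solaris's 3277x ONC RPC range, normal
    on SunOS but worth cross-checking against rpcinfo -p on the host itself."""
    findings = {"expected": [], "cleartext_login": [],
                "rpc_dynamic": [], "unexpected": []}
    for port, proto, state, service in parse_ports(text):
        if state != "open":
            continue
        label = f"{port}/{proto} {service}"
        if service in CLEARTEXT_LOGIN:
            findings["cleartext_login"].append(label)
        elif (port, proto) in expected:
            findings["expected"].append(label)
        elif service.startswith("sometimes-rpc"):
            findings["rpc_dynamic"].append(label)
        else:
            findings["unexpected"].append(label)
    return findings
```

Running `triage(SCAN_OUTPUT)` on the quoted table puts 1726, 4546, 16236 and 23485 in the `unexpected` bucket and telnet in `cleartext_login`, which is the same conclusion Tim reached by hand.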