Sagonet - Failing miserably with network security Someone needs to handle this.

65.110.62.120

Sagonet,

We have a serious hacker here who is ACTIVELY engaged in logins
on our network (have him in a honeypot at the moment). He is running
exploits from your network and
also I have been hearing from others that you have been notified of this
a few times yet have done nothing about it. Can we get someone to handle
this immediately please?

This hacker has rooted at least 35 servers on a friend's network (friendly
competitor) and now he's scanning ours...

This is what was said by my friend after contacting you guys about this:
"Good... They will not listen... I have provided them logs, screen shots,
etc..."

Additionally, I would LOVE to know what is on that server... this guy is
not to be taken lightly, he is VERY methodical and patient. He's probably
owning your network too.

[root@mail /home]# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address             Foreign Address            State
tcp        0      0 0.0.0.0:21                0.0.0.0:*                  LISTEN
tcp        0      0 :::38300                  :::*                       LISTEN
tcp        0      0 ::ffff:66.11.112.15:38300 ::ffff:65.110.62.120:59979 ESTABLISHED
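The netstat excerpt above is the kind of evidence an abuse desk should be able to act on: an unexpected listener on a high port and an ESTABLISHED session to it from the reported address. The following is an added example (not code from the thread) that parses `netstat -an` output, normalises the IPv4-mapped IPv6 form (`::ffff:a.b.c.d`) that trips up naive string matching, and reports both watchlisted peers and listeners outside an expected set. The sample text is the excerpt from the post, cleaned to one row per line; the watchlist and expected ports are assumptions for the demo.

```python
"""Added example: triage netstat -an output for a watchlisted peer and unexpected listeners."""
from ipaddress import ip_address

# Constructed sample: the netstat -an rows quoted in the post, one row per line.
SAMPLE = """Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address             Foreign Address            State
tcp        0      0 0.0.0.0:21                0.0.0.0:*                  LISTEN
tcp        0      0 :::38300                  :::*                       LISTEN
tcp        0      0 ::ffff:66.11.112.15:38300 ::ffff:65.110.62.120:59979 ESTABLISHED
"""


def split_endpoint(endpoint):
    """Split 'addr:port' as netstat prints it. IPv6 addresses contain colons, so
    split on the LAST colon; '*' means any port. IPv4-mapped IPv6 ('::ffff:a.b.c.d')
    is reduced to the plain IPv4 address so it compares equal to a watchlist entry."""
    addr, port = endpoint.rsplit(":", 1)
    if addr.startswith("::ffff:"):
        addr = addr[len("::ffff:"):]
    return addr, (None if port == "*" else int(port))


def parse_netstat(text):
    """Return one dict per socket row; header and non-socket lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        laddr, lport = split_endpoint(parts[3])
        faddr, fport = split_endpoint(parts[4])
        state = parts[5] if len(parts) > 5 else ""  # udp rows carry no state column
        rows.append({"proto": parts[0], "laddr": laddr, "lport": lport,
                     "faddr": faddr, "fport": fport, "state": state})
    return rows


def find_watchlisted(rows, watchlist):
    """Rows whose foreign address is on the watchlist (addresses compared as IPs, not strings)."""
    bad = {ip_address(w) for w in watchlist}
    hits = []
    for r in rows:
        try:
            if ip_address(r["faddr"]) in bad:
                hits.append(r)
        except ValueError:  # '*' or other non-address placeholder
            continue
    return hits


def suspicious_listeners(rows, expected_ports):
    """LISTEN sockets on ports the host is not supposed to serve; the 38300 listener shows up here."""
    return [r for r in rows if r["state"] == "LISTEN" and r["lport"] not in expected_ports]


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE)
    # Assumed policy for the demo: only FTP (21) is an expected service on this host.
    for r in suspicious_listeners(rows, {21}):
        print("unexpected listener:", r["proto"], r["laddr"], r["lport"])
    for r in find_watchlisted(rows, ["65.110.62.120"]):
        print("watchlisted peer:", r["faddr"], "->", r["laddr"], r["lport"], r["state"])
```

Feeding the real `netstat -an` output of a host into `parse_netstat` and diffing `suspicious_listeners` against an inventory of expected ports is a cheap first pass; note that a kernel-level rootkit can hide sockets from the very netstat being run on the box, which is why the thread's later advice about booting from clean media still applies.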

i am confused. are you seeking host security advice? or are you just trying to play name and shame? can help with former.

randy

Chris,

What kind of activity are you seeing once he's in the servers? At
Webair we're primarily web hosting, and some customer boxes were
compromised over recent months.

I'm curious because you say he was very patient and methodical. I've asked
around with a few friends and they have seen this guy too.. just as in
your case

Anyway, it fits the profile of the guy we had. He was inserting references
to megacount.net, and some obfuscated javascript code. He has been hard to
get rid of..

Sincerely,

----------------------------------------
Brian Hourigan
Lead Technical Support Specialist/
Programming Development Team
Webair Internet Development, Inc.
Fax: 516.938.5100
http://www.webair.com
----------------------------------------

In the honeypot server we have him in, he is storing files in /dev/k4rd
Bash has been replaced with a "key logging" bash, he gets everything
you type, passwords included, emailed back to him at root@65.110.62.120

There seems to be A LOT of files in /dev/k4rd, a bin directory and etc.
He hacked the kernel so good that it's VERY difficult to track his moves
without booting off another drive first. We boot off a live linux cd
environment to do studies on what he is up to, but before we do that
we let him hack it up nicely so we get all his tricks. Note: he cannot
really touch any other servers as he is stuck in a faked network environment
at this moment. Pinging yahoo.com for example will generate a reply and a
faked dns entry, but the packets never leave the zone he is in.

His motivation seems to be to gather nats affiliate and customer data.
He has an exploit that works on any and all nats installations. We're
not going to release that until nats has been notified and had time to
secure it.

We're also seeing "traffic skimming" being attempted.
He is searching for scripts (that we put there just to see what he does
with them) that log traffic hits and etc.... He modifies these scripts so
that randomly, but rarely, hits are re-directed to a web site called
cgi-dnsl.com ( porn ).

I don't mean to be a brat to Sagonet, but this is always the source of this
hacker and his home never changes, it's always on that single ip.

Chris Jester
NJesterIII
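Two of the findings in the post above (the trojaned bash that mails keystrokes home, and the hit-logging scripts edited to redirect a small fraction of visitors) are exactly what a baseline-and-compare integrity check catches, and the /dev/k4rd drop is caught by a rule that /dev should hold device nodes, not regular files. The following is an added example, not code from the thread or from any of the hosts named in it; it builds a constructed tree in a temporary directory, baselines a fake shell and a fake CGI script, simulates the three changes, and runs both checks. Run such a check from a live CD with the suspect disk mounted, as the post already recommends, since a kernel rootkit on the running system can lie to it.

```python
"""Added example: minimal file-integrity baseline plus a sweep of /dev for regular files."""
import hashlib
import os
import stat
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record hash, permission bits and size for each watched file (shells, web scripts, ...)."""
    baseline = {}
    for p in paths:
        st = os.lstat(p)
        baseline[p] = {"sha256": sha256_of(p), "mode": stat.S_IMODE(st.st_mode), "size": st.st_size}
    return baseline


def check_baseline(baseline):
    """Compare the live tree against the baseline; returns (path, reason) pairs."""
    findings = []
    for p, rec in baseline.items():
        if not os.path.lexists(p):
            findings.append((p, "missing"))
            continue
        st = os.lstat(p)
        if stat.S_ISLNK(st.st_mode):
            findings.append((p, "replaced by symlink"))
            continue
        if sha256_of(p) != rec["sha256"]:
            findings.append((p, "content changed"))
        if stat.S_IMODE(st.st_mode) != rec["mode"]:
            findings.append((p, "mode changed"))
    return findings


def regular_files_under_dev(dev_root):
    """/dev should contain device nodes, symlinks, fifos and sockets. Regular files,
    let alone a whole bin/ tree (the post's /dev/k4rd), are a classic rootkit drop.
    /dev/shm is a tmpfs that legitimately holds regular files, so it is skipped."""
    found = []
    for dirpath, dirnames, filenames in os.walk(dev_root):
        if dirpath == dev_root:
            dirnames[:] = [d for d in dirnames if d != "shm"]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if stat.S_ISREG(os.lstat(full).st_mode):
                found.append(os.path.relpath(full, dev_root))
    return sorted(found)


def demo():
    """Constructed scenario in a temp dir: baseline, then simulate the compromise."""
    with tempfile.TemporaryDirectory() as root:
        bash = os.path.join(root, "bin", "bash")
        cgi = os.path.join(root, "www", "cgi-bin", "hits.pl")
        dev = os.path.join(root, "dev")
        for p in (bash, cgi):
            os.makedirs(os.path.dirname(p))
        os.makedirs(os.path.join(dev, "shm"))
        with open(bash, "wb") as f:
            f.write(b"#!/bin/sh\n# stand-in for the real bash binary\n")
        os.chmod(bash, 0o755)
        with open(cgi, "w") as f:
            f.write("#!/usr/bin/perl\nprint \"hit logged\\n\";\n")
        with open(os.path.join(dev, "shm", "cache"), "w") as f:
            f.write("legitimate tmpfs file\n")
        baseline = build_baseline([bash, cgi])

        # Simulated compromise: trojaned shell, edited logging script, drop directory in /dev.
        with open(bash, "ab") as f:
            f.write(b"# keylogging payload would be appended here\n")
        with open(cgi, "a") as f:
            f.write("# attacker-inserted rare redirect would go here\n")
        os.makedirs(os.path.join(dev, "k4rd", "bin"))
        with open(os.path.join(dev, "k4rd", "bin", "ls"), "wb") as f:
            f.write(b"trojaned ls\n")
        os.mkfifo(os.path.join(dev, "initctl"))  # a legitimate non-regular /dev entry

        return {"integrity": check_baseline(baseline), "dev_files": regular_files_under_dev(dev)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Hashes in the baseline are only trustworthy if the baseline itself was taken before the compromise and stored off the host; on a package-managed system the vendor's own checksums (e.g. the distribution's package database) serve as a ready-made baseline for /bin/bash.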

Chris Jester wrote:

65.110.62.120

Sagonet,

We have a serious hacker here who is ACTIVLY engaged in logins
on our network (have him in a honeypot at the moment). He is running
exploits from your network and
also I have been hearing from others that you have been notified of this
a few times yet have done nothing about it. Can we get someone to handle
this immediately please?

Thank you for the report. I've added 65.110.62.120 in our perimeter firewalls, on the off chance that the guy has broken into one or more servers at American Internet (Reno). If he (she) did, it may explain some traffic anomalies we've been seeing this past week.