Running Nats? BLOCK THIS IP NOW - Active Hacker
65.110.62.120
Heads up GFYers... We have stopped a hacker dead in his tracks who is going after nats db's. This guy is not to be taken lightly, he is skillful and methodical and if left ignored, WILL own your server. He is in our honeypot as I type this and we are watching him closely. We have complained to sagonet about this guy, who has his home there. I have been working in conjunction with others on this and we have been trying to get sagonet to shut down this guy's server, but they ignore the issue. Everyone should email sagonet's abuse and tell them to get rid of 65.110.62.120 as he is a threat to everyone. So there is your heads up. Hope I helped.

[email protected]

Best regards,
Chris Jester
SplitInfinity
Posted to NANOG about this issue since SAGO like to ignore their abuse:
65.110.62.120 Sagonet,

We have a serious hacker here who is ACTIVELY engaged in logins on our network (have him in a honeypot at the moment). He is running exploits from your network and also I have been hearing from others that you have been notified of this a few times yet have done nothing about it. Can we get someone to handle this immediately please? This hacker has rooted at least 35 servers on a friend's network (friendly competitor) and now he's scanning ours... This is what was said by my friend after contacting you guys about this: "Good... They will not listen... I have provided them logs, screen shots, etc..." Additionally, I would LOVE to know what is on that server... this guy is not to be taken lightly, he is VERY methodical and patient. He's probably owning your network too.

[root@mail /home]# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN
tcp        0      0 :::38300                    :::*                        LISTEN
tcp        0      0 ::ffff:66.11.112.15:38300   ::ffff:65.110.62.120:59979  ESTABLISHED

posted to nanog
Get 'Em :mad:!!
bump for awareness!
Why would you post that to nanog? What does any of this have to do with "network" security? Why don't you post some actual details instead of saying he "rooted" 35 of your friend's servers? Sounds like your friend needs a lesson in server security. Maybe you can send split_joel over to show him the ropes.
Posted to nanog because sagonet people are on nanog and pay attention there.
Their help desk peeps tend to ignore issues like this. AND yes, it has a lot to do with network security because he is DDoSing routers and the like as well... and joel is not a security guy... Karlin and Ariel and I are. Joel is a tech/admin/apache kinda guy... We're teaching him that stuff though.... so maybe some day we can call him a security guy. :-)
bump.....
You don't mention anything about DDoSing routers in your nanog post, in fact your nanog post doesn't really appear to meet their posting criteria. Forwarding an email to the list from webair support should get the nanog trolls out of bed. Should be a fun afternoon.
65.110.62.120 <- i don't think it's the server of the hacker.. just an already hacked one i guess. He would be stupid to hack from his own server. And if he is skilled like you just said, he wouldn't be that stupid.
You fit your name well. :-)
"65.110.62.120 <- i dont think its the server of the hacker.. just a allready hacked one i guess. He would be stupid to hack from his own server. And if he is skilled like you just said, he woudnt be that stupid."

Right, I agree. However I cannot ignore the fact that he has been calling that server home for a while now.
Wake up bro!
It's 2006 and the host won't help you. They maybe tell the real owner of the server (65.110.62.120) that he got a trojan on his server and should watch out. But they can't just shut down a box YOU want shut down. If they would handle it like this i would send millions of those mails each day and half of the internet would be down...
MayorsMoneys:
NATS has found a problem
mysql_connect(): Can't connect to MySQL server on '8.2.119.104' (4) /a/nats/includes/database.php:207

I hope it's nothing serious :/
It is the host's responsibility to keep abusive servers off of their network.
If you told us we had a hacked box, we would surely get out of our chair and secure it.
SI, etc. if there is anything we can do to help please let us know right away.
Re: Mayor's money, their mysql server appears to be down, contact them rather than post about it in a totally unrelated thread :)
I don't see the connection to NATs. He is hacking a server right?
Quote:
We're looking into it with everyone involved.
edit, nevermind, i misread that
Quote:
Good chance they're doing things thru port 80 which is kinda rough to firewall.
Rofl. Shutting 65.110.62.120 will only get you so you have no idea where the attack is coming from. If you know what you're doing, you'll secure the box/es, and follow the ip to see do you have any breaches, and hope that he'll stay on that box forever, as it will be like a beacon when he comes.
naah, i was eating and under the impression he was still hacking live as he typed that... BTW, you can firewall an ip via inbound/outbound on any individual port or all, which I am sure they have done
Geet Hiimmmmmm
Ok UPDATES.....
I have been in several boxes around the world that this guy is in... It seems this is not a NATS specific hack, but this hacker is targeting nats systems that use epassporte since those are the only ones he can steal money from. He is using some mysql injection exploit to find nats databases.

You should check your servers for the following:

Directories that should not be there... if they are, contact me...
/dev/k4rd
/dev/k4rd/proc.k4rd

In your /lib directory, this will surely tell you your system has been rooted:

[root@mail ~]# cd /lib
[root@mail lib]# grep k4rd *
Binary file libutil-2.3.3.so matches
Binary file libutil-2.3.4.so matches
Binary file libutil-2.3.5.so matches

All three of those files are kernel libs that totally give the guy control of your system. In our case, we're owning him right now...... lol

Note to all: Nats has been VERY helpful in the situation. They have heard of this same person before, he is apparently in australia. I want to say that anyone using NATS is in good hands, these guys are all talking to me as I uncover all of this so they can jump on whatever they need to jump on to get things fixed (if they need to advise people to upgrade mysql for example or whatever)
bump.. FUCK HIM Up!
PORT STATE SERVICE
22/tcp   open     ssh
25/tcp   open     smtp
53/tcp   open     domain
80/tcp   open     http
135/tcp  filtered msrpc
136/tcp  filtered profile
137/tcp  filtered netbios-ns
138/tcp  filtered netbios-dgm
139/tcp  filtered netbios-ssn
143/tcp  open     imap
993/tcp  open     imaps
1080/tcp filtered socks
2121/tcp open     ccproxy-ftp
3128/tcp filtered squid-http
3306/tcp open     mysql
6588/tcp filtered analogx
8081/tcp filtered blackice-icecap
Just to let you know what is in one of those lib files... study the strings...
you can see he runs a sniffer and other find stuff... this kernel module is the shit... VERY intelligent hacker...

[root@mail lib]# strings libutil-2.3.3.so|more
_DYNAMIC _GLOBAL_OFFSET_TABLE_ dkgm_control dkg_pid_alive dkg_pid_add dkg_pid_delete kill dkg_open_pscore umask ftruncate mmap dkg_close_pscore munmap dkg_pid_check dkg_pid_cself getpid dkg_proc_hidden dkg_o_sym dlsym dkg_is_auth dkg_file_hidden strlen strcmp readdir readdir64 dkg_proc opendir closedir clone vfork dkg_check_bd memset strncpy memmem strncmp alarm setreuid setregid write dkg_login ioctl drg_read strchr read64 memcpy recv strstr execve getuid geteuid drg_open open64 fopen fileno create_nl create_net_struc drg_close close64 fclose free fgets feof malloc lseek create_net_tab strip_net fill_netlist strcpy sprintf readlink atoi dkg_envp dkg_argv dkg_hup _exit dkg_get_tty dkg_open_tty openpty dkg_enprint setpgid setsid __sysv_signal dup2 chdir hupty select memchr __xstat __fxstat libdl.so.2 libutil.so.1 _edata __bss_start _end GLIBC_2.0 jBhh; Phtcp Phudp Phraw 0he< 8 u$ 8 t! /dev/k4rd/proc.k4rd k4rd ld.so.preload readdir readdir64 opendir /proc closedir clone fork dKg!:anuslicker +dKg! read /dev/k4rd/.sniffer recv write ssword: phrase: execve getuid open open64 fopen close close64 fclose fgets feof /proc/net/ /proc/ socket:[ TERM=linux SHELL=/bin/bash PS1=\[\033[1;30m\][\[\033[0;32m\]\u\[\033[1;32m\]@\[\033[0;32m\]\h \[\033[1;37m\]\W\[\033[1;30m\]]\[\033[0m\]\$ HISTFILE=/dev/null HOME=/dev/k4rd PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:./bin:/dev/k4rd:/dev/k4rd/bin pqrstuvwxyzabcde 0123456789abcdef /dev/ptmx Can't open a tty, all in use ? Can't fork subshell, there is no way... /dev/k4rd /bin/sh Can't execve shell! login telnet rlogin rexec passwd adduser mysql sudo
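The two posts above give a defender everything needed for a quick host check: the hidden /dev/k4rd directory and its proc.k4rd marker, the `grep k4rd *` hit on the libutil-2.3.*.so files in /lib, and, in the strings dump, the `ld.so.preload` reference sitting beside hooked `readdir`/`open`/`execve` names (the usual way a userland library is forced into every process). The script below is an added example and not code from anyone in the thread; the paths are taken from the posts, while the function names, the fixture layout and the sample file contents are constructed for this example.

```shell
#!/bin/sh
# Host check for the rootkit indicators quoted in this thread. Added example,
# not code from the original posts. Paths (/dev/k4rd, /dev/k4rd/proc.k4rd,
# libutil-2.3.*.so under /lib, ld.so.preload) come from the thread; the
# function names and the fixture below are constructed for this example.

# k4rd_check ROOT: inspect the filesystem under ROOT ("" for the live system).
# Prints one line per finding, sets K4RD_HITS to the number of findings and
# returns 1 if anything was found, 0 if clean (so it can run from cron).
k4rd_check() {
    root="${1:-}"
    K4RD_HITS=0

    # 1. The hidden home directory and the process-hiding marker file.
    for p in "$root/dev/k4rd" "$root/dev/k4rd/proc.k4rd"; do
        if [ -e "$p" ]; then
            echo "INDICATOR: path exists: $p"
            K4RD_HITS=$((K4RD_HITS + 1))
        fi
    done

    # 2. A non-empty /etc/ld.so.preload. The strings dump lists
    #    "ld.so.preload" next to the readdir/open/execve hooks; a library
    #    named there is loaded into every dynamically linked process. A
    #    clean box normally has no such file at all.
    if [ -s "$root/etc/ld.so.preload" ]; then
        echo "INDICATOR: non-empty ld.so.preload:"
        sed 's/^/    /' "$root/etc/ld.so.preload"
        K4RD_HITS=$((K4RD_HITS + 1))
    fi

    # 3. Shared objects in /lib containing the string "k4rd" (the same test
    #    as the thread's `grep k4rd *`, restricted to .so files).
    for f in "$root"/lib/*.so*; do
        [ -f "$f" ] || continue
        if grep -q 'k4rd' "$f" 2>/dev/null; then
            echo "INDICATOR: string k4rd in $f"
            K4RD_HITS=$((K4RD_HITS + 1))
        fi
    done

    [ "$K4RD_HITS" -eq 0 ]
}

# k4rd_build_fixture DIR: populate DIR with a constructed "infected" layout so
# the check can be exercised offline. Every file written here is fake data.
k4rd_build_fixture() {
    mkdir -p "$1/dev/k4rd" "$1/etc" "$1/lib"
    : > "$1/dev/k4rd/proc.k4rd"
    printf '/lib/libutil-2.3.3.so\n' > "$1/etc/ld.so.preload"
    printf '\177ELF legit library, nothing to see\n' > "$1/lib/libc-fake.so"
    printf '\177ELF /dev/k4rd/proc.k4rd HISTFILE=/dev/null\n' > "$1/lib/libutil-2.3.3.so"
}

# Demo: run the check against the constructed fixture, then remove it.
# Pass "" instead of the fixture path to inspect the live system.
k4rd_demo() {
    fixture=$(mktemp -d)
    k4rd_build_fixture "$fixture"
    if k4rd_check "$fixture"; then
        echo "clean"
    else
        echo "$K4RD_HITS indicator(s) found under $fixture"
    fi
    rm -rf "$fixture"
}

k4rd_demo
```

The check deliberately runs `grep` from the host's own PATH only after you have a trusted copy of it; on a box where the strings dump is accurate, the preloaded library hooks `readdir` and `open`, so a scan run from the compromised system itself may be lied to. Booting from rescue media and pointing `k4rd_check` at the mounted root is the reliable way to use it.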
Good work guys, when i get into the office tomo, i will check our servers to make sure he hasn't got into our systems
chris-jesters-powerbook-g4-17:~ chris$ whois -a 65.110.62.120
Sago Networks SAGO-20030401 (NET-65-110-32-0-1) 65.110.32.0 - 65.110.63.255
Anton Tenev SAGO-65-110-62-120 (NET-65-110-62-120-1) 65.110.62.120 - 65.110.62.129

Sagonet swips their ips into the customer's name... This guy may not be the hacker, but he owns the box that the hacker has been osama-bin-lading on....

CustName:    Anton Tenev
Address:     Dianabad bl.5b
City:        Sofia
StateProv:   -1
PostalCode:  1000
Country:     BG
RegDate:     2005-04-15
Updated:     2005-04-15

NetRange:    65.110.62.120 - 65.110.62.129
CIDR:        65.110.62.120/29, 65.110.62.128/31
NetName:     SAGO-65-110-62-120
NetHandle:   NET-65-110-62-120-1
Parent:      NET-65-110-32-0-1
NetType:     Reassigned
Quote:
"Sure you have."
The box affected is not managed by us, so poop on you. We're lending a hand. Logging in as root to a hosed box doesn't matter tard. The box is being cleaned and reinstalled anyways. And in regards to your Superterrorizer style comment "Sure you have.", I have been working with others all day today on different networks who have seen the SAME hacker on their nets... Now why don't you go do something productive like find osama or something. you guys have a lot of catching up to do.... be sure and show him you owned me on GFY lameass. LOL
Get 'er done boys!!!
Bump to keep it at the top.
Quote:
You say the box affected is not managed by you, yet the netstat -na you posted shows 66.11.112.15, which is on your network. Let me guess, it's a colo box, right? Wrong, it's mail.suavemente.net, which I suspect is your mail server.

So let's recap the REAL story for everyone who is reading:
1) Someone pwned your mail server
2) You said it was a server not managed by you, but several servers around the world
3) You called me a tard
4) You get pwned by the tard

Would sure like to know what your mail server getting rooted has to do with NATS, so why don't you fill us in on that. I don't dispute the fact that someone has installed a rootkit on your mailserver, and possibly other servers. What I take exception to is your inability to keep your story straight and your resorting to calling me names.

Oh by the way, I just got off the phone with Osama. I told him I owned you on GFY, he said "Death to the infidels, dirkah dirkah mohammed jihad".
root@mail
get that hacker so that we could sleep tight!
Quote:
We caught this fucker awhile ago....Epass shut down his account, they know who he is or what name he used last time.....we were tracking his epass activity and found what city and hotel he was in, i was about to jump on a plane and go pay him a visit with a few friends...lol.... Great work Chris...see you in LA?
be sure it's the owner of the box really doing it, i know interland a while back people were hacking all their servers, and doing DDOS attacks using the machines.