Running Nats? BLOCK THIS IP NOW - Active Hacker
 

65.110.62.120

Heads up GFYers... We have stopped a hacker dead in his tracks
who is going after nats db's. This guy is not to be taken lightly
he is skillfull and methodical and if left ignored, WILL own your server.
He is in our honeypot as I type this and we are watching him closely.

We have complained to sagonet about this guy, who has his home there.
I have been working in conjunction with others on this and we have been
trying to get sagonet to shut down this guys server, but they ignore the
issue.

Everyoine should email sagonet's abuse and tell them to get rid of 65.110.62.120 as he is a threat to everyone.

So there is your heads up. Hope I helped.

[email protected]

Best regards,

Chris Jester
SplitInfinity

Posted to NANOG about this issue since SAGO like to ignore their abuse:


65.110.62.120

Sagonet,

We have a serious hacker here who is ACTIVLY engaged in logins
on our network (have him in a honeypot at the moment). He is running exploits from your network and
also I have been hearing from others that you have been notified of this
a few times yet have done nothing about it. Can we get someone to handle
this immediately please?

This hacker has rooted at least 35 servers on a friends network (friendly competitor) and now hes scanning ours...

This is what was said by my friend after contacting you guys about this:
"Good... They will not listen... I have provided them logs, screen shots, etc..."

Additionally, I would LOVE to know what is on that server... this guy is
not to be taken lightly, he is VERY methodical and patient. He's problably
owning your network too.

[root@mail /home]# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:21 0.0.0.0 LISTEN
tcp 0 0 :::38300 :: LISTEN
tcp 0 0 ::ffff:66.11.112.15:38300 ::ffff:65.110.62.120:59979 ESTABLISHED
ESTABLISHED
posted to nanog

Get 'Em :mad:!!

bump for awareness!

Why would you post that to nanog? What does any of this have to do with "network" security? Why don't you post some actual details instead of saying he "rooted" 35 of your friends servers? Sounds like your friend needs a lesson in server security. Maybe you can send split_joel over to show him the ropes.

Posted to nanog because sagonet people are on nanog and pay attention there.
Their help desk peeps tend to ignore issues like this.

AND yes, it has alot to do with network security because he is DDoSing routers and the like as well... and joel is not a security guy... Karlin and Ariel and I are. Joel is a tech/admin/apache kinda guy...

Were teaching him that stuff though.... so maybe some day we can call him a security guy. :-)

bump.....

You don't mention anything about DDoSing routers in your nanog post, in fact your nanog post doesn't really appear to meet their posting criteria. Forwarding an email to the list from webair support should get the nanog trolls out of bed. Should be a fun afternoon.

65.110.62.120 <- i dont think its the server of the hacker.. just a allready hacked one i guess. He would be stupid to hack from his own server. And if he is skilled like you just said, he woudnt be that stupid.

You fit your name well.

:-)

"65.110.62.120 <- i dont think its the server of the hacker.. just a allready hacked one i guess. He would be stupid to hack from his own server. And if he is skilled like you just said, he woudnt be that stupid."


Right, I agree. However I cannot ignore the fact that he has been calling that server home for a while now.

Wake up bro!
Its 2006 and the host wont help you. They maybe tell the real owner of the server (65.110.62.120) that he got a trojan on his server and should watch out.
But they cant just shut down a box YOU want shut down. If they would handle it like this i would send millions of those mails each day and half of the internet would be down...

MayorsMoneys:

NATS has found a problem

mysql_connect(): Can't connect to MySQL server on '8.2.119.104' (4)

/a/nats/includes/database.php:207

I hope it's nothing serious :/

Its the end of the world as we know it :/

It is the hosts responsibility to keep abusive servers off of their network.
If you told us we had a hacked box, we would surely get out of our chair and
secure it.

Maybe not but I do lose signups if NATS doesn't count them.

SI, etc. if there is anything we can do to help please let us know right away.

Re: Mayor's money, their mysql server appears to be down, contact them rather than post about it in a totally unrelated thread :)

I don't see the connection to NATs. He is hacking a server right?

Could be a NATS exploit, could be a hacker targetting NATS users and hacking with general random hacks just to get on the box then fucking with things.

We're looking into it with everyone involved.

edit, nevermind, i misread that

I'm pretty sure if that were a valid solution Chris would have thought of it :)

Good chance they're doing things thru port 80 which is kinda rough to firewall.

Rofl. Shutting 65.110.62.120 will only get you so you have no idea where the attack is coming from. If you know what you're doing, you'll secure the box/es, and follow the ip to see do you have any breaches, and hope that he'll stay on that box forever, as it will be like a beacon when he comes.

naah, i was eating and under impression he was still hacking live as he typed that... BTW, you can firewall an ip via inbound/output on any individial port or all, which I am sure they have done

Of course you can, considering his thread topic was "Block this IP" I think it was obvious he had done that in some fashion :)

Geet Hiimmmmmm

Ok UPDATES.....

I have been in several boxes around the world that this guy is in...
It seems this it not a NATS specific hack, but this hacker is targeting
nats systems that use epassporte since thats the only ones he can
steal money from.

He is using some mysql injection exploit to find nats databases.

You should check your servers for the following:

Directories that should not be there... if they are, contact me...
/dev/k4rd
/dev/k4rd/proc.k4rd

In your /lib directory, this will surely tell you your system has been rooted:

[root@mail ~]# cd /lib
[root@mail lib]# grep k4rd *
Binary file libutil-2.3.3.so matches
Binary file libutil-2.3.4.so matches
Binary file libutil-2.3.5.so matches


All three of those files are kernel libs that totally give the guy control
of your system. In our case, were owning him right now...... lol

Note to all: Nats has been VERY helpful in the situation.
they have heard of this same person before, he is apparantly in australia.

I want to say that anyone using NATS is in good hands, these guys are all
talking to me as I uncover all of this so they can jump on whatever they need to jump on to get things fixed (if they need to advise people to upgrade mysql for example or whatever)

bump.. FUCK HIM Up!

PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
143/tcp open imap
993/tcp open imaps
1080/tcp filtered socks
2121/tcp open ccproxy-ftp
3128/tcp filtered squid-http
3306/tcp open mysql
6588/tcp filtered analogx
8081/tcp filtered blackice-icecap

Just to let you know what is in one of those lib files... study the strings...
you can see he runs a sniffer and other find stuff... this kernel module is the shit... VERY intelligent hacker...


[root@mail lib]# strings libutil-2.3.3.so|more
_DYNAMIC
_GLOBAL_OFFSET_TABLE_
dkgm_control
dkg_pid_alive
dkg_pid_add
dkg_pid_delete
kill
dkg_open_pscore
umask
ftruncate
mmap
dkg_close_pscore
munmap
dkg_pid_check
dkg_pid_cself
getpid
dkg_proc_hidden
dkg_o_sym
dlsym
dkg_is_auth
dkg_file_hidden
strlen
strcmp
readdir
readdir64
dkg_proc
opendir
closedir
clone
vfork
dkg_check_bd
memset
strncpy
memmem
strncmp
alarm
setreuid
setregid
write
dkg_login
ioctl
drg_read
strchr
read64
memcpy
recv
strstr
execve
getuid
geteuid
drg_open
open64
fopen
fileno
create_nl
create_net_struc
drg_close
close64
fclose
free
fgets
feof
malloc
lseek
create_net_tab
strip_net
fill_netlist
strcpy
sprintf
readlink
atoi
dkg_envp
dkg_argv
dkg_hup
_exit
dkg_get_tty
dkg_open_tty
openpty
dkg_enprint
setpgid
setsid
__sysv_signal
dup2
chdir
hupty
select
memchr
__xstat
__fxstat
libdl.so.2
libutil.so.1
_edata
__bss_start
_end
GLIBC_2.0
jBhh;
Phtcp
Phudp
Phraw
0he<
8 u$
8 t!
/dev/k4rd/proc.k4rd
k4rd
ld.so.preload
readdir
readdir64
opendir
/proc
closedir
clone
fork
dKg!:anuslicker
+dKg!
read
/dev/k4rd/.sniffer
recv
write
ssword:
phrase:
execve
getuid
open
open64
fopen
close
close64
fclose
fgets
feof
/proc/net/
/proc/
socket:[
TERM=linux
SHELL=/bin/bash
PS1=\[\033[1;30m\][\[\033[0;32m\]\u\[\033[1;32m\]@\[\033[0;32m\]\h \[\033[1;37m\]\W\[\033[1;30m\]]\[\033[0m\]\$
HISTFILE=/dev/null
HOME=/dev/k4rd
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:./bin:/dev/k4rd:/dev/k4rd/bin
pqrstuvwxyzabcde
0123456789abcdef
/dev/ptmx
Can't open a tty, all in use ?
Can't fork subshell, there is no way...
/dev/k4rd
/bin/sh
Can't execve shell!
login
telnet
rlogin
rexec
passwd
adduser
mysql
sudo

Good work guys, when i get into the office tomo, i will check our servers to make sure he hasnt got into our systems

chris-jesters-powerbook-g4-17:~ chris$ whois -a 65.110.62.120
Sago Networks SAGO-20030401 (NET-65-110-32-0-1)
65.110.32.0 - 65.110.63.255
Anton Tenev SAGO-65-110-62-120 (NET-65-110-62-120-1)
65.110.62.120 - 65.110.62.129


Sagonet swips their ips into the customers name...

This guy may not be the hacker, but he owns the box that the hacker
has been osama-bin-lading on....

CustName: Anton Tenev
Address: Dianabad bl.5b
City: Sofia
StateProv: -1
PostalCode: 1000
Country: BG
RegDate: 2005-04-15
Updated: 2005-04-15

NetRange: 65.110.62.120 - 65.110.62.129
CIDR: 65.110.62.120/29, 65.110.62.128/31
NetName: SAGO-65-110-62-120
NetHandle: NET-65-110-62-120-1
Parent: NET-65-110-32-0-1
NetType: Reassigned

And now ask yourself, how did he get inside? How was he able to write in /dev or /lib, and what did he do to secure the access to return back. The sniffer is least of your problems.

Word. Logging in as root when it's not needed is also a bad thing, sudo is your friend. (Among other things I could nit pick about)

Sure you have.

"Sure you have."

The box affected is not managed by us, so poop on you. Were lending a hand.
Logging in as root to a hosed box doesnt matter tard. The box is being cleaned and reinstalled anyways.

And in regards to your Superterrorizer style comment "Sure you have.", I have been working with others all day today on different networks who have seen the SAME hacker on their nets... No why dont you go do something productive like find osama or something. you guys have alot of catching up to do.... be sure and show him you owned me on GFY lameass. LOL

Get 'er done boys!!!

Bump to keep it at the top.

You said "several boxes around the world", now you're saying it's just one box. Would be great if you could get your story straight, you've been saying one thing, then another.

You say the box affected is not managed by you, yet the netstat -na you posted shows 66.11.112.15, which is on your network. Let me guess, it's a colo box, right? Wrong, it's mail.suavemente.net, which I suspect is your mail server. So let's recap the REAL story for everyone who is reading:

1) Someone pwned your mail server
2) You said it was a server not managed by you, but several servers around the world
3) You called me a tard
4) You get pwned by the tard

Would sure like to know what your mail server getting rooted has to do with NATS, so why don't you fill us in on that.

I don't dispute the fact that someone has installed a rootkit on your mailserver, and possibly other servers. What I take exception to is your inability to keep your story straight and your resorting to calling me names.

Oh by the way, I just got off the phone with Osama. I told him I owned you on GFY, he said "Death to the infidels, dirkah dirkah mohammed jihad".

root@mail

get that hacker that we could sleep tight!

We caught thiis fucker awhilie ago....Epass shut down his account, they know who he is or what named he used last time.....we were tracking his epass activity and found what city and hotel he was in, i was about to jump on a plane and go pay him a visit with a few friends...lol....

Great work Chris...see you in LA?

be sure its the owner of the box really doing it, i know interland a while back people were hacking all their servers, and doing DDOS attacks using the machines.

Fris, you are right, we will surely talk to the box owner first. And if its not him, well advise him of what he needs to do to secure it box... It very well may not be him, but I do know sagonet had received many many complaints about it.
Odd that it would not be fixed months ago.

Superterrorizer - You are such a putz. Im here giving people info on something going on related to nats and all you can do is look for "story" changing? Perhaps the box was on another ip because I moved the HD
so I could examine the drive under a clean kernel and os..... I dont
need to explain anything to you, and yes I will call you names if i like. ;-)

Hence the title of this board: GFY.

You are just an idiot looking for drama and trouble and I dont respect that.
So be nice and Im nice, otherwise Im not nice... thats it.

Mike, yes, LA! Lets hook up.

Bullshit. 100% bullshit. Your mailserver got hacked and you know it.

Why would you put a known compromised hard drive IN YOUR MAIL SERVER?

Why would that "hackers" IP have an established connection to the IP of your mail server? The only explaination is that your mail server was compromised and you posted the evidence right here yourself.

You can call me all the names you want but that doesn't change the fact that _YOU_ are not being honest with the people on this board. I am simply pointing out the anomalies in your posts, and rather than explaining how this has anything at all to do with NATS (Or anything other than your mailserver being hacked) you simply resort to calling me names. You were trying to make yourself look like some kind of internet hero and it backfired.


You are the one looking for drama by posting this shit in the first place so please don't try and make me look like the bad guy. Just keep spewing that bullshit. Do you think that there aren't guys who read/post on this board who have made the same conclusions I have? This place is filled with nerds (Some of them UBER nerds), both posters and lurkers.


Yeah you did kind of fuck yourself by not removing the ip of your mailserver from your post, didn't you.

If I am an idiot looking for drama and trouble then that must make anybody who has read this thread (Which still doesn't appear to have anything at all to do with NATS or anything other than you not being able to keep up with those pesky root exploits on your mail server) an idiot for having had to read your bullshit. This isn't a matter of respect, I could fucking care less if you respected me or not. I'm just looking for a little bit of truth and that's a commodity in short order in your posts in this thread.

I just got to put my two cents in this thread. How many times has chris made seucirty post and tried to help people out, there's no reason why anyone should attack him regardless of how much we all can't stand him *lol* just kidding. All I am saying is he's tryin to help simple as that. Bring the drama somewhere else.

Should have at least put in a dime, your two cents are pretty much worthless.

While the idea of this thread seems like a good one, it seems to be lacking some information. I fail to see how this specifically had anything to do with NATS in the first place, and why it was included in the subject. It made it sound as if it was specifically related to NATS.

Though, the thread did take a turn for the comedic side I must admit, as the lies continue to pour in and be danced around. How on earth would putting the rooted drive in your mail server, to mount the file system from it, allow the same hacker to connect to your mail server?

Oddities aside, if your intent is to provide information to the public to help awareness of this issue, do you have anymore useful information you could provide in regards to the affected servers? Such as any commonalities in them. What OS were they running? Were any of them running outdated Apache/PHP installs? Was this a common thing across the board? Since these don't sound to all be NATS servers, what other scripts do they all have that could be the point or origin?

Just trying to get some better ideas of the issue at hand that you are seeing, as I'm sure everyone here would appreciate more detailed information.

Also, I wanted to give you a heads up. Firefox 2.0 is out now, it has a built in spell checker. Alarms sound and everything when I click reply on your message.

Really though, it underlines your mistakes while you're typing.

"Why would you put a known compromised hard drive IN YOUR MAIL SERVER?
"

Who ever said the server was live and in use? Just because the host name looked good to you? LOL Instead of poking at me, why dont you listen to what was said.... Block the ip, that guy is AFTER NATS BOXES. That is how it
has to do with nats. I have been working with the folks at nats today on this.
We are trying to hunt this guy down and also find out what exploits he is
using to get into nats servers. Right, the hack it self has not much to do with nats, seems more like a mysql injection exploit at this time, however the warning was clear - Block the ip if you are running nats, especially if you use epassporte with nats because he is most interested in those than anything.

You guys just made assumptions and tried to make me look dumb, thats not
cool. Perhaps in the future I'll refrain from disclosing known live hacker activity. Some people just love to hate.

From NANOG:

It saddens me to mention this, as I am a Amateur Radio operator as
well (N3YMY).

k4rd could be a Amateur Radio call sign.

This one actually does exist and has the following information
(www.qrz.com):

K4RD
WILLIAM E GREESON
1500 E TERRAMAR DR
LAUDERDALE BYTHE SEA FL 33062
USA

33062 is a zip code in Tampa, FL.

Sagonet is in Tampa. (whois.arin.net)

traceroute shows packets for 65.110.62.120 flowing into Tampa.

It may all be coincidence; however, it's *mighty* interesting...

With all due respect eastman, all the hours of sleep I lost cleaning up the mess you made over the years working for split makes any input in this thread useless.

To add to the fact. You have been a bitter dick sence you left split.

Any chance you get you try to attack anything chris and I say, yet you forget where you came from.

From what I remeber you were just some idiot who worked for a dieing dial up company, who got lucky to get a job you weren't qualified for.

Years later after learning shit from chris then going on your own and learning shit you get a big load of confidence and think your the shit and you go looking for the bigger buck.

Fact is your an asshole dude and I don't how much you think you know, but I will say this.

I hope you know more then you did when you were here because were still fixing your mistakes.

Joel, I hate to disagree with you, but Prodiac is good people.
I know you are angry that he picks on you, but Joel, we didnt clean up
any "mess" of his, so if you are going to post, please don't post comments
from the company in anger... He is a good tech and left no messes,
your comments above were made incorrectly. If you wanna fight with him,
I suggest a game of poker. :-) Fact is, you didnt work with him for the many years I did... so your post is biased. Dont be mad, your spelling does suck. :-) LOL

On the other hand: Superterrorizer is a dork. I can state that because I experienced it. See the difference Joel? :-)