17 August 2000
A Denial of Service attack on Cryptome commenced at 19:27, 16 August 2000, from a Sprint Government Systems Division customer Data Wave (NET-SPRINT-C64637), 214 B State Street, Santa Barbara, CA 93101:
198.70.55.34 - - [16/Aug/2000:19:27:36 -0400] "GET / HTTP/1.0" 302 200 "-" "LEIA/2.90"
The attack ended this morning (last entry):
198.70.55.34 - - [17/Aug/2000:06:09:28 -0400] "GET / HTTP/1.0" 302 200 "-" "LEIA/2.90"
The attack repeated this command non-stop 6 times per second, for about 250,000 hits total. We noticed it and at 22:20 on 16 August attempted to block the machine via .htaccess, but the .htaccess block did not stop the attack.
The 198.70.55.34 address has made no previous requests.
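As an added example that is not part of the original Cryptome page: the following Python script parses access-log lines in the combined format of the two entries quoted above, buckets requests per source address into fixed time windows, and flags any address whose rate in some window reaches a threshold. The log lines it runs on are constructed here to mimic the described traffic (6 "GET /" per second from 198.70.55.34 with a few ordinary requests mixed in); the 10-second window and the 2 requests/second threshold are assumed values, not anything the page states.

```python
"""Flag a single-source request flood in an Apache combined-format access log.

Added example, not code from the Cryptome page: it parses log lines in the
format of the two entries quoted above, counts requests per source address
in fixed time windows, and reports addresses whose rate reaches a threshold.
The sample log lines are constructed here to mimic the described traffic.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)   # timezone-aware timestamp
    return rec


def flood_sources(lines, window_s=10, threshold_per_s=2.0):
    """Bucket requests per source address into fixed windows of window_s seconds.

    Returns {ip: {"peak_rate": requests/second in the busiest window,
                  "total": total requests, "agents": set of User-Agent strings}}
    for every address whose peak rate reaches threshold_per_s.
    Both window_s and threshold_per_s are assumed defaults for this example.
    """
    per_window = defaultdict(Counter)   # ip -> Counter(window index -> hits)
    totals = Counter()
    agents = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                    # skip malformed lines rather than abort
        window = int(rec["ts"].timestamp()) // window_s
        per_window[rec["ip"]][window] += 1
        totals[rec["ip"]] += 1
        agents[rec["ip"]].add(rec["ua"])

    flagged = {}
    for ip, counts in per_window.items():
        peak = max(counts.values()) / window_s
        if peak >= threshold_per_s:
            flagged[ip] = {"peak_rate": peak, "total": totals[ip], "agents": agents[ip]}
    return flagged


def constructed_sample():
    """Constructed log lines (not real traffic): 6 x "GET /" per second from
    198.70.55.34 for 30 seconds, plus one ordinary request from another
    (documentation-range) address every 10 seconds."""
    start = datetime.strptime("16/Aug/2000:19:27:36 -0400", TS_FMT)
    lines = []
    for sec in range(30):
        ts = (start + timedelta(seconds=sec)).strftime(TS_FMT)
        lines.extend(
            f'198.70.55.34 - - [{ts}] "GET / HTTP/1.0" 302 200 "-" "LEIA/2.90"'
            for _ in range(6)
        )
        if sec % 10 == 0:
            lines.append(
                f'192.0.2.{sec + 1} - - [{ts}] "GET /index.html HTTP/1.0" 200 5120 "-" "Mozilla/4.0"'
            )
    return lines


if __name__ == "__main__":
    for ip, info in flood_sources(constructed_sample()).items():
        print(f"{ip}: peak {info['peak_rate']:.1f} req/s, {info['total']} hits, "
              f"agents {sorted(info['agents'])}")
```

On the constructed sample the only flagged address is 198.70.55.34, with a peak of 6.0 requests/second and 180 hits, all with the LEIA/2.90 agent. A practitioner's caveat that matches the observation above: a .htaccess Deny is evaluated only after Apache has accepted the connection and parsed the request, so the server still answers every hit (with a 403 instead of a 302) and the entries keep arriving in the log at the same rate. An address flagged this way has to be dropped at the packet filter or upstream at the provider for the load to actually stop.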
The contact phone number for the "coordinator" of Data Wave, Universal Access (ua.com), is disconnected. An e-mail was sent to the coordinator, Henry Minsky (hqm@ua.com), who promptly called from Tokyo to say he is no longer coordinator and referred me to Brian Fox (bfox@ua.com or bfox@ai.mit.edu), the current administrator of Universal Access. Mr. Minsky suspects the address may have been hijacked by the attacker. We immediately sent a request for help to Brian Fox at his two e-mail addresses but have not received a reply as of 7:10, 17 August.
Information welcomed on the attacking address or the program "LEIA/2.90." Send to jya@pipeline.com
Thanks for these responses to the request for help:
From: D

On your system, the command "route add 198.70.55.34 lo" (or its equivalent on a non-Unix system) will leave the machine at that address waiting with an open connection for something that your system won't answer. Basically, it will make the operating system think that address is one of its own and won't send a response. At the other end, the timeout for a response could be as long as minutes, so without running the same program multiple times, the attacking system will just wait. (Of course, someone can write software to do anything, but some script kiddie or hack-wannabe might just have a script that automates the repeated connection attempts. If that's the case, blocking it by sending an RST will only cause it to loop faster.) The command mentioned above essentially tells the system to find that address through the system's own loopback to itself.

If you have the system set up for persistent connections, set the persistent connection limit lower if possible. If TCP keep-alive is requested, your server will hold open multiple connections from this person.
From: DG

LEIA appears to be a web browser or spider. Many sites that publish web server logs list this program in the compilation of browser versions. See for instance http://www.co.broward.fl.us/usage/brows233_b.htm Damned if I can find any other info on it, though.
From: JH

I did some research on the DoS attack that you witnessed and have found something interesting that is not just affecting you. There has recently been an exploit, non-published, that I have seen posted by many Linux users with telnet with SSH tunneling open. I have found some dated information on the subject:

"All systems running implementations of SSH using protocol version 1.x are vulnerable. This includes SSH software versions up to 1.2.23 and F-Secure SSH 1.3.4. To obtain the version of the SSH server that is running on a given host you can issue the following commands:

$ telnet <IP address> 22
Trying <IP address>...
Connected to <IP address>.
Escape character is '^]'.
SSH-1.5-1.2.23
    \    \
    |     \--------- software version
    |
    |------------ protocol version
^]
telnet> close
Connection closed.
$ exit

Additional Information:
~~~~~~~~~~~~~~~~~~~~~~~
These vulnerabilities were discovered by Ariel Futoransky <futo@core-sdi.com> and Emiliano Kargieman <ek@core-sdi.com>. CORE SDI wishes to thank the SSH maintainers Tatu Ylonen <ylo@ssh.fi> and Tero Kivinen <kivinen@ssh.fi> for their quick response to the issues raised by this advisory."

http://archives.indenial.com/hypermail/bugtraq/1998/June1998/0068.html

The IP address you listed has 2 ports open: port 22, which is an altered telnet port (they are using SSH-1.5-1.2.26), and port 25 (email server, "220 mailhost.ua.com ESMTP"). That SSH version is rootable. The sysadmin should have taken the system offline as soon as he received your email. Their email box is effectively compromised and must be formatted. I suspect that it is trojaned and being controlled by an outside party. I did not portscan the upper spectrum of ports, a la 65xxx and up. I suspect the 3rd party is telnetting to and controlling the box via that range with a Sub7/BO2K-type setup. The admin should take the email server down, format it, and restore only the email database from a backup. He should disable telnet until a fix is found.
The fed has a blunt little tool that may be of assistance to the sysop (probably not, though): http://www.fbi.gov/nipc/trinoo.htm Here is a link to one forum pertinent to this root xploit: http://search.prospero.com/n/mb/message.asp?webtag=maxlinuxmsg=2116.1 I hope this helps. I have seen no recent errata on the subject as of yet. Since quite a few people are being affected, I may have to look into doing it myself. It looks interesting. Take care.
From: JH (2)

It seems that the company http://www.metahtml.com/ email server has been rooted. The reason why they aren't responding to your email is therefore obvious. ua.com and metahtml.com are the same company, parent/daughter, whatever. Brian Fox is the programmer and is listed at: http://www.metahtml.com/~bfox/ It seems like this server is Red Hat based, and correlates with what I have spoken to people about that have been exploited. In any case, it sucks that a hacker would target you at the business end of the xploit... Which makes me think that it wasn't a hacker. True hackers will not attack you because you give a voice to their cause, even if you don't intend to. And so, this 0-day exploit, which has no documentation, which cannot be gotten canned, which has to be from someone in the know or which had to have been truly created/hacked by a fairly intuitive person... is being used on you. I'd think that more than likely it was one of the groups that you have pissed off, that have the people and tools to do this. And so that narrows it down further. I won't speculate anymore, lest I start to sound like a Montana resident. Take care.