1994-01-23 - No Subject

Header Data

From: nobody@shell.portal.com
To: cypherpunks@toad.com
Message Hash: 0ce4fc32ce351a56d7570531b4aa3ba6db177cb1e849eedc41895b269872a15e
Message ID: <199401231352.FAA17675@jobe.shell.portal.com>
Reply To: N/A
UTC Datetime: 1994-01-23 13:56:31 UTC
Raw Date: Sun, 23 Jan 94 05:56:31 PST

Raw message

From: nobody@shell.portal.com
Date: Sun, 23 Jan 94 05:56:31 PST
To: cypherpunks@toad.com
Subject: No Subject
Message-ID: <199401231352.FAA17675@jobe.shell.portal.com>
MIME-Version: 1.0
Content-Type: text/plain


To the WORM Detweiller
THE FOLLOWING SHOULD REALLY TURN YOU ON...

Escape character is '^]'.
220 ntupub.ntu.edu Sendmail 5.65/DEC-Ultrix/4.3 ready at Sun, 23 Jan 1994 02:01:
06 -0700
vrfy ld231782
550 ld231782... User Unknown
vrfy detweiler
550 detweiler... User Unknown
verify larry
500 Command unrecognized
vrfy larry
252 <larry> is an alias
expn larry
250 <larry@ntuvax.ntu.edu>
quit
221 ntupub.ntu.edu closing connection
THIS SENDMAIL 5.65 IS POSSIBLY VUNERABLE TO THE SENDMAIL
HOLE RECENTLY FOUND AND A SCRIPT OF WHICH TO PENETRATE
WITH CAN BE FOUND IN THE bugtraq ARCHIVE.

Connection closed by foreign host.
# finger larry@ntuvax.ntu.edu
[ntuvax.ntu.edu]
connect: Connection refused
 this is a somewhat paranoid host so we we look at it

 BUT netfind SEEKS ROTWEILER OUT
SYSTEM: ntupub.ntu.edu
        Login name: larry                       In real life: LArry Detweiller
        Directory: /users/NTU/larry             Shell: /bin/csh
        Last login Fri Jan 21 16:14 on tty02 from LARRY
        Project: What am I working on?
        No Plan.

 checking one of the upstream ips from this we find
Trying 192.52.106.4...
Connected to 192.52.106.4.
Escape character is '^]'.

  This is the cisco gateway at NCAR for Westnet.
  Configuration loaded from windom.UCAR.EDU:/tftpboot/ncar-gw-confg.


User Access Verification

Password:

Traceroute logs follow

 4  cix-west2.cix.net (149.20.3.3)  290 ms  300 ms  330 ms
 5  ans.cix.net (149.20.5.2)  320 ms  320 ms  310 ms
 6  en-0.San-Francisco-cnss11.t3.ans.net (192.103.60.5)  310 ms  320 ms  330 ms
 7  mf-0.San-Francisco-cnss8.t3.ans.net (140.222.8.222)  310 ms  310 ms  320 ms
 8  t3-1.Seattle-cnss88.t3.ans.net (140.222.88.2)  330 ms  290 ms  320 ms
 9  t3-0.Denver-cnss96.t3.ans.net (140.222.96.1)  340 ms  320 ms  330 ms
10  mf-0.Denver-cnss97.t3.ans.net (140.222.96.193)  330 ms  300 ms  320 ms
11  t3-0.enss141.t3.ans.net (140.222.141.1)  330 ms  330 ms  320 ms
12  cu-gw.ucar.edu (192.52.106.4)  320 ms  310 ms  330 ms
13  ucb-ncar.CO.westnet.net (129.19.254.46)  320 ms  310 ms cu2-ncar2.CO.westnet.net (129.19.248.62)  370 ms
14  csu-ucb.CO.westnet.net (129.19.254.102)  320 ms  310 ms  330 ms
15  csu-gw-2.UCC.ColoState.EDU (129.82.103.2)  320 ms  310 ms  330 ms
16  middle.lance.colostate.edu (129.82.109.2)  320 ms  330 ms  330 ms
17  dolores.lance.colostate.edu (129.82.112.18)  330 ms  330 ms  300 ms
 
 4  cix-west2.cix.net (149.20.3.3)  310 ms  310 ms  310 ms
 5  ans.cix.net (149.20.5.2)  310 ms  300 ms  300 ms
 6  en-0.San-Francisco-cnss11.t3.ans.net (192.103.60.5)  310 ms  320 ms  390 ms
 7  mf-0.San-Francisco-cnss8.t3.ans.net (140.222.8.222)  300 ms  300 ms  310 ms
 8  t3-1.Seattle-cnss88.t3.ans.net (140.222.88.2)  320 ms  310 ms  310 ms
 9  t3-0.Denver-cnss96.t3.ans.net (140.222.96.1)  320 ms  340 ms  330 ms
10  mf-0.Denver-cnss97.t3.ans.net (140.222.96.193)  350 ms  300 ms  310 ms
11  t3-0.enss141.t3.ans.net (140.222.141.1)  320 ms  320 ms  310 ms
12  cu-gw.ucar.edu (192.52.106.4)  330 ms  310 ms  310 ms
13  cu2-ncar2.CO.westnet.net (129.19.248.62)  340 ms ucb-ncar.CO.westnet.net (129.19.254.46)  320 ms  300 ms
14  csu-ucb.CO.westnet.net (129.19.254.102)  320 ms  330 ms  320 ms
15  csu-gw-2.UCC.ColoState.EDU (129.82.103.2)  320 ms  330 ms  330 ms
16  middle.lance.colostate.edu (129.82.109.2)  340 ms  310 ms  420 ms
17  keller.lance.colostate.edu (129.82.112.41)  320 ms  330 ms  330 ms


 4  cix-west2.cix.net (149.20.3.3)  310 ms  330 ms  350 ms
 5  ans.cix.net (149.20.5.2)  340 ms  340 ms  330 ms
 6  en-0.San-Francisco-cnss11.t3.ans.net (192.103.60.5)  330 ms  300 ms  280 ms
 7  mf-0.San-Francisco-cnss8.t3.ans.net (140.222.8.222)  340 ms  300 ms  280 ms
 8  t3-1.Seattle-cnss88.t3.ans.net (140.222.88.2)  340 ms  290 ms  350 ms
 9  t3-0.Denver-cnss96.t3.ans.net (140.222.96.1)  330 ms  320 ms  310 ms
10  mf-0.Denver-cnss97.t3.ans.net (140.222.96.193)  350 ms  320 ms  330 ms
11  t3-0.enss141.t3.ans.net (140.222.141.1)  340 ms  340 ms  310 ms
12  cu-gw.ucar.edu (192.52.106.4)  330 ms  320 ms  300 ms
13  cu2-ncar2.CO.westnet.net (129.19.248.62)  350 ms  320 ms  320 ms
14  csu-ucb.CO.westnet.net (129.19.254.102)  330 ms  320 ms  320 ms
15  ntu-csu.CO.westnet.net (129.19.254.82)  360 ms  330 ms  330 ms
16  192.65.141.15 (192.65.141.15)  350 ms  340 ms  350 ms

JUST DOING SOME RESEARCH VIA NIC WE FIND THAT THE MACHINE
Non-authoritative answer:
Name:    longs.lance.colostate.edu
Address:  129.82.109.16

> set type=mx
> longs.lance.colostate.edu

longs.lance.colostate.edu       preference = 0, mail exchanger = longs.lance.col
ostate.edu
longs.lance.colostate.edu       preference = 10, mail exchanger = yuma.acns.colo
state.edu
longs.lance.colostate.edu       internet address = 129.82.109.16
yuma.acns.colostate.edu internet address = 129.82.100.64
acns.colostate.EDU      nameserver = yuma.acns.ColoState.EDU
acns.colostate.EDU      nameserver = lamar.ColoState.EDU
yuma.ACNS.ColoState.EDU internet address = 129.82.100.64
lamar.ColoState.EDU     internet address = 129.82.103.75
lamar.ColoState.EDU     preference = 10, mail exchanger = lamar.ColoState.EDU
lamar.ColoState.EDU     preference = 20, mail exchanger = yuma.ACNS.ColoState.ED
U
lamar.ColoState.EDU     internet address = 129.82.103.75
yuma.ACNS.ColoState.EDU internet address = 129.82.100.64

and a traceroute to LDs favorite posting machine

dolores.lance.colostate.edu
;; flags: qr rd ra ; Ques: 1, Ans: 1, Auth: 2, Addit: 2
;; QUESTIONS:
;;      dolores.lance.colostate.edu, type = A, class = IN

;; ANSWERS:
dolores.lance.colostate.edu.    86298   A       129.82.112.18

;; AUTHORITY RECORDS:
lance.colostate.EDU.    44453   NS      yuma.acns.ColoState.EDU.
lance.colostate.EDU.    44453   NS      lamar.ColoState.EDU.

;; ADDITIONAL RECORDS:
yuma.acns.ColoState.EDU.        160860  A       129.82.100.64
lamar.ColoState.EDU.    160860  A       129.82.103.75

;; Sent 1 pkts, answer found in time: 10 msec
;; MSG SIZE  sent: 45  rcvd: 166
 dig type=mx keller.lance.colostate.edu

; <<>> DiG 2.0 <<>> type=mx keller.lance.colostate.edu
;; ->>HEADER<<- opcode: QUERY , status: NOERROR, id: 6
;; flags: qr aa rd ra ; Ques: 1, Ans: 1, Auth: 0, Addit: 0
;; QUESTIONS:
;;      keller.lance.colostate.edu, type = A, class = IN

;; ANSWERS:
keller.lance.colostate.edu.     86400   A       129.82.112.41

;; Sent 1 pkts, answer found in time: 470 msec
;; MSG SIZE  sent: 44  rcvd: 60

from 4. Note also I didnt query intervening routers and hosts for
information.
Upstream hosts and/or routers may also be compromisable...

 4  cix-west2.cix.net (149.20.3.3)  310 ms  260 ms  290 ms
 5  ans.cix.net (149.20.5.2)  280 ms  280 ms  280 ms
 6  en-0.San-Francisco-cnss11.t3.ans.net (192.103.60.5)  270 ms  290 ms  270 ms
 7  mf-0.San-Francisco-cnss8.t3.ans.net (140.222.8.222)  280 ms  320 ms  290 ms
 8  t3-1.Seattle-cnss88.t3.ans.net (140.222.88.2)  300 ms  290 ms  300 ms
 9  t3-0.Denver-cnss96.t3.ans.net (140.222.96.1)  310 ms  300 ms  310 ms
10  mf-0.Denver-cnss97.t3.ans.net (140.222.96.193)  310 ms  290 ms  310 ms
11  t3-0.enss141.t3.ans.net (140.222.141.1)  300 ms  300 ms  310 ms
12  cu-gw.ucar.edu (192.52.106.4)  300 ms  410 ms  310 ms
13  ucb-ncar.CO.westnet.net (129.19.254.46)  310 ms 129.19.248.62 (129.19.248.62
)  320 ms  330 ms
14  csu-ucb.CO.westnet.net (129.19.254.102)  340 ms  320 ms  340 ms
15  csu-gw-2.UCC.ColoState.EDU (129.82.103.2)  310 ms  450 ms  310 ms
16  longs.lance.colostate.edu (129.82.109.16)  350 ms  330 ms  320 ms


WELL WHAT DOES THIS TELL US TECHNICALLY SO FAR... THERE
IS MOST LIKELY NO EFFECTIVE FIREWALL PROTECTION BETWEEN LD'S FAVORITE MACHINE
AND THE OUTSIDE WORLD AS TRACEROUTE USES UDP PROBES ON RANDOM PORTS.
NO INCOMING UDP BLOCKAGE GENERALLY INDICATES THE SECURITY
OF THAT MACHINE IS NOT DEPENDENT ON PROXY/PACKET FILTERING TYPE ROUTERS AND
 FIREWALLED DOMAINS

ADDITIONALLY A ISS LOG RUN VIA

iss -p 129.82.109.16

SHOWED THE FOLLOWING RESULTS :
  -->    Inet Sec Scanner Log By Christopher Klaus (C) 1993    <--
              Email: cklaus@hotsun.nersc.gov coup@gnu.ai.mit.edu
       ================================================================
Host 129.82.109.16, Port 11 opened. systat    udp/tcp    users
Host 129.82.109.16, Port 13 opened. daytime   udp/tcp 
Host 129.82.109.16, Port 17 opened. qotd      tcp        quote
Host 129.82.109.16, Port 21 opened. ftp       tcp          
Host 129.82.109.16, Port 23 opened. telnet    tcp
Host 129.82.109.16, Port 25 opened. smtp      tcp
Host 129.82.109.16, Port 37 opened. time      udp/tcp
Host 129.82.109.16, Port 53 opened. domain    udp/tcp
Host 129.82.109.16, Port 79 opened. finger    tcp
Host 129.82.109.16, Port 109 opened. pop-2      tcp Post Office Protocol
Host 129.82.109.16, Port 110 opened. pop-3 
Host 129.82.109.16, Port 111 opened. sunrpc   udp/tcp JACKPOT!!!!!! 
Host 129.82.109.16, Port 119 opened. nntp     tcp
Host 129.82.109.16, Port 210 opened. THIS ONE IS UNUSUAL? i shows closed by foreign host
Host 129.82.109.16, Port 512 opened. biff/exec udp/tcpf
Host 129.82.109.16, Port 513 opened. who/login  udp/ tcp 
Host 129.82.109.16, Port 514  ("shell" service) opened. syslog/shell  udp/tcp
Host 129.82.109.16, Port 515 opened. syslog/printer    udp/tcp
Host 129.82.109.16, Port 593 opened. refuses telnet(udp connection) research...
Host 129.82.109.16, Port 704 opened. accepts telnet connection(tcp) echos...
Host 129.82.109.16, Port 1024 opened. accepts telnet connection(tcp)
Host 129.82.109.16, Port 1025 opened. listener RFS remote_file_sharing
Host 129.82.109.16, Port 1031 opened.
Host 129.82.109.16, Port 1032 opened. tcp
Host 129.82.109.16, Port 1033 opened. not checked
Host 129.82.109.16, Port 1034 opened. not checked
Host 129.82.109.16, Port 1035 opened. not checked
Host 129.82.109.16, Port 1036 opened. not checked
Host 129.82.109.16, Port 5599 opened. not checked
Host 129.82.109.16, Port 6667 opened. not checked

THE SCAN WAS TERMINATED AT THIS POINT. IN THE ABOVE LIST
WE FIND SEVERAL GEMS THE BEST OF WHICH IS
SUNRPC   :)... so next of course

 rpcinfo -p longs.lance.colostate.edu
   program vers proto   port
    100004    2   udp   1029  ypserv
    100004    2   tcp   1024  ypserv
    100004    1   udp   1029  ypserv
    100004    1   tcp   1024  ypserv
    100007    2   tcp   1025  ypbind
    100007    2   udp   1038  ypbind
    100007    1   tcp   1025  ypbind
    100007    1   udp   1038  ypbind
    100005    1   udp   1071  mountd
    100005    1   tcp   1031  mountd
    100003    2   udp   2049  nfs
    100024    1   udp   1081  status
    100024    1   tcp   1032  status
    100008    1   udp   1087  walld
    100021    1   tcp   1033  nlockmgr
    100021    1   udp   1092  nlockmgr
    100021    3   tcp   1034  nlockmgr
    100021    3   udp   1096  nlockmgr
    100020    1   udp   1099  llockmgr
    100020    1   tcp   1035  llockmgr
    100021    2   tcp   1036  nlockmgr
    150001    1   udp   1127  pcnfsd
    300019    1   udp   1022
    200002    1   udp   1956


 whether running regular or secure RPC(the latter requires nfscrack
to crack the secret exponent) this machine is most likely a sparc or compatible
running a given version of SUNOS 4.1.X?(check HINFO if available.)
 a check should be made to see which network security patchs
have been applied to this host.

A probe of longs.lance.colostate.edu smtp port :
longs.lance.colostate.edu Sendmail 8.6.4/8.6.4 (LANCE 1.00) ready at xxx,xx2
 xxx xxxx xx:xx:xx -xxxx
220 ESMTP spoken here
VRFY ld231782
250 L. Detweiler <ld231782@longs.lance.colostate.edu>
EXPN ld231782
502 That's none of your business
quit
221 longs.lance.colostate.edu closing connection


OK SO FAR SO GOOD HIS MACHINE SHOWS A FAIRLY SECURE SMTP DAEMON.
EXAMINATION OF THAT REVISION AND SOURCE OF SENDMAIL IS
STILL UNDER QUESTION BECAUSE THE CURRENT VERSION 8.65 ADDS EVEN MORE SECURITY
PATCHES 
CHECKING FOR ANONYMOUS FTP WE FIND:



 Check for anonymous FTP service

connected to 129.82.109.16.
220 longs.lance.colostate.edu FTP server (Version 4.1 Sun Mar 25 22:59:11 EST 19
90) ready.
Name (129.82.109.16:root): anonymous
530 User anonymous unknown.
Login failed.
ftp> quit
500 'SYST': command not understood.
# ftp 129.82.109.16
Connected to 129.82.109.16.
220 longs.lance.colostate.edu FTP server (Version 4.1 Sun Mar 25 22:59:11 EST 19
90) ready.
Name (129.82.109.16:root): ftp
530 User ftp unknown.
Login failed.
ftp> quit
  -->    Inet Sec Scanner Log By Christopher Klaus (C) 1993    <--
              Email: cklaus@hotsun.nersc.gov coup@gnu.ai.mit.edu
       ================================================================
Host dolores.lance.colostate.edu, Port 11 opened.
Host dolores.lance.colostate.edu, Port 13 opened.
Host dolores.lance.colostate.edu, Port 17 opened.
Host dolores.lance.colostate.edu, Port 21 opened.
Host dolores.lance.colostate.edu, Port 23 opened.
Host dolores.lance.colostate.edu, Port 79 opened.
Host dolores.lance.colostate.edu, Port 111 opened.
Host dolores.lance.colostate.edu, Port 119 opened.
Host dolores.lance.colostate.edu, Port 512 opened.
Host dolores.lance.colostate.edu, Port 513 opened.
Host dolores.lance.colostate.edu, Port 514  ("shell" service) opened.
Host dolores.lance.colostate.edu, Port 515 opened.
Host dolores.lance.colostate.edu, Port 593 opened.
Host dolores.lance.colostate.edu, Port 704 opened.
Host dolores.lance.colostate.edu, Port 1041 opened.
Host dolores.lance.colostate.edu, Port 1045 opened.
Host dolores.lance.colostate.edu, Port 1046 opened.
Host dolores.lance.colostate.edu, Port 1047 opened.
Host dolores.lance.colostate.edu, Port 1048 opened.
Host dolores.lance.colostate.edu, Port 1049 opened.
Host dolores.lance.colostate.edu, Port 1999 opened.
Host dolores.lance.colostate.edu, Port 6000 opened.

Ooohhh this is a bad one Xwindows is in ALL likelihood
an OPEN DOOR...WE FIND THE SAME FOR keller.lance.colostate.edu
Host keller.lance.colostate.edu, Port 11 opened.
Host keller.lance.colostate.edu, Port 13 opened.
Host keller.lance.colostate.edu, Port 17 opened.
Host keller.lance.colostate.edu, Port 21 opened.
Host keller.lance.colostate.edu, Port 23 opened.
Host keller.lance.colostate.edu, Port 79 opened.
Host keller.lance.colostate.edu, Port 111 opened.
Host keller.lance.colostate.edu, Port 119 opened.
Host keller.lance.colostate.edu, Port 512 opened.
Host keller.lance.colostate.edu, Port 513 opened.
Host keller.lance.colostate.edu, Port 514  ("shell" service) opened.
Host keller.lance.colostate.edu, Port 515 opened.
Host keller.lance.colostate.edu, Port 593 opened.
Host keller.lance.colostate.edu, Port 704 opened.
Host keller.lance.colostate.edu, Port 1024 opened.
Host keller.lance.colostate.edu, Port 1025 opened.
Host keller.lance.colostate.edu, Port 1026 opened.
Host keller.lance.colostate.edu, Port 1027 opened.
Host keller.lance.colostate.edu, Port 1028 opened.
Host keller.lance.colostate.edu, Port 1029 opened.
Host keller.lance.colostate.edu, Port 1034 opened.
Host keller.lance.colostate.edu, Port 6000 opened.


k
 rpcinfo -p keller.lance.colostate.edu
   program vers proto   port
    100007    2   tcp   1024  ypbind
    100007    2   udp   1031  ypbind
    100007    1   tcp   1024  ypbind
    100007    1   udp   1031  ypbind
    100008    1   udp   1041  walld
    100024    1   udp   1045  status
    100024    1   tcp   1025  status
    100021    1   tcp   1026  nlockmgr
    100021    1   udp   1050  nlockmgr
    100021    3   tcp   1027  nlockmgr
    100021    3   udp   1054  nlockmgr
    100020    1   udp   1057  llockmgr
    100020    1   tcp   1028  llockmgr
    100021    2   tcp   1029  nlockmgr
    300019    1   udp   1023
 rpcinfo -p dolores.lance.colostate.edu
   program vers proto   port
    100007    2   tcp   1041  ypbind
    100007    2   udp   1050  ypbind
    100007    1   tcp   1041  ypbind
    100007    1   udp   1050  ypbind
    100008    1   udp   1067  walld
    100024    1   udp   1071  status
    100024    1   tcp   1045  status
    100021    1   tcp   1046  nlockmgr
    100021    1   udp   1076  nlockmgr
    100021    3   tcp   1047  nlockmgr
    100021    3   udp   1080  nlockmgr
    100020    1   udp   1083  llockmgr
    100020    1   tcp   1048  llockmgr
    100021    2   tcp   1049  nlockmgr
    300019    1   udp   1104





Thread