To the WORM Detweiller

THE FOLLOWING SHOULD REALLY TURN YOU ON...

Escape character is '^]'.
220 ntupub.ntu.edu Sendmail 5.65/DEC-Ultrix/4.3 ready at Sun, 23 Jan 1994 02:01:06 -0700
vrfy ld231782
550 ld231782... User Unknown
vrfy detweiler
550 detweiler... User Unknown
verify larry
500 Command unrecognized
vrfy larry
252 <larry> is an alias
expn larry
250 <larry@ntuvax.ntu.edu>
quit
221 ntupub.ntu.edu closing connection

THIS SENDMAIL 5.65 IS POSSIBLY VULNERABLE TO THE SENDMAIL HOLE RECENTLY FOUND, AND A SCRIPT WITH WHICH TO PENETRATE IT CAN BE FOUND IN THE bugtraq ARCHIVE.

Connection closed by foreign host.

# finger larry@ntuvax.ntu.edu
[ntuvax.ntu.edu]
connect: Connection refused

this is a somewhat paranoid host, so we look at it BUT netfind SEEKS ROTWEILER OUT

SYSTEM: ntupub.ntu.edu
Login name: larry                       In real life: LArry Detweiller
Directory: /users/NTU/larry             Shell: /bin/csh
Last login Fri Jan 21 16:14 on tty02 from LARRY
Project: What am I working on?
No Plan.

checking one of the upstream ips from this we find

Trying 192.52.106.4...
Connected to 192.52.106.4.
Escape character is '^]'.

This is the cisco gateway at NCAR for Westnet.
Configuration loaded from windom.UCAR.EDU:/tftpboot/ncar-gw-confg.
User Access Verification
Password:

Traceroute logs follow

 4  cix-west2.cix.net (149.20.3.3)  290 ms  300 ms  330 ms
 5  ans.cix.net (149.20.5.2)  320 ms  320 ms  310 ms
 6  en-0.San-Francisco-cnss11.t3.ans.net (192.103.60.5)  310 ms  320 ms  330 ms
 7  mf-0.San-Francisco-cnss8.t3.ans.net (140.222.8.222)  310 ms  310 ms  320 ms
 8  t3-1.Seattle-cnss88.t3.ans.net (140.222.88.2)  330 ms  290 ms  320 ms
 9  t3-0.Denver-cnss96.t3.ans.net (140.222.96.1)  340 ms  320 ms  330 ms
10  mf-0.Denver-cnss97.t3.ans.net (140.222.96.193)  330 ms  300 ms  320 ms
11  t3-0.enss141.t3.ans.net (140.222.141.1)  330 ms  330 ms  320 ms
12  cu-gw.ucar.edu (192.52.106.4)  320 ms  310 ms  330 ms
13  ucb-ncar.CO.westnet.net (129.19.254.46)  320 ms  310 ms  cu2-ncar2.CO.westnet.net (129.19.248.62)  370 ms
14  csu-ucb.CO.westnet.net (129.19.254.102)  320 ms  310 ms  330 ms
15  csu-gw-2.UCC.ColoState.EDU (129.82.103.2)  320 ms  310 ms  330 ms
16  middle.lance.colostate.edu (129.82.109.2)  320 ms  330 ms  330 ms
17  dolores.lance.colostate.edu (129.82.112.18)  330 ms  330 ms  300 ms

 4  cix-west2.cix.net (149.20.3.3)  310 ms  310 ms  310 ms
 5  ans.cix.net (149.20.5.2)  310 ms  300 ms  300 ms
 6  en-0.San-Francisco-cnss11.t3.ans.net (192.103.60.5)  310 ms  320 ms  390 ms
 7  mf-0.San-Francisco-cnss8.t3.ans.net (140.222.8.222)  300 ms  300 ms  310 ms
 8  t3-1.Seattle-cnss88.t3.ans.net (140.222.88.2)  320 ms  310 ms  310 ms
 9  t3-0.Denver-cnss96.t3.ans.net (140.222.96.1)  320 ms  340 ms  330 ms
10  mf-0.Denver-cnss97.t3.ans.net (140.222.96.193)  350 ms  300 ms  310 ms
11  t3-0.enss141.t3.ans.net (140.222.141.1)  320 ms  320 ms  310 ms
12  cu-gw.ucar.edu (192.52.106.4)  330 ms  310 ms  310 ms
13  cu2-ncar2.CO.westnet.net (129.19.248.62)  340 ms  ucb-ncar.CO.westnet.net (129.19.254.46)  320 ms  300 ms
14  csu-ucb.CO.westnet.net (129.19.254.102)  320 ms  330 ms  320 ms
15  csu-gw-2.UCC.ColoState.EDU (129.82.103.2)  320 ms  330 ms  330 ms
16  middle.lance.colostate.edu (129.82.109.2)  340 ms  310 ms  420 ms
17  keller.lance.colostate.edu (129.82.112.41)  320 ms  330 ms  330 ms

 4  cix-west2.cix.net (149.20.3.3)  310 ms  330 ms  350 ms
 5  ans.cix.net (149.20.5.2)  340 ms  340 ms  330 ms
 6  en-0.San-Francisco-cnss11.t3.ans.net (192.103.60.5)  330 ms  300 ms  280 ms
 7  mf-0.San-Francisco-cnss8.t3.ans.net (140.222.8.222)  340 ms  300 ms  280 ms
 8  t3-1.Seattle-cnss88.t3.ans.net (140.222.88.2)  340 ms  290 ms  350 ms
 9  t3-0.Denver-cnss96.t3.ans.net (140.222.96.1)  330 ms  320 ms  310 ms
10  mf-0.Denver-cnss97.t3.ans.net (140.222.96.193)  350 ms  320 ms  330 ms
11  t3-0.enss141.t3.ans.net (140.222.141.1)  340 ms  340 ms  310 ms
12  cu-gw.ucar.edu (192.52.106.4)  330 ms  320 ms  300 ms
13  cu2-ncar2.CO.westnet.net (129.19.248.62)  350 ms  320 ms  320 ms
14  csu-ucb.CO.westnet.net (129.19.254.102)  330 ms  320 ms  320 ms
15  ntu-csu.CO.westnet.net (129.19.254.82)  360 ms  330 ms  330 ms
16  192.65.141.15 (192.65.141.15)  350 ms  340 ms  350 ms

JUST DOING SOME RESEARCH VIA NIC WE FIND THAT THE MACHINE

Non-authoritative answer:
Name:    longs.lance.colostate.edu
Address:  129.82.109.16
set type=mx
longs.lance.colostate.edu

longs.lance.colostate.edu       preference = 0, mail exchanger = longs.lance.colostate.edu
longs.lance.colostate.edu       preference = 10, mail exchanger = yuma.acns.colostate.edu
longs.lance.colostate.edu       internet address = 129.82.109.16
yuma.acns.colostate.edu         internet address = 129.82.100.64
acns.colostate.EDU              nameserver = yuma.acns.ColoState.EDU
acns.colostate.EDU              nameserver = lamar.ColoState.EDU
yuma.ACNS.ColoState.EDU         internet address = 129.82.100.64
lamar.ColoState.EDU             internet address = 129.82.103.75
lamar.ColoState.EDU             preference = 10, mail exchanger = lamar.ColoState.EDU
lamar.ColoState.EDU             preference = 20, mail exchanger = yuma.ACNS.ColoState.EDU
lamar.ColoState.EDU             internet address = 129.82.103.75
yuma.ACNS.ColoState.EDU         internet address = 129.82.100.64

and a traceroute to LD's favorite posting machine dolores.lance.colostate.edu

;; flags: qr rd ra ; Ques: 1, Ans: 1, Auth: 2, Addit: 2
;; QUESTIONS:
;;      dolores.lance.colostate.edu, type = A, class = IN
;; ANSWERS:
dolores.lance.colostate.edu.    86298   A       129.82.112.18
;; AUTHORITY RECORDS:
lance.colostate.EDU.    44453   NS      yuma.acns.ColoState.EDU.
lance.colostate.EDU.    44453   NS      lamar.ColoState.EDU.
;; ADDITIONAL RECORDS:
yuma.acns.ColoState.EDU.        160860  A       129.82.100.64
lamar.ColoState.EDU.    160860  A       129.82.103.75
;; Sent 1 pkts, answer found in time: 10 msec
;; MSG SIZE  sent: 45  rcvd: 166

dig type=mx keller.lance.colostate.edu

; <<>> DiG 2.0 <<>> type=mx keller.lance.colostate.edu
;; ->>HEADER<<- opcode: QUERY , status: NOERROR, id: 6
;; flags: qr aa rd ra ; Ques: 1, Ans: 1, Auth: 0, Addit: 0
;; QUESTIONS:
;;      keller.lance.colostate.edu, type = A, class = IN
;; ANSWERS:
keller.lance.colostate.edu.     86400   A       129.82.112.41
;; Sent 1 pkts, answer found in time: 470 msec
;; MSG SIZE  sent: 44  rcvd: 60

from 4. Note also I didn't query intervening routers and hosts for information. Upstream hosts and/or routers may also be compromisable...
 4  cix-west2.cix.net (149.20.3.3)  310 ms  260 ms  290 ms
 5  ans.cix.net (149.20.5.2)  280 ms  280 ms  280 ms
 6  en-0.San-Francisco-cnss11.t3.ans.net (192.103.60.5)  270 ms  290 ms  270 ms
 7  mf-0.San-Francisco-cnss8.t3.ans.net (140.222.8.222)  280 ms  320 ms  290 ms
 8  t3-1.Seattle-cnss88.t3.ans.net (140.222.88.2)  300 ms  290 ms  300 ms
 9  t3-0.Denver-cnss96.t3.ans.net (140.222.96.1)  310 ms  300 ms  310 ms
10  mf-0.Denver-cnss97.t3.ans.net (140.222.96.193)  310 ms  290 ms  310 ms
11  t3-0.enss141.t3.ans.net (140.222.141.1)  300 ms  300 ms  310 ms
12  cu-gw.ucar.edu (192.52.106.4)  300 ms  410 ms  310 ms
13  ucb-ncar.CO.westnet.net (129.19.254.46)  310 ms  129.19.248.62 (129.19.248.62)  320 ms  330 ms
14  csu-ucb.CO.westnet.net (129.19.254.102)  340 ms  320 ms  340 ms
15  csu-gw-2.UCC.ColoState.EDU (129.82.103.2)  310 ms  450 ms  310 ms
16  longs.lance.colostate.edu (129.82.109.16)  350 ms  330 ms  320 ms

WELL, WHAT DOES THIS TELL US TECHNICALLY SO FAR... THERE IS MOST LIKELY NO EFFECTIVE FIREWALL PROTECTION BETWEEN LD'S FAVORITE MACHINE AND THE OUTSIDE WORLD, AS TRACEROUTE USES UDP PROBES ON RANDOM PORTS. NO INCOMING UDP BLOCKAGE GENERALLY INDICATES THE SECURITY OF THAT MACHINE IS NOT DEPENDENT ON PROXY/PACKET-FILTERING TYPE ROUTERS AND FIREWALLED DOMAINS.

ADDITIONALLY, AN ISS LOG RUN VIA iss -p 129.82.109.16 SHOWED THE FOLLOWING RESULTS:

--> Inet Sec Scanner Log By Christopher Klaus (C) 1993 <--
Email: cklaus@hotsun.nersc.gov   coup@gnu.ai.mit.edu
================================================================
Host 129.82.109.16, Port 11 opened.     systat udp/tcp users
Host 129.82.109.16, Port 13 opened.     daytime udp/tcp
Host 129.82.109.16, Port 17 opened.     qotd tcp quote
Host 129.82.109.16, Port 21 opened.     ftp tcp
Host 129.82.109.16, Port 23 opened.     telnet tcp
Host 129.82.109.16, Port 25 opened.     smtp tcp
Host 129.82.109.16, Port 37 opened.     time udp/tcp
Host 129.82.109.16, Port 53 opened.     domain udp/tcp
Host 129.82.109.16, Port 79 opened.     finger tcp
Host 129.82.109.16, Port 109 opened.    pop-2 tcp Post Office Protocol
Host 129.82.109.16, Port 110 opened.    pop-3
Host 129.82.109.16, Port 111 opened.    sunrpc udp/tcp  JACKPOT!!!!!!
Host 129.82.109.16, Port 119 opened.    nntp tcp
Host 129.82.109.16, Port 210 opened.    THIS ONE IS UNUSUAL? it shows closed by foreign host
Host 129.82.109.16, Port 512 opened.    biff/exec udp/tcp
Host 129.82.109.16, Port 513 opened.    who/login udp/tcp
Host 129.82.109.16, Port 514 ("shell" service) opened.    syslog/shell udp/tcp
Host 129.82.109.16, Port 515 opened.    syslog/printer udp/tcp
Host 129.82.109.16, Port 593 opened.    refuses telnet (udp connection) research...
Host 129.82.109.16, Port 704 opened.    accepts telnet connection (tcp) echoes...
Host 129.82.109.16, Port 1024 opened.   accepts telnet connection (tcp)
Host 129.82.109.16, Port 1025 opened.   listener RFS remote_file_sharing
Host 129.82.109.16, Port 1031 opened.
Host 129.82.109.16, Port 1032 opened.   tcp
Host 129.82.109.16, Port 1033 opened.   not checked
Host 129.82.109.16, Port 1034 opened.   not checked
Host 129.82.109.16, Port 1035 opened.   not checked
Host 129.82.109.16, Port 1036 opened.   not checked
Host 129.82.109.16, Port 5599 opened.   not checked
Host 129.82.109.16, Port 6667 opened.   not checked

THE SCAN WAS TERMINATED AT THIS POINT. IN THE ABOVE LIST WE FIND SEVERAL GEMS, THE BEST OF WHICH IS SUNRPC :)...
so next of course

rpcinfo -p longs.lance.colostate.edu
   program vers proto   port
    100004    2   udp   1029  ypserv
    100004    2   tcp   1024  ypserv
    100004    1   udp   1029  ypserv
    100004    1   tcp   1024  ypserv
    100007    2   tcp   1025  ypbind
    100007    2   udp   1038  ypbind
    100007    1   tcp   1025  ypbind
    100007    1   udp   1038  ypbind
    100005    1   udp   1071  mountd
    100005    1   tcp   1031  mountd
    100003    2   udp   2049  nfs
    100024    1   udp   1081  status
    100024    1   tcp   1032  status
    100008    1   udp   1087  walld
    100021    1   tcp   1033  nlockmgr
    100021    1   udp   1092  nlockmgr
    100021    3   tcp   1034  nlockmgr
    100021    3   udp   1096  nlockmgr
    100020    1   udp   1099  llockmgr
    100020    1   tcp   1035  llockmgr
    100021    2   tcp   1036  nlockmgr
    150001    1   udp   1127  pcnfsd
    300019    1   udp   1022
    200002    1   udp   1956

whether running regular or secure RPC (the latter requires nfscrack to crack the secret exponent), this machine is most likely a sparc or compatible running a given version of SUNOS 4.1.X? (check HINFO if available.) a check should be made to see which network security patches have been applied to this host.

A probe of longs.lance.colostate.edu smtp port:

longs.lance.colostate.edu Sendmail 8.6.4/8.6.4 (LANCE 1.00) ready at xxx,xx2 xxx xxxx xx:xx:xx -xxxx
220 ESMTP spoken here
VRFY ld231782
250 L. Detweiler <ld231782@longs.lance.colostate.edu>
EXPN ld231782
502 That's none of your business
quit
221 longs.lance.colostate.edu closing connection

OK, SO FAR SO GOOD. HIS MACHINE SHOWS A FAIRLY SECURE SMTP DAEMON. EXAMINATION OF THAT REVISION AND SOURCE OF SENDMAIL IS STILL UNDER QUESTION BECAUSE THE CURRENT VERSION 8.65 ADDS EVEN MORE SECURITY PATCHES.

CHECKING FOR ANONYMOUS FTP WE FIND:

Check for anonymous FTP service
connected to 129.82.109.16.
220 longs.lance.colostate.edu FTP server (Version 4.1 Sun Mar 25 22:59:11 EST 1990) ready.
Name (129.82.109.16:root): anonymous
530 User anonymous unknown.
Login failed.
ftp> quit
500 'SYST': command not understood.

# ftp 129.82.109.16
Connected to 129.82.109.16.
220 longs.lance.colostate.edu FTP server (Version 4.1 Sun Mar 25 22:59:11 EST 1990) ready.
Name (129.82.109.16:root): ftp
530 User ftp unknown.
Login failed.
ftp> quit

--> Inet Sec Scanner Log By Christopher Klaus (C) 1993 <--
Email: cklaus@hotsun.nersc.gov   coup@gnu.ai.mit.edu
================================================================
Host dolores.lance.colostate.edu, Port 11 opened.
Host dolores.lance.colostate.edu, Port 13 opened.
Host dolores.lance.colostate.edu, Port 17 opened.
Host dolores.lance.colostate.edu, Port 21 opened.
Host dolores.lance.colostate.edu, Port 23 opened.
Host dolores.lance.colostate.edu, Port 79 opened.
Host dolores.lance.colostate.edu, Port 111 opened.
Host dolores.lance.colostate.edu, Port 119 opened.
Host dolores.lance.colostate.edu, Port 512 opened.
Host dolores.lance.colostate.edu, Port 513 opened.
Host dolores.lance.colostate.edu, Port 514 ("shell" service) opened.
Host dolores.lance.colostate.edu, Port 515 opened.
Host dolores.lance.colostate.edu, Port 593 opened.
Host dolores.lance.colostate.edu, Port 704 opened.
Host dolores.lance.colostate.edu, Port 1041 opened.
Host dolores.lance.colostate.edu, Port 1045 opened.
Host dolores.lance.colostate.edu, Port 1046 opened.
Host dolores.lance.colostate.edu, Port 1047 opened.
Host dolores.lance.colostate.edu, Port 1048 opened.
Host dolores.lance.colostate.edu, Port 1049 opened.
Host dolores.lance.colostate.edu, Port 1999 opened.
Host dolores.lance.colostate.edu, Port 6000 opened.

Ooohhh, this is a bad one. Xwindows is in ALL likelihood an OPEN DOOR... WE FIND THE SAME FOR keller.lance.colostate.edu

Host keller.lance.colostate.edu, Port 11 opened.
Host keller.lance.colostate.edu, Port 13 opened.
Host keller.lance.colostate.edu, Port 17 opened.
Host keller.lance.colostate.edu, Port 21 opened.
Host keller.lance.colostate.edu, Port 23 opened.
Host keller.lance.colostate.edu, Port 79 opened.
Host keller.lance.colostate.edu, Port 111 opened.
Host keller.lance.colostate.edu, Port 119 opened.
Host keller.lance.colostate.edu, Port 512 opened.
Host keller.lance.colostate.edu, Port 513 opened.
Host keller.lance.colostate.edu, Port 514 ("shell" service) opened.
Host keller.lance.colostate.edu, Port 515 opened.
Host keller.lance.colostate.edu, Port 593 opened.
Host keller.lance.colostate.edu, Port 704 opened.
Host keller.lance.colostate.edu, Port 1024 opened.
Host keller.lance.colostate.edu, Port 1025 opened.
Host keller.lance.colostate.edu, Port 1026 opened.
Host keller.lance.colostate.edu, Port 1027 opened.
Host keller.lance.colostate.edu, Port 1028 opened.
Host keller.lance.colostate.edu, Port 1029 opened.
Host keller.lance.colostate.edu, Port 1034 opened.
Host keller.lance.colostate.edu, Port 6000 opened.

rpcinfo -p keller.lance.colostate.edu
   program vers proto   port
    100007    2   tcp   1024  ypbind
    100007    2   udp   1031  ypbind
    100007    1   tcp   1024  ypbind
    100007    1   udp   1031  ypbind
    100008    1   udp   1041  walld
    100024    1   udp   1045  status
    100024    1   tcp   1025  status
    100021    1   tcp   1026  nlockmgr
    100021    1   udp   1050  nlockmgr
    100021    3   tcp   1027  nlockmgr
    100021    3   udp   1054  nlockmgr
    100020    1   udp   1057  llockmgr
    100020    1   tcp   1028  llockmgr
    100021    2   tcp   1029  nlockmgr
    300019    1   udp   1023

rpcinfo -p dolores.lance.colostate.edu
   program vers proto   port
    100007    2   tcp   1041  ypbind
    100007    2   udp   1050  ypbind
    100007    1   tcp   1041  ypbind
    100007    1   udp   1050  ypbind
    100008    1   udp   1067  walld
    100024    1   udp   1071  status
    100024    1   tcp   1045  status
    100021    1   tcp   1046  nlockmgr
    100021    1   udp   1076  nlockmgr
    100021    3   tcp   1047  nlockmgr
    100021    3   udp   1080  nlockmgr
    100020    1   udp   1083  llockmgr
    100020    1   tcp   1048  llockmgr
    100021    2   tcp   1049  nlockmgr
    300019    1   udp   1104
participants (1)
-
nobody@shell.portal.com
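The VRFY/EXPN dialogue the post runs against the two sendmails (the Ultrix 5.65 that expands the larry alias, and the 8.6.4 on longs that answers VRFY but refuses EXPN with "That's none of your business") is shown below as an added Python example. It is not code from the original post or from sendmail: the in-memory server is a constructed stand-in whose privacy set imitates sendmail's novrfy/noexpn PrivacyOptions, and every hostname, account and alias in it is an assumption chosen for illustration. The client side records both sides of the exchange so the transcript can be compared with the one in the post.

```python
"""VRFY/EXPN user enumeration against a simulated sendmail-style server.

Added example, not part of the original post. Hostnames, users and aliases
below are constructed for illustration; the server is a stand-in, not sendmail.
"""

from dataclasses import dataclass, field


@dataclass
class FakeSmtpServer:
    """Answers only the verbs an enumeration probe sends.

    privacy imitates sendmail PrivacyOptions: empty answers everything,
    'novrfy' refuses VRFY with a 252, 'noexpn' refuses EXPN with a 502.
    """
    hostname: str
    users: dict                     # login -> full name
    aliases: dict                   # alias -> list of expansion addresses
    privacy: set = field(default_factory=set)
    transcript: list = field(default_factory=list)

    def handle(self, line):
        self.transcript.append("C: " + line)
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "VRFY":
            if "novrfy" in self.privacy:
                reply = "252 Cannot VRFY user; try RCPT to attempt delivery"
            elif arg in self.users:
                reply = f"250 {self.users[arg]} <{arg}@{self.hostname}>"
            elif arg in self.aliases:
                reply = f"252 <{arg}> is an alias"
            else:
                reply = f"550 {arg}... User unknown"
        elif verb == "EXPN":
            if "noexpn" in self.privacy:
                reply = "502 That's none of your business"
            elif arg in self.aliases:
                reply = "250 " + ", ".join(f"<{a}>" for a in self.aliases[arg])
            elif arg in self.users:
                reply = f"250 {self.users[arg]} <{arg}@{self.hostname}>"
            else:
                reply = f"550 {arg}... User unknown"
        elif verb == "QUIT":
            reply = f"221 {self.hostname} closing connection"
        else:
            reply = "500 Command unrecognized"
        self.transcript.append("S: " + reply)
        return reply


def enumerate_users(server, candidates):
    """VRFY each candidate, then EXPN the ones that exist.

    Returns {name: {"kind": ..., "vrfy": reply, "expn": reply or None}} with
    kind in 'user', 'alias', 'unknown', 'refused'.  An EXPN that the server
    refuses leaves "expn" as None, which is exactly the 8.6.x behaviour in
    the post: VRFY still confirms the mailbox, EXPN gives nothing.
    """
    results = {}
    for name in candidates:
        vrfy = server.handle(f"VRFY {name}")
        code = vrfy[:3]
        if code == "550":
            results[name] = {"kind": "unknown", "vrfy": vrfy, "expn": None}
            continue
        if code == "252" and "alias" not in vrfy:
            # novrfy-style 252: the server will not say whether the name exists.
            results[name] = {"kind": "refused", "vrfy": vrfy, "expn": None}
            continue
        # 250 = real mailbox, 252 '... is an alias' = alias: ask where it delivers.
        expn = server.handle(f"EXPN {name}")
        results[name] = {
            "kind": "alias" if code == "252" else "user",
            "vrfy": vrfy,
            "expn": expn if expn.startswith("250") else None,
        }
    server.handle("QUIT")
    return results


if __name__ == "__main__":
    open_srv = FakeSmtpServer("ntupub.example", {"bob": "Bob Example"},
                              {"larry": ["larry@ntuvax.example"]})
    for name, r in enumerate_users(open_srv, ["ld231782", "larry", "bob"]).items():
        print(name, r["kind"], r["expn"])
    print("\n".join(open_srv.transcript))
```

The distinction that matters for a defender is visible in the return value: with an empty privacy set the alias expands to its real delivery address; with noexpn the mailbox is still confirmed by VRFY; only novrfy plus noexpn (sendmail's goaway) makes every candidate come back as refused, at which point enumeration has to fall back to RCPT TO probing.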
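The step a reviewer would take after the rpcinfo -p and ISS output for longs.lance.colostate.edu, as an added Python example that is not part of the original post: parse the portmapper listing, correlate it with the scanner's open-port list, and emit triage notes. The rpcinfo listing and port list embedded below are copied from the post as sample input; the risk notes, the handling of unnamed program numbers, and the correlation logic are this example's own and not output of iss or rpcinfo. One thing the post's annotations get wrong becomes obvious from the correlation: the high ports the scanner reports as "not checked" or guesses at (1024 "accepts telnet", 1025 "RFS") are the dynamically assigned TCP registrations of ypserv, ypbind, mountd, status and the lock managers, not separate daemons.

```python
"""Correlate `rpcinfo -p` output with a port scan and emit review findings.

Added example, not part of the original post. Sample input below is the
longs.lance.colostate.edu listing from the post; notes are the reviewer's own.
"""

import re
from collections import defaultdict

RPCINFO_SAMPLE = """\
   program vers proto   port
    100004    2   udp   1029  ypserv
    100004    2   tcp   1024  ypserv
    100004    1   udp   1029  ypserv
    100004    1   tcp   1024  ypserv
    100007    2   tcp   1025  ypbind
    100007    2   udp   1038  ypbind
    100007    1   tcp   1025  ypbind
    100007    1   udp   1038  ypbind
    100005    1   udp   1071  mountd
    100005    1   tcp   1031  mountd
    100003    2   udp   2049  nfs
    100024    1   udp   1081  status
    100024    1   tcp   1032  status
    100008    1   udp   1087  walld
    100021    1   tcp   1033  nlockmgr
    100021    1   udp   1092  nlockmgr
    100021    3   tcp   1034  nlockmgr
    100021    3   udp   1096  nlockmgr
    100020    1   udp   1099  llockmgr
    100020    1   tcp   1035  llockmgr
    100021    2   tcp   1036  nlockmgr
    150001    1   udp   1127  pcnfsd
    300019    1   udp   1022
    200002    1   udp   1956
"""

# TCP ports the scanner reported open on the same host (from the post).
SCAN_SAMPLE = [11, 13, 17, 21, 23, 25, 37, 53, 79, 109, 110, 111, 119, 210,
               512, 513, 514, 515, 593, 704, 1024, 1025, 1031, 1032, 1033,
               1034, 1035, 1036, 5599, 6667]

# Reviewer's notes keyed by RPC program number (program numbers and names as
# printed by rpcinfo itself; the notes are this example's, not the scanner's).
RPC_NOTES = {
    100003: "nfs: exports reachable from off-site; review /etc/exports, filter 2049 at the border",
    100004: "ypserv: NIS maps (passwd, hosts) served to any client that knows the domain name",
    100005: "mountd: run showmount -e and check which hosts each export is restricted to",
    100008: "walld: rwall lets remote users write to every logged-in terminal",
    150001: "pcnfsd: PC-NFS authentication daemon; confirm vendor patch level",
}

# Reviewer's notes keyed by well-known TCP port.
PORT_NOTES = {
    111: "portmapper answers rpcinfo -p from anywhere; filter or wrap it",
    512: "rexec: cleartext password authentication",
    513: "rlogin: host trust via /etc/hosts.equiv and ~/.rhosts",
    514: "rsh: same trust model as rlogin, no password at all",
    6000: "X11: with xhost + any host can read keystrokes and the screen",
}

RPC_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(udp|tcp)\s+(\d+)\s*(\S*)\s*$")


def parse_rpcinfo(text):
    """Parse `rpcinfo -p` output into (program, version, proto, port, name) rows."""
    rows = []
    for line in text.splitlines():
        m = RPC_LINE.match(line)
        if m:
            prog, vers, proto, port, name = m.groups()
            rows.append((int(prog), int(vers), proto, int(port), name))
    return rows


def explain_ports(rows, open_ports):
    """Map each open TCP port to the RPC service registered on it, else None."""
    tcp_regs = {port: name for _, _, proto, port, name in rows if proto == "tcp"}
    return {p: tcp_regs.get(p) for p in open_ports}


def triage(rows, open_ports):
    """Return findings as (kind, identifier, note); kind is 'rpc' or 'tcp'."""
    findings = []
    names = defaultdict(set)
    for prog, _, _, _, name in rows:
        if name:
            names[prog].add(name)
    for prog in sorted({r[0] for r in rows}):
        if prog in RPC_NOTES:
            findings.append(("rpc", prog, RPC_NOTES[prog]))
        elif not names[prog]:
            # rpcinfo prints no name when the number is absent from /etc/rpc;
            # identify it before treating it as benign.
            findings.append(("rpc", prog, "unnamed program number; identify before treating as benign"))
    for port in open_ports:
        if port in PORT_NOTES:
            findings.append(("tcp", port, PORT_NOTES[port]))
    return findings


if __name__ == "__main__":
    rows = parse_rpcinfo(RPCINFO_SAMPLE)
    for port, svc in explain_ports(rows, SCAN_SAMPLE).items():
        if svc:
            print(f"tcp/{port} is the portmapper registration for {svc}")
    for kind, ident, note in triage(rows, SCAN_SAMPLE):
        print(f"{kind} {ident}: {note}")
```

Run against the dolores and keller listings in the post, the same code maps their 104x and 102x ports to ypbind, status and the lock managers, and adds the port 6000 X11 note that the longs scan lacks.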