[lug] route add -host attacks

Harris, James James_Harris at maxtor.com
Thu Nov 15 10:04:29 MST 2001


May I stray from the original intent of this post and make a recommendation:
disable sunrpc if you don't need it.  It has a history of known exploits and
it's definitely at the top of hackers' and script kiddies' lists to try.

NFS is the only service that _I_ know of that requires it (but I'm _sure_
there are others).  If you're not using NFS, try disabling it completely and
see if it has any effect on your system.

My two cents...

-----Original Message-----
From: D. Stimits [mailto:stimits at idcomm.com] 
Sent: Wednesday, November 14, 2001 21:55
To: lug at lug.boulder.co.us
Subject: Re: [lug] route add -host attacks


Jeff wrote:
> 
> Dunno.  I'm also on the AT&T network.  I don't seem to have this 
> problem.  Just to be sure, I checked my message logs for the 
> following: 211.23.141.22 attackalert
> primatex
> "/sbin/route"
> 
> And came up blank.  Possible hack?  Port 111 is Sun RPC.  Not totally 
> sure what that does, but you may want to consider rebuilding the route 
> table.  Have you tried route or route -n ? What are the results?  Does 
> the below ip show up?  If so you may have a problem.  If not...
> 
> $0.02
> Jeff
> 
> Warren Sanders wrote:
> >
> > Anyone know anything about a known virus or other wrappers adding 
> > hosts to your route table?  Earlier this week I asked about my 
> > corrupt route table but no reply.  I now have found (after hacking 
> > away at my machine daily) several entries in my messages log:
> >
> > Nov 14 13:50:06 Sandman portsentry[11928]: attackalert: SYN/Normal scan from host: ms1.primatex.com.tw/211.23.141.22 to TCP port: 111
> > Nov 14 13:50:06 Sandman portsentry[11928]: attackalert: Host 211.23.141.22 has been blocked via wrappers with string: "ALL: 211.23.141.22"
> > Nov 14 13:50:06 Sandman portsentry[11928]: attackalert: Host 211.23.141.22 has been blocked via dropped route using command: "/sbin/route add -host 211.23.141.22 gw 127.0.0.1"

I don't use portsentry, but it seems to be a defensive reaction. Port scans
on 111 are common (used for many favorite attacks), but you don't see the
routes as adding these hosts; it appears to be removing them from routing.
There are times I've heard of people with portsentry finding that it was too
aggressive, and blocked something that wasn't intended to be blocked. If
someone finds a way to spoof and get portsentry to block a machine from too
many addresses, you could call this a denial of service attack. I have no
doubt that scans through port 111 are malicious in most cases, but it seems
like these log messages are just portsentry using routing as a defense
mechanism. Does anyone here use portsentry, and can you confirm whether
portsentry can be configured to block routes on purpose?

D. Stimits, stimits at idcomm.com

> >
> > I have been getting these since mid-October, and it seems to take a 
> > couple of weeks to kill your route table.
> >
> > BTW: I'm on the @home network.
> >
> > --
> > Warren Sanders
> > http://MontanaLinux.Org
> >
> > _______________________________________________
> > Web Page:  http://lug.boulder.co.us
> > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> 
> --
> "Yet they are mistaken, they will be exposed, and they will discover 
> what others in the past have learned;  Those who make war against the 
> United States have chosen their own destruction."
> G. Bush Jr.  Sept '01


