Time for Mucman to kick some arse!!! (Mucman's losing)

Mucman

Diamond Member
Oct 10, 1999
Last week a client of ours got a machine hacked. They went from their normal 1G of traffic a day, to 40GB a day! Considering that we charge for bandwidth, this is going to be an expensive lesson for them. We blocked the IP of the hacked box and now today, I see they have been hacked again!!! Now the entire class C has been entered into several blacklists and other customers in that IP range are getting blocked.

I phoned the guy to notify him that he got hacked again... He was completely unaware of how they got in again.... Here's a port scan I did on his machine from home:

(The 1578 ports scanned but not shown below are in state: closed)
Port State Service
7/tcp open echo
9/tcp open discard
13/tcp open daytime
17/tcp open qotd
19/tcp open chargen
21/tcp open ftp
42/tcp open nameserver
53/tcp open domain
80/tcp open http
113/tcp open auth
135/tcp open loc-srv
139/tcp open netbios-ssn
443/tcp open https
515/tcp open printer
548/tcp open afpovertcp
1025/tcp open NFS-or-IIS
1027/tcp open IIS
1033/tcp open netinfo
1433/tcp open ms-sql-s
3372/tcp open msdtc
3389/tcp open ms-term-serv
6666/tcp open irc-serv
7007/tcp open afs3-bos

I asked if he was running a firewall (obviously not). He asked for my suggestions. I told him that he should set up some box running some form of BSD and a firewall filter like ipfw, ipf, or pf... He had no clue what I was talking about. I then asked for the head computer tech for the company and I got the dreaded response "I am!". DOH

Just thought some of you might enjoy this mini rant :)
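The scan listing above is a good exercise in triage from the defender's side: of 23 open ports, only a handful belong on an Internet-facing host, and the rest are what the recommended packet filter should be dropping. The following Python is an added example written for this page (not the poster's code); it parses nmap-style "port/proto state service" lines, applies an assumed allowlist of what a public web/FTP/DNS host needs (21, 53, 80, 443), and groups everything else by the reason a defender should care. The risk categories are assumptions of mine, and note that nmap's service column is a port-number lookup, not a fingerprint, so "afs3-bos" on 7007 only tells you that port 7007 is open.

```python
import re
from collections import defaultdict

# The listing from the post above, embedded so the script runs offline.
SCAN_OUTPUT = """\
7/tcp open echo
9/tcp open discard
13/tcp open daytime
17/tcp open qotd
19/tcp open chargen
21/tcp open ftp
42/tcp open nameserver
53/tcp open domain
80/tcp open http
113/tcp open auth
135/tcp open loc-srv
139/tcp open netbios-ssn
443/tcp open https
515/tcp open printer
548/tcp open afpovertcp
1025/tcp open NFS-or-IIS
1027/tcp open IIS
1033/tcp open netinfo
1433/tcp open ms-sql-s
3372/tcp open msdtc
3389/tcp open ms-term-serv
6666/tcp open irc-serv
7007/tcp open afs3-bos
"""

LINE_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)$")


def parse_scan(text):
    """Return a list of (port, proto, state, service) tuples, skipping header/noise lines."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((int(m["port"]), m["proto"], m["state"], m["service"]))
    return rows


# Assumed policy for a public web/FTP/DNS host: only these should answer Internet clients.
# Everything else belongs behind the packet filter the poster recommends.
EXPECTED_PUBLIC = {21, 53, 80, 443}

# Assumed triage categories (mine, not the poster's); ports not listed here are simply
# "unexpected" and need the listening process identified on the host.
RISK = {
    "legacy simple-TCP services (echo/discard/daytime/qotd/chargen)": {7, 9, 13, 17, 19},
    "Windows RPC/NetBIOS exposed": {135, 139},
    "database listener exposed": {1433},
    "remote admin/print/file sharing exposed": {3389, 515, 548},
    "IRC daemon on a server with no reason to run one": {6666},
}
UNEXPECTED = "unexpected open port, identify the listening process"


def triage(rows):
    """Group every open port that is not on the allowlist under the reason it matters."""
    findings = defaultdict(list)
    for port, proto, state, service in rows:
        if state != "open" or port in EXPECTED_PUBLIC:
            continue
        for reason, ports in RISK.items():
            if port in ports:
                findings[reason].append(port)
                break
        else:
            findings[UNEXPECTED].append(port)
    return dict(findings)


def flagged_ports(findings):
    """Flat sorted list of every port the triage wants closed or filtered."""
    return sorted(p for ports in findings.values() for p in ports)


if __name__ == "__main__":
    report = triage(parse_scan(SCAN_OUTPUT))
    for reason, ports in report.items():
        print(f"{reason}: {ports}")
    print("ports to close or filter:", flagged_ports(report))
```

Run as-is it reports 19 of the 23 open ports as needing attention; the five legacy "simple TCP/IP services" on 7, 9, 13, 17 and 19 are the ones n0cmonkey alludes to below, and there is no business reason for them to answer from the Internet at all.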
 

n0cmonkey

Elite Member
Jun 10, 2001
Send him my way. I'll hook him up. For a small fee and a contract that says I never have to talk to him again. ;)

mmm echo/chargen bounces....
 

Thor86

Diamond Member
May 3, 2001
Send him my way. I'll hook him up. For a large fee and a contract I'll set it up properly for the Internet.


 

mcveigh

Diamond Member
Dec 20, 2000
May I suggest a nightstick, officer? :)


Well, I just got back from someone whose "computer guy" told him not to worry about reinstalling anti-virus after his last virus infection.



Klez and Nimda all over the place.
 

Soybomb

Diamond Member
Jun 30, 2000
Wow, that's a hefty list of open ports. I wonder how many are normally open though anyway?

What is it with IRC servers that every hacked box gets an IRC server and a bot put on it? Do they really need that many IRC servers? :)
 

Mucman

Diamond Member
Oct 10, 1999
Originally posted by: Soybomb
Wow, that's a hefty list of open ports. I wonder how many are normally open though anyway?

What is it with IRC servers that every hacked box gets an IRC server and a bot put on it? Do they really need that many IRC servers? :)

I think the guy installed AD, IIS, and MS SQL Server all on one box :). It was a honeypot, even though it wasn't supposed to be :p

What has really got me pissed off now is that he got the whole /24 block that he is on blacklisted by spews.org. I happen to have a /28 subnet on this block and I was going to migrate my mail server there! This guy better clean up his act, because now it's personal :p

*note* You'd think I was a hard-ass the way I act online, eh? :p
 

Mucman

Diamond Member
Oct 10, 1999
Originally posted by: mcveigh
Originally posted by: Mucman


*note* You'd think I was a hard-ass the way I act online, eh? :p


I would except you are a rush fan ;)

Oooooooooh... and you are.... you .......
blah....

I'll just sit here and pout :p

 

cleverhandle

Diamond Member
Dec 17, 2001
Originally posted by: mcveigh
Well, I just got back from someone whose "computer guy" told him not to worry about reinstalling anti-virus after his last virus infection.
Ah, yes, how close to home... the "computer guy" at our school (who makes much more than me, a lowly teacher) reinstalled Win98 on some machines in an office, and set up an open share on one to hold teachers' files. I was watching him and asked if he was installing an anti-virus program or any Windows Updates. He had never heard of Windows Update, and assured me that "we have anti-virus through the Internet."


It was no surprise to find riched.dll and nimda'd mail messages splattered through the directories this morning. The wonders of the public sector never cease to amaze me...

 

Mucman

Diamond Member
Oct 10, 1999
Def'n

"Computer Guy" = The guy that everyone assumes knows his stuff about computers, because he spends all day playing games and making his Windows desktop look "funky" :). A typical "Computer Guy" can quote computer protocols and computer hardware without knowing what any of it truly means. The "Computer Guy" is easy to spot anywhere there are massive computer problems :)
 

Mucman

Diamond Member
Oct 10, 1999
#$@#$@# because of this arse and his 2 hacked machines... our entire /20 network has been put on Spews.org!

The horribly aggressive RBL has no staff to enquire about such listings, thus making it a pain in the arse to get off of it! Our mail server runs like a top and is pretty darn secure. It does not relay mail, but spews thinks it is in the world's best interest to block 16x255 IP addresses! Why the heck are people even using such aggressive RBLs? We use RBLs too, but not the most aggressive ones... even so I have to deal with complaints every day about the false positives.

Argh :|
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: Mucman
#$@#$@# because of this arse and his 2 hacked machines... our entire /20 network has been put on Spews.org!

The horribly aggressive RBL has no staff to enquire about such listings, thus making it a pain in the arse to get off of it! Our mail server runs like a top and is pretty darn secure. It does not relay mail, but spews thinks it is in the world's best interest to block 16x255 IP addresses! Why the heck are people even using such aggressive RBLs? We use RBLs too, but not the most aggressive ones... even so I have to deal with complaints every day about the false positives.

Argh :|

It's to give people a clue. Sometimes a piece of sugar doesn't quite clue people in, sometimes you need a really big bat. Don't support companies that spam and you usually don't have to worry about it. That was the logic behind using spews for spamd in OpenBSD. Anyhow, I've heard it is a PITA to get off their list, but it is possible.
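The two posts above (Mucman's rant about the /20 listing and n0cmonkey's point about block-level lists being the "big bat") come down to how a DNS-based blocklist is consulted and what a block-level entry does to everyone sharing the prefix. The Python below is an added example for this page, not anything from the thread or from the list operators: a mail server builds the lookup name by reversing the IPv4 octets under the list's zone, and an in-memory "zone" answers with an address in 127.0.0.0/8 for listed space. The zone name dnsbl.example and the listed networks are constructed; the real list discussed in the thread is not queried. It also shows the collateral effect the poster is complaining about: once the surrounding /20 is listed, a mail server in a different /24 of that prefix fails the check even though it never relayed a thing.

```python
import ipaddress

# Hypothetical zone name; stands in for whatever list a site is configured to query.
ZONE = "dnsbl.example"

# Constructed listing, mirroring the escalation in the thread: the hacked hosts' /24 went
# in first, then the whole /20 (4096 addresses) that contains it.
LISTED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("203.0.112.0/20"),
]


def dnsbl_query_name(ip, zone=ZONE):
    """Client side: reverse the octets and append the zone, e.g. 5.113.0.203.dnsbl.example."""
    octets = ipaddress.ip_address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def ip_from_query_name(name, zone=ZONE):
    """Inverse of dnsbl_query_name, used by the simulated zone to recover the queried IP."""
    suffix = "." + zone
    if not name.endswith(suffix):
        raise ValueError("query is not under our zone")
    return ipaddress.ip_address(".".join(reversed(name[: -len(suffix)].split("."))))


def dnsbl_answer(name, listings=LISTED_NETWORKS, zone=ZONE):
    """Server side (simulated): an A record in 127.0.0.0/8 means listed; None means NXDOMAIN."""
    ip = ip_from_query_name(name, zone)
    return "127.0.0.2" if any(ip in net for net in listings) else None


def is_listed(ip, listings=LISTED_NETWORKS, zone=ZONE):
    """What an MTA does per connection: build the name, look it up, reject on any answer."""
    return dnsbl_answer(dnsbl_query_name(ip, zone), listings, zone) is not None


def collateral_damage(listings, innocent_hosts):
    """How many addresses the listings cover, and which of our clean hosts get caught by them."""
    covered = list(ipaddress.collapse_addresses(listings))
    total = sum(net.num_addresses for net in covered)
    hit = [ip for ip in innocent_hosts if is_listed(ip, listings)]
    return total, hit


if __name__ == "__main__":
    # Constructed hosts: our mail server sits in 203.0.115.0/24, inside the listed /20.
    ours = ["203.0.115.25", "198.51.100.7"]
    total, hit = collateral_damage(LISTED_NETWORKS, ours)
    print(f"listings cover {total} addresses; clean hosts rejected: {hit}")
```

Two things the simulation makes concrete: the list never sees a hostname or a mail header, only the reversed connecting IP, so it cannot tell a hardened MTA from a hacked workstation on the same prefix; and the reply value (127.0.0.2 here) is just a convention whose meaning is defined per list, which is why a site should read the operator's documentation before treating any answer as a hard reject.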
 

Poontos

Platinum Member
Mar 9, 2000
What a mucking mess! :)

For everyone: What are your network policies for scanning servers on your hosted network for security vulns and informing the clients, especially co-lo, shared, dedicated, etc.
 

Mucman

Diamond Member
Oct 10, 1999
Originally posted by: n0cmonkey
Originally posted by: Mucman
#$@#$@# because of this arse and his 2 hacked machines... our entire /20 network has been put on Spews.org!

The horribly aggressive RBL has no staff to enquire about such listings, thus making it a pain in the arse to get off of it! Our mail server runs like a top and is pretty darn secure. It does not relay mail, but spews thinks it is in the world's best interest to block 16x255 IP addresses! Why the heck are people even using such aggressive RBLs? We use RBLs too, but not the most aggressive ones... even so I have to deal with complaints every day about the false positives.

Argh :|

It's to give people a clue. Sometimes a piece of sugar doesn't quite clue people in, sometimes you need a really big bat. Don't support companies that spam and you usually don't have to worry about it. That was the logic behind using spews for spamd in OpenBSD. Anyhow, I've heard it is a PITA to get off their list, but it is possible.

Yeah, that's fine... but we don't support spam!!! We stopped all routes to the bloody IPs that were hacked! What else do they want us to do? Stick CAT5 up our butts and pray to the gods of the ether? A few of our customers have questioned our credibility now that some of their e-mail has bounced when it was sent to usa.com... usa.com even blocks my home SMTP server because my IP is dynamic! If I ever meet a script kiddie in person I am going to level them!

Poontos, we don't have time to babysit our clients. They get a direct feed to the Net which they can manage however they want. If they get hacked, we block routes to the hacked IP. It's easy to find out if a customer is hacked because complaints start coming to our abuse address, and bandwidth usage goes from 1G a day to 40G. I just scanned their machine because I was interested...

 

Poontos

Platinum Member
Mar 9, 2000
Mucman,

Nor do most ISPs, but when your /20 block of IPs is propagating around the Internet as being "bad", "spam source", "malicious activity", etc., then being pro-active and doing some basic/general things to make sure your clients' software is somewhat secure would save a lot (NOT ALL, but a lot) of hassles in future. Just my opinion, I may be wrong.
 

Mucman

Diamond Member
Oct 10, 1999
We only have about 25 dedicated Internet access customers, most of which have been with us for over 4-5 years. We do not worry about them since they seem to know what they are doing. The customer that I am ranting about is fairly new, so we had no idea they were this obtuse. The damage is done, and I believe we responded to the threat fast enough.
Our way of checking for hackage is purely by bandwidth usage. We monitor that every single day. If a customer's bandwidth goes up 10-fold, then we give them a call (usually we just remind them how much it is going to cost, so they don't freak out before their bill :)).

So the reason for my rant is... what would spews.org want us to have done differently? We saw the problem, rectified it as soon as we heard about it...
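The detection rule described in the post above (daily per-customer byte counts, call them when usage jumps roughly 10-fold) is simple enough to automate, and automating it removes the "as soon as we heard about it" delay the poster is being blamed for. The Python below is an added example for this page, not the ISP's own tooling: it takes constructed daily transfer totals for two customers, uses the median of the previous seven days as the baseline (a median is not dragged upward by the first bad day, so the alert keeps firing until usage really returns to normal), and reports the first day each customer crossed the threshold. The customer names and numbers are made up; the 1G-to-40G jump mirrors the one in the thread.

```python
from statistics import median

GB = 1024 ** 3

# Constructed daily transfer totals in bytes, ten days per customer.
# cust-a is the hacked box from the thread (about 1 GB/day, then 40 GB/day);
# cust-b grows steadily, which a naive "more than yesterday" check would misreport.
SAMPLE_USAGE = {
    "cust-a": [1 * GB, 1.1 * GB, 0.9 * GB, 1 * GB, 1.2 * GB, 1 * GB, 0.95 * GB,
               40 * GB, 42 * GB, 39 * GB],
    "cust-b": [2 * GB, 2.2 * GB, 2.5 * GB, 2.8 * GB, 3 * GB, 3.3 * GB, 3.6 * GB,
               4 * GB, 4.5 * GB, 5 * GB],
}


def baseline(history, window=7):
    """Median of the last `window` days of history; 0.0 when there is no history yet."""
    prior = history[-window:]
    return float(median(prior)) if prior else 0.0


def check_day(history, today, factor=10.0, window=7):
    """Return today/baseline if the ratio meets the poster's 10x rule, else None."""
    base = baseline(history, window)
    if base <= 0:
        return None  # nothing to compare against; do not alert on a brand-new customer
    ratio = today / base
    return ratio if ratio >= factor else None


def scan_customers(usage, factor=10.0, window=7):
    """Walk each series day by day and record the first day the rule fired."""
    alerts = {}
    for cust, series in usage.items():
        for day in range(window, len(series)):
            history = series[:day]
            ratio = check_day(history, series[day], factor, window)
            if ratio is not None:
                alerts[cust] = {
                    "day": day,
                    "ratio": round(ratio, 1),
                    "today_gb": round(series[day] / GB, 1),
                    "baseline_gb": round(baseline(history, window) / GB, 2),
                }
                break
    return alerts


if __name__ == "__main__":
    for cust, info in scan_customers(SAMPLE_USAGE).items():
        print(f"{cust}: day {info['day']} used {info['today_gb']} GB, "
              f"{info['ratio']}x the {info['baseline_gb']} GB baseline; call the customer")
```

In production the series would come from the router's interface counters or flow export rather than a dictionary, and the same function would run once a day against each customer's prefix; the threshold factor is the thing to tune, since a legitimate launch can also multiply traffic.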
 

Mucman

Diamond Member
Oct 10, 1999
Blah... my trusty side-kick inquired about the entries in SPEWS.ORG, and he ended up being the butt end of a bunch of flamers and trolls.

deja.com linky

I've been having a discussion regarding this issue with the CommuniGate Pro mailing list (an awesome MTA btw), and many have similar issues. In fact, one of the subscribers saw the newsgroup post, and knew of the trolls that had replied.

Hopefully I can convince my boss to just boot the customer... I need to start my own company where I can enforce my own rules :)
 

mcveigh

Diamond Member
Dec 20, 2000
Could you get a lawyer involved? Perhaps a nicely worded letter might get some action?

I've never dealt with them before though, just throwing out suggestions.