A Terrifying Tale of TCP ... Terror

Published: 2004-11-01
Last Updated: 2004-11-01 23:03:28 UTC
by Cory Altheide (Version: 1)
The ISC received this bone-chilling email late last night. Word of warning? Cry for help? You be the judge.

"Handlers,

I thought I'd share an experience that happened to a buddy of mine this evening. Bob is an analyst at a security operations center for an ISP. He sent me this email and I decided I'd pass it on to you guys for review. Is this even possible? I'm not sure, but it sure did freak Bob out. He can't bring himself to go back to the SOC anymore, and he's looking for telecommuting jobs on Monster.

Regards,

Alice

************************

Alice,

I know you're gonna think I'm crazy but you're the only one I can think who would possibly listen to what I'm about to say without immediately dismissing it. Please, read my whole account of what happened to me tonight before writing me off.

I went into work last night for the graveyard shift. Yeah, graveyard shift on Halloween, haha. We'd just ramped up to 24/7 ops the previous week so this was going to be my first night alone in the SOC. I was pretty excited at first, since I wouldn't have any of these other knuckleheads in my hair while I was doing some hard core analysis, you know? I logged into my station, started some queries for deltas in the previous 24, and went to get some coffee, since it was going to be a long night.

Little did I know...

After returning to the SOC with my joe, Carol gave me the briefing on the day's events (in a nutshell, nothing - apparently all the s'kiddies were gearing up for Trick or Treating and not harassing us). She did mention something that didn't show up in any of the reports though - a general "weirdness" to the traffic in the DMZ. She couldn't really qualify it, but she said she thought something kind of odd was going on. Okay Carol, I'll keep my eyes open (as I roll them back into my head). She punched out and I was all alone.

Or was I?

I threw some tunes on WinAmp and started to rock out while poring over the output of my earlier queries. My attempts at scripting up some rudimentary anomaly detection in our aggregation console appeared to be woefully inadequate or simply functioning properly with a dearth of anomalies when I saw it.

A new host in the DMZ.

A host which had apparently come up at midnight local, October 31st. Who the hell stands up a box in the DMZ at *midnight* on a Saturday night? It had to be the mouth-breathers in development relying on the assumption that no one would be monitoring the network over the weekend. Heh, nice try chumps, but you've just tweaked the wrong BOFH. To cover my bases, I looked up the latest network diagrams for the DMZ. Just as I thought, nothing authorized or even submitted regarding a new box in the DMZ. Finally, after months of slaving away over reports I was going to get to demand someone take a box down. I could feel the power coursing through my fingertips as I began to compose the flame to end all flames.

"Dear clownboats,"

I hesitated. What would they come back with? I needed more ammunition to stave off a possible counteroffensive. I decided to scan the box, to see how much risk these "developers" were actually exposing my DMZ to. A quick nmap returned results the likes of which I had not seen since my days at that dot bomb in Sunnyvale.

"Remote operating system guess: Linux 2.0.35-37"

W

T

F

Two-oh? Was this some sort of prank? These guys are dullards to be sure, but no one is this stupid. It's gotta be some sort of security through ob-fu or something. I had to know. Telnetting quickly confirmed my worst fears.

Trying 10.31.10.31...
Connected to 10.31.10.31.
Escape character is '^]'.

Red Hat Linux release 5.2 (Apollo)
Kernel 2.0.36 on an i486

login:

I stared, dumbfounded, at the prompt's ever-blinking cursor. I tried to wrap my head around what I was seeing. Red Hat FIVE DOT FSKING TWO? Even if this was a honeypot, this was ridiculous. What were they trying to do, find out which kiddie has the oldest sploits?

I did what any sane security professional would do in my situation.

I typed "root".

The box retorted with "Password:"

I reiterated, "root".

[root@zion root]#

A chill crept out of my keyboard and up my spine as I realized that this wasn't a joke, and it wasn't a honeypot. It was a real box, and the people who put this on my DMZ were officially TOO STUPID FOR INTERNET. I was going to get to the bottom of this and it would be made right, dammit. I haven't been working in the security industry for over SIX MONTHS to have morons like this come CRAP ALL OVER MY DMZ.

I took a deep breath and considered my options. If I went off half-cocked, blasting accusatory emails to everyone in network engineering, the box would be burned and mysteriously vanish. Oh, a magic server that no one owns, how original.

No, I needed to find out who this box belonged to. I listed the contents of /home, and was rewarded with a litany of names which I did not recognize. The one with the most recent activity was a 'tanderson,' so I decided to play a hunch. The 'w' command confirmed my hunch, and showed root and tanderson currently logged in. It also showed that the box had been up for close to 12 days, and that tanderson had logged in on October 18th, 1999. This box has more problems than I thought. 'date' confirmed it, these fools apparently have the system set to a date in 1999. Still testing those Y2K compatibility patches, eh boys? It was a little outside of my jurisdiction, so to speak, but I decided to question my only witness/suspect. After googling for a bit, I discovered the "write" command.

[root@zion root]# write tanderson tty1

What's up with this box?

Message from tanderson@zion on tty1 at 23:53

> what? who are you?

I'm root, who are you

> look i dont know if your a hacker or whatever but please dont hack my computer right now i need to finish my work

You look, you bring a swiss-cheese box up on *my* DMZ and it's *my* problem. What the hell are you doing?

> hey pal i dont want to fight i just want to finish this project, okay, i'm on a
d e a d l i n e ...

The word "deadline" appeared slowly, one character at a time, and for some reason really resonated with me. I could swear I felt a presence in the room with me - or was I merely feeling "sympathy pains" for this 'tanderson' and his arbitrary deadline?

Shake it off Bob, you're an infosec pro, not a social worker. You get paid to be hardcore.

Sorry dude, but your deadline ain't my problem. This box is going to have to come down immediately - it's too risky to leave up.

> No.

What? I don't think you've got much say in the matter. I'm the security admin, and you're some random cluebie who happened to be in the wrong place at the wrong time. Take it like a man.

> NO

All of the other boxes in the SOC powered down.

> NO

Then the lights.

> NO

I stared at the screen, my breath caught in my throat. My terrified trance was broken by the beeping of my calculator watch. It was midnight.

"Connection closed by foreign host."

I scooped up the phone and hurriedly dialed Ted, the night sysadmin.

"This is Ted. Whassup?"

"Hey Ted, Bob." My mouth was dry and the words barely managed to squeak out.

"Hey Bob, what can I do ya for?"

"Do you know anything about a box named 'zion' in the DMZ?"

"Our DMZ?"

My fear had begun to give way to annoyance again.

"Yes, our DMZ. At 10.31.10.31."

"Bob, there's nothing at that IP."

I quickly pinged it, and attempted to telnet in again. He was right, the box was down.

"It... it was just up. I telnetted right in, it was a Red Hat 5.2 box, and a user named 'tanderson' was logged in ..."

"tanderson? Are you sure?", Ted said, with a wavering uncertainty.

"Yes, I'm positive. He kept yammering about finishing his project," I blurted.

"Bob - Thomas Anderson was downsized back in '99. He was working on moving all of our NT servers to Linux, but he never got to finish. Bob...

... that server's been down for FIVE YEARS."

**********************

Cory Altheide

Handler-on-Duty

**********************