
I Catch the Hackers in the Act

If you've ever wondered exactly how a vulnerability is exploited, or how botnets happen, check out the capture below. Keep in mind that my system is up-to-date on just about everything I can find to update on it. I've also informed the abuse address of the IP in question about what was going on over a month ago, and the rogue server is still out there, relaying information from compromised Linux servers.

I keep a lot of outbound ports closed so that if one of my servers is compromised, it doesn't become another bot on the net. I finally caught the process again, so I started a capture and then opened the ports. I'm not sure what to make of it, because the IP address in question goes back to what appears to be a dedicated server in Italy, but the login information says it's a NASA IRC server. What NASA would be doing serving IRC to the public is beyond me, unless it's a honeypot. It's probably not a real NASA server, at least that's what I hope. Anyway, here are the fun details of what happens when my server tries to call home to its haxor:

The packet analysis also reveals a clue about the origin of the hack: Mihai is the Romanian version of Michael.

Download the uncensored TCPDump file and see for yourself.

My server: SYN
213.92.118.223 223-118-92-213.serverdedicati.seflow.net ACK
my server: ACK SYN
my server: ...i
my server: NICK a3sh-.
: NOTICE AUTH :*** Looking up your hostname..NOTICE AUTH :*** Checking Ident..
my server: ....
: NOTICE AUTH :*** No ident response..
my server: FF 86 C5 CD
: NOTICE AUTH :*** Found your hostname.
my server: ....
:.y.I
my server: USER nh2ies x.x.x.x 213.92.118.223 :Linux mrtg.sampas.net 2.6.9-42.0.10.ELsmp #1 SMP Fri Feb 16 17:17:21 EST 2007 i686 i686 i386 GNU/Linux.
: PING :1041065789..
my server: ....
: .y..
my server: PONG :1041065789.
: (ACK)
: www.nasa.gov 433 * a3sh- :Nickname is already in use..
my server: (ACK)
my server: NICK a3sh-685.
: :www.nasa.gov 001 a3sh-685 :Welcome to the Internet Relay Network : a3sh-685..:www.nasa.gov 002 a3sh-685 :Your host is www.nasa.gov, running version beware1.5.7..:www.nasa.gov 003 a3sh-685 :This server was created Tue Jul 13 2004 at 20:36:17 GMT..:www.nasa.gov 004 a3sh-685 www.nasa.gov beware1.5.7 dgikoswx biklmnoprstv..:www.nasa.gov 005 a3sh-685 MAP SILENCE=15 WHOX WALLCHOPS WALLVOICES USERIP CPRIVMSG CNOTICE MODES=6 MAXCHANNELS=10 MAXBANS=45 :are supported by this server..:www.nasa.gov 005 a3sh-685 NICKLEN=19 TOPICLEN=160 AWAYLEN=160 KICKLEN=160 CHANTYPES=#& PREFIX=(ov)@+ CHANMODES=b,k,l,rimnpst CASEMAPPING=rfc1459 :are supported by this server..:www.nasa.gov 251 a3sh-685 :There are 172 users and 0 invisible on 1 servers..:www.nasa.gov 254 a3sh-685 1 :channels formed..:www.nasa.gov 255 a3sh-685 :I have 172 clients and 0 servers..:www.nasa.gov NOTICE a3sh-685 :Highest connection count: 195 (195 clients)..:www.nasa.gov 422 a3sh-685 :MOTD File is missing..:www.nasa.gov NOTICE a3sh-685 :on 1 ca 1(4) ft 10(10)..
my server: JOIN #mihai.
::www.nasa.gov 001 a3sh-685 :Welcome to the Internet Relay Network a3sh-685..:www.nasa.gov 002 a3sh-685 :Your host is www.nasa.gov, running version beware1.5.7..:www.nasa.gov 003 a3sh-685 :This server was created Tue Jul 13 2004 at 20:36:17 GMT..:www.nasa.gov 004 a3sh-685 www.nasa.gov beware1.5.7 dgikoswx biklmnoprstv..:www.nasa.gov 005 a3sh-685 MAP SILENCE=15 WHOX WALLCHOPS WALLVOICES USERIP CPRIVMSG CNOTICE MODES=6 MAXCHANNELS=10 MAXBANS=45 :are supported by this server..:www.nasa.gov 005 a3sh-685 NICKLEN=19 TOPICLEN=160 AWAYLEN=160 KICKLEN=160 CHANTYPES=#& PREFIX=(ov)@+ CHANMODES=b,k,l,rimnpst CASEMAPPING=rfc1459 :are supported by this server..:www.nasa.gov 251 a3sh-685 :There are 172 users and 0 invisible on 1 servers..:www.nasa.gov 254 a3sh-685 1 :channels formed..:www.nasa.gov 255 a3sh-685 :I have 172 clients and 0 servers..:www.nasa.gov NOTICE a3sh-685 :Highest connection count: 195 (195 clients)..:www.nasa.gov 422 a3sh-685 :MOTD File is missing..:www.nasa.gov NOTICE a3sh-685 :on 1 ca 1(4) ft 10(10)..

:a3sh-685!~nh2ies@c-68-34-65-58.hsd1.md.comcast.net JOIN :#mihai..:www.nasa.gov 353 a3sh-685 = #mihai :a3sh-685 a3sh-9337 a3sh-4554 a3sh-8354 a3sh-2934 a3sh-3103 a3sh-8151 a3sh-4633 a3sh-3872 a3sh-2552 a3sh-1595 a3sh-9230 a3sh-5907 a3sh-2313 a3sh-6041 a3sh-2448 a3sh-5134 a3sh-3633 a3sh-5025 a3sh-1979 a3sh-9893 a3sh-8688 a3sh-7544 a3sh-4987 a3sh-975 a3sh-8640 a3sh-7756 a3sh-6376 a3sh-9321 a3sh-5422 a3sh-5761 a3sh-9259 a3sh-5956 a3sh-7978 a3sh-9088 a3sh-701 a3sh-4473 a3sh-7260 a3sh-2013 a3sh-9890 a3sh-933 a3sh-8007 a3sh-6486 a3sh-7318 a3sh-5495 a3sh-6205 a3sh-6078..:www.nasa.gov 353 a3sh-685 = #mihai :a3sh-7555 a3sh-791 a3sh-1336 a3sh-5923 a3sh-4822 a3sh-8527 a3sh-4988 a3sh-90 a3sh-4895 a3sh-7019 a3sh-6666 a3sh-4330 a3sh-8521 a3sh-215 a3sh-5509 a3sh-6106 a3sh-4579 a3sh-8655 a3sh-1998 a3sh-9573 a3sh-5017 a3sh-6554 a3sh-8403 a3sh-288 a3sh-3328 a3sh-4059 a3sh-6246 a3sh-697 a3sh-7085 a3sh-9646 a3sh-8876 a3sh-6779 a3sh-3730 a3sh-8248 a3sh-4757 a3sh-7497 a3sh-4715 a3sh-4357 a3sh-229 a3sh-4681 a3sh-8629 a3sh-2734 a3sh-6290 a3sh-930 a3sh-1515 a3sh-1103 a3sh-3405 a3sh-9597..:www.nasa.gov 353 a3sh-685 = #mihai :a3sh-914 a3sh-2419 a3sh-1961 a3sh-624 a3sh-9217 a3sh-8124 a3sh-9198 a3sh-1667 a3sh-7710 a3sh-3272 a3sh-2880 a3sh-5360 a3sh-9749 a3sh-60 a3sh-6378 a3sh-2191 a3sh-8644 a3sh-1313 a3sh-2447 a3sh-3410 a3sh-4480 a3sh-8506 a3sh-1625 a3sh-5664 a3sh-5614 a3sh-9804 a3sh-1344 a3sh-4523 a3sh-7203 a3sh-3438 a3sh-3646 a3sh-6682 a3sh-8430 a3sh-700 a3sh-4929 a3sh-9957 a3sh-9284 a3sh-1775 +a3sh-3250 a3sh-2594 a3sh-3037 a3sh-3353 a3sh-2931 a3sh-366 a3sh-934 a3sh-1772 a3sh-8760 a3sh-7777..:www.nasa.gov 353 a3sh-685 = #mihai :a3sh-8519 a3sh-8691 a3sh-9382 a3sh-3749 a3sh-8126 a3sh-5627 a3sh-1038 a3sh-3316 a3sh-5240 a3sh-379 a3sh-6854 a3sh-9518 a3sh-1493 a3sh-7073 a3sh-9670 +a3sh-3201 a3sh-7933 a3sh-4989 a3sh-960 a3sh-3584 a3sh-7571 a3sh-9905 a3sh-6198 a3sh-9436 a3sh-7021 a3sh-9951 a3sh-43 a3sh-1578 @a3sh-..:www.nasa.gov 366 a3sh-685 #mihai :End of /NAMES list...
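The capture above shows the three things a defender can key on in a session like this: a USER real-name field carrying `uname -a` output, a client nick built as a base plus a random number (and re-rolled after the 433 "nickname in use" reply), and a NAMES (353) reply listing a whole fleet of nicks cut from the same pattern. As an added example (my own code, not from the original post), here is a small Python checker that parses IRC messages and scores a session on those indicators. The sample session is reassembled from the capture above, one message per line; the field names, the clone threshold and the regexes are my own choices.

```python
import re
from collections import Counter

# Constructed sample: a handful of the IRC messages from the capture above,
# reassembled one message per line (this is not the raw tcpdump output).
SAMPLE_SESSION = [
    "NICK a3sh-",
    "USER nh2ies x.x.x.x 213.92.118.223 :Linux mrtg.sampas.net "
    "2.6.9-42.0.10.ELsmp #1 SMP Fri Feb 16 17:17:21 EST 2007 i686 i686 i386 GNU/Linux",
    ":www.nasa.gov 433 * a3sh- :Nickname is already in use",
    "NICK a3sh-685",
    ":www.nasa.gov 001 a3sh-685 :Welcome to the Internet Relay Network a3sh-685",
    ":www.nasa.gov 251 a3sh-685 :There are 172 users and 0 invisible on 1 servers",
    "JOIN #mihai",
    ":www.nasa.gov 353 a3sh-685 = #mihai :a3sh-685 a3sh-9337 a3sh-4554 "
    "a3sh-8354 a3sh-2934 +a3sh-3250 @a3sh-",
    ":www.nasa.gov 366 a3sh-685 #mihai :End of /NAMES list.",
]

# A real-name field that looks like `uname -a` output: a kernel version
# followed by a "#<build>" marker, e.g. "2.6.9-42.0.10.ELsmp #1 SMP ...".
KERNEL_RE = re.compile(r"\d+\.\d+\.\d+\S*\s+#\d+")
# Nick of the form <base>-<digits>, optionally carrying a channel-status
# sigil (@ op, + voice) as it appears in a 353 NAMES reply.
NICK_RE = re.compile(r"^[@+%~&]?([A-Za-z0-9]+)-\d*$")


def parse_irc_line(line):
    """Split one IRC message into (prefix, command, params, trailing)."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    if not parts:
        return prefix, None, [], trailing
    return prefix, parts[0], parts[1:], trailing


def nick_base(nick):
    """Return the non-numeric prefix of a generated nick, or None."""
    m = NICK_RE.match(nick)
    return m.group(1) if m else None


def analyze_session(lines, min_clones=5):
    """Score one client's IRC session for bot-like behaviour.

    Returns a dict of indicators; `is_bot` is the combined verdict."""
    report = {"our_nick": None, "uname_leak": False, "channels": [],
              "clone_base": None, "clone_count": 0, "is_bot": False}
    bases = Counter()
    for raw in lines:
        _, cmd, params, trailing = parse_irc_line(raw)
        if cmd == "NICK" and params:
            report["our_nick"] = params[0]        # last NICK wins (433 retry)
        elif cmd == "USER" and trailing and KERNEL_RE.search(trailing):
            report["uname_leak"] = True           # uname -a in the real name
        elif cmd == "JOIN" and params:
            report["channels"].append(params[0])
        elif cmd == "353" and trailing:           # NAMES reply: count nick bases
            for nick in trailing.split():
                base = nick_base(nick)
                if base:
                    bases[base] += 1
    if bases:
        report["clone_base"], report["clone_count"] = bases.most_common(1)[0]
    # Our own nick follows the same template as the channel's bulk membership.
    same_fleet = (report["our_nick"] is not None
                  and nick_base(report["our_nick"]) == report["clone_base"])
    report["is_bot"] = report["uname_leak"] or (
        report["clone_count"] >= min_clones and same_fleet)
    return report


if __name__ == "__main__":
    for key, value in analyze_session(SAMPLE_SESSION).items():
        print(f"{key}: {value}")
```

The parser expects one IRC message per line, so on a raw `tcpdump -A` dump you first reassemble the TCP stream (several messages arrive in one segment, as the 001-005 burst above shows) and split on CRLF. The same check works as a log-review pass over an egress proxy or IDS that already extracts IRC commands; on a host with outbound ports closed, the first thing you see is usually only the repeated SYN, and the session body only appears once you deliberately let it through for capture, as the post describes.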
