Re: I think I have been hacked .. more

From: RainbowHat (nHiATlE@blSackholeP.mAit.edMu.invalid)
Date: 05/30/02


From: RainbowHat <nHiATlE@blSackholeP.mAit.edMu.invalid>
Date: Thu, 30 May 2002 20:23:56 +0000 (UTC)


[ I snipped the parts which I guess are no problem. ]

< Graham Daniell

>[root@torvalds /root]# /sbin/route
>Destination Gateway Genmask Flags Metric Ref Use
>Iface
>tc2-ha.perth.we * 255.255.255.255 UH 0 0 0
>ppp0
:
>default tc2-ha.perth.we 0.0.0.0 UG 0 0 0
>ppp0
>(see 'default' above - does this look suspicious?)

>[root@torvalds /root]# /sbin/ifconfig
:
>ppp0 Link encap:Point-to-Point Protocol
> inet addr:202.72.132.108 P-t-P:203.10.1.3
>Mask:255.255.255.255
> UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1514 Metric:1
> RX packets:21321 errors:105 dropped:0 overruns:0 frame:105
> TX packets:20933 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:10

>[root@torvalds /root]# cat /proc/net/route
>Iface Destination Gateway Flags RefCnt Use Metric
>MaskMTU
>ppp0 03010ACB 00000000 0005 0 0 0
>FFFFFFF
:
>ppp0 00000000 03010ACB 0003 0 0 0
>0000000

Hexadecimal 03010ACB translates to 203.10.1.3 (3, 1, 10, 203).

203.10.1.3 (WTECH-AU) Winthrop Technology;
           PO Box 363; Nedlands; WA 6009; AU

202.72.132.108 (WESTNET) WestNet Pty Ltd; Perth, Western Australia; AU

NNTP-Posting-Host dsp-202-72-132-108.perth.westnet.com.au

If the above 'tc2-ha.perth.we'(stnet.com.au?) and 203.10.1.3 are your
provider, I think it's not suspicious.

I forgot the URI <http://www.l0pht.com/advisories/rdp.txt>.
>> L0pht Security Advisory
>> Vulnerable: Microsoft Windows95a (w/winsock2), Windows95b
>> Windows98, Windows98se and Sun Microsystems...
>> Severity: Attackers can remotely add default route entries
>> on the victims host.

-- 
Regards, RainbowHat. To spoof or not to spoof, that is the IPv4 packet.
----+----1----+----2----+----3----+----4----+----5----+----6----+----7
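The hand decoding RainbowHat does above (little-endian hex word in /proc/net/route to dotted quad, then checking whether the default gateway belongs to the provider) as an added example, not code from the original thread. It assumes an x86-style little-endian host, a constructed /proc/net/route sample mirroring the quoted output, and a trusted-gateway list you supply yourself.

```python
import ipaddress
import socket
import struct

# Constructed sample in /proc/net/route format, mirroring the routes quoted
# in the thread (host route to 203.10.1.3 plus a default route via it).
SAMPLE_PROC_NET_ROUTE = """\
Iface\tDestination\tGateway \tFlags\tRefCnt\tUse\tMetric\tMask\t\tMTU\tWindow\tIRTT
ppp0\t03010ACB\t00000000\t0005\t0\t0\t0\tFFFFFFFF\t0\t0\t0
ppp0\t00000000\t03010ACB\t0003\t0\t0\t0\t00000000\t0\t0\t0
"""

# Route flag bits as used by the Linux kernel (RTF_UP, RTF_GATEWAY, RTF_HOST).
RTF_UP = 0x0001
RTF_GATEWAY = 0x0002
RTF_HOST = 0x0004


def hex_to_ip(hexword):
    """Turn an 8-digit /proc/net/route word into a dotted quad.
    The kernel prints the address in host byte order, so on a little-endian
    host 03010ACB is the byte sequence CB 0A 01 03 -> 203.10.1.3."""
    return socket.inet_ntoa(struct.pack("<L", int(hexword, 16)))


def parse_routes(text):
    """Parse /proc/net/route text into a list of route dicts (header skipped)."""
    routes = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 8:
            continue  # tolerate wrapped or truncated lines
        flags = int(fields[3], 16)
        routes.append({
            "iface": fields[0],
            "dest": hex_to_ip(fields[1]),
            "gateway": hex_to_ip(fields[2]),
            "mask": hex_to_ip(fields[7]),
            "up": bool(flags & RTF_UP),
            "is_gateway": bool(flags & RTF_GATEWAY),
            "is_host": bool(flags & RTF_HOST),
        })
    return routes


def unexpected_default_routes(routes, trusted_gateways):
    """Default routes (dest and mask 0.0.0.0) whose gateway is not one your
    provider is expected to hand out; an empty list means nothing to chase."""
    trusted = {ipaddress.ip_address(g) for g in trusted_gateways}
    return [r for r in routes
            if r["dest"] == "0.0.0.0" and r["mask"] == "0.0.0.0"
            and r["is_gateway"]
            and ipaddress.ip_address(r["gateway"]) not in trusted]
```

On a live box, replace the constructed sample with `open("/proc/net/route").read()` and the trusted list with the gateway your ISP assigns (shown as the P-t-P address in ifconfig).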

