(RADIATOR) RV: HACKER ATTACK?

Mariano Absatz radiator at lists.com.ar
Mon Nov 12 17:31:47 CST 2001


Hello Gabriela,

this doesn't seem like a Hacker attack to me...

The packet came from 200.16.169.56. Is that one of your NAS? 
I guess so... as Radiator didn't ignore the request, it must have come from 
one of your listed <Client>s.

BTW, the reverse of that address points to h200-16-169-56.easymail.com.ar 
which I would guess is owned by the same people that own easymail.net.ar... At 
least both domains have the same registrant company and you seem to be the 
technical contact for both as far as nic.ar is concerned.

Now, the completely mangled Username is more a sign of a bad modem to NAS 
connection than a hacker attack.

As I remember, this has been discussed quite a few times in the list.

You should discard everything you don't like from scratch in your config 
file.

I use the following line in my config files:
RewriteUsername s/.*['\x00-\x20\x7F-\xFF].*/username-has-invalid-chars/

But you could say:
RewriteUsername s/.*['\x00-\x20\x7F-\xFF].*/el-modem-mando-fruta/
;-)

This is actually replacing any username that has at least one non-printable 
ASCII character with the string "el-modem-mando-fruta" (which you could 
easily find in your logs).

You could actually be much more restrictive and only allow letters, digits 
and underscores, it's your call.

Good luck!!! (and tone down the panic).

On 13 Nov 2001 at 7:43, Mike McCauley wrote:

> Received: from bart.easymail.net.ar (h200-16-169-42.easymail.com.ar
>  [200.16.169.42]) by server1.open.com.au (8.11.0/8.11.0) with ESMTP id
>  fACCc4321374
>  for <radiator at open.com.au>; Mon, 12 Nov 2001 06:38:04 -0600
> Received: by BART with Internet Mail Service (5.5.2653.19)
>  id <WL8VWRHV>; Mon, 12 Nov 2001 11:24:33 -0300
> Message-ID: <0071AA06E729D5118619000629757A57D3BF at BART>
> From: "Barsotti, Gabriela" <gbarsotti at easymail.net.ar>
> To: "'radiator at open.com.au'" <radiator at open.com.au>
> Subject: RV: HACKER ATTACK?
> Date: Mon, 12 Nov 2001 11:24:25 -0300
> MIME-Version: 1.0
> X-Mailer: Internet Mail Service (5.5.2653.19)
> Content-Type: text/plain;
>  charset="iso-8859-1"
> Content-Transfer-Encoding: 8bit
> X-MIME-Autoconverted: from quoted-printable to 8bit by server1.open.com.au id
>  fACCc4321375
> 
> >  -----Original Message-----
> > From: 	Barsotti, Gabriela
> > Sent:	Monday, November 12, 2001 11:22 a.m.
> > To:	'piratecheck at open.com.au'
> > Subject:	HACKER ATTACK?
> >
> > Last Saturday our Radius server received an attack. I'm sending you the
> > information I could find on my server in order to help all Radius servers
> > against unexpected attacks.
> >
> > Sat Nov 10 22:59:54 2001: DEBUG: Packet dump:
> > *** Received from 200.16.169.56 port 1645 ....
> > Code:       Access-Request
> > Identifier: 150
> > Authentic:  Ei`!:iLLLL(:r(LC
> > Attributes:
> >         User-Name = "'S R%H%G1\|g+%s8rEs3)o}p/G}/J?~o]F 4%7.+CBsg,'?j/?u"
> >         User-Password =
> > ")<162><225><251><177>o<25>9\<177>o<6>:[J<5>va<146><145>U<173>F<8><198>4<160><249>D<179><198><239>"
> >         NAS-IP-Address = 200.16.169.56
> >         NAS-Port = 56
> >         Called-Station-Id = "6200"
> >         Calling-Station-Id = "1145674048"
> >         USR-Connect-Speed = 24000_BPS
> >         USR-Modulation-Type = v32Terbo
> >         USR-Simplified-MNP-Levels = 0
> >         USR-Simplified-V42bis-Usage = 0
> >         USR-Chassis-Call-Slot = 7
> >         USR-Chassis-Call-Span = 0
> >         USR-Chassis-Call-Channel = 27
> >         NAS-Identifier = "access2"
> >         Acct-Session-Id = "071b05f8"
> >         NAS-Port-Type = Async
> >
> > Sat Nov 10 22:59:54 2001: DEBUG: Handling request with Handler
> > 'Realm=DEFAULT'
> > Sat Nov 10 22:59:54 2001: DEBUG: SessionDbSQL Deleting session for 'S
> > R%H%G1\|g+%s8rEs3)o}p/G}/J?~o]F 4%7.+CBsg,'?j/?u, 200.16.169.56, 56
> > Sat Nov 10 22:59:54 2001: DEBUG: do query is: delete from RADONLINE where
> > NASIDENTIFIER='200.16.169.56' and NASPORT=056
> >
> > Sat Nov 10 22:59:54 2001: DEBUG: Query is: select NASIDENTIFIER, NASPORT,
> > ACCTSESSIONID from RADONLINE where USERNAME=''S R%H%G1\|g+%s8rEs3)o}
> > p/G}/J?~o]F 4%7.+CBsg,'?j/?u'
> >
> > Sat Nov 10 22:59:54 2001: ERR: Execute failed for 'select NASIDENTIFIER,
> > NASPORT, ACCTSESSIONID from RADONLINE where USERNAME=''S R%H%G1\|g+%s
> > 8rEs3)o}p/G}/J?~o]F 4%7.+CBsg,'?j/?u'': ERROR:  parser: parse error at or
> > near "s"
> >
> > Sat Nov 10 22:59:55 2001: ERR: Execute failed for 'select NASIDENTIFIER,
> > NASPORT, ACCTSESSIONID from RADONLINE where USERNAME=''S R%H%G1\|g+%s
> > 8rEs3)o}p/G}/J?~o]F 4%7.+CBsg,'?j/?u'': ERROR:  parser: parse error at or
> > near "s"
> >
> > Sat Nov 10 22:59:55 2001: DEBUG: Handling with Radius::AuthSQL
> > Sat Nov 10 22:59:55 2001: DEBUG: Handling with Radius::AuthSQL
> >
> > Lic. Gabriela Barsotti
> > Technology Manager
> > EasyMail S.A.
> > A VirtualCom Company
> > 54-11-54590-8820

--
Mariano Absatz
El Baby
----------------------------------------------------------
Daddy, why doesn't this magnet pick up this floppy disk? 
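An added example, not code from the post or from Radiator: the RewriteUsername rule above, re-expressed in Python so it can be run against the User-Name from the packet dump, next to a Python sketch of the RADONLINE lookup the log shows failing. The character class in the post is not only "non-printable ASCII": it also lists the single quote, and that quote is exactly what turned the query into USERNAME=''S ...' and produced the parse error in the log. Note that Radiator's Perl regex runs over the raw attribute bytes, whereas this version runs over a Python str, so a code point in U+007F..U+00FF stands in for a high-bit byte. The helper names (rewrite_username, session_query_unsafe, literal_well_formed, and so on) are mine and are not Radiator's AuthSQL API; the MANGLED value is copied from the dump, the other sample names are constructed.

```python
import re

# Character class from the post's RewriteUsername line: a single quote,
# NUL through space (\x00-\x20), and DEL through \xFF. Assumption: applied
# to a str, so U+007F..U+00FF stands in for a high-bit byte of the raw name.
INVALID_CHARS = re.compile(r"['\x00-\x20\x7F-\xFF]")

# Stricter whitelist the post mentions as an option: letters, digits, underscore.
STRICT_USERNAME = re.compile(r"[A-Za-z0-9_]+")

DEFAULT_MARKER = "username-has-invalid-chars"


def rewrite_username(username: str, marker: str = DEFAULT_MARKER) -> str:
    """Mirror of s/.*['\\x00-\\x20\\x7F-\\xFF].*/<marker>/: if any listed
    character appears anywhere, the whole name is replaced by the marker."""
    return marker if INVALID_CHARS.search(username) else username


def rewrite_username_strict(username: str, marker: str = DEFAULT_MARKER) -> str:
    """Whitelist variant: keep the name only if it is entirely [A-Za-z0-9_]."""
    return username if STRICT_USERNAME.fullmatch(username) else marker


def sql_literal(value: str) -> str:
    """Quote a string as a SQL literal by doubling embedded single quotes."""
    return "'" + value.replace("'", "''") + "'"


def session_query_unsafe(username: str) -> str:
    """Query shape from the log with the name pasted in verbatim (illustrative,
    not Radiator's code). A name starting with ' yields USERNAME=''S ...'."""
    return ("select NASIDENTIFIER, NASPORT, ACCTSESSIONID from RADONLINE "
            "where USERNAME='" + username + "'")


def session_query_safe(username: str) -> str:
    """Rewrite first, then quote: modem garbage never reaches the parser raw."""
    return ("select NASIDENTIFIER, NASPORT, ACCTSESSIONID from RADONLINE "
            "where USERNAME=" + sql_literal(rewrite_username(username)))


def literal_well_formed(query: str) -> bool:
    """Scan the literal after USERNAME=: a doubled quote is an escape, a lone
    quote closes the literal, and the query must end right at that close."""
    body = query[query.index("USERNAME=") + len("USERNAME="):]
    if not body.startswith("'"):
        return False
    i = 1
    while i < len(body):
        if body[i] == "'":
            if i + 1 < len(body) and body[i + 1] == "'":
                i += 2          # escaped quote inside the literal
                continue
            return i == len(body) - 1   # closing quote must be the last char
        i += 1
    return False                # literal never closed


# User-Name from the packet dump in the thread (as a str copy of those bytes).
MANGLED = r"'S R%H%G1\|g+%s8rEs3)o}p/G}/J?~o]F 4%7.+CBsg,'?j/?u"

if __name__ == "__main__":
    # Constructed sample names alongside the real mangled one.
    for name in (MANGLED, "gbarsotti", "jose_01", "jose-01", "caf\xe9"):
        print(repr(name[:16]), "->", rewrite_username(name),
              "/", rewrite_username_strict(name))
    print("unsafe query parses:", literal_well_formed(session_query_unsafe(MANGLED)))
    print("safe query parses:  ", literal_well_formed(session_query_safe(MANGLED)))
```

The rewrite alone already fixes the log's symptom, because the marker string contains nothing the SQL parser objects to; quoting the value properly as well (sql_literal) is the belt-and-braces step, since a name that passes the rewrite rule but still contains something unexpected should not be able to change the shape of the query.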


===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
