[letterhead illegible]

August 10, 1998

MEMORANDUM

From: [illegible]
To: [illegible]
Subj: WRIGHT PATTERSON AIR FORCE BASE (CITA) COMPUTER INTRUSION 28 8-CI-NEW

1. As requested, I forwarded a request to the Fleet Intelligence Warfare Center (FIWC) to provide all information relating to the following Russian ISPs: Cityline.ru, Microdin.ru, Sovam.com, Orc.ru, Demos.net, Demos.su. Additionally, the following passwords and tools/usernames were researched:

Passwords: [illegible]
Tools/usernames: [illegible]

2. Attached are the results of a search of the database. The FIWC will report any additional information pertinent to this tasking as it becomes available.

18 93 BEBSRM NCIS EREG 5214 445 335

10 August 1998

The following pages pertain to the Russian Internet addresses you provided. I have also included the incidents that we have seen from those sites. We don't have any information in our database on the passwords, nor do we have any information on the usernames. Additionally, we have no information regarding the files that were stolen from Wright-Patterson AFB. We don't monitor the IRC, so I can't answer the question regarding anyone bragging about this activity. Lastly, we don't have enough information to determine if this hacking style is similar to other hacks. There's nothing in our database to indicate any similarities.

Regarding the other known threats using X-Windows, the following is provided. There are three major areas to look at when talking about security concerns with an X-Windows system.

The first is access control. The xhost command denies remote connections to an X server. An improperly configured X server would allow an unauthorized user to watch keystrokes, grab copies of windows on the local system, or even export displays onto the misconfigured box.

The second concern is connections to the X server. In order to connect to the server to tell it to export its displays, a user must log into it via a shell login (rsh, telnet, or ssh). Most protocols don't use encryption, and the login could be sniffed. This would allow a hacker to use a valid account and use an X system for their own purposes.

The last concern is buffer overruns. A hacker would exploit a buffer overrun by tasking the application with input it was not designed to handle. The user would then have shell access equivalent to the access the process was running at. If the program was setuid to run as root for everybody, then the hacker has root access.

All three of the concerns can be addressed and handled. The access control problem is simple: a command of xhost denies anyone access; then access can be granted for those that absolutely need it. The login problem can be solved by using a secure login method like secure shell. The buffer overruns are a bit harder to get a hold of. These types of exploits vary from operating system to operating system. The system administrator of the network needs to know the different operating systems and check the vendor pages for alerts and patches on a routine basis. These precautions keep the security risks associated with this service under control.

I hope this information is useful and what you need. Please let me know if there is anything else I can do.

cityline.ru

inetnum: [illegible]
netname: CITYLINERU
descr: Cityline offers dial-up and leased line access to Internet
descr: for Moscow and St. Petersburg region
country: RU
admin-c: AD705-RIPE
tech-c: MB427-RIPE
status: ASSIGNED PA
mnt-by: CITYLINERU-MNT
source: RIPE

route: [illegible]
descr: Cityline dial-up and leased line
descr: for Moscow and St. Petersburg regions
origin: [AS number illegible]
mnt-by: CITYLINERU-MNT
source: RIPE

person: [illegible]
nic-hdl: AD705-RIPE
source: RIPE

microdin.ru (NAVCIRT Incident 93 5 of 6 Jan 98)

inetnum: [illegible]
netname: MICRONET
descr: MicroNet Ltd
descr: Requested network IP numbers will be used for connecting closer to MACOMNET
country: RU
admin-c: SB1164-RIPE
tech-c: [illegible]
status: ASSIGNED PA
source: RIPE

route: [illegible]
descr: 18 Novozavodskaya
descr: Moscow, Russia 121309
origin: [AS number illegible]
mnt-by: MACOMNET-MNT
source: RIPE

person: [illegible]
address: MicroNet Ltd
address: 18 Novozavodskaya
address: 121309 Moscow, Russia
phone: 7 095 145-9520
phone: 7 095 145-9522
phone: 7 095 142-0618
fax-no: 7 095 92443464 [as printed]
e-mail: [illegible]
nic-hdl: SB1164-RIPE
source: RIPE

person: [illegible]
nic-hdl: DVSG-RIPE [as printed]
source: RIPE

sovam.com

sovam.com mail exchanger (preference 200): relay2.sovam.com
sovam.com mail exchanger (preference 100): relay1.sovam.com
sovam.com nameserver: nic.near.net
sovam.com nameserver: ns.sovam.com
sovam.com nameserver: relay2.sovam.com
[internet addresses of the above hosts illegible]

Registrant: Sovam Teleport, 2A Nezhdanova 8, Moscow, Russia 109003, RU
Domain Name: SOVAM.COM
Administrative Contact: [illegible]
Technical Contact, Zone Contact: Semenyuk Igor (IS13)
Record last updated on 19-Mar-98
Record created on 22-Jan-93
Database last updated on 6-Aug-98 04:06:34 EDT
Domain servers in listed order: NS.SOVAM.COM, NS2.SOVAM.COM

inetnum: [illegible]
netname: [illegible]
descr: Sovam Teleport
descr: Moscow, Russia
country: RU
admin-c: [illegible]
tech-c: IS13
rev-srv: ns.sovam.com
rev-srv: nic.near.net
status: ASSIGNED PA
mnt-by: AS3216-MNT
source: RIPE

route: [illegible]
descr: [illegible] DELEGATED
origin: AS3216
advisory: [illegible]
mnt-by: AS3216-MNT
source: RIPE

person: [illegible] Company Ltd
address, phone, fax-no, e-mail: [illegible]
source: RIPE

person: [illegible] Ltd
e-mail: [illegible]
nic-hdl: IS13
source: RIPE

orc.ru

orc.ru mail exchanger (preference 20): orc.ru
orc.ru mail exchanger (preference 5): mail1.orc.ru
orc.ru mail exchanger (preference 10): [illegible]
orc.ru mail exchanger (preference 15): mail.ras.ru
orc.ru nameserver: ns.orc.ru
orc.ru nameserver: nss.orc.ru
orc.ru nameserver: nss.msu.ru
[internet addresses of the above hosts illegible]

Hostname: NS.ORC.RU
Coordinator: [illegible]
Record last updated on 18-Sep-97
Database last updated on 6-Aug-98 04:06:34 EDT

demos.net (NAVCIRT 98-6211 of 3 Aug 98)

demos.net mail exchanger (preference 50): relay1.demos.su
demos.net mail exchanger (preference 100): relay2.demos.su
demos.net nameserver: ns.demos.su
demos.net nameserver: ns1.demos.net
[internet addresses of the above hosts illegible]

inetnum: [illegible]
netname: [illegible]
descr: DEMOS Corporate Network
descr: Demos Plus Co Ltd
descr: Moscow, Russia
country: RU
admin-c: PA7S-RIPE [as printed]
tech-c: EDD-RIPE [as printed]
tech-c: GEM-RIPE [as printed]
tech-c: GK41-RIPE
mnt-by: AS2578-MNT
source: RIPE

route: [illegible]
origin: AS2578
mnt-by: AS2578-MNT
source: RIPE

person: [illegible]
address: [illegible] nab 6-1
address: Moscow 113035
address: Russia
phone: 7 095 9566233
phone: 7 095 9566234
fax-no: 7 095 9566042
nic-hdl: PA7S [as printed]
source: RIPE

person: [illegible]
address: Demos Company Ltd
address: 6-1 Ovchinnikovskaya nab
address: Moscow 113035
address: Russia
phone: 7 095 956 6233
phone: 7 095 956 6234
fax-no: 7 095 233 5016
nic-hdl: EDD-RIPE [as printed]
source: RIPE

demos.su

demos.su mail exchanger (preference 100): relay2.demos.su
demos.su mail exchanger (preference 50): relay1.demos.su
demos.su nameserver: ns.demos.su
demos.su nameserver: ns1.demos.net
demos.su nameserver: [illegible]
[internet addresses of the above hosts illegible]

Rights restricted by copyright.

inetnum: [illegible]
netname: [illegible]
descr: PROVIDER
descr: Demos Company Ltd
country: RU
admin-c: EDD-RIPE [as printed]
admin-c: [illegible]
tech-c: SLG-RIPE [as printed]
tech-c: GEE-RIPE [as printed]
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
source: RIPE

route: [illegible]
origin: AS2578
source: RIPE

person: [illegible]
address: Demos Company Ltd
address: 6-1 Ovchinnikovskaya nab
address: Moscow 113035
address: Russia
phone: 7 095 956 6233
phone: 7 095 956 6234
fax-no: 7 095 233 5016
nic-hdl: EDD-RIPE [as printed]
source: RIPE

person: [illegible]
address: Russian Institute for Public Networks
address: [illegible]
address: Moscow
address: Russia
phone: 7 095 1967278
fax-no: 7 095 964984 [as printed]
remarks: Admin contact for SU domain
remarks: NIC contact
source: RIPE

person: [illegible]
address: Russian Institute for Public Networks
address: 1 Kurchatov square
address: 123182 Moscow
address: Russia
phone: 7 095 196 7363
fax-no: 7 095 196 4984
nic-hdl: SUE-RIPE [as printed]
source: RIPE

person: [illegible]
address: Russian Institute for Public Network
address: 1 Kurchatov square
address: 123182 Moscow
address: Russia
phone: 7 095 192 7933
fax-no: 7 095 946 9841
nic-hdl: DEBS-RIPE [as printed]
source: RIPE

[domain illegible]: no hits on old database to mid Jul 1998
demos.net, demos.su: no hits on old database to mid Jul 1998
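The memo's first X-Windows concern is an X server left open to any host. The following script is an added example, not part of the memo or the FIWC response: it parses the status line that the xhost command prints (the two sample outputs and the host name workstation.example.com are constructed) and reports whether the server is locked down, which is the check an administrator would run before applying the "deny everyone, then grant only who needs it" sequence the memo describes.

```shell
# Audit the X server access-control state described in the memo by
# parsing xhost's output. Added example; not from the memo. Both sample
# outputs below are constructed to mirror the wording xhost prints.

# Return 0 if the output says access control is enabled, 1 if disabled.
xhost_is_locked_down() {
    case "$1" in
        *"access control enabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the hosts on the allow list (every line after the status line),
# stripped of leading whitespace, one per line. Empty when none.
xhost_allowed_hosts() {
    printf '%s\n' "$1" | sed -n '2,$p' | sed 's/^[[:space:]]*//' \
        | grep -v '^$' || true
}

# Constructed sample: the misconfigured case the memo warns about.
SAMPLE_OPEN='access control disabled, clients can connect from any host'

# Constructed sample: access control on, one named host permitted.
SAMPLE_LOCKED='access control enabled, only authorized clients can connect
INET:workstation.example.com'

# Print a verdict for one xhost output; return 1 when the server is open.
audit_xhost() {
    if xhost_is_locked_down "$1"; then
        echo "OK: access control enabled; permitted hosts:"
        xhost_allowed_hosts "$1"
        return 0
    fi
    echo "WARNING: any host may connect (keystroke and window capture risk)"
    # Remediation in the order the memo gives, run on the X server host:
    #   xhost -                          # deny everyone
    #   xhost +workstation.example.com   # then grant only hosts that need it
    return 1
}

# Run the audit over both constructed samples when executed directly.
# On a live system replace the sample with: audit_xhost "$(xhost)"
audit_xhost "$SAMPLE_OPEN" || true
audit_xhost "$SAMPLE_LOCKED"
```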