[CLUE-Tech] Lousy no-good @!$#%@#$% (cracked)

Sean LeBlanc seanleblanc at attbi.com
Mon Jan 28 21:08:44 MST 2002


On 01-28 20:39, Dave Anselmi wrote:
> Sean LeBlanc wrote:
> 
> > Well, I've been noticing weird things on my firewall box since Friday.  I
> > wasn't able to SSH in several times, had to turn it on from the console,
> > only to discover hours later or next day it's not working again. So this
> > morning I'm eating my bagel and coffee before work and I decide to try SSH
> > again.  It's not on. So I start getting suspicious (finally) and decide to
> > snoop about for any foul play - sure enough, I've been cracked.
> 
> That's cool!  Well, not for you, but that I now know someone who has been and
> mostly that you were able to find hard evidence of it.  (Not the "I keep getting
> this blue screen, could I have a virus?" whining.)

:) Yeah, how many times have we all got to hear that? Even if a Dr. Watson
happens, people suspect they have a virus. 

Actually, it *is* sort of cool, even for me, since he didn't do any data
damage (yet)...there really isn't much I care about on that machine that I
couldn't recover from - but it's not as if I care to go through getting it
again. It'd be even cooler if there were 48 hours in a day. My Inner
Nerd(tm) can't help but be fascinated by it, though. I still wouldn't mind
getting a nice, firm grip on this fellow's neck...

> 
> [...]
> 
> 
> > I also scribbled down the IP numbers from where some of the logins took
> > place. Is there anything I can do in retaliation?
> 
> Retaliation is pointless IMHO.  Most likely you'd blast some site that's a
> victim like you.  Now a honeypot is a different story.  Take a look at that, and
> the deception toolkit (sorry, no URLs handy at the moment).

Whoops, retaliation wasn't the best word. I meant more along the lines of
legal or other type of recourse. Yeah, unleashing the dogs of war (a little
Texas justice, shall we say?) on that IP would be a bad idea, since it's
probably not the culprit.  Yeah, a honeypot would be cool if I had the
time...I almost wish this happened when I was out of work.

> 
> [...]
> 
> 
> > Prior to attack, I was running some services which I know I shouldn't have
> > been, at least not without denying packets from outside - bind, smbd, nmbd,
> > identd. I still have no idea what he did to crack the machine, and that really
> > bothers me. What I'd like to do is get ipchains rules together that block
> > all incoming packets except for ssh and except for stuff returning from
> > machines behind firewall. Getting cut off from the home machine while at work is
> > a real PITA w/o the added worry of what this induhvidual's intentions are...
> 
> Running NAT (source only, no destination) is a good way to protect machines
> behind your router (wherever you do the NAT).  You can use DNAT to let in SSH,
> but it would be good to limit the source addresses you allow (there are several
> places you can do that).  Linux firewalling is good enough and easy enough that
> you can run iptables on every machine.  But running a bunch of services isn't a
> good idea on a firewall, as you see.

Yeah, I guess it was only a matter of time. I've been running it this way
(well, not always running bind or identd) for almost two years.

> Here's a link to what Rusty has to say.  It gets you most of what you want as
> far as only letting outbound connections through:
> 
> http://netfilter.samba.org/unreliable-guides/packet-filtering-HOWTO/packet-filtering-HOWTO.linuxdoc-5.html
> 
> HTH.  Good luck with the cleanup.

I'm using ipchains at the moment. 

Frantically downloading OpenBSD...I wanted to do this anyway, so this guy
might just be doing me a favor. I want to leave the box I am using as a
firewall intact, and install a firewall that doesn't even have gcc or the
like on it, then move current machine behind firewall. 

-- 
Sean LeBlanc:seanleblanc at attbi.com Yahoo:seanleblancathome 
ICQ:138565743 MSN:seanleblancathome AIM:sleblancathome 
Anti-trust laws should be approached with exactly that attitude. 
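An added example, not from either poster: a modern iptables ruleset (iptables-restore syntax, not ipchains) for the layout Dave describes above, where the router does source NAT only, lets in nothing but SSH from one allow-listed address, and passes only return traffic to the machines behind it. The interface names, LAN prefix and admin source address are assumed placeholders.

```shell
#!/bin/sh
# Emits an iptables-restore ruleset for a two-interface Linux router.
# Assumed site values (override via environment): WAN/LAN interface names,
# the private LAN prefix, and the single address allowed to SSH in.
WAN_IF="${WAN_IF:-eth0}"                  # assumed: interface facing the ISP
LAN_IF="${LAN_IF:-eth1}"                  # assumed: interface facing the home LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}"      # assumed: private LAN prefix
SSH_FROM="${SSH_FROM:-203.0.113.10/32}"   # assumed: e.g. the office address

gen_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Source NAT only: LAN hosts get out, no destination NAT lets anything in.
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Replies to connections the router itself opened.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Administration: new SSH sessions only from the allow-listed source, logged.
-A INPUT -i $WAN_IF -p tcp -s $SSH_FROM --dport 22 -m conntrack --ctstate NEW -m limit --limit 10/min -j LOG --log-prefix "ssh-in: "
-A INPUT -i $WAN_IF -p tcp -s $SSH_FROM --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
# Everything else (bind, smbd, nmbd, identd, ...) is unreachable from the WAN;
# a rate-limited log of the drops gives evidence if someone keeps probing.
-A INPUT -i $WAN_IF -m limit --limit 5/min -j LOG --log-prefix "wan-drop: "
# LAN hosts may go out; only their return traffic is forwarded back in.
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Self-check: how many rules ACCEPT new inbound TCP from the WAN? Must be 1 (SSH).
exposed_services() { gen_rules | grep -c -- "-A INPUT -i $WAN_IF -p tcp .*-j ACCEPT"; }

if [ "$1" = "--apply" ]; then
  gen_rules | iptables-restore   # atomic load of the whole table set; run as root
else
  gen_rules                      # default: print the ruleset for review
fi
```

Review the printed output first, then load it with `--apply`; the default policies go in with the rules in one atomic step, so there is no window where the box sits open.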