[CLUE-Tech] Hacker question

black at galaxy.silvren.com
Fri Aug 1 09:22:01 MDT 2003


It may also be worth scanning your boxes with Nessus or some other
relatively mature tool and just seeing what it comes up with. I try to do
that on our DMZ machines on a regular basis, especially since it's so easy
to do: I just type in the network address, let it go, then read the
report.


On Thu, 31 Jul 2003, Crawford Rainwater wrote:

> A couple of wild guesses to look at here.
>
> - What does "last" show you on the box (might want to
>   cut and paste this to the list for more input)?  Might
>   have an IP addy that is unusual for tracing purposes.
>
> - Do you have ssh1 disabled and only ssh2?
>
> - Is there a (from memory here) in /root/.ssh a "key_athorize2"
>   (might have the spelling wrong on the file) that has a current
>   date?  Could indicate that a new key is placed there by your visitor.
>
> The latter two are an interesting access issue with ssh2 that I
> know of (again, not in front of a Linux machine at the moment for
> the correct file name there).  This allows a remote root user access
> without root password, just via the ssh key.
>
> Might want to look up a few tools on SourceForge for the hacking
> end, then think about Bastille and/or SE Linux for hardening things.
>
> HTH.
>
> --- Crawford
>
> > -----Original Message-----
> > From: clue-tech-admin at clue.denver.co.us
> > [mailto:clue-tech-admin at clue.denver.co.us]On Behalf Of Mike Staver
> > Sent: Thursday, July 31, 2003 5:28 PM
> > To: CLUE LUG
> > Subject: [CLUE-Tech] Hacker question
> >
> >
> > I have had 3 RedHat 7.3 boxes apparently compromised on my network this
> > week alone.  I have no clue if I need to contact the FBI on this issue
> > (I just tried, and they said they didn't know if a crime had even been
> > committed), but I don't think they are going to worry about my piddly
> > little network here.  So, my company is on its own - and here are some
> > stats on my box:
> >
> > RedHat 7.3
> > Kernel 2.4.20-19.7smp
> > openssh-3.1p1-6
> > openssh-server-3.1p1-6
> > openssh-clients-3.1p1-6
> > samba-2.2.7-3.7.3
> > apache-1.3.27-2
> > openssl-devel-0.9.6b-32.7
> > openssl-0.9.6b-32.7
> > openssl-perl-0.9.6b-32.7
> > mod_ssl-2.8.12-2
> >
> > Now, if we scan the machines in question, this is what ports are open:
> >
> > Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
> > Host blah (xx.xx.xx.xx) appears to be up ... good.
> > Initiating SYN Stealth Scan against www1.globaltaxnetwork.com
> > (xx.xx.xx.xx)
> > Adding open port 80/tcp
> > Adding open port 19/tcp
> > Adding open port 22/tcp
> > Adding open port 139/tcp
> > Adding open port 443/tcp
> > Adding open port 111/tcp
> > The SYN Stealth Scan took 0 seconds to scan 1601 ports.
> > For OSScan assuming that port 19 is open and port 1 is closed and
> > neither are firewalled
> > Interesting ports on blah (xx.xx.xx.xx):
> > (The 1595 ports scanned but not shown below are in state: closed)
> > Port       State       Service
> > 19/tcp     open        chargen
> > 22/tcp     open        ssh
> > 80/tcp     open        http
> > 111/tcp    open        sunrpc
> > 139/tcp    open        netbios-ssn
> > 443/tcp    open        https
> > Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
> > Uptime 3.032 days (since Mon Jul 28 14:51:01 2003)
> > TCP Sequence Prediction: Class=random positive increments
> >                          Difficulty=1104306 (Good luck!)
> > IPID Sequence Generation: All zeros
> >
> > Whoever compromised my machine did it with only ports 443 and 80 open
> > to it through my firewall.  I have no idea how this happened.  I have
> > the latest apache from RedHat; is that version susceptible to a buffer
> > overflow of some kind that I'm unaware of?  My RedHat 9 boxes are fine -
> > only the 7.3 boxes have been affected, 3 of them so far this week.  And
> > what happens when these boxes get compromised is that my routers get
> > shut down because they are apparently DDoSing grc.com.  I see a lot of
> > ircd traffic on port 6667, and many other ports as well.  The machines
> > the ircd traffic is coming from are:
> >
> > undernet.irc.rcn.net
> > undernet.tiscali.be
> > ircu.bredband.com
> > minotor.spale.com
> > proxyscan.undernet.org
> >
> > Besides upgrading to RedHat 9 on these boxes (which isn't an option
> > yet), how can I protect myself, and who should I report this activity
> > to?  I now don't get to go home tonight to spend time with my family; I'm
> > forced to rebuild these damned boxes from scratch once again.
> >
> > --
> >
> >                                 -Mike Staver
> >                                  staver at fimble.com
> >                                  mstaver at globaltaxnetwork.com
> >
> >
> > _______________________________________________
> > CLUE-Tech mailing list
> > Post messages to: CLUE-Tech at clue.denver.co.us
> > Unsubscribe or manage your options: http://clue.denver.co.us/mailman/listinfo/clue-tech

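The checks Crawford lists above (look at `last`, confirm sshd no longer speaks SSH-1, look for a key in root's authorized_keys file that nobody installed) and a comparison of Mike's nmap port table against what the firewall is meant to pass, as an added Python example. This is not code from the list thread: the `last`, sshd_config, authorized_keys and nmap inputs are constructed samples with placeholder addresses and made-up key blobs, and the function names are mine.

```python
"""Triage helpers for the checks discussed in this thread.

Added example, not code from the list posting. Every input below is a
constructed sample (RFC 5737 placeholder addresses, made-up key blobs).
"""
import re

WEEKDAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")

# Constructed `last` output in the classic wtmp layout.
SAMPLE_LAST = """\
root     pts/0        192.0.2.10       Thu Jul 31 16:40   still logged in
root     pts/1        198.51.100.77    Wed Jul 30 03:12 - 03:40  (00:28)
mike     pts/0        192.0.2.10       Tue Jul 29 09:05 - 17:30  (08:25)
root     tty1                          Tue Jul 29 08:00 - 08:10  (00:10)
reboot   system boot  2.4.20-19.7smp   Mon Jul 28 14:51         (3+01:49)

wtmp begins Mon Jul 28 14:51:01 2003
"""

# Constructed sshd_config fragment. OpenSSH 3.x still negotiated SSH-1 with
# "Protocol 2,1", which was also the default when the directive was absent.
SAMPLE_SSHD_CONFIG = """\
Port 22
Protocol 2,1
PermitRootLogin yes
"""

# Constructed /root/.ssh/authorized_keys2 with one key the admin never installed.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAexampleadmin mike@workstation
ssh-dss AAAAB3NzaC1kc3MAAACBAexampleplanted r00t
"""
APPROVED_KEY_BLOBS = {"AAAAB3NzaC1yc2EAAAABIwAAAIEAexampleadmin"}

# Constructed nmap 3.00 report in the same shape as the one in the thread.
SAMPLE_NMAP = """\
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Adding open port 80/tcp
Interesting ports on blah (192.0.2.5):
(The 1595 ports scanned but not shown below are in state: closed)
Port       State       Service
19/tcp     open        chargen
22/tcp     open        ssh
80/tcp     open        http
111/tcp    open        sunrpc
139/tcp    open        netbios-ssn
443/tcp    open        https
"""
FIREWALL_ALLOWED = {80, 443}  # what the firewall is supposed to pass (assumption)


def unexpected_logins(last_output, trusted_prefixes):
    """(user, host, timestamp) for logins from hosts outside trusted_prefixes.
    Console logins (no host field), reboot records and 'wtmp begins' are skipped."""
    hits = []
    for line in last_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] in ("reboot", "wtmp"):
            continue
        user, host = parts[0], parts[2]
        if host in WEEKDAYS:  # console login: third field is already the date
            continue
        if not any(host.startswith(p) for p in trusted_prefixes):
            hits.append((user, host, " ".join(parts[3:7])))
    return hits


def ssh1_enabled(sshd_config):
    """True if the Protocol directive lets sshd negotiate SSH-1.
    A missing directive counts as enabled because OpenSSH 3.x defaulted to 2,1."""
    for line in sshd_config.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"protocol\s+([\d,]+)", line, re.IGNORECASE)
        if m:
            return "1" in m.group(1).split(",")
    return True


def unknown_keys(authorized_keys, approved_blobs):
    """(type, comment) for keys whose blob is not on the approved list.
    Handles SSH-1 lines (bits exponent modulus comment), SSH-2 lines and
    lines prefixed with options such as from="..." (first ssh-* field)."""
    unknown = []
    for line in authorized_keys.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].isdigit() and len(fields) >= 3:  # SSH-1 RSA key
            ktype, blob, comment = "rsa1", fields[2], " ".join(fields[3:])
        else:
            idx = next((i for i, f in enumerate(fields) if f.startswith("ssh-")), None)
            if idx is None or idx + 1 >= len(fields):
                continue  # not a key line this parser understands
            ktype, blob = fields[idx], fields[idx + 1]
            comment = " ".join(fields[idx + 2:])
        if blob not in approved_blobs:
            unknown.append((ktype, comment))
    return unknown


def open_ports(nmap_output):
    """Parse the 'port/proto  state  service' table of an nmap report."""
    ports = {}
    for line in nmap_output.splitlines():
        m = re.match(r"(\d+)/(tcp|udp)\s+open\s+(\S+)", line)
        if m:
            ports[int(m.group(1))] = m.group(3)
    return ports


def unexpected_ports(nmap_output, firewall_allowed):
    """Listening services the firewall policy does not account for; still
    reachable from anything already on the DMZ segment or on the box."""
    return {p: s for p, s in open_ports(nmap_output).items() if p not in firewall_allowed}


def triage():
    """Run all four checks over the constructed samples."""
    return {
        "logins": unexpected_logins(SAMPLE_LAST, ("192.0.2.",)),
        "ssh1": ssh1_enabled(SAMPLE_SSHD_CONFIG),
        "keys": unknown_keys(SAMPLE_AUTHORIZED_KEYS, APPROVED_KEY_BLOBS),
        "ports": unexpected_ports(SAMPLE_NMAP, FIREWALL_ALLOWED),
    }


if __name__ == "__main__":
    for name, finding in triage().items():
        print(f"{name}: {finding}")
```

On a real box, feed it the output of `last`, /etc/ssh/sshd_config, root's authorized_keys and authorized_keys2, and a fresh nmap report. Treat hits from an already-compromised host as leads rather than proof: wtmp can be trimmed and the `last`, `ls` and `netstat` binaries replaced, so the `last` and key-file checks are only as trustworthy as the binaries and logs they read, while the nmap view from another machine is harder to hide.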