[CLUE-Tech] Hacker question

Jeremiah Stanley lists at miah.org
Fri Aug 1 11:06:24 MDT 2003


> Whoever compromised my machine, did it with only ports 443 and 80 open 
> to it through my firewall.  I have no idea how this happened.  I have 
> the latest apache from RedHat, is that version susceptible to a buffer 
> overflow of some kind that I'm unaware of?  My RedHat 9 boxes are fine - 
> only the 7.3 boxes have been affected, 3 of them so far this week.  And 
> what happens when these boxes get compromised is that my routers get 
> shut down because they are apparently ddos'n grc.com.  I see a lot of 
> ircd traffic on port 6667, and many other ports as well.  The machines 
> the ircd traffic is coming from are:

Ok, I would first be suspicious of any CGI applications that you have
running. Apache doesn't have to have a buffer overflow if you can
inject trash into a CGI script (this is mostly what suexec is for).
First step, if you don't need apache on these machines, don't run it.
Second, you have a firewall, do you not? Turn off all access to ports
outside of a range that you specify it can use (basically block all
outgoing traffic from these machines save for the traffic that you
intend them to transmit). Block all outgoing content from these machines
to common IRC ports. It is pretty easy to block non-http traffic.
Somebody check me on this but you just block outgoing traffic based on
the source port.

And lastly, log all packets that are invalid to your rules and have them
shipped off to you at least once a week.

And until you solve this issue, drop all packets headed for grc.com.

-- 
JStanley <miah at miah.org>
http://www.slavewage.com/
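The egress-filtering and log-review advice in the reply above, as an added example (not code from the original post or from the list): a script that emits an iptables OUTPUT rule set for a web server that should only answer on 80/443 and never originate IRC or flood traffic, plus a small log summariser for the weekly review. Note that an outgoing IRC connection leaves the host with an ephemeral source port; 6667 shows up as the destination port, so the rules match on --dport. Hostnames given to -d (such as grc.com) are resolved once, when the rule is loaded. The interface name eth0, the resolver and NTP addresses (192.0.2.x documentation space), the IRC port list and the log lines are all constructed assumptions.

```sh
#!/bin/sh
# Added example, not part of the original post. Emits iptables commands
# instead of running them so the rule set can be reviewed offline;
# apply with:  sh egress.sh | sh     (as root, on the affected host)
# Assumed (hypothetical) values: override via the environment.
IFACE="${IFACE:-eth0}"                 # Internet-facing interface
DNS_SERVER="${DNS_SERVER:-192.0.2.53}" # only resolver the box may use
NTP_SERVER="${NTP_SERVER:-192.0.2.123}"
IRC_PORTS="6660:6669,7000"             # common ircd ports to refuse

# Default-deny OUTPUT chain: the host may answer established connections
# (its own 80/443 traffic) and talk to DNS/NTP, nothing else. IRC attempts
# are logged then dropped; any other new outbound connection is logged
# (rate-limited) and falls through to the DROP policy. The policy is set
# last so an admin SSH session is not cut while the rules are loading.
egress_rules() {
    cat <<EOF
iptables -F OUTPUT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p udp -d $DNS_SERVER --dport 53 -j ACCEPT
iptables -A OUTPUT -o $IFACE -p udp -d $NTP_SERVER --dport 123 -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp -m multiport --dports $IRC_PORTS -m limit --limit 10/min -j LOG --log-prefix "IRC-EGRESS "
iptables -A OUTPUT -o $IFACE -p tcp -m multiport --dports $IRC_PORTS -j DROP
iptables -A OUTPUT -o $IFACE -m state --state NEW -m limit --limit 10/min -j LOG --log-prefix "EGRESS-DROP "
iptables -P OUTPUT DROP
EOF
}

# Emergency rule for "drop all packets headed for grc.com": inserted at
# position 1 so it wins even over the ESTABLISHED rule. iptables resolves
# a hostname at load time, one rule per A record.
block_destination() {
    printf 'iptables -I OUTPUT 1 -d %s -j DROP\n' "$1"
}

# Weekly review helper: reads kernel log lines (syslog) on stdin and
# prints "count source dport" for each IRC-EGRESS hit, busiest first.
summarize_egress_log() {
    awk '
    /IRC-EGRESS/ {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src != "" && dpt != "") n[src " " dpt]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# Constructed sample log lines in the format the LOG target writes.
SAMPLE_LOG='Aug  1 11:06:24 www kernel: IRC-EGRESS IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=TCP SPT=32841 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Aug  1 11:06:31 www kernel: IRC-EGRESS IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4322 DF PROTO=TCP SPT=32842 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Aug  1 11:07:02 www kernel: EGRESS-DROP IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4330 DF PROTO=TCP SPT=32850 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Aug  1 11:09:40 www kernel: IRC-EGRESS IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4340 DF PROTO=TCP SPT=32860 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Aug  1 11:12:15 www kernel: IRC-EGRESS IN= OUT=eth0 SRC=10.0.0.9 DST=198.51.100.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=77 DF PROTO=TCP SPT=1035 DPT=7000 WINDOW=5840 RES=0x00 SYN URGP=0'

if [ "${1:-}" = "show" ]; then
    egress_rules
    block_destination grc.com
elif [ "${1:-}" = "summary" ]; then
    printf '%s\n' "$SAMPLE_LOG" | summarize_egress_log
fi
```

Run with `show` to print the rule set and `summary` to see the report on the constructed lines (10.0.0.5 appears three times against port 6667, 10.0.0.9 once against 7000). On a live host, feed /var/log/messages to summarize_egress_log from a weekly cron job and mail the result; a box that keeps appearing in the IRC-EGRESS summary after the rules are in place is still compromised and should be rebuilt, not just firewalled.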
