[CLUE-Tech] Hacker question

Solid D skitzot33 at yahoo.com
Sat Aug 2 01:26:21 MDT 2003


yeah, nessus rocks.  Hell even Saint/Satan, nmap (Just
to see what it says), everything.  The best way to
protect your network is by trying to break into it. 
If you have a webserver, especially if it's IIS, run
cgi/exploit scans on it.  Best way to stay ahead of
everyone, oh and please everyone, if you have a cisco
router, change the fucking password from cisco to
something 13 digits long with numbers, I am so tired
of seeing cisco as the vty pass and the Enable pass,
how lazy are people.  Oh, and check your IOS version,
there was a bad vulnerability to 11 and something else
a while back, and use MD5 encryption not cisco's lame
ass one.  

oh, on a more serious note.  If you really need some
help with this, I'm a bit of a grey-hat, so I can scan
your ports and just give you a basic idea of what I
think needs to be tightened down.  I like doing that
stuff for people, makes for great resume candy. 

One last thing, if your network isn't switched, or
even if it is, watch out for Dsniff or tcpdump, hell
these script kiddies are getting decent sometimes,
also keep an eye out for arp floods, they force the
switch into passive hub mode and allow for traffic to
be sniffed...

peace... and luck

skitzot33 at yahoo.com

--- black at galaxy.silvren.com wrote:
> It may also be worth scanning your boxes with Nessus or some other
> relatively mature tools and just see what they come up with. I try to do
> that on our DMZ machines on a regular basis, especially since it's so easy
> to do, I just type in the network address and let it go, then read the
> report.
> 
> 
> On Thu, 31 Jul 2003, Crawford Rainwater wrote:
> 
> > A couple of wild guesses to look at here.
> >
> > - What does "last" show you on the box (might want to
> >   cut and paste this to the list for more input)?  Might
> >   have an IP addy that is unusual for tracing purposes.
> >
> > - Do you have ssh1 disabled and only ssh2?
> >
> > - Is there a (from memory here) in /root/.ssh a "key_athorize2"
> >   (might have the spelling wrong on the file) that has a current
> >   date?  Could indicate that a new key is placed there by your visitor.
> >
> > The latter two are an interesting access issue with ssh2 that I
> > know of (again, not in front of a Linux machine at the moment for
> > the correct file name there).  This allows a remote root user access
> > without root password, just via the ssh key.
> >
> > Might want to look up a few tools on SourceForge for the hacking
> > end, then think about Bastille and/or SE Linux for hardening things.
> >
> > HTH.
> >
> > --- Crawford
> >
> > > -----Original Message-----
> > > From: clue-tech-admin at clue.denver.co.us
> > > [mailto:clue-tech-admin at clue.denver.co.us]On Behalf Of Mike Staver
> > > Sent: Thursday, July 31, 2003 5:28 PM
> > > To: CLUE LUG
> > > Subject: [CLUE-Tech] Hacker question
> > >
> > >
> > > I have had 3 RedHat 7.3 boxes apparently compromised on my network this
> > > week alone.  I have no clue if I need to contact the FBI on this issue
> > > (I just tried, and they said they didn't know if a crime had even been
> > > committed), but I don't think they are going to worry about my piddly
> > > little network here.  So, my company is on its own - and here are some
> > > stats on my box:
> > >
> > > RedHat 7.3
> > > Kernel 2.4.20-19.7smp
> > > openssh-3.1p1-6
> > > openssh-server-3.1p1-6
> > > openssh-clients-3.1p1-6
> > > samba-2.2.7-3.7.3
> > > apache-1.3.27-2
> > > openssl-devel-0.9.6b-32.7
> > > openssl-0.9.6b-32.7
> > > openssl-perl-0.9.6b-32.7
> > > mod_ssl-2.8.12-2
> > >
> > > Now, if we scan the machines in question, this is what ports are open:
> > >
> > > Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
> > > Host blah (xx.xx.xx.xx) appears to be up ... good.
> > > Initiating SYN Stealth Scan against www1.globaltaxnetwork.com (xx.xx.xx.xx)
> > > Adding open port 80/tcp
> > > Adding open port 19/tcp
> > > Adding open port 22/tcp
> > > Adding open port 139/tcp
> > > Adding open port 443/tcp
> > > Adding open port 111/tcp
> > > The SYN Stealth Scan took 0 seconds to scan 1601 ports.
> > > For OSScan assuming that port 19 is open and port 1 is closed and neither are firewalled
> > > Interesting ports on blah (xx.xx.xx.xx):
> > > (The 1595 ports scanned but not shown below are in state: closed)
> > > Port       State       Service
> > > 19/tcp     open        chargen
> > > 22/tcp     open        ssh
> > > 80/tcp     open        http
> > > 111/tcp    open        sunrpc
> > > 139/tcp    open        netbios-ssn
> > > 443/tcp    open        https
> > > Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
> > > Uptime 3.032 days (since Mon Jul 28 14:51:01 2003)
> > > TCP Sequence Prediction: Class=random positive increments
> > >                          Difficulty=1104306 (Good luck!)
> > > IPID Sequence Generation: All zeros
> > >
> > > Whoever compromised my machine, did it with only ports 443 and 80 open
> > > to it through my firewall.  I have no idea how this happened.  I have
> > > the latest apache from RedHat, is that version susceptible to a buffer
> > > overflow of some kind that I'm unaware of?  My RedHat 9 boxes are fine -
> > > only the 7.3 boxes have been affected, 3 of them so far this week.  And
> > > what happens when these boxes get compromised is that my routers get
> > > shut down because they are apparently ddos'n grc.com.  I see a lot of
> > > ircd traffic on port 6667, and many other ports as well.  The machines
> > > the ircd traffic is coming from are:
> > >
> > > undernet.irc.rcn.net
> > > undernet.tiscali.be
> > > ircu.bredband.com
> > > minotor.spale.com
> > > proxyscan.undernet.org
> > >
> > > Besides upgrading to RedHat 9 on these boxes (which isn't an option
> > > yet), how can I protect myself, and who should I report this activity
> > > to?? I now don't get to go home tonight to spend time with my family, I'm
> > > forced to rebuild these damned boxes from scratch once again.
> > >
> > > --
> > >
> > >                                 -Mike Staver
> > >                                 staver at fimble.com
> > >                                 mstaver at globaltaxnetwork.com
> > >
> > >
> > > _______________________________________________
> > > CLUE-Tech mailing list
> > > Post messages to: CLUE-Tech at clue.denver.co.us
> > > Unsubscribe or manage your options:
> > > http://clue.denver.co.us/mailman/listinfo/clue-tech
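Crawford's checklist in the quoted message (what does "last" show, is SSH-1 disabled, has an authorized_keys file turned up with a fresh date) as one script you can run on the suspect box. This is an added example, not code from anyone in the thread. The "last -a" listing, the sshd_config excerpt and the two key files it inspects are constructed samples so it runs offline; the expected-host list 10.0.0.5 and the 7-day window are assumptions, and a missing Protocol line is treated as allowing SSH-1, which is the compiled-in default for OpenSSH 3.x.

```shell
#!/bin/sh
# Triage checks for a box suspected of being entered over ssh: review
# "last", confirm sshd only speaks protocol 2, and look for authorized_keys
# files written recently.  Inputs below are constructed samples (not from
# the thread); on a real host feed the output of "last -a",
# /etc/ssh/sshd_config and /root instead.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed "last -a" listing.  With -a the originating host is the
# last column; console logins have no host there.
cat > "$WORK/last.txt" <<'EOF'
mike     pts/0        Thu Jul 31 08:12   still logged in   10.0.0.5
root     pts/1        Wed Jul 30 03:41 - 03:55  (00:14)    203.0.113.77
mike     pts/0        Tue Jul 29 09:02 - 17:30  (08:28)    10.0.0.5
reboot   system boot  Mon Jul 28 14:51          (3+01:12)  2.4.20-19.7smp
root     tty1         Mon Jul 28 14:53 - 15:10  (00:17)

wtmp begins Mon Jul 28 14:51:01 2003
EOF

# Constructed sshd_config excerpt with SSH-1 still enabled.
cat > "$WORK/sshd_config" <<'EOF'
Port 22
Protocol 2,1
PermitRootLogin yes
EOF

# Two key files: one dated long ago, one that appeared just now.
mkdir -p "$WORK/root/.ssh"
: > "$WORK/root/.ssh/authorized_keys"
touch -t 200307010000 "$WORK/root/.ssh/authorized_keys"   # 1 July 2003
: > "$WORK/root/.ssh/authorized_keys2"                      # mtime = now

# Print "user host" for each login in a "last -a" listing ($1) whose
# source host is not in the whitespace-separated expected list ($2).
# Reboot records, the wtmp trailer and console logins are skipped.
unexpected_logins() {
    awk -v ok="$2" '
        BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) good[a[i]] = 1 }
        NF == 0 || $1 == "reboot" || $1 == "wtmp" { next }
        $NF ~ /^\(/ { next }            # last field is a duration: console login
        !($NF in good) { print $1, $NF }
    ' "$1"
}

# Print "ssh1-allowed" or "ssh2-only" for an sshd_config ($1).  A missing
# Protocol line counts as allowing SSH-1 (the OpenSSH 3.x default).
ssh1_status() {
    proto=$(sed -n 's/^[[:space:]]*Protocol[[:space:]]\{1,\}//p' "$1" | tail -n 1)
    case "${proto:-2,1}" in
        *1*) echo ssh1-allowed ;;
        *)   echo ssh2-only ;;
    esac
}

# List authorized_keys / authorized_keys2 files under $1 modified within
# the last $2 days (find -mtime counts whole 24-hour periods).
recent_authorized_keys() {
    find "$1" -type f \( -name authorized_keys -o -name authorized_keys2 \) \
        -mtime "-$2" | sort
}

echo "== logins from hosts outside the expected set =="
unexpected_logins "$WORK/last.txt" "10.0.0.5"
echo "== sshd protocol =="
ssh1_status "$WORK/sshd_config"
echo "== authorized_keys files written in the last 7 days =="
recent_authorized_keys "$WORK/root" 7
```

On the sample data the first check reports the root login from 203.0.113.77, the second reports ssh1-allowed, and the third lists only authorized_keys2. Treat a hit on the third check the way Crawford describes: a key the intruder dropped in gives root access with no password, so it survives a password change. Also keep in mind that "last" reads wtmp, which an intruder with root can edit, so an empty result is not proof of anything.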


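The port table from Mike's nmap run, diffed against the ports the host is actually supposed to serve. This is an added example, not code from the thread; the scan text is copied from the quoted post, and the allowed set (80 and 443 for the web server plus 22 for administration) is an assumption. The point it makes is that chargen, sunrpc and netbios-ssn are listening on a DMZ web server whether or not the perimeter firewall passes them.

```shell
#!/bin/sh
# Flag open ports in an nmap report that are not in the allowed set.  The
# scan text below is the listing posted in the thread; the allowed set is
# an assumption.  Feed a fresh "nmap -sS host" run for a live check.

SCAN=$(mktemp)
trap 'rm -f "$SCAN"' EXIT
cat > "$SCAN" <<'EOF'
Interesting ports on blah (xx.xx.xx.xx):
(The 1595 ports scanned but not shown below are in state: closed)
Port       State       Service
19/tcp     open        chargen
22/tcp     open        ssh
80/tcp     open        http
111/tcp    open        sunrpc
139/tcp    open        netbios-ssn
443/tcp    open        https
EOF

# Print "port/proto service" for every open port in an nmap report ($1)
# that is not in the whitespace-separated allowed list ($2).
unexpected_open_ports() {
    awk -v ok="$2" '
        BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) good[a[i]] = 1 }
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" && !($1 in good) { print $1, $3 }
    ' "$1"
}

# Turn the unexpected ports into host-firewall rules as a stopgap until
# the services behind them (inetd chargen, portmap, smbd) are switched off.
drop_rules() {
    unexpected_open_ports "$1" "$2" | while read -r port service; do
        proto=${port#*/}
        echo "iptables -A INPUT -p $proto --dport ${port%/*} -j DROP   # $service"
    done
}

ALLOWED="22/tcp 80/tcp 443/tcp"
echo "== open ports not in the allowed set ($ALLOWED) =="
unexpected_open_ports "$SCAN" "$ALLOWED"
echo "== stopgap rules =="
drop_rules "$SCAN" "$ALLOWED"
```

On the posted scan this flags 19/tcp chargen, 111/tcp sunrpc and 139/tcp netbios-ssn. The rules are only a stopgap: the lasting fix is to remove the entries from inetd and stop portmap and samba on a box whose only job is serving 80 and 443, and to rerun the scan afterwards so the table shows just the three expected ports.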


