[CLUE-Tech] Hacker question

Mike Staver staver at fimble.com
Thu Jul 31 16:28:29 MDT 2003


I have had 3 RedHat 7.3 boxes apparently compromised on my network this 
week alone.  I have no clue if I need to contact the FBI on this issue 
(I just tried, and they said they didn't know if a crime had even been 
committed), but I don't think they are going to worry about my piddly 
little network here.  So, my company is on its own - and here are some 
stats on my box:

RedHat 7.3
Kernel 2.4.20-19.7smp
openssh-3.1p1-6
openssh-server-3.1p1-6
openssh-clients-3.1p1-6
samba-2.2.7-3.7.3
apache-1.3.27-2
openssl-devel-0.9.6b-32.7
openssl-0.9.6b-32.7
openssl-perl-0.9.6b-32.7
mod_ssl-2.8.12-2

Now, if we scan the machines in question, this is what ports are open:

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host blah (xx.xx.xx.xx) appears to be up ... good.
Initiating SYN Stealth Scan against www1.globaltaxnetwork.com (xx.xx.xx.xx)
Adding open port 80/tcp
Adding open port 19/tcp
Adding open port 22/tcp
Adding open port 139/tcp
Adding open port 443/tcp
Adding open port 111/tcp
The SYN Stealth Scan took 0 seconds to scan 1601 ports.
For OSScan assuming that port 19 is open and port 1 is closed and 
neither are firewalled
Interesting ports on blah (xx.xx.xx.xx):
(The 1595 ports scanned but not shown below are in state: closed)
Port       State       Service
19/tcp     open        chargen                
22/tcp     open        ssh                    
80/tcp     open        http                   
111/tcp    open        sunrpc                 
139/tcp    open        netbios-ssn            
443/tcp    open        https                  
Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
Uptime 3.032 days (since Mon Jul 28 14:51:01 2003)
TCP Sequence Prediction: Class=random positive increments
                         Difficulty=1104306 (Good luck!)
IPID Sequence Generation: All zeros

Whoever compromised my machine did it with only ports 443 and 80 open 
to it through my firewall.  I have no idea how this happened.  I have 
the latest apache from RedHat; is that version susceptible to a buffer 
overflow of some kind that I'm unaware of?  My RedHat 9 boxes are fine - 
only the 7.3 boxes have been affected, 3 of them so far this week.  And 
what happens when these boxes get compromised is that my routers get 
shut down because they are apparently DDoSing grc.com.  I see a lot of 
ircd traffic on port 6667, and many other ports as well.  The machines 
the ircd traffic is coming from are:

undernet.irc.rcn.net
undernet.tiscali.be
ircu.bredband.com
minotor.spale.com
proxyscan.undernet.org

Besides upgrading to RedHat 9 on these boxes (which isn't an option 
yet), how can I protect myself, and who should I report this activity 
to?  I now don't get to go home tonight to spend time with my family; I'm 
forced to rebuild these damned boxes from scratch once again. 

-- 

                                -Mike Staver
                                 staver at fimble.com
                                 mstaver at globaltaxnetwork.com
