[CLUE-Tech] Hacker question
Mike Staver
staver at fimble.com
Thu Jul 31 16:28:29 MDT 2003
I have had 3 RedHat 7.3 boxes apparently compromised on my network this
week alone. I have no clue if I need to contact the FBI on this issue
(I just tried, and they said they didn't know if a crime had even been
committed), but I don't think they are going to worry about my piddly
little network here. So, my company is on its own - and here are some
stats on my box:
RedHat 7.3
Kernel 2.4.20-19.7smp
openssh-3.1p1-6
openssh-server-3.1p1-6
openssh-clients-3.1p1-6
samba-2.2.7-3.7.3
apache-1.3.27-2
openssl-devel-0.9.6b-32.7
openssl-0.9.6b-32.7
openssl-perl-0.9.6b-32.7
mod_ssl-2.8.12-2
Now, if we scan the machines in question, this is what ports are open:
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host blah (xx.xx.xx.xx) appears to be up ... good.
Initiating SYN Stealth Scan against www1.globaltaxnetwork.com (xx.xx.xx.xx)
Adding open port 80/tcp
Adding open port 19/tcp
Adding open port 22/tcp
Adding open port 139/tcp
Adding open port 443/tcp
Adding open port 111/tcp
The SYN Stealth Scan took 0 seconds to scan 1601 ports.
For OSScan assuming that port 19 is open and port 1 is closed and
neither are firewalled
Interesting ports on blah (xx.xx.xx.xx):
(The 1595 ports scanned but not shown below are in state: closed)
Port State Service
19/tcp open chargen
22/tcp open ssh
80/tcp open http
111/tcp open sunrpc
139/tcp open netbios-ssn
443/tcp open https
Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
Uptime 3.032 days (since Mon Jul 28 14:51:01 2003)
TCP Sequence Prediction: Class=random positive increments
Difficulty=1104306 (Good luck!)
IPID Sequence Generation: All zeros
Whoever compromised my machine, did it with only ports 443 and 80 open
to it through my firewall. I have no idea how this happened. I have
the latest apache from RedHat, is that version susceptible to a buffer
overflow of some kind that I'm unaware of? My RedHat 9 boxes are fine -
only the 7.3 boxes have been affected, 3 of them so far this week. And
what happens when these boxes get compromised is that my routers get
shut down because they are apparently ddos'n grc.com. I see a lot of
ircd traffic on port 6667, and many other ports as well. The machines
the ircd traffic is coming from are:
undernet.irc.rcn.net
undernet.tiscali.be
ircu.bredband.com
minotor.spale.com
proxyscan.undernet.org
Besides upgrading to RedHat 9 on these boxes (which isn't an option
yet), how can I protect myself, and who should I report this activity
to? I now don't get to go home tonight to spend time with my family, I'm
forced to rebuild these damned boxes from scratch once again.
--
-Mike Staver
staver at fimble.com
mstaver at globaltaxnetwork.com
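One way to spot the two symptoms the post describes (a web server that starts opening outbound IRC sessions, and the same server flooding a single remote host) in firewall logs. This is an added example, not code from the post or from the CLUE list; the log lines are constructed, simplified netfilter LOG output, and the server address, the IRC port range 6660-6669 and the flood threshold are assumptions.

```python
import re
from collections import Counter

# Constructed, simplified netfilter LOG lines (not from the original post).
# 192.0.2.5 is an assumed web server that should only answer inbound 80/443;
# it has no reason to open IRC sessions or to hammer one remote host.
SAMPLE_LOG = [
    "Jul 31 15:02:11 www1 kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP SPT=51234 DPT=80 SYN",
    "Jul 31 15:02:12 www1 kernel: IN= OUT=eth0 SRC=192.0.2.5 DST=198.51.100.7 PROTO=TCP SPT=1025 DPT=6667 SYN",
    "Jul 31 15:02:13 www1 kernel: IN= OUT=eth0 SRC=192.0.2.5 DST=198.51.100.7 PROTO=TCP SPT=1026 DPT=6669 SYN",
    "Jul 31 15:02:14 www1 kernel: IN= OUT=eth0 SRC=192.0.2.5 DST=198.51.100.9 PROTO=TCP SPT=1027 DPT=80 SYN",
] + [
    # A burst of outbound SYNs from the server to one target: the DDoS symptom.
    f"Jul 31 15:03:{i:02d} www1 kernel: IN= OUT=eth0 SRC=192.0.2.5 DST=198.51.100.20 PROTO=TCP SPT={2000 + i} DPT=80 SYN"
    for i in range(30)
]

LOG_RE = re.compile(r"OUT=(\S*).*?SRC=(\S+).*?DST=(\S+).*?PROTO=(\S+).*?SPT=(\d+).*?DPT=(\d+)")
IRC_PORTS = set(range(6660, 6670))  # assumed range; the post only names 6667


def parse_line(line):
    """Return (outbound, src, dst, proto, sport, dport), or None if the line is not a LOG record."""
    m = LOG_RE.search(line)
    if not m:
        return None
    out_if, src, dst, proto, sport, dport = m.groups()
    return bool(out_if), src, dst, proto, int(sport), int(dport)  # OUT= set means the box sent it


def outbound_irc(lines, servers, irc_ports=IRC_PORTS):
    """Connections a supposedly inbound-only server opened towards IRC ports."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec[0] and rec[1] in servers and rec[5] in irc_ports:
            hits.append((rec[1], rec[2], rec[5]))
    return hits


def outbound_floods(lines, servers, threshold):
    """(src, dst) pairs where a server sent more than `threshold` outbound packets to one host."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec[0] and rec[1] in servers:
            counts[(rec[1], rec[2])] += 1
    return {pair: n for pair, n in counts.items() if n > threshold}


if __name__ == "__main__":
    servers = {"192.0.2.5"}
    print("outbound IRC:", outbound_irc(SAMPLE_LOG, servers))
    print("floods:", outbound_floods(SAMPLE_LOG, servers, threshold=20))
```

Real iptables LOG lines carry more fields (MAC, LEN, TTL, ...) between the ones matched here, which the non-greedy regex skips; log outbound NEW connections from the web servers with a LOG rule so the data exists to check.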