[CLUE-Tech] network issues

Mike Staver staver at fimble.com
Mon Oct 13 11:13:32 MDT 2003


There HAS to be a security exploit for Red Hat 9 that Red Hat isn't 
letting onto the public about yet... the reason I say this is that my 
same linux box keeps getting hacked over and over and over again, no 
matter what I do to stop it.  I only have 2 ports open to it, 80 and 53. 
  Other than that, it's completely cut off from the outside world... the 
security issue has to be with one of those two things.  And yes, I'm 
running the very latest rpms from Red Hat immediately after installing, 
no joke.  I've changed all the passwords on the box, and checked and 
double checked things time and time again.  I completely rebuilt this 
box last week, and at some point over the weekend, it got compromised 
again.  When I run netstat now, it says:

[root at timmy staver]# netstat -a | more
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost.localdo:51010 localhost.localdo:34232 ESTABLISHED
tcp        0      0 localhost.localdo:51010 localhost.localdo:34233 ESTABLISHED
tcp        0      0 localhost.localdo:51010 localhost.localdo:34234 ESTABLISHED
tcp        0      0 localhost.localdo:51010 localhost.localdo:34235 ESTABLISHED
tcp        0      0 localhost.localdo:51010 localhost.localdo:34236 ESTABLISHED
tcp        0      0 localhost.localdo:51010 localhost.localdo:34224 ESTABLISHED
tcp        0      0 localhost.localdo:51010 localhost.localdo:34225 ESTABLISHED
tcp        0      0 localhost.localdo:51010 localhost.localdo:34226 ESTABLISHED
tcp        0      0 localhost.localdo:51010 localhost.localdo:34227 ESTABLISHED
tcp        0      0 localhost.localdo:51010 localhost.localdo:34228 ESTABLISHED
tcp        0      0 localhost.localdo:51010 localhost.localdo:34229 ESTABLISHED
tcp        0      0 localhost.localdo:51010 localhost.localdo:34230 ESTABLISHED
tcp        0      0 localhost.localdo:51010 localhost.localdo:34231 ESTABLISHED
tcp        0      0 localhost.localdo:51010 localhost.localdo:34216 ESTABLISHED
tcp        0      0 localhost.localdo:51010 localhost.localdo:34217 ESTABLISHED
tcp        0      0 localhost.localdo:51010 localhost.localdo:34218 ESTABLISHED
tcp        0      0 timmy.globa:netbios-ssn tim.globaltaxnetwo:1469 ESTABLISHED
tcp        0      0 localhost.localdo:51010 localhost.localdo:34219 ESTABLISHED
tcp        0      0 localhost.localdo:51010 localhost.localdo:34220 ESTABLISHED
tcp        0      0 localhost.localdo:51010 localhost.localdo:34221 ESTABLISHED
tcp        0      0 localhost.localdo:51010 localhost.localdo:34222 ESTABLISHED
tcp        0      0 timmy.globaltaxnetw:ssh mike.globaltaxnetw:1839 ESTABLISHED
tcp        0      0 localhost.localdo:51010 localhost.localdo:34223 ESTABLISHED
tcp        0      0 localhost.localdo:51010 localhost.localdo:34213 ESTABLISHED
tcp        0      0 localhost.localdo:51010 localhost.localdo:34214 ESTABLISHED
tcp        0      0 localhost.localdo:51010 localhost.localdo:34215 ESTABLISHED
tcp        0      0 timmy.globa:netbios-ssn mike.globaltaxnetw:1876 ESTABLISHED
tcp        0      0 localhost.localdo:34236 localhost.localdo:51010 ESTABLISHED
tcp        0      0 localhost.localdo:34235 localhost.localdo:51010 ESTABLISHED
tcp        0      0 localhost.localdo:34234 localhost.localdo:51010 ESTABLISHED
tcp        0      0 localhost.localdo:34233 localhost.localdo:51010 ESTABLISHED
tcp        0      0 localhost.localdo:34232 localhost.localdo:51010 ESTABLISHED
tcp        0      0 localhost.localdo:34231 localhost.localdo:51010 ESTABLISHED
tcp        0      0 localhost.localdo:34230 localhost.localdo:51010 ESTABLISHED
tcp        0      0 localhost.localdo:34229 localhost.localdo:51010 ESTABLISHED
tcp        0      0 localhost.localdo:34228 localhost.localdo:51010 ESTABLISHED
tcp        0      0 localhost.localdo:34227 localhost.localdo:51010 ESTABLISHED
tcp        0      0 localhost.localdo:34226 localhost.localdo:51010 ESTABLISHED
tcp        0      0 localhost.localdo:34225 localhost.localdo:51010 ESTABLISHED
tcp        0      0 localhost.localdo:34224 localhost.localdo:51010 ESTABLISHED
tcp        0      0 localhost.localdo:34223 localhost.localdo:51010 ESTABLISHED
tcp        0      0 localhost.localdo:34222 localhost.localdo:51010 ESTABLISHED
tcp        0      0 localhost.localdo:34221 localhost.localdo:51010 ESTABLISHED
tcp        0      0 localhost.localdo:34220 localhost.localdo:51010 ESTABLISHED
tcp        0      0 localhost.localdo:34219 localhost.localdo:51010 ESTABLISHED
tcp        0      0 localhost.localdo:34218 localhost.localdo:51010 ESTABLISHED
tcp        0      0 localhost.localdo:34217 localhost.localdo:51010 ESTABLISHED
tcp        0      0 localhost.localdo:34216 localhost.localdo:51010 ESTABLISHED
tcp        0      0 localhost.localdo:34215 localhost.localdo:51010 ESTABLISHED
tcp        0      0 localhost.localdo:34214 localhost.localdo:51010 ESTABLISHED
tcp        0      0 localhost.localdo:34213 localhost.localdo:51010 ESTABLISHED

Also, when I run nmap against it, it now magically has 6667 open - 
however it's being blocked from the outside world, so nobody would be 
able to use it anyways... so I'm perplexed as to how this keeps happening....

Starting nmap 3.45 ( http://www.insecure.org/nmap/ ) at 2003-10-13 10:59 MDT
Host token (XX.XX.XX.XX) appears to be up ... good.
Initiating SYN Stealth Scan against token (XX.XX.XX.XX) at 10:59
Adding open port 443/tcp
Adding open port 111/tcp
Adding open port 22/tcp
Adding open port 139/tcp
Adding open port 80/tcp
Adding open port 53/tcp
The SYN Stealth Scan took 0 seconds to scan 1657 ports.
For OSScan assuming that port 22 is open and port 1 is closed and neither are firewalled
Interesting ports on token.globaltaxnetwork.com (XX.XX.XX.XX):
(The 1650 ports scanned but not shown below are in state: closed)
PORT     STATE    SERVICE
22/tcp   open     ssh
53/tcp   open     domain
80/tcp   open     http
111/tcp  open     rpcbind
139/tcp  open     netbios-ssn
443/tcp  open     https
6667/tcp filtered irc
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux Kernel 2.4.0 - 2.5.20
Uptime 11.918 days (since Wed Oct  1 12:57:51 2003)
TCP Sequence Prediction: Class=random positive increments
                          Difficulty=5320654 (Good luck!)
IPID Sequence Generation: All zeros

I can't find jack in any of the logs, and when I run ps -auwx, nothing 
shows up as running.  Nmap and netstat are the only things that tell me 
something is up that I can see... that and whatever is running keeps 
killing samba off.  I'm sick and tired of these undernet.org bastards 
using my server as their own personal irc playground, so if anyone has any 
tips on how to shut this down and protect my box - I would appreciate 
it.  If I can't run a linux box with only 2 ports open to the outside 
world, I see that as a huge negative.
-- 

                                 -Mike Staver
                                  staver at fimble.com
                                  mstaver at globaltaxnetwork.com
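The post's two data points are a netstat listing (one local port, 51010, holding a pile of loopback connections) and an nmap table showing a port the admin never opened. As an added example that is not part of Mike's post or of any reply on the list, here is a small Python triage script that does what he did by eye: it parses `netstat -a` and nmap port-table output and reports every local port that is listening, privileged, or acting as the server side of several connections while not being on the admin's allowlist. The sample output strings are constructed in the shape of the post's listings (the `*:6667 LISTEN` line is invented to exercise the listener rule), the allowlist `{53, 80}` is a hypothetical one taken from the two ports Mike says he exposes, and the service-name table is a hand-picked subset of `/etc/services`.

```python
"""Triage helper: compare what netstat and nmap report against the set of
ports an admin intends to expose.  All sample data below is constructed
for illustration, modelled on the shape of the listings in the post."""
import re
from collections import Counter

# Constructed sample of `netstat -a` output (mail-client line wraps joined).
NETSTAT_SAMPLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost.localdo:51010 localhost.localdo:34232 ESTABLISHED
tcp        0      0 localhost.localdo:51010 localhost.localdo:34233 ESTABLISHED
tcp        0      0 localhost.localdo:51010 localhost.localdo:34234 ESTABLISHED
tcp        0      0 timmy.globa:netbios-ssn tim.globaltaxnetwo:1469 ESTABLISHED
tcp        0      0 timmy.globaltaxnetw:ssh mike.globaltaxnetw:1839 ESTABLISHED
tcp        0      0 localhost.localdo:34232 localhost.localdo:51010 ESTABLISHED
tcp        0      0 *:6667                  *:*                     LISTEN
"""

# Constructed sample of nmap's port table.
NMAP_SAMPLE = """\
PORT     STATE    SERVICE
22/tcp   open     ssh
53/tcp   open     domain
80/tcp   open     http
6667/tcp filtered irc
"""

# Service names netstat substitutes for well-known ports (subset of
# /etc/services, hand-picked for the samples; extend as needed).
SERVICE_PORTS = {"ssh": 22, "domain": 53, "http": 80, "https": 443,
                 "sunrpc": 111, "netbios-ssn": 139, "ircd": 6667}


def port_of(endpoint):
    """Numeric port from an endpoint such as 'localhost.localdo:51010' or
    'timmy.globa:netbios-ssn'; None for '*' or an unknown service name."""
    name = endpoint.rsplit(":", 1)[-1]
    if name.isdigit():
        return int(name)
    return SERVICE_PORTS.get(name)


def parse_netstat(text):
    """Return (proto, local_port, remote_host, remote_port, state) tuples
    for the connection lines of `netstat -a` output; headers are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "udp"):
            continue
        proto, local, remote, state = parts[0], parts[3], parts[4], parts[5]
        rows.append((proto, port_of(local), remote.rsplit(":", 1)[0],
                     port_of(remote), state))
    return rows


def suspicious_local_ports(rows, allowed, threshold=3):
    """Map local port -> connection count for ports outside `allowed` that
    (a) are in LISTEN state, (b) are privileged (< 1024), or (c) are the
    local side of at least `threshold` connections, i.e. behave as a
    server.  Rule (c) is what singles out 51010 in the post's listing."""
    counts = Counter()
    listening = set()
    for _proto, lport, _rhost, _rport, state in rows:
        if lport is None:
            continue
        counts[lport] += 1
        if state == "LISTEN":
            listening.add(lport)
    flagged = {}
    for port, n in counts.items():
        if port in allowed:
            continue
        if port in listening or port < 1024 or n >= threshold:
            flagged[port] = n
    return flagged


def parse_nmap_ports(text):
    """Return {port: (state, service)} from an nmap port table."""
    found = {}
    for m in re.finditer(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", text, re.M):
        found[int(m.group(1))] = (m.group(3), m.group(4))
    return found


def nmap_surprises(found, allowed):
    """Ports nmap reports (open or filtered) that are not on the allowlist."""
    return {p: v for p, v in found.items() if p not in allowed}


if __name__ == "__main__":
    allowed = {53, 80}  # hypothetical: the ports the admin means to expose
    rows = parse_netstat(NETSTAT_SAMPLE)
    print("netstat local ports outside allowlist:",
          suspicious_local_ports(rows, allowed))
    print("nmap ports outside allowlist:",
          nmap_surprises(parse_nmap_ports(NMAP_SAMPLE), allowed))
```

Run against real output (`netstat -an` to avoid the truncated host names, then `nmap -sS` from a second host) the two reports give a concrete diff between intent and reality; anything in either report that the admin cannot attribute to a package they installed is the thread to pull next, by mapping the port back to a process with `netstat -anp` or `lsof -i` rather than by trusting `ps` on a box that may be running replaced binaries.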



