[CLUE-Tech] network issues
Mike Staver
staver at fimble.com
Mon Oct 13 11:13:32 MDT 2003
There HAS to be a security exploit for Red Hat 9 that Red Hat isn't
letting on to the public about yet... the reason I say this is that my
same linux box keeps getting hacked over and over and over again, no
matter what I do to stop it. I only have 2 ports open to it, 80 and 53.
Other than that, it's completely cut off from the outside world... the
security issue has to be with one of those two things. And yes, I'm
running the very latest rpms from Red Hat immediately after installing,
no joke. I've changed all the passwords on the box, and checked and
double checked things time and time again. I completely rebuilt this
box last week, and at some point over the weekend, it got compromised
again. When I run netstat now, it says:
[root at timmy staver]# netstat -a | more
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost.localdo:51010 localhost.localdo:34232 ESTABLISHED
tcp 0 0 localhost.localdo:51010 localhost.localdo:34233 ESTABLISHED
tcp 0 0 localhost.localdo:51010 localhost.localdo:34234 ESTABLISHED
tcp 0 0 localhost.localdo:51010 localhost.localdo:34235 ESTABLISHED
tcp 0 0 localhost.localdo:51010 localhost.localdo:34236 ESTABLISHED
tcp 0 0 localhost.localdo:51010 localhost.localdo:34224 ESTABLISHED
tcp 0 0 localhost.localdo:51010 localhost.localdo:34225 ESTABLISHED
tcp 0 0 localhost.localdo:51010 localhost.localdo:34226 ESTABLISHED
tcp 0 0 localhost.localdo:51010 localhost.localdo:34227 ESTABLISHED
tcp 0 0 localhost.localdo:51010 localhost.localdo:34228 ESTABLISHED
tcp 0 0 localhost.localdo:51010 localhost.localdo:34229 ESTABLISHED
tcp 0 0 localhost.localdo:51010 localhost.localdo:34230 ESTABLISHED
tcp 0 0 localhost.localdo:51010 localhost.localdo:34231 ESTABLISHED
tcp 0 0 localhost.localdo:51010 localhost.localdo:34216 ESTABLISHED
tcp 0 0 localhost.localdo:51010 localhost.localdo:34217 ESTABLISHED
tcp 0 0 localhost.localdo:51010 localhost.localdo:34218 ESTABLISHED
tcp 0 0 timmy.globa:netbios-ssn tim.globaltaxnetwo:1469 ESTABLISHED
tcp 0 0 localhost.localdo:51010 localhost.localdo:34219 ESTABLISHED
tcp 0 0 localhost.localdo:51010 localhost.localdo:34220 ESTABLISHED
tcp 0 0 localhost.localdo:51010 localhost.localdo:34221 ESTABLISHED
tcp 0 0 localhost.localdo:51010 localhost.localdo:34222 ESTABLISHED
tcp 0 0 timmy.globaltaxnetw:ssh mike.globaltaxnetw:1839 ESTABLISHED
tcp 0 0 localhost.localdo:51010 localhost.localdo:34223 ESTABLISHED
tcp 0 0 localhost.localdo:51010 localhost.localdo:34213 ESTABLISHED
tcp 0 0 localhost.localdo:51010 localhost.localdo:34214 ESTABLISHED
tcp 0 0 localhost.localdo:51010 localhost.localdo:34215 ESTABLISHED
tcp 0 0 timmy.globa:netbios-ssn mike.globaltaxnetw:1876 ESTABLISHED
tcp 0 0 localhost.localdo:34236 localhost.localdo:51010 ESTABLISHED
tcp 0 0 localhost.localdo:34235 localhost.localdo:51010 ESTABLISHED
tcp 0 0 localhost.localdo:34234 localhost.localdo:51010 ESTABLISHED
tcp 0 0 localhost.localdo:34233 localhost.localdo:51010 ESTABLISHED
tcp 0 0 localhost.localdo:34232 localhost.localdo:51010 ESTABLISHED
tcp 0 0 localhost.localdo:34231 localhost.localdo:51010 ESTABLISHED
tcp 0 0 localhost.localdo:34230 localhost.localdo:51010 ESTABLISHED
tcp 0 0 localhost.localdo:34229 localhost.localdo:51010 ESTABLISHED
tcp 0 0 localhost.localdo:34228 localhost.localdo:51010 ESTABLISHED
tcp 0 0 localhost.localdo:34227 localhost.localdo:51010 ESTABLISHED
tcp 0 0 localhost.localdo:34226 localhost.localdo:51010 ESTABLISHED
tcp 0 0 localhost.localdo:34225 localhost.localdo:51010 ESTABLISHED
tcp 0 0 localhost.localdo:34224 localhost.localdo:51010 ESTABLISHED
tcp 0 0 localhost.localdo:34223 localhost.localdo:51010 ESTABLISHED
tcp 0 0 localhost.localdo:34222 localhost.localdo:51010 ESTABLISHED
tcp 0 0 localhost.localdo:34221 localhost.localdo:51010 ESTABLISHED
tcp 0 0 localhost.localdo:34220 localhost.localdo:51010 ESTABLISHED
tcp 0 0 localhost.localdo:34219 localhost.localdo:51010 ESTABLISHED
tcp 0 0 localhost.localdo:34218 localhost.localdo:51010 ESTABLISHED
tcp 0 0 localhost.localdo:34217 localhost.localdo:51010 ESTABLISHED
tcp 0 0 localhost.localdo:34216 localhost.localdo:51010 ESTABLISHED
tcp 0 0 localhost.localdo:34215 localhost.localdo:51010 ESTABLISHED
tcp 0 0 localhost.localdo:34214 localhost.localdo:51010 ESTABLISHED
tcp 0 0 localhost.localdo:34213 localhost.localdo:51010 ESTABLISHED
Also, when I run nmap against it, it now magically has 6667 open -
however it's being blocked from the outside world, so nobody would be
able to use it anyways... so I'm perplexed as to how this keeps happening....
Starting nmap 3.45 ( http://www.insecure.org/nmap/ ) at 2003-10-13 10:59 MDT
Host token (XX.XX.XX.XX) appears to be up ... good.
Initiating SYN Stealth Scan against token (XX.XX.XX.XX) at 10:59
Adding open port 443/tcp
Adding open port 111/tcp
Adding open port 22/tcp
Adding open port 139/tcp
Adding open port 80/tcp
Adding open port 53/tcp
The SYN Stealth Scan took 0 seconds to scan 1657 ports.
For OSScan assuming that port 22 is open and port 1 is closed and neither are firewalled
Interesting ports on token.globaltaxnetwork.com (XX.XX.XX.XX):
(The 1650 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
443/tcp open https
6667/tcp filtered irc
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux Kernel 2.4.0 - 2.5.20
Uptime 11.918 days (since Wed Oct 1 12:57:51 2003)
TCP Sequence Prediction: Class=random positive increments
Difficulty=5320654 (Good luck!)
IPID Sequence Generation: All zeros
I can't find jack in any of the logs, and when I run ps -auwx, nothing
shows up as running. Nmap and netstat are the only things that tell me
something is up that I can see... that and whatever is running keeps
killing samba off. I'm sick and tired of these undernet.org bastards
using my server as their own personal irc playground, so if anyone has any
tips on how to shut this down and protect my box - I would appreciate
it. If I can't run a linux box with only 2 ports open to the outside
world, I see that as a huge negative.
--
-Mike Staver
staver at fimble.com
mstaver at globaltaxnetwork.com
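Added example, not part of the original post or any reply on the list: a small Python checker that parses netstat -a and nmap port-table output of the form shown above, reports local ports carrying a cluster of loopback-to-loopback connections (the 51010 pattern in the post) and lists every port nmap saw as open or filtered that is not on the owner's stated list of 53 and 80. The sample inputs are constructed from a few of the lines in the post; the expected-port set is an assumption taken from the text.

```python
import re
from collections import Counter

# Constructed sample, modelled on a handful of the netstat -a lines in the post.
NETSTAT_SAMPLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost.localdo:51010 localhost.localdo:34232 ESTABLISHED
tcp        0      0 localhost.localdo:51010 localhost.localdo:34233 ESTABLISHED
tcp        0      0 timmy.globa:netbios-ssn tim.globaltaxnetwo:1469 ESTABLISHED
tcp        0      0 timmy.globaltaxnetw:ssh mike.globaltaxnetw:1839 ESTABLISHED
tcp        0      0 localhost.localdo:34232 localhost.localdo:51010 ESTABLISHED
"""

# Constructed sample, modelled on the nmap port table in the post.
NMAP_SAMPLE = """\
PORT     STATE    SERVICE
22/tcp   open     ssh
53/tcp   open     domain
80/tcp   open     http
111/tcp  open     rpcbind
139/tcp  open     netbios-ssn
443/tcp  open     https
6667/tcp filtered irc
"""

# Assumption from the post: the owner says only 80 and 53 are exposed.
EXPECTED_OPEN = {53, 80}

NETSTAT_RE = re.compile(r"^(tcp|udp)\s+\d+\s+\d+\s+(\S+):(\S+)\s+(\S+):(\S+)\s*(\S*)$")

def parse_netstat(text):
    """Yield (proto, lhost, lport, rhost, rport, state) for each connection line."""
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            yield m.groups()

def loopback_clusters(text, threshold=2):
    """Local ports with at least `threshold` ESTABLISHED loopback-to-loopback peers.
    A DNS/HTTP box has little reason to hold many such connections on one port."""
    counts = Counter(lport for _, lhost, lport, rhost, _, state in parse_netstat(text)
                     if state == "ESTABLISHED" and lhost.startswith("localhost")
                     and rhost.startswith("localhost"))
    return {port: n for port, n in counts.items() if n >= threshold}

def unexpected_ports(nmap_text, expected=EXPECTED_OPEN):
    """Ports nmap reports open or filtered that are absent from the expected set."""
    found = {}
    for line in nmap_text.splitlines():
        m = re.match(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", line)
        if m and m.group(3) in ("open", "filtered") and int(m.group(1)) not in expected:
            found[int(m.group(1))] = (m.group(3), m.group(4))
    return found
```

Run against the real outputs, the two results give a reviewer a concrete list to reconcile against the firewall rules and the services that are meant to be running.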