[CLUE-Tech] network issues

Adam Bultman adamb at glaven.org
Mon Oct 13 11:51:18 MDT 2003


Mike, can you give us an IP address, so we can scan it ourselves?

Are you running any IDS, be it network- or filesystem-based?

What DNS server are you running (and why are you running a DNS Server 
again?)  What version is it?  

What apache server is it? Which modules?

Would you also be averse to people logging in and checking it out from a 
filesystem point of view? 



-- 
adamb at glaven.org
[ www.glaven.org ]

On Mon, 13 Oct 2003, Mike Staver wrote:

> There HAS to be a security exploit for Red Hat 9 that Red Hat isn't 
> letting onto the public about yet... the reason I say this is that my 
> same linux box keeps getting hacked over and over and over again, no 
> matter what I do to stop it.  I only have 2 ports open to it, 80 and 53. 
>   Other than that, it's completely cut off from the outside world... the 
> security issue has to be with one of those two things.  And yes, I'm 
> running the very latest rpms from Red Hat immediately after installing, 
> no joke.  I've changed all the passwords on the box, and checked and 
> double checked things time and time again.  I completely rebuilt this 
> box last week, and at some point over the weekend, it got compromised 
> again.  When I run netstat now, it says:
> 
> [root at timmy staver]# netstat -a | more
> Active Internet connections (including servers)
> Proto Recv-Q Send-Q Local Address           Foreign Address 
> State
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34232 
> ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34233 
> ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34234 
> ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34235 
> ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34236 
> ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34224 
> ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34225 
> ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34226 
> ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34227 
> ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34228 
> ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34229 
> ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34230 
> ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34231 
> ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34216 
> ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34217 
> ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34218 
> ESTABLISHED
> tcp        0      0 timmy.globa:netbios-ssn tim.globaltaxnetwo:1469 
> ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34219 
> ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34220 
> ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34221 
> ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34222 
> ESTABLISHED
> tcp        0      0 timmy.globaltaxnetw:ssh mike.globaltaxnetw:1839 
> ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34223 
> ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34213 
> ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34214 
> ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34215 
> ESTABLISHED
> tcp        0      0 timmy.globa:netbios-ssn mike.globaltaxnetw:1876 
> ESTABLISHED
> tcp        0      0 localhost.localdo:34236 localhost.localdo:51010 
> ESTABLISHED
> tcp        0      0 localhost.localdo:34235 localhost.localdo:51010 
> ESTABLISHED
> tcp        0      0 localhost.localdo:34234 localhost.localdo:51010 
> ESTABLISHED
> tcp        0      0 localhost.localdo:34233 localhost.localdo:51010 
> ESTABLISHED
> tcp        0      0 localhost.localdo:34232 localhost.localdo:51010 
> ESTABLISHED
> tcp        0      0 localhost.localdo:34231 localhost.localdo:51010 
> ESTABLISHED
> tcp        0      0 localhost.localdo:34230 localhost.localdo:51010 
> ESTABLISHED
> tcp        0      0 localhost.localdo:34229 localhost.localdo:51010 
> ESTABLISHED
> tcp        0      0 localhost.localdo:34228 localhost.localdo:51010 
> ESTABLISHED
> tcp        0      0 localhost.localdo:34227 localhost.localdo:51010 
> ESTABLISHED
> tcp        0      0 localhost.localdo:34226 localhost.localdo:51010 
> ESTABLISHED
> tcp        0      0 localhost.localdo:34225 localhost.localdo:51010 
> ESTABLISHED
> tcp        0      0 localhost.localdo:34224 localhost.localdo:51010 
> ESTABLISHED
> tcp        0      0 localhost.localdo:34223 localhost.localdo:51010 
> ESTABLISHED
> tcp        0      0 localhost.localdo:34222 localhost.localdo:51010 
> ESTABLISHED
> tcp        0      0 localhost.localdo:34221 localhost.localdo:51010 
> ESTABLISHED
> tcp        0      0 localhost.localdo:34220 localhost.localdo:51010 
> ESTABLISHED
> tcp        0      0 localhost.localdo:34219 localhost.localdo:51010 
> ESTABLISHED
> tcp        0      0 localhost.localdo:34218 localhost.localdo:51010 
> ESTABLISHED
> tcp        0      0 localhost.localdo:34217 localhost.localdo:51010 
> ESTABLISHED
> tcp        0      0 localhost.localdo:34216 localhost.localdo:51010 
> ESTABLISHED
> tcp        0      0 localhost.localdo:34215 localhost.localdo:51010 
> ESTABLISHED
> tcp        0      0 localhost.localdo:34214 localhost.localdo:51010 
> ESTABLISHED
> tcp        0      0 localhost.localdo:34213 localhost.localdo:51010 
> ESTABLISHED
> 
> Also, when I run nmap against it, it now magically has 6667 open - 
> however it's being blocked from the outside world, so nobody would be 
> able to use it anyways... so I'm perplexed to how this keeps happening....
> 
> Starting nmap 3.45 ( http://www.insecure.org/nmap/ ) at 2003-10-13 10:59 MDT
> Host token (XX.XX.XX.XX) appears to be up ... good.
> Initiating SYN Stealth Scan against token (XX.XX.XX.XX) at 10:59
> Adding open port 443/tcp
> Adding open port 111/tcp
> Adding open port 22/tcp
> Adding open port 139/tcp
> Adding open port 80/tcp
> Adding open port 53/tcp
> The SYN Stealth Scan took 0 seconds to scan 1657 ports.
> For OSScan assuming that port 22 is open and port 1 is closed and 
> neither are firewalled
> Interesting ports on token.globaltaxnetwork.com (XX.XX.XX.XX):
> (The 1650 ports scanned but not shown below are in state: closed)
> PORT     STATE    SERVICE
> 22/tcp   open     ssh
> 53/tcp   open     domain
> 80/tcp   open     http
> 111/tcp  open     rpcbind
> 139/tcp  open     netbios-ssn
> 443/tcp  open     https
> 6667/tcp filtered irc
> Device type: general purpose
> Running: Linux 2.4.X|2.5.X
> OS details: Linux Kernel 2.4.0 - 2.5.20
> Uptime 11.918 days (since Wed Oct  1 12:57:51 2003)
> TCP Sequence Prediction: Class=random positive increments
>                           Difficulty=5320654 (Good luck!)
> IPID Sequence Generation: All zeros
> 
> I can't find jack in any of the logs, and when I run ps -auwx, nothing 
> shows up as running.  Nmap and netstat are the only things that tell me 
> something is up that I can see... that and whatever is running keeps 
> killing samba off.  I'm sick and tired of these undernet.org bastards 
> using my server as their own personal irc playground, so if anyone has any 
> tips on how to shut this down and protect my box - I would appreciate 
> it.  If I can't run a linux box with only 2 ports open to the outside 
> world, I see that as a huge negative.
> 
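As an added example (not code from either poster), here is a small Python script that does the cross-check the questions above are driving at: it parses mail-wrapped `netstat -a` output and an nmap port table, then flags ports the scanner sees that the host's own netstat shows no listener for (the gap you get when a trojaned binary or kernel module hides a service), a single local port with many loopback peers (the 51010 pattern in the listing), and anything on the IRC port range. The sample listings are constructed to resemble the ones in the post, not copied from it; the `SERVICE_PORTS` table, the `IRC_PORTS` range and the fan-in threshold are assumptions.

```python
"""Cross-check netstat and nmap views of a host for signs of a hidden service."""
import re
import socket
from collections import defaultdict

# Constructed sample, modelled on the thread's listing: the mail client wrapped
# the State column onto its own line, so the parser must stitch it back on.
NETSTAT_SAMPLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address           Foreign Address
State
tcp        0      0 *:ssh                   *:*
LISTEN
tcp        0      0 *:http                  *:*
LISTEN
tcp        0      0 *:domain                *:*
LISTEN
tcp        0      0 localhost.localdo:51010 localhost.localdo:34232
ESTABLISHED
tcp        0      0 localhost.localdo:51010 localhost.localdo:34233
ESTABLISHED
tcp        0      0 localhost.localdo:51010 localhost.localdo:34234
ESTABLISHED
tcp        0      0 localhost.localdo:34232 localhost.localdo:51010
ESTABLISHED
tcp        0      0 timmy.globaltaxnetw:ssh mike.globaltaxnetw:1839
ESTABLISHED
udp        0      0 *:domain                *:*
"""

# Constructed sample of nmap's port table for the same host.
NMAP_SAMPLE = """\
PORT     STATE    SERVICE
22/tcp   open     ssh
53/tcp   open     domain
80/tcp   open     http
6667/tcp filtered irc
"""

# Assumed service-name table; socket.getservbyname() is the fallback.
SERVICE_PORTS = {"ssh": 22, "domain": 53, "http": 80, "https": 443,
                 "sunrpc": 111, "netbios-ssn": 139, "ircd": 6667}
TCP_STATES = {"LISTEN", "ESTABLISHED", "TIME_WAIT", "CLOSE_WAIT", "SYN_SENT",
              "SYN_RECV", "FIN_WAIT1", "FIN_WAIT2", "CLOSING", "LAST_ACK"}
IRC_PORTS = set(range(6660, 6670)) | {7000}  # assumed range of interest


def port_of(addr):
    """Numeric port of a netstat address such as 'host:ssh' or '*:51010'; None for '*'."""
    name = addr.rsplit(":", 1)[-1]
    if name.isdigit():
        return int(name)
    if name in SERVICE_PORTS:
        return SERVICE_PORTS[name]
    try:
        return socket.getservbyname(name)
    except OSError:
        return None


def parse_netstat(text):
    """Parse `netstat -a` lines into dicts, re-joining a State column wrapped onto the next line."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] in ("tcp", "udp") and len(parts) >= 5:
            records.append({"proto": parts[0], "local": parts[3], "foreign": parts[4],
                            "state": parts[5] if len(parts) > 5 else ""})
        elif (len(parts) == 1 and parts[0] in TCP_STATES and records
              and records[-1]["proto"] == "tcp" and not records[-1]["state"]):
            records[-1]["state"] = parts[0]  # wrapped State column belongs to the previous row
    return records


def parse_nmap(text):
    """Return {(port, proto): state} from nmap's 'PORT STATE SERVICE' table."""
    return {(int(m.group(1)), m.group(2)): m.group(3)
            for m in re.finditer(r"^(\d+)/(tcp|udp)\s+(\S+)", text, re.M)}


def listening_ports(records):
    """Ports the host itself admits to serving: TCP sockets in LISTEN plus every bound UDP socket."""
    result = set()
    for r in records:
        p = port_of(r["local"])
        if p is not None and ((r["proto"] == "tcp" and r["state"] == "LISTEN") or r["proto"] == "udp"):
            result.add((p, r["proto"]))
    return result


def analyze(netstat_text, nmap_text, fan_in_threshold=3):
    """Return human-readable findings from the two views of the host."""
    records, scanned = parse_netstat(netstat_text), parse_nmap(nmap_text)
    local = listening_ports(records)
    findings = []
    # 1. The scanner sees a port the host's own tooling does not: hidden-service signal.
    for (port, proto), state in sorted(scanned.items()):
        if state in ("open", "filtered") and (port, proto) not in local:
            findings.append(f"{port}/{proto} is {state} to nmap but has no local listener in netstat")
    # 2. One local port with many loopback peers: a local relay/bouncer pattern.
    peers = defaultdict(set)
    for r in records:
        if (r["proto"] == "tcp" and r["state"] == "ESTABLISHED"
                and r["local"].startswith("localhost") and r["foreign"].startswith("localhost")):
            peers[port_of(r["local"])].add(port_of(r["foreign"]))
    for port, ps in sorted(peers.items()):
        if port is not None and len(ps) >= fan_in_threshold:
            findings.append(f"local port {port} has {len(ps)} loopback peers (fan-in)")
    # 3. Anything on the IRC range, from either view.
    irc = sorted({p for p, _ in local if p in IRC_PORTS} | {p for p, _ in scanned if p in IRC_PORTS})
    if irc:
        findings.append("IRC-range port(s) in view: " + ", ".join(map(str, irc)))
    return findings


if __name__ == "__main__":
    for finding in analyze(NETSTAT_SAMPLE, NMAP_SAMPLE):
        print(finding)
```

Run it as-is and it reports the three conditions on the constructed sample; feed it real `netstat -a` and nmap output and the interesting result is the first class of finding, because a port that is reachable from outside yet absent from the host's own listener table is exactly what a trojaned netstat or a kernel rootkit produces. Note that netstat run on a compromised box cannot be trusted on its own, which is why the comparison against an external scan, and the offline filesystem check asked about above, matter.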
