[CLUE-Tech] network issues
Adam Bultman
adamb at glaven.org
Mon Oct 13 11:51:18 MDT 2003
Mike, can you give us an IP address, so we can scan it ourselves?
Are you running any IDS, be it network- or filesystem-based?
What DNS server are you running (and why are you running a DNS server
again?) What version is it?
What Apache server is it? Which modules?
Would you also be averse to people logging in and checking it out from a
filesystem point of view?
--
adamb at glaven.org
[ www.glaven.org ]
On Mon, 13 Oct 2003, Mike Staver wrote:
> There HAS to be a security exploit for Red Hat 9 that Red Hat isn't
> letting the public know about yet... the reason I say this is that my
> same Linux box keeps getting hacked over and over and over again, no
> matter what I do to stop it. I only have 2 ports open to it, 80 and 53.
> Other than that, it's completely cut off from the outside world... the
> security issue has to be with one of those two things. And yes, I'm
> running the very latest rpms from Red Hat immediately after installing,
> no joke. I've changed all the passwords on the box, and checked and
> double-checked things time and time again. I completely rebuilt this
> box last week, and at some point over the weekend, it got compromised
> again. When I run netstat now, it says:
>
> [root at timmy staver]# netstat -a | more
> Active Internet connections (including servers)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34232 ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34233 ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34234 ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34235 ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34236 ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34224 ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34225 ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34226 ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34227 ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34228 ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34229 ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34230 ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34231 ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34216 ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34217 ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34218 ESTABLISHED
> tcp        0      0 timmy.globa:netbios-ssn tim.globaltaxnetwo:1469 ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34219 ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34220 ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34221 ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34222 ESTABLISHED
> tcp        0      0 timmy.globaltaxnetw:ssh mike.globaltaxnetw:1839 ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34223 ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34213 ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34214 ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34215 ESTABLISHED
> tcp        0      0 timmy.globa:netbios-ssn mike.globaltaxnetw:1876 ESTABLISHED
> tcp        0      0 localhost.localdo:34236 localhost.localdo:51010 ESTABLISHED
> tcp        0      0 localhost.localdo:34235 localhost.localdo:51010 ESTABLISHED
> tcp        0      0 localhost.localdo:34234 localhost.localdo:51010 ESTABLISHED
> tcp        0      0 localhost.localdo:34233 localhost.localdo:51010 ESTABLISHED
> tcp        0      0 localhost.localdo:34232 localhost.localdo:51010 ESTABLISHED
> tcp        0      0 localhost.localdo:34231 localhost.localdo:51010 ESTABLISHED
> tcp        0      0 localhost.localdo:34230 localhost.localdo:51010 ESTABLISHED
> tcp        0      0 localhost.localdo:34229 localhost.localdo:51010 ESTABLISHED
> tcp        0      0 localhost.localdo:34228 localhost.localdo:51010 ESTABLISHED
> tcp        0      0 localhost.localdo:34227 localhost.localdo:51010 ESTABLISHED
> tcp        0      0 localhost.localdo:34226 localhost.localdo:51010 ESTABLISHED
> tcp        0      0 localhost.localdo:34225 localhost.localdo:51010 ESTABLISHED
> tcp        0      0 localhost.localdo:34224 localhost.localdo:51010 ESTABLISHED
> tcp        0      0 localhost.localdo:34223 localhost.localdo:51010 ESTABLISHED
> tcp        0      0 localhost.localdo:34222 localhost.localdo:51010 ESTABLISHED
> tcp        0      0 localhost.localdo:34221 localhost.localdo:51010 ESTABLISHED
> tcp        0      0 localhost.localdo:34220 localhost.localdo:51010 ESTABLISHED
> tcp        0      0 localhost.localdo:34219 localhost.localdo:51010 ESTABLISHED
> tcp        0      0 localhost.localdo:34218 localhost.localdo:51010 ESTABLISHED
> tcp        0      0 localhost.localdo:34217 localhost.localdo:51010 ESTABLISHED
> tcp        0      0 localhost.localdo:34216 localhost.localdo:51010 ESTABLISHED
> tcp        0      0 localhost.localdo:34215 localhost.localdo:51010 ESTABLISHED
> tcp        0      0 localhost.localdo:34214 localhost.localdo:51010 ESTABLISHED
> tcp        0      0 localhost.localdo:34213 localhost.localdo:51010 ESTABLISHED
>
> Also, when I run nmap against it, it now magically has 6667 open -
> however it's being blocked from the outside world, so nobody would be
> able to use it anyways... so I'm perplexed as to how this keeps happening....
>
> Starting nmap 3.45 ( http://www.insecure.org/nmap/ ) at 2003-10-13 10:59 MDT
> Host token (XX.XX.XX.XX) appears to be up ... good.
> Initiating SYN Stealth Scan against token (XX.XX.XX.XX) at 10:59
> Adding open port 443/tcp
> Adding open port 111/tcp
> Adding open port 22/tcp
> Adding open port 139/tcp
> Adding open port 80/tcp
> Adding open port 53/tcp
> The SYN Stealth Scan took 0 seconds to scan 1657 ports.
> For OSScan assuming that port 22 is open and port 1 is closed and neither are firewalled
> Interesting ports on token.globaltaxnetwork.com (XX.XX.XX.XX):
> (The 1650 ports scanned but not shown below are in state: closed)
> PORT STATE SERVICE
> 22/tcp open ssh
> 53/tcp open domain
> 80/tcp open http
> 111/tcp open rpcbind
> 139/tcp open netbios-ssn
> 443/tcp open https
> 6667/tcp filtered irc
> Device type: general purpose
> Running: Linux 2.4.X|2.5.X
> OS details: Linux Kernel 2.4.0 - 2.5.20
> Uptime 11.918 days (since Wed Oct 1 12:57:51 2003)
> TCP Sequence Prediction: Class=random positive increments
> Difficulty=5320654 (Good luck!)
> IPID Sequence Generation: All zeros
>
> I can't find jack in any of the logs, and when I run ps -auwx, nothing
> shows up as running. Nmap and netstat are the only things that tell me
> something is up that I can see... that and whatever is running keeps
> killing Samba off. I'm sick and tired of these undernet.org bastards
> using my server as their own personal irc playground, so if anyone has any
> tips on how to shut this down and protect my box - I would appreciate
> it. If I can't run a Linux box with only 2 ports open to the outside
> world, I see that as a huge negative.
>
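The netstat and nmap output quoted above is the kind of evidence a defender wants to triage mechanically rather than by eye: an exposure list that no longer matches what the admin believes is open, and a cluster of loopback connections fanning out from one high port. As an added example (not code from this thread or from either poster), here is a small Python script that parses `netstat -a` and nmap's port table, reports every open or filtered port that is not on the admin's allowlist, and flags any loopback port with many distinct established peers, which is what the 51010 cluster above looks like. The sample input is constructed from lines like those in the thread; the allowlist (80 and 53 as Mike states, plus 22 for his own ssh session) and the peer threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -a` output, modelled on the thread (not a real capture).
NETSTAT_SAMPLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost.localdo:51010 localhost.localdo:34232 ESTABLISHED
tcp        0      0 localhost.localdo:51010 localhost.localdo:34233 ESTABLISHED
tcp        0      0 localhost.localdo:51010 localhost.localdo:34234 ESTABLISHED
tcp        0      0 timmy.globa:netbios-ssn tim.globaltaxnetwo:1469 ESTABLISHED
tcp        0      0 timmy.globaltaxnetw:ssh mike.globaltaxnetw:1839 ESTABLISHED
tcp        0      0 localhost.localdo:34232 localhost.localdo:51010 ESTABLISHED
tcp        0      0 localhost.localdo:34233 localhost.localdo:51010 ESTABLISHED
tcp        0      0 localhost.localdo:34234 localhost.localdo:51010 ESTABLISHED
"""

# Constructed sample of nmap's port table, modelled on the scan in the thread.
NMAP_SAMPLE = """\
PORT     STATE    SERVICE
22/tcp   open     ssh
53/tcp   open     domain
80/tcp   open     http
111/tcp  open     rpcbind
139/tcp  open     netbios-ssn
443/tcp  open     https
6667/tcp filtered irc
"""

# netstat prints names from /etc/services instead of numbers; map the ones we expect back.
SERVICE_PORTS = {"ssh": 22, "domain": 53, "http": 80, "netbios-ssn": 139,
                 "https": 443, "irc": 6667}


def split_endpoint(endpoint):
    """Split 'host:port' (host may itself be truncated by netstat) into (host, port_int)."""
    host, _, port = endpoint.rpartition(":")
    if port.isdigit():
        return host, int(port)
    return host, SERVICE_PORTS.get(port, port)  # unknown names stay as strings


def parse_netstat(text):
    """Return a list of TCP connections as dicts; header and non-tcp lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[0] in ("tcp", "tcp6"):
            lhost, lport = split_endpoint(parts[3])
            fhost, fport = split_endpoint(parts[4])
            conns.append({"lhost": lhost, "lport": lport,
                          "fhost": fhost, "fport": fport, "state": parts[5]})
    return conns


def parse_nmap(text):
    """Return {port: (state, service)} from nmap's 'PORT STATE SERVICE' table."""
    ports = {}
    for m in re.finditer(r"^(\d+)/(?:tcp|udp)\s+(\S+)\s+(\S+)", text, re.M):
        ports[int(m.group(1))] = (m.group(2), m.group(3))
    return ports


def is_loopback(host):
    return host.startswith("localhost") or host.startswith("127.")


def unexpected_exposed_ports(nmap_ports, allowlist):
    """Ports nmap saw as open or filtered that the admin did not intend to expose."""
    return sorted(p for p, (state, _) in nmap_ports.items()
                  if state in ("open", "filtered") and p not in allowlist)


def suspicious_loopback_listeners(conns, min_peers=3, allowlist=()):
    """Loopback ports with at least min_peers distinct established loopback peers."""
    peers = defaultdict(set)
    for c in conns:
        if (c["state"] == "ESTABLISHED" and is_loopback(c["lhost"])
                and is_loopback(c["fhost"])):
            peers[c["lport"]].add(c["fport"])
    return sorted(p for p, s in peers.items()
                  if len(s) >= min_peers and p not in allowlist)


def triage(netstat_text, nmap_text, allowlist):
    """Combine both checks into one report for the admin."""
    conns = parse_netstat(netstat_text)
    return {
        "unexpected_exposed": unexpected_exposed_ports(parse_nmap(nmap_text), allowlist),
        "loopback_clusters": suspicious_loopback_listeners(conns, allowlist=allowlist),
    }


if __name__ == "__main__":
    print(triage(NETSTAT_SAMPLE, NMAP_SAMPLE, allowlist={22, 53, 80}))
```

Run it as-is to see the report on the constructed sample; on a live host, feed it the real `netstat -a` and nmap output instead. The loopback check is deliberately conservative: a legitimate local service (a database, a mail queue) can also show a few loopback peers, so the threshold is a starting point for investigation, not proof of compromise.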