[CLUE-Tech] network issues

Kevin Fenzi kevin at scrye.com
Mon Oct 13 12:06:49 MDT 2003



>>>>> "Mike" == Mike Staver <staver at fimble.com> writes:

Mike> There HAS to be a security exploit for Red Hat 9 that Red Hat
Mike> isn't letting on to the public about yet...

Or perhaps there is a new exploit in the wild they don't know about
yet? 

Mike> the reason I say this
Mike> is that my same linux box keeps getting hacked over and over and
Mike> over again, no matter what I do to stop it.  I only have 2
Mike> ports open to it, 80 and 53. Other than that, it's completely
Mike> cut off from the outside world... the security issue has to be
Mike> with one of those two things.  And yes, I'm running the very
Mike> latest rpms from Red Hat immediately after installing, no joke.
Mike> I've changed all the passwords on the box, and checked and
Mike> double checked things time and time again.  I completely rebuilt
Mike> this box last week, and at some point over the weekend, it got
Mike> compromised again.  When I run netstat now, it says:

So you totally re-installed it with a new install, applied all the
update rpms and made sure it was using different passwords than before?

Mike> ...snipp...

Mike> Also, when I run nmap against it, it now magically has 6667 open
Mike> - however it's being blocked from the outside world, so nobody
Mike> would be able to use it anyways... so I'm perplexed to how this
Mike> keeps happening....

Could anything have been copied over with your data when you
re-installed the machine? Could be a cgi or other web vulnerability? 

Mike> ...snipp...

Mike> 111/tcp  open     rpcbind

portmap running? portmap is pretty insecure. Although you said you
have that blocked off from the outside?

Mike> I can't find jack in any of the logs, and when I run ps -auwx,
Mike> nothing shows up as running.  Nmap and netstat are the only
Mike> things that tell me something is up that I can see... that and
Mike> whatever is running keeps killing samba off.  I'm sick and tired
Mike> of these undernet.org bastards using my server as their own
Mike> personal irc playground, so if anyone has any tips on how to shut
Mike> this down and protect my box - I would appreciate it.  If I
Mike> can't run a linux box with only 2 ports open to the outside world,
Mike> I see that as a huge negative.

You might try doing an 'rpm -Va'; that should show you any modified
files from the rpm database. Of course if they modified the rpm
database or rpm command then you are out of luck there.

I would guess: 

- something in your data you restored after re-installing is allowing
them to recompromise you via http or dns.

- Some new exploit against those 2 services.

- They are attacking from another machine inside your network,
bypassing your firewall.

I would say your best bet is to get a new machine, install it. Apply
all updates. Copy data over to it from the old machine and check it
for any backdoors, etc... 

Mike>                                  -Mike Staver staver at fimble.com
Mike> mstaver at globaltaxnetwork.com

kevin
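Kevin's suggestion of 'rpm -Va' produces a terse report that is easy to skim past when a box has hundreds of legitimately changed config files. The script below is an added example for this thread (not code from the list, from Kevin, or from Red Hat): it parses the verify report and ranks each failure, so that replaced binaries under /bin or /usr/bin stand out from edited config files. The severity rules and the set of "binary" path prefixes are my own choices, and the sample report is constructed to resemble the symptoms Mike describes (ls, ps and netstat replaced, which is why nothing showed up in ps). The caveat in the reply still applies: the report is only as trustworthy as the rpm binary and database that produced it, so feed it output from a known-good rpm where you can.

```python
"""Triage helper for `rpm -Va` output.

Added example for this thread; it is not code from the list or from Red Hat.
It only parses the verify report, it does not run rpm itself.

`rpm -Va` prints one line per file that fails verification. Each line begins
with a flag field of 8 (older rpm) or 9 characters: S size, M mode, 5 digest,
D device, L symlink, U user, G group, T mtime, P capabilities (newer rpm);
'.' means the test passed and '?' means it could not be run. An optional
attribute letter follows (c config, d doc, g ghost, l license, r readme),
then the path. Files that no longer exist print as "missing <path>".
"""
import re
from typing import Dict, List, NamedTuple, Optional

FLAG_NAMES = {
    "S": "size", "M": "mode", "5": "digest", "D": "device", "L": "symlink",
    "U": "user", "G": "group", "T": "mtime", "P": "capabilities",
}

# Assumption: files under these prefixes are executables or libraries, where an
# unexpected digest change is far more alarming than in a config file.
BINARY_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/lib/", "/usr/lib/")

# Matches a normal verify line: flags, optional attribute marker, absolute path.
LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9})\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S+)\s*$"
)


class Finding(NamedTuple):
    path: str
    changed: List[str]       # which verify tests failed, by name
    attr: Optional[str]      # rpm attribute marker, e.g. "c" for config
    missing: bool
    severity: str


def classify(path: str, changed: List[str], attr: Optional[str], missing: bool) -> str:
    """Rank a verify failure by how worrying it is on a possibly rooted host."""
    is_binary = path.startswith(BINARY_PREFIXES)
    if missing:
        return "high" if is_binary else ("medium" if attr == "c" else "low")
    if "digest" in changed or "size" in changed:
        if attr == "c":
            return "low"        # locally edited config files are expected
        return "high" if is_binary else "medium"
    if {"mode", "user", "group", "symlink"} & set(changed):
        return "medium"         # permission/ownership drift, e.g. a new setuid bit
    return "low"                # mtime or device only


def parse_rpm_verify(text: str) -> List[Finding]:
    """Parse `rpm -Va` output; lines that are not verify lines are skipped."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("missing"):
            tokens = line.split()
            path = tokens[-1]
            attr = tokens[1] if len(tokens) == 3 else None
            findings.append(Finding(path, [], attr, True, classify(path, [], attr, True)))
            continue
        m = LINE_RE.match(line)
        if not m:
            continue            # e.g. "Unsatisfied dependencies for ..." lines
        changed = [FLAG_NAMES[ch] for ch in m.group("flags") if ch in FLAG_NAMES]
        path, attr = m.group("path"), m.group("attr")
        findings.append(Finding(path, changed, attr, False, classify(path, changed, attr, False)))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group changed paths by severity for a quick read."""
    out: Dict[str, List[str]] = {"high": [], "medium": [], "low": []}
    for f in findings:
        out[f.severity].append(f.path)
    return out


# Constructed sample report in the 8-column format of the rpm shipped in 2003.
# Replaced ls/ps/netstat are the classic sign of a userland rootkit hiding an
# IRC bot, which fits the "nothing shows up in ps" symptom from the thread.
SAMPLE_OUTPUT = """\
S.5....T    /bin/ls
S.5....T    /bin/ps
S.5....T    /bin/netstat
S.5....T  c /etc/httpd/conf/httpd.conf
.......T  c /etc/passwd
.M......    /usr/bin/find
missing     /usr/share/doc/some-package/README
Unsatisfied dependencies for some-package-1.0-1: other-package = 1.0-1
"""

if __name__ == "__main__":
    report = summarize(parse_rpm_verify(SAMPLE_OUTPUT))
    for level in ("high", "medium", "low"):
        for path in report[level]:
            print(f"{level:6s} {path}")
```

On a real host run it as `rpm -Va | python3 rpmtriage.py` after replacing the sample with `sys.stdin.read()`. A "high" hit on a core binary is a reason to stop trusting the box rather than to clean it, which is the same conclusion Kevin reaches: rebuild on fresh media and bring the data across only after checking it.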