[CLUE-Tech] network issues

Mike Staver staver at fimble.com
Mon Oct 13 12:23:00 MDT 2003


Kevin Fenzi wrote:

> Mike> There HAS to be a security exploit for Red Hat 9 that Red Hat
> Mike> isn't letting onto the public about yet... 
> 
> Or perhaps there is a new exploit in the wild they don't know about
> yet? 

Yeah - but I would have to think they know about it, this has been going 
on for me for the last several months non stop.  I even left this 
machine off the network for 3 weeks before I rebuilt it this last time, 
and after a few days of uptime, the punks from undernet.org struck 
again.  I even contacted the Denver FBI office the first 2 times, and 
they ignored me because I didn't have any credit card information stored 
on the box.

> 
> Mike> the reason I say this
> Mike> is that my same linux box keeps getting hacked over and over and
> Mike> over again, no matter what I do to stop it.  I only have 2
> Mike> ports open to it, 80 and 53. Other than that, it's completely
> Mike> cut off from the outside world... the security issue has to be
> Mike> with one of those two things.  And yes, I'm running the very
> Mike> latest rpms from Red Hat immediately after installing, no joke.
> Mike> I've changed all the passwords on the box, and checked and
> Mike> double checked things time and time again.  I completely rebuilt
> Mike> this box last week, and at some point over the weekend, it got
> Mike> compromised again.  When I run netstat now, it says:
> 
> So you totally re-installed it with a new install, applied all the
> update rpms and made sure it was using different passwords than before?
> 

Yep, it's driving me crazy.

> 
> Mike> Also, when I run nmap against it, it now magically has 6667 open
> Mike> - however it's being blocked from the outside world, so nobody
> Mike> would be able to use it anyways... so I'm perplexed to how this
> Mike> keeps happening....
> 
> Could anything have been copied over with your data when you
> re-installed the machine? Could be a cgi or other web vulnerability? 

I'm only copying over my html code and my cfm code, no cgi stuff... so 
if there is a hole in it, I can't think of one.  None of my code 
interacts with the system, just a database server on another machine 
through odbc via cold fusion mx.

> 
> Mike> ...snipp...
> 
> Mike> 111/tcp  open     rpcbind
> 
> portmap running? portmap is pretty insecure. Although you said you
> have that blocked off from the outside?

Yeah, I do have it blocked off from the outside... what is that service 
exactly, and would I need it for anything?  I've never shut it off 
because I assumed it was something I needed.

-- 

                                 -Mike Staver
                                  staver at fimble.com
                                  mstaver at globaltaxnetwork.com
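The thread turns on the gap between the two ports the box is meant to expose (80 and 53) and what netstat and nmap actually report (111/rpcbind, and later 6667). The script below is an added example written for this thread, not code from either poster: it parses `netstat -tln` output, keeps only listeners bound to every interface, and flags any port outside the owner's allow-list. The sample netstat output is constructed to resemble the box being discussed and is not real data; the port-name table is a small convenience lookup, not authoritative.

```python
"""Audit the TCP listeners reported by `netstat -tln` against the short
list of ports a host is supposed to expose.

Added example for the thread above, not code from the original post. The
sample output below is constructed (80 and 53 intended, 111 and 6667 not),
and is not real data from the machine being discussed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Ports the owner says the box should expose (from the thread: 80 and 53).
EXPECTED_PORTS: Set[int] = {80, 53}

# Human-readable names for a few ports; only used to make the report clearer.
PORT_NAMES = {53: "dns", 80: "http", 111: "rpcbind/portmap", 6667: "irc"}

# Constructed sample of `netstat -tln` output in the classic Linux format.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN
"""

# proto, recv-q, send-q, local addr:port, foreign addr, state
LISTEN_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s*$")


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int

    @property
    def bound_to_all(self) -> bool:
        # 0.0.0.0 / :: / * means reachable on every interface, not only loopback.
        return self.addr in ("0.0.0.0", "::", "*")


def parse_netstat(text: str) -> List[Listener]:
    """Return one Listener per LISTEN line; headers and non-TCP lines are skipped."""
    found = []
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            found.append(Listener(m.group(1), m.group(2), int(m.group(3))))
    return found


def unexpected_listeners(listeners: Iterable[Listener],
                         expected: Set[int] = EXPECTED_PORTS) -> List[Listener]:
    """Listeners outside the allow-list that are reachable from the network.

    A service bound only to 127.0.0.1 (like the sample port 25) is not
    reported, since it is not exposed to other hosts.
    """
    return [l for l in listeners if l.port not in expected and l.bound_to_all]


def report(text: str, expected: Set[int] = EXPECTED_PORTS) -> List[str]:
    """One line per unexpected network-reachable listener found in netstat output."""
    lines = []
    for l in unexpected_listeners(parse_netstat(text), expected):
        name = PORT_NAMES.get(l.port, "unknown")
        lines.append(f"unexpected listener {l.addr}:{l.port} ({name})")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_NETSTAT):
        print(line)
```

On the constructed sample this reports 111 (rpcbind/portmap) and 6667, which matches what the thread describes. The allow-list is the owner's statement of intent, so the check answers the question Kevin is circling: anything listening on all interfaces that is not on that list needs an explanation, whether it is a service the installer enabled by default (portmap) or something that appeared after the compromise. A firewall in front of the box changes the exposure but not the finding; the listener is still there. Since netstat on a compromised host may itself have been tampered with, the same comparison is worth repeating against an external port scan taken from a trusted machine.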
