[CLUE-Tech] network issues
Mike Staver
staver at fimble.com
Mon Oct 13 12:23:00 MDT 2003
Kevin Fenzi wrote:
> Mike> There HAS to be a security exploit for Red Hat 9 that Red Hat
> Mike> isn't letting onto the public about yet...
>
> Or perhaps there is a new exploit in the wild they don't know about
> yet?
Yeah - but I would have to think they know about it, this has been going
on for me for the last several months non stop. I even left this
machine off the network for 3 weeks before I rebuilt it this last time,
and after a few days of uptime, the punks from undernet.org struck
again. I even contacted the Denver FBI office the first 2 times, and
they ignored me because I didn't have any credit card information stored
on the box.
>
> Mike> the reason I say this
> Mike> is that my same linux box keeps getting hacked over and over and
> Mike> over again, no matter what I do to stop it. I only have 2
> Mike> ports open to it, 80 and 53. Other than that, it's completely
> Mike> cut off from the outside world... the security issue has to be
> Mike> with one of those two things. And yes, I'm running the very
> Mike> latest rpms from Red Hat immediately after installing, no joke.
> Mike> I've changed all the passwords on the box, and checked and
> Mike> double checked things time and time again. I completely rebuilt
> Mike> this box last week, and at some point over the weekend, it got
> Mike> compromised again. When I run netstat now, it says:
>
> So you totally re-installed it with a new install, applied all the
> update rpms and made sure it was using different passwords than before?
>
Yep, it's driving me crazy.
>
> Mike> Also, when I run nmap against it, it now magically has 6667 open
> Mike> - however it's being blocked from the outside world, so nobody
> Mike> would be able to use it anyways... so I'm perplexed to how this
> Mike> keeps happening....
>
> Could anything have been copied over with your data when you
> re-installed the machine? Could be a cgi or other web vulnerability?
I'm only copying over my html code and my cfm code, no cgi stuff... so
if there is a hole in it, I can't think of one. None of my code
interacts with the system, just a database server on another machine
through odbc via cold fusion mx.
>
> Mike> ...snipp...
>
> Mike> 111/tcp open rpcbind
>
> portmap running? portmap is pretty insecure. Although you said you
> have that blocked off from the outside?
Yeah, I do have it blocked off from the outside... what is that service
exactly, and would I need it for anything? I've never shut it off
because I assumed it was something I needed.
--
-Mike Staver
staver at fimble.com
mstaver at globaltaxnetwork.com
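An added example, not from the thread: a small POSIX shell check that compares the box's listening TCP ports against the allowlist Mike describes (80 and 53) and reports anything else, so an unexpected 6667 or 111 shows up in a cron mail or on the next login instead of on the next nmap. The netstat output below is constructed for the demo; the allowlist is an assumption you set per host.

```shell
#!/bin/sh
# Added example (not code from the thread): report listening TCP ports
# that are not on the host's allowlist. On the box discussed only 80 and
# 53 should be listening, so 6667 (irc) and 111 (rpcbind) are surprises.
ALLOWED_PORTS="${ALLOWED_PORTS:-80 53}"

# Constructed sample in `netstat -tln` format. On a real host pipe the
# live output in instead:   netstat -tln | check_listeners
SAMPLE_LISTENERS='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN'

# Reads netstat output on stdin, prints one line per unexpected listening
# port, and returns 1 if any were found, 0 otherwise.
check_listeners() {
    found=0
    # Keep tcp/tcp6 rows in LISTEN state, take the local address column,
    # and keep only the text after the last ':' (the port).
    ports=$(awk '$1 ~ /^tcp/ && /LISTEN/ { n = split($4, a, ":"); print a[n] }')
    for p in $ports; do
        ok=0
        for a in $ALLOWED_PORTS; do
            [ "$p" = "$a" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            echo "unexpected listener on tcp/$p"
            found=1
        fi
    done
    return $found
}

# Stand-alone demo over the constructed sample; prints 111 and 6667.
printf '%s\n' "$SAMPLE_LISTENERS" | check_listeners \
    || echo "review the listeners above against the allowlist"
```

Run it from cron with the live `netstat -tln` output and mail yourself only when it returns non-zero; a port that was blocked at the firewall but is still listening locally (like 6667 here) still means something on the box opened it.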