[CLUE-Tech] network issues
Dave Hahn
dhahn at techangle.com
Mon Oct 13 12:30:21 MDT 2003
netstat -apn will add the PID of the running process that is opening the
ports. However, if you have been rooted, that *may not* report correctly.

Also, try www.chkrootikit.org - the application will check for the
presence of a root kit and let you know which one it has found.

If you end up re-installing again, do so without an internet connection.
(Grab updates from an FTP site and install locally.) Then, tripwire the
box *before* copying over your data or hooking up the next. Then, if
this happens again, you will know exactly what system files have been
modified that let this happen.

hth,
-d
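The "tripwire the box before hooking it up" advice above amounts to: hash every system file on a clean install, keep that baseline somewhere the host cannot alter, and diff the live system against it later. The script below is an added example written for this thread; it is not code from the post and not Tripwire itself. The directory layout, file contents and the tampering it simulates in demo() are all constructed for the demonstration.

```python
"""Tripwire-style file integrity baseline: hash a fresh install, verify later.

Added example for this thread, not code from the original post and not
Tripwire itself. Build the baseline on the freshly installed box before it
is connected to the network, keep the JSON on read-only media, and diff the
live system against it after any suspected compromise; the diff then names
exactly which system files were modified, added or removed.
"""
import hashlib
import json
import os
import stat
import tempfile


def file_digest(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (path relative to root) to its attributes."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files are out of scope here
            baseline[os.path.relpath(full, root)] = {
                "sha256": file_digest(full),
                "mode": stat.S_IMODE(st.st_mode),
                "size": st.st_size,
                "uid": st.st_uid,
            }
    return baseline


def compare(old, new):
    """Diff two baselines; 'modified' lists which attributes changed per file."""
    report = {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": {},
    }
    for path in sorted(set(old) & set(new)):
        changed = [k for k in old[path] if old[path][k] != new[path][k]]
        if changed:
            report["modified"][path] = changed
    return report


def save_baseline(baseline, dest):
    """Write the baseline as JSON (keep this copy off the monitored host)."""
    with open(dest, "w") as f:
        json.dump(baseline, f, indent=1)


def load_baseline(src):
    with open(src) as f:
        return json.load(f)


def demo():
    """Round trip on a constructed tree: baseline, simulate tampering, verify."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        for name in ("ls", "ps"):  # constructed stand-ins for system binaries
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(b"original %s binary\n" % name.encode())
            os.chmod(os.path.join(bindir, name), 0o755)
        db = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), db)  # taken before going online

        # Constructed tampering: replace ps and change its mode, drop a hidden
        # file into bin, and delete ls.
        with open(os.path.join(bindir, "ps"), "wb") as f:
            f.write(b"replaced ps binary\n")
        os.chmod(os.path.join(bindir, "ps"), 0o700)
        with open(os.path.join(bindir, ".hidden"), "wb") as f:
            f.write(b"extra file\n")
        os.remove(os.path.join(bindir, "ls"))

        return compare(load_baseline(db), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The hash is what matters: size and mtime are trivial to preserve when a binary is swapped, so the report treats a digest change as a modification even when the other attributes match. The same caveat as for netstat applies: run the verification from a known-good boot medium, since a rooted kernel or a replaced python binary can lie about file contents.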
Mike Staver wrote:
> There HAS to be a security exploit for Red Hat 9 that Red Hat isn't
> letting onto the public about yet... the reason I say this is that my
> same linux box keeps getting hacked over and over and over again, no
> matter what I do to stop it. I only have 2 ports open to it, 80 and
> 53. Other than that, it's completely cut off from the outside
> world... the security issue has to be with one of those two things.
> And yes, I'm running the very latest rpms from Red Hat immediately
> after installing, no joke. I've changed all the passwords on the box,
> and checked and double checked things time and time again. I
> completely rebuilt this box last week, and at some point over the
> weekend, it got compromised again. When I run netstat now, it says:
>
> [root at timmy staver]# netstat -a | more
> Active Internet connections (including servers)
> Proto Recv-Q Send-Q Local Address Foreign Address State
> tcp 0 0 localhost.localdo:51010 localhost.localdo:34232 ESTABLISHED
> tcp 0 0 localhost.localdo:51010 localhost.localdo:34233 ESTABLISHED
> tcp 0 0 localhost.localdo:51010 localhost.localdo:34234 ESTABLISHED
> tcp 0 0 localhost.localdo:51010 localhost.localdo:34235 ESTABLISHED
> tcp 0 0 localhost.localdo:51010 localhost.localdo:34236 ESTABLISHED
> tcp 0 0 localhost.localdo:51010 localhost.localdo:34224 ESTABLISHED
> tcp 0 0 localhost.localdo:51010 localhost.localdo:34225 ESTABLISHED
> tcp 0 0 localhost.localdo:51010 localhost.localdo:34226 ESTABLISHED
> tcp 0 0 localhost.localdo:51010 localhost.localdo:34227 ESTABLISHED
> tcp 0 0 localhost.localdo:51010 localhost.localdo:34228 ESTABLISHED
> tcp 0 0 localhost.localdo:51010 localhost.localdo:34229 ESTABLISHED
> tcp 0 0 localhost.localdo:51010 localhost.localdo:34230 ESTABLISHED
> tcp 0 0 localhost.localdo:51010 localhost.localdo:34231 ESTABLISHED
> tcp 0 0 localhost.localdo:51010 localhost.localdo:34216 ESTABLISHED
> tcp 0 0 localhost.localdo:51010 localhost.localdo:34217 ESTABLISHED
> tcp 0 0 localhost.localdo:51010 localhost.localdo:34218 ESTABLISHED
> tcp 0 0 timmy.globa:netbios-ssn tim.globaltaxnetwo:1469 ESTABLISHED
> tcp 0 0 localhost.localdo:51010 localhost.localdo:34219 ESTABLISHED
> tcp 0 0 localhost.localdo:51010 localhost.localdo:34220 ESTABLISHED
> tcp 0 0 localhost.localdo:51010 localhost.localdo:34221 ESTABLISHED
> tcp 0 0 localhost.localdo:51010 localhost.localdo:34222 ESTABLISHED
> tcp 0 0 timmy.globaltaxnetw:ssh mike.globaltaxnetw:1839 ESTABLISHED
> tcp 0 0 localhost.localdo:51010 localhost.localdo:34223 ESTABLISHED
> tcp 0 0 localhost.localdo:51010 localhost.localdo:34213 ESTABLISHED
> tcp 0 0 localhost.localdo:51010 localhost.localdo:34214 ESTABLISHED
> tcp 0 0 localhost.localdo:51010 localhost.localdo:34215 ESTABLISHED
> tcp 0 0 timmy.globa:netbios-ssn mike.globaltaxnetw:1876 ESTABLISHED
> tcp 0 0 localhost.localdo:34236 localhost.localdo:51010 ESTABLISHED
> tcp 0 0 localhost.localdo:34235 localhost.localdo:51010 ESTABLISHED
> tcp 0 0 localhost.localdo:34234 localhost.localdo:51010 ESTABLISHED
> tcp 0 0 localhost.localdo:34233 localhost.localdo:51010 ESTABLISHED
> tcp 0 0 localhost.localdo:34232 localhost.localdo:51010 ESTABLISHED
> tcp 0 0 localhost.localdo:34231 localhost.localdo:51010 ESTABLISHED
> tcp 0 0 localhost.localdo:34230 localhost.localdo:51010 ESTABLISHED
> tcp 0 0 localhost.localdo:34229 localhost.localdo:51010 ESTABLISHED
> tcp 0 0 localhost.localdo:34228 localhost.localdo:51010 ESTABLISHED
> tcp 0 0 localhost.localdo:34227 localhost.localdo:51010 ESTABLISHED
> tcp 0 0 localhost.localdo:34226 localhost.localdo:51010 ESTABLISHED
> tcp 0 0 localhost.localdo:34225 localhost.localdo:51010 ESTABLISHED
> tcp 0 0 localhost.localdo:34224 localhost.localdo:51010 ESTABLISHED
> tcp 0 0 localhost.localdo:34223 localhost.localdo:51010 ESTABLISHED
> tcp 0 0 localhost.localdo:34222 localhost.localdo:51010 ESTABLISHED
> tcp 0 0 localhost.localdo:34221 localhost.localdo:51010 ESTABLISHED
> tcp 0 0 localhost.localdo:34220 localhost.localdo:51010 ESTABLISHED
> tcp 0 0 localhost.localdo:34219 localhost.localdo:51010 ESTABLISHED
> tcp 0 0 localhost.localdo:34218 localhost.localdo:51010 ESTABLISHED
> tcp 0 0 localhost.localdo:34217 localhost.localdo:51010 ESTABLISHED
> tcp 0 0 localhost.localdo:34216 localhost.localdo:51010 ESTABLISHED
> tcp 0 0 localhost.localdo:34215 localhost.localdo:51010 ESTABLISHED
> tcp 0 0 localhost.localdo:34214 localhost.localdo:51010 ESTABLISHED
> tcp 0 0 localhost.localdo:34213 localhost.localdo:51010 ESTABLISHED
>
> Also, when I run nmap against it, it now magically has 6667 open -
> however it's being blocked from the outside world, so nobody would be
> able to use it anyways... so I'm perplexed as to how this keeps
> happening....
>
> Starting nmap 3.45 ( http://www.insecure.org/nmap/ ) at 2003-10-13 10:59 MDT
> Host token (XX.XX.XX.XX) appears to be up ... good.
> Initiating SYN Stealth Scan against token (XX.XX.XX.XX) at 10:59
> Adding open port 443/tcp
> Adding open port 111/tcp
> Adding open port 22/tcp
> Adding open port 139/tcp
> Adding open port 80/tcp
> Adding open port 53/tcp
> The SYN Stealth Scan took 0 seconds to scan 1657 ports.
> For OSScan assuming that port 22 is open and port 1 is closed and neither are firewalled
> Interesting ports on token.globaltaxnetwork.com (XX.XX.XX.XX):
> (The 1650 ports scanned but not shown below are in state: closed)
> PORT STATE SERVICE
> 22/tcp open ssh
> 53/tcp open domain
> 80/tcp open http
> 111/tcp open rpcbind
> 139/tcp open netbios-ssn
> 443/tcp open https
> 6667/tcp filtered irc
> Device type: general purpose
> Running: Linux 2.4.X|2.5.X
> OS details: Linux Kernel 2.4.0 - 2.5.20
> Uptime 11.918 days (since Wed Oct 1 12:57:51 2003)
> TCP Sequence Prediction: Class=random positive increments Difficulty=5320654 (Good luck!)
> IPID Sequence Generation: All zeros
>
> I can't find jack in any of the logs, and when I run ps -auwx, nothing
> shows up as running. Nmap and netstat are the only things that tell
> me something is up that I can see... that and whatever is running
> keeps killing samba off. I'm sick and tired of these undernet.org
> bastards using my server as their own personal irc playground, so if
> anyone has any tips on how to shut this down and protect my box - I
> would appreciate it. If I can't run a linux box with only 2 ports open
> to the outside world, I see that as a huge negative.
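The quoted netstat listing is worth reading mechanically rather than by eye: dozens of loopback connections fanning into local port 51010, plus the 6667 listener that only nmap revealed, stand out immediately once the output is compared with the short list of ports the box is supposed to expose (22, 53, 80 here). The script below is an added example written for this thread, not code from the post. It parses the column layout shown in the quoted output; SAMPLE_NETSTAT is a constructed excerpt in that layout, and SERVICE_PORTS and EXPECTED_PORTS are assumptions for the demo. As Dave notes above, a rooted box's netstat may not report honestly, so feed it output from a netstat run off known-good media.

```python
"""Audit netstat -a output against an allowlist of expected ports.

Added example for this thread, not code from the original post. It parses
the record layout shown in the quoted netstat output (Proto Recv-Q Send-Q
Local Address Foreign Address State), reports listeners that are not on the
allowlist, and counts ESTABLISHED connections per local port so a service
with an unusual fan-in (like 51010 in the post) surfaces at the top.
"""
from collections import Counter

# Constructed sample modelled on the post: a loopback service on 51010 with
# several local peers, an unexpected ircd listener, and the usual ssh/dns/http.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:http                  *:*                     LISTEN
tcp        0      0 *:domain                *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 *:51010                 *:*                     LISTEN
tcp        0      0 *:ircd                  *:*                     LISTEN
tcp        0      0 localhost.localdo:51010 localhost.localdo:34232 ESTABLISHED
tcp        0      0 localhost.localdo:51010 localhost.localdo:34233 ESTABLISHED
tcp        0      0 localhost.localdo:51010 localhost.localdo:34234 ESTABLISHED
tcp        0      0 localhost.localdo:34232 localhost.localdo:51010 ESTABLISHED
tcp        0      0 localhost.localdo:34233 localhost.localdo:51010 ESTABLISHED
tcp        0      0 localhost.localdo:34234 localhost.localdo:51010 ESTABLISHED
tcp        0      0 timmy.globaltaxnetw:ssh mike.globaltaxnetw:1839 ESTABLISHED
udp        0      0 *:domain                *:*
"""

# Names netstat prints instead of numbers (a subset of /etc/services, assumed).
SERVICE_PORTS = {"ssh": 22, "domain": 53, "http": 80, "https": 443,
                 "sunrpc": 111, "netbios-ssn": 139, "ircd": 6667}

# What this particular server is supposed to expose (assumption for the demo).
EXPECTED_PORTS = {22, 53, 80}


def port_of(endpoint):
    """'host:port' -> int port. '*' becomes None; unknown names stay as text."""
    _host, _sep, port = endpoint.rpartition(":")
    if port == "*":
        return None
    if port.isdigit():
        return int(port)
    return SERVICE_PORTS.get(port, port)


def parse_netstat(text):
    """Return one dict per tcp/udp record; UDP rows have no State column."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # banner and header lines
        records.append({
            "proto": parts[0],
            "local": parts[3],
            "remote": parts[4],
            "state": parts[5] if len(parts) > 5 else "",
        })
    return records


def audit(text, expected_ports=EXPECTED_PORTS):
    """Flag listeners outside the allowlist and count peers per local port."""
    records = parse_netstat(text)
    listeners = {port_of(r["local"]) for r in records if r["state"] == "LISTEN"}
    fanin = Counter(port_of(r["local"])
                    for r in records if r["state"] == "ESTABLISHED")
    return {
        "unexpected_listeners": sorted(listeners - set(expected_ports), key=str),
        "established_per_port": dict(fanin),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_NETSTAT)
    for port in result["unexpected_listeners"]:
        print(f"unexpected listener on port {port}")
    ranked = sorted(result["established_per_port"].items(), key=lambda kv: -kv[1])
    for port, n in ranked:
        print(f"port {port}: {n} established connection(s)")
```

On a real box, pipe `netstat -apn` (as Dave suggests) into this instead of the sample so the PID column is available to you alongside the port; the parser only needs columns 0, 3, 4 and 5, so the extra PID/Program column at the end does not disturb it. Unknown service names are kept as text rather than dropped, so a listener the allowlist cannot explain is never silently skipped.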