[CLUE-Tech] network issues

Dave Hahh dhahn at techangle.com
Mon Oct 13 12:30:21 MDT 2003


netstat -apn will add the PID of the process that is opening the 
ports.  However, if you have been rooted, that *may not* report correctly.

Also, try www.chkrootkit.org - the application will check for the 
presence of a root kit and let you know which one it has found.

If you end up re-installing again, do so without an internet connection.  
(Grab updates from an FTP site and install locally.) Then, tripwire the 
box *before* copying over your data or hooking up the next.  Then, if 
this happens again, you will know exactly what system files have been 
modified that let this happen.


hth,

-d
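The "tripwire the box before exposing it" step above, as an added example that is not part of the original post: a minimal tripwire-style baseline built with sha256sum, plus a compare that reports added, changed and removed files. It assumes a POSIX sh with find, sort, awk, mktemp and sha256sum (swap in md5sum on an older box); directory names and the function names make_baseline / check_baseline are this example's own, and paths containing spaces are not handled by the awk field split.

```shell
#!/bin/sh
# Added example, not from the original post: a minimal tripwire-style
# integrity baseline. Assumes a POSIX sh with find, sort, awk, mktemp and
# sha256sum (Red Hat 9 shipped md5sum; swap the command if needed).
# File paths containing spaces are not handled by the awk field split.

# make_baseline BASELINE_FILE DIR...
# Hash every regular file under DIR... and store "hash  path", sorted by
# path. Keep the result off-box or on read-only media, and build it before
# the machine is exposed to the network or user data is copied on.
make_baseline() {
    out="$1"; shift
    find "$@" -type f -exec sha256sum {} + | sort -k2 > "$out"
}

# check_baseline BASELINE_FILE DIR...
# Re-hash the tree and report ADDED / CHANGED / REMOVED files relative to
# the baseline. Returns 0 when nothing differs, 1 otherwise.
check_baseline() {
    base="$1"; shift
    live=$(mktemp)
    find "$@" -type f -exec sha256sum {} + | sort -k2 > "$live"
    report=$(awk '
        FILENAME == ARGV[1] { known[$2] = $1; next }   # load the baseline
        !($2 in known)      { print "ADDED   " $2; next }
        known[$2] != $1     { print "CHANGED " $2 }
                            { delete known[$2] }       # seen: drop from set
        END { for (p in known) print "REMOVED " p }    # left over = gone
    ' "$base" "$live")
    rm -f "$live"
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}
```

Run the check from a trusted binary set (a boot CD or a statically linked copy of sha256sum and awk kept with the baseline): on a rooted box the hashing tools themselves are as suspect as the netstat Dave mentions, and a baseline compared with replaced tools proves nothing.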

Mike Staver wrote:

> There HAS to be a security exploit for Red Hat 9 that Red Hat isn't 
> letting on to the public about yet... the reason I say this is that my 
> same linux box keeps getting hacked over and over and over again, no 
> matter what I do to stop it.  I only have 2 ports open to it, 80 and 
> 53.  Other than that, it's completely cut off from the outside 
> world... the security issue has to be with one of those two things.  
> And yes, I'm running the very latest rpms from Red Hat immediately 
> after installing, no joke.  I've changed all the passwords on the box, 
> and checked and double checked things time and time again.  I 
> completely rebuilt this box last week, and at some point over the 
> weekend, it got compromised again.  When I run netstat now, it says:
>
> [root@timmy staver]# netstat -a | more
> Active Internet connections (including servers)
> Proto Recv-Q Send-Q Local Address           Foreign Address State
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34232 ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34233 ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34234 ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34235 ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34236 ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34224 ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34225 ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34226 ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34227 ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34228 ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34229 ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34230 ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34231 ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34216 ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34217 ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34218 ESTABLISHED
> tcp        0      0 timmy.globa:netbios-ssn tim.globaltaxnetwo:1469 ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34219 ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34220 ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34221 ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34222 ESTABLISHED
> tcp        0      0 timmy.globaltaxnetw:ssh mike.globaltaxnetw:1839 ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34223 ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34213 ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34214 ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34215 ESTABLISHED
> tcp        0      0 timmy.globa:netbios-ssn mike.globaltaxnetw:1876 ESTABLISHED
> tcp        0      0 localhost.localdo:34236 localhost.localdo:51010 ESTABLISHED
> tcp        0      0 localhost.localdo:34235 localhost.localdo:51010 ESTABLISHED
> tcp        0      0 localhost.localdo:34234 localhost.localdo:51010 ESTABLISHED
> tcp        0      0 localhost.localdo:34233 localhost.localdo:51010 ESTABLISHED
> tcp        0      0 localhost.localdo:34232 localhost.localdo:51010 ESTABLISHED
> tcp        0      0 localhost.localdo:34231 localhost.localdo:51010 ESTABLISHED
> tcp        0      0 localhost.localdo:34230 localhost.localdo:51010 ESTABLISHED
> tcp        0      0 localhost.localdo:34229 localhost.localdo:51010 ESTABLISHED
> tcp        0      0 localhost.localdo:34228 localhost.localdo:51010 ESTABLISHED
> tcp        0      0 localhost.localdo:34227 localhost.localdo:51010 ESTABLISHED
> tcp        0      0 localhost.localdo:34226 localhost.localdo:51010 ESTABLISHED
> tcp        0      0 localhost.localdo:34225 localhost.localdo:51010 ESTABLISHED
> tcp        0      0 localhost.localdo:34224 localhost.localdo:51010 ESTABLISHED
> tcp        0      0 localhost.localdo:34223 localhost.localdo:51010 ESTABLISHED
> tcp        0      0 localhost.localdo:34222 localhost.localdo:51010 ESTABLISHED
> tcp        0      0 localhost.localdo:34221 localhost.localdo:51010 ESTABLISHED
> tcp        0      0 localhost.localdo:34220 localhost.localdo:51010 ESTABLISHED
> tcp        0      0 localhost.localdo:34219 localhost.localdo:51010 ESTABLISHED
> tcp        0      0 localhost.localdo:34218 localhost.localdo:51010 ESTABLISHED
> tcp        0      0 localhost.localdo:34217 localhost.localdo:51010 ESTABLISHED
> tcp        0      0 localhost.localdo:34216 localhost.localdo:51010 ESTABLISHED
> tcp        0      0 localhost.localdo:34215 localhost.localdo:51010 ESTABLISHED
> tcp        0      0 localhost.localdo:34214 localhost.localdo:51010 ESTABLISHED
> tcp        0      0 localhost.localdo:34213 localhost.localdo:51010 ESTABLISHED
>
> Also, when I run nmap against it, it now magically has 6667 open - 
> however it's being blocked from the outside world, so nobody would be 
> able to use it anyways... so I'm perplexed as to how this keeps 
> happening....
>
> Starting nmap 3.45 ( http://www.insecure.org/nmap/ ) at 2003-10-13 10:59 MDT
> Host token (XX.XX.XX.XX) appears to be up ... good.
> Initiating SYN Stealth Scan against token (XX.XX.XX.XX) at 10:59
> Adding open port 443/tcp
> Adding open port 111/tcp
> Adding open port 22/tcp
> Adding open port 139/tcp
> Adding open port 80/tcp
> Adding open port 53/tcp
> The SYN Stealth Scan took 0 seconds to scan 1657 ports.
> For OSScan assuming that port 22 is open and port 1 is closed and neither are firewalled
> Interesting ports on token.globaltaxnetwork.com (XX.XX.XX.XX):
> (The 1650 ports scanned but not shown below are in state: closed)
> PORT     STATE    SERVICE
> 22/tcp   open     ssh
> 53/tcp   open     domain
> 80/tcp   open     http
> 111/tcp  open     rpcbind
> 139/tcp  open     netbios-ssn
> 443/tcp  open     https
> 6667/tcp filtered irc
> Device type: general purpose
> Running: Linux 2.4.X|2.5.X
> OS details: Linux Kernel 2.4.0 - 2.5.20
> Uptime 11.918 days (since Wed Oct  1 12:57:51 2003)
> TCP Sequence Prediction: Class=random positive increments
>                          Difficulty=5320654 (Good luck!)
> IPID Sequence Generation: All zeros
>
> I can't find jack in any of the logs, and when I run ps -auwx, nothing 
> shows up as running.  Nmap and netstat are the only things that tell 
> me something is up that I can see... that and whatever is running 
> keeps killing samba off.  I'm sick and tired of these undernet.org 
> bastards using my server as their own personal irc playground, so if 
> anyone has any tips on how to shut this down and protect my box - I 
> would appreciate it.  If I can't run a linux box with only 2 ports open 
> to the outside world, I see that as a huge negative.
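An added example, not part of the quoted post or of the reply: the two checks Mike is doing by eye (reading netstat and nmap output) turned into a script that compares both against the only two ports the box is meant to expose, 80 and 53. It assumes a POSIX sh with awk; the netstat sample is constructed in `netstat -apn` format (the PID/Program column Dave recommends), the nmap port table is the one quoted above, and the function names flag_listeners / flag_scan are this example's own.

```shell
#!/bin/sh
# Added example, not from the original thread: compare what netstat and nmap
# show against the two ports the box is supposed to expose (80 and 53).
# Assumes POSIX sh + awk. The netstat sample below is constructed in
# `netstat -apn` format (PID/Program column on the right); the nmap sample
# is the port table from the quoted scan.

# flag_listeners "ALLOWED PORTS"   (netstat -apn output on stdin)
# Prints local address and PID/program of every TCP listener or bound UDP
# socket whose local port is not on the allow list. Established sessions
# are skipped; loopback binds are still reported, since an unexpected
# localhost listener is exactly what the quoted netstat shows on 51010.
flag_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^(tcp|udp)/ && ($6 == "LISTEN" || $1 ~ /^udp/) {
            port = $4; sub(/.*:/, "", port)        # port is after the last colon
            if (!(port in ok)) print $4, $NF
        }'
}

# flag_scan "ALLOWED PORTS"   (nmap port table on stdin)
# Prints every scanned port that is not closed and not on the allow list.
# "filtered" counts: a filtered port still has something bound behind it.
flag_scan() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 != "closed" {
            split($1, p, "/")
            if (!(p[1] in ok)) print $1, $2, $3
        }'
}

# Constructed netstat -apn sample: PIDs and program names are illustrative.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      612/httpd
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      598/named
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      544/sshd
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN      2231/unknown
tcp        0      0 127.0.0.1:51010         0.0.0.0:*               LISTEN      2231/unknown
tcp        0      0 127.0.0.1:51010         127.0.0.1:34232         ESTABLISHED 2231/unknown
udp        0      0 0.0.0.0:53              0.0.0.0:*                           598/named'

# Port table taken from the nmap run quoted above.
SAMPLE_NMAP='PORT     STATE    SERVICE
22/tcp   open     ssh
53/tcp   open     domain
80/tcp   open     http
111/tcp  open     rpcbind
139/tcp  open     netbios-ssn
443/tcp  open     https
6667/tcp filtered irc'

ALLOWED="80 53"

echo "== listeners outside the allow list (netstat -apn) =="
printf '%s\n' "$SAMPLE_NETSTAT" | flag_listeners "$ALLOWED"
echo "== ports outside the allow list (nmap) =="
printf '%s\n' "$SAMPLE_NMAP" | flag_scan "$ALLOWED"
```

On a live box replace the samples with `netstat -apn | flag_listeners "80 53"` and `nmap -sS host | flag_scan "80 53"`. The two views deliberately come from different places: nmap sees the host from the wire, netstat asks the kernel through a binary on the box, so a port that nmap reports but netstat does not is itself a strong hint that netstat has been replaced, which is the caveat in the reply above.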

