[CLUE-Tech] RE: CLUE-Tech digest, Vol 1 #1214 - 6 msgs

mcotton mcotton at mcotton.net
Mon Oct 13 13:25:10 MDT 2003


Mike,

This is my first comment to the list and I hope it helps.

I like RedHat a lot (along with other flavors of *nix), but when I learned how to build production webservers, the guys that showed me did not use the RPMs from RedHat.  I was taught to download the source from the main sites and compile them locally.  For example, the Apache version you listed, 2.0.40, is vulnerable, and the current version available from apache.org is 2.0.47.  This may be the 'sploit you are looking for.  This also goes for Bind, Samba and any other major production service software.  It does make it a bit more difficult to administrate, but you tend to stay more current than if you are relying on Up2Date to release the patches for install.

I am in the process of updating a few of my servers as well.  I hope this helps.

Mike

Mike Cotton  

-----Original Message-----
From: clue-tech-request at clue.denver.co.us
[mailto:clue-tech-request at clue.denver.co.us]
Sent: Monday, October 13, 2003 12:00 PM
To: clue-tech at clue.denver.co.us
Subject: CLUE-Tech digest, Vol 1 #1214 - 6 msgs


Send CLUE-Tech mailing list submissions to
	clue-tech at clue.denver.co.us

To subscribe or unsubscribe via the World Wide Web, visit
	http://clue.denver.co.us/mailman/listinfo/clue-tech
or, via email, send a message with subject or body 'help' to
	clue-tech-request at clue.denver.co.us

You can reach the person managing the list at
	clue-tech-admin at clue.denver.co.us

When replying, please edit your Subject line so it is more specific
than "Re: Contents of CLUE-Tech digest..."


Today's Topics:

   1. Re: network issues (Adam Bultman)
   2. RE: network issues (Casagrande, Steve)
   3. Re: network issues (Mike Staver)
   4. Re: network issues (Kevin Fenzi)
   5. Re: network issues (Mike Staver)
   6. Re: network issues (Mike Staver)

--__--__--

Message: 1
Date: Mon, 13 Oct 2003 13:51:18 -0400 (EDT)
From: Adam Bultman <adamb at glaven.org>
To: CLUE LUG <clue-tech at clue.denver.co.us>
Subject: Re: [CLUE-Tech] network issues
Reply-To: clue-tech at clue.denver.co.us

Mike, can you give us an IP address, so we can scan it ourselves?

Are you running any IDS: Be it network or filesystem-based?

What DNS server are you running (and why are you running a DNS Server 
again?)  What version is it?  

What apache server is it? Which modules?

Would you also be averse to people logging in and checking it out from a 
filesystem point of view? 



-- 
adamb at glaven.org
[ www.glaven.org ]

On Mon, 13 Oct 2003, Mike Staver wrote:

> There HAS to be a security exploit for Red Hat 9 that Red Hat isn't 
> letting onto the public about yet... the reason I say this is that my 
> same linux box keeps getting hacked over and over and over again, no 
> matter what I do to stop it.  I only have 2 ports open to it, 80 and 53. 
>   Other than that, it's completely cut off from the outside world... the 
> security issue has to be with one of those two things.  And yes, I'm 
> running the very latest rpms from Red Hat immediately after installing, 
> no joke.  I've changed all the passwords on the box, and checked and 
> double checked things time and time again.  I completely rebuilt this 
> box last week, and at some point over the weekend, it got compromised 
> again.  When I run netstat now, it says:
> 
> [root at timmy staver]# netstat -a | more
> Active Internet connections (including servers)
> Proto Recv-Q Send-Q Local Address           Foreign Address 
> State
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34232 
> ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34233 
> ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34234 
> ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34235 
> ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34236 
> ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34224 
> ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34225 
> ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34226 
> ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34227 
> ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34228 
> ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34229 
> ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34230 
> ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34231 
> ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34216 
> ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34217 
> ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34218 
> ESTABLISHED
> tcp        0      0 timmy.globa:netbios-ssn tim.globaltaxnetwo:1469 
> ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34219 
> ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34220 
> ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34221 
> ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34222 
> ESTABLISHED
> tcp        0      0 timmy.globaltaxnetw:ssh mike.globaltaxnetw:1839 
> ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34223 
> ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34213 
> ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34214 
> ESTABLISHED
> tcp        0      0 localhost.localdo:51010 localhost.localdo:34215 
> ESTABLISHED
> tcp        0      0 timmy.globa:netbios-ssn mike.globaltaxnetw:1876 
> ESTABLISHED
> tcp        0      0 localhost.localdo:34236 localhost.localdo:51010 
> ESTABLISHED
> tcp        0      0 localhost.localdo:34235 localhost.localdo:51010 
> ESTABLISHED
> tcp        0      0 localhost.localdo:34234 localhost.localdo:51010 
> ESTABLISHED
> tcp        0      0 localhost.localdo:34233 localhost.localdo:51010 
> ESTABLISHED
> tcp        0      0 localhost.localdo:34232 localhost.localdo:51010 
> ESTABLISHED
> tcp        0      0 localhost.localdo:34231 localhost.localdo:51010 
> ESTABLISHED
> tcp        0      0 localhost.localdo:34230 localhost.localdo:51010 
> ESTABLISHED
> tcp        0      0 localhost.localdo:34229 localhost.localdo:51010 
> ESTABLISHED
> tcp        0      0 localhost.localdo:34228 localhost.localdo:51010 
> ESTABLISHED
> tcp        0      0 localhost.localdo:34227 localhost.localdo:51010 
> ESTABLISHED
> tcp        0      0 localhost.localdo:34226 localhost.localdo:51010 
> ESTABLISHED
> tcp        0      0 localhost.localdo:34225 localhost.localdo:51010 
> ESTABLISHED
> tcp        0      0 localhost.localdo:34224 localhost.localdo:51010 
> ESTABLISHED
> tcp        0      0 localhost.localdo:34223 localhost.localdo:51010 
> ESTABLISHED
> tcp        0      0 localhost.localdo:34222 localhost.localdo:51010 
> ESTABLISHED
> tcp        0      0 localhost.localdo:34221 localhost.localdo:51010 
> ESTABLISHED
> tcp        0      0 localhost.localdo:34220 localhost.localdo:51010 
> ESTABLISHED
> tcp        0      0 localhost.localdo:34219 localhost.localdo:51010 
> ESTABLISHED
> tcp        0      0 localhost.localdo:34218 localhost.localdo:51010 
> ESTABLISHED
> tcp        0      0 localhost.localdo:34217 localhost.localdo:51010 
> ESTABLISHED
> tcp        0      0 localhost.localdo:34216 localhost.localdo:51010 
> ESTABLISHED
> tcp        0      0 localhost.localdo:34215 localhost.localdo:51010 
> ESTABLISHED
> tcp        0      0 localhost.localdo:34214 localhost.localdo:51010 
> ESTABLISHED
> tcp        0      0 localhost.localdo:34213 localhost.localdo:51010 
> ESTABLISHED
> 
> Also, when I run nmap against it, it now magically has 6667 open - 
> however it's being blocked from the outside world, so nobody would be 
> able to use it anyways... so I'm perplexed as to how this keeps happening....
> 
> Starting nmap 3.45 ( http://www.insecure.org/nmap/ ) at 2003-10-13 10:59 MDT
> Host token (XX.XX.XX.XX) appears to be up ... good.
> Initiating SYN Stealth Scan against token (XX.XX.XX.XX) at 10:59
> Adding open port 443/tcp
> Adding open port 111/tcp
> Adding open port 22/tcp
> Adding open port 139/tcp
> Adding open port 80/tcp
> Adding open port 53/tcp
> The SYN Stealth Scan took 0 seconds to scan 1657 ports.
> For OSScan assuming that port 22 is open and port 1 is closed and 
> neither are firewalled
> Interesting ports on token.globaltaxnetwork.com (XX.XX.XX.XX):
> (The 1650 ports scanned but not shown below are in state: closed)
> PORT     STATE    SERVICE
> 22/tcp   open     ssh
> 53/tcp   open     domain
> 80/tcp   open     http
> 111/tcp  open     rpcbind
> 139/tcp  open     netbios-ssn
> 443/tcp  open     https
> 6667/tcp filtered irc
> Device type: general purpose
> Running: Linux 2.4.X|2.5.X
> OS details: Linux Kernel 2.4.0 - 2.5.20
> Uptime 11.918 days (since Wed Oct  1 12:57:51 2003)
> TCP Sequence Prediction: Class=random positive increments
>                           Difficulty=5320654 (Good luck!)
> IPID Sequence Generation: All zeros
> 
> I can't find jack in any of the logs, and when I run ps -auwx, nothing 
> shows up as running.  Nmap and netstat are the only things that tell me 
> something is up that I can see... that and whatever is running keeps 
> killing samba off.  I'm sick and tired of these undernet.org bastards 
> using my server as their own personal irc playground, so if anyone has any 
> tips on how to shut this down and protect my box - I would appreciate 
> it.  If I can't run a linux box with only 2 ports open to the outside 
> world, I see that as a huge negative.
> 
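The `netstat -a` listing quoted above is the kind of evidence that survives even when a trojaned `ps` hides the process behind it: a cluster of loopback connections all terminating on one high port is a local service nobody installed. The following script is an added example, not code from the thread or from any tool mentioned in it. It parses `netstat -a` text and reports ports that are listening, or holding established connections from several peers, outside an allowlist of the services the host is supposed to offer. The allowlist and the sample output are assumptions; the sample is constructed to resemble the quoted output (resolved host and service names, a fan-in of loopback connections to port 51010).

```python
"""Parse `netstat -a` text and flag local ports that are listening or
serving connections outside an allowlist of expected services.

Added example, not code from the CLUE-Tech thread. The allowlist and the
sample output are assumptions; the sample is constructed to resemble the
output quoted in the thread."""
import re
from collections import defaultdict

# Services this host is supposed to expose (assumption for the example).
# netstat prints /etc/services names when it can, so list names and numbers.
EXPECTED_LOCAL = {"ssh", "22", "domain", "53", "http", "80", "https", "443",
                  "netbios-ssn", "139", "sunrpc", "111"}

LOOPBACK_PREFIXES = ("localhost", "127.")

# proto  recv-q  send-q  local  foreign  [state]   (state is absent for udp)
LINE_RE = re.compile(r"^(tcp|udp)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)(?:\s+(\S+))?$")


def split_endpoint(endpoint):
    """'localhost.localdo:51010' -> ('localhost.localdo', '51010')."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netstat(text):
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, unix-domain sockets, wrapped fragments
        proto, _recvq, _sendq, local, foreign, state = m.groups()
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        rows.append({"proto": proto, "local_host": lhost, "local_port": lport,
                     "foreign_host": fhost, "foreign_port": fport,
                     "state": state or ""})
    return rows


def unexpected_listeners(rows, expected=EXPECTED_LOCAL):
    """LISTEN sockets on ports outside the allowlist."""
    return sorted({(r["proto"], r["local_port"]) for r in rows
                   if r["state"] == "LISTEN" and r["local_port"] not in expected})


def unexpected_servers(rows, expected=EXPECTED_LOCAL, min_peers=2):
    """A local port holding ESTABLISHED connections from several distinct
    peers is acting as a server. Report such ports outside the allowlist,
    with the peer count and how many of the peers are loopback: a local
    relay shows up here even when a trojaned ps hides the process."""
    peers = defaultdict(set)
    for r in rows:
        if r["state"] == "ESTABLISHED":
            peers[(r["proto"], r["local_port"])].add((r["foreign_host"], r["foreign_port"]))
    report = {}
    for key, ps in peers.items():
        if len(ps) >= min_peers and key[1] not in expected:
            loop = sum(1 for host, _ in ps if host.startswith(LOOPBACK_PREFIXES))
            report[key] = {"peers": len(ps), "loopback_peers": loop}
    return report


# Constructed sample in the format of `netstat -a` on a 2003-era Red Hat box.
SAMPLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:http                  *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 localhost.localdo:51010 *:*                     LISTEN
tcp        0      0 localhost.localdo:51010 localhost.localdo:34232 ESTABLISHED
tcp        0      0 localhost.localdo:51010 localhost.localdo:34233 ESTABLISHED
tcp        0      0 localhost.localdo:51010 localhost.localdo:34234 ESTABLISHED
tcp        0      0 web.example:ssh         admin.example:1839      ESTABLISHED
tcp        0      0 localhost.localdo:34232 localhost.localdo:51010 ESTABLISHED
tcp        0      0 localhost.localdo:34233 localhost.localdo:51010 ESTABLISHED
tcp        0      0 localhost.localdo:34234 localhost.localdo:51010 ESTABLISHED
udp        0      0 *:domain                *:*
"""

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE)
    print("unexpected listeners:", unexpected_listeners(rows))
    print("unexpected servers:", unexpected_servers(rows))
```

On the sample this reports `tcp/51010` both as an unexpected listener and as a server with three loopback peers; the ephemeral 342xx ports each have a single peer and are ignored as client ends. Run it against `netstat -an` (numeric) if name resolution is slow or suspect, and remember that netstat itself can be trojaned, so treat the output as a lead, not proof.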

--__--__--

Message: 2
From: "Casagrande, Steve" <Steve.Casagrande at echostar.com>
To: "'clue-tech at clue.denver.co.us'" <clue-tech at clue.denver.co.us>
Subject: RE: [CLUE-Tech] network issues
Date: Mon, 13 Oct 2003 12:00:42 -0600
Reply-To: clue-tech at clue.denver.co.us

> There HAS to be a security exploit for Red Hat 9 that Red Hat isn't 
> letting onto the public about yet... the reason I say this is that my 
> same linux box keeps getting hacked over and over and over again, no 
> matter what I do to stop it.  I only have 2 ports open to it, 80 and 53. 

Perhaps a rootkit has been installed previously, and your ps/netstat/etc
were replaced with hacked versions?  Either reinstall or compare binary
checksums with known (good) versions.

Steve Casagrande
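Steve's advice, comparing binary checksums with known-good versions, is the step that distinguishes a rootkit from a service exploit. The script below is an added example, not code from the thread: it builds a SHA-256 manifest of a watched set of binaries from a trusted tree, writes it in `sha256sum`-compatible form, and verifies a suspect tree against it. The watched paths and the two throwaway directory trees are constructed for the demonstration; on a real box the manifest must come from the original media or a clean install, and the check must run from rescue media, since a rootkit that replaced `ps` and `netstat` can replace the hashing tools too.

```python
"""Build and verify a SHA-256 baseline of system binaries.

Added example, not code from the CLUE-Tech thread. WATCHED and the demo
directory trees are constructed; real use takes the manifest from trusted
media and runs the check from a rescue environment."""
import hashlib
import os
import tempfile

# Binaries a rootkit typically replaces (relative to the filesystem root).
WATCHED = ["bin/ps", "bin/netstat", "bin/ls", "bin/login", "sbin/ifconfig"]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, relpaths):
    """{relative path: sha256} for every watched file under a trusted root."""
    return {rel: sha256_file(os.path.join(root, rel)) for rel in relpaths}


def dump_manifest(manifest):
    """'hash  path' lines, the format GNU `sha256sum -c` also accepts."""
    return "".join(f"{h}  {p}\n" for p, h in sorted(manifest.items()))


def load_manifest(text):
    manifest = {}
    for line in text.splitlines():
        if line.strip():
            h, p = line.split("  ", 1)
            manifest[p] = h
    return manifest


def verify(root, manifest):
    """Return {path: 'ok' | 'MODIFIED' | 'MISSING'} for a suspect root."""
    result = {}
    for rel, expected in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            result[rel] = "MISSING"
        elif sha256_file(full) != expected:
            result[rel] = "MODIFIED"
        else:
            result[rel] = "ok"
    return result


def demo():
    """Constructed scenario: a known-good tree and a suspect tree where ps was
    replaced and netstat removed. Returns the verification report."""
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as suspect:
        for root in (good, suspect):
            os.makedirs(os.path.join(root, "bin"))
            os.makedirs(os.path.join(root, "sbin"))
            for rel in WATCHED:
                with open(os.path.join(root, rel), "wb") as f:
                    f.write(b"stand-in for " + rel.encode())  # placeholder content
        # simulate a trojaned ps and a deleted netstat on the suspect host
        with open(os.path.join(suspect, "bin/ps"), "ab") as f:
            f.write(b"\x00extra-bytes")
        os.remove(os.path.join(suspect, "bin/netstat"))
        # round-trip through the text format, as a stored manifest would be
        manifest = load_manifest(dump_manifest(build_manifest(good, WATCHED)))
        return verify(suspect, manifest)


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:9s} {path}")
```

Store the manifest off the box (or on read-only media), because a manifest the intruder can rewrite proves nothing. Kernel-level rootkits can also lie to a userland checker about file contents, which is why the comparison belongs on a booted rescue system with the suspect disk mounted, not on the running host.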


--__--__--

Message: 3
Date: Mon, 13 Oct 2003 12:04:17 -0600
From: Mike Staver <staver at fimble.com>
To: clue-tech at clue.denver.co.us
Subject: Re: [CLUE-Tech] network issues
Reply-To: clue-tech at clue.denver.co.us


Adam Bultman wrote:

> Mike, can you give us an IP address, so we can scan it ourselves?

64.242.89.12
64.242.89.14
64.242.89.16

> 
> Are you running any IDS: Be it network or filesystem-based?

No, I'm not running an IDS at this point - I recently purchased a book 
on Snort, and have been trying to get through it ASAP, because obviously 
I need it.

> 
> What DNS server are you running (and why are you running a DNS Server 
> again?)  What version is it?  

I'm running Bind, the version that comes with Red Hat 9.  I need to run 
DNS to host the domain names my company owns.


> What apache server is it? Which modules?

Server Version: Apache/2.0.40 (Red Hat Linux)

No extra modules, besides the SSL stuff and Cold Fusion MX 6.1, their 
latest version.  I have all the CF studio connectivity turned off, so 
it's strictly listening on 80 and no high ports.

> 
> Would you also be averse to people logging in and checking it out from a 
> filesystem point of view? 

No, if you would like to help me solve this, it would be greatly 
appreciated.

I'm very concerned by this.

-- 

                                 -Mike Staver
                                  staver at fimble.com
                                  mstaver at globaltaxnetwork.com


--__--__--

Message: 4
Date: Mon, 13 Oct 2003 12:06:49 -0600
From: Kevin Fenzi <kevin at scrye.com>
To: clue-tech at clue.denver.co.us
Subject: Re: [CLUE-Tech] network issues
Reply-To: clue-tech at clue.denver.co.us

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>>>>> "Mike" == Mike Staver <staver at fimble.com> writes:

Mike> There HAS to be a security exploit for Red Hat 9 that Red Hat
Mike> isn't letting onto the public about yet... 

Or perhaps there is a new exploit in the wild they don't know about
yet? 

Mike> the reason I say this
Mike> is that my same linux box keeps getting hacked over and over and
Mike> over again, no matter what I do to stop it.  I only have 2
Mike> ports open to it, 80 and 53. Other than that, it's completely
Mike> cut off from the outside world... the security issue has to be
Mike> with one of those two things.  And yes, I'm running the very
Mike> latest rpms from Red Hat immediately after installing, no joke.
Mike> I've changed all the passwords on the box, and checked and
Mike> double checked things time and time again.  I completely rebuilt
Mike> this box last week, and at some point over the weekend, it got
Mike> compromised again.  When I run netstat now, it says:

So you totally re-installed it with a new install, applied all the
update rpms and made sure it was using different passwords than before?

Mike> ...snipp...

Mike> Also, when I run nmap against it, it now magically has 6667 open
Mike> - however it's being blocked from the outside world, so nobody
Mike> would be able to use it anyways... so I'm perplexed as to how this
Mike> keeps happening....

Could anything have been copied over with your data when you
re-installed the machine? Could be a cgi or other web vulnerability? 

Mike> ...snipp...

Mike> 111/tcp  open     rpcbind

portmap running? portmap is pretty insecure. Although you said you
have that blocked off from the outside?

Mike> I can't find jack in any of the logs, and when I run ps -auwx,
Mike> nothing shows up as running.  Nmap and netstat are the only
Mike> things that tell me something is up that I can see... that and
Mike> whatever is running keeps killing samba off.  I'm sick and tired
Mike> of these undernet.org bastards using my server as their own
Mike> personal irc playground, so if anyone has any tips on how to shut
Mike> this down and protect my box - I would appreciate it.  If I
Mike> can't run a linux box with only 2 ports open to the outside world,
Mike> I see that as a huge negative. 

You might try doing an 'rpm -Va'; that should show you any modified
files from the rpm database. Of course if they modified the rpm
database or the rpm command then you are out of luck there. 

I would guess: 

- - something in your data you restored after re-installing is allowing
them to recompromise you via http or dns. 

- - Some new exploit against those 2 services. 

- - They are attacking from another machine inside your network,
bypassing your firewall. 

I would say your best bet is to get a new machine, install it. Apply
all updates. Copy data over to it from the old machine and check it
for any backdoors, etc... 

Mike>                                  -Mike Staver staver at fimble.com
Mike> mstaver at globaltaxnetwork.com

kevin
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.8 <http://mailcrypt.sourceforge.net/>

iD8DBQE/ium73imCezTjY0ERAiMxAJ9/JkZCOy2oSo/VGbyOlCriGx4UPwCfaCi5
Snj0XWs8LbysiLpOxlZxEnI=
=73hO
-----END PGP SIGNATURE-----
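Kevin's `rpm -Va` suggestion produces a long listing in which edited config files, documentation with a fresh mtime, and replaced binaries all look alike at a glance. The triage script below is an added example, not code from the thread or from rpm: it parses rpm's verify format (an eight-character attribute string or `missing`, an optional file-type marker such as `c` for config, then the path) and ranks each line, so that checksum, size, mode or ownership changes to non-config files and missing package files come out on top. The sample output and its paths are constructed for the demonstration.

```python
"""Triage `rpm -Va` output: separate expected config edits from content or
identity changes to package-owned files.

Added example, not code from the CLUE-Tech thread. The sample output is
constructed in rpm's verify format; its paths are illustrative."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity path flags marker reason")

# rpm verify attribute letters ('.' = test passed, '?' = test not possible)
FLAG_NAMES = {"S": "size", "M": "mode", "5": "checksum", "D": "device",
              "L": "symlink", "U": "owner", "G": "group", "T": "mtime"}
# changes that alter what a file is or does, as opposed to when it was touched
IDENTITY = {"size", "mode", "checksum", "device", "symlink", "owner", "group"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}

LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9}|missing)\s+(?:(?P<marker>[cdglr])\s+)?(?P<path>/\S.*)$")


def parse_rpm_va(text):
    """Return (flags, marker, path) tuples; lines that do not parse are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if m:
            entries.append((m["flags"], m["marker"] or "", m["path"]))
    return entries


def classify(flags, marker, path):
    """Map one verify line to (severity, reason)."""
    if flags == "missing":
        return "high", "package file missing"
    changed = {FLAG_NAMES[c] for c in flags if c in FLAG_NAMES}
    if marker == "c":
        # config files are expected to differ from the packaged copy
        return "info", "config file edited (" + ", ".join(sorted(changed)) + ")"
    if changed & IDENTITY:
        return "high", "content or identity changed (" + ", ".join(sorted(changed & IDENTITY)) + ")"
    if "?" in flags:
        return "medium", "some verify tests could not be performed"
    if changed:
        return "low", "mtime only"
    return "info", "verified"


def report(text):
    """Findings sorted most severe first, then by path."""
    findings = []
    for flags, marker, path in parse_rpm_va(text):
        severity, reason = classify(flags, marker, path)
        findings.append(Finding(severity, path, flags, marker, reason))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.path))


# Constructed sample of `rpm -Va` output (paths are illustrative).
SAMPLE = """\
S.5....T  c /etc/named.conf
S.5....T    /bin/ps
S.5....T    /bin/netstat
.......T    /usr/share/doc/bind/README
missing     /usr/bin/lsof
.M......    /usr/sbin/named
..?.....    /usr/lib/libexample.so
"""

if __name__ == "__main__":
    for f in report(SAMPLE):
        print(f"{f.severity:6s} {f.flags:8s} {f.marker or '-'} {f.path}: {f.reason}")
```

The check is only as good as the rpm database and the `rpm` binary, which is Kevin's caveat: an intruder who rewrote `/var/lib/rpm` or `rpm` itself makes every line read clean. Running the verify from a rescue system against the mounted disk (`rpm --root` pointed at the mount) sidesteps a trojaned `rpm` but not a rewritten database, so a clean result still deserves the checksum comparison against known-good media.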

--__--__--

Message: 5
Date: Mon, 13 Oct 2003 12:07:52 -0600
From: Mike Staver <staver at fimble.com>
To: clue-tech at clue.denver.co.us
Subject: Re: [CLUE-Tech] network issues
Reply-To: clue-tech at clue.denver.co.us



Casagrande, Steve wrote:
>>There HAS to be a security exploit for Red Hat 9 that Red Hat isn't 
>>letting onto the public about yet... the reason I say this is that my 
>>same linux box keeps getting hacked over and over and over again, no 
>>matter what I do to stop it.  I only have 2 ports open to it, 80 and 53. 
> 
> 
> Perhaps a rootkit has been installed previously, and your ps/netstat/etc
> were replaced with hacked versions?  Either reinstall or compare binary
> checksums with known (good) versions.
> 
> Steve Casagrande

Yeah, I figured a root kit was installed, so this is my 4th complete 
reinstall from scratch - and it happens again and again, even with a 
completely fresh install and formatting of the drives.  All I do is 
copy over my named config files and my html code.  Then, after a few 
days, I'm rooted again.  Very depressing.
-- 

                                 -Mike Staver
                                  staver at fimble.com
                                  mstaver at globaltaxnetwork.com


--__--__--

Message: 6
Date: Mon, 13 Oct 2003 12:23:00 -0600
From: Mike Staver <staver at fimble.com>
To: clue-tech at clue.denver.co.us
Subject: Re: [CLUE-Tech] network issues
Reply-To: clue-tech at clue.denver.co.us



Kevin Fenzi wrote:

> Mike> There HAS to be a security exploit for Red Hat 9 that Red Hat
> Mike> isn't letting onto the public about yet... 
> 
> Or perhaps there is a new exploit in the wild they don't know about
> yet? 

Yeah - but I would have to think they know about it, this has been going 
on for me for the last several months non stop.  I even left this 
machine off the network for 3 weeks before I rebuilt it this last time, 
and after a few days of uptime, the punks from undernet.org struck 
again.  I even contacted the Denver FBI office the first 2 times, and 
they ignored me because I didn't have any credit card information stored 
on the box.

> 
> Mike> the reason I say this
> Mike> is that my same linux box keeps getting hacked over and over and
> Mike> over again, no matter what I do to stop it.  I only have 2
> Mike> ports open to it, 80 and 53. Other than that, it's completely
> Mike> cut off from the outside world... the security issue has to be
> Mike> with one of those two things.  And yes, I'm running the very
> Mike> latest rpms from Red Hat immediately after installing, no joke.
> Mike> I've changed all the passwords on the box, and checked and
> Mike> double checked things time and time again.  I completely rebuilt
> Mike> this box last week, and at some point over the weekend, it got
> Mike> compromised again.  When I run netstat now, it says:
> 
> So you totally re-installed it with a new install, applied all the
> update rpms and made sure it was using different passwords than before?
> 

Yep, it's driving me crazy.

> 
> Mike> Also, when I run nmap against it, it now magically has 6667 open
> Mike> - however it's being blocked from the outside world, so nobody
> Mike> would be able to use it anyways... so I'm perplexed as to how this
> Mike> keeps happening....
> 
> Could anything have been copied over with your data when you
> re-installed the machine? Could be a cgi or other web vulnerability? 

I'm only copying over my html code and my cfm code, no cgi stuff... so 
if there is a hole in it, I can't think of one.  None of my code 
interacts with the system, just a database server on another machine 
through odbc via cold fusion mx.

> 
> Mike> ...snipp...
> 
> Mike> 111/tcp  open     rpcbind
> 
> portmap running? portmap is pretty insecure. Although you said you
> have that blocked off from the outside?

Yeah, I do have it blocked off from the outside... what is that service 
exactly, and would I need it for anything?  I've never shut it off 
because I assumed it was something I needed.

-- 

                                 -Mike Staver
                                  staver at fimble.com
                                  mstaver at globaltaxnetwork.com



--__--__--

_______________________________________________
CLUE-Tech mailing list
Post messages to: CLUE-Tech at clue.denver.co.us
Unsubscribe or manage your options: http://clue.denver.co.us/mailman/listinfo/clue-tech

End of CLUE-Tech Digest


