[CLUE-Tech] Hack information

Mike Staver staver at fimble.com
Thu Jul 29 11:03:10 MDT 2004


I wanted to provide the list with some information about my RedHat 9 
box, which just got hacked yesterday (from what I can tell).  I noticed 
a high amount of traffic spewing from my box, and I then noticed it was 
smtp traffic.  I figured that somebody's machine on a static ip that I 
allow to relay mail through my server had been rooted, and mail was 
getting relayed through my box as a result.  I couldn't have been more 
wrong. After poking around using things like netstat, I discovered a 
pretty complex spammer setup located on my very own server, all running 
as root and smmsp.  Using nmap, I see:

Initiating SYN Stealth Scan against fimble.com (127.0.0.1) at 11:00
Adding open port 3306/tcp
Adding open port 22/tcp
Adding open port 995/tcp
Adding open port 25/tcp
Adding open port 106/tcp
Adding open port 110/tcp
Adding open port 80/tcp
Adding open port 953/tcp
Adding open port 32775/tcp
Adding open port 53/tcp
Adding open port 21/tcp
Adding open port 143/tcp
Adding open port 783/tcp
Adding open port 139/tcp
Adding open port 23/tcp
The SYN Stealth Scan took 3 seconds to scan 1657 ports.
For OSScan assuming that port 21 is open and port 1 is closed and neither are firewalled
Interesting ports on fimble.com (127.0.0.1):
(The 1642 ports scanned but not shown below are in state: closed)
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
23/tcp    open  telnet
25/tcp    open  smtp
53/tcp    open  domain
80/tcp    open  http
106/tcp   open  pop3pw
110/tcp   open  pop-3
139/tcp   open  netbios-ssn
143/tcp   open  imap
783/tcp   open  hp-alarm-mgr
953/tcp   open  rndc
995/tcp   open  pop3s
3306/tcp  open  mysql
32775/tcp open  sometimes-rpc13

I have no idea what port 32775 is, but from what I can tell, that's what 
the spammer was listening on and feeding his spam lists through to my 
server.  Then sendmail was sending out a Citi Bank phishing email; even 
after I had killed sendmail, it would restart itself.  So it's gone 
beyond spamming now.  We're into very illegal activity here.  I haven't 
reformatted the box yet, just firewalled off the ports that the data was 
being fed through.  The local branch of the FBI has never given a damn 
about hacks I've reported before, so I'm thinking I'll get the same 
response this time... but this phishing email being sent out concerns 
me.  Now, not only will my box possibly be blacklisted as a spamming 
relay, it could be confiscated by the authorities.  I just thought I'd 
let people know to look for similar things if you're still running 
Red Hat 9.  I will now wisely switch to something else, and better 
firewall the server.
-- 

                                 -Mike Staver
                                  staver at fimble.com
                                  mstaver at globaltaxnetwork.com
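The triage step the post describes (spot a listener you cannot account for, then work out which process owns it) can be scripted so it is repeatable across a fleet. The helper below is an added example written for this page, not code from the original post or from its author. It parses the output of `netstat -tlnp` (Linux; the PID/Program column is only filled when run as root, which is why an unknown owner is itself reported) and compares every listening socket against a baseline of the services the admin expects on each port. The sample netstat output, the PIDs, the program names, the baseline and the 32775/110 listeners are all constructed for illustration and are not data from the real host.

```python
"""Flag listening TCP sockets that are not in a known-good baseline.

Added example (not from the original post).  Input format is that of
`netstat -tlnp` on Linux.  All sample data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of `netstat -tlnp` output resembling the box in the
# post.  PIDs and program names are assumptions, not captured data.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      812/mysqld
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      701/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      934/sendmail: accep
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1020/httpd
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      655/named
tcp        0      0 0.0.0.0:32775           0.0.0.0:*               LISTEN      4711/httpd
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      4712/httpd
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      600/xinetd
"""

# Baseline (assumed for this example): port -> program expected to own it.
# A port that is missing here, or owned by a different program, is reported.
BASELINE: Dict[int, str] = {
    22: "sshd", 23: "xinetd", 25: "sendmail", 80: "httpd",
    110: "xinetd", 953: "named", 3306: "mysqld",
}


@dataclass
class Listener:
    proto: str
    addr: str
    port: int
    pid: Optional[int]   # None when netstat printed "-" (not run as root)
    program: str         # raw program field, e.g. "sendmail: accep"

    def name(self) -> str:
        """Normalise the program field to its bare command name."""
        if self.program == "-":
            return "?"
        return self.program.split()[0].rstrip(":")


def parse_netstat(text: str) -> List[Listener]:
    """Return one Listener per LISTEN row of `netstat -tlnp` output."""
    listeners: List[Listener] = []
    for line in text.splitlines():
        # Split at most 6 times so a program name containing spaces
        # ("sendmail: accep") stays intact in the last field.
        parts = line.split(None, 6)
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue  # header, blank, or non-TCP row
        if parts[5] != "LISTEN":
            continue
        addr, port = parts[3].rsplit(":", 1)
        pidprog = parts[6] if len(parts) > 6 else "-"
        if pidprog == "-":
            pid: Optional[int] = None
            program = "-"
        else:
            pid_s, _, program = pidprog.partition("/")
            pid = int(pid_s)
        listeners.append(Listener(parts[0], addr, int(port), pid, program.strip()))
    return listeners


def unexpected_listeners(listeners: List[Listener],
                         baseline: Dict[int, str]) -> List[Tuple[Listener, str]]:
    """Pair each listener that deviates from the baseline with a reason."""
    findings: List[Tuple[Listener, str]] = []
    for lst in listeners:
        name = lst.name()
        if lst.port not in baseline:
            findings.append((lst, "port not in baseline"))
        elif name == "?":
            findings.append((lst, "owner unknown (re-run netstat as root)"))
        elif name != baseline[lst.port]:
            findings.append((lst, f"expected {baseline[lst.port]}, found {name}"))
    return findings


def report(text: str, baseline: Dict[int, str]) -> List[str]:
    """Human-readable lines, one per finding, ready to paste into a ticket."""
    out = []
    for lst, reason in unexpected_listeners(parse_netstat(text), baseline):
        pid = "?" if lst.pid is None else str(lst.pid)
        out.append(f"{lst.addr}:{lst.port} pid={pid} prog={lst.name()}: {reason}")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_NETSTAT, BASELINE):
        print(line)
```

On the constructed sample this reports the 32775 listener (a port the baseline knows nothing about) and the 110 listener (owned by something calling itself httpd instead of the expected xinetd). A program name is only what the process reports about itself, so the next step for each flagged PID is to check `/proc/<pid>/exe` and `/proc/<pid>/cwd` rather than trusting the name; a respawning daemon like the sendmail described in the post is usually found by following the parent PID from `/proc/<pid>/status` back to whatever keeps restarting it.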


