[CLUE-Tech] Hack information
Mike Staver
staver at fimble.com
Thu Jul 29 11:03:10 MDT 2004
I wanted to provide the list with some information about my RedHat 9
box, which just got hacked yesterday (from what I can tell). I noticed
a high amount of traffic spewing from my box, and I then noticed it was
smtp traffic. I figured that somebody's machine on a static ip that I
allow to relay mail through my server had been rooted, and mail was
getting relayed through my box as result. I couldn't have been more
wrong. After poking around using things like netstat, I discovered a
pretty complex spammer setup located on my very own server, all running
as root and smmsp. Using nmap, I see:
Initiating SYN Stealth Scan against fimble.com (127.0.0.1) at 11:00
Adding open port 3306/tcp
Adding open port 22/tcp
Adding open port 995/tcp
Adding open port 25/tcp
Adding open port 106/tcp
Adding open port 110/tcp
Adding open port 80/tcp
Adding open port 953/tcp
Adding open port 32775/tcp
Adding open port 53/tcp
Adding open port 21/tcp
Adding open port 143/tcp
Adding open port 783/tcp
Adding open port 139/tcp
Adding open port 23/tcp
The SYN Stealth Scan took 3 seconds to scan 1657 ports.
For OSScan assuming that port 21 is open and port 1 is closed and
neither are firewalled
Interesting ports on fimble.com (127.0.0.1):
(The 1642 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
106/tcp open pop3pw
110/tcp open pop-3
139/tcp open netbios-ssn
143/tcp open imap
783/tcp open hp-alarm-mgr
953/tcp open rndc
995/tcp open pop3s
3306/tcp open mysql
32775/tcp open sometimes-rpc13
I have no idea what port 32775 is, but from what I can tell, that's what
the spammer was listening on and sending his spam lists through to my
server on. Then sendmail was sending out a Citi Bank phishing email;
even after I had killed sendmail, it would restart itself. So, it's
gone beyond spamming now. We're into very illegal activity here. I
haven't reformatted the box yet, just firewalled off the ports that the
data was being fed through on. The local branch of the FBI has never
given a damn about hacks I've reported before, so I'm thinking I'll get
the same response this time... but this phishing email being sent out
concerns me. Now, not only will my box be possibly blacklisted as a
spamming relay, it could be confiscated by the authorities. I just
thought I'd let people know to look for similar things if you're still
running Red Hat 9. I will now wisely switch to something else, and
better firewall the server.
--
-Mike Staver
staver at fimble.com
mstaver at globaltaxnetwork.com
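As an added illustration (not the author's code), a small Python check of the kind a defender runs after seeing a table like the one in this post: it parses nmap's port table, compares it against a baseline of the services the admin knowingly runs, and reports listeners nobody configured (which here singles out 32775) plus plaintext or LAN-only services that belong behind a firewall. The baseline, the legacy-service list and the embedded sample are assumptions for the example.

```python
import re
from typing import NamedTuple

class OpenPort(NamedTuple):
    port: int
    proto: str
    service: str

# Constructed sample: the service table from the nmap run quoted in the post.
NMAP_OUTPUT = """\
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
106/tcp open pop3pw
110/tcp open pop-3
139/tcp open netbios-ssn
143/tcp open imap
783/tcp open hp-alarm-mgr
953/tcp open rndc
995/tcp open pop3s
3306/tcp open mysql
32775/tcp open sometimes-rpc13
"""

# Assumed baseline: every port the admin knowingly runs on this host.
KNOWN_PORTS = {21, 22, 23, 25, 53, 80, 106, 110, 139, 143, 783, 953, 995, 3306}
# Plaintext-login or LAN-only services that a firewall should keep off the Internet.
LEGACY_SERVICES = {"ftp", "telnet", "netbios-ssn"}
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)$")

def parse_nmap_ports(text):
    """Extract open ports from nmap's 'PORT STATE SERVICE' table."""
    matches = (PORT_LINE.match(line.strip()) for line in text.splitlines())
    return [OpenPort(int(m.group(1)), m.group(2), m.group(3)) for m in matches if m]

def audit_listeners(ports):
    """Split listeners into ones missing from the baseline and risky ones in it."""
    report = {"unexpected": [], "legacy": []}
    for p in ports:
        if p.port not in KNOWN_PORTS:
            # Nobody configured this listener (here 32775, which nmap can only
            # guess at); find its owning process with netstat -tlnp or lsof -i.
            report["unexpected"].append(p)
        elif p.service in LEGACY_SERVICES:
            report["legacy"].append(p)
    return report
```

In practice the baseline comes from the host's build documentation and the check runs from cron against a fresh `nmap localhost` scan, so a listener that appears between runs is noticed before the outbound traffic is.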