[CLUE-Tech] Re: CLUE-Tech digest, Vol 1 #1519 - 5 msgs

JD. Brown brownstixzz at yahoo.com
Thu Jul 29 13:48:09 MDT 2004


I also have a question: what type of services were you running? Did you turn off unneeded ports?

Just curious.

JD
--- clue-tech-request at clue.denver.co.us wrote:

> Send CLUE-Tech mailing list submissions to
> 	clue-tech at clue.denver.co.us
> 
> To subscribe or unsubscribe via the World Wide Web, visit
> 	http://clue.denver.co.us/mailman/listinfo/clue-tech
> or, via email, send a message with subject or body 'help' to
> 	clue-tech-request at clue.denver.co.us
> 
> You can reach the person managing the list at
> 	clue-tech-admin at clue.denver.co.us
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of CLUE-Tech digest..."
> 
> 
> Today's Topics:
> 
>    1. Hack information (Mike Staver)
>    2. Re: Hack information (Angelo Bertolli)
>    3. Re: Hack information (Chris Schock)
>    4. Auto blocking hosts w/ iptables (Hani Duwaik)
>    5. Re: Hack information (Jeff Falgout)
> 
> --__--__--
> 
> Message: 1
> Date: Thu, 29 Jul 2004 11:03:10 -0600
> From: Mike Staver <staver at fimble.com>
> To: CLUE LUG <clue-tech at clue.denver.co.us>
> Subject: [CLUE-Tech] Hack information
> Reply-To: clue-tech at clue.denver.co.us
> 
> I wanted to provide the list with some information about my RedHat 9 
> box, which just got hacked yesterday (from what I can tell).  I noticed 
> a high amount of traffic spewing from my box, and I then noticed it was 
> smtp traffic.  I figured that somebody's machine on a static ip that I 
> allow to relay mail through my server had been rooted, and mail was 
> getting relayed through my box as a result.  I couldn't have been more 
> wrong. After poking around using things like netstat, I discovered a 
> pretty complex spammer setup located on my very own server, all running 
> as root and smmsp.  Using nmap, I see:
> 
> Initiating SYN Stealth Scan against fimble.com (127.0.0.1) at 11:00
> Adding open port 3306/tcp
> Adding open port 22/tcp
> Adding open port 995/tcp
> Adding open port 25/tcp
> Adding open port 106/tcp
> Adding open port 110/tcp
> Adding open port 80/tcp
> Adding open port 953/tcp
> Adding open port 32775/tcp
> Adding open port 53/tcp
> Adding open port 21/tcp
> Adding open port 143/tcp
> Adding open port 783/tcp
> Adding open port 139/tcp
> Adding open port 23/tcp
> The SYN Stealth Scan took 3 seconds to scan 1657 ports.
> For OSScan assuming that port 21 is open and port 1 is closed and 
> neither are firewalled
> Interesting ports on fimble.com (127.0.0.1):
> (The 1642 ports scanned but not shown below are in state: closed)
> PORT      STATE SERVICE
> 21/tcp    open  ftp
> 22/tcp    open  ssh
> 23/tcp    open  telnet
> 25/tcp    open  smtp
> 53/tcp    open  domain
> 80/tcp    open  http
> 106/tcp   open  pop3pw
> 110/tcp   open  pop-3
> 139/tcp   open  netbios-ssn
> 143/tcp   open  imap
> 783/tcp   open  hp-alarm-mgr
> 953/tcp   open  rndc
> 995/tcp   open  pop3s
> 3306/tcp  open  mysql
> 32775/tcp open  sometimes-rpc13
> 
> I have no idea what port 32775 is, but from what I can tell, that's what 
> the spammer was listening on and sending his spam lists through to my 
> server on. Then, sendmail was sending out a Citi Bank phishing email, 
> even after I had killed sendmail, it would restart itself.  So, it's 
> gone beyond spamming now.  We're into very illegal activity here.  I 
> haven't reformatted the box yet, just firewalled off the ports that the 
> data was being fed through on.  The local branch of the FBI has never 
> given a damn about hacks I've reported before, so I'm thinking I'll get 
> the same response this time... but this phishing email being sent out 
> concerns me.  Now, not only will my box be possibly blacklisted as a 
> spamming relay, it could be confiscated by the authorities.  I just 
> thought I'd let people know to look for similar things if you're still 
> running Red Hat 9.  I will now wisely switch to something else, and 
> better firewall the server.
> -- 
> 
>                                  -Mike Staver
>                                   staver at fimble.com
>                                   mstaver at globaltaxnetwork.com
> 
> --__--__--
> 
> Message: 2
> Date: Thu, 29 Jul 2004 13:13:34 -0400
> From: Angelo Bertolli <angelo at freeshell.org>
> To: clue-tech at clue.denver.co.us
> Subject: Re: [CLUE-Tech] Hack information
> Reply-To: clue-tech at clue.denver.co.us
> 
> 
> > I have no idea what port 32775 is, but from what I can tell, that's 
> > what the spammer was listening on and sending his spam lists through 
> > to my server on. Then, sendmail was sending out a Citi Bank phishing 
> > email, even after I had killed sendmail, it would restart itself.  So, 
> > it's gone beyond spamming now.  We're into very illegal activity 
> > here.  I haven't reformatted the box yet, just firewalled off the ports 
> > that the data was being fed through on.  The local branch of the FBI 
> > has never given a damn about hacks I've reported before, so I'm 
> > thinking I'll get the same response this time... but this phishing 
> > email being sent out concerns me.  Now, not only will my box be 
> > possibly blacklisted as a spamming relay, it could be confiscated by 
> > the authorities.  I just thought I'd let people know to look for 
> > similar things if you're still running Red Hat 9.  I will now wisely 
> > switch to something else, and better firewall the server.
> 
> 
> I think it's more risky to run a "personal box" also as a server (if 
> that's what you're doing).  I've decided the safest way to go is to have 
> a separate box for each service you want to provide, if possible, and 
> then just strip down or firewall off everything else (removing those 
> packages is safer).  For example for a mail server, I leave smtp and pop 
> open, but certainly don't allow ftp access, etc.  This sort of thing is 
> probably even worse if the machine also happens to be your own personal 
> computer.
> 
> 
> --__--__--
> 
> Message: 3
> Date: Thu, 29 Jul 2004 11:43:25 -0600 (MDT)
> Subject: Re: [CLUE-Tech] Hack information
> From: "Chris Schock" <black at clapthreetimes.com>
> To: clue-tech at clue.denver.co.us
> Reply-To: clue-tech at clue.denver.co.us
> 
> > I have no idea what port 32775 is, but from what I can tell, that's what
> > the spammer was listening on and sending his spam lists through to my
> > server on. Then, sendmail was sending out a Citi Bank phishing email,
> > even after I had killed sendmail, it would restart itself.  So, it's
> > gone beyond spamming now.  We're into very illegal activity here.  I
> > haven't reformatted the box yet, just firewalled off the ports that the
> > data was being fed through on.  The local branch of the FBI has never
> > given a damn about hacks I've reported before, so I'm thinking I'll get
> > the same response this time... but this phishing email being sent out
> > concerns me.  Now, not only will my box be possibly blacklisted as a
> > spamming relay, it could be confiscated by the authorities.  I just
> > thought I'd let people know to look for similar things if you're still
> > running Red Hat 9.  I will now wisely switch to something else, and
> > better firewall the server.
> 
> Just curious, you did patch the box, right? You never mentioned it.
> 
> 
> --__--__--
> 
> Message: 4
> Date: Thu, 29 Jul 2004 10:47:57 -0700 (PDT)
> From: Hani Duwaik <hduwaik at yahoo.com>
> To: clue-tech at clue.denver.co.us
> Subject: [CLUE-Tech] Auto blocking hosts w/ iptables
> Reply-To: clue-tech at clue.denver.co.us
> 
> Hello,
> 
> I'm looking for information regarding either of the following:
> 
> 1) A tool (script, application, module) that will monitor apache log
> files, detect attacks, and create an iptables rule to block traffic
> from offending hosts.
> 
> 2) A tool (or complete solution) that will take IDS logs and perform
> the same operation with iptables as described above.
> 
> I'm running gentoo linux and have a personal website I am using.  In
> the few days I've had it up, I've noticed several compromise attempts
> (though they were mostly for IIS).  For various reasons, I can't change
> the port apache runs on.  As such, I'd like to find a way to automatically
> block traffic from any host that tries to use known tools to compromise
> webservers.
> 
> Any thoughts would be welcomed.
> 
> TIA,
> 
> -Hani
> 
> =====
> --------------------------------------------------------------------------------------------------
> "Windows [n.]
> A thirty-two bit extension and GUI shell to a sixteen bit patch to an eight bit operating system
> originally coded for a four bit microprocessor and sold by a two-bit company that can't stand
> one bit of competition."
> (Anonymous USEnet post)
> --------------------------------------------------------------------------------------------------
> 
> 
> 
> --__--__--
> 
> Message: 5
> Date: Thu, 29 Jul 2004 12:04:44 -0600
> From: "Jeff Falgout" <JFalgout at co.jefferson.co.us>
> To: <clue-tech at clue.denver.co.us>
> Subject: Re: [CLUE-Tech] Hack information
> Reply-To: clue-tech at clue.denver.co.us
> 
> Steve, 
> 
> At least image the drive before you do anything -
> I'm sure someone at SANS may be interested in 
> looking at what happened to the machine and what
> it was doing ( http://isc.sans.org/contact.php ), 
> especially since it involves a CITI bank 
> phishing scheme. Maybe contact CITI bank also.
> 
> Jeff
> 
> 
> 
> >>> staver at fimble.com 7/29/2004 11:03:10 AM >>>
> 
> --__--__--
> 
> _______________________________________________
> CLUE-Tech mailing list
> Post messages to: CLUE-Tech at clue.denver.co.us
> Unsubscribe or manage your options: http://clue.denver.co.us/mailman/listinfo/clue-tech
> 
> End of CLUE-Tech Digest
> 


=====
JD. Brown   Home phone # 303-520-9110   Main E-mail: Brownstixzz at yahoo.com
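The question of unneeded ports (JD's, and Angelo's advice to strip a server down to the services it actually provides) comes down to comparing what is listening against what you meant to run. The script below is an added example, not code from any of the posters: it parses the nmap table Mike posted, pairs each open port with the owning process from a constructed `netstat -tlnp` listing (the process names and PIDs are assumptions, not data from the thread), and flags anything that is not on an assumed allow-list for a mail/web/DNS/ssh host, or whose owning program is not the one expected.

```python
import re

# nmap "PORT STATE SERVICE" table rows, e.g. "32775/tcp open  sometimes-rpc13"
NMAP_ROW = re.compile(r'^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)')

# Linux "netstat -tlnp" rows, e.g. "tcp  0  0 0.0.0.0:22  0.0.0.0:*  LISTEN  812/sshd"
NETSTAT_ROW = re.compile(
    r'^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTEN\s+'
    r'(?P<pid>\d+|-)(?:/(?P<prog>.*))?$'
)

# Open-port table exactly as Mike Staver posted it (nmap against 127.0.0.1).
SAMPLE_NMAP = """\
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
23/tcp    open  telnet
25/tcp    open  smtp
53/tcp    open  domain
80/tcp    open  http
106/tcp   open  pop3pw
110/tcp   open  pop-3
139/tcp   open  netbios-ssn
143/tcp   open  imap
783/tcp   open  hp-alarm-mgr
953/tcp   open  rndc
995/tcp   open  pop3s
3306/tcp  open  mysql
32775/tcp open  sometimes-rpc13
"""

# Constructed "netstat -tlnp" output for the same host. PIDs and program
# names are assumptions made up for this example, not from the original post.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      640/xinetd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      640/xinetd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1003/sendmail: accepting connections
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      701/named
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1120/httpd
tcp        0      0 0.0.0.0:106             0.0.0.0:*               LISTEN      640/xinetd
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      640/xinetd
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      905/smbd
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      640/xinetd
tcp        0      0 0.0.0.0:783             0.0.0.0:*               LISTEN      1210/spamd
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      701/named
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN      640/xinetd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      950/mysqld
tcp        0      0 0.0.0.0:32775           0.0.0.0:*               LISTEN      4242/unknown
"""

# Assumed allow-list for a host meant to serve ssh, mail, DNS and web:
# port -> substring expected in the owning program's name.
EXPECTED = {22: 'sshd', 25: 'sendmail', 53: 'named', 80: 'httpd', 110: 'xinetd',
            143: 'xinetd', 783: 'spamd', 953: 'named', 995: 'xinetd', 3306: 'mysqld'}


def parse_nmap(text):
    """Return {port: service} for every tcp port nmap reports as open."""
    ports = {}
    for line in text.splitlines():
        m = NMAP_ROW.match(line)
        if m and m['state'] == 'open' and m['proto'] == 'tcp':
            ports[int(m['port'])] = m['service']
    return ports


def parse_netstat(text):
    """Return {port: (pid, program)} for every listening tcp socket."""
    listeners = {}
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line.rstrip())
        if m:
            listeners[int(m['port'])] = (m['pid'], m['prog'] or '')
    return listeners


def audit(open_ports, listeners, expected):
    """Flag open ports that are not on the allow-list, or whose owning process
    is not the expected one.  Returns a sorted list of (port, service, reason, pid/program)."""
    findings = []
    for port in sorted(open_ports):
        service = open_ports[port]
        pid, prog = listeners.get(port, ('?', '?'))   # '?' when netstat showed no owner
        if port not in expected:
            findings.append((port, service, 'not in allow-list', f'{pid}/{prog}'))
        elif expected[port] not in prog:
            findings.append((port, service, f'expected {expected[port]}', f'{pid}/{prog}'))
    return findings


if __name__ == '__main__':
    for port, service, reason, owner in audit(parse_nmap(SAMPLE_NMAP),
                                              parse_netstat(SAMPLE_NETSTAT), EXPECTED):
        print(f'{port:>6}/tcp {service:<16} {reason:<22} {owner}')
```

On Mike's port table this reports ftp, telnet, pop3pw, netbios-ssn and the unexplained 32775 listener as not belonging on a mail/web host; the allow-list is the part you would edit to match the services a given box is supposed to provide. Remember that netstat on a rooted box may itself be trojaned, so a listener with no visible owner (pid `-`) deserves the same suspicion as an unexpected one.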


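Hani's request (watch the apache logs, recognise probes against the web server, and drop the source with iptables) is small enough to sketch end to end. The following is an added example, not a tool from the thread or from any project: it parses Apache combined-format log lines, counts requests per client IP that match a short assumed list of probe signatures (the `cmd.exe`, `default.ida`, `_vti_bin` and traversal patterns are illustrative choices, not from the post), and emits an `iptables` DROP rule once a client crosses a threshold. The log lines are constructed for the example and use documentation IP ranges; the block prints rules in dry-run mode and only runs iptables when asked to.

```python
import ipaddress
import re
import shlex
import subprocess
from collections import Counter

# Apache "combined" log line: host ident user [time] "method path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" (?P<status>\d{3}) \S+'
)

# Request-path signatures of well-known web-server probes (IIS worm traffic,
# FrontPage probing, directory traversal). Assumed list for illustration only.
PROBE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r'/scripts/.*cmd\.exe',        # traversal to cmd.exe on an IIS box
    r'/default\.ida',              # Code Red style .ida probe
    r'/_vti_bin/',                 # FrontPage server extensions probe
    r'(\.\./|%2e%2e%2f)',          # plain or URL-encoded directory traversal
)]

# Constructed sample log (not real traffic): one noisy prober and one mostly
# legitimate client, plus a line that is not in combined format at all.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Jul/2004:10:01:12 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
203.0.113.7 - - [29/Jul/2004:10:01:13 -0700] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 291 "-" "-"
203.0.113.7 - - [29/Jul/2004:10:01:14 -0700] "GET /_vti_bin/owssvr.dll HTTP/1.0" 404 291 "-" "-"
198.51.100.4 - - [29/Jul/2004:10:02:01 -0700] "GET /index.html HTTP/1.1" 200 1042 "-" "Mozilla/5.0"
198.51.100.4 - - [29/Jul/2004:10:02:05 -0700] "GET /default.ida HTTP/1.0" 404 291 "-" "-"
garbage line that does not parse
""".splitlines()


def parse_line(line):
    """Return the fields of a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_probe(path):
    return any(p.search(path) for p in PROBE_PATTERNS)


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:          # HostnameLookups On would put names here; skip them
        return False


def offending_hosts(lines, threshold=3, allowlist=()):
    """Return {ip: probe_count} for clients at or above threshold, skipping allow-listed IPs."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec['host'] in allowlist or not _is_ip(rec['host']):
            continue
        if is_probe(rec['path']):
            hits[rec['host']] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


def block_rule(ip):
    """iptables argv that drops inbound web traffic from ip; refuses anything that is not a bare IP."""
    ipaddress.ip_address(ip)    # raises ValueError, so shell metacharacters never reach iptables
    return ['iptables', '-I', 'INPUT', '-s', ip, '-p', 'tcp', '--dport', '80', '-j', 'DROP']


def apply_blocks(hosts, dry_run=True):
    """Print (dry run) or execute one DROP rule per offending host; returns the argv lists."""
    cmds = [block_rule(ip) for ip in sorted(hosts)]
    for cmd in cmds:
        if dry_run:
            print(' '.join(shlex.quote(c) for c in cmd))
        else:
            subprocess.run(cmd, check=True)   # needs root; run with dry_run=False deliberately
    return cmds


if __name__ == '__main__':
    apply_blocks(offending_hosts(SAMPLE_LOG, threshold=3))
```

Run against a real log you would feed it the output of `tail -F access_log` line by line instead of `SAMPLE_LOG`, keep the allow-list populated with your own monitoring hosts so a false positive cannot lock you out, and add a matching `-D` call or a periodic flush so blocks expire. For Hani's second case (IDS logs) only `parse_line` and `is_probe` change; the counting and the iptables step stay the same.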
