[lug] Re: [CLUE-Tech] Hacker question

Kevin Fenzi kevin at scrye.com
Thu Jul 31 20:16:45 MDT 2003 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>>>>> "Mike" == Mike Staver <staver at fimble.com> writes:

Mike> I have had 3 RedHat 7.3 boxes apparently comprised on my network
Mike> this week alone.  I have no clue if I need to contact the FBI on
Mike> this issue (I just tried, and they said they didn't know if a
Mike> crime had even been committed), but I don't think they are going

Well, the criteria (as I recall) is that there needs to be more than
2500$ of dammage and it has to cross state boundries. 

Mike> to worry about my pidley little network here.  So, my company is
Mike> own it's own - and here are some stats on my box:

Mike> RedHat 7.3 Kernel 2.4.20-19.7smp openssh-3.1p1-6
Mike> openssh-server-3.1p1-6 openssh-clients-3.1p1-6 samba-2.2.7-3.7.3
Mike> apache-1.3.27-2 openssl-devel-0.9.6b-32.7 openssl-0.9.6b-32.7
Mike> openssl-perl-0.9.6b-32.7 mod_ssl-2.8.12-2

ok.

Mike> Now, if we scan the machines in question, this is what ports are
Mike> open:

Mike> Starting nmap V. 3.00 ( www.insecure.org/nmap/ ) Host blah
Mike> (xx.xx.xx.xx) appears to be up ... good.  Initiating SYN Stealth
Mike> Scan against www1.globaltaxnetwork.com (xx.xx.xx.xx) Adding open
Mike> port 80/tcp Adding open port 19/tcp Adding open port 22/tcp
Mike> Adding open port 139/tcp Adding open port 443/tcp Adding open
Mike> port 111/tcp The SYN Stealth Scan took 0 seconds to scan 1601
Mike> ports.  For OSScan assuming that port 19 is open and port 1 is
Mike> closed and neither are firewalled

ok. 

Mike> Interesting ports on blah (xx.xx.xx.xx): (The 1595 ports scanned
Mike> but not shown below are in state: closed) Port State Service
Mike> 19/tcp open chargen 22/tcp open ssh 80/tcp open http 111/tcp
Mike> open sunrpc 139/tcp open netbios-ssn 443/tcp open https Remote
Mike> operating system guess: Linux Kernel 2.4.0 - 2.5.20

Mike> Uptime 3.032 days (since Mon Jul 28 14:51:01 2003) TCP Sequence
Mike> Prediction: Class=random positive increments Difficulty=1104306
Mike> (Good luck!)  IPID Sequence Generation: All zeros

Mike> Whoever comprimised my machine, did it with only ports 443 and
Mike> 80 open to it through my firewall.  I have no idea how this
Mike> happened.  I have the latest apache from RedHat, is that verion
Mike> suseptible to a buffer overflow of some kind that I'm unaware
Mike> of?  My RedHat 9 boxes are fine -

Ok, how about cgi's or other user code on the web server?
Also, if they were in before did you totally re-install since then? 

Also, there was a new wu-ftp vulnerablity that has a root explot that
just was announced today. 

You have portmap open? why? (port 111/tcp)?

Mike> only the 7.3 boxes have been affected, 3 of them so far this
Mike> week.  And what happens when these boxes get comprimised is that
Mike> my routers get shut down because they are apparently ddos'n
Mike> grc.com.  I see a lot of ircd traffic on port 6667, and many
Mike> other ports as well.  The machines the ircd traffic is coming
Mike> from are:

Mike> undernet.irc.rcn.net undernet.tiscali.be ircu.bredband.com
Mike> minotor.spale.com proxyscan.undernet.org

yeah, those are normal irc networks. 

Mike> Besides upgrading to RedHat 9 on these boxes (which isn't an
Mike> option yet), how can I protect myself, and who should I report
Mike> this activity to?? I now don't get to go home tonite to spend
Mike> time with my family, I'm forced to rebuild these damned boxes
Mike> from scratch once again. --

Protect yourself?

- - make sure all updates are applied (use apt, krud2date, up2date, etc
to make sure you didn't miss any). 

- - make sure you have a firewall blocking all non 80/443/whatever you
need ports. 

- - run tripwire or the like to check for modified binaries. 

Report to?

- - fbi, but only if it's over their threshold. 

- - the perps ISP (if you can identify it)

Mike>                                 -Mike Staver staver at fimble.com
Mike> mstaver at globaltaxnetwork.com

good luck. 

kevin
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.8 <http://mailcrypt.sourceforge.net/>

iD8DBQE/Kc2S3imCezTjY0ERArZZAJ9ukfF7J2Kn6ilI2CsPM3cYn9aPcQCcCe4P
kicMyy78MkFtU38wuTowtCU=
=8cGJ
-----END PGP SIGNATURE-----

More information about the LUG mailing list