[lug] Re: [CLUE-Tech] Hacker question
kevin at scrye.com
Thu Jul 31 20:16:45 MDT 2003
>>>>> "Mike" == Mike Staver <staver at fimble.com> writes:
Mike> I have had 3 RedHat 7.3 boxes apparently compromised on my network
Mike> this week alone. I have no clue if I need to contact the FBI on
Mike> this issue (I just tried, and they said they didn't know if a
Mike> crime had even been committed), but I don't think they are going
Well, the criterion (as I recall) is that there needs to be more than
$2500 of damage and it has to cross state boundaries.
Mike> to worry about my piddly little network here. So, my company is
Mike> on its own - and here are some stats on my box:
Mike> RedHat 7.3 Kernel 2.4.20-19.7smp
Mike> openssh-3.1p1-6 openssh-server-3.1p1-6 openssh-clients-3.1p1-6
Mike> samba-2.2.7-3.7.3 apache-1.3.27-2
Mike> openssl-devel-0.9.6b-32.7 openssl-0.9.6b-32.7 openssl-perl-0.9.6b-32.7
Mike> mod_ssl-2.8.12-2
Mike> Now, if we scan the machines in question, this is what ports are
Mike> Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Mike> Host blah (xx.xx.xx.xx) appears to be up ... good.
Mike> Initiating SYN Stealth Scan against www1.globaltaxnetwork.com (xx.xx.xx.xx)
Mike> Adding open port 80/tcp
Mike> Adding open port 19/tcp
Mike> Adding open port 22/tcp
Mike> Adding open port 139/tcp
Mike> Adding open port 443/tcp
Mike> Adding open port 111/tcp
Mike> The SYN Stealth Scan took 0 seconds to scan 1601 ports.
Mike> For OSScan assuming that port 19 is open and port 1 is closed and neither are firewalled
Mike> Interesting ports on blah (xx.xx.xx.xx):
Mike> (The 1595 ports scanned but not shown below are in state: closed)
Mike> Port       State       Service
Mike> 19/tcp     open        chargen
Mike> 22/tcp     open        ssh
Mike> 80/tcp     open        http
Mike> 111/tcp    open        sunrpc
Mike> 139/tcp    open        netbios-ssn
Mike> 443/tcp    open        https
Mike> Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
Mike> Uptime 3.032 days (since Mon Jul 28 14:51:01 2003)
Mike> TCP Sequence Prediction: Class=random positive increments
Mike>                          Difficulty=1104306 (Good luck!)
Mike> IPID Sequence Generation: All zeros
Mike> Whoever compromised my machine did it with only ports 443 and
Mike> 80 open to it through my firewall. I have no idea how this
Mike> happened. I have the latest apache from RedHat, is that version
Mike> susceptible to a buffer overflow of some kind that I'm unaware
Mike> of? My RedHat 9 boxes are fine -
Ok, how about CGIs or other user code on the web server?
Also, if they were in before, did you totally re-install since then?
Also, there was a new wu-ftp vulnerability that has a root exploit that
was just announced today.
You have portmap open? Why (port 111/tcp)?
Mike> only the 7.3 boxes have been affected, 3 of them so far this
Mike> week. And what happens when these boxes get compromised is that
Mike> my routers get shut down because they are apparently DDoSing
Mike> grc.com. I see a lot of ircd traffic on port 6667, and many
Mike> other ports as well. The machines the ircd traffic is coming
Mike> from are:
Mike> undernet.irc.rcn.net undernet.tiscali.be ircu.bredband.com
Mike> minotor.spale.com proxyscan.undernet.org
Yeah, those are normal IRC networks.
Mike> Besides upgrading to RedHat 9 on these boxes (which isn't an
Mike> option yet), how can I protect myself, and who should I report
Mike> this activity to? I now don't get to go home tonight to spend
Mike> time with my family, I'm forced to rebuild these damned boxes
Mike> from scratch once again. --
- make sure all updates are applied (use apt, krud2date, up2date, etc.
  to make sure you didn't miss any).
- make sure you have a firewall blocking all non 80/443/whatever you
- run tripwire or the like to check for modified binaries.
- FBI, but only if it's over their threshold.
- the perps' ISP (if you can identify it)
Mike> -Mike Staver staver at fimble.com
Mike> mstaver at globaltaxnetwork.com
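As an added example (not code from this thread), here is a small Python audit that parses an nmap 3.00 text report like the one Mike pasted and splits the open ports into "allowed from the Internet", "admin only" and "unexpected", which is the check behind Kevin's "why is portmap open?" and "firewall everything but 80/443" advice. The report text is constructed from the scan quoted above, and the allow lists are assumptions for the example.

```python
"""Audit an nmap 3.00 text report against the ports a host is supposed to expose.
Added example: the report below is constructed from the scan quoted in the
thread (addresses were already redacted there); the policy is an assumption."""
import re

# Constructed sample, trimmed to the lines this audit needs.
NMAP_REPORT = """\
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on blah (xx.xx.xx.xx):
(The 1595 ports scanned but not shown below are in state: closed)
Port       State       Service
19/tcp     open        chargen
22/tcp     open        ssh
80/tcp     open        http
111/tcp    open        sunrpc
139/tcp    open        netbios-ssn
443/tcp    open        https
Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
"""

# One port line in the "Interesting ports" table: "80/tcp     open        http"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*$")


def parse_open_ports(report):
    """Return {(port, proto): service} for every line nmap lists as open."""
    found = {}
    for line in report.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group(3) == "open":
            found[(int(m.group(1)), m.group(2))] = m.group(4)
    return found


def audit(report, allowed, admin_only=()):
    """Classify each open port. Assumed policy: `allowed` may face the
    Internet, `admin_only` is tolerated only behind the firewall, and
    anything else should not be listening at all."""
    verdict = {"allowed": [], "admin_only": [], "unexpected": []}
    for key, service in sorted(parse_open_ports(report).items()):
        if key in allowed:
            verdict["allowed"].append((key, service))
        elif key in admin_only:
            verdict["admin_only"].append((key, service))
        else:
            verdict["unexpected"].append((key, service))
    return verdict


if __name__ == "__main__":
    result = audit(NMAP_REPORT, {(80, "tcp"), (443, "tcp")}, {(22, "tcp")})
    for bucket, entries in result.items():
        print(bucket, [f"{p}/{pr} {svc}" for (p, pr), svc in entries])
```

Run against Mike's scan, the unexpected bucket is chargen, sunrpc and netbios-ssn, which is exactly the set Kevin's firewall rule would block and that should not be listening on a web server in the first place.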