Strange connection

Mike McCarty mike.mccarty at sbcglobal.net
Wed Jul 20 20:15:56 UTC 2005


Scot L. Harris wrote:

>On Wed, 2005-07-20 at 14:25, Mike McCarty wrote:
>  
>
[what should I do?]

BTW, should probably have mentioned my setup. I have one (1)
computer running FC2 with a fixed IP address, connected to a
router (D-LINK) set up to accept DHCP connected to a DSL
modem (SPEEDSTREAM 5100) to an ADSL.

>The first thing to do is evaluate your system to determine what might be
>a path into it.  Are you running a web server that you have available
>from the Internet?  If you do then you need to look at all open ports on
>your system.  Either run a network scan your self from another location
>or you can use http://www.grc.com to run shieldsup which will scan your
>IP address and let you know which ports are exposed.  
>  
>
That is a wonderful site.

Results from scan of ports: 0-1055

    0 Ports Open
    1 Ports Closed
 1055 Ports Stealth
---------------------
 1056 Ports Tested

NO PORTS were found to be OPEN.

The port found to be CLOSED was: 113

Other than what is listed above, all ports are STEALTH.

TruStealth: FAILED - NOT all tested ports were STEALTH,
                   - NO unsolicited packets were received,
                   - A PING REPLY (ICMP Echo) WAS RECEIVED.


Apparently, 113 is used for some old e-mail query/response. Since
that port is closed, I'm probably ok on that score.

File sharing, Messenger Spam, and Headers all looked ok to me, too.
The headers don't reveal any serious info about my machine. And
no cookies appeared. My reverse DNS was just my router's temp IP
address and my ISP name munged around a bit.

>If you have any ports exposed examine the service on those ports.  HTTP,
>SSH, etc should be reviewed to make sure you are up to date on security
>patches for those services.  Any service you don't need or use should be
>disabled and blocked by iptables.
>
>  
>
How do I check that port? I guess I could just stealth it on my router,
if I poked around some. Actually, since I'm behind my router, I'm not
even really looking at my machine. I'm looking at the firewall in my
router.

>The default iptables should block everything unless you opened any ports
>during setup.  As the someone in this thread indicated you should take
>the additional step of blocking outbound ports on your system except for
>those you use.  Not many people do this.  Many companies do this to
>prevent someone from running code that connects from inside the firewall
>to an external site.
>  
>
I used the default. The output from iptables is rather long, so I won't
post it here, but how do I check exactly what is open? The output is a
little confusing.

>Run chkrootkit and rkhunter, setup tripwire and review the reports
>daily.  Monitor your log files and check netstat periodically for
>anything strange.
>  
>
Hmm, I seem not to have chkrootkit, rkhunter, nor tripwire installed.

>The OP was probably compromised via phpBB, that is known to have various
>security holes.  
>
>If you are not providing any services to the Internet and have iptables
>locked down you should not have much of a problem.  
>  
>
I don't know how to "lock down" iptables, but if no ports are exposed,
how can anything get in? Except by doing something like overflowing my
browser buffer on a request I make (or email buffer, etc.)? I've got
Java and Javascript disabled. OTOH, I have heard of "evil" .png
problems. I do accept images.

[snip]

>And to check for awstats (I don't think it comes with a man page) run:
>
>find / -name awstats.pl -print
>
>Or in a browser try: http://localhost/cgi-bin/awstats.pl
>
>Assuming that it has been installed in the cgi-bin directory.
>
>
>  
>
My browser reports that localhost refused the connection.
The find (ghastly idea to search the whole system) did not
find anything, after about 20 minutes.

Mike

-- 
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
This message made from 100% recycled bits.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!
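Mike asks above how to tell exactly what is open on his machine, and Scot suggests checking netstat. The script below is an added example (not code from either poster): it takes the output of `netstat -tuln` (or `ss -tuln`, which prints the same Local Address column) and separates services bound to a network-reachable address, the ones a scanner like ShieldsUP could ever see, from those bound only to loopback. The netstat sample embedded in it is constructed.

```shell
#!/bin/sh
# Added example: classify listening sockets from netstat-style output.
# Pipe real output in with:  netstat -tuln | classify_listeners

# Constructed sample shaped like `netstat -tuln` on a Fedora box of that era.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*'

# Print one line per listening socket: "<proto> <port> <scope>", where scope
# is "local" for loopback-only binds and "network" for anything else
# (wildcard 0.0.0.0/:: or a specific interface address).
classify_listeners() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ {
            # Local Address is "addr:port"; take the port after the last
            # colon so IPv6 addresses such as ::1:123 still parse.
            n = split($4, parts, ":")
            port = parts[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            scope = (addr == "127.0.0.1" || addr == "::1") ? "local" : "network"
            print $1, port, scope
        }'
}

# Just the port numbers that are reachable beyond the machine itself; these
# are the ones worth comparing against the router scan results and the
# iptables INPUT rules.
network_ports() {
    classify_listeners | awk '$3 == "network" { print $2 }'
}

printf '%s\n' "$SAMPLE_NETSTAT" | classify_listeners
```

A port that is listening here but shows as STEALTH from outside is being dropped by the router or by iptables, not by the service being absent.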
