Strange connection

Tomas Larsson ktl at bornet.net
Wed Jul 20 20:32:23 UTC 2005


As far as I understand it, this is what has happened.
By mistake I left an old phpBB running on my server. The hacker found it,
and if I understand it correctly he/she used a known weakness in phpBB
and created a buffer overflow in the php code. By doing this he
incorporated a wget command and managed to make the server download a
trojan. When this was done the system was sort of open for him, but as far
as I understand it, he was only able to work as user "apache" and do
whatever damage possible.

Now as I've learned the hard way, don't forget old sw running: upgrade it
or remove it.
It doesn't matter how good your firewall is; if you are running a
webserver behind it, there is always a way to get into the system.
What I probably will do is to have a second firewall sitting on the
webserver, blocking all incoming and outgoing ports that aren't needed, just
leaving http, https and ftp open, and some other ports locked to a certain
MAC, for maintenance. Can't block outgoing on the main FW, since it will
create problems with access for the other boxes.

With best regards

Tomas Larsson
Sweden

Verus Amicus Est Tamquam Alter Idem
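An added example, not from this thread, of the host firewall described above written as an iptables script for the web server: default-deny in both directions, only http/https/ftp public, SSH restricted to a maintenance MAC, and dropped outbound attempts logged so a process calling out is visible. The interface name, the MAC and the resolver address are assumed placeholders.

```shell
#!/bin/sh
# Host firewall for a web server: default-deny in both directions, expose only
# HTTP/HTTPS/FTP, allow SSH only from one maintenance MAC, and log dropped
# outbound attempts so a process calling out (say, a wget started by the
# "apache" user) shows up in syslog instead of silently succeeding.
# Assumptions (placeholders, change them): public interface eth0, maintenance
# workstation MAC 00:11:22:33:44:55 on the same LAN segment (MAC matching does
# not survive a router hop), and a resolver at 192.0.2.53.
IFACE="${IFACE:-eth0}"
MAINT_MAC="${MAINT_MAC:-00:11:22:33:44:55}"
DNS="${DNS:-192.0.2.53}"

# Print the ruleset rather than applying it, so it can be reviewed first and
# checked without root. The heredoc is unquoted, so the variables expand.
gen_rules() {
    cat <<EOF
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# loopback and replies to connections already accepted
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# public services; FTP data channels ride on RELATED via the ip_conntrack_ftp helper
iptables -A INPUT -i $IFACE -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i $IFACE -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -i $IFACE -p tcp --dport 21 -j ACCEPT
# maintenance: SSH only from the admin workstation's MAC
iptables -A INPUT -i $IFACE -p tcp --dport 22 -m mac --mac-source $MAINT_MAC -j ACCEPT
# outbound: DNS to one resolver only; everything else is logged, then dropped by policy
iptables -A OUTPUT -o $IFACE -p udp -d $DNS --dport 53 -j ACCEPT
iptables -A OUTPUT -o $IFACE -m limit --limit 5/min -j LOG --log-prefix "FW-OUT-DROP: "
iptables -A INPUT -i $IFACE -m limit --limit 5/min -j LOG --log-prefix "FW-IN-DROP: "
EOF
}

if [ "${1:-}" = "apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "apply requires root" >&2; exit 1; }
    gen_rules | sh -e
else
    gen_rules    # review mode: just show what would be applied
fi
```

With OUTPUT defaulting to DROP, anything the server itself must fetch (package updates, for instance) needs its own explicit ACCEPT to a named host, which is the point: a download nobody planned for is logged instead of succeeding.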

> -----Original Message-----
> From: fedora-list-bounces at redhat.com
> [mailto:fedora-list-bounces at redhat.com] On Behalf Of Mike McCarty
> Sent: Wednesday, July 20, 2005 10:16 PM
> To: For users of Fedora Core releases
> Subject: Re: Strange connection
>
>
> Scot L. Harris wrote:
>
> >On Wed, 2005-07-20 at 14:25, Mike McCarty wrote:
> >
> >
> [what should I do?]
>
> BTW, should probably have mentioned my setup. I have one (1)
> computer running FC2 with a fixed IP address, connected to a
> router (D-LINK) set up to accept DHCP connected to a DSL
> modem (SPEEDSTREAM 5100) to an ADSL.
>
> >The first thing to do is evaluate your system to determine what might
> >be a path into it.  Are you running a web server that you have
> >available from the Internet?  If you do then you need to look at all
> >open ports on your system.  Either run a network scan yourself from
> >another location or you can use http://www.grc.com to run shieldsup
> >which will scan your IP address and let you know which ports are exposed.
> >
> >
> That is a wonderful site.
>
> Results from scan of ports: 0-1055
>
>     0 Ports Open
>     1 Ports Closed
>  1055 Ports Stealth
> ---------------------
>  1056 Ports Tested
>
> NO PORTS were found to be OPEN.
>
> The port found to be CLOSED was: 113
>
> Other than what is listed above, all ports are STEALTH.
>
> TruStealth: FAILED - NOT all tested ports were STEALTH,
>                    - NO unsolicited packets were received,
>                    - A PING REPLY (ICMP Echo) WAS RECEIVED.
>
>
>
>
> Apparently, 113 is used for some old e-mail query/response.
> Since that port is closed, I'm probably ok on that score.
>
> File sharing, Messenger Spam, and Headers all looked ok to
> me, too. The headers don't reveal any serious info about my
> machine. And no cookies appeared. My reverse DNS was just my
> router's temp IP address and my ISP name munged around a bit.
>
> >If you have any ports exposed examine the service on those ports.
> >HTTP, SSH, etc should be reviewed to make sure you are up to date on
> >security patches for those services.  Any service you don't need or use
> >should be disabled and blocked by iptables.
> >
> >
> >
> How do I check that port? I guess I could just stealth it on my router,
> if I poked around some. Actually, since I'm behind my router, I'm not
> even really looking at my machine. I'm looking at the firewall in my
> router.
>
> >The default iptables should block everything unless you opened any
> >ports during setup.  As someone in this thread indicated you should
> >take the additional step of blocking outbound ports on your system
> >except for those you use.  Not many people do this.  Many companies do
> >this to prevent someone from running code that connects from inside the
> >firewall to an external site.
> >
> >
> I used the default. The output from iptables is rather long, so I won't
> post it here, but how do I check exactly what is open? The output is a
> little confusing.
>
> >Run chkrootkit and rkhunter, setup tripwire and review the reports
> >daily.  Monitor your log files and check netstat periodically for
> >anything strange.
> >
> >
> Hmm, I seem not to have chkrootkit, rkhunter, nor tripwire installed.
>
> >The OP was probably compromised via phpBB, that is known to have
> >various security holes.
> >
> >If you are not providing any services to the Internet and have iptables
> >locked down you should not have much of a problem.
> >
> >
> I don't know how to "lock down" iptables, but if no ports are exposed,
> how can anything get in? Except by doing something like overflowing
> my browser buffer on a request I make (or email buffer, etc.)? I've got
> Java and Javascript disabled. OTOH, I have heard of "evil" .png
> problems. I do accept images.
>
> [snip]
>
> >And to check for awstats (I don't think it comes with a man page) run:
> >
> >find / -name awstats.pl -print
> >
> >Or in a browser try: http://localhost/cgi-bin/awstats.pl
> >
> >Assuming that it has been installed in the cgi-bin directory.
> >
> >
> >
> >
> My browser reports that localhost refused the connection.
> The find (ghastly idea to search the whole system) did not
> find anything, after about 20 minutes.
>
> Mike
>
> --
> p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
> This message made from 100% recycled bits.
> I can explain it for you, but I can't understand it for you.
> I speak only for myself, and I am unanimous in that!
>
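As an added example, not part of the thread, one way to answer "how do I check exactly what is open" on the host itself: compare the sockets listening on all interfaces with the ports you actually intend to expose, and report the rest. The netstat output embedded below is a constructed sample; on a live host, pipe `netstat -tlnup` into the function instead.

```shell
#!/bin/sh
# Audit listeners: print every socket bound to all interfaces (0.0.0.0 or ::)
# whose port is not in the list of ports meant to be public. Sockets bound
# to 127.0.0.1 only are ignored; they are not reachable from outside.
# Live use (root shows program names):  netstat -tlnup | unexpected_listeners "80 443 21"

# Constructed sample of `netstat -tlnup` output, not captured from a real host.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/httpd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1234/httpd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      987/sendmail
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN      4321/perl
udp        0      0 0.0.0.0:111             0.0.0.0:*                           654/portmap'

# Reads netstat output on stdin; $1 is a space-separated list of intended public ports.
# Prints "proto port program" for each wildcard-bound socket not in that list.
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # tcp/udp/tcp6/udp6 rows whose local address is the wildcard
        $1 ~ /^(tcp|udp)6?$/ && $4 ~ /^(0\.0\.0\.0:|:::)/ {
            port = $4; sub(/.*:/, "", port)        # keep only the port number
            if (!(port in ok)) print $1, port, $NF  # $NF works with and without the State column
        }'
}

# Stand-alone run: audit the constructed sample against the intended public ports.
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "80 443 21"
```

Anything this prints is either a service you forgot about or something that should not be there; either way it is the first thing to look at, before reading the iptables output.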