Strange connection

Scot L. Harris webid at cfl.rr.com
Wed Jul 20 18:49:23 UTC 2005


On Wed, 2005-07-20 at 14:25, Mike McCarty wrote:

> I'm running FC2 now. I did a netstat and didn't see any connections
> I couldn't account for.
> 
> I have set up for FC2 legacy updates, and done a
> 
> # yum update
> 
> which pulled several packages.
> 
> What should I do in order to defend against this sort of attack?
> I'm not familiar with iptables, though I just looked, and it
> didn't look like much was blocked. I don't have awstats, I guess,
> as
> 
> $ su -
> # man awstats
> No manual entry for awstats

The first thing to do is evaluate your system to determine what might be
a path into it.  Are you running a web server that you have available
from the Internet?  If you do then you need to look at all open ports on
your system.  Either run a network scan yourself from another location
or you can use http://www.grc.com to run shieldsup which will scan your
IP address and let you know which ports are exposed.  

If you have any ports exposed examine the service on those ports.  HTTP,
SSH, etc should be reviewed to make sure you are up to date on security
patches for those services.  Any service you don't need or use should be
disabled and blocked by iptables.

The default iptables should block everything unless you opened any ports
during setup.  As someone in this thread indicated, you should take
the additional step of blocking outbound ports on your system except for
those you use.  Not many people do this.  Many companies do this to
prevent someone from running code that connects from inside the firewall
to an external site.

Run chkrootkit and rkhunter, setup tripwire and review the reports
daily.  Monitor your log files and check netstat periodically for
anything strange.

The OP was probably compromised via phpBB, which is known to have various
security holes.  

If you are not providing any services to the Internet and have iptables
locked down you should not have much of a problem.  

Most linux exploits require some poorly coded application leaving a path
into the system that has a buffer overflow or some other means of
getting code loaded on to the system that can be executed.  From there
the hacker gets additional code loaded on the system to either gain
additional privileges via other security holes (packages that have not
had security updates) or simply to setup spam and bot packages to use
the system for their own purposes.

And to check for awstats (I don't think it comes with a man page) run:

find / -name awstats.pl -print

Or in a browser try: http://localhost/cgi-bin/awstats.pl

Assuming that it has been installed in the cgi-bin directory.


-- 
Scot L. Harris
webid at cfl.rr.com

God, I ask for patience -- and I want it right now! 
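The reply above recommends three things in turn: find which ports are actually exposed, compare them against the services you meant to run, and lock iptables down to a default-deny policy that also restricts outbound traffic. The script below is an added example (not part of Scot's post or of any Fedora package) that does exactly that in POSIX sh. The netstat output it parses is constructed, the function names (exposed_ports, unexpected_ports, iptables_rules) are mine, and the rule generator only prints the iptables commands so you can read them before running them; the "-m state" match is the one available on FC2-era kernels.

```shell
#!/bin/sh
# Added example: audit exposed listeners and draft a default-deny iptables policy.

# Constructed sample of `netstat -tulpn` output (not captured from a real host).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      901/sendmail
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/httpd
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN      4321/unknown
udp        0      0 0.0.0.0:68              0.0.0.0:*                           700/dhclient'

# exposed_ports NETSTAT_OUTPUT
# Prints "proto port pid/program" for every socket bound to all interfaces
# (0.0.0.0 or ::).  Sockets bound only to 127.0.0.1 are not reachable from
# the Internet and are skipped.
exposed_ports() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^(tcp|udp)6?$/ && $4 ~ /^(0\.0\.0\.0|::):/ {
            port = $4; sub(/.*:/, "", port)   # strip address, keep the port
            print $1, port, $NF
        }'
}

# unexpected_ports NETSTAT_OUTPUT "tcp/22 tcp/80 ..."
# Flags exposed sockets that are not on the allow list you wrote down after
# reviewing which services you really intend to offer.
unexpected_ports() {
    exposed_ports "$1" | while read -r proto port prog; do
        case " $2 " in
            *" $proto/$port "*) ;;   # expected service, nothing to report
            *) printf 'UNEXPECTED %s/%s (%s)\n' "$proto" "$port" "$prog" ;;
        esac
    done
}

# iptables_rules "inbound proto/port list" "outbound proto/port list"
# Emits a default-deny rule set for INPUT, FORWARD and OUTPUT.  Loopback and
# already-established connections are allowed; only listed NEW connections
# are accepted in either direction; every other outbound attempt is logged,
# which is how a phone-home from a compromised CGI would show up in syslog.
iptables_rules() {
    echo "iptables -F"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for svc in $1; do
        proto=${svc%/*}; port=${svc#*/}
        echo "iptables -A INPUT -p $proto --dport $port -m state --state NEW -j ACCEPT"
    done
    for svc in $2; do
        proto=${svc%/*}; port=${svc#*/}
        echo "iptables -A OUTPUT -p $proto --dport $port -m state --state NEW -j ACCEPT"
    done
    echo "iptables -A OUTPUT -j LOG --log-prefix 'OUTBOUND-DROP: '"
}

# Usage: on a live box replace SAMPLE_NETSTAT with "$(netstat -tulpn)".
echo "== exposed listeners =="
exposed_ports "$SAMPLE_NETSTAT"
echo "== not on the allow list =="
unexpected_ports "$SAMPLE_NETSTAT" "tcp/22 tcp/80 udp/68"
echo "== draft iptables policy =="
iptables_rules "tcp/22 tcp/80" "udp/53 tcp/80 tcp/443 udp/123"
```

Run the printed rules from the console, not over ssh, or wrap them in a script that restores the previous policy after a minute unless you confirm; an outbound DROP policy with a missing DNS or yum mirror port will otherwise lock you out of updates. The allow list for outbound should be only what the box itself needs (DNS, the update mirror, NTP); anything else is the "connects from inside the firewall to an external site" case the post warns about.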




More information about the fedora-list mailing list