LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
05-08-2005, 02:26 PM #1
wylie1001
Member
Registered: Jul 2002
Location: USA
Distribution: Slackware 10.2
Posts: 53

My NTP has been compromised


Hi,
Well, I think I was hit by some low life, and now my ntp keeps sending to an IP address on port 123 every 15 minutes. I stopped it in iptables from sending out to that address. I did a whois and found out where they are. I kept getting ICMP Destination Unreachable in snort, but it started with other ports all over, except when they hit my port 123. Now I can't find any clue what they did. I looked at all my conf files pertaining to ntp and see nothing. I also use tripwire, which seems useless when you bang the keys like I do. I would like to find out something before I delete and reinstall ntp or even the whole machine. All I have running is squid, apache, ntp, cups, snort and sendmail; all is firewalled, I thought pretty well. I am not sure about these ICMP hits; I'm trying to read up but don't fully understand them. I know they are not good. Sorry for the long-winded problem. I use slack 10.1, nothing else...
Thanks for any help here,
Rick
05-08-2005, 02:45 PM #2
Hangdog42
LQ Veteran
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,791
Blog Entries: 1

You should probably do some reading in the security forum, but basically, you can't trust this machine. If I were in your shoes, I would have a good, long look at what Tripwire has flagged as changed. Look for software and/or directories that you know you haven't been messing with. Also have a look at the outputs of lsof -i and netstat -pantu for listening processes that are things you don't normally run. Running nmap might not be a bad idea either. The problem with these is that if your system has been seriously compromised, you can't necessarily trust them if they don't show anything out of the ordinary. I would also boot from a live CD distro like Knoppix and run chkrootkit and rkhunter. Also have a look in your system logs for anything out of the ordinary. Running last to see who has logged in might be useful, but again, that command may have been compromised.

I would also suggest that simply re-installing ntp is not the way to go. If they gained access to your box through an ntp exploit, I seriously doubt that ntp is the only thing that was compromised. If any hunting finds additional issues, you're going to need to nuke the disk and re-install from a trusted source. I would also ask a moderator to move this to the Security forum. You'll get a lot more good advice there than in Network.

<edit>

And I almost forgot the most important thing: unplug the network card. Take this box off the network until you can figure out what has, or has not, happened.
</edit>

Last edited by Hangdog42; 05-08-2005 at 02:52 PM.
05-08-2005, 03:17 PM #3
wylie1001
Member
Registered: Jul 2002
Location: USA
Distribution: Slackware 10.2
Posts: 53

Original Poster
Hi,
Thanks for your quick response. I will most likely look around some more and then NUKE IT. I ran chkrootkit and will look deeper into tripwire, but at this time I found nothing. I didn't realize there was a security forum. Hopefully they will move this thread so maybe I can get some other tips. I liked the last command. Thanks again.
05-08-2005, 06:22 PM #4
Hangdog42
LQ Veteran
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,791
Blog Entries: 1

I've asked the mods to move this thread, but you probably want to do some reading in Security on forensics. Also, you might want to post some of the outputs from those commands for the real experts to look at. You may not have to nuke the hard drive (I know I don't like to re-install unless I absolutely have to), but you probably should keep it off the net until you have a better understanding of what happened.

<edit>
OK, now I feel like a complete dinkleheimer and should have checked this earlier... Uh, port 123 is the normal NTP UDP port. Why do you think that the traffic you saw was unusual and not just someone updating their time off of your NTP server?
</edit>

Last edited by Hangdog42; 05-08-2005 at 06:27 PM.
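As an added example (not from the thread), a small POSIX shell script that ties together the triage commands from post #2 and the point raised in post #4: before treating periodic outbound UDP/123 traffic as a sign of compromise, check whether the destination is simply a server listed in ntp.conf, then run the live socket checks on the box. ntpd's default maximum poll interval is 1024 seconds, so packets to a configured server every 15 to 17 minutes are normal client behaviour. The config text and the 192.0.2.10 address are constructed for the demo; reading server/peer/pool lines from /etc/ntp.conf is an assumption about the setup.

```shell
#!/bin/sh
# Added example, not code from the thread: decide whether an outbound
# UDP/123 peer is a configured NTP server before assuming compromise.

# Constructed sample ntp.conf (192.0.2.10 is a TEST-NET-1 documentation address).
SAMPLE_CONF='driftfile /etc/ntp/drift
server 192.0.2.10        # constructed upstream server
server pool.ntp.org
restrict default ignore'

# Print the hosts ntpd has been told to poll: the second field of every
# server/peer/pool line, with trailing "# comments" stripped first.
configured_servers() {
    printf '%s\n' "$1" | sed 's/#.*//' \
        | awk '$1 ~ /^(server|peer|pool)$/ { print $2 }'
}

# Return 0 if the address in $2 appears verbatim in the config text $1.
# Hostnames in the config are not resolved here; compare those by hand
# (or with getent hosts) on a trusted machine.
is_configured_peer() {
    configured_servers "$1" | grep -qxF "$2"
}

# Live checks from the thread, run only where the tools exist:
# which peers ntpd is actually polling, and which process owns port 123.
show_live_ntp_state() {
    command -v ntpq    >/dev/null 2>&1 && ntpq -pn
    command -v netstat >/dev/null 2>&1 && netstat -pantu 2>/dev/null | grep ':123 '
    return 0
}

# Demo run against the constructed config. On a real box, replace the
# sample text with "$(cat /etc/ntp.conf)" and call show_live_ntp_state.
if is_configured_peer "$SAMPLE_CONF" 192.0.2.10; then
    echo "192.0.2.10 is a configured NTP server; periodic UDP/123 traffic to it is expected"
else
    echo "192.0.2.10 is NOT in ntp.conf; keep digging with lsof -i, netstat -pantu, chkrootkit"
fi
```

Because the script only reads configuration and lists sockets, it is safe to run from a live CD against the mounted disk, which sidesteps the "the tools themselves may be compromised" problem post #2 warns about.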
05-09-2005, 08:24 PM #5
wylie1001
Member
Registered: Jul 2002
Location: USA
Distribution: Slackware 10.2
Posts: 53

Original Poster
Well, I have not nuked it yet. My PC is for learning; I don't use it for personal use like buying stuff, etc. I did wipe out my ntp software and reloaded it and set up ntpd for the time, and guess what, it started to go out to the address that was from the ICMP hacker, who I'm not sure was going through another PC or not. I've got to let you all know that the hits on my computer are mainly from corporations, not home PCs! My snort tells me all that is going on... These people have nothing better to do than to try to hack our computers... They get bored on the night shift and try to hack. Well, enough of that. I am going to look all around and see what other program works with ntp, to see where this address is in the file sending to it. I don't think it is in the kernel; maybe a library file. I will keep you guys posted. Well, I am down to just three ports open now; later for keeping the time in sync. Squid, my apache and my sendmail. I did see that Cisco had a warning on ntp to keep the service off. I know why...