Old 02-22-2012, 01:41 PM   #1
ghandizzle8
Member
 
Registered: Jun 2010
Posts: 30

Rep: Reputation: 0
Port Scanner


Good Day,

I am presently using Fedora 8 64-bit and I recently got a message from my host provider...

The message read..
IP Address ***8
has been port scanning remote hosts on the Internet;


2012-02-22 03:49:42.641042 IP (tos 0x0, ttl 128, id 38423, offset 0, flags [none], proto: TCP (6), length: 48) 10.240.59.144.50138 > 72.85.127.106.22: S, cksum 0xa97d (correct), 1895398740:1895398740(0) win 65535 <mss 1460,nop,nop,sackOK>
2012-02-22 03:49:42.641082 IP (tos 0x0, ttl 128, id 12051, offset 0, flags [none], proto: TCP (6), length: 48) 10.240.59.144.50138 > 72.85.127.107.22: S, cksum 0x4270 (correct), 1661916386:1661916386(0) win 65535 <mss 1460,nop,nop,sackOK>
2012-02-22 03:49:42.641128 IP (tos 0x0, ttl 128, id 61531, offset 0, flags [none], proto: TCP (6), length: 48) 10.240.59.144.50138 > 72.85.127.108.22: S, cksum 0x69d4 (correct), 961569611:961569611(0) win 65535 <mss 1460,nop,nop,sackOK>
2012-02-22 03:49:42.641167 IP (tos 0x0, ttl 128, id 41740, offset 0, flags [none], proto: TCP (6), length: 48) 10.240.59.144.50138 > 72.85.127.109.22: S, cksum 0x6983 (correct), 741612138:741612138(0) win 65535 <mss 1460,nop,nop,sackOK>
2012-02-22 03:49:42.641205 IP (tos 0x0, ttl 128, id 51108, offset 0, flags [none], proto: TCP (6), length: 48) 10.240.59.144.50138 > 72.85.127.110.22: S, cksum 0xf880 (correct), 621863317:621863317(0) win 65535 <mss 1460,nop,nop,sackOK>
2012-02-22 03:49:42.641249 IP (tos 0x0, ttl 128, id 30734, offset 0, flags [none], proto: TCP (6), length: 48) 10.240.59.144.50138 > 72.85.127.111.22: S, cksum 0x4ff8 (correct), 370496146:370496146(0) win 65535 <mss 1460,nop,nop,sackOK>
2012-02-22 03:49:42.641288 IP (tos 0x0, ttl 128, id 64703, offset 0, flags [none], proto: TCP (6), length: 48) 10.240.59.144.50138 > 72.85.127.112.22: S, cksum 0x9a84 (correct), 1059316156:1059316156(0) win 65535 <mss 1460,nop,nop,sackOK>
2012-02-22 03:49:42.641325 IP (tos 0x0, ttl 128, id 19724, offset 0, flags [none], proto: TCP (6), length: 48) 10.240.59.144.50138 > 72.85.127.113.22: S, cksum 0x64e0 (correct), 1761799519:1761799519(0) win 65535 <mss 1460,nop,nop,sackOK>
2012-02-22 03:49:42.641370 IP (tos 0x0, ttl 128, id 58106, offset 0, flags [none], proto: TCP (6), length: 48) 10.240.59.144.50138 > 72.85.127.114.22: S, cksum 0xe963 (correct), 519714959:519714959(0) win 65535 <mss 1460,nop,nop,sackOK>
2012-02-22 03:49:42.641414 IP (tos 0x0, ttl 128, id 22162, offset 0, flags [none], proto: TCP (6), length: 48) 10.240.59.144.50138 > 72.85.127.115.22: S, cksum 0x1ad3 (correct), 481575203:481575203(0) win 65535 <mss 1460,nop,nop,sackOK>



How do I solve this?

So far I have found two processes that should not be running: 1) xinetd and 2) dhclient, and I have stopped them... would that resolve it?


Regards,
Brian Hall
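The provider's excerpt above has one tell that matters for triage: a single source port (50138) fanning out across consecutive hosts on port 22 within a few hundred microseconds. As an added example, not part of the original post, here is a small Python detector that parses lines in that tcpdump format and reports such a horizontal sweep; the sample log is constructed from the lines quoted above plus one ordinary data segment so the detector has something to ignore.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: five of the provider's lines quoted above plus one ordinary
# data segment (flag P, carrying an ack) that a detector must not count as a probe.
SAMPLE_LOG = """\
2012-02-22 03:49:42.641042 IP (tos 0x0, ttl 128, id 38423, offset 0, flags [none], proto: TCP (6), length: 48) 10.240.59.144.50138 > 72.85.127.106.22: S, cksum 0xa97d (correct), 1895398740:1895398740(0) win 65535 <mss 1460,nop,nop,sackOK>
2012-02-22 03:49:42.641082 IP (tos 0x0, ttl 128, id 12051, offset 0, flags [none], proto: TCP (6), length: 48) 10.240.59.144.50138 > 72.85.127.107.22: S, cksum 0x4270 (correct), 1661916386:1661916386(0) win 65535 <mss 1460,nop,nop,sackOK>
2012-02-22 03:49:42.641128 IP (tos 0x0, ttl 128, id 61531, offset 0, flags [none], proto: TCP (6), length: 48) 10.240.59.144.50138 > 72.85.127.108.22: S, cksum 0x69d4 (correct), 961569611:961569611(0) win 65535 <mss 1460,nop,nop,sackOK>
2012-02-22 03:49:42.641167 IP (tos 0x0, ttl 128, id 41740, offset 0, flags [none], proto: TCP (6), length: 48) 10.240.59.144.50138 > 72.85.127.109.22: S, cksum 0x6983 (correct), 741612138:741612138(0) win 65535 <mss 1460,nop,nop,sackOK>
2012-02-22 03:49:42.641205 IP (tos 0x0, ttl 128, id 51108, offset 0, flags [none], proto: TCP (6), length: 48) 10.240.59.144.50138 > 72.85.127.110.22: S, cksum 0xf880 (correct), 621863317:621863317(0) win 65535 <mss 1460,nop,nop,sackOK>
2012-02-22 03:49:43.100000 IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto: TCP (6), length: 92) 10.240.59.144.22 > 72.252.148.188.5477: P, cksum 0x0000 (correct), 1:53(52) ack 1 win 92
"""

# One tcpdump line: timestamp, IP header summary in parentheses, then "src.port > dst.port: S," for a bare SYN.
SYN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) IP .*?\) "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): S,"
)

def parse_syns(text):
    """Yield (timestamp, src, sport, dst, dport) for each bare-SYN line; skip everything else."""
    for line in text.splitlines():
        m = SYN_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
                   m["src"], int(m["sport"]), m["dst"], int(m["dport"]))

def find_sweeps(text, min_hosts=5, window=timedelta(seconds=1)):
    """Group SYNs by (src, sport, dport) and report groups that reach at least
    min_hosts distinct destinations inside `window`. A normal client takes a fresh
    ephemeral source port per connection; one port reused against many hosts on the
    same service port within milliseconds is a horizontal sweep, not client traffic."""
    groups = defaultdict(list)
    for ts, src, sport, dst, dport in parse_syns(text):
        groups[(src, sport, dport)].append((ts, dst))
    findings = []
    for (src, sport, dport), hits in groups.items():
        hits.sort()
        hosts = {dst for _, dst in hits}
        span = hits[-1][0] - hits[0][0]
        if len(hosts) >= min_hosts and span <= window:
            findings.append({"src": src, "sport": sport, "dport": dport,
                             "hosts": len(hosts), "span_ms": span.total_seconds() * 1000})
    return findings
```

Run it over the full provider excerpt and the report names the source host, the reused source port and the service port, which is exactly what to correlate against the owning process on the box.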
 
Old 02-22-2012, 02:44 PM   #2
ButterflyMelissa
Senior Member
 
Registered: Nov 2007
Location: Somewhere on my hard drive...
Distribution: Manjaro
Posts: 2,686
Blog Entries: 23

Rep: Reputation: 398
Just being curious, what is the output of

Quote:
netstat -anp | more
...run as root, you'll see more. Just, what programs are on to the net?

I suspect the ip *.*.*.8 to be your public IP address...you just blanked out the thing (clever, would have done the same)...

Thor
 
Old 02-22-2012, 03:18 PM   #3
PTrenholme
Senior Member
 
Registered: Dec 2004
Location: Olympia, WA, USA
Distribution: Fedora, (K)Ubuntu
Posts: 4,186

Rep: Reputation: 346
Fedora 8 has been unsupported for at least four years. (The current release is Fedora 16, and Fedora makes a new release about every six months. Only the immediately prior release is supported one month after a new release is made. If a release is unsupported, no software or security updates are generally available for that release.)

There are a few "standard" applications that will automatically scan for network availability. IIRC, Fedora 8 often ran nmap for that purpose.
 
Old 02-22-2012, 04:12 PM   #4
ghandizzle8
Member
 
Registered: Jun 2010
Posts: 30

Original Poster
Rep: Reputation: 0
Output of netstat -anp | more


Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 17864/mysqld
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 23299/httpd
tcp 0 0 10.240.59.144:80 72.27.43.174:2992 SYN_RECV -
tcp 0 0 10.240.59.144:80 72.27.43.174:2997 SYN_RECV -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 5503/sshd
tcp 0 0 10.240.59.144:80 72.27.43.174:1991 TIME_WAIT -
tcp 0 0 10.240.59.144:80 72.27.43.174:1992 TIME_WAIT -
tcp 0 0 10.240.59.144:80 72.27.43.174:3295 TIME_WAIT -
tcp 0 0 10.240.59.144:80 72.27.43.174:2991 TIME_WAIT -
tcp 0 0 10.240.59.144:80 72.27.43.174:2996 TIME_WAIT -
tcp 0 0 10.240.59.144:80 72.27.43.174:2999 TIME_WAIT -
tcp 0 0 10.240.59.144:80 72.27.43.174:2995 TIME_WAIT -
tcp 0 0 10.240.59.144:80 72.27.43.174:2994 TIME_WAIT -
tcp 0 0 10.240.59.144:80 72.27.43.174:1127 TIME_WAIT -
tcp 0 0 10.240.59.144:80 72.27.8.112:10314 TIME_WAIT -
tcp 0 52 10.240.59.144:22 72.252.148.188:5477 ESTABLISHED 3506/1
udp 0 0 0.0.0.0:46378 0.0.0.0:* 16207/bash
raw 0 0 0.0.0.0:1 0.0.0.0:* 7 2173/ttymon
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ] DGRAM 1248 719/udevd @/org/kernel/udev/udevd
unix 2 [ ACC ] STREAM LISTENING 119643 17864/mysqld /var/lib/mysql/mysql.sock
unix 4 [ ] DGRAM 7082 1770/rsyslogd /dev/log
unix 2 [ ] DGRAM 7413 1961/crond
unix 2 [ ] DGRAM 7096 1774/rklogd


The issue is that someone has been using my server to port scan other machines on the internet..

Regards,
Brian Hall

Last edited by ghandizzle8; 02-22-2012 at 04:19 PM.
 
Old 02-22-2012, 05:57 PM   #5
John VV
LQ Muse
 
Registered: Aug 2005
Location: A2 area Mi.
Posts: 16,818

Rep: Reputation: 2408
Quote:
The issue is that someone has been using my server to port scan other machines on the internet..
the issue is that fedora8 is wide open to EVERY known and FIXED security hole for the last 8 fedora releases

your unsecured server was hacked

the best fix
reformat to ext4 and install Fedora 16. Then in 4 months install Fedora 17, then 6 months after that install Fedora 18

but you might want to use a LONG life distro like RHEL 6 ( 7 years of support ) versus the 13 month support of Fedora
 
Old 02-22-2012, 06:24 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3529
Quote:
Originally Posted by Thor_2.0
Code:
netstat -anp | more
A better way is to run 'netstat -antupe' as this omits UNIX sockets and gets you the process details of the applications as well.


Quote:
Originally Posted by PTrenholme
IIRC, Fedora 8 often ran nmap for that purpose.
Can you name one application that F8 installed by default that ran nmap?


Quote:
Originally Posted by John VV
you might want to use a LONG life distro like RHEL 6 ( 7 years of support ) verse the 13 month support of fedora
IMHO it is not good to push people towards a commercially licensed distribution like RHEL without mentioning free alternatives like Centos and Scientific Linux are available.


Quote:
Originally Posted by ghandizzle8
Code:
tcp        0      0 10.240.59.144:80        72.27.43.174:2992       SYN_RECV -
tcp        0      0 10.240.59.144:80        72.27.43.174:2997       SYN_RECV -
tcp        0      0 10.240.59.144:80        72.27.43.174:1991       TIME_WAIT -
tcp        0      0 10.240.59.144:80        72.27.43.174:1992       TIME_WAIT -
tcp        0      0 10.240.59.144:80        72.27.43.174:3295       TIME_WAIT -
tcp        0      0 10.240.59.144:80        72.27.43.174:2991       TIME_WAIT -
tcp        0      0 10.240.59.144:80        72.27.43.174:2996       TIME_WAIT -
tcp        0      0 10.240.59.144:80        72.27.43.174:2999       TIME_WAIT -
tcp        0      0 10.240.59.144:80        72.27.43.174:2995       TIME_WAIT -
tcp        0      0 10.240.59.144:80        72.27.43.174:2994       TIME_WAIT -
tcp        0      0 10.240.59.144:80        72.27.43.174:1127       TIME_WAIT -
tcp        0      0 10.240.59.144:80        72.27.8.112:10314       TIME_WAIT -
tcp        0     52 10.240.59.144:22        72.252.148.188:5477     ESTABLISHED 3506/1
(..)The issue is that someone has been using my server to port scan other machines on the internet..
The issue is, as John noticed from your netstat output, that you are running something in your web stack (homebrewed interpreted code without proper input validation, or vulnerable versions of forum, shopping cart, statistics, web log or other software packages) that allows a remote host to control and execute commands.
- stop your web services now and disable the database, web service and other services that are not mandatory for machine maintenance from starting again,
- raise the firewall to only allow access from your maintenance IP address or range,
- make a backup and do not restore from previous backups (if any) unless you have made certain they are free of vulnerable software.

I agree it would be best to start with a clean install of Fedora 16, Centos, Scientific Linux or any other distribution. Please do harden the machine and services and enable auditing before exposing it to the 'net again.
 
1 members found this post helpful.
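unSpawn's triage advice (look at who owns each socket, then cut remote access down to a maintenance range) can be turned into a quick first-pass check over netstat -anp output. This is an added example, not code from the thread: the sample output is constructed from the OP's posts, and the expected-owner table, the 203.0.113.0/24 maintenance range and the interpreter list are assumed placeholders to replace with the host's real policy.

```python
import ipaddress

# Constructed sample, shortened from the 'netstat -anp' output posted in this thread.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      23299/httpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      5503/sshd
tcp        0      0 10.240.59.144:80        72.27.43.174:1991       TIME_WAIT   -
tcp        0 104468 10.240.59.144:22        72.252.148.188:6339     ESTABLISHED 7723/sshd: root@not
tcp        0     52 10.240.59.144:22        72.252.148.188:5477     ESTABLISHED 3506/1
udp        0      0 0.0.0.0:46378           0.0.0.0:*                           16207/bash
raw        0      0 0.0.0.0:1               0.0.0.0:*               7           2173/ttymon
"""

# Assumed host policy (placeholders): program allowed to own each service port, the
# maintenance range the firewall will be limited to (RFC 5737 documentation space),
# and interpreters that should never own a socket on a server.
EXPECTED = {("tcp", 22): "sshd", ("tcp", 80): "httpd"}
MAINTENANCE_NET = ipaddress.ip_network("203.0.113.0/24")
INTERPRETERS = {"bash", "sh", "dash", "zsh", "perl", "python"}

def parse_netstat(text):
    """Parse Internet-socket rows of 'netstat -anp'. udp rows have no State column, raw
    rows show the protocol number there, and names like 'sshd: root@not' contain spaces."""
    rows = []
    for line in text.splitlines():
        f = line.split(None, 6)
        if not f or f[0] not in ("tcp", "udp", "raw"):
            continue
        state, prog = ("", " ".join(f[5:])) if f[0] == "udp" else (f[5], f[6])
        pid, _, name = prog.partition("/")
        rows.append({"proto": f[0], "lport": int(f[3].rsplit(":", 1)[1]), "state": state,
                     "peer": f[4].rsplit(":", 1)[0], "pid": pid, "name": name.split(":")[0]})
    return rows

def triage(text):
    """Return (finding, pid) pairs for every socket that deviates from the policy."""
    out = []
    for r in parse_netstat(text):
        key = (r["proto"], r["lport"])
        if r["proto"] == "raw":  # needs CAP_NET_RAW; rarely legitimate on a web host
            out.append(("raw_socket", r["pid"]))
        elif r["state"] == "LISTEN" or (r["proto"] == "udp" and r["peer"] == "0.0.0.0"):
            if EXPECTED.get(key) != r["name"]:
                out.append(("unexpected_listener", r["pid"]))
        elif r["state"] == "ESTABLISHED":
            if key in EXPECTED and r["name"] != EXPECTED[key]:
                out.append(("wrong_owner", r["pid"]))
            if key == ("tcp", 22) and ipaddress.ip_address(r["peer"]) not in MAINTENANCE_NET:
                out.append(("outside_maint", r["pid"]))
        if r["name"] in INTERPRETERS:
            out.append(("interpreter_socket", r["pid"]))
    return out
```

Every pid the check returns is a candidate for `ls -l /proc/<pid>/exe` and `/proc/<pid>/cmdline` before the machine is taken offline, so the evidence survives the rebuild.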
Old 02-22-2012, 08:10 PM   #7
ghandizzle8
Member
 
Registered: Jun 2010
Posts: 30

Original Poster
Rep: Reputation: 0
I just ran netstat -anp | more again... I now get the below results.


Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 17864/mysqld
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 7888/httpd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 5503/sshd
tcp 0 104468 10.240.59.144:22 72.252.148.188:6339 ESTABLISHED 7723/sshd: root@not
tcp 0 0 10.240.59.144:80 72.27.8.112:10832 TIME_WAIT -
tcp 0 52 10.240.59.144:22 72.252.148.188:6384 ESTABLISHED 8017/1
udp 0 0 0.0.0.0:46378 0.0.0.0:* 16207/bash
raw 0 0 0.0.0.0:1 0.0.0.0:* 7 2173/ttymon
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ] DGRAM 1248 719/udevd @/org/kernel/udev/udevd
unix 2 [ ACC ] STREAM LISTENING 119643 17864/mysqld /var/lib/mysql/mysql.sock
unix 4 [ ] DGRAM 7082 1770/rsyslogd /dev/log
unix 3 [ ] STREAM CONNECTED 12678244 7723/sshd: root@not
unix 3 [ ] STREAM CONNECTED 12678243 7725/sftp-server
unix 3 [ ] STREAM CONNECTED 12678242 7723/sshd: root@not
unix 3 [ ] STREAM CONNECTED 12678241 7725/sftp-server
unix 2 [ ] DGRAM 7413 1961/crond
unix 2 [ ] DGRAM 7096 1774/rklogd

I realised that I stopped httpd then restarted httpd, and that the results changed to the above.
Based on my limited reading... it's OK in some cases to have some TIME_WAIT connections.
Is this better than before?

Thanks again for your assistance..
Brian Hall
 
Old 02-22-2012, 08:46 PM   #8
ghandizzle8
Member
 
Registered: Jun 2010
Posts: 30

Original Poster
Rep: Reputation: 0
I ran it again... and I get these results:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 17864/mysqld
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 7888/httpd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 5503/sshd
tcp 0 0 10.240.59.144:80 66.249.72.239:49116 TIME_WAIT -
tcp 0 101352 10.240.59.144:22 72.252.148.188:6339 ESTABLISHED 7723/sshd: root@not
tcp 0 52 10.240.59.144:22 72.252.148.188:6896 ESTABLISHED 8875/1
tcp 0 0 10.240.59.144:80 72.27.8.112:10917 TIME_WAIT -
tcp 0 0 10.240.59.144:80 72.27.8.112:10918 TIME_WAIT -
udp 0 0 0.0.0.0:46378 0.0.0.0:* 16207/bash
raw 0 0 0.0.0.0:1 0.0.0.0:* 7 2173/ttymon
raw 1260 0 0.0.0.0:1 0.0.0.0:* 7 2173/ttymon
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ] DGRAM 1248 719/udevd @/org/kernel/udev/udevd
unix 2 [ ACC ] STREAM LISTENING 119643 17864/mysqld /var/lib/mysql/mysql.sock
unix 4 [ ] DGRAM 7082 1770/rsyslogd /dev/log
unix 3 [ ] STREAM CONNECTED 12678244 7723/sshd: root@not
unix 3 [ ] STREAM CONNECTED 12678243 7725/sftp-server
unix 3 [ ] STREAM CONNECTED 12678242 7723/sshd: root@not
unix 3 [ ] STREAM CONNECTED 12678241 7725/sftp-server
unix 2 [ ] DGRAM 7413 1961/crond
unix 2 [ ] DGRAM 7096 1774/rklogd

Is this much better than before?

Regards,
Brian Hall

Last edited by ghandizzle8; 02-22-2012 at 08:55 PM.
 
Old 02-22-2012, 11:00 PM   #9
ButterflyMelissa
Senior Member
 
Registered: Nov 2007
Location: Somewhere on my hard drive...
Distribution: Manjaro
Posts: 2,686
Blog Entries: 23

Rep: Reputation: 398
...or... upgrade to a more recent version... that detail escaped me, it seems.
Newer releases cater much better for the current internet challenges...

Good luck

Thor
 
Old 02-23-2012, 04:14 AM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3529
Houston, he's got a problem.

I just found out things are even worse than I thought. Past threads show the OP has been tinkering with Fedora 8 since 2010 during which time he installed and had problems with Drupal, MySQL 5.0.45, Moodle 1.9 (CVE: Drupal, MySQL 5.0.45 and Moodle) and since yesterday SSH access. From reading these threads it seems the OP often forgets to add he's using an Amazon-provided AMI instead of using the Fedora 16 Amazon Elastic Compute Cloud (EC2) images, the Amazon Linux AMI or building his own image. The OP always hides behind the "I am new to Linux" excuse, has been given advice not to run a deprecated distribution release before and appears to disregard such advice. As such I would not be surprised if his management does not know or care either.

Let's draw the line here and keep reminding the OP in this and future threads the only way to start fixing any of his problems is to start from scratch using a recent, supported and maintained distribution image.
 
3 members found this post helpful.
  

