LinuxQuestions.org
Did you know LQ has a Linux Hardware Compatibility List?
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 03-24-2004, 11:54 AM   #1
Evilone
Member
 
Registered: Oct 2002
Location: UK
Distribution: Slack 9.1 (2.6.5)
Posts: 307

Rep: Reputation: 30
HELP Hacker suspected


Hi,

I've got a linux box that does all my web related stuff, ie, file sharing, internet dialup (broadband), mail server , samba, etc etc.

I've had a couple of weird experiences over the last couple of days, where my server just ditches the internet, and requires a reboot. I checked the /var/log folder and found literally hundreds of name.log files, where name can be anythign from jack to xxx283838 and a lot of ipnumber.log files. Upon looking inside them, i've found this :

[2004/03/21 05:19:08, 0] lib/util_sock.c:read_socket_data(342)
read_socket_data: recv failure for 4. Error = Connection reset by peer
[2004/03/21 05:20:06, 0] lib/util_sock.c:read_socket_data(342)
read_socket_data: recv failure for 4. Error = Connection reset by peer
[2004/03/21 05:22:33, 0] lib/util_sock.c:read_socket_data(342)
read_socket_data: recv failure for 4. Error = Connection reset by peer
[2004/03/21 05:23:36, 0] lib/util_sock.c:read_socket_data(342)
read_socket_data: recv failure for 4. Error = Connection reset by peer
[2004/03/21 05:24:01, 0] lib/util_sock.c:read_socket_data(342)
read_socket_data: recv failure for 4. Error = Connection reset by peer
[2004/03/21 05:29:32, 0] lib/util_sock.c:read_socket_data(342)
read_socket_data: recv failure for 4. Error = Connection reset by peer

And :

[2004/03/18 22:14:20, 1] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(576)
Unknown packet in reply_sesssetup_and_X_spnego

And finally. a huge one consisting of mainly @@@@@@@@@@@ etc etc.


Please help, does anyone know what's going on??

My system :

Linux Slackware using 2.6.3, Samba 3 (Latest) Apache 2 (Latest)

Thanks in advance.

Evilone
 
Old 03-24-2004, 12:52 PM   #2
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
I could be wrong, but I think those log files are created by Samba every time a new client tries to connect (then it keeps track of their subsequent activities). It seems like you have Samba enabled on your external IP!

What's the output of this command?
$ netstat -lanF inet
?
Note: I think it's -F inet on Linux, I can't remember... just -l should get what I'm looking for, then don't paste all the stuff that's UNIX sockets.
 
Old 03-24-2004, 12:56 PM   #3
Evilone
Member
 
Registered: Oct 2002
Location: UK
Distribution: Slack 9.1 (2.6.5)
Posts: 307

Original Poster
Rep: Reputation: 30
Yes indeedy it's samba, i've turned off smbd and nmbd and the logfiles have stopped being created.

I've a fair idea of how this has happened. I recently upgraded to samba 3.0.2a, and had to rewrite my smb.conf (my old one did'nt work).

Would you mind taking a look at my config and suggesting how i can make it local only, ie , only available to local lan and NOT outside access.

SMB.conf :

#[global]
netbios name = merlin
workgroup = home
encrypt passwords = Yes
security = user
log file = /var/log/%m.log
log level = 1
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
wins support = yes
domain logons = yes
os level = 99
[htdocs]
path = /var/www/htdocs
read only = no
public = yes
guest ok = no
browseable = yes
hosts allow = 192.168.7.0/24
valid users = +users
[win32share]
path = /backup
read only = no
public = yes
guest ok = no
browseable = yes
hosts allow = 192.168.7.0/24
valid users = +users



Cheers,

Ade


Edit :

All i want is for local users of the machine to be able to browse and change files. I do not even want it broadcasting to the web at all.

Last edited by Evilone; 03-24-2004 at 12:57 PM.
 
Old 03-24-2004, 05:22 PM   #4
Khabi
Member
 
Registered: Aug 2003
Location: Arizona
Distribution: Gentoo
Posts: 142

Rep: Reputation: 15
The easy way would be to block samba on a firewall level on the external Iface.
iptables -A INPUT -i [external interface] -p tcp --destination-port 135 -j DROP
iptables -A INPUT -i [external interface] -p tcp --destination-port 137 -j DROP

*thats just off the top of my head.. someone might wanna double check the syntax*
 
Old 03-24-2004, 08:27 PM   #5
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Well it shouldn't be listening on the external interface any way. By the way Khabi, you have it backwards. Samba uses 137 & 138 UDP and 139 TCP.

In my smb.conf I have:
interfaces = 10.0.0.5/28

10.0.0.5 is the IP that Samba listens on, and /28 is my subnet bitmask.

By the way, does this box have 2 network interfaces or only one?
 
Old 03-25-2004, 04:55 AM   #6
Evilone
Member
 
Registered: Oct 2002
Location: UK
Distribution: Slack 9.1 (2.6.5)
Posts: 307

Original Poster
Rep: Reputation: 30
Thanks for that, the interfaces= line did the job. No more log files bar my own now. Will let it run for a few hours and if i've still got problems, i'll post.

Cheers for the advice.

Ade
 
Old 03-25-2004, 09:08 AM   #7
Evilone
Member
 
Registered: Oct 2002
Location: UK
Distribution: Slack 9.1 (2.6.5)
Posts: 307

Original Poster
Rep: Reputation: 30
Well, back to drawing board... Still getting those hits to samba externaly.

I've added your suggestion about the interfaces = and still no joy. I then modified my firewall script with the previous suggestions. Here is my firewall script :

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
iptables -A INPUT -i ppp0 -p udp --destination-port 137 -j DROP
iptables -A INPUT -i ppp0 -p udp --destination-port 138 -j DROP
iptables -A INPUT -i ppp0 -p tcp --destination-port 139 -j DROP
echo 1 > /proc/sys/net/ipv4/ip_forward



Still getting those log files building up. Any more idea's??

Thanks in advance.

Ade

Edit:

In answer to previous question, 1 nic card, local lan (eth0), 1 USB Broadband modem (ppp0). Two other machines (Wireless laptop, and my main windows xp box), share the internet connection and the samba shared files, as above.

Last edited by Evilone; 03-25-2004 at 09:11 AM.
 
Old 03-25-2004, 12:28 PM   #8
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Are you sure one of your Windows boxes wasn't compromised?
 
Old 03-25-2004, 03:10 PM   #9
Khabi
Member
 
Registered: Aug 2003
Location: Arizona
Distribution: Gentoo
Posts: 142

Rep: Reputation: 15
Quote:
Originally posted by chort
By the way Khabi, you have it backwards. Samba uses 137 & 138 UDP and 139 TCP.
Well.. Can't always be perfect
 
Old 03-26-2004, 10:17 AM   #10
Evilone
Member
 
Registered: Oct 2002
Location: UK
Distribution: Slack 9.1 (2.6.5)
Posts: 307

Original Poster
Rep: Reputation: 30
OK, i nailed it..... the samba 3 smb.conf uses a few different parameters from the version 2 smb.conf... Here's the code that finally stopped me broadcasting all over the internet and beyond

#[global]
netbios name = merlin
workgroup = home


bind interfaces only = true
interfaces = eth0 192.168.7.1


hosts deny = all
hosts allow = 192.168.7.2 192.168.7.4
encrypt passwords = Yes
security = user
log file = /var/log/%m.log
socket options = TCP_NODELAY IPTOS_LOWDELAY
local master = yes
prefered master = yes
wins support = yes
domain logons = yes

The bind interfaces only and the interfaces line tells samba 3 to ony use the specified device and what ip to broadcast on.

Hope this helps someone else in the future, took a good deal of time to find.


Cheer's for the help and idea's,

Ade


Edit :

I should really add, in response to the "you sure your win box is'nt compromised" question. Yes i'm sure , it's a brand new installation on my newly put togeather P4 3Ghz box. And it's running the latest norton antivirus, corporate edition.. The problem was deffinately samba related, by default, it searches for all available connections and broadcasts on them ALL by default.

Last edited by Evilone; 03-26-2004 at 10:21 AM.
 
Old 03-26-2004, 11:34 AM   #11
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,132
Blog Entries: 54

Rep: Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791
Hope this helps someone else in the future, took a good deal of time to find.
Thanks for adding your solution Evilone!
 
Old 03-26-2004, 11:38 AM   #12
Evilone
Member
 
Registered: Oct 2002
Location: UK
Distribution: Slack 9.1 (2.6.5)
Posts: 307

Original Poster
Rep: Reputation: 30
No problems, i've had a good deal of help from this forum over the last year, just giving a little back.
 
Old 03-29-2004, 06:17 PM   #13
catman_za
LQ Newbie
 
Registered: Oct 2003
Distribution: Mandrake 9.1
Posts: 11

Rep: Reputation: 0
Smile

Quote:
Originally posted by Evilone

Edit :

I should really add, in response to the "you sure your win box is'nt compromised" question. Yes i'm sure , it's a brand new installation on my newly put togeather P4 3Ghz box. And it's running the latest norton antivirus, corporate edition.. The problem was deffinately samba related, by default, it searches for all available connections and broadcasts on them ALL by default.
The problem lies with Norton you should be using Norman Virus Control with personal firewall on your win box, then only will you be sure that you have not been hacked!

Also most of the latest viruses cut through Norton with ease as well as Black Ice Defender, if you have any doubts go to www.norman.com site and download a trial version for your win box.

Do a scan on your machine, once you have Norman installed and norton taken off and tell use what you find ?

Norman runs on Linux as well

Edit :

I have been and still am running a smoothwall box as a firewall on an old P1 Cyrix 166, with 96 meg ram, to take care of my firewall and other requirements.

I read lots and post seldom

Last edited by catman_za; 03-29-2004 at 06:22 PM.
 
Old 03-29-2004, 06:36 PM   #14
catman_za
LQ Newbie
 
Registered: Oct 2003
Distribution: Mandrake 9.1
Posts: 11

Rep: Reputation: 0
You could of course install a chkrootkit to make double sure that your linux box has not been hacked, it will also look for any trojans etc.
The latest version .043 which you can get from this link distro.ibiblio.org/pub/linux/distributions/ sorcerer/sources/chkrootkit/0.43/
 
Old 03-29-2004, 09:49 PM   #15
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
catman_za, I might restrict your enthusiasm a little bit there. Perhaps in your opinion Norman is better than Norton, but not product is perfect so your statement
Quote:
then only will you be sure that you have not been hacked!
isn't really factual.

Please avoid the appearance of advertising any products. You're welcome to give your experience, but in the world of software there's never a perfect product that fits everyone's needs or is 100% effective at what it's supposed to do.

One might speculate why products like Norton, McAfee, Trend, and Sophos do so well in the commercial market if Norman is so thoroughly superior as you suggest...
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Ultra slow gnome login on ubuntu linux. Suspected network issues ShaneK Linux - Networking 2 06-11-2005 07:45 AM
How can a hacker get in!? Impossible! AC97Conquerer Linux - Security 13 03-24-2005 06:52 PM
Exim4 conf problem (spam suspected by Yahoo) zahoo Linux - Networking 5 03-04-2005 10:44 PM
Catching a Hacker... Shr00mBoXx Linux - Security 14 06-30-2004 09:59 PM
suspected misconfiguration of my LFS system because of it's slowness. schatoor Linux - General 1 11-02-2003 11:46 PM


All times are GMT -5. The time now is 06:21 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration