nethogs finds a lot of connections directed to my server ip...
Linux - Security
This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I tried to run alexs3's code, but I get this error:
Code:
$ nc -4nv -l 3263
nc: Address already in use
$ sudo nc -4nv -l 3263
nc: Address already in use
$ killall nc
nc: no process found
$ sudo killall nc
nc: no process found
$ sudo nc -4nv -l 3263
nc: Address already in use
$ sudo auditctl -A exit,always -S connect
WARNING - 32/64 bit syscall mismatch, you should specify an arch
$ sudo auditctl -A exit,always -S socket
WARNING - 32/64 bit syscall mismatch, you should specify an arch
Then I started nethogs, waiting for one of those suspicious records...
After a couple of minutes I got this:
I don't think you're missing something, I think you have found something. That number range traces to fastweb.it, but when I tried it, it didn't exist. Possible, with an ISP. Why haven't you got all these crazy port numbers blocked in the firewall except the very few that you use?
Well, they SHOULD be closed... I only have a few ports open...
There is one weird thing I found while checking the router virtual server, though: there is one rule I wouldn't say I've ever set:
rule name: Skype UDP at 192.168.1.113:4109 (2831)
start port: 4109
end port: 4109
protocol: udp
ip address: 192.168.1.113
I've just deactivated that rule, and pinging 192.168.1.113 gives no result.
After deleting that rule on the router virtual server, nethogs does not show those suspicious records anymore...
What I've learnt:
1) never enable router remote administration: I swear, it remained enabled for a few days some months ago. Am I right if I suspect that someone bruteforced my password and added that virtual server rule to connect to my system? Would it be possible?
2) periodically check nethogs (do you know if it's scriptable?)
Can you help me learn something from this case?
Some hacker got in, messed with nothing except what he wanted. He probably had root if he could set a firewall rule, or user teo and he could sudo (I am guessing).
Setting a firewall rule by itself isn't enough. If you could trace what he was using, that would be good. There may be something using inetd, or a second instance thereof. If you could plug how he got in, that would be better again. This is bad news for a sysadmin. He hardly breaks in every time, so something is open to him. I would be looking to reinstall elsewhere on a clean disk. Then shut down (yes, shut down) and swap them over. And skype on an internet facing box is a silly idea, imho. Have you changed your passwords for really obtuse ones? Is it still your girlfriend's name or something like that?
Quote:
Some hacker got in, messed with nothing except what he wanted. He probably had root if he could set a firewall rule, or user teo and he could sudo (I am guessing).
Sorry, maybe I wasn't clear: the firewall rule was not set on the machine but on the router.
A few months ago the router was set with "enable remote administration", so that I could connect to the router web interface from anywhere (I was on holiday). During this period a brute force attack COULD have found the password to log into the router administration page.
If I'm not wrong, this does not necessarily mean that someone broke into my server, right?
Why would a hacker have opened that port for an unassigned IP (192.168.1.113)?
In this period I didn't notice any abnormal CPU or network usage...
Well, auditd isn't so comfortable as to map all IPs to processes.
But after laboring through audit.log I have found some references to "/usr/sbin/exim4", uninstalled it and nethogs gives a clean picture so far.
Thanks everybody for bearing with me.
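Mapping audit.log connect records back to the process that made them is the tedious part described above. This is an added example, not code from the thread: it joins the SYSCALL and SOCKADDR records of one audit event by their serial, decodes the sockaddr, and lists destination per executable. The sample log lines are constructed (exe, IP and port values taken from this thread), and the rule shown in the comment is the arch-qualified form of the auditctl command that produced the 32/64-bit warning earlier.

```python
import re
from collections import defaultdict

# Constructed audit.log excerpt (not from the thread); records like these come from
# the arch-qualified form of the rule that warned above:
#   auditctl -a always,exit -F arch=b64 -S connect -k netconn
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffd1 a2=10 a3=0 items=0 ppid=1 pid=1234 auid=4294967295 uid=104 gid=110 comm="exim4" exe="/usr/sbin/exim4" key="netconn"
type=SOCKADDR msg=audit(1700000000.101:501): saddr=0200100DC0A801710000000000000000
type=SYSCALL msg=audit(1700000000.205:502): arch=c000003e syscall=42 success=yes exit=0 a0=5 a1=7ffd2 a2=6e a3=0 items=0 ppid=1 pid=77 auid=4294967295 uid=0 gid=0 comm="dbus-daemon" exe="/usr/bin/dbus-daemon" key="netconn"
type=SOCKADDR msg=audit(1700000000.205:502): saddr=01002F72756E2F646275732F73797374656D5F6275735F736F636B657400
type=SYSCALL msg=audit(1700000000.310:503): arch=c000003e syscall=42 success=yes exit=0 a0=4 a1=7ffd3 a2=10 a3=0 items=0 ppid=1 pid=1234 auid=4294967295 uid=104 gid=110 comm="exim4" exe="/usr/sbin/exim4" key="netconn"
type=SOCKADDR msg=audit(1700000000.310:503): saddr=020001BBC63364070000000000000000
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')        # key=value or key="quoted value"
SERIAL = re.compile(r'msg=audit\([\d.]+:(\d+)\)')  # serial shared by all records of one event

def decode_saddr(hexstr):
    """Decode an AF_INET sockaddr_in (family 2) to (ip, port); None for other families."""
    raw = bytes.fromhex(hexstr)
    if len(raw) < 8 or int.from_bytes(raw[0:2], 'little') != 2:  # sa_family is host order
        return None
    port = int.from_bytes(raw[2:4], 'big')  # sin_port is network byte order
    return '.'.join(str(b) for b in raw[4:8]), port

def map_connections(log_text):
    """Join SYSCALL and SOCKADDR records sharing a serial -> [(exe, pid, ip, port)]."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = SERIAL.search(line)
        if m:  # both record types of one event merge into the same dict
            events[int(m.group(1))].update({k: v.strip('"') for k, v in FIELD.findall(line)})
    found = []
    for serial in sorted(events):
        ev = events[serial]
        if ev.get('success') != 'yes' or 'exe' not in ev or 'saddr' not in ev:
            continue
        dest = decode_saddr(ev['saddr'])
        if dest:  # drops AF_UNIX and other non-IPv4 sockets
            found.append((ev['exe'], int(ev['pid']), dest[0], dest[1]))
    return found

def connections_by_exe(log_text):
    """Per-executable summary: the view nethogs gives, but with audit's exact destinations."""
    summary = defaultdict(set)
    for exe, _pid, ip, port in map_connections(log_text):
        summary[exe].add(f'{ip}:{port}')
    return {exe: sorted(dests) for exe, dests in summary.items()}
```

Run it against a real file by passing the contents of /var/log/audit/audit.log to connections_by_exe; any executable reaching a destination you cannot account for is the one to investigate.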
Whatever happened (and I don't know) I wouldn't rate the security of your network too highly. I have no information on your router. If it's a cisco thing, then you have some chance. If it's a modem/router, there's exploits for them lying about all over the web. Full marks for spotting the rule though.
They don't exactly inspire confidence. I think you need to rethink security, as the probability is that your punishment for getting compromised could have been much worse than it actually was.