LinuxQuestions.org
Old 10-12-2009, 11:57 AM   #1
johnh10000
possible security breach


Hi folks,

I have just come hoe, and notice my modem and router lights going like mad.

Checked the logs, noth major I had a visit from google bot over night, and a yahoo bot.

Killed all of my port forwards on the router, still flashing like mad.

So me in nievity, thinks its out going. How do I check that?

...PAnic what can I do.
 
Old 10-12-2009, 12:03 PM   #2
poctob
Sounds like a power surge. If you haven't done so power down your modem and router wait 15 seconds and power them back up.
 
Old 10-12-2009, 12:03 PM   #3
anomie
How about: $ netstat -tn ?
 
Old 10-12-2009, 12:13 PM   #4
tredegar
Quote:
Checked the logs, noth major I had a visit from google bot over night, and a yahoo bot.
So you are running something potentially vulnerable, like a server.

It would be helpful to future readers if you posted a lot more information: Distro, services running (apache, ssh, telnet (the gods forbid!) etc.) See similar threads in this forum.

Quote:
...PAnic what can I do.
My suggestions:
0] Stay calm.
1] Unplug the network, before you are blacklisted, or distribute more spam and prOn.
2] Do NOT reboot or reinstall.
3] Wait for someone who knows more about this than I do to come here and help you. unSpawn, where are you?

Rebooting / reinstalling may destroy the evidence you need to find out how / when they got in (if they did at all).

Be patient.

But if you are worried, please take your site offline NOW.
 
Old 10-12-2009, 01:19 PM   #5
unixfool
Like the second poster, this sounds like the router/modem may need to be power-cycled, especially since that appears to be the only symptom. But, as anomie stated, a proper netstat should be run (on each machine) to determine what may be going on. I almost never factor the state of my router lights to suspicious activity, since they are always lit anyways (I keep my machines on all the time).

Note that skiddie scripts will probably keep hammering the network with ssh brute force attempts even after the router is recycled...they are that dumb.
 
Old 10-12-2009, 01:27 PM   #6
smeezekitty
Quote:
Originally Posted by tredegar View Post
So you are running something potentially
2] Do NOT reboot or reinstall.
WTF?
I am no security expert, but maybe the modem driver went bonkers and a reboot will cure the problem.
 
Old 10-12-2009, 01:37 PM   #7
unixfool
What type of modem are you talking about? 56/128 modem? DSL modem? Is this a modem/router combo?

Don't reboot the machine(s). If both (if you've one of each) are showing lit up constantly, you DO have an issue, IMO. Just make sure you aren't streaming music or using some such network multimedia app. Check all machines' network connections (before getting genuinely alarmed). I'm betting it's something you may have left running and aren't accounting for.
 
Old 10-12-2009, 02:18 PM   #8
smeezekitty
Quote:
Originally Posted by unixfool View Post
Don't reboot the machine(s).
WHY?
 
Old 10-12-2009, 03:26 PM   #9
unSpawn
Modem and router have different scopes. A modem will be on a subnet to your ISP's head-end, DSLAM or whatever else equivalent. Basically (think OSI) the device doesn't concern itself with whatever traffic or traffic content goes up and down the line: it just establishes a connection between endpoints and that's about it (OK, except if somebody finds herself onto that ISP subnet and is fscking around with exposed services ;-p, very unlikely). Not telling which lights (power, upstream, downstream, link state) go nuts doesn't help much. Modem trouble, as I've experienced it, usually points to ISP-side (common), link carrier (not that rare but depending) or physical cable (rare) or equipment (very rare and I'm no Cisco wiz) probs.

I agree that this, together with router probs, looks more like a black-out situation than anything else. If those devices are accessible (SNMP, telnet, logs over HTTP) then getting log data could help. If they aren't, then I agree you should move on to whichever sources you actually can get data from to establish a timeline of events before going berserk.


Quote:
Originally Posted by smeezekitty View Post
WHY?
Rebooting a device makes you lose all volatile data (otherwise loosely described as "evidence") like process, network and user data. You'll want to save those listings just in case.


Quote:
Originally Posted by tredegar View Post
where are you?
When I'm not around you may safely assert I'm busy elsewhere. Luckily I'm not the only one who can deal with incident response in a structured way.

Last edited by unSpawn; 10-12-2009 at 03:28 PM.
 
Old 10-12-2009, 04:50 PM   #10
johnh10000
Quote:
Originally Posted by anomie View Post
How about: $ netstat -tn
?
Right, OK, this is to all of you.

I have this forum set up to email me when someone replies. It didn't.

Whatever is doing this is saturating my network.
 
Old 10-12-2009, 05:23 PM   #11
johnh10000
Read all the posts.

Thanks! I didn't get a mail to say you'd answered.

I'll take them sorta as they came. (I've unplugged the server box from the network now.)

netstat -tn produced
Code:
johnh10000@tux2:~$ netstat -tn
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      1 192.168.1.4:55603       61.219.6.38:25          SYN_SENT   
tcp        0      1 192.168.1.4:33345       168.95.5.27:25          SYN_SENT   
tcp        0      0 192.168.1.4:53968       200.110.145.6:25        ESTABLISHED
tcp        1     38 192.168.1.4:47487       163.25.121.6:25         CLOSING    
tcp        0      1 192.168.1.4:53475       211.75.193.77:25        SYN_SENT   
tcp        0      1 192.168.1.4:51082       168.95.5.44:25          SYN_SENT   
tcp        0      0 192.168.1.4:60171       192.168.1.4:8000        ESTABLISHED
tcp        0      1 192.168.1.4:34221       61.64.127.23:25         SYN_SENT   
tcp        0      1 192.168.1.4:57170       60.249.140.136:25       SYN_SENT   
tcp        0      1 192.168.1.4:57816       218.102.23.34:25        SYN_SENT   
tcp        0      1 192.168.1.4:46092       122.146.113.20:25       SYN_SENT   
tcp        1     38 192.168.1.4:55809       61.57.29.3:25           CLOSING    
tcp        0      1 192.168.1.4:55760       158.74.236.245:25       SYN_SENT   
tcp        0      1 192.168.1.4:41551       216.39.53.2:25          SYN_SENT   
tcp        0      1 192.168.1.4:45967       202.153.190.10:25       SYN_SENT   
tcp        0      1 192.168.1.4:43170       168.95.5.6:25           SYN_SENT   
tcp        0  49152 192.168.1.4:38836       192.168.1.4:8000        ESTABLISHED
tcp        0      1 192.168.1.4:35613       168.95.5.58:25          SYN_SENT   
tcp        0      1 192.168.1.4:35709       202.39.48.25:25         SYN_SENT   
tcp        0      1 192.168.1.4:48817       81.200.64.50:25         SYN_SENT   
tcp        0      1 192.168.1.4:42305       216.66.64.29:25         SYN_SENT   
tcp        0      1 192.168.1.4:44577       211.72.204.226:25       SYN_SENT   
tcp        0      0 127.0.0.1:45567         127.0.0.1:445           TIME_WAIT  
tcp        0      1 192.168.1.4:46653       139.223.200.190:25      SYN_SENT   
tcp        0      1 192.168.1.4:49915       202.39.48.36:25         SYN_SENT   
tcp        0      1 192.168.1.4:46415       203.65.107.75:25        SYN_SENT   
tcp        0      1 192.168.1.4:39844       168.95.6.180:25         SYN_SENT   
tcp        0      1 192.168.1.4:48536       59.120.108.107:25       SYN_SENT   
tcp        0      0 192.168.1.4:48744       59.120.151.199:25       TIME_WAIT  
tcp        0      1 192.168.1.4:42276       202.133.235.170:25      SYN_SENT   
tcp        0      0 192.168.1.4:25          190.136.22.51:59752     ESTABLISHED
tcp        0      1 192.168.1.4:43919       81.200.64.50:25         SYN_SENT   
tcp        0      1 192.168.1.4:46377       168.95.5.21:25          SYN_SENT   
tcp        0      0 192.168.1.4:25          123.131.165.236:3897    ESTABLISHED
tcp        0      0 192.168.1.4:25          124.160.88.206:32801    ESTABLISHED
tcp        0      1 192.168.1.4:53911       82.98.86.169:25         SYN_SENT   
tcp        0      0 192.168.1.4:25          201.68.45.113:40393     ESTABLISHED
tcp        0      1 192.168.1.4:43503       119.160.246.23:25       SYN_SENT   
tcp        0      1 192.168.1.4:32827       82.98.86.169:25         SYN_SENT   
tcp        0      1 192.168.1.4:40904       69.50.131.86:25         SYN_SENT   
tcp        0      1 192.168.1.4:45026       168.95.5.43:25          SYN_SENT   
tcp        0      1 192.168.1.4:54990       61.64.127.24:25         SYN_SENT   
tcp        0      1 192.168.1.4:42664       163.16.128.253:25       SYN_SENT   
tcp        0      1 192.168.1.4:55588       69.25.75.72:25          SYN_SENT   
tcp        0      0 192.168.1.4:60170       192.168.1.4:8000        ESTABLISHED
tcp        0     45 192.168.1.4:25          222.170.39.137:3508     LAST_ACK   
tcp        0      1 192.168.1.4:45290       168.95.5.12:25          SYN_SENT   
tcp        0      1 192.168.1.4:35983       139.175.54.239:25       SYN_SENT   
tcp        0      0 192.168.1.4:8000        192.168.1.4:60170       ESTABLISHED
tcp        0      0 127.0.0.1:46289         127.0.0.1:5195          ESTABLISHED
tcp        0      0 192.168.1.4:35858       203.75.190.219:25       TIME_WAIT  
tcp        0      0 192.168.1.4:49132       203.64.120.2:25         ESTABLISHED
tcp        0      0 192.168.1.4:49533       210.59.228.113:25       ESTABLISHED
tcp        0  49152 192.168.1.4:38838       192.168.1.4:8000        ESTABLISHED
tcp        0      1 192.168.1.4:36463       61.218.87.146:25        SYN_SENT   
tcp        0      1 192.168.1.4:34556       81.200.64.50:25         SYN_SENT   
tcp        0      1 192.168.1.4:36981       211.23.78.2:25          SYN_SENT   
tcp        0      1 192.168.1.4:51616       65.55.92.184:25         SYN_SENT   
tcp        0      1 192.168.1.4:46169       168.95.5.98:25          SYN_SENT   
tcp        0      1 192.168.1.4:52389       61.222.168.107:25       SYN_SENT   
tcp        0      1 192.168.1.4:58881       61.222.168.107:25       SYN_SENT   
tcp        1     38 192.168.1.4:39225       61.20.222.41:25         CLOSING    
tcp        0      1 192.168.1.4:51072       61.64.127.24:25         SYN_SENT   
tcp        0      1 192.168.1.4:47576       115.43.128.5:25         SYN_SENT   
tcp        0      1 192.168.1.4:60364       168.95.5.56:25          SYN_SENT   
tcp        0      0 192.168.1.4:25          201.68.87.217:3815      ESTABLISHED
tcp        0      0 127.0.0.1:5195          127.0.0.1:46289         ESTABLISHED
tcp        0     74 192.168.1.4:25          59.124.214.30:22854     LAST_ACK   
tcp        0      1 192.168.1.4:52010       163.19.187.241:25       SYN_SENT   
tcp        0      1 192.168.1.4:35635       61.67.151.1:25          SYN_SENT   
tcp        0      1 192.168.1.4:54686       211.76.130.102:25       SYN_SENT   
tcp        0      1 192.168.1.4:44693       142.22.49.12:25         SYN_SENT   
tcp        0      1 192.168.1.4:39127       163.17.100.3:25         SYN_SENT   
tcp        0      1 192.168.1.4:56850       61.31.233.93:25         SYN_SENT   
tcp        0      0 192.168.1.4:25          123.30.179.231:1882     ESTABLISHED
tcp        0      0 192.168.1.4:8000        192.168.1.4:60171       ESTABLISHED
tcp        0      0 192.168.1.4:25          220.194.55.154:49382    ESTABLISHED
tcp        0      1 192.168.1.4:47404       168.95.5.98:25          SYN_SENT   
tcp        1     38 192.168.1.4:51706       163.25.6.5:25           CLOSING    
tcp        0      0 192.168.1.4:22          82.6.134.175:33921      ESTABLISHED
tcp        0      1 192.168.1.4:34995       61.222.168.107:25       SYN_SENT   
tcp        0      1 192.168.1.4:53431       139.175.252.15:25       SYN_SENT   
tcp        0      0 192.168.1.4:44602       203.204.27.161:25       TIME_WAIT  
tcp        0      1 192.168.1.4:40995       168.95.5.64:25          SYN_SENT   
tcp        0      0 192.168.1.4:25          58.8.129.69:53117       ESTABLISHED
tcp        0      1 192.168.1.4:52497       168.95.5.44:25          SYN_SENT   
tcp        0      1 192.168.1.4:39481       168.95.5.48:25          SYN_SENT   
tcp        0      1 192.168.1.4:50548       202.3.175.210:25        SYN_SENT   
tcp        0      0 192.168.1.4:25          222.170.36.50:4572      ESTABLISHED
tcp        0      1 192.168.1.4:39909       69.64.147.50:25         SYN_SENT   
tcp        0      1 192.168.1.4:36157       168.95.5.25:25          SYN_SENT   
tcp6       0      0 ::1:22                  ::1:38213               ESTABLISHED
tcp6       0      0 ::1:38213               ::1:22                  ESTABLISHED
I have already tried turning the modem and router off.

They being Virgin Media UK, and the router is a Netgear WGR614.

The services I'm running are:
ssh
mail (Axigen), Apache
icecast
and ftp on port 90-91

Recently, like in the last 2 days, I've been getting Google bot (66.249.71.12) hanging around for hours.
 
Old 10-12-2009, 05:31 PM   #12
anomie
I do notice that you're sending a lot of requests to different SMTP (mail) servers. Does that seem unusual?
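As an added example (not code from the thread or from any of the posters), the following Python script parses `netstat -tn` output in the layout shown in the post above and counts outbound port-25 connections to distinct foreign hosts, the pattern anomie points out. The sample rows, the addresses in them and the threshold are constructed for illustration.

```python
from collections import Counter

# Constructed sample in the same column layout as `netstat -tn`; the
# addresses are documentation-range placeholders, not the ones in the thread.
SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      1 192.168.1.4:55603       203.0.113.10:25         SYN_SENT
tcp        0      1 192.168.1.4:33345       203.0.113.11:25         SYN_SENT
tcp        0      0 192.168.1.4:53968       198.51.100.6:25         ESTABLISHED
tcp        0      1 192.168.1.4:53475       203.0.113.12:25         SYN_SENT
tcp        0      0 192.168.1.4:25          192.0.2.51:59752        ESTABLISHED
tcp        0      0 192.168.1.4:22          192.0.2.99:33921        ESTABLISHED
tcp        0      0 127.0.0.1:46289         127.0.0.1:5195          ESTABLISHED
tcp6       0      0 ::1:22                  ::1:38213               ESTABLISHED
"""


def parse_netstat(text):
    """Yield (local_ip, local_port, foreign_ip, foreign_port, state) per tcp row."""
    for line in text.splitlines():
        fields = line.split()
        # Skip the two header lines and anything that is not a tcp/tcp6 socket.
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        # rsplit on the last ':' so IPv6 literals such as ::1:22 split correctly.
        lip, lport = fields[3].rsplit(":", 1)
        fip, fport = fields[4].rsplit(":", 1)
        yield lip, int(lport), fip, int(fport), fields[5]


def is_loopback(ip):
    return ip.startswith("127.") or ip == "::1"


def smtp_fanout(text, threshold=10):
    """Summarise SMTP activity: outbound sockets to foreign :25 (what a spam
    relay produces, mostly SYN_SENT) versus inbound sockets on our own :25.
    'suspicious' is set when the host talks to >= threshold distinct SMTP peers."""
    outbound = Counter()      # foreign host -> sockets to its port 25
    syn_sent = 0              # half-open outbound attempts, the spam-bot signature
    inbound = 0               # remote clients connected to our port 25
    for lip, lport, fip, fport, state in parse_netstat(text):
        if is_loopback(fip):
            continue          # local IPC, irrelevant to the question asked
        if fport == 25:
            outbound[fip] += 1
            if state == "SYN_SENT":
                syn_sent += 1
        elif lport == 25:
            inbound += 1
    return {
        "distinct_smtp_peers": len(outbound),
        "syn_sent_to_25": syn_sent,
        "inbound_to_25": inbound,
        "suspicious": len(outbound) >= threshold,
    }
```

A real MTA (Axigen here) does open outbound port-25 connections of its own, so the threshold has to be set against the host's normal outbound volume; the signal is a sudden fan-out to many distinct peers sitting in SYN_SENT.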
 
Old 10-12-2009, 05:37 PM   #13
johnh10000
Quote:
Originally Posted by tredegar View Post
So you are running something potentially vulnerable, like a server.

It would be helpful to future readers if you posted a lot more information: Distro, services running (apache, ssh, telnet (the gods forbid!) etc.) See similar threads in this forum.
Sorry, Ubuntu Jaunty.



Be patient.
 
Old 10-12-2009, 05:38 PM   #14
johnh10000
Quote:
Originally Posted by anomie View Post
I do notice that you're sending a lot of requests to different SMTP (mail) servers. Does that seem unusual?
very
 
Old 10-12-2009, 05:51 PM   #15
anomie
I'm sure others will have better advice for comprehensive analysis and response than I will, but...

I'd recommend that you keep that Ubuntu box physically unplugged (ethernet cable) from the network. You're going to get blacklisted and/or contacted by your ISP regarding abuse.
 