HELP Hacker suspected

Hi,

I've got a linux box that does all my web related stuff, ie, file sharing, internet dialup (broadband), mail server , samba, etc etc.

I've had a couple of weird experiences over the last couple of days, where my server just ditches the internet, and requires a reboot. I checked the /var/log folder and found literally hundreds of name.log files, where name can be anythign from jack to xxx283838 and a lot of ipnumber.log files. Upon looking inside them, i've found this :

[2004/03/21 05:19:08, 0] lib/util_sock.c:read_socket_data(342)
read_socket_data: recv failure for 4. Error = Connection reset by peer
[2004/03/21 05:20:06, 0] lib/util_sock.c:read_socket_data(342)
read_socket_data: recv failure for 4. Error = Connection reset by peer
[2004/03/21 05:22:33, 0] lib/util_sock.c:read_socket_data(342)
read_socket_data: recv failure for 4. Error = Connection reset by peer
[2004/03/21 05:23:36, 0] lib/util_sock.c:read_socket_data(342)
read_socket_data: recv failure for 4. Error = Connection reset by peer
[2004/03/21 05:24:01, 0] lib/util_sock.c:read_socket_data(342)
read_socket_data: recv failure for 4. Error = Connection reset by peer
[2004/03/21 05:29:32, 0] lib/util_sock.c:read_socket_data(342)
read_socket_data: recv failure for 4. Error = Connection reset by peer

And :

[2004/03/18 22:14:20, 1] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(576)
Unknown packet in reply_sesssetup_and_X_spnego

And finally. a huge one consisting of mainly @@@@@@@@@@@ etc etc.


Please help, does anyone know what's going on??

My system :

Linux Slackware using 2.6.3, Samba 3 (Latest) Apache 2 (Latest)

Thanks in advance.

Evilone

I could be wrong, but I think those log files are created by Samba every time a new client tries to connect (then it keeps track of their subsequent activities). It seems like you have Samba enabled on your external IP!

What's the output of this command?
$ netstat -lanF inet
?
Note: I think it's -F inet on Linux, I can't remember... just -l should get what I'm looking for, then don't paste all the stuff that's UNIX sockets.

Yes indeedy it's samba, i've turned off smbd and nmbd and the logfiles have stopped being created.

I've a fair idea of how this has happened. I recently upgraded to samba 3.0.2a, and had to rewrite my smb.conf (my old one did'nt work).

Would you mind taking a look at my config and suggesting how i can make it local only, ie , only available to local lan and NOT outside access.

SMB.conf :

#[global]
netbios name = merlin
workgroup = home
encrypt passwords = Yes
security = user
log file = /var/log/%m.log
log level = 1
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
wins support = yes
domain logons = yes
os level = 99
[htdocs]
path = /var/www/htdocs
read only = no
public = yes
guest ok = no
browseable = yes
hosts allow = 192.168.7.0/24
valid users = +users
[win32share]
path = /backup
read only = no
public = yes
guest ok = no
browseable = yes
hosts allow = 192.168.7.0/24
valid users = +users



Cheers,

Ade


Edit :

All i want is for local users of the machine to be able to browse and change files. I do not even want it broadcasting to the web at all.

The easy way would be to block samba on a firewall level on the external Iface.
iptables -A INPUT -i [external interface] -p tcp --destination-port 135 -j DROP
iptables -A INPUT -i [external interface] -p tcp --destination-port 137 -j DROP

*thats just off the top of my head.. someone might wanna double check the syntax*

Well it shouldn't be listening on the external interface any way. By the way Khabi, you have it backwards. Samba uses 137 & 138 UDP and 139 TCP.

In my smb.conf I have:
interfaces = 10.0.0.5/28

10.0.0.5 is the IP that Samba listens on, and /28 is my subnet bitmask.

By the way, does this box have 2 network interfaces or only one?

Thanks for that, the interfaces= line did the job. No more log files bar my own now. Will let it run for a few hours and if i've still got problems, i'll post.

Cheers for the advice.

Ade

Well, back to drawing board... Still getting those hits to samba externaly.

I've added your suggestion about the interfaces = and still no joy. I then modified my firewall script with the previous suggestions. Here is my firewall script :

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
iptables -A INPUT -i ppp0 -p udp --destination-port 137 -j DROP
iptables -A INPUT -i ppp0 -p udp --destination-port 138 -j DROP
iptables -A INPUT -i ppp0 -p tcp --destination-port 139 -j DROP
echo 1 > /proc/sys/net/ipv4/ip_forward



Still getting those log files building up. Any more idea's??

Thanks in advance.

Ade

Edit:

In answer to previous question, 1 nic card, local lan (eth0), 1 USB Broadband modem (ppp0). Two other machines (Wireless laptop, and my main windows xp box), share the internet connection and the samba shared files, as above.

Are you sure one of your Windows boxes wasn't compromised?

Quote:

Originally posted by chort By the way Khabi, you have it backwards. Samba uses 137 & 138 UDP and 139 TCP.

Well.. Can't always be perfect

OK, i nailed it..... the samba 3 smb.conf uses a few different parameters from the version 2 smb.conf... Here's the code that finally stopped me broadcasting all over the internet and beyond

#[global]
netbios name = merlin
workgroup = home


bind interfaces only = true
interfaces = eth0 192.168.7.1


hosts deny = all
hosts allow = 192.168.7.2 192.168.7.4
encrypt passwords = Yes
security = user
log file = /var/log/%m.log
socket options = TCP_NODELAY IPTOS_LOWDELAY
local master = yes
prefered master = yes
wins support = yes
domain logons = yes

The bind interfaces only and the interfaces line tells samba 3 to ony use the specified device and what ip to broadcast on.

Hope this helps someone else in the future, took a good deal of time to find.


Cheer's for the help and idea's,

Ade


Edit :

I should really add, in response to the "you sure your win box is'nt compromised" question. Yes i'm sure , it's a brand new installation on my newly put togeather P4 3Ghz box. And it's running the latest norton antivirus, corporate edition.. The problem was deffinately samba related, by default, it searches for all available connections and broadcasts on them ALL by default.

Hope this helps someone else in the future, took a good deal of time to find.
Thanks for adding your solution Evilone!

No problems, i've had a good deal of help from this forum over the last year, just giving a little back.

Quote:

Originally posted by Evilone Edit : I should really add, in response to the "you sure your win box is'nt compromised" question. Yes i'm sure , it's a brand new installation on my newly put togeather P4 3Ghz box. And it's running the latest norton antivirus, corporate edition.. The problem was deffinately samba related, by default, it searches for all available connections and broadcasts on them ALL by default.

The problem lies with Norton you should be using Norman Virus Control with personal firewall on your win box, then only will you be sure that you have not been hacked!

Also most of the latest viruses cut through Norton with ease as well as Black Ice Defender, if you have any doubts go to www.norman.com site and download a trial version for your win box.

Do a scan on your machine, once you have Norman installed and norton taken off and tell use what you find ?

Norman runs on Linux as well

Edit :

I have been and still am running a smoothwall box as a firewall on an old P1 Cyrix 166, with 96 meg ram, to take care of my firewall and other requirements.

I read lots and post seldom

You could of course install a chkrootkit to make double sure that your linux box has not been hacked, it will also look for any trojans etc.
The latest version .043 which you can get from this link distro.ibiblio.org/pub/linux/distributions/ sorcerer/sources/chkrootkit/0.43/

catman_za, I might restrict your enthusiasm a little bit there. Perhaps in your opinion Norman is better than Norton, but not product is perfect so your statement

Quote:

then only will you be sure that you have not been hacked!

isn't really factual.

Please avoid the appearance of advertising any products. You're welcome to give your experience, but in the world of software there's never a perfect product that fits everyone's needs or is 100% effective at what it's supposed to do.

One might speculate why products like Norton, McAfee, Trend, and Sophos do so well in the commercial market if Norman is so thoroughly superior as you suggest...