LinuxQuestions.org

-   -   My NTP has been compromised (https://www.linuxquestions.org/questions/linux-networking-3/my-ntp-has-been-compromised-321356/)

wylie1001 05-08-2005 01:26 PM

My NTP has been compromised
 
Hi,
Well I think I was hit by some low life and now my ntp keeps sending to an ip address on port 123 every 15 minutes. I stopped it in iptables from sending out to that address. I did a whois and found out where they are. I kept getting in snort ICMP Destination unreachable but it started with other ports all over except when they hit my port 123. Now I can't find any clue what they did. I looked at all my conf files pertaining to ntp, see nothing. I also use tripwire which seems useless when you bang the keys like I do. Would like to find out something before I delete and reinstall ntp or even the whole machine. All I have running is squid, apache, ntp, cups, snort, sendmail; all is firewalled, I thought pretty good. I am not sure about these ICMP hits, trying to read up but not fully understanding of them. I know they are not good. Sorry for the winded problem. I use slack 10.1 nothing else...
Thanks for any help here,
Rick

Hangdog42 05-08-2005 01:45 PM

You should probably do some reading in the security forum, but basically, you can't trust this machine. If I were in your shoes, I would have a good, long look at what Tripwire has flagged as changed. Look for software and/or directories that you know you haven't been messing with. Also have a look at the outputs of lsof -i, and netstat -pantu for listening processes that are things you don't normally run. Running nmap might not be a bad idea either. The problem with these is that if your system has been seriously compromised, you can't necessarily trust them if they don't show anything out of the ordinary. I would also boot from a live CD distro like Knoppix and run chkrootkit and rkhunter. Also have a look in your system logs for anything out of the ordinary. Running last to see who has logged in might be useful, but again, that command may have been compromised.

I would also suggest that simply re-installing ntp is not the way to go. If they gained access to your box through an ntp exploit, I seriously doubt that ntp is the only thing that was compromised. If any hunting finds additional issues, you're going to need to nuke the disk and re-install from a trusted source. I would also ask a moderator to move this to the Security forum. You'll get a lot more good advice there than in Network.

<edit>

And I almost forgot the most important thing....Unplug the network card. Take this box off the network until you can figure out what has, or has not, happened.
</edit>
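One way to do the netstat review suggested above in a repeatable way, as an added example (not part of this thread or of any poster's setup): compare every listening socket from a `netstat -pantu` style listing against an allowlist of the daemons the box is meant to run (squid, apache, ntp, cups, sendmail, as listed in the first post) and print only what is left over. The netstat listing, the port numbers and the program names below are constructed sample data, and the stray `httpd` on 6667 is an invented entry there to show what a hit looks like.

```shell
#!/bin/sh
# Added example, not from the thread: triage a `netstat -pantu` style listing
# against the services this box is expected to run and print anything else.
# SAMPLE_NETSTAT is CONSTRUCTED sample output, not captured from any real host.

SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN      1201/squid
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1188/httpd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1230/sendmail
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1175/cupsd
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN      2210/httpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           1250/ntpd
udp        0      0 0.0.0.0:631             0.0.0.0:*                           1175/cupsd'

# Allowlist, one "PORT/PROTO PROGRAM" per line, for every daemon the box is
# meant to run (constructed to match the services named in the first post).
ALLOWED='3128/tcp squid
80/tcp httpd
25/tcp sendmail
631/tcp cupsd
631/udp cupsd
123/udp ntpd'

# Print one "PORT/PROTO PROGRAM" line per socket that is not on the allowlist.
# TCP sockets count only in LISTEN state; every bound UDP socket counts.
unexpected_listeners() {
  printf '%s\n' "$SAMPLE_NETSTAT" | awk -v allowed="$ALLOWED" '
    BEGIN {
      n = split(allowed, lines, "\n")
      for (i = 1; i <= n; i++) {
        split(lines[i], f, " ")
        ok[f[1] "/" f[2]] = 1          # key: PORT/PROTO/PROGRAM
      }
    }
    NR > 1 && ($1 == "udp" || $6 == "LISTEN") {
      port = $4; sub(/.*:/, "", port)           # "0.0.0.0:3128" -> "3128"
      prog = $NF; sub(/^[0-9]+\//, "", prog)    # "1201/squid"   -> "squid"
      key = port "/" $1 "/" prog
      if (!(key in ok)) print port "/" $1 " " prog
    }'
}

# Stand-alone use: list the leftovers, if any.
unexpected_listeners
```

On a live box you would feed it the real `netstat -pantu` output instead of the sample string, ideally run from a live CD as the post above says, since netstat and lsof on a compromised host may themselves have been replaced. A program name that matches the allowlist but sits on the wrong port, like the sample `httpd` on 6667, is exactly the kind of entry worth chasing.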

wylie1001 05-08-2005 02:17 PM

Hi,
Thanks for your quick response. I will most likely look around some more and then NUKE IT. I ran chkrootkit and will look deeper into tripwire but at this time found nothing. I didn't realize there was a security forum. Hopefully they will move this thread so maybe I can get some other tips. I liked the last command. Thanks again.

Hangdog42 05-08-2005 05:22 PM

I've asked the mods to move this thread, but you probably want to do some reading in Security on forensics. Also, you might want to post some of the outputs from those commands for the real experts to look at. You may not have to nuke the hard drive (I know I don't like to re-install unless I absolutely have to), but you probably should keep it off the net until you have a better understanding of what happened.

<edit>
OK, now I feel like a complete dinkleheimer and should have checked this earlier......Uh, port 123 is the normal NTP UDP port. Why do you think that the traffic you saw was unusual and not just someone updating their time off of your NTP server?
</edit>
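The point in the edit above is the crux of the thread: UDP/123 is just NTP, and a stock ntpd polls the servers in its ntp.conf at an interval that backs off to 1024 seconds (about 17 minutes) by default, which is the periodic outbound traffic described in the first post. As an added example (not part of this thread, and not anyone's real configuration or logs), the script below reconciles the outbound UDP/123 destinations seen in iptables LOG lines with the `server`/`peer` entries of ntp.conf and prints only destinations the configuration does not explain. The ntp.conf excerpt, the log lines and all addresses in them are constructed sample data; the 198.51.100.7 entry is invented so that the check has something to report.

```shell
#!/bin/sh
# Added example, not from the thread: which hosts does this box send NTP
# (UDP/123) to, and are they the servers configured in ntp.conf?
# SAMPLE_NTP_CONF and SAMPLE_FW_LOG are CONSTRUCTED, not real configs or logs.

SAMPLE_NTP_CONF='# constructed ntp.conf excerpt
server 192.0.2.10 iburst
server 192.0.2.11
restrict default nomodify notrap
driftfile /etc/ntp/drift'

# Constructed iptables LOG lines in the usual kernel-log layout (abridged).
SAMPLE_FW_LOG='May  8 13:00:01 slack kernel: OUT=eth0 SRC=192.168.1.5 DST=192.0.2.10 PROTO=UDP SPT=123 DPT=123 LEN=56
May  8 13:15:02 slack kernel: OUT=eth0 SRC=192.168.1.5 DST=192.0.2.11 PROTO=UDP SPT=123 DPT=123 LEN=56
May  8 13:16:40 slack kernel: OUT=eth0 SRC=192.168.1.5 DST=198.51.100.7 PROTO=UDP SPT=123 DPT=123 LEN=56
May  8 13:17:00 slack kernel: OUT=eth0 SRC=192.168.1.5 DST=203.0.113.9 PROTO=TCP SPT=40112 DPT=80 LEN=60'

# Hosts named on "server" or "peer" lines of the configuration, one per line.
configured_ntp_servers() {
  printf '%s\n' "$SAMPLE_NTP_CONF" | awk '$1 == "server" || $1 == "peer" { print $2 }'
}

# Distinct DST= addresses of outbound UDP packets to port 123 in the log.
outbound_ntp_destinations() {
  printf '%s\n' "$SAMPLE_FW_LOG" | awk '
    /PROTO=UDP/ && /DPT=123/ {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^DST=/) { sub(/^DST=/, "", $i); print $i }
    }' | LC_ALL=C sort -u
}

# NTP destinations that ntp.conf does not account for.
unexplained_ntp_destinations() {
  cfg="$(configured_ntp_servers)"
  outbound_ntp_destinations | awk -v cfg="$cfg" '
    BEGIN { n = split(cfg, a, "\n"); for (i = 1; i <= n; i++) known[a[i]] = 1 }
    !($0 in known)'
}

# Stand-alone use: print what is left to explain.
unexplained_ntp_destinations
```

Two caveats before reading a hit as a compromise: a `pool` or hostname entry in ntp.conf resolves to addresses that change over time, so reconcile against the addresses `ntpq -p` reports rather than the raw config in that case; and a packet with DPT=123 arriving from outside is most likely some other host syncing its clock off yours, as the edit above says, not an attack on your NTP.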

wylie1001 05-09-2005 07:24 PM

Well I have not nuked it yet. My pc is for learning, I don't use it for personal use like buying stuff etc. I did wipe out my ntp software and reloaded it and set up ntpd for the time and guess what, it started to go out to the address that was from the ICMP hacker, which not sure if he was going through another pc or not. I got to let you all know all the hits mainly on my computer are from corporations, not home pc's! My snort tells me all that is going on....These people have nothing better to do than to try to hack our computers...They get bored at the night shift and try to hack. Well enough of that. I am going to look all around and see what other program works with ntp to see where this address is in the file sending to it. I don't think it is in the kernel, maybe a library file. I will keep you guys posted. Well I am down to just three ports open now, later for keeping the time in synch. Squid, my apache and my sendmail. I did see that Cisco had a warning on ntp to keep the service off. I know why ...
