Believe it or not, I was online for 4 hours downloading info to load on my brand new Samba server. While I was doing so, I was being hacked OVER A DIAL-UP CONNECTION! At the time, I was sharing my dial-up connection via XP Pro (only because my modem isn't Linux-compatible). Proof that Windows should never directly touch the Internet. Yes, I was running this apparently useless XP firewall, and I keep my updates current. Once the attacker took over the XP machine, they started in on my new Samba server. The XP machine is 192.168.0.1 and the Samba server is 192.168.0.100. Here is the snort log:
[1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 192.168.0.100 -> 192.168.0.1
[1:535:4] NETBIOS SMB CD... [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.0.1:3156 -> 192.168.0.100:139
[1:535:4] NETBIOS SMB CD... [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1882:4] ATTACK-RESPONSES id check returned userid [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1882:4] ATTACK-RESPONSES id check returned userid [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1882:4] ATTACK-RESPONSES id check returned userid [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1386:4] MS-SQL/SMB raiserror possible buffer overflow [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:535:4] NETBIOS SMB CD... [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:535:4] NETBIOS SMB CD... [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1386:4] MS-SQL/SMB raiserror possible buffer overflow [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1386:4] MS-SQL/SMB raiserror possible buffer overflow [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1386:4] MS-SQL/SMB raiserror possible buffer overflow [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1882:4] ATTACK-RESPONSES id check returned userid [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1386:4] MS-SQL/SMB raiserror possible buffer overflow [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1386:4] MS-SQL/SMB raiserror possible buffer overflow [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:681:4] MS-SQL/SMB xp_cmdshell program execution [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1882:4] ATTACK-RESPONSES id check returned userid [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1882:4] ATTACK-RESPONSES id check returned userid [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1882:4] ATTACK-RESPONSES id check returned userid [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1386:4] MS-SQL/SMB raiserror possible buffer overflow [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1882:4] ATTACK-RESPONSES id check returned userid [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1386:4] MS-SQL/SMB raiserror possible buffer overflow [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:681:4] MS-SQL/SMB xp_cmdshell program execution [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1882:4] ATTACK-RESPONSES id check returned userid [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1882:4] ATTACK-RESPONSES id check returned userid [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1295:7] NETBIOS nimda RICHED20.DLL [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:677:5] MS-SQL/SMB sp_password password change [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:703:5] MS-SQL/SMB xp_setsqlsecurity possible buffer overflow [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:681:4] MS-SQL/SMB xp_cmdshell program execution [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1386:4] MS-SQL/SMB raiserror possible buffer overflow [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:678:5] MS-SQL/SMB sp_delete_alert log file deletion [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:535:4] NETBIOS SMB CD... [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:703:5] MS-SQL/SMB xp_setsqlsecurity possible buffer overflow [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1882:4] ATTACK-RESPONSES id check returned userid [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:695:5] MS-SQL/SMB xp_sprintf possible buffer overflow [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:703:5] MS-SQL/SMB xp_setsqlsecurity possible buffer overflow [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:702:5] MS-SQL/SMB xp_displayparamstmt possible buffer overflow [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:698:5] MS-SQL/SMB xp_proxiedmetadata possible buffer overflow [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1882:4] ATTACK-RESPONSES id check returned userid [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1882:4] ATTACK-RESPONSES id check returned userid [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:677:5] MS-SQL/SMB sp_password password change [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1882:4] ATTACK-RESPONSES id check returned userid [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1882:4] ATTACK-RESPONSES id check returned userid [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 192.168.0.100 -> 192.168.0.1
[1:1386:4] MS-SQL/SMB raiserror possible buffer overflow [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1386:4] MS-SQL/SMB raiserror possible buffer overflow [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1295:7] NETBIOS nimda RICHED20.DLL [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1386:4] MS-SQL/SMB raiserror possible buffer overflow [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:677:5] MS-SQL/SMB sp_password password change [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1386:4] MS-SQL/SMB raiserror possible buffer overflow [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:678:5] MS-SQL/SMB sp_delete_alert log file deletion [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1386:4] MS-SQL/SMB raiserror possible buffer overflow [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:681:4] MS-SQL/SMB xp_cmdshell program execution [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:689:4] MS-SQL/SMB xp_reg* registry access [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1386:4] MS-SQL/SMB raiserror possible buffer overflow [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1882:4] ATTACK-RESPONSES id check returned userid [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1882:4] ATTACK-RESPONSES id check returned userid [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1882:4] ATTACK-RESPONSES id check returned userid [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1882:4] ATTACK-RESPONSES id check returned userid [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1882:4] ATTACK-RESPONSES id check returned userid [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1882:4] ATTACK-RESPONSES id check returned userid [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.0.1:3735 -> 192.168.0.100:10000
I've since updated to DSL and a true firewall. Enjoy, and comments are welcome. In the meantime I have an XP machine to rebuild. It will be fun calling Microsoft and telling them I need a new registration number because I had to reload their OS after being hacked!
Looks like they may have exploited the MS-SQL vuln that SQL Slammer took advantage of... Were you even keeping your XP box up to date with security fixes? If not, that's hardly Microsoft's fault. The patches have been out for a looooooong time.
Originally posted by chort: Looks like they may have exploited the MS-SQL vuln that SQL Slammer took advantage of... Were you even keeping your XP box up to date with security fixes? If not, that's hardly Microsoft's fault. The patches have been out for a looooooong time.
The question already seems answered at the top of this thread...
Originally posted by ghight: ... and I keep my updates current.
Yes, even with my dial-up connection, I was keeping up to date with the updates, but apparently, keeping my dial-up online long enough to download the new update is in itself a security issue. The very definition of "catch-22".
I missed the part about the updates, still it's very strange. It looks pretty obvious that it was a SQL exploit. Did you have a SQL server on the XP box? Perhaps some of the table permissions were not set correctly or something, and the attacker was able to use a SQL command injection or some similar method.
Anyway, looks like a good reason to have Snort running and up to date. Even if you think everything is secure, you still may be successfully attacked.
I use a LAMP server system on my XP machine to test my Dreamweaver pages, but that would not have been the problem; otherwise, nope, no IIS or MS-SQL or anything. I am a network administrator by profession, so I keep a pretty tight ship, at least as far as I am aware. I made one stupid mistake and it bit me. The part that gets me is that if the attacker hadn't gone after my Linux server with the snort detection, I would never have known. There is absolutely NO indication that my computer was hacked. I even keep a virus scanner that would have noticed a script such as this, yet it missed it too.
There was nothing that the attacker could have gotten off of any of my computers that was worth a damn, so I'm not too worried. I will reload both of these computers however, just to be safe.
If you look at the timestamps of the snort entries, are they spaced relatively close together, indicating an automated tool/worm, or are they farther apart and relatively non-uniform, indicating someone manually trying exploits? Interesting to trace through each sequence of attacks.
Originally posted by dekket: The question already seems answered at the top of this thread...
I think this has an angle that is faster than analyzing all the logs. The doz native firewall totally lacks outgoing packet scans. I agree that quitting the XP firewall and downloading Zonelabs may actually help! This is the firewall that surprised me with absolute success in my last doz days. It's worth a look! http://www.zonelabs.com I was impressed!
Originally posted by Capt_Caveman: If you look at the timestamps of the snort entries, are they spaced relatively close together indicating an automated tool/worm or are they farther apart and relatively un-uniform indicating someone manually trying exploits? Interesting to trace through each sequence of attacks.
Like I have suggested before, timing is crucial. Nice, Capt_Caveman. I hope my previous post helps.
Obviously there was a lot edited out of the log so I could get a reasonable size post, but everything you see was over a 2 and a half hour timeframe. There are flurries of activity that are within 40 seconds of each other, then it stopped for a few minutes to an hour and then more short flurries. Looks like scripts being run manually to me.
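The timing check Capt_Caveman suggests and the 40-second flurries ghight describes, worked as an added example (not code from anyone in the thread): it parses Snort fast-alert lines in the format shown above, groups them into bursts, and reports the quiet gaps between bursts. The sample alerts and their timestamps are constructed, since the posted log had its timestamps edited out; the standard Snort fast-alert prefix MM/DD-HH:MM:SS.ffffff is assumed in front of each line.

```python
import re
from datetime import datetime

# Snort fast-alert prefix (MM/DD-HH:MM:SS.ffffff) followed by the alert format
# seen in the thread. Ports are optional so ICMP lines parse too.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[(?P<sid>\d+:\d+:\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<pri>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

def parse_alert(line):
    """Return a dict for one fast-alert line, or None if it does not parse."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    a["ts"] = datetime.strptime(a["ts"], "%m/%d-%H:%M:%S.%f")  # year-less; used for deltas only
    a["pri"] = int(a["pri"])
    return a

def burst_summary(lines, gap_seconds=40):
    """Group alerts into bursts: a new burst starts whenever the gap since the
    previous alert exceeds gap_seconds (40 s matches the flurries ghight saw)."""
    alerts = sorted(filter(None, map(parse_alert, lines)), key=lambda a: a["ts"])
    bursts = []
    for a in alerts:
        if bursts and (a["ts"] - bursts[-1]["end"]).total_seconds() <= gap_seconds:
            b = bursts[-1]
        else:
            b = {"start": a["ts"], "end": a["ts"], "count": 0, "p1": 0, "sigs": set()}
            bursts.append(b)
        b["end"], b["count"] = a["ts"], b["count"] + 1
        b["p1"] += int(a["pri"] == 1)  # Priority 1 = attempted privilege gain
        b["sigs"].add(a["sid"])
    return bursts

def burst_gaps(bursts):
    """Seconds of quiet between consecutive bursts. Tight bursts separated by
    long, irregular gaps point to a person launching scripts; evenly spaced
    alerts point to an automated tool or worm."""
    return [(n["start"] - p["end"]).total_seconds() for p, n in zip(bursts, bursts[1:])]

# Constructed sample: five alerts in the thread's format with made-up timestamps.
SAMPLE = """\
04/12-20:01:02.100000 [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 192.168.0.100 -> 192.168.0.1
04/12-20:01:15.200000 [1:535:4] NETBIOS SMB CD... [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.0.1:3156 -> 192.168.0.100:139
04/12-20:01:40.300000 [1:1386:4] MS-SQL/SMB raiserror possible buffer overflow [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
04/12-20:47:10.000000 [1:681:4] MS-SQL/SMB xp_cmdshell program execution [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
04/12-20:47:22.000000 [1:1882:4] ATTACK-RESPONSES id check returned userid [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
""".splitlines()

if __name__ == "__main__":
    bursts = burst_summary(SAMPLE)
    for b in bursts:
        print(b["start"].time(), b["end"].time(), b["count"], b["p1"], sorted(b["sigs"]))
    print("quiet gaps between bursts (s):", burst_gaps(bursts))
```

Run against a real alert file (one line per alert) by replacing SAMPLE with the file's lines; the per-burst signature sets also show whether each flurry repeats the same probe or walks through a different tool's checks.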
Shut down the SQL server and get online to grab the windows updates. I agree with the poster who says this is all your fault for not keeping up to date. Same thing happens to Linux users who run too many services and don't watch the security updates for them.
Man, are you even bothering to read the posts?? I always keep XP up to date and I have NO MS-SQL server running. Geez, if you are going to post some half-assed comment, at least make sure it hasn't already been answered, AND TWICE MIGHT I ADD!
BTW, the System Monitor application in Windows actually has an embedded SQL server to store the stats in. Even if you're not explicitly running MS SQL, it will be there (let me see if I can find the exact name of the app). A lot of companies were very surprised when their Windows boxen got hosed by the SQL Slammer worm, even though they didn't think they were running SQL databases on those boxen.
Edit: Well, I couldn't find the specific information I was looking for, but it does look like "System Monitor" (actual name) uses an embedded SQL Server, so that would be vulnerable. Also interesting is that MS Visual Studio and MS Office Development Edition also contain SQL servers.