LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 11-25-2006, 03:41 AM   #1
Kmann
LQ Newbie
 
Registered: Nov 2006
Posts: 4

Rep: Reputation: 0
Being Attacked By Bot or Person, Opinions plz


Well, I had SSH enabled on the machine before I killed it. I am new to Linux, but I have always been interested in computer security and some day wish to be a consultant or do computer security for a company.

Anyhow, I checked my log files and came upon a user who is trying to gain access through SSH. From the looks of it, it looks like a program scanning default passwords and accounts, hoping to get lucky. I only have 3 ports open, so I don't think he will get in that easily.

Anyhow, I won't use the person's real IP address. So I start investigating by doing a whois and figure out the ISP is Comcast Cable Communications. So I am guessing this is a regular script kiddie just scanning, hoping to get lucky. (This is what I thought at first.)

So I scan his IP address, and it has some ports open:

Code:
22/tcp    open     ssh
53/tcp    open     domain
111/tcp   open     rpcbind
135/tcp   filtered msrpc
136/tcp   filtered profile
137/tcp   filtered netbios-ns
138/tcp   filtered netbios-dgm
139/tcp   filtered netbios-ssn
351/tcp   filtered matip-type-b
445/tcp   filtered microsoft-ds
638/tcp   filtered unknown
1080/tcp  filtered socks
1720/tcp  filtered H.323/Q.931
2401/tcp  open     cvspserver
3306/tcp  open     mysql
8888/tcp  open     sun-answerbook
22321/tcp filtered wnn6_Tw
You can connect to SSH and MySQL; you can also connect to cvspserver, but it kicks you out.

I am not really sure what wnn6_Tw is, but I found out that sun-answerbook is a mIRC bot that does many things:

Quote:
* custom definitions
* custom random quotes
* dictionary word definition lookups
* language translator for 8 different languages
* domain/whois lookup (supports most major registrars)
* weather forecast for US, Canada and every major city on this planet
* currency converter between 173 countries/currencies
* units converter with 100+ units spread over 14 categories
* thesaurus lookups
* tv show lookups
* news headlines
* movie info and weekend boxoffice stats
* actors/actresses short biography/filmography
* sports schedules and scores
* find distance between two cities
* US & Canada residential/business phone number lookup
* eBay item lookup
* webserver software/OS lookup
* IP/Arin netblock lookup
* stock quote lookup for US & Canadian exchanges
* horoscopes
* spellchecker
* word of the day
So what do you guys think: has this computer been rooted and is pretty much a zombie for scanning out PCs, or is it a user trying to break into my PC directly?

I am thinking it's a zombie, and the user doesn't even know.

Would like to hear from some of you and what you think.

Thanks in advance
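The log pattern the original poster describes (one source trying a series of default accounts against sshd) is easy to pull out of auth.log with standard tools. The script below is an added example, not something from the thread: it writes a few constructed OpenSSH-style syslog lines to a temporary file (the addresses are RFC 5737 documentation addresses, not real hosts), counts failed password attempts per source, and flags any source above a threshold (5 here, an assumed value) together with the account names it cycled through. On a real host you would point the functions at /var/log/auth.log or /var/log/secure.

```shell
#!/bin/sh
# Added example: spot SSH password-guessing in OpenSSH syslog lines.
# The log lines below are constructed samples; only the "Failed password"
# lines matter for the counts, the "Accepted" line is there for contrast.

AUTH_LOG="${TMPDIR:-/tmp}/sample-auth.log.$$"
trap 'rm -f "$AUTH_LOG"' EXIT
cat > "$AUTH_LOG" <<'EOF'
Nov 25 02:11:01 gw sshd[4120]: Failed password for invalid user admin from 203.0.113.7 port 51822 ssh2
Nov 25 02:11:03 gw sshd[4122]: Failed password for invalid user test from 203.0.113.7 port 51830 ssh2
Nov 25 02:11:05 gw sshd[4124]: Failed password for root from 203.0.113.7 port 51841 ssh2
Nov 25 02:11:07 gw sshd[4126]: Failed password for invalid user oracle from 203.0.113.7 port 51850 ssh2
Nov 25 02:11:09 gw sshd[4128]: Failed password for invalid user guest from 203.0.113.7 port 51861 ssh2
Nov 25 02:14:40 gw sshd[4201]: Failed password for kmann from 198.51.100.23 port 40012 ssh2
Nov 25 02:14:52 gw sshd[4203]: Accepted password for kmann from 198.51.100.23 port 40012 ssh2
Nov 25 02:20:13 gw sshd[4300]: Invalid user mysql from 203.0.113.7
Nov 25 02:20:13 gw sshd[4300]: Failed password for invalid user mysql from 203.0.113.7 port 51902 ssh2
EOF

# Print "count ip" for every source with at least one failed password,
# most active source first. The IP is the word after "from".
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { print $(i+1); break }
         }' "$1" | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Print only the sources with at least $2 failures. A single mistyped
# password by a legitimate user stays below the threshold.
suspect_sources() {
    failed_by_ip "$1" | awk -v min="$2" '$1 >= min { print $2 }'
}

# Distinct account names a given source tried, space separated and sorted:
# the word before "from" is the username whether or not "invalid user"
# precedes it.
usernames_tried() {
    awk -v ip="$2" '/Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from" && $(i+1) == ip) print $(i-1)
         }' "$1" | sort -u | tr '\n' ' ' | sed 's/ $//'
}

failed_by_ip "$AUTH_LOG"
echo "--- sources with >= 5 failures:"
suspect_sources "$AUTH_LOG" 5
echo "--- accounts tried by 203.0.113.7: $(usernames_tried "$AUTH_LOG" 203.0.113.7)"
```

The account list is the tell: a person who mistyped a password retries the same account, while a scanner walks through admin, test, oracle, guest and so on from a fixed source in a matter of seconds.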
 
Old 11-25-2006, 04:04 AM   #2
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
I would bet large sums of money it's some poor sap who got "owned". The service on port 8888 is most likely an IRC server for remote control of the bot. As to how the box was rooted, there are all kinds of ways with all the services that were left open. First, only royal idiots would leave a database open to connections from the Internet (MySQL). It's quite possible that MySQL was the attack vector, especially if it was slightly out of date. More likely though, is simply an SSH brute-force password attack.

Nearly 100% of current "hacking attempts" are simply automated bots in a zombie army. It's simply not efficient (or safe) to actually launch attacks from your own system, or in an interactive way.
 
Old 11-25-2006, 04:38 AM   #3
Kmann
LQ Newbie
 
Registered: Nov 2006
Posts: 4

Original Poster
Rep: Reputation: 0
Ya, that's what I figured.

I have 1 more question: I have three ports open on this machine, and I am not really sure what they are for. Could you please explain and tell me if it's safe to have these open or if it's best to close these ports?

37 time
113 auth
6000 X11

I have a feeling that 6000 is used to get a GUI while using remote access??

Not really sure what the other two are for.
 
Old 11-26-2006, 03:21 AM   #4
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
Disable time and auth in inetd.conf (or xinetd, whatever provides inetd on your distro). Edit your X server config file to include the -nolisten tcp option and restart X. You definitely do not want to allow X connections across the Internet.
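The two steps above (comment out the inetd entries, add -nolisten tcp to the X server command line) can be scripted and checked. The following is an added example, not from the post: it works on constructed copies of an inetd.conf and a startx-style xserverrc in a temporary directory. On a real host the targets would be /etc/inetd.conf and ~/.xserverrc (or the display manager's own config, which differs between gdm, kdm and xdm); for xinetd the equivalent is `disable = yes` in the service's file under /etc/xinetd.d. After editing, inetd needs a HUP and X a restart, which the script deliberately does not do.

```shell
#!/bin/sh
# Added example: disable inetd "time" and "auth" and make X start with
# "-nolisten tcp". Both config files below are constructed samples.

WORK="${TMPDIR:-/tmp}/harden.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/inetd.conf" <<'EOF'
# <service> <socket> <proto> <wait/nowait> <user> <server> <args>
time    stream  tcp     nowait  root    internal
daytime stream  tcp     nowait  root    internal
auth    stream  tcp     nowait  nobody  /usr/sbin/in.identd  in.identd -w -t120
#telnet stream  tcp     nowait  root    /usr/sbin/in.telnetd in.telnetd
EOF

cat > "$WORK/xserverrc" <<'EOF'
#!/bin/sh
exec /usr/bin/X "$@"
EOF

# Service names inetd will actually start: first field of every line that
# is neither blank nor a comment, sorted, space separated.
active_inetd_services() {
    awk '$0 !~ /^[ \t]*(#|$)/ { print $1 }' "$1" | sort | tr '\n' ' ' | sed 's/ $//'
}

# Comment out every active line whose service field is $2. The original
# text is kept behind the "#" so the change is reversible. Portable sed
# (no -i): write to a temp file and move it into place. Afterwards run
# "kill -HUP <inetd pid>" on the real host so inetd rereads its config.
disable_inetd_service() {
    file=$1; svc=$2
    sed "s/^\([[:space:]]*${svc}[[:space:]]\)/#\1/" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# Does the X launch line already carry "-nolisten tcp"?
x_nolisten_tcp() {
    grep -q -e '-nolisten[[:space:]]\{1,\}tcp' "$1"
}

# Insert "-nolisten tcp" right after the X binary on the exec line of a
# startx-style xserverrc, leaving any existing arguments in place.
add_nolisten_tcp() {
    x_nolisten_tcp "$1" && return 0
    sed 's#^\(exec [^ ]*X\)\(.*\)$#\1 -nolisten tcp\2#' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Live check for a real host (prints nothing here, where no X is running):
# any listener on TCP 6000 (display :0) shows up.
x_tcp_listeners() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | awk '$4 ~ /:6000$/'
    elif command -v netstat >/dev/null 2>&1; then
        netstat -ltn 2>/dev/null | awk '$4 ~ /:6000$/'
    fi
}

echo "inetd before: $(active_inetd_services "$WORK/inetd.conf")"
disable_inetd_service "$WORK/inetd.conf" time
disable_inetd_service "$WORK/inetd.conf" auth
echo "inetd after:  $(active_inetd_services "$WORK/inetd.conf")"
add_nolisten_tcp "$WORK/xserverrc"
echo "xserverrc:    $(tail -n 1 "$WORK/xserverrc")"
x_tcp_listeners
```

The service match is anchored on the whole first field, so disabling `time` leaves `daytime` alone and a line that is already commented out is not touched twice.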
 
Old 11-30-2006, 12:40 PM   #5
derxob
Member
 
Registered: Apr 2006
Location: Los Angeles, California
Distribution: Slackware, Ubuntu
Posts: 68

Rep: Reputation: 16
As said in another thread, you should take some steps to better secure your SSH daemon. These attacks on your SSH server are most likely automated and will continue to happen. I hope your password is secure and non-dictionary. Take a look at this article, which explains a few simple steps to better secure your SSHD: Modify SSH to Maximize Security

Good luck
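To make the "secure your SSH daemon" advice concrete, here is an added example (not from the post or the article it links) that audits an sshd_config against a handful of common hardening settings and shows a weak config next to a corrected one. The settings checked (PermitRootLogin, PasswordAuthentication, PubkeyAuthentication, MaxAuthTries, AllowUsers) are real sshd_config keywords; the choice of which to check and the limit of 3 for MaxAuthTries are this example's assumptions. Both config files are constructed samples in a temporary directory; on a real host point `audit_sshd` at /etc/ssh/sshd_config and run `sshd -t` before restarting the daemon.

```shell
#!/bin/sh
# Added example: audit sshd_config hardening settings, weak vs. hardened.
# sshd takes the FIRST occurrence of a keyword and keywords are
# case-insensitive; Match blocks are not handled by this simple parser.

WORK="${TMPDIR:-/tmp}/sshaudit.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Weak (constructed): password logins for everyone, root included.
cat > "$WORK/weak" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#MaxAuthTries 6
EOF

# Hardened (constructed): keys only, no root, fewer guesses per connection,
# an explicit allow-list of accounts that may log in at all.
cat > "$WORK/hardened" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 30
AllowUsers kmann
EOF

# First active value of keyword $2 in file $1, or "unset" when the keyword
# is missing or commented out (sshd then uses its compiled-in default).
sshd_value() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        $0 !~ /^[ \t]*(#|$)/ && tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print "unset" }' "$1"
}

# One "keyword value (want ...) PASS|FAIL" line per check; returns non-zero
# if any check failed. "unset" always fails: the audit wants the setting
# stated explicitly rather than relying on a default that varies by version.
audit_sshd() {
    file=$1; rc=0
    for spec in PermitRootLogin:no PasswordAuthentication:no \
                PubkeyAuthentication:yes MaxAuthTries:3 AllowUsers:any; do
        key=${spec%%:*}; want=${spec#*:}
        got=$(sshd_value "$file" "$key")
        case $key in
            AllowUsers)   [ "$got" != unset ] ;;
            MaxAuthTries) [ "$got" != unset ] && [ "$got" -le "$want" ] ;;
            *)            [ "$got" = "$want" ] ;;
        esac && status=PASS || status=FAIL
        [ "$status" = FAIL ] && rc=1
        printf '%-22s %-8s (want %s) %s\n' "$key" "$got" "$want" "$status"
    done
    return $rc
}

echo "== weak"
audit_sshd "$WORK/weak" || echo "-> weak config fails the audit"
echo "== hardened"
audit_sshd "$WORK/hardened" && echo "-> hardened config passes"
```

Turning PasswordAuthentication off only helps once a working key is in place for the account in AllowUsers; test the key login from a second session before restarting sshd so a mistake does not lock you out.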
 
All times are GMT -5.