LinuxQuestions.org - Linux - Security - Hacked or not? (https://www.linuxquestions.org/questions/linux-security-4/hacked-or-not-257499/)

knutove1728 11-21-2004 03:12 AM

Hacked or not?
 
3 weeks after a fresh install of Redhat Fedora core 2 things started to happen. First I couldn't get into the setup of my broadband router connected to the internet using http://<ip-address of the router> in the browser address field. I had to replace the router with a new one. Then after a while, when I for some reason had to restart the iptables service, I got an error in line 26 in the iptables script, the COMMIT line. I had to comment out the COMMIT line and the error disappeared. I can't quote the file because somehow I lost it. I was after applying a new firewall script called iptables and thought I saved the original. I'm afraid I'm not quite familiar with iptables since my old RH7.2 distro used ipchains and I never had any problems or suspected being hacked. Anyway here is my new iptables script.

#!/bin/bash
IPTABLES="/sbin/iptables"
# Load required modules
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_MASQUERADE

# Then flush all rules and delete the user-defined chains, so the script
# can be re-run (otherwise the -N lines below fail with "Chain already exists")
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -X
/sbin/iptables -t nat -X

/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT

# In the NAT table (-t nat), Append a rule (-A) after routing
# (POSTROUTING) for all packets going out eth0 (-o eth0) which says to
# MASQUERADE the connection (-j MASQUERADE).

/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

/sbin/iptables -A FORWARD -d 192.168.0.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -s ! 192.168.0.0/24 -j DROP

# Disallow NEW and INVALID incoming or forwarded packets from eth0.
/sbin/iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
/sbin/iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP

# port 113 is evil ;)
/sbin/iptables -A INPUT --protocol udp --source-port 113 -j DROP
/sbin/iptables -A INPUT --protocol udp --destination-port 113 -j DROP

/sbin/iptables -A INPUT --protocol tcp --source-port 25 -j ACCEPT
/sbin/iptables -A INPUT --protocol tcp --source-port 80 -j ACCEPT
#/sbin/iptables -A INPUT --protocol udp --destination-port 25 -j ACCEPT
/sbin/iptables -A INPUT --protocol tcp --source-port 111 -j DROP
/sbin/iptables -A INPUT --protocol tcp --source-port 139 -j DROP
/sbin/iptables -A INPUT --protocol udp --source-port 138 -j DROP
/sbin/iptables -A INPUT --protocol udp --source-port 137 -j DROP


$IPTABLES -A INPUT -i lo -j ACCEPT

# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward


#Now, our firewall chain
#We use the limit commands to cap the rate at which it alerts to 3
#log messages per minute (burst of 3)
$IPTABLES -N firewall
$IPTABLES -A firewall -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level notice --log-prefix "Netfilter in: "
$IPTABLES -A firewall -j DROP

#Now, our dropwall chain, for the final catchall filter
$IPTABLES -N dropwall
$IPTABLES -A dropwall -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level notice --log-prefix "Netfilter in: "
$IPTABLES -A dropwall -j DROP

#Our "hey, them's some bad tcp flags!" chain
$IPTABLES -N badflags
$IPTABLES -A badflags -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level notice --log-prefix "Netfilter in: "
$IPTABLES -A badflags -j DROP
#And our silent logging chain
$IPTABLES -N silent
$IPTABLES -A silent -j DROP

#Drop those nasty packets!
#These are all TCP flag combinations that should never, ever occur in the
#wild. All of these are illegal combinations that are used to attack a box
#in various ways, so we just drop them and log them here.
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags

#Drop icmp, but only after letting certain types through
$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPTABLES -A INPUT -p icmp -j firewall


$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#Accept my 2 lan windozes (these must come before the dropwall catch-all
#below, or they are never reached)
$IPTABLES -A INPUT -s 192.168.0.4 -d 0/0 -p all -j ACCEPT
$IPTABLES -A INPUT -s 192.168.0.3 -d 0/0 -p all -j ACCEPT
$IPTABLES -A INPUT -j dropwall


/etc/rc.d/init.d/iptables restart

/sbin/iptables-save > /etc/sysconfig/iptables
#********************END OF SCRIPT***********
I found the script on google and edited it a little. As I said I'm a newbie to this.
Ok. First trouble. The last line's save command doesn't save these rules in /etc/sysconfig/iptables.
I pico it and get nothing in the file.

But when I run the script I get no errors and iptables uses the rules. It prints out OK to this. It put rules to ACCEPT: filter,nat [OK]
I can't quote these outputs because they're printed in Norwegian.

Second trouble:
When I type /sbin/iptables -nvL filter I get this:

[root@ove root]# /sbin/iptables -nvL filter
iptables: Table does not exist (do you need to insmod?)
[root@ove root]#

And I don't understand this because the necessary modules for iptables are loaded. And it says table does not exist, meaning in my opinion I don't have any protection at all. Or am I wrong?
I get the same answer with -nvL nat
Before all the trouble I could check both filter status and nat by typing these commands. So I'm really worried whether I've been hacked or if it's only a bug in FC2.

In my old rh7.2 I could type rpm -V kernel to see if the kernel was changed (MD5 as an answer)
but here the same command shows nothing. No dots as in rh7.2 which tells me it's all ok.
I'm really worried about what happened to my system and need help to solve this.
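The rule-ordering problems in a script like the one above are the kind of thing a small checker can catch before the rules go live. The following Python script is an added example, not code from this thread or from the iptables project: it parses the iptables-save text format (the same format /etc/sysconfig/iptables holds), rejects the structural faults iptables-restore would refuse (a COMMIT with no table open, a table never committed, a rule outside any table), and then reports two things a defender wants to know: rules that can never match because an earlier unconditional rule in the same chain always terminates (in the constructed dump below, two LAN ACCEPT rules sit after `-j dropwall`, a chain that ends in an unconditional DROP), and ACCEPT rules whose only match is a source port, which the remote end chooses freely. The SAMPLE dump is constructed, modelled on the posted script; all function names are mine.

```python
"""Lint an iptables-save dump for unreachable rules and source-port trust.
Added example; not from the thread. SAMPLE below is constructed."""
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}         # packet never returns to caller
NON_TERMINAL = {"LOG", "ULOG", "MARK"}          # rule fires, traversal continues
SPORT = {"--sport", "--source-port"}
SPORT_ONLY = SPORT | {"-p", "--protocol", "-m"}  # options that do not limit the sender


def parse_save(text):
    """Parse iptables-save format into {table: {chain: [rule, ...]}}.
    A rule is {"match": tokens before -j, "target": name, "line": text}.
    Raises ValueError on structural faults iptables-restore would reject."""
    tables, table = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            if table is not None:
                raise ValueError(f"line {lineno}: table {table} not COMMITted")
            table = line[1:]
            tables[table] = {}
        elif line == "COMMIT":
            if table is None:
                raise ValueError(f"line {lineno}: COMMIT outside a table")
            table = None
        elif table is None:
            raise ValueError(f"line {lineno}: rule outside a table")
        elif line.startswith(":"):                       # ":CHAIN POLICY [pkts:bytes]"
            tables[table].setdefault(line[1:].split()[0], [])
        elif line.startswith("-A "):
            argv = shlex.split(line)[1:]                 # shlex keeps quoted log prefixes whole
            chain, rest = argv[0], argv[1:]
            match, target = rest, None
            if "-j" in rest:
                j = rest.index("-j")
                match, target = rest[:j], rest[j + 1]    # target options after -j are ignored
            tables[table].setdefault(chain, []).append(
                {"match": match, "target": target, "line": line})
        else:
            raise ValueError(f"line {lineno}: unrecognised line: {line}")
    if table is not None:
        raise ValueError(f"table {table} not COMMITted")
    return tables


def structure_error(text):
    """First structural error message, or None when the dump parses cleanly."""
    try:
        parse_save(text)
    except ValueError as err:
        return str(err)
    return None


def always_terminates(chains, target, seen=()):
    """True if a jump to `target` can never return to the calling chain."""
    if target in TERMINAL:
        return True
    if target not in chains or target in seen:
        return False
    for rule in chains[target]:
        if rule["target"] == "RETURN":
            return False
        if not rule["match"] and rule["target"] not in NON_TERMINAL:
            return always_terminates(chains, rule["target"], seen + (target,))
    return False


def dead_rules(tables):
    """(table, chain, line) for rules shadowed by an earlier unconditional terminal rule."""
    found = []
    for tname, chains in tables.items():
        for cname, rules in chains.items():
            shadowed = False
            for rule in rules:
                if shadowed:
                    found.append((tname, cname, rule["line"]))
                elif not rule["match"] and always_terminates(chains, rule["target"]):
                    shadowed = True
    return found


def source_port_trust(tables):
    """ACCEPT rules whose only matches are a protocol and a source port."""
    found = []
    for tname, chains in tables.items():
        for cname, rules in chains.items():
            for rule in rules:
                opts = {t for t in rule["match"] if t.startswith("-")}
                if rule["target"] == "ACCEPT" and opts & SPORT and opts <= SPORT_ONLY:
                    found.append((tname, cname, rule["line"]))
    return found


# Constructed dump, modelled on the posted script as iptables-save would write it.
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:dropwall - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --sport 25 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j dropwall
-A INPUT -s 192.168.0.4 -j ACCEPT
-A INPUT -s 192.168.0.3 -j ACCEPT
-A dropwall -m limit --limit 3/min -j LOG --log-prefix "Netfilter in: "
-A dropwall -j DROP
COMMIT
"""

if __name__ == "__main__":
    tables = parse_save(SAMPLE)
    for where in dead_rules(tables):
        print("unreachable:", *where)
    for where in source_port_trust(tables):
        print("trusts source port:", *where)
```

Run it against a real dump with `iptables-save | python3 lint.py` after swapping SAMPLE for `sys.stdin.read()`; the checker is deliberately conservative, so a user chain that could RETURN is treated as non-terminal and the rules after it are not reported.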

XavierP 11-21-2004 03:32 AM

Moved: This thread is more suitable in Linux-Security and has been moved accordingly to help your thread/question get the exposure it deserves.

jailbait 11-21-2004 10:46 AM

"I'm really worried about what happened to my system and need help to solve this."

Here are two links which might help you:

http://www.devx.com/security/Article/22442

http://wiki.linuxquestions.org/wiki/Security


--------------------------------------
Steve Stites

Capt_Caveman 11-21-2004 09:04 PM

Try specifying the table using the -t option, like this:

iptables -t filter -nvL
-and-
iptables -t nat -nvL

------
With the rpm verify command (rpm -V package), if the package doesn't fail any verifications then there will be no output, it will just return a fresh command line (no dots).

---
With regards to the iptables script, move the iptables-save before the iptables restart. I believe that the way you're doing it flushes the rules you just loaded, restarts iptables and then loads the old rules. Also might help to add a debugging message in the script to make sure that it doesn't fail out somewhere.

------
In general though, it doesn't sound like you've been hacked. Just sounds like you're adjusting to the quirks of a new system.
