Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I have Libranet 2.8.1, kind of a mix of Sarge and testing Debian. This linux machine is on a cable modem behind a hardware firewall with all ports to drop incoming except (occasionally) 22. When enabled, Port 22 is forwarded to LN, where sshd and Firestarter are running. Firestarter allows only ssh to be publicly available. I use ssh to log in from work and check e-mail via a remote X session. [My workplace has all e-mail protocols disallowed for non-internal pop and smtp servers, and they also block access to all web-based email sites like mail2web.com. Thus I really need ssh.]
Three days ago Firestarter picked up the following hits,
A few prior to that I had port 22 forwarded to my LN box, but Firestarter was NOT running. My bad. In that case, the default Libranet Adminmenu Firewall would be the default. Unfortunately, it was set to allow public access to the following services: dhcp, ssh, smtp, www, samba, and https, all on their standard ports. Yikes. So bottom line, my security was briefly let down. Please note that telnet and remote ssh root login have long been disabled on my linux box.
I ran chkrootkit, which came out clean. I checked the system logs, especially auth.log, and found only a couple ssh login attempts that were correctly refused. No big deal.
Yesterday, I ran ethereal in NON-promiscuous mode for about half an hour to see what was coming in. When I stopped the capture, a warning box came up. It said "Loading etherXXXXD82Ymm, 588 KB of 2334 KB. Do you wish to continue?" Obviously not. (That file name is exact, BTW.)
Here's what I've done so far: turned off all port forwarding from my Linksys router. Disconnected the suspect machine from the internet. Searched my machine for the component files of trinity v3. These are: uucico (altered version of standard linux file) fsflush and idle.so. Nothing has turned up. There's an excellent link to the whitepaper on trinity v3: I can't post it unfortunatley due to the "5-posts rule." Unless you append 3w's ahead of .findarticles.com/p/articles/mi_m0NEW/is_2000_Sept_5/ai_65024645
So, did someone root my LN box? How can I check, and are there any tools to remove trinity v3? How did they route the packet to an unrouteable 192.168.x.x.address through a router with only port 22 open and sshd listening on that port?
Does the above info mean my machine is now zombified to DDOS doubleclick on some future date? Or is doubleclick infected and trying to access my linux macine looking for trinity v3 clients?
Sorry for the long post and many questions. Any help appreciated.
win32sux, thanks for your reply. At the risk of offending someone due to length, I will post the relevant syslog entries. The first six (total) were the incoming ones picked up by Firestarter, on Sep. 8, 1125 am. Then on Sep. 9 there are many OUTBOUND packets going to the same address, a server at doubleclick. It looks to me like part of a SYN flood, but please tell me what you think. Seems like my machine has been rooted and recruited to be part of a DDoS.
I did not do any portscanning recently. I use snort just for local purposes and that not very well, it seems.
Remote root login in ssh has long been disabled on my machine. I just tuned it up today to also allow no password auth (only public-private keys) and only protocol 2. (It used to be 2,1).
I downloaded and ran RootKit Hunter as per your suggestion. Sweet little app. It found one vulnerability in PHP 4.3.4, but not anything else. No rootkits, no backdoors. I don't know what PHP does; perhaps that's how they got in.
How sure are you that I really got cracked? It bothers me that I might have to reinstall without ever finding the evidence. I have looked at my crontab and found a lot of automated running of programs, including 5snort. I have disabled the crontab entries and will check tomorrow for any strange activity on the linux machine. For instance, snort was set to check a range of ip addresses to find new AOL AIM servers. Something is not adding up quite yet. Perhaps I should grep every file on my machine to find where that doubleclick IP address is located.
If this was trinity v3, someone is using a very old technique from late 2000, to access my machine and doing it without my detecting exactly how. Trinity was a DDoS tool, not a port scanner, though. Probably more than one hack has taken place or the trinity label was spoofed.
I appreciate very much your offer to help me set up iptables; I will take you up on that in a few days. Do you have a favorite GUI front end for iptables?
Originally posted by laminar1 I don't know what PHP does; perhaps that's how they got in.
php is hypertext preprocessor... basically, it let's you serve dynamic web pages by interfacing your web server with your database server... unless you are running a web server, i don't think this is the entry point (if there is one)... you're sure your apache wasn't running, right??
well, i'm not 100% sure, if that's what you're asking... the portscan thing is indeed suspicious, though... is it possible that your IDS has some kinda "portscanning reaction" when a weird packet arrives?? like, maybe that dropped packet made the IDS want to find-out more about the host that sent it or something?? i'm just thinking out loud here...
Quote:
It bothers me that I might have to reinstall without ever finding the evidence.
you can copy your root partition to a cd or another partition or something (using a live cd, of course) and then you'll be able to perform an autopsy and other forensics on your current install whenever you want, even after re-installing...
Quote:
Something is not adding up quite yet.
i agree...
Quote:
If this was trinity v3, someone is using a very old technique from late 2000, to access my machine and doing it without my detecting exactly how. Trinity was a DDoS tool, not a port scanner, though. Probably more than one hack has taken place or the trinity label was spoofed.
i'm not sure what to think about this packet... the hardware router was running when this happened??
looks like it could have been part of a prior connection or something... but i'm not sure, i'm just saying that cuz it's an ACK packet and it looks like it came from a web server (SPT=80), don't take that observation too seriously... i'm sleepy... =)
Quote:
I appreciate very much your offer to help me set up iptables; I will take you up on that in a few days.
cool, just let me know...
Quote:
Do you have a favorite GUI front end for iptables?
no, i just use a regular iptables script... i think it's simpler, more effective, and more educational...
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Rep:
It cerntainly does look like someone used the box to portscan someone for common backdoors. If you had HTTP access to your box open,
and you were running a vulnerable version of PHP, it's possible that someone exploited it. Try looking in the Apache (httpd) logs to see if
anyone was making requests for strange pages or if there are odd errors. Also, does anyone else have an account on your box,
or access to the keyboard? It's possible that it was just used without your knowledge for the port scan, but no actual cracking of your
machine was involved.
Well how strange can things get? The win2000 laptop that I used last night to post the previous messages was kaputt when I turned it on this morning. No sign of ntldr, ntdetect or the ever-popular ntoskrnl.exe. Holy cow. But I'm back on that machine now using my knoppix disk, which is working extremely well. I have no explanation of what happened to my Win2K laptop. I doubt just corruption of the files, since all those mentioned files were flat out GONE. The important data has already been backed via Samba. Without linux, I'd be in a world of serious hurt right now. BTW, this laptop had up-to-date ZoneAlarm Pro and McAfee antivrus running continuously, and it sits behind the hardware firewall with all ports closed. Figure that one out for me.
Anyway, back to the Linux box issues.
chort-- I checked the apache logs, and found nothing unusual. As it turns out, I WAS running apache, without knowing it, since it was part of the original install and it ran until I disabled it in July. The logs are clean, however, and I don't have any evidence of anyone ever attempting access. There are no other users on this machine except my kids, age 5 and under, who are much more interested in sesameworkshop.org than in portscanning servers on the internet. And finally, I have not found any odd errors.
win32sux--as above, no apache running. Your comment on that one packet was on target: it was ACK, but the ones previous to it were ACK SYN. Does that imply anything? I was checking my snort directory, including the many rules files. The portscan and backdoor rules files are very similar to the output I saw in syslog. I have disabled cron and will run a test in the next few days to see if perhaps the activity disappears. snort was running essentially unconfigured when I captured these data. For instance, the HOME_NET variable was not set. Could this have caused the crontab running 5snort to scan for backdoors? What is 5snort, anyway, as opposed to snort?
As ususal, too many questions, but I appreciate your helpful comments.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
