LinuxQuestions.org

Linux - Security: I am being hacked please help!!! (https://www.linuxquestions.org/questions/linux-security-4/i-am-being-hacked-please-help-85786/)

lucastic 08-26-2003 02:50 AM

I am being hacked please help!!!
 
Hi all,

New to linux now a month or so and I have questions I badly need help with.

I am running redhat 9 as a router and small server (just http, no mail or ftp). I did a nmap scan from my dialup account at work and was horrified to learn I had quite a few more open ports than there should have been.

the open ports of notice were
22 ssh
80
135 filtered loc-svr ?????
4444 KRB ????
12345 Netbus ?????????
12346 Netbus ?????????
31337 Elite ?????????


I did notice a week or so ago that someone was connected to my linux router on port 111 sunrpc, I didn't really think much of it at the time, now I think that could have been a mistake.

Would these nmap results indicate a windows comp on the network has netbus and backorifice running or would it likely be these offending services are running on the redhat machine?

Any help will be greatly appreciated.

Thanks

Lucas

cyph3r7 08-26-2003 06:15 AM

check your redhat box for unknown services running and by god man turn that router into a firewall :cool: it's possible a machine inside the network has a trojan. Use AV on your boxes too....

Capt_Caveman 08-26-2003 07:30 AM

AFAIK, Netbus and BO are windows-specific backdoor remote controllers. So that suggests either someone has rooted you and installed linux-specific backdoors that listen on those windows-trojan default ports (which would be pretty dumb) or they have configured your box to forward those ports to backdoored windows machines. Either way, it sounds like you got 0wn3d pretty good. You need to take all those machines off the network and clean them. Make sure to check out unspawn's security links at the top of this forum. Running unnecessary and vulnerable services (i.e. RPC) is one of the best ways to get hacked and is probably the easiest to prevent.

tarballedtux 08-26-2003 10:00 PM

That reminds me why I don't run RH. It just seemed to be installed with so much stuff I had to clean up later. Anyway, keep calm. Get some AV software like AVG from www.grisoft.com: get the updates and then disconnect from the internet. Scan your windows boxes, then rebuild your linux box while still disconnected. Before bringing up your linux box onto the internet, put a nice firewall on it. I'm sure unspawn has some great links at the top of this forum.


--tarballedtux

chort 08-27-2003 12:15 AM

Sun RPC is no better than MS RPC. If you run portmapper (port 111) you're as nuts as someone running the dce mapper on Windows (port 135).

brijesh 08-27-2003 11:41 AM

create access list

unSpawn 09-03-2003 07:22 AM

Quote:

That reminds me why I don't run RH. It just seemed to be installed with so much stuff I had to clean up later.

Slightly OT, but I have to comment that a custom install fixes *most* of the "problems" you mention here. Also please don't advertise this as a RH-specific flaw unless you know for sure all other distros don't have this problem.

lucastic 09-17-2003 09:54 AM

Can anyone solve this..
 
I did a little investigating and found something interesting. While I was at work, which uses a completely different ISP from my network, I scanned my server from nmap on my laptop.

The following ports were shown as open:

80 (apache server)
4444 KRB ????
12345 Netbus ?????????
12346 Netbus ?????????
31337 Elite ?????????

I checked my box and checked it again, and could not find anything to suggest these ports were open.

I then thought to scan some other comps found by

nmap -sP XXX.XXX.XXX.*

I then proceeded to scan them from another isp connection and everyone had these ports showing as open:

4444 KRB ????
12345 Netbus ?????????
12346 Netbus ?????????
31337 Elite ?????????

I tried contacting my ISP about the problem, but they said it must be my comp alone, despite the fact I told them other computers in their adsl network are showing these ports when scanned.

Has anyone heard of this before, or know what is going on?

lucastic 10-07-2003 08:50 AM

Anyone any ideas??

Capt_Caveman 10-07-2003 12:29 PM

When you say you "scan(ned) some other comps", what do you mean? Do you mean that you scanned other computers on your network and they all showed those ports open OR do you mean you just randomly picked ip addresses and scanned those?

As a general rule, I wouldn't trust any output on the Redhat box. A lot of root kits will install trojaned utilities like netstat. So if your machine was compromised, if you nmap'd it you would see all these ports open, but a trojaned netstat might happily report that no ports are open.

What doesn't make sense is the part about other machines not on your network showing the same nmap profile, especially if you randomly scanned ip addresses.

I

m0rl0ck 10-07-2003 01:41 PM

I would suggest that you run "rpm -V" on whatever rpm contains netstat (probably net-tools).
To see which rpm contains netstat run "rpm -qlif /bin/netstat|more"
(See man rpm.) If you get suspicious output reinstall the rpm and run netstat again. Ports 4444 and 31337 are both backdoor ports, 4444 is the blaster worm, so at the very least you probably have an infected windows machine on your network.

jayjwa 10-07-2003 06:00 PM

<thought to self> Funny, seems like a lot of topics from the "firewall" post came up again here.</thought to self>


First thing, pop it off the 'net. Since you don't know what's up, disconnecting is the proper way to go. You said you only have a httpd, so I don't think you're a production site. Please don't buy into the whole "You're oWeD! It was RPC Portmapper- you got root kits installed ;p !! " BS that goes around. Calmly do your research, we're interested in facts here, not someone else's personal reservations on the RPC services. Blindly closing down ports you don't know about can render services useless, and then you won't need hackers to DoS you, because you just DoS'ed yourself. Killing portmapper will disable ALL of the RPC services, as well as some other, less well-known apps. IF you're not using anything that relies on it and don't plan to, THEN OK, kill it-

I'm surprised no one said to run lsof -i, that'll show what is listening on those ports, better than netstat -ap or any of the maps, remember, they're designed as remote tools. You're inside. Check many methods of finding running processes and daemons- it's unlikely that all of them are trojanned, if in fact that's what you're up against. And I don't think you can be 100% sure right now. If you don't know what you're running and how to run it, you shouldn't be running it, and I mean that in a positive way. The access mode differs greatly from Apache, to, say, Proftpd or tcpwrappers. I tend to think that's what's going on here, but without more info I can't say 100% for sure. Find the source, ask is it needed? If no, cut it, if yes, go to the next. When done, comb thru the system good (root should do this daily, IMO) and check: are file permissions OK, are the latest and greatest versions of daemons being run, what are the general connection patterns; i.e. who and from where, are all security applications properly implemented and functioning as you think they are, full virus & trojan scan (even if it is for shits & giggles). Read on the newest exploits to see what may come your way. Check CERT and see what's the popular threat at the time. Examine unknown binaries & scripts using utils such as "strings" & "hexdump". Check commonly trojan'ed apps: login, ls & rm, httpd, netstat, ps, telnet & sshd, and any other things you use frequently. Look in the /tmp dir. for hidden stuff, that's a popular place to hide things. Check "dot-files". For security, I'd recommend you look at these:

tcpwrappers
libwrap
libsafe.so.2
grsecure (from what I've heard, I don't use it)
iptables (as a prewritten script if you find iptables daunting)
f-prot, latest version (big inconsistencies with this, i.e. flagging false alarms, but it tends to err on the side of safety so that's why I recommend it. Just don't freak out if it says "tar" is a dangerous program.)
xinetd
defuserootkit

And know what these are, what they look like when used, how not to be vulnerable to them or what they look like when someone may use them on you innocently:

nmap, amap, vmap, nessus, all the scanners. Scans are a daily thing, they aren't a problem unless you see the same host checking you out all the while or probes to the same place. Remember, every linux box (just about every one) comes with nmap, and most newbies don't realize that it will set off many common trip wires if used against another host. Some newbie is most likely scanning you as you scan them.
password crackers, remote password crackers, John & Hydra
bufferoverflow exploits
format string exploits
root kits & LKM root kits, such as Adore
sniffers & tcpdump, icmpinfo, sendip
common I-net worms (check out slapper & SSL, scary stuff!)

Sorry to get a bit off course, but the job of root is never done.... Security should run quietly in the background until it's needed. Be prepared, but not fanatical about security. Look thru your logs, gather your info, and make your game plan- then take back your box, if it IS in fact owned. It's not mine, I've never seen it, so I can't say exactly what you need to do on your machine. You're root of your box, make sure it stays that way. When I started with Linux, all I got was RTFM'ed and Google'ed to death, but the info to run a strong server is out there, if you look.

m0rl0ck 10-07-2003 08:52 PM

Quote:

better than netstat -ap

I should have been more specific. Run "netstat -pantu"
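One way to act on the advice in this thread to check "many methods" rather than trusting a possibly trojaned netstat: compare the kernel's own socket table in /proc/net/tcp against what a userland tool reports. This is an added example, not code from any poster; it assumes a Linux host with procfs and the ss tool from iproute2, and the /proc/net/tcp sample below is constructed, not captured from the original poster's box.

```shell
# Cross-check listening TCP ports from two independent sources: the kernel's
# socket table (/proc/net/tcp, /proc/net/tcp6) and what a userland tool says
# (ss here; netstat or lsof parse the same way). A trojaned netstat can lie,
# but the kernel table comes straight out of procfs.

# Read /proc/net/tcp-format text on stdin; print LISTEN ports (state 0A),
# one per line, lexically sorted because comm needs that order.
proc_listen_ports() {
    while read -r _sl laddr _rem st _rest; do
        [ "$st" = "0A" ] || continue
        hexport=${laddr##*:}            # local_address is HEXIP:HEXPORT
        echo "$((0x$hexport))"
    done | sort -u
}

# Live kernel view, IPv4 and IPv6.
kernel_listen_ports() { cat /proc/net/tcp /proc/net/tcp6 2>/dev/null | proc_listen_ports; }

# Userland view via ss: -H drops the header, column 4 is Local Address:Port.
tool_listen_ports() { ss -Hltn 2>/dev/null | awk '{ sub(/.*:/, "", $4); print $4 }' | sort -u; }

# Run two port-list commands and print ports the first knows that the second
# omits; anything printed deserves investigation (an empty tool list means
# the tool is missing or broken, so every port shows up).
compare_lists() {
    k=$(mktemp) && t=$(mktemp)
    "$1" > "$k"; "$2" | sort -u > "$t"
    comm -23 "$k" "$t"
    rm -f "$k" "$t"
}

# Constructed sample table (not captured from any real host): 22, 80, 12345
# and 31337 listening, plus one ESTABLISHED (state 01) socket to be ignored.
sample_proc_tcp() {
cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1 1 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 2 1 0
   2: 0100007F:3039 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 3 1 0
   3: 00000000:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4 1 0
   4: 0A000002:0016 0A000001:C3A4 01 00000000:00000000 00:00000000 00000000     0        0 5 1 0
EOF
}
sample_kernel_ports() { sample_proc_tcp | proc_listen_ports; }

# Constructed "tool" output that only admits ports 22 and 80.
sample_tool_ports() { printf '22\n80\n'; }

# Sample run prints 12345 and 31337. Live: compare_lists kernel_listen_ports tool_listen_ports
compare_lists sample_kernel_ports sample_tool_ports
```

If the live comparison prints anything, the userland tool is hiding a listener the kernel knows about, which is exactly the symptom of a trojaned netstat that Capt_Caveman describes.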

chort 10-08-2003 12:09 AM

What the hell are you doing jayjwa? Are you a security expert of any kind? So far you have not indicated any kind of professional experience or accreditation. If you do not have qualifications, SHUT UP! You're giving people bad security advice.

Read any book on system hardening, it will tell you the first thing you do is turn off all services you don't need or don't know what they do. If something absolutely critical no longer functions, turn services on/off one at a time to determine which service caused the stoppage (or much better, research the issue and figure out which service it was) and then decide whether the risks outweigh the benefits.

Quit telling people to do stupid things with their system and flying in the face of the advice you would get from paid professionals and security experts. YOU are merely stating YOUR personal opinion (which you criticise firewall proponents of doing). The difference is I am an experienced and accredited security expert and I've done professional services for some of the largest companies in the world, including the credit cards you carry in your wallet, the network gear your ISP uses, the banks that you most likely have accounts or loans with, etc. Any professional will say the same thing. It is obvious you're an amateur and doing nothing more than giving false hope with your own opinion, which is not grounded in reality.

I did not say RPC was responsible, I just said it's a stupid service to run exposed to the Internet. There have been just as many exploits for Sun RPC services as for MS RPC. In fact, it's likely that the original popularity of firewalls was due to security failures with Sun services, not Microsoft's. Many distributions of Linux (in particular, Red Hat) ship by default with nearly all the UNIX services turned on. Those services are still possible to exploit and most of them were never designed to withstand attack, so any resistance they have to attack now is by patch, not by design. It's absolutely foolhardy to expose those services to the Internet, especially when you don't need them. What RPC-dependent service are you going to run across the Internet, NFS? That would be insane.

By the way, I should point out that this is not intended as a personal attack. I'm just very frustrated with unqualified people giving advice on very important topics. It would be like someone who has watched a lot of shuttle launches claiming to be an expert on shuttle safety. Please do not undermine the advice of qualified people with personal opinions and pass it off as fact. If you must disagree, state plainly that it's your OPINION and that you are not really qualified or considered an expert. I deal with companies every day that have stupid policies and are very confused by all the misinformation and conflicting information circulating around informally. It helps the whole infrastructure when security is left to the experts and companies can get a clear picture of what the information security landscape looks like.

J.W. 10-08-2003 01:16 AM

I am only a beginner when it comes to security, but jayjwa, I have to ask about your comment "... be prepared but not fanatical about security". That seems pretty simplistic if you ask me -- put it this way: If you hired a bodyguard or a home alarm company, would you want them to take such a casual attitude towards security? I wouldn't, that's for sure, and the more gung-ho and proactive they were about blocking possible threats, the happier I'd be.

I won't pretend to think I can offer anyone specific advice about how to secure their system (not yet, anyway) but I think chort has it right. If you hire (or pay a salary to) someone to provide security for your system, that person better be 100% focused on being totally aggressive against potential threats. You seem to advocate a laid-back, go-read-your-horoscope, mellow-out approach to security, which I think would expose the system you are watching to unnecessary risks. Am I misreading your posts?? -- J.W.
