Old 05-29-2002, 08:29 AM   #16
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Re: I got this too?


Originally posted by doris
My question is how this happened. My computer is behind a Linksys router and the router functions as a firewall using NAT (Network Address Translation).

Do you allow any services (telnet, ftp, smtp, dns, rpc, http, etc. etc., whatever else) to be reached behind the Linksys? Any service accessible by outside 'net users may serve as a target.

In short, check the CERT docs earlier in this thread, disconnect the box from the network, restart with a bootable CD with an emergency shell (your distro's CD-ROM) and run chkrootkit. If you find evidence your box was compromised, save your *human readable* data (no binaries) and re-install from scratch, preferably a recent distro version.

Set up your system again using different passwords, harden your distro using Bastille-linux(.org) or from the links below, keep up with application vulnerabilities through your vendors or general mailing lists, and add some form of file integrity checking like Aide or Tripwire. Add some form of intrusion detection, preferably Snort, not Portsentry.

LASG: Linux Administrator's Security Guide,
Security Quick-Start HOWTO for Linux,
Armoring Linux,
SAG: The Linux System Administrator's Guide,
The SANS Reading room: Linux issues,
Bastille Linux Hardening System,
Elementary security for your Linux box.
Securityfocus.com vulnerabilities by Bugtraq/CVE ID,
SecFocus UNIX,
Xforce.

HTH somehow.
 
Old 05-29-2002, 08:37 AM   #17
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Originally posted by MartBrooks
"firewall" is a much overused and much misunderstood term

I agree it's being viewed somewhat like a Holy Grail of protection. Whatever is not denied passing through the fw can harm the system, and when the cracker has a foothold the box *will* be 0wned in no time.

Hardening/securing the system and kernel should be promoted more I guess...
 
Old 05-29-2002, 11:37 AM   #18
MartBrooks
Member
 
Registered: May 2002
Location: London
Distribution: Debian
Posts: 388

Rep: Reputation: 31
Great, good luck.
 
Old 05-29-2002, 11:57 AM   #19
Noerr
Member
 
Registered: May 2002
Location: Dalec, HU
Distribution: Redhat 7.3
Posts: 696

Original Poster
Rep: Reputation: 30
>> unSpawn: "weird files like the ".ttyaa" you mentioned? Ran "strings" on it?"
unSpawn, what did you mean by run strings on it?
 
Old 05-29-2002, 12:27 PM   #20
MartBrooks
Member
 
Registered: May 2002
Location: London
Distribution: Debian
Posts: 388

Rep: Reputation: 31
He meant run "strings", which is a UNIX command-line utility to extract ASCII text blocks from binary files.

Regards
 
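As an added illustration (not code from the thread), here is what `strings` does, reduced to a few lines of Python: it reports the offset and text of every run of printable ASCII in a file, which is what you look at to get an idea of what an unfamiliar file contains. The sample bytes are constructed here; nothing in them comes from the actual ".ttyaa" file.

```python
import re
import sys

# GNU strings prints runs of at least 4 printable characters by default (-n 4).
MIN_LEN = 4

def extract_strings(data, min_len=MIN_LEN):
    """Return (offset, text) for each run of >= min_len printable ASCII bytes."""
    # Printable ASCII is 0x20..0x7e; tab is accepted as well, as GNU strings does.
    pattern = re.compile(rb"[\x20-\x7e\t]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]

# Constructed stand-in for an unknown binary: an ELF-looking header, some
# non-text bytes, and a few embedded strings of the kind that give away
# what a file is for. Nothing here is taken from the thread's file.
SAMPLE = (b"\x7fELF\x01\x01\x00\x00" + b"/bin/sh\x00" + b"\x90\x90\x02"
          + b"ttyaa\x00" + b"hi\x00" + b"/usr/lib/.tmp\x00")

def dump(data):
    """Print offset (hex) and text, the way 'strings -t x' would."""
    for offset, text in extract_strings(data):
        print("%8x %s" % (offset, text))

if __name__ == "__main__":
    # Usage: python strings_lite.py [file]; without a file the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    dump(data)
```

Run it from the rescue CD against a copy of the suspect file rather than executing the file itself; the path and library names that show up usually say more than the file name does.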
Old 05-29-2002, 02:07 PM   #21
doris
Member
 
Registered: May 2001
Location: New York, USA
Distribution: RH 7.3, 8.0
Posts: 64

Rep: Reputation: 15
In the secure log, I found sshd was invoked from IPs belonging to California, Brazil, China and Korea. There was also an SSH-1.0-Version_Mapper scan. I noticed the file permission changed shortly (one day) after this scan. As unSpawn pointed out, any service could be used as a door. I did enable IP forwarding to the Linux box.

Another question: if I want to secure one Unix machine by making it invisible and inaccessible from outside, can I just achieve it in the gateway setup of this machine?

Doris
 
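As an added example, not from the post, the kind of triage Doris describes can be done over /var/log/secure with a short script: group sshd lines by source address and flag version scans, logins that followed failed attempts, and root logins. The log lines are constructed samples in OpenSSH's wording of the time, and the addresses are documentation ranges, not the ones from the post.

```python
import re

# Constructed sample in the syslog style of /var/log/secure (documentation
# addresses, not the hosts from the thread; wording follows OpenSSH of the time).
SAMPLE_LOG = """\
May 27 02:14:07 box sshd[812]: scanned from 192.0.2.10 with SSH-1.0-Version_Mapper. Don't panic.
May 27 02:14:09 box sshd[813]: Did not receive identification string from 192.0.2.10
May 28 03:31:55 box sshd[901]: Failed password for root from 198.51.100.7 port 4022 ssh2
May 28 03:31:58 box sshd[901]: Failed password for root from 198.51.100.7 port 4022 ssh2
May 28 03:32:04 box sshd[901]: Accepted password for root from 198.51.100.7 port 4022 ssh2
May 28 11:02:40 box sshd[950]: Accepted publickey for doris from 203.0.113.5 port 51022 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
AUTH_RE = re.compile(r"^(?P<result>Accepted|Failed) \w+ for (?P<user>\S+) from (?P<ip>[\d.]+)")
FROM_RE = re.compile(r"\bfrom (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b")

def triage(log_text):
    """Group sshd events by source address: version scans, failed and accepted logins."""
    by_ip = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        msg = m.group("msg") if m else ""
        src = FROM_RE.search(msg)
        if not src:
            continue  # not an sshd line, or no source address in it
        rec = by_ip.setdefault(src.group("ip"), {"scan": False, "failed": 0, "accepted": []})
        auth = AUTH_RE.match(msg)
        if auth and auth.group("result") == "Failed":
            rec["failed"] += 1
        elif auth:
            rec["accepted"].append((m.group("ts"), auth.group("user")))
        elif "Version_Mapper" in msg or "Did not receive identification" in msg:
            rec["scan"] = True
    return by_ip

def worth_a_look(by_ip):
    """Addresses to read the full log for: scans, logins after failures, root logins."""
    flagged = {}
    for ip, rec in by_ip.items():
        reasons = []
        if rec["scan"]:
            reasons.append("version scan")
        if rec["accepted"] and rec["failed"]:
            reasons.append("login after %d failures" % rec["failed"])
        if any(user == "root" for _, user in rec["accepted"]):
            reasons.append("root login")
        if reasons:
            flagged[ip] = reasons
    return flagged
```

A successful login that follows failures from the same address, a day before file permissions changed, is the sort of entry to line up against the timestamps of the modified files.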
Old 05-30-2002, 12:24 AM   #22
Noerr
Member
 
Registered: May 2002
Location: Dalec, HU
Distribution: Redhat 7.3
Posts: 696

Original Poster
Rep: Reputation: 30
doris:
Once your machine is hacked, you will have a tough time cleaning it up, and in trying to get rid of the hackers you'll *iss 'em off and they may screw your system up badly, so before you do anything, back up your system.
I had a case a long time ago (in the RH6 days, my start with Linux) when my machine was hacked and I started to clean up everything I saw. They didn't like it, I guess, and set up my machine so I couldn't log in locally (I saw a login screen, but it was just a picture) and shut down ssh, so I was cut off completely. Then, thanks to a good friend of mine, a security expert (ex-hacker), who hacked into the system from the network and got things straight, because I was lost completely.

So be careful.
 
Old 05-30-2002, 02:31 AM   #23
MartBrooks
Member
 
Registered: May 2002
Location: London
Distribution: Debian
Posts: 388

Rep: Reputation: 31
It's worth repeating this: if you suspect your machine has been compromised, the only way to ensure you still have control of it is to format the disk and re-install.
 
Old 05-30-2002, 09:26 AM   #24
Noerr
Member
 
Registered: May 2002
Location: Dalec, HU
Distribution: Redhat 7.3
Posts: 696

Original Poster
Rep: Reputation: 30
Or rather, take another HDD for your server.
Take the old one back home, try to learn from your/their mistakes, and correct yours before they are in your system again.
 
Old 05-30-2002, 11:08 PM   #25
rverlander
Member
 
Registered: May 2002
Distribution: A few
Posts: 488

Rep: Reputation: 30
There's a security hole in SSH 2.4.
 
Old 05-31-2002, 03:48 AM   #26
Noerr
Member
 
Registered: May 2002
Location: Dalec, HU
Distribution: Redhat 7.3
Posts: 696

Original Poster
Rep: Reputation: 30
That may be the cause of my intruders (I had ssh 2.4 installed).
 