Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I have a PHP-based site that appears to have been compromised. Running tcpdump results in entries like:
Code:
19:00:10.882396 IP dialup-4.231.2.175.Dial1.Houston1.Level3.net.49754 > 64.x.x.x.http: S 3394384288:3394384288(0) win 8192 <mss 1380,nop,wscale 2,nop,nop,sackOK>
19:00:11.941656 IP dialup-4.231.2.175.Dial1.Houston1.Level3.net.49753 > 64.x.x.x.http: . ack 257740321 win 2048
19:00:11.971062 IP dialup-4.231.2.175.Dial1.Houston1.Level3.net.49753 > 64.x.x.x.http: P 0:495(495) ack 1 win 2048
19:00:12.246219 IP dialup-4.231.2.175.Dial1.Houston1.Level3.net.49754 > 64.x.x.x.http: . ack 257282436 win 2048
19:00:12.246236 IP dialup-4.231.2.175.Dial1.Houston1.Level3.net.49754 > 64.x.x.x.http: P 0:501(501) ack 1 win 2048
This site is not even in production (though it originated as a copy of a production site), so I know that the server is being used for nefarious means. The 64.x.x.x IP is not mine, but is that of a server on the same subnet as me, where this server is being attacked via my server. I've set up some pretty restrictive iptables rules:
Code:
#!/bin/bash
iptables -F -t filter
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -p tcp --dport 22 -s 63.x.x.x -d mymachine.mydomain.com -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -s mymachine.mydomain.com -d 63.x.x.x -j ACCEPT
where only my IP (63.x.x.x) is allowed in and out over SSH. Even with these rules present, the tcpdump is still the same - that is, my subnet neighbor is still being attacked.
If anyone has any advice to give, I'm all ears (and all thanks too).
-TWR
Last edited by thetawaverider; 07-25-2007 at 07:20 PM.
Okay, added more rules, as port 80 is not dropped by the initial INPUT/OUTPUT DROP (thought it was). Definitely more than what is needed, but doing it just to demonstrate the point.
Code:
#!/bin/bash
iptables -F -t filter
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -p tcp --dport 22 -s 63.x.x.x -d mymachine.mydomain.com -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -s mymachine.mydomain.com -d 63.x.x.x -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --sport 80 -j DROP
iptables -A OUTPUT -p tcp --dport 80 -j DROP
iptables -A OUTPUT -p tcp --sport 80 -j DROP
Anything to do with port 80 both in INPUT and OUTPUT should be dropped. But it's not - the tcpdump still has entries with http as the destination port.
Could it be the case that my rules are being modified by a bot infecting my system? If so, it is not possible to tell with an "iptables -L", which shows:
What makes you think those packets are from your machine? If there's only a hub between you and the other machine, then you could see traffic to it on tcpdump.
What makes you think those packets are from your machine? If there's only a hub between you and the other machine, then you could see traffic to it on tcpdump.
I agree.
A few things...
tcpdump will do you no good if you don't know how to tell the packets are being dropped. Look at the TCP flags in the dump to see at what state the connections are.
Also, if you're sniffing before your firewall, you're going to see the traffic, regardless if you've blocked it or not.
Because you've a firewall and a packet trace, you have to remember to factor in how to read your sniffed logs, where you're sniffing at, and what type of device your interface is connected to.
I think you may be right on the money - this is most likely traffic destined for a local machine. I've been a bit cautious recently (overly so), and here's why:
Recently, disabling port 443 caused a substantial decrease in the number of idle httpd processes. The site doesn't even use port 443, yet the number of idle processes was constantly 20-40% of the active ones (much greater than MaxSpareServers), leading me to believe that the targeting of port 443 was intentional. After this change, my fork rate (as per munin) jumped from near zero to a nice cycle between 15 and 25 forks/second.
Upon a recent reboot of the server, though, this large number of idle connections returned almost immediately, plus the fork rate dropped to near zero again. This machine has been the target of DDoS attacks in the past, plus has been infected via a hole in the PHP application (which is not current due to it's eminent replacement), so I wanted to make sure that the reboot did not trigger any sort of latent bot. It is possible that I may have been looking for a problem where none exists, but I'd rather be a bit over cautious in a situation like this.
The idle httpd connection problem does still exist, though, so if anyone has any suggestions, I'd like to hear them.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
