I have a security question. I'm running Red Hat 9.0 on an Intel box and it looks like yesterday I suffered some sort of Trojan or DDoS attack. The network came to a halt! When running the top command I found that Apache was eating 96% of the CPU and the command was 'm'.
Even after disconnecting from the network (I unplugged the Ethernet) the Firestarter firewall GUI was showing attempts from my own IP address for Trin00, Trinity v3, Back Orifice and ms-rpc. A reboot seemed to stop it for the time being.
Can anyone tell me what it might have been??
I'm running the Firestarter firewall and have only allowed ports open for SSH, httpd, SMTP and DNS. However a netstat -l (below) shows open ports on 651 and 32768. I have MySQL databases running as well. Should I be concerned?? Any ideas or advice would be much appreciated.
BTW, Apache, MySQL, named & sendmail have been updated using up2date.
Thanks in advance
Darrel
Code:
[root@www]# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address  State
tcp        0      0 *:mysql                 *:*              LISTEN
tcp        0      0 *:x11                   *:*              LISTEN
tcp        0      0 my.domian.com.au:http   *:*              LISTEN
tcp        0      0 my.domian.com.au:domain *:*              LISTEN
tcp        0      0 localhost.locald:domain *:*              LISTEN
tcp        0      0 *:ssh                   *:*              LISTEN
tcp        0      0 *:smtp                  *:*              LISTEN
tcp        0      0 localhost.localdom:rndc *:*              LISTEN
tcp        0      0 *:https                 *:*              LISTEN
udp        0      0 *:32768                 *:*
udp        0      0 *:651                   *:*
udp        0      0 my.domian.com.au:domain *:*
udp        0      0 localhost.locald:domain *:*
my.domian.com.au has been substituted for the real address
Use lsof -i to get a listing of what files/PIDs have those ports open. If you don't get a filename, trace back the PID in /proc/<PID>/cmdline.
Verify the integrity of the Apache/httpd binary with 'rpm -V httpd'; in fact you may want to verify everything with 'rpm -Va'. I'd also recommend downloading chkrootkit or Rootkit Hunter and running a scan on the system.
FWIW, port 32768 is usually the first unprivileged port used by default in Linux, so that may not mean much, but the apache/m oddness is usually an indication of eggdrop (an IRC bot).
It's also a good idea to look through the system for abnormal directories and hidden files (especially in /tmp), as well as verifying that /etc/passwd looks normal, and to check the output of 'last' for odd logins.
Those kernel log messages look like standard bootp/dhcp broadcasts from 172.23.0.1; does that IP look familiar? It is IANA reserved and it's broadcast, so it's got to be locally generated.
BTW, Red Hat stopped supporting RH 9.0 almost a year ago, so if you've been relying on Red Hat for updates using up2date, then your system hasn't been getting updated for almost a year.
Last edited by Capt_Caveman; 02-15-2005 at 06:05 AM.
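The checks Capt_Caveman lists above (listeners outside policy, tracing a PID through /proc when lsof is unavailable, a sanity check of /etc/passwd, hidden or script files in /tmp, and reading 'rpm -Va' output), collected into small shell functions. This is an added example, not code from the thread or from any of the tools mentioned. So that it runs offline it works on constructed sample data shaped like what darrel posted (the netstat listing above; the /tmp file names he reports later in the thread); the allowlist of services is an assumption taken from his statement that only SSH, httpd, SMTP and DNS are open. Point the functions at real 'netstat -l', /etc/passwd, /tmp and 'rpm -Va' output on a live box.

```shell
#!/bin/sh
# Added example (not from the thread): the triage checks from the reply
# above, as functions over constructed sample data. Assumption: ALLOWED is
# the poster's stated policy; anything else listening on a non-loopback
# address deserves a PID and a binary behind it.

ALLOWED="ssh http https smtp domain"

# Constructed 'netstat -l' sample, same shape as the one in the thread.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:mysql *:* LISTEN
tcp 0 0 *:x11 *:* LISTEN
tcp 0 0 www.example.com:http *:* LISTEN
tcp 0 0 localhost.localdom:rndc *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
udp 0 0 *:32768 *:*
udp 0 0 *:651 *:*'

# Print "proto local-address" for each listener not in ALLOWED. Loopback-only
# listeners (rndc on localhost) are skipped: nothing outside can reach them.
unexpected_listeners() {
    printf '%s\n' "$1" | awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "tcp" || $1 == "udp" {
            if ($4 ~ /^localhost/) next
            svc = $4; sub(/.*:/, "", svc)
            if (!(svc in ok)) print $1, $4
        }'
}

# Trace a PID to its command line (Linux only; /proc cmdline is NUL-separated).
# This is the fallback when lsof is missing or, as in this thread, will not run.
proc_cmdline() {
    [ -r "/proc/$1/cmdline" ] && tr '\000' ' ' < "/proc/$1/cmdline"
}

# Constructed /etc/passwd sample with a second UID 0 account planted in it.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/bin/false
toor:x:0:0::/:/bin/sh
darrel:x:500:500::/home/darrel:/bin/bash'

# Any UID 0 account other than root is a root-equivalent backdoor login.
extra_root_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Build a throwaway directory that looks like the /tmp darrel described.
make_sample_tmp() {
    d=$(mktemp -d)
    printf '#!/usr/bin/perl\n' > "$d/cback.pl"
    printf 'bot config\n' > "$d/bot.txt"
    mkdir "$d/..."                       # dot-named dirs hide from a casual ls
    printf 'harmless\n' > "$d/session.log"
    printf '%s\n' "$d"
}

# Hidden entries and script sources under a directory, relative paths, sorted.
suspicious_tmp_entries() {
    ( cd "$1" && find . ! -name . \( -name '.*' -o -name '*.pl' -o -name '*.sh' -o -name '*.c' \) ) |
        sed 's|^\./||' | LC_ALL=C sort
}

# Constructed 'rpm -Va' sample (RH9-era 8-column flags: S M 5 D L U G T).
SAMPLE_RPMV='S.5....T    /usr/sbin/httpd
S.5....T  c /etc/httpd/conf/httpd.conf
.......T    /usr/share/doc/httpd-2.0.40/README
missing     /usr/bin/lsof
S.5....T    /usr/sbin/lsof'

# Keep the hits that matter: a changed MD5 (5) on anything that is not a
# config file (c), and missing files. A local edit to httpd.conf is normal;
# a changed /usr/sbin/httpd is not. Caveat: a rootkit can replace rpm itself
# or its database, so trust this only when run from known-good media.
rpm_verify_hits() {
    printf '%s\n' "$1" | awk '
        $1 == "missing" { print "missing", $NF; next }
        index($1, "5") && !(NF == 3 && $2 == "c") { print "modified", $NF }'
}

# Stand-alone report over the sample data.
echo "== listeners outside policy"; unexpected_listeners "$SAMPLE_NETSTAT"
echo "== this shell, via /proc"; proc_cmdline "$$" && echo || echo "(no /proc here)"
echo "== extra UID 0 accounts"; extra_root_accounts "$SAMPLE_PASSWD"
tmpd=$(make_sample_tmp)
echo "== suspicious entries in $tmpd"; suspicious_tmp_entries "$tmpd"; rm -rf "$tmpd"
echo "== rpm -Va hits"; rpm_verify_hits "$SAMPLE_RPMV"
```

On the sample data the listener check reports mysql, x11 and the two UDP ports, which is exactly the list darrel should be resolving to PIDs; the rpm check flags a modified /usr/sbin/httpd and a missing /usr/bin/lsof while ignoring the edited httpd.conf. None of this proves a clean system: if rpm, find or awk themselves were replaced, their output is the attacker's.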
I just want to say thanks for the great suggestions for checking my install. It's very, very much appreciated.
As for the machine in question, I checked the tmp directory and deleted two files, cback.pl and bot.txt, and although I looked inside them I couldn't quite understand what they did. I figured if they are in tmp it wouldn't hurt to delete them (especially with names like that)!
I tried to run lsof but although it was in /usr/sbin/ it wouldn't run. So I downloaded and installed it from scratch, rebooted, and everything seems ok for the time being. I also downloaded chkrootkit and ran it - it didn't find anything.
What would be the best thing to do considering I'm running Red Hat 9.0? Should I (and can I) upgrade to Fedora, and would that break many of my existing services, e.g. http, sendmail & mysql?
Did you re-install the whole system or just the lsof binary? It's starting to sound like you definitely need to do a complete re-install. The presence of those cracking tools in /tmp indicates that someone had at least system access, and with your system not being updated for a year there would be multiple vulnerabilities that would allow privilege elevation (getting root fairly easily). The fact that you couldn't run lsof, even though it was installed on the system, is definitely reason to be very concerned.
If you really want to stick with Red Hat 9.0, you can ditch up2date and use yum to grab updates from the Fedora Legacy Project, which does maintain a repository of current updates for Red Hat 9. There are instructions on their site for modifying the yum.conf file so that it points to the proper repository; then have yum automatically update your system nightly. You can back up and copy over necessary DBs and configs that you can manually inspect, but don't back up any binaries from the system.
Originally posted by darrel
...
/var/log/messages is full of these statements ....
Feb 15 16:50:38 www kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:02:4b:aa:50:38:08:00 SRC=172.23.0.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=48202 PROTO=UDP SPT=67 DPT=68 LEN=308
...
Any other thoughts ... ????
They are DHCP broadcast requests, but the source IP is
NetRange: 172.16.0.0 - 172.31.255.255
CIDR: 172.16.0.0/12
NetName: IANA-BBLK-RESERVED
NetHandle: NET-172-16-0-0-1
Parent: NET-172-0-0-0-0
NetType: IANA Special Use
NameServer: BLACKHOLE-1.IANA.ORG
NameServer: BLACKHOLE-2.IANA.ORG
Comment: This block is reserved for special purposes.
Comment: Please see RFC 1918 for additional information.
not supposed to be on the Internet. If that source IP is coming from outside, your firewall rules need to block them. I'd be re-installing if I felt the machine was compromised, assuming you have separate /home, copy /etc and your kernel configs somewhere safe and nuke the OS partition with dd if=/dev/zero ... format and reinstall.
Most interesting thread. As alluded to previously, those IP address ranges are not publicly routed. They are private IP addresses within the class B range. And the protocol in use is UDP. I don't see how that could even be spoofed. Would love to hear an update on this one.
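The reasoning in the two replies above (an RFC 1918 source on the Internet-facing interface cannot have crossed the Internet, so the sender is on the local segment) as a small log-triage script. This is an added example, not code from the thread. The first sample line is the one darrel posted; the other two are constructed, using documentation addresses (203.0.113.0/24, 198.51.100.0/24). It assumes eth0 is the Internet-facing interface, which the thread never states. Source port 67 to destination port 68 is the server side of DHCP (an offer or ack), which is why the posted line is classified as a server broadcast rather than a client request.

```shell
#!/bin/sh
# Added example (not from the thread): classify iptables LOG lines of the
# kind Firestarter writes to /var/log/messages. Assumption: WAN_IF is the
# interface facing the Internet.
WAN_IF=eth0

# Line 1 is the one posted in the thread; lines 2 and 3 are constructed.
POSTED_LINE='Feb 15 16:50:38 www kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:02:4b:aa:50:38:08:00 SRC=172.23.0.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=48202 PROTO=UDP SPT=67 DPT=68 LEN=308'
SAMPLE_SYN='Feb 15 17:02:11 www kernel: IN=eth0 OUT= MAC=00:02:4b:aa:50:38:00:50:ba:12:34:56:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12345 DF PROTO=TCP SPT=40123 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0'
SAMPLE_BOGON='Feb 15 17:03:40 www kernel: IN=eth0 OUT= MAC=00:02:4b:aa:50:38:00:50:ba:65:43:21:08:00 SRC=10.0.0.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=777 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0'

# Value of KEY= in a log line, or empty when absent (OUT= is empty on input).
field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# Dotted quad to a 32-bit integer so prefix tests are arithmetic, not strings.
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True when $1 is in RFC 1918 space: 10/8, 172.16/12 or 192.168/16.
is_rfc1918() {
    ip=$(ip_to_int "$1")
    [ $(( ip >> 24 )) -eq 10 ] && return 0
    [ $(( ip >> 20 )) -eq $(( (172 << 4) | 1 )) ] && return 0    # 172.16.0.0/12
    [ $(( ip >> 16 )) -eq $(( (192 << 8) | 168 )) ] && return 0  # 192.168.0.0/16
    return 1
}

# Classify one line as "kind origin verdict".
classify() {
    line=$1
    ifc=$(field IN "$line"); src=$(field SRC "$line"); dst=$(field DST "$line")
    proto=$(field PROTO "$line"); spt=$(field SPT "$line"); dpt=$(field DPT "$line")

    # 67 -> 68 is the DHCP server side (offer/ack); 68 -> 67 is a client
    # discover/request. A broadcast DST with TTL 255 fits a server on the
    # same Ethernet segment, which is what the thread concluded.
    if [ "$proto" = UDP ] && [ "$spt" = 67 ] && [ "$dpt" = 68 ] && [ "$dst" = 255.255.255.255 ]; then
        kind=dhcp-server-broadcast
    elif [ "$proto" = UDP ] && [ "$spt" = 68 ] && [ "$dpt" = 67 ]; then
        kind=dhcp-client-request
    else
        kind=other
    fi

    if is_rfc1918 "$src"; then origin=private-source; else origin=public-source; fi

    # RFC 1918 space is not routed across the Internet, so a private SRC
    # arriving on the WAN interface was put on the wire by something on the
    # local segment: a neighbour, the ISP's DHCP server, or a spoofer there.
    if [ "$ifc" = "$WAN_IF" ] && [ "$origin" = private-source ]; then
        verdict=from-local-segment
    else
        verdict=ok
    fi
    echo "$kind $origin $verdict"
}

for l in "$POSTED_LINE" "$SAMPLE_SYN" "$SAMPLE_BOGON"; do
    printf '%s -> %s\n' "$(field SRC "$l")" "$(classify "$l")"
done
```

The posted line classifies as a DHCP server broadcast from a private source on the local segment, which matches Capt_Caveman's "it's got to be locally generated". If eth0 gets its own address from a DHCP server, that server is what you are seeing and there is nothing to block; if it does not, the equivalent of rhedgehog's advice is a rule such as iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP (and the same for 10.0.0.0/8 and 192.168.0.0/16), which drops bogon sources without touching traffic on the inside interface.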
Hello All,
Thanks for all your help.. it is much appreciated!!!
After receiving all the great advice from this forum, I realised I just couldn't be confident that the machine wasn't still compromised. So I did a backup and then did a complete/fresh install of Fedora Core 3, updated every package on the system, new root passwords etc ... Hopefully everything is ok now. Everything seems to be going well again.
Cool. Make sure to spend some added time securing your system now, so that you don't end up facing the same problems later on. Turn off unnecessary services and do yourself a big favor by enabling nightly yum updates with 'chkconfig yum on'. Also remember that Fedora is releasing new versions approx. every 6 months and currently plans to support them on a "three-and-out" basis, meaning that you'll need to find a new place for upgrades after 2 new versions have been released.