LinuxQuestions.org
Old 06-15-2004, 08:31 AM   #31
QuakerJ
LQ Newbie
 
Registered: Mar 2004
Location: Nottingham, UK
Distribution: Fedora14 - Gnome2
Posts: 15

Rep: Reputation: 0

Just 15 minutes after you started Samba. I think it is more likely that the source of that message was already on your system. Did you MD5 all stuff you have downloaded? Did you download Samba?

You might like to try

grep -Rl 'Be VERY careful sharing ' / > /tmp/tmpx

to get a list of the files where that string occurs. Of course a sophisticated virus would hold the output string transposed and de-transpose it into the output string at run time.

The -l flag is important otherwise it will keep on listing what it has found in /tmp/tmpx into /tmp/tmpx until your file system is full. Ooops!

If I got that message I should be worried - even if I had double checked my firewalls. Yes, I run two firewalls too. One dedicated firewall machine between the Internet and my local lan and one which automatically starts on boot on my laptop. If the laptop is connected to my own LAN I run iptables -F so that I can ftp or telnet in from another host on the lan. In general my firewalls do not allow any new connection to pass data from outside into my systems. Input is only on connections that have been established from the inside.

Good luck

QuakerJ
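
An added example (not part of QuakerJ's post) of the same whole-disk string search, written so that it stays on one filesystem and never scans its own report. The function names, the sample tree and its file names are constructed for illustration.

```shell
#!/bin/sh
# find_string_files ROOT NEEDLE REPORT
# Writes to REPORT the sorted paths of regular files under ROOT containing NEEDLE.
find_string_files() {
    root=$1; needle=$2; report=$3
    # -xdev    stay on ROOT's filesystem, so /proc, /sys and network mounts
    #          are not walked; repeat the call for each local mount of interest.
    # ! -path  keep the report file itself out of the scan.
    # grep -l  print file names only (binaries included); -F treats NEEDLE
    #          as literal text, not as a regular expression.
    # find exits non-zero on unreadable files or a batch with no match, so
    # that status is ignored and the report is the result.
    find "$root" -xdev -type f ! -path "$report" \
        -exec grep -lF -- "$needle" {} + > "$report" 2>/dev/null || :
    sort -o "$report" "$report"
}

# Constructed sample tree: one text file and one binary contain the string.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/etc" "$d/bin"
    printf 'comment = Be VERY careful sharing this\n' > "$d/etc/sample.conf"
    printf 'no match in this file\n' > "$d/etc/hosts"
    printf '\001\002Be VERY careful sharing \000\003' > "$d/bin/tool"
    printf '%s\n' "$d"
}

sample=$(make_sample_tree)
find_string_files "$sample" 'Be VERY careful sharing ' "$sample/report"
cat "$sample/report"
```

On a real system the call would be `find_string_files / 'Be VERY careful sharing ' /tmp/tmpx`, run as root so that unreadable files are not silently skipped.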
 
Old 06-15-2004, 09:53 AM   #32
a1phaomega
LQ Newbie
 
Registered: Jun 2004
Location: Wales
Posts: 3

Rep: Reputation: 0
ports

Quote:
Originally posted by TBomb
Okay, the scan's been done... I got him to scan the full IP range 0 - 65535, here's the results:



Ports (13 opened, 65523 closed)

110 Open (pop3)
80 Open (www-http)
25 Open (smtp)
23 Open (telnet)
21 Open (ftp)
254 Open
255 Open
3516 Open
8080 Open (http-proxy)
8644 Open
27134 Open
39436 Open
44257 Open


I looked up some of the un-named ports in that list, and in all of the port listings I looked at, some of the port numbers were skipped....

Some of the ports in that list I know of, 80, 8080 and 21 I knew were open, as I use those regularly. Note as well that both 139 and 137 are closed....




BTW, the telnet port I realised is for one of my routers, not my client PCs.
That's a disturbing number of open ports for a supposedly secure machine - plus the fact you don't know what some of these ports are for is worrying.

What happens if you telnet to them?
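
An added example, not part of any post in the thread: one way to check, on the Linux host itself, which of the ports reported open from outside have a listening process behind them. The listener lines are a constructed sample in the layout of `ss -H -tlnp` (not output from the poster's machine), and the function names are hypothetical.

```shell
#!/bin/sh
# Ports reported open by the outside scan, as quoted in the thread.
SCAN_PORTS="110 80 25 23 21 254 255 3516 8080 8644 27134 39436 44257"

# Constructed sample; on a live host use:  ss -H -tlnp   (as root, for names)
sample_listeners() {
cat <<'EOF'
LISTEN 0 128 0.0.0.0:21 0.0.0.0:* users:(("vsftpd",pid=812,fd=3))
LISTEN 0 128 0.0.0.0:80 0.0.0.0:* users:(("httpd",pid=901,fd=4))
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:* users:(("httpd",pid=901,fd=6))
LISTEN 0 50 0.0.0.0:139 0.0.0.0:* users:(("smbd",pid=1022,fd=31))
LISTEN 0 128 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=655,fd=7))
LISTEN 0 128 [::]:25 [::]:* users:(("master",pid=1200,fd=13))
EOF
}

# classify_ports "PORT LIST" < listener lines
# Prints "port<TAB>process", or NO-LOCAL-LISTENER when nothing on this host
# is bound to that port on a non-loopback address.
classify_ports() {
    awk -v ports="$1" '
    $1 == "LISTEN" {
        addr = $4; port = addr
        sub(/.*:/, "", port)                  # text after the last colon
        sub(/:[0-9]+$/, "", addr)
        if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only
        proc = "unknown-process"              # no -p column without root
        if (match($0, /\(\("[^"]+"/)) proc = substr($0, RSTART + 3, RLENGTH - 4)
        owner[port] = proc
    }
    END {
        n = split(ports, p, " ")
        for (i = 1; i <= n; i++)
            printf "%s\t%s\n", p[i], ((p[i] in owner) ? owner[p[i]] : "NO-LOCAL-LISTENER")
    }'
}

# Ports with no listener here: answered by another device on the path
# (the router itself or a port forward), so look there next.
unexplained_ports() {
    classify_ports "$1" | awk -F'\t' '
        $2 == "NO-LOCAL-LISTENER" { printf "%s%s", sep, $1; sep = " " }
        END { print "" }'
}

sample_listeners | classify_ports "$SCAN_PORTS"
```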
 
Old 06-15-2004, 09:59 AM   #33
TBomb
Member
 
Registered: May 2004
Location: Great Britain
Distribution: Slackware
Posts: 91

Original Poster
Rep: Reputation: 15
Okay, I was going to post this in the security forum, but since I didn't know at that point whether it was a security question, more a question about samba/windows sharing.

I'll have a look at what you all said, so thanks for the help.

Also @ shelby:
Yes I have a wireless router. I've already considered this as a possible exploit. But I think the security on there is adequate. I have WEP enabled (128bit) with Broadcast SSID OFF, also I'm not using the default SSID anyway. I also have enabled MAC address Filtering. I'm pretty happy that an intruder didn't gain access at that point.




Quote:
It could be that one of your machines got a Trojan, and connected out to the hacker to establish a connection, in which case, the firewall wouldn't help much.
Interesting.... I removed a worm (missed the name) from my Windows system a few days ago... That might have something to do with it.

Anyway, thanks for the help, I'll let you know how it goes.
 
Old 06-15-2004, 10:01 AM   #34
TBomb
Member
 
Registered: May 2004
Location: Great Britain
Distribution: Slackware
Posts: 91

Original Poster
Rep: Reputation: 15
a1phaomega, you posted while I was writing my reply, so didn't see it before I posted. I don't think I can telnet to any of the ports on my WAN address from behind my routers. I'll have someone from outside of my network try again tonight.
 
Old 06-15-2004, 10:18 AM   #35
a1phaomega
LQ Newbie
 
Registered: Jun 2004
Location: Wales
Posts: 3

Rep: Reputation: 0
Quote:
Originally posted by TBomb
a1phaomega, you posted while I was writing my reply, so didn't see it before I posted. I don't think I can telnet to any of the ports on my WAN address from behind my routers. I'll have someone from outside of my network try again tonight.
Probably wise - some of those high ports open are worrying - there's a smell of something weird here ;-)
 
  

