[olug] compromised again

Phil Brutsche pbrutsch at creighton.edu
Sun Oct 1 20:52:51 UTC 2000


A long time ago, in a galaxy far, far away, someone said...

> I just realized I have bigger problems than my previous post's X server
> permissions. A few days ago my logcheck kept e-mailing me about an IP that
> was trying to connect to port 25 but the connection was refused. This
> went on for 4 hours. I dropped the IP into hosts.deny and thought that
> was the end of it.

hosts.deny isn't a total solution - it doesn't work with services that
don't use tcpwrappers.

> Now I realize I should have disconnected from the net after this went
> on for an hour or 2, a hard lesson learned. He/she must have got in
> because I found this script in my cron.daily:

> #!/bin/sh
> /sbin/chkconfig innd && su - news -c /usr/bin/nntpsend

It's not necessarily something an attacker put on your system - my best
guess is that it's something needed to keep your nntp server in sync with
the rest of the world.

> ...it was executable so I chmoded it to 040 so I could read it
> and paste it to you. I'm no programmer but with su and send in it it
> doesn't look good. Maybe one of you could tell me what it does. I can't
> paste the last line logcheck e-mailed me with his/her IP in it because
> I can't get into X and none of my console e-mail progs were configured
> so none of them have the message, but it went something like
> this: his IP>xxx.xxx.xxx.xxx relay my_isps_domain_name.com. Does
> this ring a bell to any of you as far as to how he/she may have got
> in?

Doesn't ring a bell here.  I think you're overreacting :)

> I'm going to wipe my O/S clean (again....argh) but I sure would like
> to know how he/she got in so I can plug that hole :) I have port 25 open
> so my news server can connect to it but I guess there's no way around
> that.

If you needed to have port 25 open it would have been easier to add the
following to your ipchains rules:

ipchains -A input -s 127.0.0.1 -d 0/0 25 -p tcp -j ACCEPT
ipchains -A input -s <your cox ip number here> -d 0/0 25 -p tcp -j ACCEPT

Personally I think you'd be a good candidate for a Linksys Cablemodem/DSL
router.  Basically it's a hardware firewall that sits between you and your
ISP.  They're not that expensive (I don't think so, at least :) and as
long as you don't enable any of the "virtual servers" (what it calls port
forwarding) any and all incoming new connections are "dropped on the
floor".

If that's not an option and you have a spare PC laying around I can help
you get a really locked down firewall (separate from your main PC)
running.

-- 
----------------------------------------------------------------------
Phil Brutsche					pbrutsch at creighton.edu

"There are two things that are infinite; Human stupidity and the universe.
And I'm not sure about the universe." - Albert Einstein
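An added example, not part of Phil's reply or the original poster's message: a small first-match evaluator for ipchains-style rules, used to check what the two ACCEPT lines above actually permit. ipchains evaluated the input chain top to bottom, first match wins, and fell through to the chain's default policy (set with `ipchains -P input ...`), so the same two rules behave very differently on top of a DENY policy versus an ACCEPT policy. `192.0.2.10` is a documentation address standing in for "<your cox ip number here>", `10.0.0.5` is a constructed address for the poster's own host, and the parser only covers the options those two rules use; none of these are from the page.

```python
"""First-match evaluator for ipchains-style 'input' chain rules (toy model)."""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: Optional[int]   # None means "any source port"
    dport: Optional[int]   # None means "any destination port"
    proto: Optional[str]   # None means "any protocol"
    target: str            # ACCEPT or DENY


def _net(spec: str) -> ipaddress.IPv4Network:
    """ipchains wrote 'anywhere' as 0/0; ipaddress wants 0.0.0.0/0."""
    if spec == "0/0":
        spec = "0.0.0.0/0"
    return ipaddress.ip_network(spec, strict=False)


def parse_rule(line: str) -> Rule:
    """Parse one 'ipchains -A input ...' command line into a Rule.

    Only -s/-d address[/mask] [port], -p and -j are handled, which is all
    the rules on the page use (an assumption of this toy, not of ipchains).
    """
    argv = shlex.split(line)
    if argv[:3] != ["ipchains", "-A", "input"]:
        raise ValueError("only 'ipchains -A input' rules are modelled")
    src = dst = _net("0/0")
    sport = dport = proto = target = None
    i = 3
    while i < len(argv):
        opt = argv[i]
        if opt in ("-s", "-d"):
            net = _net(argv[i + 1])
            i += 2
            port = None
            # ipchains let a bare port number follow the address
            if i < len(argv) and not argv[i].startswith("-"):
                port = int(argv[i])
                i += 1
            if opt == "-s":
                src, sport = net, port
            else:
                dst, dport = net, port
        elif opt == "-p":
            proto = argv[i + 1].lower()
            i += 2
        elif opt == "-j":
            target = argv[i + 1].upper()
            i += 2
        else:
            raise ValueError(f"unsupported option {opt}")
    if target not in ("ACCEPT", "DENY"):
        raise ValueError("rule needs -j ACCEPT or -j DENY")
    return Rule(src, dst, sport, dport, proto, target)


class InputChain:
    """First-match evaluation with a default policy, like 'ipchains -P input'."""

    def __init__(self, policy: str):
        self.policy = policy.upper()
        self.rules: List[Rule] = []

    def add(self, line: str) -> None:
        self.rules.append(parse_rule(line))

    def verdict(self, src: str, dst: str, dport: int, proto: str,
                sport: int = 0) -> str:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for r in self.rules:
            if (s in r.src and d in r.dst
                    and (r.proto is None or r.proto == proto.lower())
                    and (r.sport is None or r.sport == sport)
                    and (r.dport is None or r.dport == dport)):
                return r.target
        return self.policy  # nothing matched: the chain policy decides


# Placeholder for "<your cox ip number here>": a documentation address,
# not the poster's real ISP mail relay.
ISP_RELAY = "192.0.2.10"


def build_chain(policy: str) -> InputChain:
    """The two ACCEPT rules from the reply, on top of the given default policy."""
    chain = InputChain(policy)
    chain.add("ipchains -A input -s 127.0.0.1 -d 0/0 25 -p tcp -j ACCEPT")
    chain.add(f"ipchains -A input -s {ISP_RELAY} -d 0/0 25 -p tcp -j ACCEPT")
    return chain


if __name__ == "__main__":
    me = "10.0.0.5"  # constructed address for the poster's own host
    for policy in ("DENY", "ACCEPT"):
        chain = build_chain(policy)
        print(f"default policy {policy}:")
        for src in ("127.0.0.1", ISP_RELAY, "203.0.113.7"):
            print(f"  {src:>12} -> tcp/25 {chain.verdict(src, me, 25, 'tcp')}")
        print(f"  {'203.0.113.7':>12} -> tcp/80 {chain.verdict('203.0.113.7', me, 80, 'tcp')}")
```

Running it shows the point worth checking before trusting the two lines: with the chain policy at DENY, only localhost and the relay reach tcp/25 and everything else (other ports, other protocols, other sources) is refused at the packet filter, below tcpwrappers, so it also covers the services hosts.deny cannot; with the policy left at ACCEPT, the two rules change nothing and the scanning host still gets through to port 25.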

