[olug] compromised again

mesc mescie at home.com
Sun Oct 1 16:13:32 UTC 2000


Ok......I have these rules in there now.
ipchains -A input -p tcp -s 0/0 25 -d 0/0 1024: -j ACCEPT
ipchains -A input -p udp -s 0/0 25 -d 0/0 1024: -j ACCEPT
I'm guessing the udp protocol isn't needed at all. These rules were given to me
by another person in olug so I have no clue what 1024 is either :) The -s 0/0
just means source ip of anywhere correct? In any case I'm going to put your
rules in rc.firewall and take the current rules for port 25 out.
    I think I'm a good candidate too for the Linksys Cablemodem/DSL router, at
least until I understand firewall rules better because I'm sick of getting
cracked and reinstalling my o/s.
Do you by chance know an address for their homepage?

            Thank you, Gary Martin


Phil Brutsche wrote:

> A long time ago, in a galaxy far, far way, someone said...
>
> >  I just realized I have bigger problems than my previous post x server
> > permissions. A few days ago my logcheck kept e-mailing me about an ip that
> > was trying to connect to port 25 but the connection was refused. This
> > went on for 4 hours. I dropped the ip into hosts.deny and thought that
> > was the end of it.
>
> hosts.deny isn't a total solution - it doesn't work with services that
> don't use tcpwrappers.
>
> > Now I realize I should have disconnected from the net after this went
> > on for an hour or 2, a hard lesson learned. He/she must have got in
> > because I found this script in my cron.daily..
>
> > #!/bin/sh
> > /sbin/chkconfig innd && su - news -c /usr/bin/nntpsend
>
> It's not necessarily something an attacker put on your system - my best
> guess is that it's something needed to keep your nntp server in sync with
> the rest of the world.
>
> > ........it was executable so I chmoded it to 040 so I could read it
> > and paste it to you. I'm no programmer but with su and send in it it
> > doesn't look good. Maybe one of you could tell me what it does. I can't
> > paste the last line logcheck e-mailed me with his/her ip in it because
> > I can't get into x and none of my console e-mail progs were configured
> > so none of them have the message but it went something like
> > this.....his ip>xxx.xxx.xxx.xxx relay my_isps_domain_name.com. Does
> > this ring a bell to any of you as far as to how he/she may have got
> > in?
>
> Doesn't ring a bell here.  I think you're overreacting :)
>
> > I'm going to wipe my o/s clean (again....argh) but I sure would like
> > to know how he/she got in so I can plug that hole :) I have port 25 open
> > so my news server can connect to it but I guess there's no way around
> > that.
>
> If you needed to have port 25 open it would have been easier to add the
> following to your ipchains rules:
>
> ipchains -A input -s 127.0.0.1 -d 0/0 25 -p tcp -j ACCEPT
> ipchains -A input -s <your cox ip number here> -d 0/0 25 -p tcp -j ACCEPT
>
> Personally I think you'd be a good candidate for a Linksys Cablemodem/DSL
> router.  Basically it's a hardware firewall that sits between you and your
> ISP.  They're not that expensive (I don't think so, at least :) and as
> long as you don't enable any of the "virtual servers" (what it calls port
> forwarding) any and all incoming new connections are "dropped on the
> floor".
>
> If that's not an option and you have a spare PC laying around I can help
> you get a really locked down firewall (separate from your main PC)
> running.
>
> --
> ----------------------------------------------------------------------
> Phil Brutsche                                   pbrutsch at creighton.edu
>
> "There are two things that are infinite; Human stupidity and the universe.
> And I'm not sure about the universe." - Albert Einstein
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: olug-unsubscribe at bstc.net
> For additional commands, e-mail: olug-help at bstc.net


---------------------------------------------------------------------
To unsubscribe, e-mail: olug-unsubscribe at bstc.net
For additional commands, e-mail: olug-help at bstc.net
