Re: SV: SV: [SLE] Server 10.0 sending a lot of packs.
On Saturday 16 September 2006 00:28, Tage Danielsen wrote:
linux:~ # netstat -anp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:904             0.0.0.0:*               LISTEN
Whoa, missed that one above...
Are you running VMware Server in this machine? Are you running Windows in VMware? If so, is it using bridged virtual NICs?
Yes, I am running VMware and Windows with bridged NICs.
So what's upstream? What router is in front of this machine? Is it secure? Because the Windows machine is listening to the world. I would check what ports are forwarded by your upstream router to this machine. And I would investigate what Anders pointed out about syslog. I'd seriously lock down that router of yours, and perhaps take this machine off the net till you can explain those connections.
-- 
_____________________________________
John Andersen
Yes, I am running VMware and Windows with bridged NICs.
So what's upstream? What router is in front of this machine? Is it secure? Because the Windows machine is listening to the world.
The Windows machine is not listening to the world, except 904.
I would check what ports are forwarded by your upstream router to this machine.
No ports are forwarded to the Windows machine.
And I would investigate what Anders pointed out about syslog. I'd seriously lock down that router of yours, and perhaps take this machine off the net till you can explain those connections.
Nobody can access the syslogd from the outside world now.
On Saturday 16 September 2006 10:41, Tage Danielsen wrote:
Yes, I am running VMware and Windows with bridged NICs.
So what's upstream? What router is in front of this machine? Is it secure? Because the Windows machine is listening to the world.
The Windows machine is not listening to the world, except 904.
Port 904 is listened to by xinetd on your Linux machine, not your Windows virtual machine. Could it be the VMware console?
Nobody can access the syslogd from the outside world now.
The point is that through one of the services you have running on this machine that accept connections from anywhere (samba, something you are running in apache or whatever) you have been hacked. syslogd is not supposed to be running on your machine at all. SUSE uses syslog-ng, not syslogd. You have a rootkit on your machine, and it is not a good idea to keep using it.

I would suggest a reinstall, and before you put the machine back on the internet, make sure all security updates are installed, and go through the services you are offering on this machine and make sure they are all secure (and needed. Running samba against the internet is not a very good idea).

At the moment there is no evidence that whoever hacked your machine has root, so it may be that it's just some "remote execute commands" hole in some web service, but it's still not advisable to keep running the machine as if nothing happened and just plug things up with a firewall. You already have malicious code on your machine, and you have no idea what it's told to do.
On Saturday 16 September 2006 00:49, Anders Johansson wrote:
syslogd is not supposed to be running on your machine at all. SUSE uses syslog-ng, not syslogd.
When did they switch? With 10.0? SLES 9 still uses syslog, but my 10.1 machine uses syslog-ng? Tage has BOTH running!! I think he's likely rooted, and I'm betting they DO have root.
-- 
_____________________________________
John Andersen
On Saturday 16 September 2006 11:03, John Andersen wrote:
and I'm betting they DO have root.
Maybe, but I can't see anything that says so definitely. For instance, syslogd is listening to unprivileged ports. But it also looks like he has webmin listening to the world, so anything is possible.
When did they switch? With 10.0?
SLES 9 still uses syslog, but my 10.1 machine uses syslog-ng?
Tage has BOTH running!!
I think he's likely rooted, and I'm betting they DO have root.
Maybe the result is a reinstall, but I would still like to find where the hole is; if it is general I will be hacked again. My 10.1 is an upgrade from 9.3, maybe that is the reason for both syslogd and syslog-ng??
/tage
-- 
_____________________________________
John Andersen
On Saturday 16 September 2006 11:10, Tage Danielsen wrote:
When did they switch? With 10.0?
SLES 9 still uses syslog, but my 10.1 machine uses syslog-ng?
Tage has BOTH running!!
I think he's likely rooted, and I'm betting they DO have root.
Maybe the result is a reinstall, but I would still like to find where the hole is; if it is general I will be hacked again.
To start with, what do you have running in your apache? You also have webmin listening to the world. And samba and cups. Go through the log files from those services around the time when the strange traffic started happening, and see if you see anything unusual. But please take the machine off the internet while you're investigating.
My 10.1 is an upgrade from 9.3, maybe that is the reason for both syslogd and syslog-ng??
No. First of all, no normal syslogd will connect to an IRC server. Secondly, 9.3 was already using syslog-ng. It is part of a rootkit.
On Saturday 16 September 2006 01:10, Tage Danielsen wrote:
When did they switch? With 10.0?
SLES 9 still uses syslog, but my 10.1 machine uses syslog-ng?
Tage has BOTH running!!
I think he's likely rooted, and I'm betting they DO have root.
Maybe the result is a reinstall, but I would still like to find where the hole is,
Try this: http://www.chkrootkit.org/
if it is general I will be hacked again.
It's not general, or this mailing list would be filled with messages about getting rooted. SUSE installs very securely, unlike some other Linux distributions.
-- 
_____________________________________
John Andersen
Try this: http://www.chkrootkit.org/
if it is general I will be hacked again.
I found that if I reboot the server and do not start apache, the strange processes do not come, and I would like to know whether I can surely move all the homepage?
/tage
On Saturday 16 September 2006 00:49, Anders Johansson wrote:
syslogd is not supposed to be running on your machine at all. SUSE uses syslog-ng, not syslogd.
When did they switch? With 10.0?
SLES 9 still uses syslog, but my 10.1 machine uses syslog-ng?
Tage has BOTH running!!
I think he's likely rooted, and I'm betting they DO have root.
Now I have shut down syslog; let's see if the net goes down again?
/tage
-- 
_____________________________________
John Andersen
On Saturday 16 September 2006 11:03, John Andersen wrote:
On Saturday 16 September 2006 00:49, Anders Johansson wrote:
syslogd is not supposed to be running on your machine at all. SUSE uses syslog-ng, not syslogd.
When did they switch? With 10.0?
SLES 9 still uses syslog, but my 10.1 machine uses syslog-ng?
It was changed in 9.2 or 9.3, I forget which.
What is this?

tcp 0 22 10.10.10.240:41277 85.25.60.140:9870 ESTABLISHED 11804/httpds

/tage
On Saturday 16 September 2006 01:27, Tage Danielsen wrote:
What is this?
tcp 0 22 10.10.10.240:41277 85.25.60.140:9870 ESTABLISHED 11804/httpds
/tage
Looks like a secure connection to your web server... Maybe webmin or something?
-- 
_____________________________________
John Andersen
On Saturday 16 September 2006 11:27, Tage Danielsen wrote:
What is this?
tcp 0 22 10.10.10.240:41277 85.25.60.140:9870 ESTABLISHED 11804/httpds
Someone in Germany connected over SSL to a web server running on your machine.
On Saturday 16 September 2006 11:27, Tage Danielsen wrote:
What is this?
tcp 0 22 10.10.10.240:41277 85.25.60.140:9870 ESTABLISHED 11804/httpds
Sorry, disregard my previous mail, I wasn't thinking. You have a process on your machine called httpds, I have no idea what that is, but whatever it is, it is connecting to a machine in Germany.
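The two things this thread keys on, a service bound to all interfaces and an outbound connection from a process that has no business making one (a "syslogd" talking to IRC, an unknown "httpds" talking to a host on port 9870), can be pulled out of `netstat -anp` output mechanically. This is an added example, not code from the thread or from SUSE; the sample output is constructed (only the httpds line is the one Tage quoted), and the IRC port list, the local-only daemon list and the expected outbound ports are assumptions to adjust per host.

```python
# Constructed `netstat -anp` sample: the httpds line is the one quoted in the thread,
# the rest is made up here (198.51.100.x and 203.0.113.x are documentation ranges).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address      Foreign Address    State       PID/Program name
tcp        0      0 0.0.0.0:904        0.0.0.0:*          LISTEN      4321/xinetd
tcp        0      0 0.0.0.0:443        0.0.0.0:*          LISTEN      2200/httpd2-prefork
tcp        0      0 0.0.0.0:10000      0.0.0.0:*          LISTEN      4400/perl
tcp        0      0 127.0.0.1:631      0.0.0.0:*          LISTEN      4500/cupsd
tcp        0     22 10.10.10.240:41277 85.25.60.140:9870  ESTABLISHED 11804/httpds
tcp        0      0 10.10.10.240:51234 198.51.100.7:6667  ESTABLISHED 11900/syslogd
tcp        0      0 10.10.10.240:443   203.0.113.5:52110  ESTABLISHED 2201/httpd2-prefork
"""

IRC_PORTS = set(range(6660, 6670)) | {7000}   # assumed list of common IRC server ports
LOCAL_ONLY = {"syslogd", "syslog-ng", "cupsd", "smbd", "nmbd"}  # daemons that never dial out
EXPECTED_OUT = {80, 443}   # assumed: the only remote ports this host should be reaching

def parse_netstat(text):
    # One dict per TCP socket line; the header, udp and unix-socket lines are skipped.
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 7 or not f[0].startswith("tcp"):
            continue
        lhost, lport = f[3].rsplit(":", 1)
        rhost, rport = f[4].rsplit(":", 1)
        prog = f[6].partition("/")[2] or f[6]   # "11804/httpds" -> "httpds"
        rows.append({"lhost": lhost, "lport": lport, "rhost": rhost,
                     "rport": rport, "state": f[5], "prog": prog})
    return rows

def triage(text):
    # Returns (program, local, remote, reasons) for every socket the admin must explain.
    rows = parse_netstat(text)
    listening = {r["lport"] for r in rows if r["state"] == "LISTEN"}
    findings = []
    for r in rows:
        reasons = []
        if r["state"] == "LISTEN" and r["lhost"] in ("0.0.0.0", "::"):
            reasons.append("bound to all interfaces: reachable from the world unless filtered upstream")
        elif r["state"] == "ESTABLISHED" and r["lport"] not in listening:
            port = int(r["rport"])   # local port is not a listener, so this host dialled out
            if r["prog"] in LOCAL_ONLY:
                reasons.append("daemon that should never open outbound TCP (rootkit impostor?)")
            if port in IRC_PORTS:
                reasons.append("remote port is an IRC port: typical bot control channel")
            elif port not in EXPECTED_OUT:
                reasons.append("outbound to an unexpected port: identify the process first")
        if reasons:
            findings.append((r["prog"], f"{r['lhost']}:{r['lport']}", f"{r['rhost']}:{r['rport']}", reasons))
    return findings
```

Inbound client connections to ports the host itself listens on (the 443 line from 203.0.113.5) are deliberately not flagged; the loopback-only cupsd listener is not flagged either.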
On Saturday 16 September 2006 00:41, Tage Danielsen wrote:
The Windows machine is not listening to the world, except 904.
That's not the Windows machine listening on 904, Tage, that's vmware-server. With bridged NICs your Windows machine aliases your NIC (clones) and gets another IP, and I'm not sure if its connections show up in netstat or not. Never tried that. The only reason I mention this is because with Windows in VMware, are you sure the traffic bursts are coming from Linux? Maybe they are from Windows?
-- 
_____________________________________
John Andersen
participants (3)
- Anders Johansson
- John Andersen
- Tage Danielsen