Mailinglist Archive: opensuse-security (363 mails)

Re: [suse-security] have I been invaded?
  • From: Richard <ratcheson@xxxxxxxxxxxxx>
  • Date: 03 Jun 2003 17:05:10 -0500
  • Message-id: <1054677909.3114.59.camel@xxxxxxxxxxxxxxxxxxxx>
On Tue, 2003-06-03 at 14:24, Eduard Avetisyan wrote:
> Hi Richard,
>
> Sorry, can't get any useful hint for your routing table.
> But I'd very much like to know more about the rootkit and the
> hole used for getting in your machine. As far as I understood,
> you're running a firewall, so shouldn't be too easy for an
> intruder? (read: I'm running an 8.2 too, and without a decent
> firewall, so would like to know where to expect a hit from ,-)
> Maybe a fix for it can make it into the next security update?
>
> Good luck
> Ed

I went surfing bareback is what caused my problem! I'm on cable and
always playing with my machine. Occasionally I would stop and clear
Shorewall to find out why my machine wouldn't let me or my other subhosts
get on the net. It was probably during one of those excursions that it
happened. If you don't have a good firewall you have probably been hit
already.

My logs showed that I was constantly being scanned for port 80 and the
other Windows-based ports like 443 and 1434. Also I saw a lot of
scans by Korean and Chinese URLs hitting my higher ports like 27374.
One day I noticed things were not quite right. It's hard to describe
what was going on, so I downloaded and fired up the chkrootkit app and
sure enough, I had been invaded.

Following the advice of others, I reformatted and reinstalled
everything. Not a fun process as I had a lot of neat things like
MPlayer working perfectly. After saving my /home stuff to a CD I did the
reformatting and reinstalling. Now I am very careful to unplug the
cable modem whenever I decide to kill the firewall. I also run the
chkrootkit thing periodically.

As I am a long way from being a security expert I have learned to be
careful and seek advice from those who know a lot more than I. I have
also been a lot more cautious. I periodically go on GRC.com and let
them scan a few ports and they show that the ports they look at are in
stealth mode.

Bottom line, get a good, easy firewall and be careful what you allow
in. I like Shorewall because it is easy to use and the support by the
author is outstanding, as is the documentation. I find SuSEfirewall too
confusing and I really don't want to know how to set up the iptables.
Shorewall does the translation for me.

As to my current problem, I'm not sure my machine has been invaded but
the routing gateway is different so I am looking for anyone that can
tell me what is going on. It may be that when I DHCP my isp for my IP
they are changing it but I sure would like to know. From all I can see
using online port scanners, my box is fairly well secured.

I hope my rambling did not get too off topic and answered your questions.
Give a look at www.blackcode.com.
Regards,
Richard
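Richard describes reading his firewall logs and noticing repeated probes of ports 80, 443, 1434 and 27374 before chkrootkit confirmed the compromise. The following is an added example, not code from the thread or from the Shorewall project, that turns that kind of eyeballing into a small check: it parses netfilter-style LOG lines of the sort Shorewall writes via iptables (the exact prefix and field layout are assumed here), counts how often each destination port is hit, and flags any source address that probes several distinct ports. All log lines, hostnames and addresses are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (assumed Shorewall/iptables LOG format).
# Addresses come from the RFC 5737 documentation ranges; nothing here is real traffic.
SAMPLE_LOG = """\
Jun  3 14:22:01 box kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=4211 DPT=80
Jun  3 14:22:03 box kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=4212 DPT=443
Jun  3 14:22:05 box kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=UDP SPT=4213 DPT=1434
Jun  3 14:22:09 box kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=4214 DPT=27374
Jun  3 14:30:44 box kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=80
Jun  3 14:31:02 box kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=80
Jun  3 14:40:00 box kernel: some unrelated kernel message
"""

# KEY=VALUE fields that the netfilter LOG target emits; we only need a few.
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")


def parse_line(line):
    """Return a dict with src/dst/proto/spt/dpt for a firewall log line,
    or None if the line is not a netfilter LOG record (no SRC and DPT)."""
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "DPT" not in fields:
        return None
    return {
        "src": fields["SRC"],
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "spt": int(fields["SPT"]) if "SPT" in fields else None,
        "dpt": int(fields["DPT"]),
    }


def parse_log(text):
    """Parse every line of a log, silently skipping non-firewall lines."""
    records = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            records.append(rec)
    return records


def port_counts(text):
    """How many dropped packets were aimed at each destination port."""
    return Counter(rec["dpt"] for rec in parse_log(text))


def suspected_scanners(text, min_ports=3):
    """Sources that touched at least `min_ports` distinct destination ports.
    One host hammering a single port is noise; one host walking several
    ports in a short window is the pattern worth a closer look."""
    ports_by_src = defaultdict(set)
    for rec in parse_log(text):
        ports_by_src[rec["src"]].add(rec["dpt"])
    return {
        src: sorted(ports)
        for src, ports in ports_by_src.items()
        if len(ports) >= min_ports
    }


if __name__ == "__main__":
    for port, n in port_counts(SAMPLE_LOG).most_common():
        print(f"port {port}: {n} dropped packets")
    for src, ports in suspected_scanners(SAMPLE_LOG).items():
        print(f"possible scanner {src} probed ports {ports}")
```

To run it against a real Shorewall log, replace SAMPLE_LOG with the contents of the file the LOG target writes to (typically the messages or firewall log under /var/log) and adjust the threshold in suspected_scanners to taste; the parser only relies on the SRC=/DPT= fields, so it tolerates differences in the log prefix.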


