Mailinglist Archive: opensuse-security (636 mails)

RE: [suse-security] compromised?
  • From: Boris Lorenz <bolo@xxxxxxx>
  • Date: Fri, 09 Feb 2001 10:49:32 +0100 (MET)
  • Message-id: <XFMail.010209104932.bolo@xxxxxxx>

On 08-Feb-01 Achim Ehrlich wrote:
> Hello list,
>
> I'm running a little home network and scan my messages only occasionally.
> Today I found that my /var/log/messages was flooded with the following
> messages from ipchains:
>
> Jan 24 00:00:58 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 213.93.2.117:64834 213.23.38.146:6346 L=48 S=0x00 I=11174 F=0x4000 T=107 SYN(#3)
> Jan 24 00:00:59 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 168.95.0.198:38071 213.23.38.146:6346 L=44 S=0x00 I=46941 F=0x4000 T=237 SYN(#3)
> Jan 24 00:00:59 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 168.95.0.11:56795 213.23.38.146:6346 L=44 S=0x00 I=9 F=0x4000 T=236 SYN (#3)
> Jan 24 00:00:59 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 24.176.200.234:4734 213.23.38.146:6346 L=48 S=0x00 I=53948 F=0x4000 T=112 SYN (#3)
[...]
> This went on for hours. Afterwards there were similar messages, the access
> port varying, but 6346 and 27374 being the most often used ones. It was not
> this long anymore, though. I looked up the ports in /etc/services but found
> no service attached to them. Sometimes it was also followed up by a try to
> access my box on port 22 or 80 by one of the addresses (denied also). I also
> ran netstat -apln; the only entries I couldn't explain were:
>
> tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
> 120/
> tcp 0 0 0.0.0.0:20011 0.0.0.0:* LISTEN
> 61/

The connection attempts were made to the dynamic IP assigned to you by your
ISP on port 6346, which is gnutella-svc. Maybe you used gnutella to upload or
download files. The connection attempts (coming from an IP range assigned to
Chunghwa Telecom, Taipei, Taiwan) may have been caused by a user of this
network desperately trying to download a file you offered as shareable via
gnutella.

On the other hand, port 27374 is used by a trojan called SubSeven, a malware
for Win. If the scans to either 6346 or 27374 come from the same IP addresses,
the person on the other end may be up to finding some vulnerable Windows boxes
to take over.

If these scans go on, do a whois on the particular IP(s) and try to get in
touch with the provider. Most of them do have some sort of security/acceptable
use policy which forbids such actions. At least, give it a try...

> I'm quite worried about all these because although my firewall denies all
> these packages, there seems to be a program running which broadcasts my
> dynamic IP address when connected to the internet. This makes me feel quite
> uncomfortable.
> I also added two new rules now to my firewall script, rejecting outgoing
> requests to ports 6346 and 27374, to be able to trace this matter further.
> Until now nothing showed up.

As shown from your log file excerpts the connection attempts to both ports were
made FROM the net TO your home system. IMO a logging rule for outgoing
connection attempts may be obsolete.

> I have only a basic understanding of all these things, so please can
> somebody tell me if this is now a compromise or am I paranoid?
> Is it also possible that it is not the Linux server but a client which is
> compromised? It would be an Apple box in this case.
> It's a SuSE 6.4 box with firewalling/masquerading. The firewall script is my
> own (at least partially).
> thx for any help
>
> achim

---
Boris Lorenz <bolo@xxxxxxx>
System Security Admin *nix - *nux
---
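The log parsing and port correlation the reply suggests, as an added example that is not part of the original thread: ipchains "Packet log" lines are parsed, DENY entries are grouped by destination port, and source addresses that probed both 6346 and 27374 are listed. The first four sample lines are the ones quoted above; the 192.0.2.10 and sshd lines are constructed.

```python
import re
from collections import defaultdict

# ipchains (kernel 2.2) "Packet log" layout: chain verdict iface PROTO=n src:sport dst:dport ...
IPCHAINS_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)
# Sample input: first four lines quoted from the thread, the rest constructed
# (192.0.2.10 is a documentation address standing in for a hypothetical scanner).
SAMPLE_LOG = [
    "Jan 24 00:00:58 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 213.93.2.117:64834 213.23.38.146:6346 L=48 S=0x00 I=11174 F=0x4000 T=107 SYN(#3)",
    "Jan 24 00:00:59 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 168.95.0.198:38071 213.23.38.146:6346 L=44 S=0x00 I=46941 F=0x4000 T=237 SYN(#3)",
    "Jan 24 00:00:59 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 168.95.0.11:56795 213.23.38.146:6346 L=44 S=0x00 I=9 F=0x4000 T=236 SYN (#3)",
    "Jan 24 00:00:59 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 24.176.200.234:4734 213.23.38.146:6346 L=48 S=0x00 I=53948 F=0x4000 T=112 SYN (#3)",
    "Jan 24 00:01:03 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 192.0.2.10:4100 213.23.38.146:6346 L=48 S=0x00 I=1 F=0x4000 T=112 SYN (#3)",
    "Jan 24 00:01:04 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 192.0.2.10:4101 213.23.38.146:27374 L=48 S=0x00 I=2 F=0x4000 T=112 SYN (#3)",
    "Jan 24 00:01:05 coalmine sshd[211]: Accepted password for achim from 10.0.0.2",  # constructed, not a packet log
]

def parse_line(line):
    """Return the packet fields of an ipchains log line, or None for any other line."""
    m = IPCHAINS_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def denied_by_port(lines):
    """Map destination port -> set of source IPs whose packets were DENYed."""
    by_port = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["verdict"] == "DENY":
            by_port[rec["dport"]].add(rec["src"])
    return dict(by_port)

def sources_hitting_both(by_port, a=6346, b=27374):
    """Sources that probed both ports: the correlation the reply suggests checking."""
    return sorted(by_port.get(a, set()) & by_port.get(b, set()))

if __name__ == "__main__":
    by_port = denied_by_port(SAMPLE_LOG)
    for port, srcs in sorted(by_port.items()):
        print(f"port {port}: {len(srcs)} source(s) denied")
    print("sources that hit both 6346 and 27374:", sources_hitting_both(by_port))
```

Run it against the real /var/log/messages instead of SAMPLE_LOG to get the per-port view before doing the whois lookups the reply recommends.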
