Hi there,

On Sat, 2003-04-19 at 14:43, Adam Leach wrote:
Hi,
Thanks for everyone's advice. The attack is still continuing at a rate of around 10 attempts a second. Between around 4pm & 8pm I received just under 65000 attempts just from that one IP address.
That is rather a hefty rate of connection attempts.
SuSE firewall is working well and no degrade in system performance, but some web sites are timing out and it gets a bit annoying.
They should not do that. The firewall should not block you from getting out ideally.
There is definitely no P2P software running at the moment. I had used some before this attack started.
That will up the rate of connection attempts to your machine, but not to the levels you are describing.
I know that I get scanned all the time, however my /var/log/warn file for just yesterday was massive (at least 10MB), today it is well over 30MB.
I wonder how I pissed this person off. Probably because I reported them for sending SPAM or something along those lines.
The system seems really insecure. I just did a simple port scan and found the following services running. I wouldn't normally do that, however the attack has now been going on for nearly 24 hours.
You did not describe from where you did the portscan. What is open on your machine if you scan from that machine might not be open to other hosts. Best is to scan from another host on the same segment of the network.
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on kes.wirehub.nl (195.86.128.45):
(The 1583 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
Do you need to run an ftp server? They are known for being security problems.
22/tcp open ssh
23/tcp open telnet
Switch telnet off as well. Try and only use SSH if you can as that is a lot more secure and ssh does not transmit your password in clear text as telnet does.
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open sunrpc
Are you running some r-services or NFS or something? You probably want to block external access to this service.
443/tcp open https
513/tcp open login
514/tcp open shell
You want to block access to login and shell here (rlogin/rsh) as they are not as secure as ssh.
587/tcp open submission
Your sendmail is configured to use port 587 for mail submission.
1020/tcp open unknown
1021/tcp open unknown
1022/tcp open unknown
1023/tcp open unknown
No idea what these are for, I'd be suspicious of anything that I am not 100% certain of what it is.
2049/tcp open nfs
12346/tcp filtered NetBus
31337/tcp filtered Elite
No idea what the NetBus stuff is, so I'd be naturally suspicious, and the Elite port tells me you have been had, as in hacked. Port 31337 is a known backdoor port.
Nmap run completed -- 1 IP address (1 host up) scanned in 11 seconds
I'm unsure what some of these services are.
If you are unsure of services, query with others what they are for, and if you think you will not use them, switch them off. Of course, if that breaks something you do on a regular basis, switch it back on, but perhaps limit external access to your machine. From what things look like, your box has been hacked. I am a pessimist, so I might be wrong, but if I were you, I'd isolate that box from the net, completely, then try and find a root-kit detector somewhere and try and find out how they got onto your box. Needless to say, if you were hacked, wipe the system and re-install from scratch to make sure there is no chance of anything they left behind to come back and haunt you.
Regards
Adam
HTH and Rgds,
--
Anders Karlsson
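As an added example (not code from the original thread or from either poster), the following Python script takes the nmap 3.00 output quoted above, re-flowed one entry per line, parses it, and applies a small triage policy built from the advice in the reply: cleartext login services (ftp, telnet, rlogin/rsh), RPC/NFS that should not be reachable from outside, unidentified ports, and the two well-known backdoor ports. The policy table, the severity labels and the set of "expected" services are assumptions of this example, not anything nmap itself reports.

```python
"""Triage an nmap 3.00 port listing for legacy and risky services.

Added example, not part of the original mailing-list message. The policy
table below is an assumption of this example: it encodes the advice given
in the reply, not any output of nmap.
"""
import re

# Sample input: the scan quoted in the message, re-flowed one entry per
# line in nmap 3.00's "<port>/<proto> <state> <service>" layout.
NMAP_OUTPUT = """\
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on kes.wirehub.nl (195.86.128.45):
(The 1583 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
23/tcp     open        telnet
25/tcp     open        smtp
53/tcp     open        domain
80/tcp     open        http
111/tcp    open        sunrpc
443/tcp    open        https
513/tcp    open        login
514/tcp    open        shell
587/tcp    open        submission
1020/tcp   open        unknown
1021/tcp   open        unknown
1022/tcp   open        unknown
1023/tcp   open        unknown
2049/tcp   open        nfs
12346/tcp  filtered    NetBus
31337/tcp  filtered    Elite
Nmap run completed -- 1 IP address (1 host up) scanned in 11 seconds
"""

# Matches only the per-port lines; banner and summary lines are skipped.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")

# Policy table (assumption of this example): port -> (severity, advice).
POLICY = {
    21: ("medium", "ftp: cleartext credentials; disable unless required"),
    23: ("high", "telnet: cleartext login; switch off and use ssh"),
    111: ("medium", "sunrpc: block external access"),
    513: ("high", "rlogin: block or disable, use ssh"),
    514: ("high", "rsh: block or disable, use ssh"),
    2049: ("medium", "nfs: block external access"),
    12346: ("high", "NetBus: known backdoor port"),
    31337: ("high", "31337 ('Elite'): known backdoor port"),
}
# Services the reply treats as legitimate on this box (assumption).
EXPECTED = {22, 25, 53, 80, 443, 587}


def parse_ports(text):
    """Return (port, proto, state, service) tuples from nmap 3.00 output."""
    entries = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return entries


def triage(entries):
    """Attach a severity and a piece of advice to every scanned port.

    Note that a 'filtered' state only means the probes were dropped by a
    filter; confirm with netstat/lsof on the host before concluding that
    a listener really exists behind such a port.
    """
    findings = []
    for port, proto, state, service in entries:
        if port in POLICY:
            sev, advice = POLICY[port]
        elif service == "unknown":
            sev, advice = "medium", "unknown service: identify with netstat/lsof or switch off"
        elif port in EXPECTED:
            sev, advice = "info", f"{service}: expected service"
        else:
            sev, advice = "low", f"{service}: not in policy; confirm it is needed"
        findings.append({"port": port, "proto": proto, "state": state,
                         "service": service, "severity": sev, "advice": advice})
    return findings


def summary(findings):
    """Count findings per severity, e.g. {'high': 5, 'medium': 7, 'info': 6}."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    order = ["high", "medium", "low", "info"]
    results = triage(parse_ports(NMAP_OUTPUT))
    for r in sorted(results, key=lambda d: order.index(d["severity"])):
        print(f"{r['severity']:6} {r['port']:>5}/{r['proto']} {r['state']:8} {r['advice']}")
    print(summary(results))
```

Run against the quoted scan, the script lists the five high-severity items first (telnet, rlogin, rsh and the two backdoor ports), then the seven medium ones (ftp, sunrpc, nfs and the four unidentified 1020-1023 listeners), which matches the order in which the reply suggests dealing with them.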