Re: Hacked ???

asterisk_at_marnock.net
Date: 07/28/05

  • Next message: Mark Teicher: "VoIP testing Help"
    To: security-basics@securityfocus.com
    Date: Thu, 28 Jul 2005 06:12:48 +0100
    
    

    Hello All,

    First of all I'd like to say a big thank you to everyone who provided
    information to help me track down this problem. The good news is that my
    box hadn't been compromised (phew!!!) but as always it was something I'd
    done (not intentionally!). To cut a long story short, I have one NIC
    in this box and the box is a transparent proxy for all internal users.
    What I hadn't done with my iptables prerouting was specify the source as
    the internal network. This meant, because of my mistake, that any request
    from the net to my site would get the site via my proxy. Obviously,
    someone was scanning for open proxies and came across my site. I've now
    altered my iptables script and everything seems OK now. Still a lot of
    hits but I don't think they are getting what they think. Shame!

    Thanks again!

    Phil.

    From: Fernando Amatte <famatte@gmail.com>
    To: "asterisk@marnock.net" <asterisk@marnock.net>
    cc: security-basics@securityfocus.com
    Date: 26/07/2005 19:45
    Subject: Re: Hacked ???
    Please respond to: Fernando Amatte <famatte@gmail.com>

    Hello

    On a Linux box, you can try to use the "lsof" command.
    Use something like: lsof | grep LISTEN

    You will see users, PIDs, and other information.
    With this information, you can try to verify other things. (If you
    don't have a rootkit installed.)

    Regards

    Fernando

    On 7/23/05, asterisk@marnock.net <asterisk@marnock.net> wrote:
    >
    > Hi List,
    >
    > I'm seeing some strange things on my box. Here is a snippet from my squid
    > log. BTW I don't have an ICQ account.
    >
    >
    > 1122088113.571 308 212.227.83.197 TCP_MISS/200 184 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
    > 1122088114.402 140 220.160.34.238 TCP_HIT/200 482 GET http://media.adrevolver.com/adrevolver/banner? - NONE/- text/html
    > 1122088116.711 310 212.227.65.104 TCP_MISS/200 186 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
    > 1122088119.769 339 212.227.83.197 TCP_MISS/200 183 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
    > 1122088119.950 367 72.21.34.42 TCP_MISS/200 185 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
    > 1122088120.466 543 200.50.23.115 TCP_MISS/401 417 GET http://www.bubblebutts.com/members/ - DIRECT/216.15.219.25 text/html
    > 1122088121.618 404 212.227.65.104 TCP_MISS/200 186 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
    > 1122088122.814 885 70.118.81.253 TCP_MISS/200 6085 GET http://members.yahoo.com/interests? - DIRECT/66.218.75.151 text/html
    > 1122088123.961 620 212.227.83.197 TCP_MISS/200 251 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
    > 1122088125.635 356 72.21.34.42 TCP_MISS/200 185 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
    > 1122088126.101 309 212.227.65.104 TCP_MISS/200 186 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
    > 1122088126.587 309 212.227.83.197 TCP_MISS/200 182 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
    > 1122088129.107 376 212.227.83.197 TCP_MISS/200 184 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
    > 1122088129.404 446 85.138.104.205 TCP_MISS/999 4647 GET http://216.109.127.60/config/login? - DIRECT/216.109.127.60 text/html
    > 1122088130.415 10 220.160.34.238 TCP_MEM_HIT/200 381 GET http://ad.yieldmanager.com/imp? - NONE/- image/gif
    > 1122088130.882 385 212.227.65.104 TCP_MISS/200 186 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
    > 1122088132.464 348 212.227.83.197 TCP_MISS/200 185 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
    > 1122088132.587 307 212.227.83.197 TCP_MISS/200 184 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
    > 1122088135.746 391 212.227.83.197 TCP_MISS/200 184 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
    > 1122088135.762 380 72.21.34.42 TCP_MISS/200 182 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
    >
    >
    > I've disconnected all machines except my main Linux box which is used for a
    > number of things (asterisk telephony system / squid proxy / cvs) etc.
    > I've also noticed port 32768 is open and others are connecting to it from
    > the web or an app is connecting to them. How can I see which app is
    > connecting to port 32768 ???
    >
    > Here's the first line from a netstat -an
    >
    > [root@zeus iptraf]# netstat -an | more
    > Active Internet connections (servers and established)
    > Proto Recv-Q Send-Q Local Address           Foreign Address         State
    > tcp        0      0 0.0.0.0:32768           0.0.0.0:*               LISTEN
    >
    >
    > Thanks in advance.
    >
    >
    >
    > Phil
    >
    >
    >
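Phil's root cause in the first message was a PREROUTING redirect with no source restriction, and the tell-tale in the quoted squid log is that the client column holds Internet addresses rather than LAN ones. The audit script below is an added example, not code from the thread: it parses squid's native access.log format and reports every request whose client sits outside the internal network, assuming 192.168.0.0/16 as that network (the thread never states Phil's addressing) and feeding it three lines from Phil's post rejoined onto single lines plus one constructed LAN entry.

```python
import ipaddress
import re

# Assumption: the network the transparent proxy is meant to serve. Phil never
# states his addressing, so this range is a placeholder to adjust per site.
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16")]

# Squid native access.log layout, whitespace separated:
# time elapsed client code/status bytes method URL rfc931 hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>\S+)/(?P<status>\d+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

def parse_line(line):
    """Split one access.log line into named fields, or None if malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def audit(lines):
    """Return (client, method, url) for every request not from the LAN.
    Any hit means the box is acting as a proxy for the outside world."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and not is_internal(rec["client"]):
            findings.append((rec["client"], rec["method"], rec["url"]))
    return findings

def external_clients(lines):
    """Distinct outside addresses using the proxy, sorted for reporting."""
    return sorted({client for client, _, _ in audit(lines)})

# Sample input: three lines from Phil's post plus one constructed LAN request.
SAMPLE = [
    "1122088113.571 308 212.227.83.197 TCP_MISS/200 184 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -",
    "1122088114.402 140 220.160.34.238 TCP_HIT/200 482 GET http://media.adrevolver.com/adrevolver/banner? - NONE/- text/html",
    "1122088122.814 885 70.118.81.253 TCP_MISS/200 6085 GET http://members.yahoo.com/interests? - DIRECT/66.218.75.151 text/html",
    "1122088200.000 12 192.168.1.20 TCP_MISS/200 5120 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html",
]

if __name__ == "__main__":
    for client, method, url in audit(SAMPLE):
        print(f"external client {client}: {method} {url}")
    print("distinct external clients:", external_clients(SAMPLE))
```

A CONNECT to a remote :443 from an outside client is the clearest sign, since it means the box is tunnelling arbitrary TLS sessions for strangers.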

