Re: Security Help
From: dono (dono_at_queyosepa.net)
Date: Wed, 15 Sep 2004 01:06:12 GMT
On Tue, 14 Sep 2004 16:41:29 GMT, "Al" <email@example.com> wrote:
>I have a small network set up at home. NetworkEverywhere NAT
>Firewall/Router (http://www.networkeverywhere.com/products/nr041.asp) with 2
>Windows and 1 Debian computer. I recently added the people in the apartment
>downstairs to my network. They have their own router (Linksys) and 2
>computers. Before I hooked the downstairs people in, I could not port scan
>my network from outside (maybe I had a shitty port scanner, I don't know).
>Today at work (while I had some free time) I decided to port scan my
>computer. I used Network Activ Scanner to do the scan. When it was
>finished there were several ports open on my network.
>A few of these were:
>When I did the scan all downstairs computers were turned off. I know I
>don't have Citrix, LDAP or anything else running on my machines. I only
>have SSH and a web server (Tomcat) on my Debian box. There are no IRC
>clients on my computer.
>I am a programmer, not a security expert; to me the scan seems to show that
>a back door was installed on my computer. I read about viruses that install
>an IRC client to issue commands to, I think Citrix is used for remote logins,
>rlogin was also detected and I never installed this, I use SSH. I'm not sure
>if I was taken over by a skiddie or if the computers that I plugged into my
>network were already compromised.
>Here are my questions: Do you think my computer is taken over? Is there a
>tool similar to what skiddies use that I can run against my network that
>will show the vulnerability instead of exploiting it and creating a back
>door? Once my network is clean again what are some security tools I can use
>to better monitor my network? Does this security course that I am thinking
>of doing look good to you experts
>(http://www.polarbear.com/outline_storage/PS613.pdf)? It's only a two-day
>course so I'm not sure if it's a good one. My security knowledge goes as far
>as a couple of security how-tos for Windows and Linux.
>Thanks in advance for all your input,
You said that the people downstairs have their own router. What about
your router? If you have a router, how did it pass the ports to the
machines? What internal block are you using? Is it different from
theirs? Just check the configuration. I don't think your network has
been owned. I don't use Debian; if it has an inetd.conf file, comment
out any services that you don't need.
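
The inetd.conf advice in the reply above, as an added example that is not part of the original posts: a shell script that lists the services still enabled in an inetd.conf-style file and prints the ones missing from an allowlist of services you actually need. The function names, the allowlist and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an inetd.conf-style file for services that are
# still enabled but are not on a list of services you need.

# enabled_services FILE: print "name protocol" for every active entry.
# Fields: service socket-type protocol wait/nowait user server [args]
enabled_services() {
    awk '
        /^[ \t]*#/ { next }   # commented out (covers Debian "#<off>#" too)
        NF < 6     { next }   # blank or incomplete line
        { print $1, $3 }
    ' "$1"
}

# unneeded_services FILE "svc1 svc2 ...": print enabled service names
# that do not appear in the space-separated allowlist.
unneeded_services() {
    enabled_services "$1" | while read -r name proto; do
        case " $2 " in
            *" $name "*) ;;          # allowlisted, keep quiet
            *) echo "$name" ;;       # candidate to comment out
        esac
    done
}

# Constructed sample file (not taken from the poster's machine).
# "login" is the inetd service name under which rlogind is started.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample inetd.conf
login   stream  tcp  nowait  root    /usr/sbin/tcpd  /usr/sbin/in.rlogind
#<off># telnet  stream  tcp  nowait  telnetd /usr/sbin/tcpd /usr/sbin/in.telnetd
ident   stream  tcp  wait    identd  /usr/sbin/identd identd
#ftp    stream  tcp  nowait  root    /usr/sbin/tcpd  /usr/sbin/in.ftpd
EOF
}

# Demo run on the sample; on a real host pass /etc/inetd.conf instead.
sample=$(mktemp)
write_sample "$sample"
unneeded_services "$sample" "ident"
rm -f "$sample"
```

After commenting out an entry, inetd has to reread its configuration (for example by sending it SIGHUP) before the port actually closes.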