Re: How was my Firewall HACKED???

From: Michael Burnem (nospam@spam.no)
Date: 06/23/02 

From: "Michael Burnem" <nospam@spam.no>
Date: Sun, 23 Jun 2002 09:31:30 GMT

"chackerd01" <chackerd01@attbi.com> wrote in message
news:eOaR8.284698$352.26630@sccrnsc02...
> Finally got a broadband connection, so I setup an old computer with Red
Hat
> 6.0 (kernel 2.2.5-15) to do firewall and IP masquerading for my local
> network. Everything appeared to be working fine. Port scans from grc.com
> showed all ports as "stealthed". I have ipchains setup to DENY access on
the
> following ports: ftp, telnet, www, imap, smtp, finger, pop-3, auth, 135,
> https, 445, 512, and 5000. I also have all of the daemons in inetd.con
> disabled.
>
> After a couple weeks of 24/7 connection to the internet I noticed several
> status messages on the console (see below). After evaluating them and the
> system, I realized that someone had gained root access through the
internet,
> and made several changes to my system, including loading 2 perl scripts
> (a.pl & tcpscan.pl). I would appreciate the help from anyone who
recognizes
> these methods/symptoms, and suggest how to close the barndoor. Thanks.
>
> Consol messages:
> usermod[6103]: change user 'operator' UID from 11 to 0
> usermod[6104]: change user 'games' UID from 12to 0
> usermod[6105]: change user 'mail' UID from 8 to 0
>
> PAM_pwdb[6687]: password for (daemon/2) changed by ((null)/0)
>
> lockd: connect from unprivileged port: 127.0.0.1: 2082<4>

You are probably running a tonn of services you don't need, and have
probably installed a tonn of programs you don't need!.
Allot of fat to grap on too there!

Relevant Pages

  • Re: How was my Firewall HACKED???
    ... > Finally got a broadband connection, so I setup an old computer with Red ... Port scans from grc.com ... You are probably running a tonn of services you don't need, ...
    (comp.os.linux.security)
  • Re: How was my Firewall HACKED???
    ... > Finally got a broadband connection, so I setup an old computer with Red ... > After a couple weeks of 24/7 connection to the internet I noticed several ... since you don't mention blocking port 53. ...
    (comp.os.linux.security)
  • Re: How was my Firewall HACKED???
    ... > Finally got a broadband connection, so I setup an old computer with Red ... > After a couple weeks of 24/7 connection to the internet I noticed several ... since you don't mention blocking port 53. ...
    (comp.os.linux.security)
  • Re: A question about a basic security setup...
    ... > I have been thinking about a setup for my basic ADSL network at home that ... > before I go through motions of setting up the network. ... > I am running a web server on port 80. ... > machine for all port 80 requests. ...
    (Security-Basics)
  • Re: cannot connect to /remote externally
    ... Les Connor [SBS MVP] ... account to a static IP account, or use another port for the server. ... > does not work for the Default Website setup in IIS. ...
    (microsoft.public.windows.server.sbs)