Re: How was my Firewall HACKED???
From: Jorey Bump (devnull@joreybump.com) Date: 06/23/02
From: Jorey Bump <devnull@joreybump.com> Date: Sun, 23 Jun 2002 04:30:37 GMT
chackerd01 wrote:
> Finally got a broadband connection, so I setup an old computer with Red
> Hat 6.0 (kernel 2.2.5-15) to do firewall and IP masquerading for my local
> network. Everything appeared to be working fine. Port scans from grc.com
> showed all ports as "stealthed". I have ipchains setup to DENY access on the
> following ports: ftp, telnet, www, imap, smtp, finger, pop-3, auth, 135,
> https, 445, 512, and 5000. I also have all of the daemons in inetd.conf
> disabled.
>
> After a couple weeks of 24/7 connection to the internet I noticed several
> status messages on the console (see below). After evaluating them and the
> system, I realized that someone had gained root access through the
> internet, and made several changes to my system, including loading 2 perl
> scripts (a.pl & tcpscan.pl). I would appreciate the help from anyone who
> recognizes these methods/symptoms, and suggest how to close the barndoor.
> Thanks.
>
> Console messages:
> usermod[6103]: change user 'operator' UID from 11 to 0
> usermod[6104]: change user 'games' UID from 12to 0
> usermod[6105]: change user 'mail' UID from 8 to 0
>
> PAM_pwdb[6687]: password for (daemon/2) changed by ((null)/0)
>
> lockd: connect from unprivileged port: 127.0.0.1: 2082<4>
Red Hat 6.0 comes with some well-known exploits preinstalled. :)
If you didn't do any security updates, there are any number of ways to
crack your antediluvian system (that's the second time I've used that word
today - a new record). My guess is that it was a rootkit installed via a
buffer overflow attack on bind, since you don't mention blocking port 53.
Since it's just a firewall, download a distribution designed specifically
for this purpose. There are plenty that boot from a single floppy and run
only what is necessary to do the job. The problem is that you needed a
hammer, but instead you used a 1932 Bucyrus Erie 50-B Steam Shovel that had
been converted into a pile driver.
In the meantime, disconnect your machine from the Internet and reformat the
drive, or do some forensic analysis on it. In any case, it's not suitable
for further use without a complete reinstall.
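Added example, not code from either poster: a small POSIX shell check that flags non-root UID 0 accounts in passwd-format data and cross-checks them against usermod console lines like the ones quoted above. The passwd content and log lines are constructed to mirror the post; on a real box you would feed it /etc/passwd and the console log from an image of the drive.

```shell
#!/bin/sh
# Added example (not from the thread). Check 1 lists every account with
# UID 0 other than root; check 2 extracts the names that usermod lines say
# were moved to UID 0 and confirms them against the passwd data.

# Constructed passwd content: operator, games and mail already rewritten
# to UID 0, as the usermod messages in the post describe.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
mail:x:0:12:mail:/var/spool/mail:
games:x:0:100:games:/usr/games:
operator:x:0:0:operator:/root:
nobody:x:99:99:Nobody:/:'

# Constructed console lines in the same form as the post, including the
# "12to 0" line with its missing space.
SAMPLE_LOG="usermod[6103]: change user 'operator' UID from 11 to 0
usermod[6104]: change user 'games' UID from 12to 0
usermod[6105]: change user 'mail' UID from 8 to 0
PAM_pwdb[6687]: password for (daemon/2) changed by ((null)/0)"

# Check 1: names of non-root UID 0 accounts on stdin (field 3 is the UID).
find_extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Check 2: account names that usermod lines on stdin moved to UID 0.
# Splitting on the single quote puts the name in field 2; matching
# "to 0$" rather than " to 0$" tolerates the garbled "12to 0" line.
uid0_from_log() {
    awk -F"'" '/usermod\[[0-9]+\]: change user / && /to 0$/ { print $2 }'
}

# Names reported by the log ($1) that the passwd data ($2) confirms as UID 0.
confirmed_uid0() {
    for name in $(printf '%s\n' "$1" | uid0_from_log); do
        printf '%s\n' "$2" | find_extra_uid0 | grep -qx "$name" && echo "$name"
    done
}

# Count non-empty lines in a string (0 when the string is empty).
count_lines() { printf '%s' "$1" | grep -c .; }

echo "Non-root UID 0 accounts: $(printf '%s\n' "$SAMPLE_PASSWD" | find_extra_uid0 | tr '\n' ' ')"
echo "Confirmed from log:      $(confirmed_uid0 "$SAMPLE_LOG" "$SAMPLE_PASSWD" | tr '\n' ' ')"
```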