Re: Been hacked

From: Jim Patterson (
Date: 11/14/03

Date: Fri, 14 Nov 2003 16:27:46 GMT

Newsbox wrote:
> On Fri, 14 Nov 2003 02:26:47 -0500, Jim Patterson wrote:
>>Newsbox wrote:
>>>On Thu, 13 Nov 2003 23:38:19 -0500, Jim Patterson wrote:
>>>>It appears one of my firewalls was hacked. I don't know how yet. But
>>>>that is what I came to ask. Is or how would I go about monitoring what
>>>>this guy is doing? I'd really like to figure out how far this guy has
>>>>gotten beyond my firewall. Or whether he got through the firewall at
>>>>all and just got to it from the inside? Any suggestions would be
>>>You haven't given any information as a basis for any but the most
>>>general help.
>>>How do you know that you have been hacked?
>>>What os are you running; what services are exposed to the public; what
>>>services are open on a LAN; have you applied all security updates?
>>>What are the exact versions of all the services that you are running?
>>>For all anyone could tell from your message, you are running Windows 98
>>>SE unpatched, and you got the blaster worm. How would anyone know
>>>Best wishes.
>>>ps. If you think your system has been hacked, you should disconnect it
>>>from the public network, NOW!! Thanks.
>>The system is running linux with an iptables firewall. There is a
>>monitoring program which is missing and there is another monitoring
>>program which is not working correctly. The firewall is intact. Going
> What monitoring program were you using that is now missing? What
> monitoring program were you using that is not working correctly? I don't
> necessarily know the answer to your needs, but you have so far not made
> your situation clear enough for any "answer", as far as I can tell.
>>over the what's in place and what's missing I believe that this was
>>hacked from someone inside the firewall. I have monitored the system for
>>a couple of hours with ethereal and do not see extraneous attempts to
>>communicate externally.
>> From what I have seen thus far, I surmise that this was someones way of
>>saying, see I can hack into your linux box. The firewall was set to
>>mainly log external communications and currently
>> is not monitoring internal communications.
>>My current plan is to reinstall the system and place everything the same
>>as it was before. I also need to put in place a means of monitoring
>>this system as stealthily as possible, I also need to consider that this
>>person may be working in the computer group and does know something
>>about covering/minimizing their tracks and may be able to access this
>>computer from multiple systems.
> If there is someone knowledgeable with inside access to your system, s/he
> may (obviously) know more about your system than you have said here so
> far.
>>I do not know of a tool which will tell me immediately if someone is
>>manipulating files on a system?
> If your system is hacked, you cannot trust any executables on that system
> to give you trustworthy results. You should only be trusting utilities
> and executables that are running from (for example) CD-ROM or other
> read-only media.
> You haven't yet said anything to indicate that you have indeed been
> hacked, except that you have two monitoring programs (that you did not
> identify) that are not working. There could be other reasons they are not
> working, but you haven't been specific about this.
> I repeat:
> If you think your system has been hacked, you should disconnect it from
> the public network, NOW!! Thanks.
Is there a program out there that will monitor a system and indicate
immediately if someone is modifying files? Low cost?

Relevant Pages

  • Re: Real Storage Occupancy
    ... has the monitoring program been checked ... For IBM-MAIN subscribe / signoff / archive access instructions, ... send email to listserv@xxxxxxxxxxx with the message: GET IBM-MAIN INFO ...
  • Re: Been hacked
    ... > The system is running linux with an iptables firewall. ... > monitoring program which is missing and there is another monitoring ... Or leaving themselves a nice little hacked-up box for later use on more ...
  • Re: Traffic Monitor
    ... You can bind such monitoring tool to any NIC on the firewall, ... > My network looks like this: My Link comes in on a Cisco 805 from the router ... > and then one port for the rest of the network which connects to a 100base ...
  • Re: Protecting your router.
    ... > and not monitoring your firewalls/routers leaves them exposed. ... and an internal IDS for monitoring hosts should be sustainable. ... That's why I think monitoring in front of your firewall is a needless task. ... looking into the traffic between the perimeter router and the next-layer ...
  • Re: blocking Kazaa and other P2P
    ... > They can reboot machine, insert floppy, load old registry etc... ... they physically have someone on the firewall monitoring it at all ... I feel for you, dude. ...