On Saturday 30 November 2002 04:17 am, Franki wrote:
> Two good tools for stopping hacks from succeeding are the same ones some of
> the hackers use..
>
> Whisker (a perl script) and nessus.
>
Thanks, I'll go check them out and run it against my new firewall. 

> Whisker has been scanning your machine looking for exploits, gives them a
> report on vulnerable and they probably downloaded some script kiddie tools
> and hacked you..
>
> Nessus is much more powerful.. and has a huge database of potential
> hacks... if you want to know if you're easily hackable, run nessus against
> your gateway.. you'll be quite surprised at the results.
>
> Time for you to wipe your box and reinstall.. perhaps you should try
> Hogwash for some proactive protection.. it's like portsentry on steroids..
> based on some of the Snort code.
>
Well the good news is that I was running mandrake 9.0 on my old 200MHz box, 
so even though I was using it for all of my email and browsing, I needed an 
excuse to quit using it. :) I already had a brand new partition set up on my 
faster box, so I just did an ifdown eth0 on the old box and booted up the 
new. I've spent a couple of days trying to get openbsd working, but it is so 
foreign to me, I got frustrated and installed Mandrake security. I just don't 
have a sense for how secure it is yet. 

> I've found tripwire on mandrake to be something of a pain.. I had to modify
> it to even get it to compile.
>
That ended up happening to me. I started to install it and had nothing but 
trouble and ran out of time. 
>
> rgds
>
> Frank
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Lorne
> Sent: Saturday, 30 November 2002 1:11 AM
> To: [EMAIL PROTECTED]
> Subject: [expert] Hack attack analysis
>
>
> Well guys... it has been 5 years since someone got in. They finally did it.
> I've been using the floppy disk coyote linux for years now. They aren't
> keeping up it seems and the last update I got was in January. The first
> clue was zone alarm on my boy's box popped up some denials. Regrettably, I
> walked over to my firewall, hit the reset button and didn't give it another
> thought. Now I've lost all the logs on that server and don't know what state
> it was in.
>
> About an hour later I noticed that my linux box was showing 2 ip addresses
> in my samba server list that weren't even on my subnet! NOW it has my full
> attention!!! I did not have tripwire installed. Just ran out of time, but I
> DID have snort loaded and not fully or properly configured I don't think.
> However, I DID get some interesting log entries that I thought I'd pass on
> to see what you guys thought, and perhaps shed some light on how they are
> whacking my firewall. I'm in the process of setting up an openbsd firewall.
> That should give them something to chew on for awhile.
>
> I'm sure I've been hacked but good, because they screwed up my ntp, set my
> nic to promiscuous mode, and it looks like they gained root access.
>
> Here are some snippets of what my messages log shows:
>
> Nov 24 10:50:24 mandrake snort[1213]: [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [Classification: Misc activity] [Priority: 3]: {ICMP} 150.176.17.242 -> 192.168.100.7
>
> Nov 24 11:07:52 mandrake snort[1213]: [1:466:1] ICMP L3retriever Ping [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 192.168.100.8 -> 192.168.100.7
> Nov 24 11:23:31 mandrake snort[1213]: [1:1171:6] WEB-MISC whisker HEAD with large datagram [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.100.8:4232 -> 66.150.3.68:80
>
> port scans it appears, or buffer overflows on numerous ports?
>
>  {TCP} 192.168.100.8:4246 -> 66.150.3.68:80
> Nov 24 11:23:34 mandrake snort[1213]: [1:1171:6] WEB-MISC whisker HEAD with large datagram [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.100.8:4249 -> 66.150.3.68:80
> Nov 24 11:23:34 mandrake snort[1213]: [1:1171:6] WEB-MISC whisker HEAD with large datagram [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.100.8:4252 -> 66.150.3.68:80
> Nov 24 11:23:34 mandrake snort[1213]: [1:1171:6] WEB-MISC whisker HEAD with large datagram [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.100.8:4255 -> 66.150.3.68:80
> Nov 24 14:07:36 mandrake snort[1213]: [1:1287:5] WEB-IIS scripts access [Classification:  sid] [Priority: 2]: {TCP} 192.168.100.8:4756 -> 204.155.175.40:80
> Nov 24 07:49:40 mandrake snort[1213]: [1:895:5] WEB-CGI redirect access [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.100.6:1087 -> 64.236.17.133:80
> Nov 24 07:55:20 mandrake snort[1213]: [1:895:5] WEB-CGI redirect access [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.100.6:1126 -> 64.236.17.133:80
> Nov 24 08:04:07 mandrake snort[1213]: [1:1564:4] WEB-MISC login.htm access [Classification:  sid] [Priority: 2]: {TCP} 192.168.100.6:1242 -> 207.25.71.118:80
> Nov 24 08:06:30 mandrake ntpd[1251]: time correction of 25199 seconds exceeds sanity limit (1000); set clock manually to the correct UTC time.
> Nov 24 08:06:30 mandrake kernel: eth0: Setting promiscuous mode.
> Nov 24 08:14:02 mandrake snort[1213]: [1:882:4] WEB-CGI calendar access [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.100.6:1356 -> 64.124.82.22:80
> Nov 24 09:24:42 mandrake snort[1213]: [1:1171:6] WEB-MISC whisker HEAD with large datagram [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.100.5:1353 -> 216.239.51.101:80
> Nov 24 12:25:37 mandrake snort[1213]: [1:853:5] WEB-CGI wrap access [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.100.6:3018 -> 64.124.82.13:80
> Nov 24 14:45:45 mandrake snort[1213]: [1:1408:5] DOS MSDTC attempt [Classification: Attempted Denial of Service] [Priority: 2]: {TCP} 66.150.3.68:80 -> 192.168.100.8:3372
> Nov 24 15:03:09 mandrake snort[1213]: [1:654:5] SMTP RCPT TO overflow [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 192.168.100.5:1509 -> 68.6.19.4:25
> Nov 24 15:04:54 mandrake snort[1213]: [1:654:5] SMTP RCPT TO overflow [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 192.168.100.5:1510 -> 68.6.19.4:25
>
> ****** somehow right in here, my samba server goes absolutely nuts. It has
> been forced to be master browser and he gets into a pissing match with my
> xp box, forcing election after election. My guess is to find out who is
> running shares on my little network. ?
>
> Nov 24 23:57:49 mandrake su(pam_unix)[7357]: session opened for user root by (uid=503)
> Nov 24 23:57:49 mandrake su(pam_unix)[7357]: session closed for user root
> Nov 24 23:57:50 mandrake su(pam_unix)[7362]: session opened for user root by (uid=503)
> Nov 24 23:58:03 mandrake snort[1213]: [1:882:4] WEB-CGI calendar access [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.100.6:3190 -> 63.241.29.144:80
>
> There you go, I'm screwed. SU access. So at this point, I'm thinking
> rebuild eh? I ran a chkrootkit, nothing showed, but who knows what has been
> done. I'm thinking I need to learn tripwire eh? :(
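A defender-side triage of the kind of messages log pasted in the quoted post, added here as an example and not code from either poster: it parses Snort 1.x syslog alerts, tags each one as inbound or outbound relative to the LAN visible in the log, and picks out the three host events the post treats as evidence of compromise (the ntpd sanity-limit error, eth0 going promiscuous, and su to root). The sample lines are taken from the post with the mail wrapping undone; the 192.168.100.0/24 LAN prefix is an assumption read from the addresses in those lines.

```python
import re
import ipaddress
LOCAL_NET = ipaddress.ip_network("192.168.100.0/24")  # assumed LAN prefix, read from the log's addresses

# One Snort 1.x syslog alert line, as the post shows them once the mail wrapping is undone
SNORT_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ \S+ snort\[\d+\]: \[\d+:(?P<sid>\d+):\d+\] (?P<msg>.+?) "
    r"\[Classification: *(?P<cls>[^\]]*)\] \[Priority: *(?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?$")
# Host events the post reads as signs of compromise; each pattern captures the detail worth keeping
HOST_INDICATORS = {
    "nic_promiscuous": re.compile(r"kernel: (\S+): Setting promiscuous mode"),
    "ntp_sanity_limit": re.compile(r"ntpd\[\d+\]: time correction of (\d+) seconds exceeds"),
    "su_to_root": re.compile(r"su\(pam_unix\)\[\d+\]: session opened for user root by \(uid=(\d+)\)"),
}

def parse_snort(line):
    """Parse one Snort alert and tag which way it crossed the LAN boundary."""
    m = SNORT_RE.match(line)
    if not m:
        return None
    a = m.groupdict()
    a["prio"] = int(a["prio"])
    src_in = ipaddress.ip_address(a["src"]) in LOCAL_NET
    dst_in = ipaddress.ip_address(a["dst"]) in LOCAL_NET
    a["direction"] = ("internal" if src_in and dst_in else "outbound" if src_in
                      else "inbound" if dst_in else "transit")
    return a

def triage(lines):
    """Return (alerts, host_indicators, direction_counts) for a messages log."""
    alerts, indicators, counts = [], [], {}
    for line in lines:
        a = parse_snort(line)
        if a:
            alerts.append(a)
            counts[a["direction"]] = counts.get(a["direction"], 0) + 1
        else:  # not a Snort alert: check the host-level indicators instead
            indicators += [(n, rx.search(line).group(1)) for n, rx in HOST_INDICATORS.items() if rx.search(line)]
    return alerts, indicators, counts

# Sample lines taken from the post (mail wrapping undone); the su line is the one that alarmed the poster
SAMPLE = """\
Nov 24 10:50:24 mandrake snort[1213]: [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [Classification: Misc activity] [Priority: 3]: {ICMP} 150.176.17.242 -> 192.168.100.7
Nov 24 11:23:31 mandrake snort[1213]: [1:1171:6] WEB-MISC whisker HEAD with large datagram [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.100.8:4232 -> 66.150.3.68:80
Nov 24 08:06:30 mandrake ntpd[1251]: time correction of 25199 seconds exceeds sanity limit (1000); set clock manually to the correct UTC time.
Nov 24 08:06:30 mandrake kernel: eth0: Setting promiscuous mode.
Nov 24 15:03:09 mandrake snort[1213]: [1:654:5] SMTP RCPT TO overflow [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 192.168.100.5:1509 -> 68.6.19.4:25
Nov 24 23:57:50 mandrake su(pam_unix)[7362]: session opened for user root by (uid=503)
""".splitlines()
```

Run `triage(SAMPLE)`: most of the web alerts in the post are outbound from LAN hosts to port 80, which points at the internal machines (browsing false positives or already-compromised boxes) rather than at the firewall, while the host indicators are the lines that actually merit the rebuild.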

