Some more specific comments appear inline. I hope you consider them "patient" ... you are unlikely to get *more* patient help than this here.
At 06:16 PM 12/22/2003 -0800, Ken wrote:
Hello All,
Please be patient with me, I am new to the Linux world and I am not a security expert.
I built a uClibc firewall version 2.0 Linux firewall kernel 2.4.20 from the image Bering-uClibc_2.0_img_bering-uclibc-1680.exe and I have been compromised. I have included a lot of information here because I need to know how the hackers compromised this machine and I want to give you as much information as you need to help me figure it out. For the most part this is a default configuration with no special services needed or running; I set up dropbear (default config) but have not removed the package yet. The Shorewall is set to accept all outbound traffic and paranoid ALL inbound; I have not changed anything in this configuration file. Please see Configuration and rules below for more detail and please let me know if you need any additional information.
Thank you in advance to all that will help me. I am learning, and I am sure this is NOT an issue with the shorewall product but with my configuration. Please also remember who you are addressing (dope newbie/wannabie) so please if you could. :)
Ken [EMAIL PROTECTED]
Issue:
====================================================================
My shorewall has been compromised. I need to find out how they are compromising this machine repeatedly and what I need to do to stop it! The hackers have already used the shorewall box to spam others on the internet and god knows what else.
Unfortunately, He is not subscribed to this list, so we lack access to what He knows and have to make do with what you actually tell us.
First thing, please provide a copy of a sample SPAM message, one that includes ***all*** the Received: headers. Have you made sure that this is not just someone forging you as a From: address? Or that it is not from a LAN host that got a virus in any of the many ways an inept user can manage even behind a good firewall?
Second thing, please provide ANY other specifics you can that indicate that a compromise has taken place.
I have a CISCO PIX 515 behind the shorewall firewall with eth0 set to 192.168.1.99. As far as I can tell it has not been compromised and I have not noticed any strange events internally on my home network (yet).
Does traffic to the LAN go from the LEAF router *through* the Cisco? If so, is it proxy-arp'ing the rest of 192.168.1.0/24 to the LEAF router? Or is it NAT'ing some other private network? The LEAF router doesn't know 192.168.1.99 as a route to anything.
(I am told the PIX cannot be configured for dhcp so I am using shorewall for this; unfortunately in my area I have a choice between Comcast and dialup). The version of uClibc I am using may need some patches but I am not sure about this as I downloaded this image and set it up less than a month ago, please let me know if there are any critical updates that I need to apply. I have read the installation/user guides and have read hundreds of man pages and I can only hope I did everything right.
This clip is from my shorewall.log:0: Note the date on the first entry and the source IP. The problem is that the SRC is my IP and I do not have an IP 192.43.244.18 on my network. I have added 123.1.1.1 to my blacklist. Since this IP has been added to my blacklist it still shows up in my log and looks something like the log from DEC 20 below with Shorewall:blacklst:DROP:IN=eth0 OUT=eth1 SRC=123.1.1.1 DST=192.168.1.99. This is bad because this IP is eth0 to my CISCO PIX 515.
Maybe it is bad, maybe not ... but what it definitely is is incomplete (never, never tell troubleshooters that a problem looks "something like" what you want to report ... if you are asking for help, you don't know enough to know what needs to be included and what can safely be left out).
If you've blacklisted 123.1.1.1, then why do you think it "bad" that packets from that address show up in the blacklst log? It is what I would expect to see. (But a lower packet involving this source address is more complete, so I say more there.)
Jan 1 00:00:00 firewall Shorewall:all2all:REJECT: IN= OUT=eth0 MAC= SRC=12.213.227.185 DST=192.43.244.18 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=4083 DPT=37 SEQ=3441321937 ACK=0 WINDOW=5840 SYN URGP=0
Of course you "do not have an IP 192.43.244.18 on [your] network". This is a packet originating on the router and going to a public IP address on the external interface (the *router's* eth0), connecting to the "time" service port. All quite reasonable, since this IP address is a public timeserver:
[EMAIL PROTECTED]:~$ ping 192.43.244.18
PING 192.43.244.18 (192.43.244.18): 56 data bytes
64 bytes from 192.43.244.18: icmp_seq=0 ttl=52 time=45.7 ms
64 bytes from 192.43.244.18: icmp_seq=1 ttl=52 time=44.2 ms
64 bytes from 192.43.244.18: icmp_seq=2 ttl=52 time=43.6 ms
64 bytes from 192.43.244.18: icmp_seq=3 ttl=52 time=43.7 ms

--- 192.43.244.18 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 43.6/44.3/45.7 ms
[EMAIL PROTECTED]:~$ host 192.43.244.18
Name: time.nist.gov
Address: 192.43.244.18
This is just the router trying to adjust its clock (I forget how Bering does this, but there are several standard ways to choose from). You should not blacklist it; you *want* the router to keep good time.
Dec 21 10:19:38 firewall Shorewall:logdrop:DROP: IN=eth0 OUT= MAC=00:a0:c9:68:18:28:00:01:5c:22:5d:42:08:00 SRC=123.1.1.1 DST=12.213.227.185 LEN=783 TOS=00 PREC=0x00 TTL=112 ID=28872 PROTO=UDP SPT=14833 DPT=1026 LEN=763
This may well be an attack; it is traffic addressed to the Windows Messenger port, and I can neither ping nor reverse-lookup the alleged source address. But since Shorewall is DROPping the packet, it is hardly a successful compromise. Anyway, a Messenger worm would have a hard time infecting a Linux router ... if Shorewall did not DROP or REJECT it, the router would REJECT it with "port unreachable", since it almost certainly is not listening on port 1026.
Dec 21 15:13:10 firewall Shorewall:net2all:DROP: IN=eth0 OUT= MAC=00:a0:c9:68:18:28:00:01:5c:22:5d:42:08:00 SRC=205.240.153.242 DST=12.213.227.185 LEN=60 TOS=00 PREC=0x00 TTL=49 ID=13109 DF PROTO=TCP SPT=1787 DPT=21 SEQ=3260295433 ACK=0 WINDOW=5840 SYN URGP=0
An ftp connection attempt, again blocked just fine by Shorewall. Could be an attack, but if so, a harmless, wimpy one.
Also SRC IP 66.218.70.35 has seemingly exploited the uClibc firewall.
Not based on what you report below.
The IP 192.168.1.99 is eth0 for my CISCO PIX 515. You can see shorewall start and then 66.218.70.35 (v4.vc.scd.yahoo.com [66.218.70.35]) is out eth1, looks bad to me. The hacker is using several boxes from yahoo IP's: v3.vc.scd.yahoo.com [66.218.70.45], v1.vc.scd.yahoo.com [66.218.70.32], v13.vc.scd.yahoo.com [66.218.70.34]

Dec 20 14:59:16 firewall dhcpcd.exe: interface eth0 has been configured with new IP=12.213.227.185
Dec 20 14:59:23 firewall root: Shorewall Started
Dec 20 15:41:06 firewall kernel: Shorewall:blacklst:DROP:IN=eth0 OUT=eth1 SRC=66.218.70.35 DST=192.168.1.99 LEN=44 TOS=0x00 PREC=0x00 TTL=51 ID=2091 DF PROTO=TCP SPT=5001 DPT=10468 WINDOW=65535 RES=0x00 ACK SYN URGP=0
Again, this logs a packet successfully stopped by Shorewall. (That's what DROP *means*.)
The source port here (5001) seems to be associated with a tool called "iperf" -- an Open Source Linux app, also (apparently) available for Mac OS/X -- that is used to monitor network performance. I wonder if the Cisco is initiating some connection to that server (the dest port is high, enough so that it suggests the internal system is initiating the connection). I'd recommend you check the configuration of the Cisco.
Or, if the Cisco is NAT'ing (see questions above), this could really be any client on the LAN. Since you've told us nothing about the LAN ... I don't even know if this setup is a home LAN or a business, from what you wrote ... all I can suggest is that you check the LAN hosts for unauthorized software.
Configuration:
====================================================================
The Shorewall box has two Intel Pro 100 NICs. Eth0 to internet with dhcp, routefilter, blacklist, rfc1918 and dropunclean set to yes. I had set blacklist logging to 6 (informational) and then changed it to 4 (urgent) just to see if this would show different events in the log. Eth0 pulls dhcp IP 12.213.227.185 from Comcast. Eth1 is configured with default address 192.168.1.254. Incoming ICMP on port 8 set to DROP packets. Ident Port 113 set to DROP packets.
I've deleted the rest of the detailed report. It's not bad as reports go ... everything we usually ask for but an actual description of the network, really ... but in the absence of any actual evidence of a compromise, it is pretty much useless.
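As an added illustration (this example is mine, not part of the original thread and not LEAF's or Shorewall's own tooling), the following Python applies the reading rules used in the reply above to the four log entries quoted in the thread: an empty IN= means a process on the router itself sent the packet, an empty OUT= means it was addressed to the router, both set means it was forwarded between interfaces; DROP or REJECT means Shorewall stopped it; and for TCP, a packet carrying both the bare ACK and SYN tokens is a SYN-ACK, i.e. a reply, so the connection was opened by the DST side rather than the SRC. That last rule is what makes the blacklst entry interesting: the Yahoo host is answering 192.168.1.99, which is consistent with something inside having initiated the connection. The sample lines are the ones quoted in the post; function and variable names are my own.

```python
"""Triage Shorewall/netfilter log lines: where was the packet going, what
happened to it, and which side opened the connection?"""
import re
from collections import Counter

# Sample input: the four Shorewall log entries quoted in the thread above.
SAMPLE_LOG = """\
Jan 1 00:00:00 firewall Shorewall:all2all:REJECT: IN= OUT=eth0 MAC= SRC=12.213.227.185 DST=192.43.244.18 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=4083 DPT=37 SEQ=3441321937 ACK=0 WINDOW=5840 SYN URGP=0
Dec 21 10:19:38 firewall Shorewall:logdrop:DROP: IN=eth0 OUT= MAC=00:a0:c9:68:18:28:00:01:5c:22:5d:42:08:00 SRC=123.1.1.1 DST=12.213.227.185 LEN=783 TOS=00 PREC=0x00 TTL=112 ID=28872 PROTO=UDP SPT=14833 DPT=1026 LEN=763
Dec 21 15:13:10 firewall Shorewall:net2all:DROP: IN=eth0 OUT= MAC=00:a0:c9:68:18:28:00:01:5c:22:5d:42:08:00 SRC=205.240.153.242 DST=12.213.227.185 LEN=60 TOS=00 PREC=0x00 TTL=49 ID=13109 DF PROTO=TCP SPT=1787 DPT=21 SEQ=3260295433 ACK=0 WINDOW=5840 SYN URGP=0
Dec 20 15:41:06 firewall kernel: Shorewall:blacklst:DROP:IN=eth0 OUT=eth1 SRC=66.218.70.35 DST=192.168.1.99 LEN=44 TOS=0x00 PREC=0x00 TTL=51 ID=2091 DF PROTO=TCP SPT=5001 DPT=10468 WINDOW=65535 RES=0x00 ACK SYN URGP=0
"""

# "Shorewall:<chain>:<action>:" followed by the netfilter key=value dump.
# The space after the last colon is optional (the blacklst line lacks it).
HEADER_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<action>[A-Z]+):\s*(?P<rest>.*)$")


def parse_line(line):
    """Return (chain, action, fields, flags) or None if not a Shorewall entry.
    Tokens containing '=' are key/value fields; bare tokens (DF, SYN, ACK, ...)
    are flags.  A repeated key overwrites the earlier one, so for UDP the
    second LEN= (the UDP length) wins over the IP total length."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            flags.add(tok)
    return m.group("chain"), m.group("action"), fields, flags


def classify(chain, action, fields, flags):
    """Turn one parsed entry into the facts a responder wants at a glance."""
    inp, out = fields.get("IN", ""), fields.get("OUT", "")
    if inp and out:
        direction = "forwarded"           # transit between two interfaces
    elif out:
        direction = "router-originated"   # no IN: a process on the firewall sent it
    else:
        direction = "to-router"           # no OUT: addressed to the firewall itself
    initiator = "unknown"
    if fields.get("PROTO") == "TCP":
        if {"SYN", "ACK"} <= flags:
            initiator = "DST"   # SYN-ACK is a reply: DST opened the connection
        elif "SYN" in flags:
            initiator = "SRC"   # bare SYN: SRC is opening a new connection
    return {
        "chain": chain,
        "action": action,
        "direction": direction,
        "blocked": action in ("DROP", "REJECT"),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dpt": fields.get("DPT"),
        "initiator": initiator,
    }


def triage(log_text):
    """Parse and classify every Shorewall entry in a block of syslog text."""
    records = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            records.append(classify(*parsed))
    return records


def summarize(records):
    """Count entries by (direction, action): the quick view of what got through."""
    return Counter((r["direction"], r["action"]) for r in records)


if __name__ == "__main__":
    recs = triage(SAMPLE_LOG)
    for r in recs:
        print(f'{r["chain"]:9} {r["action"]:6} {r["direction"]:17} '
              f'{r["src"]} -> {r["dst"]} {r["proto"]}/{r["dpt"]} '
              f'initiated by {r["initiator"]}')
    print(summarize(recs))
```

Run against the four quoted lines, every entry comes out blocked, the time.nist.gov entry is the only router-originated one, and the blacklst entry is the only forwarded one, with the connection attributed to 192.168.1.99. That is the point the reply makes: the log shows traffic Shorewall stopped, plus one LAN-side connection that warrants checking the Cisco or the LAN hosts, not evidence that the router was broken into.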
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html