[leaf-user] Firewall compromised-V2.0 uClibc-0. image Bering-uClibc_2.0_img_bering-uclibc-1680.exe

2003-12-22 Thread Ken
Hello All,

Please be patient with me, I am new to the Linux world and I am not a
security expert.

I built a uClibc firewall version 2.0 Linux firewall kernel 2.4.20 from the
image Bering-uClibc_2.0_img_bering-uclibc-1680.exe and I have been
compromised.  I have included a lot of information here because I need to
know how the hackers compromised this machine and I want to give you as much
information as you need to help me figure it out.  For the most part this is
a default configuration with no special services needed or running, I setup
dropbear (default config) but have not removed the package yet.  The
Shorewall is set to accept all outbound traffic and paranoid ALL inbound, I
have not changed anything in this configuration file.  Please see
Configuration and rules below for more detail and please let me know if you
need any additional information.  

Thank you in advance to all that will help me. I am learning, and I am sure
this is NOT an issue with the shorewall product but with my configuration.
Please also remember who you are addressing (dope newbie/wannabe) so please
if you could. :)

Ken
[EMAIL PROTECTED]

Issue:
========
My shorewall has been compromised.  I need to find out how they are
compromising this machine repeatedly and what I need to do to stop it!  The
hackers have already used the shorewall box to spam others on the internet
and god knows what else. 
I have a CISCO PIX 515 behind the shorewall firewall with eth0 set to
192.168.1.99.  As far as I can tell it has not been compromised and I have
not noticed any strange events internally on my home network (yet). (I am
told the PIX cannot be configured for dhcp so I am using shorewall for this;
unfortunately in my area I have a choice between Comcast and dialup).  The
version of uClibc I am using may need some patches but I am not sure about
this as I downloaded this image and set it up less than a month ago, please
let me know if there are any critical updates that I need to apply.  I have
read the installation/user guides and have read hundreds of man pages and I
can only hope I did everything right.

This clip is from my shorewall.log:0: Note the date on the first entry and
the source IP.  The problem is that the SRC is my IP and I do not have an IP
192.43.244.18 on my network.  I have added 123.1.1.1 to my blacklist.  Since
this IP has been added to my blacklist it still shows up in my log and looks
something like the log from DEC 20 below with
Shorewall:blacklst:DROP:IN=eth0 OUT=eth1 SRC=123.1.1.1 DST=192.168.1.99.
This is bad because this IP is eth0 to my CISCO PIX 515. 

Jan 1 00:00:00 firewall Shorewall:all2all:REJECT: IN= OUT=eth0 MAC=
SRC=12.213.227.185 DST=192.43.244.18 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=0 DF
PROTO=TCP SPT=4083 DPT=37 SEQ=3441321937 ACK=0 WINDOW=5840 SYN URGP=0

Dec 21 10:19:38 firewall Shorewall:logdrop:DROP: IN=eth0 OUT=
MAC=00:a0:c9:68:18:28:00:01:5c:22:5d:42:08:00 SRC=123.1.1.1
DST=12.213.227.185 LEN=783 TOS=00 PREC=0x00 TTL=112 ID=28872 PROTO=UDP
SPT=14833 DPT=1026 LEN=763 
 
Dec 21 15:13:10 firewall Shorewall:net2all:DROP: IN=eth0 OUT=
MAC=00:a0:c9:68:18:28:00:01:5c:22:5d:42:08:00 SRC=205.240.153.242
DST=12.213.227.185 LEN=60 TOS=00 PREC=0x00 TTL=49 ID=13109 DF PROTO=TCP
SPT=1787 DPT=21 SEQ=3260295433 ACK=0 WINDOW=5840 SYN URGP=0

Also SRC IP 66.218.70.35 has seemingly exploited the uClibc firewall.  The
IP 192.168.1.99 is eth0 for my CISCO PIX 515.  
You can see shorewall start and then 66.218.70.35 (v4.vc.scd.yahoo.com
[66.218.70.35]) is out eth1, looks bad to me. The hacker is using several
boxes from yahoo IP's: v3.vc.scd.yahoo.com [66.218.70.45],
v1.vc.scd.yahoo.com [66.218.70.32], v13.vc.scd.yahoo.com [66.218.70.34]
Dec 20 14:59:16 firewall dhcpcd.exe: interface eth0 has been configured with
new IP=12.213.227.185
Dec 20 14:59:23 firewall root: Shorewall Started
Dec 20 15:41:06 firewall kernel: Shorewall:blacklst:DROP:IN=eth0 OUT=eth1
SRC=66.218.70.35 DST=192.168.1.99 LEN=44 TOS=0x00 PREC=0x00 TTL=51 ID=2091
DF PROTO=TCP SPT=5001 DPT=10468 WINDOW=65535 RES=0x00 ACK SYN URGP=0

Configuration:
========
The Shorewall box has two Intel Pro 100 NIC's.  Eth0 to internet with dhcp,
routefilter, blacklist, rfc1918 and dropunclean set to yes.  
I had set blacklist logging to 6 (informational) and then changed it to 4
(urgent) just to see if this would show different events in the log.
Eth0 pulls dhcp IP 12.213.227.185 from Comcast.
Eth1 is configured with default address 192.168.1.254.
Incoming ICMP on port 8 set to DROP packets.
Ident Port 113 set to DROP packets.

Modules Loaded:
========
Modules:
softdog             1476   1
ip_nat_irc          2176   0 (unused)
ip_nat_ftp          2784   0 (unused)
ip_conntrack_irc    2880   1
ip_conntrack_ftp    3648   1
eepro100

Re: [leaf-user] Firewall compromised-V2.0 uClibc-0. image Bering-uClibc_2.0_img_bering-uclibc-1680.exe

2003-12-22 Thread Tom Eastep
On Mon, 22 Dec 2003, Ken wrote:

 Please be patient with me, I am new to the Linux world and I am not a
 security expert.

Then big red flashing lights should have been going off in your head
before you posted. I'm not going to respond -- when you can provide
conclusive evidence that your Shorewall box has been compromised and why
then you let me know. Otherwise, I'm just going to pretend that I didn't
see your post...

And if you want to talk, I'm listed (but not published) in the Shoreline
directory...

-Tom

Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]



leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html


Re: [leaf-user] Firewall compromised-V2.0 uClibc-0. image Bering-uClibc_2.0_img_bering-uclibc-1680.exe

2003-12-22 Thread Lynn Avants
On Monday 22 December 2003 08:16 pm, Ken wrote:
 Hello All,

 Please be patient with me, I am new to the Linux world and I am not a
 security expert.

 I built a uClibc firewall version 2.0 Linux firewall kernel 2.4.20 from the
 image Bering-uClibc_2.0_img_bering-uclibc-1680.exe and I have been
 compromised.  I have included a lot of information here because I need to
 know how the hackers compromised this machine and I want to give you as
 much information as you need to help me figure it out. 

You did a pretty good job of showing the logs of packets that have been
dropped (that never got through the firewall). Believe it or not, it would be
next to impossible to relay spam or send it from a compromised LEAF box.

First of all, you would have to enable some form of login to the outside,
which isn't available unless you opened the firewall to accept such requests.
Second of all, the likely culprit of spewing emails is Outlook/Outlook-Express
on a Win32 machine with a virus which can very easily happen if you use
IM, chat, or P2P applications on the client-side (LEAF doesn't content-filter
traffic).
 
I would check your client machine(s) for possible infection first, then find some
sort of proof that the LEAF firewall was compromised (which likely won't
be found in any logs). Remember, your clients will show the external ip
of the firewall when sending traffic because of the masquerading done by
the firewall. Your local ip's of the client machines will/should never be sent
from the firewall, which is the entire point of masquerading/NAT.

If your LEAF firewall has actually been compromised, it would be the first
that I know of in memory. 
-- 
~Lynn Avants
Linux Embedded Appliance Firewall Developer
http://leaf.sourceforge.net
http://guitarlynn.homelinux.org:81


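A small triage helper for the Shorewall log lines quoted in this thread, added here as an example (it is not code from the thread, from Shorewall or from the LEAF project): it parses the netfilter key=value fields after the Shorewall:chain:ACTION tag, reads IN=/OUT= the way Ray explains below (an empty IN= means the router itself generated the packet, an empty OUT= means the packet was addressed to the router), and separates DROP/REJECT entries, which never traversed the box, from entries that actually passed. The sample lines are copied from Ken's post.

```python
import re

# Shorewall log lines copied from the thread above. The syslog prefix varies; only the
# "Shorewall:<chain>:<ACTION>:" tag and the netfilter key=value fields after it matter.
SAMPLE_LOG = """\
Jan 1 00:00:00 firewall Shorewall:all2all:REJECT: IN= OUT=eth0 MAC= SRC=12.213.227.185 DST=192.43.244.18 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=4083 DPT=37 SEQ=3441321937 ACK=0 WINDOW=5840 SYN URGP=0
Dec 21 10:19:38 firewall Shorewall:logdrop:DROP: IN=eth0 OUT= MAC=00:a0:c9:68:18:28:00:01:5c:22:5d:42:08:00 SRC=123.1.1.1 DST=12.213.227.185 LEN=783 TOS=00 PREC=0x00 TTL=112 ID=28872 PROTO=UDP SPT=14833 DPT=1026 LEN=763
Dec 20 15:41:06 firewall kernel: Shorewall:blacklst:DROP:IN=eth0 OUT=eth1 SRC=66.218.70.35 DST=192.168.1.99 LEN=44 TOS=0x00 PREC=0x00 TTL=51 ID=2091 DF PROTO=TCP SPT=5001 DPT=10468 WINDOW=65535 RES=0x00 ACK SYN URGP=0
"""

TAG = re.compile(r"Shorewall:(?P<chain>[\w-]+):(?P<action>[A-Z]+):\s*(?P<rest>.*)")
BLOCKING = ("DROP", "REJECT")


def parse_line(line: str) -> dict:
    """Return chain, action and the netfilter fields; bare flags (DF, SYN, ACK) map to '1'."""
    m = TAG.search(line)
    if not m:
        raise ValueError(f"not a Shorewall log line: {line!r}")
    fields = {"chain": m.group("chain"), "action": m.group("action")}
    for tok in m.group("rest").split():
        key, eq, value = tok.partition("=")
        # setdefault keeps the IP-header LEN= when a UDP line repeats LEN= for the payload
        fields.setdefault(key, value if eq else "1")
    return fields


def classify(f: dict) -> str:
    """Describe the packet's path from IN=/OUT= and whether the rule let it continue."""
    if not f.get("IN") and f.get("OUT"):
        path = f"originated on the firewall host, leaving via {f['OUT']}"
    elif f.get("IN") and not f.get("OUT"):
        path = f"addressed to the firewall host, arriving via {f['IN']}"
    else:
        path = f"forwarded {f.get('IN')} -> {f.get('OUT')}"
    outcome = "blocked, never traversed" if f["action"] in BLOCKING else f["action"].lower()
    return (f"{f.get('PROTO')} {f.get('SRC')}:{f.get('SPT')} -> {f.get('DST')}:{f.get('DPT')} "
            f"[{f['chain']}] {outcome} ({path})")


def triage(log: str) -> list:
    """One summary line per Shorewall entry in the log."""
    return [classify(parse_line(l)) for l in log.splitlines() if "Shorewall:" in l]


def passed_through(log: str) -> list:
    """Entries whose action let the packet continue; only these can show traffic that got through."""
    entries = (parse_line(l) for l in log.splitlines() if "Shorewall:" in l)
    return [f for f in entries if f["action"] not in BLOCKING]


if __name__ == "__main__":
    for summary in triage(SAMPLE_LOG):
        print(summary)
```

For the three lines in the thread, `passed_through(SAMPLE_LOG)` is empty: every entry Ken quoted was dropped or rejected at the firewall, and the first one was sent by the router itself to a time server on port 37.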


Re: [leaf-user] Firewall compromised-V2.0 uClibc-0. image Bering-uClibc_2.0_img_bering-uclibc-1680.exe

2003-12-22 Thread Ray Olszewski
Preliminary comment: Tom is right. You've provided here nothing to indicate 
that your router/firewall has been compromised, so there is no way we (or 
anyone) can tell you how they did it.

Some more specific comments appear inline. I hope you consider them 
patient ... you are unlikely to get *more* patient help than this here.

At 06:16 PM 12/22/2003 -0800, Ken wrote:
 Hello All,

 Please be patient with me, I am new to the Linux world and I am not a
 security expert.
 I built a uClibc firewall version 2.0 Linux firewall kernel 2.4.20 from the
 image Bering-uClibc_2.0_img_bering-uclibc-1680.exe and I have been
 compromised.  I have included a lot of information here because I need to
 know how the hackers compromised this machine and I want to give you as much
 information as you need to help me figure it out.  For the most part this is
 a default configuration with no special services needed or running, I setup
 dropbear (default config) but have not removed the package yet.  The
 Shorewall is set to accept all outbound traffic and paranoid ALL inbound, I
 have not changed anything in this configuration file.  Please see
 Configuration and rules below for more detail and please let me know if you
 need any additional information.
 Thank you in advance to all that will help me. I am learning, and I am sure
 this is NOT an issue with the shorewall product but with my configuration.
 Please also remember who you are addressing (dope newbie/wannabe) so please
 if you could. :)
 Ken
 [EMAIL PROTECTED]
 Issue:
 ========
 My shorewall has been compromised.  I need to find out how they are
 compromising this machine repeatedly and what I need to do to stop it!  The
 hackers have already used the shorewall box to spam others on the internet
 and god knows what else.
Unfortunately, He is not subscribed to this list, so we lack access to what 
He knows and have to make do with what you actually tell us.

First thing, please provide a copy of a sample SPAM message, one that 
includes ***all*** the Received: headers. Have you made sure that this is 
not just someone forging you as a From: address? Or that it is not from a 
LAN host that got a virus in any of the many ways an inept user can manage 
even behind a good firewall?

Second thing, please provide ANY other specifics you can that indicate that 
a compromise has taken place.

 I have a CISCO PIX 515 behind the shorewall firewall with eth0 set to
 192.168.1.99.  As far as I can tell it has not been compromised and I have
 not noticed any strange events internally on my home network (yet).
Does traffic to the LAN go from the LEAF router *through* the Cisco? If so, 
is it proxy-arp'ing the rest of 192.168.1.0/24 to the LEAF router? Or is it 
NAT'ing some other private network? The LEAF router doesn't know 
192.168.1.99 as a route to anything.

 (I am
 told the PIX cannot be configured for dhcp so I am using shorewall for this;
 unfortunately in my area I have a choice between Comcast and dialup).  The
 version of uClibc I am using may need some patches but I am not sure about
 this as I downloaded this image and set it up less than a month ago, please
 let me know if there are any critical updates that I need to apply.  I have
 read the installation/user guides and have read hundreds of man pages and I
 can only hope I did everything right.
 This clip is from my shorewall.log:0: Note the date on the first entry and
 the source IP.  The problem is that the SRC is my IP and I do not have an IP
 192.43.244.18 on my network.  I have added 123.1.1.1 to my blacklist.  Since
 this IP has been added to my blacklist it still shows up in my log and looks
 something like the log from DEC 20 below with
 Shorewall:blacklst:DROP:IN=eth0 OUT=eth1 SRC=123.1.1.1 DST=192.168.1.99.
 This is bad because this IP is eth0 to my CISCO PIX 515.
Maybe it is bad, maybe not ... but what it definitely is is incomplete 
(never, never tell troubleshooters that a problem looks something like 
what you want to report ... if you are asking for help, you don't know 
enough to know what needs to be included and what can safely be left out).

If you've blacklisted 123.1.1.1, then why do you think it bad that 
packets from that address show up in the blacklst log? It is what I would 
expect to see. (But a lower packet involving this source address is more 
complete, so I say more there.)


 Jan 1 00:00:00 firewall Shorewall:all2all:REJECT: IN= OUT=eth0 MAC=
 SRC=12.213.227.185 DST=192.43.244.18 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=0 DF
 PROTO=TCP SPT=4083 DPT=37 SEQ=3441321937 ACK=0 WINDOW=5840 SYN URGP=0
Of course you do not have an IP 192.43.244.18 on [your] network. This is 
a packet originating on the router and going to a public IP address on the 
external interface (the *router's* eth0), connecting to the time service 
port. All quite reasonable, since this IP address is a public timeserver:

[EMAIL PROTECTED]:~$ ping 192.43.244.18
PING 192.43.244.18