Topic: Got hacked
Mighty General
posted 02-05- 02:40 PM

A bit of a strange sequence of events. My roommate got an email from some guy saying, "You should add port scanning to your resume." We thought, "Huh?" So we switched the monitor over to the Linux firewall, and there on the screen were several error messages listing failed login attempts. I'm not a Linux guru, so it took me a few hours of thrashing around to figure out that there was a user named "core" logged in and that he was spawning and killing dozens of processes every second. Eventually, I figured out how to kill the account, and it appears that it hasn't come back.

Then, today, I got an email from my cable modem ISP stating that my computer had been caught port scanning other computers. We're still not sure how the first guy connected my roommate to this IP address. But it seems clear that someone took over my machine to hopscotch his way into finding other vulnerable computers.

We're trying to decide what to do about this. The alternatives we're considering are:
- Upgrade the 486/33 to the latest version of Linux
- I have a piece of Linux-based firewall software that requires a Pentium. My other roomie has a spare P133 that we might put to that use
- Get one of those standalone firewall boxes

What a pain. The security hole is still open (I don't know how the guy got in in the first place) so we have to decide what we're going to do quickly.
charmstar Pilot
posted 02-05- 03:48 PM

I don't know anything about Linux either, but my recommendation is to minimize the number of ports you expose to the web. Run a port scan against your own machine using a couple of different scanners, and see what you've got available. Apply the latest patches, as hackers are always finding new ways in. If I remember right, there is some file (inetd.src maybe?) on UNIX systems which will limit the IP addresses that can access your machine. Use that if you want to lock out particular addresses. Make sure you don't support some file transport protocol on the machine (unless you need it). Often hackers will "upload" their files to your machine by making your machine download them. Good luck! It should be fun :-)

charm
Lothar Pilot
posted 02-05- 07:36 PM

I'm not a network guru either, but I have this Linksys router which does block remote requests. It also allows you to set up port forwarding for specific purposes, such as a web server. It is also a four-port hub, and makes an excellent cable/DSL sharing device (it even supports PPPoE if you have that). It costs about $110.
Tailslide Pilot
posted 02-05- 09:32 PM

It's probable he got in through some known vulnerability in your version of Linux. There is a program available that will check your Linux system for most known security holes; I can't remember the name of it, but it was on the sunsite ftp site when I last used it.

TS
Da Jug head Pilot
posted 02-06- 12:24 AM

Go to sourceforge.net and do a search on the word firewall; you won't believe how many firewalls there are for Linux. Also, there is an open-source firewall project called T.REX. Go to http://www.opensourcefirewall.com/

Talk to your cable modem people and ask them if they can give you the info on the name of the program and the port it was using.

Hope this helps

------------------
"Where'd he GO!?!?" thunk-thunk-thunk-zing-OUCH That answered my question
ArgonV Pilot
posted 02-06- 12:34 AM

DAMN HACKERS! If I had my way with them, they'd never touch another keyboard as long as they live... (Or in the afterlife)
Tailslide Pilot
posted 02-06- 02:49 AM

Also, he likely ran some sort of "back door" program on your machine. These scripts set up dozens of inconspicuous ways to enter your system in case you plug the original hole.

TS
Mighty General
posted 02-06- 03:01 PM

For a while during all this, there was a file called a.log that had a bunch of IP addresses. I think they might have been a list of the sources of the failed login attempts. The file's gone now. I don't know if the hacker killed it, or if Linux did itself. It was under a directory called .tmp, so it may have been considered a temp file. They all appeared to be using port 100024. I don't have that port mapped to anything. I guess I don't understand how connecting to a random port can gain one access to a machine.

All of the IP addresses were 24.xxx.xxx.xxx. Those are all @Home addresses, I believe. I'm guessing that I was being probed from several other machines that this guy had already gotten control of. We've been watching the processes on that machine for the last couple of days. It doesn't appear that the guy has been back.
Whirlwind Pilot
posted 02-08- 03:40 PM

You might want to check out a book called 'Hacking Exposed'. You'll find that the quickest way to get root on a computer is to buffer overflow one of the processes somehow. Perhaps Winblows has an exploit on 100024 that the hacker was scanning for. You should really see if you can find a way to boot a connection from a given IP address after X number of failed attempts. Also check out www.SecurityFocus.com, as I have found them to have a lot of information about vulnerabilities.
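Whirlwind's idea of cutting off an address after X failed attempts can be driven straight from the firewall's auth log, the same kind of failed-login messages Mighty General saw on the console. The script below is an added example, not code posted by anyone in this thread; it assumes syslog-style sshd/login failure lines (the sample lines are constructed) and emits tcp_wrappers hosts.deny entries, which is an assumption about what access-control mechanism the box uses.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample auth log, not taken from the thread. Two message shapes
# are assumed: sshd "Failed password ... from <ip>" and login "FAILED LOGIN n FROM <ip>".
SAMPLE_LOG = """\
Feb  5 14:01:12 fw sshd[412]: Failed password for root from 24.0.0.10 port 51234 ssh2
Feb  5 14:01:14 fw sshd[413]: Failed password for root from 24.0.0.10 port 51240 ssh2
Feb  5 14:01:19 fw sshd[414]: Failed password for invalid user core from 24.0.0.10 port 51251 ssh2
Feb  5 14:02:03 fw sshd[420]: Failed password for admin from 24.77.1.9 port 4022 ssh2
Feb  5 14:02:40 fw sshd[421]: Accepted password for roomie from 192.168.1.5 port 1033 ssh2
Feb  5 14:03:01 fw login[430]: FAILED LOGIN 1 FROM 24.99.3.3 FOR root, Authentication failure
"""

# Only failure lines are matched; the capture group is the source IPv4 address.
FAILED_RE = re.compile(
    r"(?:Failed password for .* from|FAILED LOGIN \d+ FROM) (\d+\.\d+\.\d+\.\d+)"
)


def count_failures(log_text):
    """Return a Counter of failed-login attempts keyed by source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def offenders(log_text, threshold=3):
    """Source IPs with at least `threshold` failures.

    Private and loopback sources are skipped so a typo from the LAN never
    locks the household out of its own firewall.
    """
    return sorted(ip for ip, n in count_failures(log_text).items()
                  if n >= threshold and ip_address(ip).is_global)


def hosts_deny_lines(ips):
    """Render tcp_wrappers /etc/hosts.deny entries ("ALL: <ip>") for the given IPs."""
    return [f"ALL: {ip}" for ip in ips]


if __name__ == "__main__":
    for entry in hosts_deny_lines(offenders(SAMPLE_LOG)):
        print(entry)
```

Feed it the real log (e.g. /var/log/messages or /var/log/auth.log, whichever the distribution uses) instead of SAMPLE_LOG, and review the output before appending it to hosts.deny; a blocklist built this way only covers services started through tcp_wrappers, so it complements rather than replaces closing unneeded ports.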
Mighty General
posted 02-09- 12:05 PM

Thanks for the pointer. I'll check that out. We got my roomie's P133 running with the new firewall software. It went in pretty easily. It is Linux-based, but it's not RedHat-based. Hopefully the new system is obscure enough that it won't fall to mainstream hacks. Apparently, RH 6.0 is "hacker-friendly" in that several holes are well-known and there are kits available to automate breaking into it.