Two good tools for stopping hacks from succeeding are the same ones some of
the hackers use..

Whisker (a perl script) and Nessus.

Whisker has been scanning your machine looking for exploits, gives them a
report on vulnerable and they probably downloaded some script kiddie tools
and hacked you..

Nessus is much more powerful.. and has a huge database of potential hacks...
if you want to know if you're easily hackable, run Nessus against your
gateway.. you'll be quite surprised at the results.

Time for you to wipe your box and reinstall.. perhaps you should try Hogwash
for some proactive protection.. it's like portsentry on steroids.. based on
some of the Snort code.

I've found tripwire on mandrake to be something of a pain.. I had to modify
it to even get it to compile.


rgds

Frank

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Lorne
Sent: Saturday, 30 November 2002 1:11 AM
To: [EMAIL PROTECTED]
Subject: [expert] Hack attack analysis


Well guys... it has been 5 years since someone got in. They finally did it.
I've been using the floppy disk coyote linux for years now. They aren't
keeping up it seems and the last update I got was in January. The first clue
was zone alarm on my boy's box popped up some denials. Regrettably, I walked
over to my firewall, hit the reset button and didn't give it another
thought. Now I've lost all the logs on that server and don't know what state
it was in.

About an hour later I notice that my linux box was showing 2 ip addresses in
my samba server list that weren't even on my subnet! NOW it has my full
attention!!! I did not have tripwire installed. Just ran out of time, but I
DID have snort loaded and not fully or properly configured I don't think.
However, I DID get some interesting log entries that I thought I'd pass on to
see what you guys thought, and perhaps shed some light on how they are
whacking my firewall. I'm in the process of setting up an openbsd firewall.
That should give them something to chew on for a while.

I'm sure I've been hacked but good, because they screwed up my ntp, set my
nic to promiscuous mode, and looks like they gained root access.

Here are some snippets of what my messages log shows:

Nov 24 10:50:24 mandrake snort[1213]: [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [Classification: Misc activity] [Priority: 3]: {ICMP} 150.176.17.242 -> 192.168.100.7

Nov 24 11:07:52 mandrake snort[1213]: [1:466:1] ICMP L3retriever Ping [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 192.168.100.8 -> 192.168.100.7
Nov 24 11:23:31 mandrake snort[1213]: [1:1171:6] WEB-MISC whisker HEAD with large datagram [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.100.8:4232 -> 66.150.3.68:80

port scans it appears, or buffer overflows on numerous ports?

 {TCP} 192.168.100.8:4246 -> 66.150.3.68:80
Nov 24 11:23:34 mandrake snort[1213]: [1:1171:6] WEB-MISC whisker HEAD with large datagram [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.100.8:4249 -> 66.150.3.68:80
Nov 24 11:23:34 mandrake snort[1213]: [1:1171:6] WEB-MISC whisker HEAD with large datagram [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.100.8:4252 -> 66.150.3.68:80
Nov 24 11:23:34 mandrake snort[1213]: [1:1171:6] WEB-MISC whisker HEAD with large datagram [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.100.8:4255 -> 66.150.3.68:80
Nov 24 14:07:36 mandrake snort[1213]: [1:1287:5] WEB-IIS scripts access [Classification:  sid] [Priority: 2]: {TCP} 192.168.100.8:4756 -> 204.155.175.40:80
Nov 24 07:49:40 mandrake snort[1213]: [1:895:5] WEB-CGI redirect access [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.100.6:1087 -> 64.236.17.133:80
Nov 24 07:55:20 mandrake snort[1213]: [1:895:5] WEB-CGI redirect access [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.100.6:1126 -> 64.236.17.133:80
Nov 24 08:04:07 mandrake snort[1213]: [1:1564:4] WEB-MISC login.htm access [Classification:  sid] [Priority: 2]: {TCP} 192.168.100.6:1242 -> 207.25.71.118:80
Nov 24 08:06:30 mandrake ntpd[1251]: time correction of 25199 seconds exceeds sanity limit (1000); set clock manually to the correct UTC time.
Nov 24 08:06:30 mandrake kernel: eth0: Setting promiscuous mode.
Nov 24 08:14:02 mandrake snort[1213]: [1:882:4] WEB-CGI calendar access [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.100.6:1356 -> 64.124.82.22:80
Nov 24 09:24:42 mandrake snort[1213]: [1:1171:6] WEB-MISC whisker HEAD with large datagram [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.100.5:1353 -> 216.239.51.101:80
Nov 24 12:25:37 mandrake snort[1213]: [1:853:5] WEB-CGI wrap access [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.100.6:3018 -> 64.124.82.13:80
Nov 24 14:45:45 mandrake snort[1213]: [1:1408:5] DOS MSDTC attempt [Classification: Attempted Denial of Service] [Priority: 2]: {TCP} 66.150.3.68:80 -> 192.168.100.8:3372
Nov 24 15:03:09 mandrake snort[1213]: [1:654:5] SMTP RCPT TO overflow [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 192.168.100.5:1509 -> 68.6.19.4:25
Nov 24 15:04:54 mandrake snort[1213]: [1:654:5] SMTP RCPT TO overflow [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 192.168.100.5:1510 -> 68.6.19.4:25

****** somehow right in here, my samba server goes absolutely nuts. It has
been forced to be master browser and he gets into a pissing match with my xp
box, forcing election after election. My guess is to find out who is running
shares on my little network. ?

Nov 24 23:57:49 mandrake su(pam_unix)[7357]: session opened for user root by (uid=503)
Nov 24 23:57:49 mandrake su(pam_unix)[7357]: session closed for user root
Nov 24 23:57:50 mandrake su(pam_unix)[7362]: session opened for user root by (uid=503)
Nov 24 23:58:03 mandrake snort[1213]: [1:882:4] WEB-CGI calendar access [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.100.6:3190 -> 63.241.29.144:80

There you go, I'm screwed. SU access. So at this point, I'm thinking rebuild
eh? I ran a chkrootkit, nothing showed, but who knows what has been done. I'm
thinking I need to learn tripwire eh? :(
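A small triage parser for /var/log/messages lines of the shape quoted in the post above, added here as an example and not part of the thread. It extracts the Snort alert fields, labels each alert by direction from RFC1918 membership of its endpoints (which shows that the whisker alerts in the post have inside hosts as their source), and picks out the ntpd sanity-limit, promiscuous-mode and su-to-root lines. The sample log is constructed from lines in the post; the regular expressions are assumptions about this Snort 1.x syslog layout.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample built from lines quoted in the post above (one per event type).
SAMPLE_LOG = """\
Nov 24 11:23:31 mandrake snort[1213]: [1:1171:6] WEB-MISC whisker HEAD with large datagram [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.100.8:4232 -> 66.150.3.68:80
Nov 24 14:45:45 mandrake snort[1213]: [1:1408:5] DOS MSDTC attempt [Classification: Attempted Denial of Service] [Priority: 2]: {TCP} 66.150.3.68:80 -> 192.168.100.8:3372
Nov 24 08:06:30 mandrake ntpd[1251]: time correction of 25199 seconds exceeds sanity limit (1000); set clock manually to the correct UTC time.
Nov 24 08:06:30 mandrake kernel: eth0: Setting promiscuous mode.
Nov 24 23:57:50 mandrake su(pam_unix)[7362]: session opened for user root by (uid=503)
"""

# Assumed layout of Snort 1.x syslog alerts: [gid:sid:rev] msg [Classification: ..] [Priority: n]: {proto} src[:port] -> dst[:port]
SNORT_RE = re.compile(
    r"snort\[\d+\]: \[\d+:(?P<sid>\d+):\d+\] (?P<msg>.*?) "
    r"\[Classification: [^\]]*\] \[Priority: (?P<prio>\d+)\]: "
    r"\{\w+\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?")
NTP_RE = re.compile(r"ntpd\[\d+\]: time correction of (-?\d+) seconds exceeds sanity limit")
PROMISC_RE = re.compile(r"kernel: (\w+): Setting promiscuous mode")
SU_RE = re.compile(r"su\(pam_unix\)\[\d+\]: session opened for user (\w+) by \(uid=(\d+)\)")

def direction(src, dst):
    # Which side originated the flow, judged by RFC1918 membership of each end.
    s, d = ip_address(src).is_private, ip_address(dst).is_private
    return "outbound" if s and not d else "inbound" if d and not s else "internal"

def classify(line):
    """Map one syslog line to (category, detail), or None if it is not of interest."""
    m = SNORT_RE.search(line)
    if m:  # IDS alert; the direction tells you whether an inside host generated it
        return "snort", {"sid": int(m["sid"]), "msg": m["msg"], "prio": int(m["prio"]),
                         "src": m["src"], "dst": m["dst"],
                         "direction": direction(m["src"], m["dst"])}
    m = NTP_RE.search(line)
    if m:  # ntpd refused a step this large: the clock was moved out from under it
        return "clock_skew", int(m.group(1))
    m = PROMISC_RE.search(line)
    if m:  # an interface was switched into sniffing mode
        return "promisc", m.group(1)
    m = SU_RE.search(line)
    if m and m.group(1) == "root":  # an unprivileged uid became root via su
        return "su_root", int(m.group(2))

def analyze(log_text):
    # Group the events of interest by category, preserving log order.
    events = defaultdict(list)
    for line in log_text.splitlines():
        if hit := classify(line):
            events[hit[0]].append(hit[1])
    return dict(events)
```

Running analyze() over a full messages file and sorting the "snort" list by direction separates alerts an inside host produced from ones aimed at it, which is the first question to settle before deciding which box to rebuild.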


