Tell me I don't have a hacker

Discuss Networking
worker201
guru
Posts: 668
Joined: Sun Jun 13, 2004 6:38 pm
Location: Hawaii

Post by worker201 »

I was looking at my firewall events for this weekend, and there was a lot of activity. Here's a text file of all the stuff from Sunday May 9. I know that 123 is the ntp daemon, and it now has access. But what's all that other crap? I notice that it is originating at my IP, and it seems to be similar ports over and over again. Bit torrent was running over the weekend, but it shouldn't be using those ports. Anybody know what this is?

http://www.triple-bypass.net/download/f ... events.txt

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main »

These are the destination addresses:

64.228.177.108 - Montreal-ppp-89825.qc.sympatico.ca.
66.222.144.94 - d66-222-144-94.abhsia.telus.net.
70.28.98.171 - CPE00207817dd53-CM0011aec7fa26.cpe.net.cable.rogers.com.
82.18.196.89 - client-82-18-196-89.brnt.adsl.tesco.net.
83.226.141.124 - c-7c8de253.022-2012-7570701.cust.bredbandsbolaget.se.

Do you recognize any of them?

What ports do you have exposed that these clients could access? Have you looked through the logs for the services behind those ports for the above addresses? For instance, if you are running a web server do those addresses show up in your web server logs? Do the times correlate? Does the activity look legit?

I don't recognize the log format, what program is writing this log? Most of those look like source ports. I don't see both source and destination ports listed. Here's what my Shorewall log entries look like:

http://voidmain.is-a-geek.net/files/misc/shorewall.log

There is a little more info there.

Post by worker201 »

I am using a firewall gui for gtk called firestarter, which I picked up from synaptic. There might be more info I could get out of it, I haven't spent a whole lot of time with it.

None of these looks even remotely familiar. As you might know from my other post about my firewall, the only service allowed in or out of the computer over the weekend was the standard range of bit-torrent ports - everything else was locked down tight. I wonder if these 'hits' have anything to do with bit-torrent? Perhaps some leecher was trying to get in with bit-torrent and get out on some other port? I'm still a little shaky on how bit-torrent can seed data out to multiple clients at different network locations.

Post by Void Main »

worker201 wrote: As you might know from my other post about my firewall, the only service allowed in or out of the computer over the weekend was the standard range of bit-torrent ports - everything else was locked down tight.

Ahh, I must not be very observant. This is most probably your bittorrent traffic. Is there a way to log your bittorrent connections? I don't use it so I wouldn't be much help. Looking over the firestarter site I would read one of your sample entries as:

Time:May 8 00:14:37 Direction: Outbound In: Out:eth0 Port:65535 Source:128.194.106.137 Destination:64.228.177.108 Length:44 TOS:0x08 Protocol:TCP Service:Unknown

This is outbound traffic that was going out your eth0 interface configured with address 128.194.106.137 destined for 128.194.106.137 port 65535.

I assume this packet was blocked by firestarter based on what it says on this page:

http://www.fs-security.com/docs/events-page.php

Now, why it was blocked I can't say without seeing your rules. I believe firestarter is just a front-end for iptables, right? If so I could look at your /etc/sysconfig/iptables file to see your rules.

Post by worker201 »

Here's a page from the Firestarter site that shows you how the rules are setup. Over the weekend, I had only bit-torrent as an allowed service. Now, smtp, submission, ntp, ftp, telnet, and a few others are allowed.

I can produce any iptables output you like tomorrow.

Post by worker201 »

What is Microsoft-ds on port 445? That one showed up today, and it bothers me a little bit.

Post by Void Main »

Could I see the log entry? If you see people on the net repeatedly attempting to connect to that port on your server and it is being denied it is nothing to worry about. This is probably a Windows machine out on the internet infected with the Korgo virus (or other LSAS related virus). We have been fighting for months on our corporate network to rid our network completely of this thing. It eats up massive bandwidth. The infected machines on our network do not ever get to the Internet but they eat up all the bandwidth on some of our smaller pipes from remote branches.

Post by worker201 »

I'll post the log entry for you tomorrow. With all this activity, I want to make sure that all my open ports are properly protected. Currently, I have the following services having complete access both in and out:
smtp (25)
ftp (20-21)
telnet (23)
yahoo IM (5050)
AIM (5190)
ntp (123)
http (80)
pop3 (110)
bittorrent (6881-6999)
submission (587) - balsa uses this to send email

Should any of these have one-way access? And if I have pretty good passwords, and don't use root unless installing something, will I be okay with these ports open?

Basher52
guru
Posts: 928
Joined: Wed Oct 22, 2003 5:57 am
Location: .SE

Post by Basher52 »

You have telnet open?
I would prefer shutting that down and opening 22 for SSH instead.

Post by worker201 »

I only use telnet on the rare occasions that I need to get on our local domain server (ocean.tamu.edu), for checking email with pine, transferring files, or changing remote terminal settings (modifying .bashrc, so I can login from my Mac, etc).

One of these days, I'm going to have to figure out how to use ssh, cron, getty, kerberos, iptables, and a whole host of other things that seem kinda important.

Post by Void Main »

I don't see why you even have a firewall at all. It looks like you probably have opened up all ports for all services you have running. :)

Post by worker201 »

My main reason for having a firewall is to verify that no one can get in on any of the other ports - I want assurances for myself that no other ports are open.

Here's the description of that 445 I asked about earlier:

Time: May 11 15:55:07 Source: 128.194.163.214 Destination: 128.194.106.137 In IF: eth0 Out IF: Port: 445 Length: 48 ToS: 0x00 Protocol: TCP Service: Microsoft-ds

It seems that this port is reserved for this service, so I just wanted to know what the service was.

Post by Void Main »

Yes, that is a machine out on the net that is probably scanning for Windows machines that haven't been patched looking to root (Admin) a Windows system via the LSAS vulnerability. There are several viruses that scan for open port 445 which is exactly what your log entry says it is (microsoft-ds). You have nothing to worry about on this one because 1) you aren't running Windows and 2) even if you were running Windows you are blocking this port. You will probably see this one hit often, there are a lot of Windows machines out there with viruses on them hogging up most of the precious Internet bandwidth.

EDIT: Actually this looks like a machine on your own network. It resolves to:

128.194.163.214 - DHCP-AREL214.TAMU.EDU

From my server an nmap shows:

# nmap 128.194.163.214


Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2005-05-11 20:14 CDT
Warning:  OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Interesting ports on DHCP-AREL214.TAMU.EDU (128.194.163.214):
(The 1655 ports scanned but not shown below are in state: filtered)
PORT    STATE  SERVICE
25/tcp  closed smtp
113/tcp closed auth
Too many fingerprints match this host to give specific OS details

Nmap run completed -- 1 IP address (1 host up) scanned in 121.873 seconds

That doesn't look like a Windows machine but it is a DHCP address so it may not be the same machine that was up on that address when that log entry was generated.
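As an added example (not code from the thread, Firestarter or any poster), here is a small Python parser for the two Firestarter event-line layouts quoted above by Void Main and worker201: it reads each line the way Void Main did, infers direction from the interface fields when no Direction field is present, groups remote peers per port, and lists the blocked inbound 445/tcp hits that the thread attributes to worm scanning. The sample log is constructed from the thread's two quoted lines plus two made-up entries reusing addresses already mentioned.

```python
import re

# Field names in Firestarter event lines; both spacing styles quoted in the thread
# ("Time:May 8 ..." and "Time: May 11 ...") are handled by the same regex.
_FIELDS = ["Time", "Direction", "In IF", "Out IF", "In", "Out", "Port", "Source",
           "Destination", "Length", "TOS", "ToS", "Protocol", "Service"]
_FIELD_RE = re.compile(r"\b(" + "|".join(re.escape(f) for f in _FIELDS) + r"):")
_ALIAS = {"In IF": "in", "Out IF": "out", "ToS": "tos", "Source": "src", "Destination": "dst"}


def parse_event(line):
    """Turn one event line into a dict with normalised keys (src, dst, port, ...)."""
    parts = _FIELD_RE.split(line.strip())          # ['', key, value, key, value, ...]
    ev = {}
    for key, value in zip(parts[1::2], parts[2::2]):
        ev[_ALIAS.get(key, key.lower())] = value.strip()
    ev["port"] = int(ev["port"])
    if "direction" in ev:
        ev["direction"] = ev["direction"].lower()
    else:
        # Second layout has no Direction field: a packet with an input interface
        # and no output interface is inbound, otherwise treat it as outbound.
        ev["direction"] = "inbound" if ev.get("in") and not ev.get("out") else "outbound"
    return ev


def summarize(lines):
    """Group remote peers per (direction, port) and pull out inbound hits on 445."""
    peers = {}
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        remote = ev["dst"] if ev["direction"] == "outbound" else ev["src"]
        peers.setdefault((ev["direction"], ev["port"]), set()).add(remote)
    # Blocked inbound connections to 445/tcp are the microsoft-ds probes the thread
    # attributes to worm-infected Windows hosts; report who sent them.
    probes = sorted(peers.get(("inbound", 445), set()))
    return {"peers": peers, "microsoft_ds_probes": probes}


# Constructed sample log: the two lines quoted in the thread plus two made-up entries.
SAMPLE_LOG = """\
Time:May 8 00:14:37 Direction: Outbound In: Out:eth0 Port:65535 Source:128.194.106.137 Destination:64.228.177.108 Length:44 TOS:0x08 Protocol:TCP Service:Unknown
Time:May 8 00:15:02 Direction: Outbound In: Out:eth0 Port:65534 Source:128.194.106.137 Destination:66.222.144.94 Length:44 TOS:0x08 Protocol:TCP Service:Unknown
Time: May 11 15:55:07 Source: 128.194.163.214 Destination: 128.194.106.137 In IF: eth0 Out IF: Port: 445 Length: 48 ToS: 0x00 Protocol: TCP Service: Microsoft-ds
Time: May 11 16:02:19 Source: 70.28.98.171 Destination: 128.194.106.137 In IF: eth0 Out IF: Port: 445 Length: 48 ToS: 0x00 Protocol: TCP Service: Microsoft-ds
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines())["microsoft_ds_probes"])
```

Point it at the events file exported from Firestarter to get the same per-port peer list Void Main built by hand for the destination addresses.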

Post by worker201 »

According to this resource that Tux directed me to:
http://www.iana.org/assignments/port-numbers
port 445 is supposed to be Microsoft-DS. While lots of Windows machines like to spread viruses like crazy, this seems like something that Windows is supposed to do. That's what confused me.

We don't have any DHCP servers in my building. But if the dorms are offering some kind of internet access, it must be via DHCP. I wonder if I should report this? If it is malicious activity coming from a campus computer, that's kinda dangerous. As we all know around this forum, Windows default behavior is to have all ports open, unless closed by hand. It serves them right, but I don't wish computer harm on anyone. I'm sure that campus network services could figure out who was assigned that IP address at that time.

Unless this isn't a serious threat.

Post by Void Main »

You already knew that 445 was supposed to be microsoft-ds (it's in your log entry, which is translated from /etc/services). I am very familiar with this port and have written programs to sniff out Korgo infected machines on our network based on traffic on this port:

http://voidmain.is-a-geek.net/files/isasniffer/

See this thread:

http://voidmain.is-a-geek.net/forums/vi ... php?t=1207

You are going to see this kind of stuff all the time. There is a sea of infected Windows machines out there causing this kind of "noise". Trying to report them is like using a teaspoon to drain the sea. You can report it if you want but you will find there aren't enough hours in a day if you want to report everything like this that you see and if you are lucky enough to actually get someone on the other end who is responsible for this they will just look at you cross eyed and say "huh?". It's become a sad Internet world since Microsoft entered it.

You can see on these graphs that 445 is the most attacked port:

http://isc.sans.org/large_map.php
http://www.techzoom.net/radar-ports.asp

And it's because of all these Windows viruses scanning for other unpatched Windows machines to infect and continue the scan.
