Security Basics mailing list archives
Re: Hack?
From: chort <chort () amaunetsgothique com>
Date: Tue, 1 Jul 2003 14:29:25 -0700 (PDT)
On Sat, 28 Jun 2003, Linux Security <lisec () ooty tenet res in> wrote:
> Hello all,
>
> My Red Hat 7.2 is getting hacked very frequently even though I've got a firewall. Appended below is the nmap output. What may be the loophole?
>
> % nmap -sA 202.xxx.xxx.xxx
> Initiating ACK Scan against isp.com ()
> The ACK Scan took 275 seconds to scan 1542 ports.
> Interesting ports on isp.com ():
> (The 1538 ports scanned but not shown below are in state: filtered)
> Port       State       Service
> 25/tcp     UNfiltered  smtp
> 53/tcp     UNfiltered  domain
> 80/tcp     UNfiltered  http
> 443/tcp    UNfiltered  https
>
> Thanks in advance,
> A.Johnson

IIRC Red Hat uses Sendmail as the MTA by default. I see you have port 25 open, which probably means you're running sendmail behind it. There have been numerous Sendmail exploits over the years; do some Googling.

In fact, all the ports you list have very exploitable services. Port 53 is domain name service--you're probably running an old version of BIND, which has had some security flaws. Port 80/443 would be an httpd, probably Apache. Although Apache is currently the most popular web server in the world, its older versions are not without exploits.

Basically what I'm saying is: You probably haven't patched your software in a long, long time. Disconnect your server from the network, then obtain patches or upgrades for Sendmail, BIND, Apache, and any critical security updates for your OS. Then burn them to CD and install them on your server from the CD.

If you haven't already rebuilt the box and restored the data to the last known good save point, you should do that before proceeding. You can't trust your current system's data if it's been compromised.

Remember, just because you have a firewall doesn't make you invulnerable.

--
-chort AKA Brian Keefer
The thoughts I express are generally piped from /dev/random, needless to say they do not represent my fine employer:
CipherTrust, Inc - www.ciphertrust.com
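
Added example, not part of the original thread: a parser for the nmap ACK-scan report quoted above that lists the ports the firewall passes and pairs each with the daemon the reply names and a version query to run while patching. The RPM package names in `AUDIT` and the helper names `parse_scan` and `patch_checklist` are assumptions made for illustration.

```python
import re

# Scan report from the original post, re-broken into lines (sample input).
SCAN = """\
(The 1538 ports scanned but not shown below are in state: filtered)
Port       State       Service
25/tcp     UNfiltered  smtp
53/tcp     UNfiltered  domain
80/tcp     UNfiltered  http
443/tcp    UNfiltered  https
"""

# Daemon guesses are the reply's; RPM package names are assumptions for a
# stock Red Hat 7.2 install, to be confirmed with `rpm -qa`.
AUDIT = {
    "smtp": ("Sendmail", "sendmail"),
    "domain": ("BIND", "bind"),
    "http": ("Apache", "apache"),
    "https": ("Apache", "apache mod_ssl"),
}
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)$")
HIDDEN = re.compile(r"The (\d+) ports scanned but not shown below are in state: (\w+)")

def parse_scan(text):
    """Return (ports, hidden): ports are (port, proto, state, service) tuples,
    hidden is (count, state) for the ports nmap did not list, or None."""
    ports, hidden = [], None
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        h = HIDDEN.search(line)
        if m:
            ports.append((int(m[1]), m[2], m[3].lower(), m[4]))
        elif h:
            hidden = (int(h[1]), h[2].lower())
    return ports, hidden

def patch_checklist(ports):
    """One entry per port the firewall passes: daemon to patch and the query to run."""
    items = []
    for port, _proto, state, service in ports:
        if state == "unfiltered":
            daemon, pkg = AUDIT.get(service, ("unknown daemon", None))
            check = f"rpm -q {pkg}" if pkg else "identify the listener with netstat -tlnp"
            items.append((port, daemon, check))
    return items

if __name__ == "__main__":
    for port, daemon, check in patch_checklist(parse_scan(SCAN)[0]):
        print(f"{port}/tcp -> {daemon}: {check}")
```

An ACK scan reports only whether the firewall filters a port, so confirm on the host which daemon is actually listening before relying on the mapping.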