Security Basics mailing list archives

Re: Hack?


From: chort <chort () amaunetsgothique com>
Date: Tue, 1 Jul 2003 14:29:25 -0700 (PDT)

On Sat, 28 Jun 2003, Linux Security <lisec () ooty tenet res in> wrote:

Hello all,
              My Red Hat 7.2 is getting hacked very frequently even though I
have a firewall. Appended below is the nmap output.  What may be the loophole?

% nmap  -sA 202.xxx.xxx.xxx
Initiating ACK Scan against isp.com ()
The ACK Scan took 275 seconds to scan 1542 ports.
Interesting ports on isp.com ():
(The 1538 ports scanned but not shown below are in state: filtered)
Port       State       Service
25/tcp     UNfiltered  smtp
53/tcp     UNfiltered  domain
80/tcp     UNfiltered  http
443/tcp    UNfiltered  https


Thanks in advance,
A.Johnson


IIRC Red Hat uses Sendmail as the MTA by default.  I see you have port
25 open, which probably means you're running sendmail behind it.  There
have been numerous Sendmail exploits over the years; do some Googling.
In fact, all the ports you list have very exploitable services.  Port 53
is domain name service--you're probably running an old version of BIND,
which has had some security flaws.  Port 80/443 would be an httpd,
probably Apache.  Although Apache is currently the most popular web
server in the world, its older versions are not without exploits.

Basically what I'm saying is:  You probably haven't patched your
software in a long, long time.  Disconnect your server from the network,
then obtain patches or upgrades for Sendmail, BIND, Apache, and any
critical security updates for your OS.  Then burn them to CD and install
them on your server from the CD.  If you haven't already rebuilt the box
and restored the data to the last known good save point, you should do
that before proceeding.  You can't trust your current system's data if
it's been compromised.

Remember, just because you have a firewall doesn't make you
invulnerable.

-- 
-chort
AKA Brian Keefer
The thoughts I express are generally piped from /dev/random,
needless to say they do not represent my fine employer:
CipherTrust, Inc - www.ciphertrust.com
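
Added example (not part of the original message or the list archive): an ACK scan shows which ports the firewall lets through, so this sketch parses the report quoted above and groups the unfiltered ports by the software the reply suggests patching. The service-to-software mapping is an assumption taken from the reply's guesses, not something detected on the host.

```python
import re

# Scan report copied from the post above (nmap text output).
REPORT = """\
Interesting ports on isp.com ():
(The 1538 ports scanned but not shown below are in state: filtered)
Port       State       Service
25/tcp     UNfiltered  smtp
53/tcp     UNfiltered  domain
80/tcp     UNfiltered  http
443/tcp    UNfiltered  https
"""

# Assumption: software per service as guessed in the reply, not detected.
LIKELY_SOFTWARE = {"smtp": "Sendmail", "domain": "BIND",
                   "http": "Apache", "https": "Apache"}

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*$")
HIDDEN_LINE = re.compile(
    r"\(The (\d+) ports scanned but not shown below are in state: (\w+)\)")

def parse_ack_scan(report):
    """Return (hidden_count, hidden_state, rows) from nmap -sA text output."""
    hidden_count, hidden_state, rows = 0, None, []
    for line in report.splitlines():
        m = HIDDEN_LINE.search(line)
        if m:
            hidden_count, hidden_state = int(m.group(1)), m.group(2)
            continue
        m = PORT_LINE.match(line.strip())
        if m:
            rows.append({"port": int(m.group(1)), "proto": m.group(2),
                         "state": m.group(3).lower(), "service": m.group(4)})
    return hidden_count, hidden_state, rows

def patch_checklist(rows):
    """Group firewall-exposed (unfiltered) ports by the software to patch."""
    checklist = {}
    for row in rows:
        if row["state"] != "unfiltered":
            continue  # filtered ports never reach a service
        software = LIKELY_SOFTWARE.get(
            row["service"], "unknown (" + row["service"] + ")")
        checklist.setdefault(software, []).append(row["port"])
    return checklist

if __name__ == "__main__":
    hidden, state, rows = parse_ack_scan(REPORT)
    print(f"{hidden} ports {state}; {len(rows)} pass the firewall")
    for software, ports in patch_checklist(rows).items():
        print(f"  patch {software}: ports {ports}")
```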
