Security Basics mailing list archives
Re: Server Compromised ?
From: Leif Ericksen <leife () dls net>
Date: Fri, 27 Jan 2006 07:54:29 -0600
Much snippage will have been done... On Thu, 2006-01-26 at 15:08 -0300, Daniel Gil wrote:
123.123.123.124) behind my ISP firewall.
You are actually trusting that your ISP is providing a firewall or do you have your own firewall that you manage between your servers and your ISP? What ISP do you use that provides a firewall? I was once told by a tech at an ISP I have used that a NAT box i.e my router would be a decent firewall and I needed no more than that! >shudder< I balled him out and asked for there security go to person so I could get my questions answered. Now, if your server is responding on a port that you are not anticipating to be active you seem to have a problem. 1) run a sniffer on the network and see what kind of traffic is going back and forth. 2) Isolate the 'bad' system from the net and see if it is trying to generate traffic (does it have a smtp engine sending spam?)
TCP 123.123.123.124:25 85.250.57.67:1278 TIME_WAIT TCP 123.123.123.124:25 201.25.170.200:4174 TIME_WAIT
should pop be in use?
TCP 123.123.123.124:110 200.59.34.91:1050 TIME_WAIT TCP 123.123.123.124:110 200.59.34.91:2089 TIME_WAIT TCP 123.123.123.124:110 200.59.34.91:2090 TIME_WAIT >TCP
123.123.123.124:110 200.59.34.91:2091 TIME_WAIT 3) LOTS of listening ports is always a scary thing... Do you have a fresh install Dozer box that you can use to compare netstat info on? For instance on my *nix system. This is what I have listening. # lsof -i TCP COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME mDNSRespo 1945 nobody 7u IPv4 5539 TCP mybox:5335 (LISTEN) cupsd 1980 root 0u IPv4 5749 TCP mybox:ipp (LISTEN) sshd 2012 root 3u IPv4 5769 TCP X..X.X.X:ssh (LISTEN) sendmail 2054 root 4u IPv4 5935 TCP mybox:smtp (LISTEN) httpd 2100 root 3u IPv4 6008 TCP X.X.X.X:http (LISTEN) httpd 2107 apache 3u IPv4 6008 TCP X.X.X.X:http (LISTEN) httpd 2108 apache 3u IPv4 6008 TCP X.X.X.X:http (LISTEN) httpd 2109 apache 3u IPv4 6008 TCP X.X.X.X:http (LISTEN) httpd 2110 apache 3u IPv4 6008 TCP X.X.X.X:http (LISTEN) httpd 2111 apache 3u IPv4 6008 TCP X.X.X.X:http (LISTEN) httpd 2112 apache 3u IPv4 6008 TCP X.X.X.X:http (LISTEN) httpd 2113 apache 3u IPv4 6008 TCP X.X.X.X:http (LISTEN) httpd 2114 apache 3u IPv4 6008 TCP X.X.X.X:http (LISTEN) 4) If in doubt, remove the system form the network and reload the OS scrub and reload. -- Leif Ericksen --------------------------------------------------------------------------- EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations. http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
Current thread:
- Server Compromised ? Daniel Gil (Jan 26)
- Re: Server Compromised ? Aman Raheja (Jan 27)
- Re: Server Compromised ? Ivan . (Jan 27)
- Re: Server Compromised ? Ansgar -59cobalt- Wiechers (Jan 27)
- Re: Server Compromised ? List Spam (Jan 27)
- Re: Server Compromised ? Leif Ericksen (Jan 27)
- Re: Server Compromised ? xyberpix (Jan 30)
- <Possible follow-ups>
- Re: Server Compromised ? Daniel Gil (Jan 30)