Security Basics mailing list archives

Re: Server Compromised ?

From: Leif Ericksen <leife () dls net>
Date: Fri, 27 Jan 2006 07:54:29 -0600

Much snippage will have been done...

On Thu, 2006-01-26 at 15:08 -0300, Daniel Gil wrote:


123.123.123.124) behind my ISP firewall.


You are actually trusting that your ISP is providing a firewall or do
you have your own firewall that you manage between your servers and your
ISP?  What ISP do you use that provides a firewall?  I was once told by
a tech at an ISP I have used that a NAT box i.e my router would be a
decent firewall and I needed no more than that! >shudder<  I balled him
out and asked for there security go to person so I could get my
questions answered.

Now, if your server is responding on a port that you are not
anticipating to be active you seem to have a problem.
1) run a sniffer on the network and see what kind of traffic is going
back and forth.
2) Isolate the 'bad' system from the net and see if it is trying to
generate traffic (does it have a smtp engine sending spam?)

TCP    123.123.123.124:25        85.250.57.67:1278      TIME_WAIT
TCP    123.123.123.124:25        201.25.170.200:4174    TIME_WAIT


should pop be in use?

TCP    123.123.123.124:110       200.59.34.91:1050      TIME_WAIT
TCP    123.123.123.124:110       200.59.34.91:2089      TIME_WAIT
TCP    123.123.123.124:110       200.59.34.91:2090      TIME_WAIT >TCP

123.123.123.124:110       200.59.34.91:2091      TIME_WAIT

3) LOTS of listening ports is always a scary thing...  Do you have a
fresh install Dozer box that you can use to compare netstat info on?

For instance on my *nix system. This is what I have listening.
# lsof -i TCP
COMMAND    PID   USER   FD   TYPE DEVICE SIZE NODE NAME
mDNSRespo 1945 nobody    7u  IPv4   5539       TCP mybox:5335 (LISTEN)
cupsd     1980   root    0u  IPv4   5749       TCP mybox:ipp (LISTEN)
sshd      2012   root    3u  IPv4   5769       TCP X..X.X.X:ssh (LISTEN)
sendmail  2054   root    4u  IPv4   5935       TCP mybox:smtp (LISTEN)
httpd     2100   root    3u  IPv4   6008       TCP X.X.X.X:http (LISTEN)
httpd     2107 apache    3u  IPv4   6008       TCP X.X.X.X:http (LISTEN)
httpd     2108 apache    3u  IPv4   6008       TCP X.X.X.X:http (LISTEN)
httpd     2109 apache    3u  IPv4   6008       TCP X.X.X.X:http (LISTEN)
httpd     2110 apache    3u  IPv4   6008       TCP X.X.X.X:http (LISTEN)
httpd     2111 apache    3u  IPv4   6008       TCP X.X.X.X:http (LISTEN)
httpd     2112 apache    3u  IPv4   6008       TCP X.X.X.X:http (LISTEN)
httpd     2113 apache    3u  IPv4   6008       TCP X.X.X.X:http (LISTEN)
httpd     2114 apache    3u  IPv4   6008       TCP X.X.X.X:http (LISTEN)

4) If in doubt, remove the system form the network and reload the OS
scrub and reload.

--
Leif Ericksen




---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------

Current thread:

Server Compromised ? Daniel Gil (Jan 26)
- Re: Server Compromised ? Aman Raheja (Jan 27)
- Re: Server Compromised ? Ivan . (Jan 27)
- Re: Server Compromised ? Ansgar -59cobalt- Wiechers (Jan 27)
- Re: Server Compromised ? List Spam (Jan 27)
- Re: Server Compromised ? Leif Ericksen (Jan 27)
- Re: Server Compromised ? xyberpix (Jan 30)
- <Possible follow-ups>
- Re: Server Compromised ? Daniel Gil (Jan 30)