Security Basics mailing list archives
Re: Hacked ???
From: asterisk () marnock net
Date: Thu, 28 Jul 2005 06:12:48 +0100
Hello All, First of all I'd like to say a big thank you to everyone who provided information to help me track down this problem. The good news is that my box hadn't been compromised ( phew!!! ) but as always it was something I'd done ( not internationally! ). To cut a long story short, I have one nic in this box and the box is a transparent proxy for all internal users. What I hadn't done with my iptables prerouting was specify the source as the internal network. This meant, because of my mistake, that any request from the net to my site would get the site via my proxy. Obviously, someone was scanning for open proxies and came across my site. I've now altered my iptables script and everything seems ok now. Still a lot of hits but I don't think they are getting what they think. Shame! Thanks again! Phil. Fernando Amatte <famatte () gmail co m> To "asterisk () marnock net" 26/07/2005 19:45 <asterisk () marnock net> cc security-basics () securityfocus com Please respond to Subject Fernando Amatte Re: Hacked ??? <famatte () gmail co m> Hello On a Linux Box, you can try to use the "lsof" command. Use something like .. lsof | grep LISTEN You will see, users, pids, and other information. With this information, you can try to verify other things. ( If you dont have a rootkit installed ) Regards Fernando On 7/23/05, asterisk () marnock net <asterisk () marnock net> wrote:
Hi List, I'm seeing some strange things on my box. Here is a snippit from my
squid
log: BTW I don't have an icq account. 1122088113.571 308 212.227.83.197 TCP_MISS/200 184 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 - 1122088114.402 140 220.160.34.238 TCP_HIT/200 482 GET http://media.adrevolver.com/adrevolver/banner? - NONE/- text/html 1122088116.711 310 212.227.65.104 TCP_MISS/200 186 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 - 1122088119.769 339 212.227.83.197 TCP_MISS/200 183 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 - 1122088119.950 367 72.21.34.42 TCP_MISS/200 185 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 - 1122088120.466 543 200.50.23.115 TCP_MISS/401 417 GET http://www.bubblebutts.com/members/ - DIRECT/216.15.219.25 text/html 1122088121.618 404 212.227.65.104 TCP_MISS/200 186 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 - 1122088122.814 885 70.118.81.253 TCP_MISS/200 6085 GET http://members.yahoo.com/interests? - DIRECT/66.218.75.151 text/html 1122088123.961 620 212.227.83.197 TCP_MISS/200 251 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 - 1122088125.635 356 72.21.34.42 TCP_MISS/200 185 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 - 1122088126.101 309 212.227.65.104 TCP_MISS/200 186 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 - 1122088126.587 309 212.227.83.197 TCP_MISS/200 182 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 - 1122088129.107 376 212.227.83.197 TCP_MISS/200 184 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 - 1122088129.404 446 85.138.104.205 TCP_MISS/999 4647 GET http://216.109.127.60/config/login? - DIRECT/216.109.127.60 text/html 1122088130.415 10 220.160.34.238 TCP_MEM_HIT/200 381 GET http://ad.yieldmanager.com/imp? - NONE/- image/gif 1122088130.882 385 212.227.65.104 TCP_MISS/200 186 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 - 1122088132.464 348 212.227.83.197 TCP_MISS/200 185 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 - 1122088132.587 307 212.227.83.197 TCP_MISS/200 184 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 - 1122088135.746 391 212.227.83.197 TCP_MISS/200 184 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 - 1122088135.762 380 72.21.34.42 TCP_MISS/200 182 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 - I've disconected all machines except my main linux box which is used for
a
number of things ( asterisk telephony system / squid proxy / cvs ) etc. I've also noticed port 32768 is open and others are connecting to it from the web or an app is connecting to them. How can I see which app is connecting to port 32768 ??? Heres the first line from a netstat -an [root@zeus iptraf]# netstat -an | more Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 0.0.0.0:32768 0.0.0.0:* LISTEN Thanks in advance. Phil
Current thread:
- Hacked ??? asterisk (Jul 26)
- Re: Hacked ??? Fernando Amatte (Jul 29)
- Re: Hacked ??? asterisk (Jul 29)
- Re: Hacked ??? Jeremy Heslop (Jul 29)
- Re: Hacked ??? Fernando Amatte (Jul 29)