Security Basics mailing list archives

Re: Hacked ???

From: asterisk () marnock net
Date: Thu, 28 Jul 2005 06:12:48 +0100

Hello All,

First of all I'd like to say a big thank you to everyone who provided
information to help me track down this problem.  The good news is that my
box hadn't been compromised ( phew!!! ) but as always it was something I'd
done ( not internationally! ).  To cut a long story short, I have one nic
in this box and the box is a transparent proxy for all internal users.
What I hadn't done with my iptables prerouting was specify the source as
the internal network.  This meant, because of my mistake, that any request
from the net to my site would get the site via my proxy.  Obviously,
someone was scanning for open proxies and came across my site.  I've now
altered my iptables script and everything seems ok now.  Still a lot of
hits but I don't think they are getting what they think.  Shame!


Thanks again!


Phil.






                                                                           
             Fernando Amatte                                               
             <famatte () gmail co                                             
             m>                                                         To 
                                       "asterisk () marnock net"              
             26/07/2005 19:45          <asterisk () marnock net>              
                                                                        cc 
                                       security-basics () securityfocus com   
             Please respond to                                     Subject 
              Fernando Amatte          Re: Hacked ???                      
             <famatte () gmail co                                             
                    m>                                                     
                                                                           
                                                                           
                                                                           
                                                                           




Hello

On a Linux Box, you can try to use the   "lsof" command.
Use something like   ..   lsof | grep LISTEN

You will see, users, pids, and other information.
With this information, you can try to verify other things. ( If you
dont have a rootkit installed )

Regards

Fernando


On 7/23/05, asterisk () marnock net <asterisk () marnock net> wrote:


Hi List,

I'm seeing some strange things on my box.  Here is a snippit from my

squid

log:  BTW I don't have an icq account.


1122088113.571    308 212.227.83.197 TCP_MISS/200 184 CONNECT
login.icq.com:443 - DIRECT/64.12.200.89 -
1122088114.402    140 220.160.34.238 TCP_HIT/200 482 GET
http://media.adrevolver.com/adrevolver/banner? - NONE/- text/html
1122088116.711    310 212.227.65.104 TCP_MISS/200 186 CONNECT
login.icq.com:443 - DIRECT/64.12.200.89 -
1122088119.769    339 212.227.83.197 TCP_MISS/200 183 CONNECT
login.icq.com:443 - DIRECT/64.12.200.89 -
1122088119.950    367 72.21.34.42 TCP_MISS/200 185 CONNECT
login.icq.com:443 - DIRECT/64.12.200.89 -
1122088120.466    543 200.50.23.115 TCP_MISS/401 417 GET
http://www.bubblebutts.com/members/ - DIRECT/216.15.219.25 text/html
1122088121.618    404 212.227.65.104 TCP_MISS/200 186 CONNECT
login.icq.com:443 - DIRECT/64.12.200.89 -
1122088122.814    885 70.118.81.253 TCP_MISS/200 6085 GET
http://members.yahoo.com/interests? - DIRECT/66.218.75.151 text/html
1122088123.961    620 212.227.83.197 TCP_MISS/200 251 CONNECT
login.icq.com:443 - DIRECT/64.12.200.89 -
1122088125.635    356 72.21.34.42 TCP_MISS/200 185 CONNECT
login.icq.com:443 - DIRECT/64.12.200.89 -
1122088126.101    309 212.227.65.104 TCP_MISS/200 186 CONNECT
login.icq.com:443 - DIRECT/64.12.200.89 -
1122088126.587    309 212.227.83.197 TCP_MISS/200 182 CONNECT
login.icq.com:443 - DIRECT/64.12.200.89 -
1122088129.107    376 212.227.83.197 TCP_MISS/200 184 CONNECT
login.icq.com:443 - DIRECT/64.12.200.89 -
1122088129.404    446 85.138.104.205 TCP_MISS/999 4647 GET
http://216.109.127.60/config/login? - DIRECT/216.109.127.60 text/html
1122088130.415     10 220.160.34.238 TCP_MEM_HIT/200 381 GET
http://ad.yieldmanager.com/imp? - NONE/- image/gif
1122088130.882    385 212.227.65.104 TCP_MISS/200 186 CONNECT
login.icq.com:443 - DIRECT/64.12.200.89 -
1122088132.464    348 212.227.83.197 TCP_MISS/200 185 CONNECT
login.icq.com:443 - DIRECT/64.12.200.89 -
1122088132.587    307 212.227.83.197 TCP_MISS/200 184 CONNECT
login.icq.com:443 - DIRECT/64.12.200.89 -
1122088135.746    391 212.227.83.197 TCP_MISS/200 184 CONNECT
login.icq.com:443 - DIRECT/64.12.200.89 -
1122088135.762    380 72.21.34.42 TCP_MISS/200 182 CONNECT
login.icq.com:443 - DIRECT/64.12.200.89 -


I've disconected all machines except my main linux box which is used for

number of things ( asterisk telephony system / squid proxy / cvs ) etc.
I've also noticed port 32768 is open and others are connecting to it from
the web or an app is connecting to them.  How can I see which app is
connecting to port 32768 ???

Heres the first line from a netstat -an

[root@zeus iptraf]# netstat -an | more
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address
State
tcp        0      0 0.0.0.0:32768               0.0.0.0:*
LISTEN


Thanks in advance.



Phil

Current thread:

Hacked ??? asterisk (Jul 26)
- Re: Hacked ??? Fernando Amatte (Jul 29)
  - Re: Hacked ??? asterisk (Jul 29)
- Re: Hacked ??? Jeremy Heslop (Jul 29)