Hacked - I feel violated.

socalgal
03-11-2001, 01:38 PM
No log, no can trace. That's too bad.
CMonster
03-11-2001, 06:12 PM
Well, I'm still here - and no unauthorized attempts to log on to my box so far. I do have the offending IP address but it appears they have a firewall and don't respond to any requests; anyway, the IP address I got may not even be where the attack originated.

jad1097
03-11-2001, 07:31 PM
Thanks for reminding me I need to install my firewall! I can't believe I forgot to install it. I hope he did not do any damage.

jad1097
03-11-2001, 07:36 PM
Just installed ZA and it already started going off.

NDC
03-11-2001, 07:36 PM
WOW! Sorry to hear that, CMonster. What kind of damage was done by the intruder?

CMonster
03-11-2001, 11:33 PM
So far I don't know what all was done but I have a few files with suspicious "last modified" date stamps and I cleared out a couple of suspicious hidden directories. I am now convinced that the system is still compromised: I am still getting packets sent to me from ftp at sourceforge.net - and my machine has accepted them. I block one IP addy and another takes its place. I hate to say this, but it looks like the back door may have been installed by the firewall "firestarter", a firewall utility for Linux I downloaded from www.sourceforge.net (http://www.sourceforge.net). Not sure yet, but it looks like I'm headed for a reinstall and I plan to set up ipchains manually this time. I have been getting misc packets sent to me on odd ports from IP addresses at sourceforge.net ever since I installed the firewall.
[This message has been edited by CMonster (edited 03-12-2001).]

CMonster
03-12-2001, 12:32 AM
Well, it finally happened - I guess even the monkey sometimes falls from the tree - I had an intruder. Linux router was left on without starting my secure firewall (ipchains starts automatically but just closes the ports - my firewall stealths them) and the security is set to low so that my other users on this box can play games with sound and such things.. Errrh! !*&^!!$#! - I really need to dedicate one box just to routing/firewall and now I am more motivated to do it. I actually found this guy when I went to use the machine and found my DSL bandwidth had gone down the toilet and my modem activity light flashing wildly; it continued flashing even when I pulled the patch cable to the NIC. After a few minutes he disconnected. I checked the system logs and discovered exactly when he got in, I guess he had no time or knowledge to erase the logs - I still do not understand why those packets were accepted. Right after that it looked like he caused a buffer overflow and got access - think he was in the process of downloading a root kit when I cut him off. I'm not sure of the extent of the damage yet. I have tightened security, added the offending host address to the firewall "refuse all" option, and disabled a few unnecessary services (one of which I believe he exploited to cause the buffer overflow). I have also located and removed some new hidden directories and files. I do not know if any system binaries were trojaned. Unfortunately in a fit of insanity I cleared all my log files thinking it would be easier to detect future activity - doh! What was I thinking! Still researching - man am I pi$$ed!

Brangwen
03-12-2001, 12:53 AM
CMonster, I've not had that happen "to my knowledge." Was that at work or on your home system? I'd be rippin' too!
Brangwen

MiKe85
03-12-2001, 04:49 AM
CMonster: Keep your eyes open
Mike

CMonster
03-12-2001, 02:41 PM
Back on a fresh install with better security.

Loveless
03-15-2001, 06:10 AM
Interesting. I have a hard router, Linksys BEFSR41, 1 NT4 PDC, 1 Linux and 1 NT5 Pro. I am somewhat worried about my Linux system; I read a few articles about intruding where CMonster's case isn't surprising to me. Should I be concerned? Is there something I can install? Oh yah, can you play games like Half-Life on Linux? Or do I have to use VMware, or am I better off with a Microsoft OS?

CMonster
03-16-2001, 11:20 AM
Loveless, PMfirewall is a nice utility for Linux - I am using it now. I also highly recommend Perro, which is a packet logging utility, and AIDE, an intrusion detection utility. The most important thing you can do is a little reading on Linux security. Some important issues are: firewall (of course), services - not running "servers" that you don't need, passwords, and logging.

Wilan Wong
03-18-2001, 01:39 PM
Damn, I really need to get a firewall. Probably heaps of hackers have been draining my cable bandwidth. Yikes!

King_Kooba_Fantastique
03-19-2001, 04:40 AM
Here is a site containing a lot of information on the weaknesses of many systems and how hackers abuse these weaknesses, I hope it helps. www.astalavista.box.sk (http://www.astalavista.box.sk)
KKF.

sharder8
03-19-2001, 07:26 AM
Not sure if I posted this at SysOpt forums, but I received this from Steve Gibson of GRC last week. It might help you to find any weaknesses.
Harder

Last Thursday (March 8th) the United States Federal Bureau of Investigation -- the FBI -- announced that the Windows NT and Windows 2000 Internet web servers belonging to at least 40 prominent eCommerce companies have been systematically broken into by Eastern European hackers. After having their private customer credit card data stolen, the companies were financially extorted under the threat of public disclosure of their customers' data. More than one million credit card purchasing records have been stolen. You can read the full FBI press release here: www.grc.com/pw/FBIannouncement.htm (http://www.grc.com/pw/FBIannouncement.htm)

Shortly before the FBI's public announcement, I was contacted by people in Washington and asked if I could produce a utility to instantly determine whether a Windows NT or 2000 Internet server was vulnerable to these attacks, and to search the server for any evidence of previous penetration. The FBI provided all of the specific details required, so I quickly created my latest freeware: "PatchWork" (just 30k bytes). PatchWork is ONLY useful for users running Windows NT or 2000 -- so I know that it will not be of interest to everyone -- but I wanted you to know that it exists. If you, or anyone you know, ARE using any version of Windows NT or 2000, you really should check out PatchWork! It is opening MANY people's eyes ... www.grc.com/pw/patchwork.htm (http://www.grc.com/pw/patchwork.htm)
[This message has been edited by sharder8 (edited 03-19-2001).]

smunzli
03-19-2001, 10:15 AM
What's the IP address? If you don't mind telling.
[This message has been edited by smunzli (edited 03-19-2001).]

SysOpt.com
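An added example, not code from any poster in this thread: it turns the triage CMonster describes in his 03-12 and 03-16 posts (preserve the logs instead of clearing them, check "last modified" times, look for hidden directories, verify system binaries against a baseline, which is what AIDE automates) into a few POSIX shell helpers. The directory paths, the reference time and the sha256sum tool are assumptions.

```shell
#!/bin/sh
# Added example, not from any poster in this thread. Post-intrusion triage
# helpers for a Linux box: preserve the logs first, list files changed since
# the suspected break-in, look for hidden directories in system paths, and
# verify files against a saved hash baseline (the idea behind AIDE).
# All paths and the reference time below are assumptions.

# Copy the logs to a read-only directory BEFORE doing anything else; the
# thread's lesson is that cleared logs leave nothing to trace.
preserve_logs() {                       # $1 = log dir, $2 = destination dir
    mkdir -p "$2" && cp -p "$1"/* "$2"/ && chmod -R a-w "$2"
}

# Regular files under $1 modified after reference file $2. Set the reference
# to the break-in time taken from the logs, e.g. `touch -t 200103110132 ref`.
changed_since() {
    find "$1" -type f -newer "$2" 2>/dev/null | sort
}

# Hidden directories (names starting with '.') under $1, the kind of place a
# root kit drops its files.
hidden_dirs() {
    find "$1" -type d -name '.*' 2>/dev/null | sort
}

# Record a SHA-256 for every regular file under $1 into manifest $2. Take the
# baseline from a known-clean (freshly installed) system and keep it off the
# box; a baseline the intruder can regenerate proves nothing.
make_baseline() {
    find "$1" -type f -exec sha256sum {} + > "$2"
}

# Re-check a baseline. Prints a FAILED line for every replaced or trojaned
# file; returns non-zero if anything changed, zero if every file matches.
verify_baseline() {
    sha256sum --quiet -c "$1"
}
```

Run make_baseline on the fresh install CMonster ended up with, then verify_baseline periodically; changed_since and hidden_dirs are for the first look at a box you suspect.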
Copyright Internet.com Inc. All Rights Reserved.