> We are using a Netmax Firewall (3.1). We were hacked and it appears
> that the hacker has placed a script that runs now on the server that
> tries to hit random IP addresses, looking for SSH access. We have
> verified that the hacker cannot get in again (we hope), and that this
> SSH traffic cannot as well, but the script still runs. Unfortunately
> we do not have a checksum to verify what files were changed, and have
> looked at t0rn to make sure that is not the kit used. Does anyone have
> any suggestions on where to look to try to rectify this?
>
> Matthew Carpenter, MCP, CNA, A+
> Network Engineer and Exchange Administrator
> SARMA
> 1801 Broadway
> San Antonio, TX 78215
The brand/vendor/product of Netmax may not have been the problem. Security is not going to be a drop-in box or cellophane-wrapped solution. Unfortunately your system was compromised. In the true sense of the word, *nothing* can be trusted after a compromise. Why? Well, how well do you trust your kernel? How about the utilities to generate checksums? Was dump or tar modified? How about your loadable kernel module for your network card?

Netmax is a Linux-based firewall suite that uses ipchains to filter IP traffic. If you did not filter ALL your services on the firewall, then the problem is *beyond* the firewall. The problem then lies in the services you run. If one of those services was a vulnerable version of SSH (which it sounds like it was), listening on a public IP address, then you will have a serious problem.

What probably happened: Someone used a script that exploited a listening service on your firewall. They then, either manually or with the help of a rootkit, set up a service to hack other machines from your machine. Keep in mind your machine may have been compromised through another script on another machine. The cracker may not have even chosen you as a target. This script might have.

What you gotta do:

1. Re-install. You can't trust any of the binaries. I know that *probably* most binaries are fine. But IT'S YOUR FIREWALL, so you gotta make sure it's clean.

2. Put the firewall software back on with your rulesets. Lock it down tight. Then *DON'T FORGET* to lock down the services. There is no reason to listen for any service on the public side. And quite possibly, you may find it safer to run NO services on the box. Only console.

3. Scan the box from outside and ensure the system is tight.

4. Forget reading what the rootkit does. You know what it does. It modifies some things here and there. Installs a cron entry or daemon. Maybe copies /bin/sh to some strange place and makes it suid. Either way, if the box is tight, screw the aftermath forensics.

good luck!
cheers,
--truman
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
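A post-rebuild check in the spirit of steps 1 to 4 above, added here as an example (it is not from the list post, from Netmax, or from any rootkit-checking tool): it records a checksum manifest of the freshly reinstalled box (the checksum the original poster said they lacked), re-verifies it later including files that appeared since the baseline, and lists setuid files, listening sockets and cron entries. The directory list in ROOTS and the use of GNU coreutils plus ss/netstat are assumptions.

```shell
#!/bin/sh
# Post-rebuild baseline and audit helpers (added example, not from the original post).
# Assumes GNU coreutils (sha256sum, comm, cut), find, and optionally ss or netstat.
# ROOTS is an assumed list of directories worth baselining on a small firewall box.
export LC_ALL=C
ROOTS="/bin /sbin /usr/bin /usr/sbin /lib /etc"

# Record a sha256 manifest of every regular file under the given directories.
# Run once on the freshly reinstalled box, then copy the manifest off-box.
make_baseline() {
  manifest=$1; shift
  find "$@" -xdev -type f -print 2>/dev/null | sort | while IFS= read -r f; do
    sha256sum -- "$f"
  done > "$manifest"
}

# Compare the live filesystem to the manifest. Reports modified or missing files
# (via sha256sum -c) and files that did not exist at baseline time, which a plain
# checksum check would never notice. Returns 1 if anything differs.
verify_baseline() {
  manifest=$1; shift
  status=0
  sha256sum --quiet -c -- "$manifest" || status=1
  now=$(mktemp)
  find "$@" -xdev -type f -print 2>/dev/null | sort > "$now"
  new=$(cut -c67- -- "$manifest" | comm -13 - "$now")   # 64 hex chars + 2 spaces
  rm -f "$now"
  if [ -n "$new" ]; then
    printf '%s\n' "$new" | sed 's/^/NEW: /'
    status=1
  fi
  return $status
}

# Setuid files: a checksum manifest records contents, not modes, so a
# 'chmod u+s' on an existing binary (or a suid copy of /bin/sh) needs its own check.
find_suid() {
  find "$@" -xdev -type f -perm -4000 -print 2>/dev/null
}

# Listening sockets and cron entries: where a dropped daemon or cron job shows up.
list_listeners() { ss -lntup 2>/dev/null || netstat -lntup 2>/dev/null; }
list_cron() { cat /etc/crontab /etc/cron.d/* 2>/dev/null; ls -l /var/spool/cron 2>/dev/null; }

case "${1:-}" in
  baseline) make_baseline "$2" $ROOTS ;;
  verify)   verify_baseline "$2" $ROOTS ;;
  audit)    find_suid $ROOTS; list_listeners; list_cron ;;
esac
```

Run `baseline` right after the reinstall (step 1), keep the manifest somewhere the box cannot write to, and run `verify` and `audit` from a trusted system, since on a compromised box the checksum tools themselves are suspect.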
