On Monday 22 December 2003 08:16 pm, Ken wrote:
> Hello All,
>
> Please be patient with me, I am new to the Linux world and I am not a
> security expert.
>
> I built a uClibc firewall version 2.0 Linux firewall kernel 2.4.20 from the
> image Bering-uClibc_2.0_img_bering-uclibc-1680.exe and I have been
> compromised. I have included a lot of information here because I need to
> know how the hackers compromised this machine and I want to give you as
> much information as you need to help me figure out how.
You did a pretty good job of showing the logs of packets that have been dropped (that never got through the firewall). Believe it or not, it would be next to impossible to relay spam or send it from a compromised LEAF box. First of all, you would have to enable some form of login to the outside, which isn't available unless you opened the firewall to accept such requests. Second of all, the likely culprit spewing emails is Outlook/Outlook Express on a Win32 machine with a virus, which can very easily happen if you use IM, chat, or P2P applications on the client side (LEAF doesn't content-filter traffic).

I would check your client machine(s) for possible infection first, then find some sort of proof that the LEAF firewall was compromised (which likely won't be found in any logs). Remember, your clients will show the external IP of the firewall when sending traffic because of the masquerading done by the firewall. The local IPs of the client machines will/should never be sent from the firewall... which is the entire point of masquerading/NAT.

If your LEAF firewall has actually been compromised, it would be the first that I know of in memory.

--
~Lynn Avants
Linux Embedded Appliance Firewall Developer
http://leaf.sourceforge.net
http://guitarlynn.homelinux.org:81

------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
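As an added illustration of the masquerading point above (example code, not from the original thread or the LEAF project): a netfilter log taken in the FORWARD chain is written before POSTROUTING MASQUERADE rewrites the source address, so it still carries the LAN client's private IP and can show which internal machine is actually originating outbound SMTP. The log lines, the interface names and the 192.168.1.0/24 LAN are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in netfilter LOG format (assumed layout, not from the post).
# They are logged from the FORWARD chain, i.e. before MASQUERADE, so SRC is the
# LAN client's private address rather than the firewall's external IP.
SAMPLE_LOG = """\
Dec 22 20:10:01 fw kernel: FORWARD:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.25 LEN=48 PROTO=TCP SPT=3412 DPT=25 SYN
Dec 22 20:10:02 fw kernel: FORWARD:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.26 LEN=48 PROTO=TCP SPT=3413 DPT=25 SYN
Dec 22 20:10:03 fw kernel: FORWARD:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.7 LEN=48 PROTO=TCP SPT=3414 DPT=25 SYN
Dec 22 20:10:04 fw kernel: FORWARD:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.9 LEN=48 PROTO=TCP SPT=1025 DPT=80 SYN
Dec 22 20:10:05 fw kernel: net2all:DROP:IN=eth0 OUT= SRC=203.0.113.99 DST=192.0.2.1 LEN=40 PROTO=TCP SPT=6000 DPT=1433 SYN
"""

# Standard netfilter key=value fields; OUT= may be empty, hence \S*.
FIELD_RE = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|SPT|DPT)=(\S*)")


def parse_line(line):
    """Return the netfilter key=value fields of one log line as a dict."""
    return dict(FIELD_RE.findall(line))


def outbound_smtp_by_client(log_text, lan_net="192.168.1.0/24"):
    """Count outbound TCP/25 connection attempts per internal (pre-NAT) source."""
    lan = ipaddress.ip_network(lan_net)
    hits = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("PROTO") != "TCP" or f.get("DPT") != "25":
            continue
        try:
            src = ipaddress.ip_address(f.get("SRC", ""))
        except ValueError:
            continue  # malformed or missing SRC field
        if src in lan:  # only LAN clients: the address NAT would otherwise hide
            hits[str(src)] += 1
    return hits


def suspect_clients(hits, threshold=3):
    """Internal hosts whose outbound SMTP attempts reach the threshold."""
    return sorted(ip for ip, n in hits.items() if n >= threshold)


if __name__ == "__main__":
    counts = outbound_smtp_by_client(SAMPLE_LOG)
    print("outbound SMTP by LAN client:", dict(counts))
    print("clients to inspect for infection:", suspect_clients(counts))
```

Logging the same traffic only on the external interface after MASQUERADE would show nothing but the firewall's own external address, which is why the LAN-side (FORWARD) log is the one that identifies the client.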
