Well, sendmail and samba... I get connect attempts to 31337 and 111 daily.
You could try lsof to find out what process is listening to 31337. (I take
it the others you listed are supposed to be open?) But if you've been
hacked and you weren't running TripWire you have no idea what binaries,
etc. may have been replaced so you are basically looking at a reinstall.
hosts.deny probably is not enough. It still allows spoofed UDP packets to
come in. The hosts.deny man page claims that ident protects from spoofed
TCP packets but I'm skeptical. Anyways, my recommendation (after you
reinstall) is not to run sendmail unless you REALLY know what you are
doing. Samba probably also is not a good idea unless you really need it
and somewhat know what you are doing.
I suggest you download and install Portsentry. It listens on ports that
are commonly included in portscans. When someone connects to one, it kills
that socket and puts that host in /etc/hosts.deny and can either add
routing rules or ipchains rules to block the host. It is not real
security, but it makes it much, much harder for someone to get in. (A
cracker would need to either spoof packets from or have access to, say, 30
hosts to scan 30 ports (a bit less).)
And *do* use qmail next time.
Look in /var/log/messages or /var/log/secure for clues, but the relevant
portions have probably been removed.
I don't remember if there are any big security holes in RH 6.0. But I am
sure there are. If you are going to run services such as these you need to
know security fairly well and keep up-to-date on security holes in RH. RH
has a mailing list to which you can subscribe to get such info.
Or you can just shut down all of your services. I just leave sshd open and
I am quite happy.
(If you don't *need* to be a print server, mail server, Winxx file server,
etc., kill those services.)
I would also advise installing ipchains and blocking incoming access to
any ports where you want to run the service but you only want to be able
to access them from your host. It's easier than figuring out security
options for lpd, X (especially), sendmail, etc.
--
The absurd is the essential concept and the first truth.
-- A. Camus
On Thu, 22 Jun 2000, David Smith wrote:
> OK, I'm pissed. I found, by doing a random 'netstat', that
> port 31337 is open on my computer. And with a little fiddling,
> I found that it's a primitive root shell. So my question
> is how the hell did that happen? I also found that my hosts.allow
> and hosts.deny were deleted. I used to deny access to non-UT IPs.
> It was wide open when I found it. I have everything closed
> except the stuff on the netstat output:
>
> tcp 0 0 *:ssh *:* LISTEN
> tcp 0 0 *:6000 *:* LISTEN
> tcp 0 0 *:smtp *:* LISTEN
> tcp 0 0 *:printer *:* LISTEN
> tcp 0 0 localhost:domain *:* LISTEN
> tcp 0 0 *:netbios-ssn *:* LISTEN
> tcp 0 0 *:111 *:* LISTEN
> tcp 0 0 *:31337 *:* LISTEN
>
> The only weak link I can think of is samba, or maybe sendmail.
> I only allow my LAN IPs and the UT 127.*.*.* IPs on Samba, and
> I'm using the sendmail that came with RH 6.0 -- I never
> bothered with qmail. Does RH 6 have a big exploit that
> I somehow missed hearing about? I'm running the 2.2.5-15 kernel
> that came on the CD with a few modifications.
>
> I also know that 31337 is used with Back Orifice, but I'm running
> Linux. Any ideas? I'm not looking for a complete security
> analysis, just some hunches. I'm by no means a security expert.
>
> Thanks,
> Dave
> ---------------------------------------------------------------------------
> Send administrative requests to [EMAIL PROTECTED]
>
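As an added example (not code from either poster), here is a small Python check over netstat LISTEN lines in the format quoted above: it flags every socket bound to a non-loopback address that is not on an explicit allowlist, and labels 31337 with the Back Orifice association the original mail mentions. The allowlist (ssh only) is an assumption taken from the reply's "I just leave sshd open" advice.

```python
"""Flag listening sockets that are not on an explicit allowlist.

Parses the LISTEN lines of `netstat -a` output as quoted in the thread. Caveat
from the reply: on an already compromised host netstat/lsof may themselves have
been replaced, so a clean result is weak evidence.
"""

# Constructed sample: the LISTEN lines quoted in the original mail.
SAMPLE_NETSTAT = """\
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 *:6000 *:* LISTEN
tcp 0 0 *:smtp *:* LISTEN
tcp 0 0 *:printer *:* LISTEN
tcp 0 0 localhost:domain *:* LISTEN
tcp 0 0 *:netbios-ssn *:* LISTEN
tcp 0 0 *:111 *:* LISTEN
tcp 0 0 *:31337 *:* LISTEN
"""

# Assumption: the host should expose only sshd externally, as the reply
# suggests. Everything else bound to a non-loopback address is unexpected.
ALLOWED = {("*", "ssh")}
LOOPBACK = {"localhost", "127.0.0.1", "::1"}
# Port the original mail associates with Back Orifice.
SUSPECT_PORTS = {"31337": "Back Orifice port"}

def parse_listeners(text):
    """Return (proto, local_addr, local_port) for each LISTEN line."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[-1] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        listeners.append((fields[0], addr, port))
    return listeners

def unexpected_listeners(text, allowed=ALLOWED):
    """Non-loopback listeners that are not allowlisted."""
    return [l for l in parse_listeners(text)
            if l[1] not in LOOPBACK and (l[1], l[2]) not in allowed]

def triage(text, allowed=ALLOWED):
    """Map 'proto addr:port' of each unexpected listener to a reason."""
    return {f"{p} {a}:{port}": SUSPECT_PORTS.get(port, "not on allowlist")
            for p, a, port in unexpected_listeners(text, allowed)}

if __name__ == "__main__":
    for sock, why in triage(SAMPLE_NETSTAT).items():
        print(f"unexpected listener: {sock} ({why})")
```

On a live box, pipe `netstat -an | grep LISTEN` into `triage` instead of the sample, and cross-check anything flagged with `lsof -i :PORT` as the reply suggests.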