
Thread: I'm gonna cry. I'm a victim!

  1. #11
    AntiOnline Newbie
    Join Date
    Dec 2001
    Posts
    28
    I honestly don't see what the big tragedy is. You yourself said that it was up for a mere 3 hours. Surely, as Vorlin has suggested, there is nothing of much worth on the machine. At the very worst, it is perhaps being used as a launching point for further attacks. That will be rectified when you get home, will it not? Not something to cry about, right?

    Concerning Vorlin's paranoid claim that your "so-called friend" acted in a slightly unfriendly manner, I think it should be taken with a grain of salt. Some tools might have scanned a block of IPs that you merely happened to be in, as such your computer was perhaps not specifically targeted as you seem to think. It was most likely a coincidence, is all. Also, there are tools that will construct random IPs to scan, quietly compiling a list of random targets.

    My question is: why didn't you secure your box before bringing it online? You are the only one to blame. However, your "i will learn from my mistakes" attitude is highly commendable.

  2. #12
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534
    I told him on irc it was pretty-secure
    as in I know a lot of big websites that are a lot less secure..
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  3. #13
    Senior Member
    Join Date
    Oct 2001
    Posts
    689
    jason-mis, I can't believe you were hacked. By the way, where is the screenshot?
    Wine maketh merry: but money answereth all things.
    --Ecclesiastes 10:19

  4. #14
    Senior Member
    Join Date
    Nov 2001
    Posts
    185
    Hi jason-mis, I am sorry to hear that you were attacked. This is unfortunate, especially since you are just beginning to learn.

    I suspect that if you were ever hacked in Windows that you would not know it if the attacker decided to keep it quiet. It is common for Windows boxes to be compromised with no obvious indication that a compromise has taken place.

    As for your Linux system, please give it another try. Collect all of the papers and How-To's you find on securing Linux and be sure and do these things before bringing the box back online. There are some really good how-to's at http://www.linuxdoc.org.

    Here are some tools that I believe that Linux users should run on their systems to aid in security.

    iptables - get a good iptables script and run that every time the box is up and running. You need some kind of packet filtering rules.

    Securing X Windows How-To - can be found at http://www.linuxdoc.org.

    portsentry - an excellent IDS tool that can be found at http://www.psionic.com. Portsentry is very good at detecting scans and attacks, and it can use iptables to block an IP and drop it in /etc/hosts.deny.

    logcheck - you need a good log monitoring tool to help you decipher what security related events have taken place. logcheck can be found at http://www.psionic.com. It is a fantastic tool.

    iplog - can be found at http://www.freshmeat.net, I use it to monitor suspicious activity, and all network events since it simultaneously monitors ICMP, UDP, and TCP in easy to read output. iplog does not block traffic by itself, but it is an excellent tool for the paranoid.

    root-tail - A handy small tool for printing the most recent entries in logs directly to your wallpaper. I will show you a screen-shot of this at the end of my reply. root-tail can be found at http://www.freshmeat.net

    Kernel How-To - I recommend that you go and get a copy of this at http://www.linuxdoc.org. It will guide you through a kernel upgrade, which I recommend in addition to the latest grsecurity patch.

    Kernel upgrade - make a directory under your home /home/username, called kernel, then make one under kernel named 2.4.17. Then download the 2.4.17 kernel from http://www.kernel.org into that directory and unpack it.

    grsecurity kernel patch - you can get the grsecurity patch from http://www.grsecurity.net. Place it in the same directory as your 2.4.17 kernel. example: /home/username/kernel/2.4.17. Then run `patch -p0 < grsecurity-1.9.2-2.4.17.patch` and you should see some updates scroll by. Then cd into the directory called linux (the unpacked name of the 2.4.17 kernel) and run `make xconfig`. This will give you a nice gui kernel option menu. Following the instructions in the Kernel How-To build your new kernel. There are options at the end for grsecurity that allow for some pretty sweet security options, but my favorite is the denial of executable code on the stack (many *nix exploits involve executing arbitrary code on the stack, this grsecurity feature makes that difficult/impossible).

    nessus - I highly recommend getting nessus, you can find it and its documentation at http://www.nessus.org. I will include in my screenshot a picture of nessus attack setup. nessus uses plugins which attack well known problems in all flavors of Unix and Windows. It can scan multiple hosts at a time, and has really easy to read results output in plain English that tell you what the problem is and what needs to be done to resolve it. The plugins are what are totally powerful, it uses nmap or any other available port scanner that you specify, or a combination of port scanners. The plugins can do such nasty things as testing the integrity of ftp by storing unauthorized files, denial of service attacks, buffer overflows, and lots of other goodies.

    setuid and setgrpid - these are dangerous, I recommend that you do the following.

    # find / \( -perm -02000 -o -perm -4000 \) -ls > setXid.txt

    This will put a list of all of these in a file for you to read. Then go and find some good documentation about each of those programs and determine if they really need to be setXid. This can be tedious, but it is worth it for peace of mind.

    Check out the papers and docs in this post of mine and become familiar with them, Testing the security of your Unix box.

    ***Final Thoughts

    Unix is more secure by nature than Windows, however, we need to remember that Unix based systems are much higher on the `todo list' of hackers. It is not just more useful to compromise a Unix based system, but it earns more respect (and this is what they want, to make a *name* for themselves). Add to this that certain distributions have hastily placed insecure programs in the default install, and we have some work to do to protect ourselves. Due to its complexity, I am afraid that Linux may come under fire from those who aim to claim it insecure. Never before have we had so many people using a Unix based system that are not Unix professionals.
    Unix based systems are far more secure than Windows systems, but a lot of that reputation comes from Unix users being more knowledgeable and paranoid about security. Any system can be compromised, but a properly secured Unix based system is perhaps the most difficult to compromise.

    Included screenshot of root-tail, portsentry, iplog, and nessus in action on my Slackware Linux box.
    Know this..., you may not by thyself in pride claim the Mantle of Wizardry; that way lies only Bogosity without End.

    Rather must you Become, and Become, and Become, until Hackers respect thy Power, and other Wizards hail thee as a Brother or Sister in Wisdom, and you wake up and realize that the Mantle hath lain unknown upon thy Shoulders since you knew not when.
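    The setXid listing in that post is a one-off snapshot. The following is an added example (not from the post, nor from any of the tools it names) that turns it into a baseline check: record the setuid/setgid files once after hardening, then rerun later so any file that has gained the bit since is reported by name. It assumes GNU find (for -printf) and a POSIX shell; the demo tree it builds is constructed.

```shell
#!/bin/sh
# Added example: baseline-and-diff audit of setuid/setgid files.
# Requires GNU find for -printf. Not part of the original post.

# list_setxid DIR: print "octal-mode owner path" for every setuid or setgid
# regular file below DIR. Sorted so the output is stable and diffable;
# -xdev keeps the walk on one filesystem, as the original find did not.
list_setxid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -printf '%m %u %p\n' 2>/dev/null | sort
}

# save_baseline DIR FILE: record the current list. Do this right after the
# box has been hardened, and keep FILE somewhere an intruder cannot edit.
save_baseline() {
    list_setxid "$1" > "$2"
}

# check_baseline DIR FILE: print every "mode owner path" entry present now
# but absent from the baseline (a new setXid file, or one whose mode or
# owner changed). Returns 1 if anything differs, 0 if the tree still matches.
check_baseline() {
    tmp=$(mktemp) || return 2
    list_setxid "$1" > "$tmp"
    # comm -13 keeps lines only in the second (current) list; both sorted.
    new=$(comm -13 "$2" "$tmp")
    rm -f "$tmp"
    if [ -n "$new" ]; then
        printf 'setXid change detected:\n%s\n' "$new"
        return 1
    fi
    return 0
}

# Typical use (paths are placeholders):
#   save_baseline / /root/setxid.baseline        # once, after hardening
#   check_baseline / /root/setxid.baseline       # from cron, read the report
```

A hit is not proof of compromise (a package upgrade can add a setuid helper), but every new entry should be explained before the baseline is refreshed.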


  5. #15
    Senior Member
    Join Date
    Nov 2001
    Posts
    185
    Here is that screenshot I mentioned and somehow left out in the post.


  6. #16
    Senior Member
    Join Date
    Jul 2001
    Posts
    138
    Did it "disconnect" you after you had been using it a while, or did it "refuse" the connection? If it refused the connection, (allowed a connect, but not a login) check your config files for sshd. If it refused the connection, (as in couldn't connect at all) check your portsentry.history and see if you maybe forgot to add yourself to portsentry.ignore (assuming you are using portsentry.) If you still think you may have gotten hacked, check out chkrootkit. It will look for commonly installed root kits. If it finds one, I suggest you reinstall instead of trying to remove everything. Good luck

    Happy Hacking
    -----------------------------------------------------
    Warfare is the Way of deception.
    -Sun Tzu "The Art of War"

  7. #17

    I am at home now

    I called my sister at home and had her disconnect it from the internet. UberC0der, I did secure my pc, I followed several documents, "armoring Linux" Securing Linux Part A and B, and a few other docs. When I nmap only x11 shows up, I changed my ssh to an unknown port, that only I know. I am in a state of frustration right now but I do intend to learn from my mistakes and keep on going with linux. Thank you all for your posts.

    Here's the link to the screenshot.

    http://personal.bellsouth.net/jax/j/...nsa/index.html
    __________________________
    Caution: in case of rapture, this computer will be unoccupied!

  8. #18
    PHP/PostgreSQL guy
    Join Date
    Dec 2001
    Posts
    1,164
    Concerning Vorlin's paranoid claim that your "so-called friend" acted in a slightly unfriendly manner, I think it should be taken with a grain of salt.
    Dude, I don't know what you've done with unix administration but being a paranoid mother****er has kept me from losing data, getting services hacked, you name it...know up front that most vendor tools are at least 2 versions behind what's current and they are slow as SIN to update if you leave it up to them.

    Better to err on the side of caution when concerning a machine that's open to the internet by at least one port.

    Security = 1 / convenience (quoted from Unix Systems Administrator's Handbook)
    We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.

  9. #19

    The_JinX

    I apologize for what I said. You were the last person to communicate with my pc before it was hacked. I did not do this trying to hurt your social status. I do know you are NOT a Black-Hat. I know you do not root people or do malicious activities.


    -Jason

  10. #20
    A reply to gax prels, I was connected using putty for about 30 mins then it kicked me off (I suspect the service was stopped, I did not have a win based port scanner to check). I tried to connect again: Connection Refused. I pinged the IP, it was still up. Then I tried to telnet the IP on the port for ssh that I setup.

    http://personal.bellsouth.net/jax/j/...nsa/index.html

    I got the result as shown above in a screenshot.


    -Jason
