
Thread: I think I've been 0wn3d...

  1. #11
    Junior Member
    Join Date
    Sep 2002
    Posts
    16
    droby10:

    I'm not quite sure what the point of entry was, but I'm going to make certain that all the apps running are the latest version w/ patches, etc...

    I've been looking at some of the logs and am finding some clues perhaps...

    Like this:
    Sep 14 15:16:51 DHP01103 kernel: mIRKfORCE-glibc uses obsolete (PF_INET,SOCK_PACKET)
    Sep 14 15:16:51 DHP01103 kernel: device eth0 entered promiscuous mode
    Sep 14 15:18:50 DHP01103 kernel: device eth0 left promiscuous mode
    Sep 14 15:19:31 DHP01103 kernel: device eth0 entered promiscuous mode
    -- That doesn't look good... Any ideas???

    And this:
    Sep 14 14:16:30 DHP01103 portsentry[601]: attackalert: Connect from host: 211.121.xxx.xxx/211.121.xxx.xxx to TCP port: 111
    Sep 14 14:16:30 DHP01103 portsentry[601]: attackalert: Ignoring TCP response per configuration file setting.
    -- That certainly doesn't look good... Dunno why the config file says to just ignore... Any ideas???

    I think I had also seen some :443 connect errors, which leads me to believe that it may be the exploit w/ my 0.9.6a OpenSSL... I'll put the latest ver. on new build...

    I wish I had the time to figure it all out before I have to rebuild... But unfortunately, that's not an option... I just hope I can fill enough holes to keep it clean & alive while I figure all this out...

    Thanks again...

    James...

  2. #12
    Senior Member
    Join Date
    Jun 2002
    Posts
    165
    Sep 14 15:16:51 DHP01103 kernel: mIRKfORCE-glibc uses obsolete (PF_INET,SOCK_PACKET)
    Sep 14 15:16:51 DHP01103 kernel: device eth0 entered promiscuous mode
    Sep 14 15:18:50 DHP01103 kernel: device eth0 left promiscuous mode
    Sep 14 15:19:31 DHP01103 kernel: device eth0 entered promiscuous mode
    -- That doesn't look good... Any ideas???

    The guys hosting your site should have acted quicker... I'd notify them that anyone logging into anywhere in that network segment between now and the time stated above needs to change their password ASAP - they could have been broadcast to any number of IRC boards, or just to a single IRC server operated or used by the attacker.

    And this:
    Sep 14 14:16:30 DHP01103 portsentry[601]: attackalert: Connect from host: 211.121.xxx.xxx/211.121.xxx.xxx to TCP port: 111
    Sep 14 14:16:30 DHP01103 portsentry[601]: attackalert: Ignoring TCP response per configuration file setting.
    -- That certainly doesn't look good... Dunno why the config file says to just ignore... Any ideas???
    Could have been an RPC exploit.

    But if the timestamps for the SSL attack are between the promiscuous and the above, then that is likely the problem. SSL flaws have been publicized greatly over the last few weeks - so it's a hotspot.
    -droby10
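As an added example (not code from the thread or from any poster), here is a small Python script that applies droby10's reasoning to the log lines James quoted: it pulls the promiscuous-mode and SOCK_PACKET kernel messages, the portsentry probe and any login records into one timeline, works out the windows during which eth0 was sniffing, and lists the logins that fell inside a window (or after one that never closed), which are the credentials droby10 says need rotating. The sshd and ftpd login lines in the sample are constructed; the year is assumed to be 2002 because syslog timestamps carry none.

```python
import re
from datetime import datetime

YEAR = 2002  # syslog lines carry no year; assumed from the thread's dates

# Constructed sample: the kernel and portsentry lines are the ones quoted in the
# thread; the sshd/ftpd login lines are made up to show the correlation step.
SAMPLE_LOG = """\
Sep 14 14:16:30 DHP01103 portsentry[601]: attackalert: Connect from host: 211.121.xxx.xxx/211.121.xxx.xxx to TCP port: 111
Sep 14 14:16:30 DHP01103 portsentry[601]: attackalert: Ignoring TCP response per configuration file setting.
Sep 14 14:52:10 DHP01103 sshd[812]: Accepted password for james from 10.0.0.5 port 40122 ssh2
Sep 14 15:16:51 DHP01103 kernel: mIRKfORCE-glibc uses obsolete (PF_INET,SOCK_PACKET)
Sep 14 15:16:51 DHP01103 kernel: device eth0 entered promiscuous mode
Sep 14 15:17:30 DHP01103 ftpd[850]: FTP LOGIN FROM 10.0.0.7 [10.0.0.7], bob
Sep 14 15:18:50 DHP01103 kernel: device eth0 left promiscuous mode
Sep 14 15:19:31 DHP01103 kernel: device eth0 entered promiscuous mode
Sep 14 16:02:07 DHP01103 sshd[902]: Accepted password for alice from 10.0.0.9 port 51202 ssh2
"""

# Classic BSD syslog layout: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


def parse_ts(s):
    return datetime.strptime(f"{YEAR} {s}", "%Y %b %d %H:%M:%S")


def classify(prog, msg):
    """Map a syslog message to (kind, detail), or None if it is not of interest."""
    if prog == "kernel":
        m = re.search(r"device (\S+) (entered|left) promiscuous mode", msg)
        if m:
            return ("PROMISC_ON" if m.group(2) == "entered" else "PROMISC_OFF", m.group(1))
        # The kernel prints the name of the binary that opened the raw socket.
        m = re.match(r"(\S+) uses obsolete \(PF_INET,SOCK_PACKET\)", msg)
        if m:
            return ("RAW_SOCKET", m.group(1))
    elif prog == "portsentry":
        m = re.search(r"Connect from host: (\S+)/\S+ to TCP port: (\d+)", msg)
        if m:
            return ("PROBE", f"{m.group(1)}:{m.group(2)}")
    elif prog == "sshd":
        m = re.search(r"Accepted \S+ for (\S+) from (\S+)", msg)
        if m:
            return ("LOGIN", f"{m.group(1)}@{m.group(2)} via ssh")
    elif prog == "ftpd":
        m = re.search(r"FTP LOGIN FROM \S+ \[(\S+)\], (\S+)", msg)
        if m:
            return ("LOGIN", f"{m.group(2)}@{m.group(1)} via ftp")
    return None


def parse_log(text):
    """Return a time-ordered list of (timestamp, kind, detail, host) events."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        hit = classify(m["prog"].strip(), m["msg"])
        if hit:
            events.append((parse_ts(m["ts"]), hit[0], hit[1], m["host"]))
    events.sort(key=lambda e: e[0])  # stable: same-second lines keep file order
    return events


def sniffer_windows(events):
    """Intervals [(start, end_or_None, iface)] during which an interface was promiscuous."""
    windows, open_since = [], {}
    for ts, kind, iface, _ in events:
        if kind == "PROMISC_ON" and iface not in open_since:
            open_since[iface] = ts
        elif kind == "PROMISC_OFF" and iface in open_since:
            windows.append((open_since.pop(iface), ts, iface))
    for iface, start in open_since.items():
        windows.append((start, None, iface))  # never left promiscuous mode
    return sorted(windows)


def exposed_logins(events, windows):
    """Logins that happened while a sniffer window was open: rotate these credentials."""
    hits = []
    for ts, kind, who, _ in events:
        if kind != "LOGIN":
            continue
        for start, end, iface in windows:
            if ts >= start and (end is None or ts <= end):
                hits.append((ts, who, iface))
                break
    return hits


def probes_before(events, cutoff):
    """Portsentry alerts earlier than the first sniffer window: candidate entry vectors."""
    return [(ts, d) for ts, kind, d, _ in events if kind == "PROBE" and ts < cutoff]


def raw_socket_users(events):
    return sorted({d for _, kind, d, _ in events if kind == "RAW_SOCKET"})


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    win = sniffer_windows(ev)
    print("raw-socket binaries:", raw_socket_users(ev))
    for start, end, iface in win:
        print(f"{iface} promiscuous {start:%H:%M:%S} -> {end:%H:%M:%S}" if end else
              f"{iface} promiscuous {start:%H:%M:%S} -> still on at end of log")
    print("probes before first sniffer window:", probes_before(ev, win[0][0]))
    print("logins to rotate:", [(t.strftime('%H:%M:%S'), w) for t, w, _ in exposed_logins(ev, win)])
```

Two caveats a practitioner would add. First, the "entered promiscuous mode" message only proves a sniffer ran on this host; the passwords it could collect are those of anyone on the same segment using FTP, telnet, POP or IMAP without TLS, and those sessions never touch this host's log, so the list above is a lower bound and droby10's "everyone on the segment" advice stands. Second, on a box where root was lost the log itself is suspect: a missing "left promiscuous mode" line, or a gap around the first probe, may mean the attacker edited it rather than that nothing happened.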

  3. #13
    Senior Member
    Join Date
    Jul 2002
    Posts
    167
    There's a lot of good information provided on this topic already by forum members. One thing I didn't see suggested was a scan of localhost using nmap. If the attacker opened a backdoor on a high number port you would be able to see it. If the attacker got root its hard to recommend a simple solution as all files are suspect including the kernel.

  4. #14
    Senior Member
    Join Date
    Dec 2001
    Posts
    291
    Eh, FTP services aren't necessarily bad,

    however, configuring FTP in the most efficient and secure way can be a pain in the ass!! Set up FTP and web services on a bastion host (unsecured host) and well... plan on it getting hacked... that way if it does get whacked... you're out nothing.
    ~THEJRC~
    I'll preach my pessimism right out loud to anyone that listens!
    I'm not afraid to be alive.... I'm afraid to be alone.

  5. #15
    Junior Member
    Join Date
    Sep 2002
    Posts
    16
    You're not going to believe this, but my box has STILL not been taken offline... My incident has "been sent to the provisioning department" and should be addressed this morning... Two days after I asked/told them to take it off the network!!! I've called them many times, and have been hung up on a few times... Their slogan for their hosting side should be "Dude, you're getting a trojan", or something to that effect... I'm not naming names though...

    droby10:
    I sent them snips of my logs and snips of your comments regarding their network being at risk, and was sent a reply:

    "Please be advised that if you want us to do any sort of extra security work on your system, there will be a $175/hr charge."

    I haven't spoken to anyone there who would be worth $1.75 an hour, and they do not seem concerned that their network is at risk...

    detoxsmurf:
    An Nmap currently shows the following... I think they're gonna run out of ports soon...

    1/tcp open tcpmux
    11/tcp open systat
    15/tcp open netstat
    21/tcp open ftp
    22/tcp open ssh
    23/tcp open telnet
    25/tcp open smtp
    79/tcp open finger
    80/tcp open http
    81/tcp open hosts2-ns
    110/tcp open pop-3
    119/tcp open nntp
    143/tcp open imap2
    443/tcp open https
    540/tcp open uucp
    587/tcp open submission
    635/tcp open unknown
    1080/tcp open socks
    1524/tcp open ingreslock
    2000/tcp open callbook
    3306/tcp open mysql
    6006/tcp open X11:6
    12345/tcp open NetBus
    12346/tcp open NetBus
    31337/tcp open Elite
    32771/tcp open sometimes-rpc5
    32772/tcp open sometimes-rpc7
    32773/tcp open sometimes-rpc9
    32774/tcp open sometimes-rpc11
    54320/tcp open bo2k

    Could there be any more reason to take it down???

    THEJRC:
    By disabling FTP, and only using SFTP over 22 the passwords should never be in clear text, right??? I'm not sure how to set up FTP without sending clear text passwords, but from your post it sounds like that may be difficult... Please let me know if I'm wrong... If any PWs are sent clear text, like through FTP or Telnet, they could be sniffed out from a compromised box in my network segment??? Not sure, but that's what I gathered from droby10's post...

    Thanks again for all your help...

    James...

  6. #16
    Junior Member
    Join Date
    Sep 2002
    Posts
    16
    Hey, they finally got my box reloaded... Then I Nmap'd it before I did anything else, and guess what??? I still have 2 NetBus ports and the bo2k port open...

    Does this mean that they just reloaded without wiping the drive??? Or are there valid reasons for running services on 12345/6 & 54320??? I read about TrendMicro using 12345 for their virus scanner, but I'm pretty sure this box isn't running that...

    Is it possible somebody cracked right back into the fresh box (RH7.3 w/ iptables) in a matter of a few minutes, or is it more likely they just rm -rf /'d it instead of formatting???

    I've just started moving some of our accounts off to shared servers w/ another host... Didn't want to do that, but these guys are jackballs...
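Added example, not from the thread: a Python script that does with James's nmap output what detoxsmurf suggested and what James then did by eye, namely parse the port table, flag the ports whose service names match well-known backdoor defaults, flag the services that send passwords in the clear (THEJRC's and James's sniffing concern), and diff a pre-reload and a post-reload scan to show which flagged ports survived the "reload". The first scan is the one James posted; the post-reload scan is constructed to match his description (the two NetBus ports and the bo2k port still open) because he didn't post it.

```python
import re

# Ports that nmap's services table labels with backdoor names, plus 1524
# (ingreslock), which has a long history as an inetd root-shell backdoor port.
BACKDOOR_PORTS = {
    1524: "ingreslock: historically used for inetd root-shell backdoors",
    12345: "NetBus default port",
    12346: "NetBus second default port",
    31337: "'Elite' port: Back Orifice's original default, generic backdoor favourite",
    54320: "Back Orifice 2000 default port",
}

# Services whose standard form sends the password in clear text on the wire.
PLAINTEXT_AUTH = {21: "ftp", 23: "telnet", 110: "pop-3", 143: "imap"}

# James's scan, copied from his post above.
BEFORE_RELOAD = """\
1/tcp open tcpmux
11/tcp open systat
15/tcp open netstat
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
79/tcp open finger
80/tcp open http
81/tcp open hosts2-ns
110/tcp open pop-3
119/tcp open nntp
143/tcp open imap2
443/tcp open https
540/tcp open uucp
587/tcp open submission
635/tcp open unknown
1080/tcp open socks
1524/tcp open ingreslock
2000/tcp open callbook
3306/tcp open mysql
6006/tcp open X11:6
12345/tcp open NetBus
12346/tcp open NetBus
31337/tcp open Elite
32771/tcp open sometimes-rpc5
32772/tcp open sometimes-rpc7
32773/tcp open sometimes-rpc9
32774/tcp open sometimes-rpc11
54320/tcp open bo2k
"""

# Constructed post-reload scan (not posted in the thread): a small service set
# plus the three ports James said were still open after the reload.
AFTER_RELOAD = """\
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
80/tcp open http
443/tcp open https
12345/tcp open NetBus
12346/tcp open NetBus
54320/tcp open bo2k
"""

NMAP_LINE = re.compile(r"^\s*(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_scan(text):
    """Map (port, proto) -> (state, service) from nmap's plain port table."""
    scan = {}
    for line in text.splitlines():
        m = NMAP_LINE.match(line)
        if m:
            scan[(int(m.group(1)), m.group(2))] = (m.group(3), m.group(4))
    return scan


def open_tcp(scan):
    return sorted(p for (p, proto), (state, _) in scan.items()
                  if proto == "tcp" and state == "open")


def flag_backdoors(scan):
    """Open TCP ports sitting on well-known backdoor defaults, with the reason."""
    return [(p, BACKDOOR_PORTS[p]) for p in open_tcp(scan) if p in BACKDOOR_PORTS]


def flag_plaintext(scan):
    """Open services whose logins could be sniffed from a compromised neighbour."""
    return [(p, PLAINTEXT_AUTH[p]) for p in open_tcp(scan) if p in PLAINTEXT_AUTH]


def survived_reload(before, after):
    """Flagged ports open both before and after a rebuild: the drive was not wiped,
    the image is bad, or the box was re-entered."""
    return sorted(set(open_tcp(before)) & set(open_tcp(after)) & set(BACKDOOR_PORTS))


if __name__ == "__main__":
    before, after = parse_scan(BEFORE_RELOAD), parse_scan(AFTER_RELOAD)
    print(f"{len(open_tcp(before))} open TCP ports before reload")
    for p, why in flag_backdoors(before):
        print(f"  suspect {p}/tcp: {why}")
    for p, svc in flag_plaintext(before):
        print(f"  clear-text login service {p}/tcp ({svc})")
    print("flagged ports still open after reload:", survived_reload(before, after))
```

Two checks go with this. The service column in a default nmap run is a port-number lookup, not fingerprinting, so "NetBus" on 12345 only means something is listening there; `nmap -sV` from outside, or `netstat -anp` / `lsof -i :12345` on the box, tells you what. And detoxsmurf's question about where the scan was run matters: a firewall can hide a listener from the home scan and show it from localhost, or the reverse, so do both before and after a rebuild and diff them, which is exactly the test that caught the unwiped drive here.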

  7. #17
    Senior Member
    Join Date
    Jul 2002
    Posts
    167
    NetSec I have to admit that I am concerned by your nmap scans. Did you run these scans from your webserver (behind their firewall) or from your home computer? Sysadmin 101 teaches you to disable stuff like finger. Also I would not have much faith in sysadmins that use an X server to administer your website. I'm afraid to ask what version of bind and sendmail they are running. You may want to ask them what is running on those ports. Perhaps they are running some sort of monitoring or even RAT tool that actually uses those ports.

  8. #18
    Junior Member
    Join Date
    Sep 2002
    Posts
    1
    Not sure how late this is, but there are a few ways you can disconnect [hard] from the net without actually touching the box; in order of increasing desperation (for next time).

    1. /etc/rc.d/init.d/network stop (unless hacked, should stop all network resources).
    2. use ifconfig to take the ethernet (?) interface down
    3. If using lkms (assumed since you're using RH), you may be able to unload the ethernet module using rmmod.

    About the x-sessions to administer a system -- forgive my ignorance here, but I was under the impression that if you opened X over a properly encrypted ssh session, X was encrypted too... If not, I guess it's good I only do this over a private subnet!

  9. #19
    Junior Member
    Join Date
    Sep 2002
    Posts
    16
    Thanks for all your help everyone... I finally gave up on even trying with these guys, and cancelled my contract with them... Had to move a friggin ton of accounts over to shared hosting elsewhere... I don't think this will work out though as the servers I'm on are slowww dogs...

    Anyone know of a good source for dedicated servers, where they have some idea about networking/security/etc??? Anyone says "D*llHost" and I'll reach through the screen and strangle you!!!

    detoxsmurf: The scans were run from home... Still messed up... Still up... (And from what I can tell, their monitoring consists of FTP connects every 5 mins. No connect = you're down)

    guero61: Thanks for the tips... I'll jot those down for next time... I'd prolly get in trouble if I connected to a box I'm no longer paying for and smoked eth0...

    Thanks again...

    James...

  10. #20
    Originally posted here by NetSec
    Thanks for all your help everyone... I finally gave up on even trying with these guys, and cancelled my contract with them... Had to move a friggin ton of accounts over to shared hosting elsewhere... I don't think this will work out though as the servers I'm on are slowww dogs...

    Anyone know of a good source for dedicated servers, where they have some idea about networking/security/etc??? Anyone says "D*llHost" and I'll reach through the screen and strangle you!!!

    detoxsmurf: The scans were run from home... Still messed up... Still up... (And from what I can tell, their monitoring consists of FTP connects every 5 mins. No connect = you're down)

    guero61: Thanks for the tips... I'll jot those down for next time... I'd prolly get in trouble if I connected to a box I'm no longer paying for and smoked eth0...

    Thanks again...

    James...
    Try these guys....http://www.powweb.com/ I believe they offer dedicated hosting if you ask for it. Give them a call.
