Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Hacked ???

from [asterisk] Network Security [Permanent Link]
Subject: Re: Hacked ???
Date: Thu, 28 Jul 2005 06:12:48 +0100 
Hello All,

First of all I'd like to say a big thank you to everyone who provided
information to help me track down this problem.  The good news is that my
box hadn't been compromised ( phew!!! ) but as always it was something I'd
done ( not internationally! ).  To cut a long story short, I have one nic
in this box and the box is a transparent proxy for all internal users.
What I hadn't done with my iptables prerouting was specify the source as
the internal network.  This meant, because of my mistake, that any request
from the net to my site would get the site via my proxy.  Obviously,
someone was scanning for open proxies and came across my site.  I've now
altered my iptables script and everything seems ok now.  Still a lot of
hits but I don't think they are getting what they think.  Shame!


Thanks again!


Phil.






                                                                           
             Fernando Amatte                                               
             <famatte@gmail.co                                             
             m>                                                         To 
                                       "asterisk@marnock.net"              
             26/07/2005 19:45          <asterisk@marnock.net>              
                                                                        cc 
                                       security-basics@securityfocus.com   
             Please respond to                                     Subject 
              Fernando Amatte          Re: Hacked ???                      
             <famatte@gmail.co                                             
                    m>                                                     
                                                                           
                                                                           
                                                                           
                                                                           




Hello

On a Linux Box, you can try to use the   "lsof" command.
Use something like   ..   lsof | grep LISTEN

You will see, users, pids, and other information.
With this information, you can try to verify other things. ( If you
dont have a rootkit installed )

Regards

Fernando


On 7/23/05, asterisk@marnock.net <asterisk@marnock.net> wrote:


Hi List,

I'm seeing some strange things on my box.  Here is a snippit from my

squid

log:  BTW I don't have an icq account.


1122088113.571    308 212.227.83.197 TCP_MISS/200 184 CONNECT
login.icq.com:443 - DIRECT/64.12.200.89 -
1122088114.402    140 220.160.34.238 TCP_HIT/200 482 GET
http://media.adrevolver.com/adrevolver/banner? - NONE/- text/html
1122088116.711    310 212.227.65.104 TCP_MISS/200 186 CONNECT
login.icq.com:443 - DIRECT/64.12.200.89 -
1122088119.769    339 212.227.83.197 TCP_MISS/200 183 CONNECT
login.icq.com:443 - DIRECT/64.12.200.89 -
1122088119.950    367 72.21.34.42 TCP_MISS/200 185 CONNECT
login.icq.com:443 - DIRECT/64.12.200.89 -
1122088120.466    543 200.50.23.115 TCP_MISS/401 417 GET
http://www.bubblebutts.com/members/ - DIRECT/216.15.219.25 text/html
1122088121.618    404 212.227.65.104 TCP_MISS/200 186 CONNECT
login.icq.com:443 - DIRECT/64.12.200.89 -
1122088122.814    885 70.118.81.253 TCP_MISS/200 6085 GET
http://members.yahoo.com/interests? - DIRECT/66.218.75.151 text/html
1122088123.961    620 212.227.83.197 TCP_MISS/200 251 CONNECT
login.icq.com:443 - DIRECT/64.12.200.89 -
1122088125.635    356 72.21.34.42 TCP_MISS/200 185 CONNECT
login.icq.com:443 - DIRECT/64.12.200.89 -
1122088126.101    309 212.227.65.104 TCP_MISS/200 186 CONNECT
login.icq.com:443 - DIRECT/64.12.200.89 -
1122088126.587    309 212.227.83.197 TCP_MISS/200 182 CONNECT
login.icq.com:443 - DIRECT/64.12.200.89 -
1122088129.107    376 212.227.83.197 TCP_MISS/200 184 CONNECT
login.icq.com:443 - DIRECT/64.12.200.89 -
1122088129.404    446 85.138.104.205 TCP_MISS/999 4647 GET
http://216.109.127.60/config/login? - DIRECT/216.109.127.60 text/html
1122088130.415     10 220.160.34.238 TCP_MEM_HIT/200 381 GET
http://ad.yieldmanager.com/imp? - NONE/- image/gif
1122088130.882    385 212.227.65.104 TCP_MISS/200 186 CONNECT
login.icq.com:443 - DIRECT/64.12.200.89 -
1122088132.464    348 212.227.83.197 TCP_MISS/200 185 CONNECT
login.icq.com:443 - DIRECT/64.12.200.89 -
1122088132.587    307 212.227.83.197 TCP_MISS/200 184 CONNECT
login.icq.com:443 - DIRECT/64.12.200.89 -
1122088135.746    391 212.227.83.197 TCP_MISS/200 184 CONNECT
login.icq.com:443 - DIRECT/64.12.200.89 -
1122088135.762    380 72.21.34.42 TCP_MISS/200 182 CONNECT
login.icq.com:443 - DIRECT/64.12.200.89 -


I've disconected all machines except my main linux box which is used for

a

number of things ( asterisk telephony system / squid proxy / cvs ) etc.
I've also noticed port 32768 is open and others are connecting to it from
the web or an app is connecting to them.  How can I see which app is
connecting to port 32768 ???

Heres the first line from a netstat -an

[root@zeus iptraf]# netstat -an | more
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address
State
tcp        0      0 0.0.0.0:32768               0.0.0.0:*
LISTEN


Thanks in advance.



Phil
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  How to find which cookie in used, Juan B
Next by Date:  RE: CompTIA security+ versus SANS boot camp security essentials..., adrian.joseph
Previous by Thread:  Re: Hacked ???, Fernando Amatte
Next by Thread:  Re: Hacked ???, Jeremy Heslop
Indexes:  [Date] [Thread] [Top] [All Lists]