Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Server Compromised ?

from [Leif Ericksen] Network Security [Permanent Link]
Subject: Re: Server Compromised ?
Date: Fri, 27 Jan 2006 07:54:29 -0600 
Much snippage will have been done...

On Thu, 2006-01-26 at 15:08 -0300, Daniel Gil wrote:



123.123.123.124) behind my ISP firewall.



You are actually trusting that your ISP is providing a firewall or do
you have your own firewall that you manage between your servers and your
ISP?  What ISP do you use that provides a firewall?  I was once told by
a tech at an ISP I have used that a NAT box i.e my router would be a
decent firewall and I needed no more than that! >shudder<  I balled him
out and asked for there security go to person so I could get my
questions answered.

Now, if your server is responding on a port that you are not
anticipating to be active you seem to have a problem.
1) run a sniffer on the network and see what kind of traffic is going
back and forth.
2) Isolate the 'bad' system from the net and see if it is trying to
generate traffic (does it have a smtp engine sending spam?)

TCP    123.123.123.124:25        85.250.57.67:1278      TIME_WAIT
TCP    123.123.123.124:25        201.25.170.200:4174    TIME_WAIT


should pop be in use?

TCP    123.123.123.124:110       200.59.34.91:1050      TIME_WAIT
TCP    123.123.123.124:110       200.59.34.91:2089      TIME_WAIT
TCP    123.123.123.124:110       200.59.34.91:2090      TIME_WAIT >TCP

123.123.123.124:110       200.59.34.91:2091      TIME_WAIT

3) LOTS of listening ports is always a scary thing...  Do you have a
fresh install Dozer box that you can use to compare netstat info on?

For instance on my *nix system. This is what I have listening.
# lsof -i TCP
COMMAND    PID   USER   FD   TYPE DEVICE SIZE NODE NAME
mDNSRespo 1945 nobody    7u  IPv4   5539       TCP mybox:5335 (LISTEN)
cupsd     1980   root    0u  IPv4   5749       TCP mybox:ipp (LISTEN)
sshd      2012   root    3u  IPv4   5769       TCP X..X.X.X:ssh (LISTEN)
sendmail  2054   root    4u  IPv4   5935       TCP mybox:smtp (LISTEN)
httpd     2100   root    3u  IPv4   6008       TCP X.X.X.X:http (LISTEN)
httpd     2107 apache    3u  IPv4   6008       TCP X.X.X.X:http (LISTEN)
httpd     2108 apache    3u  IPv4   6008       TCP X.X.X.X:http (LISTEN)
httpd     2109 apache    3u  IPv4   6008       TCP X.X.X.X:http (LISTEN)
httpd     2110 apache    3u  IPv4   6008       TCP X.X.X.X:http (LISTEN)
httpd     2111 apache    3u  IPv4   6008       TCP X.X.X.X:http (LISTEN)
httpd     2112 apache    3u  IPv4   6008       TCP X.X.X.X:http (LISTEN)
httpd     2113 apache    3u  IPv4   6008       TCP X.X.X.X:http (LISTEN)
httpd     2114 apache    3u  IPv4   6008       TCP X.X.X.X:http (LISTEN)

4) If in doubt, remove the system form the network and reload the OS
scrub and reload.

--
Leif Ericksen




---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Server Compromised ?, List Spam
Next by Date:  RE: University Degree or CISSP, David Gillett
Previous by Thread:  Re: Server Compromised ?, List Spam
Next by Thread:  Re: Server Compromised ?, xyberpix
Indexes:  [Date] [Thread] [Top] [All Lists]