[NCLUG] I was hacked!
dobbster
dobbster at frii.com
Fri Dec 29 15:08:59 MST 2000
Thanks for the feedback, Michael - I feel a bit more comfortable now. I
have a tendency for being PARANOID, which is hopefully an asset.
> There are active exploits against these ports. 1080 is where WinGate
> (SOCKS) lives -- which IRC kiddies use to proxy IRC through. Portmapper and
> imap have both been victims of exploits in the last few months.
> Should it concern you? Kind of. You have already made the first step of
> watching out for your server. (Yay!) These scans are normally made by
> script kiddies out looking for an easy target. If your portmapper and
> imapd are turned off, or running a non-vulnerable version or config, you
> are safe. But I would keep watching the logs.
imapd is off, but portmapper is on. Still, it seems that portsentry is
blocking outsiders from hitting it.
> You have taken very good steps to protect yourself. As far as FTP is
> concerned, you now need only watch for spoofed IPs to get through your
> wrappers (tough, unless they know which IPs to spoof) and making sure your
> users are really your users. You are also still susceptible to sniffing,
> where someone on your subnet grabs your plain text FTP password off the
> wire, and you are back to square one. Hopefully, there are no sniffers on
> your subnet -- hopefully, you control your subnet well enough. (Not a
> cable modem?)
I don't believe there are any sniffers - The subnet for the main server
is colocated at FRII. My backup (rsync) machine is on DSL, where I have
a subnet of static IPs.
> I would read the BugTRAQ advisories on it. I'm afraid I don't have them
> handy right now, though. I would say you have already done quite a bit to
> make it safe. Now, just make sure you are running the latest version.
> http://www.sans.org/newlook/digests/SAC/linux.htm is a weekly summary of
> current exploits. I strongly suggest that you subscribe to it.
Ok - Thanks, I have subscribed. Thank you for making me aware of this!
> They may not. As I kinda hinted above, the recent activity on the internet
> is widespread distributed scanning. It could just be that they happened to
> scan one then scan the other in IP number order. Here is the CERT current
> activity summary: http://www.cert.org/current/current_activity.html
I signed up for this one too. Thanks again for the tips! From what
you've said, perhaps I am on the right track.
Mark (dobbster at frii.com)
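The advice in this thread is to keep watching the logs for hits on 1080 (SOCKS), 111 (portmapper) and 143 (imap), and to treat a single source touching several of those ports as a scanner rather than a stray connection. The script below is an added example, not part of the original thread or of the portsentry project: it parses a handful of constructed syslog lines in the shape portsentry writes for a blocked connection (the exact wording is an assumption modelled on that format), tallies hits per source address and port, and labels each source a "scan" or a "probe". The port-to-service table, the sample addresses and the hostname are all made up for the example.

```python
"""Summarise portsentry 'attackalert' lines from syslog by source address.

Added example: constructed sample log, assumed portsentry line format.
"""
import re
from collections import defaultdict

# Ports the thread singles out and the service the reply attributes to each.
WATCHED_PORTS = {1080: "socks (WinGate)", 111: "portmapper", 143: "imap"}

# Assumed syslog shape of a portsentry connect alert:
#   <ts> <host> portsentry[<pid>]: attackalert: Connect from host: <name>/<ip> to TCP port: <n>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) portsentry\[\d+\]: "
    r"attackalert: Connect from host: (?P<name>[^/ ]+)/(?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"to (?P<proto>TCP|UDP) port: (?P<port>\d+)$"
)

# Constructed sample log: one source walks three watched ports in a second,
# another touches portmapper once and then gets blocked; the sshd line is noise.
SAMPLE_LOG = """\
Dec 28 03:12:07 web1 portsentry[812]: attackalert: Connect from host: 203.0.113.5/203.0.113.5 to TCP port: 1080
Dec 28 03:12:07 web1 portsentry[812]: attackalert: Connect from host: 203.0.113.5/203.0.113.5 to TCP port: 111
Dec 28 03:12:08 web1 portsentry[812]: attackalert: Connect from host: 203.0.113.5/203.0.113.5 to TCP port: 143
Dec 28 09:40:51 web1 portsentry[812]: attackalert: Connect from host: 198.51.100.77/198.51.100.77 to TCP port: 111
Dec 28 09:41:30 web1 portsentry[812]: attackalert: Host 198.51.100.77 has been blocked via wrappers with string: "ALL: 198.51.100.77"
Dec 28 11:02:13 web1 sshd[1433]: Accepted publickey for mark from 192.0.2.10 port 40112 ssh2
"""


def parse_events(log_text):
    """Return one dict per connect alert; lines that are not connect alerts are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "ip": m["ip"],
                           "proto": m["proto"], "port": int(m["port"])})
    return events


def hits_by_source(events):
    """Map source ip -> {port: hit count}."""
    hits = defaultdict(dict)
    for e in events:
        per_port = hits[e["ip"]]
        per_port[e["port"]] = per_port.get(e["port"], 0) + 1
    return dict(hits)


def classify(hits, min_ports=2):
    """Label each source that touched a watched port.

    A source hitting at least `min_ports` distinct watched ports is a "scan";
    a single watched port is a "probe". Sources that only hit unwatched ports
    are left out of the report.
    """
    report = []
    for ip, ports in sorted(hits.items()):
        watched = sorted(p for p in ports if p in WATCHED_PORTS)
        if not watched:
            continue
        kind = "scan" if len(watched) >= min_ports else "probe"
        report.append((ip, kind, [f"{p}/{WATCHED_PORTS[p]}" for p in watched]))
    return report


if __name__ == "__main__":
    for ip, kind, ports in classify(hits_by_source(parse_events(SAMPLE_LOG))):
        print(f"{ip:16} {kind:6} {', '.join(ports)}")
```

One caveat when reading the output: portsentry only reports connections to the ports it is configured to listen on, so a source that appears to have probed a single port may have walked plenty of others that were not in its port list. The "scan" label is evidence of intent, not a complete picture of what was tried.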