[NCLUG] I was hacked!

Michael Dwyer mdwyer at sixthdimension.com
Fri Dec 29 14:41:31 MST 2000


At 08:33 PM 12/29/00 +0000, you wrote:
>Hi,
>
>Maybe this is a little off the current thread, but I was wondering if I
>am safe...
>
>I run portsentry/hostsentry on my server, and I see that regular
>attempts are made on various ports (111/portmapper, 1080, 143/imap).  I
>am not too concerned about this, but I was wondering why they tend to
>hit these particular ports?

There are active exploits against these ports.  1080 is where WinGate 
(SOCKS) lives -- which IRC kiddies use to proxy IRC through. Portmapper and 
imap have both been victims of exploits in the last few months.
Should it concern you?  Kind of.  You have already made the first step of 
watching out for your server.  (Yay!)  These scans are normally made by 
script kiddies out looking for an easy target.  If your portmapper and 
imapd are turned off, or running a non-vulnerable version or config, you 
are safe.  But I would keep watching the logs.

>Also - I have telnet disabled, but I do have in.ftpd running, and I need
>to leave it on (and without ssh) for a handful of my Windows users.  My
>logs show that FTP gets attacked pretty regularly, but anonymous FTP is
>turned off.  I also have the inetd services running through tcpd, and
>only specific networks are permitted to use FTP according to my
>hosts.allow/hosts.deny.

Most of the FTP exploits involve some form of access, so limiting anon ftp 
is a very good step for you to take.  Some of the other exploits do not 
need an auth'd connection, and your tcp wrappers probably protect you in 
that case.

You have taken very good steps to protect yourself.  As far as FTP is 
concerned, you now need only watch for spoofed IPs to get through your 
wrappers (tough, unless they know which IPs to spoof) and make sure your 
users are really your users.   You are also still susceptible to sniffing, 
where someone on your subnet grabs your plain text FTP password off the 
wire, and you are back to square one.  Hopefully, there are no sniffers on 
your subnet -- hopefully, you control your subnet well enough.  (Not a 
cable modem?)

>Is this safe?  Can someone point me to an article which explains the FTP
>bugs and what I might do to make things safer?

I would read the BugTRAQ advisories on it.  I'm afraid I don't have them 
handy right now, though.  I would say you have already done quite a bit to 
make it safe.  Now, just make sure you are running the latest version. 
http://www.sans.org/newlook/digests/SAC/linux.htm is a weekly summary of 
current exploits.  I strongly suggest that you subscribe to it.


>Another thing that seems weird is that I rsync our main server to a
>machine on my DSL network (two different networks), using a root
>.shosts.  When the attackers hit one machine, they tend to hit the other
>as well.  This strikes me as odd; how would they know that I am
>rsyncing?

They may not.  As I kinda hinted above, the recent activity on the internet 
is widespread distributed scanning.  It could just be that they happened to 
scan one then scan the other in IP number order.   Here is the CERT current 
activity summary: http://www.cert.org/current/current_activity.html

>Security is a serious pain in the ass.  It's hard to keep up with
>everything.  I wish they'd go away and leave us alone!!!

Ah, for the good old days of the Internet... when you could trust everyone 
out there...
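The tcp wrappers point made in the reply above (hosts.allow/hosts.deny limit in.ftpd to specific networks, but only the claimed source address is checked), as an added example that is not part of the original thread. It models the hosts_access(5) evaluation order in Python against constructed sample files; the daemon names and network ranges are assumptions, not the poster's real configuration.

```python
import ipaddress

# Constructed sample files (not from the thread): FTP from two trusted networks only,
# every other daemon/client pair denied by default.
HOSTS_ALLOW = """
in.ftpd: 192.168.1. 10.20.0.0/255.255.0.0
sshd: ALL
"""
HOSTS_DENY = "ALL: ALL\n"


def parse_rules(text):
    """Parse 'daemon_list : client_list [: shell_command]' lines into (daemons, clients)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        fields = line.split(":")
        if len(fields) < 2:
            continue
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, ip):
    """Subset of hosts_access(5) client patterns: ALL, 'a.b.c.' prefix, net/mask, exact IP."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                   # "192.168.1." covers 192.168.1.0-255
        return ip.startswith(pattern)
    if "/" in pattern:                          # "net/mask" with a dotted netmask
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return pattern == ip


def rules_match(rules, daemon, ip):
    """True if any rule's daemon list and client list both match the (daemon, ip) pair."""
    return any(
        any(d in ("ALL", daemon) for d in daemons) and any(client_matches(c, ip) for c in clients)
        for daemons, clients in rules
    )


def access_allowed(daemon, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """hosts_access(5) order: a hosts.allow match grants, then a hosts.deny match denies,
    else access is granted. Only the claimed address is checked, so a spoofed trusted IP passes."""
    if rules_match(parse_rules(allow_text), daemon, ip):
        return True
    if rules_match(parse_rules(deny_text), daemon, ip):
        return False
    return True                                 # nothing matched: wrappers default to allow
```

Passing `deny_text=""` shows the other failure mode the reply warns about: without a default-deny line, a client from an unlisted network is let through.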
