
The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] Attempted access -- I think

jdnewmil@dcn.davis.ca.us wrote:
> 
> On Thu, 14 Jun 2001, Cam Ellison wrote:
> 

> >
> > I agree.  I am running dhcp, of course, but the client, not the server.
> > Should I assume that someone has been messing around in my machine, and
> > that the other host is trying to re-establish connection?
> 
> I don't think so. You haven't said anything about your network connection
> arrangement... cable modem?  Some ISPs use private addresses for their
> internal equipment, so in the widest possible picture it is possible that
> the dhcp server is legitimate.  It could also be some newbie who installed
> "everything" on a new Red Hat box, too.
> 
> It could be some cracker setting themself up to hand out dhcp leases so
> they can intercept communications from dhcp clients in a
> "man-in-the-middle" attack.  However, if you haven't been taking
> precautions like ssh until now, I can't see what benefit that would offer
> them over promiscuously monitoring your traffic.
> 

As you said, it is weird.  What I have here is my linux box with a Samba
server for my kids' machine, which my wife also uses, and netatalk for
the Mac Powerbook I use for work.  Yes, I have a cable modem connection
for which I use dhcp.  I have ssh set up, but have not been able to get
the Mac set up in a way that allows me to connect, so I haven't.  I have
proftpd running, but there's only one way in -- through my username and
password.  I get regular hits on that, too, though only recently have I
bothered to sic anyone on them.

> 
> These are service (port) names.  AFAIK netstat doesn't tell you process
> names.
> 
> > netbios-dgm
> > netbios-ns
> 
> Eeek! exposed Samba? are you blocking all tcp/udp ports 137-139 yet?
> 
Yeah.  I had not realized until I ran it that this was happening.  The
Samba conf file is set up tightly -- encrypted passwords and no guests
-- so I think it's been OK.  There is now a rule to deny all input
through the cable (eth1) on those ports.

> > ntalk
> > talk
> > discard
> > sunrpc
> 
I think I will leave sunrpc, but I have taken talk and talkd out.  I can
find no reference to discard.  It is not in the locate db, and is not a
Debian package.  Odd.  Does it ring any bells with you?

> Almost certainly want to disable these... probably in /etc/inetd.conf
> 
> 
> lsof tells you which programs are servicing the ports.  6000 is usually
> the X server, and 7101 is often an X font server.
> 
And that is what is listed.

> > There are some other odd ports in the syslog entries: 1052, 3008, 3033,
> > 3829.  None of these have any referents in /etc/services
> 
> http://www.securityportal.com/firewalls/ports/
> 
> 1052 ddt (dynamic dns tools)
I don't think I like the sound of this -- it links in too nicely with
the dhcp port attempts.
> 3008 midnight technologies
> 3033 pdb (protein data bank?)

I think this is Palm DB, but I like your version

> 3829 ?
> 
<snip>

> 
> Unfortunately, an experienced cracker can cover their tracks pretty well.
> The standard recommendation is to backup everything, disconnect from the
> net, reinstall all binaries from trusted media, turn off all unnecessary
> services, install a good firewall script, and then reconnect to the net.
> 
> Short of that you can install a firewall script (Seawall is pretty
> good, or see freshmeat.net), use ps and/or lsof to identify what all of
> the running processes on your machine are, comb through your logs, use
> find to look for executables with odd permissions, and generally follow
> the advice for hardening a Linux box (search with google) and pray.
> 

Either option is a PITA, for neither of which I have time.  However, the
latter seems the less objectionable, so I shall soldier on.

Thanks again for the information and advice.

Cheers

Cam



-- 
Cam Ellison Ph.D. R.Psych.
From Roberts Creek on B.C.'s incomparable Sunshine Coast
camellison@dccnet.com
cam@fleuryassociates.com
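The thread's hardening advice comes down to two checks: see which inetd services are actually enabled (talk, ntalk and discard are the ones flagged above) and make sure the NetBIOS ports 137-139 are dropped on the cable-modem interface. The script below is an added example, not code from either poster; the inetd.conf contents are constructed, the function names (`enabled_services`, `risky_enabled`, `netbios_block_rules`) are hypothetical, and it assumes iptables syntax for the firewall rule since the thread does not say which tool was used.

```shell
#!/bin/sh
# Added example (not from the thread): audit an inetd.conf-style file for
# services that are rarely needed on an Internet-facing host, and emit the
# firewall rules that block inbound NetBIOS (137-139) on a given interface.

# Constructed sample of /etc/inetd.conf; not the poster's real file.
SAMPLE_INETD='# /etc/inetd.conf (constructed sample)
discard    stream  tcp  nowait  root        internal
#daytime   stream  tcp  nowait  root        internal
talk       dgram   udp  wait    nobody.tty  /usr/sbin/in.talkd   in.talkd
ntalk      dgram   udp  wait    nobody.tty  /usr/sbin/in.ntalkd  in.ntalkd
ftp        stream  tcp  nowait  root        /usr/sbin/tcpd       in.proftpd
'

# Services the thread (and general hardening advice) suggests disabling.
RISKY_SERVICES="discard talk ntalk chargen echo daytime finger"

# enabled_services FILE -> enabled (uncommented) service names, one per line
enabled_services() {
  grep -v '^[[:space:]]*#' "$1" | awk 'NF { print $1 }'
}

# risky_enabled FILE -> the enabled services that appear in RISKY_SERVICES
risky_enabled() {
  enabled_services "$1" | awk -v risky="$RISKY_SERVICES" '
    BEGIN { n = split(risky, a, " "); for (i = 1; i <= n; i++) flagged[a[i]] = 1 }
    ($1 in flagged) { print $1 }'
}

# netbios_block_rules IFACE -> iptables rules dropping inbound tcp/udp 137-139
# on IFACE (iptables syntax assumed; the thread only says "a rule to deny").
netbios_block_rules() {
  iface=$1
  for proto in tcp udp; do
    echo "iptables -A INPUT -i $iface -p $proto --dport 137:139 -j DROP"
  done
}

# Demonstration on the constructed sample.
demo_inetd_audit() {
  tmp=$(mktemp)
  printf '%s' "$SAMPLE_INETD" > "$tmp"
  echo "Enabled services:";    enabled_services "$tmp"
  echo "Consider disabling:";  risky_enabled "$tmp"
  echo "Firewall rules for eth1:"; netbios_block_rules eth1
  rm -f "$tmp"
}
demo_inetd_audit
```

Run it against a real `/etc/inetd.conf` by pointing the functions at that path instead of the sample; the rules are printed rather than applied so they can be reviewed before being added to a firewall script.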

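The other question in the thread is whether the unexpected DHCP server is the ISP's own equipment on a private address or something else on the segment. One defender-side check is to read the server identifiers recorded in the client's lease file and compare them against the server you expect, flagging RFC 1918 addresses separately since, as noted above, some ISPs legitimately use them internally. This is an added example, not code from the thread: the lease file is a constructed dhclient.leases-style sample using documentation and private address ranges, and `lease_servers`, `is_private` and `classify_servers` are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the thread): list the DHCP server identifiers a
# client has accepted and classify each against the expected server.

# Constructed dhclient.leases-style sample; 192.0.2.0/24 is a documentation
# range and 192.168.1.254 is RFC 1918, neither is the poster's real ISP.
SAMPLE_LEASES='lease {
  interface "eth1";
  fixed-address 192.0.2.50;
  option dhcp-server-identifier 192.0.2.1;
  option routers 192.0.2.1;
}
lease {
  interface "eth1";
  fixed-address 192.0.2.50;
  option dhcp-server-identifier 192.168.1.254;
  option routers 192.168.1.254;
}
'

# lease_servers FILE -> one server identifier per lease, in file order
lease_servers() {
  awk '/option dhcp-server-identifier/ { sub(/;$/, "", $3); print $3 }' "$1"
}

# is_private ADDR -> exit 0 if ADDR falls in 10/8, 172.16/12 or 192.168/16
is_private() {
  case $1 in
    10.*)                                   return 0 ;;
    192.168.*)                              return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*)  return 0 ;;
    *)                                      return 1 ;;
  esac
}

# classify_servers FILE EXPECTED -> "ADDR STATUS" per lease, where STATUS is
# ok (matches EXPECTED), unexpected-private (RFC 1918: possibly ISP internal
# equipment, possibly another host on the segment) or unexpected (public).
classify_servers() {
  expected=$2
  lease_servers "$1" | while read -r srv; do
    if [ "$srv" = "$expected" ]; then
      echo "$srv ok"
    elif is_private "$srv"; then
      echo "$srv unexpected-private"
    else
      echo "$srv unexpected"
    fi
  done
}

# Demonstration on the constructed sample, with 192.0.2.1 as the expected
# server (an assumption for the example).
demo_lease_check() {
  tmp=$(mktemp)
  printf '%s' "$SAMPLE_LEASES" > "$tmp"
  classify_servers "$tmp" 192.0.2.1
  rm -f "$tmp"
}
demo_lease_check
```

A lease marked `unexpected-private` on a cable-modem link is worth a call to the ISP before assuming anything; a lease from an unknown public address that does not match the upstream router is the stronger sign that something other than the ISP answered the client's request.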