Security and Privacy
Sadly, malware, spyware, hackers and privacy threats abound in today's world. Let's be paranoid and secure our penguins, and slam the doors on privacy exploits.

12th June 2007, 06:00 AM
Registered User
Join Date: May 2006
Posts: 96

Hi Jaymz and marcrblevins,
I woke up. And, I did exactly as you both indicated... uncommenting the lines for BLOCK SERVICE = ALL, commenting BLOCK SERVICE = sshd, and uncommenting the appropriate line to sync with the denyhosts database.
Thank you for your help and advice.
I'm back to bed.
-Joe

12th June 2007, 06:02 AM
Registered User
Join Date: Jun 2005
Location: Westminster, Colorado
Posts: 2,304

Hey Joe,
I don't think you have anything to be worried about...
Quote:
Originally Posted by joegumbo
Hello,
I'm using an eMachine W3503 connected to the internet via Comcast cable. I use an AlphaShield hardware firewall. Between the hardware firewall and the eMachine, I have a NetGear router. I am also using the FireStarter firewall. My OS is a several-days-old reinstall of FC6. I have a perfect rating from "Shields Up." Total stealth.
Over the last several days, I've been getting a flood of hits on Firestarter. They all seem to be coming from the same place. The following is a partial list of the hits I've been getting:
Time:Jun 11 16:47:08 Direction: Inbound In:eth0 Out: Port:34913 Source:77.67.127.26 Destination:192.168.1.4 Length:40 TOS:0x00 Protocol:TCP Service:Unknown
Time:Jun 11 16:47:20 Direction: Inbound In:eth0 Out: Port:34914 Source:77.67.127.26 Destination:192.168.1.4 Length:40 TOS:0x00 Protocol:TCP Service:Unknown
Time:Jun 11 16:48:08 Direction: Inbound In:eth0 Out: Port:38464 Source:77.67.127.35 Destination:192.168.1.4 Length:40 TOS:0x00 Protocol:TCP Service:Unknown
Time:Jun 11 16:48:20 Direction: Inbound In:eth0 Out: Port:38466 Source:77.67.127.35 Destination:192.168.1.4 Length:40 TOS:0x00 Protocol:TCP Service:Unknown
Time:Jun 11 16:48:20 Direction: Inbound In:eth0 Out: Port:38465 Source:77.67.127.35 Destination:192.168.1.4 Length:40 TOS:0x00 Protocol:TCP Service:Unknown
Time:Jun 11 16:48:44 Direction: Inbound In:eth0 Out: Port:38467 Source:77.67.127.35 Destination:192.168.1.4 Length:40 TOS:0x00 Protocol:TCP Service:Unknown
Time:Jun 11 16:50:44 Direction: Inbound In:eth0 Out: Port:36867 Source:77.67.127.0 Destination:192.168.1.4 Length:40 TOS:0x00 Protocol:TCP Service:Unknown
Time:Jun 11 16:51:20 Direction: Inbound In:eth0 Out: Port:38474 Source:77.67.127.35 Destination:192.168.1.4 Length:40 TOS:0x00 Protocol:TCP Service:Unknown
Time:Jun 11 16:52:32 Direction: Inbound In:eth0 Out: Port:50446 Source:77.67.127.42 Destination:192.168.1.4 Length:40 TOS:0x00 Protocol:TCP Service:Unknown
These are just iptables messages about someone portscanning you. It's not even a particularly clever scan, but I question why they're getting through your firewalls to your machine at all. I'm not talking about the Firestarter firewall (which is really iptables; Firestarter is just a management program, iptables is in the kernel). Do you have a rule on the AlphaShield to forward certain (or all) traffic to your desktop? Did you declare it to be a "DMZ" machine? That's Linksys lingo for a default port forward, usually used for a gaming machine or something.
Still, nothing to worry about, iptables is intercepting the traffic.
Quote:
Originally Posted by joegumbo
I also checked my system with chkrootkit... all seemed OK. But, when I checked it with rkhunter, I was notified of a problem:
System checks
* Allround tests
Checking hostname... Found. Hostname is localhost.localdomain
Checking for passwordless user accounts... OK
Checking for differences in user accounts... Found differences
Info:
----------------------
< apache:x:48:48:Apache:/var/www:/sbin/nologin
< backuppc:x:102:104::/var/lib/BackupPC:/sbin/nologin
----------------------
Info: Some items have been added (items marked with '<')
Checking for differences in user groups... Found differences
Info:
----------------------
< apache:x:48:
< backuppc:x:104:apache
----------------------
Info: Some items have been added (items marked with '<')
Again, not much to worry about. If I remember correctly, rkhunter keeps sort of a "known good" version of certain files, but if they aren't 100% up to date (either by you updating from rkhunter or by the maintainers being a tiny bit behind a rapidly changing distro like ours) it'll register something like that. It looks like you added the httpd package and something for your backups that modified the password and group file. I have that exact same apache entry.
Quote:
Originally Posted by joegumbo
Also, when I ran "top", it listed 1 zombie process. Now it lists none.
A zombie process is simply a process that has exited, but hasn't been cleared from the kernel process table yet. Again, nothing to worry about.
Quote:
Originally Posted by joegumbo
Notice that all the hits on my fw are from 77.67.127.x. I'm suddenly flooded, and then nothing.
That could be anything. I saw you took the suggestion for denyhosts, that should block them, or you can just block that net range in your AlphaThingy.
Code:
foxtrot(~)$ dig -x 77.67.127.26
; <<>> DiG 9.4.0 <<>> -x 77.67.127.26
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46824
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;26.127.67.77.in-addr.arpa. IN PTR
;; AUTHORITY SECTION:
77.in-addr.arpa. 7200 IN SOA ns-pri.ripe.net. ops.ripe.net. 2007061221 3600 7200 1209600 7200
;; Query time: 84 msec
;; SERVER: 172.20.60.20#53(172.20.60.20)
;; WHEN: Mon Jun 11 22:29:40 2007
;; MSG SIZE rcvd: 98
It's IP space from Europe, RIPE is the european ICANN.
But this is odd....
Code:
foxtrot(~)$ trcrt 77.67.127.26
traceroute to 77.67.127.26 (77.67.127.26), 30 hops max, 40 byte packets
1 192.168.1.2 (192.168.1.2) 0.957 ms
2 *
3 ge-2-1-ur01.arvada.co.denver.comcast.net (68.86.105.153) 14.861 ms
4 te-9-1-ur02.arvada.co.denver.comcast.net (68.86.103.126) 19.589 ms
5 te-8-2-ar01.aurora.co.denver.comcast.net (68.86.103.41) 20.370 ms
6 GE-1-47-ur02.arvada.co.denver.comcast.net (68.86.104.46) 21.206 ms
7 12.124.157.53 (12.124.157.53) 21.872 ms
8 br2.dvmco.ip.att.net (12.127.4.158) 51.014 ms
9 tbr1.dvmco.ip.att.net (12.122.1.30) 55.077 ms
10 tbr2.sffca.ip.att.net (12.122.12.133) 54.101 ms
11 12.122.84.50 (12.122.84.50) 109.452 ms
12 12.126.40.54 (12.126.40.54) 55.800 ms
13 so-1-0-0.lax22.ip.tiscali.net (213.200.80.90) 67.390 ms
14 77.67.127.26 (77.67.127.26) 65.203 ms
It traceroutes to someplace that seems to imply Los Angeles, backed up by the fact that it goes to San Fran on AT&T before the reverse lookups end.
Tiscali.net is an Italian carrier that seems to have facilities in the LA area and that last hop doesn't have nearly the RT time to go from California to Asia where the map on their website shows their trans-pacific link landing. But, that would explain how RIPE ip space got into an LA facility, if they're an international carrier, they can advertise their European IP space into BGP at any peering point.
They probably have a customer in co-lo with a machine (or group of machines) that has been hacked and is being used as a jumping off point to attack other machines.
nmap seems to think it's some flavor of embedded linux, like would run on a router device, but that would probably just be the firewall on that end. It has ssh and http open, but not useful from where I sit.
Quote:
Originally Posted by joegumbo
I'd check
< apache:x:48:
< backuppc:x:104:apache
but, I'm not sure what I'm looking for.
I'd also do a clean install, but I don't see the point if I have some sort of hole that I cannot patch. I've done all I can think of doing. I have a dedicated hardware firewall. Behind that, I have a router. Behind that, I have a software firewall with maximum security. I really don't know what else I could have done.
I've also noticed that sometimes my internet connection sometimes seems slow.
Me, too. It could be your comcast sucking like mine, or it could just be the traffic from the port scan.
Quote:
Originally Posted by joegumbo
If anyone here knows what's going on, I'd really appreciate it.
Thank you for your help.
-Joe G.
I really don't see anything to worry about. Hope that helps put your mind at ease a little.
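As an added illustration of brunson's reading of those Firestarter entries (a port scan from one /24, nothing that got in), here is a small Python script that is not part of the thread and not Firestarter's own code. It parses Firestarter's log line format, groups inbound events by source /24 and flags a network whose hosts hit many distinct ports with bare 40-byte TCP packets. The log text is a constructed copy of the lines quoted above plus the Jun 13 ICMP entry from later in the thread; the five-port threshold and the field names are my choices.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Firestarter event format as it appears in the thread, one event per line.
FIELD_RE = re.compile(
    r"Time:(?P<time>\w{3} +\d+ [\d:]+) Direction: (?P<direction>\w+) "
    r"In:(?P<iface_in>\S*) Out:(?P<iface_out>\S*) Port:(?P<port>\d+) "
    r"Source:(?P<src>\S+) Destination:(?P<dst>\S+) Length:(?P<length>\d+) "
    r"TOS:(?P<tos>\S+) Protocol:(?P<proto>\S+) Service:(?P<service>\S+)"
)

# Constructed sample: the nine lines quoted in the thread plus the later ICMP hit.
SAMPLE_LOG = """\
Time:Jun 11 16:47:08 Direction: Inbound In:eth0 Out: Port:34913 Source:77.67.127.26 Destination:192.168.1.4 Length:40 TOS:0x00 Protocol:TCP Service:Unknown
Time:Jun 11 16:47:20 Direction: Inbound In:eth0 Out: Port:34914 Source:77.67.127.26 Destination:192.168.1.4 Length:40 TOS:0x00 Protocol:TCP Service:Unknown
Time:Jun 11 16:48:08 Direction: Inbound In:eth0 Out: Port:38464 Source:77.67.127.35 Destination:192.168.1.4 Length:40 TOS:0x00 Protocol:TCP Service:Unknown
Time:Jun 11 16:48:20 Direction: Inbound In:eth0 Out: Port:38466 Source:77.67.127.35 Destination:192.168.1.4 Length:40 TOS:0x00 Protocol:TCP Service:Unknown
Time:Jun 11 16:48:20 Direction: Inbound In:eth0 Out: Port:38465 Source:77.67.127.35 Destination:192.168.1.4 Length:40 TOS:0x00 Protocol:TCP Service:Unknown
Time:Jun 11 16:48:44 Direction: Inbound In:eth0 Out: Port:38467 Source:77.67.127.35 Destination:192.168.1.4 Length:40 TOS:0x00 Protocol:TCP Service:Unknown
Time:Jun 11 16:50:44 Direction: Inbound In:eth0 Out: Port:36867 Source:77.67.127.0 Destination:192.168.1.4 Length:40 TOS:0x00 Protocol:TCP Service:Unknown
Time:Jun 11 16:51:20 Direction: Inbound In:eth0 Out: Port:38474 Source:77.67.127.35 Destination:192.168.1.4 Length:40 TOS:0x00 Protocol:TCP Service:Unknown
Time:Jun 11 16:52:32 Direction: Inbound In:eth0 Out: Port:50446 Source:77.67.127.42 Destination:192.168.1.4 Length:40 TOS:0x00 Protocol:TCP Service:Unknown
Time:Jun 13 02:23:01 Direction: Inbound In:eth0 Out: Port:80 Source:131.247.254.5 Destination:192.168.1.4 Length:68 TOS:0x00 Protocol:ICMP Service:HTTP
"""


def parse_log(text):
    """Return one dict per parseable Firestarter line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["port"] = int(e["port"])
        e["length"] = int(e["length"])
        events.append(e)
    return events


def summarize_by_net(events, prefix=24):
    """Group events by source network and collect the indicators a scan leaves."""
    groups = defaultdict(list)
    for e in events:
        groups[str(ip_network(f"{e['src']}/{prefix}", strict=False))].append(e)
    summary = {}
    for net, evs in groups.items():
        summary[net] = {
            "events": len(evs),
            "hosts": sorted({e["src"] for e in evs}),
            "ports": sorted({e["port"] for e in evs}),
            # Length 40 = 20-byte IP header + 20-byte TCP header: no options and
            # no payload. An OS-generated SYN carries options, so this looks crafted.
            "bare_tcp": all(e["proto"] == "TCP" and e["length"] == 40 for e in evs),
            "first": evs[0]["time"],
            "last": evs[-1]["time"],
        }
    return summary


def looks_like_scan(stats, min_ports=5):
    """Many distinct destination ports, every one probed with a bare TCP packet."""
    return stats["bare_tcp"] and len(stats["ports"]) >= min_ports


def triage(text):
    """Source networks in the log that match the scan pattern."""
    return [net for net, st in summarize_by_net(parse_log(text)).items()
            if looks_like_scan(st)]


if __name__ == "__main__":
    for net, st in summarize_by_net(parse_log(SAMPLE_LOG)).items():
        verdict = "SCAN" if looks_like_scan(st) else "ok"
        print(f"{net:18} {st['events']:2} events, {len(st['hosts'])} hosts, "
              f"{len(st['ports'])} ports, {st['first']} .. {st['last']}  {verdict}")
```

Run against a real Firestarter log the same way (`parse_log(open('/var/log/firestarter').read())` or whatever path your install logs to); the grouping by /24 is what turns four unrelated-looking source addresses into one actor, and the single ICMP hit from 131.247.254.5 correctly stays unflagged.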
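To show what rkhunter's "differences in user accounts" check is actually comparing, here is an added Python example (my code, not rkhunter's). It keeps a baseline copy of /etc/passwd, diffs the current file against it and reports additions in rkhunter's `<` style, but also sorts the differences by how much they matter: a new package service account with a nologin shell is informational, while a new UID 0 account or an existing account whose UID or shell changed is the case the check exists for. The passwd snapshots are constructed; the apache and backuppc lines are the ones from the post.

```python
PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")

# Constructed snapshots. apache and backuppc are the entries rkhunter reported
# in the thread; root, bin and joegum are filler for a minimal FC6-like file.
BASELINE = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
joegum:x:500:500:Joe:/home/joegum:/bin/bash
"""
CURRENT = BASELINE + """\
apache:x:48:48:Apache:/var/www:/sbin/nologin
backuppc:x:102:104::/var/lib/BackupPC:/sbin/nologin
"""
# Constructed "bad" snapshot: a second UID 0 account and a service account
# that has been given a login shell.
TAMPERED = CURRENT.replace("bin:x:1:1:bin:/bin:/sbin/nologin",
                           "bin:x:1:1:bin:/bin:/bin/bash") + "toor:x:0:0::/root:/bin/bash\n"


def parse_passwd(text):
    """Map user name -> field dict for a passwd(5)-style file."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        rec = dict(zip(PASSWD_FIELDS, parts))
        rec["uid"], rec["gid"] = int(rec["uid"]), int(rec["gid"])
        users[rec["name"]] = rec
    return users


def as_line(rec):
    return ":".join(str(rec[f]) for f in PASSWD_FIELDS)


def diff_passwd(baseline_text, current_text):
    """Added, removed and field-level changed entries between two snapshots."""
    base, cur = parse_passwd(baseline_text), parse_passwd(current_text)
    added = [cur[n] for n in cur if n not in base]
    removed = [base[n] for n in base if n not in cur]
    changed = []
    for n in cur:
        if n in base and base[n] != cur[n]:
            fields = {f: (base[n][f], cur[n][f])
                      for f in PASSWD_FIELDS if base[n][f] != cur[n][f]}
            changed.append((n, fields))
    return {"added": added, "removed": removed, "changed": changed}


def render_rkhunter_style(diff):
    """Added entries marked '<', removed entries '>', like the rkhunter report."""
    lines = ["< " + as_line(r) for r in diff["added"]]
    lines += ["> " + as_line(r) for r in diff["removed"]]
    return "\n".join(lines)


def findings(diff):
    """Turn the raw diff into (severity, message) pairs a reviewer can act on."""
    out = []
    for rec in diff["added"]:
        if rec["uid"] == 0:
            out.append(("CRITICAL", f"new UID 0 account {rec['name']!r}"))
        elif rec["shell"].endswith(("nologin", "false")):
            out.append(("INFO", f"new service account {rec['name']!r}; confirm a "
                                f"package owns it (e.g. rpm -qf on its home directory)"))
        else:
            out.append(("WARNING", f"new login-capable account {rec['name']!r}"))
    for rec in diff["removed"]:
        out.append(("WARNING", f"account {rec['name']!r} removed"))
    for name, fields in diff["changed"]:
        sev = "CRITICAL" if any(f in fields for f in ("uid", "shell")) else "INFO"
        out.append((sev, f"account {name!r} changed: {fields}"))
    return out


if __name__ == "__main__":
    for label, snapshot in (("after installing httpd/BackupPC", CURRENT),
                            ("tampered", TAMPERED)):
        d = diff_passwd(BASELINE, snapshot)
        print(f"--- {label}\n{render_rkhunter_style(d)}")
        for sev, msg in findings(d):
            print(f"{sev:8} {msg}")
```

The first run reproduces the benign report joegumbo got (two `<` lines, both informational); the second shows the same diff logic catching a second root account and a shell change, which is why the check is worth keeping even when it usually fires on ordinary package installs.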

12th June 2007, 06:27 AM
Registered User
Join Date: May 2006
Posts: 96

Hi Brunson
I really do appreciate all the help I've been given here tonight. The AlphaShield has only one default setting for GNU/Linux... to stealth everything. Again, in online tests, I'm 100% stealthed. It should be interesting to hear what Akamai has to say. I'll post here when they get back to me. So... your Comcast sucks too.
Btw, I noticed your sig. I'm on the newly added page 11 number 1358.
Thank you,
-Joe G.

12th June 2007, 06:29 AM
Registered User
Join Date: Jun 2005
Location: Westminster, Colorado
Posts: 2,304

Stop waking up to read FedoraForum, it's obsessive and weird.

12th June 2007, 02:10 PM
Registered User
Join Date: May 2006
Posts: 96

Hi brunson...
You must know me.
Seriously, though... Sometimes I have bouts of insomnia.
I'm off to work for the day.
-Joe

12th June 2007, 02:15 PM
Registered User
Join Date: May 2006
Posts: 96

Oops... Just checked my email before leaving. I received a response from Akamai:
Hello,
This is in response to the suspicious activity you reported seen on your
computer.
Akamai serves the images and streaming content for many of the most
popular Internet web-sites, including Yahoo!, New Line Cinema, Gomez.com
and over 2800 others.
Akamai's network consists of 15,000+ servers in over 1000 networks
across 66 countries. Our patented "intelligent" algorithms dynamically
map a user request to the closest (network-wise) available Akamai
server.
When you connect to a web-site your browser first contacts the content
provider (i.e. www.yahoo.com) and downloads an html file. This file
contains embedded URLs that tell your browser where to find all the
objects necessary to finish displaying the page. In the case of an
"Akamaized" site, these URLs point to the Akamai Network. Next, your
browser makes connections to the URLs to obtain the images or streaming
content. Again, for an "Akamaized" site, your browser will contact an
Akamai server to obtain the requested items.
Generally a TCP server listens on a well-known port < 1023 (for example
port 80 for HTTP), and a TCP client connects from a port > 1023 assigned
by the operating system. So a connection from port 80 of the Akamai
server to a high numbered port on your machine, is a normal HTTP
transaction.
TCP connections are made this way so that multiple connections can be
made between a well-known port on a server and a client. For example:
1.1.1.1 (you)                               2.2.2.2 (Akamai)
port 1787 <-------------+------+----------> port 80 (HTTP)
                       /      /
port 1788 <-----------/      /
                            /
port 1789 <----------------/
Each connection is identified by its source IP, source port,
destination ip, and destination port.
Most likely the traffic you're seeing is the result of a request made
from your computer while you were visiting an Akamai customer's website.
Many programs make HTTP connections that you may not be aware of. These
programs include, email clients, anti-virus software, stock quote
streamers, free ISP ad displays, and the Microsoft Active Desktop. Our
servers will not send any traffic to you without being contacted first.
I'd suggest you take a look at our FAQ
( http://www.akamai.com/en/html/misc/support_faq.html) and see if that
explains the traffic you are seeing.
If you'd like to learn more about Akamai and our service offerings,
please visit our web-site at www.akamai.com. If you have any other
questions or concerns, please feel free to contact me.
Thanks and Regards,
Victor
Akamai Technologies

13th June 2007, 12:11 AM
Registered User
Join Date: May 2006
Posts: 96

Well, I turned my pc off before leaving for work. When I came home this evening, I cannot get the x server to start. I'm getting messages like
"Fatal Server error: Cannot move old log file ("var/log/Xorg.0.log" to "/var/log/Xorg.0.log.old") I'm only working with the command line now. I tried mv /var/log/Xorg.0.log /var/Xorg.0.log.old, but I'm told this is illegal. I'm going to post to an appropriate FedoraForum that deals with video.

13th June 2007, 01:44 AM
Registered User
Join Date: May 2006
Posts: 96

I'm upgrading existing installation...reinstalling FC6. I need this computer tonight.
Thanks anyhow.
I will install denyhosts first thing, though.
-Joe

13th June 2007, 04:13 PM
Registered User
Join Date: May 2006
Posts: 96

Follow up
Well, I did a complete re-install. I couldn't be helped. Yesterday, after I tried booting in using the old i586 instead of the i585 kernel, I couldn't even get the command line. The screen just went black. Then I tried booting in using the i686 kernel... now no text there either, just a black screen.
I tried upgrading with FC6 rather than a total re-install, and saving my /home directory, but when I rebooted, the screen was black. I reformatted my hd with Knoppix, then did a complete re-install with FC6 using the security tips I received on this forum, and now all seems to work OK.
Before I even launched my browser or did anything else, but while I was using "Software Updater," I had a "Serious Hit" on Firestarter. The info is as follows:
Time:Jun 13 02:23:01 Direction: Inbound In:eth0 Out: Port:80 Source:131.247.254.5 Destination:192.168.1.4 Length:68 TOS:0x00 Protocol:ICMP Service:HTTP
Using the whois tool I learned about here, I received the following info:
[joegum@localhost ~]$ whois 131.247.254.5
[Querying whois.arin.net]
[whois.arin.net]
OrgName: UNIVERSITY OF SOUTH FLORIDA
OrgID: USF
Address: 4202 E Fowler Ave.
City: Tampa
StateProv: FL
PostalCode: 33620
Country: US
NetRange: 131.247.0.0 - 131.247.255.255
CIDR: 131.247.0.0/16
NetName: USF
NetHandle: NET-131-247-0-0-1
Parent: NET-131-0-0-0-0
NetType: Direct Assignment
NameServer: MOTHER.USF.EDU
NameServer: ZIGGY.USF.EDU
NameServer: JUSTINCASE.USF.EDU
Comment:
RegDate: 1989-02-09
Updated: 2005-10-20
RTechHandle: TN32-ARIN
RTechName: Netterfield, Ted
RTechPhone: +1-813-974-1793
RTechEmail: ted@usf.edu
OrgTechHandle: TN32-ARIN
OrgTechName: Netterfield, Ted
OrgTechPhone: +1-813-974-1793
OrgTechEmail: ted@usf.edu
# ARIN WHOIS database, last updated 2007-06-12 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
[joegum@localhost ~]$
When I checked with Firestarter, it seemed that my updates were coming from around Washington, DC, not Florida.
Does anyone here know if USF is involved somehow with RedHat or FedoraCORE or if it's normal to get serious firewall hits from them while trying to update?
Thanks,
-Joe G

13th June 2007, 04:38 PM
Registered User
Join Date: Jun 2005
Location: Westminster, Colorado
Posts: 2,304

Quote:
Time:Jun 13 02:23:01 Direction: Inbound In:eth0 Out: Port:80 Source:131.247.254.5 Destination:192.168.1.4 Length:68 TOS:0x00 Protocol:ICMP Service:HTTP
There's no way for someone to route an RFC 1918 address over the internet, through your firewall and to your computer. You must have port 80 forwarded on your firewall. Can you check that you don't?
It's more likely that there's some student machine at USF port scanning your subnet than a Fedora mirror trying to do a reverse connection to your HTTP port.

13th June 2007, 06:00 PM
Registered User
Join Date: May 2006
Posts: 96

Hi Brunson,
I have to admit, you're a bit over my head. I thought that Firestarter automatically does port forwarding so it appears that an outsider is talking to my fw, not my machine. I've done some googling on this, but I don't see the command to verify if a particular port is forwarded. Btw, my other "friend" is back from 77.67.127.26. But, I'm using the "Disable Events from source" option.
I'm also taking the extra precaution of keeping my internet connection closed until FC completely loads when I boot up. I think that there might be a small window of opportunity between when I start up and all the system processes load.
Thanks,
-Joe

13th June 2007, 06:15 PM
Registered User
Join Date: Jun 2005
Location: Westminster, Colorado
Posts: 2,304

Quote:
Originally Posted by joegumbo
Hi Brunson,
I have to admit, you're a bit over my head. I thought that Firestarter automatically does port forwarding so it appears that an outsider is talking to my fw, not my machine. I've done some googling on this, but I don't see the command to verify if a particular port is forwarded. Btw, my other "friend" is back from 77.67.127.26. But, I'm using the "Disable Events from source" option.
I'm also taking the extra precaution of keeping my internet connection closed until FC completely loads when I boot up. I think that there might be a small window of opportunity between when I start up and all the system processes load.
Thanks,
-Joe
Okay, when I refer to your firewall, I mean your AlphaShield. When I mean the packet filtering on your machine that is set up by Firestarter, I'll say "iptables" or "Firestarter".
If your firewall is working correctly (which I assume it is) your 192.168.x.x addresses will never appear on the internet, that would be bad. All connections from behind your firewall appear to come from the IP address assigned to the firewall's WAN interface, so return packets are addressed to it, not to a 192.168 address. The only way for a packet that is not a reply to something you sent to get from your firewall to your linux box is if the firewall is configured to forward new connections to your internal network. You'll need to check the configuration on your AlphaShield to see if that's the case.
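To make brunson's description concrete, and the Akamai reply's point that a connection is identified by source IP, source port, destination IP and destination port, here is an added Python model of a NAT router's connection table. It is an illustration I wrote for this thread, not the AlphaShield's or the Netgear's actual logic. A reply that matches a flow the LAN host opened is translated back to the private address; a packet that matches no flow is dropped, unless a port forward (the "DMZ" rule brunson asked about) hands it to an internal host anyway, which is the only way the Port:80 hit above could have reached 192.168.1.4. The WAN address 203.0.113.7 is a constructed placeholder; 2.2.2.2, 192.168.1.4 and the two remote addresses come from the thread.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    """Toy source-NAT router: one public (WAN) address in front of a private LAN.

    Outbound connections are rewritten to come from the WAN address and an
    allocated WAN port, and the mapping is remembered so replies can be routed
    back. Inbound packets that match no mapping are dropped unless a port
    forward sends them to an internal host regardless.
    """

    def __init__(self, wan_ip, port_forwards=None):
        self.wan_ip = wan_ip
        self.port_forwards = dict(port_forwards or {})  # wan port -> (lan ip, lan port)
        self.conntrack = {}  # (remote ip, remote port, wan port) -> (lan ip, lan port)
        self._next_wan_port = 40000

    def outbound(self, pkt):
        """LAN host -> internet: translate the source and record the flow."""
        wan_port = self._next_wan_port
        self._next_wan_port += 1
        self.conntrack[(pkt.dst, pkt.dport, wan_port)] = (pkt.src, pkt.sport)
        return Packet(self.wan_ip, wan_port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Internet -> WAN interface. Returns (verdict, packet delivered to the LAN)."""
        if pkt.dst != self.wan_ip:
            return ("dropped", None)  # a private address is not routable here
        key = (pkt.src, pkt.sport, pkt.dport)  # with wan_ip this is the full 4-tuple
        if key in self.conntrack:  # reply to something a LAN host sent
            lan_ip, lan_port = self.conntrack[key]
            return ("reply", Packet(pkt.src, pkt.sport, lan_ip, lan_port))
        if pkt.dport in self.port_forwards:  # explicitly exposed service
            lan_ip, lan_port = self.port_forwards[pkt.dport]
            return ("forwarded", Packet(pkt.src, pkt.sport, lan_ip, lan_port))
        return ("dropped", None)


def demo():
    """Constructed scenario mirroring the thread; returns every verdict for inspection."""
    wan = "203.0.113.7"  # placeholder public address, not joegumbo's
    nat = NatRouter(wan)
    # The LAN host's browser fetches an Akamai-served object (ports as in the email).
    out = nat.outbound(Packet("192.168.1.4", 1787, "2.2.2.2", 80))
    reply = nat.inbound(Packet("2.2.2.2", 80, wan, out.sport))
    # Same WAN port, different remote host: not the same 4-tuple, so not a reply.
    other_host = nat.inbound(Packet("198.51.100.9", 80, wan, out.sport))
    # The scanner's probe to a port nobody opened.
    unsolicited = nat.inbound(Packet("77.67.127.26", 55555, wan, 34913))
    # The same router with port 80 forwarded to the desktop.
    dmz = NatRouter(wan, port_forwards={80: ("192.168.1.4", 80)})
    forwarded = dmz.inbound(Packet("131.247.254.5", 4444, wan, 80))
    return {"out": out, "reply": reply, "other_host": other_host,
            "unsolicited": unsolicited, "forwarded": forwarded}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12} {result}")
```

The practical check this models is the one brunson asks for: if an unsolicited packet shows up in Firestarter with your LAN address as destination, the router in front of it must have a mapping that sent it there, so look for a port-forward or DMZ entry in the router's configuration rather than for a hole on the Linux box.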

13th June 2007, 06:58 PM
Registered User
Join Date: May 2006
Posts: 96

This is the info from the AlphaShield site:
AlphaShield® Home Edition has many advanced features that make it a bulletproof security device such as:
* Unique “GAP” technology (Trademark: AlphaGAPTM)
* RPA (Real-time Packet Authorization)
* IP Stealth Technology (Makes your computer invisible to hackers)
* Stand-alone hardware sentry
* Manual Mode (Timed connection with a logical disconnect)
* Auto Mode (Continuous connection with an optional logical disconnect)
* Lock Mode (Timed connection with a physical disconnect)
* Instant manual connect/disconnect function
* Auxiliary Port for other IP devices such as VOIP
* Blocks all 65,536 ports for both TCP-IP and UDP communications
* Stops most third party pop-ups
* True plug n' play installation and operation
* No technical knowledge needed for setup and installation; less than 1 min. setup
* No future software patches or upgrades required
* Functions with all operating system platforms
* Compatible with Cable, xDSL, or ISDN
* Firmware immune to viruses and alterations
* No conflicts with existing firewalls or routers or any other security softwares
* Eliminates DOS (Denial of Service) and DDOS (Distributed Denial of Service) attacks
* Provides 24/7 online protection
AlphaShield® Home Edition utilizes three technologies to achieve a level of security which surpasses all.
AlphaGAPTM technology is the first of its kind in the security market which allows the user to physically or logically disconnect or reconnect seamlessly.
IP Stealth Technology creates a two-way mirror whereby you can see everyone, but no one can see you. Even if everyone on the internet has your IP address, your computer is invisible or non-existent to everyone. You are only visible to the person whom you are communicating with in real-time.
AlphaShield's Real-time Packet Authorization uses an Artificial Intelligence Infrastructure to determine what is allowed or not allowed in your computer. Blocks all 65,536 ports in your computer, and only opens ports to IP specific destinations.
AlphaShield® Home Edition will create a tunnel between your IP addresses and the destinations' IP addresses and will only allow the requested information to enter your computer through the specified port.
It states specifically on the site...
"No configuration, patches or upgrades ever needed"
In Linux and other non-windows OSes, it has only one default configuration.
It is set to "Auto", so it should only be letting in those things I request from the net. The direction of the connections is correct...
Cable/DSL to Comcast's modem and PC to the Netgear router's WAN and the router's LAN 4 to the PC.

13th June 2007, 07:03 PM
Registered User
Join Date: Jun 2005
Location: Westminster, Colorado
Posts: 2,304

Quote:
It states specifically on the site...
"No configuration, patches or upgrades ever needed"
Hmmm, so I guess it'll just allow incoming packets. I would have reservations about that, but I'm a bit of a control freak.
Well, your firewall seems to be forwarding HTTP traffic to your machine. That won't be an issue if you don't start a web server, plus it looks like Firestarter has an iptables rule to intercept that traffic. You're apparently safe, but there's a lot going on in that alphashield box, that's a case of having to cross your fingers and hope the vendor knows what they're doing.

13th June 2007, 07:12 PM
Registered User
Join Date: May 2006
Posts: 96

So it's not only passing my AlphaShield, but also my router.
I've reset the AS to Manual Mode, so if my pc doesn't initiate any contact with the net, it automatically closes the connection after 15 minutes and needs to be restarted manually.
Thanks for the advice and for your time.
Sorry to be a pain in the neck..
-Joe