FedoraForum.org, Security and Privacy forum
Fedora 7 Compromised by ISP

#1 Peter_APIIT (Malaysia), 26th July 2007, 10:00 AM

Hello all expert Linux security administrators,

Hello all, latest news from Peter_APIIT.

My system has been compromised. How do I know the system has been compromised?

The iptables firewall rules have changed. My /etc/sysconfig/iptables-config has been deleted.

Moreover, my state shared object (state library) has also been deleted.

How can I block my ISP from hacking during network initialization? I realised my ISP always hacks during the initialization of the connection.

I just don't understand how he can remove the files and gain root access to my PC.

I have afick, Bastille, File Integrity Checker and AIDE installed.

I think I should beg for any help.

Please help me. No internet, no life.

I think Fedora Core is not as secure as other distributions.

These are my rules from before I was compromised.

Code:
Chain INPUT (policy DROP)
target prot opt source destination
fail2ban-SSH tcp -- anywhere anywhere tcp dpt:ssh
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST
DROP 0 -- anywhere anywhere state NEW ctstate NEW
DROP 0 -- anywhere anywhere state NEW
DROP 0 -f anywhere anywhere
DROP 0 -- anywhere anywhere ctstate INVALID
ACCEPT 0 -- anywhere anywhere ctstate RELATED,ESTABLISHED state RELATED,ESTABLISHED
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state ESTABLISHED
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:ftp state ESTABLISHED
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT icmp -- anywhere anywhere icmp echo-reply
DROP icmp -- anywhere anywhere
RH-Firewall-1-INPUT 0 -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp dpt:31337
DROP tcp -- anywhere anywhere tcp dpt:telnet
DROP 0 -- anywhere anywhere ctstate INVALID
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh recent: SET name: SSH side: source
DROP tcp -- anywhere anywhere tcp dpt:ssh recent: UPDATE seconds: 180 hit_count: 2 name: SSH side: source

Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT 0 -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere ctstate NEW,RELATED,ESTABLISHED state NEW,RELATED,ESTABLISHED
ACCEPT 0 -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp state NEW,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp echo-request

Chain RH-Firewall-1-INPUT (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
REJECT 0 -- anywhere anywhere reject-with icmp-host-prohibited

Chain fail2ban-SSH (1 references)
target prot opt source destination
RETURN 0 -- anywhere anywhere

I cannot put it into Quote.

I don't know why.

Thanks for your help.
#2 Peter_APIIT, 26th July 2007, 10:03 AM
How can I do a system restore in Linux? This function appears in Windows, but Linux is far better.

What about this toolkit?
Trinity Rescue Kit

I'm too lazy to reinstall it. A billion thanks to you all.
#3 a_small_cake (Poland), 26th July 2007, 10:09 AM
Honestly, if you suspect your ISP, you should notify the police about it. If your ISP is hacking your PC, this is a crime.
#4 ibbo (Leeds), 26th July 2007, 11:49 AM
I do not know what's going on with your machine's security, but

"Please help me. No internet no life." prompts me to tell you to get out more. Much more!

Hope you resolve your problem though.

Ibbo
#5 PilotJLR, 26th July 2007, 12:21 PM
The lack of your iptables chains does not, by itself, automatically mean you are hacked... unless you have other evidence.

Do you have an /etc/sysconfig/iptables file? If so, what are its contents?
Also, what output do you get if you run: service iptables restart?

Lastly... just to cover all bases... when you set up these rules before, did you ever run a "service iptables save" to make them persistent?
#6 leigh123linux (Retired Administrator), 26th July 2007, 12:42 PM
Quote:
Originally Posted by Peter_APIIT
[post #1, quoted in full]
Where is your evidence to back up your claim that you have been hacked?
#7 Peter_APIIT, 27th July 2007, 03:47 AM
The iptables firewall rules have changed. My /etc/sysconfig/iptables-config has been deleted.

Moreover, my state shared object (state library) has also been deleted.

I had /etc/sysconfig/iptables before I was compromised, but after being compromised the file no longer exists.
#8 Peter_APIIT, 27th July 2007, 03:48 AM
When I run service iptables restart, the output is as follows.

Code:
/etc/sysconfig/iptables-config: line 23: Save: command not found
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [ OK ]
Loading additional iptables modules: ip_conntrack_netbios_ns [ OK ]
#9 Peter_APIIT, 27th July 2007, 03:54 AM
How can my ISP gain root access? This is pretty much something like magic.

I hope you all can help me out.
#10 leigh123linux, 27th July 2007, 04:13 AM
Quote:
Originally Posted by Peter_APIIT
When I run service iptables restart, the output is as follows.

Code:
/etc/sysconfig/iptables-config: line 23: Save: command not found
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [ OK ]
Loading additional iptables modules: ip_conntrack_netbios_ns [ OK ]
You haven't made the rules persistent, and you flush the changes when you reboot.

Quote:
Originally Posted by PilotJLR
when you setup these rules before, did you ever run a "service iptables save" to make them persistent?
Code:
su -
service iptables save
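The "line 23: Save: command not found" message in post #8 is a clue about how the firewall is loaded: the init script sources /etc/sysconfig/iptables-config as shell, so any line that is not a comment, a blank, or a NAME=value assignment is executed as a command, and the script carries on regardless. The script below is an added example, not code from the thread or from Fedora; it lints such a sysconfig file for lines that would be executed. The sample file contents are constructed, and the stray "Save" line stands in for whatever was really on line 23 of the poster's file, which the thread does not show.

```shell
#!/bin/sh
# Added example, not from the thread. /etc/sysconfig/iptables-config is a
# sysconfig file that the iptables init script sources with the shell, so it
# must contain only comments, blank lines and NAME=value assignments. Any
# other line is executed as a command, which is what produces a message of
# the form "/etc/sysconfig/iptables-config: line N: Save: command not found"
# while the rest of the script still runs. This linter flags such lines.

# lint_sysconfig FILE
# Prints every offending line as "N: text". Returns 0 if the file is clean,
# 1 if at least one line is neither a comment, blank nor an assignment.
lint_sysconfig() {
    file=$1
    bad=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        # strip leading whitespace (POSIX parameter expansion, no external tools)
        trimmed=${line#"${line%%[![:space:]]*}"}
        case "$trimmed" in
            '' | '#'*)
                ;;  # blank line or comment: fine
            *)
                # NAME=value, optionally prefixed with "export"
                if ! printf '%s\n' "$trimmed" |
                     grep -Eq '^(export[[:space:]]+)?[A-Za-z_][A-Za-z0-9_]*='; then
                    printf '%s: %s\n' "$n" "$line"
                    bad=1
                fi
                ;;
        esac
    done < "$file"
    return $bad
}

# first_bad_line FILE
# Prints the number of the first offending line, or 0 if the file is clean.
first_bad_line() {
    num=$(lint_sysconfig "$1" | head -n 1 | cut -d: -f1)
    printf '%s\n' "${num:-0}"
}

# Constructed sample in the style of Fedora's iptables-config. The stray
# "Save" line is an assumption modelled on the error in post #8; the real
# line 23 of the poster's file is not known.
BROKEN_CONFIG=$(mktemp)
cat > "$BROKEN_CONFIG" <<'EOF'
# Load additional iptables modules (nat helpers)
IPTABLES_MODULES="ip_conntrack_netbios_ns"
# Save current firewall rules on stop.
IPTABLES_SAVE_ON_STOP="no"
IPTABLES_SAVE_ON_RESTART="no"
Save
IPTABLES_STATUS_NUMERIC="yes"
EOF

# Same file with the stray line removed.
CLEAN_CONFIG=$(mktemp)
grep -v '^Save$' "$BROKEN_CONFIG" > "$CLEAN_CONFIG"

# Usage on the samples; on a real box pass /etc/sysconfig/iptables-config.
for f in "$BROKEN_CONFIG" "$CLEAN_CONFIG"; do
    if lint_sysconfig "$f"; then
        echo "$f: only comments and assignments, nothing will be executed"
    else
        echo "$f: the lines above would be run as commands when sourced"
    fi
done
```

On the broken sample the linter reports "6: Save", the same shape as the init script's own error. A clean report does not prove the saved rules are intact, it only shows that the config file will be sourced without running stray commands.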
#11 leigh123linux, 27th July 2007, 04:15 AM
Quote:
Originally Posted by Peter_APIIT
How my ISP can gain the root access ? This is pretty somehting like magic.

I ope you all can help me out.

You are not hacked; it's just your inability to use iptables properly.
#12 Peter_APIIT, 28th July 2007, 08:48 AM
I'm 100% sure that I saved those rules before I flushed them.

I always check after reboot.

Any idea how to solve this problem ?

A billion thanks to you all.
#13 marcrblevins (Texas), 28th July 2007, 09:11 PM
Change your iptables correctly.
Code:
su -
vi /etc/sysconfig/iptables
service iptables save
Code:
su -
service iptables restart
iptables --list
Does the list show the correct listing?
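To answer "Does the list show the correct listing?" mechanically rather than by eye, compare the ruleset that "service iptables save" wrote to /etc/sysconfig/iptables with the ruleset currently loaded: if they differ, either the save never happened or something changed the rules afterwards. The script below is an added example, not code from the thread or from Fedora. Both dumps are constructed samples in iptables-save format (the saved one built from the INPUT chain in post #1, the running one modelled on a stock Fedora firewall with only the RH-Firewall-1-INPUT chain); on a live machine they would be /etc/sysconfig/iptables and the output of iptables-save, run as root.

```shell
#!/bin/sh
# Added example, not from the thread. After "service iptables save" the
# running rules are written to /etc/sysconfig/iptables in iptables-save
# format, and "service iptables restart" flushes everything and reloads that
# file. So "are my rules still there?" reduces to comparing two dumps:
#   iptables-save                 (what is loaded now, needs root)
#   cat /etc/sysconfig/iptables   (what will be loaded at next restart)
# Both inputs below are constructed samples so the script runs offline.
export LC_ALL=C   # stable sort/comm collation

# normalize_rules < iptables-save-output
# Strips the "# Generated by"/"# Completed on" timestamp comments and the
# per-chain packet/byte counters "[pkts:bytes]" on the policy lines, which
# change on every dump and are not part of the policy being compared.
normalize_rules() {
    sed -e '/^#/d' -e 's/^\(:[^ ]* [A-Z-]*\) \[[0-9]*:[0-9]*\]$/\1/'
}

# policy_of FILE CHAIN -> prints the chain's default policy (DROP, ACCEPT, or
# "-" for a user-defined chain), or nothing if the chain is absent.
policy_of() {
    normalize_rules < "$1" | sed -n "s/^:$2 \([A-Z-]*\)$/\1/p"
}

# rules_match SAVED RUNNING -> 0 if the normalized rulesets are identical.
rules_match() {
    [ "$(normalize_rules < "$1")" = "$(normalize_rules < "$2")" ]
}

# missing_rules SAVED RUNNING -> prints each -A rule in SAVED absent from RUNNING.
missing_rules() {
    a=$(mktemp); b=$(mktemp)
    normalize_rules < "$1" | grep '^-A' | sort > "$a"
    normalize_rules < "$2" | grep '^-A' | sort > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# Constructed: a saved ruleset with the hardened INPUT policy from post #1
# (DROP by default, telnet and 31337 dropped, ssh handed to fail2ban).
SAVED=$(mktemp)
cat > "$SAVED" <<'EOF'
# Generated by iptables-save on Thu Jul 26 09:00:00 2007
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-SSH - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A INPUT -p tcp -m tcp --dport 23 -j DROP
-A INPUT -p tcp -m tcp --dport 31337 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fail2ban-SSH -j RETURN
COMMIT
# Completed on Thu Jul 26 09:00:00 2007
EOF

# Constructed: what a stock Fedora firewall looks like after a restart that
# found no saved custom rules (policy ACCEPT, RH-Firewall-1-INPUT only).
RUNNING=$(mktemp)
cat > "$RUNNING" <<'EOF'
# Generated by iptables-save on Fri Jul 27 03:48:00 2007
*filter
:INPUT ACCEPT [120:9876]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [98:7654]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri Jul 27 03:48:00 2007
EOF

# Usage on the samples. On a live system replace the two files with
# /etc/sysconfig/iptables and the output of iptables-save.
if rules_match "$SAVED" "$RUNNING"; then
    echo "saved and running rulesets agree"
else
    echo "INPUT policy: saved=$(policy_of "$SAVED" INPUT) running=$(policy_of "$RUNNING" INPUT)"
    echo "rules saved but not currently loaded:"
    missing_rules "$SAVED" "$RUNNING"
fi
```

Counters and timestamps are stripped before comparing so that a ruleset that merely passed traffic does not show up as "changed"; what remains is policy and rule text, which is what a file-integrity tool like AIDE would also need to be told to watch in /etc/sysconfig/iptables.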
#14 larryc06, 29th July 2007, 03:27 AM
I have had it happen to me, and I had the evidence. A tech friend of mine was over, so he secured the evidence and put it and the program he used on a memory stick. It does happen with some bored ISP workers. If this is what is happening to you, you have to have more than what you said to teach this person not to play in your playground.

On another note, I noticed you said that you checked your iptables before you flushed them and all was OK. Think about that. You need to check them after the flush and reinstatement, not before. Good luck.
#15 Peter_APIIT, 29th July 2007, 04:31 AM
Thanks for your help.