[Shorewall-users] Help, im hacked!!

Tom Eastep teastep@shorewall.net
Wed, 15 May 2002 11:46:27 -0700 (PDT)


On Wed, 15 May 2002, edeleon@intra.net.gt wrote:

> Hello,
> I'm using Shorewall on my Linux server and today when I tried to see my webmail
> a page from a hacker appeared, saying only that he renamed my index.html to a
> new index.html.old, and deleted all my log files. I only opened these ports to
> access from outside of my LAN:
>
> 10000,80,22,443,110,25,143

Once you install a firewall, the weakest link in your network is the
services that you open to the network. In your case, it only takes one
buffer overflow exploit in your http/https, ssh, pop3, smtp or IMAP server
and the attacker is in. If you run those services as root, you can really
be hosed.

That is why it is critically important to install security updates 
IMMEDIATELY WHEN THEY BECOME AVAILABLE.
 
>
> I heard about an exploit in the ssh daemon but I don't have the time to upgrade
> ssh. I ran nmap localhost and this is the result:
>

If you don't have the time to upgrade to the latest server packages then
you must have lots of time to rebuild your servers because that's what you 
have to do.
  
> 21/tcp     open        ftp 
> 25/tcp     open        smtp 
> 53/tcp     open        domain 
> 80/tcp     open        http 
> 110/tcp    open        pop-3 
> 111/tcp    open        sunrpc 
> 143/tcp    open        imap2 
> 443/tcp    open        https 
> 1024/tcp   open        kdm 
> 1025/tcp   open        listen 
> 3128/tcp   open        squid-http 
> 3306/tcp   open        mysql 
> 6000/tcp   open        X11 
> 22273/tcp  open        wnn6 
> 22289/tcp  open        wnn6_Cn 
> 22305/tcp  open        wnn6_Kr 
> 22321/tcp  open        wnn6_Tw 
>  

You can see who has them open using "netstat -nap --tcp".

Once you've been hacked, you must rebuild your server, installing from
scratch and installing ALL AVAILABLE SECURITY UPDATES; it's the only way to
ensure that you haven't overlooked anything.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
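
Added example (not part of the original message): a Python script for the check suggested above, reading "netstat -nap --tcp" output and listing TCP listeners that are neither on the poster's list of intentionally opened ports nor bound to loopback. The sample netstat output, PIDs, program names and addresses are constructed, and the function names are hypothetical.

```python
import ipaddress

# Ports the original poster says were opened to the outside (from the message above).
INTENDED = {10000, 80, 22, 443, 110, 25, 143}

# Constructed sample of `netstat -nap --tcp` output; PIDs, program names and
# addresses are invented for illustration.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address     Foreign Address     State       PID/Program name
tcp        0      0 0.0.0.0:80        0.0.0.0:*           LISTEN      812/httpd
tcp        0      0 0.0.0.0:22        0.0.0.0:*           LISTEN      640/sshd
tcp        0      0 127.0.0.1:3306    0.0.0.0:*           LISTEN      901/mysqld
tcp        0      0 0.0.0.0:111       0.0.0.0:*           LISTEN      512/portmap
tcp        0      0 0.0.0.0:6000      0.0.0.0:*           LISTEN      1033/X
tcp        0      0 0.0.0.0:22273     0.0.0.0:*           LISTEN      -
tcp        0      0 192.0.2.10:22     198.51.100.7:51514  ESTABLISHED 1440/sshd
"""

def parse_listeners(text):
    """Return (address, port, pid, program) for every TCP socket in LISTEN state."""
    out = []
    for line in text.splitlines():
        f = line.split(None, 6)          # keep the PID/Program column in one piece
        if len(f) < 7 or not f[0].startswith("tcp") or f[5] != "LISTEN":
            continue
        addr, _, port = f[3].rpartition(":")   # rpartition copes with IPv6 (":::22")
        pid, _, prog = f[6].strip().partition("/")
        out.append((addr, int(port), pid if pid != "-" else None, prog or None))
    return out

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def unexpected(text, intended=INTENDED):
    """Listeners reachable from the network that are not on the intended list."""
    findings = []
    for addr, port, pid, prog in parse_listeners(text):
        if port in intended or is_loopback(addr):
            continue
        owner = f"{prog} (pid {pid})" if pid else "owner hidden (run netstat as root)"
        findings.append((port, addr, owner))
    return sorted(findings)

if __name__ == "__main__":
    for port, addr, owner in unexpected(SAMPLE):
        print(f"{port:>5}/tcp on {addr}: {owner}")
```

On a host that has already been compromised the netstat binary itself may have been replaced, so this check is useful for baselining the rebuilt server rather than for clearing the hacked one.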