Hello,

I'm using Shorewall on my Linux server, and today when I tried to see my webmail a page from a hacker appeared, saying only that he renamed my index.html to a new index.html.old and deleted all my log files. I only opened these ports for access from outside of my LAN:

10000,80,22,443,110,25,143

I heard about an exploit in the ssh daemon but I don't have the time to upgrade ssh. I ran nmap localhost and this is the result:

21/tcp open ftp
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop-3
111/tcp open sunrpc
143/tcp open imap2
443/tcp open https
1024/tcp open kdm
1025/tcp open listen
3128/tcp open squid-http
3306/tcp open mysql
6000/tcp open X11
22273/tcp open wnn6
22289/tcp open wnn6_Cn
22305/tcp open wnn6_Kr
22321/tcp open wnn6_Tw

The last three ports seem to be bad, but I don't know how to close these ports. Do you have any idea how this hacker broke into my system? And what to do?

Thanks
On Wed, 15 May 2002, edeleon@intra.net.gt wrote:

> Hello,
> I'm using Shorewall on my Linux server, and today when I tried to see my webmail
> a page from a hacker appeared, saying only that he renamed my index.html to a
> new index.html.old and deleted all my log files. I only opened these ports for
> access from outside of my LAN:
>
> 10000,80,22,443,110,25,143

Once you install a firewall, the weakest link in your network is the services that you open to the network. In your case, it only takes one buffer overflow exploit in your http/https, ssh, pop3, smtp or IMAP server and the attacker is in. If you run those services as root, you can really be hosed.

That is why it is critically important to install security updates IMMEDIATELY WHEN THEY BECOME AVAILABLE.

> I heard about an exploit in the ssh daemon but I don't have the time to upgrade
> ssh. I ran nmap localhost and this is the result:

If you don't have the time to upgrade to the latest server packages then you must have lots of time to rebuild your servers, because that's what you have to do.

> 21/tcp open ftp
> 25/tcp open smtp
> 53/tcp open domain
> 80/tcp open http
> 110/tcp open pop-3
> 111/tcp open sunrpc
> 143/tcp open imap2
> 443/tcp open https
> 1024/tcp open kdm
> 1025/tcp open listen
> 3128/tcp open squid-http
> 3306/tcp open mysql
> 6000/tcp open X11
> 22273/tcp open wnn6
> 22289/tcp open wnn6_Cn
> 22305/tcp open wnn6_Kr
> 22321/tcp open wnn6_Tw

You can see who has them open using "netstat -nap --tcp".

Once you've been hacked, you must rebuild your server, installing from scratch, and install ALL AVAILABLE SECURITY UPDATES; it's the only way to ensure that you haven't overlooked anything.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
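The check Tom describes, as an added example that is not part of the thread: a small POSIX shell script that compares the poster's intended port list with the ports the quoted nmap output shows listening, and parses "netstat -nap --tcp" style output to find which process owns a listener. The netstat sample lines, and the program names in them, are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: compare what is actually listening with
# what the firewall was meant to expose, then find the owning process the way
# Tom suggests (netstat -nap --tcp). Inputs are embedded so it runs offline.
INTENDED="10000,80,22,443,110,25,143"   # ports the poster meant to open
# "nmap localhost" output as quoted in the thread:
NMAP_OUT='21/tcp open ftp
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop-3
111/tcp open sunrpc
143/tcp open imap2
443/tcp open https
1024/tcp open kdm
1025/tcp open listen
3128/tcp open squid-http
3306/tcp open mysql
6000/tcp open X11
22273/tcp open wnn6
22289/tcp open wnn6_Cn
22305/tcp open wnn6_Kr
22321/tcp open wnn6_Tw'
# Constructed "netstat -nap --tcp" sample; program names are placeholders.
NETSTAT_OUT='tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 812/sshd
tcp 0 0 0.0.0.0:22273 0.0.0.0:* LISTEN 4471/example-daemon'

# Open TCP port numbers from nmap text, one per line.
open_ports() { printf '%s\n' "$1" | awk -F/ '$2 ~ /^tcp[[:space:]]+open/ {print $1}'; }
# Turn a newline-separated list on stdin into a sorted, space-separated line.
as_line() { sort -n | tr '\n' ' ' | sed 's/ $//'; }
# unexpected_ports CSV NMAP_TEXT: listening ports that were never meant to be open.
unexpected_ports() {
    open_ports "$2" | grep -vxF -e "$(printf '%s\n' "$1" | tr , '\n')" | as_line
}
# missing_ports CSV NMAP_TEXT: intended ports with nothing listening on them.
missing_ports() {
    printf '%s\n' "$1" | tr , '\n' | grep -vxF -e "$(open_ports "$2")" | as_line
}
# listener_owner PORT NETSTAT_TEXT: PID/program of the LISTEN socket on PORT.
listener_owner() {
    printf '%s\n' "$2" | awk -v p=":$1" \
        '$6 == "LISTEN" && substr($4, length($4) - length(p) + 1) == p {print $NF}'
}

echo "Unexpected listeners: $(unexpected_ports "$INTENDED" "$NMAP_OUT")"
echo "Intended but not listening: $(missing_ports "$INTENDED" "$NMAP_OUT")"
echo "Owner of 22273: $(listener_owner 22273 "$NETSTAT_OUT")"
```

On a live host the NMAP_OUT and NETSTAT_OUT variables would be replaced by the real command output; the point is that every listener not on the intended list needs an explanation before the box is trusted again.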
On 15 May 2002 at 12:35, edeleon@intra.net.gt wrote:

> Hello,
> I'm using Shorewall on my Linux server, and today when I tried to see my
> webmail a page from a hacker appeared, saying only that he renamed my
> index.html to a new index.html.old and deleted all my log files. I only
> opened these ports for access from outside of my LAN:
>
> 10000,80,22,443,110,25,143
>
> I heard about an exploit in the ssh daemon but I don't have the time to
> upgrade ssh. I ran nmap localhost and this is the result:

It took you longer to write this email than it does to fetch and install the latest ssh patches. However, the ssh exploit is quite tricky to actually accomplish, and it's vastly more likely your IMAP server is to blame.

______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
Thanks for your help! You can be sure that I've learned my lesson. :-(

Message quoted from Tom Eastep <teastep@shorewall.net>:

> On Wed, 15 May 2002, edeleon@intra.net.gt wrote:
>
> > Hello,
> > I'm using Shorewall on my Linux server, and today when I tried to see my
> > webmail a page from a hacker appeared, saying only that he renamed my
> > index.html to a new index.html.old and deleted all my log files. I only
> > opened these ports for access from outside of my LAN:
> >
> > 10000,80,22,443,110,25,143
>
> Once you install a firewall, the weakest link in your network is the
> services that you open to the network. In your case, it only takes one
> buffer overflow exploit in your http/https, ssh, pop3, smtp or IMAP server
> and the attacker is in. If you run those services as root, you can really
> be hosed.
>
> That is why it is critically important to install security updates
> IMMEDIATELY WHEN THEY BECOME AVAILABLE.
>
> > I heard about an exploit in the ssh daemon but I don't have the time to
> > upgrade ssh. I ran nmap localhost and this is the result:
>
> If you don't have the time to upgrade to the latest server packages then
> you must have lots of time to rebuild your servers, because that's what you
> have to do.
>
> > 21/tcp open ftp
> > 25/tcp open smtp
> > 53/tcp open domain
> > 80/tcp open http
> > 110/tcp open pop-3
> > 111/tcp open sunrpc
> > 143/tcp open imap2
> > 443/tcp open https
> > 1024/tcp open kdm
> > 1025/tcp open listen
> > 3128/tcp open squid-http
> > 3306/tcp open mysql
> > 6000/tcp open X11
> > 22273/tcp open wnn6
> > 22289/tcp open wnn6_Cn
> > 22305/tcp open wnn6_Kr
> > 22321/tcp open wnn6_Tw
>
> You can see who has them open using "netstat -nap --tcp".
>
> Once you've been hacked, you must rebuild your server, installing from
> scratch, and install ALL AVAILABLE SECURITY UPDATES; it's the only way to
> ensure that you haven't overlooked anything.
>
> -Tom
> --
> Tom Eastep \ Shorewall - iptables made easy
> AIM: tmeastep \ http://www.shorewall.net
> ICQ: #60745924 \ teastep@shorewall.net
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users