I seem to have picked up a bug, but am unable to trace it. Lots of these:

  [55415.513723] Shorewall:fw2net:DROP:IN= OUT=wlan0 SRC=192.168.1.1 DST=97.107.134.150 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=28176 DF PROTO=TCP SPT=55445 DPT=3333 WINDOW=14600 RES=0x00 SYN URGP=0
  [55420.348527] Shorewall:fw2net:DROP:IN= OUT=wlan0 SRC=192.168.1.1 DST=97.107.134.150 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=27353 DF PROTO=TCP SPT=55447 DPT=3333 WINDOW=14600 RES=0x00 SYN URGP=0

My shorewall is very tight, only allowing the absolute minimum in/out. This destination IP traces to some guy's home internet account in Chicago. (I'm in Shoreline, WA.) No idea who he is or what this is about, but it started yesterday. It's possible that this is to do with one of the many Konqueror browser windows I have open and might be innocuous, but it does look suspicious.

I ran nmap on this guy's IP and he has port 80 open (minimal Apache setup), SSH, 3000, and 3333. I tried to run openvas, but it's currently busted.

I ran netcat to watch for this port, but it was blind when the next wave came; I suspect because it listens for the source port rather than the destination. Same with Wireshark, which I also had listening. Now I have Wireshark listening for the destination IP, but nothing yet. So far, Shorewall has been the only thing that's seen these transactions.

My systems are very tight and are behind three wireless routers in series. The only way I can think of that I may have caught anything is through Konqueror, or email; I always run Konqi as user and I'm careful with kmail, opening emails as text and not opening suspicious attachments.

Anyone have any idea what's going on here?

-- 
merc1984@f-m.fm
Am I on my own?

-- 
merc1984@f-m.fm

On Mon, Oct 15, 2012, at 08:04, merc1984@f-m.fm wrote:
> I seem to have picked up a bug, but am unable to trace it. Lots of these:
> [55415.513723] Shorewall:fw2net:DROP:IN= OUT=wlan0 SRC=192.168.1.1 DST=97.107.134.150 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=28176 DF PROTO=TCP SPT=55445 DPT=3333 WINDOW=14600 RES=0x00 SYN URGP=0
> [55420.348527] Shorewall:fw2net:DROP:IN= OUT=wlan0 SRC=192.168.1.1 DST=97.107.134.150 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=27353 DF PROTO=TCP SPT=55447 DPT=3333 WINDOW=14600 RES=0x00 SYN URGP=0
> Anyone have any idea what's going on here?
On 10/16/2012 09:02 AM, merc1984@f-m.fm wrote:
> Am I on my own?

I've had mixed success with something like the following:

  watch "netstat -tnap | fgrep 3333 >> 3333.log"

At least it can give you a place to start...

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Thanks, but I have tried that, adding -c and monitoring constantly. netstat is blind to these, as it showed nothing even as Shorewall blocked more. I suspect netstat monitors -source- port (which is random), so I set Wireshark to listen for the particular IP, and it was blind as well, when flurries of hits were blocked by Shorewall.

I can't believe this network traffic and sockets are invisible!

merc1984@f-m.fm

On Tue, Oct 16, 2012, at 09:26, Tom Eastep wrote:
> On 10/16/2012 09:02 AM, merc1984@f-m.fm wrote:
> > Am I on my own?
>
> I've had mixed success with something like the following:
>
>   watch "netstat -tnap | fgrep 3333 >> 3333.log"
>
> At least it can give you a place to start...
>
> -Tom
On 10/16/2012 10:30 AM, merc1984@f-m.fm wrote:
> Thanks, but I have tried that, adding -c and monitoring constantly.
> netstat is blind to these, as it showed nothing even as Shorewall
> blocked more. I suspect netstat monitors -source- port (which is
> random), so I set Wireshark to listen for the particular IP, and it was
> blind as well, when flurries of hits were blocked by Shorewall.
>
> I can't believe this network traffic and sockets are invisible!

They won't be visible so long as you are blocking the traffic with the firewall. You have to temporarily unblock it to be able to track it.

Do you run Squid on your firewall?

-Tom
Oh dear, no wonder. I thought netcat would be watching inside the firewall.

I really hate to open it as it could leak anything about me to him. Maybe I could set up a VM with his IP to intercept traffic.

I am just now in the process of setting up Squid, with anonymize headers. I suspect that if someone got in, it must have been through Konqueror as my firewall is very tight and I am careful with email.

merc1984@f-m.fm

On Tue, Oct 16, 2012, at 10:40, Tom Eastep wrote:
> On 10/16/2012 10:30 AM, merc1984@f-m.fm wrote:
> > I can't believe this network traffic and sockets are invisible!
>
> They won't be visible so long as you are blocking the traffic with the
> firewall. You have to temporarily unblock it to be able to track it.
>
> Do you run Squid on your firewall?
>
> -Tom
On 16-10-12 8:40 PM, Tom Eastep wrote:
> On 10/16/2012 10:30 AM, merc1984@f-m.fm wrote:
> > Thanks, but I have tried that, adding -c and monitoring
> > constantly. netstat is blind to these, as it showed nothing even
> > as Shorewall blocked more. I suspect netstat monitors -source-
> > port (which is random), so I set Wireshark to listen for the
> > particular IP, and it was blind as well, when flurries of hits
> > were blocked by Shorewall.
> >
> > I can't believe this network traffic and sockets are invisible!
>
> They won't be visible so long as you are blocking the traffic with
> the firewall. You have to temporarily unblock it to be able to
> track it.
>
> Do you run Squid on your firewall?
>
> -Tom

Or you can be "man in the middle" and dump some traffic:

  'net' ---> 'you' ---> 'server'

If you suspect that your server is hacked this is the first step. Second, if there is a rootkit in your server then system packages and a lot of things are changed to cover "the use" of your system.

T. Bogdan
----------------
Linux Systems Network Security
----------------
http://www.direkt.ro
On 16.10.2012 20:01, merc1984@f-m.fm wrote:
> Oh dear, no wonder. I thought netcat would be watching inside the firewall.
>
> I really hate to open it as it could leak anything about me to him. Maybe I could set up a VM with his IP to intercept traffic.
>
> I am just now in the process of setting up Squid, with anonymize headers. I suspect that if someone got in, it must have been through Konqueror as my firewall is very tight and I am careful with email.

Wouldn't it be possible to REDIRect the traffic onto your firewall machine to some other port just in order to record its contents? So you don't really open up the port to the other machine again.
> Wouldn't it be possible to REDIRect the traffic onto your firewall
> machine to some other port just in order to record its contents? So you
> don't really open up the port to the other machine again.

Not sure how to REDIRECT. If I have a second IP on my interface with IP 192.168.11.1 would I:

  REDIRECT $FW 192.168.11.1 tcp * - 97.107.134.150

... and then listen on 192.168.11.1 with Wireshark? Would it actually see any traffic?

merc1984@f-m.fm
> Or you can be "man in the middle" and dump some traffic:
>
>   'net' ---> 'you' ---> 'server'

Absolutely no idea how to do this. Looks like it would require days of study.

merc1984@f-m.fm
On 16.10.2012 20:54, merc1984@f-m.fm wrote:
> > Wouldn't it be possible to REDIRect the traffic onto your firewall
> > machine to some other port just in order to record its contents? So you
> > don't really open up the port to the other machine again.
>
> Not sure how to REDIRECT. If I have a second IP on my interface with IP 192.168.11.1 would I:
>
>   REDIRECT $FW 192.168.11.1 tcp * - 97.107.134.150
>
> ... and then listen on 192.168.11.1 with Wireshark? Would it actually see any traffic?

I would try the following in your shorewall/rules:

-----8<---------
DNAT net loc:192.168.11.1:3333 tcp 3333
DNAT net loc:192.168.11.1:3333 udp 3333
------8<---------

And then try

  tcpdump port 3333 -i <your_dsl_if> -vv -A
On 10/16/2012 12:02 PM, Florian Piekert wrote:
> I would try the following in your shorewall/rules:
>
> -----8<---------
> DNAT net loc:192.168.11.1:3333 tcp 3333
> DNAT net loc:192.168.11.1:3333 udp 3333

The OP is seeing *outgoing* packets, not incoming.

-Tom
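As an added example (not code from the thread or from the Shorewall project), a small Python parser for the Shorewall log lines quoted in the first post. It classifies each dropped packet's direction the way Tom does above (IN= empty with OUT=wlan0 means the packet was generated on the firewall host itself, which is also what the fw2net chain name says), groups the drops by destination and port, and splits the timestamps into bursts. The two fw2net lines are the OP's; the net2fw line and the 198.51.100.7 address are constructed for the example.

```python
import re

# Shorewall logs via the kernel's netfilter LOG target; each line is
# "[uptime] Shorewall:<chain>:<disposition>:" followed by KEY=VALUE tokens
# and bare TCP flag tokens (DF, SYN, ACK, ...).
LINE_RE = re.compile(
    r"^\[\s*(?P<uptime>\d+\.\d+)\]\s+Shorewall:(?P<chain>[^:]+):"
    r"(?P<action>[^:]+):(?P<fields>.*)$"
)

# The first two lines are the ones quoted in the original post.  The third
# is CONSTRUCTED for this example (documentation address 198.51.100.7) so
# the direction logic is exercised for an inbound drop as well.
SAMPLE_LOG = """\
[55415.513723] Shorewall:fw2net:DROP:IN= OUT=wlan0 SRC=192.168.1.1 DST=97.107.134.150 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=28176 DF PROTO=TCP SPT=55445 DPT=3333 WINDOW=14600 RES=0x00 SYN URGP=0
[55420.348527] Shorewall:fw2net:DROP:IN= OUT=wlan0 SRC=192.168.1.1 DST=97.107.134.150 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=27353 DF PROTO=TCP SPT=55447 DPT=3333 WINDOW=14600 RES=0x00 SYN URGP=0
[55431.000000] Shorewall:net2fw:DROP:IN=wlan0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.168.1.1 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=44444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""


def parse_line(line):
    """Return a dict of the line's fields, or None if it is not a Shorewall log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"uptime": float(m.group("uptime")), "chain": m.group("chain"),
           "action": m.group("action"), "flags": set()}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, value = tok.split("=", 1)   # "IN=" yields an empty string
            rec[key] = value
        else:
            rec["flags"].add(tok)            # DF, SYN, ACK, ...
    return rec


def direction(rec):
    """Classify the packet from its IN/OUT interfaces.

    An output interface with no input interface means the packet was
    generated on the firewall host itself; the reverse is a packet addressed
    to the host; both set means the host was forwarding it.
    """
    has_in, has_out = bool(rec.get("IN")), bool(rec.get("OUT"))
    if has_out and not has_in:
        return "locally-originated"
    if has_in and not has_out:
        return "inbound-to-host"
    if has_in and has_out:
        return "forwarded"
    return "unknown"


def summarize(log_text):
    """Group DROPped packets by (direction, proto, dst, dport), keeping the
    source ports and uptime stamps so bursts can be examined."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "DROP":
            continue
        key = (direction(rec), rec.get("PROTO"), rec.get("DST"), int(rec.get("DPT", 0)))
        entry = summary.setdefault(key, {"count": 0, "sports": set(), "times": [], "syn_only": True})
        entry["count"] += 1
        entry["sports"].add(int(rec.get("SPT", 0)))
        entry["times"].append(rec["uptime"])
        if "SYN" not in rec["flags"] or "ACK" in rec["flags"]:
            entry["syn_only"] = False      # not a bare connection attempt
    return summary


def suspicious_outbound(summary, allowed_ports=frozenset({22, 53, 80, 443})):
    """Keys for connection attempts that originated on the firewall host and
    target a port outside the allow list: some process on the host (browser,
    mail client, or an unwanted program) must have opened those sockets."""
    return sorted(k for k in summary
                  if k[0] == "locally-originated" and k[3] not in allowed_ports)


def waves(times, gap=30.0):
    """Split uptime stamps into bursts separated by more than `gap` seconds."""
    bursts = []
    for t in sorted(times):
        if bursts and t - bursts[-1][-1] <= gap:
            bursts[-1].append(t)
        else:
            bursts.append([t])
    return bursts


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for key in suspicious_outbound(summary):
        entry = summary[key]
        print("%s %s -> %s:%d  drops=%d  bursts=%d  ephemeral sports=%s" % (
            key[0], key[1], key[2], key[3], entry["count"],
            len(waves(entry["times"])), sorted(entry["sports"])))
```

Feed it `dmesg` or the syslog file Shorewall logs to; the rising ephemeral source ports on one locally-originated key are the signature of a client process retrying.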
merc1984@f-m.fm wrote:
> I seem to have picked up a bug, but am unable to trace it. Lots of
> these:
>
> [55415.513723] Shorewall:fw2net:DROP:IN= OUT=wlan0 SRC=192.168.1.1
> DST=97.107.134.150 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=28176 DF
> PROTO=TCP SPT=55445 DPT=3333 WINDOW=14600 RES=0x00 SYN URGP=0
> [55420.348527] Shorewall:fw2net:DROP:IN= OUT=wlan0 SRC=192.168.1.1
> DST=97.107.134.150 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=27353 DF
> PROTO=TCP SPT=55447 DPT=3333 WINDOW=14600 RES=0x00 SYN URGP=0

Two possible solutions and a bit of advice:

1. Deploy SELinux in Enforcing mode (if you don't use it already) and then place a rule with the AUDIT target matching any packet which goes to destination port 3333, protocol udp. That way, you will be able to trace the process, thread and user credentials used to create that packet. You are "lucky" in a way that the packet originates on your machine - that allows you to see process, thread and user credentials - if this packet was from the outside you won't be able to see that.

   You can place this in the NEW section of "rules" or, if you have no joy (i.e. no matches), then you have to recreate that same rule in either the "raw" or "mangle" tables. Once you do get a match (check the counters when you execute "iptables -L -vn" or "shorewall show"), then check your audit.log file (usually in /var/log/audit). You can use "ausearch -m NETFILTER_PKT -i" (further filtering can be done with the "-ts" option) to see what matches you have received and that will give you a hint as to who/what creates that packet.

2. If you would like to grab the whole packet (header+payload), then you have to use ulogd2 and activate one of its numerous plugins which are able to capture and dump whole packets depending on what matches you have set up in iptables. To activate ulogd2 use the NFLOG iptables target to create the appropriate matching rule - either in "rules" or in raw/mangle tables as indicated above.

If you are fairly certain that your Konqueror browser is to blame, or you picked up a rogue plug-in, then if you are allowed, try to deactivate the various plugins you have in use in this browser - one by one - and see whether you get a repeat of the "volley". If not, and you are certain what causes it, then just remove the plugin and be done with it.

On a personal note, for this kind of thing I always use Tor, combined with Privoxy, both installed separately on one of my dmz machines. They are accessed over ssh tunnel from my desktop machines to filter out the stuff from "rogue" html page elements I do not need. That way, the browser *always* uses a proxy (redirected to the ssh tunnel port on my desktop machine - i.e. 127.0.0.1:XXXX) and I have explicitly blocked in my SELinux policy any "web" traffic (ports 21, 80, 443 and the like). That way, if something misbehaves, SELinux immediately raises an alert and I catch the bastard with his pants down more or less instantly.

Hope that helps.
On Wed, Oct 17, 2012, at 09:37, Mr Dash Four wrote:
> 1. Deploy SELinux in Enforcing mode (if you don't use it already) and
> then place a rule with the AUDIT target matching any packet which goes
> to destination port 3333, protocol udp. That way, you will be able to
> trace the process, thread and user credentials used to create that
> packet.

Good advice, thanks. I've been tempted to set up SELinux over the years. With Debian it's just 'bolt-on', as opposed to Fedora where it's built in. I am not going to use Fedora because they are going to M$' proprietary boot system, so I am staying with Debian for the foreseeable future.

I used to have a daemon set up that monitored for probes, and when one was detected it automatically sent out a safe-finger. One time I caught a guy red-handed, and he had actually set up and filled out ident! I got his name, address, phone, email, etc., all nice and neat, so reported him to his ISP of course. That was years ago, and I can't remember any longer how I did that. Now I would set up nmap, openvas, and armitage scans of his machines on trigger. If that doesn't set off alarm bells for him, he's just a kiddie.

If this was a penetration of my machine, I am shocked and astounded, with the attention I put in security.

> If you are fairly certain that your Konqueror browser is to blame, or
> you picked up a rogue plug-in, then if you are allowed, try to
> deactivate the various plugins you have in use in this browser - one by
> one - and see whether you get a repeat of the "volley". If not, and you
> are certain what causes it, then just remove the plugin and be done
> with it.

I am in the process right now of converting all my machines over to XFCE (the new default WM for Debian 7), and so am ditching Konqueror, KOrganizer, and KMail after 14 years of using them exclusively. KDE4 has just been busted for too long, and there has been absolutely no progress, and it is behind the times. That is enough.

So I am moving to XFCE and Iceweasel, and in the process have just set up Squid as my proxy (after a 3 year hiatus), in 'anonymizer_paranoid' mode, so it will spoof my source IPs, and to make me appear as a Googlebot.

In Iceweasel so far I have these Add-Ons:

  HTTPS Finder - select the https site, whenever possible.
  https://addons.mozilla.org/en-US/firefox/addon/https-finder/

  Session Manager, to restore old sessions.
  http://www.makeuseof.com/tag/firefoxs-session-manager/

  AdBlock Edge - Does not update automatically or phone home
  https://addons.mozilla.org/en-US/firefox/addon/adblock-edge/

  Element Hiding Helper - for those pesky text ads
  https://addons.mozilla.org/en-US/firefox/addon/elemhidehelper/

The only ways he could have possibly penetrated my machine are:

- Vuln in SSH daemon (unlikely)
- Java or Javascript in Konqueror
- Vuln in Flash or PDF
- Email attachment (unlikely, I am careful)

Most likely it was Java, Javascript, or Flash, so maybe there is some kind of scanning filter that would chain with Squid. (Kaspersky?) I'll be looking around for that maybe soon.

The port 3333 attempts came in repeated waves Sunday and Monday, but have stopped now. It's enough though to make me very concerned. I must wipe the affected system, and be concerned about the others. And seriously consider SELinux. I need to learn it sooner or later.

> On a personal note, for this kind of thing I always use Tor, combined
> with Privoxy, both installed separately on one of my dmz machines. They
> are accessed over ssh tunnel from my desktop machines to filter out the
> stuff from "rogue" html page elements I do not need.

I tried Tor for a while, but it is terribly slow, at least here in the Pacific Northwest. I wanted to set myself up as a Node, but I have vuln questions that I tried and tried to get answered but was ignored. It is just too slow for normal use, not even considering the lightning action I get now with Squid.

I have Squid set up on my HTPC, listening to localhost only. Then on my other machines I set up a reverse SSH tunnel to the HTPC, to make the daemon show up on them as localhost:3128. So when my laptop browser (for example) asks for a webpage, it reaches into its own bellybutton and comes out with the proxy service on the remote machine, through the SSH tunnel. All browser accesses for the LAN are made through 192.168.11.4, which is spoofing its address in headers as 192.168.1.2. (which has nothing to do with my LAN, for reasons of my own)

I tried setting it up as the system proxy on each, but many things broke and I don't have time to bit-twiddle. Just have browser proxies set up manually.

-- 
merc1984@f-m.fm
> Good advice, thanks.

No problem, I have been in this situation myself many times in the past, so I share your pain.

> I've been tempted to set up SELinux over the years. With Debian it's
> just 'bolt-on', as opposed to Fedora where it's built in. I am not going
> to use Fedora because they are going to M$' proprietary boot system, so
> I am staying with Debian for the foreseeable future.

This is news to me! When is Fedora planning to do that - is it with F18? I have been using Fedora since RH6 days and all my machines are Fedora-based.

> If this was a penetration of my machine, I am shocked and astounded,
> with the attention I put in security.

No system is ever 100% secure, no matter what you do. That is why you need proper monitoring tools and have as much control of what is going on as possible. You need proper eyes and ears.

As for SELinux - about 3-4 years ago I was like you - very pessimistic & reluctant, mostly because of the complexity of the setup and the massive learning curve it required (it was a huge leap for me). Now, I have all of my machines running customised/tailored SELinux policies where everything is pretty much locked up. On the net side - every single interface, node, IP address/range is assigned a separate security domain and every single packet that passes through/arrives at any of my machines is allocated a secmark (SECMARK target) - that way, if a rogue app is using (or attempting to use) any sort of a connection/packet, then the SELinux hooks will catch it and I will know about it.

> I am in the process right now of converting all my machines over to XFCE
> (the new default WM for Debian 7), and so am ditching Konqueror,
> KOrganizer, and KMail after 14 years of using them exclusively. KDE4
> has just been busted for too long, and there has been absolutely no
> progress, and it is behind the times. That is enough.

I have a similar dilemma myself - on all but 2 of my desktop Linux machines I have a customised gnome 2.99 (unofficial!) running on F13 base, but I adapted most of the packages from the latest releases (I even have packages that are not yet released by Fedora, at least not officially). The reason being is that I absolutely can't stand gnome 3 and all that crap it comes out with - whichever bright spark invented that monstrosity should be shot on sight! I have been planning to move to the newest Fedora and XFCE, but it is a massive undertaking and I need to dedicate at least a month to do it - something I can't afford at present.

> HTTPS Finder - select the https site, whenever possible.
> https://addons.mozilla.org/en-US/firefox/addon/https-finder/

What I'd also do is to wipe out the root certificates store - the one supplied by default with most web browsers/email clients. I'd manually add only those certificates I trust!

> Session Manager, to restore old sessions.
> http://www.makeuseof.com/tag/firefoxs-session-manager/
> AdBlock Edge - Does not update automatically or phone home
> https://addons.mozilla.org/en-US/firefox/addon/adblock-edge/
> Element Hiding Helper - for those pesky text ads
> https://addons.mozilla.org/en-US/firefox/addon/elemhidehelper/

Privoxy is much better than any of these. It is a massive undertaking to configure it at first, but once it is done, you hardly touch it and it does the job brilliantly.

> The only ways he could have possibly penetrated my machine are:
> - Java or Javascript in Konqueror
> - Vuln in Flash or PDF

These two above are what you should be worried about. That, and rogue plugins/extensions installed.

> The port 3333 attempts came in repeated waves Sunday and Monday, but
> have stopped now. It's enough though to make me very concerned. I must
> wipe the affected system, and be concerned about the others. And
> seriously consider SELinux. I need to learn it sooner or later.

Learning SELinux is no easy task, though once you've done it the reward you get is well worth it. As I pointed out above, I've (re-)written more or less everything from the "standard" policy supplied with Fedora as it was 1. too broad (it had massive security holes); and 2. did not suit my specific needs. Policy writing to me now is like writing a bash script or a C program - a doddle!

> I tried Tor for a while, but it is terribly slow, at least here in the
> Pacific Northwest. I wanted to set myself up as a Node, but I have vuln
> questions that I tried and tried to get answered but was ignored. It is
> just too slow for normal use, not even considering the lightning action
> I get now with Squid.

That was about 2 years ago - Tor now is very fast and comparable to a normal connection, but mileage does vary.

> I have Squid set up on my HTPC, listening to localhost only. Then on my
> other machines I set up a reverse SSH tunnel to the HTPC, to make the
> daemon show up on them as localhost:3128. So when my laptop browser
> (for example) asks for a webpage, it reaches into its own bellybutton
> and comes out with the proxy service on the remote machine, through the
> SSH tunnel. All browser accesses for the LAN are made through
> 192.168.11.4, which is spoofing its address in headers as 192.168.1.2.
> (which has nothing to do with my LAN, for reasons of my own)
>
> I tried setting it up as the system proxy on each, but many things broke
> and I don't have time to bit-twiddle. Just have browser proxies set up
> manually.

You can set up the proxies via a separate file or a URL - this is how I've done it. I also use proxy authentication so that not everyone is allowed to access it. The proxy authentication is with client certificates as well (no user IDs/password input is allowed), so there is usually no input on the client side at all - it is all pre-configured.
On Wed, Oct 17, 2012, at 15:24, Mr Dash Four wrote:

> This is news to me! When is Fedora planning to do that - is it with
> F18?

I don't remember. It's called "Microsoft Trusted Boot System" or some malarkey. It's intended to prevent boot viruses, but could have the effect of rendering open-source systems unbootable on newer hardware with this. No more Grub for Fed. Radically open-source for me, thanks.

> No system is ever 100% secure, no matter what you do. That is why you
> need proper monitoring tools and have as much control of what is going
> on as possible. You need proper eyes and ears.

I need a good IDS, but have proven myself not smart enough to make Prelude work.

> The reason being is that I absolutely can't stand gnome 3
> and all that crap it comes out with - whichever bright spark invented
> that monstrosity should be shot on sight!

Gnome has always been too limited for me. KDE was based on the old 'object-oriented' model, in the mold of Taligent, which is now only -20- years ahead of our time, along with object-oriented databases.

> I have been planning to move to the newest Fedora and XFCE, but it is a
> massive undertaking and I need to dedicate at least a month to do it -
> something I can't afford at present.

Me too. I have to make an actual living, and these are my personal machines. But I've converted my two easiest machines to XFCE now, the backups server and HTPC. Took a weekend to read all the XFCE docs, and there's less there than meets the eye. Once you read the docs you find there are basically no wonderful features hidden, but you can more easily bend it to your will. Only problem is I have not been able to make it save sessions on one of my machines, and why is a mystery to all on the forums and IRC. XFCE is certainly simpler than K.

> That was about 2 years ago - Tor now is very fast and comparable to
> normal connections, but mileage does vary.

I may try Tor again.

> You can set up the proxies via a separate file or a url - this is how
> I've done it. I also use proxy authentication so that not everyone is
> allowed to access it. The proxy authentication is with client
> certificates as well (no user IDs/password input is allowed), so there
> is usually no input on the client side at all - it is all
> pre-configured.

I tried a system setup so apt and MythTV channel updates would use Squid, but too many things broke. I have to move on to the next crisis. Manual works.

Now here's a question: I have a server dedicated entirely to backing up the other machines (and the security cameras). When it's time to do a backup it uses its SSH ecdsa certificate to reach out to the target machine and log in as root to do the rsync backup. Well, it's a bad idea to not put a password on a cert, so I have to really protect the backups server because it has easy root access to all the other machines. But don't I have to do it this way so backups are automated? Any idea how else it could get root access to the other machines without manual intervention?

-- 
http://www.fastmail.fm - Or how I learned to stop worrying and love email again
So I am surprised there isn't a well-known, defined path for when something inside your machine is trying to communicate outside without your permission. I have no idea what this is, trying to reach out to some guy's home machine in Chicago, but it can't be good. The only thing that's stopping him is Shorewall.

Is it that everyone else has all outgoing ports open, and is completely unaware of such attempts?

I don't understand why netcat does not pick up these outgoing attempts to 3333 when I set it to watch. It has proven completely blind when I get waves of them, as has Wireshark. Are netcat and Wireshark not listening for both source and destination port traffic? Here is my command:

netstat -cantup | grep 3333

Of course my intent and my purpose would be to trace these outgoing attempts to a process number or name in my machine, at the most basic, so I could know whether this is a cron job or daemon, much less how I got it. This seems like the very first and most basic step to take in a case like this, but it seems I am doing New Science. It seems my only option at this point is to wipe and completely reinstall the OS. How I got infected is a mystery, as is how to prevent it from happening again, other than learning everything about SELinux.

There has got to be a better way.

-- 
http://www.fastmail.fm - A fast, anti-spam email service.
> Of course my intent and my purpose would be to trace these outgoing
> attempts to a process number or name in my machine, at the most basic,
> so I could know whether this is a cron job or daemon, much less how I
> got it. This seems like the very first and most basic step to take in a
> case like this, but it seems I am doing New Science. It seems my only
> option at this point is to wipe and completely reinstall the OS.

As I already pointed out, you can get all this information by:

1. Activating SELinux in "Enforce" mode - you just have to install your kernel with SELinux-related options activated. If you use a "standard" kernel (i.e. the one which comes with your distro), at least in Fedora's case the SELinux hooks are there.

2. Install the auditd daemon package and activate it at startup (otherwise all of your security-related alerts will be logged in your syslog and you may not be able to "decipher" them).

3. Create a rule - either in Shorewall's "rules" file (use the "NEW" section), or do it manually using the raw or mangle tables - which uses the AUDIT target (Shorewall provides 3 such "macros" - A_ACCEPT, A_REJECT and A_DROP) that matches the source/destination ports and protocol you are interested to inspect, like so:

   A_DROP $FW net udp 3333

   For that to work though, both your kernel and iptables need the AUDIT target/match present - that comes as "standard" with recent kernels (3.x+ if I remember correctly).

4. (Optional) Install the selinux tools package to include "ausearch" so that you would be able to "decipher" your AUDIT logs. If you don't do that, you will get raw values (still readable and you can understand at least most of it).

5. Check your syslog (if you don't have the auditd daemon running) or /var/log/audit/audit.log to see whether there are any matches. The lines you should be looking for should have "NETFILTER_PKT" as the message type (if you use ausearch you can specify that as a filter parameter as I indicated in one of my previous replies to you).

The end!

The above should enable you to see, at the very least, who/what creates that packet by inspecting the AUDIT log properties - executable path, uid, pid, tid, ppid etc, *and* drop the said packet (if you used A_DROP). If you want to dig a bit deeper and inspect the packet contents (useful if you are going after that asshole in WA) then you have to use ulogd2 and activate some of its many plugins available so that you can log the packet contents as well. This is a bit more advanced stuff, so it is not everyone's cup of tea.

> How I got infected is a mystery, as is how to prevent it from happening again,
> other than learning everything about SELinux.

You don't have to "learn everything about SElinux" - just follow the steps above and read what I've sent you previously, that's all.

> There has got to be a better way.

If you want to find out what process/thread created the packet and get the user credentials used, this is the only reliable way I know of. Netfilter sometimes gives you that information, but this is obscure and incomplete to say the least.
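Step 5 above ends with reading NETFILTER_PKT records out of audit.log, and the next reply worries that the port will be different next time. As an added example (not code from this thread, from Shorewall or from auditd), the Python script below parses both the Shorewall kernel-log lines quoted at the start of the thread and auditd NETFILTER_PKT records into one flow record, then counts outbound destinations whose port is not on a small allowlist, so an unexpected port surfaces without anyone naming it in advance. The sample lines are constructed; the NETFILTER_PKT field set and the action-code mapping are assumptions, since the record layout varies by kernel version, and any fields the parser does not recognise are kept rather than discarded.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample input. The first three lines use the netfilter LOG layout
# Shorewall writes to the kernel log (the first two are the lines quoted at the
# start of this thread); the last two are auditd NETFILTER_PKT records written
# for the same two packets. The NETFILTER_PKT field set is an assumption; the
# parser relies only on the key=value layout every audit record shares.
SAMPLE_LINES = """\
[55415.513723] Shorewall:fw2net:DROP:IN= OUT=wlan0 SRC=192.168.1.1 DST=97.107.134.150 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=28176 DF PROTO=TCP SPT=55445 DPT=3333 WINDOW=14600 RES=0x00 SYN URGP=0
[55420.348527] Shorewall:fw2net:DROP:IN= OUT=wlan0 SRC=192.168.1.1 DST=97.107.134.150 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=27353 DF PROTO=TCP SPT=55447 DPT=3333 WINDOW=14600 RES=0x00 SYN URGP=0
[55431.000001] Shorewall:fw2net:ACCEPT:IN= OUT=wlan0 SRC=192.168.1.1 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=101 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0
type=NETFILTER_PKT msg=audit(1350500000.101:201): action=1 hook=3 len=60 inif=? outif=wlan0 mark=0x0 secmark=0 saddr=192.168.1.1 daddr=97.107.134.150 ipid=28176 proto=6 sport=55445 dport=3333
type=NETFILTER_PKT msg=audit(1350500004.936:202): action=1 hook=3 len=60 inif=? outif=wlan0 mark=0x0 secmark=0 saddr=192.168.1.1 daddr=97.107.134.150 ipid=27353 proto=6 sport=55447 dport=3333
"""

# IP protocol numbers, which NETFILTER_PKT reports numerically.
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
# Assumed mapping of the xt_AUDIT "action" code to the verdict the rule applied.
AUDIT_ACTIONS = {"0": "ACCEPT", "1": "DROP", "2": "REJECT"}


@dataclass
class Flow:
    source: str                 # "shorewall" (kernel log) or "audit" (auditd)
    verdict: str                # ACCEPT, DROP, REJECT or UNKNOWN
    out_if: str
    saddr: str
    daddr: str
    proto: str                  # lower-case name, or the number if unknown
    sport: Optional[int]
    dport: Optional[int]
    extra: Dict[str, str] = field(default_factory=dict)  # unconsumed fields


def _to_int(value: Optional[str]) -> Optional[int]:
    """Integer field, or None for a missing or placeholder value such as '?'."""
    try:
        return int(value) if value else None
    except ValueError:
        return None


def parse_shorewall_line(line: str) -> Optional[Flow]:
    """Parse one Shorewall/netfilter LOG line; None if the line is not one."""
    m = re.search(r"Shorewall:([^:\s]+):([A-Z_]+):", line)
    if not m:
        return None
    fields = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))  # flags like DF/SYN have no '='
    used = {"IN", "OUT", "SRC", "DST", "PROTO", "SPT", "DPT"}
    return Flow("shorewall", m.group(2), fields.get("OUT", ""),
                fields.get("SRC", ""), fields.get("DST", ""),
                fields.get("PROTO", "").lower(),
                _to_int(fields.get("SPT")), _to_int(fields.get("DPT")),
                {k: v for k, v in fields.items() if k not in used})


def parse_audit_line(line: str) -> Optional[Flow]:
    """Parse one auditd NETFILTER_PKT record; None for any other record type."""
    fields = dict(re.findall(r"(\w+)=(\S*)", line))
    if fields.get("type") != "NETFILTER_PKT":
        return None
    proto_num = _to_int(fields.get("proto"))
    used = {"type", "msg", "action", "outif", "saddr", "daddr", "proto", "sport", "dport"}
    return Flow("audit", AUDIT_ACTIONS.get(fields.get("action", ""), "UNKNOWN"),
                fields.get("outif", ""), fields.get("saddr", ""), fields.get("daddr", ""),
                PROTO_NAMES.get(proto_num, str(proto_num)),
                _to_int(fields.get("sport")), _to_int(fields.get("dport")),
                {k: v for k, v in fields.items() if k not in used})


def parse_lines(lines: Iterable[str]) -> List[Flow]:
    """Normalise a mixed stream of kernel-log and audit lines into Flow records."""
    flows: List[Flow] = []
    for line in lines:
        flow = parse_shorewall_line(line) or parse_audit_line(line)
        if flow is not None:
            flows.append(flow)
    return flows


def unexpected_destinations(flows: Iterable[Flow], allowed_ports: Set[int],
                            out_if: Optional[str] = None) -> Counter:
    """Count flows whose destination port is not on the allowlist.

    Keyed by (daddr, proto, dport), so a port nobody named in advance surfaces
    by itself. Pass out_if to look at a single egress interface only.
    """
    counts: Counter = Counter()
    for f in flows:
        if out_if and f.out_if != out_if:
            continue
        if f.dport is None or f.dport in allowed_ports:
            continue
        counts[(f.daddr, f.proto, f.dport)] += 1
    return counts


def report(lines: Iterable[str], allowed_ports: Set[int]) -> List[str]:
    """One line per unexpected (destination, proto, port), most frequent first."""
    counts = unexpected_destinations(parse_lines(lines), allowed_ports)
    return [f"{n:4d} x {proto}/{dport} -> {daddr}"
            for (daddr, proto, dport), n in counts.most_common()]


if __name__ == "__main__":
    # Ports this host is expected to talk to; anything else gets reported.
    for row in report(SAMPLE_LINES.splitlines(), {22, 53, 80, 443}):
        print(row)
```

Feed it the kernel log and audit.log together (for example `journalctl -k` output concatenated with /var/log/audit/audit.log) and keep the allowlist to the ports the box legitimately uses; the Shorewall verdict and any extra audit fields stay attached to each Flow, so once the kernel does log process context for a packet it appears in `extra` without changes to the parser.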
OK. I plan to wipe/reinstall this weekend and will try and get SELinux set up.

My main concern though is an unforeseen threat. This time it's port 3333, but next time it might be 2738, or God knows what, so I can't manually target anything. Tom recommends fwlogwatch, but the 'current' version in Debian Testing is non-functional, and I haven't had time to figure out how to set up and troubleshoot the latest source. Point is I need some kind of IDS or alarm monitor, which can either alert me real-time, or if there's a high degree of reliability take automated measures. I've tried to set up Prelude, but do not have the days to figure out and troubleshoot all the things that are wrong with it.

I just can't believe there aren't more 'canned' or more refined solutions by now. We all still have to do everything ad hoc.

On Fri, Oct 19, 2012, at 08:22, Mr Dash Four wrote:

-- 
http://www.fastmail.fm - Access all of your messages and folders wherever you are
> OK. I plan to wipe/reinstall this weekend and will try and get SELinux
> set up.

Forgot to add something in my previous post, which was pretty obvious (at least to me anyway) - along with the SELinux kernel support, you need to have a functional SELinux policy installed - selinux-policy + selinux-policy-XXX where XXX is the name of the policy package. I use (very heavily modified) selinux-policy-targeted, but for your needs you should be OK with the standard targeted policy supplied by your distro.

> My main concern though is an unforeseen threat. This time it's port
> 3333, but next time it might be 2738, or God knows what, so I can't
> manually target anything. Tom recommends fwlogwatch, but the 'current'
> version in Debian Testing is non-functional, and I haven't had time to
> figure out how to set up and troubleshoot the latest source. Point is
> I need some kind of IDS or alarm monitor, which can either alert me
> real-time, or if there's a high degree of reliability take
> automated measures. I've tried to set up Prelude, but do not have the
> days to figure out and troubleshoot all the things that are wrong with it.

Having a properly installed and functional selinux policy, auditd daemon and Shorewall will be perfect for that. If you wish to make your life a bit easier, then add the selinux-tools package to that as well. You don't need anything else, provided these are all configured properly. From the top of my head, allow all DROP targets in shorewall.conf to be A_DROP to activate the audit logging. Also, if SELinux is in Enforce mode (check with "getenforce"), then monitor your audit logs, because SElinux will not only log dropped packets or connection attempts, but also applications/rogue code misbehaving (web browser requesting SSH access for example) and you will be able to catch these instantly. If you are running a GUI (i.e. you have a proper desktop), at least in Fedora's distro there is a SELinux GUI tool (the name of which escapes me right now), which runs together with X and alerts you as soon as something misbehaves and you get an audit log. This is usually shown in the status line of the screen where you can just click on an icon and see what has been going on. That is, of course, in addition to all the other stuff you have at your disposal.

> I just can't believe there aren't more 'canned' or more refined
> solutions by now. We all still have to do everything ad hoc.

Define "refined". The system I described in this and my previous posts is pretty oiled-up and functional even if you don't make any changes to it - i.e. install it out of the box. For your individual needs, you have to get your hands dirty a bit and do a bit of tweaking.