Very Computer

Hi,

I did a keyword search for my question with no hits, so please excuse
me if I'm being redundant!

I have a Linux firewall PC between my cable modem and several Windows
98 PCs on my home LAN.  I've been very happy with it but a couple of
days ago I discovered that someone was able to crack my firewall and
install password filtering software (t0rn?), among other things.
Someone has been roaming around it for a while, I guess, apparently
with root permission.

I haven't discovered how the break in was accomplished yet.  I guess
that I'll try to understand HOW it happened before I reinstall Linux
from scratch.

My most immediate worry is how exposed have the Windows PCs been while
this cracking has been going on?  One of the windows PCs has a directly
connected printer that is shared across the LAN with the others.  I
didn't bother to password the share because I was only sharing the
printer and not any of the disk volumes on the PC.  I also assumed that
ipchains would filter out any netbios packets from outside my LAN.  I
didn't think about the possibility of someone trying to access a
windows PC directly from the firewall, though.

Now, having read some articles at linuxsecurity.com, I fear that
sharing the printer may have opened a loophole for the firewall cracker
to get access to the disk volumes on the PC. The first article I read
says that sharing the printer is sufficient to open the loophole. Other
info that I read at CERT only mentions unpassworded disk sharing as
dangerous.

Does anyone have any specific knowledge of the "NetBios over TCP/IP"
loophole.  Would it be easy for a cracker, having gained control of my
firewall, to exploit this loophole?  Is there any evidence that I can
look for that such an exploit has occurred?

Thanks in advance,
FWallNewbie

Sent via Deja.com http://www.deja.com/
Before you buy.

Just a guess and you need to check but they probably only wanted to use
your ex-firewall as a base to 'other excursions' on to the net. If you
are running ipchains and left any ports (at all) open that's where to start.
be sure and remove it from the net as it is now a security hazard to everyone
else. A full rebuild will be in order and then getting all the patchs/updates
for which ever version you are using. Popular exploits are DNS port 53, HTTP
port 80, ftp port 80, telnet port 23, and RPC port 111. more if you were running
xwindows. All of these have known problems.

Quote:> Hi,

> I did a keyword search for my question with no hits, so please excuse
> me if I'm being redundant!

> I have a Linux firewall PC between my cable modem and several Windows
> 98 PCs on my home LAN.  I've been very happy with it but a couple of
> days ago I discovered that someone was able to crack my firewall and
> install password filtering software (t0rn?), among other things.
> Someone has been roaming around it for a while, I guess, apparently
> with root permission.

> I haven't discovered how the break in was accomplished yet.  I guess
> that I'll try to understand HOW it happened before I reinstall Linux
> from scratch.

> My most immediate worry is how exposed have the Windows PCs been while
> this cracking has been going on?  One of the windows PCs has a directly
> connected printer that is shared across the LAN with the others.  I
> didn't bother to password the share because I was only sharing the
> printer and not any of the disk volumes on the PC.  I also assumed that
> ipchains would filter out any netbios packets from outside my LAN.  I
> didn't think about the possibility of someone trying to access a
> windows PC directly from the firewall, though.

> Now, having read some articles at linuxsecurity.com, I fear that
> sharing the printer may have opened a loophole for the firewall cracker
> to get access to the disk volumes on the PC. The first article I read
> says that sharing the printer is sufficient to open the loophole. Other
> info that I read at CERT only mentions unpassworded disk sharing as
> dangerous.

> Does anyone have any specific knowledge of the "NetBios over TCP/IP"
> loophole.  Would it be easy for a cracker, having gained control of my
> firewall, to exploit this loophole?  Is there any evidence that I can
> look for that such an exploit has occurred?

> Thanks in advance,
> FWallNewbie

> Sent via Deja.com http://www.deja.com/
> Before you buy.

Hi,

What may have happened is that having gained root access to the linux
firewall, they could have reconfigured the firewall and hidden their tracks.

As for the netbios over TCP/IP risks, there's a good explaination of MS
risks at www.grc.com (via 'Shields Up' windows vunerable port tests).

As for tracking down what happened, if the firewall is package installed
(rpm, deb etc) then you can try verifying the installed packages to see if
any have been root kitted (replaced by 'trojan' versions). Also study all
the logs closely for any inconsistencies that may indicate alteration,
non-logging etc.

You may not be able to determine what happened but when you reinstall,
consider running remote logging (use a log server) and software that
verifies any changes in the current filesystem.

Steve

Once you get your firewall sorted out, I might suggest installing a
software firewall like ZoneAlarm or Black ICE Defender on your Windows
PCs also.  They add a tiny bit of overhead, but they also add another
layer of protection to your PCs.

The combination of a firewall box as well as software firewalls might
help.

-ehobz

[cut]

Sent via Deja.com
http://www.deja.com/

The above products aren't really firewalls proper, they are primarily
Intrustion Detection Systems, sometimes called "Personal Firewalls".  That
being said, there is such a product for Linux to augment your firewall, it's
called Snort, and can be gotten from http://www.snort.org

Best regards,
Dan.

--
............................................................................

 "The news [of Dinko Sakic's recovery from illness] will come as a relief to
 Jewish groups who were bitterly disappointed at the postponement of the
 trial, fearing that the medical problems were being used to create delays
 and *reduce media interest*."  -Reuters, March 15, 1999

............................................................................

............................................................................

Quote:

>  "The news [of Dinko Sakic's recovery from illness] will come as a relief
to
>  Jewish groups who were bitterly disappointed at the postponement of the
>  trial, fearing that the medical problems were being used to create delays
>  and *reduce media interest*."  -Reuters, March 15, 1999

............................................................................

Quote:> www.geocities.com/pentagon/bunker/1022

One nice advantage of some of these 'personal' firewalls is that some can
base outgoing access rules upon the initiating application - thereby
identify loaded trojans trying to 'phone-home'. Pretty much impossible with
boundary firewalls if the communications follow regular, permitted TCP
protocols. Found this quite useful when a local LAN machine became infected
with one that the virus checkers we use didn't pick it up. We had noticed
the extra traffic to particular remote IP addresses and the source of the
communications, but ZA was useful in identifying the app calling out so we
could investigate further.