Possible hack?

Post by Wizar » Tue, 07 Sep 1999 04:00:00



Hello,

I have had some IP number scanning and probing my machine. I think I had
all the ipchains correct but I am not sure. So I ran a 'portscan' from a
friendly machine and it reported that ports 707 and 777 are open.
I can telnet to it, while it is not logged in the /var/log/warn or
messages.
Could it be I am hacked?
Or more precisely: does anyone of you know a hack that opened my ports
707 and 777?
I'm running SuSE 6.1, Linux 2.2.7

Thanks,
Frans


Possible hack?

Post by Jens Hekto » Tue, 07 Sep 1999 04:00:00


Hi,

These are for sure RPC ports; try "rpcinfo -p localhost".

Jens


> the ipchains correct but I am not sure. So I ran a 'portscan' from a
> friendly machine and it reported that ports 707 and 777 are open.
> I can telnet to it, while it is not logged in the /var/log/warn or
> messages.
> Could it be I am hacked?
> Or more precisely: does anyone of you know a hack that opened my ports
> 707 and 777?
> I'm running SuSE 6.1, Linux 2.2.7

--
Jens Hektor, RWTH Aachen, Rechenzentrum, Seffenter Weg 23, 52074 Aachen
Computing Center Technical University Aachen, firewalls/network security

Private: Rochusstr. 26, D52062 Aachen, Fon: +49 241 29888, Fax: % 29889


Possible hack?

Post by Wizar » Tue, 07 Sep 1999 04:00:00



> Hi,

> these are for sure rpc-ports, try "rpcinfo -p localhost".

> > Could it be I am hacked?
> > Or more precisely: does anyone of you know a hack that opened my ports
> > 707 and 777?

I just did, and my system knows port 707: bwnfsd.
No 777 in this list. So I am a little more confident, still not 100% ;-)

Thanks,
Frans


Possible hack?

Post by Marcu » Tue, 07 Sep 1999 04:00:00



> Hello,

> I have had some IP number scanning and probing my machine. I think I had
> all the ipchains correct but I am not sure. So I ran a 'portscan' from a
> friendly machine and it reported that ports 707 and 777 are open.
> I can telnet to it, while it is not logged in the /var/log/warn or
> messages.
> Could it be I am hacked?
> Or more precisely: does anyone of you know a hack that opened my ports
> 707 and 777?
> I'm running SuSE 6.1, Linux 2.2.7

> Thanks,
> Frans

When I don't know what a port is or what it does, I look in the
/etc/services file. This is a great file for finding out what ports do
(please note that all ports in /etc/services aren't open. They are there
to give info).

--

                        // talos / AINT
                        // www:   http://www.algonet.se/~talos


Possible hack?

Post by F.J. Hondema » Tue, 07 Sep 1999 04:00:00



> > Or more precisely: does anyone of you know a hack that opened my ports
> > 707 and 777?

> When I don't know what a port is or what it does, I look in the
> /etc/services file. This is a great file for finding out what ports do
> (please note that all ports in /etc/services aren't open. They are there
> to give info).

Hi,

Well, the 707 appears to be for pcnfsd which I DON'T start. The 777 is
nowhere explained.
Some extra info: after every (successful) login there is a line added in
the /var/log/messages that says:
Sep  6 21:24:37 blackadder kcheckpass[284]: authentication failure for
user root [uid 0]

(21:24:37 is the actual time I log in, and my machine is called
blackadder).
I feel like there's some program added in the login chain that sends the
passwords to the hacker, but I cannot get a grip on it.
So I re-installed the full KDE, but that did not help.

I also feel (not justified?) better after adding the suspicious IP
number in both the incoming and outgoing ipchains deny chain.

Frans Hondeman


Possible hack?

Post by Bill Thorsteins » Tue, 07 Sep 1999 04:00:00


On Mon, 06 Sep 1999 21:38:24 +0200, "F.J. Hondeman"



>> > Or more precisely: does anyone of you know a hack that opened my ports
>> > 707 and 777?

>> When I don't know what a port is or what it does, I look in the
>> /etc/services file. This is a great file for finding out what ports do
>> (please note that all ports in /etc/services aren't open. They are there
>> to give info).

>Hi,

>Well, the 707 appears to be for pcnfsd which I DON'T start. The 777 is
>nowhere explained.
>Some extra info: after every (successful) login there is a line added in
>the /var/log/messages that says:
>Sep  6 21:24:37 blackadder kcheckpass[284]: authentication failure for
>user root [uid 0]

>(21:24:37 is the actual time I log in, and my machine is called
>blackadder).
>I feel like there's some program added in the login chain that sends the
>passwords to the hacker, but I cannot get a grip on it.
>So I re-installed the full KDE, but that did not help.

>I also feel (not justified?) better after adding the suspicious IP
>number in both the incoming and outgoing ipchains deny chain.

>Frans Hondeman

I found a much larger list of port assignments somewhere on the
net. It runs 360K. This is the listing for 777.


multiling-http  777/tcp    Multiling HTTP
multiling-http  777/udp    Multiling HTTP

kcheckpass could be the kerberos password service.

I hope this helps.

/Bill Thorsteinson


Possible hack?

Post by Anto » Tue, 07 Sep 1999 04:00:00



> I have had some IP number scanning and probing my machine. I think I had
> all the ipchains correct but I am not sure. So I ran a 'portscan' from a
> friendly machine and it reported that ports 707 and 777 are open.
> I can telnet to it, while it is not logged in the /var/log/warn or
> messages.
> Could it be I am hacked?
> Or more precisely: does anyone of you know a hack that opened my ports
> 707 and 777?

What you can do is this: telnet to port 707, and while the connection is
open, run this command on another console (as root): 'fuser -n tcp 707'
That should give you back a PID of whatever is using port 707. Then do
'ps PID' to find out what program it actually is. You can do the same
for 777 of course. Use udp instead of tcp, depending on what the
portscan told you (it's probably tcp though).

Anton

--

Ever stop to think, and forget to start again?
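Anton's fuser/ps procedure and Marcus's /etc/services lookup, combined into one check that reads /proc directly instead of shelling out. This is an added example, not code from anyone in this thread; it assumes a Linux /proc filesystem, and the /proc/net/tcp sample it carries is constructed (listeners on 707 and 777 like the original poster's scan).

```python
"""Which process owns a listening TCP port? Same answer as 'fuser -n tcp PORT'
followed by 'ps PID', obtained by reading /proc directly (Linux only)."""
import os
import socket
LISTEN = "0A"  # TCP state code for LISTEN in /proc/net/tcp
# Constructed /proc/net/tcp sample: LISTEN on 707 (0x02C3) and 777 (0x0309); row 2 is an ESTABLISHED (01) connection that must be ignored.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:02C3 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1
   1: 00000000:0309 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1
   2: 0100007F:0017 0100007F:C3A1 01 00000000:00000000 00:00000000 00000000     0        0 12347 1
"""

def listening_ports(proc_net_tcp_text):
    """Return {port: socket inode} for every socket in LISTEN state."""
    listeners = {}
    for line in proc_net_tcp_text.splitlines()[1:]:  # first row is the header
        fields = line.split()
        if len(fields) >= 10 and fields[3] == LISTEN:
            port = int(fields[1].rsplit(":", 1)[1], 16)  # hex port after ':'
            listeners[port] = int(fields[9])  # tenth column is the inode
    return listeners

def pids_for_inode(inode, proc="/proc"):
    """PIDs holding socket:[inode] in their fd table (what fuser scans);
    other users' fd directories need root to read and are skipped."""
    target, owners = "socket:[%d]" % inode, []
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            links = [os.readlink(os.path.join(fd_dir, f)) for f in os.listdir(fd_dir)]
        except OSError:
            continue
        if target in links:
            owners.append(int(pid))
    return owners

def describe_port(port, proc="/proc"):
    """Service name from /etc/services, then owning PIDs and their executables."""
    try:
        name = socket.getservbyport(port, "tcp")
    except OSError:
        name = "not in /etc/services"
    with open(os.path.join(proc, "net", "tcp")) as fh:
        inode = listening_ports(fh.read()).get(port)
    if inode is None:
        return "%d/tcp (%s): no listener" % (port, name)
    owners = ["pid %d exe %s" % (p, os.readlink("%s/%d/exe" % (proc, p)))
              for p in pids_for_inode(inode, proc)]
    return "%d/tcp (%s): %s" % (port, name, "; ".join(owners) or "owner unreadable, rerun as root")
```

Call `describe_port(707)` as root: unprivileged it only sees your own processes, the same limit fuser has, and a service started from inetd will show inetd as the owner until a connection is actually open.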


Possible HACK?? Please help!

Hi there,
I've recently put my Linux server online... and lo and behold, two days
later... it appears I've been hacked.

This morning I noticed my server was responding very slowly. Upon checking
the messages log I found numerous lines such as:

Jul 21 09:49:53 NS Kernel: NET: 2370 messages suppressed
Jul 21 09:49:53 NS Kernel: dst cache overflow

There were enough of these to effectively lock up my computer. (SYN attack??)

From there, I attempted to log in to the console machine. The root login
failed repeatedly, as well as all other logins I have created.

I had to shut down to single user mode in order to access the system. From
there I changed all the passwords for all active accounts and rebooted. I
still could not log in with root or any other account. I went back to single
user mode, examined the messages again, and noticed with the root login, the
authentication failure message stated that the /etc/securetty file could not be
read.

I checked the permissions on the file. They were
-rw-------

I changed them to
-rw-r--r--
(I checked another Linux box, and it shows securetty set to -rw-------)

After rebooting again, I was able to log in with root under the new password.
I STILL cannot log in with any other user. I've changed all passwords, and
with each login attempt I get an authentication failure.

Jul 21 11:05:23 NS Login[1302]: FAILED LOGIN FROM (null) FOR stefanw,
Authentication Failure

I've spent most of the day scanning logs and looking for modified files. All
the files in /etc/pam.d have not been modified lately.

Any suggestions??

-stefan
