[Wolves] help - think I've been hacked

wolves@mailman.lug.org.uk wolves at mailman.lug.org.uk
Fri Jul 18 17:03:00 2003


I need more information: What hardware have you got
attached to the box?

Here is my run down of what's going on in these logs:

Jul 17 09:10:56 tabby kernel: uhci.c: e800: host controller
halted. very bad <-- the uhci is the universal host
controller interface, and one of the interface types that
runs USB. Unless you have critical stuff attached to your
USB ports, (like a usb cable modem) then this is not
important. If it is then it is most likely a hardware
failure either in the uhc itself, or the attached device.
It is unlikely to be an attack-related problem (note the use
of the word: "Unlikely"). What kernel version do you have?

Jul 17 09:29:54 tabby kernel: SuSE-FW-DROP-DEFAULT IN=ppp0
OUT= MAC= SRC=217.56.254.131 DST=217.158.156.143 LEN=48 TOS=0x00
PREC=0x00 TTL=120 ID=29683 DF PROTO=TCP SPT=1205 DPT=445 WINDOW=16384
RES=0x00 SYN URGP=0 OPT (020405B401010402) <-- this is your suse firewall
ruleset giving out ridiculously verbose information about a
packet it dropped. This packet appears to be a valid tcp
connection request coming in over your modem. It doesn't say
what port the request was on, and this information is
suspicious in its absence (ie - it was probably this
information that the packet was dropped upon). Messages like
this are usually classed as "attempted reconnaissance" as
someone is trying to poke around to see what you are
running. (probably this packet *should* have been routed
over one of your interfaces to another, but was stopped by
the kernel firewalling - hence the ridiculously (and
unnecessarily) cryptic suse name "SuSE-FW-DROP-DEFAULT" -
the default rule of your forwarding table (or chain, or
rule) is to drop the packet.

Jul 17 10:47:29 tabby kernel: SuSE-FW-UNAUTHORIZED-TARGET
IN=ppp0 OUT= MAC= SRC=195.8.69.184 DST=217.158.156.151 LEN=60 TOS=0x00
PREC=0x00 TTL=62 ID=29479 PROTO=TCP SPT=110 DPT=1900 WINDOW=57344
RES=0x00 ACK SYN URGP=0 OPT (020405B4010303000101080A7E035B7A016367E8) <--
this is roughly the same kind of thing. Again, stupid suse
does not give a clear reason and we must all guess what
"SuSE-FW-UNAUTHORIZED-TARGET" means. Presumably the
destination address was not allowed to be reached, but it's
difficult to tell without knowing more about your interfaces
what this message is telling us.

You did disconnect and reconnect between the two times of
the firewalling messages, gaining a different IP from the
dhcp pool of your isp. As such these two things are unlikely
to be related (notice use of the word: "unlikely").

Having seen the firewall rules go off, presumably you got
worried and re-installed your firewalling rules from script.
(Jul 17 10:47:30 tabby SuSEfirewall2: Firewall rules
successfully set from /etc/sysconfig/SuSEfirewall2) however,
the timestamps are telling me something different - that
happened one second after the second warning. Now - either
the second warning was a false alert caused by running a
firewalling script on a transceiving interface (when the
firewall is "half-up" (half way through executing the
script) there can be strange false-positives).

So, a firewall rule triggered during a USB host controller
device failure, and a false positive from a half-up firewall
caused by executing a firewall script on a device that was
up at the time? Probably. That's what I would interpret
these logs as.

*However* you need to be more sensitive to things going
wrong now. Don't panic (even if your terminals start printing
"all your dialup accounts are belong to us" repeatedly), but
do try to keep up the good basic awareness that you have
kept up till now.

Please give me:

cat /proc/pci
route -n
netstat -anp
ps aux
ifconfig

and finally

uname -a

but definitely not

rm -rf /

not yet anyway....

And give me your IP when you are next online (in the case of
a modem) and I'll have an ethical (and authorized) poke
around if you think you can trust me. After a short "poke
around" I am in a better position to talk about the
interface you present to the rest of the world (obviously).

Hope this more verbose response helps

bambam

--
There is absolutely no warranty for GDB.  Type "show warranty" for details.

On Thu, 17 Jul 2003, Jayne Heger wrote:

>
> >    what makes you think you have been hacked ?
> >This would give a good place to start looking.
> >
> >
> >
> well, last night when I was looking at my logs, i.e. I press f10 I got
> all this
> I have copied and pasted the bits I think are relevant
> Recently I had been having problems with my Smoothwall box (hardware
> issue) so temporarily disconnected that and instead have been running
> an iptables based SuSE's own firewall on my workstation. I do intend to
> fix my Smoothie box and install a Debian server/firewall on it.
> I know if I have been hacked I'll have to re-format and install
> everything from scratch on my workstation.
>
> I am a paranoid person BTW and do get easily spooked. ;)
>
> Jul 17 03:59:00 tabby /USR/SBIN/CRON[29392]: (root) CMD ( rm -f
> /var/spool/cron/lastrun/cron.hourly)
> Jul 17 03:59:00 tabby kernel: uhci.c: e800: host controller halted. very bad
> Jul 17 03:59:31 tabby last message repeated 2299 times
> Jul 17 04:00:32 tabby last message repeated 4576 times etc...... (my
> logs are full of last message repeated so many times)
>
> Jul 17 09:10:56 tabby ip-up: Warning: detected activated samba, enabling
> FW_SERVICE_SMB!
> Jul 17 09:10:56 tabby ip-up: You still have to allow tcp port 139 on
> internal, dmz and/or external.
> Jul 17 09:10:56 tabby kernel: uhci.c: e800: host controller halted. very bad
>
> Jul 17 09:29:54 tabby kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC=
> SRC=217.56.254.131 DST=217.158.156.143 LEN=48 TOS=0x00 PREC=0x00 TTL=120
> ID=29683 DF PROTO=TCP SPT=1205 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
> OPT (020405B401010402)
> Jul 17 09:29:54 tabby kernel: uhci.c: e800: host controller halted. very bad
> Jul 17 09:29:54 tabby last message repeated 23 times
> Jul 17 10:47:29 tabby kernel: SuSE-FW-UNAUTHORIZED-TARGET IN=ppp0 OUT=
> MAC= SRC=195.8.69.184 DST=217.158.156.151 LEN=60 TOS=0x00 PREC=0x00
> TTL=62 ID=29479 PROTO=TCP SPT=110 DPT=1900 WINDOW=57344 RES=0x00 ACK SYN
> URGP=0 OPT (020405B4010303000101080A7E035B7A016367E8)
> Jul 17 10:47:29 tabby kernel: uhci.c: e800: host controller halted. very bad
> Jul 17 10:47:30 tabby last message repeated 104 times
> Jul 17 10:47:30 tabby SuSEfirewall2: Firewall rules successfully set
> from /etc/sysconfig/SuSEfirewall2
> Jul 17 10:47:31 tabby kernel: uhci.c: e800: host controller halted. very bad
> Jul 17 10:47:31 tabby last message repeated 5 times
>
> thanks
>
> Jayne
>
>
>
>
>
> _______________________________________________
> Wolves mailing list
> Wolves@mailman.lug.org.uk
> http://mailman.lug.org.uk/mailman/listinfo/wolves
>
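The two SuSE-FW lines discussed in the thread are the standard netfilter LOG format, which is easier to read once the KEY=value fields and TCP flags are pulled apart. The following is an added example, not code from the list post or from SuSEfirewall2; the sample lines are the ones quoted above, re-joined onto single lines, and the verdict rule (a bare SYN arriving on the public interface is an unsolicited connection attempt, a SYN+ACK is a reply to something this host initiated, or backscatter) is this example's own heuristic.

```python
"""Parse netfilter/SuSEfirewall2 LOG lines and give each a rough triage verdict."""
import re

# Constructed from the two SuSE-FW lines quoted in the thread (line wraps removed).
SAMPLE_LOGS = [
    "Jul 17 09:29:54 tabby kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= "
    "SRC=217.56.254.131 DST=217.158.156.143 LEN=48 TOS=0x00 PREC=0x00 TTL=120 "
    "ID=29683 DF PROTO=TCP SPT=1205 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0 "
    "OPT (020405B401010402)",
    "Jul 17 10:47:29 tabby kernel: SuSE-FW-UNAUTHORIZED-TARGET IN=ppp0 OUT= "
    "MAC= SRC=195.8.69.184 DST=217.158.156.151 LEN=60 TOS=0x00 PREC=0x00 "
    "TTL=62 ID=29479 PROTO=TCP SPT=110 DPT=1900 WINDOW=57344 RES=0x00 ACK SYN "
    "URGP=0 OPT (020405B4010303000101080A7E035B7A016367E8)",
]

LINE_RE = re.compile(r"kernel: (?P<prefix>\S+) (?P<rest>.*)")
OPT_RE = re.compile(r"OPT \(([0-9A-Fa-f]+)\)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_fw_line(line):
    """Return the log prefix, every KEY=value field, the TCP flag set and the MSS option."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix"), "flags": set(), "mss": None}
    for tok in m.group("rest").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            rec[k] = v                      # empty fields (OUT=, MAC=) are kept as ""
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)
    o = OPT_RE.search(line)
    if o and o.group(1).upper().startswith("0204"):   # TCP option kind 2, len 4: MSS
        rec["mss"] = int(o.group(1)[4:8], 16)
    return rec


def classify(rec):
    """Heuristic verdict for a TCP packet logged on the public (IN=) interface."""
    if rec.get("PROTO") != "TCP" or not rec.get("IN"):
        return "other"
    if rec["flags"] == {"SYN"}:
        return "unsolicited-connect"        # remote host probing DPT; firewall dropped it
    if rec["flags"] == {"SYN", "ACK"}:
        return "reply-to-outbound"          # SYN/ACK from SPT: answer to our own connect, or backscatter
    return "other"


def triage(lines):
    """(prefix, SRC, SPT, DPT, verdict) for every parseable LOG line."""
    recs = [r for r in map(parse_fw_line, lines) if r]
    return [(r["prefix"], r["SRC"], r["SPT"], r["DPT"], classify(r)) for r in recs]
```

Run over the two sample lines, the first comes out as a dropped inbound SYN to port 445 (SMB) and the second as a SYN/ACK from port 110 (POP3), i.e. a reply to a connection this host made, which fits the thread's note that the box had changed IP between the two messages.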