[Wolves] help - think I've been hacked

wolves@mailman.lug.org.uk wolves at mailman.lug.org.uk
Sat Jul 19 19:42:01 2003


> [IMHO log entries should state facts rather than opinions, and I'm somewhat
> dubious of the merit in including statements like "very bad" at the end of
> the message as above!]

Agreed. Bloody kernel developers.

<snip>

> Actually it does give the info: SPT=Source port, DPT=Destination port. The
> source port is chosen by the connecting machine, specific to the individual
> connection/connection attempt. In this case it could probably be considered
> arbitrary (though there are often identifiable patterns/trends in the port
> numbers a client machine uses). The destination port (DPT) is generally
> specific to a particular service which "listens" for connections to that port
> (called a "well known" port number).

So stupid of me not to see this. Sorry. I must not smoke
crack.. I must not smoke crack.. I must not smoke..........

<snip>

> > Messages like
> > this are usually classed as "attempted reconnaissance" as
> > someone is trying to poke around to see what you are
> > running.
>
> ...or someTHING (i.e. a worm), automatically looking for new machines to
> infect. I get quite a few packets to port 445 (which I drop) and I suspect that
> most of them come from worms that have infected Windows machines. I'd
> consider such packets as a hostile action, though not particularly worthy of
> concern unless in conjunction with other activity (as the packets are
> dropped).

In which case, the "attempted reconnaissance" was being
performed by the worm.

> > And give me your IP when you are next online (in the case of
> > a modem) and I'll have an ethical (and authorized) poke
> > around if you think you can trust me. After a short "poke
> > around" I am in a better position to talk about the
> > interface you present to the rest of the world (obviously).

I did this and she seemed fine. (Crazy fool for trusting me)
(!).

<snip>

> with. The log extracts provided seem to contain:
>
>  - One "hostile" packet blocked by the firewall
>  - A packet from a POP3 session with your ISP's mail server. Logged for
> reasons unknown. Not possible to tell whether it's also been blocked.
>  - Hardware fault with USB
>  - Firewall scripts starting up (boot-up or runlevel change???)

(With the port numbers now) Agreed. This is exactly what
happened.

Having spoken to Jayne, I now know that she didn't run the
firewall script manually, so what I can't figure out as yet is
what caused the firewall script to run. Surely if one
changes runlevel to go into X, then the *firewall* script
should not be run, and there was no other reason to change
runlevel that I can see. Syslogd would have reported if cron
had done it.

This kind of thing annoys me about SuSE. With Slackware you
know that if this happened it happened for a good reason. It
may have been some crazy SuSE thing. Any SuSE experts?

As James pointed out, if you had been owned, and the
attacker knew what they were doing, there could be only a
very small footprint (or none at all (eek!)). I guess a lot
of what we do is blind trust. Oh well.

See you all soon.

bambam
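Added example (not part of the original thread, and not the poster's own log lines): a small parser for netfilter LOG lines that pulls out SPT/DPT the way the quoted explanation describes, and applies the same reasoning the thread used to sort the log extracts: a dropped SYN to port 445 is worm noise, while a packet whose *source* port is 110 is a reply inside a POP3 session the client opened. The sample syslog lines, addresses and the "DROP"/"LOG" prefixes are constructed for illustration.

```python
import re

# Constructed sample syslog lines in netfilter LOG format (sample data, not the
# log extracts from the original thread). The third line is unrelated kernel output.
SAMPLE_LOG = """\
Jul 19 18:02:11 box kernel: DROP IN=ppp0 OUT= SRC=198.51.100.23 DST=203.0.113.7 LEN=48 TTL=113 ID=4242 DF PROTO=TCP SPT=1035 DPT=445 WINDOW=16384 SYN URGP=0
Jul 19 18:03:40 box kernel: LOG IN=ppp0 OUT= SRC=203.0.113.50 DST=203.0.113.7 LEN=52 TTL=60 ID=9981 DF PROTO=TCP SPT=110 DPT=32771 WINDOW=5840 ACK URGP=0
Jul 19 18:05:02 box kernel: usb-uhci.c: interrupt, status 2, frame# 1234
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}  # printed as bare tokens
WORM_TARGET_PORTS = {445}   # Windows file-sharing port the thread mentions
POP3_PORT = 110

def parse_line(line):
    """Parse one netfilter LOG line into a dict; return None for other messages."""
    if "kernel:" not in line or "PROTO=" not in line:
        return None
    body = line.split("kernel:", 1)[1].strip()
    # Any --log-prefix text sits between "kernel:" and the first IN= field.
    prefix = body.split("IN=", 1)[0].strip()
    fields = dict(FIELD_RE.findall(body))
    if "SPT" not in fields or "DPT" not in fields:
        return None   # e.g. ICMP lines carry TYPE/CODE rather than ports
    return {
        "prefix": prefix, "src": fields["SRC"], "dst": fields["DST"],
        "proto": fields["PROTO"], "spt": int(fields["SPT"]), "dpt": int(fields["DPT"]),
        "flags": {tok for tok in body.split() if tok in TCP_FLAGS},
    }

def classify(pkt):
    """Label a parsed packet using the SPT/DPT reasoning from the thread."""
    if pkt["dpt"] in WORM_TARGET_PORTS and "SYN" in pkt["flags"]:
        # New connection to a service port we don't run: a worm/recon probe.
        # Only harmless if the firewall actually dropped it.
        if pkt["prefix"].startswith("DROP"):
            return "worm probe to DPT=%d (dropped)" % pkt["dpt"]
        return "worm probe to DPT=%d (NOT dropped - check rules)" % pkt["dpt"]
    if pkt["spt"] == POP3_PORT and "ACK" in pkt["flags"]:
        # The mail server's service port is the *source*: this is a reply inside
        # a POP3 session our client opened, not an inbound connection attempt.
        return "reply from POP3 server (established session)"
    return "unclassified %s %s:%d -> %s:%d" % (
        pkt["proto"], pkt["src"], pkt["spt"], pkt["dst"], pkt["dpt"])

def summarise(log_text):
    """One label per netfilter LOG line, skipping non-firewall kernel messages."""
    return [classify(p) for p in map(parse_line, log_text.splitlines()) if p]
```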