
Linux system port scanning/probing

3,557 Views
Last Modified: 2013-11-15
I have a redhat 7.2 system which I am guessing was compromised, as my firewall on another system detects multiple port scans/probes. I have isolated this system until next week when I have a chance to look at it, but I am wondering if anyone has any ideas what is causing it? Assuming this is a hack of some kind, it appears to have done nothing else to the system, which otherwise works fine.

Top Expert 2005

Commented:
If a firewall on one system is detecting port scans from another system it's a good bet that your other system has been compromised in some way. And it's not surprising that your other system appears normal. A really good cracker won't make any changes in a system that they penetrate that would be easily detectable. Without having access to the box I can't say exactly what the cracker might have done.

Author

Commented:
And see, that is what I would like to find out -- what happened. I just moved to this company, and this machine was behind a firewall which I discovered this morning had an openssh root compromise a few weeks ago -- which nobody felt was worthwhile telling me... Hurray for that!

Looks like I have some machines to rebuild.
Top Expert 2005

Commented:
If the attacker was any good there won't be any evidence left to tell you how they got in. About all you can do there is to change all passwords, do a full re-install, and apply all RedHat errata. Any data that is saved from the system needs to be carefully examined for trojans or other malicious code before it is restored to the system.  If there are any third party or other non-RedHat applications those must also be checked for security updates and later versions installed if necessary.

After the system has been restored to a sane state I'd recommend that you configure and run tripwire. With it in place you'll find out quickly if any changes are made to important system files and you'll have the information necessary to put the system right if there is an attack. Running a host based firewall that is as restrictive as possible, commensurate with server requirements, is also a good thing to do.

Many times about all you can do with a cracked system is to see how many vulnerabilities were present because security updates weren't installed. It's not too difficult to see what the cracker did, but that doesn't tell you anything about how they got in. If the attacker is careless there may be log files still around that might help narrow down the area of vulnerability.

Author

Commented:
My situation is complicated because this may have been going on for several weeks; I just got to this office, where they previously had no sysadmin of any sort. Is there a way for me to locate what process is doing the port sweep/scan on the machine?
Top Expert 2005
Commented:

Author

Commented:
rpm --verify didn't report anything interesting, other than a number of /dev/ device files being modified -- but this is of course normal. Runlevel 3 does not seem to have stopped the probes, so a static ps would help me identify processes that should not be running (as replacing ps is a common hack, I understand) -- now we are working on the assumption that anything running under a static ps was not modified because rpm --verify didn't report it as so -- is it possible (well, of course it is, but practically speaking) that the person modified the rpm database such that the changes would not show?

Appreciate the info.
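The rpm --verify triage the author describes above, as an added example (not code from this thread): it parses rpm -V output in both the 8-character attribute format of rpm 4.0-era systems and the 9-character format of newer releases, treats metadata drift on /dev nodes as expected, and raises content changes to system binaries (the replaced-ps case) and missing packaged files to the top. The sample output and the path /usr/sbin/foo are constructed, and the severity rules are this example's own choices.

```python
"""Triage helper for `rpm --verify` (rpm -Va) output (added example)."""
import re
from dataclasses import dataclass

# One rpm -V line: 8 (rpm 4.0-era) or 9 (newer) attribute characters, or the
# word "missing", then an optional file-type letter (c,d,g,l,r), then the path.
LINE_RE = re.compile(
    r"^(?:(?P<flags>[SM5DLUGTP.?]{8,9})|(?P<missing>missing))\s+"
    r"(?:(?P<ftype>[cdglr])\s+)?(?P<path>/.*)$"
)

# Meaning of each failed-test letter in the attribute field.
FLAG_MEANING = {
    "S": "size", "M": "mode", "5": "checksum", "D": "device number",
    "L": "symlink target", "U": "owner", "G": "group", "T": "mtime",
    "P": "capabilities",
}

# Content changes under these trees usually mean a replaced binary or library.
BINARY_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/lib/", "/usr/lib/")
SEVERITY_ORDER = {"critical": 0, "review": 1, "expected": 2}


@dataclass
class Finding:
    path: str
    severity: str
    reason: str


def parse_verify_line(line):
    """Return (missing, failed_tests, file_type, path) or None for non-verify lines."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    failed = set(m["flags"] or "") - {".", "?"}   # "." passed, "?" not testable
    return m["missing"] is not None, failed, m["ftype"], m["path"]


def classify(missing, failed, ftype, path):
    """Assign a triage severity to one verify result (rules chosen for this example)."""
    changed = ", ".join(FLAG_MEANING[f] for f in sorted(failed)) or "nothing"
    if missing:
        return Finding(path, "critical", "packaged file is missing")
    # Device nodes change owner/mode/mtime in normal operation (as the author notes).
    if path.startswith("/dev/") and failed <= {"D", "M", "U", "G", "T"}:
        return Finding(path, "expected", f"device node metadata drift ({changed})")
    # A size or checksum change on a system binary is the trojaned-ps scenario.
    if failed & {"5", "S"} and path.startswith(BINARY_PREFIXES):
        return Finding(path, "critical", f"content of system binary/library changed ({changed})")
    if ftype == "c":
        return Finding(path, "review", f"config file differs from package ({changed})")
    return Finding(path, "review", f"attributes changed ({changed})")


def triage(lines):
    """Parse and classify rpm -V output, most severe findings first."""
    parsed = (parse_verify_line(line) for line in lines)
    findings = [classify(*p) for p in parsed if p]
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


# Constructed sample in the rpm 4.0 (8-character) format; not a real capture.
SAMPLE_VERIFY_OUTPUT = """\
S.5....T   /bin/ps
S.5....T   /bin/netstat
.......T c /etc/ssh/sshd_config
.M...UG.   /dev/tty1
......G.   /dev/null
missing    /usr/sbin/foo
Unsatisfied dependencies for somepkg-1.0: libexample.so.1
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_VERIFY_OUTPUT.splitlines()):
        print(f"{f.severity:9} {f.path:28} {f.reason}")
```

Two caveats follow from the thread itself: a verify only covers files that came from a package, so a scanner dropped into a fresh directory never appears in this output, and the comparison trusts the local rpm database that the author is worried about. Verifying against pristine vendor package files (`rpm -Vp` on the .rpm files) or against a database copied from a known-clean install removes that dependency.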
Top Expert 2005

Commented:
Since a verify didn't turn up anything interesting that implies that the port scanner is something that has been added as opposed to something that has been changed. I'd suggest that you get the chkrootkit tool and see if it turns up something.

While it is possible that an attacker could have modified the rpm database I'm not aware of any root kits or other hacker tools that do so.

Author

Commented:
thanks
Hi

In the case of port scans there are two things which can be done:

1. install iptables/ipchains
2. install portsentry

portsentry checks whether there is a port scan, and if it detects one it has that system blocked by adding an ipchains/iptables entry for it.
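The detection side of what portsentry and the asker's perimeter firewall are doing, as an added example that is not from this thread: a sliding-window count over iptables LOG lines that reports any source address contacting many distinct destination ports within a short interval. The log lines, host names and addresses are constructed, and the window and port threshold are assumptions to tune for the site.

```python
"""Detect port sweeps in iptables LOG lines (added example)."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Fields of a kernel iptables LOG line that matter for sweep detection.
# Assumption: standard syslog prefix plus the LOG target's KEY=VALUE fields.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\w+) "
    r"SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse_log_line(line, year=2013):
    """Return (timestamp, src, dst, proto, dport) or None for non-matching lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["dst"], m["proto"], int(m["dpt"])


def detect_sweeps(lines, window=timedelta(seconds=60), min_ports=10):
    """Report each SRC that touched >= min_ports distinct (DST, DPT) pairs
    inside any window-long interval. Returns one dict per offending source."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_log_line(line)
        if ev:
            by_src[ev[1]].append(ev)

    alerts = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e[0])
        live = deque()        # events inside the current window
        targets = Counter()   # (dst, dport) -> hits inside the window
        for ev in events:
            live.append(ev)
            targets[(ev[2], ev[4])] += 1
            # Expire events that fell out of the window.
            while ev[0] - live[0][0] > window:
                old = live.popleft()
                key = (old[2], old[4])
                targets[key] -= 1
                if targets[key] == 0:
                    del targets[key]
            if len(targets) >= min_ports:
                alerts.append({
                    "src": src,
                    "first_seen": live[0][0],
                    "last_seen": ev[0],
                    "distinct_ports": len(targets),
                    "hosts": sorted({dst for dst, _ in targets}),
                })
                break   # one alert per source is enough for triage
    return alerts


def constructed_log_line(ts, src, dst, dport):
    """Build a LOG line in the shape above (constructed sample data, not a capture)."""
    return (f"{ts:%b %d %H:%M:%S} fw kernel: IN=eth0 OUT= MAC=00:00:00:00:00:00 "
            f"SRC={src} DST={dst} LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF "
            f"PROTO=TCP SPT=40000 DPT={dport} WINDOW=1024 RES=0x00 SYN URGP=0")


def sample_lines():
    """Constructed log: one host sweeping 12 ports on a neighbour, one benign host."""
    start = datetime(2013, 11, 15, 10, 0, 0)
    lines = []
    for i, port in enumerate((21, 22, 23, 25, 53, 80, 110, 111, 139, 143, 443, 445)):
        lines.append(constructed_log_line(start + timedelta(seconds=i), "10.0.0.5", "10.0.0.9", port))
    for i in range(3):
        lines.append(constructed_log_line(start + timedelta(seconds=i), "10.0.0.7", "10.0.0.9", 80))
    lines.append("Nov 15 10:00:30 fw sshd[123]: Accepted password for admin")  # unrelated
    return lines


if __name__ == "__main__":
    for alert in detect_sweeps(sample_lines()):
        print(alert)
```

Blocking the source, as portsentry does, is a separate step; the value of the alert for the asker's situation is that it names the internal host doing the sweeping and the window in which it happened, which is what narrows the search for the responsible process on that host.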

 

Author

Commented:
iptables/chains would simply block incoming scans - I was looking to identify the cause of them and remove it, but thanks.
