majorwoo
Linux system port scanning/probing

I have a redhat 7.2 system which I am guessing was compromised as my firewall on another system detects multiple port scans/probes. I have isolated this system until next week when I have a chance to look at it, but I am wondering if anyone has any ideas what is causing it?  Assuming this is a hack of some kind it appears to have done nothing else to the system which otherwise works fine.
jlevie

If a firewall on one system is detecting port scans from another system it's a good bet that your other system has been compromised in some way. And it's not surprising that your other system appears normal. A really good cracker won't make any changes in a system that they penetrate that would be easily detectable. Without having access to the box I can't say exactly what the cracker might have done.

ASKER

And see that is what I would like to find out -- what happened.  I just moved to this company and this machine was behind a firewall which I discovered this morning had an openssh root compromise a few weeks ago - which nobody felt was worthwhile telling me...   Hurray for that!

Looks like I have some machines to rebuild.
If the attacker was any good there won't be any evidence left to tell you how they got in. About all you can do there is to change all passwords, do a full re-install, and apply all RedHat errata. Any data that is saved from the system needs to be carefully examined for trojans or other malicious code before it is restored to the system.  If there are any third party or other non-RedHat applications those must also be checked for security updates and later versions installed if necessary.

After the system has been restored to a sane state I'd recommend that you configure and run tripwire. With it in place you'll find out quickly if any changes are made to important system files and you'll have the information necessary to put the system right if there is an attack. Running a host based firewall that is as restrictive as possible, commensurate with server requirements, is also a good thing to do.

Many times about all you can do with a cracked system is to see how many vulnerabilities were present because security updates weren't installed. It's not too difficult to see what the cracker did, but that doesn't tell you anything about how they got in. If the attacker is careless there may be log files still around that might help narrow down the area of vulnerability.
My situation is complicated because this may have been going on for several weeks, I just got to this office where they previously had no sysadmin of any sort.  Is there a way for me to locate what process is doing the port sweep/scan on the machine?
ASKER CERTIFIED SOLUTION
jlevie
rpm --verify didn't report anything interesting, other than a number of /dev/ device files being modified - but this is of course normal.  Runlevel 3 does not seem to have stopped the probes, so a static ps would help me identify processes that should not be running (as replacing ps is a common hack I understand) -- now we are working on the assumption that anything running under a static ps was not modified because rpm --verify didn't report it as so -- is it possible (well of course it is, but practically speaking) that the person modified the rpm database such that the changes would not show?

Appreciate the info.
Since a verify didn't turn up anything interesting that implies that the port scanner is something that has been added as opposed to something that has been changed. I'd suggest that you get the chkrootkit tool and see if it turns up something.

While it is possible that an attacker could have modified the rpm database I'm not aware of any root kits or other hacker tools that do so.
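As an added example, not code from the thread, here is a small shell filter for the rpm --verify triage majorwoo describes above: it drops the expected /dev noise and surfaces replaced binaries, missing files and edited config files. The sample rpm output is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): triage rpm --verify output on a
# suspected host. The sample below is constructed; the line format is rpm's:
# a flag field (S size, M mode, 5 digest, D device, L link, U user, G group,
# T mtime, optional 9th P caps), an optional attribute char (c config, d doc),
# then the path. "missing" replaces the flags for a file that is gone.
SAMPLE_RPM_V='S.5....T.    /bin/ps
.......T.  c /etc/hosts
.M.......    /dev/tty5
.M.......    /dev/null
S.5....T.    /usr/bin/netstat
.......T.  d /usr/share/doc/foo/README
missing      /sbin/ifconfig
S.5....T.  c /etc/inetd.conf'

# Keep only what is worth a second look. /dev entries are the expected noise
# the asker saw; mtime/mode-only and documentation changes are low value;
# a changed digest (5) or size (S) on a binary, or a missing file, is what a
# replaced or removed tool looks like. Config files with changed contents are
# listed separately for manual review rather than dropped.
triage_rpm_verify() {
    printf '%s\n' "$1" | awk '
    NF == 0 { next }
    $1 == "missing" { print "MISSING  " $NF; next }
    {
        flags = $1; path = $NF
        type = (NF == 3) ? $2 : "-"
        if (path ~ /^\/dev\//) next          # device nodes: expected noise
        if (type == "d") next                # docs: not interesting
        if (flags !~ /[S5]/) next            # no size/digest change
        if (type == "c") print "CONFIG   " flags "  " path
        else             print "CHANGED  " flags "  " path
    }'
}

# On a real host: triage_rpm_verify "$(rpm -Va 2>/dev/null)"
# A clean report is not proof of a clean system: as the thread notes, the rpm
# database itself can be tampered with, so where possible verify with an rpm
# binary and database copied from a known-good source.
triage_rpm_verify "$SAMPLE_RPM_V"
```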
thanks
Hi

In case of portscans there can be 2 things which can be done:

1. install iptables/ipchains
2. install portsentry

portsentry checks if there is a portscan and in case it detects that is a portscan then it has the system blocked by adding an ipchain/iptable entry for that
iptables/chains would simply block incoming scans - I was looking to identify the cause of them and remove it, but thanks.