  #1  
Old 11th June 2007, 10:33 PM
joegumbo
Registered User
 
Join Date: May 2006
Posts: 96
I think I've been hacked

Hello,

I'm using an eMachine W3503 connected to the internet via Comcast cable. I use an AlphaShield hardware firewall. Between the hardware firewall and the eMachine, I have a NetGear router. I am also using the FireStarter firewall. My OS is a several-days-old reinstall of FC6. I have a perfect rating from "Shields Up." Total stealth.

Over the last several days, I've been getting a flood of hits on Firestarter. They all seem to be coming from the same place. The following is a partial list of the hits I've been getting:

Time:Jun 11 16:47:08 Direction: Inbound In:eth0 Out: Port:34913 Source:77.67.127.26 Destination:192.168.1.4 Length:40 TOS:0x00 Protocol:TCP Service:Unknown
Time:Jun 11 16:47:20 Direction: Inbound In:eth0 Out: Port:34914 Source:77.67.127.26 Destination:192.168.1.4 Length:40 TOS:0x00 Protocol:TCP Service:Unknown
Time:Jun 11 16:48:08 Direction: Inbound In:eth0 Out: Port:38464 Source:77.67.127.35 Destination:192.168.1.4 Length:40 TOS:0x00 Protocol:TCP Service:Unknown
Time:Jun 11 16:48:20 Direction: Inbound In:eth0 Out: Port:38466 Source:77.67.127.35 Destination:192.168.1.4 Length:40 TOS:0x00 Protocol:TCP Service:Unknown
Time:Jun 11 16:48:20 Direction: Inbound In:eth0 Out: Port:38465 Source:77.67.127.35 Destination:192.168.1.4 Length:40 TOS:0x00 Protocol:TCP Service:Unknown
Time:Jun 11 16:48:44 Direction: Inbound In:eth0 Out: Port:38467 Source:77.67.127.35 Destination:192.168.1.4 Length:40 TOS:0x00 Protocol:TCP Service:Unknown
Time:Jun 11 16:50:44 Direction: Inbound In:eth0 Out: Port:36867 Source:77.67.127.0 Destination:192.168.1.4 Length:40 TOS:0x00 Protocol:TCP Service:Unknown
Time:Jun 11 16:51:20 Direction: Inbound In:eth0 Out: Port:38474 Source:77.67.127.35 Destination:192.168.1.4 Length:40 TOS:0x00 Protocol:TCP Service:Unknown
Time:Jun 11 16:52:32 Direction: Inbound In:eth0 Out: Port:50446 Source:77.67.127.42 Destination:192.168.1.4 Length:40 TOS:0x00 Protocol:TCP Service:Unknown


I also checked my system with chkrootkit... all seemed OK. But, when I checked it with rkhunter, I was notified of a problem:

System checks
* Allround tests
Checking hostname... Found. Hostname is localhost.localdomain
Checking for passwordless user accounts... OK
Checking for differences in user accounts... Found differences
Info:
----------------------
< apache:x:48:48:Apache:/var/www:/sbin/nologin
< backuppc:x:102:104::/var/lib/BackupPC:/sbin/nologin
----------------------
Info: Some items have been added (items marked with '<')
Checking for differences in user groups... Found differences
Info:
----------------------
< apache:x:48:
< backuppc:x:104:apache
----------------------
Info: Some items have been added (items marked with '<')

Also, when I ran "top", it listed 1 zombie process. Now it lists none.

Notice that all the hits on my fw are from 77.67.127.x. I'm suddenly flooded, and then nothing. I'd check
< apache:x:48:
< backuppc:x:104:apache
but, I'm not sure what I'm looking for.

I'd also do a clean install, but I don't see the point if I have some sort of hole that I cannot patch. I've done all I can think of doing. I have a dedicated hardware firewall. Behind that, I have a router. Behind that, I have a software firewall with maximum security. I really don't know what else I could have done.

I've also noticed that my internet connection sometimes seems slow.

If anyone here knows what's going on, I'd really appreciate it.

Thank you for your help.

-Joe G.
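Added example (editor's addition, not code from anyone in this thread): a small Python script that parses the nine Firestarter lines quoted in the post above and summarises what they have in common. It assumes Firestarter's "Port:" field is the local port the packet was addressed to, and that the box still used the Linux default local port range of 32768-61000. The thing to notice is that every packet is 40 bytes (a bare IPv4 + TCP header, no options, no payload, so not a SYN) and every one is aimed at a port in the ephemeral range, which is what the tail end of connections the machine opened itself looks like when late ACK/RST/FIN segments arrive after the router or firewall has dropped the connection state. A port scan or an exploit attempt would target service ports with SYNs.

```python
"""Summarise Firestarter hit lines: who sent them, to which local ports, and at what size."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample: the nine Firestarter lines quoted in the post above.
SAMPLE_LOG = """\
Time:Jun 11 16:47:08 Direction: Inbound In:eth0 Out: Port:34913 Source:77.67.127.26 Destination:192.168.1.4 Length:40 TOS:0x00 Protocol:TCP Service:Unknown
Time:Jun 11 16:47:20 Direction: Inbound In:eth0 Out: Port:34914 Source:77.67.127.26 Destination:192.168.1.4 Length:40 TOS:0x00 Protocol:TCP Service:Unknown
Time:Jun 11 16:48:08 Direction: Inbound In:eth0 Out: Port:38464 Source:77.67.127.35 Destination:192.168.1.4 Length:40 TOS:0x00 Protocol:TCP Service:Unknown
Time:Jun 11 16:48:20 Direction: Inbound In:eth0 Out: Port:38466 Source:77.67.127.35 Destination:192.168.1.4 Length:40 TOS:0x00 Protocol:TCP Service:Unknown
Time:Jun 11 16:48:20 Direction: Inbound In:eth0 Out: Port:38465 Source:77.67.127.35 Destination:192.168.1.4 Length:40 TOS:0x00 Protocol:TCP Service:Unknown
Time:Jun 11 16:48:44 Direction: Inbound In:eth0 Out: Port:38467 Source:77.67.127.35 Destination:192.168.1.4 Length:40 TOS:0x00 Protocol:TCP Service:Unknown
Time:Jun 11 16:50:44 Direction: Inbound In:eth0 Out: Port:36867 Source:77.67.127.0 Destination:192.168.1.4 Length:40 TOS:0x00 Protocol:TCP Service:Unknown
Time:Jun 11 16:51:20 Direction: Inbound In:eth0 Out: Port:38474 Source:77.67.127.35 Destination:192.168.1.4 Length:40 TOS:0x00 Protocol:TCP Service:Unknown
Time:Jun 11 16:52:32 Direction: Inbound In:eth0 Out: Port:50446 Source:77.67.127.42 Destination:192.168.1.4 Length:40 TOS:0x00 Protocol:TCP Service:Unknown
"""

# Firestarter's one-line event format; "Port:" is taken to be the local (destination) port.
FIELD_RE = re.compile(
    r"Direction:\s*(?P<dir>\w+).*?Port:(?P<port>\d+)\s+Source:(?P<src>[\d.]+)"
    r"\s+Destination:(?P<dst>[\d.]+)\s+Length:(?P<len>\d+).*?Protocol:(?P<proto>\w+)"
)

# Linux's default ip_local_port_range of that era (assumption: unchanged on this box).
EPHEMERAL = range(32768, 61001)
# 20-byte IPv4 header + 20-byte TCP header, no options, no payload: a bare ACK/RST/FIN, not a SYN.
HEADER_ONLY_TCP = 40


def parse(log):
    """Turn Firestarter hit lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log.splitlines():
        m = FIELD_RE.search(line)
        if m:
            events.append({"dir": m["dir"], "port": int(m["port"]),
                           "src": ip_address(m["src"]), "dst": ip_address(m["dst"]),
                           "len": int(m["len"]), "proto": m["proto"]})
    return events


def summarise(events):
    """Group by source /24, report the local port spread, and judge whether this is scan-like."""
    nets = Counter(str(ip_network(f"{e['src']}/24", strict=False)) for e in events)
    ports = sorted(e["port"] for e in events)
    ephemeral = sum(p in EPHEMERAL for p in ports)
    header_only = sum(e["proto"] == "TCP" and e["len"] == HEADER_ONLY_TCP for e in events)
    return {
        "total": len(events),
        "networks": dict(nets),
        "port_range": (ports[0], ports[-1]) if ports else None,
        "ephemeral_port_hits": ephemeral,
        "header_only_tcp": header_only,
        # All bare TCP segments, all aimed at ephemeral ports: consistent with stragglers from
        # connections this host opened itself, not with a scan of service ports.
        "looks_like_stragglers": bool(events) and ephemeral == len(events) and header_only == len(events),
    }


if __name__ == "__main__":
    for key, value in summarise(parse(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run it against a longer Firestarter log and the interesting cases are the opposite of this one: hits whose port is below 1024 (or any well-known service port) with a length above 40, from many unrelated networks. Those are worth a closer look; a burst of 40-byte packets to ephemeral ports from one CDN /24 a few seconds after browsing a site it fronts is not.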
  #2  
Old 12th June 2007, 12:59 AM
joegumbo
Registered User
 
Join Date: May 2006
Posts: 96
Followup info...

I checked system services. httpd was stopped, but sshd was not. I unchecked sshd. This is simply a home desktop PC, no servers or LAN needed to communicate with other PCs, no "Trusted Zone." I do have a laptop that I only occasionally use via wireless to go online. But I don't need to share resources, my printer, etc. Since apache was unchecked, could the changes in apache just be ordinary system changes?

Thanks,
-Joe G.
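Added example (editor's addition, not code from anyone in this thread) for the rkhunter output in the first post and the question just above. rkhunter compares the current /etc/passwd and /etc/group against the copy it kept from an earlier run, so any package installed after that baseline shows up as an "added" account; on Fedora the apache user with uid 48 and the /sbin/nologin shell is exactly what the httpd package's pre-install scriptlet creates (rpm -q --scripts httpd shows the useradd line), and backuppc comes from the BackupPC package. What an attacker-created account tends to look like is different, and the script below triages the "<" lines for those properties: uid 0 under a name other than root, an interactive shell, an empty or non-shadowed password field, or a system-range uid with a /home directory. It assumes the Red Hat convention of that era that uids below 500 are system accounts.

```python
"""Triage the '<' (added) account lines from an rkhunter user/group difference report."""

# Constructed sample: the two 'Found differences' blocks rkhunter printed in the first post.
RKHUNTER_OUTPUT = """\
Checking for differences in user accounts... Found differences
Info:
----------------------
< apache:x:48:48:Apache:/var/www:/sbin/nologin
< backuppc:x:102:104::/var/lib/BackupPC:/sbin/nologin
----------------------
Info: Some items have been added (items marked with '<')
Checking for differences in user groups... Found differences
Info:
----------------------
< apache:x:48:
< backuppc:x:104:apache
----------------------
Info: Some items have been added (items marked with '<')
"""

PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}
# Red Hat/Fedora of that era reserved uids below 500 for system accounts (assumption: default login.defs).
SYSTEM_UID_MAX = 499


def added_accounts(report):
    """Return the added /etc/passwd entries as dicts; group lines (4 fields) are skipped."""
    entries = []
    for line in report.splitlines():
        if not line.startswith("< "):
            continue
        fields = line[2:].split(":")
        if len(fields) == len(PASSWD_FIELDS):
            entries.append(dict(zip(PASSWD_FIELDS, fields)))
    return entries


def triage(entry):
    """List the properties that make a newly added account worth a closer look."""
    findings = []
    uid = int(entry["uid"])
    if uid == 0 and entry["name"] != "root":
        findings.append("uid 0: a second superuser account")
    if entry["shell"] not in NOLOGIN_SHELLS:
        findings.append(f"interactive shell {entry['shell']}")
    if entry["passwd"] == "":
        findings.append("empty password field: passwordless login")
    elif entry["passwd"] not in ("x", "*", "!!"):
        findings.append("password hash kept in /etc/passwd instead of /etc/shadow")
    if uid <= SYSTEM_UID_MAX and entry["home"].startswith("/home/"):
        findings.append("system-range uid with a /home directory")
    return findings


def report(text):
    """Map each added account name to its findings; an empty list means nothing stands out."""
    return {e["name"]: triage(e) for e in added_accounts(text)}


if __name__ == "__main__":
    for name, findings in report(RKHUNTER_OUTPUT).items():
        print(name, "->", findings or "nothing unusual; check which package created it")
```

An empty finding list is not proof the account is legitimate, only that it looks like a package-created service account; the confirming step is to tie the name to a package (rpm -q --scripts for the package you think created it) and to check that rkhunter's baseline predates that install.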
  #3  
Old 12th June 2007, 01:18 AM
joegumbo
Registered User
 
Join Date: May 2006
Posts: 96
More...

I checked /var/log/secure and /var/log/secure.1 and both are blank.

Thanks,
-Joe

Last edited by joegumbo; 12th June 2007 at 01:19 AM. Reason: typo
  #4  
Old 12th June 2007, 01:33 AM
pete_1967
Clueless in a Cuckooland
 
Join Date: Mar 2006
Location: Here now, elsewhere tomorrow.
Posts: 3,950
That IP# is one of Akamai's, which provides distributed caching services
Quote:
[01:28:48 ~]$ whois 77.67.127.26
[Querying whois.arin.net]
[Redirected to whois.ripe.net:43]
[Querying whois.ripe.net]
[whois.ripe.net]
% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '77.67.127.0 - 77.67.127.255'

inetnum: 77.67.127.0 - 77.67.127.255
netname: AKAMAI-TINET
descr: Akamai Technologies
country: FR
admin-c: NARA1-RIPE
tech-c: NARA1-RIPE
status: ASSIGNED PA
mnt-by: TISCALI-INT-NET
source: RIPE # Filtered

role: Network Architecture Role Account
address: Akamai Technologies
address: 8 Cambridge Center
address: Cambridge, MA 02142
phone: +1-617-938-3130
e-mail: ip-admin@akamai.com
admin-c: NF1714-RIPE
admin-c: JP1944-RIPE
tech-c: NF1714-RIPE
tech-c: JP1944-RIPE
tech-c: APB15-RIPE
nic-hdl: NARA1-RIPE
mnt-by: AKAM1-RIPE-MNT
source: RIPE # Filtered

% Information related to '77.67.0.0/17AS3257'

route: 77.67.0.0/17
descr: Tiscali International Network
origin: AS3257
mnt-by: TISCALI-INT-ROUTE
source: RIPE # Filtered
Also your log doesn't show any outbound traffic. When you say your secure log is empty, do you mean blank when it shouldn't or empty of anything obvious?

Check the timestamps on them and do a test root login to see if they are getting wiped. Also run Wireshark and record traffic for analysis.

Does look to me that it's just some website trying to send data to you after you left it (maybe a broken logout function or similar - although high ports do seem strange).

You could contact Akamai and Tiscali to find out to whom the IP# belongs.
  #5  
Old 12th June 2007, 02:04 AM
joegumbo
Registered User
 
Join Date: May 2006
Posts: 96
Hello Pete_1967

When you say your secure log is empty, do you mean blank when it shouldn't or empty of anything obvious?
Sorry about the confusion. Yes, it's blank when I open it in Kate.


Check the timestamps on them and do test root login to see if they are getting wiped.
When I check "Properties,"
/var/log/secure was
Modified: 2007-06-11 20:01
Accessed: 2007-06-11 04:10

/var/log/secure.1
Modified: 2007-06-09 14:05
Accessed: 2007-06-11 04:10

Also run Wireshark and record traffic for analysis.
I just installed Wireshark, but I need to read up on it to figure out how to use it.

Thanks for the info on how to figure out who's hitting my fw. I'll contact Akamai and send them my Firestarter logs and a link to this thread.

Thank you Pete_1967.

-Joe G.
  #6  
Old 12th June 2007, 02:06 AM
The_Jaymz
Registered User
 
Join Date: Mar 2005
Location: Mobile, Alabama, USA
Age: 35
Posts: 342
I would think that if you're behind all of those firewalls, an attacker would have to be extremely skilled and extremely motivated to actually compromise your system. I also think that someone that skilled and motivated would direct their efforts to something more valuable than your desktop machine... unless you have state secrets or something like that and they know it.

As root, use the chattr command to set the attributes of your log file to Append Only. I think it's chattr +a filename
__________________
-Jaymz
  #7  
Old 12th June 2007, 02:41 AM
joegumbo
Registered User
 
Join Date: May 2006
Posts: 96
Hi Jaymz

I did as you said. I ran
chattr +a /var/log/secure
I'll keep an eye on it.

No, I don't have state secrets or anything that valuable. It's probably like Pete_1967 suggested... a site trying to send me data after I leave. Then again, the high port numbers are weird. Maybe "they" have an infected machine?

Thanks,
-Joe
  #8  
Old 12th June 2007, 02:17 AM
joegumbo
Registered User
 
Join Date: May 2006
Posts: 96
BTW, I'll report back when they contact me.

-Joe
  #9  
Old 12th June 2007, 03:05 AM
marcrblevins
Registered User
 
Join Date: Jun 2006
Location: Texas
Age: 42
Posts: 4,168
Your secure and messages files should not be zero bytes after a few days. They're usually zero bytes when the PC was rebooted.

Install denyhosts to play it safe if you are going to have sshd running.

[code]
su -
yum install denyhosts
chkconfig denyhosts on
service denyhosts start
[/code]

Then sleep like a baby.
  #10  
Old 12th June 2007, 03:26 AM
joegumbo
Registered User
 
Join Date: May 2006
Posts: 96
Hello marcrblevins,

I unchecked sshd, but i followed your advice and installed denyhosts anyhow.

Thank you for the advice.

Now going to sleep.

Thanks,
-Joe
  #11  
Old 12th June 2007, 04:04 AM
The_Jaymz
Registered User
 
Join Date: Mar 2005
Location: Mobile, Alabama, USA
Age: 35
Posts: 342
You might also want to check out the conf file for denyhosts. There's an option to upload/download a list of known attackers.
__________________
-Jaymz
  #12  
Old 12th June 2007, 04:46 AM
marcrblevins
Registered User
 
Join Date: Jun 2006
Location: Texas
Age: 42
Posts: 4,168
The only place I changed on my /etc/denyhosts was:
# To block all services for the offending host:
BLOCK_SERVICE = ALL
# To block only sshd:
#BLOCK_SERVICE = sshd

It originally passed on sshd to hosts.deny; I swapped the BLOCK_SERVICE so now hosts.deny uses ALL. In other words, that hacker can't get on any of my network apps.
Note: your /etc/hosts.deny file will tend to grow.

Partial of my copy:
[root@kiriyamablevins ~]# cat /etc/hosts.deny
#
# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!

# DenyHosts: Thu Jun 7 03:12:37 2007 | sshd: 123.49.32.34
sshd: 123.49.32.34
# DenyHosts: Thu Jun 7 13:18:37 2007 | sshd: 202.146.92.147
sshd: 202.146.92.147
# DenyHosts: Thu Jun 7 14:45:08 2007 | sshd: 81.18.89.154
sshd: 81.18.89.154
# DenyHosts: Thu Jun 7 18:13:15 2007 | sshd: 64.22.77.82
sshd: 64.22.77.82
# DenyHosts: Fri Jun 8 08:14:45 2007 | ALL: 218.75.126.10
ALL: 218.75.126.10
# DenyHosts: Fri Jun 8 14:23:46 2007 | ALL: 209.139.209.104
ALL: 209.139.209.104
# DenyHosts: Sat Jun 9 07:55:28 2007 | ALL: 61.144.243.61
ALL: 61.144.243.61
# DenyHosts: Sat Jun 9 23:00:06 2007 | ALL: 212.241.180.48
ALL: 212.241.180.48
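Added example (editor's addition, not code from anyone in this thread) showing why the BLOCK_SERVICE switch in the post above matters. It evaluates a (daemon, client) pair the way tcpd/libwrap does: hosts.allow is consulted first and a match there grants access, then hosts.deny, and a client that matches neither file is let in. The deny list is built from the hosts.deny excerpt quoted above with the DenyHosts comments dropped; hosts.allow is assumed empty, as on a default install. Only IPv4 client patterns are handled (ALL, an exact address, a trailing-dot prefix such as 192.168.1., and net/mask in dotted or CIDR form); hostnames and the EXCEPT operator are left out.

```python
"""Decide, as tcpd/libwrap does, whether hosts.allow/hosts.deny let a client reach a daemon."""
from ipaddress import ip_address, ip_network

# Constructed from the hosts.deny excerpt in the post above, DenyHosts comments dropped.
HOSTS_DENY = """\
sshd: 123.49.32.34
sshd: 202.146.92.147
sshd: 81.18.89.154
sshd: 64.22.77.82
ALL: 218.75.126.10
ALL: 209.139.209.104
ALL: 61.144.243.61
ALL: 212.241.180.48
"""
HOSTS_ALLOW = ""  # assumption: hosts.allow left empty, as on a default install


def parse_rules(text):
    """Each rule is (daemon patterns, client patterns); a third field (shell command) is ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments such as the DenyHosts markers
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) < 2:
            continue
        daemons = [d.strip() for d in parts[0].split(",")]
        clients = [c.strip() for c in parts[1].split(",")]
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, client):
    """IPv4 client patterns: ALL, exact address, 'a.b.' prefix, or net/mask (dotted mask or CIDR)."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return str(client).startswith(pattern)
    if "/" in pattern:
        return client in ip_network(pattern, strict=False)
    return client == ip_address(pattern)


def daemon_matches(patterns, daemon):
    return "ALL" in patterns or daemon in patterns


def allowed(daemon, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """hosts.allow is consulted first and wins; then hosts.deny; no match at all means access."""
    client = ip_address(client_ip)
    for daemons, clients in parse_rules(allow_text):
        if daemon_matches(daemons, daemon) and any(client_matches(c, client) for c in clients):
            return True
    for daemons, clients in parse_rules(deny_text):
        if daemon_matches(daemons, daemon) and any(client_matches(c, client) for c in clients):
            return False
    return True


if __name__ == "__main__":
    for daemon, ip in (("sshd", "123.49.32.34"), ("vsftpd", "123.49.32.34"),
                       ("vsftpd", "218.75.126.10"), ("sshd", "10.0.0.1")):
        print(f"{daemon} from {ip}: {'allowed' if allowed(daemon, ip) else 'denied'}")
```

The entries written while BLOCK_SERVICE was sshd close only sshd for that host, so 123.49.32.34 is still free to try any other wrapped service; the ALL: entries written afterwards close every wrapped service. Two caveats: these files are honoured only by daemons that consult libwrap (the sshd shipped with Fedora at the time did) or that run under tcpd, not by everything listening on the box, and DenyHosts works by reading failed logins out of /var/log/secure, so it is blind on a machine where that log is empty.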
  #13  
Old 12th June 2007, 04:50 AM
marcrblevins
Registered User
 
Join Date: Jun 2006
Location: Texas
Age: 42
Posts: 4,168
Jaymz
Do you use that option you were referring to?

SYNC_SERVER = http://xmlrpc.denyhosts.net:9911

Thanks for that info, I'm reading it now:
http:/denyhosts.sourceforge.net/faq.html#sync
  #14  
Old 12th June 2007, 05:05 AM
The_Jaymz
Registered User
 
Join Date: Mar 2005
Location: Mobile, Alabama, USA
Age: 35
Posts: 342
Quote:
Originally Posted by marcrblevins
Jaymz
Do you use that option you were referring to?

SYNC_SERVER = http://xmlrpc.denyhosts.net:9911

Thanks for that info, I'm reading it now:
http:/denyhosts.sourceforge.net/faq.html#sync
Yeah, I use it. I like the idea that we can share info on the baddies.
__________________
-Jaymz
  #15  
Old 27th June 2012, 11:16 PM
dysphorichermit
Registered User
 
Join Date: May 2010
Location: United States
Posts: 35
Re: I think I've been hacked

Quote:
Originally Posted by The_Jaymz View Post
Yeah, I use it. I like the idea that we can share info on the baddies.
Does 9911 need to be opened on the firewall and port forwarded on the router?
__________________
"I ask not for a lighter burden, but for broader shoulders."