Re: * Newbie and scan attack
DSC Siltec <dscpubl@siltec.lt> wrote:
I have a bit of a problem: I just installed Woody on
a dual-boot box, got KDE and all up and running, and
very soon found that I was losing my connection.
I inquired as to why, and I was told I was being cut off
because my computer was scan-attacking the ISP proxy server.
One scan attack attacked my proxy server's proxy port, from 1031,1032,
1033,1034, 1035... and expired about 8 minutes later.
If I understand your setup from previous posts, you are going from one
Linux box into another one running Red Hat, and then linking via
satellite link to another site. Is this correct? Just WHO is telling
you that you are doing a "spam attack" on their proxy server?? Is it
the person running the Red Hat box or is it on the other side of the
satellite link?? This is important in that the "problem" might NOT
reside with you, and you have very little control over the situation.
If it is the Red Hat box telling you this, then the sysop should be able
to give you some more info and/or help.
Anyhow, I had a bunch of junk on the system that I probably
didn't need -- portmap, htdig, roxen, wwwoffled, and apache are a few
of the items -- and I went ahead and removed them. Others, like lpd, I
don't know how to remove. When I ran netstat -punta, with my network
disconnected,
I found a bunch of reports from htdig (open/close).
I'm wondering if that was the source of the problem, or if I have
been taken over by a remote operator, and how I can clean, then secure,
my
system.
This is always a possibility, BUT I would suspect the chances of your
WINDOWS OS being "taken over" are MUCH greater than the Linux OS. I
would bet the odds are 100 to 1 or greater!! One of the first things I
would do is check the logged TIMES of the attacks and see if you were
running Linux at the time. Don't automatically assume that the latest
changes in your setup are the ones responsible. Prove this point first
before you spend a lot of time "fixing" Linux!
Is there anything that hit this particular list server, specifically
(also),
because I had been a subscriber -- and every so often a piece of trash
mail
comes through, and it makes me wonder if there was some kind of an
automated
virus that hit me.
I don't suscribe to the list because of the sheer volume of traffic, but
I do check it several times a day when I am at home. Over the last
couple of months, I have seen reports of sever WINDOWS viruses present
in messages, but absolutely nothing about a Linux "virus" or "worm". I
haven't experienced any problems with my Linux setup either over that
period of time.
Aside from that, other things I noticed: getty runs tty2-tty6 (Bash
runs tty1) whenever I have K running -- and I wonder if that is perhaps
initiating the attack; I also see miniserv.pl, and proftpd; I wonder if
I need those.
klisa and inetd both also make internet accesses. When I run netstat > When you reply, please cc: me at dscpubl@siltec.lt. I nominally removed
> myself from the list server -- it doesn't seem to have worked, but it
> might remove me at any time.
>
>
>
-nlp, I see that ksmserver is listening, artsd, and ssh-agent are also
running. So are my truetype servers Xfs,Xfs-xtt, and the X server, lpd,
and KDEinit.
Klisa is a possibility. It periodically scans for the presence of other
machines on the network. If you haven't specifically configured it for
your LAN, then it is "possible" the defaults could be interpreted as
"spam". It is a program designed to link Windows "shares" to Linux
under KDE and provide a "Network Neighborhood" style interface that you
can browse. IF there are not any other Windows machines you want to
access from Linux then you can safely purge it. You can find some
documentation on it in /usr/share/doc/klisa/. They are gziped files so
you might have to use the "zless" command to view them or just go there
from your "home directory" icon under KDE and click on the files & the y
should open up for you to read.
The ttyX sessions are normal for any Linux and are NOT the problem. You
need inetd so don't mess with it. They are just sitting there waiting
for an incomming connection, and are NOT actively seeking work <grin>.
> When you reply, please cc: me at dscpubl@siltec.lt. I nominally removed
> myself from the list server -- it doesn't seem to have worked, but it
> might remove me at any time.
>
>
> Same with the others... all are passive.
I also have a windows system -- and, sometimes using the same network
connection [manual plug-over] a macintosh, and it is possible that the
attacks were coming through one of those. But the Windows system has a
good firewall "ZoneAlarm" that I can use and understand [I don't yet
understand the Linux one] and McAfee antivirus with autoupdate.
Suggest you concentrate on getting a good firewall installed on your
linux box. This could be the second step after you confirm that it IS
your Linux box causing the "problem" or even if it isn't! These can
keep stuff designed for your internal network from getting out as well
as keep the bad stuff out of your network. There are several that are
relatively simple to install and do a pretty good job "out of the box"
with their default settings. There is one package in Debian "testing"
but I think you need a 2.4.X series kernel to use it. The one I use is
called PMFIREWALL and works quite well with Debian. There are better
options if you know what you are doing, but these are probably the
easiest to get set up quickly without spending a lot of time on the
subject. You WILL have to spend some time and learn a bit to get this
going. No one else can do it for you!! Once you gain a little
knowledge, you probably will be quite dismayed at how insecure your
Windows setup is despite the programs you already have installed!!
Here is a good starting point that I like with LOTS of info:
http://www.chebucto.ns.ca/~rakerman/trojan-port-table.html#Trojan-Ports
Cheers & Good Luck!!
-Don Spoon-
--
To UNSUBSCRIBE, email to debian-user-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Reply to: