
Re: * Newbie and scan attack

DSC Siltec <dscpubl@siltec.lt> wrote:

I have a bit of a problem: I just installed Woody on a dual-boot box, got KDE and all up and running, and very soon found that I was losing my connection.
I inquired as to why, and I was told I was being cut off
because my computer was scan-attacking the ISP proxy server.

One scan attack attacked my proxy server's proxy port, from 1031,1032,
1033,1034, 1035...  and expired about 8 minutes later.

If I understand your setup from previous posts, you are going from one Linux box into another one running Red Hat, and then linking via satellite link to another site. Is this correct? Just WHO is telling you that you are doing a "spam attack" on their proxy server?? Is it the person running the Red Hat box or is it on the other side of the satellite link?? This is important in that the "problem" might NOT reside with you, and you have very little control over the situation. If it is the Red Hat box telling you this, then the sysop should be able to give you some more info and/or help.

Anyhow, I had a bunch of junk on the system that I probably didn't need -- portmap, htdig, roxen, wwwoffled, and apache are a few of the items -- and I went ahead and removed them. Others, like lpd, I
don't know how to remove. When I ran netstat -punta, with my network
disconnected, I found a bunch of reports from htdig (open/close). I'm wondering if that was the source of the problem, or if I have been taken over by a remote operator, and how I can clean, then secure,

This is always a possibility, BUT I would suspect the chances of your WINDOWS OS being "taken over" are MUCH greater than the Linux OS. I would bet the odds are 100 to 1 or greater!! One of the first things I would do is check the logged TIMES of the attacks and see if you were running Linux at the time. Don't automatically assume that the latest changes in your setup are the ones responsible. Prove this point first before you spend a lot of time "fixing" Linux!

Is there anything that hit this particular list server, specifically
(also), because I had been a subscriber -- and every so often a piece of trash
comes through, and it makes me wonder if there was some kind of an
automated virus that hit me.

I don't subscribe to the list because of the sheer volume of traffic, but I do check it several times a day when I am at home. Over the last couple of months, I have seen reports of several WINDOWS viruses present in messages, but absolutely nothing about a Linux "virus" or "worm". I haven't experienced any problems with my Linux setup either over that period of time.

Aside from that, other things I noticed:  getty runs tty2-tty6 (Bash
runs tty1) whenever I have K running -- and I wonder if that is perhaps
initiating the attack; I also see miniserv.pl, and proftpd; I wonder if
I need those.
klisa and inetd both also make internet accesses.  When I run netstat
-nlp, I see that ksmserver is listening, artsd, and ssh-agent are also
running.  So are my truetype servers Xfs, Xfs-xtt, and the X server, lpd,
and KDEinit.

Klisa is a possibility. It periodically scans for the presence of other machines on the network. If you haven't specifically configured it for your LAN, then it is "possible" the defaults could be interpreted as "spam". It is a program designed to link Windows "shares" to Linux under KDE and provide a "Network Neighborhood" style interface that you can browse. IF there are not any other Windows machines you want to access from Linux then you can safely purge it. You can find some documentation on it in /usr/share/doc/klisa/. They are gzipped files so you might have to use the "zless" command to view them or just go there from your "home directory" icon under KDE and click on the files & they should open up for you to read.

The ttyX sessions are normal for any Linux and are NOT the problem. You need inetd so don't mess with it. They are just sitting there waiting for an incoming connection, and are NOT actively seeking work <grin>. Same with the others... all are passive.

> When you reply, please cc: me at dscpubl@siltec.lt.  I nominally removed
> myself from the list server -- it doesn't seem to have worked, but it
> might remove me at any time.

I also have a windows system -- and, sometimes using the same network
connection [manual plug-over] a macintosh, and it is possible that the
attacks were coming through one of those.  But the Windows system has a
good firewall "ZoneAlarm" that I can use and understand [I don't yet
understand the Linux one] and McAfee antivirus with autoupdate.

Suggest you concentrate on getting a good firewall installed on your linux box. This could be the second step after you confirm that it IS your Linux box causing the "problem" or even if it isn't! These can keep stuff designed for your internal network from getting out as well as keep the bad stuff out of your network. There are several that are relatively simple to install and do a pretty good job "out of the box" with their default settings. There is one package in Debian "testing" but I think you need a 2.4.X series kernel to use it. The one I use is called PMFIREWALL and works quite well with Debian. There are better options if you know what you are doing, but these are probably the easiest to get set up quickly without spending a lot of time on the subject. You WILL have to spend some time and learn a bit to get this going. No one else can do it for you!! Once you gain a little knowledge, you probably will be quite dismayed at how insecure your Windows setup is despite the programs you already have installed!!

Here is a good starting point that I like with LOTS of info: http://www.chebucto.ns.ca/~rakerman/trojan-port-table.html#Trojan-Ports

Cheers & Good Luck!!

-Don Spoon-
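As a follow-up to the netstat discussion above, here is an added example (not from either poster) that reads `netstat -nlp` output and lists only the sockets bound to a non-loopback address, i.e. the ones a remote host could actually reach; the sample listing is constructed to resemble the services named in the thread, and the port numbers are illustrative.

```shell
#!/bin/sh
# Added example: triage a `netstat -nlp` listing and report which listening
# sockets are reachable from outside the box (bound to 0.0.0.0 or a real
# interface) rather than only to 127.0.0.1. Sample input is constructed.

SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      412/proftpd
tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN      398/lpd
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      520/X
tcp        0      0 127.0.0.1:7100          0.0.0.0:*               LISTEN      501/xfs
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN      611/miniserv.pl
udp        0      0 0.0.0.0:7741            0.0.0.0:*                           630/klisa
udp        0      0 127.0.0.1:1024          0.0.0.0:*                           640/ksmserver'

# Reads netstat -nlp output on stdin; prints "proto port program" for every
# tcp/udp socket whose local address is not loopback.
exposed_listeners() {
    awk '
        $1 !~ /^(tcp|udp)/ { next }          # header line, unix sockets, etc.
        {
            port = $4; sub(/.*:/, "", port)          # "0.0.0.0:21" -> 21
            ip   = $4; sub(/:[^:]*$/, "", ip)        # "0.0.0.0:21" -> 0.0.0.0
            if (ip ~ /^127\./ || ip == "::1") next   # loopback only: not reachable remotely
            prog = $NF; sub(/^[0-9]+\//, "", prog)   # "412/proftpd" -> proftpd
            print $1, port, prog
        }'
}

# Number of externally reachable sockets in the sample listing.
count_exposed() {
    printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
```

Each line printed is a service worth asking "do I need this reachable from the ISP side?", which is the same question the thread raises for proftpd, miniserv.pl and klisa; loopback-only listeners such as xfs are dropped from the report.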
