[plug] hacked system

Jon Miller jlmiller at mmtnetworks.com.au
Mon Mar 20 17:19:27 WST 2006


Thanks for that, it's a little too late to get the netstat dump as the server was turned off before I could get to it.  So I now have it in the shop.  I'm going to replace the drives with new ones and rebuild the system to get it back to the client.  Then I'll put on my Sherlock Holmes kit and start looking for some evidence.

Thanks


>>> mike.benjamin at clarinet.com.au 12:11:46 pm 20/03/2006 >>>

Hi Jon,

Because of the way NAT/NAPT works, the port mapping on the NAT should reference not only the port number to hold open, but also the NAT mapping for the internal address it should be held open for.

Therefore an attacker trying to come in on an internally opened port should only be able to reach the infected machine, and a good firewall may apply other rules to prevent this, as the internal machine should be contacting the attacking machine in order for the firewall to see it as a "legitimate" session. A decent firewall will assume that the user has opened an SSH 22 session to a trusted host, and thereby will allow traffic in from that host, as opposed to letting the whole world into that port.

This is not impossible, as the attacker may have access to a compromised Unix box out there on the net, for example, that his trojan contacts to hold the NAT mapping open, but it is a big glaring arrow as to where the attacks come from if anyone examines the trojan traffic.

Now if the internal PC has a trojan running something like "nc" (netcat) which then forwards to an arbitrary address the attacker can specify on your internal network, then this is entirely possible, with the PC acting as an attacking proxy if you like, and holding the NAT port open.

So I would say it's possible. Is it easy to do? No. Would the attacker have a pretty advanced understanding by creating the trojan to do this? Definitely.

I doubt you were attacked in this way.

One of the big things when doing forensics on a successful attack is to take the machine off the network ASAP, but not restart it. There can be a lot of good information gathered about the attack if it's still in a compromised state, but no longer in the attacker's control.

Before taking it off though, if possible, get a netstat dump of active (or recently active) connections, tcpdump, and lsof output, then take it off the network.

If you reboot the machine, the memory state is lost, and there can be a lot of good stuff there.

Mike.


-----Original Message-----
From: plug-bounces at plug.org.au [mailto:plug-bounces at plug.org.au] On
Behalf Of Jon Miller
Sent: Monday, March 20, 2006 01:45 AM
To: plug at plug.org.au
Subject: [plug] hacked system

Looking for a procedure/suggestions to determine how and when a hacked
system was compromised.  I'm currently rebuilding another system and
would like to put in preventive measures to ensure this does not happen
again.  I have a feeling that one of the packages was outdated, but not
sure.
Since the only apps the client uses are ssh and mail, these should be the
only ports open.
Just curious, is it possible for an infected computer to make available
an open port from a client's desktop? By this I mean, if an infected
PC is sending information out, a socket will open on the firewall; is it
possible for this socket to be compromised and leave open a port?

Thanks


Jon
I will tighten the ssh port to only allow ssh access from certain IP
addresses and only as a user with an account.
_______________________________________________
PLUG discussion list: plug at plug.org.au
http://www.plug.org.au/mailman/listinfo/plug
Committee e-mail: committee at plug.linux.org.au
_______________________________________________
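The volatile-data capture Mike describes (netstat, tcpdump and lsof output taken before the cable is pulled, and no reboot) and his point that a trojan dialling out to its controller is a "glaring arrow" in the traffic, as one added example that is not code from either poster: a POSIX shell live-response script for a Linux host that collects the most volatile state first, takes a bounded packet capture, hashes the set, and does a first-look triage of the netstat output for established sessions the internal host opened to non-private addresses. The function names, output layout and the netstat sample are constructed for this example; every tool invocation is optional and skipped if the tool is not installed.

```shell
#!/bin/sh
# Live-response script for a box suspected of being compromised. Added example
# for this thread (not code from the posters). Run as root on the still-powered
# host BEFORE unplugging or rebooting it; write to removable media, not the
# suspect disk. Assumes Linux; each tool is optional and skipped when absent.

OUT=""

# vol_step LABEL TOOL [ARGS...]: run TOOL if installed, keep output + a manifest line.
vol_step() {
    label="$1"; shift
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$OUT/$label.txt" 2>&1 || true
        printf '%s: %s\n' "$label" "$*" >> "$OUT/manifest.txt"
    else
        printf '%s: SKIPPED (%s not installed)\n' "$label" "$1" >> "$OUT/manifest.txt"
    fi
}

# flag_outbound: read `netstat -antup` output on stdin and print ESTABLISHED TCP
# sessions whose remote end is NOT a private/loopback IPv4 address, i.e. sessions
# this host opened to the outside. A trojan holding a NAT mapping open for its
# controller is exactly such a session; the PID/program column says where to look.
flag_outbound() {
    awk '$1 == "tcp" && $6 == "ESTABLISHED" {
        split($5, rem, ":"); split(rem[1], o, ".")
        private = (o[1] == 10) || (o[1] == 127) || (o[1] == 192 && o[2] == 168) ||
                  (o[1] == 172 && o[2] >= 16 && o[2] <= 31)
        if (!private) print $7 " -> " $5
    }'
}

# collect_volatile OUTDIR [CAPTURE_SECONDS]: most volatile data first.
collect_volatile() {
    OUT="$1"; secs="${2:-60}"
    mkdir -p "$OUT" || return 1
    : > "$OUT/manifest.txt"
    vol_step date         date
    vol_step uptime       uptime
    vol_step netstat      netstat -antup     # sockets with owning PID/program
    vol_step ss           ss -antup          # newer equivalent, if present
    vol_step proc_net_tcp cat /proc/net/tcp  # raw kernel table, cross-check for a trojaned netstat
    vol_step lsof         lsof -nP           # open files/sockets, deleted-but-running binaries
    vol_step ps           ps auxww
    vol_step who          who -a
    vol_step last         last -n 50
    vol_step neigh        ip neigh           # ARP cache: LAN peers that spoke to this host
    vol_step routes       ip route
    vol_step modules      cat /proc/modules  # LKM rootkits appear here unless they hide
    vol_step mounts       mount
    # Bounded capture: packet count AND time limit; -nn avoids adding DNS traffic.
    if [ "$(id -u)" -eq 0 ] && command -v tcpdump >/dev/null 2>&1 \
        && command -v timeout >/dev/null 2>&1; then
        timeout "$secs" tcpdump -i any -nn -c 1000 -w "$OUT/capture.pcap" \
            > "$OUT/tcpdump.log" 2>&1 || true
        printf 'capture: tcpdump %ss / 1000 packets\n' "$secs" >> "$OUT/manifest.txt"
    else
        printf 'capture: SKIPPED (needs root, tcpdump and timeout)\n' >> "$OUT/manifest.txt"
    fi
    # First-look triage of what netstat saw, saved beside the raw output.
    if [ -s "$OUT/netstat.txt" ]; then
        flag_outbound < "$OUT/netstat.txt" > "$OUT/triage_outbound.txt"
    fi
    # Hash the set so later examination can show nothing was altered afterwards.
    if command -v sha256sum >/dev/null 2>&1; then
        (cd "$OUT" && sha256sum *.txt *.log *.pcap > hashes.sha256 2>/dev/null) || true
    fi
}

# Constructed sample of `netstat -antup` output (not a real capture) so that
# flag_outbound can be exercised offline: one desktop with nc dialled out to an
# external host on 22, plus normal local mail, inbound ssh and a listener.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 192.168.1.20:42118      203.0.113.7:22          ESTABLISHED 4471/nc
tcp        0      0 192.168.1.20:51002      192.168.1.5:25          ESTABLISHED 3390/smtp
tcp        0      0 192.168.1.20:22         192.168.1.9:55120       ESTABLISHED 5012/sshd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           700/ntpd'

# Stand-alone use:  sh collect.sh /mnt/usb/case-001 60
# With no arguments, only run the triage over the constructed sample.
if [ $# -gt 0 ]; then
    collect_volatile "$@"
else
    printf '%s\n' "$SAMPLE_NETSTAT" | flag_outbound
fi
```

Everything this script collects comes from the suspect host's own binaries and kernel, so a rootkit can lie to netstat, ps and lsof; that is why the raw /proc tables and the packet capture are kept alongside them as a cross-check, and why a capture taken upstream (on the firewall or a span port) is better still. The triage only looks at IPv4 addresses and only catches sessions that are established at the moment netstat runs, which is also the reason the script takes the socket and process snapshots before anything else.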
PLUG discussion list: plug at plug.org.au
http://www.plug.org.au/mailman/listinfo/plug
Committee e-mail: committee at plug.linux.org.au
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.plug.org.au/pipermail/plug/attachments/20060320/47fb7964/attachment.htm>


More information about the plug mailing list