
Re: Firewall/Port Problem



Cynthia Blue wrote:
Thanks for the reply...
I'm looking in dev for anything odd... and GNOME is telling me there are more
files than it can open.  There are a bunch of odd things in there... some
fd1h1200, 0 bytes block device, but I am not familiar with RH Linux yet to
know what is okay, and what is not.   Some tty3 files, 0 byte character
device, last modified today.  A whole bunch of stuff.

Actually, those are fine. fd1h1200 is the /dev entry for your second floppy drive (if you had one), and specifies the 5.25", 1.2MB type (remember those?). The tty ones are for the console ports on your system. I'm sorry. I should have warned you about /dev...it can look odd.

Can someone hack into a server through port 25?  I don't know if it's
someone targeting me specifically, or if it was just something random. I had
a W2K server going and it kept crashing on me after a while... so maybe I
have someone targeting my IP address... the RH Linux server seemed great and
secure until I opened port 25 for ftping some files.  :(

Certainly they can...especially if you have an older version of wu-ftpd or permit anonymous FTP access. Your best bet is to NEVER allow telnet or FTP access. Use ssh instead. ssh gives you a telnet-like _secure_ connection. The daemon also has an sftp _secure_ FTP mode. If you need to get at FTP from Windows, then do a Google search and find a copy of "putty". It contains Windows-based ssh and sftp clients.

First off, UNPLUG YOUR SYSTEM FROM THE NETWORK, just in case you were
hacked.  If you can, get a good copy of "find" or use the installed one
if it hasn't been compromised.  Check that your /usr/bin/find program
looks like this (under 8.0):

[root igor root]# ls -l /usr/bin/find
-rwxr-xr-x    1 root   root   65119    Jul 3  09:30 /usr/bin/find

If so, then your find is probably uncompromised. In that case, try:

# find / -daystart -mtime -2 -print

This will display any file anywhere on your system that has been
modified in the last 2 days (use a number that predates when you think
you were hacked).

Files such as /var/log/messages, /var/log/utime, etc. will get updated
often, so you don't need to be too suspicious of them, but ones in /etc,
/bin, /usr/bin, /sbin, /usr/sbin and other system-level directories
should NEVER CHANGE.  If they have, UNPLUG YOUR SYSTEM FROM THE NETWORK
IMMEDIATELY and either re-install Linux or fix the affected files.
You have been hacked.

I wish I could be more help, but detecting and fixing hacks can be
a very tedious job.  As I said, the safest thing is to reinstall
Linux and set up and run something like tripwire to watch any file
changes.  NEVER, EVER permit telnet access to your system.  Use the
newest wu-ftpd daemon (or use something like proFTP...also free).
Do NOT permit anonymous FTP unless you ABSOLUTELY have to (to disable
it, delete the "ftp" user via "userdel ftp").

If I can be of any more help, please don't hesitate to post to the list
or email me directly.

----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens vitalstream com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-      "Doctor!  My brain hurts!"  "It will have to come out!"       -
----------------------------------------------------------------------
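Rick's reply relies on `find -mtime` for a one-off check and recommends tripwire for ongoing monitoring. The script below is an added example (not from the mail and not tripwire itself) of the same idea in its simplest form: record a SHA-256 manifest of the directories that "should NEVER CHANGE" right after a clean install, then report every added, removed or changed file later. It assumes coreutils `sha256sum` and POSIX `find`/`awk`; a hash catches a file replaced with one of identical size, which the `ls -l` size check above would miss.

```shell
#!/bin/sh
# Baseline-and-compare integrity check (added example, not from the original mail).
# Assumes coreutils sha256sum and POSIX find/awk. Keep the baseline file OFF the
# host (floppy, CD, another machine): a baseline the intruder can rewrite proves
# nothing, and run the comparison with tools you trust (e.g. from rescue media).

# Directories the reply says should never change on a running system.
SYSTEM_DIRS="/etc /bin /sbin /usr/bin /usr/sbin"

# make_manifest DIR...  ->  "<sha256>  <path>" for every regular file, sorted by path
make_manifest() {
    find "$@" -type f -exec sha256sum {} + 2>/dev/null | sort -k2
}

# save_baseline BASELINE_FILE DIR...   (run right after a clean install)
save_baseline() {
    out="$1"; shift
    make_manifest "$@" > "$out"
}

# check_baseline BASELINE_FILE DIR...
# Prints one ADDED/REMOVED/CHANGED line per drifted path.
# Returns 0 when nothing drifted, 1 when something did, 2 on internal error.
check_baseline() {
    base="$1"; shift
    cur=$(mktemp) || return 2
    make_manifest "$@" > "$cur"
    # Field 1 is the hash; the path starts after the two-space separator, so
    # paths containing spaces are handled correctly. FILENAME==ARGV[1] (rather
    # than NR==FNR) keeps the logic right even when the baseline is empty.
    report=$(awk '
        FILENAME == ARGV[1] { base[substr($0, index($0, "  ") + 2)] = $1; next }
        { p = substr($0, index($0, "  ") + 2); seen[p] = 1
          if (!(p in base))        print "ADDED   " p
          else if (base[p] != $1)  print "CHANGED " p }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$base" "$cur")
    rm -f "$cur"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Typical use (commented out so the file can be sourced without side effects):
#   save_baseline  /mnt/floppy/baseline.sha256 $SYSTEM_DIRS
#   ... later, before trusting the box again ...
#   check_baseline /mnt/floppy/baseline.sha256 $SYSTEM_DIRS || echo "investigate first"
```

Log directories such as /var/log are deliberately left out of SYSTEM_DIRS, for the reason given above: they change constantly and would only produce noise.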