
Being hacked; Need help

Discussion in 'Ethical hacking' started by jimfix5, Sep 26, 2008.

  1. jimfix5

    jimfix5 New Member

    Found some errors in the configuration and rules. Fixed that. And looks like I'm all set. Want to say a very big Thank You! One last thing: what do you think is the best AV(s) for cleaning up a machine? I use AVG, Prevx and ZA. Is there one you can recommend above all others? Thanks again, spoonwizard.
     
  2. SpOonWiZaRd

    SpOonWiZaRd Know what you can do.

    You can use SpamAssassin and ClamAV to act as a virus filter for your network once you have set up your Linux box correctly, and on the personal computer you can use McAfee 2008; download it from http://www.piratebay.org and just ask me if you need any login information.
     
  3. jimfix5

    jimfix5 New Member

  4. jimfix5

    jimfix5 New Member

    Hey, spoonwizard. My friends hacked in again last night. Finally kicked them out by limiting the number of DHCP leases to 2 (the number of machines behind my Linux firewall) and then quickly acquiring them. But I was really surprised that they got through. Could you take a look at my iptables.up.rules below?

    # Generated by iptables-save v1.3.8 on Mon Oct 6 22:31:42 2008
    *filter
    :FORWARD DROP [0:0]
    :INPUT DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -i eth0 -j LOG --log-prefix "BANDWIDTH_IN:" --log-level 7
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -i eth1 -j ACCEPT
    -A INPUT -m state -i eth0 --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -o eth0 -j LOG --log-prefix "BANDWIDTH_OUT:" --log-level 7
    -A FORWARD -i eth0 -j LOG --log-prefix "BANDWIDTH_IN:" --log-level 7
    -A FORWARD -i eth1 -o eth0 -j ACCEPT
    -A FORWARD -m state -i eth0 -o eth1 --state RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -o eth0 -j LOG --log-prefix "BANDWIDTH_OUT:" --log-level 7
    COMMIT
    # Completed on Mon Oct 6 22:31:42 2008
    # Generated by iptables-save v1.3.8 on Mon Oct 6 22:31:42 2008
    *mangle
    :PREROUTING ACCEPT [8032809:4858810232]
    :INPUT ACCEPT [274326:82321712]
    :FORWARD ACCEPT [7758442:4776486176]
    :OUTPUT ACCEPT [188189:57922151]
    :POSTROUTING ACCEPT [7950189:4835227897]
    COMMIT
    # Completed on Mon Oct 6 22:31:42 2008
    # Generated by iptables-save v1.3.8 on Mon Oct 6 22:31:42 2008
    *nat
    :PREROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    -A POSTROUTING -o eth0 -j MASQUERADE
    COMMIT
    # Completed on Mon Oct 6 22:31:42 2008

    I tried installing configserver, but it blocked my two workstations from accessing the Internet.

    Any idea how they got through?
     
  5. jimfix5

    jimfix5 New Member

    Also, is there a log anywhere where I can get their IP address on the net?

    Update - found this:

    Oct 20 02:08:35 remote kernel: [221331.793129] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:80:ad:78:5f:c3:00:1e:be:ff:3d:05:08:00 SRC=60.222.224.134 DST=24.218.151.102 LEN=620 TOS=0x00 PREC=0x20 TTL=48 ID=0 DF PROTO=UDP SPT=55669 DPT=1026 LEN=600
    Oct 20 02:08:35 remote kernel: [221331.793190] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:80:ad:78:5f:c3:00:1e:be:ff:3d:05:08:00 SRC=60.222.224.134 DST=24.218.151.102 LEN=620 TOS=0x00 PREC=0x20 TTL=48 ID=0 DF PROTO=UDP SPT=55669 DPT=1027 LEN=600

    SRC traces to Beijing. Any idea what this means?
     
    Last edited: Oct 22, 2008
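The two kernel lines are what the netfilter LOG target writes, and the word "Blocked" in the prefix means the firewall dropped those packets rather than letting them in. The parser below is an added example, not code from the thread: it turns such lines (the BANDWIDTH_IN:/BANDWIDTH_OUT: lines the ruleset in post #4 produces have the same shape) into fields and counts blocked inbound packets per source, protocol and destination port; the sample input is the pair of lines quoted above.

```python
import re
from collections import Counter

# Sample input: the two kernel lines quoted in the post above, copied here so
# the parser runs offline. The LOG rules in post #4 emit the same layout with
# the prefix "BANDWIDTH_IN:" instead of "Firewall: *UDP_IN Blocked*".
SAMPLE_LOG = """\
Oct 20 02:08:35 remote kernel: [221331.793129] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:80:ad:78:5f:c3:00:1e:be:ff:3d:05:08:00 SRC=60.222.224.134 DST=24.218.151.102 LEN=620 TOS=0x00 PREC=0x20 TTL=48 ID=0 DF PROTO=UDP SPT=55669 DPT=1026 LEN=600
Oct 20 02:08:35 remote kernel: [221331.793190] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:80:ad:78:5f:c3:00:1e:be:ff:3d:05:08:00 SRC=60.222.224.134 DST=24.218.151.102 LEN=620 TOS=0x00 PREC=0x20 TTL=48 ID=0 DF PROTO=UDP SPT=55669 DPT=1027 LEN=600
"""

# syslog timestamp, host, "kernel: [uptime]", the --log-prefix text, then KEY=VALUE pairs
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: \[[^\]]*\] "
    r"(?P<prefix>.*?) (?=IN=)(?P<fields>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return a dict of fields for one netfilter LOG line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "prefix": m.group("prefix")}
    for key, value in KV_RE.findall(m.group("fields")):
        # LEN appears twice (IP total length, then UDP length); keep the first.
        # Bare flags such as DF carry no "=" and are skipped.
        rec.setdefault(key, value)
    return rec


def summarize_blocked(text):
    """Count blocked inbound packets by (source, protocol, destination port)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and "Blocked" in rec["prefix"] and rec.get("IN"):
            counts[(rec["SRC"], rec["PROTO"], rec["DPT"])] += 1
    return counts


if __name__ == "__main__":
    for (src, proto, dport), n in summarize_blocked(SAMPLE_LOG).most_common():
        print(f"{n:4d} blocked  {proto} from {src} to port {dport}")
```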
  6. SpOonWiZaRd

    SpOonWiZaRd Know what you can do.

    Well, you ACCEPT access from both your NICs. You must only ACCEPT from your internal NIC and DROP all other packets, i.e. ICMP and so on, that come in from your external NIC. If eth1 is the external NIC then iptables must be like this:

    -A INPUT -i eth1 -p icmp -j DROP
    -A INPUT -i eth1 -j DROP
    -A INPUT -i lo -j ACCEPT
    -A INPUT -i eth0 -j ACCEPT

    try that.
     
  7. jimfix5

    jimfix5 New Member

    External is eth0, and internal is eth1; will reconfigure
     
  8. jimfix5

    jimfix5 New Member

    Also, I can't get Serv-U on Windows Server 2003 behind Linux to accept connections. Really appreciate your expert help.
     
  9. jimfix5

    jimfix5 New Member

    Trying to understand here. If my external NIC is eth0 and my internal is eth1, which they are, then the above rules allow input to the external ONLY if the connection is established and related, and that connection is then allowed to pass through the internal as well. If the external connection is not BOTH established AND related, nothing comes through the external. Is this not what the above rules dictate?
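To make the question above and the ruleset in post #4 concrete, here is a small model of how iptables walks that filter table; it is an added example, not code from the thread. It assumes the conntrack state of each packet is already known and encodes only two things about iptables: LOG does not terminate the chain, and a comma-separated --state list matches if the packet is in any one of the listed states, so a reply needs to be ESTABLISHED or RELATED, not both.

```python
# Minimal model of the filter-table traversal for the iptables-save dump in
# post #4 (added example). A packet is a dict with input/output interface,
# protocol and conntrack state; unsolicited traffic is state NEW.
POLICY = {"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "ACCEPT"}

RULES = [  # transcribed from the posted dump, in chain order
    ("INPUT",   {"iif": "eth0"},                                  "LOG"),
    ("INPUT",   {"proto": "icmp"},                                "ACCEPT"),
    ("INPUT",   {"iif": "lo"},                                    "ACCEPT"),
    ("INPUT",   {"iif": "eth1"},                                  "ACCEPT"),
    ("INPUT",   {"iif": "eth0", "state": "RELATED,ESTABLISHED"},  "ACCEPT"),
    ("FORWARD", {"oif": "eth0"},                                  "LOG"),
    ("FORWARD", {"iif": "eth0"},                                  "LOG"),
    ("FORWARD", {"iif": "eth1", "oif": "eth0"},                   "ACCEPT"),
    ("FORWARD", {"iif": "eth0", "oif": "eth1",
                 "state": "RELATED,ESTABLISHED"},                 "ACCEPT"),
    ("OUTPUT",  {"oif": "eth0"},                                  "LOG"),
]


def matches(match, packet):
    """True when every criterion of a rule applies to the packet."""
    for key, want in match.items():
        if key == "state":
            if packet["state"] not in want.split(","):  # any listed state
                return False
        elif packet.get(key) != want:
            return False
    return True


def verdict(chain, packet):
    """First terminating rule wins; LOG only logs; the chain policy applies last."""
    for rule_chain, match, target in RULES:
        if rule_chain == chain and matches(match, packet) and target != "LOG":
            return target
    return POLICY[chain]


def packet(iif=None, oif=None, proto="udp", state="NEW"):
    """Build a packet as conntrack would classify it."""
    return {"iif": iif, "oif": oif, "proto": proto, "state": state}


if __name__ == "__main__":
    cases = {
        "unsolicited UDP from the internet":    ("INPUT", packet("eth0")),
        "reply to a flow the LAN opened":       ("INPUT", packet("eth0", state="ESTABLISHED")),
        "ICMP echo from the internet":          ("INPUT", packet("eth0", proto="icmp")),
        "LAN host -> internet":                 ("FORWARD", packet("eth1", "eth0")),
        "internet -> LAN host, no prior flow":  ("FORWARD", packet("eth0", "eth1")),
    }
    for label, (chain, pkt) in cases.items():
        print(f"{chain:8s} {label:38s} -> {verdict(chain, pkt)}")
```

Run as a script it also shows the one rule broader than the rest: `-A INPUT -p icmp -j ACCEPT` has no `-i`, so ICMP is accepted on eth0 as well as eth1.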
     
  10. kunals

    kunals New Member

    spoonwizard is a hero
     
  11. jimfix5

    jimfix5 New Member

    Yup, he is.
     
  12. shabbir

    shabbir Administrator Staff Member

  13. jimfix5

    jimfix5 New Member

    Thanks, I did.
     
