Being hacked; Need help

Discussion in 'Ethical hacking' started by jimfix5, Sep 26, 2008.

  1. jimfix5

    jimfix5 New Member

    Joined:
    Sep 26, 2008
    Messages:
    21
    Likes Received:
    0
    Trophy Points:
    0
    Found some errors in the configuration and rules. Fixed that. And it looks like I'm all set. Want to say a very big Thank You! One last thing: what do you think is the best AV(s) for cleaning up a machine? I use AVG, Prevx and ZA. Is there one you can recommend above all others? Thanks again, spoonwizard.
     
  2. SpOonWiZaRd

    SpOonWiZaRd Know what you can do.

    Joined:
    May 30, 2007
    Messages:
    746
    Likes Received:
    8
    Trophy Points:
    0
    Occupation:
    Network Engineer/Programmer
    Location:
    South Africa
    You can use SpamAssassin and ClamAV to act as a virus filter for your network once you have set up your Linux box correctly, and on the personal computer you can use McAfee 2008; download it from http://www.piratebay.org and just ask me if you need any login information.
     
  3. jimfix5

  4. jimfix5

    Hey, spoonwizard. My friends hacked in again last night. Finally kicked them out by limiting the number of DHCP leases to 2 (the number of machines behind my Linux firewall) and then quickly acquiring them. But I was really surprised that they got through. Could you take a look at my iptables.up.rules below?

    # Generated by iptables-save v1.3.8 on Mon Oct 6 22:31:42 2008
    *filter
    :FORWARD DROP [0:0]
    :INPUT DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -i eth0 -j LOG --log-prefix "BANDWIDTH_IN:" --log-level 7
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -i eth1 -j ACCEPT
    -A INPUT -m state -i eth0 --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -o eth0 -j LOG --log-prefix "BANDWIDTH_OUT:" --log-level 7
    -A FORWARD -i eth0 -j LOG --log-prefix "BANDWIDTH_IN:" --log-level 7
    -A FORWARD -i eth1 -o eth0 -j ACCEPT
    -A FORWARD -m state -i eth0 -o eth1 --state RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -o eth0 -j LOG --log-prefix "BANDWIDTH_OUT:" --log-level 7
    COMMIT
    # Completed on Mon Oct 6 22:31:42 2008
    # Generated by iptables-save v1.3.8 on Mon Oct 6 22:31:42 2008
    *mangle
    :PREROUTING ACCEPT [8032809:4858810232]
    :INPUT ACCEPT [274326:82321712]
    :FORWARD ACCEPT [7758442:4776486176]
    :OUTPUT ACCEPT [188189:57922151]
    :POSTROUTING ACCEPT [7950189:4835227897]
    COMMIT
    # Completed on Mon Oct 6 22:31:42 2008
    # Generated by iptables-save v1.3.8 on Mon Oct 6 22:31:42 2008
    *nat
    :PREROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    -A POSTROUTING -o eth0 -j MASQUERADE
    COMMIT
    # Completed on Mon Oct 6 22:31:42 2008

    I tried installing configserver, but it blocked my two workstations from accessing the Internet.

    Any idea how they got through?
     
  5. jimfix5

    Also, is there a log anywhere where I can get their IP address on the net?

    Update - found this:

    Oct 20 02:08:35 remote kernel: [221331.793129] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:80:ad:78:5f:c3:00:1e:be:ff:3d:05:08:00 SRC=60.222.224.134 DST=24.218.151.102 LEN=620 TOS=0x00 PREC=0x20 TTL=48 ID=0 DF PROTO=UDP SPT=55669 DPT=1026 LEN=600
    Oct 20 02:08:35 remote kernel: [221331.793190] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:80:ad:78:5f:c3:00:1e:be:ff:3d:05:08:00 SRC=60.222.224.134 DST=24.218.151.102 LEN=620 TOS=0x00 PREC=0x20 TTL=48 ID=0 DF PROTO=UDP SPT=55669 DPT=1027 LEN=600

    SRC traces to Beijing. Any idea what this means?
     
    Last edited: Oct 22, 2008
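As an added example (not from the thread), here is a Python parser for the netfilter LOG lines quoted above: it separates the syslog header, the --log-prefix text and the KEY=VALUE fields, then summarises blocked inbound packets per source address. The two sample lines are the ones quoted in the post.

```python
from collections import defaultdict
from typing import Optional

# Added example, not code from the thread: a parser for the netfilter LOG
# lines quoted in post 5, plus a per-source summary of what was blocked.
# SAMPLE_LOG holds the two lines exactly as quoted in the post.
SAMPLE_LOG = """\
Oct 20 02:08:35 remote kernel: [221331.793129] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:80:ad:78:5f:c3:00:1e:be:ff:3d:05:08:00 SRC=60.222.224.134 DST=24.218.151.102 LEN=620 TOS=0x00 PREC=0x20 TTL=48 ID=0 DF PROTO=UDP SPT=55669 DPT=1026 LEN=600
Oct 20 02:08:35 remote kernel: [221331.793190] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:80:ad:78:5f:c3:00:1e:be:ff:3d:05:08:00 SRC=60.222.224.134 DST=24.218.151.102 LEN=620 TOS=0x00 PREC=0x20 TTL=48 ID=0 DF PROTO=UDP SPT=55669 DPT=1027 LEN=600
"""

def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one netfilter LOG line, or None for any other line."""
    tokens = line.split()
    if "kernel:" not in tokens or not any(t.startswith("IN=") for t in tokens):
        return None
    start = next(i for i, t in enumerate(tokens) if t.startswith("IN="))
    fields = {"timestamp": " ".join(tokens[:3]),
              # text between the "[uptime]" stamp and IN= is the --log-prefix
              "prefix": " ".join(tokens[tokens.index("kernel:") + 2:start])}
    for tok in tokens[start:]:
        key, sep, value = tok.partition("=")
        # bare flags such as DF have no "="; the second LEN (UDP header+payload)
        # is dropped by setdefault so LEN stays the IP total length
        fields.setdefault(key, value if sep else True)
    return fields

def summarize(log_text: str) -> dict:
    """Map each blocked external source to the sorted (proto, port) pairs it hit."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_line(line)
        if f and "Blocked" in f["prefix"] and f.get("IN") == "eth0":
            hits[f["SRC"]].add((f["PROTO"], int(f["DPT"])))
    return {src: sorted(ports) for src, ports in hits.items()}

if __name__ == "__main__":
    for src, ports in summarize(SAMPLE_LOG).items():
        print(src, ports)
```

Unsolicited UDP to ports 1026/1027 from random internet hosts was the standard Windows Messenger-service popup spam of that period, and these lines show the firewall dropping it on eth0, so they are background noise rather than a trace of whoever got onto the LAN.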
  6. SpOonWiZaRd

    Well, you ACCEPT access from both your NICs; you must only ACCEPT from your internal NIC and DROP all other packets, i.e. ICMP and so on, that come in from your external NIC. If eth1 is the external NIC then iptables must be like this:

    -A INPUT -i eth1 -p icmp -j DROP
    -A INPUT -i eth1 -j DROP
    -A INPUT -i lo -j ACCEPT
    -A INPUT -i eth0 -j ACCEPT

    try that.
     
  7. jimfix5

    External is eth0, and internal is eth1; will reconfigure.
     
  8. jimfix5

    Also, I can't get Serv-U on Windows Server 2003 behind Linux to accept connections. Really appreciate your expert help.
     
  9. jimfix5

    Trying to understand here. If my external NIC is eth0 and my internal is eth1, which they are, then the above rules allow input to the external ONLY if the connection is established and related, and that connection is then allowed to pass through the internal as well. If the external connection is not BOTH established AND related, nothing comes through the external. Is this not what the above rules dictate?
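To check what the posted rules actually permit, here is an added Python simulation (not from the thread) that transcribes the INPUT and FORWARD chains from the iptables-save output in post 4, with eth0 external and eth1 internal as stated, and walks sample packets through them in rule order.

```python
from dataclasses import dataclass

# Added example, not code from the thread. Policies and rules are transcribed
# from the iptables-save output in post 4 (eth0 = external, eth1 = internal).
POLICY = {"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "ACCEPT"}

# (chain, match criteria, target). LOG is non-terminating, so it is kept in the walk.
RULES = [
    ("INPUT", {"in": "eth0"}, "LOG"),
    ("INPUT", {"proto": "icmp"}, "ACCEPT"),          # ICMP accepted on ANY interface
    ("INPUT", {"in": "lo"}, "ACCEPT"),
    ("INPUT", {"in": "eth1"}, "ACCEPT"),              # anything from the LAN side
    ("INPUT", {"in": "eth0", "state": {"RELATED", "ESTABLISHED"}}, "ACCEPT"),
    ("FORWARD", {"out": "eth0"}, "LOG"),
    ("FORWARD", {"in": "eth0"}, "LOG"),
    ("FORWARD", {"in": "eth1", "out": "eth0"}, "ACCEPT"),
    ("FORWARD", {"in": "eth0", "out": "eth1", "state": {"RELATED", "ESTABLISHED"}}, "ACCEPT"),
]

@dataclass
class Packet:
    in_if: str
    proto: str = "tcp"
    state: str = "NEW"   # conntrack state as seen by "-m state"
    out_if: str = ""     # only meaningful in FORWARD

def matches(match: dict, pkt: Packet) -> bool:
    """True when every criterion in the rule matches the packet."""
    fields = {"in": pkt.in_if, "out": pkt.out_if, "proto": pkt.proto}
    if any(match[k] != v for k, v in fields.items() if k in match):
        return False
    # "--state RELATED,ESTABLISHED" is a set: the packet's single conntrack
    # state must be one of them, not both at once.
    return "state" not in match or pkt.state in match["state"]

def verdict(chain: str, pkt: Packet) -> str:
    """Walk the chain top to bottom; first terminating target wins, else the policy."""
    for rule_chain, match, target in RULES:
        if rule_chain == chain and matches(match, pkt) and target != "LOG":
            return target
    return POLICY[chain]

if __name__ == "__main__":
    for label, chain, pkt in [
        ("new TCP from the internet", "INPUT", Packet("eth0")),
        ("ping from the internet", "INPUT", Packet("eth0", proto="icmp")),
        ("new TCP from a LAN host", "INPUT", Packet("eth1")),
        ("new TCP internet -> LAN", "FORWARD", Packet("eth0", out_if="eth1")),
    ]:
        print(f"{label:28s} {chain:8s} {verdict(chain, pkt)}")
```

The walk shows that the only unsolicited traffic the internet side can reach is ICMP, while every packet arriving on eth1 is accepted, so any host that gets an address on the internal segment (the DHCP-lease problem described in post 4) is fully trusted by this firewall.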
     
  10. kunals

    kunals New Member

    Joined:
    Jul 10, 2008
    Messages:
    51
    Likes Received:
    1
    Trophy Points:
    0
    spoonwizard is a hero
     
  11. jimfix5

    Yup, he is.
     
  12. shabbir

    shabbir Administrator Staff Member

    Joined:
    Jul 12, 2004
    Messages:
    15,375
    Likes Received:
    388
    Trophy Points:
    83
  13. jimfix5

    Thanks, I did.
     
