Thread: PortScanning
-
03-05-2004, 07:55 AM #1 Junior Guru Wannabe (Join Date: Jan 2004, Posts: 57)
PortScanning
Hi,
I have been very unlucky these few weeks. First I got my first server at nocster.com, and after a few weeks they suspended it for the reason "Portscanning". I have never done portscanning before, and I have no idea how to solve that problem. After that I moved my server to SM, and a few days later SM again warned me that they will suspend my server within 24 hours if I don't take action. They did not provide any detailed information about the portscanning issue.
So until now I don't know what to do, since I have never done portscanning before. My friend told me that the portscanning is caused by some hackers trying to hack into the server.
Does anyone have any experience with portscanning, and how do you solve the problem? I also tried searching the web for Linux portscanning software but had no luck finding it.
-
03-05-2004, 08:07 AM #2 Web Hosting Master (Join Date: Nov 2002, Location: Hot, hot Michigan..., Posts: 3,506)
Your server has likely been '0wn3d' if you're portscanning everywhere you go. Since you're at SM, chip in some extra cash and have them take a look at it. Normal operation of a server will not include portscanning, so someone else likely already has root access.
Ion Web Services/TronicTech
http://www.ion-web.com or Unsupported webhosting?!?
Shared hosting, Reseller accounts, Dedicated Servers, and More
Proudly hosting since 2002
-
03-05-2004, 08:18 AM #3 Junior Guru Wannabe (Join Date: Jan 2004, Posts: 57)
-
03-05-2004, 08:20 AM #4 Registered User (Join Date: Aug 2002, Posts: 132)
Well, they have probably installed some other protocol to access the server. Be sure to lock down all other ports, etc.
One solution is to do an OS format...
Or let a good system administrator take a look at the system.
-
03-05-2004, 08:23 AM #5 Web Hosting Master (Join Date: Nov 2002, Location: Hot, hot Michigan..., Posts: 3,506)
Well, have you been updating the software that runs on the server prior to actually using it? Patching services that have holes, upgrading the kernel, whatever's necessary?
Common things the script kids like to do are use the servers for IRC eggdrops, warez drops, DOS attacks, fraud, and all sorts of other bad stuff. All of that will likely result in the instant termination of your server - so it's very important that you get this taken care of. Think of the portscanning as a symptom, not the root problem.
-
03-05-2004, 08:26 AM #6 Junior Guru Wannabe (Join Date: Jan 2004, Posts: 57)
Is there any freeware software out there that detects accounts doing portscanning?
-
03-05-2004, 08:30 AM #7 Web Hosting Master (Join Date: Nov 2002, Location: Hot, hot Michigan..., Posts: 3,506)
Originally posted by radarjammer
Yeah, I have updated Apache etc... but I'm not sure about the kernel, since I don't know how to update it...
Originally posted by radarjammer
Is there any freeware software out there that detects accounts doing portscanning?
<edit> there's also 'chkrootkit', but it's only part of the process..</edit>
Last edited by thedavid; 03-05-2004 at 08:34 AM.
-
03-05-2004, 08:39 AM #8 Web Hosting Evangelist (Join Date: Apr 2003, Location: Melbourne, AU, Posts: 539)
You can run 'snort' to detect portscans.
I don't really know how to prevent them, but you can at least limit the scans with some firewall rules.
If you're running Linux, you can create some iptables rules that block all outgoing connections to ports other than 80 (I guess some scripts will pull data from RSS feeds, etc.).
Then selectively allow users access to outbound ports, e.g. port 25 for user mail.
-
03-05-2004, 08:39 AM #9 Junior Guru Wannabe (Join Date: Jan 2004, Posts: 57)
There's nessus (do a search), but it'll just show you holes in the system and warnings. Disinfecting an owned machine is very tricky; they like to hide things all over once they get that access. The easiest and most secure way would be to get some sysadmin time, or get a reload as mentioned earlier.
Also, I forgot to mention that nocster staff "Jeannie" detected that one of my sites is doing portscanning, which I think is where the whole portscanning problem comes from. After moving to SM, the portscanning problem still exists. So as a solution I have suspended that account after receiving the email from SM. Do you think it will solve the problem? Or do I have to terminate that account?
-
03-05-2004, 08:40 AM #10 Web Hosting Master (Join Date: Nov 2002, Location: Hot, hot Michigan..., Posts: 3,506)
It may solve the problem (by suspending) but it may not. There's no way to know how far deep they're in, given the info that we have.
-
03-05-2004, 08:42 AM #11 Junior Guru Wannabe (Join Date: Jan 2004, Posts: 57)
-
03-05-2004, 08:45 AM #12 Web Hosting Master (Join Date: Nov 2002, Location: Hot, hot Michigan..., Posts: 3,506)
Originally posted by radarjammer
Hmm... do you think terminating the account will be better than suspending the account? Also, does SM usually really suspend your account after 24 hours if no action is taken? I have replied to the SM ticket, but it has been around 5 hours now with no reply from SM.
And yes, theplanet policy enforcement is tough. They will likely shut the server down if not fixed.
-
03-05-2004, 08:45 AM #13 Web Hosting Evangelist (Join Date: Apr 2003, Location: Melbourne, AU, Posts: 539)
Originally posted by radarjammer
Firewalls... are they effective? I saw SM offer them for $50/month. If I install a firewall, do you think it will solve the problem? And is a firewall on Linux easy to configure?
If you've never written firewall rules on Linux before, I guess it could be quite hard.
I'm getting a little paranoid after reading your story. I think I'll put on my thinking cap and write some later tonight. Will keep this thread updated if I finish it.
-
03-05-2004, 08:47 AM #14 Web Hosting Master (Join Date: Nov 2002, Location: Hot, hot Michigan..., Posts: 3,506)
A firewall isn't a solution - if you write iptables rules, and they have root access, what's to stop them from typing 'iptables -F' and erasing your firewall rules?
-
03-05-2004, 08:51 AM #15 Junior Guru Wannabe (Join Date: Jan 2004, Posts: 57)
I don't think there'd be too much of a difference between suspending and terminating, no. Not if they already have access. If they don't, they're the same.
And yes, theplanet policy enforcement is tough. They will likely shut the server down if not fixed.
I already have one server admin, but he is not online. What I'm scared of is that after 24 hours SM will suspend my server. If that happens, another big downtime will happen again, and cash will be flowing out again.
-
03-05-2004, 09:08 AM #16 Registered User (Join Date: Aug 2002, Posts: 132)
Well, if they have root access they can change everything back in no time.....
Try to read some things on www.hostinglife.com about chkrootkit.
That checks all files for sniffers and root kits.
-
03-05-2004, 09:26 AM #17 Web Hosting Evangelist (Join Date: Apr 2003, Location: Melbourne, AU, Posts: 539)
Originally posted by thedavid
A firewall isn't a solution - if you write iptables rules, and they have root access, what's to stop them from typing 'iptables -F' and erasing your firewall rules?
Anyway, is it conclusive that his server is rooted?
-
03-05-2004, 09:28 AM #18 Web Hosting Master (Join Date: Nov 2002, Location: Hot, hot Michigan..., Posts: 3,506)
Never said you did - but this problem followed him.
It looks like spam is being relayed through one of the php scripts - that's all I've found so far.
-
03-05-2004, 09:35 AM #19 Web Hosting Evangelist (Join Date: Apr 2003, Location: Melbourne, AU, Posts: 539)
Ahh, I assume you're checking his server out now? All the best in finding out the source of the portscans!
-
03-05-2004, 09:42 AM #20 Junior Guru Wannabe (Join Date: Jan 2004, Posts: 57)
-
03-05-2004, 10:00 AM #21 Web Hosting Master (Join Date: Nov 2002, Location: Hot, hot Michigan..., Posts: 3,506)
Yup - just got done looking it over. I'll document it here so others can toss in some recommendations for you too. Looks like (at this time):
Freshly downloaded chkrootkit couldn't find anything (other than the normal cpanel bindshell errors).
Kernel version appears to be up to date for redhat 9 (it's a redhat kernel).
/tmp appears to be set up as per default (and thus /var/tmp as well). Consider making /tmp noexec and nosuid. I didn't check the /etc/fstab though. There didn't appear to be anything odd in /tmp or /var/tmp/.
.bash_history for the root user showed normal maintenance near the end - might be forged, of course, but might be good.
exim was showing around 14000 mails in the queue - not too large, but if it's a lightly used server it might be. Hard to tell as I don't have 'history' with it.
exim_mainlog was showing the user 'nobody' sending out mass amounts of email - likely a compromised php script. Could be an uploaded phpshell/phpkonsole for the portscan stuff.
Recommend enabling phpsuexec, even if temporarily, to see which user is sending the messages. Otherwise it's a PITA to match it up.
/var/log/messages was showing some errors, likely due to a misconfig somewhere - didn't look like anything terrible though (bind errors for permissions if I remember correctly).
Recommend that you 'cat /etc/passwd' to see if there are any user accounts that you don't know of/remember.
Recommend that you download/install/run nessusd to see if there are any version issues with your daemons and whatnot - I didn't check that.
<edit> forgot to mention... netstat didn't show any weird connections, looks like someone was scanning you from amsterdam (probably the same folks that've been showing up in our snort logs recently). You could also run an nmap on your own server just to check what ports are open</edit>
That's about all that I got. The above is just a start, of course, but hopefully it'll get you in the right direction.
Last edited by thedavid; 03-05-2004 at 10:05 AM.
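An added triage script for the checks listed in the post above (my own code, not thedavid's or any poster's): it lists UID-0 accounts other than root in a passwd file, reports whether /tmp is mounted noexec and nosuid in an fstab, and counts exim mainlog submissions per user so a web user such as 'nobody' sending in bulk stands out. The function names are my own, and the passwd, fstab and exim log samples are constructed (the log lines follow exim's "<= sender U=user" mainlog format) rather than taken from the thread's server.

```shell
#!/bin/sh
# Added triage helpers (not the thread's code). Each function takes a file path,
# so it runs against /etc/passwd, /etc/fstab and the exim mainlog or the samples below.

# Print accounts other than root whose UID is 0: extra root-equivalent logins.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print "ok" when /tmp is mounted with both noexec and nosuid, otherwise "weak".
tmp_mount_hardened() {
    opts=$(awk '$2 == "/tmp" { print $4 }' "$1")
    case ",$opts," in *,noexec,*) ;; *) echo weak; return ;; esac
    case ",$opts," in *,nosuid,*) echo ok ;; *) echo weak ;; esac
}

# Count messages exim accepted ("<=" lines) per submitting user (the U= field),
# busiest first, so a web user such as 'nobody' sending in bulk stands out.
exim_senders_by_user() {
    awk '$4 == "<=" { for (i = 5; i <= NF; i++) if ($i ~ /^U=/) { sub(/^U=/, "", $i); n[$i]++ } }
         END { for (u in n) print n[u], u }' "$1" | sort -rn
}

# Constructed sample inputs (hypothetical names, not data from the thread's server).
TMPD=$(mktemp -d)
cat > "$TMPD/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
user1:x:500:500::/home/user1:/bin/bash
extra:x:0:0::/tmp:/bin/bash
EOF
cat > "$TMPD/fstab" <<'EOF'
/dev/hda1 / ext3 defaults 1 1
/dev/hda2 /tmp ext3 defaults 1 2
EOF
cat > "$TMPD/exim_mainlog" <<'EOF'
2004-03-05 09:12:01 1AzPqR-0003Ab-00 <= user1@site.example U=user1 P=local S=812
2004-03-05 09:12:03 1AzPqT-0003Ac-00 <= nobody@server.example U=nobody P=local S=1190
2004-03-05 09:12:03 1AzPqT-0003Ac-00 => victim@example.net R=lookuphost T=remote_smtp
2004-03-05 09:12:04 1AzPqU-0003Ad-00 <= nobody@server.example U=nobody P=local S=1190
2004-03-05 09:12:05 1AzPqV-0003Ae-00 <= nobody@server.example U=nobody P=local S=1190
EOF

echo "Extra UID 0 accounts:"; extra_uid0_accounts "$TMPD/passwd"
echo "/tmp mount options: $(tmp_mount_hardened "$TMPD/fstab")"
echo "Exim submissions per user:"; exim_senders_by_user "$TMPD/exim_mainlog"
```

On a live box, point the functions at /etc/passwd, /etc/fstab and /var/log/exim_mainlog; the per-user count is the quick way to see which account is feeding the queue before deciding whether phpsuexec is needed.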
-
03-05-2004, 10:35 AM #22 Web Hosting Evangelist (Join Date: Apr 2003, Location: Melbourne, AU, Posts: 539)
Cooked up some firewall rules to restrict outgoing connections and log whatever's rejected. Comments appreciated.
Code:
#!/bin/sh
# Simple firewall rules to restrict outgoing TCP connections
# doubleukay -at- doubleukay.com

INT_IP="1.2.3.4"                        # your internal ip
OPEN_PORTS="20 21 53 80 443 3306"       # ftp-data, ftp, DNS, http, https, mySQL
EXCLUDED_USERS="root mail user1 user2"  # open access
LOGGING="Y"                             # Y or N

# setup new chain for outgoing filter, and add it to the OUTPUT chain
# (the -D and the 2>/dev/null let the script be re-run without stacking a
# second jump or failing because the chain already exists)
iptables -N OUTFILTER 2>/dev/null
iptables -F OUTFILTER
iptables -D OUTPUT -j OUTFILTER 2>/dev/null
iptables -I OUTPUT -j OUTFILTER

# permit tracked connections
iptables -A OUTFILTER -m state --state ESTABLISHED,RELATED -j ACCEPT

# permit connections to local interfaces
iptables -A OUTFILTER -p tcp -d 127.0.0.1 -j ACCEPT
iptables -A OUTFILTER -p tcp -d "$INT_IP" -j ACCEPT

# permit connections to whitelisted outbound ports
for i in $OPEN_PORTS; do
    iptables -A OUTFILTER -p tcp --dport "$i" -j ACCEPT
done

# permit free-for-all access to whitelisted users
for i in $EXCLUDED_USERS; do
    iptables -A OUTFILTER -p tcp -m owner --uid-owner "$i" -j ACCEPT
done

# logging (rate-limited so a scan cannot flood syslog)
if [ "$LOGGING" = "Y" ]; then
    iptables -A OUTFILTER -p tcp -m limit --limit 30/minute -j LOG --log-prefix "Blocked outgoing "
fi

# reject everything else
iptables -A OUTFILTER -p tcp -j REJECT
-
03-05-2004, 11:06 AM #23 Retired Moderator (Join Date: Jul 2001, Location: Singapore, Posts: 1,889)
thedavid, what about:
Code:
lastlog
lsof
ps fauwx
Giam Teck Choon
:: Join choon.net Community today to share your tips and tricks on server issues please ::
:: Singapore Dedicated Servers :: Singapore Virtual Private Servers :: Linux/FreeBSD Server Management ::
-
03-05-2004, 11:08 AM #24 Web Hosting Master (Join Date: Nov 2002, Location: Hot, hot Michigan..., Posts: 3,506)
Process list looked ok as far as I could tell - normal cpanel box, overall. Didn't get to the rest as his admin guy logged in.
-
03-05-2004, 12:26 PM #25 learning is in the doing (Join Date: Sep 2000, Location: Alberta, Canada, Posts: 3,146)
Ask SM for the IP address(es) doing the port scan. They will know, as that is what they used to trace it back to your server.
14,000 emails in the queue? I smell spam!!!
To determine if it is rooted or a PHP script, I would suggest you lock down PHP rather than switch to phpsuexec:
- safe_mode = ON
- open_basedir restrictions enabled
- register_globals = Off
Not sure how heavily the server is used, and locking down PHP will break some (a lot?) of scripts, but the plus is that you will know the script being used (presuming it is a PHP script) by simply tailing the Apache error log. You can also selectively remove the PHP security from scripts you know are OK.
No doubt the tighter PHP security will cause pain & frustration for accounts on the server, but the good news is that once all the good scripts have been altered to work, you can leave the tighter PHP security in place and not have to worry in the future -- again, presuming it is a PHP script causing the problem.
Also, make sure SM is aware of what steps you are taking to remove the problem, and don't be shy in asking them for help.
• PotentProducts.com - for all your Hosting needs
• Helping people Host, Create and Maintain their Web Site
• ServerAdmin Services also available