Page 1 of 2 (results 1 to 25 of 32)

Thread: PortScanning

  1. #1
    Join Date
    Jan 2004
    Posts
    57

    PortScanning

    Hi,

    I have been very unlucky these few weeks. First I got my first server at nocster.com, and after a few weeks they suspended it for the reason "Portscanning". I have never done portscanning before, and I have no idea how to solve that problem. After that, I moved my server to SM, and a few days later SM again warned me that they will suspend my server within 24 hours if I don't take action. They did not provide any detailed information about the portscanning issue.

    So until now I don't know what to do, since I have never done portscanning before. I heard from my friend that the portscanning is caused by some hackers trying to hack into the server.

    Does anyone have any experience with portscanning, and how did you solve the problem? I also tried searching the web for Linux portscanning software but had no luck finding it.

  2. #2
    Join Date
    Nov 2002
    Location
    Hot, hot Michigan...
    Posts
    3,506
    Your server likely has been '0wn3d' if you're portscanning everywhere you go. Since you're at SM, chip in some extra cash and have them take a look at it. Normal operation of a server will not include portscanning, so someone else likely already has root access.
    Ion Web Services/TronicTech
    http://www.ion-web.com or Unsupported webhosting?!?
    Shared hosting, Reseller accounts, Dedicated Servers, and More
    Proudly hosting since 2002

  3. #3
    Join Date
    Jan 2004
    Posts
    57
    Originally posted by thedavid
    Your server likely has been '0wn3d' if you're portscanning everywhere you go. Since you're at SM, chip in some extra cash and have them take a look at it. Normal operation of a server will not include portscanning, so someone else likely already has root access.
    I have had the root password changed... Any other solution besides chipping in some cash to SM? I already emptied all my credit card cash after moving from one server to another new server.

  4. #4
    Join Date
    Aug 2002
    Posts
    132
    well they have probably installed some other protocol to access the server. Be sure to lock down all other ports etc.

    1 solution is to do an OS format...

    Or let a good system administrator take a look at the system.

  5. #5
    Join Date
    Nov 2002
    Location
    Hot, hot Michigan...
    Posts
    3,506
    Well, have you been updating the software that runs on the server prior to actually using it? Patching services that have holes, upgrading the kernel, whatever's necessary?

    Common things the script kids like to do are use the servers for IRC eggdrops, warez drops, DOS attacks, fraud, and all sorts of other bad stuff. All of that will likely result in the instant termination of your server - so it's very important that you get this taken care of. Think of the portscanning as a symptom, not the root problem.

  6. #6
    Join Date
    Jan 2004
    Posts
    57
    well they have probably installed some other protocol to access the server. Be sure to lock down all other ports etc.

    1 solution is to do an OS format...

    Or let a good system administrator take a look at the system.
    WOW! I just did that last week. For $75, I can't afford to do another OS reload...

    Originally posted by thedavid
    Well, have you been updating the software that runs on the server prior to actually using it? Patching services that have holes, upgrading the kernel, whatever's necessary?

    Common things the script kids like to do are use the servers for IRC eggdrops, warez drops, DOS attacks, fraud, and all sorts of other bad stuff. All of that will likely result in the instant termination of your server - so it's very important that you get this taken care of. Think of the portscanning as a symptom, not the root problem.
    Yeah, I have updated Apache etc... But I'm not sure about the kernel, since I don't know how to update it...

    Is there any freeware software out there that detects accounts that do portscanning?

  7. #7
    Join Date
    Nov 2002
    Location
    Hot, hot Michigan...
    Posts
    3,506
    Originally posted by radarjammer

    Yeah, I have updated Apache etc... But I'm not sure about the kernel, since I don't know how to update it...
    Well, then depending on your setup, and what scripts you run if any, it may be as easy to get root on your server as compromising a webpage script. Then run a program to attack a kernel vulnerability (usually using 'wget' to pull a binary from a geocities site or whatever, usually run from /tmp).

    Originally posted by radarjammer

    Is there any freeware software out there that detects accounts that do portscanning?
    There's nessus (do a search) but it'll just show you holes in the system and warnings. Disinfecting an owned machine is very tricky, they like to hide things all over once they get that access. Easiest and most secure way would be to get some sysadmin time, or get a reload as mentioned earlier.

    <edit> there's also 'chkrootkit', but it's only part of the process..</edit>
    Last edited by thedavid; 03-05-2004 at 08:34 AM.

  8. #8
    Join Date
    Apr 2003
    Location
    Melbourne, AU
    Posts
    539
    you can run 'snort' to detect portscans.

    i don't really know how to prevent them, but you can at least limit the scans with some firewall rules.

    if you're running linux, you can create some iptables rules that block all outgoing connections to ports other than 80 (i guess some scripts will pull data from rss feeds etc).

    then selectively allow users access to outbound ports. e.g. port 25 for user mail..

  9. #9
    Join Date
    Jan 2004
    Posts
    57
    Originally posted by thedavid
    There's nessus (do a search) but it'll just show you holes in the system and warnings. Disinfecting an owned machine is very tricky, they like to hide things all over once they get that access. Easiest and most secure way would be to get some sysadmin time, or get a reload as mentioned earlier.
    I don't wish to get an OS reload because I just spent $75 on an OS reload last week... And it is really quite hard for me to keep doing OS reloads. My site has already been down for 6 days...

    Also, I forgot to mention that nocster staff "Jeannie" detected that one of my sites is doing portscanning, which I think is where the whole portscanning problem comes from. After moving to SM, the portscanning problem still exists. So as a solution I have suspended that account after receiving the email from SM. Do you think it will solve the problem? Or do I have to terminate that account?

    you can run 'snort' to detect portscans.

    i don't really know how to prevent them, but you can at least limit the scans with some firewall rules.

    if you're running linux, you can create some iptables rules that block all outgoing connections to ports other than 80 (i guess some scripts will pull data from rss feeds etc).

    then selectively allow users access to outbound ports. e.g. port 25 for user mail..
    Firewall... are they effective? I saw SM offers them for $50/month. If I install a firewall, do you think it will solve the problem? And is a firewall on Linux easy to configure?

  10. #10
    Join Date
    Nov 2002
    Location
    Hot, hot Michigan...
    Posts
    3,506
    It may solve the problem (by suspending) but it may not. There's no way to know how far deep they're in, given the info that we have.

  11. #11
    Join Date
    Jan 2004
    Posts
    57
    Originally posted by thedavid
    It may solve the problem (by suspending) but it may not. There's no way to know how far deep they're in, given the info that we have.
    Hmm... do you think terminating the account will be better than suspending the account? Also, does SM usually really suspend your account after 24 hours if no solution is taken? I have replied to the SM ticket, but it seems that until now, around 5 hours later, there has been no reply from SM.

  12. #12
    Join Date
    Nov 2002
    Location
    Hot, hot Michigan...
    Posts
    3,506
    Originally posted by radarjammer
    Hmm... do you think terminating the account will be better than suspending the account? Also, does SM usually really suspend your account after 24 hours if no solution is taken? I have replied to the SM ticket, but it seems that until now, around 5 hours later, there has been no reply from SM.
    I don't think there'd be too much of a difference between suspending and terminating, no. Not if they already have access. If they don't, they're the same.

    And yes, theplanet policy enforcement is tough. They will likely shut the server down if not fixed.

  13. #13
    Join Date
    Apr 2003
    Location
    Melbourne, AU
    Posts
    539
    Originally posted by radarjammer
    Firewall... are they effective? I saw SM offers them for $50/month. If I install a firewall, do you think it will solve the problem? And is a firewall on Linux easy to configure?
    it won't completely solve the problem, but it will at least limit the amount of scanning that can be done.

    if you've never written firewall rules on linux before, i guess it could be quite hard.

    i'm getting a little paranoid after reading your story. i think i'll put on my thinking cap and write some later tonight. will keep this thread updated if i finish it.

  14. #14
    Join Date
    Nov 2002
    Location
    Hot, hot Michigan...
    Posts
    3,506
    A firewall isn't a solution - if you write iptables rules, and they have root access, what's to stop them from typing 'iptables -F' and erasing your firewall rules?

  15. #15
    Join Date
    Jan 2004
    Posts
    57
    Originally posted by thedavid
    I don't think there'd be too much of a difference between suspending and terminating, no. Not if they already have access. If they don't, they're the same.

    And yes, theplanet policy enforcement is tough. They will likely shut the server down if not fixed.
    I think I'm a dead man.... What if I change the account password? I just changed it. Hopefully they got access because of the account password...

    I already have one server admin, but he is not online. What I'm scared of is that after 24 hours SM will suspend my server. If that happens, another big downtime will happen again, and cash will be flowing out again.

  16. #16
    Join Date
    Aug 2002
    Posts
    132
    well if they have root access they can change everything back in no time.....

    Try to read some things on www.hostinglife.com about chkrootkit.

    That checks all files for sniffers and root kits.

  17. #17
    Join Date
    Apr 2003
    Location
    Melbourne, AU
    Posts
    539
    Originally posted by thedavid
    A firewall isn't a solution - if you write iptables rules, and they have root access, what's to stop them from typing 'iptables -F' and erasing your firewall rules?
    c'mon, with PHP you don't need root access to perform a portscan. that could've been what happened.

    anyway, is it conclusive that his server is rooted?

  18. #18
    Join Date
    Nov 2002
    Location
    Hot, hot Michigan...
    Posts
    3,506
    Never said you did - but this problem followed him.

    It looks like spam is being relayed through one of the php scripts - that's all I've found so far.

  19. #19
    Join Date
    Apr 2003
    Location
    Melbourne, AU
    Posts
    539
    ahh, i assume you're checking his server out now? all the best in finding out the source of the portscans!

  20. #20
    Join Date
    Jan 2004
    Posts
    57
    ahh, i assume you're checking his server out now? all the best in finding out the source of the portscans!
    Yep, he is helping me out with the server.

  21. #21
    Join Date
    Nov 2002
    Location
    Hot, hot Michigan...
    Posts
    3,506
    Yup - just got done looking it over. I'll document it here so others can toss in some recommendations for you too. Looks like (at this time):
    Freshly downloaded chkrootkit couldn't find anything (other than the normal cpanel bindshell errors)

    kernel version appears to be up to date for redhat 9 (it's a redhat kernel)

    /tmp appears to be set up as per default (and thus /var/tmp as well). Consider making /tmp noexec and nosuid. I didn't check the /etc/fstab though. There didn't appear to be anything odd in /tmp or /var/tmp/

    .bash_history for the root user showed normal maintenance near the end - might be forged, of course, but might be good.

    exim was showing around 14000 mails in the queue - not too large, but if it's a lightly used server it might be. Hard to tell as I don't have 'history' with it.

    exim_mainlog was showing the user 'nobody' sending out mass amounts of email - likely a compromised php script. Could be an uploaded phpshell/phpkonsole for the portscan stuff.

    Recommend enabling phpsuexec even if temporarily to see which user is sending the messages. Otherwise it's a PITA to match it up.

    /var/log/messages were showing some errors, likely due to misconfig somewhere - didn't look like anything terrible though (bind errors for permissions if I remember correctly)

    Recommend that you 'cat /etc/passwd' to see if there's any user accounts that you don't know of/remember.

    Recommend that you download/install/run nessusd to see if there's any version issues with your daemons and whatnot - I didn't check that.

    <edit> forgot to mention... netstat didn't show any weird connections, looks like someone was scanning you from amsterdam (probably the same folks that've been showing up in our snort logs recently). You could also run an nmap on your own server just to check what ports are open</edit>

    That's about all that I got. The above is just a start, of course, but hopefully it'll get you in the right direction.
    Last edited by thedavid; 03-05-2004 at 10:05 AM.
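Two of the checks in the write-up above, the /etc/passwd review and the /tmp noexec,nosuid check, as an added example that is not part of the thread. It runs against constructed sample data so it can be tried offline; on a real box feed it /etc/passwd and /proc/mounts instead.

```sh
#!/bin/sh
# Added example (not from the thread): helpers for two of the checks in
# thedavid's write-up: reviewing /etc/passwd for accounts you do not
# recognise, and confirming /tmp is mounted noexec,nosuid.

# Constructed passwd sample: "toor" is a second uid-0 account, the kind
# of entry a quick "cat /etc/passwd" review is meant to catch.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
webuser:x:500:500::/home/webuser:/bin/bash
toor:x:0:0::/root:/bin/bash
EOF
}

# Constructed mounts sample in /proc/mounts format; /tmp has default options.
sample_mounts() {
    cat <<'EOF'
/dev/hda1 / ext3 rw 0 0
/dev/hda3 /tmp ext3 rw 0 0
EOF
}

# audit_passwd: reads passwd lines on stdin and prints
#   "UID0 <name>"           for any uid-0 account other than root
#   "SHELL <name> <shell>"  for a system account (uid < 500) with a login shell
#   "DUPUID <uid> <a> <b>"  for two names sharing one uid
audit_passwd() {
    awk -F: '
        $3 == 0 && $1 != "root" { print "UID0 " $1 }
        $3 < 500 && $1 != "root" && $7 !~ /(nologin|false)$/ { print "SHELL " $1 " " $7 }
        {
            if ($3 in owner) print "DUPUID " $3 " " owner[$3] " " $1
            else owner[$3] = $1
        }'
}

# audit_tmp_mount: reads /proc/mounts lines on stdin; prints "MISSING <opt>"
# for each of noexec/nosuid absent on /tmp, "NOTMOUNTED /tmp" if /tmp is not
# a separate mount at all, and nothing when both options are present.
audit_tmp_mount() {
    awk '
        $2 == "/tmp" {
            found = 1
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) have[opt[i]] = 1
            if (!("noexec" in have)) print "MISSING noexec"
            if (!("nosuid" in have)) print "MISSING nosuid"
        }
        END { if (!found) print "NOTMOUNTED /tmp" }'
}

# Run both checks against the samples when executed directly.
sample_passwd | audit_passwd
sample_mounts | audit_tmp_mount
```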

  22. #22
    Join Date
    Apr 2003
    Location
    Melbourne, AU
    Posts
    539
    cooked up some firewall rules to restrict outgoing connections and log whatever's rejected. comments appreciated.

    Code:
    #!/bin/sh
    # Simple firewall rules to restrict outgoing TCP connections
    # doubleukay -at- doubleukay.com
    
    INT_IP="1.2.3.4" # your internal ip
    OPEN_PORTS="20 21 53 80 443 3306" # ftp-data, ftp, DNS, http, https, mySQL
    EXCLUDED_USERS="root mail user1 user2" # open access
    LOGGING="Y" # Y or N
    
    # setup new chain for outgoing filter, and add it to the OUTPUT chain
    # (safe to re-run: create the chain if it is missing, drop any old jump first)
    iptables -N OUTFILTER 2>/dev/null
    iptables -F OUTFILTER
    iptables -D OUTPUT -j OUTFILTER 2>/dev/null
    iptables -I OUTPUT -j OUTFILTER
    
    # permit tracked connections
    iptables -A OUTFILTER -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    # permit connections to local interfaces
    iptables -A OUTFILTER -p tcp -d 127.0.0.1 -j ACCEPT
    iptables -A OUTFILTER -p tcp -d $INT_IP -j ACCEPT
    
    # permit connections to whitelisted outbound ports
    for i in $OPEN_PORTS; do
    	iptables -A OUTFILTER -p tcp --dport $i -j ACCEPT
    done
    
    # permit free-for-all access to whitelisted users
    for i in $EXCLUDED_USERS; do
    	iptables -A OUTFILTER -p tcp -m owner --uid-owner $i -j ACCEPT
    done
    
    # logging
    if [ "$LOGGING" = "Y" ]; then
    	iptables -A OUTFILTER -p tcp -m limit --limit 30/minute -j LOG --log-prefix "Blocked outgoing "
    fi
    
    # reject everything else
    iptables -A OUTFILTER -p tcp -j REJECT
    however, i found its use to be strictly for early warning and prevention, as the logs don't show the packet owner. if they came from a php script, i'd have to correlate the packet logs with the webserver logs to find out the offending script :\
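One way to read the "Blocked outgoing " log lines the OUTFILTER rules above produce, as an added example that is not part of the thread: group the rejected packets by sender uid and destination and flag destinations that were tried on many distinct ports, which is what an outbound scan looks like from the firewall's side. The sample lines are constructed; the UID= field assumes the LOG rule was given --log-uid (a real option of the iptables LOG target), which is what ties a blocked packet back to the account that sent it.

```sh
#!/bin/sh
# Added example (not from the thread): summarise kernel-log lines written by
# an iptables LOG rule with --log-prefix "Blocked outgoing " and --log-uid.

# Constructed sample log lines (not real traffic). uid 99 is "nobody",
# i.e. something running under the web server; uid 500 is a shell user.
sample_log() {
    cat <<'EOF'
Mar  5 10:05:01 srv kernel: Blocked outgoing IN= OUT=eth0 SRC=1.2.3.4 DST=10.9.8.7 PROTO=TCP SPT=40001 DPT=22 SYN UID=99
Mar  5 10:05:01 srv kernel: Blocked outgoing IN= OUT=eth0 SRC=1.2.3.4 DST=10.9.8.7 PROTO=TCP SPT=40002 DPT=23 SYN UID=99
Mar  5 10:05:01 srv kernel: Blocked outgoing IN= OUT=eth0 SRC=1.2.3.4 DST=10.9.8.7 PROTO=TCP SPT=40003 DPT=25 SYN UID=99
Mar  5 10:05:02 srv kernel: Blocked outgoing IN= OUT=eth0 SRC=1.2.3.4 DST=10.9.8.7 PROTO=TCP SPT=40004 DPT=110 SYN UID=99
Mar  5 10:05:02 srv kernel: Blocked outgoing IN= OUT=eth0 SRC=1.2.3.4 DST=10.9.8.7 PROTO=TCP SPT=40005 DPT=143 SYN UID=99
Mar  5 10:05:02 srv kernel: Blocked outgoing IN= OUT=eth0 SRC=1.2.3.4 DST=10.9.8.7 PROTO=TCP SPT=40006 DPT=22 SYN UID=99
Mar  5 10:07:30 srv kernel: Blocked outgoing IN= OUT=eth0 SRC=1.2.3.4 DST=203.0.113.5 PROTO=TCP SPT=40100 DPT=25 SYN UID=500
Mar  5 10:07:31 srv kernel: Blocked outgoing IN= OUT=eth0 SRC=1.2.3.4 DST=203.0.113.5 PROTO=TCP SPT=40101 DPT=25 SYN UID=500
Mar  5 10:08:00 srv kernel: some unrelated kernel message
EOF
}

# scan_report <threshold>: reads log lines on stdin and prints one line
# "<uid> <dst> <distinct-ports> SCAN|ok" per (uid, destination) pair, sorted.
# Repeated attempts on the same port count once; a missing UID= shows as "?".
scan_report() {
    awk -v thr="$1" '
        /Blocked outgoing/ {
            dst = ""; dpt = ""; uid = "?"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^DST=/) dst = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
                if ($i ~ /^UID=/) uid = substr($i, 5)
            }
            if (dst == "" || dpt == "") next
            key = uid " " dst
            if (!((key, dpt) in seen)) { seen[key, dpt] = 1; ports[key]++ }
        }
        END {
            for (k in ports)
                printf "%s %d %s\n", k, ports[k], (ports[k] >= thr ? "SCAN" : "ok")
        }' | sort
}

# count_scans <threshold>: number of (uid, destination) pairs flagged SCAN
# in the sample log.
count_scans() {
    sample_log | scan_report "$1" | awk '$NF == "SCAN" { n++ } END { print n + 0 }'
}

sample_log | scan_report 5
```

On a live server the same function reads the real log, e.g. `grep 'Blocked outgoing' /var/log/messages | scan_report 10`, and the uid it prints is the account whose scripts or shell sent the packets.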

  23. #23
    Join Date
    Jul 2001
    Location
    Singapore
    Posts
    1,889
    thedavid, what about:
    Code:
    lastlog
    lsof
    ps fauwx
    Just curious
    Giam Teck Choon
    :: Join choon.net Community today to share your tips and tricks on server issues please ::
    :: Singapore Dedicated Servers :: Singapore Virtual Private Servers :: Linux/FreeBSD Server Management ::

  24. #24
    Join Date
    Nov 2002
    Location
    Hot, hot Michigan...
    Posts
    3,506
    Process list looked ok as far as I could tell - normal cpanel box, overall. Didn't get to the rest as his admin guy logged in

  25. #25
    Join Date
    Sep 2000
    Location
    Alberta, Canada
    Posts
    3,146
    Ask SM for the IP address(es) doing the port scan. They will know, as that is what they used to trace it back to your Server.

    14,000 eMails in the queue? I smell Spam!!!

    To determine if rooted or a PHP script, I would suggest you lock down PHP, rather than switch to phpsuexec.
    safe_mode = ON
    open_basedir Restrictions enabled
    register_globals = Off

    Not sure how heavily the Server is used, and locking down PHP will break some (a lot?) of scripts, but the plus is that you will know the script being used (presuming it is a PHP script) by simply tailing the Apache error log. You can also selectively remove the PHP security from scripts you know are OK.

    No doubt the tighter PHP security will cause pain & frustration for accounts on the Server, but the good news is once all the good scripts have been altered to work, you can leave the tighter PHP security in place and not have to worry in the future -- again, presuming it is a PHP script causing the problem.

    Also, make sure SM is aware of what steps you are taking to remove the problem, and don't be shy in asking them for help.
    PotentProducts.com - for all your Hosting needs
    Helping people Host, Create and Maintain their Web Site
    ServerAdmin Services also available
