Author Topic: My DCERouter is attacking other servers!  (Read 9176 times)

robwoodward75

  • Regular Poster
  • **
  • Posts: 48
    • View Profile
My DCERouter is attacking other servers!
« on: July 05, 2011, 05:12:25 pm »
I had a letter from my ISP regarding attacks from my IP address on a server on the net, they didn't give much info, other than it was failed login attempts were made from my IP.  The outgoing ports were: 50495, 50886, 50742, 51300 and 51453.  Helpfully, they included a info sheet on how to get software to remove such a threat on a windows machine, bu oddly, nothing to help a Linux box?!!

Does anyone else have any experience of letters from their ISP using this distro?  I say this because the attack happened at 2:55am, and there would be none of the XP / Vista (sorry for swearing) machines on at that time in our house!

Does anyone know if, and or where there may be a log kept of the network activities I could look at, try to track down what was going on!

Thanks!!

Aviator

  • Veteran
  • ***
  • Posts: 79
    • View Profile
Re: My DCERouter is attacking other servers!
« Reply #1 on: July 05, 2011, 05:20:35 pm »
Just because it came form your IP does not mean that it came from the core. Did you have any other computers running at the time?  Anyway I would start by reviewing your firewall rules and changing all passwords. 

robwoodward75

  • Regular Poster
  • **
  • Posts: 48
    • View Profile
Re: My DCERouter is attacking other servers!
« Reply #2 on: July 05, 2011, 06:26:02 pm »
Quote
I say this because the attack happened at 2:55am, and there would be none of the XP / Vista (sorry for swearing) machines on at that time in our house!

As I said in the original post, it was at 2:55am aparently, and no other machines would be on at that time.

Quote
Anyway I would start by reviewing your firewall rules and changing all passwords

Tonights job!!!  Unfortunately, it also appears my ISP will only inform me, if someone complains?!  So I may never know if this was a one off, or if it ever happens again!  Hence the request for the network log location!!

merkur2k

  • Addicted
  • *
  • Posts: 513
    • View Profile
Re: My DCERouter is attacking other servers!
« Reply #3 on: July 06, 2011, 06:34:22 am »
anyone that knows what they are doing can cover their tracks fairly easily on a linux system. if they were lazy or stupid, you will find whatever they did in history, and they may have left files around such as a rootkit. unfortunately these are usually designed to hide themselves, so the only real sure way to be rid of anything is a complete reinstall.
to prevent it in the future, make sure you do not have standard services running on normal ports (ssh especially) and of course ALWAYS use a firewall (linuxmce includes a good one). And always use strong passwords on system accounts.

grind

  • Veteran
  • ***
  • Posts: 54
    • View Profile
Re: My DCERouter is attacking other servers!
« Reply #4 on: July 06, 2011, 09:09:30 am »
Hey guys,
this is a good point.

At the moment i'm using an IPCop-Firewall which my core has to pass to reach the internet.
Do you think that's too much effort or is the seperate firewall worth it's power consumption?

Thanks!
Nicolai

Rukus

  • Veteran
  • ***
  • Posts: 132
    • View Profile
Re: My DCERouter is attacking other servers!
« Reply #5 on: July 06, 2011, 11:34:39 pm »
I had a letter from my ISP regarding attacks from my IP address on a server on the net, they didn't give much info, other than it was failed login attempts were made from my IP.  The outgoing ports were: 50495, 50886, 50742, 51300 and 51453.  Helpfully, they included a info sheet on how to get software to remove such a threat on a windows machine, bu oddly, nothing to help a Linux box?!!

Does anyone else have any experience of letters from their ISP using this distro?  I say this because the attack happened at 2:55am, and there would be none of the XP / Vista (sorry for swearing) machines on at that time in our house!

Does anyone know if, and or where there may be a log kept of the network activities I could look at, try to track down what was going on!

Thanks!!

Have a look a the "/var/log/auth.log" file to see if anything stands out like an unauthorized login. Also make sure that you don't have SSH running on your external interface (eth0), as there are many automated programs in the wild that scan port 22. The only other way to help avoid this from happening again would be to limit whitelist the firewall on the core to only allow certain ports outbound from your network.

HTH,

Ernesto
« Last Edit: July 06, 2011, 11:38:22 pm by Rukus »
Core/Generic Hybrid MD
Motherboard: ASUS M2N-SLI Deluxe AM2 NVIDIA nForce 570 SLI MCP ATX
CPU: AMD Athlon 64 X2 6000+ Windsor 3.0GHz Socket AM2 125W Dual-Core
GPU: GPU: XFX PVT84GUDF3 GeForce 8600 GTS 256MB 128-bit GDDR3

klovell

  • Guru
  • ****
  • Posts: 205
    • View Profile
Re: My DCERouter is attacking other servers!
« Reply #6 on: July 07, 2011, 12:44:20 am »
Hey guys,
this is a good point.

At the moment i'm using an IPCop-Firewall which my core has to pass to reach the internet.
Do you think that's too much effort or is the seperate firewall worth it's power consumption?

Thanks!
Nicolai

If you ask me, it's completely worth it.   Although the firewall in ipcop and lmce might be all the same.  IN a perfect world i'd say make it so both firewalls are different on a code level. 

I currently use two firewalls also.  It's more work keeping everything stright but totally worth it.

robwoodward75

  • Regular Poster
  • **
  • Posts: 48
    • View Profile
Re: My DCERouter is attacking other servers!
« Reply #7 on: July 07, 2011, 09:57:34 am »
Quote
Have a look a the "/var/log/auth.log" file to see if anything stands out like an unauthorized login. Also make sure that you don't have SSH running on your external interface (eth0), as there are many automated programs in the wild that scan port 22. The only other way to help avoid this from happening again would be to limit whitelist the firewall on the core to only allow certain ports outbound from your network.

HTH,

Ernesto

Thanks Ernesto,

I will look through those logs tonight, I have since disabled the Outside access, and ports 21 to 23 on the Firewall, I was logging onto the server from work for a while, trying to set things up!  But, as this appears to have opened a security can of worms, I've closed off the ports, and removed the outside login ability.

Also, Since the "attempt" I have rebooted my machine, I will look later, as I can no longer log in from work!  But I suspect the logs may well be cleared?!

Rob.

klovell

  • Guru
  • ****
  • Posts: 205
    • View Profile
Re: My DCERouter is attacking other servers!
« Reply #8 on: July 07, 2011, 02:58:56 pm »
Thanks Ernesto,

I will look through those logs tonight, I have since disabled the Outside access, and ports 21 to 23 on the Firewall, I was logging onto the server from work for a while, trying to set things up!  But, as this appears to have opened a security can of worms, I've closed off the ports, and removed the outside login ability.

Also, Since the "attempt" I have rebooted my machine, I will look later, as I can no longer log in from work!  But I suspect the logs may well be cleared?!

Rob.

If you have a windows xp or higher machine you can setup remote desktop.  Passwords and data are encrypted before heading out over the network.  You need windows Pro, Ultimate, Business, and maybe home pro... not 100% sure about home pro.  Basic isn't even worth having, it's a waste of space so this would be a good time to upgrade.  Also, accessing local resources over the Internet using RDP will be quicker that a web browser.  I use a terminal server, but it's the same basic principle and it works great for remote access to your home network. 

All you have to do is setup a port forward rule for the RDP port.  I can't remember what it is, may be 3387 or 3386.  A quick google search will give you the port number.  Make sure your windows user is in the remote desktop group.  A quick google search will help you with that also. 

Do yourself a favor and do not attempt to watch a video or visit flash heavy sites over RDP, especially over a slow Internet connection.

Marie.O

  • Administrator
  • LinuxMCE God
  • *****
  • Posts: 3675
  • Wastes Life On LinuxMCE Since 2007
    • View Profile
    • My Home
Re: My DCERouter is attacking other servers!
« Reply #9 on: July 07, 2011, 03:09:51 pm »
I don't think setting up an RDP connection is more secure than an SSH connection.

merkur2k

  • Addicted
  • *
  • Posts: 513
    • View Profile
Re: My DCERouter is attacking other servers!
« Reply #10 on: July 07, 2011, 04:19:34 pm »
ssh on something other than the default port (22) with strong passwords is enough.
also, there is no reason to use an additional firewall, the one in linuxmce is plenty sufficient.

klovell

  • Guru
  • ****
  • Posts: 205
    • View Profile
Re: My DCERouter is attacking other servers!
« Reply #11 on: July 07, 2011, 04:26:01 pm »
I don't think setting up an RDP connection is more secure than an SSH connection.

Another option... Yes, more secure... I don't think so.

Before windows 7 and maybe vista (I'll have to double check security options) I may have agreed with you.  If you're connecting from a linux client, you're probably right.  If you're talking Windows to windows, that's a debate, and a debate for a different post to avoid a thread jacking.    

Also at the end of the day you also have to consider ease of use and functionality.  An RDP connection puts you on the remote network with ease and speed from basically any OS you can imagine using.  You will also be able to access other network resources.  The RDP "Screen Shots"  sent from the server to the client and the mouse and keyboard inputs from the client to the server, requires much less bandwidth than a web browser and/or VPN connection.  This results in a much faster connection to the remote network since network data isn't really leaving the network (which also add another layer of security).

RDP, SSH, SSl... etc, it's a preference at this point.  What it would take for a 3rd party to crack RDP or SSH is (at least in my option) unrealistic for the unimportant home network.  It would probably take someone who knows you or of you and WANTS to get on your network, not the obscure hacker hanging out on a router some where.

erasmot

  • Making baby steps
  • Posts: 3
    • View Profile
Re: My DCERouter is attacking other servers!
« Reply #12 on: July 07, 2011, 05:40:31 pm »
1.  If you still want to do remote management definitely change your SSH server port from 22 to something random and not in use on your core, such as : 8327 in /etc/ssh/sshd_config.  
2.  Disable password authentication for SSH and use keys instead google ssh keys and make sure to encrypt the key.
3.  Run this on all of your windows machines: "microsoft system sweeper beta" it's an offline ISO CD that will actually detect root kits on your windows machines, just as a precaution, I know you say they were off.
4.  If you really want to get to the bottom of what machine is sending out the attacks install wireshark on windows and your dcerouter "sudo apt-get install wireshark" and sniff all the traffic outbound on those ports on all of the machines.

robwoodward75

  • Regular Poster
  • **
  • Posts: 48
    • View Profile
Re: My DCERouter is attacking other servers!
« Reply #13 on: July 07, 2011, 05:53:28 pm »
Thanks for the info erasmot, I will install Wireshark too, I guess the more the merrier really!!

With regards to RDP'ing, thankfully, I use Kubuntu 11.04 mainly from my laptop, we do have XP and Vista clients (Wife and kids don't do Linux..........until they want DVD's ripping, a machine that can get on the internet in the same month it was powered up etc etc), but there's only me who connect's to the server for maintenance reasons, and I use Kubuntu, or occasionally my Android phone (but not often, viewing the whole desktop is a challenge on a 4" screen!!) to connect to the server, but never the Windows clients!  RDP Password being a mixture of upper case, lower case and numbers.

I have read a few posts on making the HTTP access a secure HTTPS connection, I've been giving some thoughts to making that happen, expecially if I end up re-building the server to stop this from occuring (however I'd rather fix than re-build as I have 4 x 2TB disks on a RAID 5, and don't fancy nursing the data accross to a new build), but, in saying that, it seems a little daft having a internet side server, with no internet because your ISP has cut you off!!  I suspect, or at least hope it will take more than one letter before they get nasty and threaten me with scissors on my connection!

I have heard nothing else from them, so, either no-one else has complained, I've turned off or blocked the method they were using to get in by removing the ports on the Firewall, or it was a glitch in the Matrix, and the problem has gone away with an update.

I know you can set up RDP over SSH, again, I have seen posts about it on the Ubuntu forums I believe, quite a lot of effort for what is now an internal only connection!  If they've hacked my Wi-Fi & network, I've got bigger problems than a server going a bit haywire at 3am in a morning!!

erasmot

  • Making baby steps
  • Posts: 3
    • View Profile
Re: My DCERouter is attacking other servers!
« Reply #14 on: July 07, 2011, 07:14:49 pm »
The only port you need to open up from the outside in to do remote management is your SSH port.  Once you set up your SSH tunnel you can set up a SOCKS5 proxy through it and browse on your remote machine as if you were on the local network.  This way all of your traffic will be AES256 encrypted end to end. You don't need VNC or RDP.  Outside access will be closed unless the tunnel is up.  https will always leave access to your box open and your logon screen open to the world.

In linux:

ssh username@host -P (port#) -D 1090
Open up proxy settings in browser set socks proxy for 127.0.0.1:1090
make 127.0.0.1 address is not exempt from proxy
put 127.0.0.1 in the address bar of your browser and you'll be in your DCE router in an encrypted tunnel

The same can be done with putty in Windows.
just expand connection
expand SSH
click on tunnels
put 1090 under source port
click the "dynamic" radio button
click add
and set up the proxy settings in your browser as previously described.