Linux Forums - Linux Security

Strange Requests On Fedora Server

milonic — Tue, 17 Nov 2009 11:19:20 GMT

Hi Everybody,

This is my first post here so please let me know if I do anything wrong or post in wrong place etc :]

Anyways, I have a Fedora server [Fedora 8 I think] and once per week [it's random days but usually Monday or Tuesday] it makes some very strange requests to what appear to be search engines. My concern is that this box is fully firewalled both at the router and by way of IPTables so NOTHING should be getting in from the outside world. However, something is happening that I'm not happy about, I just can't seem to find it though.

I see quite a few requests from addresses like 72.30.186.25, 78.33.33.80, 209.202.254.14

Has anybody come across this before?

If not, what's the best way of finding out which process this is coming from?

Here's a copy of the logwatch report from yesterday:

--------------------- iptables firewall Begin ------------------------

Quote:

Dropped 203 packets on interface eth0
From 0.0.0.0 - 11 packets
To 255.255.255.255 - 11 packets
Service: bootps [udp/67] [Dropwall:] - 11 packets
From 72.30.186.25 - 1 packet
To 192.168.0.2 - 1 packet
Service: 50801 [tcp/50801] [Dropwall:] - 1 packet
From 78.33.33.80 - 66 packets
To 192.168.0.2 - 66 packets
Service: 35582 [tcp/35582] [Dropwall:] - 1 packet
Service: 35699 [tcp/35699] [Dropwall:] - 1 packet
Service: 35725 [tcp/35725] [Dropwall:] - 1 packet
Service: 35738 [tcp/35738] [Dropwall:] - 1 packet
Service: 36303 [tcp/36303] [Dropwall:] - 1 packet
Service: 36328 [tcp/36328] [Dropwall:] - 1 packet
Service: 36339 [tcp/36339] [Dropwall:] - 1 packet
Service: 36348 [tcp/36348] [Dropwall:] - 1 packet
Service: 36379 [tcp/36379] [Dropwall:] - 1 packet
Service: 36394 [tcp/36394] [Dropwall:] - 1 packet
Service: 37739 [tcp/37739] [Dropwall:] - 1 packet
Service: 37750 [tcp/37750] [Dropwall:] - 1 packet
Service: 38311 [tcp/38311] [Dropwall:] - 1 packet
Service: 39509 [tcp/39509] [Dropwall:] - 1 packet
Service: 40781 [tcp/40781] [Dropwall:] - 1 packet
Service: 41202 [tcp/41202] [Dropwall:] - 1 packet
Service: 41333 [tcp/41333] [Dropwall:] - 1 packet
Service: 41344 [tcp/41344] [Dropwall:] - 1 packet
Service: 41959 [tcp/41959] [Dropwall:] - 1 packet
Service: 42543 [tcp/42543] [Dropwall:] - 1 packet
Service: 42596 [tcp/42596] [Dropwall:] - 1 packet
Service: 43607 [tcp/43607] [Dropwall:] - 1 packet
Service: 43616 [tcp/43616] [Dropwall:] - 1 packet
Service: 44095 [tcp/44095] [Dropwall:] - 1 packet
Service: 45173 [tcp/45173] [Dropwall:] - 1 packet
Service: 45186 [tcp/45186] [Dropwall:] - 1 packet
Service: 45199 [tcp/45199] [Dropwall:] - 1 packet
Service: 45621 [tcp/45621] [Dropwall:] - 1 packet
Service: 46362 [tcp/46362] [Dropwall:] - 1 packet
Service: 46472 [tcp/46472] [Dropwall:] - 1 packet
Service: 47334 [tcp/47334] [Dropwall:] - 1 packet
Service: 47503 [tcp/47503] [Dropwall:] - 1 packet
Service: 48562 [tcp/48562] [Dropwall:] - 1 packet
Service: 48571 [tcp/48571] [Dropwall:] - 1 packet
Service: 48580 [tcp/48580] [Dropwall:] - 1 packet
Service: 49525 [tcp/49525] [Dropwall:] - 1 packet
Service: 49534 [tcp/49534] [Dropwall:] - 1 packet
Service: 49543 [tcp/49543] [Dropwall:] - 1 packet
Service: 49824 [tcp/49824] [Dropwall:] - 1 packet
Service: 49837 [tcp/49837] [Dropwall:] - 1 packet
Service: 50194 [tcp/50194] [Dropwall:] - 1 packet
Service: 50205 [tcp/50205] [Dropwall:] - 1 packet
Service: 50214 [tcp/50214] [Dropwall:] - 1 packet
Service: 50495 [tcp/50495] [Dropwall:] - 1 packet
Service: 51165 [tcp/51165] [Dropwall:] - 1 packet
Service: 51174 [tcp/51174] [Dropwall:] - 1 packet
Service: 51277 [tcp/51277] [Dropwall:] - 1 packet
Service: 51286 [tcp/51286] [Dropwall:] - 1 packet
Service: 52340 [tcp/52340] [Dropwall:] - 1 packet
Service: 52351 [tcp/52351] [Dropwall:] - 1 packet
Service: 52654 [tcp/52654] [Dropwall:] - 1 packet
Service: 53248 [tcp/53248] [Dropwall:] - 1 packet
Service: 53257 [tcp/53257] [Dropwall:] - 1 packet
Service: 53266 [tcp/53266] [Dropwall:] - 1 packet
Service: 53455 [tcp/53455] [Dropwall:] - 1 packet
Service: 53784 [tcp/53784] [Dropwall:] - 1 packet
Service: 54812 [tcp/54812] [Dropwall:] - 1 packet
Service: 55131 [tcp/55131] [Dropwall:] - 1 packet
Service: 58342 [tcp/58342] [Dropwall:] - 1 packet
Service: 58351 [tcp/58351] [Dropwall:] - 1 packet
Service: 58389 [tcp/58389] [Dropwall:] - 1 packet
Service: 58711 [tcp/58711] [Dropwall:] - 1 packet
Service: 60859 [tcp/60859] [Dropwall:] - 1 packet
Service: 60870 [tcp/60870] [Dropwall:] - 1 packet
Service: 60879 [tcp/60879] [Dropwall:] - 1 packet
Service: 60935 [tcp/60935] [Dropwall:] - 1 packet
From 192.168.0.1 - 15 packets
To 255.255.255.255 - 15 packets
Service: bootpc [udp/68] [Dropwall:] - 15 packets
From 192.168.0.11 - 8 packets
To 255.255.255.255 - 8 packets
Service: bootps [udp/67] [Dropwall:] - 8 packets
From 192.168.0.21 - 4 packets
To 255.255.255.255 - 4 packets
Service: bootps [udp/67] [Dropwall:] - 4 packets
From 192.168.0.123 - 5 packets
To 224.0.0.251 - 5 packets
Service: mdns [udp/5353] [Dropwall:] - 5 packets
From 209.202.254.14 - 93 packets
To 192.168.0.2 - 93 packets
Service: 33497 [tcp/33497] [Dropwall:] - 1 packet
Service: 33498 [tcp/33498] [Dropwall:] - 1 packet
Service: 33544 [tcp/33544] [Dropwall:] - 1 packet
Service: 33554 [tcp/33554] [Dropwall:] - 1 packet
Service: 34457 [tcp/34457] [Dropwall:] - 1 packet
Service: 34625 [tcp/34625] [Dropwall:] - 1 packet
Service: 34636 [tcp/34636] [Dropwall:] - 1 packet
Service: 34637 [tcp/34637] [Dropwall:] - 1 packet
Service: 34759 [tcp/34759] [Dropwall:] - 1 packet
Service: 34768 [tcp/34768] [Dropwall:] - 1 packet
Service: 34871 [tcp/34871] [Dropwall:] - 1 packet
Service: 34872 [tcp/34872] [Dropwall:] - 1 packet
Service: 34897 [tcp/34897] [Dropwall:] - 1 packet
Service: 34906 [tcp/34906] [Dropwall:] - 1 packet
Service: 35444 [tcp/35444] [Dropwall:] - 1 packet
Service: 35445 [tcp/35445] [Dropwall:] - 1 packet
Service: 36131 [tcp/36131] [Dropwall:] - 1 packet
Service: 36142 [tcp/36142] [Dropwall:] - 1 packet
Service: 36143 [tcp/36143] [Dropwall:] - 1 packet
Service: 36151 [tcp/36151] [Dropwall:] - 1 packet
Service: 37180 [tcp/37180] [Dropwall:] - 1 packet
Service: 37181 [tcp/37181] [Dropwall:] - 1 packet
Service: 37189 [tcp/37189] [Dropwall:] - 1 packet
Service: 38344 [tcp/38344] [Dropwall:] - 1 packet
Service: 38355 [tcp/38355] [Dropwall:] - 1 packet
Service: 38356 [tcp/38356] [Dropwall:] - 1 packet
Service: 39442 [tcp/39442] [Dropwall:] - 1 packet
Service: 39451 [tcp/39451] [Dropwall:] - 1 packet
Service: 39452 [tcp/39452] [Dropwall:] - 1 packet
Service: 40341 [tcp/40341] [Dropwall:] - 1 packet
Service: 40352 [tcp/40352] [Dropwall:] - 1 packet
Service: 40355 [tcp/40355] [Dropwall:] - 1 packet
Service: 40363 [tcp/40363] [Dropwall:] - 1 packet
Service: 40475 [tcp/40475] [Dropwall:] - 1 packet
Service: 40485 [tcp/40485] [Dropwall:] - 1 packet
Service: 40493 [tcp/40493] [Dropwall:] - 1 packet
Service: 40572 [tcp/40572] [Dropwall:] - 1 packet
Service: 40584 [tcp/40584] [Dropwall:] - 1 packet
Service: 40627 [tcp/40627] [Dropwall:] - 1 packet
Service: 40636 [tcp/40636] [Dropwall:] - 1 packet
Service: 41106 [tcp/41106] [Dropwall:] - 1 packet
Service: 41230 [tcp/41230] [Dropwall:] - 1 packet
Service: 42512 [tcp/42512] [Dropwall:] - 1 packet
Service: 44544 [tcp/44544] [Dropwall:] - 1 packet
Service: 45470 [tcp/45470] [Dropwall:] - 1 packet
Service: 45500 [tcp/45500] [Dropwall:] - 1 packet
Service: 45511 [tcp/45511] [Dropwall:] - 1 packet
Service: 46959 [tcp/46959] [Dropwall:] - 1 packet
Service: 46960 [tcp/46960] [Dropwall:] - 1 packet
Service: 48285 [tcp/48285] [Dropwall:] - 1 packet
Service: 48295 [tcp/48295] [Dropwall:] - 1 packet
Service: 49025 [tcp/49025] [Dropwall:] - 1 packet
Service: 49026 [tcp/49026] [Dropwall:] - 1 packet
Service: 49835 [tcp/49835] [Dropwall:] - 1 packet
Service: 49846 [tcp/49846] [Dropwall:] - 1 packet
Service: 49983 [tcp/49983] [Dropwall:] - 1 packet
Service: 50001 [tcp/50001] [Dropwall:] - 1 packet
Service: 50734 [tcp/50734] [Dropwall:] - 1 packet
Service: 50754 [tcp/50754] [Dropwall:] - 1 packet
Service: 50766 [tcp/50766] [Dropwall:] - 1 packet
Service: 50767 [tcp/50767] [Dropwall:] - 1 packet
Service: 51015 [tcp/51015] [Dropwall:] - 1 packet
Service: 51023 [tcp/51023] [Dropwall:] - 1 packet
Service: 51676 [tcp/51676] [Dropwall:] - 1 packet
Service: 52390 [tcp/52390] [Dropwall:] - 1 packet
Service: 52413 [tcp/52413] [Dropwall:] - 1 packet
Service: 52425 [tcp/52425] [Dropwall:] - 1 packet
Service: 53709 [tcp/53709] [Dropwall:] - 1 packet
Service: 53720 [tcp/53720] [Dropwall:] - 1 packet
Service: 53735 [tcp/53735] [Dropwall:] - 1 packet
Service: 53736 [tcp/53736] [Dropwall:] - 1 packet
Service: 54110 [tcp/54110] [Dropwall:] - 1 packet
Service: 55000 [tcp/55000] [Dropwall:] - 1 packet
Service: 55001 [tcp/55001] [Dropwall:] - 1 packet
Service: 55009 [tcp/55009] [Dropwall:] - 1 packet
Service: 55010 [tcp/55010] [Dropwall:] - 1 packet
Service: 55024 [tcp/55024] [Dropwall:] - 1 packet
Service: 55025 [tcp/55025] [Dropwall:] - 1 packet
Service: 55637 [tcp/55637] [Dropwall:] - 1 packet
Service: 55650 [tcp/55650] [Dropwall:] - 1 packet
Service: 56544 [tcp/56544] [Dropwall:] - 1 packet
Service: 56553 [tcp/56553] [Dropwall:] - 1 packet
Service: 56554 [tcp/56554] [Dropwall:] - 1 packet
Service: 57576 [tcp/57576] [Dropwall:] - 1 packet
Service: 57577 [tcp/57577] [Dropwall:] - 1 packet
Service: 57589 [tcp/57589] [Dropwall:] - 1 packet
Service: 58177 [tcp/58177] [Dropwall:] - 1 packet
Service: 58675 [tcp/58675] [Dropwall:] - 1 packet
Service: 59934 [tcp/59934] [Dropwall:] - 1 packet
Service: 59935 [tcp/59935] [Dropwall:] - 1 packet
Service: 59949 [tcp/59949] [Dropwall:] - 1 packet
Service: 59950 [tcp/59950] [Dropwall:] - 1 packet
Service: 60297 [tcp/60297] [Dropwall:] - 1 packet

---------------------- iptables firewall End -------------------------

Looking forward to any replies,
-- Andy

Have my webserver been compromised?

strelok — Tue, 10 Nov 2009 16:38:55 GMT

Hi,

I'm running a small ecommerce webserver on a debian linux. I'm constantly watching the apache logs using a command like:
tail -f /var/log/apache/*.log | grep --line-buffered -v "[myip]"

(the grep is so I don't see myself navigating on the server).

I just saw something very disturbing in the log :

75.101.250.129 - - [10/Nov/2009:16:26:35 +0100] "GET /robots.txt HTTP/1.0" 301 273 "-" "taptubot [FILE LIST OF MY /home/admin] please read [some url i can't post because i'm new] ***"
75.101.250.129 - - [10/Nov/2009:16:26:35 +0100] "GET /robots.txt HTTP/1.0" 200 296 "-" "taptubot [FILE LIST OF MY /home/admin] please read [some url i can't post because i'm new] ***"

On my tail log, the [FILE LIST OF MY /home/admin] I printed here was a complete 'ls' of my /home/admin directory!
I precise that the webserver root is somewhere else, in another /home subdirectory.

There is something even more strange. The [FILE LIST] only appears on the tail on my terminal. I tried a
grep "75.101.250.129" /var/log/apache2/access.log
And here is what was recorded in the log:

/var/log/apache2/access.log:75.101.250.129 - - [10/Nov/2009:16:26:35 +0100] "GET /robots.txt HTTP/1.0" 301 273 "-" "taptubot *** please read [some url i can't post because i'm new] ***"
/var/log/apache2/access.log:75.101.250.129 - - [10/Nov/2009:16:26:35 +0100] "GET /robots.txt HTTP/1.0" 200 296 "-" "taptubot *** please read [some url i can't post because i'm new] ***"

How is it possible that the lines differ? How could the attacker print the file list of another subdirectory? Can the attacker have had access to anything on my server?

I'm really worried...

Thanks,
Strelok

IP Tables / MySQL

megarock — Sun, 08 Nov 2009 22:07:59 GMT

Ok, I'm a little lost here and could use some help.

Here's the situation - I have a website hosted on a VPS under CentOS. A part of the website connects to a remote MySQL databse to retrieve information. Without iptables engaged it works fine. As soon as I turn on iptables I cannot connect to the remote server at all.

Is there something I am missing as far as opening a port or area in iptables to allow that outbound connection to the remote database server to retrieve information. I have iptables setup to deny all incoming other than the allowed ports which are currently 21, 25, 53, 80, 110 plus some non standard ones 30000 - 50000 for FTP passive connections, 6666 which is the CP and 666 where I moved the SSH server. I even opened an incoming port of 3306 for MySQL even though I want to connect to a server at a remote location and not me connecting to a MySQL server on the machine in question.

I'm sure it's something simple that needs to be open but what? So far I'm taking a noobie approach and blocking blocks of ports until I find what's causing the issue. I'm up to port 10000 and still connecting so for some reason the connection is somewhere between 10000 and 65535. Arrgh!

What SSL is ?

Radhakrishnan_k — Sun, 08 Nov 2009 05:51:29 GMT

What SSL is ? what it does for a web server ?

what it does not do ? ie. what kinds of security problems can still exist on a web server even when SSL is used ?

2.6.31 iptables ignores reply pkt at interface SNAT+VLAN

luispa — Sat, 07 Nov 2009 20:25:24 GMT

Hi, I have a bit complex iptables+nat+mangle+vlan's setup within my box working perfectly with 2.6.30 and previous kernel versions. However, If I boot 2.6.31 then one of the capabilities stops working.

Replay packet's are silently ignored "only" at the interface doing SNAT+vlan. Rest of actions: iptables, nat, mangle's, policy based routing and NAT (no vlan) are working perfectly. To simplify the problem, here is the relevant setup and config:

Code:

 

["uid 1500" wget from 99.0.0.9]

     |

LOCALHOST(10.0.0.1)vlan400  ==== (10.0.0.2)ROUTER ==== "MyPrivate" host(99.0.0.9)

Code:

# echo "100 MyPrivate" >> /etc/iproute2/rt_tables

# ip route add 10.0.0.1/24 dev vlan400 table MyPrivate

# ip route add 99.0.0.0/8 via 10.0.0.2 table MyPrivate

# iptables -A OUTPUT -t mangle -m owner --uid-owner 1500 -j MARK --set-mark 1500

# ip rule add fwmark 1500 table MyPrivate

# iptables -t nat -A POSTROUTING -o vlan400 -j SNAT --to-source 10.0.0.1

# echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter

With this setup, all network traffic originated by user id 1500 should check first the "MyPrivate" table and if destination is 99.0.0.9 then send it out through vlan400 interface and perform source NAT.

Starts ok, traffic goes out on "vlan400" and remote host reply is correct, but then it stops. My localhost is not sending the last ACK, looks like it never sees the reply (SYN, ACK)

Code:

$ (running uid 1500)

$ wget from 99.0.0.9

:

10.0.0.1 SYN -->

                   <-- SYN, ACK 99.0.0.9

Just booting back with 2.6.30 starts working perfect again.

I've made lots of tests, googled, etc. but couldn't find anything, only some references to some issues corrected on 2.6.31 regarding NAT and connection tracking, but none similar to mine. Iptables version is not the problem, used 1.4.2, 1.4.3, 1.4.5 and allways works with kernel < 2.6.31.

Anybody knows if something important has been changed with 2.6.31? any idea?

Thanks in advance,
Luis

Smartcard two factor authentication

yeleek — Wed, 04 Nov 2009 15:19:24 GMT

Hi,

I'd like to setup Smartcard two factor authentication on my my laptop. I'd rather use a card than a usb token but am at a loss as to what to buy. Any recommendations please on card reader/writer and card? Also any pointers on the software to use? For what its worth I'm running Ubuntu 9.10.

Thanks in advance

Buildroot login

tonysonney — Mon, 02 Nov 2009 16:05:30 GMT

I am not sure whether this is the right place to post this. But this seem to
be closest forum. I have built buildroot to be run on ARM based platform. I compiled it and flashed on the board and started it. I want to connect to the board over LAN. So I used telnet to connect. But it asks for username and
password. I have not set any username or password in the config file. I
tried the following combinations but no luck

Username: root
-----------Wrong user name
Username: tony (linux username)
Password:root
------------Wrong combination
Username: tony
Password:(My linux password)
-----------Wrong combination

Does anybody know how to fix it?
Thanks in advance,
Tony

Is it possible in Linux to restrict POP3 or IMAP for some users.

ravis123 — Fri, 30 Oct 2009 06:30:37 GMT

Hi,
Is it possible in Linux to restrict POP3 or IMAP for some users.
I need a confirmation on this, that it is possible or not.
Please reply

Iptable rule set

ahamedoaa — Tue, 27 Oct 2009 11:53:13 GMT

Hi,

I am trying to configure linux iptable firewall in existing lan which includes squid server, web server and mail server

can any one review my rule set and suggest if any changes required.

thanks

Attached Files

iptables_ruleset.txt (2.1 KB)

IPTables - Block IP for x Seconds

umarsa — Mon, 26 Oct 2009 17:18:56 GMT

Hello,

I would like to know how i can ban IP's for a certain amount of seconds via the IPtables firewall.

I hope you can help.

Thanks!

Password security?

arinlares — Sat, 24 Oct 2009 07:07:44 GMT

I'm trying to figure out the best way to update my passwords, but can't think of any one-hundred percent safe way to do so, as far as keeping my passwords documented for me to access. I really need to do this.

So, my idea is as follows, and I want some input on it, for improvements, and maybe stuff I don't need to do: I'm going to use KeepassX to generate a passkey to access my password database, write it down in a notebook I got for computer-related stuff, and then get passwords for every online account I have. The main idea I have is that if I forget to back up my home folder moving distros, my file corrupts, or can't access my computer, I can still access my accounts. Am I being too careful at this point, by backing up my digital password on paper? I'm not entirely comfortable with my computer holding this kind of information, as it could be lost with a drop of water, just about.