  1. #1
    Just Joined!
    Join Date
    Mar 2004
    Posts
    4

    System hacked ? Is it possible?


    Hi,
    yesterday I set up a Debian box 2.4.18 with nothing much more than an ISDN card (hisax, isdn) and a NIC.
    hosts.deny : ALL: ALL
    hosts.allow :
    in.telnetd: x.y.z.
    wu-ftpd: x.y.z.
    where x.y.z. is the beginning part of the intranet IP
    Before setting up iptables I tried out automatic dialing and
    disconnecting via ISDN to my ISP.
    That doesn't work within 80 sec so I cancelled the connection after about 3 min.
    After that I monitored ippp0 with tcpdump -i ippp0:
    Whenever I tried to open a new telnet session to my box the dialer starts to open a connection to my ISP. (trying to connect to IP 195.20.224.234 which is a DNS of a German ISP but not the one in my resolv.conf)

    Is my system really hacked in 3 min?
    How can I find out? Can I use chkroot?
    Do I need a reinstallation? (Backup was planned as usual after work)
    Are systems inside also infected?

    Thanks for all help
    vost

  2. #2
    Linux Enthusiast Opnosforatou
    Join Date
    Dec 2003
    Location
    Vleuten, The Netherlands
    Posts
    552

    Re: System hacked ? Is it possible?

    Quote Originally Posted by vost
    Hi,
    yesterday I set up a Debian box 2.4.18 with nothing much more than an ISDN card (hisax, isdn) and a NIC.
    hosts.deny : ALL: ALL
    hosts.allow :
    in.telnetd: x.y.z.
    wu-ftpd: x.y.z.
    where x.y.z. is the beginning part of the intranet IP
    Before setting up iptables I tried out automatic dialing and
    disconnecting via ISDN to my ISP.
    That doesn't work within 80 sec so I cancelled the connection after about 3 min.
    After that I monitored ippp0 with tcpdump -i ippp0:
    Whenever I tried to open a new telnet session to my box the dialer starts to open a connection to my ISP. (trying to connect to IP 195.20.224.234 which is a DNS of a German ISP but not the one in my resolv.conf)

    Is my system really hacked in 3 min?
    How can I find out? Can I use chkroot?
    Do I need a reinstallation? (Backup was planned as usual after work)
    Are systems inside also infected?

    Thanks for all help
    vost
    I don't think your system was hacked.
    U write that when you try to open a telnet session it starts dialing?
    This is strange.
    Does the /etc/hosts file contain: 127.0.0.1 Localhost localhost.localdomain.com ???
    U also write that: in.telnetd: x.y.z where x.y.z is the IP of your internal network.. Are you using the 195.x.x.x range for this?
    And where did you put that info? In the /etc/inetd.conf ???
    ---[ MS09-99896 - Vulnerability in All MS Windows OS ; Using Windows Could Allow Remote Code Execution. ]---
    Hardware: Asus P4P800, 1GB, P4-3Ghz, Asus V9950, Maxtor ATA HD's, 3Com GBit lan, Audigy ZS Plat.

  3. #3
    Just Joined!
    Join Date
    Mar 2004
    Posts
    4
    The /etc/hosts file contains 127.0.0.1 Localhost
    but not localhost.localdomain.com
    Is this necessary?

    My internal net is a private 192.165.123.0
    The service in.telnetd is started by inetd (/etc/inetd.conf)

    The default route is set to ippp0 so an attempt to connect to a server via ISP should be possible.
    But just do open a telnet from my workplace to that Debian box.
    (#telnet foo-box)
    foo-box has a local IP. So it shouldn't be necessary to invoke the ISDN device.

    Any ideas to trace which process is starting dialing?
    (a ps -ef > /tmp/trace in the ip-up script shows no relevant proc)

  5. #4
    Linux Enthusiast Opnosforatou
    Join Date
    Dec 2003
    Location
    Vleuten, The Netherlands
    Posts
    552
    Quote Originally Posted by vost
    The /etc/hosts file contains 127.0.0.1 Localhost
    but not localhost.localdomain.com
    Is this necessary?
    No not really... Some distros have this...

    My internal net is a private 192.165.123.0
    The service in.telnetd is started by inetd (/etc/inetd.conf)

    The default route is set to ippp0 so an attempt to connect to a server via ISP should be possible.
    Why default route to the ppp0?
    For connections to your ISP you don't need to put the ippp0 as default.

    But just do open a telnet from my workplace to that Debian box.
    (#telnet foo-box)
    foo-box has a local IP. So it shouldn't be necessary to invoke the ISDN device.
    Nopes, but you have your ppp0 as default gateway, this will trigger the ISDN to get active...
    Each time a packet comes along.
    Any ideas to trace which process is starting dialing?
    (a ps -ef > /tmp/trace in the ip-up script shows no relevant proc)
    hehehe, your system is starting the dialing process.
    Change your default gateway to the eth0.
    And enable IP forwarding.
    If you then need access to a non-internal address it will autoconnect using the ppp0.

    Check with route -vn to see the routing tables.
    Here is an example of mine.
    The IP addresses have been changed....
    Code:
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    x.x.x.x          0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
    10.0.0.0         0.0.0.0         255.255.255.0   U     0      0        0 eth1
    172.64.0.0       0.0.0.0         255.255.255.0   U     0      0        0 eth0
    127.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 lo
    0.0.0.0          x.x.x.x         0.0.0.0         UG    0      0        0 ppp0
    Hence: I use an extra network (eth1) to connect to the PPP0 on the router.
    eth0 is internal network.

  6. #5
    Linux Enthusiast Opnosforatou
    Join Date
    Dec 2003
    Location
    Vleuten, The Netherlands
    Posts
    552
    Some howto:

    LinuxHQ
    and
    LDP

  7. #6
    Linux Engineer
    Join Date
    Jul 2003
    Location
    Stockholm, Sweden
    Posts
    1,296
    Why use telnet when OpenSSH is available for Windows and Linux? It is also more secure!

  8. #7
    Just Joined!
    Join Date
    Mar 2004
    Posts
    4
    Thanks, I'll try to use the eth0 as default (later at home).
    But I can't see how the ippp0 is triggered.
    I will read the howtos first, maybe there is an answer.

    Using telnet is just a relic of former times (have not set the links to ssh by now)

    Thanks

  9. #8
    Linux Enthusiast Opnosforatou
    Join Date
    Dec 2003
    Location
    Vleuten, The Netherlands
    Posts
    552
    Quote Originally Posted by vost
    Thanks, I'll try to use the eth0 as default (later at home).
    But I can't see how the ippp0 is triggered.
    I will read the howtos first, maybe there is an answer.

    Using telnet is just a relic of former times (have not set the links to ssh by now)

    Thanks
    Search Google too for info on how basic routing works.
    I know there are several PDFs available explaining this.
    Have a book at home called: Linux Routers. When I'm home I'll check the ISBN for ya. Very fine ready work.

    To be short.
    When a TCP/IP packet is arriving at your Linux box, the system will check to see what to do with it.
    If you configure ppp0 as your primary gateway, it will first send it through there... That's basically why your ppp0 connection starts up all the time.
    There are some FAQs around on how to configure and install Linux dial-in/out servers using modems... I'll look them up when I have the time.. Otherwise try Google with keywords: Linux;router or routing;modem ;howto

    SSH is secure and better, no decrease in speed too.
    The use depends on how you configure it.
    Can imagine you want to telnet, sometimes use it myself.

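The routing explanation in posts #4 and #8 (a default route via the ISDN link catches every destination that has no more specific entry, so adding a route for the LAN via eth0 keeps local traffic off ippp0) can be checked against a route table offline. This is an added example, not code from the thread: it parses constructed `route -n` style tables (placeholder gateway 10.200.0.1, LAN 192.165.123.0/24 as named by the poster) and applies the kernel's longest-prefix-match rule, which is also the answer to post #9's question about table order.

```python
import ipaddress

# Constructed 'route -n' output (placeholder addresses, not the poster's real routes).
# BEFORE: only the ISDN link and loopback are known; the default route points at ippp0,
# so any destination without a more specific route triggers a dial-out.
ROUTES_BEFORE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.200.0.1      0.0.0.0         255.255.255.255 UH    0      0        0 ippp0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         10.200.0.1      0.0.0.0         UG    0      0        0 ippp0
"""

# AFTER: the LAN has its own route via eth0, so local hosts never fall through to the default.
ROUTES_AFTER = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.200.0.1      0.0.0.0         255.255.255.255 UH    0      0        0 ippp0
192.165.123.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         10.200.0.1      0.0.0.0         UG    0      0        0 ippp0
"""


def parse_routes(table):
    """Turn 'route -n' text into (network, gateway, iface) tuples."""
    routes = []
    for line in table.splitlines()[2:]:  # skip the two header lines
        dest, gw, mask, _flags, _metric, _ref, _use, iface = line.split()
        routes.append((ipaddress.IPv4Network(f"{dest}/{mask}"), gw, iface))
    return routes


def lookup(table, dst):
    """Longest-prefix match: the most specific matching route wins, regardless of
    its position in the table. 0.0.0.0/0 matches everything but has prefix length 0,
    so it is chosen only when nothing else covers the address."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for net, gw, iface in parse_routes(table):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best[2] if best else None


if __name__ == "__main__":
    for host in ("192.165.123.10", "198.51.100.7"):
        print(host, "before:", lookup(ROUTES_BEFORE, host), "after:", lookup(ROUTES_AFTER, host))
```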

  10. #9
    Just Joined!
    Join Date
    Mar 2004
    Posts
    4
    I thought the routing table is parsed and the last entry is the default.
    So if there is no previous hit then at last the default is matched.

    Thanks for suggesting literature, I googled "Linux Router", seems that there is a mass of info.
