- 03-22-2004 #1 (Just Joined!)
System hacked? Is it possible?
Hi,
yesterday I set up a Debian box 2.4.18 with nothing much more than an ISDN card (hisax, isdn) and a NIC.
hosts.deny : ALL: ALL
hosts.allow :
in.telnetd: x.y.z.
wu-ftpd: x.y.z.
where x.y.z. is the beginning part of the intranet IP
Before setting up iptables I tried out automatic dialing and
disconnecting via ISDN to my ISP.
That doesn't work within 80 sec so I cancelled the connection after about 3 min.
After that I monitored ippp0 with tcpdump -i ippp0:
Whenever I tried to open a new telnet session to my box the dialer starts to open a connection to my ISP. (trying to connect to IP 195.20.224.234 which is a DNS of a German ISP but not the one in my resolv.conf)
Is my system really hacked in 3 min?
How can I find out? Can I use chkroot?
Do I need a reinstallation? (Backup was planned as usual after work.)
Are systems inside also infected?
Thanks for all help
vost
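The hosts.allow / hosts.deny pair in this post is evaluated by tcp_wrappers, which consults hosts.allow first, then hosts.deny, and lets through any client that matches neither file. The following is an added illustration of those matching rules in Python, not code from this thread or from the tcp_wrappers project: it re-implements the documented pattern forms (ALL, an address prefix ending in ".", a hostname suffix beginning with ".", and an exact match) and fills in the masked x.y.z. with the 192.165.123. prefix the poster states later in the thread. The client addresses fed to it are constructed.

```python
# Added illustration of tcp_wrappers access control (hosts.allow / hosts.deny).
# This is a small re-implementation of the documented matching rules, not the
# real libwrap code.  Evaluation order: hosts.allow first, then hosts.deny, and
# a (daemon, client) pair that matches neither list is granted access.

# Constructed copies of the two files from the post, with the masked x.y.z.
# replaced by the 192.165.123. prefix the poster gives later in the thread.
HOSTS_ALLOW = """\
in.telnetd: 192.165.123.
wu-ftpd: 192.165.123.
"""
HOSTS_DENY = "ALL: ALL\n"


def parse_rules(text):
    """Return a list of (daemon_patterns, client_patterns) from a wrappers file."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split(":")                   # daemon_list : client_list [: shell_command]
        if len(parts) < 2:
            continue
        daemons = [d.strip() for d in parts[0].split(",")]
        clients = [c.strip() for c in parts[1].split(",")]
        rules.append((daemons, clients))
    return rules


def match_token(pattern, value):
    """One pattern against one daemon name or client string."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):          # numeric prefix, e.g. "192.165.123." matches 192.165.123.*
        return value.startswith(pattern)
    if pattern.startswith("."):        # hostname suffix, e.g. ".example.org"
        return value.endswith(pattern)
    return pattern == value            # exact daemon name or address


def rule_matches(rule, daemon, client):
    daemons, clients = rule
    return (any(match_token(d, daemon) for d in daemons)
            and any(match_token(c, client) for c in clients))


def access_allowed(daemon, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Decide access the way tcp_wrappers does: allow file, then deny file, then default allow."""
    for rule in parse_rules(allow):
        if rule_matches(rule, daemon, client):
            return True
    for rule in parse_rules(deny):
        if rule_matches(rule, daemon, client):
            return False
    return True


if __name__ == "__main__":
    # Constructed sample clients: one inside the intranet prefix, one outside.
    for daemon, client in (("in.telnetd", "192.165.123.10"),
                           ("in.telnetd", "10.0.0.5"),
                           ("sshd", "192.165.123.10")):
        print(f"{daemon} from {client}: {'allow' if access_allowed(daemon, client) else 'deny'}")
```

Two things worth noting about the real library that this toy leaves out: it matches the address prefix against the client's IP but a suffix pattern against the client's resolved name, and to get that name it performs a reverse DNS lookup for every connection. That lookup is an ordinary UDP packet, so where it goes is decided by the routing table, not by these two files.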
- 03-22-2004 #2
Re: System hacked? Is it possible?
I don't think your system was hacked.
U write that when you try to open a telnet session it starts dialing?
This is strange.
does the /etc/hosts file contain: 127.0.0.1 Localhost localhost.localdomain.com ???
U also write that: in.telnetd: x.y.z where x.y.z is the IP of your internal network.. Are you using the 195.x.x.x range for this?
And where did you put that info? in the /etc/inetd.conf ???
---[ MS09-99896 - Vulnerability in All MS Windows OS ; Using Windows Could Allow Remote Code Execution. ]---
Hardware: Asus P4P800, 1GB, P4-3Ghz, Asus V9950, Maxtor ATA HD's, 3Com GBit lan, Audigy ZS Plat.
- 03-22-2004 #3 (Just Joined!)
the /etc/hosts file contains 127.0.0.1 Localhost
but not localhost.localdomain.com
is this necessary?
My internal net is a private 192.165.123.0
The service in.telnetd is started by inetd (/etc/inetd.conf)
the default route is set to ippp0 so an attempt to connect to a server via the ISP should be possible.
but I just open a telnet session from my workplace to that Debian box.
(#telnet foo-box)
foo-box has a local IP. So it shouldn't be necessary to invoke the ISDN device
any ideas to trace which process is starting dialing?
(a ps -ef > /tmp/trace in the ip-up script shows no relevant proc)
- 03-22-2004 #4
No, not really... Some distros have this...
Originally Posted by vost
    My internal net is a private 192.165.123.0
    The service in.telnetd is started by inetd (/etc/inetd.conf)
    the default route is set to ippp0 so an attempt to connect to a server via the ISP should be possible.
Why default route to the ppp0? For connections to your ISP you don't need to put the ippp0 as default.
Originally Posted by vost
    but I just open a telnet session from my workplace to that Debian box.
    (#telnet foo-box)
    foo-box has a local IP. So it shouldn't be necessary to invoke the ISDN device
Nopes, but you have your ppp0 as default gateway, this will trigger the ISDN to get active... Each time a packet comes along.
Originally Posted by vost
    any ideas to trace which process is starting dialing?
    (a ps -ef > /tmp/trace in the ip-up script shows no relevant proc)
hehehe, Your system is starting the dialing process.
Change your default gateway to the eth0.
And enable IP forwarding.
If you then need access to a non-internal address it will autoconnect using the ppp0.
Check with route -vn to see the routing tables.
Here is an example of mine.
The IP addresses have been changed....
Hence: I use an extra network (eth1) to connect to the PPP0 on the router.
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
x.x.x.x         0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
172.64.0.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         x.x.x.x         0.0.0.0         UG    0      0        0 ppp0
eth0 is the internal network.
- 03-22-2004 #6 (Linux Engineer, Uppsala, Sweden)
Why use telnet when OpenSSH is available for Windows and Linux? It is also more secure!
Proud to be a GNU/Gentoo Linux user!
- 03-22-2004 #7 (Just Joined!)
Thanks, I'll try to use eth0 as default (later at home)
But I can't see how the ippp0 is triggered.
I will read the howtos first, maybe there is an answer.
Using telnet is just a relic from former times
(have not set the links to ssh by now)
Thanks
- 03-23-2004 #8
Search Google for info on how basic routing works.
I know there are several PDFs available explaining this.
Have a book at home called: Linux Routers. When I'm home I'll check the ISBN for ya. Very fine ready work.
To be short.
When a TCP/IP packet is arriving at your Linux box, the system will check to see what to do with it.
If you configure ppp0 as your primary gateway, it will first send it through there... That's basically why your ppp0 connection starts up all the time.
There are some FAQs around on how to configure and install Linux dial-in/out servers using modems... I'll look them up when I have the time.. Otherwise try Google with keywords: Linux; router or routing; modem; howto
SSH is secure and better, no decrease in speed too.
The use depends on how you configure it.
Can imagine you want to telnet, sometimes use it myself.
- 03-23-2004 #9 (Just Joined!)
I thought the routing table is parsed and the last entry is the default.
So if there is no previous hit then at last the default is matched
Thanks for suggesting literature, I googled for "Linux Router"; seems that there is a mass of info.
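Posts #4 and #8 explain the dialing by the default route sitting on the ppp0 interface; this post reads the table as parsed top to bottom with the last entry acting as the default. As an added example, not code from this thread, the following Python reproduces the route selection the kernel actually performs, longest-prefix match with table order irrelevant, against the route -vn table quoted in post #4 (its masked x.x.x.x replaced by the placeholder 203.0.113.1) and against an assumed table for the original poster's box, with 192.165.123.0 on eth0 and the default route on ippp0. Both tables are constructed; the two lookups at the bottom use addresses from the thread.

```python
import ipaddress

# Constructed routing tables in the layout of "route -vn".  REPLY_TABLE is the
# one quoted in post #4 with its masked x.x.x.x replaced by the placeholder
# documentation address 203.0.113.1.
REPLY_TABLE = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
203.0.113.1     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
172.64.0.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 ppp0
"""

# Assumed table for the original poster's box (not shown in the thread):
# the 192.165.123.0 network on eth0 and the default route on the
# dial-on-demand ISDN interface ippp0.
OP_TABLE = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.165.123.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ippp0
"""


def parse_route_table(text):
    """Turn "route -vn" output into a list of (network, gateway, iface)."""
    routes = []
    for line in text.splitlines()[1:]:            # skip the column header
        fields = line.split()
        if len(fields) < 8:
            continue
        dest, gateway, genmask, _flags, _metric, _ref, _use, iface = fields[:8]
        net = ipaddress.ip_network(f"{dest}/{genmask}", strict=False)
        routes.append((net, gateway, iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the most specific route wins; table order is irrelevant."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gateway, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, iface)
    return best


def egress_iface(table_text, dst):
    """Interface a packet to dst would leave through, or None if unroutable."""
    route = lookup(parse_route_table(table_text), dst)
    return route[2] if route else None


def would_dial(table_text, dst, dial_iface):
    """True if a packet to dst is routed out the dial-on-demand interface."""
    return egress_iface(table_text, dst) == dial_iface


if __name__ == "__main__":
    # A reply to the telnet client on the LAN stays on eth0.  The name-server
    # address seen in the tcpdump (195.20.224.234) matches nothing but the
    # default route, so that packet goes to ippp0 and the link comes up.
    for dst in ("192.165.123.5", "195.20.224.234"):
        print(dst, "->", egress_iface(OP_TABLE, dst),
              "dials:", would_dial(OP_TABLE, dst, "ippp0"))
```

The order-independence is the point of contention here: feeding the parser the same table with its rows reversed yields identical decisions, because the kernel compares mask lengths, not positions. The host route for 203.0.113.1 (/32) beats the default (/0) for that one address even though the default appears later.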