euler_fan
July 16th, 2007, 08:14 PM
NOTE: Sorry if this is more a "Servers and Security" thing, but the "before you post" there said they were pretty much servers only. If it should be there, please move it there. END NOTE
Should I be worried about this . . .
The long and short of it is that the other day I had Firestarter in the system tray and it was reporting a number of hits from various IP addresses against port 5900. They were coming in once every 5-20 minutes (about 40 hits total through the afternoon). I was noticing some hits against SAMBA on port 137 most times I sent an email through my school's servers and a second one on port (based on what was returned from looking up the host names of the IP addresses reported). This behavior from the school's servers has continued, but the hits against VNC have stopped (or at least, they are not appearing in the log file as shown by Firestarter over the next several days).
I don't use VNC, Firestarter has been told to configure my firewall to log everything and let nothing in and drop all rejected packets silently. I run Thunderbird and connect to my school's servers using regular imap/smtp on the default ports.
So, I sent my logs and a summary of what I know and my setup (basically what I have written above) to my school's tech people (I was curious about the SAMBA thing anyway) and their response is that (1) their servers should not be pinging port 137 for any reason they can think of. (2) I'm probably acting as a relay for spam, and (3) I should probably re-image my hard drive.
My uni is pretty much a Windows only world, no support outside of their IT program (at as far as I know only the graduate level no less) for *nix/Solaris and little enough for Mac.
I was thinking about burning a Knoppix disk or using my Feisty live CD to go in on a live CD and clamscan and rootkit scan my machine to see if there's anything there.
Rkhunter (as of time of posting) says to check these out . . .
/etc/.pwd.lock
/etc/.java
/dev/.static
/dev/.udev
/dev/.initramfs
/dev/.initramfs-tools
chkrootkit found this
Searching for suspicious files and dirs, it may take a while...
/usr/lib/firefox/.autoreg
/usr/lib/jvm/.java-gcj.jinfo
/usr/lib/jvm/java-1.5.0-sun-1.5.0.08/.systemPrefs
/usr/lib/jvm/.java-1.5.0-sun.jinfo
/usr/lib/j2se/1.4/jre/.systemPrefs
/usr/lib/j2se/1.4/jre/.systemPrefs/.systemRootModFile
/usr/lib/j2se/1.4/jre/.systemPrefs/.system.lock
/lib/modules/2.6.17-11-386/volatile/.mounted
/usr/lib/j2se/1.4/jre/.systemPrefs
OBSD rk v1... /usr/lib/security
/usr/lib/security/classpath.security
I am more than willing to post them all as attachments upon request.
Since it looks like there might be one, does anyone have a suggestion about how to remove it?
Thanks much.
Euler_fan
Their response is below:
******************************************
It is our opinion that your computer could likely be compromised, and
could possibly be being used as a relay server (probably for spam).
Here's why we think you may be compromised:
-Our mail servers do not connect via an SMB share (in fact no known mail
servers use SMB connections for mail traffic). The traffic you are
seeing through port 137 on your machine does not correspond with any of
our conventions for mail at UST. Port 137 is used for NetBIOS traffic,
and you would normally see these types of log entries when you connect
to your "My Storage" drive (it is possible, but not likely, that using
Outlook Web Access might also generate these log entries. The fact
that you're using Thunderbird would seem to preclude this as an option).
The fact that you are also getting so much traffic through port 5900
from non-UST IP addresses also indicates that your machine is being
scanned for vulnerabilities (or is already compromised).
My best advice to you would be to re-image your machine, and establish
stronger security protocols for your administrative accounts (i.e.
strong password, fewer accounts with admin access, etc...). If you are
using VNC for any particular reason, it is strongly recommended that you
configure it to not use ports 5900, 5800, 5850, or 5901 for connections
(these are the default ports for VNC and are frequent targets for hack
attempts). It is also our recommendation to be certain you are using
the most current, upgraded version of VNC and always be sure you are
using an encrypted VNC session.
Before you try re-imaging your machine or using your firewall to close
all of your ports, please keep in mind that there is also a possibility
that these log entries are completely innocuous. Please consult Google,
or your hardware and software vendors for additional information. And
if you have further problems, please be advised that you may need to
seek a professional repair service.
*************************************************
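One way to triage a firewall log like the one described in this thread, as an added example that is not part of the original post, of Firestarter, or of the school's reply: it parses netfilter-style "Inbound" log lines (the layout Firestarter's iptables logging produces), counts dropped hits per destination port and per distinct source, measures the gap between hits, and labels each port according to whether the host actually listens there. Hits against a port with no listener, arriving from many unrelated sources, are the signature of untargeted scanning rather than of a compromise; hits to an open service are the ones whose own logs deserve a look. The sample lines, the addresses (documentation ranges), and the listening-port set are constructed assumptions; on a real host the listening set would be taken from `netstat -tulpn` output.

```python
"""Triage of netfilter 'Inbound' log entries by destination port.

Everything below is a constructed example: the log lines, the addresses
and the listening-port set are made up, not the poster's real data.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the netfilter syslog layout that Firestarter's
# iptables rules write ("Inbound" log prefix). Nothing here is real traffic.
SAMPLE_LOG = """\
Jul 16 13:02:11 box kernel: Inbound IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=4211 DPT=5900 SYN
Jul 16 13:09:40 box kernel: Inbound IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP SPT=1167 DPT=5900 SYN
Jul 16 13:21:05 box kernel: Inbound IN=eth0 OUT= SRC=198.51.100.88 DST=192.0.2.10 PROTO=TCP SPT=3390 DPT=5900 SYN
Jul 16 13:22:30 box kernel: Inbound IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.10 PROTO=UDP SPT=137 DPT=137 LEN=58
Jul 16 13:41:12 box kernel: Inbound IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.10 PROTO=UDP SPT=137 DPT=137 LEN=58
Jul 16 13:45:00 box kernel: Inbound IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=50211 DPT=22 SYN
"""

# netfilter prints fields in a fixed order: ... SRC= ... PROTO= SPT= DPT= ...
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: Inbound .*?"
    r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return {ts, src, proto, dpt} for an Inbound line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog carries no year
    return {"ts": ts, "src": m.group("src"),
            "proto": m.group("proto"), "dpt": int(m.group("dpt"))}


def summarize(log_text):
    """Group hits by destination port: count, distinct sources, protocols, timestamps."""
    per_port = defaultdict(lambda: {"hits": 0, "sources": set(), "proto": set(), "times": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = per_port[rec["dpt"]]
        entry["hits"] += 1
        entry["sources"].add(rec["src"])
        entry["proto"].add(rec["proto"])
        entry["times"].append(rec["ts"])
    return dict(per_port)


def gap_minutes(times):
    """(shortest, longest) gap in minutes between consecutive hits, or (None, None)."""
    if len(times) < 2:
        return (None, None)
    times = sorted(times)
    gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
    return (min(gaps), max(gaps))


def classify(port, entry, listening_ports):
    """Label what a run of logged hits on `port` most likely means for the host."""
    if port in listening_ports:
        return "probe against an open service: review that service's own logs and auth"
    if len(entry["sources"]) >= 3:
        return "dropped probes from many sources to a closed port: untargeted scanning noise"
    return "dropped probes from a single source to a closed port: ask that source's admin"


def report(log_text, listening_ports):
    """One finding per destination port, most-hit first."""
    lines = []
    ranked = sorted(summarize(log_text).items(), key=lambda kv: -kv[1]["hits"])
    for port, entry in ranked:
        lo, hi = gap_minutes(entry["times"])
        gap = f"gaps {lo:.0f}-{hi:.0f} min" if lo is not None else "single hit"
        lines.append(f"port {port}/{'/'.join(sorted(entry['proto']))}: {entry['hits']} hits from "
                     f"{len(entry['sources'])} source(s), {gap}: "
                     f"{classify(port, entry, listening_ports)}")
    return lines


if __name__ == "__main__":
    # Constructed assumption: this host listens only on 22 (no VNC, no Samba).
    for finding in report(SAMPLE_LOG, listening_ports={22}):
        print(finding)
```

The decisive input is the listening-port set, not the log: a port that nothing listens on cannot be used to get in no matter how often it is probed, so the first check on a box with a "drop everything" policy is what is actually bound locally, and only then which of those open services the logged sources were touching.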