
Re: [cobalt-users] Cobalt DNS Problems



At 4/22/01 03:45 PM +0100, you wrote:
> Also someone sent me the following email (where their computer is
> trying to be accessed by my RAQ3):
>
> "The firewall has blocked Internet access to your computer (TCP Port 515)
> from XXX.XX.XX.X (TCP Port 2405)", where the X's represent my IP address
> (suddenly I'm very paranoid!).

Never hurts to be paranoid... especially if your server has no Earthly reason to go looking for a print server on the other guy's computer. Port 515 is used for printing. Is there any reason why your server would want to print on that guy's computer?

Generally speaking, I'd assume this is *abnormal* behavior and thus be very suspicious of a hack. There have been several well-publicized security holes in the printing system that uses 515 recently and it's a common target for hack attempts.

* Do a netstat -lenp and see what processes are listening on what ports.

* Check http://www.nohack.net/ports.html to see if any of the ports listening are known virii. The page has *not* been updated in a while, so something not being listed does *NOT* mean it's not evil.

* Your RaQ should pretty much only be listening on 20-21 (FTP), 22 (SSH), not 23 (disable telnet, use SSH), 25 (SMTP), 53 (DNS), 80 (HTTP), 81 (HTTP admin), 110 (POP3), 143 (IMAP), 443 (S-HTTP), and 587 (SMTP). Anything else is very suspect.

* Read through your /etc/inetd.conf (or /etc/xinetd.conf and the files in /etc/xinetd.d/), and see if there's anything strange in there. Particularly things that run a shell...

* Find and install chkrootkit, lionfind, and adorefind, all of which will help you see if you've already been hacked. Note that chkrootkit will report an infected bindshell somewhere if you've got PortSentry installed.

These are just initial suggestions... but there are many more possibilities to look for.


--
Rodolfo J. Paiz
rpaiz@xxxxxxxxxxxxxx
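The first two checklist items above (run netstat -lenp, then compare what is listening against the short list of ports a RaQ should expose) can be scripted. This is an added example, not code from the original post or from Cobalt; the port whitelist is the one given in the reply, and the netstat output is a constructed sample, not output from a real RaQ.

```shell
#!/bin/sh
# Ports a RaQ is expected to listen on, as listed in the reply above.
EXPECTED_PORTS="20 21 22 25 53 80 81 110 143 443 587"

# Reads `netstat -lenp` output on stdin and prints one line per listening
# socket whose local port is not in EXPECTED_PORTS: "proto port pid/program".
# TCP sockets count only in LISTEN state; every UDP socket shown is a listener.
unexpected_ports() {
    awk -v allowed="$EXPECTED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 !~ /^(tcp|udp)/ { next }            # skip banner and header lines
        $1 ~ /^tcp/ && $6 != "LISTEN" { next }  # tcp: listeners only
        {
            port = $4; sub(/.*:/, "", port)     # local address is field 4; port follows the last colon
            if (!(port in ok)) print $1, port, $NF
        }
    '
}

# Constructed sample of `netstat -lenp` output (not from a real machine):
# sshd, httpd and named are expected; telnet via inetd and lpd on 515 are not.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          1034       312/sshd
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      0          1040       288/inetd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      0          1201       455/httpd
tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN      0          1302       502/lpd
udp        0      0 0.0.0.0:53              0.0.0.0:*                           0          1100       398/named'

# On a live host replace the sample with: netstat -lenp | unexpected_ports
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_ports
```

Anything the script prints deserves the follow-up steps in the reply (inetd.conf review, chkrootkit); an empty result only means nothing outside the whitelist is listening, not that the host is clean.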