Full Version: Another Hacker Question
Robert83
Hi ,

it's me again, well today is the BIG day, I got a phone call that the hacker said that I should turn my computer on [it's always online],

the question is, I know your experience in this is 100x better than mine, is a sign of a hacker attack always a port scan? Or are there other signs?

I mean when I watch the messages.log in real time [it's sort of like the Matrix], I know by now [thanks to www.grc.com] that when a scan is triggered it runs really fast, same IP address, port numbers changing one by one... etc. Is there another sign of this?

also, do you have experience with Immunix [I was just reading about it, it seems that it's designed to be really secure out of the box]?

Sincerely
Robert B

ps.: sorry for asking again about this thing [please forgive]
Corey
Lol, I never realized it, but your /var/log/messages is like looking at the Matrix.

Sorry, I have no answer to your question, I just found that funny.
hughesjr
Well ... the way it works is normally like this...

The person is going to have to find a vulnerability ... He might just try a couple of big ones, but normally a port scanner is used to try and find specific ports or services running. So at least the major ports, like 21, 22, 25, 80, 110, 135, 137, 139, 443, 445 will be checked. If they find any of these open (like in your case port 80) then they might see what version your webserver is and try a known exploit for that ... or if they see port 22 open for ssh, they'll try the ssh protocol 1 exploit, etc.

Mostly, they will have their packets dropped with your firewall, except for maybe port 80 to a webserver.

So the only real thing they could try to exploit is the IPTABLES itself with something like a buffer overflow, or the Apache server (if you still have port 80 in forwarded to a web server).

I think you will pass...
hughesjr
How did this turn out?
Robert83
Hi,

I think it was a local guy, who works in a computer store here in my city [the client never told me who he is, I mean the hacker], but there is only one "stupid" guy like this in my city, who thinks he's god. The hacker still says that my computer is not turned on, because he can't ping me ... and he also told my client that once he was able to ping me, he would be able to hack me... well I'm not a pro in linux, but even I need to laugh at that, I called my client and told him to tell the hacker that "hahahaha, do you want me to share my / and write readme files in my /home on what to do with the system in order to change things inside it".

Just a note: this guy [which I'm 99.99% sure is him], told me once [when I was about to begin my journey into the world of linux], that even win95 is better than any distro of linux, and that win98 is better than winxp etc...

So you know how it is... they hate me, well actually every guy related to computers [and not selling parts to me] hates me, because I take away clients from them... but I'll try living with it

Thanks for your help!

Sincerely
Robert B

ps.: I don't say that my firewall is unbeatable, nor do I think that if I know how to set up a firewall, I know everything about linux, but this guy was just "stupid".
hughesjr
My external IP address is also not pingable from the outside ... but it is there.... I get e-mail and web hits all the time... but pings are blocked. (To fool people {like your hacker} who think ... If I can't ping it, it's not there)!

If your client (and not the hacker) doesn't think your external computer is there ... set up a website with port 80 open ... tell the client it is there, let him surf to it ... tell the client to have his hacker try to get in .... when the hacker says, hey his computer isn't even on ... tell the client to go back to the website and see that your computer is indeed ON .. and not detectable (much less hackable) by the hacker.... should be a sure sell!
Robert83
Okay,

I'll do it

I mean I'll start Apache up, with default settings

should be safe if I forward port 80 to my computer 192.168.0.102 right?

Sincerely
Robert B
Robert83
Hi,

well I've added a network card to my firewall, eth2, so:
eth0 = LAN, eth1 = internet, eth2 = webserver

eth2 at the firewall is 192.168.100.1
and at the webserver site is 192.168.100.2

my nat server is 192.168.10.2
eth0 is 192.168.10.1

here are my iptables rules

iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth1 -j ACCEPT
iptables -N drop-and-log-it
iptables -A drop-and-log-it -j LOG --log-prefix iptables --log-level info
iptables -A drop-and-log-it -j DROP
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth2 -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s 0/0 -d 0/0 -j drop-and-log-it
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i eth2 -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -s 0/0 -d 0/0 -j drop-and-log-it
iptables -A PREROUTING -t nat -p tcp -d xxx.xxx.xxx.xxx --dport 80 -j DNAT --to 192.168.100.2:80
iptables -A POSTROUTING -t nat -s 192.168.10.0/255.255.255.0 -o eth1 -j SNAT --to-source xxx.xxx.xxx.xxx


The problem is that I cannot access the webserver from my computer 192.168.0.102 [which is going out through the NAT server]. I type my public IP address like this in Mozilla: http://xxx.xxx.xxx.xxx and then on the firewall computer, while watching what is dropped, I get 192.168.10.2 trying to connect to 192.168.100.2 port 80 ... what is wrong here in this firewall ruleset?

Sincerely
Robert B
Robert83
forgot to add the line:

iptables -A FORWARD -i eth0 -o eth2 -j ACCEPT


Sincerely
Robert B
Robert83
Hi,

is the above mentioned iptables ruleset a good one with this DMZ? Is this the way to do it properly?

Sincerely
Robert B
Robert83
Hi,
this is how my iptables looks now:

iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth2 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT
iptables -N drop-and-log-it
iptables -A drop-and-log-it -j LOG --log-prefix iptables --log-level info
iptables -A drop-and-log-it -j DROP
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth2 -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s 0/0 -d 0/0 -j drop-and-log-it
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i eth2 -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -s 0/0 -d 0/0 -j drop-and-log-it
iptables -A PREROUTING -t nat -p tcp -d xxx.xxx.xxx.xxx --dport 80 -j DNAT --to 192.168.100.2:80
iptables -A POSTROUTING -t nat -s 192.168.10.0/255.255.255.0 -o eth1 -j SNAT --to-source xxx.xxx.xxx.xxx
iptables -A POSTROUTING -t nat -s 192.168.100.0/255.255.255.0 -o eth1 -j SNAT --to-source xxx.xxx.xxx.xxx

the problem is that I can't access my webpage from the internal LAN [I type 217.26.69.17], but I can access it from the outside world...

iptables simply drops outgoing packets from 192.168.100.2 to 192.168.10.2

it writes out lines like these:
IptablesIN=eth2 OUT=eth0 SRC=192.168.100.2 DST=192.168.10.2 LEN=60 TOS=0x00 ....
IptablesIN=eth0 OUT=eth2 SRC=192.168.10.2 DST=192.168.100.2 ...

what is the problem?

Sincerely
Robert B
Robert83
please forgive me that I post this again,
but please help me, what did I do wrong, what was the mistake that I made?
I was trying to figure this out, but I just can't... maybe I'm overlooking something...

Sincerely
Robert B
hughesjr
I don't see anything wrong ... try putting the PREROUTING line before the:

iptables -A FORWARD -s 0/0 -d 0/0 -j drop-and-log-it
------------------------------------------
also ... when you get it working ...... change the:

iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT

to

iptables -A FORWARD -i eth2 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

(otherwise if someone breaks into the webserver, they can get into the internal LAN)
Robert83
Thank you for the info
and THANK you for your advice!

thanks

Sincerely
Robert B
Robert83
Hi, I did what you told me to do,

and I get the following drop-and-log-it now...

iptables IN=eth0 OUT=eth2 SRC=192.168.10.2[nat/proxy/dns-->I'm behind this[192.168.0.102]] DST=192.168.100.2 [webserver]
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth2 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -N drop-and-log-it
iptables -A drop-and-log-it -j LOG --log-prefix iptables --log-level info
iptables -A drop-and-log-it -j DROP
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth2 -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A PREROUTING -t nat -p tcp -d xxx.xxx.xxx.xxx --dport 80 -j DNAT --to 192.168.100.2:80
iptables -A FORWARD -s 0/0 -d 0/0 -j drop-and-log-it
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i eth2 -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -s 0/0 -d 0/0 -j drop-and-log-it
iptables -A POSTROUTING -t nat -s 192.168.10.0/255.255.255.0 -o eth1 -j SNAT --to-source xxx.xxx.xxx.xxx
iptables -A POSTROUTING -t nat -s 192.168.100.0/255.255.255.0 -o eth1 -j SNAT --to-source xxx.xxx.xxx.xxx


Sincerely
Robert B
hughesjr
Try moving the

iptables -A FORWARD -s 0/0 -d 0/0 -j drop-and-log-it

to the bottom of the script...
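The two points hughesjr makes in this thread (the catch-all logger must be the last FORWARD rule, and DMZ-to-LAN traffic should be replies only) put together into one script. This is an added example, not Robert's script or anything from the thread; it assumes the same interfaces and subnets he describes, uses a placeholder public address in place of xxx.xxx.xxx.xxx, and flushes the tables first so that re-running it never leaves an old drop rule ahead of the new ACCEPTs.

```shell
#!/bin/sh
# Three-legged DMZ firewall assembled from the rules in this thread (added
# example, not Robert's script). eth0 = LAN 192.168.10.0/24, eth1 = Internet,
# eth2 = DMZ 192.168.100.0/24, web server 192.168.100.2 behind the firewall.
IPT=${IPT:-iptables}                 # set IPT=echo for a dry run
PUBLIC_IP=${PUBLIC_IP:-203.0.113.10} # placeholder for the thread's xxx.xxx.xxx.xxx
LAN_NET=192.168.10.0/24
DMZ_NET=192.168.100.0/24
WEB=192.168.100.2
build_rules() {
  # Flush first: re-running a script that only appends (-A) leaves the old
  # catch-all logger ahead of any rule added later, which drops new traffic.
  $IPT -F; $IPT -X; $IPT -t nat -F
  $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT

  $IPT -N drop-and-log-it
  # Trailing space in the prefix keeps "iptables " and "IN=" apart in syslog.
  $IPT -A drop-and-log-it -j LOG --log-prefix "iptables " --log-level info
  $IPT -A drop-and-log-it -j DROP

  # FORWARD: every ACCEPT goes before the catch-all logger, which is last.
  $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A FORWARD -i eth0 -o eth1 -j ACCEPT   # LAN -> Internet
  $IPT -A FORWARD -i eth2 -o eth1 -j ACCEPT   # DMZ -> Internet
  $IPT -A FORWARD -i eth0 -o eth2 -j ACCEPT   # LAN -> DMZ
  $IPT -A FORWARD -i eth1 -o eth2 -p tcp --dport 80 -m state --state NEW -j ACCEPT
  # No eth2 -> eth0 rule for NEW connections: replies are already covered by
  # ESTABLISHED,RELATED, so a compromised web server cannot reach into the LAN.
  $IPT -A FORWARD -j drop-and-log-it

  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A INPUT -i eth0 -j ACCEPT
  $IPT -A INPUT -i eth2 -j ACCEPT   # narrow to needed ports if the DMZ host should not manage the firewall
  $IPT -A INPUT -j drop-and-log-it

  # DNAT applies to packets from any interface, so a LAN client browsing to the
  # public IP is redirected too; the reply from WEB routes back through the
  # firewall and conntrack undoes the translation, so no hairpin SNAT is needed.
  $IPT -t nat -A PREROUTING -p tcp -d "$PUBLIC_IP" --dport 80 -j DNAT --to-destination "$WEB:80"
  $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o eth1 -j SNAT --to-source "$PUBLIC_IP"
  $IPT -t nat -A POSTROUTING -s "$DMZ_NET" -o eth1 -j SNAT --to-source "$PUBLIC_IP"
}
dry_run() { (IPT=echo; build_rules); }     # print the ruleset, touch nothing
forward_drop_position() {                  # 1-based index of the logger in FORWARD
  dry_run | grep -- '-A FORWARD' | grep -n 'drop-and-log-it' | cut -d: -f1
}
if [ "${1:-}" = apply ]; then build_rules; fi   # sh dmz-fw.sh apply (as root)
```

Run `IPT=echo sh dmz-fw.sh apply` to review the exact rule order before applying it for real.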
Robert83
Hi,
it works now, thank you for your help very, very much!


Guess what, as you know Fedora Core 1 [the mythtv test thingie], I just set it up to work as a webserver [using defaults, no iptables or any security], well I just sat by it to check something out, the monitor was blank so I moved the mouse, and I saw at the login the following: "Fedora Core Eliminated". Now this is either a hacker attack or my friend [he is going to get it tomorrow], I've checked the system with ./chkrootkit, found nothing, also checked the log files for Apache, no one from the world logged into it, only me from my other cable modem [which has a private IP address].

So I don't know whether to panic or not... I guess a hacker would normally not do such a thing since this would reveal him to me, and that's something a hacker would normally not want, right...?


Thanks for your iptables help again, thank you thank you thank you

Sincerely
Robert B