Reading apf log: outgoing packets, hacked?

Miss Jacky

Well-Known Member
Hi,

Yesterday I installed APF because someone was flooding us with HTTP requests, causing MaxClients to reach its limit and as such creating problems with the HTTP server. I was able to catch the attacker's IP in a netstat -an and added his IP to the deny_hosts list. After this I noticed in /var/log/messages that packets coming from that IP were indeed being blocked. So far so good.

But now I notice in my latest logwatch mail:

Dropped 2167 packets on interface eth0
...
From <ourserverip> - 61 packets
To <attackerip> - 31 packets
Service: 1656 (tcp/1656) (** OUT_TCP DROP **,none,eth0) - 1 packet
Service: 1845 (tcp/1845) (** OUT_TCP DROP **,none,eth0) - 6 packets
Service: 2393 (tcp/2393) (** OUT_TCP DROP **,none,eth0) - 2 packets
...
(To <someotherip> - 6 packets
Service: 3099 (tcp/3099) (** OUT_TCP DROP **,none,eth0) - 6 packets
To <someotherip> - 9 packets
Service: 61006 (tcp/61006) (** OUT_TCP DROP **,none,eth0) - 8 packets
Service: 61070 (tcp/61070) (** OUT_TCP DROP **,none,eth0) - 1 packet
To <someotherip> - 6 packets
Service: 3350 (tcp/3350) (** OUT_TCP DROP **,none,eth0) - 6 packets)
It seems as if the firewall blocked outgoing packets -from- our server -to- the IP I blocked earlier. (Also some packets to other IPs.)

But I'm wondering now if this is normal? Or is my server compromised with a trojan or something and sending out stuff? It is obviously possible that <attackerip> is still trying to do something, but do these OUTgoing packets prove he managed to hack us somewhere?

(Trojan check in WHM already done)

Thanks a lot, of course, to anyone with comments on this.

Regards,

Jacky
 

SarcNBit

Well-Known Member
Miss Jacky said:
(Trojan check in WHM already done)
That query is relatively worthless.

Search these forums for information on rkhunter and chkrootkit.
 

Miss Jacky

Well-Known Member
ok, found this with chkrootkit:

Checking `bindshell'... INFECTED (PORTS: 465)

so that's a rootkit huh? *HELP* :)

is it really a malicious rootkit or is this a false positive?

what else do I do besides closing port 465 in apf?

thanks!
 

chirpy

Well-Known Member
Verified Vendor
port 465 is a false-positive (it's ssmtp - SMTP over SSL) and not a problem.

I'd suspect that it's just an outgoing port from the server initiated from a normal incoming port. Unfortunately, the logwatch report only gives you one port, which is not helpful. You really need to search /var/log/messages to check the iptables log line for those accesses and look at the dst and src port to determine if there might be a problem.

I would hazard an opinion that it's not a problem, but you should run both the utilities SarcNBit mentioned.
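Added example, not part of the thread: chirpy's advice above is to read the actual iptables log lines in /var/log/messages and look at the source and destination ports, because the logwatch summary only shows one port. This Python snippet does that triage over constructed sample lines in the APF/iptables LOG format (the "** OUT_TCP DROP **" prefix as in the logwatch report). The addresses, ports, hostnames and the list of ports the server is assumed to listen on are all assumptions made for the example; nothing here comes from the poster's server.

```python
import re

# Constructed sample of APF/iptables LOG lines as they appear in /var/log/messages.
# Addresses, ports and timestamps are made up for this example.
SAMPLE_LOG = """\
Nov 12 03:14:01 web kernel: ** OUT_TCP DROP ** IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=1656 WINDOW=0 RES=0x00 ACK RST URGP=0
Nov 12 03:14:02 web kernel: ** OUT_TCP DROP ** IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=1845 WINDOW=0 RES=0x00 ACK RST URGP=0
Nov 12 03:15:10 web kernel: ** OUT_TCP DROP ** IN= OUT=eth0 SRC=203.0.113.10 DST=192.0.2.55 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=43211 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 12 03:16:00 web kernel: ** IN_TCP DROP ** IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=777 DF PROTO=TCP SPT=2393 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Ports this server is assumed to listen on (a typical cPanel host: FTP, SSH, SMTP,
# DNS, HTTP/HTTPS, POP3/IMAP, SSMTP, IMAPS/POP3S and the cPanel/WHM ports).
LOCAL_SERVICE_PORTS = {21, 22, 25, 53, 80, 110, 143, 443, 465, 993, 995,
                       2082, 2083, 2086, 2087, 2095, 2096}

LOG_RE = re.compile(
    r"\*\* (?P<prefix>[A-Z_]+ DROP) \*\* .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?"
    r"PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)(?P<rest>.*)$"
)
TCP_FLAGS = ("SYN", "ACK", "RST", "FIN")


def parse_line(line):
    """Return the interesting fields of one iptables LOG line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    return {
        "prefix": m.group("prefix"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": m.group("proto"),
        "spt": int(m.group("spt")),
        "dpt": int(m.group("dpt")),
        # TCP flags are printed as bare words after RES=...
        "flags": {f for f in TCP_FLAGS if re.search(r"\b%s\b" % f, rest)},
    }


def classify(pkt):
    """Decide what an outbound drop most likely is, from its port pair and TCP flags."""
    if not pkt["prefix"].startswith("OUT_"):
        return "inbound"
    # Our daemon's port as source, the peer's ephemeral port as destination: a reply
    # (here an RST) that APF dropped because the peer is in deny_hosts. Expected.
    if pkt["spt"] in LOCAL_SERVICE_PORTS and pkt["dpt"] >= 1024:
        return "service-reply"
    # Ephemeral source port and a bare SYN: this host opened the connection itself.
    # Fine for outbound mail or updates; otherwise find the owning process.
    if pkt["spt"] >= 1024 and "SYN" in pkt["flags"] and "ACK" not in pkt["flags"]:
        return "outbound-initiated"
    return "unclassified"


def triage(log_text):
    """Parse every LOG line in log_text and attach a verdict to each."""
    results = []
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt is not None:
            pkt["verdict"] = classify(pkt)
            results.append(pkt)
    return results


def outbound_initiated(log_text):
    """Only the drops worth a closer look: connections this host opened itself."""
    return [p for p in triage(log_text) if p["verdict"] == "outbound-initiated"]


if __name__ == "__main__":
    for p in triage(SAMPLE_LOG):
        print("%-7s %s:%d -> %s:%d  %-8s %s" % (
            p["prefix"].split()[0], p["src"], p["spt"], p["dst"], p["dpt"],
            ",".join(sorted(p["flags"])), p["verdict"]))
```

On a live box, pass the output of `grep 'OUT_TCP DROP' /var/log/messages` to `triage()`; the first two sample lines are the case chirpy describes (the web server answering from port 80 to the blocked host's high ports), while the third is the kind of line that deserves a `netstat -anp` or `lsof -i` lookup of the owning process.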
 

Miss Jacky

Well-Known Member
Thanks for your reply (SarcNBit too, by the way).

I noticed indeed that port 465 is ssmtp, but is it also normal that it comes up as 'bindshell'? (Sorry if that's a stupid question.)

I get these warnings with rkhunter:

/usr/sbin/prelink: /bin/egrep: at least one of file's dependencies has changed since prelinking
/usr/sbin/prelink: /bin/egrep: at least one of file's dependencies has changed since prelinking
/bin/egrep [ BAD ]
/usr/sbin/prelink: /bin/fgrep: at least one of file's dependencies has changed since prelinking
/usr/sbin/prelink: /bin/fgrep: at least one of file's dependencies has changed since prelinking
/bin/fgrep [ BAD ]
/usr/sbin/prelink: /bin/grep: at least one of file's dependencies has changed since prelinking
/usr/sbin/prelink: /bin/grep: at least one of file's dependencies has changed since prelinking
/bin/grep [ BAD ]

and

* Application version scan
- Exim MTA 4.41 [ OK ]
- GnuPG 1.2.3 [ Vulnerable ]
- Apache [unknown] [ OK ]
- Bind DNS [unknown] [ OK ]
- OpenSSL 0.9.7a [ Vulnerable ]
- PHP 4.3.4 [ Vulnerable ]
- PHP 4.3.4 [ Vulnerable ]
- Procmail MTA 3.22 [ OK ]
- ProFTPd 1.2.9 [ Vulnerable ]
- OpenSSH 3.6.1p2 [ Vulnerable ]


No other things detected.

The warnings about the /bin/*grep are supposed to be pretty normal, is this so?
And these 'vulnerable' warnings with the application scan, is this because the version number is old?

Thanks a lot for your help - sorry for my stupid english now and then ;-)
 

Aric1

Well-Known Member
If someone on your server is running bindshell, then that is a potential security risk. You should remove it and track down the user/account that installed it.

The prelinking errors you mention are not common, and you should check those files, and replace them with fresh copies if needed.

As for the vulnerable warnings, rkhunter just notes if the version # reported matches one that has had reported security issues. If you are running a RedHat Linux version, RH sometimes takes older versions of some software and backports security fixes, so the reported vulnerability may not be one at all.

I will say that your version of PHP needs to be upgraded, for sure. Upgrade to 4.3.9.
 

SarcNBit

Well-Known Member
Miss Jacky said:
I get this warnings with rkhunter:

<snip>

The warnings about the /bin/*grep are supposed to be pretty normal, is this so?
And these 'vulnerable' warnings with the application scan, is this because the versionnumber is old?
Check out FAQ #s B8 and E1 from the Rootkit Hunter FAQ.
 

Miss Jacky

Well-Known Member
The FAQ pointers seemed to help.. (RTFF I suppose...)

- I'm running portsentry, so this would explain the false positive on 465. I should check this portsentry out anyhow; it seems there is an issue running portsentry and APF together.

- /etc/cron.daily/prelink fixed the prelink errors.

And I will be doing some updating shortly :)

Thanks for your input guys!
 

chirpy

Well-Known Member
Verified Vendor
Yup, actually, those prelink problems are very common - on Fedora OSes. Also, despite what Aric1 said, port 465 is a known port and can be safely ignored. As I said, it's ssmtp, which runs by default on all cPanel servers.
 

chirpy

Well-Known Member
Verified Vendor
Also, if you enable the antidos part of APF there is no need to run portsentry at all and I would suggest disabling it, otherwise you may have problems:

To disable it:

service portsentry off
chkconfig portsentry off
 

Miss Jacky

Well-Known Member
Running antidos now, seems like a nice system. Disabled portsentry too, tnx for the instructions.

(Anyone reading this thread out of interest in APF/antidos:
I also noticed these instructions (http://www.webhostgear.com/167.html) to separate drop logs from /var/log/messages into another, separate log. When following these instructions, on editing apf/firewall, just add '--log-level debug'; don't remove '--log-prefix..'. Antidos uses these prefixes, see apf/ad/chains.
You could of course also alter antidos itself to not filter on these chains..

Hope someday, far far away.. someone will be helped with this :rolleyes: )


But a follow-up question on APF is rising... I read somewhere to check open ports with 'nmap -sT -O localhost'.. but it seems the list of open ports that gives me is still different from the ports I configured in APF..
Is this normal?

>>> moving this question to new thread here.
 

chirpy

Well-Known Member
Verified Vendor
Indeed, sorry. However, the bindshell hit from chkrootkit is a well known false-positive if you're running a known service on a port that chkrootkit checks on, i.e. in this case, port 465, and in general, portsentry.
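Added example, not part of the thread: the conclusion above is that chkrootkit's bindshell check reports any listener on one of the ports it probes, so an ssmtp daemon on 465, or portsentry's decoy sockets, show up as "INFECTED". The cross-check a practitioner wants is "who owns that port right now?". This Python snippet takes the ports from the chkrootkit line and looks each one up in `netstat -lntp` output, then separates expected daemons and portsentry decoys from ports that still need a look. The chkrootkit line, the netstat output, the program names and the expected-owner table are all constructed for the example and are assumptions about a cPanel-style host, not data from the poster's server.

```python
import re

# Constructed chkrootkit output line (chkrootkit's own format; the ports are made up).
CHKROOTKIT_OUTPUT = "Checking `bindshell'... INFECTED (PORTS:  465 1524 31337)"

# Constructed `netstat -lntp` output for the same host. Program names are assumed.
# The last line shows what netstat prints when it cannot see the owner (e.g. not root).
NETSTAT_OUTPUT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN      1234/exim
tcp        0      0 0.0.0.0:1524            0.0.0.0:*               LISTEN      2222/portsentry
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      3456/httpd
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN      -
"""

# Daemons expected to own a given port on this host (assumed; adjust to your box).
EXPECTED_OWNERS = {
    25: {"exim"},
    465: {"exim"},      # ssmtp: SMTP over SSL, served by exim on cPanel hosts
    80: {"httpd"},
    443: {"httpd"},
}
# portsentry binds decoy listeners on the ports it watches; chkrootkit sees those too.
DECOY_PROGRAMS = {"portsentry"}


def parse_chkrootkit_ports(text):
    """Extract the port list from chkrootkit's bindshell INFECTED line."""
    m = re.search(r"bindshell'\.\.\. INFECTED \(PORTS:\s*([\d\s]+)\)", text)
    return sorted(int(p) for p in m.group(1).split()) if m else []


def parse_listeners(netstat_text):
    """Map each listening TCP port to its program name ('-' when netstat could not tell)."""
    listeners = {}
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[0] not in ("tcp", "tcp6") or parts[5] != "LISTEN":
            continue
        port = int(parts[3].rsplit(":", 1)[1])      # handles 0.0.0.0:465 and :::465
        pidprog = parts[6]                           # "1234/exim" or "-"
        listeners[port] = pidprog.split("/", 1)[1] if "/" in pidprog else pidprog
    return listeners


def explain_bindshell(chkrootkit_text, netstat_text):
    """Give each chkrootkit-flagged port a verdict based on who is listening on it."""
    verdicts = {}
    listeners = parse_listeners(netstat_text)
    for port in parse_chkrootkit_ports(chkrootkit_text):
        prog = listeners.get(port)
        if prog is None:
            # Nothing bound now; chkrootkit may have seen a transient socket. Re-run both.
            verdicts[port] = "nothing-listening-now"
        elif prog == "-":
            # netstat could not see the owner; re-run as root or use `lsof -i :PORT`.
            verdicts[port] = "owner-unknown"
        elif prog in DECOY_PROGRAMS:
            verdicts[port] = "portsentry-decoy"
        elif prog in EXPECTED_OWNERS.get(port, set()):
            verdicts[port] = "expected-service"
        else:
            verdicts[port] = "investigate"
    return verdicts


if __name__ == "__main__":
    for port, verdict in explain_bindshell(CHKROOTKIT_OUTPUT, NETSTAT_OUTPUT).items():
        print("port %-5d %s" % (port, verdict))
```

Only "investigate" and "owner-unknown" results need follow-up: the former is an unexpected binary on a port chkrootkit probes, the latter just means the lookup must be repeated with enough privilege to see the owning process. Closing the port in APF, as the original question suggested, hides the listener from the outside but tells you nothing about what is bound to it.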