Reading apf log: outgoing packets, hacked?

Discussion in 'General Discussion' started by Miss Jacky, Oct 6, 2004.

  1. Miss Jacky

    Hi,

    Yesterday I installed APF because someone was flooding us with http requests causing maxclients to reach its limit and as such creating problems with the http server. I was able to catch the ip of the attacker in a netstat -an, and added his ip to the deny_hosts list. After this I noticed in /var/log/messages that indeed packets coming from that ip were being blocked. So far so good.

    But now I notice in my latest logwatch mail:

    Dropped 2167 packets on interface eth0
    ...
    From <ourserverip> - 61 packets
    To <attackerip> - 31 packets
    Service: 1656 (tcp/1656) (** OUT_TCP DROP **,none,eth0) - 1 packet
    Service: 1845 (tcp/1845) (** OUT_TCP DROP **,none,eth0) - 6 packets
    Service: 2393 (tcp/2393) (** OUT_TCP DROP **,none,eth0) - 2 packets
    ...
    (To <someotherip> - 6 packets
    Service: 3099 (tcp/3099) (** OUT_TCP DROP **,none,eth0) - 6 packets
    To <someotherip> - 9 packets
    Service: 61006 (tcp/61006) (** OUT_TCP DROP **,none,eth0) - 8 packets
    Service: 61070 (tcp/61070) (** OUT_TCP DROP **,none,eth0) - 1 packet
    To <someotherip> - 6 packets
    Service: 3350 (tcp/3350) (** OUT_TCP DROP **,none,eth0) - 6 packets)
    It seems as if the firewall blocked outgoing packets -from- our server -to- the ip I blocked earlier. (Also some packets to other IPs.)

    But I'm wondering now if this is normal? Or is my server compromised with a trojan or something and sending out stuff? It is obviously possible that <attackerip> still is trying to do something, but do these OUTgoing packets prove he managed to hack us somewhere?

    (Trojan check in WHM already done)

    Thanks a lot, of course, to anyone with comments on this.

    Regards,

    Jacky
     
  2. SarcNBit

    That query is relatively worthless.

    Search these forums for information on rkhunter and chkrootkit.
     
  3. Miss Jacky

    ok, found this with chkrootkit:

    Checking `bindshell'... INFECTED (PORTS: 465)

    so that's a rootkit huh? *HELP* :)

    is it really a malicious rootkit or is this a false positive?

    what else do I do besides closing port 465 in apf?

    thanks!
     
  4. chirpy

    port 465 is a false-positive (it's ssmtp - SMTP over SSL) and not a problem.

    I'd suspect that it's just an outgoing port from the server initiated from a normal incoming port. Unfortunately, the logwatch report only gives you one port, which is not helpful. You really need to search /var/log/messages to check the iptables log line for those accesses and look at the dst and src port to determine if there might be a problem.

    I would hazard an opinion that it's not a problem, but you should run both the utilities SarcNBit mentioned.
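The check chirpy describes, reading the raw iptables lines instead of the logwatch summary, can be scripted. The following is an added example and not code from the thread or from APF: it parses APF-style DROP lines from /var/log/messages, looks at the source port, destination port and TCP flags, and labels each outbound drop as a reply from one of the server's own services (expected once the client IP is in deny_hosts) or as a connection the server itself opened (the case worth tracing to a process). The sample log lines are constructed, the addresses are documentation ranges, and the LOCAL_SERVICES set of listening ports is an assumption about the host.

```python
import re
from collections import Counter

# Constructed sample lines in the shape APF/iptables writes to /var/log/messages.
# They are not taken from the thread; addresses are documentation ranges.
SAMPLE_LOG = """\
Oct  6 10:01:02 web kernel: ** OUT_TCP DROP ** IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=1845 WINDOW=0 RES=0x00 ACK RST URGP=0
Oct  6 10:01:03 web kernel: ** OUT_TCP DROP ** IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=1845 WINDOW=0 RES=0x00 ACK RST URGP=0
Oct  6 10:02:15 web kernel: ** OUT_TCP DROP ** IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=43721 DF PROTO=TCP SPT=2393 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  6 10:03:40 web kernel: ** IN_TCP DROP ** IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1 DF PROTO=TCP SPT=3099 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  6 10:04:01 web sshd[123]: Accepted publickey for admin from 203.0.113.5 port 51002 ssh2
"""

# Ports this server is assumed to serve on (cPanel defaults plus mail/web/ssh).
# This set is an assumption; take the real list from `netstat -tlnp` on the host.
LOCAL_SERVICES = {21, 22, 25, 53, 80, 110, 143, 443, 465, 993, 995,
                  2082, 2083, 2086, 2087, 2095, 2096}

DROP_RE = re.compile(
    r"\*\* (?P<chain>\w+) DROP \*\* .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)
FLAGS_RE = re.compile(r"RES=\S+ (?P<flags>[A-Z ]*?)URGP=")


def parse_drop_line(line):
    """Return the fields of one iptables DROP line, or None for lines that
    are not TCP/UDP drop records (other syslog traffic, ICMP without ports)."""
    m = DROP_RE.search(line)
    if not m:
        return None
    f = FLAGS_RE.search(line)
    flags = set(f.group("flags").split()) if f else set()
    return {
        "chain": m.group("chain"),
        "src": m.group("src"), "dst": m.group("dst"),
        "proto": m.group("proto"),
        "spt": int(m.group("spt")), "dpt": int(m.group("dpt")),
        "flags": flags,
    }


def classify(entry, local_services=LOCAL_SERVICES):
    """Label a drop by who initiated the conversation, which is exactly what
    the logwatch summary hides by showing only the destination port."""
    if not entry["chain"].startswith("OUT_"):
        return "inbound-drop"
    if "SYN" in entry["flags"] and "ACK" not in entry["flags"]:
        # A bare SYN leaving the box means a local process opened the
        # connection: this is the case worth tracing to a PID.
        return "outbound-connect-attempt"
    if entry["spt"] in local_services:
        # Source port is one of our daemons: a reply (ACK/RST/FIN) to a
        # client we now block. Expected after adding the IP to deny_hosts.
        return "local-service-reply"
    return "other-outbound"


def summarize(log_text, local_services=LOCAL_SERVICES):
    """Count drops per (category, src, spt, dst, dpt) tuple."""
    counts = Counter()
    for line in log_text.splitlines():
        e = parse_drop_line(line)
        if e is None:
            continue
        key = (classify(e, local_services), e["src"], e["spt"], e["dst"], e["dpt"])
        counts[key] += 1
    return counts


def suspicious(log_text, local_services=LOCAL_SERVICES):
    """The (src, spt, dst, dpt) tuples the admin should chase with netstat/lsof."""
    return sorted(
        key[1:] for key in summarize(log_text, local_services)
        if key[0] == "outbound-connect-attempt"
    )


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        cat, src, spt, dst, dpt = key
        print(f"{n:4d}  {cat:24s} {src}:{spt} -> {dst}:{dpt}")
    print("investigate:", suspicious(SAMPLE_LOG))
```

Run it against the real file with `python3 script.py < /dev/null` after replacing SAMPLE_LOG with `open("/var/log/messages").read()`. Drops whose source port is a local service and whose destination port is high are the httpd replies to a now-blocked client; a bare SYN with a high source port is the only class that points at a process on the server, and that PID is what `netstat -anp` or `lsof -i` should be asked about.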
     
  5. Aric1

    rkhunter is a bit more accurate, and certainly updated more often, but any such tool isn't entirely foolproof and does require that the sysadmin take an active role in protecting the server and investigating potential issues to see if they really are.
     
  6. Miss Jacky

    Tnx for your reply, (SarcNBit too btw)

    I noticed indeed that port 465 is ssmtp, but is it also normal that it comes up with 'bindshell'? (sorry if that's a stupid question)

    I get these warnings with rkhunter:

    /usr/sbin/prelink: /bin/egrep: at least one of file's dependencies has changed since prelinking
    /usr/sbin/prelink: /bin/egrep: at least one of file's dependencies has changed since prelinking
    /bin/egrep [ BAD ]
    /usr/sbin/prelink: /bin/fgrep: at least one of file's dependencies has changed since prelinking
    /usr/sbin/prelink: /bin/fgrep: at least one of file's dependencies has changed since prelinking
    /bin/fgrep [ BAD ]
    /usr/sbin/prelink: /bin/grep: at least one of file's dependencies has changed since prelinking
    /usr/sbin/prelink: /bin/grep: at least one of file's dependencies has changed since prelinking
    /bin/grep [ BAD ]

    and

    * Application version scan
    - Exim MTA 4.41 [ OK ]
    - GnuPG 1.2.3 [ Vulnerable ]
    - Apache [unknown] [ OK ]
    - Bind DNS [unknown] [ OK ]
    - OpenSSL 0.9.7a [ Vulnerable ]
    - PHP 4.3.4 [ Vulnerable ]
    - PHP 4.3.4 [ Vulnerable ]
    - Procmail MTA 3.22 [ OK ]
    - ProFTPd 1.2.9 [ Vulnerable ]
    - OpenSSH 3.6.1p2 [ Vulnerable ]

    No other things detected.

    The warnings about the /bin/*grep are supposed to be pretty normal, is this so?
    And these 'vulnerable' warnings with the application scan, is this because the version number is old?

    Thanks a lot for your help - sorry for my stupid english now and then ;-)
     
  7. Aric1

    If someone on your server is running bindshell, then that is a potential security risk. You should remove it and track down the user/account that installed it.

    The prelinking errors you mention are not common, and you should check those files, and replace them with fresh copies if needed.

    As for the vulnerable warnings, rkhunter just notes if the version # reported matches one that has had reported security issues. If you are running a RedHat Linux version, RH sometimes takes older versions of some software and backports security fixes, so the reported vulnerability may not be one at all.

    I will say that your version of PHP needs to be upgraded, for sure. Upgrade to 4.3.9.
     
  8. SarcNBit

    Check out FAQ #7 on the chkrootkit homepage.
     
  9. SarcNBit

    Check out FAQ #s B8 and E1 from the Rootkit Hunter FAQ.
     
  10. Miss Jacky

    The FAQ pointers seemed to help.. (RTFF I suppose...)

    - I'm running portsentry, so this would explain the false positive on 465. Should check this portsentry out anyhow, it seems to be an issue running portsentry and APF together

    - /etc/cron.daily/prelink fixed the prelink errors.

    And I will be doing some updating shortly :)

    Thanks for your input guys!
     
  11. chirpy

    Yup, actually, those prelink problems are very common - on Fedora OSes. Also, despite what Aric1 said, port 465 is a known port and can be safely ignored. As I said, it's ssmtp which runs by default on all cPanel servers.
     
  12. chirpy

    Also, if you enable the antidos part of APF there is no need to run portsentry at all and I would suggest disabling it, otherwise you may have problems:

    To disable it:

    service portsentry stop
    chkconfig portsentry off
     
  13. SarcNBit

    Always a good idea ;) :)
     
  14. Miss Jacky

    Running antidos now, seems like a nice system. Disabled portsentry too, tnx for the instructions.

    (Anyone reading this thread out of interest in APF/antidos:
    I also noticed these (http://www.webhostgear.com/167.html) instructions to separate drop logs from /var/log/messages to another separate log. When following these instructions, on editing the apf/firewall, just add the '--log-level debug', don't remove '--log-prefix..'. Antidos uses these prefixes, see apf/ad/chains.
    You could of course also alter antidos itself to not filter on these chains..

    Hope someday, far far away.. someone will be helped with this :rolleyes: )


    But a follow-up question on APF is rising... I read somewhere to check open ports with 'nmap -sT -O localhost' .. but it seems the list of open ports that gives me is still different from the ports I configured in APF..
    Is this normal?

    >>> moving this question to new thread here.
     
    #14 Miss Jacky, Oct 7, 2004
    Last edited: Oct 8, 2004
  15. Aric1

    I didn't say anything about port 465.
     
  16. chirpy

    Indeed, sorry. However, the bindshell hit from chkrootkit is a well known false-positive if you're running a known service on a port that chkrootkit checks on, i.e. in this case, port 465, and in general, portsentry.
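The triage chirpy describes (a chkrootkit bindshell hit is a false positive when a known service, or portsentry, owns the port) can be made mechanical by asking netstat who listens on each flagged port. This is an added example, not code from the thread, chkrootkit or cPanel: it parses `netstat -tlnp` output and, for each port chkrootkit reported, reports the owning program and whether it is expected there. The netstat text, PIDs, program names and the EXPECTED map are constructed assumptions; adjust the map to the daemons actually installed on the host.

```python
# Constructed `netstat -tlnp` output; not from the thread. The port numbers,
# PIDs and program names are made up for the example.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN      1234/exim
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1300/httpd
tcp        0      0 0.0.0.0:1524            0.0.0.0:*               LISTEN      2200/portsentry
tcp        0      0 0.0.0.0:2001            0.0.0.0:*               LISTEN      4321/perl
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -
"""

# Which program is expected on which port on this host (assumed cPanel-style layout).
EXPECTED = {22: {"sshd"}, 25: {"exim"}, 465: {"exim"}, 80: {"httpd"}, 443: {"httpd"}}
# Programs that deliberately bind many ports and so trip chkrootkit's bindshell port list.
DECOY_PROGRAMS = {"portsentry"}


def parse_listeners(netstat_text):
    """Map local port -> (pid, program) for every LISTEN socket.
    pid/program are None when netstat printed '-' (not run as root)."""
    listeners = {}
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 6 or cols[5] != "LISTEN":
            continue
        port = int(cols[3].rsplit(":", 1)[1])       # works for IPv4 and IPv6 forms
        owner = cols[6] if len(cols) > 6 else "-"
        if owner == "-":
            listeners[port] = (None, None)
        else:
            pid, prog = owner.split("/", 1)
            listeners[port] = (int(pid), prog)
    return listeners


def triage_bindshell(netstat_text, flagged_ports, expected=EXPECTED, decoys=DECOY_PROGRAMS):
    """For each port chkrootkit flagged as 'bindshell', say what actually owns it."""
    listeners = parse_listeners(netstat_text)
    verdicts = {}
    for port in flagged_ports:
        if port not in listeners:
            verdicts[port] = "no listener now; re-run chkrootkit, a transient socket may have matched"
            continue
        pid, prog = listeners[port]
        if prog is None:
            verdicts[port] = "owner hidden; re-run netstat as root"
        elif prog in expected.get(port, set()):
            verdicts[port] = f"expected service {prog} (pid {pid}), false positive"
        elif prog in decoys:
            verdicts[port] = f"{prog} decoy socket (pid {pid}), known false positive"
        else:
            verdicts[port] = f"unexpected listener {prog} (pid {pid}), inspect /proc/{pid}/exe and cwd"
    return verdicts


if __name__ == "__main__":
    for port, verdict in triage_bindshell(SAMPLE_NETSTAT, [465, 1524, 2001, 9999]).items():
        print(f"port {port}: {verdict}")
```

On a live host, feed it the output of `netstat -tlnp` run as root (otherwise the PID/Program column is `-` and nothing can be attributed) together with the port list from the chkrootkit message. Only the "unexpected listener" verdict needs follow-up; the expected-service and portsentry cases are the false positives the thread ends on.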
     