[ale] Win2K box got hacked...
Benjamin Scherrey
scherrey at proteus-tech.com
Sat Feb 15 16:53:12 EST 2003
I recently switched my internet server over to RedHat 8 from an old version of RedHat. I
copied my iptables script (attached - and also sets up port forwarding) from the old server to the
new. Apparently I missed something or some options have changed because today I discovered a
lot of activity coming out of my print server running Win2000. Switched on the screen and there's a
program called "WarPing - Hemesscript Edition" doing a synflood on port 1839 at ip 66.187.232.56
(redhat.com). Not very subtle and I'm not sure the traffic was actually getting out because my
network server wasn't forwarding any of my traffic from other machines it seemed. Didn't take long
to notice a process running that I didn't recognize, nvnav32g.exe, which I found in the
Winnt/FONTS directory (a common place to hide stuff cause the WinExplorer treats it special and
doesn't show executables in there - cygwin does though). There's some other junk in there and I've
simply unplugged the network cable and left everything alone for now. I'd be curious to know if
anyone else on here has been hit with this one.
So... now I'd like to try to figure out how the intruder (clearly a script kiddie) got in and
managed to get his program running on that box. I had planned to blow that machine's hard drive
away and start over anyway so I will do that after I get the network locked up. The version of
iptables that came with RedHat 8 is 1.2.6a. Is my script missing something or wrong? I see some
unusual log traffic. On Feb 12 I got 3 invalid operand messages on processes gnome-terminal,
nautilus, and gnome-panel. I don't know if I had exited out of X myself or not - I sometimes run X on
that box. On that same day I got a "fatal: Timeout before authentication for 216.23.179.253." which
is an address that belongs to my dsl carrier, Speakeasy.net, and on Feb 4 I was "scanned from
61.218.0.70 with SSH-1.0-SSH_Version_Mapper. Don't panic." RedHat 8 comes with
OpenSSH_3.4p1 using SSH protocols 1.5/2.0, OpenSSL 0x0090602f. Are there known exploits for that one?
Anyway - appreciate any advice/clues you might have...
Ben Scherrey
rc.DHCP.firewall