[Dshield] Proof of hacker. What do I do?

Patrick Andry pandry at wolverinefreight.ca
Tue Sep 3 16:36:06 GMT 2002


Here's my best shot at this:

1) Use netstat -natu instead of netstat -a to view listening/connected ports
example of output
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:7741            0.0.0.0:*               LISTEN
tcp        0      0 192.0.0.108:4168        192.0.0.1:143           ESTABLISHED
tcp        0      0 192.0.0.108:139         192.0.0.5:1082          ESTABLISHED
tcp      780      0 192.0.0.108:4697        192.0.0.1:139           ESTABLISHED

adding p to the flags will list programs, v will be verbose. In this 
example, I am listening on ports 23, 25 and 7741 (on all interfaces), 
and I have connections to two samba shares, and my IMAP server.

2) To cut and paste, it is usually done by highlighting text with the 
mouse, then using the 3rd mouse button to paste the highlighted text. 
Sometimes this works; sometimes you need to ctrl-c and ctrl-v to paste. 
It really depends on the application.

3) Learn firewalling rules, and make sure your system is patched to the 
latest! Many linux installs will enable many services by default, and 
may not be up-to-date. The latest Apache and SSH vulns are deadly to a 
system on the net.

And my last point: get used to hearing RTFM, but don't let that deter 
you from asking questions.

>Hi All,
>
>I am under a Hacker Attack which has forced me to move from Adv Serv to
>Linux. (I just ask myself if that attack was a bad thing after all).
>
>Well I had my fair share of pain but I am getting there... could any of
>you explain to me how (please):
>
>1/ interpret netstat -a on LINUX 
>
>2/ copy and paste the terminal (Gnome terminal) in order to transfer
>the log onto an editor such as gedit or Vi please.
>
>3/ Any tips welcome.
>
>A great thanks to all of you for your knowledge, dedication and
>...humour.
>
>Dominique from Froggy land.
>
>
>
>dominiquefiori at numericable.fr
>
>
>(this mail is built under free license without the consent of the
>Redmond Factory)
>
>
>
>>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<
>
>On 8/27/02, 11:46:42 AM, "dominiquefiori"
><dominiquefiori at numericable.fr> wrote regarding RE: [Dshield] Proof of
>hacker. What do I do?:
>
>
>> What is this please ? a news list ? If yes, well we had the same
>> problem :
>
>
>> 0) When the attack occurs please stop your internet connection
>
>> 1) run an anti virus, anti trojan soft (use 2 at least, as anti virus
>> are not 100 % proof)
>
>> 2) Try to determine what port was open /established
>
>> 3) TCP view looks good but a good old netstat -a (-n to get just IP
>> addresses).
>
>> The philosophy is as follows : get rid of what has established the
>> connection,
>
>> ask yourself :
>> - file shares with too many authorisations on my system ?
>> - no antivirus ?
>> - passwords written somewhere
>> - internal mistake or vengeance ( review accounts)
>> - did I configure windows right, if I am using Linux am I starting
>> too many services.
>
>
>> You understood me I guess: analyse how and why the connection was
>> accepted.
>
>> On the other hand if it is on port 80 you might only be surfing.
>
>> Warmest regards
>
>> dominique "apologies for my poor english as I am French" Fiori
>
>> Tel 00 33 6 73 87 32 62
>
>> -----Original Message-----
>> From: list-admin at dshield.org [mailto:list-admin at dshield.org] On Behalf
>> Of Linda
>> Sent: Monday 26 August 2002 17:00
>> To: list at dshield.org
>> Subject: [Dshield] Proof of hacker. What do I do?
>
>
>> TCP d2f2t6:nbsession d2f2t6:0 LISTENING
>> TCP d2f2t6:2068 d2f2t6:0 LISTENING
>> TCP d2f2t6:2070 d2f2t6:0 LISTENING
>> TCP d2f2t6:2073 d2f2t6:0 LISTENING
>> TCP d2f2t6:2074 d2f2t6:0 LISTENING
>> TCP d2f2t6:2068 unknown.level3.net:80 ESTABLISHED
>> TCP d2f2t6:2070 unknown.level3.net:80 ESTABLISHED
>> TCP d2f2t6:2073 unknown.level3.net:80 ESTABLISHED
>> TCP d2f2t6:2074 unknown.level3.net:80 ESTABLISHED
>> UDP d2f2t6:nbname *:*
>> UDP d2f2t6:nbdatagram *:*
>> UDP d2f2t6:1978 *:*
>> What I did was install TCPVIEW. Then I went into netstat. What I
>> think is being stopped at my firewall is not being stopped. They are
>> into dos. Here is my event log that corresponds with this.
>> 2002/08/24 20:50:05 63.210.68.215:80 (unknown.Level3.net) 66.44.192.178:1074 Port 1074 (TCP)
>> 2002/08/24 20:35:48 63.210.68.215:80 (unknown.Level3.net) 66.44.192.178:1075 Port 1075 (TCP)
>
>> I didn't get it all copied over because there are 8 entries on the
>> firewall in a row.
>
>> There are also large files showing up that I don't know what they
>> are.
>
>> Help!
>
>> _______________________________________________
>> Dshield mailing list
>> Dshield at dshield.org
>> To change your subscription options (or unsubscribe), see:
>> http://www.dshield.org/mailman/listinfo/list
>
>
>
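As an added illustration of point 1 in Patrick's reply (example code written for this page, not from the original thread): a small Python parser that splits a `netstat -natu` listing into listening sockets and established connections, and flags any listener that is not on an allowlist of services the host is meant to expose. The sample rows are a constructed copy of the listing in the reply; the allowlist and the function names are assumptions.

```python
from collections import namedtuple

Socket = namedtuple("Socket", "proto local_ip local_port remote_ip remote_port state")

# Constructed sample: the sockets from the reply above, with the wrapped
# state column rejoined onto each line.
SAMPLE = """\
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:7741            0.0.0.0:*               LISTEN
tcp        0      0 192.0.0.108:4168        192.0.0.1:143           ESTABLISHED
tcp        0      0 192.0.0.108:139         192.0.0.5:1082          ESTABLISHED
tcp      780      0 192.0.0.108:4697        192.0.0.1:139           ESTABLISHED
"""

# Assumed allowlist of services this host is meant to expose (illustrative).
EXPECTED_LISTENERS = {("tcp", 23), ("tcp", 25)}

def parse_netstat(text):
    """Parse 'netstat -natu' rows into Socket records, skipping header lines."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        lip, lport = parts[3].rsplit(":", 1)
        rip, rport = parts[4].rsplit(":", 1)
        state = parts[5] if len(parts) > 5 else ""  # udp rows carry no state
        sockets.append(Socket(parts[0], lip, int(lport), rip, rport, state))
    return sockets

def listeners(sockets):
    """Sockets waiting for inbound connections: the remote side is the wildcard '*'."""
    return [s for s in sockets if s.remote_port == "*"]

def unexpected_listeners(sockets, expected=EXPECTED_LISTENERS):
    """Listening (proto, port) pairs not on the allowlist; look these up with
    'netstat -natup' to see which program owns them."""
    return [(s.proto, s.local_port) for s in listeners(sockets)
            if (s.proto.rstrip("6"), s.local_port) not in expected]

def established(sockets):
    """Active connections as (local_port, remote_ip, remote_port)."""
    return [(s.local_port, s.remote_ip, s.remote_port)
            for s in sockets if s.state == "ESTABLISHED"]
```

Run on the sample, `unexpected_listeners` returns only the tcp/7741 listener, which is exactly the socket a defender would want to match to a process with the `-p` flag.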



