From owner-freebsd-security Sun Dec 20 09:52:59 1998
Date: Sun, 20 Dec 1998 11:59:30 +0000 (GMT)
From: Alejandro Galindo Chairez AGALINDO
To: freebsd-security@FreeBSD.ORG
Subject: Re: udp security (fwd)

---------- Forwarded message ----------
Date: Sun, 20 Dec 1998 11:20:12 +0000 (GMT)
From: Alejandro Galindo Chairez AGALINDO
To: Karl Pielorz
Cc: questions@FreeBSD.ORG
Subject: Re: udp security

Thanks Karl, I was doing exactly what you suggested, but in my mind the big problem is that I don't know how they accessed the servers, and how they did it over UDP.
When I reinstalled the operating system I of course closed all the back doors they had installed, but this morning I have the following monitoring output:

----------------- cut here -----------------
From Address                   To Address                     Proto  Bytes     CPS
====================================================================================
pegasus.mobil.com..domain      www.computercenter.c..domain   udp    1250238   462
servidor.exsocom.com..domain   pegasus.mobil.com..domain      udp    1207960   368
pegasus2.mobil.com..domain     www.computercenter.c..domain   udp    1168200   765
servidor.exsocom.com..domain   pegasus2.mobil.com..domain     udp    1153864   331
www.computercenter.com.mx      pegasus.mobil.com              icmp   1052016   392
www.computercenter.com.mx      pegasus2.mobil.com             icmp    984648   672
servidor.exsocom.com..telnet   desarrollo00.exsocom.c..1043   tcp     565621   240
pegasus.mobil.com..domain      servidor.exsocom.com..domain   udp     437580   118
pegasus2.mobil.com..domain     servidor.exsocom.com..domain   udp     417978   132
------------------ cut here -------------------

If you look here, they are attacking from mobil.com servers (in this case); I have many references exactly like this, because they change the attack to come from different servers and dialup connections. Of course, here I suppose that since I closed the back doors they are sending a lot of packets to win access one more time, and the important thing here is to know how to block their attacks.

Regards
Alejandro

On Sun, 20 Dec 1998, Karl Pielorz wrote:

> Alejandro Galindo Chairez AGALINDO wrote:
>
> > I need help, I need to know how to protect my servers, but the most
> > important thing in my mind is to know how they are accessing the servers. I
> > bought the Firewalls book from O'Reilly & Associates and I was using the
> > firewall with ipfw, but this doesn't stop the hackers.
> >
> > thanks for your help
>
> This isn't really FreeBSD related... Do you know for 100% that you have
> removed the hackers, and all their equipment from your compromised system?
> It's not uncommon for hackers once they have a connection to leave numerous
> back doors in the system - so they can get in again...
>
> Even your firewall won't help with that... The only way you can be 100% sure
> you have got rid of them is probably to either reinstall the machine, or break
> out the backups from a time you are _certain_ you weren't hacked...
>
> Once you have the new machine up, follow all the security guidelines (i.e. use
> a firewall like you're doing, make sure the machine only runs the services you
> need - e.g. disable everything you don't need from inetd etc.)
>
> Only then will you stand a chance of keeping them out...
>
> As for attacks via UDP - this is certainly possible, though I've not seen any
> exploits for FreeBSD and UDP for as long as I can remember... :)
>
> -Kp

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
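Editor's added example, not code from either message in the thread: the two concrete steps Karl recommends for the rebuilt machine (a firewall ruleset and a pass over inetd.conf) written out as a POSIX shell script. Everything specific in it is an assumption made for the example: 192.0.2.10 stands for the rebuilt server, 192.0.2.53 and 198.51.100.53 for the nameservers it legitimately exchanges DNS with, 192.0.2.0/24 for the only network allowed to telnet in, and "telnet" as the sole inetd service to keep; the inetd.conf at the bottom is constructed, not taken from the compromised host. The ipfw syntax is the classic stateless form of the period (no keep-state), so UDP cannot be tracked per flow and has to be permitted peer by peer, which is why the ruleset confines UDP/53 to the named nameservers, the traffic class that dominates the monitoring table above, and drops and logs all other UDP.

```shell
#!/bin/sh
# Editor's added example, not code from the thread. Placeholder addresses are
# assumptions (RFC 5737 documentation ranges); replace them with your own.
SERVER="192.0.2.10"                   # assumed: the rebuilt server
PEER_NS="192.0.2.53 198.51.100.53"    # assumed: nameservers it legitimately talks DNS with
ADMIN_NET="192.0.2.0/24"              # assumed: the only network allowed to telnet in
KEEP="telnet"                         # assumed: the only inetd service still needed

# Print (not load) a default-deny ipfw ruleset in the classic, stateless syntax:
# TCP is handled with setup/established, UDP 53 is opened only for the named
# peer nameservers, everything else is denied and logged. Review the output,
# then load it with:  sh this-file | sh
ipfw_rules() {
    echo "ipfw -f flush"
    echo "ipfw add 100 allow ip from any to any via lo0"
    echo "ipfw add 200 allow tcp from any to any established"
    echo "ipfw add 300 allow tcp from $ADMIN_NET to $SERVER 23 setup"
    echo "ipfw add 400 allow tcp from $SERVER to any setup"
    for ns in $PEER_NS; do
        echo "ipfw add 500 allow udp from $ns 53 to $SERVER 53"
        echo "ipfw add 500 allow udp from $SERVER 53 to $ns 53"
    done
    # The local resolver's own queries leave from a high port and answers come
    # back only to that range, so a forged source port of 53 reaches nothing
    # below 1024.
    echo "ipfw add 600 allow udp from $SERVER 1024-65535 to any 53"
    echo "ipfw add 600 allow udp from any 53 to $SERVER 1024-65535"
    echo "ipfw add 65000 deny log ip from any to any"
}

# Read an inetd.conf on stdin and write it back with every active service that
# is not in $KEEP commented out. Comments and blank lines pass through as-is.
harden_inetd() {
    while IFS= read -r line; do
        case "$line" in
            ''|\#*) echo "$line"; continue ;;
        esac
        set -- $line                  # split fields; $1 is the service name
        svc=$1
        keep=0
        for k in $KEEP; do
            if [ "$svc" = "$k" ]; then
                keep=1
            fi
        done
        if [ "$keep" -eq 1 ]; then
            echo "$line"
        else
            echo "#$line"
        fi
    done
}

# Constructed sample inetd.conf (not taken from the compromised host).
SAMPLE_INETD='# constructed sample inetd.conf
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
finger  stream  tcp     nowait  nobody  /usr/libexec/fingerd    fingerd -s
#shell  stream  tcp     nowait  root    /usr/libexec/rshd       rshd
tftp    dgram   udp     wait    nobody  /usr/libexec/tftpd      tftpd /tftpboot'

# Number of services inetd would still start from the hardened sample.
enabled_services() {
    printf '%s\n' "$SAMPLE_INETD" | harden_inetd | grep -c '^[^#]'
}

ipfw_rules
echo
printf '%s\n' "$SAMPLE_INETD" | harden_inetd
```

Run the script as-is and it only prints: the proposed ruleset first, then the sample inetd.conf with ftp, finger and tftp commented out and telnet left active. The deny rule logs, so after loading it the kernel log shows which hosts keep sending UDP at the box and to which ports, which is the "how are they doing it" information Alejandro is missing; the rules themselves do nothing about back doors already on the machine, which is Karl's point about rebuilding first.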