Date:      Tue, 20 Feb 2001 16:12:56 +0100
From:      Boris <koester@x-itec.de>
To:        "Andy Kim" <andy@internetesl.com>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: ICMP floods
Message-ID:  <1369319020.20010220161256@x-itec.de>
In-Reply-To: <007901c09ab9$77d5c720$7300a8c0@DOMAIN>
References:  <007901c09ab9$77d5c720$7300a8c0@DOMAIN>

Hello Andy,

Monday, February 19, 2001, 10:18:12 PM, you wrote:

AK> Some of the servers have been getting hit several times with ICMP floods from our FreeBSD server and we can't figure out why.  They believe that someone had hacked in and put a trojan on our box.
AK>  Is there any way of finding out what's going on and more importantly, how to fix the problem?  Any help would be greatly appreciated
AK> as I am rather new to FreeBSD.

AK> Andy Kim

There are some tools out there like "stacheldraht" and others. Someone
can place an agent on your server (if hacked) and he can remotely
enable or disable this service to attack specific targets with
several hacked machines at one time to bring other servers down.

This game is played a lot with older Solaris servers as far as I know, hehe.

Such a client needs several commands telling it what to do and when to
do it, based on a date, time and so on. The command exchange is usually
encrypted with RSA, but the ports for communication are not usual
ports and they can be detected.

To find a possible problem, we look at netstat to see the current
connections (simply enter "netstat").

Here is an example netstat:
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      4  bastion.telnet         192.168.0.1.1073       ESTABLISHED

Someone from 192.. is connecting to the BSD box on the telnet service,
for example. It could be a break-in or not; this you may decide
yourself depending on your configuration.

To see the data on the wire, use this for example:
"tcpdump -i isp0 -x -X -s 14400"

isp0 is your internet device; maybe on your server it is ed0, ed1 or
similar.

If you want to break the internet connection with someone depending on
specific events like special words, try out the package "sudo". It is not
easy to install because it needs an additional library for special
things, but it can protect you, too.

Usual services are FTP, telnet, www, email services and so on. If you
see a service that sounds unusual, post it here.

It is not always certain that your attacker enables your ICMP flood while
you are checking the network status, so check the daily time when the
attack is done to see if there is an automation somewhere or a
specific time window.

The next point is to limit the ICMP sending and to block it
completely if necessary, with the ipfw command for example, and you need to
limit the ICMP response (info on how to do it was seen on the list even
today).

I personally blocked all ICMP ports between 130-140 (they are scanned
a lot in general) as well as some other ports completely.

While analyzing your server, block all unnecessary requests with
ipfw. If you need only www and sendmail, block everything else (for
example). You need "ipfw" commands for this.

While the ICMP floods are going on, check the process list with
"ps ax|more" for example. Some services are usual, some are not
usual.

Here is an example for a "normal" output, nothing looks critical here.

    0  ??  DLs    0:00.01  (swapper)
    1  ??  ILs    0:00.05 /sbin/init --
    2  ??  DL     0:00.01  (pagedaemon)
    3  ??  DL     0:00.00  (vmdaemon)
    4  ??  DL     0:00.05  (bufdaemon)
    5  ??  DL     0:00.17  (syncer)
  114  ??  Ss     0:00.23 syslogd -s
  117  ??  Is     0:00.00 /usr/sbin/portmap
  137  ??  Is     0:00.04 inetd -wW
  139  ??  Ss     0:00.05 cron
  142  ??  Is     0:00.08 sendmail: accepting connections (sendmail)
  146  ??  Is     0:01.13 /usr/sbin/sshd
  148  ??  Ss     0:00.02 /usr/sbin/usbd
  165  ??  Is     0:00.00 moused -p /dev/psm0 -t auto
  355  ??  Ss     0:00.35 telnetd
  356  p0  Is     0:00.06 -bash (bash)
  358  p0  D      0:00.12 _su (csh)
 1189  p0  R+     0:00.00 ps ax
 1190  p0  RV     0:00.00 _su (csh)
  272  v0  Is+    0:00.09 -csh (csh)
  273  v1  Is+    0:00.01 /usr/libexec/getty Pc ttyv1
  274  v2  Is+    0:00.01 /usr/libexec/getty Pc ttyv2
  275  v3  Is+    0:00.02 /usr/libexec/getty Pc ttyv3
  276  v4  Is+    0:00.01 /usr/libexec/getty Pc ttyv4
  277  v5  Is+    0:00.01 /usr/libexec/getty Pc ttyv5
  278  v6  Is+    0:00.01 /usr/libexec/getty Pc ttyv6
  279  v7  Is+    0:00.01 /usr/libexec/getty Pc ttyv7

  251 con- I+     0:00.00 /bin/sh /usr/local/pgsql/bin/pg_ctl -w start
  253 con- I+     0:00.05 /usr/local/pgsql/bin/postmaster -i -o -F (postgres)

The last two processes seem to be started not within a usual path,
but pgsql means "postgresql" and everything is OK at this point.

The magic in finding something unusual is to "feel" if
something is going wrong. It's not easy to explain.

You need time to see what is going on.

Sending ICMP floods takes some processor time, so enter "top" to see
which process is working at the moment; maybe you can find the bad one.

Check all user accounts and disable accounts you do not really need. Your
attacker (if there is an attacker) may have his own backdoor account (it's
possible). But he does not really need (if it is an intelligent trojan) a
user account to log in; this is done by the trojan. Disable accounts only
if you are really sure what they do or do not do.

Normally, you can be happy that there are only ICMP floods on
your machine. You should be happy that your server is still up and
working.

While examining your system, make a plan to (eventually) reinstall
your server completely. First planning, then doing - if you forgot
to back something up then you will start screaming a lot. If you
restore something wrong (the trojan) then you can start screaming
again.

But an administrator is no musician as far as I know, hahah.

--
Boris [MCSE, CNA]
...................................................................
 X-ITEC : Consulting * Programming * Net-Security * Crypto-Research
........: [PRIVATE ADDRESS:] 
        : Boris Köster eMail koester@x-itec.de http://www.x-itec.de 
        : Grüne 33-57368 Lennestadt Germany Tel: +49 (0)2721 989400
        : 101  PERFECTION - SECURITY - STABILITY - FUNCTIONALITY 
........:..........................................................

Everything I am writing is (c) by Boris Köster and may not be 
rewritten or distributed in any way without my permission.              
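The mail's triage steps (look at "netstat" and "ps ax", compare against what the box is supposed to run) can be turned into two small filters. The script below is an added example for this thread, not Boris's own commands; it assumes a policy where the host should only serve http, smtp and ssh (EXPECTED_SERVICES) and that anything under the base-system directories /bin, /sbin, /usr/bin, /usr/sbin and /usr/libexec is an "usual path". The sample netstat and ps lines are constructed for the demonstration (the telnet and postmaster lines mirror the mail; the others are made up).

```shell
#!/bin/sh
# Added example for this thread; not Boris's own commands. Two small triage
# filters over "netstat" and "ps ax" output of the form shown in the mail.
# Assumed policy (adjust for your box): the host is only meant to serve
# http, smtp and ssh. Everything else is printed for review, not judged.

EXPECTED_SERVICES="http smtp ssh"

# Print netstat lines whose local service name is not in EXPECTED_SERVICES.
# Reads netstat output with service names (i.e. without -n) on stdin.
unexpected_connections() {
    awk -v allow="$EXPECTED_SERVICES" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^(tcp|udp)/ {
            svc = $4
            sub(/.*\./, "", svc)          # "bastion.telnet" -> "telnet"
            if (!(svc in ok)) print
        }'
}

# Print "ps ax" lines whose command is an absolute path outside the base
# system directories: the "not within a usual path" case from the mail.
unusual_paths() {
    awk '
        $1 == "PID" { next }                 # header line, if present
        $5 ~ /^\// && $5 !~ /^\/(bin|sbin|usr\/bin|usr\/sbin|usr\/libexec)\// { print }'
}

# Constructed sample data (the telnet and postmaster lines mirror the mail;
# the 6789, sunrpc and /var/tmp lines are made up for the demonstration).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      4  bastion.telnet         192.168.0.1.1073       ESTABLISHED
tcp4       0      0  bastion.http           10.0.0.7.40112         ESTABLISHED
tcp4       0      0  bastion.smtp           10.0.0.9.52310         TIME_WAIT
tcp4       0      0  bastion.ssh            10.0.0.5.60001         ESTABLISHED
tcp4       0      0  bastion.6789           172.16.4.2.1025        ESTABLISHED
udp4       0      0  *.sunrpc               *.*'

SAMPLE_PS='  PID  TT  STAT      TIME COMMAND
    0  ??  DLs    0:00.01  (swapper)
    1  ??  ILs    0:00.05 /sbin/init --
  114  ??  Ss     0:00.23 syslogd -s
  117  ??  Is     0:00.00 /usr/sbin/portmap
  142  ??  Is     0:00.08 sendmail: accepting connections (sendmail)
  273  v1  Is+    0:00.01 /usr/libexec/getty Pc ttyv1
  251 con- I+     0:00.00 /bin/sh /usr/local/pgsql/bin/pg_ctl -w start
  253 con- I+     0:00.05 /usr/local/pgsql/bin/postmaster -i -o -F (postgres)
  401  ??  Ss     0:00.02 /var/tmp/.cache/updater -d'

echo "== connections to services outside the expected set =="
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_connections
echo "== processes running from outside the base system =="
printf '%s\n' "$SAMPLE_PS" | unusual_paths
```

On a real box you would pipe the live commands in instead of the samples ("netstat -f inet | unexpected_connections", "ps ax | unusual_paths") and run them a few times across the time window in which the floods occur, as the mail suggests. Both filters only list candidates for review: the postmaster line is flagged exactly as Boris flags it by eye, and he then decides it is fine. For the "limit the ICMP response" point, FreeBSD's net.inet.icmp.icmplim sysctl caps the rate of ICMP error replies, independent of any ipfw rules.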