HomeCalendarCertificationsColumnsFeaturesForumResourcesVitals
 
Image
 
Latest Additions
 
EH-Net Login
Welcome Guest.
Lost Password?
No account yet? Register
Who's Online
We have 28 guests and 1 member online
EH-Net Donations

Enter Amount:
$
Google Ads
EH-Net News Feeds
Latest Additions
Book Recommendations



 
Advertisement

You are here: Home arrow Forum arrow Ethical Hacking Discussions and Related Certificationsarrow Incident Responsearrow Firewall acting strange, got cracked?
Ethical Hacker Community Forums
December 02, 2008, 05:45:20 PM *
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
News: ChicagoCon 2-Day Ethical Hacking Conference with MS Blue Hats Oct 31 - Nov 1. Tickets Only $100! www.chicagocon.com/content/view/103/51/
 
   Home   Help Calendar Login Register  
Pages: [1]   Go Down
« previous next »
  Print  
Author Topic: Firewall acting strange, got cracked?  (Read 2549 times)
0 Members and 1 Guest are viewing this topic.
steeles
Newbie
*
Offline Offline

Posts: 1


View Profile
« on: April 05, 2007, 10:06:33 PM »
Hi,

I have a suse linux 10.2 as firewall, recently I thought it is acting strange.

1. some of routing got changed, output of "netstat -rn" doesn't match "yast2 lan" routing setup. "yast2 lan" setup is correct.

2. from "dmesg", it seems some correct package has been dropped,

[img=http://img329.imageshack.us/img329/5853/untitledfk2.th.png]


Did I get cracked? I thought it is SuSE Linux 10.2 issue, maybe I am wrong.
How do I verify it?
How can I fix?

Thanks for the help
Logged
dean
Full Member
***
Offline Offline

Posts: 130


View Profile
« Reply #1 on: April 06, 2007, 01:19:32 PM »
The first record looks like traffic on udp/1026 which is used for windows messaging service. Win-rpc is used for windows messenger popup spam.  My firewalls sees thousands of these records too.

As this is UDP it is HIGHLY likely that the source address is forged.

Interestingly a whois on 22.20.228.228 reveals:

OrgName:    DoD Network Information Center
OrgID:      DNIC
Address:    3990 E. Broad Street
City:       Columbus
StateProv:  OH
PostalCode: 43218
Country:    US

NetRange:   22.0.0.0 - 22.255.255.255
CIDR:       22.0.0.0/8
NetName:    DISNET
NetHandle:  NET-22-0-0-0-1
Parent:     
NetType:    Direct Allocation
Comment:    Defense Information Systems Agency
Comment:    7990 Science Applications Court
Comment:    Vienna, VA 22183-7000 US
RegDate:    1989-06-26
Updated:    2001-10-11

RTechHandle: MIL-HSTMST-ARIN
RTechName:   Network DoD
RTechPhone:  +1-800-365-3642
RTechEmail:  **********@nic.mil

OrgTechHandle: MIL-HSTMST-ARIN
OrgTechName:   Network DoD
OrgTechPhone:  +1-800-365-3642
OrgTechEmail:  **********@nic.mil


All destination addresses are based in China, as well as the originating addresses, excluding the DoD address.

The remaining records have a destination of tcp/80.  They are all ACK or FIN/ACKs and are invalid packets.

One reason for a bad/invalid packet is that it is malformed in some way. this could be due to the packet being corrupted in transit. It could also be that the traffic is from out of sequence packets being dropped.

This traffic could be the result of a scan/attack that is attempting to inject a packet by attempting to guess the ISN. This will allow the attacker to take control of the packet stream by completing the 3-way handshake. This could result in compromise. This scenario seems somewhat unlikely though.

This type of attack is common from the location of these IPs BTW.

What services are you running that are open on the firewall?

What exactly has changed in your routing table?

If you think that you have been compromised you might want to look for signs of a rootkit or backdoor.

-dean-
Logged
<script>alert('%52%54%46%4D')</script>
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.7 | SMF © 2006-2008, Simple Machines LLC
Joomla Bridge by JoomlaHacks.com 		Valid XHTML 1.0! Valid CSS!
Page created in 0.072 seconds with 22 queries.
 
Sponsors

cwnp_moto__120x90.gif

Polls
During the most recent election, I:
 
Support EH-Net

Support EH-Net by
Buying all of your
Amazon items using
the search bar above.
cbtnuggets_logo_125.jpg
Try CBT Nuggets Free!
Recent Forum Topics
Vote For EH-Net

progenic.com
Click here to Vote!

Sadikhov.com
Top IT Cert Sites

binarica.com
Binarica Logo

Add to Technorati Favorites
technorati fave

 
         
Advertisement

© 2008 The Ethical Hacker Network
Joomla! is Free Software released under the GNU/GPL License.