You are not logged in.

#1 2005-10-27 20:21:24

tdphys
Member
From: Lower Mainland
Registered: 2005-06-14
Posts: 42

cracked?

So I'm behind a linksys router,and only forwarding ssh to my desktop,  today I logged in remotely and ran netstat -t and found connections to:

tcp        0      1 192.168.15.100:35586    ns.ecole.ensicaen.:6667 SYN_SENT   
tcp        0      0 192.168.15.100:33185    ede.nl.eu.undernet:6668 ESTABLISHED
tcp        0      1 192.168.15.100:35585    Amsterdam2.NL.EU.u:6661 SYN_SENT   
tcp        0      1 192.168.15.100:35578    ircu.bredband.com:6667  SYN_SENT   
tcp        0      1 192.168.15.100:35577    ircu.bredband.com:6666  SYN_SENT   
tcp        0      0 192.168.15.100:33185    ede.nl.eu.undernet:6668 ESTABLISHED

Now I'm a little perplexed here, I'm pretty sure that these are irc connections, which really shouldn't exist, seeing as I never use it.

I've shut down (supposedly) the network...
I would assume I've been cracked, except, doesn't the savvy cracker genereally replace netstat with something not showing him?  Am I missing something here?
Any ideas on how to know if ones been cracked or not?

Thanks

Offline

#2 2005-10-27 20:33:25

lucke
Member
From: Poland
Registered: 2004-11-30
Posts: 4,018

Re: cracked?

You could give chkrootkit a whirl.

Well, sometimes things aren't what they appear to be. I remember when I wondered what the heck is that connection to quite fishy hawaiian host which appeared in netstat. After quite a while of investigating, it turned out that the culprit was ... liquid weather ;-)

Offline

#3 2005-10-28 09:06:51

lanrat
Member
From: Poland
Registered: 2003-10-28
Posts: 1,274

Re: cracked?

Use tcpdump or ethereal or ettercap or some other packet sniffer to find out what kind of transmission is this.

This might be some kind of trojan or spyware:
http://securityresponse.symantec.com/av … rojan.html

Are there any desktop machines with windows behind your router ? (local network).

If you have any windows machines I bet it's the source of these connections :-)

Identify the source and we can try to help you find the tools to get rid of them.

Offline

#4 2005-10-28 11:23:55

Kern
Member
From: UK
Registered: 2005-02-09
Posts: 460

Re: cracked?

agreeing with lanrat re windows etc, run an AV package, someones using your IP / router to spam irc nets. i recognise some of the irc server addresses.

Other thing to check is you login:pass on the router. some routers have a default "admin" as the login which cant be changed. This reduces security dramatically, and therefore the pass needs to be so much more secure.

Its not long before someone will scan and find the pass especially if its "insecure" ie a common word, dictionary or less than 8 chars, and your router uses a popup type of login.

Try going to grc.com and use the Shields Up utility to scan your ports and also check out the "leak test" see if your system protection lets installed packages connect out without checkking them.

failing that, prv msg me if you want your static IP/router scanned and checked or reverse check from irc nets to see if your passively spamming ppl.

Offline

#5 2005-10-29 16:39:48

tdphys
Member
From: Lower Mainland
Registered: 2005-06-14
Posts: 42

Re: cracked?

Hey thanks for the replies. 
I had assumed that the router was only accessible from inside the lan.  Therefore , that could indeed be the problem, seeing as I haven't changed the factory password (ouch!)

I only have my Arch box behind the router, and chkrootkit works out okay.. But I'm pretty sure that those connections weren't originating from anything valid.

If the router was cracked from the outside, than I had X and Cups listening on the lan (thats what netstat says).  If not, than only ssh was being forwarded to my computer, which could have been cracked just by password attempts on some stupidly easy passwords, which i've now disabled, and reset the router to it's factory defaults.  I'm not seeing the irc connections with netstat anymore,  but I'm still left wondering if they had full access to the system, or just a user.

Why spam irc nets? (I'm not a big frequenter of IRC)

Offline

#6 2005-10-29 18:29:42

Kern
Member
From: UK
Registered: 2005-02-09
Posts: 460

Re: cracked?

reset the router to it's factory defaults

and changed the password to something other than the default?

Why spam irc nets?

for profit:

If this is done from a single IP address the channel robots will set a ban on the IP so they cant enter chan. Botnets run zombied PC's to form a kind of proxy, and when done on the scale of hundreds or thousands, makes it unfeasable to ban each address. chanops have to resort to clever scripting or domain bans.

when ppl join a channel they get an onjoin msg, from the zombie, asking them to click the following link for free access to warez/serialz/pr0n/ etc which usually gets cents for clicks for the perpetrator.

Also they can send you to a crafted webpage that will make use of your browsers strengths/weaknesses. IExplorer is particularly prone to this as its quite well integrated into the Windows environment and allows control of other things.

also, malicious IRC users can use hundreds of connections, like yours, to flood other users off the network and genrally be a complete nuisance.

etc blah blah. the list goes on.

Good thing you found it. not many monitor their own system.
Log into your router via the web interface, it should keep logs of connections.

Offline

#7 2005-10-31 18:55:31

TheDoctor
Member
From: Ontario, Canada
Registered: 2005-06-28
Posts: 63
Website

Re: cracked?

tdphys wrote:

Hey thanks for the replies. 
I had assumed that the router was only accessible from inside the lan.  Therefore , that could indeed be the problem, seeing as I haven't changed the factory password (ouch!)

I only have my Arch box behind the router, and chkrootkit works out okay.. But I'm pretty sure that those connections weren't originating from anything valid.

If the router was cracked from the outside, than I had X and Cups listening on the lan (thats what netstat says).  If not, than only ssh was being forwarded to my computer, which could have been cracked just by password attempts on some stupidly easy passwords, which i've now disabled, and reset the router to it's factory defaults.  I'm not seeing the irc connections with netstat anymore,  but I'm still left wondering if they had full access to the system, or just a user.

Another neat thing that I learned early on is that if you don't turn off your DMZ host, you're likely going to get taken over right quickly.  A lot of routers will set the first DHCP lease as a DMZ host, so any traffic sent to the router gets passed to that box.  Not a nice set-up.  Most routers turn off DMZ host by default, but not all of them.

Offline

#8 2005-10-31 19:25:54

vacant
Member
From: downstairs
Registered: 2004-11-05
Posts: 801

Re: cracked?

TheDoctor wrote:

Another neat thing that I learned early on is that if you don't turn off your DMZ host, you're likely going to get taken over right quickly.

If you turn off DMZ host, shouldn't  the router then know is should reply with a "port closed" (RST) if it is RFC-compliant? I set DMZ host to an non-existent private IP so there is never a response, on the basis that giving no information is better than acknowleding that something is there. Just a thought.

Offline

Board footer

Powered by FluxBB