# Linux-Windows security question - I've been compromised

## GivePeaceAChance

Hi,

Recently, my ISP has been sending me messages like:

 *Quote:*   

> Sat Jun 02 01:55:29 2007  Blocked access attempt from [censored IP in case it matters]:23270 to UDP port 7002

 

 *Quote:*   

> The alleged incident originated from the IP address of [censored IP in case it matters] which, at the time of the incident, was assigned to a device with the unique physical address of ... This address identifies the network adapter or router connected to your ADSL modem.

 

Now since the first report (there have been many) I've added WEP encryption, used Norton Internet Security to block port 7002, gone into the settings of the router and blocked access via the router (I am going to call a local computer store to confirm that I did it properly), and made the SSID only available to those who manually type it in (in this case, I set up the networking for my family).  Presumably, I've got a PC hooked directly to the modem and wireless router, and a wireless PC in the house as well, and then there's my laptop.

My laptop is a different story.  I've got Ubuntu, Gentoo (now) and Windows on it.  I've installed virus-scan software and scanned it in Windows since the incidents have occurred, but nothing is popping up (viruses, spyware).  Ubuntu, on the other hand, has no virus software, and at the moment, neither does Gentoo (which JUST got connected to the internet, so it wouldn't be why this port stuff is happening).

As well, while the main PC connected to the modem was in the shop getting checked out, we got more reports, so I'm guessing it's not going through the wired PC, but through one of the wireless ones.  The problem is that the IP address is seemingly linked to the PC, not my laptop (but perhaps the IP is just for the router itself, so the actual box has nothing to do with it?)

What I'm wondering, is if Ubuntu is compromised (BTW, does anyone have suggestion for free software for Linux I can run on Ubuntu to check?) does it compromise the entire network, Windows and Linux alike?

I've tried everything, and my parents suspect it's my laptop, and I'm thinking the only remedy is to do a fresh install, but I REALLY, really don't want to do that if possible, so I want to rule out my laptop as being the problem.

----------

## Suicidal

That looks like your firewall software is doing its job; as you can see from the log, it blocked access from an external IP address, so the external computer was denied from connecting. If these types of messages bother you, you should probably get a hardware firewall so that it stops there and not at your computer.

You can install app-forensics/chkrootkit if you are really worried.

----------

## PaulBredbury

Use WPA, not WEP. WEP can be hacked.

What exactly does your ISP have a problem with? Is port 7002 supposed to be evil? Are you confusing "ISP" with the router's firewall?

----------

## GivePeaceAChance

Well no, I'm getting e-mails from my provider saying that my computer "has been utilized to port scan, flood or attempt to gain unauthorized access to another computer."

A rep said it was coming FROM my computer. Except I've got three computers on the network, it's a wireless router, so I'm not entirely sure who could potentially gain access to it (even though I've WEP encrypted it).

I thought WPA was less secure than WEP...?

This app-forensics/chkrootkit is just for Linux, I'm assuming? Is it a program to see if anything is going on in Linux?  If I install it on Ubuntu, need I install it on Gentoo, since these incidents have nothing to do with Gentoo (whereas Ubuntu was net-accessible when these events occurred)?

Again, I am wondering, if Linux is compromised, does it compromise the entire network, including Windows-based systems (or even the Windows partition on the computer running Linux)?

EDIT: OK, appears I have a misconception concerning WEP vs WPA.  I've changed the main PC's router security to reflect that, however Windows manual wireless setup only has two options for encryption. WEP and Disabled.... So what am I supposed to do about Windows internet access? (which all the computers run on except my laptop which is dual-boot)

----------

## Hu

Put Windows on wired only?  :Razz:   Better yet, lock all the Windows machines behind a strict outgoing packet filter, so that any infection on them is confined to the local network.  From your description of the network, I suspect your wireless router has the "public" IP that your ISP is seeing, so they cannot tell you which computer is doing it.  On principle, I would blame the Windows machines.  Linux machines can be compromised, but I have never heard of a Linux desktop (as opposed to a publicly accessible Linux server) being compromised.

Is your router running a decently advanced operating system, so that you can sniff traffic from it?  If so, you could sniff traffic on unusual ports (loosely, anything you expect not to be using) to try to find which internal system is sending the traffic.  What model router are you using?

----------

## GivePeaceAChance

I have never done any packet sniffing, but perhaps this is what I should be doing. Less and less am I seeing any appeal to Windows machines, that's for sure.  Do you know of any free, windows-compatible sniffers?

----------

## lghman

 *GivePeaceAChance wrote:*   

> I have never done any packet sniffing, but perhaps this is what I should be doing. Less and less am I seeing any appeal to Windows machines, that's for sure.  Do you know of any free, windows-compatible sniffers?

 

Wireshark works on both *NIX and Windoze machines.  Great program!

----------

## Hu

For Gentoo machines, emerge net-analyzer/wireshark.  For Windows, grab the Windows installer from http://www.wireshark.org/.

----------

## GivePeaceAChance

With respect to the port sniffing, should I set up the sniffer on the Windows computer connected DIRECTLY to the wireless router? Or does it matter what computer the sniffer is on as long as it's on the network?

EDIT: I've installed it on the main machine, but I'm wondering, how do I track JUST port 7002 (and 60001 while I'm at it)?

EDIT: I made a capture filter with a filter string "port 7002". Is this right?

----------

## godish

Select Capture, then options... (or Control + K)

Under capture filter, type in...

port 7002 and port 60001

To see all the available options, click the button that says Capture Filter.

----------

## GivePeaceAChance

Thanks.  :Smile: 

----------

## Suicidal

 *GivePeaceAChance wrote:*   

> A rep said it was coming FROM my computer. Except I've got three computers on the network, it's a wireless router, so I'm not entirely sure who could potentially gain access to it (even though I've WEP encrypted it).

 

That is probably the issue: if you have three computers which are hidden behind one public IP address it can be seen as a portscan by most IDSs. 

I used to get this a lot on snort when I had a site that was proxied through a squid server; all requests from the clients at that site had the source IP address of the squid server. Your router is basically acting as a proxy, combining all of your private addresses into one public IP address.

----------

## GivePeaceAChance

Hm... I dunno about that one. Port 7002 is for "users and groups" apparently, so that sounds like a network, but these blocked attempt notices I've received from my ISP state specific times, about 35 attempts within a ten minute timeframe.  I've been running linux all night on my laptop and using the sniffer, and nothing's popped up, so I'll give it another few days (the last couple attacks were in a space of about 3 days) and if nothing shows up, I'll boot into windows on this machine and leave it there for a few days to see if windows on my laptop is the culprit.  I suspect that there won't be any attacks while I'm in linux, but the minute my Windows partition logs in, give it a few days and something will be bound to happen.

----------
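Hu's suggestion above (look at the router to find which internal machine is sending) and the pattern in the ISP notices (about 35 attempts to one port in ten minutes) can be checked from the router's own firewall log when the router runs Linux, without needing a sniffer on every LAN host. The script below is an added example written for this page, not code posted in the thread. It assumes an OpenWrt-style router with an iptables LOG rule on the FORWARD chain, a WAN interface named `eth0.2` and a `FWD:` log prefix; every log line in it is constructed for the demo, not a real capture. (If you do use Wireshark on a LAN host instead, note that a capture filter of `udp port 7002 or udp port 60001` shows packets to either port, whereas `and` would only match a packet that involves both ports at once.)

```python
# Added example for this page (not code from the thread): find which LAN host is
# behind the traffic the ISP complains about, using the router's firewall log.
# Assumptions: a Linux-based router (OpenWrt or similar) with an iptables LOG rule
# on FORWARD, a WAN interface named eth0.2, and a "FWD:" log prefix. All log
# lines below are constructed for the demo, not a real capture.
import re
from collections import defaultdict
from datetime import datetime, timedelta

WAN_IF = "eth0.2"            # assumed WAN interface name
WINDOW = timedelta(minutes=10)
THRESHOLD = 20               # hits to one port inside WINDOW that we call a flood

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"IN=(?P<in>\S*) OUT=(?P<out>\S*) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?"
    r"PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

def parse_line(line, year=2007):
    """One iptables LOG line -> dict, or None if it is not a LOG line.
    Syslog stamps carry no year, so the caller supplies it."""
    m = LOG_RE.search(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())          # "Jun  2 ..." -> "Jun 2 ..."
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "in": m["in"], "out": m["out"], "src": m["src"],
            "dst": m["dst"], "proto": m["proto"],
            "spt": int(m["spt"]), "dpt": int(m["dpt"])}

def outbound_by_host(lines):
    """Internal SRC -> [(ts, proto, dst, dpt)] for packets that left through the WAN.
    Only LAN->WAN packets matter here: that is the traffic the ISP sees under
    the router's single public IP."""
    out = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["out"] == WAN_IF:
            out[ev["src"]].append((ev["ts"], ev["proto"], ev["dst"], ev["dpt"]))
    return out

def bursts(events, window=WINDOW, threshold=THRESHOLD):
    """(proto, dpt, count, first, last) for each destination port that gets at
    least `threshold` hits inside some sliding `window`."""
    per_port = defaultdict(list)
    for ts, proto, _dst, dpt in events:
        per_port[(proto, dpt)].append(ts)
    found = []
    for (proto, dpt), stamps in per_port.items():
        stamps.sort()
        lo, best = 0, (0, None, None)
        for hi, t in enumerate(stamps):
            while t - stamps[lo] > window:
                lo += 1
            if hi - lo + 1 > best[0]:
                best = (hi - lo + 1, stamps[lo], t)
        if best[0] >= threshold:
            found.append((proto, dpt, best[0], best[1], best[2]))
    return found

def suspects(lines):
    """Hosts whose outbound traffic looks like a flood, with the ports involved."""
    result = {}
    for src, evs in outbound_by_host(lines).items():
        b = bursts(evs)
        if b:
            result[src] = b
    return result

# ---- constructed sample log (not a real capture) ------------------------------
def _fwd(t, src, dst, proto, spt, dpt, out=WAN_IF, inp="br-lan"):
    stamp = f"{t:%b} {t.day:2d} {t:%H:%M:%S}"          # syslog-style "Jun  2 01:50:00"
    return (f"{stamp} router kernel: [ 1234.567890] FWD: IN={inp} OUT={out} "
            f"SRC={src} DST={dst} LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF "
            f"PROTO={proto} SPT={spt} DPT={dpt} LEN=40")

_t0 = datetime(2007, 6, 2, 1, 50, 0)
SAMPLE_LOG = [
    # one LAN host hammering UDP 7002 on an outside address, 35 times in ~9 minutes
    _fwd(_t0 + timedelta(seconds=15 * i), "192.168.1.5", "203.0.113.9", "UDP", 23270, 7002)
    for i in range(35)
] + [
    # a second host doing ordinary DNS and web traffic
    _fwd(_t0, "192.168.1.7", "198.51.100.53", "UDP", 33001, 53),
    _fwd(_t0 + timedelta(seconds=1), "192.168.1.7", "198.51.100.20", "TCP", 45120, 80),
    # an inbound packet forwarded the other way; not what the ISP is seeing
    _fwd(_t0, "203.0.113.9", "192.168.1.5", "UDP", 7002, 23270, out="br-lan", inp=WAN_IF),
    "Jun  2 01:55:00 router kernel: unrelated message",
]

if __name__ == "__main__":
    for host, found in suspects(SAMPLE_LOG).items():
        for proto, dpt, n, first, last in found:
            print(f"{host}: {n} {proto} packets to port {dpt} "
                  f"between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

Run against the real log (`logread` on OpenWrt, or whatever syslog the router writes to), adjust `WAN_IF` and the `FWD:` prefix to match the LOG rule, and the output names the private address behind the burst; from there the DHCP lease table maps it to a MAC and a machine. The threshold and window are tunable; the 35-in-ten-minutes figure from the ISP notices is what this sample reproduces.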

## madisonicus

At this point, setting up security while necessary is a bit late.  Using an unprotected wireless network is among the worst personal security risks possible since all traffic on a wireless network is broadcast as far as the signal reaches and requires no skill to collect.  (For a good scare, try flipping on wireshark in an internet cafe once.)  It is trivial to sniff a wifi network to recover bank passwords, email logins, etc sent over the wireless connection.

Just as trivial is a man-in-the-middle attack via ARP spoofing that could then compromise all data transferred over the wired LAN as well.  Any unencrypted traffic that you sent over that network is therefore potentially compromised.  Unless you have specified a trusted DNS server (check into OpenDNS), it's also fairly simple to poison a compromised network's DNS, redirecting otherwise secure SSL connections to phishing sites.

Therefore, given that you have evidence of unauthorized activity using your connection, the first thing I would do is boot from a LiveCD connected directly to the internet and change all your important passwords.

That being said, I can't find any indication of any exploit, virus, or malware that uses port 7002.  It's associated with the Andrew File System which is an old network file system. I'm guessing you're not using AFS though, since your ISP would probably be complaining about the other associated ports too.  Who knows what's going on then.

Something you need to consider is that if your router is running without a strong password, it's possible that it has been compromised as well.  Often routers reject all login attempts from the WAN, so you can be safe for a while from WAN-based attacks.  However, if someone has access to the LAN then he or she could then get access to the router.  Also, most routers are controlled via an unencrypted HTTP interface from the LAN.  So, again, if someone has access to the LAN, your router password is probably being sent in the clear and easily sniffed.

Therefore, your next step should be to disconnect all but one ethernet-connected machine, boot from a LiveCD again, reset the router to factory defaults, turn off WiFi access, change the password to a long ascii string (a good source is: https://www.grc.com/passwords.htm), give it a different WPA password, and only then activate the wireless.  At that point you should have a relatively secure router.  As security steps, MAC address filtering and hiding your SSID are ineffective.  For more information, there was a recent article in TechNet Magazine that goes into some good detail.

Now, at this point you're going to need to make a decision:  are you savvy enough and committed enough to try to track down the compromise, and are you skilled enough to do anything about it once you find it?

Compromise detection is a tough task even if you had had an intrusion detection system (IDS) in place.  The problem is that with nothing to compare it to, it's difficult to know what's out of the ordinary.  It's likely that your Windows box uses the default admin account and password, so anyone with access to the LAN could log on to it and do whatever they wished to it.  Even a fully patched and properly hardened system is vulnerable to a malicious user who has the password.  Since most decent rootkits conceal themselves very effectively, compromise detection and scrubbing are probably going to be harder than they're worth.  Other difficult to detect concerns are backdoors and programs that only open firewall ports for a few moments to up/download information and then turn off.  Personally, I wouldn't feel comfortable tracking down all the potential holes a user with admin access could implement.  Instead I'd suggest you just burn your important data (no executables) to a CD and reinstall windows--this time securely.

There is a trick to installing pre-Vista Windows, however:  Study after study has shown that Windows machines will be detected and compromised long before critical patches can be installed.  The SANS Institute has a great paper that describes "Surviving the First Day" which I strongly recommend you follow.  

You'll also need to ask yourself whether the security on your linux boxen has been up to snuff.  Keep in mind that any passwords and such that you sent over your LAN could have been sniffed (is your email login the same as your user login, etc... ).  If you have any concerns at all, then you should probably reinstall your linux systems too, just to be safe.

Security is something that has to be implemented from the ground up for it to be effective.  It's not that difficult for the average user to make a home network secure enough, it's just not something enough people think about soon enough.  The SANS reading room is a great place for security information for Linux as well as Windows.  I suggest reading through their material and checking their top 20 threats list.

HTH,

m

----------

## Mad Merlin

 *PaulBredbury wrote:*   

> Use WPA, not WEP. WEP can be hacked.

 

WPA can be broken too, the important difference is that WEP is *trivially* breakable.

----------

## madisonicus

 *Mad Merlin wrote:*   

>  *PaulBredbury wrote:*   Use WPA, not WEP. WEP can be hacked. 
> 
> WPA can be broken too, the important difference is that WEP is *trivially* breakable.

 Well, any encryption can be broken (with the possible exception of a one time pad, which is theoretically vulnerable since it is so gosh darn hard to make truly random noise).  The trick is to make it take prohibitively long to do so.

The fundamental problem is that WEP is cryptographically weak and subject to several different gaping flaws going back years and culminating in a recent attack that can reveal the key within a minute:

http://www.wi-fiplanet.com/columns/print.php/1443911

http://www.securityfocus.com/infocus/1814

http://www.cdc.informatik.tu-darmstadt.de/aircrack-ptw/

Since WPA passwords can be up to 63 ascii characters long, it can only currently be attacked efficiently via a dictionary attack.  Using a strong password (63 random ascii characters) effectively eliminates the bruteforce avenue of assault by making the crack time so immense as to be impractical.

-m

----------
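The point madisonicus makes above, that a WPA-PSK passphrase is only attackable by guessing and that 63 random characters puts the guess count out of reach, can be seen directly in how the key is derived. The block below is an added example for this page, not code from the thread: it implements the IEEE 802.11i derivation (PBKDF2-HMAC-SHA1 over the SSID, 4096 iterations, 256-bit output, which is what every WPA/WPA2-PSK access point and client compute), runs the guessing loop an attacker would run after capturing a 4-way handshake, and compares search-space sizes. The SSID `homenet`, the wordlist and the guess rate are constructed or assumed; the `password`/`IEEE` vector is the published 802.11i test vector.

```python
# Added example for this page (not code from the thread): how WPA/WPA2-PSK turns
# a passphrase into the 256-bit key, and why that leaves only a guessing attack.
# IEEE 802.11i: PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
# The SSID "homenet", the wordlist and the guess rate are constructed/assumed.
import hashlib
import math
import secrets

def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """The pre-shared key an access point and a client both derive from the passphrase."""
    if not 8 <= len(passphrase) <= 63 or not all(0x20 <= ord(c) <= 0x7E for c in passphrase):
        raise ValueError("WPA passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)

def dictionary_attack(target_psk: bytes, ssid: str, wordlist):
    """What an attacker does with a captured 4-way handshake: derive the PSK for
    every candidate and compare.  The handshake MIC check is left out; only the
    PBKDF2 grind that dominates the cost is shown."""
    for candidate in wordlist:
        try:
            if wpa_psk(candidate, ssid) == target_psk:
                return candidate
        except ValueError:
            continue
    return None

def candidate_bits(alphabet_size: int, length: int) -> float:
    """log2 of the search space for a passphrase drawn uniformly from the alphabet.
    The PSK itself is 256 bits, so nothing beyond that helps."""
    return min(256.0, length * math.log2(alphabet_size))

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try the whole space at a fixed guess rate."""
    return 2.0 ** bits / guesses_per_second / (365 * 24 * 3600)

PRINTABLE = "".join(chr(c) for c in range(0x21, 0x7F))   # printable ASCII minus space

def random_passphrase(length: int = 63) -> str:
    """A passphrase of the kind the post recommends, from the OS CSPRNG."""
    return "".join(secrets.choice(PRINTABLE) for _ in range(length))

WORDLIST = ["password", "letmein1", "sunshine", "football", "homenet1", "qwerty123"]  # constructed

if __name__ == "__main__":
    ssid = "homenet"
    print("802.11i test vector:", wpa_psk("password", "IEEE").hex())
    weak = wpa_psk("letmein1", ssid)
    print("weak passphrase recovered:", dictionary_attack(weak, ssid, WORDLIST))
    strong = wpa_psk(random_passphrase(), ssid)
    print("random 63-char passphrase recovered:", dictionary_attack(strong, ssid, WORDLIST))
    rate = 1000.0   # assumed guesses/second for a single 2007-era CPU
    for label, bits in [("8 lowercase letters", candidate_bits(26, 8)),
                        ("63 random printable", candidate_bits(94, 63))]:
        print(f"{label}: {bits:.0f} bits, "
              f"{years_to_exhaust(bits, rate):.3g} years at {rate:.0f} guesses/s")
```

Two things worth noticing from running it: the SSID is the PBKDF2 salt, so a common SSID lets an attacker reuse precomputed tables, and a short dictionary word falls in milliseconds while the 63-character passphrase is not in any list and its space is capped only by the 256-bit key itself.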

## GNUtoo

I've got a friend who has had his WPA broken... so maybe they brute-forced it...

so maybe install RADIUS or OpenVPN on your router

most routers run an operating system such as Linux or VxWorks or another, so if they have a security breach it's possible to compromise them

once they are compromised it's easy to compromise the rest of the network... for instance through:

*web page redirection to a specially crafted web page that exploits browser flaws

*exploiting the non-SSL flaw in Firefox extensions (the non-official extensions do not check the validity of the update)

*exploiting security flaws such as the recent Samba flaw that can be exploited...

maybe consider installing OpenWrt/DD-WRT on your router...

if your router wasn't compromised, the router firewall was bypassed:

for example if you had Yahoo Messenger or anything such as a browser or other things that connect through the internet with a security flaw, the attacker could have done the following:

->exploit the flaw

->use a reverse connection control thing such as...

for instance with Metasploit you can:

->exploit the ANI flaw through a specially crafted web page

->launch reverse VNC or any reverse tool such as Meterpreter

normally you connect through a server... and the server has a port open... such as when you connect to a website, the server of the website has port 80 open

then the contrary is possible... make the computer automatically connect to an open port... that is called a reverse connection

after the Windows or the Linux system is compromised you could easily mount the HDDs of the other systems and compromise them

->mount the NTFS HDD read/write within Linux with ntfs-3g

->mount the ext3 HDD in Windows with Ext2Fsd

after mounting the HDDs you can change some files and make your program execute at startup and you're done....

consider:

->using RECENT Linux LiveCDs without the security flaws found here: https://forums.gentoo.org/viewforum-f-16.html

for instance if your router was compromised and you have an old Samba that starts automatically, the hacker could compromise the LiveCD...

so (if your router was compromised... check with Wireshark):

->use a recent LiveCD and disable all services running:

```
netstat -antp   # -a all sockets, -n numeric, -t TCP only, -p owning process (run as root)
```

shows you the services running... disable them before having the network

->disconnect your router and connect directly to the net

->download a newer router firmware or install OpenWrt/DD-WRT on your router

->reinstall all your computers with up-to-date software

->don't connect Linux or Windows directly to the net: you need to download service packs and security updates BEFORE, within your LiveCD, BEFORE connecting to the net... maybe consider chrooting within Linux in order to reinstall... as far as I know wget, emerge -F and Ubuntu's upgrade manager don't have flaws. Windows' one has... so be careful with Windows automatic updates

->remove the Windows HDD sharing in the registry (don't remember how to do that) or remove file sharing 

->you could use Snort on your router if you install OpenWrt

you'll have a problem sharing HDDs between Gentoo, Ubuntu and Gentoo... consider:

->encryption in Ubuntu and Gentoo in order to prevent the compromise of Windows extending to your Linux system

->do you have NX on your CPU? otherwise you could use Hardened Gentoo

->use SELinux at least to monitor your programs...

hardened userspace (glibc and gcc modifications) will soon support gcc 4.x

by the way, do you know glsa-check:

```
glsa-check -l | grep '\[N\]'   # list GLSAs marked [N], i.e. not yet applied to this system
```

----------
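GNUtoo's post describes a reverse connection (the victim connects out to the attacker, so nothing is listening) and recommends `netstat -antp` to see what is running before touching the network. From the victim's side those are two different lists: sockets in LISTEN bound to a non-loopback address, which are the services to disable, and ESTABLISHED sessions to remote ports a desktop has no business talking to. The block below is an added example for this page, not code from the thread: it parses `netstat -antp` output (Linux format) into those two lists. The netstat text is constructed, not a real capture, and the set of "expected" remote ports is an assumption to adjust per machine.

```python
# Added example for this page (not code from the thread): turn `netstat -antp`
# output into (1) services reachable from the network, to disable before
# plugging in, and (2) established connections to remote ports you did not
# expect, which is what a reverse connection looks like from the victim's side.
# The netstat text below is constructed, not a real capture; the "expected"
# remote-port list is an assumption to adjust per machine.
LOOPBACK = {"127.0.0.1", "::1"}
EXPECTED_REMOTE_PORTS = {"22", "53", "80", "443", "993", "995"}   # assumed normal for a desktop

def parse_netstat(text):
    """Rows of `netstat -antp` (Linux) -> list of dicts.  Header and non-TCP lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7 or not f[0].startswith("tcp"):
            continue
        lhost, lport = f[3].rsplit(":", 1)       # ":::22" -> ("::", "22")
        fhost, fport = f[4].rsplit(":", 1)
        pid, _, prog = f[6].partition("/")         # "-" when not run as root
        rows.append({"proto": f[0], "lhost": lhost, "lport": lport,
                     "fhost": fhost, "fport": fport, "state": f[5],
                     "pid": pid, "prog": prog})
    return rows

def exposed_listeners(rows):
    """Listening sockets bound to something other than loopback, i.e. reachable from the LAN/WAN."""
    return [(r["lhost"] + ":" + r["lport"], r["prog"])
            for r in rows if r["state"] == "LISTEN" and r["lhost"] not in LOOPBACK]

def suspicious_outbound(rows, expected=EXPECTED_REMOTE_PORTS):
    """Established sessions whose remote port is not one we expect a desktop to use.
    A shell or VNC server that calls home shows up here, not in the LISTEN list."""
    return [(r["fhost"] + ":" + r["fport"], r["prog"])
            for r in rows if r["state"] == "ESTABLISHED" and r["fport"] not in expected]

# constructed sample output of `netstat -antp`, not a real capture
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      1843/smbd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1790/cupsd
tcp        0      0 192.168.1.5:44710       203.0.113.9:4444        ESTABLISHED 2319/sh
tcp        0      0 192.168.1.5:44712       198.51.100.20:80        ESTABLISHED 2301/firefox-bin
tcp6       0      0 :::22                   :::*                    LISTEN      1702/sshd
"""

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("reachable listeners:", exposed_listeners(rows))
    print("unexpected outbound:", suspicious_outbound(rows))
```

In the sample, `smbd` on 0.0.0.0:139 and `sshd` on :::22 are the listeners an attacker on the LAN (or a compromised router) could reach, `cupsd` on loopback is not, and a bare `sh` holding a session to port 4444 on an outside address is the shape of the reverse connection the post describes: no open port on the victim, just an outbound TCP session a firewall that only blocks inbound will never see. Pipe real output in (`netstat -antp | python3 script.py` with a `sys.stdin.read()` in place of the sample) and review both lists before the machine goes back on the network; note that `-t` limits this to TCP, so UDP listeners need a separate `netstat -anup`.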

## pteppic

 *madisonicus wrote:*   

> Therefore, given that you have evidence of unauthorized activity using your connection, the first thing I would do is boot from a LiveCD connected directly to the internet and change all your important passwords.

 

This is by far the best piece of advice I have read in a long time.

----------

