# Find the hacker

## InsaneHamster

so i am under the circumstance to believe there is currently a hacker in my computer.

```
1st line snort: [1:2182:3] BACKDOOR typot trojan traffic
[Classification: A Network Trojan was detected] [Priority: 1]: {TCP}
xxx.xxx.xxx.xxx:xxxx (always a random proxy connection) -> xxx.xxx.xxx.xxx:5900 (always my ip, always same port)
```

basically this comes up randomly through the day. now i looked into it and found it's basically a payload error so i sat on it a week in case it was. but now snort is reporting random VNC scans, pings and host denies from the same ips that connect to this in sequence, which makes me believe this is already an issue.

now behind this firewall box i have a switch which routes traffic to 3 different computers which all have the ability from within the network to request connections to the outside (so i can play online games, download p2p and what not; i stopped network traffic for a couple of days in order to just be sure)

so now how would i go about tracing it back to a certain computer within my network? (one other has snort also, gentoo, it reports nothing of the sort) one's a mac (which does get bombarded with, if not hundreds, spam messages a week with images ?!?! which i believe is the source of this attack)

the firewall is now set to drop incoming tcp connections on that port and reject any outgoing. i just pretty much want to know people's ideas and comments on tracing it back to a certain computer so i can isolate the problem and see what the damage is.

Last edited by InsaneHamster on Tue Jan 23, 2007 1:04 am; edited 2 times in total

----------

## think4urs11

a simple `tcpdump -i eth1 port 5900` on your firewall should be sufficient here, where eth1 is your firewall internal interface towards your LAN.

Should show you which internal machine gets hit by that.

----------

## InsaneHamster

 *Think4UrS11 wrote:*   

> a simple `tcpdump -i eth1 port 5900` on your firewall should be sufficient here, where eth1 is your firewall internal interface towards your LAN.
> 
> Should show you which internal machine gets hit by that.

 

hmm but that would mean i would have to run the program, sit and wait. i (hopefully) already disabled their vnc connection via manual firewall rules. would u agree at this point it's best to sit and wait for another connection as is and log it to a file, or undo the changes (which temporarily bar them) and let them in while i watch?

(also i would have to run this program on my switch, would i not, cause my firewall box points to it.)

----------

## Dralnu

hmm. Blacklist the IP for awhile, and see what happens?

I think there is a website that tells you where an IP is located, too. If it's from the outside, and you don't need it, then blacklist it and if something keeps up, look for a better solution

----------

## InsaneHamster

 *Dralnu wrote:*   

> hmm. Blacklist the IP for awhile, and see what happens?
> 
> I think there is a website that tells you where an IP is located, too. If it's from the outside, and you don't need it, then blacklist it and if something keeps up, look for a better solution

 

no can do on a blacklist, the ip is proxied on each use unless a sequence of connections are made. time will pass. random ip again. u know u see ip addresses from poland, the Netherlands and randomly scattered through the usa, i just jumped to the conclusion. however they are persistent once caught by snort: ping, host unreachable, vnc scan, typot. then nothing until it happens again randomly, usually at nite.

----------

## InsaneHamster

i'm starting to lean towards the conclusion my mac os x is the cause of this. cause two gentoo boxes with snort don't report (other than amsn file requests accepts outgoing file, but once i blocked that msn wouldn't continue so i assumed it's a false reading, plus it's always with a microsoft server)

tcpdump normally on the firewall gives me connections from email servers which i believe are not what i have written in my mac os x. it's not what my isp assigned me by domain name unless they secretly send it through a different one, but i use what they have assigned me to write in the mail program.

----------

## Dralnu

 *InsaneHamster wrote:*   

> i'm starting to lean towards the conclusion my mac os x is the cause of this. cause two gentoo boxes with snort don't report (other than amsn file requests accepts outgoing file, but once i blocked that msn wouldn't continue so i assumed it's a false reading, plus it's always with a microsoft server)
> 
> tcpdump normally on the firewall gives me connections from email servers which i believe are not what i have written in my mac os x. it's not what my isp assigned me by domain name unless they secretly send it through a different one, but i use what they have assigned me to write in the mail program.

 

Hmm, interesting.

----------

## InsaneHamster

 *Dralnu wrote:*   

>  *InsaneHamster wrote:*   i'm starting to lean towards the conclusion my mac os x is the cause of this. cause two gentoo boxes with snort don't report (other than amsn file requests accepts outgoing file, but once i blocked that msn wouldn't continue so i assumed it's a false reading, plus it's always with a microsoft server)
> 
> tcpdump normally on the firewall gives me connections from email servers which i believe are not what i have written in my mac os x. it's not what my isp assigned me by domain name unless they secretly send it through a different one, but i use what they have assigned me to write in the mail program.
> 
> Hmm, interesting.

 

i've had problems with hackers before, they spam my email accounts and enjoy tearing apart my networks. it's sort of a personal vendetta, so to say. i can tell u right now it's not random.

----------

## steveL

Umm, I'm guessing you've checked your logs and so on.

I think you're right, you definitely have an intruder. If you want to track them, set up a dmz with a sacrificial lamb. Make sure you've got IP spoofing protection in the kernel and don't forget traceroute. You definitely need to take the compromised machine off the network, save its logs and reinstall it.

Think of it as a fun exercise, and start getting in touch with the ISPs where the attacks are coming from. Of course, it's likely to be windoze boxes that have been compromised already, but there's no way you're going to get proper info without the ISPs' help. abuse@domain.com is a good place to start, with snippets from logfiles and traceroute proving that some of the attacks are coming from one of their users' machines. You're only after their cooperation in tracking the attacks, and they should have logs (I think it's a legal requirement in the UK and US.) I would take the mail server thing with a pinch of salt - sounds like compromised boxen to me. Be aware it could take months to track these people, and it might actually never happen depending on how smart they are.

Congratulations on actually having some security set up.

Hopefully others can give you more pointers on tools. (It's been a while since I had any open ports.) AIDE is a good one, though it won't help in this situation, and needs to be set up with write-once data like a CD-R, or put its files on a USB stick (not so secure). Make sure you do this on a clean install (for the future.)

----------

## Dralnu

 *steveL wrote:*   

> Umm, I'm guessing you've checked your logs and so on.
> 
> I think you're right, you definitely have an intruder. If you want to track them, set up a dmz with a sacrificial lamb. Make sure you've got IP spoofing protection in the kernel and don't forget traceroute. You definitely need to take the compromised machine off the network, save its logs and reinstall it.
> 
> Think of it as a fun exercise, and start getting in touch with the ISPs where the attacks are coming from. Of course, it's likely to be windoze boxes that have been compromised already, but there's no way you're going to get proper info without the ISPs' help. abuse@domain.com is a good place to start, with snippets from logfiles and traceroute proving that some of the attacks are coming from one of their users' machines. You're only after their cooperation in tracking the attacks, and they should have logs (I think it's a legal requirement in the UK and US.) I would take the mail server thing with a pinch of salt - sounds like compromised boxen to me. Be aware it could take months to track these people, and it might actually never happen depending on how smart they are.
> ...

 

kind of off-topic - How do you close down ports? I think I have one from SSL open (I'll need to re-run nmap to find out for sure). This is the one thing that has been bugging me for ages...

----------

## InsaneHamster

 *steveL wrote:*   

> Umm, I'm guessing you've checked your logs and so on.
> 
> I think you're right, you definitely have an intruder. If you want to track them, set up a dmz with a sacrificial lamb. Make sure you've got IP spoofing protection in the kernel and don't forget traceroute. You definitely need to take the compromised machine off the network, save its logs and reinstall it.
> 
> Think of it as a fun exercise, and start getting in touch with the ISPs where the attacks are coming from. Of course, it's likely to be windoze boxes that have been compromised already, but there's no way you're going to get proper info without the ISPs' help. abuse@domain.com is a good place to start, with snippets from logfiles and traceroute proving that some of the attacks are coming from one of their users' machines. You're only after their cooperation in tracking the attacks, and they should have logs (I think it's a legal requirement in the UK and US.) I would take the mail server thing with a pinch of salt - sounds like compromised boxen to me. Be aware it could take months to track these people, and it might actually never happen depending on how smart they are.
> ...

 

very thorough response, thank you. I have excellent logs: rkhunter, tripwire daily (aide for 50-60gb takes too long), logwatch, logrotate. the gentoo security handbook was followed through almost to a T, logs of course are on every machine. kern.log is unfortunately flooded by my iptables on the firewall box, i still have to get on that, but it's rotated so i can search through it and compare later in detail to what i already have. i used to run ntop but i quickly found errors would come up days after install and network mapping was sketchy, it would restart, so i figured it was a security risk. so dmz i have not set up or even looked into. that's on the list from here. ip spoofing, not specifically that i know of, i will look into now to make sure it is enabled and configured via iptables properly.

i think another problem here is also the way my network is set up. for example i have dnsmasq and dhcpcd going into my switch from my firewall box, which could have been set up more nicely. logs are machine specific, no ssh or login is allowed on any of them. i check one by one every day (thank god i have ocd) so i guess i could clean it up a little there, and NAT i guess needs to be set up specifically: no more allowing internal networks to request and connect to outside networks without some sort of specific port configuration in the firewall iptables. and routing, i guess, if that's possible, to move for example port 80 (firewall) to 82 (switch) to 83 (desktop machine) when surfing the internet (if that's possible)

i also get SNMP public access udp requests in snort on the firewall box but i assume it's normal (even though i don't have it installed or use it)

and thank you, if anyone has comments or questions let me know

Last edited by InsaneHamster on Tue Jan 23, 2007 2:49 am; edited 1 time in total

----------

## InsaneHamster

 *Quote:*   

> kind of off-topic - How do you close down ports? I think I have one from SSL open (I'll need to re-run nmap to find out for sure). This is the one thing that has been bugging me for ages...

 

how come u cannot specify in iptables to drop or reject connections on that port (outbound or inbound)?

lol also on another note when i do network audits with nmap i think this is good but it states port 53 (dns) is open when from my desktop i scan my iptables (i assume this is normal)

but when i do online scans to double check it says i'm clean.

----------

## Dralnu

 *InsaneHamster wrote:*   

>  *Quote:*   kind of off-topic - How do you close down ports? I think I have one from SSL open (I'll need to re-run nmap to find out for sure). This is the one thing that has been bugging me for ages... 
> 
> how come u cannot specify in iptables to drop or reject connection on that port (outbound or inbound) 
> 
> lol also on another note when i do network audits with nmap i think this is good but it states port 53(dns) is open when from my desktop i scan my iptables ( i assume this is normal)
> ...

 

Well, I guess I shouldn't be too worried. Got a hardware firewall on the router (plus I don't mess with iptables, lol. Don't know enough about them to trust myself to mess with them without a good guide to them).

Thanks for the info, though. I'll look into that in a moment

----------

## InsaneHamster

 *Dralnu wrote:*   

>  *InsaneHamster wrote:*    *Quote:*   kind of off-topic - How do you close down ports? I think I have one from SSL open (I'll need to re-run nmap to find out for sure). This is the one thing that has been bugging me for ages... 
> 
> how come u cannot specify in iptables to drop or reject connection on that port (outbound or inbound) 
> 
> lol also on another note when i do network audits with nmap i think this is good but it states port 53(dns) is open when from my desktop i scan my iptables ( i assume this is normal)
> ...

 

how is a firewall any good when u can visit a site or someone sends u an image or a link that creates a connection between u and them? that's how i get hit. i mean it's not like they brute force through 3 iptables, 3 snort configurations with inline and other various security precautions. then again i am specifically targeted...

----------

## Dralnu

 *InsaneHamster wrote:*   

>  *Dralnu wrote:*    *InsaneHamster wrote:*    *Quote:*   kind of off-topic - How do you close down ports? I think I have one from SSL open (I'll need to re-run nmap to find out for sure). This is the one thing that has been bugging me for ages... 
> 
> how come u cannot specify in iptables to drop or reject connection on that port (outbound or inbound) 
> 
> lol also on another note when i do network audits with nmap i think this is good but it states port 53(dns) is open when from my desktop i scan my iptables ( i assume this is normal)
> ...

 

I've got a firewall router (netgear websafe, actually). It has a built-in hardware and software firewall in it, so I'm not too worried.

I'd love to find a hardware firewall that is built inline to an ethernet cable, or something along those lines. Doesn't make much sense for them not to...

----------

## madisonicus

 *InsaneHamster wrote:*   

> so i am under the circumstance to believe there is currently a hacker in my computer.
> 
> ```
> 
> 1stline snort: [1:2182:3] BACKDOOR typot trojan traffic
> ...

 

I'm not great with snort, but that doesn't look like someone in your network.  Rather it looks like someone on a random comp is attempting to make a connection to port 5900 on your machine.  (This is happening on the WAN interface of your firewall, right?)  If that's what the log means, it's not anything to worry about.  I get a dozen or so of those bouncing off my firewall every hour.  It's just someone's bot network randomly looking for exploitable computers. See the SANS page on port 5900.

Looking more technically, there may be a couple things going on. The snort rule that seems to be triggered is one that looks for packets with a certain window size, which belong to the typot trojan.  The triggered rule, rule 2128, even mentions this spurious warning: *Quote:*   

> Current information based on binary analysis of the Typot Trojan shows that network traffic is generated with a TCP window size of 55808 bytes. Whilst this Trojan does not appear to contain any malicious payload it will generate spurious network scanning activity.

 

However, the consistent connections to port 5900 strongly suggest that it's a botnet probing for this authentication vulnerability in RealVNC.  The probes to 5900 are probably constantly happening (to no avail unless you're running a vulnerable RealVNC server) but only get noticed by snort when they happen to have the typot trojan's signature window size.

You could run wireshark on the WAN interface to try to grab these packets as they come in to see exactly what they contain.  But again, if they're just bouncing against your firewall, then there's nothing at all to be concerned about.

HTH,

m
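To make think4urs11's `tcpdump -i eth1 port 5900` suggestion and the window-size explanation above concrete, here is an added example (not code from the thread or from snort/tcpdump) that parses snort fast-format alert lines and `tcpdump -n` summary lines, counts which LAN host each outside probe to 5900 reaches, flags packets carrying the 55808 window size the typot rule keys on, and, the part that actually matters, lists LAN hosts that answered a probe with SYN-ACK. It assumes a 192.168.1.0/24 LAN behind eth1 and uses constructed sample lines with documentation addresses.

```python
"""Added example: correlate snort alerts with tcpdump output on the firewall's
internal interface to see which LAN host a port-5900 probe reaches and whether
anything on the LAN answers it. Not the thread's own code."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")   # assumed internal subnet behind eth1
VNC_PORT = 5900
TYPOT_WINDOW = 55808                  # TCP window size the snort typot rule keys on

# Constructed sample lines (documentation addresses), not captured traffic.
SAMPLE_SNORT = """\
[1:2182:3] BACKDOOR typot trojan traffic [Classification: A Network Trojan was detected] [Priority: 1]: {TCP} 203.0.113.5:4321 -> 192.0.2.1:5900
"""
SAMPLE_TCPDUMP = """\
01:02:03.000001 IP 203.0.113.5.4321 > 192.168.1.10.5900: Flags [S], seq 1, win 55808, length 0
01:02:04.000002 IP 198.51.100.7.40001 > 192.168.1.10.5900: Flags [S], seq 2, win 65535, length 0
01:02:05.000003 IP 203.0.113.5.4322 > 192.168.1.20.5900: Flags [S], seq 3, win 55808, length 0
01:02:06.000004 IP 192.168.1.10.5900 > 203.0.113.5.4321: Flags [S.], seq 9, ack 2, win 5840, length 0
"""

SNORT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) (?:\[\*\*\] )?"
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<prio>\d+)\]:? "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\],.*?\bwin (?P<win>\d+)"
)


def parse_snort(text):
    """Return one dict per snort fast-format alert line; non-matching lines are skipped."""
    out = []
    for line in text.splitlines():
        m = SNORT_RE.search(line)
        if m:
            d = m.groupdict()
            for k in ("gid", "sid", "rev", "prio", "sport", "dport"):
                d[k] = int(d[k])
            out.append(d)
    return out


def parse_tcpdump(text):
    """Parse 'tcpdump -n' TCP summary lines into dicts with ints for ports and window."""
    out = []
    for line in text.splitlines():
        m = TCPDUMP_RE.match(line)
        if m:
            d = m.groupdict()
            for k in ("sport", "dport", "win"):
                d[k] = int(d[k])
            out.append(d)
    return out


def inbound_targets(records, port=VNC_PORT):
    """Count bare SYNs from outside the LAN to <port> per internal host: who gets hit."""
    c = Counter()
    for r in records:
        if (r["dport"] == port and r["flags"] == "S"
                and ip_address(r["src"]) not in LAN and ip_address(r["dst"]) in LAN):
            c[r["dst"]] += 1
    return c


def typot_hits(records):
    """(src, dst) pairs whose window size matches the signature the snort rule alerts on."""
    return [(r["src"], r["dst"]) for r in records if r["win"] == TYPOT_WINDOW]


def lan_responders(records, port=VNC_PORT):
    """Internal hosts that answered a probe with SYN-ACK, i.e. a real listener on <port>."""
    return {r["src"] for r in records
            if r["sport"] == port and r["flags"] == "S." and ip_address(r["src"]) in LAN}


if __name__ == "__main__":
    alerts = parse_snort(SAMPLE_SNORT)
    recs = parse_tcpdump(SAMPLE_TCPDUMP)
    print("snort alerts for port 5900:", sum(a["dport"] == VNC_PORT for a in alerts))
    print("internal hosts hit on 5900:", dict(inbound_targets(recs)))
    print("typot window hits:", typot_hits(recs))
    print("LAN hosts actually answering on 5900:", lan_responders(recs))
```

A probe that is counted by `inbound_targets` but never appears in `lan_responders` has simply been forwarded to a closed port; only a host that shows up in `lan_responders` is running something on 5900 worth investigating.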

----------

## InsaneHamster

 *Dralnu wrote:*   

>  *InsaneHamster wrote:*    *Dralnu wrote:*    *InsaneHamster wrote:*    *Quote:*   kind of off-topic - How do you close down ports? I think I have one from SSL open (I'll need to re-run nmap to find out for sure). This is the one thing that has been bugging me for ages... 
> 
> how come u cannot specify in iptables to drop or reject connection on that port (outbound or inbound) 
> 
> lol also on another note when i do network audits with nmap i think this is good but it states port 53(dns) is open when from my desktop i scan my iptables ( i assume this is normal)
> ...

 

quite an idea, first i've ever heard of such, but if u think about it a firewall is there to securely keep intruders out but sometimes false readings may make it unintentionally lock you out of a feature when needed. if an entry point to change, edit or view settings in this idea were possible i'd say patent it and go nuts. however the way technology is going, home users' wireless frequencies are dominating. man i'm not gonna lie to you, i used to think i was secure too at one point. but now i know we will never be secure. anything is hackable.

might as well add in i've never run a vnc nor do i have vnc installed or any ms boxes in the house.

Last edited by InsaneHamster on Tue Jan 23, 2007 5:15 am; edited 1 time in total

----------

## InsaneHamster

 *madisonicus wrote:*   

>  *InsaneHamster wrote:*   so i am under the circumstance to believe there is currently a hacker in my computer.
> 
> ```
> 
> 1stline snort: [1:2182:3] BACKDOOR typot trojan traffic
> ...

 

well that's what i thought at first, i thought nothing of it as i did read the same quote from the snort archives about what the typot message means. but as i said it did look shady. i had grounds i believe to suspect foul play. now with the firewall having that port disabled in pretty much every single way, tcpdump eth0 (internet) reports 2 readings (one 800km away, another (2) tried connections by someone who is locally using the same isp as me). eth1 (WAN) tcpdump is being run now and i'll run it all nite to see if it gets through into the switch

Last edited by InsaneHamster on Tue Jan 23, 2007 5:28 am; edited 3 times in total

----------

## Dralnu

 *InsaneHamster wrote:*   

>  *Dralnu wrote:*    *InsaneHamster wrote:*    *Dralnu wrote:*    *InsaneHamster wrote:*    *Quote:*   kind of off-topic - How do you close down ports? I think I have one from SSL open (I'll need to re-run nmap to find out for sure). This is the one thing that has been bugging me for ages... 
> 
> how come u cannot specify in iptables to drop or reject connection on that port (outbound or inbound) 
> 
> lol also on another note when i do network audits with nmap i think this is good but it states port 53(dns) is open when from my desktop i scan my iptables ( i assume this is normal)
> ...

 

Of course it is all hackable. I'm more worried about keeping mid and low-level hackers out of my system. The people who know what they are doing are almost impossible to keep out.

Right now, besides the router, I've got securetty set so that root can only be logged into from a tty. I'd love to do the same for su and sudo, as well, which would lock people out of my root account.

I'd probably mess with iptables some if I knew what I was doing, but I don't, and like you said, you can screw yourself up with a bad setup. Right now I compile everything with the hardened USE flag (helps a little I think).

I also try to stay out of my root account for a good portion of the time, and sudo when I need to do something.

----------

## InsaneHamster

 *Dralnu wrote:*   

>  *InsaneHamster wrote:*    *Dralnu wrote:*    *InsaneHamster wrote:*    *Dralnu wrote:*    *InsaneHamster wrote:*    *Quote:*   kind of off-topic - How do you close down ports? I think I have one from SSL open (I'll need to re-run nmap to find out for sure). This is the one thing that has been bugging me for ages... 
> 
> how come u cannot specify in iptables to drop or reject connection on that port (outbound or inbound) 
> 
> lol also on another note when i do network audits with nmap i think this is good but it states port 53(dns) is open when from my desktop i scan my iptables ( i assume this is normal)
> ...

 

i ran hardened before, it was very good for testing on shady forums where people would exploit firefox flaws and try to gain entry into memory. but it does drop production if ur doing certain things or need certain programs to operate specially. i've stayed away from any type of policies too up to this point, it's a hassle. you are right they are almost near impossible to keep out but it's not like you're going to let a homeless man sleep in your house just cause he keeps coming back.

----------

## Dralnu

Point taken. I take it you've looked into SELinux? I know there is a book out over it, and a few sites on it. I've been tempted to look into it as a fix (if I went that route I'd also start digging into iptables).

The book has a lightsaber on the cover with "Linux Inside" on the side of it. Written by the guys who started the whole project. Interesting read.

----------

## InsaneHamster

btw what's the command to run tcpdump on every port other than 80?

can i just go `tcpdump -i eth1 port !80`

? i only have console btw

----------

## madisonicus

 *InsaneHamster wrote:*   

> well that's what i thought at first, i thought nothing of it as i did read the same quote from the snort archives about what the typot message means. but as i said it did look shady. i had grounds i believe to suspect foul play. now with the firewall having that port disabled in pretty much every single way, tcpdump eth0 (internet) reports 2 readings (one 800km away, another (2) tried connections by someone who is locally using the same isp as me). eth1 (WAN) tcpdump is being run now and i'll run it all nite to see if it gets through into the switch

How would a packet get through the firewall?  What would it do if it did?  Are you running a vulnerable RealVNC server on your Linux or Mac boxes?

What "foul play"?  What about random, shotgun attacks (SANS alone records over a hundred thousand a day) makes you think that there's a compromise of your system?

----------

## InsaneHamster

 *Dralnu wrote:*   

> Point taken. I take it you've looked into SELinux? I know there is a book out over it, and a few sites on it. I've been tempted to look into it as a fix (if I went that route I'd also start digging into iptables).
> 
> The book has a lightsaber on the cover with "Linux Inside" on the side of it. Written by the guys who started the whole project. Interesting read.

 

not good at reading books, i work by trial and error. personally i don't use documents or help files unless exclusively necessary, the way i see it it's all plug n play software anyways, plus i learn by mistake and mistake only. once it runs, after the fact i know how not to go into that area again. i tried RBACS policy, it was good except for the fact i tried it on a desktop which rendered it useless even with its learning module. SElinux i haven't touched. i'm not a fan of policies, i'd rather use a kernel-userspace configuration, once there isn't as much overhead with the double kernels n all.

----------

## InsaneHamster

 *madisonicus wrote:*   

>  *InsaneHamster wrote:*   well that's what i thought at first, i thought nothing of it as i did read the same quote from the snort archives about what the typot message means. but as i said it did look shady. i had grounds i believe to suspect foul play. now with the firewall having that port disabled in pretty much every single way, tcpdump eth0 (internet) reports 2 readings (one 800km away, another (2) tried connections by someone who is locally using the same isp as me). eth1 (WAN) tcpdump is being run now and i'll run it all nite to see if it gets through into the switch How would a packet get through the firewall?  What would it do if it did?  Are you running a vulnerable RealVNC server on your Linux or Mac boxes?
> 
> What "foul play"?  What about random, shotgun attacks (SANS alone records over a hundred thousand a day) makes you think that there's a compromise of your system?

 

drives me crazy, i look into each and every single one, once i'm confident it's normal behaviour i let it pass. as i mentioned, amsn file requests and accepts. tcpdump is running on a console now so i can watch for anything other than a microsoft connection. i always assume worst case scenario. i've been hacked so many times before, i know it will happen again if it's not already in play. my firewall box, believe it or not, is a simple powerbook with a usb eth card.

----------

## madisonicus

 *Dralnu wrote:*   

> Of course it is all hackable. I'm more worried about keeping mid and low-level hackers out of my system. The people who know what they are doing are almost impossible to keep out.
> 
> Right now, besides the router, I've got securetty set so that root can only be logged into from a tty. I'd love to do the same for su and sudo, as well, which would lock people out of my root account.
> 
> I'd probably mess with iptables some if I knew what I was doing, but I don't, and like you said, you can screw yourself up with a bad setup. Right now I compile everything with the hardened USE flag (helps a little I think).
> ...

Turning on the hardened USE flag with GCC 4.1.1 or GLIBC 2.4 does nothing yet.  You have to use GCC 3.4 and GLIBC 2.3 for now to get the benefits of hardened or PIC.

SELINUX can be hard to set up but it's gotten easier now that there are some learning options.  There are decent Gentoo guides for doing a PAX/GRSECURITY kernel with hardened toolchain though, available here.

I've found that iptables is actually pretty simple when you figure out what's going on.  Here's a simple but reasonable example.  I'd also recommend net-firewall/firestarter or net-firewall/shorewall for someone just starting out.  There are also several iptables script generators on the web (here for instance).

----------

## Moji

If you want to use iptables to drop a specific port:

```
/sbin/iptables -I INPUT -p udp --dport [Your Port Here] -j DROP
/sbin/iptables -I INPUT -p tcp --dport [Your Port Here] -j DROP
/sbin/iptables -I OUTPUT -p udp --dport [Your Port Here] -j DROP
/sbin/iptables -I OUTPUT -p tcp --dport [Your Port Here] -j DROP
```

That should amend two rules on the top of your INPUT chain and two on the top of your OUTPUT chain. you can also do a port range with the colon, ie 1024:65535

-MJ

----------

## InsaneHamster

what i don't understand is, according to various tests and online analyzers my computer does not exist on the internet, so how and why are people trying to scan or connect to it, and how come this didn't happen before?

cause it be like limewire or bts i used (i stopped) and well the aftermath?

----------

## madisonicus

 *InsaneHamster wrote:*   

> what i dont understand is according to various tests and online analyzers my computer does not exist on the internet so how and why are people trying to scan or connect to it and how come this didnt happen before ?
> 
> cause it be like limewire or bts i used (i stopped) and well the after math ?

They're not targeting you.  They're randomly or sequentially probing ip addresses.  It's the IP version of War Dialing.  It's the same way you get spam, even if you've never given out your email address.  Or the way junk mailers send things to you, but have to put "Resident" or "Dear Neighbor".

----------

## InsaneHamster

 *madisonicus wrote:*   

>  *InsaneHamster wrote:*   what i don't understand is, according to various tests and online analyzers my computer does not exist on the internet, so how and why are people trying to scan or connect to it, and how come this didn't happen before?
> 
> cause it be like limewire or bts i used (i stopped) and well the aftermath? They're not targeting you.  They're randomly or sequentially probing ip addresses.  It's the IP version of War Dialing.  It's the same way you get spam, even if you've never given out your email address.  Or the way junk mailers send things to you, but have to put "Resident" or "Dear Neighbor".

 

i knew that before but i guess i didn't know how large of a scale it would be once u log every single one. so i guess these ping cyber kits towards my computer should be fine since i am technically invisible, but sometimes i see my computer sending out back to them

----------