# Have I gotten hacked?

## gentoonewb39

I have had some problems getting iptables to work, but after about a month I have finally gotten it to work, and I get greeted by a ton of blocked connections on strange ports, so I am wondering whether I got hacked. I went to Google to see if I could find any command that showed what programs were using the network, and the closest I could find was "netstat" (results found below). I also checked my bash history and found no entries I didn't make.

Part of my Firestarter log; the complete log can be posted on request.

 *Quote:*   

> Time:Oct  4 14:39:46 Direction: Unknown In:ath0 Out: Port:40280 Source:24.208.36.15 Destination:192.168.1.23 Length:64 TOS:0x00 Protocol:TCP Service:Unknown
> 
> Time:Oct  4 14:39:46 Direction: Unknown In:ath0 Out: Port:46917 Source:84.48.79.220 Destination:192.168.1.23 Length:52 TOS:0x00 Protocol:TCP Service:Unknown
> ...

 

netstat output

 *Quote:*   

> tux gr # netstat
> 
> Active Internet connections (w/o servers)
> 
> Proto Recv-Q Send-Q Local Address           Foreign Address         State
> ...

 

----------

## adaptr

Where to start?

1. No, you did not get "hacked", and even if you did, how would you know?

Certainly not by "checking your bash history"...

2. iptables is working? Call the police! Listen to yourself: they're being *blocked*, right?

3. Use sensible commands to report things, like:

```
netstat -ltpn
```

to show what services you have running (if you don't know that then you shouldn't be thinking these big thoughts, either.)

4. These are all high ports - they're unimportant unless you are running suspicious or unsafe services yourself (see 3.)

Take the trouble to actually read the output - and learn a little about TCP/IP if you expect to understand what anyone tells you.

This is not to brush you off, but network security is really not a beginner's topic.

EDIT: go here for more on this topic https://forums.gentoo.org/viewtopic-t-210585-highlight-.html

----------

## gentoonewb39

1. By seeing that someone has been installing programs like Born2Kill, or by looking in my bash history and seeing that someone other than me has been running commands.

2. iptables is working now, yes, but it hasn't been working for the last month, which is plenty of time to do stuff to my system.

3. As I said, I found netstat by googling for 2 minutes, and since I'm not yet used to networking in Linux I thought that that was all that came built in.

4. High ports can be just as dangerous as low ports, since most programs can be told to run on ports other than their standard port; for example, you can run Born2Kill on a high port.

----------

## adaptr

Who is this "someone" you keep referring to?

If you allow external users on your system I assume you have taken the appropriate security measures to prevent them from corrupting your system.

----------

## sirtalon42

Try running netstat as root (so you can see all the processes, not just a select few). Use the command: netstat -tuwaepW

That will include all TCP, UDP and raw sockets, the source & destination of the connection, and show information about the program that has opened the connection.

Use ps, top, or kpm (kpm is like top, but is a KDE app so it may be easier to use). There probably will be a lot of different things.

Firestarter is a pretty good front end to iptables. I would recommend setting it to automatically block all incoming connections, whitelisting the ones you want to allow, and to allow outgoing connections, blacklisting the ones you don't want (this is assuming this box is a desktop, not a server). If your box is exposed to the internet (either directly connected, or in the DMZ of your router) you will get lots of messages in Firestarter, because there are LOTS of people just randomly scanning systems.
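The cross-check that adaptr's `netstat -ltpn` and sirtalon42's advice are pointing at can be scripted. The following POSIX shell script is an added example, not code from the original thread: it summarizes Firestarter log lines of the format quoted above by local port and distinct source, then checks each port against `netstat -ltpn` output to see whether anything is actually listening there. The first two log lines are the ones quoted in the post; the remaining log lines, the netstat output, the addresses and the PID/program names are constructed sample data, the "Port:" field is assumed to be the local port that was hit, and the `events.txt` file name in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original thread): cross-check the ports that
# Firestarter logs as blocked against what is actually listening locally.
# A probe to a port with no listener got no answer and is scanning noise;
# a probe to a port that IS listening is the one worth reading about.
# This says something about now, not about the month the firewall was down.

# Sample Firestarter log.  The first two lines are the ones quoted in the
# thread; the remaining lines are CONSTRUCTED (203.0.113.7 / 198.51.100.9
# are documentation addresses).  The "Port:" field is taken to be the
# local port that was hit (assumption about Firestarter's log format).
SAMPLE_FS_LOG='Time:Oct  4 14:39:46 Direction: Unknown In:ath0 Out: Port:40280 Source:24.208.36.15 Destination:192.168.1.23 Length:64 TOS:0x00 Protocol:TCP Service:Unknown
Time:Oct  4 14:39:46 Direction: Unknown In:ath0 Out: Port:46917 Source:84.48.79.220 Destination:192.168.1.23 Length:52 TOS:0x00 Protocol:TCP Service:Unknown
Time:Oct  4 14:40:02 Direction: Unknown In:ath0 Out: Port:22 Source:203.0.113.7 Destination:192.168.1.23 Length:60 TOS:0x00 Protocol:TCP Service:SSH
Time:Oct  4 14:40:05 Direction: Unknown In:ath0 Out: Port:22 Source:203.0.113.7 Destination:192.168.1.23 Length:60 TOS:0x00 Protocol:TCP Service:SSH
Time:Oct  4 14:40:11 Direction: Unknown In:ath0 Out: Port:22 Source:203.0.113.7 Destination:192.168.1.23 Length:60 TOS:0x00 Protocol:TCP Service:SSH
Time:Oct  4 14:41:30 Direction: Unknown In:ath0 Out: Port:40280 Source:198.51.100.9 Destination:192.168.1.23 Length:64 TOS:0x00 Protocol:TCP Service:Unknown'

# CONSTRUCTED sample of `netstat -ltpn` run as root (PIDs/program names are
# made up).  Run as a normal user, the last column is just "-".
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      987/cupsd
tcp6       0      0 :::22                   :::*                    LISTEN      1234/sshd'

# stdin: Firestarter log lines -> "port hits distinct_sources", most hits first
blocked_summary() {
    awk '{
        port = ""; src = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^Port:/)   port = substr($i, 6)
            if ($i ~ /^Source:/) src  = substr($i, 8)
        }
        if (port == "" || src == "") next
        hits[port]++
        if (!((port, src) in seen)) { seen[port, src] = 1; srcs[port]++ }
    }
    END { for (p in hits) printf "%s %d %d\n", p, hits[p], srcs[p] }' |
    sort -k2,2nr -k1,1n
}

# stdin: `netstat -ltpn` output -> "port pid/program" for each LISTEN socket
# (port is whatever follows the last colon, so :::22 and 0.0.0.0:22 both give 22)
listeners() {
    awk '$6 == "LISTEN" { n = split($4, a, ":"); print a[n], ($7 == "" ? "-" : $7) }' |
    sort -u
}

# $1: Firestarter log text, $2: netstat -ltpn text.  One verdict line per port.
triage() {
    lst=$(printf '%s\n' "$2" | listeners)
    printf '%s\n' "$1" | blocked_summary | while read -r port hits srcs; do
        prog=$(printf '%s\n' "$lst" | awk -v p="$port" '$1 == p { print $2; exit }')
        if [ -n "$prog" ]; then
            printf 'port %s: %s hit(s) from %s source(s) -> LISTENING (%s): investigate\n' \
                "$port" "$hits" "$srcs" "$prog"
        else
            printf 'port %s: %s hit(s) from %s source(s) -> nothing listening: closed-port probe\n' \
                "$port" "$hits" "$srcs"
        fi
    done
}

# Stand-alone run on the sample data.  On a live box, as root, something like:
#   triage "$(cat events.txt)" "$(netstat -ltpn)"
# where events.txt is the Firestarter event list saved to a file (hypothetical name).
triage "$SAMPLE_FS_LOG" "$SAMPLE_NETSTAT"
```

On the sample data the only port that deserves attention is 22, because sshd is listening there and one host is hammering it; the two high ports have nothing behind them and are plain scanning noise, which is adaptr's point 4 in concrete form.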

----------

## MrUlterior

I see no direct evidence of compromise in the (scant) information you've provided; however, I presume that ath0 is an Atheros-based wireless card, so I assume that is connected to an AP and from there directly to the inet with no intervening firewall?

The million dollar question is: how are hosts on the inet addressing your 192.168.1.x range? 

If you want help please post your network topology and some sort of commentary on what you're trying to do with it.

----------

## nlindblad

If you're adding ordinary desktop-users, I suggest giving them /bin/false as their shell...

----------

## chrbecke

 *nlindblad wrote:*   

> If you're adding ordinary desktop-users, I suggest giving them /bin/false as their shell...

 

They won't be able to log in if you give them /bin/false as their default shell...

----------

## nlindblad

 *chrbecke wrote:*   

>  *nlindblad wrote:*   If you're adding ordinary desktop-users, I suggest giving them /bin/false as their shell... 
> 
>  They won't be able to log in if you give them /bin/false as default shell...

 

Oops, I meant it the other way around: put /bin/false on accounts you don't want to be able to log in (or simply remove them).
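As an added example (not code from the thread) of how to act on nlindblad's corrected advice, here is a POSIX shell audit of /etc/passwd: it lists the accounts whose login shell is not one of the usual non-login shells, flags any second UID-0 account (a classic sign of tampering), and prints the `usermod -s /bin/false` lines for every interactive account that is not on an allowlist you pass in. The /etc/passwd excerpt, the `toor` entry and all account names are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original thread): audit which accounts in
# /etc/passwd can still get an interactive login, and generate the
# `usermod -s /bin/false` commands for the ones that should not.
# Also flags a classic post-compromise sign: a second UID-0 account.

# CONSTRUCTED /etc/passwd excerpt.  "toor" is a made-up duplicate-root
# entry included only to show what the UID-0 check catches.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:22:22:sshd privsep:/var/empty:/sbin/nologin
toor:x:0:0:constructed example:/root:/bin/bash
gr:x:1000:1000:gr:/home/gr:/bin/bash
guest:x:1001:1001:guest:/home/guest:/bin/bash
backup:x:1002:1002:backup:/var/backups:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/false'

# stdin: passwd data -> "user uid shell" for accounts whose shell is not one
# of the usual non-login shells.  This is the shell-only view; a locked
# password in /etc/shadow is not considered here.
interactive_accounts() {
    awk -F: '$7 != "/bin/false" && $7 != "/usr/bin/false" &&
             $7 != "/sbin/nologin" && $7 != "/usr/sbin/nologin" { print $1, $3, $7 }'
}

# stdin: passwd data -> names of UID-0 accounts other than root
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# stdin: passwd data; args: accounts allowed to log in.
# Prints the usermod command for every other interactive account; review the
# output, then run it as root.  A duplicate UID-0 account should be deleted,
# not merely shell-locked, so it is printed as a warning instead.
lock_unexpected() {
    allow=" $* "
    interactive_accounts | while read -r user uid shell; do
        case "$allow" in
            *" $user "*) ;;                       # explicitly allowed
            *) if [ "$uid" -eq 0 ]; then
                   printf '# WARNING: extra UID-0 account %s, delete it (userdel)\n' "$user"
               else
                   printf 'usermod -s /bin/false %s\n' "$user"
               fi ;;
        esac
    done
}

# Stand-alone run on the sample.  On a live box:
#   lock_unexpected root gr < /etc/passwd
printf '%s\n' "$SAMPLE_PASSWD" | lock_unexpected root gr
```

One caveat that belongs with this advice: /bin/false as the shell stops interactive logins and `su`, but an account that still has a working password or an authorized SSH key can do `ssh -N` port forwarding, because no shell is ever spawned. Lock the password (`passwd -l`) and remove its keys as well, or delete the account outright as nlindblad says.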

----------

## micmac

 *MrUlterior wrote:*   

> The million dollar question is: how are hosts on the inet addressing your 192.168.1.x range?

 

I'd like that one answered as well!

----------

## Monkeh

 *micmac wrote:*   

>  *MrUlterior wrote:*   The million dollar question is: how are hosts on the inet addressing your 192.168.1.x range? 
> 
> I'd like that one answered as well!

 

Ehem, router perhaps?

----------

## MrUlterior

 *Monkeh wrote:*   

> Ehem, router perhaps?

 

Well, the OP mentioned Firestarter, so if you look at the rulesets that Firestarter generates, it allows related & established connections by default. In the OP's logs above, you can see these are dropped or related packets, implying connections with the state new (most likely). That, IMO, is weird.

----------

