Date:      Wed, 04 Apr 2001 14:25:41 +1200
From:      David Preece <davep@afterswish.com>
To:        freebsd-questions@freebsd.org
Subject:   RE: Hacked? - panic over basically.
Message-ID:  <5.0.2.1.1.20010404142231.0220dd10@pop3.paradise.net.nz>

Hi,

Again, xposted over from nz.comp. I think this more or less explains what 
happened. Like I said, I will look into what mistake I *really* made in due 
course. I also appreciate the need to lock down the firewalling some more.

Dave :)

--------------------------------------------
 >Having got used to the 'incoming' light on my cable modem being
 >bombarded with broadcast traffic, I was less than impressed to see the
 >'outgoing' light joining in the fun this morning.

Okay. The hoped-for "I'm such a dimwit" has in fact occurred and
no-one managed to hack my box. Thank _GOD_ for that. What was
happening was the network address translator was having all the
incoming packets directed to it (as it should, just hang on).
Realising that I hadn't had anything to do with this packet, and
therefore it should do nothing, it just re-injected it back, found a
plausible looking interface (the external interface) and sent the
packet back, causing the xmit light to join in the fun.

Hmmm. Adding the -d flag (drop packets without an entry in the
translation table) to the natd process fixed that one.

Lessons to be learned: This may possibly be a minor problem with the
default FreeBSD install, I shall dig into this PROPERLY (not the
half-assed analysis above) and see if there's anything we can do. Setting
up a home gateway with FreeBSD is not as easy as it should be, and I
suspect I'm about to find my niche of free software where I can make a
difference.

Lesson 2: Part of this panic was caused by a lack of security tools on
the outside of my cable modem. I have a little too much spare time
right now and will try to set up some description of web based
security scanner. Currently I think we're looking at an 'nmap by
email' service - you connect to a webpage, give it your email address,
and the server will nmap (tarty portscan) your IP and email you the
results. Comments?

Lesson 3: While my BSD box is now "secure", there are literally loads
of windows boxes on this network that aren't. Let's have a little look
at some of the debug output from the address translator running in
verbose mode:

bash-2.03# date
Mon Apr  4 14:45:37 NZST 1994
bash-2.03# ./natd -v -d -n ep0
natd[312]: Aliasing to 203.79.83.91, mtu 1500 bytes
In  [UDP]  [UDP] 203.79.83.132:138 -> 203.79.83.255:138 dropped.
In  [UDP]  [UDP] 203.79.83.156:138 -> 203.79.83.255:138 dropped.
In  [UDP]  [UDP] 172.20.28.62:138 -> 172.20.31.255:138 dropped.
In  [UDP]  [UDP] 203.79.83.152:137 -> 203.79.83.255:137 dropped.
In  [UDP]  [UDP] 202.0.34.162:137 -> 202.0.34.255:137 dropped.
In  [UDP]  [UDP] 172.20.30.38:137 -> 172.20.31.255:137 dropped.
In  [UDP]  [UDP] 192.168.0.1:1015 -> 255.255.255.255:1015 dropped.
In  [UDP]  [UDP] 192.168.0.1:1015 -> 255.255.255.255:1015 dropped.
In  [UDP]  [UDP] 172.20.30.69:137 -> 172.20.31.255:137 dropped.
In  [UDP]  [UDP] 10.1.10.20:1030 -> 229.55.150.208:1345 dropped.
In  [UDP]  [UDP] 203.97.196.6:138 -> 203.97.196.255:138 dropped.
In  [UDP]  [UDP] 172.20.30.69:138 -> 172.20.31.255:138 dropped.
In  [UDP]  [UDP] 203.79.83.152:137 -> 203.79.83.255:137 dropped.
In  [UDP]  [UDP] 202.0.34.162:137 -> 202.0.34.255:137 dropped.
In  [UDP]  [UDP] 203.79.72.254:520 -> 203.79.72.255:520 dropped.
In  [UDP]  [UDP] 172.20.31.17:137 -> 172.20.31.255:137 dropped.
In  [UDP]  [UDP] 203.79.83.222:138 -> 203.79.83.255:138 dropped.
In  [UDP]  [UDP] 202.0.34.162:137 -> 202.0.34.255:137 dropped.
In  [UDP]  [UDP] 172.20.22.58:137 -> 172.20.31.255:137 dropped.
In  [UDP]  [UDP] 203.96.144.109:138 -> 203.96.144.255:138 dropped.
In  [UDP]  [UDP] 172.20.31.17:137 -> 172.20.31.255:137 dropped.
In  [UDP]  [UDP] 172.20.28.71:137 -> 172.20.31.255:137 dropped.
In  [UDP]  [UDP] 172.20.28.239:137 -> 172.20.31.255:137 dropped.
In  [UDP]  [UDP] 172.20.28.239:137 -> 172.20.31.255:137 dropped.
In  [UDP]  [UDP] 203.79.83.111:137 -> 203.79.83.255:137 dropped.
In  [UDP]  [UDP] 202.0.34.162:137 -> 202.0.34.255:137 dropped.
In  [UDP]  [UDP] 203.79.83.18:138 -> 203.79.83.255:138 dropped.
In  [UDP]  [UDP] 203.97.196.32:138 -> 203.97.196.255:138 dropped.
In  [UDP]  [UDP] 192.168.0.1:1015 -> 255.255.255.255:1015 dropped.
In  [UDP]  [UDP] 192.168.0.1:1015 -> 255.255.255.255:1015 dropped.
In  [UDP]  [UDP] 202.0.34.162:137 -> 202.0.34.255:137 dropped.
In  [UDP]  [UDP] 203.79.83.111:137 -> 203.79.83.255:137 dropped.
In  [UDP]  [UDP] 172.20.31.149:137 -> 172.20.31.255:137 dropped.
In  [UDP]  [UDP] 202.0.33.132:1024 -> 202.0.33.255:138 dropped.
In  [UDP]  [UDP] 172.20.28.184:137 -> 172.20.31.255:137 dropped.
In  [UDP]  [UDP] 172.20.28.239:137 -> 172.20.31.255:137 dropped.
In  [UDP]  [UDP] 203.79.83.18:138 -> 203.79.83.255:138 dropped.
In  [UDP]  [UDP] 203.79.83.111:137 -> 203.79.83.255:137 dropped.
In  [UDP]  [UDP] 203.79.83.26:138 -> 203.79.83.255:138 dropped.
In  [UDP]  [UDP] 202.0.34.162:137 -> 202.0.34.255:137 dropped.
In  [UDP]  [UDP] 203.96.144.159:138 -> 203.96.144.255:138 dropped.
In  [UDP]  [UDP] 202.0.34.162:137 -> 202.0.34.255:137 dropped.
In  [UDP]  [UDP] 172.20.28.184:137 -> 172.20.31.255:137 dropped.
In  [UDP]  [UDP] 203.79.83.132:138 -> 203.79.83.255:138 dropped.
In  [UDP]  [UDP] 202.0.34.111:520 -> 202.0.34.255:520 dropped.
In  [UDP]  [UDP] 172.20.28.239:137 -> 172.20.31.255:137 dropped.
In  [UDP]  [UDP] 172.20.28.71:137 -> 172.20.31.255:137 dropped.
In  [UDP]  [UDP] 202.0.34.162:137 -> 202.0.34.255:137 dropped.
In  [UDP]  [UDP] 172.20.28.62:137 -> 172.20.31.255:137 dropped.
In  [UDP]  [UDP] 172.20.28.239:137 -> 172.20.31.255:137 dropped.
In  [UDP]  [UDP] 172.20.28.239:137 -> 172.20.31.255:137 dropped.
In  [UDP]  [UDP] 202.0.34.162:137 -> 202.0.34.255:137 dropped.
In  [UDP]  [UDP] 172.20.28.62:137 -> 172.20.31.255:137 dropped.
In  [UDP]  [UDP] 192.168.0.1:1015 -> 255.255.255.255:1015 dropped.
In  [UDP]  [UDP] 192.168.0.1:1015 -> 255.255.255.255:1015 dropped.
In  [UDP]  [UDP] 203.96.144.86:138 -> 203.96.144.255:138 dropped.
In  [UDP]  [UDP] 203.79.83.26:138 -> 203.79.83.255:138 dropped.
In  [UDP]  [UDP] 202.0.34.162:137 -> 202.0.34.255:137 dropped.
In  [UDP]  [UDP] 172.20.30.69:137 -> 172.20.31.255:137 dropped.
In  [UDP]  [UDP] 202.0.35.80:138 -> 202.0.35.255:138 dropped.
In  [UDP]  [UDP] 203.79.83.111:137 -> 203.79.83.255:137 dropped.
In  [UDP]  [UDP] 172.20.30.38:137 -> 172.20.31.255:137 dropped.
In  [UDP]  [UDP] 202.0.34.162:137 -> 202.0.34.255:137 dropped.
In  [UDP]  [UDP] 203.79.83.87:513 -> 203.79.83.255:513 dropped.
In  [UDP]  [UDP] 172.20.28.239:137 -> 172.20.31.255:137 dropped.
In  [UDP]  [UDP] 10.0.0.2:2301 -> 255.255.255.255:2301 dropped.
In  [UDP]  [UDP] 203.79.92.171:138 -> 203.79.92.255:138 dropped.
In  [UDP]  [UDP] 203.79.83.111:137 -> 203.79.83.255:137 dropped.
In  [UDP]  [UDP] 202.0.34.162:137 -> 202.0.34.255:137 dropped.
In  [UDP]  [UDP] 172.20.30.69:137 -> 172.20.31.255:137 dropped.
In  [UDP]  [UDP] 203.79.72.130:138 -> 203.79.72.255:138 dropped.
In  [UDP]  [UDP] 172.20.30.38:137 -> 172.20.31.255:137 dropped.
In  [UDP]  [UDP] 203.97.196.6:138 -> 203.97.196.255:138 dropped.
In  [UDP]  [UDP] 172.20.28.71:137 -> 172.20.31.255:137 dropped.
In  [UDP]  [UDP] 203.79.83.111:137 -> 203.79.83.255:137 dropped.
In  [UDP]  [UDP] 203.79.83.26:138 -> 203.79.83.255:138 dropped.
In  [UDP]  [UDP] 203.96.144.109:138 -> 203.96.144.255:138 dropped.
In  [UDP]  [UDP] 172.20.30.69:137 -> 172.20.31.255:137 dropped.
In  [UDP]  [UDP] 172.20.28.62:137 -> 172.20.31.255:137 dropped.
In  [UDP]  [UDP] 203.96.144.109:1099 -> 255.255.255.255:6666 dropped.
In  [UDP]  [UDP] 172.20.30.38:137 -> 172.20.31.255:137 dropped.
In  [UDP]  [UDP] 202.0.34.141:631 -> 255.255.255.255:631 dropped.
In  [UDP]  [UDP] 192.168.0.1:1015 -> 255.255.255.255:1015 dropped.
In  [UDP]  [UDP] 192.168.0.1:1015 -> 255.255.255.255:1015 dropped.
In  [UDP]  [UDP] 172.20.31.52:137 -> 172.20.31.255:137 dropp^C
bash-2.03# date
Mon Apr  4 14:45:52 NZST 1994

So, fifteen seconds, and shedloads of Windows browser announcements,
or something. From our previous tcpdump output we saw authentications,
directories being created, etc. etc. Now, while I know that NT at
least uses a challenge/authentication protocol and is therefore secure
from that point of view - do we really trust all this? Can 95/98/Me be
regarded as secure? Isn't there some nightmare default password on an
IPC share going on?

Perhaps what I should build is a little daemon process that can sit in
the background and make a hall of shame of Windows machines that have
gone out without protection :) We can then web enable that -
http://www.trousersroundankles.org.nz/ perhaps. Or
http://www.rap3myf1l3z.org.nz/ for the kiddies.

Oh, and BTW, I know it would all be a lot easier with Windows
connection sharing or some other bollocks. But look, at least when
something screws up
(a) It's almost certainly my fault.
(b) At least I can do something about it.

Dave



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message



