To add to what I've already suggested, you also need to maintain an
up-to-date box. Even with a firewall, if apache is unpatched, you might
have gotten hit with the SSL worm that's been going around for the last
couple of weeks, for instance. Most distros have some sort of mechanism
to synch your box to their current patchlevel. Usually the distro
maintainer will have patches up within days of an exploit.
--Joey
On Thu, 2002-10-17 at 11:17, Joey Kelly wrote:
> Well, let's see. If that is your IP, you don't have a firewall running,
> as evidenced below. Also, you are quite possibly h4z0r3d.
>
> I'd find out, and reinstall from scratch. Before I did that, I'd put up
> a firewall. All it takes is an old 486 and a couple of NICs, running
> either freesco or the netbsd firewall.
>
>
>
> jkelly@octopus:~/programs/> nmap 66.157.2.42
>
> Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
> Interesting ports on adsl-157-2-42.msy.bellsouth.net (66.157.2.42):
> (The 1538 ports scanned but not shown below are in state: closed)
> Port State Service
> 21/tcp open ftp
> 22/tcp open ssh
> 25/tcp open smtp
> 53/tcp open domain
> 80/tcp open http
> 110/tcp open pop-3
> 139/tcp open netbios-ssn
> 443/tcp open https
> 3306/tcp open mysql
> 5902/tcp open vnc-2
> 6000/tcp open X11
>
>
> Nmap run completed -- 1 IP address (1 host up) scanned in 6 seconds
>
> --Joey
>
>
> On Thu, 2002-10-17 at 16:13, Chuck wrote:
> > I have a Linux machine connected directly to the internet which is
> > running qmail. The other day I got a bounced bounce message to some
> > e-mail address at yahoo.com. I have no idea who this person is. Anyone
> > familiar with how this person got this e-mail message sent and how they
> > managed to insert details about my machine into the e-mail? I don't have
> > an open mail relay.
> >
> > --- Below this line is a copy of the message.
> >
> > Return-Path: <anonymous@michoud.com>
> > Received: (qmail 21624 invoked by uid 48); 13 Oct 2002 23:38:52 -0000
> > Date: 13 Oct 2002 23:38:52 -0000
> > Message-ID: <20021013233852.21622.qmail@michoud.com>
> > From: anonymous@michoud.com
> > To: cinik_worm@yahoo.com
> > Subject: 192.168.0.1
> >
> > PROC
> > processor : 0
> > vendor_id : GenuineIntel
> > cpu family : 6
> > model : 7
> > model name : Pentium III (Katmai)
> > stepping : 3
> > cpu MHz : 598.406
> > cache size : 512 KB
> > fdiv_bug : no
> > hlt_bug : no
> > f00f_bug : no
> > coma_bug : no
> > fpu : yes
> > fpu_exception : yes
> > cpuid level : 2
> > wp : yes
> > flags : fpu vme de pse tsc msr pae mce cx8 sep mtrr pge mca
> > cmov pat pse36 mmx fxsr sse
> > bogomips : 1192.75
> >
> > MEM
> > total used free shared buffers
> > cached
> > Mem: 384468 380912 3556 72 144292
> > 119916
> > -/+ buffers/cache: 116704 267764
> > Swap: 1565376 0 1565376
> > HDD
> > Filesystem Size Used Avail Use% Mounted on
> > /dev/hda2 2.2G 1.5G 668M 69% /
> > /dev/hda1 49M 5.9M 41M 13% /boot
> > /dev/hdb1 15G 6.4G 8.0G 45% /home
> > /dev/hdb2 2.9G 534M 2.2G 20% /var
> > none 188M 0 187M 0% /dev/shm
> > IP
> > eth0 Link encap:Ethernet HWaddr 00:E0:29:06:BC:BF
> > inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
> > UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> > RX packets:928799 errors:1 dropped:0 overruns:0 frame:0
> > TX packets:820862 errors:3 dropped:0 overruns:0 carrier:3
> > collisions:0 txqueuelen:100
> > RX bytes:117780318 (112.3 Mb) TX bytes:293833047 (280.2 Mb)
> > Interrupt:9
> >
> > eth1 Link encap:Ethernet HWaddr 00:10:4B:DA:2A:17
> > inet addr:66.157.2.42 Bcast:66.157.3.255 Mask:255.255.252.0
> > UP BROADCAST NOTRAILERS RUNNING MTU:1500 Metric:1
> > RX packets:754829 errors:0 dropped:0 overruns:0 frame:0
> > TX packets:870938 errors:0 dropped:0 overruns:0 carrier:0
> > collisions:67 txqueuelen:100
> > RX bytes:230141475 (219.4 Mb) TX bytes:107115112 (102.1 Mb)
> > Interrupt:5 Base address:0x280 DMA chan:3
> >
> > lo Link encap:Local Loopback
> > inet addr:127.0.0.1 Mask:255.0.0.0
> > UP LOOPBACK RUNNING MTU:16436 Metric:1
> > RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> > TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> > collisions:0 txqueuelen:0
> > RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
> >
> > ___________________
> > Nolug mailing list
> > nolug@nolug.org
> --
> Joey Kelly
> Linux consultant in New Orleans, Louisiana, USA
> http://kellynet.dhs.org
>
> ---
> Alcohol and Calculus don't mix. Never drink and derive.
>
> ___________________
> Nolug mailing list
> nolug@nolug.org
-- Joey Kelly Linux consultant in New Orleans, Louisiana, USA http://kellynet.dhs.org --- Alcohol and Calculus don't mix. Never drink and derive. ___________________ Nolug mailing list nolug@nolug.orgReceived on 10/17/02
This archive was generated by hypermail 2.2.0 : 12/19/08 EST