11.03.01, 13:44
Hello.
I always thought my router and its firewall would protect me quite well from attacks etc. from the Net....
But that is not the case.
I did a port scan at www.hackerwhacker.com (http://www.hackerwhacker.com).
A Trojan called SubSeven is supposedly running on my router...
and anyway my system is supposedly wide open like a barn door....
so here is my firewall [SuSE]
#!/bin/sh
/sbin/depmod -a
# Masquerading helper modules for protocols that carry addresses in-band
/sbin/modprobe ip_masq_irc
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_quake 27000,27910,27960,27015,27115,27005,26000
# Dial-up link: let masqueraded connections survive a change of the dynamic IP
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# Masquerade timeouts in seconds: tcp, tcp after fin, udp
/sbin/ipchains -M -S 7200 10 160
# Forward chain: deny by default, masquerade everything coming from the LAN
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -s 192.168.0.2/24 -j MASQ
# Reverse-path filtering against spoofed source addresses
# (the original had a typo here, "ip4v", so this test always failed and
# rp_filter was never switched on)
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ] ; then
    for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
        echo 1 > $i
    done
fi
# Inbound port forwards to the LAN host via ipmasqadm autofw
#BattleCom-Support
ipmasqadm autofw -A -v -r udp 2300 2400 -h 192.168.0.2/3
ipmasqadm autofw -A -v -r tcp 2300 2400 -h 192.168.0.2/3
ipmasqadm autofw -A -v -r tcp 47624 47624 -h 192.168.0.2/3
ipmasqadm autofw -A -v -r udp 47624 47624 -h 192.168.0.2/3
ipmasqadm autofw -A -v -r udp 28800 28900 -h 192.168.0.2/3
#Napster-Support
ipmasqadm autofw -A -v -r udp 6600 6700 -h 192.168.0.2/3
ipmasqadm autofw -A -v -r tcp 6600 6700 -h 192.168.0.2/3
#Mirc-File-Transmission-Support
ipmasqadm autofw -A -v -r udp 40002 40004 -h 192.168.0.2/3
ipmasqadm autofw -A -v -r tcp 40001 40001 -h 192.168.0.2/3
#BattleCom-Server-Support
# SuSEfirewall configuration variables, apparently pasted in from its config
# file; as plain shell assignments inside this script they have no effect
FW_TCP_SERVICES_INTERNAL="0:65535"
FW_UDP_SERVICES_INTERNAL="0:65535"
# Note: nothing is added to the input chain, so every service running on the
# router itself remains reachable from the Internet
---------------------------------------------
As you'll soon see, this test really works your system. Each packet sent out prints the port it is going to. You may see several attempts on the same port. This is just HackerWhacker (using the nmap program that hackers use) making sure it didn't miss anything. The more heavily protected your system is, the longer this test will take.
If you'd like to speed up the test, tell your firewall to REJECT connections instead of DENYING them. If the terms REJECT or DENY are different for your firewall, REJECT means to send an ICMP unreachable back to the sender. DENY means to simply drop the packet without informing the sender.
There are both pros and cons to each way. If you DENY packets, then it takes longer for a hacker to scan you; however, a machine with DENY in force is obvious and this tells the hacker you have a firewall present. REJECTING fools the hacker that your ports are not open (even if they are) but it allows scans to be MUCH faster (20 times faster or more).
Port State Protocol Information
21
OPEN tcp ftp FTP or Trojan Horses Doly, Fore, Blade Runner, Larva
FTP has a history of security holes. This test checks for anonymous logins which FTP usually has by default. More Information
Result total 28
drwxr-xr-x 2 root root 4096 Mar 3 00:57 bin
drwxr-xr-x 2 root root 4096 Mar 3 00:57 dev
drwxr-xr-x 2 root root 4096 Mar 3 00:57 etc
drwxr-xr-x 2 root root 4096 Mar 3 00:57 lib
drwxr-xr-x 2 root root 4096 Mar 3 00:57 msgs
drwxr-xr-x 2 root root 4096 Jul 29 2000 pub
drwxr-xr-x 3 root root 4096 Mar 3 00:57 usr
22
OPEN tcp ssh Secure Shell Login
More Information
Result SSH-1.99-OpenSSH_2.1.1
23
OPEN tcp telnet Telnet
Protocols like telnet which send their passwords unencrypted are getting more and more dangerous. Anywhere along the data path, data traffic can be watched and passwords easily stolen. More Information
25
OPEN tcp sendmail Simple Mail Transfer or Some Trojan Horses
Sendmail has its share of security problems but if you have it running, you probably need it and can't just shut it off. The business membership has an additional, in-depth scan for SMTP servers. Fixing your E-Mail server to prevent relaying. More Information
Result 220 neo.local ESMTP Sendmail 8.10.2/8.10.2/SuSE Linux 8.10.0-0.3; Sat, 10 Mar 2001 15:47:52 +0100
37
OPEN tcp time timeserver
Delivers the current time-date to a resolution of 1 second as the standard unix time_t (number of seconds since midnight GMT January 1st 1970) More Information
Result #BET#BD"
79
OPEN tcp finger Finger or Trojan Horse Firehotcker
It should be no one's business who is on your computer. More Information
Result [213.7.134.4]
Welcome to Linux version 2.2.16 at neo.local !
3:48pm up 1:34, 1 user, load average: 0.00, 0.00, 0.00
Login Name Tty Idle Login Time Where
root root pts/0 21 Sat 15:26 192.168.0.2
110
OPEN tcp pop3 PostOffice V.3 or Trojan Horse ProMail
POP3 should not be accessible over the Internet. Users who log in are sending their names and passwords unencrypted and these items can be "sniffed" by anyone who has access to the data channel anywhere along the route the information travels. Often, shutting it off is not an option since your customers need it. A compromise is to make sure that any account accessing POP3 mail does not have any higher privileges such as the ability to log in or connect to file shares. That way, if the password is compromised, only the user's email is endangered and not the entire machine. More Information
111
OPEN tcp portmapper portmapper, rpcbind
This service can reveal locations of other RPC services like NFS. It should not be accessible to strangers. We try to get information out of it here and if you get a "result" it's time to use a firewall to deny access or turn this service off entirely if you don't need it. It is needed by any programs that use RPC (Remote Procedure Call) like NFS. More Information
513
OPEN tcp login BSD rlogind(8)
All the "r" commands are notoriously insecure because of .rhosts files. You should not permit .rhosts files on your computer because users often just allow ANYONE to log in. More Information
514
OPEN tcp shell BSD rshd(8)
All the "r" commands are notoriously insecure because of .rhosts files. You should not permit .rhosts files on your computer because users often just allow ANYONE to log in. More Information
901
OPEN tcp swat SWAT Samba Web Administration Tool
More Information
Result HTTP/1.0 401 Authorization Required
WWW-Authenticate: Basic realm="SWAT"
Connection: close
Content-Type: text/html
<HTML><HEAD><TITLE>401 Authorization Required</TITLE></HEAD><BODY><H1>401 Authorization Required</H1>You must be authenticated to use this service
</BODY></HTML>
6711
OPEN tcp sub7 Sub Seven Trojan Horse
Any Trojan Horse on your computer is the worst security breach you could have. It essentially means your computer is wide open to the Internet for anyone to use as they see fit. Removing this Trojan from your system should be your highest priority.
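Added here as an illustration and not part of the original post or the poster's script: the input-chain rules that the posted firewall lacks, which is why the scan above finds every daemon on the router reachable. It assumes ppp0 is the Internet link and eth0 the LAN interface (neither name is in the post), keeps the BattleCom ports the script forwards open, and prints the rules instead of loading them when IPCHAINS=echo is set.

```shell
#!/bin/sh
# Added example, not the poster's script: input-chain rules for ipchains.
# The posted script sets only the forward policy and masquerading, so every
# daemon on the router itself (ftp, telnet, rsh, finger, portmap, SWAT, ...)
# stays reachable from the Internet, which is exactly what the scan shows.
# Assumed interface names (not in the post): ppp0 = Internet link, eth0 = LAN.
EXT_IF=${EXT_IF:-ppp0}
LAN_IF=${LAN_IF:-eth0}
LAN_NET=${LAN_NET:-192.168.0.0/24}

apply_input_rules() {
    # Set IPCHAINS=echo to print the rules instead of loading them.
    ipc=${IPCHAINS:-/sbin/ipchains}
    $ipc -F input
    $ipc -P input DENY                          # default: drop silently
    $ipc -A input -i lo -j ACCEPT               # local processes
    $ipc -A input -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT  # trusted LAN side
    # A LAN source address arriving on the Internet link is spoofed: log it.
    $ipc -A input -i "$EXT_IF" -s "$LAN_NET" -j DENY -l
    # Ports that ipmasqadm autofw forwards to the LAN host must be let in here:
    # the input chain sees the packet before it is de-masqueraded.
    for proto in tcp udp; do
        $ipc -A input -i "$EXT_IF" -p $proto -d 0.0.0.0/0 2300:2400 -j ACCEPT
        $ipc -A input -i "$EXT_IF" -p $proto -d 0.0.0.0/0 47624 -j ACCEPT
    done
    # Any other new TCP connection from the Internet (SYN set): none of the
    # router's own services need to be reachable there. REJECT answers with
    # ICMP unreachable, the variant the scanner text calls faster and less
    # conspicuous than a silent DENY; -l logs the attempt.
    $ipc -A input -i "$EXT_IF" -p tcp -y -j REJECT -l
    # Packets of connections opened from inside (SYN not set) may come back.
    $ipc -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT
    # UDP replies (DNS and the like) are accepted on unprivileged ports only.
    $ipc -A input -i "$EXT_IF" -p udp -d 0.0.0.0/0 1024:65535 -j ACCEPT
    # ICMP (errors, pings) is accepted; everything else hits the DENY policy.
    $ipc -A input -i "$EXT_IF" -p icmp -j ACCEPT
}

# Run as "sh thisfile.sh apply" on the router; without an argument the file
# only defines the function.
case "$1" in
    apply) apply_input_rules ;;
esac
```

The ipmasqadm autofw forwards from the script still work because their ports are accepted before the SYN rule; any further forwarded range has to be added to that loop as well.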