Hacked
Can anyone throw any light on what sort of weakness was exploited to enable this intrusion, and what I might do to prevent a repeat performance when I reinstall my linode?
tia,
4 Replies
@deanswift:
http://www.mynetwatchman.com/ListIncidentActivity.asp?IncidentId=206738902
@deanswift:
Is it me, or doesn't this look AN AWFUL LOT like an nmap scan?
Look at the report's fine print. All of these agents are Windows creatures; none of these afaik can live on a linux host. Am I wrong?
"Since the target port includes udp/137 (NetBios Adapter Status), then this host is likely infected with the OpaServ worm.
See:
"Since the target port includes tcp/445 (Microsoft CIFS), then this
host is likely infected with the Sasser or Agobot worm.
See:
"Since the target port includes tcp/135 (Microsoft RPC), then this
host is likely infected with the MSBlast / Lovsan worm.
See:
I did run nmap scans -- with permission of a responsible party at the target host -- a couple of days this month. And, the scans were of a host in the northwestern part of the country, where he.net lives.
@deanswift:
I did run nmap scans -- with permission of a responsible party at the target host -- a couple of days this month. And, the scans were of a host in the northwestern part of the country, where he.net lives.
No good deed goes unpunished. I just checked the IP address I scanned WITH PERMISSION against that myNetWatchman report. The first two numbers, 69.1.x.x, are a match. I think that clinches it. I am hoist on my own petard!
Case closed. Sorry to make such a fuss.
@deanswift:
Look at the report's fine print. All of these agents are Windows creatures; none of these afaik can live on a linux host. Am I wrong?
"Since the target port includes udp/137 (NetBios Adapter Status), then this host is likely infected with the OpaServ worm.
See:
http://www.mynetwatchman.com/kb/security/ports/17/137.htm
"Since the target port includes tcp/445 (Microsoft CIFS), then this
host is likely infected with the Sasser or Agobot worm.
See:
http://www.mynetwatchman.com/kb/security/ports/6/445.htm
"Since the target port includes tcp/135 (Microsoft RPC), then this
host is likely infected with the MSBlast / Lovsan worm.
See:
http://www.mynetwatchman.com/kb/security/ports/6/135.htm
I did run nmap scans -- with permission of a responsible party at the target host -- a couple of days this month. And, the scans were of a host in the northwestern part of the country, where he.net lives.
They don't say that the system is infected with these worms; they just say that it is likely, which is true.
Since the sys/network admin at the target IP that you nmapped took the time to report your activity, you obviously didn't have permission from somebody who was in a position to grant that permission to you.
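The two things this thread turns on, a port-based report that only says a source is "likely" worm-infected, and the realisation that the reported activity was the poster's own permitted nmap run, can be checked mechanically. Below is an added example, not code from the original posts or from myNetWatchman: it groups probe events by source, applies the three port-to-worm hints quoted in the thread, separates worm-like traffic (one or two ports across many hosts) from scanner-like traffic (many ports on few hosts), and reconciles every event against a record of who was permitted to scan what and when. The log line format, the authorisation record, the IP addresses (RFC 5737 documentation ranges) and the five-port cut-off for a sweep are all constructed assumptions.

```python
"""Triage a port-based probe report against a record of authorised scans.

Added example for this thread; not code from the original posts or from
myNetWatchman. Log format, addresses and authorisations are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# The port-to-worm hints quoted in the thread. They are stated as "likely":
# the mapping looks only at the target port, never at the source OS.
WORM_HINTS = {
    ("udp", 137): "OpaServ (NetBIOS adapter status)",
    ("tcp", 445): "Sasser / Agobot (Microsoft CIFS)",
    ("tcp", 135): "MSBlast / Lovsan (Microsoft RPC)",
}


@dataclass(frozen=True)
class Event:
    when: datetime
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Authorisation:
    """One permission to scan: from which host, which targets, which window."""
    scanner: str
    targets: str  # CIDR of hosts you were allowed to scan
    start: datetime
    end: datetime


def parse_line(line: str) -> Event:
    """Parse one constructed log line: '<iso-ts> src=A dst=B proto=tcp dport=N'."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Event(datetime.fromisoformat(ts), kv["src"], kv["dst"],
                 kv["proto"], int(kv["dport"]))


def is_authorised(e: Event, auths) -> bool:
    """True if some authorisation covers this source, target and time."""
    return any(e.src == a.scanner
               and ip_address(e.dst) in ip_network(a.targets)
               and a.start <= e.when <= a.end
               for a in auths)


def triage(lines, auths, sweep_ports: int = 5):
    """Per source: ports hit, worm hints, unexplained events and a verdict.

    Heuristic (assumed cut-off): a worm hits one or two ports on many hosts;
    a port scanner hits many ports on few hosts.
    """
    by_src = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        by_src[e.src].append(e)

    report = {}
    for src, evs in by_src.items():
        ports = sorted({(e.proto, e.dport) for e in evs})
        hosts = {e.dst for e in evs}
        hints = sorted({WORM_HINTS[p] for p in ports if p in WORM_HINTS})
        unexplained = sum(1 for e in evs if not is_authorised(e, auths))

        if unexplained == 0:
            verdict = "authorised scan"       # every event matches the record
        elif len(ports) >= sweep_ports and len(hosts) < len(ports):
            verdict = "scanner-like"          # many ports, few hosts
        elif hints:
            verdict = "worm-like"             # few ports, worm-associated
        else:
            verdict = "unclassified"
        report[src] = {"ports": ports, "hosts": len(hosts), "hints": hints,
                       "unexplained": unexplained, "verdict": verdict}
    return report


# Constructed sample: an authorised nmap run, an unauthorised port sweep from
# another host, and a single-port 445/tcp sweep across five hosts.
AUTHS = [Authorisation("203.0.113.7", "192.0.2.0/24",
                       datetime(2005, 5, 12, 9, 0), datetime(2005, 5, 12, 11, 0))]

SAMPLE_LOG = [
    "2005-05-12T10:01:00 src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=22",
    "2005-05-12T10:01:01 src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=80",
    "2005-05-12T10:01:02 src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=135",
    "2005-05-12T10:01:03 src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=139",
    "2005-05-12T10:01:04 src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=445",
    "2005-05-12T10:01:05 src=203.0.113.7 dst=192.0.2.10 proto=udp dport=137",
    "2005-05-12T12:30:00 src=203.0.113.8 dst=192.0.2.20 proto=tcp dport=21",
    "2005-05-12T12:30:01 src=203.0.113.8 dst=192.0.2.20 proto=tcp dport=22",
    "2005-05-12T12:30:02 src=203.0.113.8 dst=192.0.2.20 proto=tcp dport=25",
    "2005-05-12T12:30:03 src=203.0.113.8 dst=192.0.2.20 proto=tcp dport=80",
    "2005-05-12T12:30:04 src=203.0.113.8 dst=192.0.2.20 proto=tcp dport=135",
    "2005-05-12T12:30:05 src=203.0.113.8 dst=192.0.2.20 proto=tcp dport=445",
    "2005-05-12T10:02:00 src=198.51.100.9 dst=192.0.2.1 proto=tcp dport=445",
    "2005-05-12T10:02:01 src=198.51.100.9 dst=192.0.2.2 proto=tcp dport=445",
    "2005-05-12T10:02:02 src=198.51.100.9 dst=192.0.2.3 proto=tcp dport=445",
    "2005-05-12T10:02:03 src=198.51.100.9 dst=192.0.2.4 proto=tcp dport=445",
    "2005-05-12T10:02:04 src=198.51.100.9 dst=192.0.2.5 proto=tcp dport=445",
]

if __name__ == "__main__":
    for src, row in triage(SAMPLE_LOG, AUTHS).items():
        print(src, row["verdict"], row["hints"])
```

Note that the authorised scanner still collects all three worm hints, exactly as the poster's report did; it is the authorisation record, not the port list, that clears it. The unauthorised scanner from 203.0.113.8 is classed as a sweep rather than a worm because it touches many ports on one host, while the 445/tcp-only source spreading across five hosts is the pattern the report's heuristics were written for.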