Hacked

My linode, now offline, was responsible for this report:

http://www.mynetwatchman.com/ListIncidentActivity.asp?IncidentId=206738902

Can anyone throw any light on what sort of weakness was exploited to enable this intrusion, and what I might do to prevent a repeat performance when I reinstall my linode?

tia,

4 Replies

Is it me, or doesn't this look AN AWFUL LOT like an nmap scan?

@deanswift:

http://www.mynetwatchman.com/ListIncidentActivity.asp?IncidentId=206738902

@deanswift:

Is it me, or doesn't this look AN AWFUL LOT like an nmap scan?

Look at the report's fine print. All of these agents are Windows creatures; none of these afaik can live on a linux host. Am I wrong?

"Since the target port includes udp/137 (NetBios Adapter Status), then this host is likely infected with the OpaServ worm."

See: http://www.mynetwatchman.com/kb/security/ports/17/137.htm

"Since the target port includes tcp/445 (Microsoft CIFS), then this host is likely infected with the Sasser or Agobot worm."

See: http://www.mynetwatchman.com/kb/security/ports/6/445.htm

"Since the target port includes tcp/135 (Microsoft RPC), then this host is likely infected with the MSBlast / Lovsan worm."

See: http://www.mynetwatchman.com/kb/security/ports/6/135.htm

I did run nmap scans -- with permission of a responsible party at the target host -- a couple of days this month. And, the scans were of a host in the northwestern part of the country, where he.net lives.

@deanswift:

I did run nmap scans -- with permission of a responsible party at the target host -- a couple of days this month. And, the scans were of a host in the northwestern part of the country, where he.net lives.

No good deed goes unpunished. I just checked the IP address I scanned WITH PERMISSION against that myNetWatcher report. The first two numbers, 69.1.x.x, are a match. I think that clinches it. I am hoist on my own petard!

Case closed. Sorry to make such a fuss.

@deanswift:

Look at the report's fine print. All of these agents are Windows creatures; none of these afaik can live on a linux host. Am I wrong?

"Since the target port includes udp/137 (NetBios Adapter Status), then this host is likely infected with the OpaServ worm."

See: http://www.mynetwatchman.com/kb/security/ports/17/137.htm

"Since the target port includes tcp/445 (Microsoft CIFS), then this host is likely infected with the Sasser or Agobot worm."

See: http://www.mynetwatchman.com/kb/security/ports/6/445.htm

"Since the target port includes tcp/135 (Microsoft RPC), then this host is likely infected with the MSBlast / Lovsan worm."

See: http://www.mynetwatchman.com/kb/security/ports/6/135.htm

I did run nmap scans -- with permission of a responsible party at the target host -- a couple of days this month. And, the scans were of a host in the northwestern part of the country, where he.net lives.

They don't say that the system is infected with these worms, they just say that it is likely, which is true.

Since the sys/networkadmin at the target ip that you nmapped took the time to report your activity, you obviously didn't have permission from somebody that was in a position to grant that permission to you.
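The thread's point of contention is whether hits on udp/137, tcp/445 and tcp/135 came from a worm or were a side effect of a broad port scan. As an added example (not from the thread or from myNetWatchman), the script below takes constructed iptables-style log lines, groups destination ports per source address, and labels a source as a broad "scan" when it touches many distinct ports, or "worm-like" when it touches only the three ports the report names; the log lines, IP addresses and threshold are all assumptions for illustration.

```python
import re
from collections import defaultdict

# (proto, port) pairs the myNetWatchman report ties to Windows worms:
# udp/137 OpaServ, tcp/445 Sasser/Agobot, tcp/135 MSBlast/Lovsan.
WORM_PORTS = {("udp", 137), ("tcp", 445), ("tcp", 135)}

# Constructed iptables LOG lines (RFC 5737 documentation addresses, not real hosts).
# 192.0.2.10 sweeps many ports (scanner-like); 203.0.113.7 hits only 445 and 135.
_FMT = "Jun  3 10:01:02 gw kernel: IN=eth0 SRC={src} DST=198.51.100.5 PROTO={proto} SPT={spt} DPT={dpt}"
_SCAN_PORTS = [135, 445, 22, 25, 80, 110, 143, 443, 993, 3306, 8080]
SAMPLE_LOG = "\n".join(
    [_FMT.format(src="192.0.2.10", proto="TCP", spt=51000 + i, dpt=p) for i, p in enumerate(_SCAN_PORTS)]
    + [_FMT.format(src="192.0.2.10", proto="UDP", spt=51020, dpt=137)]
    + [_FMT.format(src="203.0.113.7", proto="TCP", spt=1034, dpt=445),
       _FMT.format(src="203.0.113.7", proto="TCP", spt=1035, dpt=135)]
)

# Tolerates extra fields (LEN=, TOS=, ...) between SRC, PROTO and DPT.
LINE_RE = re.compile(r"SRC=(\S+) .*?PROTO=(\w+) .*?DPT=(\d+)")


def ports_by_source(log):
    """Map each source IP to the set of (proto, dport) pairs it touched."""
    hits = defaultdict(set)
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            hits[m.group(1)].add((m.group(2).lower(), int(m.group(3))))
    return dict(hits)


def classify(ports, scan_threshold=10):
    """Label one source's port set: 'scan', 'worm-like' or 'other'.

    A source touching scan_threshold or more distinct (proto, port) pairs looks
    like a port sweep; one that touches only the worm ports matches the report's
    inference; anything else is left for manual review.
    """
    if len(ports) >= scan_threshold:
        return "scan"
    if ports and ports <= WORM_PORTS:
        return "worm-like"
    return "other"


def classify_log(log, scan_threshold=10):
    """Classify every source address seen in the log."""
    return {src: classify(p, scan_threshold) for src, p in ports_by_source(log).items()}


if __name__ == "__main__":
    for src, label in classify_log(SAMPLE_LOG).items():
        print(src, label)
```

The threshold is a judgment call: a scanner that probes only the three worm ports is indistinguishable from a worm by port set alone, which is exactly the ambiguity the report's "likely" wording reflects.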
