Server Probably Hacked, No Traffic Allowed In!

Sorry that a request for help is my first post.

Some background: running CentOS 5.2, usually administered with Webmin and Usermin.

Today I was adding a friend's domain when I found I was unable to log into Webmin.

I opened up the Linode console and rebooted my server. Before I did this I was able to open websites (tried two different ones), and https gave me the default Apache page, which was normal.

Restarted the server, and now I can't access ANYTHING at all, no http, no telnet, no ssh, no ftp.

I was on IRC and HoopyCat suggested I run a couple of commands; here they are:

netstat -ntlp

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:20000               0.0.0.0:*                   LISTEN      2914/perl
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      2606/mysqld
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      2352/portmap
tcp        0      0 0.0.0.0:10000               0.0.0.0:*                   LISTEN      2919/perl
tcp        0      0 127.0.0.1:53                0.0.0.0:*                   LISTEN      2332/named
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      2521/cupsd
tcp        0      0 127.0.0.1:11000             0.0.0.0:*                   LISTEN      2897/lookup-domain-
tcp        0      0 127.0.0.1:5432              0.0.0.0:*                   LISTEN      2683/postmaster
tcp        0      0 0.0.0.0:25                  0.0.0.0:*                   LISTEN      2767/master
tcp        0      0 127.0.0.1:953               0.0.0.0:*                   LISTEN      2332/named
tcp        0      0 0.0.0.0:861                 0.0.0.0:*                   LISTEN      2375/rpc.statd
tcp        0      0 :::993                      :::*                        LISTEN      2694/dovecot
tcp        0      0 :::995                      :::*                        LISTEN      2694/dovecot
tcp        0      0 :::110                      :::*                        LISTEN      2694/dovecot
tcp        0      0 :::143                      :::*                        LISTEN      2694/dovecot
tcp        0      0 :::80                       :::*                        LISTEN      2792/httpd
tcp        0      0 :::21                       :::*                        LISTEN      2777/proftpd: (acce
tcp        0      0 :::22                       :::*                        LISTEN      2513/sshd
tcp        0      0 ::1:953                     :::*                        LISTEN      2332/named
tcp        0      0 :::443                      :::*                        LISTEN      2792/httpd

and iptable -F -n

Chain INPUT (policy ACCEPT)                                                                         
target     prot opt source               destination                                                
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:20                             
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:21                             
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53                             
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:20000                          
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:10000                          
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443                            
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80                             
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:993                            
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:143                            
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:995                            
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:110                            
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:20                             
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21                             
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53                             
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25                             
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22                             
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0                                        

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Hopefully someone can help me. I don't have anything really mission critical, but I would like to get this resolved.

Thanks

3 Replies

Sorry, I wandered away from the keyboard for a bit there…

It looks like everything should be working OK. A couple more things to check:

1) Make sure 'ip addr' or 'ifconfig' shows the correct public IP on eth0

2) Try, while logged in via lish, 'telnet that.ip.address 80'; if it connects, hit enter a few times. There are a few possibilities for what will happen (I'm using three different IPs in this example, for simplicity):

$ telnet 192.168.1.103 80   # i do not have a web server running
Trying 192.168.1.103...
telnet: Unable to connect to remote host: Connection refused

$ telnet 97.107.134.213 80   # i have a web server running, and it is fine
Trying 97.107.134.213...
Connected to 97.107.134.213.
Escape character is '^]'.

HTTP/1.0 400 Bad Request
Connection: close
Content-Type: text/html
[...]

$ telnet 192.168.1.112 80   # i have a firewall blocking port 80
Trying 192.168.1.112...
(long wait here -- hit ctrl-C after a few seconds)

3) Try the same from your local computer.

If #3 is tough (e.g. you're running Windows), catch me on IRC and let me know your IP and I'll try it from here.
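The telnet test in step 2 distinguishes three outcomes by how the connect attempt fails. The script below is an added example (not HoopyCat's or Linode's code) that automates that classification for a list of ports, and also separates a fourth outcome the page's own firewall can produce: the final REJECT rule with icmp-host-prohibited makes the client see "No route to host" rather than a silent timeout. Host names and ports are whatever you pass in; the self-check uses a loopback listener it creates itself.

```python
"""Classify TCP reachability the way the manual telnet test does."""
import errno
import socket

CONNECTED = "connected"      # handshake completed: a service is listening
REFUSED = "refused"          # RST came back: host is up, nothing on that port
TIMEOUT = "timeout"          # no answer at all: DROP rule, wrong IP, or no route
PROHIBITED = "prohibited"    # ICMP unreachable: e.g. iptables REJECT icmp-host-prohibited


def classify_tcp(host, port, timeout=3.0):
    """Attempt one TCP connect and return which of the four outcomes occurred."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return CONNECTED
    except socket.timeout:
        return TIMEOUT
    except ConnectionRefusedError:
        return REFUSED
    except OSError as e:
        # EHOSTUNREACH / ENETUNREACH are what an ICMP host/net-prohibited
        # reply from a REJECT rule looks like from the client side.
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return PROHIBITED
        raise
    finally:
        s.close()


def check_ports(host, ports, timeout=3.0):
    """Return {port: outcome} for every port in the list (e.g. 22, 80, 443)."""
    return {p: classify_tcp(host, p, timeout) for p in ports}


def self_check():
    """Prove the classifier on loopback: open listener, then the same port closed.
    Returns (outcome_while_listening, outcome_after_close)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))      # port 0: the kernel picks a free port
    srv.listen(1)                   # backlog lets connect() succeed without accept()
    port = srv.getsockname()[1]
    while_open = classify_tcp("127.0.0.1", port)
    srv.close()
    after_close = classify_tcp("127.0.0.1", port)
    return while_open, after_close


if __name__ == "__main__":
    print(self_check())
    print(check_ports("127.0.0.1", [22, 80, 443]))
```

Run it from lish against the server's own public IP and from an outside machine; a port that is "connected" locally but "timeout" remotely points at the path in, not the daemon.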

Well, it turns out eth0 wasn't getting a network address because of a small error in the eth0 config file.

Removed the line referencing the incorrect mac address, restarted eth0 and we are back online.

Thanks for all the help here and in IRC.

It's a good idea to at least do ifdown/ifup, if not a reboot after you make network changes (if you can take the downtime). That way you ensure that your config works right away, and don't end up in this situation where it's broken, but that isn't obvious until months later when you finally do reboot.
