Linode Community Forums
Wendel
Joined: 13 Feb 2011
Posts: 2
Posted: Sun Feb 13, 2011 1:29 pm
Post subject: Server Probably Hacked, No Traffic allowed in!
Sorry that a request for help is my first post.
Some background: running CentOS 5.2, usually administered with Webmin and Usermin.
Today I was adding a friend's domain when I was unable to log into Webmin.
I opened up the Linode console and rebooted my server. Before I did this I was able to open websites (tried two different ones), and https gave me the default Apache page, which was normal.
Restarted the server, and now I can't access ANYTHING at all: no http, no telnet, no ssh, no ftp.
I was on IRC and HoopyCat suggested I run a couple of commands; here they are..
netstat -ntlp
Code:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:20000           0.0.0.0:*               LISTEN      2914/perl
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      2606/mysqld
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2352/portmap
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN      2919/perl
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      2332/named
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      2521/cupsd
tcp        0      0 127.0.0.1:11000         0.0.0.0:*               LISTEN      2897/lookup-domain-
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      2683/postmaster
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      2767/master
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      2332/named
tcp        0      0 0.0.0.0:861             0.0.0.0:*               LISTEN      2375/rpc.statd
tcp        0      0 :::993                  :::*                    LISTEN      2694/dovecot
tcp        0      0 :::995                  :::*                    LISTEN      2694/dovecot
tcp        0      0 :::110                  :::*                    LISTEN      2694/dovecot
tcp        0      0 :::143                  :::*                    LISTEN      2694/dovecot
tcp        0      0 :::80                   :::*                    LISTEN      2792/httpd
tcp        0      0 :::21                   :::*                    LISTEN      2777/proftpd: (acce
tcp        0      0 :::22                   :::*                    LISTEN      2513/sshd
tcp        0      0 ::1:953                 :::*                    LISTEN      2332/named
tcp        0      0 :::443                  :::*                    LISTEN      2792/httpd
and iptables -L -n
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:20
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:21
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:20000
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:10000
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:993
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:143
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:995
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:110
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:20
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
RH-Firewall-1-INPUT  all  --  0.0.0.0/0  0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0  0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
Hopefully someone can help me. I don't have anything really mission critical, but I would like to get this resolved.
Thanks
hoopycat
Joined: 30 Aug 2008
Posts: 1294
Location: Rochester, New York
Posted: Sun Feb 13, 2011 2:54 pm
Sorry, I wandered away from the keyboard for a bit there...
It looks like everything should be working OK. A couple more things to check:
1) Make sure 'ip addr' or 'ifconfig' shows the correct public IP on eth0
2) Try, while logged in via lish, 'telnet that.ip.address 80'; if it connects, hit enter a few times. There are a few possibilities for what will happen (I'm using three different IPs in this example, for simplicity):
Code:
$ telnet 192.168.1.103 80 # i do not have a web server running
Trying 192.168.1.103...
telnet: Unable to connect to remote host: Connection refused
$ telnet 97.107.134.213 80 # i have a web server running, and it is fine
Trying 97.107.134.213...
Connected to 97.107.134.213.
Escape character is '^]'.
HTTP/1.0 400 Bad Request
Connection: close
Content-Type: text/html
[...]
$ telnet 192.168.1.112 80 # i have a firewall blocking port 80
Trying 192.168.1.112...
(long wait here -- hit ctrl-C after a few seconds)
3) Try the same from your local computer.
If #3 is tough (e.g. you're running Windows), catch me on IRC and let me know your IP and I'll try it from here.
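The three telnet outcomes hoopycat lists (refused, connected, long wait) are the whole diagnostic: "refused" means the packet reached a host with nothing listening, "connected" means listener and firewall are both fine, and a hang means the SYN was dropped by a DROP rule, a routing problem, or an interface with no address. Since netstat and iptables in the first post both looked normal, a hang on every port points below them, at the link. The script below is an added example, not code from the thread or from Linode; it wraps that classification in a function so it can be run against every listening port in one go. It assumes bash (for the /dev/tcp pseudo-device) and coreutils `timeout`, and the target defaults to 127.0.0.1 when no IP is given. One caveat on reading the iptables output above: `iptables -L -n` without `-v` hides the interface column, so the first `ACCEPT all` rule in RH-Firewall-1-INPUT is almost certainly the stock `-i lo` rule rather than an accept-everything rule; re-run with `-v -n` before drawing conclusions from it.

```shell
#!/bin/bash
# Added example (not from the thread): reproduce hoopycat's three telnet
# outcomes with one function that classifies a TCP connect attempt.
# Assumes bash (for /dev/tcp) and coreutils 'timeout'.

# classify_probe RC ERRTEXT
# Map the exit status and stderr text of a connect attempt to one word:
#   open      - handshake completed: a process is listening and the
#               firewall let the SYN through
#   refused   - host answered with RST: reachable, nothing listening there
#               (or an iptables REJECT using --reject-with tcp-reset)
#   filtered  - no answer before the deadline: a DROP rule, a routing or
#               link problem (e.g. eth0 without its address), or host down
#   error:... - anything else (bad name, "Network is unreachable", ...)
classify_probe() {
  rc=$1
  err=$2
  if [ "$rc" -eq 0 ]; then
    echo open
  elif [ "$rc" -eq 124 ]; then      # 'timeout' exits 124 when the deadline hits
    echo filtered
  else
    case "$err" in
      *"Connection refused"*) echo refused ;;
      *) echo "error: $err" ;;
    esac
  fi
}

# probe_port HOST PORT [SECONDS]
# Make one TCP connection attempt and classify it. Uses bash's /dev/tcp so
# no telnet or nc binary is needed on the box being diagnosed.
probe_port() {
  host=$1
  port=$2
  secs=${3:-5}
  # '&& rc=0 || rc=$?' keeps this safe under 'set -e'
  err=$(timeout "$secs" bash -c "exec 3<>/dev/tcp/$host/$port" 2>&1) && rc=0 || rc=$?
  classify_probe "$rc" "$err"
}

# Usage: run from lish against the public IP (hoopycat's step 2), e.g.
#   ./probe.sh 97.107.134.213
# "filtered" on every port that netstat shows as LISTEN means the host is
# unreachable as a whole: check 'ip addr' on eth0, not the iptables rules.
target=${1:-127.0.0.1}       # 127.0.0.1 is only a stand-in when no IP is given
for port in 22 80 443; do
  printf '%s:%s %s\n' "$target" "$port" "$(probe_port "$target" "$port" 1)"
done
```

The classification is deliberately separated from the network call so it can be checked without a network; `probe_port` is the only part that touches the wire.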
Wendel
Joined: 13 Feb 2011
Posts: 2
Posted: Sun Feb 13, 2011 3:33 pm
Well, it turns out eth0 wasn't getting a network address because of a small error in the eth0 config file.
Removed the line referencing the incorrect MAC address, restarted eth0 and we are back online.
Thanks for all the help here and in IRC.
glg
Joined: 09 Jan 2009
Posts: 505
Posted: Sun Feb 13, 2011 5:35 pm
It's a good idea to at least do ifdown/ifup, if not a reboot, after you make network changes (if you can take the downtime). That way you ensure that your config works right away, and don't end up in this situation where it's broken, but that isn't obvious until months later when you finally do reboot.
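The line Wendel removed is the HWADDR= entry of /etc/sysconfig/network-scripts/ifcfg-eth0. On CentOS 5, ifup compares that value with the device's real MAC and, when they differ, logs "Device eth0 has different MAC address than expected, ignoring." and leaves the interface unconfigured, which is exactly the symptom here: every daemon listening, firewall open, nothing reachable, and no sign of it until the reboot glg warns about. The script below is an added example, not from the thread or from Red Hat's network scripts; it performs that same comparison ahead of time so the mismatch shows up before the next reboot. It assumes the RHEL ifcfg file layout and `/sys/class/net/<dev>/address` for the live MAC; the sample config and MAC addresses at the bottom are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): detect an ifcfg-ethX whose HWADDR=
# no longer matches the NIC, the misconfiguration that took Wendel's
# Linode off the network after a reboot. Assumes the RHEL/CentOS
# /etc/sysconfig/network-scripts layout and /sys/class/net for live MACs.

# cfg_hwaddr FILE
# Print the HWADDR value from an ifcfg file, lower-cased, quotes stripped.
# Prints nothing if there is no HWADDR line (ifup then skips the check).
cfg_hwaddr() {
  sed -n 's/^[[:space:]]*HWADDR=["'\'']\{0,1\}\([0-9A-Fa-f:]*\).*/\1/p' "$1" \
    | head -n 1 | tr 'A-F' 'a-f'
}

# hwaddr_status CONFIGURED_MAC LIVE_MAC
#   ok       - match, or no HWADDR pinned in the file
#   mismatch - ifup will ignore the device; fix or remove the HWADDR= line
hwaddr_status() {
  want=$(printf '%s' "$1" | tr 'A-F' 'a-f')
  have=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  if [ -z "$want" ] || [ "$want" = "$have" ]; then
    echo ok
  else
    echo mismatch
  fi
}

# check_iface NAME
# Compare the ifcfg file for NAME against the running NIC. Run this right
# after editing the file, before relying on 'ifdown/ifup' or a reboot.
check_iface() {
  dev=$1
  cfg=/etc/sysconfig/network-scripts/ifcfg-$dev
  [ -r "$cfg" ] || { echo "no config: $cfg"; return 1; }
  [ -r "/sys/class/net/$dev/address" ] || { echo "no such device: $dev"; return 1; }
  hwaddr_status "$(cfg_hwaddr "$cfg")" "$(cat "/sys/class/net/$dev/address")"
}

# Constructed sample (not a real file): a stale HWADDR left behind when the
# virtual NIC's address changed, the situation described in the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
DEVICE=eth0
BOOTPROTO=static
HWADDR=00:16:3E:12:34:56
ONBOOT=yes
EOF
echo "constructed sample vs live 00:16:3e:ab:cd:ef: $(hwaddr_status "$(cfg_hwaddr "$sample")" "00:16:3e:ab:cd:ef")"
rm -f "$sample"
# On a real box:  check_iface eth0
```

`hwaddr_status` reports "ok" when no HWADDR is pinned at all, matching ifup's behaviour; if you want the pin enforced (so a swapped NIC cannot silently pick up another interface's config), treat the empty case as a failure instead.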