Linode Community Forums
PostPosted: Sun Nov 04, 2007 8:09 am 
Senior Member

Joined: Fri Feb 18, 2005 4:09 pm
Posts: 594
In the course of upgrading my site for Google Premium, I found I had been hacked in February of this year. I block all incoming ports except 22 for ssh, 25 for mail, 80 and 443 using an iptables script. Since Google will handle my email now, I could close incoming port 25 in the script and I set out to do so.

I immediately noticed that my iptables shell script had a modify date of Feb 21, 2007. This seemed odd; I didn't remember editing that for a few years. Hmmm. Looking into my script, ports 110, 143 and 995 were now additionally unblocked, and the following line was at the bottom of the script:

iptables -I INPUT -s 194.72.238.62 -j DROP

which traceroute points to the UK.

How they got in I don't know. I've corrected the script and changed all passwords. You might want to check your iptables start scripts.

James
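The post above is a case for auditing a firewall start script against what the owner intended to allow. The following is an added example, not code from the thread or from Linode: it assumes the firewall is a plain shell script of `iptables ...` commands (as James describes) and that the intended incoming ports are 22, 25, 80 and 443. The script text and the blocked address are constructed for the example; the address uses a documentation range rather than the one from the thread.

```python
"""Audit an iptables start script against an expected set of open ports.

Added example (not from the forum thread). Assumes the firewall is a shell
script of `iptables` commands with one rule per line, and that an ACCEPT
rule carrying `--dport N` is what opens a port.
"""
import shlex

# Constructed sample, modelled on the thread's description: the owner intended
# to allow only 22, 25, 80 and 443, but three mail ports and a host DROP
# have appeared. The IP is a documentation-range placeholder.
SAMPLE_SCRIPT = """\
#!/bin/sh
iptables -F
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp --dport 995 -j ACCEPT
iptables -I INPUT -s 198.51.100.7 -j DROP
"""

# The ports the owner believes the script opens (baseline kept off the host).
EXPECTED_PORTS = {22, 25, 80, 443}


def parse_rules(script_text):
    """Turn each `iptables ...` line into a dict of option -> value.

    Options followed by a non-option token take that token as their value;
    bare flags (e.g. `-F`) are recorded as True. Comments and non-iptables
    lines are skipped.
    """
    rules = []
    for line in script_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        argv = shlex.split(line)
        if not argv or argv[0] != "iptables":
            continue
        opts = {}
        i = 1
        while i < len(argv):
            tok = argv[i]
            has_value = i + 1 < len(argv) and not argv[i + 1].startswith("-")
            if tok.startswith("-") and has_value:
                opts[tok] = argv[i + 1]
                i += 2
            else:
                opts[tok] = True
                i += 1
        rules.append(opts)
    return rules


def audit(script_text, expected_ports=EXPECTED_PORTS):
    """Report ports opened beyond the baseline, baseline ports no longer
    opened, and any per-host DROP rules (which the baseline does not contain)."""
    accepted = set()
    dropped_hosts = []
    for opts in parse_rules(script_text):
        target = opts.get("-j")
        dport = opts.get("--dport")
        if target == "ACCEPT" and isinstance(dport, str) and dport.isdigit():
            accepted.add(int(dport))
        if target == "DROP" and isinstance(opts.get("-s"), str):
            dropped_hosts.append(opts["-s"])
    return {
        "unexpected_open": sorted(accepted - set(expected_ports)),
        "missing": sorted(set(expected_ports) - accepted),
        "dropped_hosts": dropped_hosts,
    }


if __name__ == "__main__":
    # Usage: python audit_fw.py  (or pass open("/etc/firewall.sh").read())
    for key, value in audit(SAMPLE_SCRIPT).items():
        print(f"{key}: {value}")
```

On the constructed sample this flags 110, 143 and 995 as unexpectedly open and lists the DROP'ed host, which is exactly the discrepancy the post describes. The same parser can be run over `iptables-save` output instead of the script, and comparing the script's checksum and mtime against a copy stored off the box catches edits even when the rule set happens to look plausible.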


PostPosted: Sun Nov 04, 2007 12:35 pm 
Junior Member

Joined: Wed Aug 13, 2003 12:13 am
Posts: 29
Website: http://parazoid.net
AOL: maristgeek
Location: NY
If you feel that you've been hacked, you shouldn't trust anything on your system anymore. Better to format and restore files from backups than it is to just patch a firewall hole.

As far as how they got in, 194.72.238.62 is known for trying to break in through Apache vulnerabilities. http://www.howtoforge.com/forums/showthread.php?t=13774


PostPosted: Sun Nov 04, 2007 5:54 pm 
Senior Member

Joined: Fri Feb 18, 2005 4:09 pm
Posts: 594
jax wrote:
Better to format and restore files from backups than it is to just patch a firewall hole.


In progress.

James


PostPosted: Sun Nov 04, 2007 6:53 pm 
Senior Member

Joined: Thu Nov 25, 2004 10:05 am
Posts: 52
I find this a little strange... if someone hacks a computer they invariably put it to work - serving warez, sending spam etc. From your post it looks like they just opened some ports? Or were there more signs of intrusion/abuse?

A quick lookup on the host that was blocked indicates it's one of Netcraft's servers - they gather statistics on active web servers, and probably also check for vulnerabilities for their own mostly benign purposes...

If that IP did hack you, it wouldn't be very logical to then block themselves out of your machine, would it? This sounds more like a case of late night drunken configuration changes, or just doing things in the wrong terminal window...

But of course, if you're in any doubt as to the security of your system, a rebuild is always the best way to go...


PostPosted: Sun Nov 04, 2007 7:35 pm 
Senior Member

Joined: Sun Feb 08, 2004 7:18 pm
Posts: 562
Location: Austin
I think TehDan may be right. Are you sure you weren't experimenting with running a POP/IMAP mailserver at one point? I think all those ports are mail ports.

And it makes no sense that a cracker would add a drop rule to iptables.


PostPosted: Sun Nov 04, 2007 8:05 pm 
Senior Member

Joined: Fri Feb 18, 2005 4:09 pm
Posts: 594
I watch the box a good bit and saw no excessive cpu or network usage, so I don't know that it was put to use. My guess on the block was so that the script kiddie next door couldn't use it post-brag.

James

