Centinul (Apprentice, joined 28 Jul 2005, 232 posts)
Posted: Mon Sep 12, 2005 2:49 am
Post subject: Have I been hacked???!!
I was using my Windows-based laptop that is behind a Gentoo firewall tonight and I got a window that popped up from Symantec firewall that said I had an alert. It seemed I was port scanned (even though I'm not sure I can tell) because there was mention of the "Rat Trojan" and the "GateCrasher Trojan".
My question is that on my firewall I drop all NEW, INVALID and SYN,ACK SYN,ACK packets.
How did this get through my firewall and hit the Windows machine?
Should I be concerned? Please help. Thanks!
Dlareh (Advocate, joined 06 Aug 2005, 2102 posts)
Posted: Mon Sep 12, 2005 3:51 am
EDIT: nm, I don't know why Symantec would call port-scanning a "trojan".

-- "Mr Thomas Edison has been up on the two previous nights discovering 'a bug' in his phonograph." --Pall Mall Gazette (1889)
Are we THERE yet?

Last edited by Dlareh on Mon Sep 12, 2005 4:04 am; edited 1 time in total
Centinul (Apprentice, joined 28 Jul 2005, 232 posts)
Posted: Mon Sep 12, 2005 3:59 am
Any measures I can take to strengthen my firewall?
Kaapeli (Tux's lil' helper, joined 27 Dec 2004, 110 posts, location: Oulu, Finland)
Posted: Mon Sep 12, 2005 6:16 am
In my firewall I have a rule that allows RELATED and ESTABLISHED packets to come in, then I have some port-specific rules that allow packets to come in on certain ports. At the end I have a rule that drops everything else (TCP and UDP). That means I can run services on some ports I've opened and incoming connection attempts to any other port will be dropped, but all traffic that is related to connections that have been established from my end will be passed through.
In principle I would recommend you to keep your firewall script simple and allow only necessary packets in and then block everything else.
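The policy described in this post, written out as an iptables script. This is an added example, not Kaapeli's own script; the interface names, the LAN range and the open-port list are assumptions, and the anti-spoofing rule anticipates the point raised later in the thread.

```shell
#!/bin/sh
# Added example: the policy Kaapeli describes written out as an iptables script,
# plus the anti-spoofing check raised later in the thread. Interface names and
# the LAN range are assumptions for this example; adjust them to your network.
WAN=eth0                 # assumed external interface
LAN=eth1                 # assumed internal interface
LAN_NET=192.168.1.0/24   # assumed internal address range
OPEN_TCP="22"            # ports for services the firewall itself exposes

# rules prints the iptables commands rather than running them, so the policy
# can be reviewed before it is applied.
rules() {
    echo "iptables -F; iptables -t nat -F; iptables -X"
    echo "iptables -P INPUT DROP; iptables -P FORWARD DROP; iptables -P OUTPUT ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # anti-spoofing: traffic on the WAN side claiming a LAN source address is bogus
    echo "iptables -A INPUT -i $WAN -s $LAN_NET -j DROP"
    echo "iptables -A FORWARD -i $WAN -s $LAN_NET -j DROP"
    # INVALID packets belong to no tracked connection; drop them early
    echo "iptables -A INPUT -m state --state INVALID -j DROP"
    echo "iptables -A FORWARD -m state --state INVALID -j DROP"
    # replies to connections opened from our side come back in
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # the LAN may reach the firewall and go out through it
    echo "iptables -A INPUT -i $LAN -s $LAN_NET -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT"
    # port-specific rules for services this box runs
    for p in $OPEN_TCP; do
        echo "iptables -A INPUT -i $WAN -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # log every other new connection attempt arriving from the WAN;
    # the DROP default policy then discards it
    echo "iptables -A INPUT -i $WAN -m state --state NEW -j LOG --log-prefix 'FW-DROP-NEW: '"
    echo "iptables -A FORWARD -i $WAN -m state --state NEW -j LOG --log-prefix 'FW-DROP-FWD: '"
    # hide the LAN behind the firewall's public address
    echo "iptables -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE"
}

case "$1" in
    --apply) rules | sh ;;   # run as root to load the rules
    *)       rules ;;        # default: just show them
esac
```

Run it without arguments to review the generated rules; `--apply` loads them.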
Centinul (Apprentice, joined 28 Jul 2005, 232 posts)
Posted: Mon Sep 12, 2005 11:35 am
That is exactly what I do. I just don't understand how the port scan made it through the firewall when I only allow established and related back in.
minskpower (Tux's lil' helper, joined 16 Jun 2005, 94 posts, location: /dev/null)
Posted: Mon Sep 12, 2005 12:04 pm
Why are you using a Symantec firewall if you are behind a Linux box? Are there other Windows machines in your network?
Second, is your Gentoo firewall blocking invalid packets with spoofed IPs (coming through the external interface but with a source IP matching your internal address range)?
Centinul (Apprentice, joined 28 Jul 2005, 232 posts)
Posted: Mon Sep 12, 2005 7:29 pm
I'm running another firewall on my Windows machine just in case the firewall by chance didn't catch something. Plus redundancy doesn't hurt anyway.
I am blocking packets that come through the external interface but claim an internal source IP.
Any other ideas?
jamapii (l33t, joined 16 Sep 2004, 637 posts)
Posted: Mon Sep 12, 2005 11:27 pm
Post subject: Re: Have I been hacked???!!
Centinul wrote: "It seemed I was port scanned"

If that Gentoo firewall is doing SNAT or MASQUERADE for the rest of your network, nothing can really scan your Windows computer (even without any DROP/REJECT rules) ... unless you have DNATted some ports to the Windows box (possibly for IM protocols etc.).
So, if it really was a portscan (scanning for the presence of a trojan), the question is, how did it get through? The numeric port number can help determine what happened. There are sites on the net that can scan you on demand. If the Gentoo firewall works correctly, the Symantec firewall should only see what you intended to be forwarded.
After reading the "it seemed"... maybe the message wasn't really clear. You might have got trojans etc. on your computer if you recently installed something new, or if you visited a site with ActiveX (or whatever) on and it sneaked something in, or you don't have the latest Windows security updates...
Well, summary: 1. Check your Gentoo firewall by running a portscan from a site that does these, 2. Check that your Windows is clean with some scan software.
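One way to follow jamapii's advice on the Gentoo box itself: look at what the firewall's own LOG rules recorded, which tells you whether the scan was stopped at the external interface or actually headed for the LAN. This is an added example, not from the thread; the log lines are constructed samples in the netfilter LOG format, and the "FW-DROP-NEW:"/"FW-DROP-FWD:" prefixes and interface names eth0/eth1 are assumptions.

```shell
#!/bin/sh
# Added example: triage of iptables LOG lines from the Gentoo firewall.
# The log below is constructed sample data; prefixes and interface names are assumptions.
SAMPLE_LOG='Sep 12 02:40:01 gw kernel: FW-DROP-NEW: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=44123 DPT=1080 SYN
Sep 12 02:40:01 gw kernel: FW-DROP-NEW: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=44124 DPT=6969 SYN
Sep 12 02:40:02 gw kernel: FW-DROP-NEW: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=44125 DPT=6970 SYN
Sep 12 02:40:02 gw kernel: FW-DROP-NEW: IN=eth0 OUT= SRC=192.168.1.50 DST=198.51.100.2 PROTO=TCP SPT=5555 DPT=139 SYN
Sep 12 02:41:10 gw kernel: FW-DROP-FWD: IN=eth0 OUT=eth1 SRC=198.18.0.9 DST=192.168.1.10 PROTO=TCP SPT=1025 DPT=6969 SYN'

# scan_sources MIN: external sources that probed at least MIN distinct
# destination ports (a crude port-scan indicator). Prints "source count".
scan_sources() {
    printf '%s\n' "$SAMPLE_LOG" | awk -v min="$1" '
        /IN=eth0/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) s = substr($i, 5)
                if ($i ~ /^DPT=/) p = substr($i, 5)
            }
            if (!((s, p) in seen)) { seen[s, p] = 1; n[s]++ }
        }
        END { for (s in n) if (n[s] >= min) print s, n[s] }' | sort
}

# spoofed: packets that arrived on the WAN interface but claim a LAN source,
# exactly the case minskpower asked about
spoofed() {
    printf '%s\n' "$SAMPLE_LOG" | awk '/IN=eth0/ && /SRC=192\.168\.1\./ {
        for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) print substr($i, 5) }'
}

# toward_lan: new connections that were about to be forwarded into the LAN,
# i.e. the only traffic a firewall on the Windows box could have seen;
# a DNAT hole shows up here as "inside-address:port"
toward_lan() {
    printf '%s\n' "$SAMPLE_LOG" | awk '/OUT=eth1/ {
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^DST=/) d = substr($i, 5)
            if ($i ~ /^DPT=/) p = substr($i, 5)
        }
        print d ":" p }'
}
```

If toward_lan prints nothing for the time of the alert, the Symantec warning did not come from traffic that passed the Gentoo box.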
wokick (Tux's lil' helper, joined 27 Sep 2004, 97 posts)
Posted: Tue Sep 13, 2005 12:15 am
There are too many false positives from Symantec Norton software.
Just forget about it.
Dlareh (Advocate, joined 06 Aug 2005, 2102 posts)
Posted: Tue Sep 13, 2005 12:28 am
wokick wrote: "There are too many false positives from Symantec Norton software."

Good for business, eh?
opentaka (l33t, joined 18 Feb 2005, 840 posts, location: Japan)
Posted: Tue Sep 13, 2005 12:58 am
I 150% hate those Symantec firewalls.
They are stupid as hell; iptables is wayyyyyy better.
Symantec or Windows GUI firewalls always overreact to packets, like one port scanned = ATTACCCKKKKKKK!!!!!!!!
and also ICMP received = ATTAAAAAAAACCCCCCCKKKK!!!
Also, all these ftp/ssh worms will warn you too, I guess.

-- "Being defeated is often a temporary condition. Giving up is what makes it permanent" - Marilyn vos Savant