Hi guys, I need your help.
My router has outgoing traffic even though there is no one connected to it.
I think a spammer is using my IP address or something.
This is my IP address:
213.209.174.66
Guys, if you see that I have any open relay (DNS proxy or anything) let me know. I'm waiting for your replies, guys.
Why not put some firewall rules in blocking things you don’t authorize. You’ve got the best firewall in the world and you’re not using it?
Sam
Thanks a lot, but how?
This scan does not look good:
IP Address : 213.209.174.66
HostName : 1117415880.335
MAC : 00-00-00-00-00-00 (probably Dial-Up)
UserName : (No one logged on)
Operating System : probably Unix
Time to live (TTL) : 47 (64) - 17 hop(s) away
NETBIOS names (1)
1117415880.335 - Workstation Service
Open Ports (71)
25 [ Smtp => Simple Mail Transfer Protocol ]
220 AVG ESMTP Proxy Server 7.0.321/7.0.322 [267.3.0]
110 [ Pop3 => Post Office Protocol 3 ]
13 [ Daytime => Time of day ]
22 [ Ssh => Remote Login Protocol ]
42 [ NameServer => WINS Host Name Server ]
53 [ Domain => Domain Name Server ]
79 [ Finger ]
80 [ Http => World Wide Web, HTTP ]
113 [ identd => Authentication Service ]
118 [ SqlServ => SQL Services ]
135 [ epmap => DCE endpoint resolution ]
139 [ Netbios-ssn => NETBIOS Session Service ]
156 [ Sqlsrv => SQL Services ]
161 [ Snmp => Simple Network Management Protocol ]
371 [ Clearcase ]
443 [ HttpS => Secure HTTP ]
512 [ Exec => Remote process execution ]
513 [ Login => Remote login (a la telnet) ]
514 [ Shell => cmd ]
540 [ uucp ]
515 [ printer => Printer Spooler ]
1080 [ Socks ]
1433 [ Microsoft SQL server ]
1494 [ Citrix ICA => Remote Control Software ]
1993 [ Cisco SNMP ]
1999 [ Cisco identd ]
2049 [ NFS => Network File System ]
3128 [ Proxy/Socks ]
3389 [ Terminal Services ]
5631 [ pcANYWHEREdata => Remote Control Software ]
5632 [ pcANYWHEREstat => Remote Control Software ]
6789 [ IBM DB2 ]
9100 [ JetDirect => HP Jetdirect PrintServer ]
8080 [ Http-Proxy ]
43188 [ ReachOut => Remote Control Software ]
25867 [ WebCam32 => WebCam32 Admin ]
5800 [ VNC => Remote Control Software ]
407 [ Timbuktu => Remote Control Software ]
800 [ Remotely Possible / ControlIT => Remote Control Software ]
799 [ Remotely Possible / ControlIT => Remote Control Software ]
2000 [ Remotely Anywhere => Remote Control Software ]
2001 [ Remotely Anywhere => Remote Control Software ]
119 [ News ]
311 [ AppleShare => Web-Admin ]
389 [ LDAP => Light Directory Access Protocol ]
548 [ AFP => Apple File Share ]
4045 [ lockd => NFS File Locking ]
6699 [ Napster ]
6346 [ GNUTella ]
427 [ SLP => Service Location Protocol ]
4001 [ Cisco Virtual Terminal ]
6001 [ Cisco virtual Terminal ]
8888 [ AnswerBook2 ]
9001 [ Cisco XRemote Service ]
12345 [ Netbus ]
20034 [ Netbus Pro ]
27374 [ Subseven ]
6670 [ Deep Throat ]
2583 [ Wincrash2 ]
30999 [ Kuang ]
5400 [ Blade Runner ]
44444 [ Prosiak ]
1015 [ Doly ]
31787 [ Hack'a'tack ]
17300 [ Kuang2 ]
5550 [ Xtcp 2.0x ]
9400 [ InCommand ]
5882 [ Y3k ]
23432 [ Asylum ]
12349 [ Bionet ]
17569 [ Infector ]
Alerts (18) (Legend : - High - Medium - Low - Information)
Backdoors
Netbus (12345)
Netbus Pro (20034)
Subseven (27374)
Deep Throat (6670)
Wincrash2 (2583)
Kuang (30999)
Blade Runner (5400)
Prosiak (44444)
Doly (1015)
Hack'a'tack (31787)
Kuang2 (17300)
Xtcp 2.0x (5550)
InCommand (9400)
Y3k (5882)
Asylum (23432)
Bionet (12349)
Infector (17569)
Misc_Alerts (1)
cfingerd util-c buffer overflow
Description : The cfingerd package versions 1.4.3 and earlier is vulnerable to a buffer overflow in the util.c file
Bugtraq ID : http://xforce.iss.net/static/6744.php
Monday, 30 May 2005 - 09:29 PM
Hugh Hartman,
Can I know the name of the tool (scanner) used? nmap by any chance…?
Thanks.
Hartman, can you repeat your test now? I did some rules.
engineer: LANguard Network Scanner v (2.0 beta)
taloot: scanning now
yikes:
IP Address : 213.209.174.66
HostName : IP66NET174
Resolved : ip66net174.skylogicnet.it
Operating System : probably Unix
Time to live (TTL) : 47 (64) - 17 hop(s) away
Open Ports (76)
25 [ Smtp => Simple Mail Transfer Protocol ]
220 AVG ESMTP Proxy Server 7.0.321/7.0.322 [267.3.3]
110 [ Pop3 => Post Office Protocol 3 ]
13 [ Daytime => Time of day ]
22 [ Ssh => Remote Login Protocol ]
SSH-1.99-OpenSSH_2.3.0p1
42 [ NameServer => WINS Host Name Server ]
53 [ Domain => Domain Name Server ]
79 [ Finger ]
80 [ Http => World Wide Web, HTTP ]
HTTP/1.0 400 Bad Request
: close
Content-Length: 113
Date: Tue, 31 May 2005 01:01:23 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
98 [ linuxconf ]
109 [ Pop2 => Post Office Protocol 2 ]
111 [ SunRPC => SUN Remote Procedure Call ]
113 [ identd => Authentication Service ]
118 [ SqlServ => SQL Services ]
135 [ epmap => DCE endpoint resolution ]
139 [ Netbios-ssn => NETBIOS Session Service ]
156 [ Sqlsrv => SQL Services ]
161 [ Snmp => Simple Network Management Protocol ]
371 [ Clearcase ]
443 [ HttpS => Secure HTTP ]
445 [ Microsoft-Ds ]
512 [ Exec => Remote process execution ]
514 [ Shell => cmd ]
513 [ Login => Remote login (a la telnet) ]
515 [ printer => Printer Spooler ]
540 [ uucp ]
1080 [ Socks ]
1433 [ Microsoft SQL server ]
1494 [ Citrix ICA => Remote Control Software ]
1993 [ Cisco SNMP ]
1999 [ Cisco identd ]
2049 [ NFS => Network File System ]
3128 [ Proxy/Socks ]
3389 [ Terminal Services ]
5631 [ pcANYWHEREdata => Remote Control Software ]
5632 [ pcANYWHEREstat => Remote Control Software ]
6789 [ IBM DB2 ]
6790 [ IBM DB2 ]
9100 [ JetDirect => HP Jetdirect PrintServer ]
8080 [ Http-Proxy ]
43188 [ ReachOut => Remote Control Software ]
25867 [ WebCam32 => WebCam32 Admin ]
5800 [ VNC => Remote Control Software ]
407 [ Timbuktu => Remote Control Software ]
799 [ Remotely Possible / ControlIT => Remote Control Software ]
2000 [ Remotely Anywhere => Remote Control Software ]
2001 [ Remotely Anywhere => Remote Control Software ]
21 [ Ftp => File Transfer Protocol ]
220 MikroTik FTP server (MikroTik v2.8.26) ready
119 [ News ]
311 [ AppleShare => Web-Admin ]
389 [ LDAP => Light Directory Access Protocol ]
548 [ AFP => Apple File Share ]
4045 [ lockd => NFS File Locking ]
6699 [ Napster ]
6346 [ GNUTella ]
427 [ SLP => Service Location Protocol ]
4001 [ Cisco Virtual Terminal ]
6001 [ Cisco virtual Terminal ]
8888 [ AnswerBook2 ]
9001 [ Cisco XRemote Service ]
12345 [ Netbus ]
20034 [ Netbus Pro ]
31337 [ Back Oriffice ]
27374 [ Subseven ]
6670 [ Deep Throat ]
2583 [ Wincrash2 ]
30999 [ Kuang ]
5400 [ Blade Runner ]
44444 [ Prosiak ]
1015 [ Doly ]
31787 [ Hack'a'tack ]
17300 [ Kuang2 ]
5550 [ Xtcp 2.0x ]
9400 [ InCommand ]
5882 [ Y3k ]
23432 [ Asylum ]
12349 [ Bionet ]
Alerts (18) (Legend : - High - Medium - Low - Information)
Backdoors
Netbus (12345)
Netbus Pro (20034)
Back Oriffice (31337)
Subseven (27374)
Deep Throat (6670)
Wincrash2 (2583)
Kuang (30999)
Blade Runner (5400)
Prosiak (44444)
Doly (1015)
Hack'a'tack (31787)
Kuang2 (17300)
Xtcp 2.0x (5550)
InCommand (9400)
Y3k (5882)
Asylum (23432)
Bionet (12349)
Misc_Alerts (1)
cfingerd util-c buffer overflow
Description : The cfingerd package versions 1.4.3 and earlier is vulnerable to a buffer overflow in the util.c file
Bugtraq ID : http://xforce.iss.net/static/6744.php
Tuesday, 31 May 2005 - 09:12 PM
I’m using the following rules in the Input chain on my box to prevent incoming Internet connections:
[admin@Net4501] ip firewall rule input> pr
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Drop TCP Invalid packets
in-interface=Internet connection-state=invalid action=drop log=yes
1 ;;; Drop spoofed packets
src-address=192.168.1.0/24 in-interface=Internet action=drop log=yes
2 ;;; Permit local LAN traffic
in-interface=Internal action=accept
3 ;;; PPTP Tunnel
protocol=gre action=accept
4 ;;; Accept Internet Established
in-interface=Internet connection-state=established action=accept
5 ;;; Accept Internet Related
in-interface=Internet connection-state=related action=accept
6 ;;; PPTP control
dst-address=:1723 protocol=tcp action=accept
7 X ;;; Accept IKE traffic
src-address=:500 in-interface=Internet dst-address=:500 protocol=udp action=accept
8 X ;;; Accept IPSEC traffic
in-interface=Internet protocol=ipsec-esp action=accept
9 ;;; Silent drop for TCP:445
dst-address=:445 protocol=tcp action=drop
10 ;;; Silent drop for UDP 1026-1027
in-interface=Internet dst-address=:1026-1029 protocol=udp action=drop
11 ;;; Drop & log everything else
in-interface=Internet action=drop log=yes
Regards
Andrew
In the future, you should drop everything by default, and accept only traffic you want. I hate to say it, but no firewall is going to help you now. That thing is hosed. It needs some serious work or a reformat.
Ohhh man.
I did the firewall rule and it works fine, but
when I add action=drop at the end it works great, everything is blocked,
but after a while it's gone. I don't know why??
/system history will show if a rule is being removed and by whom.
You can set the default action of the Input chain to Drop.
Change the password ASAP and check that additional accounts haven’t been added.
Regards
Andrew
Because your session was already permitted and is in the state-table.
Your rule-set is probably incomplete.
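Added here as an illustration, not code from the thread or from MikroTik: a small Python model of how the Input chain Andrew posted is evaluated, first enabled matching rule wins, which also shows sten's point (an already established session matches the "Accept Internet Established" rule before anything later) and why a missing final drop leaves unmatched packets at the chain default. The packet field names and the sample packets are assumptions of the example.

```python
# Added example (not code from the thread): first-match evaluation of the
# RouterOS 2.x "ip firewall rule input> print" listing posted above. The first
# enabled matching rule decides; an unmatched packet gets the chain default.
import ipaddress, re

# Constructed subset of the posted listing, kept in the printed format.
LISTING = """\
1 ;;; Drop spoofed packets
src-address=192.168.1.0/24 in-interface=Internet action=drop log=yes
4 ;;; Accept Internet Established
in-interface=Internet connection-state=established action=accept
7 X ;;; Accept IKE traffic
src-address=:500 in-interface=Internet dst-address=:500 protocol=udp action=accept
9 ;;; Silent drop for TCP:445
dst-address=:445 protocol=tcp action=drop
"""
HEADER = re.compile(r"^(\d+)\s*([A-Z ]*?)\s*;;;\s*(.*)$")  # "N [X] ;;; comment"
def parse_rules(listing):
    """Return (enabled, comment, props) per rule; the X flag marks a disabled rule."""
    lines = [l for l in listing.splitlines() if l.strip()]
    rules = []
    for head, body in zip(lines[0::2], lines[1::2]):
        m = HEADER.match(head.strip())
        props = dict(kv.split("=", 1) for kv in body.split())
        rules.append(("X" not in m.group(2), m.group(3), props))
    return rules

def addr_match(spec, ip, port):
    """Match 'net/len:lo-hi' as RouterOS prints it; either half may be absent."""
    net, _, ports = spec.partition(":")
    if net and ipaddress.ip_address(ip) not in ipaddress.ip_network(net, strict=False):
        return False
    lo, _, hi = ports.partition("-")
    return not ports or int(lo) <= port <= int(hi or lo)

def matches(props, pkt):
    # Every match property on the rule must hold; action/log are not matchers.
    tests = {"in-interface": lambda v: v == pkt["iface"],
             "connection-state": lambda v: v == pkt["state"],
             "protocol": lambda v: v == pkt["proto"],
             "src-address": lambda v: addr_match(v, pkt["src"], pkt["sport"]),
             "dst-address": lambda v: addr_match(v, pkt["dst"], pkt["dport"])}
    return all(tests[k](v) for k, v in props.items() if k in tests)

def evaluate(listing, pkt, chain_default="accept"):
    """Walk the chain top-down; return (action, comment of the deciding rule)."""
    for enabled, comment, props in parse_rules(listing):
        if enabled and matches(props, pkt):
            return props["action"], comment
    return chain_default, "chain default"
```

Passing chain_default="drop" models Andrew's advice to set the Input chain default to Drop: a new inbound telnet packet from the Internet then falls through to a drop instead of an implicit accept.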
It shows that it has been removed by admin. Any clue?
sten, I think you are right, but how can I fix that??!!
Change the admin password.
Regards
Andrew
I changed it and it works fine now.
BTW no one knows my password, just me, and it's a little bit hard. This one is veryyyyyyyyyyyy hard, heh.
It doesn’t matter how complex your password is if someone is logging your keystrokes.
I agree with jarosoup, if your administrator password has been compromised, then things have already gone way too far. Best to start over. Once a system has been infiltrated to that degree, it is difficult to correct every compromise and make sure that you have gotten every single one. You only have to leave one tiny backdoor in place to have the whole mess start right back up again…
Hitek
I would normally agree if this were a regular system. However, it’s a router so shouldn’t be vulnerable to having back-doors installed. I doubt that any of those suspicious ports shown as open actually have anything behind them.
Regards
Andrew
Cisco routers get backdoored all the time these days. RouterOS is based on Linux and behind the scenes is still a linux environment. It is not impossible to add backdoors there. I would bet it’s quite easy as soon as you find a way to execute custom code (i.e. find a hole).
However, in this case i would think the user had something misconfigured.
Guys, here is what happened to me exactly:
When I was on my old password the action=drop was removed, but this happened only when I permitted port 23 (telnet); when I blocked telnet it remained blocked??!! Any clue??
With my new password, even with the telnet port open, the action=drop has not been removed.
In other words, the hacker is from outside, and when I block telnet he cannot do anything.