Saved By The Linux
We’ve had a rash of new customers at work recently with Windows boxes that have been hacked into and pwn3d by some 1337 script kiddie out there in the big bad internet, all of which have been boxes with public IP addresses and no firewall of any kind protecting them from the badness of the internet.
My most recent personal run-in with the hacker occurred last Friday. This was a new customer of ours, and I got there extremely early (see: 7AM) and followed their custodian of all things computer through the Friday morning maintenance routine, making notes on my opinions of the tasks and ideas for improvement. After all that was said and done I made my way through each of their servers (they have 10), going over the event logs to see what errors had been cropping up since their previous provider was let go in early February. Everything looked great through the first 9 boxes until I reached the very last box… a little Win2K box acting as the first router in the network after the T1 router.
Now granted, I don’t think it’s a very good idea to be using a Win2K box as a router with 4 public IPs and having ALL your internet traffic pass through the box, but this was only our first week with the customer and I didn’t want to overstep my bounds by screaming bloody murder about the box. So I started digging through the logs and came across a Symantec alert about finding HackDefender on the box. First thought through my head: “Oh fuck, the box is pwn3d”. Enter scramble mode…
I couldn’t take the box down without taking down their entire operation (they host their own mail and websites), so I had to come up with a solution, and pronto. Thankfully the customer had the parts available in the server room to build a new box (pretty nice too, 3.2GHz P4, 1GB PC3200), and by cannibalizing some NICs from some dead boxes I had everything I needed to replace the router.
I pulled out a Gentoo 2006.0 install CD and got to work setting up a barebones Linux router. Everything went pretty well with the setup until it was time to stick it in place and test that everything was working properly. I installed the box and the internet worked great from the Linux box itself, but two of the three networks behind it couldn’t see anything! Oh wonderful… I looked over all my configuration settings, everything looked good, and I beat my head against the wall for what seemed like an eternity until my saviour arrived and unwittingly gave me the answer. The customer contact came up and asked me how things were going, and I replied that they could be better. I mentioned that I had one of the networks running, but the others were screwed. He asked me if I knew whether the NICs were good or not, because he wasn’t sure why the PCs they were taken from had been decommissioned! In my hurry I had completely forgotten to bother confirming that the used parts were good. I ripped two of the NICs out of the old router, installed them, and BAM!… everything worked like a charm!
I got the box home and took a look at it over the weekend, and thankfully it seems the hacker never got fully set up on the box. There are no file repositories on it, and all the ports that are open and listening crap out when you try to connect to them by any means (even just a Telnet session). So no major harm done, but it still leads to the most important moral of the story: “Don’t use a Windows box as a router with unprotected public IPs”.
My next item on the list is to get a long-term solution developed and deployed… and next time, I’ll make sure the NICs work first.
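The check that would have caught the dead cannibalized NICs before the cut-over, as an added example that is not part of the original post: a small POSIX shell script that reads the kernel’s sysfs view of every interface (/sys/class/net/<if>/operstate and /carrier) and flags any non-loopback card without link. The sysfs root being a parameter, the fake sysfs tree built by make_fake_sysfs, and the function names are all assumptions made here so the check can be demonstrated offline; on a real box you run check_nics with no argument.

```sh
#!/bin/sh
# Added example, not from the original post: pre-deployment NIC link check for
# a Linux router. Reads the kernel's sysfs view of each interface. The sysfs
# root is a parameter (an assumption made here) so the check can be exercised
# against a constructed tree offline; on a real box call check_nics with no
# argument, which defaults to /sys/class/net.

# nic_has_link DIR: return 0 if the interface at DIR reports carrier, 1 if not.
# Reading 'carrier' on an administratively down NIC fails with EINVAL, so a
# read error is treated as "no link" rather than aborting the check.
nic_has_link() {
    carrier=$(cat "$1/carrier" 2>/dev/null) || carrier=0
    [ "$carrier" = 1 ]
}

# check_nics [ROOT]: print one line per non-loopback interface and return 1 if
# any of them has no link (dead card, unplugged cable, driver not loaded).
# Returns 2 if no interfaces were found at all.
check_nics() {
    root=${1:-/sys/class/net}
    bad=0
    found=0
    for dir in "$root"/*; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        [ "$name" = lo ] && continue
        found=1
        operstate=$(cat "$dir/operstate" 2>/dev/null || echo unknown)
        if nic_has_link "$dir"; then
            printf '%-8s operstate=%-8s link=yes\n' "$name" "$operstate"
        else
            printf '%-8s operstate=%-8s link=NO   <-- check card/cable\n' "$name" "$operstate"
            bad=1
        fi
    done
    [ "$found" = 1 ] || { echo "no interfaces found under $root" >&2; return 2; }
    return "$bad"
}

# make_fake_sysfs ROOT NAME OPERSTATE CARRIER: build a constructed sysfs entry.
# Only used to demonstrate the check offline; a real tree is populated by the kernel.
make_fake_sysfs() {
    mkdir -p "$1/$2"
    printf '%s\n' "$3" > "$1/$2/operstate"
    printf '%s\n' "$4" > "$1/$2/carrier"
}

# demo: constructed tree with one good card and one dead one, the situation
# the cannibalized NICs produced. Mirrors check_nics' exit status.
demo() {
    tmp=$(mktemp -d)
    make_fake_sysfs "$tmp" lo   unknown 1
    make_fake_sysfs "$tmp" eth0 up      1
    make_fake_sysfs "$tmp" eth1 down    0
    if check_nics "$tmp"; then rc=0; else rc=$?; fi
    rm -rf "$tmp"
    return "$rc"
}

# Usage:  sh nic_check.sh --demo   (offline demo on the constructed tree)
#         sh nic_check.sh --live   (real box: reads /sys/class/net)
case "${1:-}" in
    --demo) demo ;;
    --live) check_nics ;;
esac
```

Run it on the new box before racking it, not after: a non-zero exit from check_nics --live means a card has no carrier, which is exactly the symptom of the two dead NICs above (the box itself had internet because its one good card was the upstream one). The check only proves link, not that the card passes traffic under load, so a quick ping across each interface is still worth doing.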