Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Server hacked on known port
Special Forums Cybersecurity Server hacked on known port Post 303029964 by anaigini45 on Sunday 3rd of February 2019 11:58:05 PM
Old 02-04-2019
Server hacked on known port
Hi,

There is a recent case whereby it was reported that one of the production servers was hacked on port 1521. However, I am not sure how this was possible, as I checked that the OS firewall (iptables) is on :

Code:
[root@fmsproddb satellite]# /etc/init.d/iptables status
Table: nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Port 1521 not open :

Code:
[root@fmsproddb satellite]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 23 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@fmsproddb satellite]#

However, it is listening on port 1521 :

Code:
[root@fmsproddb satellite]# netstat -tulpn | grep 1521
tcp        0      0 :::1521                     :::*                        LISTEN      27905/tnslsnr
[root@fmsproddb satellite]#

I assume it is listening because the application is turned on, and thus the service related to port 1521 turned on and that is why it is listening on this port?

Even if the network firewall (physical) is open, if the iptables is running in the server, it should not allow port 1521 to be open/listening?
I can't think of any other way how people can hack the server on port 1521. Please help clear my doubt.
 

8 More Discussions You Might Find Interesting

1. UNIX for Advanced & Expert Users

which port to write my server application?

I want to write a server application that would accept HTTP requests from client. The server would be on a machine that has no connection to the INTERNET. The clients that would be posting their HTTP requests would be doing so through webbrowser .Thus it would be sort of intranet application.... (0 Replies)
Discussion started by: rraajjiibb
0 Replies

2. Linux

pc hacked

Hi, i think someone has hacked my server, the following rules used to come which i haven't put. Please help me i couldnt find out how this rules are apply, i think someone has put an script which generates enables the rules. But after restarting the iptables everything seems to be working... (0 Replies)
Discussion started by: naik_mit
0 Replies

3. UNIX for Dummies Questions & Answers

Old ATT Server Port Question

Just got old ATT server (10 base T)shipped and want to connect to Windows using com port. Got hardware to connect RJ45 from windows box & serial on ATT. I added XP static ip to host file but get no ping return. Do I have to open unix com port? How? (2 Replies)
Discussion started by: kctech
2 Replies

4. UNIX for Advanced & Expert Users

ssh port forward over three server

Hello there, I have a big problem, and I hope somebody can help me. I try to realize a port forward over three server. Here is a picture... Client Server1 | Server2 ------- ------- | ------- |...... | |...... | | |...... ... (2 Replies)
Discussion started by: Art007
2 Replies

5. Cybersecurity

How to know when you've been hacked

One of the most important ways to keep tou machine secure is to know when it has been broken into. The less time hackers have on your system, the less they can do to it, and the greater you chancens of kicking them off and repairing the damage. The more sophisticated the hacker, the less likely... (8 Replies)
Discussion started by: binhnx2000
8 Replies

6. UNIX for Dummies Questions & Answers

Plesk Server Hacked - How to Backup

Hello! First of all: I am a newbie. :o :( I have a CentOS 64bit server with Plesk Panel 8.6. And have been hacked. :mad: After many tries and support tickets, I am configuring a new server, with Suse 11 and Plesk 9.2. I know that Plesk 8.6 have a backup utility (Parallels Plesk Control... (3 Replies)
Discussion started by: miguelvidal
3 Replies

7. Cybersecurity

Different ssh fingerprints on server vs the one on port 22

Hi Guys, My certificate in /etc/ssh is different to what is on port 22. username@server:~$ ssh-keyscan -p 22 127.0.0.1 > /tmp/rsa.tmp # 127.0.0.1 SSH-1.99-OpenSSH_33.33 username@server:~$ ssh-keygen -lf /tmp/rsa.tmp 1024 46:something..................... 127.0.0.1... (0 Replies)
Discussion started by: mu100
0 Replies

8. Solaris

How to find port number wwn of particular port on dual port HBA,?

please find the below o/p for your reference bash-3.00# fcinfo hba-port HBA Port WWN: 21000024ff295a34 OS Device Name: /dev/cfg/c2 Manufacturer: QLogic Corp. Model: 375-3356-02 Firmware Version: 05.03.02 FCode/BIOS Version: BIOS: 2.02; fcode: 2.01;... (3 Replies)
Discussion started by: sb200
3 Replies

LEARN ABOUT DEBIAN

calendarserver_monitor_notifications

CALENDARSERVER_MONITOR_NOTIFICATIONS(8) 		    BSD System Manager's Manual 		   CALENDARSERVER_MONITOR_NOTIFICATIONS(8)

NAME

     calendarserver_monitor_notifications -- Darwin Calendar Server push notification monitor

SYNOPSIS

     calendarserver_monitor_notifications [--admin username] [--config file] [--host hostname] [--node pubsub-node-name] [--port port-number]
					  [--ssl] [--verbose] [--help] username

DESCRIPTION

     calendarserver_monitor_notifications is a tool for making sure XMPP push notifications are working properly.  Given a username and password
     it will connect to the calendar server and determine which pubsub node(s) correspond to that user's calendar home, as well as those of any
     user which has delegated calendar access.	Next it will subscribe to those nodes and await notifications, printing them to stdout.  An admin-
     istrator can monitor the push notifications for another user by passing the --admin option.  Exit by hitting Control-C.

OPTIONS

     -a, --admin
	   Authenticate using the credentials of the given administrator.

     -h, --help
	   Display usage information.

     -f, --config FILE
	   Use the Calendar Server configuration specified in the given file.  Defaults to /etc/caldavd/caldavd.plist.

     -H, --host HOSTNAME
	   Connect to the specified calendar server.  If not passed on the command line, the host name is looked up in the configuration file.

     -n, --node NODENAME
	   Bypass the auto-discovery of pubsub nodes and specify one explicitly.  Useful on calendar servers which don't support the push-trans-
	   ports DAV property.	When using this option, the host and port options instead refer to the XMPP server host and port numbers.

     -p, --port NUMBER
	   Connect to the specified port number.  If not passed on the command line, the port number is looked up in the configuration file.

     -s, --ssl
	   Use https to connect to calendar server (default is http).

     -v, --verbose
	   Print debugging information.

FILES

     /etc/caldavd/caldavd.plist
	   The Calendar Server configuration file.

SEE ALSO

     caldavd(8)

BSD
								    Feb 3, 2011 							       BSD
All times are GMT -4. The time now is 09:39 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy