Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Server hacked on known port
Special Forums Cybersecurity Server hacked on known port Post 303029964 by anaigini45 on Sunday 3rd of February 2019 11:58:05 PM
Old 02-04-2019
Server hacked on known port
Hi,

There is a recent case whereby it was reported that one of the production servers was hacked on port 1521. However, I am not sure how this was possible, as I checked that the OS firewall (iptables) is on :

Code:
[root@fmsproddb satellite]# /etc/init.d/iptables status
Table: nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Port 1521 not open :

Code:
[root@fmsproddb satellite]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 23 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@fmsproddb satellite]#

However, it is listening on port 1521 :

Code:
[root@fmsproddb satellite]# netstat -tulpn | grep 1521
tcp        0      0 :::1521                     :::*                        LISTEN      27905/tnslsnr
[root@fmsproddb satellite]#

I assume it is listening because the application is turned on, and thus the service related to port 1521 turned on and that is why it is listening on this port?

Even if the network firewall (physical) is open, if the iptables is running in the server, it should not allow port 1521 to be open/listening?
I can't think of any other way how people can hack the server on port 1521. Please help clear my doubt.
 

8 More Discussions You Might Find Interesting

1. UNIX for Advanced & Expert Users

which port to write my server application?

I want to write a server application that would accept HTTP requests from client. The server would be on a machine that has no connection to the INTERNET. The clients that would be posting their HTTP requests would be doing so through webbrowser .Thus it would be sort of intranet application.... (0 Replies)
Discussion started by: rraajjiibb
0 Replies

2. Linux

pc hacked

Hi, i think someone has hacked my server, the following rules used to come which i haven't put. Please help me i couldnt find out how this rules are apply, i think someone has put an script which generates enables the rules. But after restarting the iptables everything seems to be working... (0 Replies)
Discussion started by: naik_mit
0 Replies

3. UNIX for Dummies Questions & Answers

Old ATT Server Port Question

Just got old ATT server (10 base T)shipped and want to connect to Windows using com port. Got hardware to connect RJ45 from windows box & serial on ATT. I added XP static ip to host file but get no ping return. Do I have to open unix com port? How? (2 Replies)
Discussion started by: kctech
2 Replies

4. UNIX for Advanced & Expert Users

ssh port forward over three server

Hello there, I have a big problem, and I hope somebody can help me. I try to realize a port forward over three server. Here is a picture... Client Server1 | Server2 ------- ------- | ------- |...... | |...... | | |...... ... (2 Replies)
Discussion started by: Art007
2 Replies

5. Cybersecurity

How to know when you've been hacked

One of the most important ways to keep tou machine secure is to know when it has been broken into. The less time hackers have on your system, the less they can do to it, and the greater you chancens of kicking them off and repairing the damage. The more sophisticated the hacker, the less likely... (8 Replies)
Discussion started by: binhnx2000
8 Replies

6. UNIX for Dummies Questions & Answers

Plesk Server Hacked - How to Backup

Hello! First of all: I am a newbie. :o :( I have a CentOS 64bit server with Plesk Panel 8.6. And have been hacked. :mad: After many tries and support tickets, I am configuring a new server, with Suse 11 and Plesk 9.2. I know that Plesk 8.6 have a backup utility (Parallels Plesk Control... (3 Replies)
Discussion started by: miguelvidal
3 Replies

7. Cybersecurity

Different ssh fingerprints on server vs the one on port 22

Hi Guys, My certificate in /etc/ssh is different to what is on port 22. username@server:~$ ssh-keyscan -p 22 127.0.0.1 > /tmp/rsa.tmp # 127.0.0.1 SSH-1.99-OpenSSH_33.33 username@server:~$ ssh-keygen -lf /tmp/rsa.tmp 1024 46:something..................... 127.0.0.1... (0 Replies)
Discussion started by: mu100
0 Replies

8. Solaris

How to find port number wwn of particular port on dual port HBA,?

please find the below o/p for your reference bash-3.00# fcinfo hba-port HBA Port WWN: 21000024ff295a34 OS Device Name: /dev/cfg/c2 Manufacturer: QLogic Corp. Model: 375-3356-02 Firmware Version: 05.03.02 FCode/BIOS Version: BIOS: 2.02; fcode: 2.01;... (3 Replies)
Discussion started by: sb200
3 Replies

LEARN ABOUT LINUX

iptables-xml

IPTABLES-XML(8) 														   IPTABLES-XML(8)

NAME

       iptables-xml -- Convert iptables-save format to XML

SYNOPSIS

       iptables-xml [-c] [-v]

DESCRIPTION

       iptables-xml  is  used  to convert the output of iptables-save into an easily manipulatable XML format to STDOUT.  Use I/O-redirection pro-
       vided by your shell to write to a file.

       -c, --combine
	      combine consecutive rules with the same matches but different targets. iptables does not currently support more than one target  per
	      match,  so this simulates that by collecting the targets from consecutive iptables rules into one action tag, but only when the rule
	      matches are identical. Terminating actions like RETURN, DROP, ACCEPT and QUEUE are not combined with subsequent targets.

       -v, --verbose
	      Output xml comments containing the iptables line from which the XML is derived

       iptables-xml does a mechanistic conversion to a very expressive xml format; the only semantic considerations are for -g and -j  targets	in
       order to discriminate between <call> <goto> and <nane-of-target> as it helps xml processing scripts if they can tell the difference between
       a target like SNAT and another chain.

       Some sample output is:

       <iptables-rules>
	 <table name="mangle">
	   <chain name="PREROUTING" policy="ACCEPT" packet-count="63436" byte-count="7137573">
	     <rule>
	      <conditions>
	       <match>
		 <p>tcp</p>
	       </match>
	       <tcp>
		 <sport>8443</sport>
	       </tcp>
	      </conditions>
	      <actions>
	       <call>
		 <check_ip/>
	       </call>
	       <ACCEPT/>
	      </actions>
	     </rule>
	   </chain>
	 </table> </iptables-rules>

       Conversion from XML to iptables-save format may be done using the iptables.xslt script and xsltproc, or a custom program using  libxsltproc
       or similar; in this fashion:

       xsltproc iptables.xslt my-iptables.xml | iptables-restore

BUGS

       None known as of iptables-1.3.7 release

AUTHOR

       Sam Liddicott <azez@ufomechanic.net>

SEE ALSO

       iptables-save(8), iptables-restore(8), iptables(8)

								   Jul 16, 2007 						   IPTABLES-XML(8)
All times are GMT -4. The time now is 12:08 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy