Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Server hacked on known port
Special Forums Cybersecurity Server hacked on known port Post 303029964 by anaigini45 on Sunday 3rd of February 2019 11:58:05 PM
Old 02-04-2019
Server hacked on known port
Hi,

There is a recent case whereby it was reported that one of the production servers was hacked on port 1521. However, I am not sure how this was possible, as I checked that the OS firewall (iptables) is on :

Code:
[root@fmsproddb satellite]# /etc/init.d/iptables status
Table: nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Port 1521 not open :

Code:
[root@fmsproddb satellite]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 23 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@fmsproddb satellite]#

However, it is listening on port 1521 :

Code:
[root@fmsproddb satellite]# netstat -tulpn | grep 1521
tcp        0      0 :::1521                     :::*                        LISTEN      27905/tnslsnr
[root@fmsproddb satellite]#

I assume it is listening because the application is turned on, and thus the service related to port 1521 turned on and that is why it is listening on this port?

Even if the network firewall (physical) is open, if the iptables is running in the server, it should not allow port 1521 to be open/listening?
I can't think of any other way how people can hack the server on port 1521. Please help clear my doubt.
 

8 More Discussions You Might Find Interesting

1. UNIX for Advanced & Expert Users

which port to write my server application?

I want to write a server application that would accept HTTP requests from client. The server would be on a machine that has no connection to the INTERNET. The clients that would be posting their HTTP requests would be doing so through webbrowser .Thus it would be sort of intranet application.... (0 Replies)
Discussion started by: rraajjiibb
0 Replies

2. Linux

pc hacked

Hi, i think someone has hacked my server, the following rules used to come which i haven't put. Please help me i couldnt find out how this rules are apply, i think someone has put an script which generates enables the rules. But after restarting the iptables everything seems to be working... (0 Replies)
Discussion started by: naik_mit
0 Replies

3. UNIX for Dummies Questions & Answers

Old ATT Server Port Question

Just got old ATT server (10 base T)shipped and want to connect to Windows using com port. Got hardware to connect RJ45 from windows box & serial on ATT. I added XP static ip to host file but get no ping return. Do I have to open unix com port? How? (2 Replies)
Discussion started by: kctech
2 Replies

4. UNIX for Advanced & Expert Users

ssh port forward over three server

Hello there, I have a big problem, and I hope somebody can help me. I try to realize a port forward over three server. Here is a picture... Client Server1 | Server2 ------- ------- | ------- |...... | |...... | | |...... ... (2 Replies)
Discussion started by: Art007
2 Replies

5. Cybersecurity

How to know when you've been hacked

One of the most important ways to keep tou machine secure is to know when it has been broken into. The less time hackers have on your system, the less they can do to it, and the greater you chancens of kicking them off and repairing the damage. The more sophisticated the hacker, the less likely... (8 Replies)
Discussion started by: binhnx2000
8 Replies

6. UNIX for Dummies Questions & Answers

Plesk Server Hacked - How to Backup

Hello! First of all: I am a newbie. :o :( I have a CentOS 64bit server with Plesk Panel 8.6. And have been hacked. :mad: After many tries and support tickets, I am configuring a new server, with Suse 11 and Plesk 9.2. I know that Plesk 8.6 have a backup utility (Parallels Plesk Control... (3 Replies)
Discussion started by: miguelvidal
3 Replies

7. Cybersecurity

Different ssh fingerprints on server vs the one on port 22

Hi Guys, My certificate in /etc/ssh is different to what is on port 22. username@server:~$ ssh-keyscan -p 22 127.0.0.1 > /tmp/rsa.tmp # 127.0.0.1 SSH-1.99-OpenSSH_33.33 username@server:~$ ssh-keygen -lf /tmp/rsa.tmp 1024 46:something..................... 127.0.0.1... (0 Replies)
Discussion started by: mu100
0 Replies

8. Solaris

How to find port number wwn of particular port on dual port HBA,?

please find the below o/p for your reference bash-3.00# fcinfo hba-port HBA Port WWN: 21000024ff295a34 OS Device Name: /dev/cfg/c2 Manufacturer: QLogic Corp. Model: 375-3356-02 Firmware Version: 05.03.02 FCode/BIOS Version: BIOS: 2.02; fcode: 2.01;... (3 Replies)
Discussion started by: sb200
3 Replies

LEARN ABOUT OSX

net::server::proto::unix

Net::Server::Proto::UNIX(3)				User Contributed Perl Documentation			       Net::Server::Proto::UNIX(3)

NAME

       Net::Server::Proto::UNIX - Net::Server UNIX protocol.

SYNOPSIS

       See Net::Server::Proto.

DESCRIPTION

       Protocol module for Net::Server.  This module implements the UNIX SOCK_STREAM socket type.  See Net::Server::Proto.

       Any sockets created during startup will be chown'ed to the user and group specified in the starup arguments.

PARAMETERS

       The following paramaters may be specified in addition to normal command line parameters for a Net::Server.  See Net::Server for more
       information on reading arguments.

       unix_type
	   Can be either SOCK_STREAM or SOCK_DGRAM (default is SOCK_STREAM).  This can also be passed on the port line (see Net::Server::Proto).

	   However, this method is deprecated.	If you want SOCK_STREAM - just use proto UNIX without any other arguments.  If you'd like
	   SOCK_DGRAM, use the new proto UNIXDGRAM.

METHODS

       NS_unix_path/NS_unix_type
	   In addition to the standard NS_ methods of Net::Server::Proto classes, the UNIX types also have legacy calls to NS_unix_path and
	   NS_unix_type.

	   Since version 2.000, NS_unix_path is simply an alias to NS_port.  NS_unix_type is now redundant with NS_proto.

	   These methods were missing between version 2.000 and 2.003 but have been returned as legacy bridges.

QUICK PARAMETER LIST

	 Key		   Value		    Default

	 # deprecated UNIX socket parameters
	 unix_type	   (SOCK_STREAM|SOCK_DGRAM) SOCK_STREAM
	 port		   "filename"		    undef

	 # more recent usage
	 port		   "filename / UNIX"
	 port		   "filename / UNIXDGRAM"

LICENCE

       Distributed under the same terms as Net::Server

perl v5.16.2							    2012-06-06					       Net::Server::Proto::UNIX(3)
All times are GMT -4. The time now is 07:48 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy