Firewall bypass or stepping stone security question
Posted 03-25-2011

Hi,

I really do not know how to describe this problem, but I think it's a firewall
issue. My distro is Slackware 12.0 (somewhat updated).

My company firewall uses Netfilter and the e-mail server uses Sendmail.
Let's say the firewall's Ext IP = A and Internal DMZ IP = B.
The firewall's name is Flame.

In the DMZ, let's say the e-mail server's IP = C.
Email's server name is Mercury.

In the past, traffic bound for A on port 25 would get forwarded to C.
In the firewall, the DNAT is set to C. In my e-mail log, the following
is shown:

Host connect: <foreign server>
IP Connect: <foreign IP>
Hello From : <some hello string>


Yesterday, when I checked my spam e-mail, I had like 8000+ spam messages
in the spambox. I freaked out a bit and did a bit of checking. In my
e-mail logs, I noticed that the logs were now displaying the following:

Host connect: Flame
IP Connect: B
Hello From : <foreign server> or <junk word>

I looked at my IP rules and didn't see anything out of the
ordinary (that specifically states to change the SNAT to B).

That done, I set Mercury's eth0 down and checked Flame's
tcpdump. It was still sending some packets (from B to C), but
since Mercury was down, nothing was replying to the connection.

Switching off the firewall stops the inbound traffic (of course).
Switching it back on starts it again.

So I went to my firewall rules and disabled all SMTP ports
so that they aren't being forwarded to C.

That did nothing.

So my current conclusion is that something has attached
itself to my firewall's process and is forwarding all e-mail
to my e-mail server without even going through the
firewall. So all e-mail goes into Flame and then out
of its B IP and into Mercury's C IP. So my tcpdump
would show B:port -> C:25...

IOW, my firewall has been breached.

Would someone know how I might be able to find out what
hidden processes are being run? I've looked at
/proc and, preliminarily, don't see anything out of the
ordinary.

telinit 1 stops the traffic.
telinit 3 restarts the traffic.

So something is hooking up to my server's list of
processes.

Any help appreciated

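Added example, not from the original post or its author: the pattern described above (connections that were DNAT'd to C:25 arriving with the firewall's DMZ address B as source) is also what a nat/POSTROUTING SNAT or MASQUERADE rule matching the DMZ interface produces, and a MASQUERADE rule never names B in its rule text, so grepping the ruleset for B will not find it. The script below parses an iptables-save dump, finds the hosts that inbound port-25 traffic is DNAT'd to, and lists every POSTROUTING SNAT/MASQUERADE rule that can rewrite the source of that forwarded traffic. The dump, the interface name eth1 and the addresses 203.0.113.10 (A), 192.168.1.1 (B) and 192.168.1.25 (C) are constructed placeholders, not the poster's real configuration.

```python
"""Audit an iptables-save dump for nat rules that make DNAT'd port-25
traffic reach the mail host with the firewall's own address as source."""
import ipaddress
import shlex
import sys

# Constructed sample dump (not the poster's rules). A = 203.0.113.10 on
# eth0, B = 192.168.1.1 on eth1 (DMZ), C = 192.168.1.25 (mail host).
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.1.25:25
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -d 192.168.1.25/32 -p tcp -m tcp --dport 25 -j ACCEPT
COMMIT
"""

# Options whose following token is their value; everything else is skipped.
VALUE_OPTS = ("-s", "-d", "-i", "-o", "-p", "-j", "-m",
              "--dport", "--sport", "--to-destination", "--to-source")


def parse_rules(dump):
    """Return one dict per '-A' line: table, chain, opts (negated keys get
    a '!' prefix, e.g. '!-d') and the raw rule text."""
    rules, table = [], None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
            continue
        if not line.startswith("-A "):
            continue
        toks = shlex.split(line)
        chain, opts, neg, i = toks[1], {}, False, 2
        while i < len(toks):
            tok = toks[i]
            if tok == "!":
                neg = True
                i += 1
            elif tok in VALUE_OPTS and i + 1 < len(toks):
                opts[("!" if neg else "") + tok] = toks[i + 1]
                neg, i = False, i + 2
            else:
                i += 1
        rules.append({"table": table, "chain": chain, "opts": opts, "raw": line})
    return rules


def _network(spec):
    return ipaddress.ip_network(spec if "/" in spec else spec + "/32", strict=False)


def _port_matches(spec, port):
    lo, _, hi = spec.partition(":")          # single port or "lo:hi" range
    return int(lo) <= port <= int(hi or lo)


def could_match(rule, dst_ip, out_iface, port):
    """Conservative: True unless some option provably excludes a forwarded
    TCP flow to dst_ip:port leaving via out_iface. '-s' is deliberately not
    evaluated (the inbound client address is unknown), so rules are
    over-reported, never under-reported."""
    o, ip = rule["opts"], ipaddress.ip_address(dst_ip)
    if "-d" in o and ip not in _network(o["-d"]):
        return False
    if "!-d" in o and ip in _network(o["!-d"]):
        return False
    if "-o" in o and o["-o"] != out_iface:
        return False
    if "!-o" in o and o["!-o"] == out_iface:
        return False
    if "-p" in o and o["-p"] not in ("tcp", "6"):
        return False
    if "--dport" in o and not _port_matches(o["--dport"], port):
        return False
    return True


def dnat_targets(rules, port=25):
    """Hosts that inbound traffic on `port` is DNAT'd to in nat/PREROUTING."""
    out = []
    for r in rules:
        o = r["opts"]
        if (r["table"] == "nat" and r["chain"] == "PREROUTING"
                and o.get("-j") == "DNAT"
                and ("--dport" not in o or _port_matches(o["--dport"], port))):
            out.append(o["--to-destination"].split(":")[0])
    return out


def source_rewriters(rules, target_ip, dmz_iface, port=25):
    """nat/POSTROUTING SNAT or MASQUERADE rules that can rewrite the source of
    forwarded connections to target_ip:port, so the mail host logs the
    firewall's DMZ address instead of the real client."""
    return [r["raw"] for r in rules
            if r["table"] == "nat" and r["chain"] == "POSTROUTING"
            and r["opts"].get("-j") in ("SNAT", "MASQUERADE")
            and could_match(r, target_ip, dmz_iface, port)]


def audit(dump, dmz_iface, port=25):
    """Map each DNAT target for `port` to the rules that rewrite its source."""
    rules = parse_rules(dump)
    return {t: source_rewriters(rules, t, dmz_iface, port)
            for t in dnat_targets(rules, port)}


if __name__ == "__main__":
    # Usage: iptables-save | python3 audit_nat.py eth1   (falls back to the sample)
    iface = sys.argv[1] if len(sys.argv) > 1 else "eth1"
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    for host, hits in audit(dump, iface).items():
        print(f"DNAT target {host}:")
        for h in hits:
            print("  source rewritten by:", h)
```

Run it as root with `iptables-save | python3 audit_nat.py <dmz interface>`; on the sample it reports only `-A POSTROUTING -o eth1 -j MASQUERADE` for 192.168.1.25, while the eth0 MASQUERADE rule is correctly left out because it does not apply to traffic leaving on the DMZ interface. The check only covers rules present in the ruleset it is given; anything that reappears after the ruleset is flushed has to be traced to whatever re-adds it.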