Hosts File Violated


wlfdgcrkz

I returned to my LAN after a 3 day trip out of town to discover I was not able to ping by hostname. This was odd because these XP Pro clients receive their internet feed from a NATting Linux box and the internet was up. I looked at the hosts file and discovered that instead of the trusted hosts that had been established there were hundreds of random external IPs, most of them porn related. None of the BSD or Linux clients or servers on this LAN experienced the problem.

I tightened up the firewall and checked permissions for the file, and so far so good. However, I have no idea what happened. I am 100% confident that the hosts file was not changed by a local user because there was no one here. As to web browsing, I am again quite confident that the 50-year-old woman who works on that client was not viewing porn.

Any insight would be greatly appreciated.

thanks,

jacob

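The symptom described above (trusted LAN entries replaced by hundreds of external addresses) is easy to catch with a periodic check of the hosts file against a known-good mapping. The following script is an added example and is not code from the original thread; the trusted mapping, the LAN address ranges and the sample hosts file are all constructed values (the external addresses are documentation-range IPs) and would be replaced with the real network's entries.

```python
import hashlib
import ipaddress

# Address ranges this LAN treats as its own (assumption: loopback plus one
# RFC 1918 /16; adjust to the real network).
LAN_RANGES = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.0.0/16")]

# Known-good hostname -> address mapping (constructed example values).
TRUSTED = {
    "localhost": "127.0.0.1",
    "natbox": "192.168.1.10",
    "natbox.lan": "192.168.1.10",
    "xpclient1": "192.168.1.21",
    "printer": "192.168.1.30",
}

# Constructed hosts file imitating the symptom: two trusted lines survive,
# one trusted name is redirected off the LAN, the "printer" line is gone,
# and junk external entries have been appended.
SAMPLE_HOSTS = """\
# sample header comment
127.0.0.1       localhost
192.168.1.10    natbox natbox.lan

203.0.113.50    xpclient1
203.0.113.45    ads.example-junk.test   # injected
198.51.100.9    www.example-junk.test
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs, skipping comments, blanks and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address in the first column
        for name in parts[1:]:
            entries.append((str(ip), name.lower()))
    return entries


def audit_hosts(text, trusted, lan_ranges=LAN_RANGES):
    """Compare a hosts file against the known-good mapping.

    Returns a dict with four lists:
      hijacked   - trusted names now resolving to a different address
      unexpected - names that were never in the trusted mapping
      external   - entries whose address lies outside lan_ranges
      missing    - trusted names no longer present at all
    """
    report = {"hijacked": [], "unexpected": [], "external": [], "missing": []}
    seen = set()
    for ip, name in parse_hosts(text):
        seen.add(name)
        addr = ipaddress.ip_address(ip)
        if name in trusted:
            if trusted[name] != ip:
                report["hijacked"].append((name, ip))
        else:
            report["unexpected"].append((name, ip))
        if not any(addr in net for net in lan_ranges):
            report["external"].append((name, ip))
    report["missing"] = sorted(set(trusted) - seen)
    return report


def fingerprint(text):
    """SHA-256 of the file content; record the known-good value and compare on each run."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def is_suspicious(report):
    """Anything off-LAN, redirected or deleted is worth an alert."""
    return bool(report["hijacked"] or report["external"] or report["missing"])


if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS, TRUSTED)
    for kind, items in result.items():
        print(f"{kind}: {items}")
    print("suspicious:", is_suspicious(result))
```

Run on the sample, the audit reports `xpclient1` as hijacked, the two junk names as unexpected, all three off-LAN entries as external and `printer` as missing. On a real client the script would read `%SystemRoot%\system32\drivers\etc\hosts` (or `/etc/hosts`) instead of the embedded string, and the stored fingerprint gives a cheap first check before the line-by-line comparison.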

There has recently been an update for XP relating to an RPC security flaw, where a hacker could alter files on a comp remotely. Unless the NATting and firewall screwed up I cannot see how this could be the problem. :blink:


Thanks for the response. It was my understanding that my internal addresses would be concealed from the internet by my masquerading firewall. Someone would have to access the /etc/hosts file on the NAT box in order to locate the client. And I know permissions were all okay.

Were you saying that the address translation screwed up and my internal IP leaked? And why would one merely add a bunch of commercial porn sites to my hosts? Who benefits? If it was merely an attempt at delinquency, certainly they could have done more damage than that.


If it was just script kiddies, perhaps they know no more than this equivalent of 'I wuz ere', but I would be changing passwords etc. and notifying anybody that matters in case of further developments, i.e. banking / accounting details.


I've been thinking about the situation and I am still quite perplexed as to how it happened. I did some poking around, accessing that box from various servers. I used smbclient from a FreeBSD server and saw that the Windows directory was displayed as the C$ default share but was not readable by anyone. It is not listed as a shared directory and permissions are set to allow only admin r/w/x. Additionally, the Linux NAT box was apparently not tampered with. Telnet is disabled on all boxes and SSH is only accessible on internal interfaces. All external interfaces are set up as untrusted. What happened, where did I go wrong? How was the internal address of that M$ box discovered from behind that NATting wall? And why Windows?

Could it have been something downloaded from the internet from the host and then the script was executed? And wouldn't a process also have to abide by machine permissions? That seems more likely to me, although I know very little about security (particularly with Windows).

Has anyone ever seen this before?

thanks again,

jacob
