Hacked!!! Port 1080 Exploit!


Postby mcb » Sep 11 04 2:36 am

Yesterday we were hacked via the socks port (1080) used by Wingate. There were 3 sets of IP ranges that made it inside and were trying to send out spam. Luckily Symantec Enterprise AV stopped it. I blackholed the IP ranges for the attackers and the mayhem has stopped for now.

But at this point I am still unsure how the attackers made it inside. How would I determine this? Every attack was on the external adapter of the Wingate machine and all were directed to port 1080. The firewall settings were fairly brief and I saw no more settings to tweak there.

How does Wingate use port 1080? Can I block it altogether if my service ports are mapped (25, 80, 110 etc.)?

Anyone who has to deal with this type of exploit please lend me your observations. I am new to Wingate, so I am still getting used to the ways of a proxy server.

Thanks,

Matt
mcb
 
Posts: 41
Joined: Aug 07 04 7:36 am
Location: NE Tennessee

Postby labull » Sep 11 04 7:49 am

Matt,

If you're not using Socks you could just disable the service.

That should take care of it.

What version are you using?

Larry
WinGate Lurker
labull
WinGate Guru
 
Posts: 710
Joined: Sep 06 03 1:03 am
Location: Washington, DC - USA

Hacked!!! Port 1080 Exploit!

Postby mcb » Sep 11 04 8:28 am

Thanks for your reply. I did go ahead and disable that service. This internal IP is still continuing to try to contact port 1080. I went ahead and blocked port 1080 for all LAN and WAN computers.

I guess what concerns me most is that a machine on our internal network is exhibiting such suspect behaviour, and right around the time we had a documented intrusion. We use Symantec Enterprise AV and nothing has shown up in subsequent scans.

As for Wingate, we use 5.2.2. I have been trying to upgrade to 6.0.1, but every time I do, communication with our mail server gets blocked. We use straight-through mapping to accomplish this, so it has been a mystery to techs why we get this problem.

I do think my bases are covered as far as an exploit on this particular port. But I am still uneasy since I don't know how these guys made it in unsolicited past the firewall. Wingate was serving them as if they were internal network machines until I blackholed their IP ranges.

Thanks again for your help.

Matt
mcb
 
Posts: 41
Joined: Aug 07 04 7:36 am
Location: NE Tennessee

Postby labull » Sep 11 04 8:35 am

6.0.2 is out. Here's one of the fixes:

15. Changed the default behavior of adapter detection, so that an adapter with a private IP and a default gateway will now show as Internal.


Don't know if that fixes your problem but you might give it a try!

Larry
WinGate Lurker
labull
WinGate Guru
 
Posts: 710
Joined: Sep 06 03 1:03 am
Location: Washington, DC - USA

Re: Hacked!!! Port 1080 Exploit!

Postby controlair » Sep 11 04 12:08 pm

mcb wrote:Thanks for your reply. I did go ahead and disable that service. This internal IP is still continuing to try to contact port 1080. I went ahead and blocked port 1080 for all LAN and WAN computers.

I guess what concerns me most is that a machine on our internal network is exhibiting such suspect behaviour, and right around the time we had a documented intrusion. We use Symantec Enterprise AV and nothing has shown up in subsequent scans.

As for Wingate, we use 5.2.2. I have been trying to upgrade to 6.0.1, but every time I do, communication with our mail server gets blocked. We use straight-through mapping to accomplish this, so it has been a mystery to techs why we get this problem.

I do think my bases are covered as far as an exploit on this particular port. But I am still uneasy since I don't know how these guys made it in unsolicited past the firewall. Wingate was serving them as if they were internal network machines until I blackholed their IP ranges.

Thanks again for your help.

Matt


Were you able to determine what internal machine it was and what software/service is attempting to remote? Could have been a spyware/filesharing app with a backdoor. I doubt it's a virus/trojan or your NAVCE would have taken care of business.
CACC
controlair
 
Posts: 7
Joined: Sep 11 04 6:42 am

Postby adrien » Sep 11 04 12:41 pm

Actually use of port 1080 is quite common, and not necessarily suspicious.

Apps like ICQ, or even Internet Explorer (if configured to use a SOCKS server in its proxy configuration), will use SOCKS.

However it would definitely be a really bad idea to have your SOCKS server in WinGate available to users on the Internet.

This must have meant that port 1080 was open for connections from the Internet?

Your SOCKS server logs should show who was connecting.

If it was closed, what type of Internet connection do you use, and how does the WinGate machine connect to it?

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland
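Adrien's point that the SOCKS logs show who was connecting is the check to run. The script below is an added example, not code from this thread or from WinGate: it reads connection records (in a constructed format, not WinGate's own), keeps only those aimed at port 1080, and splits the sources into RFC 1918 internal hosts versus Internet addresses, then collapses the external ones into /24 ranges of the kind mcb blackholed. Any non-empty external list means the SOCKS service was reachable from the outside.

```python
import ipaddress
from collections import Counter

SOCKS_PORT = 1080
# Address blocks treated as "inside" (RFC 1918, loopback, link-local). Listed explicitly
# instead of using ipaddress.is_private, which also matches the documentation ranges
# (203.0.113.0/24, 192.0.2.0/24) used for the constructed external sources below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample records: "date time src_ip:src_port -> dst_ip:dst_port".
# This is not WinGate's log format; adapt parse_line() to the real log layout.
SAMPLE_LOG = """\
2004-09-10 02:11:07 203.0.113.45:51522 -> 198.51.100.7:1080
2004-09-10 02:11:09 203.0.113.46:51530 -> 198.51.100.7:1080
2004-09-10 02:12:40 192.168.1.23:3355 -> 198.51.100.7:1080
2004-09-10 02:13:01 192.0.2.200:4010 -> 198.51.100.7:1080
2004-09-10 02:13:05 192.168.1.23:3356 -> 198.51.100.7:25
"""

def parse_line(line):
    """Return (src_ip, dst_port) for one sample record, or None if it is malformed."""
    try:
        _date, _time, src, _arrow, dst = line.split()
        src_ip = ipaddress.ip_address(src.rsplit(":", 1)[0])
        return src_ip, int(dst.rsplit(":", 1)[1])
    except ValueError:
        return None

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def audit_socks_sources(log_text, port=SOCKS_PORT):
    """Count connections to `port` per source IP, split into internal and external callers."""
    internal, external = Counter(), Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[1] != port:
            continue
        bucket = internal if is_internal(parsed[0]) else external
        bucket[str(parsed[0])] += 1
    return internal, external

def external_ranges(external, prefix=24):
    """Collapse external sources into /prefix networks, the unit a blackhole rule targets."""
    nets = Counter()
    for ip, n in external.items():
        nets[str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))] += n
    return nets
```

On the sample the external list holds three Internet sources in two /24 ranges, while the one internal client (192.168.1.23) is the kind of host the thread suggests inspecting for software that speaks SOCKS.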

