I have a small network: 3 Windows machines and my Linux box. The Windows machines are all running Norton's Firewall. With Linux I set it up with high-security tables. All behind a hardware router.
It started a couple of days ago when I noticed my zip drive light up. I did a netstat and noticed the Dude was connected to my box. Now I have a virtual Windows on my box with Samba networking the zip and a temp directory. I disconnected the network drive and broke the connection. So it looks like he was in through one of my Windows machines. As long as I didn't fire up the virtual Windows machine my box was shielded. If I start it up he will eventually connect.
Last night I started scanning myself with nmap trying to figure out how he is getting in (by the way, he is on a Linux box). I can't get past the router scanning unless I send ACK packets; then I learn Norton's is wide open to someone who knows what they are doing.
This morning he connected direct to my Linux box. I shut down all incoming to eth0 and killed the connection. I started tcpdump and pointed it at the router gateway and sure enough he shows up. I am over my head in this. He/She was sending stuff like "awk whois Ip number" and some stuff about icmb. When I have the machine locked down he can't get in.
I think he is hijacking sessions and cruising past the router at that point.
That's my sad story. I could use a little advice as to how to approach this. I have been reading about firewall setups and it's going to take me a while to get a grip on it.
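The netstat check described in the post above, turned into a small script (an added example, not code from the thread): it parses `netstat -tn` output and flags established connections whose peer is outside the home LAN, tagging any that reach the Samba ports. The sample netstat lines are constructed, and the LAN range and port list are assumptions to adjust for your own network.

```python
# Added example: flag established TCP connections from outside the LAN in
# `netstat -tn` output. Sample data is constructed; LAN range is an assumption.
import ipaddress
import re

LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed home LAN
WATCH_PORTS = {139, 445}                        # NetBIOS / SMB ports used by Samba

# Constructed sample of `netstat -tn` output on the Linux box.
SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.10:139        192.168.1.21:1034       ESTABLISHED
tcp        0      0 192.168.1.10:139        203.0.113.45:3127       ESTABLISHED
tcp        0      0 192.168.1.10:22         203.0.113.45:3140       ESTABLISHED
tcp        0      0 192.168.1.10:80         198.51.100.7:51000      TIME_WAIT
"""

# Matches one tcp/tcp6 line: local addr:port, foreign addr:port, state.
LINE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)")

def parse_netstat(text):
    """Yield (local_ip, local_port, remote_ip, remote_port, state) per TCP line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield (m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), m.group(5))

def suspicious_connections(text, lan=LAN, watch_ports=WATCH_PORTS):
    """Return (remote_ip, remote_port, local_port, tag) for every ESTABLISHED
    connection whose peer is not on the LAN. A file share should only ever be
    reached from local machines, so hits on the Samba ports are tagged."""
    findings = []
    for _local_ip, lport, remote_ip, rport, state in parse_netstat(text):
        if state != "ESTABLISHED":
            continue
        if ipaddress.ip_address(remote_ip) in lan:
            continue
        tag = "SMB-share" if lport in watch_ports else "other"
        findings.append((remote_ip, rport, lport, tag))
    return findings

if __name__ == "__main__":
    for remote_ip, rport, lport, tag in suspicious_connections(SAMPLE):
        print(f"{remote_ip}:{rport} -> local port {lport} [{tag}]")
```

Run it against live output with `netstat -tn | python3 script.py` after swapping `SAMPLE` for `sys.stdin.read()`; anything it prints is a connection the router should not have let through.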
Wow, David :) One thing I would do is change the hardware firewall password, and if it has SNMP enabled, change it out of the group *PUBLIC to anything else like BOB. *PUBLIC = your hardware password, and if they do an SNMP dump and dump the config for your hardware they could have the password in plain text. Learn more about SNMP and MIBs by going to the hardware's website. They may be able to upload a new config via TFTP to the hardware.
Make sure your hardware is configured properly to not allow incoming connections except on specific ports to specific machines, to figure out more about what he is doing.
There are millions of books on security; it's just hard to find the right ones.
First I'd go by cert.org and nsa.gov to look at rocketdicing my OS and applications (all of them, Linux and Windows). Next I would install a third-party logging system, to make it hard for the dude to fumble with my OS log without me knowing about it. Then I would look at a firewall switch like zywall 1.
Come back with some info on how you solve this problem. I, for one, would love to hear.