Gentoo Forums
strange behavior / machine compromised?
Gentoo Forums Forum Index Networking & Security
e3k
Apprentice
Joined: 01 Oct 2007
Posts: 167
Location: Slovakia
PostPosted: Sun Dec 02, 2012 5:49 pm    Post subject: strange behavior / machine compromised?

First, mplayer dropped from fullscreen to a window.
Then I checked iptables -L and everything was open.
Then I set up basic iptables rules, but there is some NAT configuration inside /var/lib/iptables/rules-save which I did not add:
Code:

...
*nat
:PREROUTING ACCEPT [389:30114]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [733:75266]
:POSTROUTING ACCEPT [733:75266]
COMMIT
...


Oh, and also for some months I have had a message that the hw clock could not be set, but now also that it can't be stopped at shutdown.

Any ideas what else I could check?
_________________
---__o__---
e3k
Apprentice
Joined: 01 Oct 2007
Posts: 167
Location: Slovakia
PostPosted: Wed Jan 02, 2013 12:00 pm    Post subject:

The story went on like this:

Suddenly my gcc got broken when I tried to install lsof to check what was writing to my iptables config file.
When trying to repair gcc from a tarball, almost all links to useful commands such as emerge broke.

I decided to reinstall, so I booted from an old livecd, but the strange behaviour went on:
when emerging gentoo-sources, emerge pulled something like 30 packages besides gentoo-sources.

So I suspected a man-in-the-middle attack on my old router/DSL modem. After replacing the piece I was able to reinstall gentoo and the system now behaves normally...

The question is how well gentoo is protected if somebody/something takes control of your router. Is it possible to redirect the traffic somewhere to fake a portage and then install tampered packages into gentoo during a standard update?
_________________
---__o__---
ulenrich
Veteran
Joined: 10 Oct 2010
Posts: 1122
PostPosted: Wed Jan 02, 2013 2:21 pm    Post subject:

emerge-webrsync
... then you will be on the safe side.
_________________
fun2gen2
e3k
Apprentice
Joined: 01 Oct 2007
Posts: 167
Location: Slovakia
PostPosted: Wed Jan 02, 2013 4:13 pm    Post subject:

Done. No more emerge --sync for me now.
I wonder why there is only an emerge-webrsync/pgp implementation.
Thank you.
_________________
---__o__---
Hu
Watchman
Joined: 06 Mar 2007
Posts: 8602
PostPosted: Wed Jan 02, 2013 11:44 pm    Post subject:

Note that emerge-webrsync is only safer if you have a way to validate the signature of the downloaded file. To do that, you need to obtain the public portion of the signing key through a secure channel, and trust that your system's ability to validate signatures is not compromised.
kerframil
l33t
Joined: 19 Apr 2002
Posts: 710
Location: London, UK
PostPosted: Thu Jan 03, 2013 5:49 am    Post subject: Re: strange behavior / machine compromised?

e3k wrote:
Then I checked iptables -L and everything was open.


If you're behind a router performing NAT then that doesn't necessarily matter.

e3k wrote:
Then I set up basic iptables rules, but there is some NAT configuration inside /var/lib/iptables/rules-save which I did not add:
Code:

...
*nat
:PREROUTING ACCEPT [389:30114]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [733:75266]
:POSTROUTING ACCEPT [733:75266]
COMMIT
...


The policy for all built-in chains defaults to ACCEPT. There's nothing unusual about this.
e3k
Apprentice
Joined: 01 Oct 2007
Posts: 167
Location: Slovakia
PostPosted: Thu Jan 03, 2013 7:54 am    Post subject: Re: strange behavior / machine compromised?

kerframil wrote:
e3k wrote:
Then I checked iptables -L and everything was open.


If you're behind a router performing NAT then that doesn't necessarily matter.

The policy for all built-in chains defaults to ACCEPT. There's nothing unusual about this.


It is safer to connect directly than to connect via a compromised router...

And yes, the NAT part was a false alarm, but the fact that my iptables got overwritten permanently to ACCEPT everything was strange (and I did save them after editing; even when I edited the config file manually it got changed).
_________________
---__o__---
e3k
Apprentice
Joined: 01 Oct 2007
Posts: 167
Location: Slovakia
PostPosted: Thu Jan 03, 2013 7:55 am    Post subject:

Hu wrote:
Note that emerge-webrsync is only safer if you have a way to validate the signature of the downloaded file. To do that, you need to obtain the public portion of the signing key through a secure channel, and trust that your system's ability to validate signatures is not compromised.

I changed the router, so I now have more trust in the channel, or should I book a plane ticket and go with a USB key to download it somewhere :)?
_________________
---__o__---
kerframil
l33t
Joined: 19 Apr 2002
Posts: 710
Location: London, UK
PostPosted: Thu Jan 03, 2013 8:16 am    Post subject: Re: strange behavior / machine compromised?

e3k wrote:
And yes, the NAT part was a false alarm, but the fact that my iptables got overwritten permanently to ACCEPT everything was strange (and I did save them after editing; even when I edited the config file manually it got changed).

The chances of this being a mistake on your part are vastly greater. Also, if SAVE_ON_STOP is set to "yes" in /etc/conf.d/iptables and you have iptables in your default runlevel, the rules will be saved upon shutdown. This is worth mentioning because it can lead to accidental loss if the tables are not in the desired state.
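The two points kerframil makes (an ACCEPT policy on the built-in chains is the kernel default and means nothing on its own, and SAVE_ON_STOP="yes" makes the shutdown state of the tables overwrite the saved file) can both be checked on a box without guessing. The script below is an added example, not code from this thread or from Gentoo's init scripts: it parses an iptables-save style dump (the format of /var/lib/iptables/rules-save) to report each built-in chain's policy, flags a filter table that is all-ACCEPT with no rules, and reads SAVE_ON_STOP from an /etc/conf.d/iptables style file. The two rule dumps and the conf file it runs against are constructed samples written to temporary files, so it runs offline; point the functions at the real paths to audit a live system.

```shell
#!/bin/sh
# Added example (not from the thread or from Gentoo): audit an iptables-save
# style dump and the SAVE_ON_STOP setting from /etc/conf.d/iptables.

# Print "table chain policy" for every built-in chain in the dump $1.
# Format: "*table" opens a table, ":CHAIN POLICY [pkts:bytes]" declares a chain
# (user-defined chains carry the policy "-"), "COMMIT" closes the table.
chain_policies() {
    awk '
        /^\*/     { table = substr($0, 2); next }
        /^:/      { chain = substr($1, 2); if ($2 != "-") print table, chain, $2; next }
        /^COMMIT/ { table = ""; next }
    ' "$1"
}

# Print filter-table built-in chains whose policy is ACCEPT. ACCEPT is the
# default for every built-in chain, so it is unremarkable in the nat table;
# in the filter table an ACCEPT policy with no rules means everything is open.
open_filter_chains() {
    chain_policies "$1" | awk '$1 == "filter" && $3 == "ACCEPT" { print $2 }'
}

# Count the rules (-A lines) in the filter table of dump $1.
filter_rule_count() {
    awk '/^\*/ { table = substr($0, 2) }
         table == "filter" && /^-A/ { n++ }
         END { print n + 0 }' "$1"
}

# Read SAVE_ON_STOP from an /etc/conf.d/iptables style file $1; prints yes or no.
# With yes, the running rules overwrite the saved file at shutdown, so whatever
# the tables hold at that moment (possibly all-ACCEPT) is what comes back at boot.
save_on_stop() {
    val=$(sed -n 's/^[[:space:]]*SAVE_ON_STOP=["'\'']\{0,1\}\([a-zA-Z]*\).*/\1/p' "$1" | tail -n 1)
    [ "$val" = "yes" ] && echo yes || echo no
}

# One-word verdict: OPEN when filter INPUT policy is ACCEPT and no filter rules exist.
verdict() {
    if open_filter_chains "$1" | grep -qx INPUT && [ "$(filter_rule_count "$1")" -eq 0 ]; then
        echo OPEN
    else
        echo FILTERED
    fi
}

# Constructed sample: the nat table quoted in the thread plus an empty filter
# table left at the all-ACCEPT default.
OPEN_RULES=$(mktemp)
cat > "$OPEN_RULES" <<'EOF'
*nat
:PREROUTING ACCEPT [389:30114]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [733:75266]
:POSTROUTING ACCEPT [733:75266]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF

# Constructed sample: a basic default-deny filter table for comparison.
SAFE_RULES=$(mktemp)
cat > "$SAFE_RULES" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF

# Constructed sample of /etc/conf.d/iptables with saving at shutdown enabled.
CONF=$(mktemp)
printf '# constructed sample\nSAVE_ON_STOP="yes"\n' > "$CONF"
trap 'rm -f "$OPEN_RULES" "$SAFE_RULES" "$CONF"' EXIT

printf 'all-ACCEPT dump:  %s\n' "$(verdict "$OPEN_RULES")"   # OPEN
printf 'default-deny dump: %s\n' "$(verdict "$SAFE_RULES")"  # FILTERED
printf 'SAVE_ON_STOP:      %s\n' "$(save_on_stop "$CONF")"   # yes
```

On a live Gentoo box the same checks read `chain_policies /var/lib/iptables/rules-save` and `save_on_stop /etc/conf.d/iptables`; if the second prints yes and the first shows the filter table at ACCEPT with no rules, the most likely history is that the rules were flushed (or never loaded) before a shutdown saved that empty state, which is the accidental-loss case kerframil describes.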
roravun
Tux's lil' helper
Joined: 05 Sep 2012
Posts: 82
PostPosted: Thu Jan 03, 2013 8:46 am    Post subject:

e3k,

I too do not think you were under attack. A mildly experienced gentooer could set up a fake mirror and portage tree that would not look suspicious at all.
You could hide hostile payloads in thousands of places that would go unnoticed if you didn't take additional precautions. This "attack" just seems so amateur. ;-)
e3k
Apprentice
Joined: 01 Oct 2007
Posts: 167
Location: Slovakia
PostPosted: Thu Jan 03, 2013 9:37 am    Post subject:

roravun wrote:
e3k,

I too do not think you were under attack. A mildly experienced gentooer could set up a fake mirror and portage tree that would not look suspicious at all.
You could hide hostile payloads in thousands of places that would go unnoticed if you didn't take additional precautions. This "attack" just seems so amateur. ;-)


I can only guess what it was, and my theory is that my router was hacked by a bot which attacked someone outside, who then attacked me to force me to reinstall and replace the router.
But of course it could also be that multiple things broke accidentally on my gentoo. It is hard for me to believe, though, as until now (years) I had no problems with it, and I did not do anything special with my system in the last days before the attack or "attack".
_________________
---__o__---