e3k Guru
Joined: 01 Oct 2007 Posts: 513 Location: Inner Space
Posted: Sun Dec 02, 2012 5:49 pm Post subject: strange behavior / machine compromised?
first the mplayer dropped from fullscreen to window.
then i checked iptables -L and everything was open.
then i set up a basic iptables but there is some NAT configuration inside /var/lib/iptables/rules-save which i did not add:
Code:
...
*nat
:PREROUTING ACCEPT [389:30114]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [733:75266]
:POSTROUTING ACCEPT [733:75266]
COMMIT
...
oh and also for some months i have had a message that the hw clock could not be set, but now also that it can't be stopped at shutdown.
any ideas what else i could check?
_________________
Flux & Contemplation - Portrait of an Artist in Isolation
e3k Guru
Joined: 01 Oct 2007 Posts: 513 Location: Inner Space
Posted: Wed Jan 02, 2013 12:00 pm Post subject:
the story went on like this:
suddenly my gcc got broken when i tried to install lsof to check what is writing to my iptables config file.
when trying to repair gcc from a tarball, almost all links to useful commands such as emerge broke.
i decided to reinstall so i booted from an old livecd, but the strange behaviour went on:
when emerging gentoo-sources, emerge pulled something like 30 packages besides gentoo-sources.
so i suspected a man in the middle attack on my old router/dsl modem. after replacing the piece i was able to reinstall gentoo and the system now behaves normally...
the question is how well is gentoo protected if somebody/something takes control of your router. is it possible to redirect the traffic somewhere to fake a portage and then install tampered packages into gentoo during a standard update?
_________________
Flux & Contemplation - Portrait of an Artist in Isolation
ulenrich Veteran
Joined: 10 Oct 2010 Posts: 1480
Posted: Wed Jan 02, 2013 2:21 pm Post subject:
emerge-webrsync
... then you will be on the safe side.
Hu Moderator
Joined: 06 Mar 2007 Posts: 21633
Posted: Wed Jan 02, 2013 11:44 pm Post subject:
Note that emerge-webrsync is only safer if you have a way to validate the signature of the downloaded file. To do that, you need to obtain the public portion of the signing key through a secure channel, and trust that your system's ability to validate signatures is not compromised.
474 l33t
Joined: 19 Apr 2002 Posts: 714
Posted: Thu Jan 03, 2013 5:49 am Post subject: Re: strange behavior / machine compromised?
e3k wrote: | then i checked iptables -L and everything was open. |
If you're behind a router performing NAT then that doesn't necessarily matter.
e3k wrote: | then i set up a basic iptables but there is some NAT configuration inside /var/lib/iptables/rules-save which i did not add:
Code:
...
*nat
:PREROUTING ACCEPT [389:30114]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [733:75266]
:POSTROUTING ACCEPT [733:75266]
COMMIT
... |
The policy for all built-in chains defaults to ACCEPT. There's nothing unusual about this.
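To make the point above checkable rather than eyeballed, here is an added audit script (not code from the thread or from Gentoo) that parses the iptables-save format quoted in the posts: it records each table's built-in chain policies and reports only the finding that actually matters, a filter chain whose policy is ACCEPT with no rules behind it, while treating the nat table's ACCEPT policies as the normal default. The dump below is a constructed sample based on the post, with a filter table added.

```python
"""Audit an iptables-save dump (the /var/lib/iptables/rules-save format)."""
import re

# :CHAIN POLICY [packets:bytes]
CHAIN_RE = re.compile(r"^:(\S+)\s+(\S+)\s+\[(\d+):(\d+)\]$")

# Constructed sample: the nat table from the post plus a filter table that
# accepts everything and has no rules (what "everything was open" looks like).
SAMPLE_DUMP = """\
# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [389:30114]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [733:75266]
:POSTROUTING ACCEPT [733:75266]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

def parse_rules_save(text):
    """Return {table: {"chains": {name: (policy, pkts, bytes)}, "rules": [...]}}."""
    tables, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                 # start of a table
            current = line[1:]
            tables[current] = {"chains": {}, "rules": []}
        elif line == "COMMIT":                   # end of the current table
            current = None
        elif (m := CHAIN_RE.match(line)):        # chain declaration with policy
            name, policy, pkts, byts = m.groups()
            tables[current]["chains"][name] = (policy, int(pkts), int(byts))
        elif line.startswith("-A"):              # an actual rule
            tables[current]["rules"].append(line)
    return tables

def open_by_default(tables):
    """Findings: filter INPUT/FORWARD chains that ACCEPT by default with no rules."""
    f = tables.get("filter")
    if f is None:
        return ["no filter table: nothing is filtered at all"]
    findings = []
    for chain in ("INPUT", "FORWARD"):
        policy = f["chains"].get(chain, ("ACCEPT",))[0]
        rules = [r for r in f["rules"] if r.split()[1] == chain]
        if policy == "ACCEPT" and not rules:
            findings.append(f"filter/{chain}: policy ACCEPT with no rules")
    return findings
```

Run it against the real file with `open_by_default(parse_rules_save(open("/var/lib/iptables/rules-save").read()))`; an empty list means every filter chain either drops by default or has rules in front of its ACCEPT policy.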
e3k Guru
Joined: 01 Oct 2007 Posts: 513 Location: Inner Space
Posted: Thu Jan 03, 2013 7:54 am Post subject: Re: strange behavior / machine compromised?
kerframil wrote: | e3k wrote: | then i checked iptables -L and everything was open. |
If you're behind a router performing NAT then that doesn't necessarily matter.
The policy for all built-in chains defaults to ACCEPT. There's nothing unusual about this. |
it is safer to connect directly than to connect via a compromised router...
and yes the NAT part was a false alarm, but the fact that my iptables got overwritten permanently to ACCEPT everything was strange (and i did save them after editing; even when i edited the config file manually it got changed)
_________________
Flux & Contemplation - Portrait of an Artist in Isolation
e3k Guru
Joined: 01 Oct 2007 Posts: 513 Location: Inner Space
Posted: Thu Jan 03, 2013 7:55 am Post subject:
Hu wrote: | Note that emerge-webrsync is only safer if you have a way to validate the signature of the downloaded file. To do that, you need to obtain the public portion of the signing key through a secure channel, and trust that your system's ability to validate signatures is not compromised. |
i changed the router so i now have more trust in the channel, or should i book a plane ticket and go with a usb key to download it somewhere?
_________________
Flux & Contemplation - Portrait of an Artist in Isolation
474 l33t
Joined: 19 Apr 2002 Posts: 714
Posted: Thu Jan 03, 2013 8:16 am Post subject: Re: strange behavior / machine compromised?
e3k wrote: | and yes the NAT part was a false alarm, but the fact that my iptables got overwritten permanently to ACCEPT everything was strange (and i did save them after editing; even when i edited the config file manually it got changed) |
The chances of this being a mistake on your part are vastly greater. Also, if SAVE_ON_STOP is set to "yes" in /etc/conf.d/iptables and you have iptables in your default runlevel, the rules will be saved upon shutdown. This is worth mentioning because it can lead to accidental loss if the tables are not in the desired state.
roravun Tux's lil' helper
Joined: 05 Sep 2012 Posts: 82
Posted: Thu Jan 03, 2013 8:46 am Post subject:
e3k,
I too do not think you were under attack. A mildly experienced gentooer could set up a fake mirror and portage tree that would not look suspicious at all.
You could hide hostile payloads in thousands of places that would go unnoticed if you didn't take additional precautions. This "attack" just seems so amateur.
e3k Guru
Joined: 01 Oct 2007 Posts: 513 Location: Inner Space
Posted: Thu Jan 03, 2013 9:37 am Post subject:
roravun wrote: | e3k,
I too do not think you were under attack. A mildly experienced gentooer could set up a fake mirror and portage tree that would not look suspicious at all.
You could hide hostile payloads in thousands of places that would go unnoticed if you didn't take additional precautions. This "attack" just seems so amateur. |
i can only guess what it was and my theory is that my router was hacked by a bot which attacked someone outside, who then attacked me to force me to reinstall and replace the router.
but of course it could also be that multiple things broke accidentally on my gentoo, but that is hard for me to believe, as until now (years) i had no problems with it, and i did not do anything special with my system in the last days before the attack or "attack".
_________________
Flux & Contemplation - Portrait of an Artist in Isolation