Gentoo Forums
has this m/c been compromised?
Gentree
Watchman


Joined: 01 Jul 2003
Posts: 5227
Location: France, Old Europe

Posted: Tue Oct 29, 2013 8:08 pm    Post subject: has this m/c been compromised?

re https://forums.gentoo.org/viewtopic.php?p=7427534#7427534

After much chasing, the cause of what has reconfigured the network remains a mystery.

During the period since I last used the LAN in a working state and the day I first noticed the config had changed, there was an incident of suspicious disk activity and CPU usage notably more than justified by my activities. I powered off the router and rebooted (and there has been no repeat of that problem).

This leads to the question, has the machine been compromised?

Gentoo forum's best and brightest seem unable to find a cause for the reconfiguration. I did not mess with it, so that raises the possibility someone else did.

Is there any way to check this possibility or should I just assume the worst and decide what distro I'm going to use for a clean installation?

TIA, Gentree. 8)
_________________
Linux, because I'd rather own a free OS than steal one that's not worth paying for.

AthlonXP-M on A7N8X @ 2.6/2.4GHz (winter/summer)
2.6.32-hh1 : portage ~x86
zeronullity
Tux's lil' helper


Joined: 16 Oct 2010
Posts: 94

Posted: Wed Oct 30, 2013 12:16 am    Post subject:

I skimmed through the post, however if you're running dhcpcd.. all addresses should be considered dynamic.
Even if your ISP assigns static IPs.. for example, say if your ISP or modem device has an error, it may report
incorrect information to dhcpcd and therefore dhcpcd will assign incorrect information.
If you're serious about security, run a hardened installation if you're not already.. check for rootkits.. and perhaps
do checksum checking against files for changes. Disable remote access and any other unneeded services.
And run tripwire type programs. In any case, is it possible there has been a security breach, YES. However
extremely unlikely based on the information you gave.

Perhaps it might be worth checking your hardware - hdd,memory etc..
And seeing if your ISP has made any recent changes or had any other issues related to dhcp..
firmware updates to devices etc.

Running programs like inotifywait, etc.. will give you a list of files currently being accessed.
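The checksum comparison suggested in the post above, sketched as an added example that is not part of the original thread: it records a SHA-256 digest plus mode and owner for every file under a directory, then reports what was added, removed or changed since the baseline. The file names and config values are constructed stand-ins for `/etc`, and the result is only meaningful if the baseline was taken while the system was known good and is stored off the machine.

```python
import hashlib, json, os, pathlib, stat, tempfile

def snapshot(root):
    """Map each file under root to [digest, mode, uid, gid]."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = pathlib.Path(dirpath, name)
            st = path.lstat()
            if stat.S_ISLNK(st.st_mode):
                digest = "link:" + os.readlink(path)  # catches a retargeted symlink
            elif stat.S_ISREG(st.st_mode):
                digest = hashlib.sha256(path.read_bytes()).hexdigest()
            else:
                continue  # sockets, FIFOs, device nodes
            state[str(path.relative_to(root))] = [
                digest, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid]
    return state

def compare(baseline, current):
    """Return (change, path) pairs, sorted by path."""
    report = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old != new:
            kind = ("added" if old is None else "removed" if new is None
                    else "content" if old[0] != new[0] else "metadata")
            report.append((kind, path))
    return report

def demo():
    """Constructed tree standing in for /etc; returns the change report."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, text, mode=0o644):
            path = pathlib.Path(root, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(text)
            path.chmod(mode)
        write("conf.d/net", 'config_eth0="192.0.2.10/24"\n')
        write("hosts", "127.0.0.1 localhost\n")
        write("resolv.conf", "nameserver 192.0.2.1\n")
        baseline = json.loads(json.dumps(snapshot(root)))  # as if reloaded from a file
        write("conf.d/net", 'config_eth0="dhcp"\n')          # content change
        write("hosts", "127.0.0.1 localhost\n", mode=0o666)  # permission change only
        (pathlib.Path(root) / "resolv.conf").unlink()        # removal
        write("local.d/extra.start", "#!/bin/sh\n", 0o755)   # new file
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A changed digest only says that a file differs from the baseline, not who changed it; a package update or a DHCP client rewriting `resolv.conf` shows up the same way.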
PaulBredbury
Watchman


Joined: 14 Jul 2005
Posts: 7310

Posted: Wed Oct 30, 2013 12:55 am    Post subject: Re: has this m/c been compromised?

Gentree wrote:
reconfigured the network

Why would a hacker do that?

It's far more likely to be e.g. a loose network cable.
Gentree
Watchman


Joined: 01 Jul 2003
Posts: 5227
Location: France, Old Europe

Posted: Wed Oct 30, 2013 6:08 am    Post subject:

Hi Paul,

I don't understand that comment.

I had a NIC configured with a hard coded, fixed IP. That has worked for about the last four or five years with that method. The particular IP used probably last changed about two years back.

How would a cable problem change that?
snkmoorthy
Guru


Joined: 19 Nov 2002
Posts: 333

Posted: Wed Oct 30, 2013 7:24 am    Post subject:

The 169.x.x.x APIPA address gets assigned by DHCP/Zeroconf... This is a fallback address for whatever reason.