Gentree Watchman
Joined: 01 Jul 2003 Posts: 5350 Location: France, Old Europe
|
Posted: Tue Oct 29, 2013 8:08 pm Post subject: has this m/c been compromised? |
|
|
re https://forums.gentoo.org/viewtopic.php?p=7427534#7427534
After much chasing, the cause of what has reconfigured the network remains a mystery.
During the period since I last used the LAN in a working state and the day I first noticed the config had changed there was an incident of suspicious disk activity and CPU usage notably more than justified by my activities. I powered off the router and rebooted (and there has been no repeat of that problem).
This leads to the question, has the machine been compromised?
Gentoo forum's best and brightest seem unable to find a cause for the reconfiguration. I did not mess with it, so that raises the possibility someone else did.
Is there any way to check this possibility, or should I just assume the worst and decide what distro I'm going to use for a clean installation?
TIA, Gentree.
_________________
Linux, because I'd rather own a free OS than steal one that's not worth paying for.
Gentoo because I'm a masochist
AthlonXP-M on A7N8X. Portage ~x86 |
|
zeronullity Tux's lil' helper
Joined: 16 Oct 2010 Posts: 103
|
Posted: Wed Oct 30, 2013 12:16 am Post subject: |
|
|
I skimmed through the post; however, if you're running dhcpcd, all addresses should be considered dynamic.
Even if your ISP assigns static IPs: for example, say your ISP or modem device has an error, it may report
incorrect information to dhcpcd, and therefore dhcpcd will assign incorrect information.
If you're serious about security, run a hardened installation if you're not already, check for rootkits, and perhaps
do checksum checking against files for changes. Disable remote access and any other unneeded services.
And run Tripwire-type programs. In any case, is it possible there has been a security breach? YES. However,
extremely unlikely based on the information you gave.
Perhaps it might be worth checking your hardware - HDD, memory, etc.
And seeing if your ISP has made any recent changes or had any other issues related to DHCP,
firmware updates to devices, etc.
Running programs like inotifywait, etc. will give you a list of files currently being accessed. |
|
PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7310
|
Posted: Wed Oct 30, 2013 12:55 am Post subject: Re: has this m/c been compromised? |
|
|
Gentree wrote: | reconfigured the network |
Why would a hacker do that?
It's far more likely to be e.g. a loose network cable. |
|
Gentree Watchman
Joined: 01 Jul 2003 Posts: 5350 Location: France, Old Europe
|
Posted: Wed Oct 30, 2013 6:08 am Post subject: |
|
|
Hi Paul,
I don't understand that comment.
I had a NIC configured with a hard coded, fixed IP. That has worked for about the last four or five years with that method. The particular IP used probably last changed about two years back.
How would a cable problem change that? |
|
snkmoorthy Guru
Joined: 19 Nov 2002 Posts: 376
|
Posted: Wed Oct 30, 2013 7:24 am Post subject: |
|
|
The 169.x.x.x APIPA address gets assigned by DHCP/Zeroconf... This is a fallback address for whatever reason. |