has this m/c been compromised?

Gentree · Posted: Tue Oct 29, 2013 8:08 pm Post subject: has this m/c been compromised?

re https://forums.gentoo.org/viewtopic.php?p=7427534#7427534

After much chasing, the cause of what has reconfigured the network remains a mystery.

During the period since I last used the LAN in a working state and the day I first noticed the config had changed there was an incident of suspicious disk activity and CPU usage notably more than justified by my activities. I powered off the router and rebooted ( and there has been no repeat of that problem.)

This leads to the question, has the machine been compromised?

Gentoo forum's breast and brightest seem unable to find a cause for the reconfiguration, I did not mess with it, so that raises the possibility someone else did.

Is there anyway to check this possibility or should I just assume the worst and decide what distro I'm going to use for a clean installation?

TIA, Gentree.

_________________
Linux, because I'd rather own a free OS than steal one that's not worth paying for.
Gentoo because I'm a masochist
AthlonXP-M on A7N8X. Portage ~x86

zeronullity · Tux's lil' helper Joined: 16 Oct 2010 Posts: 103

I skimmed through the post however if your running dhcpcd.. all addresses should be consider dynamic.
Even if your ISP assigns static IPs.. for example say if your ISP or modem device has an error it may report
incorrect information to dhcpcd and there for dhcpcd will assign incorrect information.
If your serious about security run a hardened installation if your not already.. check for root kits.. and perhaps
do checksum checking against files for changes. Disable remote access and any other unneeded services.
And run tripewire type programs. In any case is it possible there has been a security breech, YES. However
extremely unlikely based on the information you gave.

Perhaps it might be worth checking your hardware - hdd,memory etc..
And seeing if your ISP has made any recent changes or had any other issues related to dhcp..
firmware updates to devices etc.

Running programs like inotifywait, etc.. will give you a list of files currently being accessed.

PaulBredbury · Watchman Joined: 14 Jul 2005 Posts: 7310

Gentree · Posted: Wed Oct 30, 2013 6:08 am Post subject:

Hi Paul,

I don't understand that comment.

I had a NIC configured with a hard coded, fixed IP. That has worked for about the last four or five years with that method. The particular IP used probably last changed about two years back.

How would a cable problem change that?
_________________
Linux, because I'd rather own a free OS than steal one that's not worth paying for.
Gentoo because I'm a masochist
AthlonXP-M on A7N8X. Portage ~x86

snkmoorthy · Guru Joined: 19 Nov 2002 Posts: 376

the 169.x.x.x APIPA address gets assigned by DHCP/Zeroconf... This is a fall back address for whatever reason.