[opensuse-security] System attacked, need help
I've been under attack recently and need help tracing the source and locking down. At one point the hacker took full control of my system, including windows and terminals. I went offline for four days this week, reinstalled openSUSE 13.1 offline yesterday, turned on the firewall and ran the patches online. I'm blocking unneeded ports in my modem-router. The attacks seem to continue almost immediately. rkhunter gives a very suspicious warning:

    [10:19:02] /sbin/ifup                                    [ Warning ]
    [10:19:02] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script, ASCII..

    sbin> ls -l ifup
    -rwxr-xr-x 1 root root 48711 Apr 10 00:46 ifup
    sbin> ls -l ifdown
    lrwxrwxrwx 1 root root 4 Sep 12 18:05 ifdown -> ifup
    sbin>

Note the permissions on ifdown. On restarting from suspension, there's a signal going out. I'm going to have to go down again, but don't have a clue what I need to do to get this system operating cleanly. Any tips/suggestions are appreciated.

Thanks,
Jon Cosby

--
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-security+owner@opensuse.org
I am looking at my 12.3 system and ifup is a script and ifdown is a symlink to ifup. That's normal. Because ifdown is a symlink, those permissions are normal.

I would be putting one system online at a time and have another system setup with a packet sniffer (ie wireshark) and restart from there.

Lyle

On 09/13/14 13:00, Jon Cosby wrote:
> I've been under attack recently and need help tracing the source and locking down. At one point the hacker took full control of my system, including windows and terminals. I went offline for four days this week, reinstalled openSUSE 13.1 offline yesterday, turned on the firewall and ran the patches online. I'm blocking unneeded ports in my modem-router. The attacks seem to continue almost immediately. rkhunter gives a very suspicious warning:
>
>     [10:19:02] /sbin/ifup                                    [ Warning ]
>     [10:19:02] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script, ASCII..
>
>     sbin> ls -l ifup
>     -rwxr-xr-x 1 root root 48711 Apr 10 00:46 ifup
>     sbin> ls -l ifdown
>     lrwxrwxrwx 1 root root 4 Sep 12 18:05 ifdown -> ifup
>     sbin>
>
> Note the permissions on ifdown. On restarting from suspension, there's a signal going out. I'm going to have to go down again, but don't have a clue what I need to do to get this system operating cleanly. Any tips/suggestions are appreciated.
>
> Thanks,
> Jon Cosby
On 2014-09-13 20:00, Jon Cosby wrote:

> The attacks seem to continue almost immediately. rkhunter gives a very suspicious warning:
>
>     [10:19:02] /sbin/ifup                                    [ Warning ]
>     [10:19:02] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script, ASCII..

False positive. It *is* a script on openSUSE.

>     sbin> ls -l ifup
>     -rwxr-xr-x 1 root root 48711 Apr 10 00:46 ifup

    cer@Telcontar:~> l /sbin/ifup
    -rwxr-xr-x 1 root root 48711 Apr 10 09:46 /sbin/ifup*
    cer@Telcontar:~> file /sbin/ifup
    /sbin/ifup: Bourne-Again shell script, ASCII text executable
    cer@Telcontar:~> rpm -qf /sbin/ifup
    sysconfig-network-0.81.5-30.1.x86_64
    cer@Telcontar:~> rpm -V sysconfig-network
    cer@Telcontar:~>

--
Cheers / Saludos,
        Carlos E. R.
        (from 13.1 x86_64 "Bottle" at Telcontar)
On 2014-09-13 11:21, Carlos E. R. wrote:
> On 2014-09-13 20:00, Jon Cosby wrote:
>
>> The attacks seem to continue almost immediately. rkhunter gives a very suspicious warning:
>>
>>     [10:19:02] /sbin/ifup                                    [ Warning ]
>>     [10:19:02] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script, ASCII..
>
> False positive. It *is* a script on openSUSE.
>
>>     sbin> ls -l ifup
>>     -rwxr-xr-x 1 root root 48711 Apr 10 00:46 ifup
>
>     cer@Telcontar:~> l /sbin/ifup
>     -rwxr-xr-x 1 root root 48711 Apr 10 09:46 /sbin/ifup*
>     cer@Telcontar:~> file /sbin/ifup
>     /sbin/ifup: Bourne-Again shell script, ASCII text executable
>     cer@Telcontar:~> rpm -qf /sbin/ifup
>     sysconfig-network-0.81.5-30.1.x86_64
>     cer@Telcontar:~> rpm -V sysconfig-network
>     cer@Telcontar:~>

Thanks. What about the universal permissions on ifdown?

    sbin> ls -l ifdown
    lrwxrwxrwx 1 root root 4 Sep 12 18:05 ifdown -> ifup

And again, there’s a long signal going out when I come back from suspension. I'm assuming it's coming from ifup.

Jon
On 2014-09-13 20:28, Jon Cosby wrote:
> On 2014-09-13 11:21, Carlos E. R. wrote:
>
> Thanks. What about the universal permissions on ifdown?

It is a symlink. *ALL* symlinks have universal permissions. The real permissions are those of the link target.

>     sbin> ls -l ifdown
>     lrwxrwxrwx 1 root root 4 Sep 12 18:05 ifdown -> ifup
>
> And again, there’s a long signal going out when I come back from suspension. I'm assuming it's coming from ifup.

What's a "signal"? What do you mean?

When the machine awakes, it has to restart the network. Details differ depending on what network setup you use, but if it is "automatic", ie, dhcp, it certainly has to probe for a lease (new or renewed). And if it is wireless, it has to restart it, check what access points are available, choose one, and attempt to connect... Nothing strange there. And there may be other activities, like clock sync, mail check, browsers awakening and checking things, apper checking...

You would have to setup another machine with a sniffer to find out exactly what network packages are going in/out.

--
Cheers / Saludos,
        Carlos E. R.
        (from 13.1 x86_64 "Bottle" at Telcontar)
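Carlos's two checks, the symlink permission point made in this message and the rpm -qf / rpm -V package verification he showed earlier in the thread, as an added shell example; this is not code from the thread, from openSUSE or from rkhunter. It assumes GNU coreutils (stat -c), optionally rpm on an RPM-based system, and builds its own constructed fixture (a 755 script named ifup with an ifdown -> ifup symlink) in a temporary directory so nothing on the host is touched:

```shell
#!/bin/sh
# Added example: why "lrwxrwxrwx" on a symlink is meaningless on its own,
# and what to check instead (target mode, and package verification).
# Assumes GNU coreutils `stat -c`; rpm is optional.

# Mode bits of the path itself; for a symlink this is always 777 on Linux
# (stat without -L uses lstat and reports the link, not the target).
link_mode() {
    stat -c '%a' "$1"
}

# Mode bits after following symlinks: the permissions that actually apply.
effective_mode() {
    stat -L -c '%a' "$1"
}

# One-line report: target (if any), link mode and effective mode.
describe() {
    p=$1
    if [ -L "$p" ]; then
        printf '%s -> %s: link mode %s (always), effective mode %s\n' \
            "$p" "$(readlink "$p")" "$(link_mode "$p")" "$(effective_mode "$p")"
    else
        printf '%s: mode %s\n' "$p" "$(effective_mode "$p")"
    fi
}

# Where rpm exists, compare the file's package against the RPM database.
# Empty `rpm -V` output means every file in the package still matches its
# recorded size, mode, owner, group, mtime and digest; any line of output
# names a file that differs and is worth a closer look.
verify_owner() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not available; skipping package check"
        return 0
    fi
    pkg=$(rpm -qf "$1") || return 1
    out=$(rpm -V "$pkg")
    if [ -z "$out" ]; then
        echo "$1 belongs to $pkg and the package verifies clean"
    else
        echo "$1 belongs to $pkg; rpm -V reports:"
        echo "$out"
        return 1
    fi
}

# Constructed fixture mirroring the thread: "ifup" as a 755 script and
# "ifdown -> ifup" as a symlink, in a fresh temp directory. Prints the path.
make_fixture() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho "constructed stand-in for ifup"\n' > "$d/ifup"
    chmod 755 "$d/ifup"
    ln -s ifup "$d/ifdown"
    echo "$d"
}

# Describe both entries of the fixture, then clean up.
demo() {
    d=$(make_fixture)
    describe "$d/ifup"
    describe "$d/ifdown"
    rm -rf "$d"
}

demo
```

On the fixture, ifdown reports link mode 777 and effective mode 755: the "universal permissions" belong to the link object only, and access is decided by the target's 755. On a real openSUSE box, `verify_owner /sbin/ifup` adds the second check Carlos used, and a non-empty `rpm -V` result (or rkhunter disagreeing with `rpm -V` about the same file) is the signal worth chasing, not the symlink's mode.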
On 2014-09-13 11:43, Carlos E. R. wrote:
> On 2014-09-13 20:28, Jon Cosby wrote:
>> On 2014-09-13 11:21, Carlos E. R. wrote:
>>
>> Thanks. What about the universal permissions on ifdown?
>
> It is a symlink. *ALL* symlinks have universal permissions. The real permissions are those of the link target.
>
>>     sbin> ls -l ifdown
>>     lrwxrwxrwx 1 root root 4 Sep 12 18:05 ifdown -> ifup
>>
>> And again, there’s a long signal going out when I come back from suspension. I'm assuming it's coming from ifup.
>
> What's a "signal"? What do you mean?
>
> When the machine awakes, it has to restart the network. Details differ depending on what network setup you use, but if it is "automatic", ie, dhcp, it certainly has to probe for a lease (new or renewed). And if it is wireless, it has to restart it, check what access points are available, choose one, and attempt to connect... Nothing strange there. And there may be other activities, like clock sync, mail check, browsers awakening and checking things, apper checking...
>
> You would have to setup another machine with a sniffer to find out exactly what network packages are going in/out.

Maybe I'm paranoid after what happened. I'll have to follow yours and Lyle's suggestions for some reassurance.

Jon
On 2014-09-13 20:52, Jon Cosby wrote:
> On 2014-09-13 11:43, Carlos E. R. wrote:
>
> Maybe I'm paranoid after what happened. I'll have to follow yours and Lyle's suggestions for some reassurance.

That's very understandable. Anyone would be.

--
Cheers / Saludos,
        Carlos E. R.
        (from 13.1 x86_64 "Bottle" at Telcontar)