Mailinglist Archive: opensuse-security (51 mails)

[opensuse-security] System attacked, need help
I've been under attack recently and need help tracing the source and locking down. At one point the hacker took full control of my system, including windows and terminals. I went offline for four days this week, reinstalled openSUSE 13.1 offline yesterday, turned on the firewall and ran the patches online. I'm blocking unneeded ports in my modem-router. The attacks seem to continue almost immediately. rkhunter gives a very suspicious warning:

<code>
[10:19:02] /sbin/ifup [ Warning ]
[10:19:02] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script, ASCII..

sbin> ls -l ifup
-rwxr-xr-x 1 root root 48711 Apr 10 00:46 ifup
sbin> ls -l ifdown
lrwxrwxrwx 1 root root 4 Sep 12 18:05 ifdown -> ifup
sbin>
</code>

Note the permissions on ifdown. On restarting from suspension, there's a signal going out. I'm going to have to go down again, but don't have a clue what I need to do to get this system operating cleanly. Any tips/suggestions are appreciated. Thanks,


Jon Cosby
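A check worth running before rebuilding again: rkhunter compares a command against what it expects a binary to look like, whereas `rpm -Vf /sbin/ifup` compares the file on disk against the digest, size, mode, owner and link target recorded by the package that installed it, so the two can disagree when a distribution legitimately ships a command as a script. The Python below is an added example, not from the post or from rkhunter; it parses `rpm -V` output (a constructed sample is embedded) and separates high-risk changes (digest, size, mode, owner, link target, missing file) from low-risk ones (mtime-only or edited config files).

```python
"""Classify `rpm -V` output to tell a tampered file from a packaged script.

`rpm -Vf <path>` verifies the package owning <path>; `rpm -Va` verifies
everything. Each printed line is "<flags> [type] <path>", where the nine
flag columns are S M 5 D L U G T P ("." = unchanged, "?" = not testable)
and type marks config (c), doc (d) and similar file classes.
The sample output below is constructed for this example (hypothetical).
"""
import re

ATTR_MEANING = {
    "S": "size differs", "M": "mode differs", "5": "digest differs",
    "D": "device number differs", "L": "symlink target differs",
    "U": "owner differs", "G": "group differs", "T": "mtime differs",
    "P": "capabilities differ",
}
# A changed digest, size, mode, owner, link target or capability set on a
# non-config file is what a replaced command looks like; an mtime-only
# change is usually benign (touched during packaging, backup or restore).
HIGH_RISK = set("SM5DLUP")

LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9}|missing)\s+(?:(?P<type>[cdglr])\s+)?(?P<path>/\S+)$"
)

def parse_rpm_verify(output):
    """Return one finding per reported file: path, changed attributes, risk."""
    findings = []
    for raw in output.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines, "Unsatisfied dependencies" notices, etc.
        flags, ftype, path = m.group("flags"), m.group("type"), m.group("path")
        if flags == "missing":
            findings.append({"path": path, "changed": ["missing"], "risk": "high"})
            continue
        letters = [c for c in flags if c in ATTR_MEANING]
        risk = "high" if ftype != "c" and set(letters) & HIGH_RISK else "low"
        findings.append({"path": path, "changed": [ATTR_MEANING[c] for c in letters], "risk": risk})
    return findings

def high_risk_paths(output):
    return [f["path"] for f in parse_rpm_verify(output) if f["risk"] == "high"]

# Constructed sample: mtime-only change on a packaged script, a symlink whose
# target changed, an edited config file, a file whose contents differ, a missing file.
SAMPLE_OUTPUT = """\
.......T.    /sbin/ifup
....L....    /sbin/ifdown
S.5....T.  c /etc/sysconfig/network/config
S.5....T.    /usr/bin/example-tool
missing      /usr/sbin/example-daemon
"""

if __name__ == "__main__":
    for f in parse_rpm_verify(SAMPLE_OUTPUT):
        print(f"{f['risk']:5} {f['path']}: {', '.join(f['changed'])}")
```

Because `rpm -V` reads the RPM database on the same disk, run it against the package files from install media or a known-good host (for example with `rpm -Vp` on the package file) when the machine itself is in doubt.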
