I am looking at my 12.3 system and ifup is a script and ifdown is a symlink to ifup. That's normal. Because ifdown is a symlink, those permissions are normal. I would be putting one system online at a time and have another system set up with a packet sniffer (i.e. Wireshark) and restart from there.

Lyle

On 09/13/14 13:00, Jon Cosby wrote:
I've been under attack recently and need help tracing the source and locking down. At one point the hacker took full control of my system, including windows and terminals. I went offline for four days this week, reinstalled openSUSE 13.1 offline yesterday, turned on the firewall and ran the patches online. I'm blocking unneeded ports in my modem-router. The attacks seem to continue almost immediately. rkhunter gives a very suspicious warning:
[10:19:02] /sbin/ifup [ Warning ]
[10:19:02] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script, ASCII..

sbin> ls -l ifup
-rwxr-xr-x 1 root root 48711 Apr 10 00:46 ifup
sbin> ls -l ifdown
lrwxrwxrwx 1 root root 4 Sep 12 18:05 ifdown -> ifup
sbin>
Note the permissions on ifdown. On restarting from suspension, there's a signal going out. I'm going to have to go down again, but don't have a clue what I need to do to get this system operating cleanly. Any tips/suggestions are appreciated. Thanks,
Jon Cosby
--
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-security+owner@opensuse.org
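Lyle's point that a scripted ifup (and a symlinked ifdown) is normal can be checked against the package database instead of by eye. The script below is an added example, not part of this thread: it asks rpm which package owns each file and classifies the `rpm -V` line for that path, so a legitimately shipped script ("package-ok") is told apart from one whose size, digest or link target no longer match the package. It assumes rpm(8) is present and that the files are package-owned; the verdict names are my own.

```shell
#!/bin/sh
# Added example (not from the thread). Classify one line of `rpm -V` output.
# rpm -V prints a 9-character flag field (S=size, M=mode, 5=digest, D=device,
# L=link target, U=user, G=group, T=mtime, P=caps), an optional file-type
# letter, then the path; the word "missing" replaces the flags for a lost file.
# Lines are printed only for files that differ from the package.
classify_rpmv_line() {
    set -- $1            # word-split the line: $1 becomes the flag field
    case "$1" in
        missing)        echo "missing" ;;
        *S*|*5*|*L*)    echo "content-changed" ;;   # size/digest/symlink target differ
        *M*|*U*|*G*)    echo "metadata-changed" ;;  # mode/owner/group differ
        *)              echo "mtime-only" ;;        # only timestamp (or caps) differ
    esac
}

# Verify one path against the rpm database. Prints: path package verdict.
# "package-ok" means rpm -V printed nothing for that file (assumed rpm(8)).
verify_path() {
    path=$1
    pkg=$(rpm -qf "$path" 2>/dev/null) || {
        echo "$path - not-owned-by-any-package"
        return 1
    }
    line=$(rpm -V "$pkg" | grep -E "[[:space:]]$path\$")
    if [ -z "$line" ]; then
        verdict=package-ok
    else
        verdict=$(classify_rpmv_line "$line")
    fi
    echo "$path $pkg $verdict"
}

# Check the two files rkhunter and ls drew attention to, when rpm is available.
if command -v rpm >/dev/null 2>&1; then
    for p in /sbin/ifup /sbin/ifdown; do
        verify_path "$p" || true
    done
fi
```

A "content-changed" or "not-owned-by-any-package" verdict on /sbin/ifup is worth taking to the offline reinstall; "package-ok" means the script is exactly what the distribution shipped.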