Mailinglist Archive: opensuse-security (51 mails)

Re: [opensuse-security] System attacked, need help
I am looking at my 12.3 system and ifup is a script and ifdown is a symlink to ifup. That's normal. Because ifdown is a symlink, those permissions are normal.

I would be putting one system online at a time and have another system set up with a packet sniffer (i.e. Wireshark) and restart from there.

Lyle

On 09/13/14 13:00, Jon Cosby wrote:
I've been under attack recently and need help tracing the source and locking down. At one point the hacker took full control of my system, including windows and terminals. I went offline for four days this week, reinstalled openSUSE 13.1 offline yesterday, turned on the firewall and ran the patches online. I'm blocking unneeded ports in my modem-router. The attacks seem to continue almost immediately. rkhunter gives a very suspicious warning:

<code>
[10:19:02] /sbin/ifup [ Warning ]
[10:19:02] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script, ASCII..

sbin> ls -l ifup
-rwxr-xr-x 1 root root 48711 Apr 10 00:46 ifup
sbin> ls -l ifdown
lrwxrwxrwx 1 root root 4 Sep 12 18:05 ifdown -> ifup
sbin>
</code>

Note the permissions on ifdown. On restarting from suspension, there's a signal going out. I'm going to have to go down again, but don't have a clue what I need to do to get this system operating cleanly. Any tips/suggestions are appreciated. Thanks,


Jon Cosby
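Lyle's point is that the mode `ls -l` shows for a symlink (`lrwxrwxrwx`) is never enforced; what matters is the mode and content of the target. The script below is an added example, not code from either poster, that reports the real target mode for a given path; it assumes a Linux system with GNU `stat` and `readlink`, and builds its own ifup/ifdown pair in a temporary directory.

```shell
#!/bin/sh
# Added example: describe a path and, if it is a symlink, the permissions
# that actually apply (those of the resolved target), not the link's own.

# Prints one of:
#   file <mode>                  regular file with its octal mode
#   symlink <target> <mode>      link, its target, and the target's mode
#   dangling-symlink <target>    link whose target does not exist
#   missing                      path does not exist
describe_path() {
    p=$1
    if [ -L "$p" ]; then
        target=$(readlink "$p")
        # Relative link targets are resolved against the link's directory.
        case $target in
            /*) resolved=$target ;;
            *)  resolved=$(dirname "$p")/$target ;;
        esac
        if [ -e "$resolved" ]; then
            printf 'symlink %s %s\n' "$target" "$(stat -c %a "$resolved")"
        else
            printf 'dangling-symlink %s\n' "$target"
        fi
    elif [ -e "$p" ]; then
        printf 'file %s\n' "$(stat -c %a "$p")"
    else
        printf 'missing\n'
    fi
}

# Constructed demo mirroring the ifup/ifdown layout from the thread:
# a 755 shell script and a symlink pointing at it.
demo() {
    dd=$(mktemp -d)
    printf '#!/bin/bash\necho ifup\n' > "$dd/ifup"
    chmod 755 "$dd/ifup"
    ln -s ifup "$dd/ifdown"
    describe_path "$dd/ifup"     # file 755
    describe_path "$dd/ifdown"   # symlink ifup 755
    rm -rf "$dd"
}
```

Run `demo` to see the two lines; on an RPM-based system the next step for the target itself is `rpm -Vf /sbin/ifup`, which compares the installed file against the package database rather than trusting its mode bits.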

