System attacked, need help


System attacked, need help

Jon Cosby-3
I've been under attack recently and need help tracing the source and
locking down. At one point the hacker took full control of my system,
including windows and terminals. I went offline for four days this week,
reinstalled openSUSE 13.1 offline yesterday, turned on the firewall and
ran the patches online. I'm blocking unneeded ports in my modem-router.
The attacks seem to continue almost immediately. rkhunter gives a very
suspicious warning:

<code>
[10:19:02]   /sbin/ifup                                      [ Warning ]
[10:19:02] Warning: The command '/sbin/ifup' has been replaced by a
script: /sbin/ifup: Bourne-Again shell script, ASCII..

sbin> ls -l ifup
-rwxr-xr-x 1 root root 48711 Apr 10 00:46 ifup
sbin> ls -l ifdown
lrwxrwxrwx 1 root root 4 Sep 12 18:05 ifdown -> ifup
sbin>
</code>

Note the permissions on ifdown. On restarting from suspension, there's a
signal going out. I'm going to have to go down again, but don't have a
clue what I need to do to get this system operating cleanly. Any
tips/suggestions are appreciated. Thanks,


Jon Cosby
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]


Re: System attacked, need help

Lyle Giese
I am looking at my 12.3 system and ifup is a script and ifdown is a
symlink to ifup.  That's normal.  Because ifdown is a symlink, those
permissions are normal.

I would be putting one system online at a time and have another system
set up with a packet sniffer (i.e. Wireshark) and restart from there.

Lyle

On 09/13/14 13:00, Jon Cosby wrote:

> I've been under attack recently and need help tracing the source and
> locking down. At one point the hacker took full control of my system,
> including windows and terminals. I went offline for four days this
> week, reinstalled openSUSE 13.1 offline yesterday, turned on the
> firewall and ran the patches online. I'm blocking unneeded ports in my
> modem-router. The attacks seem to continue almost immediately.
> rkhunter gives a very suspicious warning:
>
> <code>
> [10:19:02]   /sbin/ifup                                      [ Warning ]
> [10:19:02] Warning: The command '/sbin/ifup' has been replaced by a
> script: /sbin/ifup: Bourne-Again shell script, ASCII..
>
> sbin> ls -l ifup
> -rwxr-xr-x 1 root root 48711 Apr 10 00:46 ifup
> sbin> ls -l ifdown
> lrwxrwxrwx 1 root root 4 Sep 12 18:05 ifdown -> ifup
> sbin>
> </code>
>
> Note the permissions on ifdown. On restarting from suspension, there's
> a signal going out. I'm going to have to go down again, but don't have
> a clue what I need to do to get this system operating cleanly. Any
> tips/suggestions are appreciated. Thanks,
>
>
> Jon Cosby



Re: System attacked, need help

Carlos E. R.-3
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2014-09-13 20:00, Jon Cosby wrote:

> The attacks seem to continue almost immediately. rkhunter gives a very
> suspicious warning:
>
> <code>
> [10:19:02]   /sbin/ifup                                      [ Warning ]
> [10:19:02] Warning: The command '/sbin/ifup' has been replaced by a
> script: /sbin/ifup: Bourne-Again shell script, ASCII..

False positive. It *is* a script on openSUSE.

> sbin> ls -l ifup
> -rwxr-xr-x 1 root root 48711 Apr 10 00:46 ifup

cer@Telcontar:~> l /sbin/ifup
- -rwxr-xr-x 1 root root 48711 Apr 10 09:46 /sbin/ifup*
cer@Telcontar:~> file /sbin/ifup
/sbin/ifup: Bourne-Again shell script, ASCII text executable
cer@Telcontar:~> rpm -qf /sbin/ifup
sysconfig-network-0.81.5-30.1.x86_64
cer@Telcontar:~> rpm -V sysconfig-network
cer@Telcontar:~>

- --
Cheers / Saludos,

                Carlos E. R.
                (from 13.1 x86_64 "Bottle" at Telcontar)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iEYEARECAAYFAlQUixsACgkQtTMYHG2NR9U9pACfUglKv9r1FB5z7AS29lPBdgLc
/1oAn1Uy+5vauxVqkl83cCxLgC/D963f
=VpvG
-----END PGP SIGNATURE-----
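Carlos's session above shows the check that settles the rkhunter warning: `rpm -qf` names the package that owns /sbin/ifup, and `rpm -V` on that package printing nothing means every file it shipped still matches the RPM database. When `rpm -V` does print something, its 9-character flag field takes some reading. The following script is an added example, not code from this thread or from openSUSE; it decodes those flags and separates the noise (edited config files, touched timestamps) from content that no longer matches the package. It assumes a POSIX shell, and the sample `rpm -V` lines are constructed for the demonstration rather than captured from a real system.

```shell
#!/bin/sh
# Added example, not from the thread: decode `rpm -V` output so that a file
# whose content differs from the package stands out from the benign noise of
# edited config files and touched timestamps. An empty `rpm -V` result, as in
# Carlos's session above, means every file of the package verified clean.
# Assumes a POSIX shell; the sample lines below are constructed, not captured.

rpmv_decode_flags() {
  # $1 is the 9-character attribute field, e.g. "S.5....T.".
  # "." means the attribute matches the package database, "?" could not be tested.
  f=$1; out=""; i=1
  while [ "$i" -le 9 ]; do
    c=$(printf '%s' "$f" | cut -c"$i")
    case "$i$c" in
      1S) out="$out size" ;;      # file size differs
      2M) out="$out mode" ;;      # permissions or file type differ
      35) out="$out digest" ;;    # content checksum differs
      4D) out="$out device" ;;    # device major/minor differ
      5L) out="$out symlink" ;;   # symlink target differs
      6U) out="$out user" ;;      # owner differs
      7G) out="$out group" ;;     # group differs
      8T) out="$out mtime" ;;     # modification time differs
      9P) out="$out caps" ;;      # file capabilities differ
    esac
    i=$((i + 1))
  done
  printf '%s' "${out# }"
}

rpmv_explain() {
  # Reads `rpm -V` lines on stdin, prints one verdict per changed file.
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    case "$line" in
      missing*)                        # "missing [type] /path"
        set -- $line; shift
        if [ $# -eq 2 ]; then shift; fi
        printf '%s MISSING\n' "$1"; continue ;;
      Unsatisfied*) printf '%s\n' "$line"; continue ;;
    esac
    flags=$(printf '%s' "$line" | cut -c1-9)
    set -- $(printf '%s' "$line" | cut -c10-)   # "[type] /path"
    if [ $# -ge 2 ]; then ftype=$1; path=$2; else ftype=-; path=$1; fi
    changed=$(rpmv_decode_flags "$flags")
    [ -n "$changed" ] || continue
    # A digest change on a non-config file means the content no longer
    # matches what the package shipped: that is the line to investigate.
    case "$ftype:$changed" in
      c:*)        verdict="config edited (expected)" ;;
      *digest*)   verdict="CONTENT CHANGED - investigate" ;;
      *symlink*)  verdict="SYMLINK TARGET CHANGED - investigate" ;;
      *)          verdict="metadata only" ;;
    esac
    printf '%s [%s] %s\n' "$path" "$changed" "$verdict"
  done
}

rpmv_check_file() {
  # Real use (needs rpm): find the owning package of $1 and verify all of it,
  # which is the check Carlos ran with `rpm -qf` and `rpm -V`.
  pkg=$(rpm -qf "$1") || return 1
  rpm -V "$pkg" | rpmv_explain
}

sample_rpmv_output() {
  # Constructed `rpm -V` lines for demonstration; not real output.
  printf '%s\n' \
    'S.5....T.    /sbin/ifup' \
    'S.5....T.  c /etc/sysconfig/network/config' \
    '....L....    /sbin/ifdown' \
    '.......T.    /usr/share/doc/packages/sysconfig/README' \
    'missing      /sbin/ifstatus'
}

sample_rpmv_output | rpmv_explain
```

On a live system `rpmv_check_file /sbin/ifup` runs the real check; the RPM database itself can be tampered with by anyone who already has root, so a clean `rpm -V` is reassuring only when combined with the offline reinstall Jon already did or with a comparison against the package file fetched from the distribution mirror.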


Re: System attacked, need help

Jon Cosby-3
On 2014-09-13 11:21, Carlos E. R. wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 2014-09-13 20:00, Jon Cosby wrote:
>
>> The attacks seem to continue almost immediately. rkhunter gives a very
>> suspicious warning:
>>
>> <code>
>> [10:19:02]   /sbin/ifup                                      [ Warning ]
>> [10:19:02] Warning: The command '/sbin/ifup' has been replaced by a
>> script: /sbin/ifup: Bourne-Again shell script, ASCII..
>
> False positive. It *is* a script on openSUSE.
>
>> sbin> ls -l ifup
>> -rwxr-xr-x 1 root root 48711 Apr 10 00:46 ifup
>
> cer@Telcontar:~> l /sbin/ifup
> - -rwxr-xr-x 1 root root 48711 Apr 10 09:46 /sbin/ifup*
> cer@Telcontar:~> file /sbin/ifup
> /sbin/ifup: Bourne-Again shell script, ASCII text executable
> cer@Telcontar:~> rpm -qf /sbin/ifup
> sysconfig-network-0.81.5-30.1.x86_64
> cer@Telcontar:~> rpm -V sysconfig-network
> cer@Telcontar:~>
>

Thanks. What about the universal permissions on ifdown?

sbin> ls -l ifdown
lrwxrwxrwx 1 root root 4 Sep 12 18:05 ifdown -> ifup

And again, there’s a long signal going out when I come back from
suspension. I'm assuming it's coming from ifup.


Jon


Re: System attacked, need help

Carlos E. R.-3
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2014-09-13 20:28, Jon Cosby wrote:
> On 2014-09-13 11:21, Carlos E. R. wrote:


> Thanks. What about the universal permissions on ifdown?

It is a symlink. *ALL* symlinks have universal permissions. The real
permissions are those of the link target.

>
> sbin> ls -l ifdown
> lrwxrwxrwx 1 root root 4 Sep 12 18:05 ifdown -> ifup
>
> And again, there’s a long signal going out when I come back from
> suspension. I'm assuming it's coming from ifup.

What's a "signal"? What do you mean?

When the machine awakes, it has to restart the network. Details differ
depending on what network setup you use, but if it is "automatic", i.e.
dhcp, it certainly has to probe for a lease (new or renewed). And if
it is wireless, it has to restart it, check what access points are
available, choose one, and attempt to connect... Nothing strange
there. And there may be other activities, like clock sync, mail check,
browsers awakening and checking things, apper checking...

You would have to set up another machine with a sniffer to find out
exactly what network packages are going in/out.

- --
Cheers / Saludos,

                Carlos E. R.
                (from 13.1 x86_64 "Bottle" at Telcontar)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iEYEARECAAYFAlQUkEYACgkQtTMYHG2NR9Uw9QCfbKAIx1eZm+0PQF4HEnv2CP43
G+4An0+UGFclMsmqp/3nasrAqz556TMi
=RRZt
-----END PGP SIGNATURE-----
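Both Lyle and Carlos point at the same method: capture from a second machine while the suspect one resumes, then sort the expected wake-up traffic (DHCP lease, DNS, NTP clock sync) from anything that has no such explanation. The script below is an added example, not code from this thread; it triages a `tcpdump -n` capture that way, counting outbound flows from the suspect host per destination. It assumes POSIX sh with awk, tcpdump's default one-line output format, and a suspect address of 192.168.1.20; the capture lines are constructed and use RFC 5737 documentation ranges, not real hosts.

```shell
#!/bin/sh
# Added example, not from the thread: triage a capture taken on a second
# machine while the suspect box resumes from suspend, which is what Lyle and
# Carlos suggest. It counts outbound flows from the suspect host per
# destination and labels the ones Carlos lists as normal wake-up activity
# (DHCP, DNS, NTP); everything else is "unexplained" and worth a closer look.
# Assumes POSIX sh plus awk, tcpdump's default one-line format with -n, and a
# suspect address of 192.168.1.20. The sample lines are constructed and use
# RFC 5737 documentation addresses.

SUSPECT=192.168.1.20   # assumed address of the machine under observation

tcpdump_wake_triage() {
  # stdin: `tcpdump -n` lines; stdout: "count dst:port label", busiest first
  awk -v host="$SUSPECT" '
    $2 == "IP" && $4 == ">" {
      src = $3; dst = $5; sub(/:$/, "", dst)
      # tcpdump writes address and port as one dotted string: a.b.c.d.port
      n = split(src, s, ".")
      if ((s[1] "." s[2] "." s[3] "." s[4]) != host) next   # inbound: skip
      m = split(dst, d, ".")
      port = (m >= 5) ? d[m] : "-"                           # no port: ICMP etc.
      count[d[1] "." d[2] "." d[3] "." d[4] ":" port]++
    }
    END {
      for (k in count) {
        split(k, kp, ":"); p = kp[2] + 0
        if (p == 67 || p == 68) label = "dhcp"
        else if (p == 53)       label = "dns"
        else if (p == 123)      label = "ntp"
        else                    label = "unexplained"
        printf "%d %s %s\n", count[k], k, label
      }
    }' | sort -rn
}

sample_capture() {
  # Constructed `tcpdump -n` lines; 203.0.113.0/24 and 198.51.100.0/24 are
  # documentation ranges, not real hosts.
  printf '%s\n' \
    '10:19:02.100 IP 192.168.1.20.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:11:22:33:44:55, length 300' \
    '10:19:02.150 IP 192.168.1.1.67 > 192.168.1.20.68: BOOTP/DHCP, Reply, length 300' \
    '10:19:03.000 IP 192.168.1.20.51234 > 192.168.1.1.53: 12345+ A? pool.ntp.org. (30)' \
    '10:19:03.050 IP 192.168.1.20.51235 > 192.168.1.1.53: 12346+ AAAA? pool.ntp.org. (30)' \
    '10:19:03.200 IP 192.168.1.20.123 > 203.0.113.5.123: NTPv4, Client, length 48' \
    '10:19:04.000 IP 192.168.1.20.44321 > 198.51.100.7.2222: Flags [S], seq 1, win 29200, length 0' \
    '10:19:05.000 IP 192.168.1.20.44321 > 198.51.100.7.2222: Flags [P.], seq 1:51, ack 1, win 229, length 50' \
    '10:19:06.000 IP 192.168.1.20.44321 > 198.51.100.7.2222: Flags [P.], seq 51:101, ack 1, win 229, length 50'
}

sample_capture | tcpdump_wake_triage
```

For a real run, capture on the second machine with something like `tcpdump -n -i <iface> host 192.168.1.20` (or read a saved file with `tcpdump -n -r wake.pcap`) and pipe the result into `tcpdump_wake_triage`. The labels are deliberately narrow: mail checks, browser background requests and package-update checks that Carlos also mentions will show up as "unexplained" and need to be matched against what the machine is configured to do, which is exactly the reconciliation a sniffer-based check is for.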


Re: System attacked, need help

Jon Cosby-3
On 2014-09-13 11:43, Carlos E. R. wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 2014-09-13 20:28, Jon Cosby wrote:
>> On 2014-09-13 11:21, Carlos E. R. wrote:
>
>
>> Thanks. What about the universal permissions on ifdown?
>
> It is a symlink. *ALL* symlinks have universal permissions. The real
> permissions are those of the link target.
>
>>
>> sbin> ls -l ifdown
>> lrwxrwxrwx 1 root root 4 Sep 12 18:05 ifdown -> ifup
>>
>> And again, there’s a long signal going out when I come back from
>> suspension. I'm assuming it's coming from ifup.
>
> What's a "signal"? What do you mean?
>
> When the machine awakes, it has to restart the network. Details differ
> depending on what network setup you use, but if it is "automatic", i.e.
> dhcp, it certainly has to probe for a lease (new or renewed). And if
> it is wireless, it has to restart it, check what access points are
> available, choose one, and attempt to connect... Nothing strange
> there. And there may be other activities, like clock sync, mail check,
> browsers awakening and checking things, apper checking...
>
> You would have to set up another machine with a sniffer to find out
> exactly what network packages are going in/out.
>

Maybe I'm paranoid after what happened. I'll have to follow yours and
Lyle's suggestions for some reassurance.


Jon


Re: System attacked, need help

Carlos E. R.-3
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2014-09-13 20:52, Jon Cosby wrote:
> On 2014-09-13 11:43, Carlos E. R. wrote:


> Maybe I'm paranoid after what happened. I'll have to follow yours
> and Lyle's suggestions for some reassurance.

That's very understandable. Anyone would be.

- --
Cheers / Saludos,

                Carlos E. R.
                (from 13.1 x86_64 "Bottle" at Telcontar)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iEUEARECAAYFAlQUuFEACgkQtTMYHG2NR9XQywCdHuW8LCQ2v6avslgxr0U6H/Rj
JXUAmNHvycPriaJvwSRVl/kyvHVrP7M=
=rG0M
-----END PGP SIGNATURE-----