
suspicious problem on firewall



I have a Debian Potato machine running as a firewall/masq gateway on my home
network and I am an AT&T @Home cable modem subscriber.  I've got a fair
amount of Linux administration experience.  I've turned off all the services
that I don't use.  I have a nice ipchains ruleset and a script that runs
through the packet log each night.  A typical daily report indicates several
attempted connections on various ports (111 and 27374 are the most common)
and the occasional FTP attempt.  It's not a perfect setup, but I think it's
fairly secure -- a nice middle-of-the-road security stance, I guess.

I went to send an email tonight (I use Pine 3.96 compiled from the Potato
source package) and pine caught a signal and aborted every time I moved the
cursor off of the "From" field in the header.  I've been using Pine for
quite some time on this machine so I started looking around with a
suspicious eye.  The copy of pine was compiled on another machine and copied
into place, so I did an md5sum on the two -- they are different.  A binary
compare revealed that the file sizes are identical but four bytes have been
modified.  I copied the original pine over to the machine and it works fine.

I would appreciate thoughts on this situation from people who are more
familiar with system security than I am.  Specifically, does this look like
someone has hacked into my machine or is it more likely that something has
become corrupted (filesystem, hard drive...)?  What is the best way to
convince myself that the system either has or has not been broken into?
What other steps would people recommend that I take?  It would not be
terribly difficult to wipe the drive and reinstall, but I would prefer to
avoid it of course.

TIA

---
Funny, there's a brightness dial on the monitor, but the users don't get any
smarter.
        --- Unknown
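The check described in the post (a hash comparison plus a byte-level compare of the suspect binary against a known-good copy), written out as an added Python example that is not part of the original message. The file contents, the names `pine.orig`/`pine` and the four patched offsets are constructed for the demonstration, and SHA-256 is used in place of md5sum.

```python
"""Integrity check of a suspect binary against a trusted copy (constructed example)."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_binaries(known_good, suspect):
    """Compare a suspect file with a trusted copy: hash, size and per-byte differences.
    Both files are read fully into memory, which is fine for a single executable."""
    good = Path(known_good).read_bytes()
    sus = Path(suspect).read_bytes()
    # zip() stops at the shorter file, so a size mismatch is reported via size_delta
    changed = [(off, a, b) for off, (a, b) in enumerate(zip(good, sus)) if a != b]
    return {
        "hash_match": sha256_of(known_good) == sha256_of(suspect),
        "size_delta": len(sus) - len(good),
        "changed_bytes": changed,  # list of (offset, expected byte, found byte)
    }


def build_sample(directory):
    """Constructed input: a fake 4 KiB 'binary' and a same-size copy with four bytes flipped."""
    good = bytes(range(256)) * 16
    patched = bytearray(good)
    for off in (0x120, 0x121, 0x122, 0x123):  # hypothetical patched offsets
        patched[off] ^= 0xFF
    good_path = os.path.join(directory, "pine.orig")
    sus_path = os.path.join(directory, "pine")
    Path(good_path).write_bytes(good)
    Path(sus_path).write_bytes(bytes(patched))
    return good_path, sus_path


def sample_report():
    with tempfile.TemporaryDirectory() as d:
        good_path, sus_path = build_sample(d)
        return compare_binaries(good_path, sus_path)


if __name__ == "__main__":
    r = sample_report()
    print("hash match:", r["hash_match"], " size delta:", r["size_delta"])
    for off, a, b in r["changed_bytes"]:
        print(f"offset 0x{off:06x}: expected 0x{a:02x}, found 0x{b:02x}")
```

Run against the real files by calling `compare_binaries("/path/to/known-good/pine", "/usr/bin/pine")`; a same-size file with a handful of changed bytes, as in the post, is a pattern that warrants checking the rest of the system's package files against trusted checksums rather than just replacing the one binary.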


