
RE: suspicious problem on firewall



> I have a Debian Potato machine running as a firewall/masq gateway on my
> home network and I am an AT&T @Home cablemodem subscriber.  I've got a
> fair amount of Linux administration experience.  I've turned off all the
> services that I don't use.  I have a nice ipchains ruleset and a script
> that runs through the packet log each night.  A typical daily report
> indicates several attempted connections on various ports (111 and 27374
> are the most common) and the occasional FTP attempt.  It's not a perfect
> setup, but I think it's fairly secure -- a nice middle-of-the-road
> security stance, I guess.
>
> I went to send an email tonight (I use Pine 3.96 compiled from the Potato
> source package) and pine caught a signal and aborted every time I moved
> the cursor off of the "From" field in the header.  I've been using Pine
> for quite some time on this machine so I started looking around with a
> suspicious eye.  The copy of pine was compiled on another machine and
> copied into place, so I did an md5sum on the two -- they are different.
> A binary compare revealed that the file sizes are identical but four
> bytes have been modified.  I copied the original pine over to the machine
> and it works fine.
>
> I would appreciate thoughts on this situation from people who are more
> familiar with system security than I am.  Specifically, does this look
> like someone has hacked into my machine or is it more likely that
> something has become corrupted (filesystem, hard drive..?)  What is the
> best way to convince myself that the system either has or has not been
> broken into?  What other steps would people recommend that I take?  It
> would not be terribly difficult to wipe the drive and reinstall, but I
> would prefer to avoid it of course.
>
> TIA

27374 connections are sub7 attempts, so those are nothing to worry about
(although you might want to report it anyway).

as for whether or not you've been hacked into, that's a completely different
matter, and one i can't comment on right now. you probably aren't, but it
can't hurt to make sure. i'd reinstall anyway (i've done that after my linux
box stopped responding to console logins, just to make 100% sure). secondly,
after you've reinstalled debian, i'd suggest you install tripwire, make a
snapshot of your setup, move a copy of tripwire's database offsite, and make
tripwire check the HD like once every day. also, occasionally, md5sum the
database against the offsite copy once in a while. if anything changes, and
you don't remember making any changes ... red alert.

this won't detect the more skilled hackers, but this will catch a fuckload
of them.

(damn mailer sent this privately initially, so i'm re-sending it to
debian-security in case it might be useful to someone else. sorry for the
extra traffic)

-m

When you are having a bad day, and it seems like everybody is trying to piss
you off, remember that it takes 42 muscles to produce a frown, but only 4
muscles to work the trigger of a good sniper rifle.
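
The snapshot-and-compare routine recommended in the reply above, as an added example that is not part of the original message and is not Tripwire's own code. It uses SHA-256 where the thread uses md5sum, refuses to check against a local database that no longer matches the digest kept offsite, and lists the offsets where two same-size files differ. The function names, the JSON database format and the sample files are assumptions constructed for illustration.

```python
import hashlib, json, os, tempfile

def file_digest(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def snapshot(root):
    """Map each regular file under root to its size and SHA-256 digest."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                db[os.path.relpath(full, root)] = [os.path.getsize(full), file_digest(full)]
    return db

def save_db(db, db_path):
    """Write the baseline outside the monitored tree; return its digest to store offsite."""
    with open(db_path, "w") as f:
        json.dump(db, f, sort_keys=True)
    return file_digest(db_path)

def check(root, db_path, offsite_digest):
    """Compare the tree to the baseline, but only after the baseline itself verifies."""
    if file_digest(db_path) != offsite_digest:
        raise RuntimeError("baseline database differs from the offsite copy")
    with open(db_path) as f:
        old, new = json.load(f), snapshot(root)
    return {"added": sorted(set(new) - set(old)), "removed": sorted(set(old) - set(new)),
            "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p])}

def differing_offsets(path_a, path_b):
    """Offsets at which two files differ, for the same-size case described in the post."""
    with open(path_a, "rb") as a, open(path_b, "rb") as b:
        return [i for i, (x, y) in enumerate(zip(a.read(), b.read())) if x != y]

def demo():
    """Constructed sample: a stand-in binary with four bytes altered and its size unchanged."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        good, live = os.path.join(store, "pine.orig"), os.path.join(root, "pine")
        db_path = os.path.join(store, "baseline.json")
        for p in (good, live):
            with open(p, "wb") as f:
                f.write(bytes(range(256)) * 4)
        offsite = save_db(snapshot(root), db_path)
        with open(live, "r+b") as f:
            f.seek(100)
            f.write(b"\xff" * 4)
        return check(root, db_path, offsite), differing_offsets(good, live)
```

Calling `demo()` returns the change report and the four differing offsets; a size-only comparison would have missed the change, which is why the digest is recorded alongside the size.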


