
Re: Ftp/mail-yes. Telnet-no. Direct login-no. ????

On Mon, Apr 28, 2003 at 02:16:08PM -0700, Kenward Vaughan wrote:
> My firewall/internal mail server/gateway machine choked on something
> yesterday and went down for quite a while.  I couldn't login at the
> console--no response after hitting the return with the name (no printing of
> request for password).  But C-A-D works from there.
> I can't telnet in. A connection is made, but it hangs without a login
> request line.
> I found I could ftp into the box. 
> Couldn't get through it to the outside, though. No ping, http, ftp. 
> I was able to boot single user into the system.  Having seen several
> messages about a missing int_LOG module, I surmised that part of the problem
> came from iptables/ipmasq, which was surprising as I have been using it for
> some time now with a 2.4.20 kernel.  After much fooling around including
> reinstalling a variety of packages, I removed ipmasq and replaced it with a
> simpler script based on the ibm.com/developerWorks tutorial (happened to
> have that one printed out).  Rebuilt the kernel with its suggested kernel
> options and even included an option about logging iptables.. ;-)
> The system now acts as it should for the LAN as a gateway, but still
> doesn't allow a console or telnet login.
> Can anyone suggest a direction for me to search in?  Is this an init/getty
> issue?  It's the stable branch, FWIW, that went through a rough upgrade from
> the last stable issue about 1-2 months ago (I'm actually pleased that the
> 486 works OK with the 2.4.20 kernel...).

Have you ruled out a cracking?  Or hardware failure (try memtest86 for a
day)?  Or disk corruption (debsums -s will help)?

It sure sounds like something was seriously broken on there, and I'd bet
it's not just a simple package bug or such.  Some points to look at:

* have you kept up to date with security patches and DSAs?
* you mention telnet; you haven't been using that over the Internet,
  have you?
* as above, for ftp.
* 2.4.20 (and all earlier ones) have a local root hole.  Any person who
  was given a local user account or who broke in as a user could have fairly
  trivially gained root permissions and done anything they felt like to
  your box.

Also try the 'chkrootkit' tool to give you some indication of whether
you've been cracked.  If you have, then you really have to go for a
reinstall; nothing on the machine can be trusted anymore.

Rob Weir <rweir@ertius.org>                              http://www.ertius.org/
GPG keys: 1024D/1E73B7CD, 4096R/3ABDE5EC     |      Do I look like I want a CC?
Words of the day: smuggle Verisign CIA president bootleg FSF JSOFC3IP espionage
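As an added illustration of the checklist above (my own script, not anything from Rob's or Kenward's messages): a small POSIX shell helper that lists telnet/ftp entries still enabled in an inetd.conf-style file and flags a kernel version in the 2.4.20-or-earlier range the reply mentions. The inetd.conf sample is constructed here, not taken from the poster's machine.

```shell
#!/bin/sh
# Added example: triage helpers for the reply's checklist.
# Neither function is taken from the thread; both run on constructed input.

# Read an inetd.conf-style file on stdin and print the names of the
# cleartext login services (telnet, ftp) that are still enabled.
# Lines commented out with a leading '#' are ignored.
cleartext_services() {
    grep -v '^[[:space:]]*#' | awk '$1 == "telnet" || $1 == "ftp" { print $1 }'
}

# Return 0 (true) when the version string is 2.4.20 or earlier, the range
# the reply describes as having a local root hole; 1 otherwise.
# Accepts Debian-style strings such as "2.4.18-bf2.4" (suffix is dropped).
kernel_has_local_root_hole() {
    major=$(echo "$1" | cut -d. -f1)
    minor=$(echo "$1" | cut -d. -f2)
    patch=$(echo "$1" | cut -d. -f3 | sed 's/[^0-9].*//')
    [ "$major" -lt 2 ] && return 0
    [ "$major" -gt 2 ] && return 1
    [ "$minor" -lt 4 ] && return 0
    [ "$minor" -gt 4 ] && return 1
    [ "${patch:-0}" -le 20 ]
}

# Demonstration on a constructed inetd.conf: telnet and one ftp entry are
# enabled, a second ftp entry is commented out, daytime is not of interest.
demo() {
    echo "Enabled cleartext login services:"
    cleartext_services <<'EOF'
#<service> <type> <proto> <flags> <user> <server> <args>
telnet  stream  tcp  nowait  telnetd  /usr/sbin/tcpd  /usr/sbin/in.telnetd
#ftp    stream  tcp  nowait  root     /usr/sbin/tcpd  /usr/sbin/in.ftpd
ftp     stream  tcp  nowait  root     /usr/sbin/tcpd  /usr/sbin/in.ftpd
daytime stream  tcp  nowait  root     internal
EOF
    if kernel_has_local_root_hole "$(uname -r)"; then
        echo "Kernel $(uname -r) is in the range flagged above; upgrade it."
    else
        echo "Kernel $(uname -r) is newer than 2.4.20."
    fi
}

demo
```

Run it as root on the box in question with `cleartext_services < /etc/inetd.conf`; any line it prints is a service the reply suggests should not be reachable from the Internet.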
