[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Ftp/mail-yes. Telnet-no. Direct login-no. ????

On Tue, Apr 29, 2003 at 09:54:30PM +1000, Rob Weir wrote:
> On Mon, Apr 28, 2003 at 02:16:08PM -0700, Kenward Vaughan wrote:
> > My firewall/internal mail server/gateway machine choked on something
> > yesterday and went down for quite a while.  I couldn't login at the
> > console--no response after hitting the return with the name (no printing of
> > request for password).  But C-A-D works from there.
> > 
> > I can't telnet in. A connection is made, but it hangs without a login
> > request line.
> > 
> > I found I could ftp into the box. 
> > 
> > Couldn't get through it to the outside, though. No ping, http, ftp. 
> > 
> > I was able to boot single user into the system.  Having seen several
> > messages about a missing int_LOG module, I surmised that part of the problem
> > came from iptables/ipmasq, which was surprising as I have been using it for
> > some time now with a 2.4.20 kernel.  After much fooling around including
> > reinstalling a variety of packages, I removed ipmasq and replaced it with a
> > simpler script based on the ibm.com/developerWorks tutorial (happened to
> > have that one printed out).  Rebuilt the kernel with its suggested kernel
> > options and even included an option about logging iptables.. ;-)
> > 
> > The system nows acts as it should for the LAN as a gateway, but still
> > doesn't allow a console or telnet login.
> > 
> > Can anyone suggest a direction for me to search in?  Is this an init/getty
> > issue?  It's the stable branch, FWIW, that went through a rough upgrade from
> > the last stable issue about 1-2 months ago (I'm actually pleased that the
> > 486 works OK with the 2.4.20 kernel...).
> 
> Have you ruled out a cracking?  Or hardware failure (try memtest86 for a
> day)?  Or disk corruption (debsums -s will help)?

Not sure how to look for someone cracking in, to be honest.  The box Is
pretty old, so perhaps some HW issues might be there.  I'll try looking
about the logs..


 
> It sure sounds like something was seriously broken on there, and I'd bet
> it's not just a simple package bug or such.  Some points to look at:
> 
> * have you kept up to date with security patches and DSAs?

As well as Debian lets me...  :-)

> * you mention telnet; you haven't been using that over the Internet,
>   have you?
> * as above, for ftp.

Neither for coming into the LAN (I'm dialup and also have no need.). 
Ftp occasionally for going out to certain research sites (chemical modeling
software and my school web site).

> * 2.4.20 (and all earlier ones) have a local root hole.  Any person you
>   was given a local user account or broke in as a user could have fairly
>   trivially gained root permissions and done anything they felt like to
>   your box.

No one here could do that even if they thought about it (my wife has a hard
enough time dealing with Linux, and my oldest kid is 11).


> Also try the 'chkrootkit' tool to give you some indication of whether
> you've been cracked.  If you have, then you really have to go for a
> reinstall; nothing on the machine can be trusted anymore.

OK.  I'll get that and see what happens.

Thanks, Rob.


Kenward
-- 
In a completely rational society, the best of us would aspire to be 
_teachers_ and the rest of us would have to settle for something less, 
because passing civilization along from one generation to the next 
ought to be the highest honor and the highest responsibility anyone 
could have.     - Lee Iacocca
Reply to: