
Re: Network security



Hello,

No big problem, except that your DHCP is down. That is why your computer cannot get onto the internet.

Arpwatch:


           hostname: platon.local
         ip address: 169.254.214.233
          interface: eth0


Look on your router to restart the DHCP service, and everything should work again.

To check on your machine, you can also type the command ifconfig eth0;
the second line on your side should look like this:

inet adr:192.168.1.103  Bcast:192.168.1.255  Masque:255.255.255.0

Eddy

Christophe VINCHON wrote:
Hello,

This isn't strictly speaking a Debian question, but it is happening to me
on a Debian Etch, and there are surely network admins on the list...

This noon, at boot, the machine goes to get its IP address from the router.
OK, done. I open an X session, launch Iceweasel... The site chosen as the
default page does not display. I try an HTTP request to the router. Same
thing. So the router is unreachable to me...

I checked my mail (see below) and then, of course, reconfigured my network
interface so as to connect to my router first of all: nothing abnormal.

I am attaching, expurgated as much as possible, the reports from my various
"watchdogs". You will no doubt see things in them that I have not seen.
Despite all my efforts on the English-language sites, I cannot work out
the procedures to follow to fix the flaws reported by chkrootkit and
rkhunter. This is not about a recalcitrant piece of software, but perhaps
about the short-term future of my home network (4 machines) and of our
personal and professional data; in short, I need help.

Regards,
Christophe.



Arpwatch:


            hostname: platon.local
          ip address: 169.254.214.233
           interface: eth0
    ethernet address: 0:4f:4e:14:fe:f8
     ethernet vendor: <unknown>
           timestamp: Monday, November 17, 2008 12:11:26 +0100

This differs from the message sent after it was installed:

            hostname: platon.excathedra.lan
          ip address: 192.168.1.103
           interface: eth0
    ethernet address: 0:4f:4e:14:fe:f8
     ethernet vendor: <unknown>
           timestamp: Thursday, November 13, 2008 19:01:51 +0100


Logwatch:

################### Logwatch 7.3.1 (09/15/06) ####################
        Processing Initiated: Mon Nov 17 12:15:58 2008
        Date Range Processed: yesterday
                              ( 2008-Nov-16 )
                              Period is day.
      Detail Level of Output: 5
              Type of Output: unformatted
           Logfiles for Host: platon
##################################################################

 --------------------- Cron Begin ------------------------
 [...]

 ---------------------- Cron End -------------------------

 --------------------- dpkg status changes Begin ------------------------

 Installed:
    ksh 93r-1
Removed:
    firestarter 1.0.3-1.3
    winbind 3.0.24-6etch10
Purged:
    firestarter 1.0.3-1.3
    winbind 3.0.24-6etch10
 ---------------------- dpkg status changes End -------------------------

 --------------------- httpd Begin ------------------------

 0.00 MB transferred in 7 responses  (1xx 0, 2xx 2, 3xx 2, 4xx 3, 5xx 0)
     3 Images (0.00 MB),
    4 Content pages (0.00 MB),
Requests with error response codes
    404 Not Found
       /favicon.ico: 3 Time(s)
 ---------------------- httpd End -------------------------

 --------------------- Kernel Begin ------------------------
 [...]
 ---------------------- Kernel End -------------------------

 --------------------- Named Begin ------------------------
 [...]
 ---------------------- Named End -------------------------

 --------------------- pam_unix Begin ------------------------

 cron:
 [...]

 gdm:
 [...]

 proftpd:
 [...]

 smbd:
 [...]

 sshd:
    Authentication Failures:
       unknown (r028.red.fastwebserver.de): 6 Time(s)
       unknown (24-182-161-69.dhcp.stls.mo.charter.com): 5 Time(s)
       unknown (sd-16247.dedibox.fr): 4 Time(s)
       root (89.163.250.121.static.rdns-uclo.net): 2 Time(s)
       root (sd-16247.dedibox.fr): 2 Time(s)
       unknown (89.163.250.121.static.rdns-uclo.net): 2 Time(s)
       bin (24-182-161-69.dhcp.stls.mo.charter.com): 1 Time(s)
       daemon (24-182-161-69.dhcp.stls.mo.charter.com): 1 Time(s)
       games (24-182-161-69.dhcp.stls.mo.charter.com): 1 Time(s)
       lp (24-182-161-69.dhcp.stls.mo.charter.com): 1 Time(s)
       mail (24-182-161-69.dhcp.stls.mo.charter.com): 1 Time(s)
       news (24-182-161-69.dhcp.stls.mo.charter.com): 1 Time(s)
       root (122.200.102.6): 1 Time(s)
       root (79.170.216.8): 1 Time(s)
       sync (24-182-161-69.dhcp.stls.mo.charter.com): 1 Time(s)
       unknown (79.99.248.4): 1 Time(s)
       uucp (24-182-161-69.dhcp.stls.mo.charter.com): 1 Time(s)
    Invalid Users:
       Unknown Account: 18 Time(s)
 su:
    [...]
    Sessions Opened:
       [...]
       root -> nobody: 3 Time(s)
       root -> mixmaster: 1 Time(s)
 ---------------------- pam_unix End -------------------------

 --------------------- postfix Begin ------------------------
 [...]

 ---------------------- postfix End -------------------------

 --------------------- samba Begin ------------------------
 [...]
 ---------------------- samba End -------------------------

 --------------------- SSHD Begin ------------------------

 SSHD Killed: 1 Time(s)
 SSHD Started: 1 Time(s)

 Failed logins from:
    24.182.161.69: 8 times
       bin/password: 1 time
       daemon/password: 1 time
       games/password: 1 time
       lp/password: 1 time
       mail/password: 1 time
       news/password: 1 time
       sync/password: 1 time
       uucp/password: 1 time
    79.170.216.8: 1 time
       root/password: 1 time
    88.191.94.148: 2 times
       root/password: 2 times
    89.163.250.121: 2 times
       root/password: 2 times
    122.200.102.6: 1 time
       root/password: 1 time
Illegal users from:
    24.182.161.69: 5 times
       adm/password: 1 time
       guest/password: 1 time
       halt/password: 1 time
       operator/password: 1 time
       shutdown/password: 1 time
    79.99.248.4: 1 time
       guest/password: 1 time
    88.191.94.148: 4 times
       oracle/password: 1 time
       pgsql/password: 1 time
       postgres/password: 1 time
       test/password: 1 time
    89.163.250.121: 2 times
       mzarza/password: 1 time
       trukulo/password: 1 time
    217.79.190.28: 6 times
       ts/password: 2 times
       friedrich/password: 1 time
       nagios/password: 1 time
       oracle/password: 1 time
       teamspeak/password: 1 time
Refused incoming connections:
       24-182-161-69.dhcp.stls.mo.charter.com (::ffff:24.182.161.69): 1 Time(s)
       89.163.250.121.static.rdns-uclo.net (::ffff:89.163.250.121): 1 Time(s)
       r028.red.fastwebserver.de (::ffff:217.79.190.28): 1 Time(s)
 ---------------------- SSHD End -------------------------

 --------------------- Disk Space Begin ------------------------
 [...]
 ---------------------- Disk Space End -------------------------

 ###################### Logwatch End #########################


chkrootkit:

/etc/cron.daily/chkrootkit:
The following suspicious files and directories were found:
/usr/lib/iceweasel/.autoreg
/usr/lib/xulrunner/.autoreg
/usr/lib/epiphany/2.14/extensions/.pyversion
/lib/init/rw/.ramfs

COMMENT: these files are empty, except .pyversion (2.4).

/usr/lib/security
/usr/lib/security/classpath.security
INFECTED (PORTS:  1524 6667 31337)
eth0: PACKET SNIFFER(/usr/sbin/snort[2973], /usr/sbin/arpwatch[3105])
/etc/cron.daily/mixmaster:
/usr/bin/mixmaster-update: Get failed for http://www.noreply.org/echolot/rlist2.txt (500 Can't connect to www.noreply.org:80 (Bad hostname 'www.noreply.org'))
Exiting eval via next at /usr/bin/mixmaster-update line 384.
/usr/bin/mixmaster-update: Get failed for http://www.noreply.org/echolot/mlist2.txt (500 Can't connect to www.noreply.org:80 (Bad hostname 'www.noreply.org'))
Exiting eval via next at /usr/bin/mixmaster-update line 384.
/usr/bin/mixmaster-update: Get failed for http://www.noreply.org/echolot/pubring.mix (500 Can't connect to www.noreply.org:80 (Bad hostname 'www.noreply.org'))
Exiting eval via next at /usr/bin/mixmaster-update line 384.
/usr/bin/mixmaster-update: Get failed for http://www.noreply.org/echolot/rlist.txt (500 Can't connect to www.noreply.org:80 (Bad hostname 'www.noreply.org'))
Exiting eval via next at /usr/bin/mixmaster-update line 384.
/usr/bin/mixmaster-update: Get failed for http://www.noreply.org/echolot/mlist.txt (500 Can't connect to www.noreply.org:80 (Bad hostname 'www.noreply.org'))
Exiting eval via next at /usr/bin/mixmaster-update line 384.
/usr/bin/mixmaster-update: Get failed for http://www.noreply.org/echolot/pgp-all.asc (500 Can't connect to www.noreply.org:80 (Bad hostname 'www.noreply.org'))
Exiting eval via next at /usr/bin/mixmaster-update line 384.
Downloading of mlist and/or mixring failed (do you need a proxy?). Aborting.
run-parts: /etc/cron.daily/mixmaster exited with return code 22

COMMENT: I removed mixmaster...

# lsof -i:1524,6667,31337
COMMAND    PID USER   FD   TYPE DEVICE SIZE NODE NAME
portsentr 3208 root   10u  IPv4   9227       TCP *:ingreslock (LISTEN)
portsentr 3208 root   13u  IPv4   9233       TCP *:ircd (LISTEN)
portsentr 3208 root   18u  IPv4   9243       TCP *:31337 (LISTEN)
portsentr 3212 root   19u  IPv4   9309       UDP *:31337

rkhunter:

Scanning for hidden files...  [ Warning! ]
-----------------------------------------------------------------

Found warnings:
[12:23:27] WARNING, found: /dev/.static (directory) /dev/.udev (directory) /dev/.initramfs (directory)
-----------------------------------------------------------------

If you're unsure about the results above, please contact the
Rootkit Hunter team through the Rootkit Hunter mailinglist
at rkhunter-users@lists.sourceforge.net.
Some errors has been found while checking. Please perform a manual check on this machine (platon)
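The chkrootkit "INFECTED (PORTS: ...)" line and the lsof listing quoted above are the classic triage pair: chkrootkit only sees that something listens on ports known to be used by bindshells, while lsof names the process, here portsentry, which deliberately binds those ports as a tripwire. The script below is an added example (not part of the thread) that parses both outputs, maps each flagged port to its owning process and reports only what is not covered by an administrator-maintained allowlist; the allowlist and the ingreslock/ircd service-name mapping are assumptions, and the sample inputs are constructed from the outputs quoted in the thread.

```python
import re

# Constructed from the chkrootkit and lsof output quoted in the thread.
CHKROOTKIT_OUT = """\
INFECTED (PORTS:  1524 6667 31337)
eth0: PACKET SNIFFER(/usr/sbin/snort[2973], /usr/sbin/arpwatch[3105])
"""
LSOF_OUT = """\
COMMAND    PID USER   FD   TYPE DEVICE SIZE NODE NAME
portsentr 3208 root   10u  IPv4   9227       TCP *:ingreslock (LISTEN)
portsentr 3208 root   13u  IPv4   9233       TCP *:ircd (LISTEN)
portsentr 3208 root   18u  IPv4   9243       TCP *:31337 (LISTEN)
portsentr 3212 root   19u  IPv4   9309       UDP *:31337
"""

# lsof prints service names from /etc/services; these two appear in the thread.
SERVICE_PORTS = {"ingreslock": 1524, "ircd": 6667}
# Assumption: listeners and promiscuous-mode tools the admin installed on purpose.
EXPECTED_LISTENERS = {"portsentr"}
EXPECTED_SNIFFERS = {"/usr/sbin/snort", "/usr/sbin/arpwatch"}

def parse_chkrootkit(text):
    """Return (flagged ports, sniffer binaries) from chkrootkit output."""
    ports, sniffers = set(), set()
    m = re.search(r"INFECTED \(PORTS:\s*([\d ]+)\)", text)
    if m:
        ports = {int(p) for p in m.group(1).split()}
    m = re.search(r"PACKET SNIFFER\((.*)\)", text)
    if m:  # entries look like /usr/sbin/snort[2973]; drop the [pid]
        sniffers = {s.split("[")[0].strip() for s in m.group(1).split(",")}
    return ports, sniffers

def parse_lsof(text):
    """Map port number -> set of COMMAND names holding a socket on it."""
    owners = {}
    for line in text.splitlines()[1:]:  # skip the header line
        fields = line.split()
        addr = next((f for f in fields if ":" in f), None)  # e.g. *:ircd
        if not fields or addr is None:
            continue
        svc = addr.rsplit(":", 1)[1]
        port = int(svc) if svc.isdigit() else SERVICE_PORTS.get(svc)
        if port is not None:
            owners.setdefault(port, set()).add(fields[0])
    return owners

def triage(chk_text, lsof_text):
    """Flagged ports with no owner or an unexpected owner, and unexpected sniffers."""
    ports, sniffers = parse_chkrootkit(chk_text)
    owners = parse_lsof(lsof_text)
    bad_ports = {p for p in ports
                 if not owners.get(p) or not owners[p] <= EXPECTED_LISTENERS}
    return {"ports": bad_ports, "sniffers": sniffers - EXPECTED_SNIFFERS}
```

With the quoted data every finding is explained; a port that lsof cannot attribute to an expected process stays in the result and is the one worth investigating by hand.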