I cast out an awfully short-sighted 'Does this indicate I've been hacked'
message a while back. Thanks everyone for the quick responses and now I
hope to share what I've found. Tony and Lynn were first on the scene and
pointed out likely forms of response I'd want to take. Lynn in response to
Tony also brought light on the fact that I had sadly left out many details
that could help the mailing list readers to assist me. I humbly beg
forgiveness for any ensuing misspelling or omissions as I complete the story.
So. I have been successfully running a Dachstein LEAF FW on a 486 box
with 48MB ram and a single floppy for close to a year now. I started this
process on an Eigerstein but switched to Dachstein to be on a bit newer
kernel. The only functions it has been performing are as a gateway to my
cable modem and passing through a VPN connection. Of course inside the FW
I have a hub and two other machines on a 192.168.x.x subnet. My primary
workstation requires that I use an employer provided VPN client to access
the corporate network. That required a couple of holes in the FW
restricted to two specific IPs and the use of ip_masq_ipsec. Other than
that I have only tried to keep /etc/network.conf and /etc/ipfilter.conf as
tight as possible paying attention to all the helpful comments included in
both.
Following the suggestions I used lrcfg to back up the ramdisk to a fresh
floppy. I chose the backup option "E Everything INCLUDING log". I then
went to an internal Linux box, copied all files and even dd'd an image to a
separate directory. I did the same with the boot disk and then pulled down
a fresh Dachstein_1.0.2 image and repeated. OK, now I had a complete set of
directories to do compares against. I went into the base directory of each
of these 'images' and created an 'opened' directory. For each *.lrp file
in the copied directory I made a directory of the same name and opened the
lrp into it. Using a 'find' with md5sum I created an *.lrp.md5 file. Using
grep -f I resolved any files that were different or missing. Using the
results of that I ran diff on files that were changed and analyzed any that
were orphans or extras.
I am pretty confident that the three year record that Lynn stated is still
unscathed. The only changes I could find that I could not resolve were
/etc/ioctl.save in etc.lrp, a shadow- file in /etc/etc.lrp, which I might
consider to be my doing. Then finally a difference between the
Dachstein_1.0.2 etc.lrp /etc/issue* files and my files where mine says
"Linux Router 4.0.6 \n \l" and the Dach files that say "Linux Router 4.0.5
\n \l" which I take to be a difference of no concern. I did find that not
everything turned out as I had hoped and that my biggest worry was
unfounded. First, the "E Everything INCLUDING log" did not include either
the ramlog.lrp or weblet.lrp and I'm not presently sure why. Secondly, it
was in psentry.lrp, in the /etc/portsentry.conf file, that this line appeared:
KILL_RUN_CMD="/root/add2chain $TARGET$ $PORT$"
It was the results from that command that had me all scared. Thanks to
Sandro for pointing me towards what to look for. As usual that was my
glowing idea of a way to keep a list of people I needed to watch out
for. Once upon a time, before some reboot and of course before any backup,
I can kind of recall a script by that name made by me. Of course that was
a long long internet time ago in a place far far away.
This whole process got kicked off as I was getting an instance of Oracle
running on an internal machine and I was afraid of what that might open
up. That caused me to pay some closer attention to log files and I knee-jerked
when I saw the /root/add2chain. I most certainly feel like Chicken
Little right now. My gut continues to motivate me to react on the side of
too scared rather than too smug. Your patience and tolerance are greatly
appreciated.
As final replies:
> The disk is write protected isn't it?
I normally just boot the disk and then eject it until it is needed again.
Probably how I lost my add2chain script. Go figure.
Again much thanks for everyone's time and I hope I was some help to
someone. Or at least an example of what not to do, your call.
As Always...
Dennis S
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html