Re: logcheck thinks that system is under attack, related to ssl problem?

2003-10-06 Thread Andreas Wüst
Hi Noah

Thanks again for your answer!!

On Montag, 06-Okt-03 at 22:13:32, Noah L. Meyerhans wrote:

> On Mon, Oct 06, 2003 at 10:07:23PM +0100, Andreas Wüst wrote:
>> I hope you've got some more ideas. I'm strictly following all the
>> security updates, and have a light mix of woody and sid packages.
> 
> run 'shutdown -rF now'
> 
> See if the problem persists after the fsck. If it does, check the
> files manually and see if they're really corrupted or something.
> Sounds like you've just got a twisted and inconsistent filesystem.

Well, I must admit that I had already rebooted after this message
appeared (well, just because I hadn't read my mail then, and only
realised the logcheck message after a second reboot), but the problem
didn't "survive" this first reboot, i.e. I've only received this mail
once. But this shouldn't mean anything, no?

I've fscked the disk as you told, and the problem hasn't returned. But
hey, shouldn't there be any file corruption when using ext3 (I mean,
missing or incomplete files, ok, when the buffers couldn't get flushed
anymore, but corrupted?? I thought that's where the journal comes
into action.).

-- 
Best wishes, and thanks a lot for your help,
Andi



Re: logcheck thinks that system is under attack, related to ssl problem?

2003-10-06 Thread Andreas Wüst
Hi Noah

Thanks a lot for your fast answer!

On Montag, 06-Okt-03 at 17:58:10, Noah L. Meyerhans wrote:

> On Mon, Oct 06, 2003 at 05:31:05PM +0100, Andreas Wüst wrote:
>> Hmmm, so what? Are these problems somehow tied together? Furthermore,
>> what is the probability that the system has really been cracked, and
>> the logcheck message is not a false positive? I wonder, because it's
>> not a server machine, it has no services running, except the dhcp
>> client listening on a port. Nothing else.
> 
> It sounds to me, from the symptoms you described, that /var has
> somehow been mounted read-only. Check that first.

Well, I wished it would be like that, but /var hasn't got its own
partition, it gets mounted together with all the other stuff except
/boot.

> You don't have much evidence that it's a security issue at this point.
> Logcheck's "active system attack" messages rarely indicate such a
> thing. Don't do anything drastic like reinstall the system until
> you've got better evidence that you've been cracked. In this case, I
> doubt you have.

Well, reinstall is the last resort since it always takes hours to get
back the normal environment.

I hope you've got some more ideas. I'm strictly following all the
security updates, and have a light mix of woody and sid packages.

Well, I further noticed some error messages from gconf, about not being
able to delete some files, because they were not successfully synced. I
am seeing these messages quite often, although yesterday there were
quite a lot of them. I've never really researched the topic, but I think
it could be related to sleep, and therefore a not perfect flush of
the buffers or something. I wonder if this might somehow have affected
the logcheck stuff.

-- 
Best wishes,
Andi



logcheck thinks that system is under attack, related to ssl problem?

2003-10-06 Thread Andreas Wüst
Hi

I've got a rather weird problem. Since this morning, I cannot connect
anymore to a pop mail server using ssl, evolution complains about a bad
signature of the certificate. This is since I've booted my machine
today.

At the same time, one minute before I got the after-startup report from
logcheck, logcheck sent me a mail with an "ACTIVE SYSTEM ATTACK!"
subject, saying:

"Cleaned rules files exist in /var/lib/logcheck/cleaned directory that
cannot be removed. This may be an attempt to spoof the log checker."

Hmmm, so what? Are these problems somehow tied together? Furthermore,
what is the probability that the system has really been cracked, and the
logcheck message is not a false positive? I wonder, because it's not a
server machine, it has no services running, except the dhcp client
listening on a port. Nothing else.

Which steps would you propose to take next? It's very unfortunate, since
I am having absolutely no time at the moment, so I think I'll just leave
the machine switched off for now. Maybe I should go for a complete
reinstall.

-- 
Best wishes,
Andi

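The logcheck message above complains about files under /var/lib/logcheck/cleaned that could not be removed, and the first reply on this page suggests checking whether /var has been mounted read-only before suspecting anything else. The following is an added example, written for this page and not code from any poster or from logcheck itself: it resolves a path to the mount entry that serves it (longest mount-point prefix, later entry wins on a tie, as the kernel lists a remount after the original mount) and reads the mount options, then asks the running kernel the same question through statvfs. The /proc/mounts snapshot is constructed to match the layout described in the thread (everything on one root filesystem except /boot), with the root already remounted read-only.

```python
import os

# Constructed /proc/mounts snapshot (not from the poster's machine): one root
# filesystem holding /var, a separate /boot, and the root remounted read-only,
# which is what ext3's errors=remount-ro does after it detects corruption.
SAMPLE_MOUNTS = """\
rootfs / rootfs rw 0 0
/dev/hda2 / ext3 ro,errors=remount-ro 0 0
/dev/hda1 /boot ext2 rw 0 0
proc /proc proc rw 0 0
"""

LOGCHECK_CLEANED = "/var/lib/logcheck/cleaned"


def parse_mounts(text):
    """Parse /proc/mounts lines into device, mount point, fs type, option list."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        device, mountpoint, fstype, options = parts[:4]
        mounts.append({"device": device, "mountpoint": mountpoint,
                       "fstype": fstype, "options": options.split(",")})
    return mounts


def mount_for(path, mounts):
    """Find the mount entry that serves `path`: the longest mount-point prefix
    wins, and among equal prefixes the later /proc/mounts entry wins, since a
    remount is listed after the original mount of the same point."""
    path = os.path.normpath(path)
    best = None
    for m in mounts:
        mp = m["mountpoint"]
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) >= len(best["mountpoint"]):
                best = m
    return best


def read_only_reason(path, mounts):
    """Return (is_read_only, mount_entry) for `path` against a mounts snapshot."""
    m = mount_for(path, mounts)
    return (m is not None and "ro" in m["options"]), m


def live_check(path):
    """The same question asked of the running kernel: statvfs reports
    ST_RDONLY for a read-only mount, and os.access says whether the current
    user could create or unlink entries in the directory."""
    st = os.statvfs(path)
    return {"read_only_mount": bool(st.f_flag & os.ST_RDONLY),
            "writable_dir": os.access(path, os.W_OK)}


if __name__ == "__main__":
    ro, entry = read_only_reason(LOGCHECK_CLEANED, parse_mounts(SAMPLE_MOUNTS))
    print(f"{LOGCHECK_CLEANED}: read-only={ro} via {entry['device']} on {entry['mountpoint']}")
```

Run against the real /proc/mounts (open("/proc/mounts").read()) the snapshot functions give the same answer as live_check, with the added benefit of naming the device and mount point that caused it; a read-only answer here explains the "cannot be removed" message without any attacker involved.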


Re: nautilus and portmapper port 111

2003-06-10 Thread Andreas Wüst
Hello Chris

Thank you for your answer!

On Dienstag, 10-Jun-03 at 21:39:47, Chris Caldwell wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Andreas Wüst sent the following message Today:
> 
>> No matter if I try netstat -apn or netstat -atunp as someone
>> in private, it gives the same result as netstat -tu -l
>> -ee -p, apart from the established connections, namely there is
>> nothing listening in port 111.
> 
> Have you tried "rpcinfo -p localhost" to see if Nautilus is
> registering a connection to portmap?

No, I haven't yet, but will do!

> The newer Gnome installs
> (gnomevfs) depend on fam, which depends on portmap.

Umm, I thought woody gnome wouldn't depend on fam, no?

> I don't
> believe there is a direct dependency from core Nautilus to
> portmap, but possibly some of the Nautilus extras or vfs extras
> are causing the dependency.

Yeah, it's strange. Even stranger, that nautilus won't start at all, if
the connection to port 111 fails!!

-- 
Best wishes,
Andi



Re: strange broadcast packets

2003-06-10 Thread Andreas Wüst
Hi Phillip

On Dienstag, 10-Jun-03 at 19:59:40, Phillip Hofmeister wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Tue, 10 Jun 2003 at 07:21:25PM +0100, Andreas Wüst wrote:
>> Hi
>> 
>>> Hello,
>>> 
>>> isn't perhaps 10.208.64.1 your dhcp server and aren't these replies to
>>> dhcp requests from clients?
>> 
>> No lan here.. !!
> 
> That IP address might be used by your cable modem service as an
> internal management address to hand out IP addresses. Or it might even
> be your bridge (cable modem). In either case, this is not something to
> be worried about. In fact I made a special rule in my iptables so such
> packets don't get logged.

Cool, thanks a lot for your help!!

So, can I happily block them? As it seems, unfortunately I have to keep
udp port 68 stateful open, to renew the dhcp lease, no?

-- 
All the best, and really thanks a lot for your answers,
Andi



Re: strange broadcast packets

2003-06-10 Thread Andreas Wüst
Hi

> Hello,
> 
> isn't perhaps 10.208.64.1 your dhcp server and aren't these replies to
> dhcp requests from clients?

No lan here.. !!

-- 
Best wishes,
Andi



Re: nautilus and portmapper port 111

2003-06-10 Thread Andreas Wüst
Hi Phillip

On Dienstag, 10-Jun-03 at 01:33:07, Phillip Hofmeister wrote:

> On Tue, 10 Jun 2003 at 12:20:10AM +0100, Andreas Wüst wrote:
>> Hi
>> 
>> Although I can see no evidence for portmapper being run by issuing
>> "netstat -tu -l -ee -p", every time nautilus is started it connects to
>> port 111, and even gets an answer from there. And even after this
>> connection, I can't see a server listening on port 111 via netstat.
>> 
>> What is going on here? If I block port 111 nautilus won't start.
>> 
>> How can I make sure portmapper is not being run, or at least only in
>> a controlled manner, say for nautilus?
> 
> 
> I usually use a netstat -apn (requires r00t).  It will show you all
> sockets (listening or otherwise) and what app owns them.  The -n makes
> it so it does not resolve the port numbers via /etc/service.

No matter if I try netstat -apn or netstat -atunp as someone pointed out
in private, it gives the same result as netstat -tu -l -ee -p, apart
from the established connections, namely there is nothing listening in
port 111.

Furthermore, package "portmap" is NOT installed, but there are working
connections via 111 when nautilus starts up..

-- 
Best wishes,
Andi



nautilus and portmapper port 111

2003-06-09 Thread Andreas Wüst
Hi

Although I can see no evidence for portmapper being run by issuing
"netstat -tu -l -ee -p", every time nautilus is started it connects to
port 111, and even gets an answer from there. And even after this
connection, I can't see a server listening on port 111 via netstat.

What is going on here? If I block port 111 nautilus won't start.

How can I make sure portmapper is not being run, or at least only in
a controlled manner, say for nautilus?

-- 
Best wishes,
Andi


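The question in this post and in the netstat exchange earlier on the page comes down to what netstat actually reads: /proc/net/tcp lists every TCP socket with its state, so a listener on port 111 and a client socket connected to port 111 are two different rows, and "netstat -l" only shows the first kind. The following is an added example written for this page (not code from netstat, the poster, or anyone on the list): a parser for the /proc/net/tcp format, a split into listeners versus peers for one port, and the inode-to-process lookup that is the reason "netstat -p" wants root. The snapshot is constructed to reproduce the situation described here: nothing listening on 111, yet a socket connected to 127.0.0.1:111. Decoding assumes the snapshot came from a little-endian host, where the kernel's hex address word shows the octets reversed.

```python
import os
import socket
import struct

# Constructed /proc/net/tcp snapshot (not taken from the poster's machine):
# sshd listening on 22, one ESTABLISHED client socket to 127.0.0.1:111 and a
# TIME_WAIT leftover to the same port, with nothing listening on 111.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10234 1 0000000000000000 100 0 0 10 0
   1: 0100007F:8A3C 0100007F:006F 01 00000000:00000000 00:00000000 00000000  1000        0 20456 1 0000000000000000 20 4 30 10 -1
   2: 0100007F:8A3D 0100007F:006F 06 00000000:00000000 00:00000000 00000000     0        0 0 3 0000000000000000
"""

TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}


def decode_addr(hex_addr):
    """'0100007F:006F' -> ('127.0.0.1', 111). The kernel prints the address
    word as-is, so on a little-endian host the octets appear reversed; this
    assumes the snapshot came from such a host (i386/x86-64)."""
    ip_hex, port_hex = hex_addr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)


def parse_proc_net_tcp(text):
    """One dict per socket: local/remote endpoints, state name, uid, inode."""
    sockets = []
    for line in text.splitlines()[1:]:          # line 0 is the column header
        parts = line.split()
        if len(parts) < 10:
            continue
        sockets.append({
            "local": decode_addr(parts[1]),
            "remote": decode_addr(parts[2]),
            "state": TCP_STATES.get(parts[3], parts[3]),
            "uid": int(parts[7]),
            "inode": int(parts[9]),
        })
    return sockets


def sockets_on_port(sockets, port):
    """What 'netstat -l' shows (listeners on the port) next to what only
    'netstat -a' shows (sockets connected or connecting to that port)."""
    listeners = [s for s in sockets if s["state"] == "LISTEN" and s["local"][1] == port]
    peers = [s for s in sockets if s["state"] != "LISTEN" and s["remote"][1] == port]
    return listeners, peers


def inode_owners(inodes, proc="/proc"):
    """The step that makes 'netstat -p' need root: walk every /proc/<pid>/fd
    and map socket inodes back to (pid, command). Processes whose fd table we
    cannot read are skipped, which is why unprivileged output shows '-'."""
    wanted = {f"socket:[{i}]" for i in inodes if i}
    owners = {}
    try:
        pids = [p for p in os.listdir(proc) if p.isdigit()]
    except OSError:
        return owners
    for pid in pids:
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target in wanted:
                try:
                    with open(os.path.join(proc, pid, "comm")) as fh:
                        comm = fh.read().strip()
                except OSError:
                    comm = "?"
                owners[int(target[8:-1])] = (int(pid), comm)
    return owners


def report(text, port):
    """Summarise a snapshot for one port, attaching owners where resolvable."""
    listeners, peers = sockets_on_port(parse_proc_net_tcp(text), port)
    owners = inode_owners([s["inode"] for s in listeners + peers])
    for s in listeners + peers:
        s["owner"] = owners.get(s["inode"])
    return {"port": port, "listeners": listeners, "peers": peers}


if __name__ == "__main__":
    r = report(SAMPLE_PROC_NET_TCP, 111)
    print(f"port 111: {len(r['listeners'])} listener(s), {len(r['peers'])} peer socket(s)")
    for s in r["peers"]:
        print(f"  {s['local']} -> {s['remote']} {s['state']} uid={s['uid']} owner={s['owner']}")
```

On a live system, pass open("/proc/net/tcp").read() to report(); the peers list is what "netstat -l" hides, and the uid and owner fields tell you which account and command opened the socket, which is the evidence the thread is missing when it asks what is really using port 111.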

strange broadcast packets

2003-06-09 Thread Andreas Wüst
Hi

Since I started to do some excessive logging a few days ago, I
noticed some strange broadcasted packets:

...
Jun  9 16:06:10 *** kernel: IN=eth0 OUT= MAC=*** SRC=10.208.64.1 DST=255.255.255.255 LEN=368 TOS=0x00 PREC=0x00 TTL=255 ID=26012 PROTO=UDP SPT=67 DPT=68 LEN=348
Jun  9 16:06:13 *** kernel: IN=eth0 OUT= MAC=*** SRC=10.208.64.1 DST=255.255.255.255 LEN=368 TOS=0x00 PREC=0x00 TTL=255 ID=26015 PROTO=UDP SPT=67 DPT=68 LEN=348
Jun  9 16:06:19 *** kernel: IN=eth0 OUT= MAC=*** SRC=10.208.64.1 DST=255.255.255.255 LEN=333 TOS=0x00 PREC=0x00 TTL=255 ID=26033 PROTO=UDP SPT=67 DPT=68 LEN=313
Jun  9 16:06:23 *** kernel: IN=eth0 OUT= MAC=*** SRC=10.208.64.1 DST=255.255.255.255 LEN=333 TOS=0x00 PREC=0x00 TTL=255 ID=26060 PROTO=UDP SPT=67 DPT=68 LEN=313
Jun  9 16:06:28 *** kernel: IN=eth0 OUT= MAC=*** SRC=10.208.64.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=26072 PROTO=UDP SPT=67 DPT=68 LEN=308
Jun  9 16:06:28 *** kernel: IN=eth0 OUT= MAC=*** SRC=10.208.64.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=26075 PROTO=UDP SPT=67 DPT=68 LEN=308
Jun  9 16:06:30 *** kernel: IN=eth0 OUT= MAC=*** SRC=10.208.64.1 DST=255.255.255.255 LEN=333 TOS=0x00 PREC=0x00 TTL=255 ID=26078 PROTO=UDP SPT=67 DPT=68 LEN=313
Jun  9 16:06:31 *** kernel: IN=eth0 OUT= MAC=*** SRC=10.208.64.1 DST=255.255.255.255 LEN=333 TOS=0x00 PREC=0x00 TTL=255 ID=26081 PROTO=UDP SPT=67 DPT=68 LEN=313
Jun  9 16:06:31 *** kernel: IN=eth0 OUT= MAC=*** SRC=10.208.64.1 DST=255.255.255.255 LEN=333 TOS=0x00 PREC=0x00 TTL=255 ID=26093 PROTO=UDP SPT=67 DPT=68 LEN=313
...

10.208.64.1 seems to be spoofed anyway..

These packets are received regularly. Something to worry about? Is
dhclient vulnerable to this attack?

Hope someone can give some insight on this. :)

-- 
Best wishes,
Andi

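The log lines quoted above, read the way the replies earlier on this page read them, as an added example written for this page (my own code, not from any poster, from iptables or from logcheck): a parser for iptables LOG lines and a classifier that tags UDP port 67 to port 68 traffic sent to 255.255.255.255 as the expected shape of a DHCP server reply rather than an attack, and counts what remains. The sample lines are constructed after the ones quoted, with one made-up TCP probe added so the classifier has something to reject. The iptables rule it builds follows Phillip's idea of not logging such packets; it assumes the LOG rule sits later in the INPUT chain, and the rule text is this example's own, not his.

```python
import ipaddress
import re

# Constructed sample: the first two lines are modelled on the iptables LOG
# output quoted in the post (hostname and MAC already masked there); the third
# is an unrelated, made-up TCP probe so the classifier has something to reject.
SAMPLE_LOG = """\
Jun  9 16:06:10 *** kernel: IN=eth0 OUT= MAC=*** SRC=10.208.64.1 DST=255.255.255.255 LEN=368 TOS=0x00 PREC=0x00 TTL=255 ID=26012 PROTO=UDP SPT=67 DPT=68 LEN=348
Jun  9 16:06:13 *** kernel: IN=eth0 OUT= MAC=*** SRC=10.208.64.1 DST=255.255.255.255 LEN=368 TOS=0x00 PREC=0x00 TTL=255 ID=26015 PROTO=UDP SPT=67 DPT=68 LEN=348
Jun  9 16:07:02 *** kernel: IN=eth0 OUT= MAC=*** SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=4421 PROTO=TCP SPT=44123 DPT=111
"""

SYSLOG_RE = re.compile(r"(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) kernel: (.*)")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Split an iptables LOG line into syslog prefix and packet fields.
    LEN= appears twice (IP total length, then UDP/TCP length); the second
    occurrence is stored as L4LEN so neither value is lost."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    timestamp, host, rest = m.groups()
    fields = {"TIME": timestamp, "HOST": host}
    for key, val in KV_RE.findall(rest):
        if key == "LEN" and "LEN" in fields:
            key = "L4LEN"
        fields[key] = val
    return fields


def classify(fields):
    """DHCP server replies are UDP from port 67 to port 68; a client that has no
    address yet can only be reached via the limited broadcast 255.255.255.255,
    so that combination is the expected shape of a DHCPOFFER/DHCPACK, not an
    attack signature. Anything else is reported as unsolicited."""
    if (fields.get("PROTO") == "UDP" and fields.get("SPT") == "67"
            and fields.get("DPT") == "68" and fields.get("DST") == "255.255.255.255"):
        src = ipaddress.ip_address(fields["SRC"])
        scope = "private" if src.is_private else "public"
        return "dhcp-server-reply", f"DHCP server broadcast from {scope} address {src}"
    return "unsolicited", (f"{fields.get('PROTO')} {fields.get('SRC')}:{fields.get('SPT')}"
                           f" -> {fields.get('DST')}:{fields.get('DPT')}")


def triage(log_text):
    """Count log lines per class; the caller decides what deserves attention."""
    counts = {}
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if fields is None:
            continue
        kind, _ = classify(fields)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def suppress_rule(fields):
    """An iptables rule, inserted ahead of the LOG rule in INPUT, that accepts
    DHCP server replies on the logging interface so they stop being logged
    (the approach Phillip describes; the rule text is this example's own)."""
    return (f"iptables -I INPUT -i {fields['IN']} -p udp --sport 67 --dport 68 "
            f"-j ACCEPT")


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
    first = parse_log_line(SAMPLE_LOG.splitlines()[0])
    print(classify(first)[1])
    print(suppress_rule(first))
```

Feeding the real kernel log through triage() separates the DHCP renewals, which arrive at the lease interval and always from the same server address, from anything that actually deserves a look; the "private" tag in the reason string is what makes the 10.x source look like the cable provider's management network that Phillip describes rather than a spoofed address.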

