Re: Follow up to: Re: [leaf-user] Does this indicate I've been hacked?
Tony wrote:
> Now, it's just me, but I write protect it after I do any and all backups,
> then leave it in. If the power fails, or I need to reboot, then I don't
> have to make a trip over and push the diskette in.

One problem with this is the diskette window will be open and it will collect dust on the upper surface. After several months of operation a reboot will grind the dust into the media and you get a boot failure.

Keep backup copies of your LEAF diskettes. Always back up changes to both diskette sets. This is good advice even when you boot from CD and save configuration data on the floppy. I've experienced the frustration of a power failure followed by LEAF not booting because of dust.

Victor McAllister
RE: Follow up to: Re: [leaf-user] Does this indicate I've been hacked?
Glad to hear it all worked out OK. I had a feeling it would.

> As final replies:
>> The disk is write protected isn't it?
> I normally just boot the disk and then eject it until it is needed again.

Now, it's just me, but I write protect it after I do any and all backups, then leave it in. If the power fails, or I need to reboot, then I don't have to make a trip over and push the diskette in.

Later
Tony
Follow up to: Re: [leaf-user] Does this indicate I've been hacked?
I cast out an awfully short-sighted 'Does this indicate I've been hacked' message a while back. Thanks everyone for the quick responses and now I hope to share what I've found. Tony and Lynn were first on the scene and pointed out likely forms of response I'd want to take. Lynn in response to Tony also brought to light the fact that I had sadly left out many details that could help the mailing list readers to assist me. I humbly beg forgiveness for any ensuing misspelling or omissions as I complete the story.

So. I have been successfully running a Dachstein LEAF FW on a 486 box with 48MB RAM and a single floppy for close to a year now. I started this process on an Eigerstein but switched to Dachstein to be on a bit newer kernel. The only functions it has been performing are as a gateway to my cable modem and passing through a VPN connection. Of course inside the FW I have a hub and two other machines on a 192.168.x.x subnet. My primary workstation requires that I use an employer provided VPN client to access the corporate network. That required a couple of holes in the FW restricted to two specific IPs and the use of ip_masq_ipsec. Other than that I have only tried to keep /etc/network.conf and /etc/ipfilter.conf as tight as possible, paying attention to all the helpful comments included in both.

Following the suggestions I used lrcfg to back up the ramdisk to a fresh floppy. I chose the backup option "E Everything INCLUDING log". I then went to an internal Linux box, copied all files and even dd'd an image to a separate directory. I did the same with the boot disk and then pulled down a fresh Dachstein_1.0.2 image and repeated. OK, now I had a complete set of directories to do compares against. I went into the base directory of each of these 'images' and created an 'opened' directory. For each *.lrp file in the copied directory I made a directory of the same name and opened the lrp into it. Using a 'find' with md5sum I created an *.lrp.md5 file. Using grep -f I resolved any files that were different or missing. Using the results of that I ran diff on files that were changed and analyzed any that were orphans or extras.

I am pretty confident that the three year record that Lynn stated is still unscathed. The only changes I could find that I could not resolve were /etc/ioctl.save in etc.lrp, a shadow- file in /etc/etc.lrp, which I might consider to be my doing. Then finally a difference between the Dachstein_1.0.2 etc.lrp /etc/issue* files and my files, where mine says "Linux Router 4.0.6 \n \l" and the Dach files say "Linux Router 4.0.5 \n \l", which I take to be a difference of no concern.

I did find that not everything turned out as I had hoped and that my biggest worry was unfounded. First, the "E Everything INCLUDING log" did not include either the ramlog.lrp or weblet.lrp and I'm not presently sure why. Secondly, it was in psentry.lrp in the /etc/portsentry.conf file that this line appeared:

KILL_RUN_CMD="/root/add2chain $TARGET$ $PORT$"

It was the results from that command that had me all scared. Thanks to Sandro for pointing me towards what to look for. As usual that was my glowing idea of a way to keep a list of people I needed to watch out for. Once upon a time, before some reboot and of course before any backup, I can kind of recall a script by that name made by me. Of course that was a long long internet time ago in a place far far away.

This whole process got kicked off as I was getting an instance of Oracle running on an internal machine and I was afraid of what that might open up. That caused me to pay some closer attention to log files and I knee-jerked when I saw the /root/add2chain. I most certainly feel like Chicken Little right now. My gut continues to motivate me to react on the side of too scared rather than too smug. Your patience and tolerance is greatly appreciated.

As final replies:

> The disk is write protected isn't it?

I normally just boot the disk and then eject it until it is needed again. Probably how I lost my add2chain script. Go figure.

Again much thanks for everyone's time and I hope I was some help to someone. Or at least an example of what not to do, your call.

As Always...
Dennis S
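The package comparison Dennis describes (a find + md5sum manifest per extracted tree, then grep -f to find changed and missing files), written out as an added example that is not from the thread and generalised to any two extracted package trees. It assumes md5sum and mktemp are available and that paths contain no whitespace; the sample trees it builds are constructed stand-ins for a pristine Dachstein etc.lrp and the lrcfg backup, not real package contents.

```shell
#!/bin/sh
# Added example, not from the thread: compare an extracted backup package tree
# against a pristine one. Assumes md5sum, mktemp and paths without spaces.

# manifest DIR: one "md5  ./relative/path" line per regular file, sorted by path
manifest() {
    ( cd "$1" && find . -type f | sort | while read -r f; do md5sum "$f"; done )
}

# compare_trees PRISTINE SUSPECT: prints one line per difference
#   CHANGED path  file is in both trees but its hash differs (candidate for diff)
#   MISSING path  file is only in the pristine tree
#   EXTRA path    file is only in the suspect tree (e.g. a stray /root script)
compare_trees() {
    tmp=$(mktemp -d)
    manifest "$1" > "$tmp/pristine.md5"
    manifest "$2" > "$tmp/suspect.md5"
    awk '{print $2}' "$tmp/pristine.md5" > "$tmp/pristine.paths"
    awk '{print $2}' "$tmp/suspect.md5"  > "$tmp/suspect.paths"
    # grep -f as in the post: pristine manifest lines with no exact twin in the
    # suspect manifest are either changed (path still present) or missing
    grep -vxF -f "$tmp/suspect.md5" "$tmp/pristine.md5" | awk '{print $2}' |
    while read -r p; do
        if grep -qxF "$p" "$tmp/suspect.paths"; then
            echo "CHANGED $p"
        else
            echo "MISSING $p"
        fi
    done
    # paths that only the suspect tree has
    grep -vxF -f "$tmp/pristine.paths" "$tmp/suspect.paths" | sed 's/^/EXTRA /'
    rm -rf "$tmp"
}

# make_sample_trees DIR: constructed sample trees (not real package contents)
# mirroring the differences Dennis reports: /etc/issue version string changed,
# /etc/ioctl.save only in one tree, and a script only in the backup's /root.
make_sample_trees() {
    mkdir -p "$1/pristine/etc" "$1/suspect/etc" "$1/suspect/root"
    printf 'Linux Router 4.0.5 \\n \\l\n' > "$1/pristine/etc/issue"
    printf 'Linux Router 4.0.6 \\n \\l\n' > "$1/suspect/etc/issue"
    printf 'unchanged\n' > "$1/pristine/etc/hosts"
    printf 'unchanged\n' > "$1/suspect/etc/hosts"
    printf 'only in the pristine image\n' > "$1/pristine/etc/ioctl.save"
    printf '#!/bin/sh\n# constructed stand-in script\n' > "$1/suspect/root/add2chain"
}

# Stand-alone demo: build the constructed trees, compare them, clean up.
demo=$(mktemp -d)
make_sample_trees "$demo"
compare_trees "$demo/pristine" "$demo/suspect"
rm -rf "$demo"
```

Run it against two 'opened' directories (pristine image vs backup) and feed the CHANGED lines to diff; an empty report means the two trees are byte-identical.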
Re: [leaf-user] Does this indicate I've been hacked?
On Thursday 09 January 2003 12:30 am, Tony wrote:
> Hi Lynn,
>
> When you say you, you mean the original poster...right? I was responding
> to him.

Yep, however Sandro uses Portsentry and indicates that this is normal operation of PortSentry, so it is not a hack, but rather someone likely trying to hack a system and being blocked.

> Anyway, I think your approach would be a better one, backup the whole disk
> to a blank diskette, reboot the original disk and then you have a snapshot
> and can compare while returning to a safe condition. That was my first
> thought was to get back to safe ASAP and save the logs for ip addys and
> such. I like your approach better. Just as quick, and more complete.

Yep, intrusion detection normally can't be done on the compromised box since the utilities that you use to detect it are replaced with ones that won't give it away. A popular way of hiding stuff is use of a "." directory so that it is hard to find even with a non-compromised box. A better idea is to send logs to a remote printer, but this is overkill for most people.

--
~Lynn Avants
Linux Embedded Appliance Firewall developer
http://leaf.sourceforge.net
RE: [leaf-user] Does this indicate I've been hacked?
Hi Brad,

I know, hence my last sentence :-)

Later,
Tony

On Wed, 08 Jan 2003 08:42:33 EST Tony wrote:
> Well, my thought is...why not just reboot to be sure. I mean, your LEAF box
> is running out of RAM disk right? The disk is write protected isn't it?
> Now, that doesn't mean that it can't happen again, so I would continue to
> investigate but I would copy all relevant log files to a disk and reboot.

The problem with that approach is that it a) erases the logs of the incident (unless you save offline copies first) and b) prevents all further forensic analysis. Granted, in some situations those aren't concerns of the firewall administrator.

--Brad
RE: [leaf-user] Does this indicate I've been hacked?
Hi Lynn,

When you say you, you mean the original poster...right? I was responding to him.

Anyway, I think your approach would be a better one, backup the whole disk to a blank diskette, reboot the original disk and then you have a snapshot and can compare while returning to a safe condition. That was my first thought was to get back to safe ASAP and save the logs for ip addys and such. I like your approach better. Just as quick, and more complete.

Later
Tony

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Lynn Avants
Sent: Wednesday, January 08, 2003 10:26 AM
To: leaf-user
Subject: Re: [leaf-user] Does this indicate I've been hacked?

On Wednesday 08 January 2003 07:42 am, Tony wrote:
> Well, my thought is...why not just reboot to be sure. I mean, your LEAF
> box is running out of RAM disk right?

All LEAF variants do, you haven't stated what you are specifically using.

> The disk is write protected isn't it?

Only you can answer that, personally I generally use CDs or CF cards.

> Now, that doesn't mean that it can't happen again, so I would continue
> to investigate but I would copy all relevant log files to a disk and
> reboot.

The log files won't generally indicate anything that was _successful_. I would back _everything_ up on another disk and check the packages from another box...definitely root.lrp. I haven't heard of a LEAF firewall that has been compromised in over 3 years now, but you haven't given any ideas of what you've actually set up other than it is LEAF. You may be running telnet to the internet for all I know at this point. I wouldn't expect much more help unless you can give us a lot more specific information than what you have. I would tend to think that you possibly have a compromised box on your LAN or someone is attempting to attack your firewall, but I don't know anything about your system.

--
~Lynn Avants
Linux Embedded Appliance Firewall developer
http://leaf.sourceforge.net
RE: [leaf-user] Does this indicate I've been hacked?
> Saw the following in my syslog
>
> Jan 3 15:17:12 ardentpursuit portsentry[1120]: attackalert: External
> command run for host: 218.156.227.172 using command: "/root/add2chain
> 218.156.227.172 12345"
>
> Did that command actually run, or did portsentry prevent it from running?

No, you weren't hacked. This is the normal output of Portsentry when it detects a portscan. You don't have to worry about that!

BUT you have to worry about your Portsentry configuration. The "command run for host" is defined in /etc/portsentry.conf with the "KILL_ROUTE" statement. On my Dachstein box, it looks as follows:

KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"

I don't know if you're using Portsentry 2.0 and probably 2.0 has an "add2chain" script but usually, you use the normal ipchains command to add a "bad" host to the blacklist.

If there isn't a file "add2chain" in /root then Portsentry does nothing because the command it executes to block a host is not valid/there. If there IS such a file, I'd check what it does (perhaps it just contains the same line as I have (/sbin/ipchains ...)).

Hope this helps

--
Sandro
Re: [leaf-user] Does this indicate I've been hacked?
Judging by the name, "add2chain" should be a script which would add the IP of the person who is doing a portscan against you into the firewall. It doesn't look like a hack to me.

Lynn Avants wrote:
> On Tuesday 07 January 2003 01:08 pm, Dennis Stephens wrote:
>> Saw the following in my syslog
>>
>> Jan 3 15:17:12 ardentpursuit portsentry[1120]: attackalert: External
>> command run for host: 218.156.227.172 using command: "/root/add2chain
>> 218.156.227.172 12345"
>>
>> Did that command actually run, or did portsentry prevent it from running?
>
> Well, a Google search didn't come up with anything but Win32 exploits and
> there are (normally) no services running/listening to port 12345 on a LEAF
> box. The ip MX is owned by Korea Telecom. I don't run portsentry, so I'm not
> familiar with the output from it. I would definitely take a look in your
> /root directory, but I would doubt you're hacked...depending on what LEAF
> system and add-on packages you're using/config. In any case, I would do a
> thorough look at the box to make sure, unless somebody has any better
> insight into this.

--
Best Regards,
Vladimir
Systems Engineer (RHCE)
Re: [leaf-user] Does this indicate I've been hacked?
Dennis and Tony,

On Tuesday 07 January 2003 01:08 pm, Dennis Stephens wrote:
> Saw the following in my syslog
>
> Jan 3 15:17:12 ardentpursuit portsentry[1120]: attackalert: External
> command run for host: 218.156.227.172 using command: "/root/add2chain
> 218.156.227.172 12345"
>
> Did that command actually run, or did portsentry prevent it from running?

It has been ages since I have used portsentry, but it looks more like portsentry was running (or attempting to run) the /root/add2chain command, presumably to block connections from 218.156.227.172 on port 12345. That's speculation without knowing your portsentry configuration, so if you really want to know you should do more investigation of the portsentry setup or post it to the list for help. More below...

On Wed, 08 Jan 2003 08:42:33 EST Tony wrote:
> Well, my thought is...why not just reboot to be sure. I mean, your LEAF box
> is running out of RAM disk right? The disk is write protected isn't it?
> Now, that doesn't mean that it can't happen again, so I would continue to
> investigate but I would copy all relevant log files to a disk and reboot.

The problem with that approach is that it a) erases the logs of the incident (unless you save offline copies first) and b) prevents all further forensic analysis. Granted, in some situations those aren't concerns of the firewall administrator.

--Brad
Re: [leaf-user] Does this indicate I've been hacked?
On Wednesday 08 January 2003 07:42 am, Tony wrote:
> Well, my thought is...why not just reboot to be sure. I mean, your LEAF
> box is running out of RAM disk right?

All LEAF variants do, you haven't stated what you are specifically using.

> The disk is write protected isn't it?

Only you can answer that, personally I generally use CDs or CF cards.

> Now, that doesn't mean that it can't happen again, so I would continue
> to investigate but I would copy all relevant log files to a disk and
> reboot.

The log files won't generally indicate anything that was _successful_. I would back _everything_ up on another disk and check the packages from another box...definitely root.lrp. I haven't heard of a LEAF firewall that has been compromised in over 3 years now, but you haven't given any ideas of what you've actually set up other than it is LEAF. You may be running telnet to the internet for all I know at this point. I wouldn't expect much more help unless you can give us a lot more specific information than what you have. I would tend to think that you possibly have a compromised box on your LAN or someone is attempting to attack your firewall, but I don't know anything about your system.

--
~Lynn Avants
Linux Embedded Appliance Firewall developer
http://leaf.sourceforge.net
RE: [leaf-user] Does this indicate I've been hacked?
Well, my thought is...why not just reboot to be sure. I mean, your LEAF box is running out of RAM disk right? The disk is write protected isn't it? Now, that doesn't mean that it can't happen again, so I would continue to investigate but I would copy all relevant log files to a disk and reboot.

Later
Tony

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Lynn Avants
Sent: Tuesday, January 07, 2003 11:46 PM
To: leaf-user
Subject: Re: [leaf-user] Does this indicate I've been hacked?

On Tuesday 07 January 2003 01:08 pm, Dennis Stephens wrote:
> Saw the following in my syslog
>
> Jan 3 15:17:12 ardentpursuit portsentry[1120]: attackalert: External
> command run for host: 218.156.227.172 using command: "/root/add2chain
> 218.156.227.172 12345"
>
> Did that command actually run, or did portsentry prevent it from running?

Well, a Google search didn't come up with anything but Win32 exploits and there are (normally) no services running/listening to port 12345 on a LEAF box. The ip MX is owned by Korea Telecom. I don't run portsentry, so I'm not familiar with the output from it. I would definitely take a look in your /root directory, but I would doubt you're hacked...depending on what LEAF system and add-on packages you're using/config. In any case, I would do a thorough look at the box to make sure, unless somebody has any better insight into this.

--
~Lynn Avants
Linux Embedded Appliance Firewall developer
http://leaf.sourceforge.net
Re: [leaf-user] Does this indicate I've been hacked?
On Tuesday 07 January 2003 01:08 pm, Dennis Stephens wrote:
> Saw the following in my syslog
>
> Jan 3 15:17:12 ardentpursuit portsentry[1120]: attackalert: External
> command run for host: 218.156.227.172 using command: "/root/add2chain
> 218.156.227.172 12345"
>
> Did that command actually run, or did portsentry prevent it from running?

Well, a Google search didn't come up with anything but Win32 exploits and there are (normally) no services running/listening to port 12345 on a LEAF box. The ip MX is owned by Korea Telecom. I don't run portsentry, so I'm not familiar with the output from it. I would definitely take a look in your /root directory, but I would doubt you're hacked...depending on what LEAF system and add-on packages you're using/config. In any case, I would do a thorough look at the box to make sure, unless somebody has any better insight into this.

--
~Lynn Avants
Linux Embedded Appliance Firewall developer
http://leaf.sourceforge.net