[TriLUG] /etc/sysconfig/iptables suddenly gone missing?

Brian Henning bhenning at pineinst.com
Fri Sep 10 11:57:08 EDT 2010


Hi,

I just made a VERY disturbing discovery; I tried posting to Slashdot only to
find their system reporting me having an open proxy.  Proxy, yeah, I'm
running SQUID, but open?...iptables -L...HOLY SMOKES, my firewall is GONE!

So...  As the subject says, I have discovered that my
/etc/sysconfig/iptables file is just gone.  GONE!  And sadly I don't have a
recent backup (I do have an old one, so I'm not starting from scratch, but
I'm gonna have to reconfigure some things...).

Anyway, so I've got it back to a fairly secure state, but I am concerned
that perhaps this is evidence of some sort of successful hack attempt?  I'm
afraid I don't know when the file vanished..  Everything else[1] about my
system seems in order..  Does this sound like something anyone has seen
before?

Could an unsafe shutdown (my power is a little glitchy, and until recently I
had a bad UPS battery) have toasted this one select file?  Seems awfully
unlikely...

I also let yum add and update a bunch of stuff recently, to install kdevelop
(on this system which previously didn't even have X installed)...  Could a
package update / installation have zapped /etc/sysconfig/iptables?

I guess what I'm really looking for is opinions on whether I need to apply
the "better safe than sorry" principle and reformat the thing.  It's not an
exciting prospect.

Oh, and this is my home firewall, so the welfare of some company's network
is not at stake.

Thanks for the input,
~Brian

[1] ...that I've checked so far.  /etc/hosts.allow, /etc/hosts.deny, apache
and postfix/procmail configs...  Last time I discovered I'd been rooted
(several years ago), there were other bits of evidence, like ps had been
replaced with a dummy version that only printed out a few lines.  Iptraf and
netstat aren't showing any unexpected connections from the outside world
(though of course any of these things could be compromised or telling an
incomplete story)...

------------------------------------------------------ 
          Brian Henning, Software Engineer

    /\    Pine Research Instrumentation 
   //\\   5908 Triangle Drive 
  ///\\\  Raleigh, NC 27617 
 ////\\\\ USA 
    || 
    ||    phone: 919.782.8320 
          fax:   919.782.8323 
          email: bhenning at pineinst.com 
------------------------------------------------------ 





