[TriLUG] /etc/sysconfig/iptables suddenly gone missing?

David M. turnpike420 at gmail.com
Fri Sep 10 12:22:05 EDT 2010


You may want to consider implementing Tripwire which might alert you of such
changes/disappearances.
http://sourceforge.net/projects/tripwire/



On Fri, Sep 10, 2010 at 11:57 AM, Brian Henning <bhenning at pineinst.com> wrote:

> Hi,
>
> I just made a VERY disturbing discovery; I tried posting to Slashdot only
> to
> find their system reporting me having an open proxy.  Proxy, yeah, I'm
> running SQUID, but open?...iptables -L...HOLY SMOKES, my firewall is GONE!
>
> So...  As the subject says, I have discovered that my
> /etc/sysconfig/iptables file is just gone.  GONE!  And sadly I don't have a
> recent backup (I do have an old one, so I'm not starting from scratch, but
> I'm gonna have to reconfigure some things...).
>
> Anyway, so I've got it back to a fairly secure state, but I am concerned
> that perhaps this is evidence of some sort of successful hack attempt?  I'm
> afraid I don't know when the file vanished..  Everything else[1] about my
> system seems in order..  Does this sound like something anyone has seen
> before?
>
> Could an unsafe shutdown (my power is a little glitchy, and until recently
> I
> had a bad UPS battery) have toasted this one select file?  Seems awfully
> unlikely...
>
> I also let yum add and update a bunch of stuff recently, to install
> kdevelop
> (on this system which previously didn't even have X installed)...  Could a
> package update / installation have zapped /etc/sysconfig/iptables?
>
> I guess what I'm really looking for is opinions on whether I need to apply
> the "better safe than sorry" principle and reformat the thing.  It's not an
> exciting prospect.
>
> Oh, and this is my home firewall, so the welfare of some company's network
> is not at stake.
>
> Thanks for the input,
> ~Brian
>
> [1] ...that I've checked so far.  /etc/hosts.allow, /etc/hosts.deny, apache
> and postfix/procmail configs...  Last time I discovered I'd been rooted
> (several years ago), there were other bits of evidence, like ps had been
> replaced with a dummy version that only printed out a few lines.  Iptraf
> and
> netstat aren't showing any unexpected connections from the outside world
> (though of course any of these things could be compromised or telling an
> incomplete story)...
>
> ------------------------------------------------------
>          Brian Henning, Software Engineer
>
>    /\    Pine Research Instrumentation
>   //\\   5908 Triangle Drive
>  ///\\\  Raleigh, NC 27617
>  ////\\\\ USA
>    ||
>    ||    phone: 919.782.8320
>          fax:   919.782.8323
>          email: bhenning at pineinst.com
> ------------------------------------------------------
>
>
>



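A minimal, added illustration of the file-integrity-monitoring idea suggested above (example code, not Tripwire's own and not from the thread): hash a baseline of watched config files, then report any that have gone missing, changed, or appeared. The watched paths, the temp-dir scenario and the sample contents are constructed assumptions.

```python
"""Tripwire-style integrity check: snapshot config files, then report files
that went missing, changed, or appeared since the baseline (added example)."""
import hashlib
import os
import tempfile

# Files a home firewall admin would typically want watched (assumed list).
WATCHED = ["/etc/sysconfig/iptables", "/etc/hosts.allow", "/etc/hosts.deny"]


def snapshot(paths):
    """Map each path to its SHA-256 hex digest, or None if the file is absent.
    Recording absence explicitly is what lets a later run flag disappearance."""
    snap = {}
    for p in paths:
        try:
            with open(p, "rb") as f:
                snap[p] = hashlib.sha256(f.read()).hexdigest()
        except FileNotFoundError:
            snap[p] = None
    return snap


def compare(baseline, current):
    """Return sorted (path, finding) pairs for every deviation from baseline."""
    findings = []
    for p in sorted(set(baseline) | set(current)):
        before, after = baseline.get(p), current.get(p)
        if before == after:
            continue
        if after is None:
            findings.append((p, "missing"))    # the vanished-rules-file case
        elif before is None:
            findings.append((p, "appeared"))
        else:
            findings.append((p, "modified"))
    return findings


def demo():
    """Constructed scenario in a temp dir: baseline three files, then delete
    one and edit another, the situation an integrity monitor should catch."""
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, os.path.basename(p)) for p in WATCHED]
        for p in paths:
            with open(p, "w") as f:
                f.write("# sample config for " + os.path.basename(p) + "\n")
        baseline = snapshot(paths)
        os.remove(paths[0])                    # iptables rules file vanishes
        with open(paths[1], "a") as f:
            f.write("# edited after baseline\n")   # hosts.allow changed
        return [(os.path.basename(p), kind)
                for p, kind in compare(baseline, snapshot(paths))]


if __name__ == "__main__":
    for name, kind in demo():
        print(kind, name)
```

In real use, store the output of `snapshot(WATCHED)` somewhere the watched host cannot quietly alter (read-only media or another machine) and run `compare` against it on a schedule.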