[TriLUG] /etc/sysconfig/iptables suddenly gone missing?

Matt Flyer matt at noway2.thruhere.net
Fri Sep 10 12:34:05 EDT 2010


Also, keep in mind that in Linux ports are not open unless an
application opens them.  Having a firewall in place is a good line of
defense, but the lack of it won't in and of itself cause a serious
compromise. 

On Fri, 2010-09-10 at 11:57 -0400, Brian Henning wrote:

> Hi,
> 
> I just made a VERY disturbing discovery; I tried posting to Slashdot only to
> find their system reporting me having an open proxy.  Proxy, yeah, I'm
> running SQUID, but open?...iptables -L...HOLY SMOKES, my firewall is GONE!
> 
> So...  As the subject says, I have discovered that my
> /etc/sysconfig/iptables file is just gone.  GONE!  And sadly I don't have a
> recent backup (I do have an old one, so I'm not starting from scratch, but
> I'm gonna have to reconfigure some things...).
> 
> Anyway, so I've got it back to a fairly secure state, but I am concerned
> that perhaps this is evidence of some sort of successful hack attempt?  I'm
> afraid I don't know when the file vanished..  Everything else[1] about my
> system seems in order..  Does this sound like something anyone has seen
> before?
> 
> Could an unsafe shutdown (my power is a little glitchy, and until recently I
> had a bad UPS battery) have toasted this one select file?  Seems awfully
> unlikely...
> 
> I also let yum add and update a bunch of stuff recently, to install kdevelop
> (on this system which previously didn't even have X installed)...  Could a
> package update / installation have zapped /etc/sysconfig/iptables?
> 
> I guess what I'm really looking for is opinions on whether I need to apply
> the "better safe than sorry" principle and reformat the thing.  It's not an
> exciting prospect.
> 
> Oh, and this is my home firewall, so the welfare of some company's network
> is not at stake.
> 
> Thanks for the input,
> ~Brian
> 
> [1] ...that I've checked so far.  /etc/hosts.allow, /etc/hosts.deny, apache
> and postfix/procmail configs...  Last time I discovered I'd been rooted
> (several years ago), there were other bits of evidence, like ps had been
> replaced with a dummy version that only printed out a few lines.  Iptraf and
> netstat aren't showing any unexpected connections from the outside world
> (though of course any of these things could be compromised or telling an
> incomplete story)...
> 
> ------------------------------------------------------ 
>           Brian Henning, Software Engineer
> 
>     /\    Pine Research Instrumentation 
>    //\\   5908 Triangle Drive 
>   ///\\\  Raleigh, NC 27617 
>  ////\\\\ USA 
>     || 
>     ||    phone: 919.782.8320 
>           fax:   919.782.8323 
>           email: bhenning at pineinst.com 
> ------------------------------------------------------ 
> 
> 
> 
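The reply's point that a port is only exposed when some daemon listens on it, together with the poster's discovery that `iptables -L` showed no rules, suggests a quick defender's check: compare what is listening with what the INPUT chain allows. The following is an added example, not code from the thread; it parses constructed `iptables-save` and `ss -ltn` output (the sample rule sets, the LAN range 192.168.1.0/24 and the port numbers are assumptions) and reports which non-loopback listeners are reachable from anywhere, so the squid port shows up exactly when the rule set is missing or too permissive.

```python
# Constructed `iptables-save` output (filter table, INPUT chain only) for a
# host whose /etc/sysconfig/iptables is gone: policy ACCEPT and no rules.
IPTABLES_SAVE_MISSING = """\
*filter
:INPUT ACCEPT [0:0]
COMMIT
"""
# Constructed healthy config: drop by default, ssh from anywhere, squid LAN-only.
IPTABLES_SAVE_OK = """\
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp --dport 3128 -j ACCEPT
COMMIT
"""
# Constructed `ss -ltn` output: sshd and squid on all interfaces, MTA on loopback.
SS_LTN = """\
State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN  0      128    0.0.0.0:22          0.0.0.0:*
LISTEN  0      128    0.0.0.0:3128        0.0.0.0:*
LISTEN  0      100    127.0.0.1:25        0.0.0.0:*
"""

def listening_ports(ss_output):
    """Return {(addr, port)} for every LISTEN row of `ss -ltn`."""
    ports = set()
    for fields in (line.split() for line in ss_output.splitlines()):
        if len(fields) >= 4 and fields[0] == "LISTEN":
            addr, _, port = fields[3].rpartition(":")
            ports.add((addr, int(port)))
    return ports

def input_chain(save_output):
    """Return (policy, rules) of the filter table's INPUT chain."""
    lines = save_output.splitlines()
    policy = next((l.split()[1] for l in lines if l.startswith(":INPUT ")), "ACCEPT")
    return policy, [l for l in lines if l.startswith("-A INPUT ")]

def world_reachable_ports(save_output, ss_output):
    """Heuristic: a non-loopback listener is reachable from anywhere if the INPUT
    policy is ACCEPT and no rule names its port, or if a rule ACCEPTs it with no -s."""
    policy, rules = input_chain(save_output)
    reachable = set()
    for addr, port in listening_ports(ss_output):
        if addr.startswith("127.") or addr in ("[::1]", "::1"):
            continue  # local-only sockets: the firewall is not what hides them
        hits = [r for r in rules if "--dport %d " % port in r + " "]
        if (policy == "ACCEPT" and not hits) or any(
                "-j ACCEPT" in r and " -s " not in r for r in hits):
            reachable.add(port)
    return reachable
```

Run against live output by feeding it the text of `iptables-save` and `ss -ltn`; the heuristic ignores multiport matches, interface restrictions and rule ordering, so treat a hit as a prompt to read the chain, not as a verdict.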

