[TriLUG] /etc/sysconfig/iptables suddenly gone missing?

Matt Flyer matt at noway2.thruhere.net
Fri Sep 10 12:43:20 EDT 2010


I would recommend the following actions: (Note: this is a resend of an
earlier post that got tagged for being too long with the original
message included)

1 - Using iptables, put a firewall in place to isolate the machine
while you investigate.  You should probably keep an SSH port open for
your own usage and use key based access only.  In case you were
compromised, this should cut things off without destroying evidence to
investigate.

2 - Look at the outputs of the following: lsof -Pwn, netstat -pane and
ps -axfwwwe.  See if there are any suspicious entries as far as open
files, attempted or active connections, or processes running.  Also look
very closely at the user logs and note if your passwd file has been
changed.

3 - The CERT checklist is pretty good for things to check:
http://web.archive.org/web/20080109214340/http://www.cert.org/tech_tips/intruder_detection_checklist.html

A lot of the above comes from Linuxquestions.org and between those guys
and this list you should be able to get a thorough analysis of the
output of these files as far as whether or not anything is suspicious.

You will want to examine all of the logs carefully; consider checking
them with logwatch.  You will want to check which files have the setuid
bits set for root.  Also change all of your passwords.  Run a verify
against the package repositories of your key applications like ssh,
apache, etc. to see if any of them have been modified.  Run rootkit
checks.

If all seems well, then I would say put the system back online since
you don't really have evidence of a compromise.  You would probably want
to watch things closely and possibly install Snort or another tool that
will look for suspicious behavior.


On Fri, 2010-09-10 at 12:37 -0400, John Broome wrote:

> On Fri, Sep 10, 2010 at 12:34, Matt Flyer <matt at noway2.thruhere.net> wrote:
> > Also, keep in mind that in Linux ports are not open unless an
> > application opens them.  Having a firewall in place is a good line of
> > defense, but the lack of it won't in and of itself cause a serious
> > compromise.
> 
> 
> Yes, he had squid running, but the FW was blocking outside access to
> it.  FW gone, squid open to outside world.
> 
> This wasn't a mystery port that suddenly appeared.
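A worked version of the netstat part of step 2 above, and of the squid point in the quoted exchange: with the firewall rules gone, every listening socket bound to a non-loopback address is reachable from outside, so the triage question is "what is listening, on which address, owned by whom". This is an added example, not code from the original post; the netstat output it parses is constructed and the column layout assumed is that of Linux net-tools `netstat -pane` (UDP rows carry no State column).

```python
"""Triage helper for the 'netstat -pane' step: list sockets that would be
reachable from outside once the iptables rules are gone, plus live sessions."""
from typing import Dict, List

# Constructed sample of 'netstat -pane' output (not captured from a real host).
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN      23         12345      2345/squid
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      0          9876       1234/master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          8765       1111/sshd
tcp        0      0 192.168.1.10:22         203.0.113.5:51234       ESTABLISHED 0          22222      3333/sshd: root
tcp6       0      0 :::80                   :::*                    LISTEN      0          5555       2222/apache2
udp        0      0 0.0.0.0:68              0.0.0.0:*                           0          7777       999/dhclient
Active UNIX domain sockets (servers and established)
unix  2      [ ACC ]     STREAM     LISTENING     1234   1/init  @/run/foo
"""

LOOPBACK = ("127.", "::1")

def parse_netstat(text: str) -> List[Dict[str, str]]:
    """Parse the Internet-socket section of 'netstat -pane'. UDP rows have no
    State column, so a numeric field at position 5 means 'state is empty'."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("tcp", "tcp6", "udp", "udp6"):
            if f and f[0] == "Active" and "UNIX" in line:
                break              # stop before the UNIX-domain socket section
            continue
        host, _, port = f[3].rpartition(":")   # works for v4 and for ':::80'
        state = "" if f[5].isdigit() else f[5]
        tail = f[6:] if state else f[5:]       # tail = User, Inode, PID/Program...
        rows.append({"proto": f[0], "host": host, "port": port, "foreign": f[4],
                     "state": state, "user": tail[0], "program": " ".join(tail[2:])})
    return rows

def externally_reachable(text: str) -> List[str]:
    """Listening sockets bound to anything but loopback: without a firewall
    these are exactly the services the outside world can reach."""
    out = []
    for r in parse_netstat(text):
        listening = r["state"] == "LISTEN" or r["proto"].startswith("udp")
        if listening and not r["host"].startswith(LOOPBACK):
            out.append(f'{r["proto"]}/{r["port"]} {r["program"]} (uid {r["user"]})')
    return out

def active_connections(text: str) -> List[str]:
    """Established sessions and their peers, for the 'active connections' check."""
    return [f'{r["program"]} <-> {r["foreign"]}' for r in parse_netstat(text)
            if r["state"] == "ESTABLISHED"]

if __name__ == "__main__":
    print("\n".join(externally_reachable(SAMPLE)))
    print("\n".join(active_connections(SAMPLE)))
```

On the sample, squid on 3128 shows up as reachable while the MTA bound to 127.0.0.1 does not, which is the distinction the quoted exchange is about.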



