hello,

I have a FreeBSD 4.8-PRERELEASE #0 that I use as a gateway / nat box for my home. It also acts as a dns / mail server to the outside world. I'm using ipf and basically filter for bogus networks on the way in and out. I allow everything out keeping state, and allow this in:

    pass in proto icmp from any to any icmp-type squench group 200
    pass in proto icmp from any to any icmp-type timex group 200
    pass in proto icmp from any to any icmp-type paramprob group 200
    pass in quick proto tcp from any port > 1023 to any port = smtp group 200
    pass in quick proto udp from any port > 1023 to any port = domain group 200

On these ports I run qmail and tinydns. I was a bit sloppy by leaving these without a password, figuring they can't login anyway:

    gtinydns::nnnn:nnnn::0:0:tinydns:/nonexistent:/sbin/nologin
    gdnslog::nnnn:nnnn::0:0:dns logger:/nonexistent:/sbin/nologin
    gaxfrdns::nnnn:nnnn::0:0:zone transfer:/nonexistent:/sbin/nologin

I've changed this now, though I'm still not sure about the implications of this. Also I'm not running tripwire or any other intrusion detection.

Here's my problem. When I got up this morning, I noticed that the box rebooted at 0:32 this morning. I have 3 other computers that did not reboot, leading me to believe there was no power failure. I looked through all the logs seeking clues as to what happened. Hardware failure? It is an old P-75 and the hard drive has had issues in UDMA-2 but has been doing fine for months in PIO4 mode. I also have a cron job at 0:30 to move the apache logs to a tmp file, restart apache, sleep 5 minutes and then move the tmp file somewhere where newsyslog can catch it. According to the logs, apache restarted fine but the tmp files never made it anywhere. Again nothing useful in them either.

So if this was a hardware failure (hard drive), then any kernel panic statements probably would not make it to the hard drive. So it would be hard to tell. My question is, what if I got hacked? Would there be any way to find out despite me being totally unprepared for this?

That question really messes with my head. Any pointer and/or clue stick treatments would be greatly appreciated.

thanx

mario;>
---------------------
Do you schmut!? http://www.schmut.com
For a real web site try: House Of Sites http://www.HouseOfSites.net
Email: mario@HouseOfSites.net
oh, the mod time on the kernel:

    ls -lT
    -r-xr-xr-x  1 root  wheel  4379563 Mar 27 13:37:08 2003 kernel

....
> So if this was a hardware failure (hard drive), then any kernel panic
> statements probably would not make it to the hard drive. So it would be
> hard to tell. My question is, what if I got hacked? Would there be
> any way to find out despite me being totally unprepared for this?
>....

mario;>
---------------------
Do you schmut!? http://www.schmut.com
For a real web site try: House Of Sites http://www.HouseOfSites.net
Email: mario@HouseOfSites.net
Tel: 415-242-3376
On Fri, 2 May 2003, mario wrote:
> So if this was a hardware failure (hard drive), then any kernel panic
> statements probably would not make it to the hard drive. So it would be
> hard to tell. My question is, what if I got hacked? Would there be any way
> to find out despite me being totally unprepared for this?
>
> That question really messes with my head.
> Any pointer and/or clue stick treatments would be greatly appreciated.

Make sure there's enough space on the temp file location for the apache log files. I've had other OS machines crash when you fill up the root/tmp filesystems.

--
Matt Piechota
Hi Mario,

well, any strange activity in the system should be taken into consideration, so I really think you should audit your system. You said the reboot occurred at 0:32am; it's a good idea to search for files modified around that time. You could use the binary of some trustable system just in case /usr/bin/find got trojaned. You said you did not find anything in the logs; they could have been erased. Use chkrootkit to verify if there are wtmp/lastlog entries that may have been erased. Chkrootkit is a pretty nice utility and will be able to tell you if there are hidden processes running on the system (comparing output from ps with /proc entries) and search for well-known rootkits. The tool is not perfect but helps a lot, check it out: http://www.chkrootkit.org

Good luck,

--
Marcello Azambuja
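The three checks suggested in this thread (Matt's point about free space on the tmp filesystem, Marcello's search for files modified around 0:32 using a find binary from a trusted host, and the ps-versus-/proc comparison that chkrootkit performs) as a small POSIX sh script. This is an added example, not code from the thread or from chkrootkit. The TRUSTED_BIN variable, the function names and the sample timestamps are assumptions made for the example; the live process check assumes a /proc with one directory per PID.

```shell
#!/bin/sh
# Added example (not from the thread or chkrootkit): post-reboot triage helpers.
# TRUSTED_BIN (assumed name) may point at a directory of binaries copied from a
# known-good host, so that find/ps/ls on the suspect box are not relied upon.
TRUSTED_BIN="${TRUSTED_BIN:-}"

# trusted CMD ARGS...: run CMD from TRUSTED_BIN when it exists there, else from PATH.
trusted() {
    if [ -n "$TRUSTED_BIN" ] && [ -x "$TRUSTED_BIN/$1" ]; then
        cmd="$TRUSTED_BIN/$1"; shift
        "$cmd" "$@"
    else
        "$@"
    fi
}

# fs_free_kb PATH: free kilobytes on the filesystem holding PATH (Matt's check).
fs_free_kb() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# files_modified_between DIR START END: regular files under DIR whose mtime is
# after START and not after END. START/END use touch(1) -t format,
# e.g. 200305020000 for 2003-05-02 00:00. Reference files carry the two
# timestamps so that find's -newer test does the comparison (Marcello's check).
files_modified_between() {
    dir="$1"; start="$2"; end="$3"
    ref="$(mktemp -d)" || return 1
    touch -t "$start" "$ref/start" && touch -t "$end" "$ref/end" \
        || { rm -rf "$ref"; return 1; }
    trusted find "$dir" -type f -newer "$ref/start" ! -newer "$ref/end" -print | sort
    rm -rf "$ref"
}

# hidden_pids PS_PIDS PROC_PIDS: given two whitespace-separated PID lists, print
# the PIDs that /proc knows about but ps did not report. A non-empty result is
# what a ps/proc comparison flags as a possibly hidden process.
hidden_pids() {
    tmp="$(mktemp -d)" || return 1
    # $1 and $2 are intentionally unquoted so that word splitting yields one PID per line.
    printf '%s\n' $1 | sort -u > "$tmp/ps"
    printf '%s\n' $2 | sort -u > "$tmp/proc"
    comm -13 "$tmp/ps" "$tmp/proc"
    rm -rf "$tmp"
}

# live_hidden_pids: take the two snapshots from the running system and compare.
# The snapshots are not atomic, so a PID that starts or exits between the two
# reads can show up once; rerun and only treat a persistent PID as suspicious.
live_hidden_pids() {
    ps_list="$(trusted ps -A -o pid= 2>/dev/null || trusted ps -ax -o pid=)"
    proc_list="$(trusted ls /proc 2>/dev/null | grep '^[0-9][0-9]*$')"
    hidden_pids "$ps_list" "$proc_list"
}

# Typical use on the box from the thread (reboot at 0:32, cron job at 0:30):
#   fs_free_kb /tmp
#   files_modified_between / 200305020000 200305020045
#   live_hidden_pids
```

Running the file-search from a trusted find binary only helps if the kernel itself is honest; a kernel-level rootkit can lie to any userland tool, which is why the mtime on /kernel (as checked later in the thread) is worth recording alongside these results.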
I just wanted to follow up on this. Based on replies that I got, I ran a find on files modified after midnight and installed and ran chkrootkit from a clean box via NFS. I didn't find any problems, and since this is just a home network I am not going to worry about this any longer. Maybe I'll look into replacement hardware instead.

I also want to thank those who helped me on this with their replies.

thanx

mario;>
---------------------
Do you schmut!? http://www.schmut.com
For a real web site try: House Of Sites http://www.HouseOfSites.net
Email: mario@HouseOfSites.net