Mike Dwiggins <mike <at> azdwiggins.com> writes:

> On 9/25/2010 6:38 AM, JB wrote:
> > some unrelated software package malfunctions ...
> > You have to consider that you have been hacked, I guess. Normally you
> > should take your machine offline until you understand what is the damage.
>
> I am only online long enough to test the ping
>
> > Well, where do you get that info from ?
> System/Administration/Network/
> > Are you auto-configured by dhclient ?
> Not supposed to be, eth0 is set to Static IP

Not quite. But read on.

> > Controlled by NetworkManager ?
> Yes

Just apropos. Enable (check off) the "Activate device when computer starts".

> > Automatically obtain IP address settings with DHCP ?
> Again it is not set to

OK. If you select "Statically set IP addresses", then the "Automatically obtain IP address settings with DHCP" is turned off.

> > Automatically obtain DNS info from provider ?
> No

Not quite. But read on.

> > Also, check:
> > $ ps aux |grep -i dhc
> > jb 6982 0.0 0.0 4360 708 pts/3 S+ 15:21 0:00 grep -i dhc
> > root 14415 0.0 0.0 2984 676 ? S 06:13 0:00 /sbin/dhclient -d -4 -sf /usr/libexec/nm-dhcp-client.action -pf /var/run/dhclient-eth0.pid -lf /var/lib/dhclient/dhclient-5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03-eth0.lease -cf /var/run/nm-dhclient-eth0.conf eth0
> >
> > That's the response on my system.
> On mine
>
> # ps aux|grep -i dhc
> root 1047 0.0 0.1 2828 1192 ? S 08:10 0:00 /sbin/dhclient -d -4 -sf /usr/libexec/nm-dhcp-client.action -pf /var/run/dhclient-eth0.pid -lf /var/lib/dhclient/dhclient-15087fb0-92c7-40fe-ad3e-373bf0997205-eth0.lease -cf /var/run/nm-dhclient-eth0.conf eth0
> root 2349 0.0 0.0 4360 736 pts/1 S+ 08:26 0:00 grep -i dhc
> #

Here we go! The output of 'ps aux |grep -i dhc' shows that there is a dhclient running under control of NetworkManager. When it runs, it obtains all default and user-requested data from DHCP and DNS servers and modifies those pesky system files.
Important: Normally, when you configure your interface as you described (static IP, DNS), the NetworkManager is run, but without a NetworkManager-controlled dhclient. I just checked that on my other machine :-)

So, something got screwed up in the past, either during configuration thru the System/Administration/Network/ utility or the panel's NetworkManager Applet utility. FYI, I had a bad experience with the second one some months ago, submitted a report and they did these and other fixes to it.

Let's try to clean up some of this stuff.

Let's save that dhcp-lease file for interrogation later on (it probably contains lease data that relates to invalid IP addresses, etc; that's what screwed up your IP data in various system files):

# mv /var/lib/dhclient/dhclient-15087fb0-92c7-40fe-ad3e-373bf0997205-eth0.lease /var/lib/dhclient/dhclient-15087fb0-92c7-40fe-ad3e-373bf0997205-eth0.lease-crash

and create an empty file instead:

# touch /var/lib/dhclient/dhclient-15087fb0-92c7-40fe-ad3e-373bf0997205-eth0.lease

Later on, you should examine that saved file for IP addresses, etc; check them with some DNS-type queries (dig, nslookup) on the Internet; you may want to talk to your ISP about them, the time of the presumed attack (system downtime), check with your utilities provider about the time of presumed downtime in electricity supply, etc.

Let's kill that dhclient that should not run.

# killall /sbin/dhclient

Confirm that it is gone:

# ps aux|grep -i dhc

After that you should restart your desktop (GNOME, etc), but best would be to verify the entire startup sequence and reboot your machine back to the desktop. After that verify again as above that dhclient is gone and that the lease file is still empty as it should be.
> > Look at what kind of info you got last time:
> > # less /var/lib/dhclient/dhclient-5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03-eth0.lease
> >
> > Look at your own config settings:
> > # less /var/run/nm-dhclient-eth0.conf
> > That's perhaps from:
> > # ls -al /etc/dhclient-*
> > -rw-r--r--. 1 root root 40 Feb 21 2010 /etc/dhclient-eth0.conf
> > -rw-r--r--. 1 root root 40 Feb 21 2010 /etc/dhclient-wlan0.conf
>
> on mine
>
> # ls -al /etc/dhclient-*
> ls: cannot access /etc/dhclient-*: No such file or directory
> #
>
> /etc/sysconfig/network-scripts/ifcfg-eth0 is as follows
>
> # Intel Corporation 82540EM Gigabit Ethernet Controller
> DEVICE=eth0
> BOOTPROTO=none
> DNS1=68.2.16.30
> GATEWAY=x.x.x.1
> HWADDR=00:C0:9F:20:FF:BA
> IPADDR=x.x.x.12
> NETMASK=255.255.255.240
> ONBOOT=yes
> DNS2=68.1.203.30
> TYPE=Ethernet
> NM_CONTROLLED=yes
> IPV6INIT=no
> USERCTL=no
> PREFIX=28
> DEFROUTE=yes
> IPV4_FAILURE_FATAL=yes
> NAME="System eth0"
> UUID=5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03
>
> At this point I am thinking about pulling the data for my Bind and Web
> pages and doing a scorched earth recovery.
>
> If this was, as I am beginning to think, a hack just waiting for a reboot
> to pounce, I am not sure if my back-up is clean!
>

I understand that you have 2 more servers, so I assume that you can take this one (Fedora) offline without any impact on the business you run. Regardless, do some investigation - you may learn something ...

Do run these security programs. First install them:

# yum install chkrootkit rkhunter

Note that some of them are interactive when run, so stand by.

Run this one and see the output for any warnings:

# chkrootkit

Run the next one and see the output for any warnings:

# rkhunter

Now, regarding what to do next. Because of that root password hosing I am inclined to believe that your system has been compromised. This to me would be enough to reinstall the system.
Regardless of any suspicion about the shutdown process being compromised by an attacker, you should test your Fedora under stress conditions to verify that it works correctly with a controlled shutdown when AC fails and the UPS jumps in.

Good luck and let us know the results.

JB

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
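The check walked through in the reply above (is a NetworkManager-spawned dhclient attached to an interface whose ifcfg says it is static; park the lease file aside as `-crash` and leave an empty one behind; then pull the addresses out of the saved lease so they can be looked up with dig or whois) as a small POSIX shell script. This is an added example, not code from the thread or from Fedora or NetworkManager. The ifcfg file, the dhclient lease and the `ps aux` output are constructed inline (RFC 5737 documentation addresses, the lease UUID from the thread), and the function names `ifcfg_get`, `dhclient_pids`, `static_but_dhclient`, `quarantine_lease` and `lease_addresses` are this example's own. The `killall` step from the reply is deliberately left out: apart from renaming the lease, the script only reads.

```shell
#!/bin/sh
# Added example: find a dhclient attached to an interface that is configured
# static, park its lease file for later inspection, and list the addresses
# the lease named. All inputs below are constructed; nothing is read from
# the live system.

WORK=$(mktemp -d)
IFCFG="$WORK/ifcfg-eth0"
LEASE="$WORK/dhclient-15087fb0-92c7-40fe-ad3e-373bf0997205-eth0.lease"
PSOUT="$WORK/ps.txt"

# Constructed ifcfg, shaped like the one in the thread (addresses replaced).
cat > "$IFCFG" <<'EOF'
DEVICE=eth0
BOOTPROTO=none
IPADDR=192.0.2.12
PREFIX=28
GATEWAY=192.0.2.1
DNS1=192.0.2.53
ONBOOT=yes
NM_CONTROLLED=yes
NAME="System eth0"
EOF

# Constructed lease in the format /sbin/dhclient writes. Note that none of
# these addresses match the static configuration above.
cat > "$LEASE" <<'EOF'
lease {
  interface "eth0";
  fixed-address 203.0.113.77;
  option subnet-mask 255.255.255.0;
  option routers 203.0.113.1;
  option domain-name-servers 203.0.113.5,198.51.100.9;
  option dhcp-server-identifier 203.0.113.1;
  renew 6 2010/09/25 14:10:00;
  expire 0 2010/09/26 08:10:00;
}
EOF

# Constructed `ps aux` output: one dhclient bound to eth0 by NetworkManager,
# plus the grep line that always shows up in such output.
cat > "$PSOUT" <<'EOF'
root 1047 0.0 0.1 2828 1192 ? S 08:10 0:00 /sbin/dhclient -d -4 -sf /usr/libexec/nm-dhcp-client.action -pf /var/run/dhclient-eth0.pid -lf /var/lib/dhclient/dhclient-15087fb0-92c7-40fe-ad3e-373bf0997205-eth0.lease -cf /var/run/nm-dhclient-eth0.conf eth0
root 2349 0.0 0.0 4360 736 pts/1 S+ 08:26 0:00 grep -i dhc
EOF

# ifcfg_get FILE KEY -> value of KEY with optional quotes stripped; empty if absent.
ifcfg_get() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" "$1" | head -n 1
}

# dhclient_pids PSFILE IFACE -> PIDs of dhclient processes whose last argument
# is IFACE. Matching on the command column ($11) skips the grep line itself.
dhclient_pids() {
    awk -v ifc="$2" '$11 ~ /(^|\/)dhclient$/ && $NF == ifc { print $2 }' "$1"
}

# static_but_dhclient IFCFG PSFILE -> success when the interface is configured
# static (BOOTPROTO=none or static) yet a dhclient is running for it.
static_but_dhclient() {
    dev=$(ifcfg_get "$1" DEVICE)
    proto=$(ifcfg_get "$1" BOOTPROTO)
    case "$proto" in
        none|static) ;;
        *) return 1 ;;
    esac
    [ -n "$(dhclient_pids "$2" "$dev")" ]
}

# quarantine_lease LEASEFILE -> rename it to LEASEFILE-crash, leave an empty
# file in its place, and print the saved path.
quarantine_lease() {
    mv "$1" "$1-crash" && : > "$1" && printf '%s\n' "$1-crash"
}

# lease_addresses LEASEFILE -> every IPv4 address the lease names (fixed
# address, routers, DNS servers, server identifier), one per line, deduplicated.
# The subnet mask is dropped since it is not a host to look up.
lease_addresses() {
    tr ',;' '\n\n' < "$1" \
      | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' \
      | grep -v '^255\.' | sort -u
}

if static_but_dhclient "$IFCFG" "$PSOUT"; then
    echo "eth0 is static but dhclient pid(s) $(dhclient_pids "$PSOUT" eth0 | tr '\n' ' ')are attached to it"
    saved=$(quarantine_lease "$LEASE")
    echo "lease parked at $saved; addresses to check with dig -x / whois:"
    lease_addresses "$saved"
fi
```

On a real Fedora box of that era you would point IFCFG at /etc/sysconfig/network-scripts/ifcfg-eth0, feed `ps aux` output into PSOUT, and set LEASE to the file under /var/lib/dhclient/; the -crash copy is what you take to your ISP, and an empty LEASE after the reboot is the confirmation the reply asks for.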