Re: Weird Network Manager Problem

Mike Dwiggins <mike <at> azdwiggins.com> writes:

> 
>   On 9/25/2010 6:38 AM, JB wrote:
> > some unrelated software package malfunctions ...
> > You have to consider that you have been hacked, I guess. Normally you
> > should
> > take your machine offline until you understand what is the damage.
> >
> > I am only online long enough to test the ping
> 
> > Well, where do you get that info from ?
> System/Administration/Network/
> > Are you auto-configured by dhclient ?
> Not supposed to be eth0 is set to Static IP

Not quite. But read on.

> > Controlled by NetworkManager ?
> Yes

Just apropos.
Enable (check off) the "Activate device when computer starts".

> > Automatically obtain IP address settings with DHCP ?
> Again it is not set to

OK.
If you select for "Statically set IP addresses", then
the "Automatically obtain IP address settings with DHCP" is turned off.

> > Automatically obtain DNS info from provider ?
> No

Not quite. But read on.

> > Also, check:
> > $ ps aux |grep -i dhc
> > jb        6982  0.0  0.0   4360   708 pts/3    S+   15:21   0:00 grep -i
> > dhc
> > root     14415  0.0  0.0   2984   676 ?        S    06:13   0:00
> > /sbin/dhclient
> > -d -4 -sf /usr/libexec/nm-dhcp-client.action -pf /var/run/dhclient-eth0.
> > pid
> > -lf
> > /var/lib/dhclient/dhclient-5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03-eth0.lease
> > -cf
> > /var/run/nm-dhclient-eth0.conf eth0
> >
> > That's response on my system.
> On mine
> 
> # ps aux|grep -i dhc

> root      1047  0.0  0.1   2828  1192 ?        S    08:10   0:00 
> /sbin/dhclient -d -4 -sf
> /usr/libexec/nm-dhcp-client.action -pf
> /var/run/dhclient-eth0.pid -lf 
> /var/lib/dhclient/dhclient-15087fb0-92c7-40fe-ad3e-373bf0997205-eth0.lease 
> -cf
> /var/run/nm-dhclient-eth0.conf eth0
> root      2349  0.0  0.0   4360   736 pts/1    S+   08:26   0:00 grep -i dhc
> #

Here we go!

The 'ps aux |grep -i dhc' entry shows that there is a dhclient running under
control of NetworkManager.
When it runs, it obtains all default and user requested data from DHCP and DNS
servers and modifies those pesky system files.

Important:
Normally, when you configure your interface as you described (static IP, DNS),
the NetworkManager is run, but without NetworkManager-controlled dhclient.
I just checked that on my other machine :-)

So, something got screwed up in the past, either during configuration through
the System/Administration/Network/ utility or the panel's NetworkManager Applet
utility.
FYI, I had a bad experience with the second one some months ago, submitted a
report and they did these and other fixes to it.

Let's try to clean up some of this stuff.

Let's save that dhcp-lease file for interrogation later on (it probably
contains lease data that relates to invalid IP addresses, etc; that's what
screwed up your IP data in various system files):
# mv /var/lib/dhclient/dhclient-15087fb0-92c7-40fe-ad3e-373bf0997205-eth0.lease \
     /var/lib/dhclient/dhclient-15087fb0-92c7-40fe-ad3e-373bf0997205-eth0.lease-crash

and create an empty file instead:
# touch /var/lib/dhclient/dhclient-15087fb0-92c7-40fe-ad3e-373bf0997205-eth0.lease

Later on, you should examine that saved file for IP addresses, etc; check them
with some DNS-type entries (dig, nslookup) on the Internet; you may want to
talk to your ISP about them, time of the presumed attack (system downtime),
check with your utilities provider about a time of presumed downtime in
electricity supply, etc.

Let's kill that dhclient that should not run.
# killall /sbin/dhclient
Confirm that it is gone:
# ps aux|grep -i dhc

After that you should restart your desktop (GNOME, etc), but best would be to
verify the entire startup sequence and reboot your machine back to the desktop.
After that verify again as above that dhclient is gone and that lease file
is still empty as it should be.

> 
> > Look at what kind of info you got last time:
> > # less /var/lib/dhclient/dhclient-5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03-eth0.lease
> >
> > Look at your own config settings:
> > # less /var/run/nm-dhclient-eth0.conf
> > That's perhaps from:
> > # # ls -al /etc/dhclient-*
> > -rw-r--r--. 1 root root 40 Feb 21  2010 /etc/dhclient-eth0.conf
> > -rw-r--r--. 1 root root 40 Feb 21  2010 /etc/dhclient-wlan0.conf
> >
> on mine
> 
> # ls -al /etc/dhclient-*
> ls: cannot access /etc/dhclient-*: No such file or directory
> #
> 
> /etc/sysconfig/network-scripts/ifcfg-eth0  is as follows
> 
> # Intel Corporation 82540EM Gigabit Ethernet Controller
> DEVICE=eth0
> BOOTPROTO=none
> DNS1=68.2.16.30
> GATEWAY=x.x.x.1
> HWADDR=00:C0:9F:20:FF:BA
> IPADDR=x.x.x.12
> NETMASK=255.255.255.240
> ONBOOT=yes
> DNS2=68.1.203.30
> TYPE=Ethernet
> NM_CONTROLLED=yes
> IPV6INIT=no
> USERCTL=no
> PREFIX=28
> DEFROUTE=yes
> IPV4_FAILURE_FATAL=yes
> NAME="System eth0"
> UUID=5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03
> 
> At this point I am thinking about pulling the data for my Bind and Web
> pages and doing a scorched earth recovery.
> 
> If this was as I am beginning to think a hack just waiting for a reboot
> to pounce, I am not sure if my back-up is clean!
> 

I understand that you have 2 more servers, so I assume that you can take
this one (Fedora) offline without any impact on business you run.
Regardless, do some investigation - you may learn something ...

Do run these security programs.
First install them:
# yum install chkrootkit rkhunter 
Note that some of them are interactive when run, so stand by.

Run this one and see output for any warnings:
# chkrootkit 
Run next one and see output for any warnings:
# rkhunter

Now, regarding what to do next.
Because of that root password hosing I am inclined to believe that your system
has been compromised. This to me would be enough to reinstall the system.

Regardless of any suspicion about shutdown process being compromised by
an attacker, you should test your Fedora under stress condition to verify that
it works correctly with controlled shutdown when AC fails and UPS jumps in.

Good luck and let us know the results.

JB
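As an added example (not part of the thread, and not JB's or Mike's own script), a small POSIX shell script that does the two checks JB walks through above: whether a NetworkManager-controlled dhclient is running for an interface whose ifcfg file says BOOTPROTO=none, and which addresses a saved dhclient lease file handed out, compared with the static IPADDR. The ifcfg, ps and lease texts are constructed samples using documentation addresses; the lease UUID is a placeholder.

```shell
#!/bin/sh
# Constructed sample input (not from the thread): an ifcfg file declaring
# a static address, and a ps listing that still shows an NM-controlled
# dhclient bound to the same interface. Documentation addresses are used.
IFCFG_SAMPLE='DEVICE=eth0
BOOTPROTO=none
IPADDR=192.0.2.12
NM_CONTROLLED=yes'
PS_SAMPLE='root  1047 0.0 0.1 2828 1192 ? S 08:10 0:00 /sbin/dhclient -d -4 -sf /usr/libexec/nm-dhcp-client.action -pf /var/run/dhclient-eth0.pid -lf /var/lib/dhclient/dhclient-PLACEHOLDER-UUID-eth0.lease -cf /var/run/nm-dhclient-eth0.conf eth0
root  2349 0.0 0.0 4360  736 pts/1 S+ 08:26 0:00 grep -i dhc'
LEASE_SAMPLE='lease {
  interface "eth0";
  fixed-address 192.0.2.99;
  option routers 192.0.2.1;
  option domain-name-servers 198.51.100.5,198.51.100.6;
}'

# Print MISMATCH when the ifcfg says BOOTPROTO=none (static) but the ps
# listing shows a dhclient whose last argument is that interface; OK otherwise.
check_static_iface() {
  dev=$(printf '%s\n' "$1" | sed -n 's/^DEVICE=//p')
  proto=$(printf '%s\n' "$1" | sed -n 's/^BOOTPROTO=//p')
  # grep -v grep drops the grep process itself, as seen in the thread's listing
  if [ "$proto" = "none" ] &&
     printf '%s\n' "$2" | grep -v grep | grep -q "dhclient.* $dev\$"; then
    echo MISMATCH
  else
    echo OK
  fi
}

# List the addresses a saved lease file handed out, one "key value" per
# line, so they can be reviewed (dig/nslookup) later. Arg: lease file text.
lease_addresses() {
  printf '%s\n' "$1" | sed -n \
    -e 's/^[[:space:]]*fixed-address \([^;]*\);/fixed-address \1/p' \
    -e 's/^[[:space:]]*option routers \([^;]*\);/routers \1/p' \
    -e 's/^[[:space:]]*option domain-name-servers \([^;]*\);/dns \1/p'
}

# FOREIGN when the leased fixed-address differs from the static IPADDR,
# i.e. the lease did not come from the expected configuration; else SAME.
lease_vs_static() {
  leased=$(lease_addresses "$1" | sed -n 's/^fixed-address //p')
  static=$(printf '%s\n' "$2" | sed -n 's/^IPADDR=//p')
  [ "$leased" = "$static" ] && echo SAME || echo FOREIGN
}

check_static_iface "$IFCFG_SAMPLE" "$PS_SAMPLE"; lease_addresses "$LEASE_SAMPLE"
lease_vs_static "$LEASE_SAMPLE" "$IFCFG_SAMPLE"
```

On a real box, feed it the contents of /etc/sysconfig/network-scripts/ifcfg-eth0, the output of `ps aux`, and the saved lease file instead of the samples.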



-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
