Hello all, I've been having some serious problems with my systems lately, and after my ISP checked out some packet captures etc., I was told, essentially, that someone or something wants me visible on the Internet all the time, and that the packets are saying what my new IP address is whenever I get a new one over DHCP.
I was wondering if anyone could help me with this problem. I'm a beginner with firewalls and I don't think I could do this by myself without a good book on iptables (I have some understanding, but normally there are only a couple of pages on iptables in a Linux book of 500 pages or more). I would also like further rules to keep my system really secure and to alert me in some way with an IDS if something gets through the firewall (Snort?).

I have some malware on my system at the moment, so this is a tricky one. It will have to take care of incoming and outgoing. I am not exactly sure how to get the malware off my computer either: I've tried wiping the discs with LiveCDs, but sometimes it works and sometimes it doesn't.

I don't know who or what is doing this, but I have seen uploads of traffic to the Internet not from me, I seem to be on multicast (is that normal?), and I've had the usual spammers and fraudsters trying to get my machine. Even after I boot them off, it still continues. I pulled the logs off my modem/router and it happily said how it got in, flushed the firewall rules and put me on a fake DNS proxy. I think I might need some professional help. If there's an expert around here on security, including firewalls and security software, please send me an email at linux dot user dot au at gmail.

Also, I'd like to know if there are security issues with the network or business card installs. I have observed files called passwords.dat, partman.dat and config.dat with passwords in the clear just before I stopped it rebooting after the install, and I do know that the people attacking my systems go through the network and manage even to flash my modem/router firmware or configure it for themselves. Is it a serious security issue to have those files in /var/lib/[cdebconf I think] in the initial RAM disk (not the "in-target" disk partition) for attackers to see?
I would also like to know what exactly should be in an initrd.gz: if someone could upload a known good one that hasn't been fiddled with, I would appreciate that so I can compare it to those I have. I use Debian GNU/Linux 5.0.4 Lenny AMD64. I also wonder why it won't allow me security or volatile updates. This makes me think my "updates" are perhaps malicious software coming from elsewhere.

--
With thanks,
Hamish

Archive: http://lists.debian.org/[email protected]
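The comparison against a known-good initrd.gz that the post asks for can be done mechanically rather than by eye. The following is an added example (not the poster's code and not part of Debian) that assumes the image is a single gzip-compressed "newc" cpio archive, as the Lenny installer's initrd.gz is, and reports paths that were added, removed, or changed (by mode, size, or SHA-256) relative to a reference image; the sample images are constructed inline.

```python
import gzip, hashlib
MAGIC = b"070701"  # "newc" cpio header magic, the format Debian initrd images use

def _pad4(n):
    return (n + 3) & ~3  # cpio aligns every header and file body to 4 bytes

def parse_newc_cpio(data):
    """Return {path: (mode, size, sha256)} for every entry of a newc cpio archive."""
    entries, off = {}, 0
    while off + 110 <= len(data):
        hdr = data[off:off + 110]
        if hdr[:6] != MAGIC:
            raise ValueError("bad cpio header at offset %d" % off)
        f = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]  # 13 hex fields
        mode, size, namesize = f[1], f[6], f[11]
        name = data[off + 110:off + 110 + namesize - 1].decode()  # drop trailing NUL
        body_off = _pad4(off + 110 + namesize)
        body = data[body_off:body_off + size]
        off = _pad4(body_off + size)
        if name == "TRAILER!!!":  # end-of-archive marker
            break
        entries[name] = (mode, size, hashlib.sha256(body).hexdigest())
    return entries

def compare_initrds(known_good_gz, suspect_gz):
    """Diff two gzip-compressed newc cpio images such as Lenny's initrd.gz."""
    ref = parse_newc_cpio(gzip.decompress(known_good_gz))
    sus = parse_newc_cpio(gzip.decompress(suspect_gz))
    return {"added": sorted(set(sus) - set(ref)),
            "removed": sorted(set(ref) - set(sus)),
            "changed": sorted(p for p in ref if p in sus and ref[p] != sus[p])}

def build_newc_cpio(files):
    """Build a small newc archive from [(path, mode, bytes)]; used to construct samples."""
    out = bytearray()
    for ino, (name, mode, body) in enumerate(files + [("TRAILER!!!", 0, b"")], 1):
        nm = name.encode() + b"\0"
        vals = (ino, mode, 0, 0, 1, 0, len(body), 0, 0, 0, 0, len(nm), 0)
        out += MAGIC + b"".join(b"%08x" % v for v in vals) + nm
        out += b"\0" * (_pad4(len(out)) - len(out)) + body
        out += b"\0" * (_pad4(len(out)) - len(out))
    return bytes(out)

def demo_audit():
    """Constructed samples, not real Debian initrds: the suspect image has a
    modified /init and an extra binary the reference image does not contain."""
    init = b"#!/bin/sh\nexec /sbin/debian-installer\n"
    ref = [("init", 0o100755, init), ("etc/hostname", 0o100644, b"debian\n")]
    sus = [("init", 0o100755, init + b"/sbin/helper &\n"), ref[1], ("sbin/helper", 0o100755, b"extra\n")]
    return compare_initrds(gzip.compress(build_newc_cpio(ref)), gzip.compress(build_newc_cpio(sus)))
```

To audit a real image, read both initrd.gz files as bytes and pass them to compare_initrds; an unexpected "added" or "changed" entry under /init, /sbin or /var/lib is what to look at first, while a difference in every file usually just means the two images come from different installer builds.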

