Re: [CentOS] Hacking Issue

2011-09-27 Thread Micky L Martin
On Mon, Sep 26, 2011 at 10:10 AM, m.r...@5-cent.us wrote:

 Theo Band wrote:
  On 09/26/2011 01:02 PM, Jennifer Botten wrote:
 
  I am having an issue with someone accessing our server via a SIP/VOIP
  connection. I have changed my iptables rules to drop all UDP traffic
  from and to this IP address, but this traffic seems to still run
  through my server. These are the iptables rules that I currently have on
  the server.
 
  -A INPUT -i eth0 -s 209.61.231.42 -p udp -j DROP
 
  -A INPUT -i eth0 -d 209.61.231.42 -p udp -j DROP
 
 
  If your SIP server needs to be accessed from any IP address, consider
  using fail2ban. Easy to set up, and it will block access to your SIP server
  after so many false attempts.
  I started using fail2ban to prevent failed logons from cluttering the
  (Asterisk) logs.

 Let me chime in: *yes* to fail2ban. We use it here at work, and it works,
 and is very good. Not too hard to configure for basic usage, either, but
 very extensible.

 mark



I use CSF and LFD. Like every other firewall, the backend is always iptables
but CSF is so powerful and has a lot of irreplaceable power and
functionality.
It can be a bit difficult to configure it for the first time but when you
do, you will never look back ;)

-Micky.
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
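The fail2ban approach recommended above, as an added example that is not part of the thread: a fail2ban-style ban decision run over constructed Asterisk chan_sip log lines. It applies fail2ban's maxretry/findtime semantics (a sliding window per source IP) and prints the iptables command a ban would issue. The log format follows the "Registration from ... failed for 'IP:PORT' - reason" NOTICE lines that fail2ban's asterisk filter keys on, and the addresses, extensions and thresholds are all assumed for the example.

```python
"""Added example (not code from the thread): fail2ban-style detection over
constructed Asterisk log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed Asterisk 1.x chan_sip NOTICE format for a failed registration.
FAILED_REG = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '.*' failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - "
    r"(?P<reason>.+)$"
)


def parse_failures(lines):
    """Yield (timestamp, source_ip) for every failed-registration line; other lines are ignored."""
    for line in lines:
        m = FAILED_REG.match(line)
        if m:
            yield datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("ip")


def ban_decisions(lines, maxretry=5, findtime=600):
    """Return {ip: time_of_ban} for every source that produced maxretry failures
    inside any findtime-second window (fail2ban's maxretry/findtime semantics)."""
    window = defaultdict(deque)
    banned = {}
    for ts, ip in parse_failures(lines):
        if ip in banned:
            continue
        q = window[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:   # drop failures older than the window
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned


def ban_commands(banned):
    """Simplified form of what fail2ban's iptables action runs: the rule is
    inserted (-I) at the top of INPUT so it is evaluated before any ACCEPT."""
    return ["iptables -I INPUT -s %s -j DROP" % ip for ip in sorted(banned)]


def _line(ts, ext, ip, reason):
    """Build one constructed failed-registration log line."""
    return (f"[{ts}] NOTICE[2931] chan_sip.c: Registration from "
            f"'\"{ext}\" <sip:{ext}@{ip}>' failed for '{ip}:5060' - {reason}")


# Constructed sample log: 203.0.113.7 fails five times in under a minute
# (a scanner), 198.51.100.9 fails once every five minutes (a misconfigured phone).
SAMPLE_LOG = [
    _line("2011-09-26 10:00:00", "100", "198.51.100.9", "Wrong password"),
    _line("2011-09-26 10:05:00", "100", "198.51.100.9", "Wrong password"),
    _line("2011-09-26 10:10:00", "100", "198.51.100.9", "Wrong password"),
    _line("2011-09-26 10:10:01", "100", "203.0.113.7", "Wrong password"),
    _line("2011-09-26 10:10:12", "101", "203.0.113.7", "No matching peer found"),
    _line("2011-09-26 10:10:20", "102", "203.0.113.7", "No matching peer found"),
    "[2011-09-26 10:10:31] VERBOSE[2931] chan_sip.c:     -- Registered SIP '200' at 192.0.2.10:5060",
    _line("2011-09-26 10:10:33", "103", "203.0.113.7", "No matching peer found"),
    _line("2011-09-26 10:10:45", "104", "203.0.113.7", "No matching peer found"),
    _line("2011-09-26 10:15:00", "100", "198.51.100.9", "Wrong password"),
    _line("2011-09-26 10:20:00", "100", "198.51.100.9", "Wrong password"),
]

if __name__ == "__main__":
    for cmd in ban_commands(ban_decisions(SAMPLE_LOG)):
        print(cmd)
```

With the defaults only the scanner is banned; lowering maxretry to 3 would also catch the slow source, which is the usual trade-off when tuning a jail for phones that retry on a timer.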


[CentOS] Files being modified in /bin/

2011-09-26 Thread Micky L Martin
For the binary experts.

I have a situation here. Something hideous is continuously modifying
the /bin/ executables, ones as common as coreutils and net-tools.
I can verify that from md5sum. The first thing I checked was 'ls' and it has a
checksum mismatch. So I removed it and reinstalled it. Then I moved the file
somewhere else to cross bisect it.

I did a hexdump on original ls file and the modified file, and there was
some 700 lines of hex code additional in the modified file.
Then I set a cron to check and do md5sum on all system files and after half
an hour, I got a report back. Files modified.

This time when I checked the hex dumps of the newly and earlier modified files,
they were the same. Exactly the same!

Because rpm and rpmverify also seem to have been modified, I cannot
trust 'rpm -V' package verification.

Already did lsof and process tracing but to no avail. Does anyone have any
idea how to find that culprit?


-Micky.


Re: [CentOS] Files being modified in /bin/

2011-09-26 Thread Micky L Martin
So apparently prelink was running.
I disabled it in /etc/sysconfig/prelink and ran 'prelink -ua' to undo the
linking.

I just stumbled upon a document (attached) describing how Linux used to have
a.out (http://en.wikipedia.org/wiki/A.out) and now has ELF.

Though I never knew that prelink actually modifies the files and thought of
it as a cache library or something. Literally modifies!!

So, I assume the problem is solved as ls seems to have reverted back but if
not then it may be an LKM kit :|

On Mon, Sep 26, 2011 at 6:29 AM, Rob Kampen rkam...@kampensonline.com wrote:

 Jeremy Sanders wrote:

 Micky L Martin wrote:



 Because rpm and rpmverify also seem to have been modified, I cannot
 trust 'rpm -V' package verification.

 Already did lsof and process tracing but to no avail. Does anyone have
 any
 idea how to find that culprit?



 Are you sure it's not prelink that's modifying the files? You can google
 how to disable this.


 Any comments or thoughts from the list as to the benefit of prelink?
 Does the system performance change if this is disabled?
 It causes issues with aide also.

  Boot from a CD to check the checksums or run rpm if you want a clean
 environment.

 Jeremy




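The integrity check the original post set up with md5sum in cron, and the prelink explanation that resolved it, as one added example that is not code from the thread: a small baseline-and-verify checker that stays correct on a prelinked system. prelink rewrites ELF files in place, so a stored hash of the on-disk bytes mismatches after every prelink run even when nothing is wrong; rpm -V handles this by hashing the output of `prelink -y FILE` (the reconstructed original) rather than the file itself, and this checker does the same when a prelink binary is present. The directory, file names and tampering in demo() are constructed for the example; nothing here touches /bin.

```python
"""Added example (not code from the thread): a prelink-aware file-integrity
baseline, modelled on what rpm -V does on prelink-enabled systems."""
import hashlib
import os
import shutil
import subprocess
import tempfile

ELF_MAGIC = b"\x7fELF"
PRELINK = shutil.which("prelink")   # None on hosts without prelink installed


def canonical_bytes(path):
    """Bytes to hash: prelink's reconstruction of the original ELF file when
    the file is a prelinked ELF and prelink is available, else the raw contents."""
    with open(path, "rb") as f:
        data = f.read()
    if PRELINK and data[:4] == ELF_MAGIC:
        # `prelink -y` writes the un-prelinked file to stdout; it exits non-zero
        # when the file was never prelinked or was altered after prelinking,
        # and in both cases the raw bytes are what should be compared.
        proc = subprocess.run([PRELINK, "-y", path], capture_output=True)
        if proc.returncode == 0:
            return proc.stdout
    return data


def file_hash(path):
    return hashlib.sha256(canonical_bytes(path)).hexdigest()


def baseline(root):
    """Map relative path -> sha256 for every regular file under root (symlinks skipped)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                manifest[os.path.relpath(full, root).replace(os.sep, "/")] = file_hash(full)
    return manifest


def verify(root, manifest):
    """Compare the tree under root against a stored manifest."""
    current = baseline(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "new": sorted(p for p in current if p not in manifest),
    }


def demo():
    """Constructed scenario: baseline a scratch tree, then emulate one file
    being rewritten, one removed and one dropped in, and report the diff."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    try:
        os.makedirs(os.path.join(root, "bin"))
        for name, content in (("ls", b"original ls"), ("cat", b"original cat"), ("ps", b"original ps")):
            with open(os.path.join(root, "bin", name), "wb") as f:
                f.write(content)
        manifest = baseline(root)
        with open(os.path.join(root, "bin", "ls"), "ab") as f:
            f.write(b"\x90" * 64)                      # tampering: bytes appended to ls
        os.remove(os.path.join(root, "bin", "ps"))     # a binary gone missing
        with open(os.path.join(root, "bin", "netstat"), "wb") as f:
            f.write(b"unexpected new binary")          # something dropped in
        return verify(root, manifest)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

The caveat from Jeremy's and mark's replies still applies to this script: run it, and the prelink and hashing tools it calls, from a boot CD or other trusted media, since on a host that really is compromised the on-disk tools can lie about what they hash. Keep the manifest off the host for the same reason.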


Re: [CentOS] Problems with Intel Ethernet and module e1000e

2011-09-26 Thread Micky L Martin
In our case, it was the driver.
Google e1000e-1.6.2.tar.gz


On Mon, Sep 26, 2011 at 6:56 AM, m.r...@5-cent.us wrote:

 Patrick Lists wrote:
  On 09/23/2011 12:54 PM, Volker Poplawski wrote:
  Hi all,
 
  I'm facing a serious problem with the e1000e kernel module for Intel
  82574L gigabit nics on Centos 6.
 
  I have also had problems with an Intel Gbit nic in a Dell Optiplex 760
  using the e1000 module. If it would come up it would come up at 100Mbit
  speed. Only unplugging the LAN cable and reinserting it in the switch
  would sometimes result in the proper 1Gb speed. After replacing the 3Com
  Gbit switch with a DLink Gbit switch things started to work ok.
 
  As suggested, you could try out the e1000 kernel module from elrepo (if
  it works, good for you) but you may want to look into the switch too.

 Hmmm, we had a problem like that, but in our case, it was the NIC. If
 someone's already asked this - I didn't read the list over the weekend -
 ignore the request, but if not, while it's not working, what's the o/p of
 ethtool ethwhatever

mark



Re: [CentOS] Files being modified in /bin/

2011-09-26 Thread Micky L Martin
No Jeremy, reformatting is nonsensical, like doing anything without finding
the cause of the problem is!
You have to check out prelink if you still don't know about it; it can be
something amazing or ridiculous.
In my case, all evidence points to prelink!


To the guys using prelink and having experience with it.
So I did a further study and found out that it has some issues.

First, it doesn't randomly address the data, making applications prone to perl
security attacks. Secondly, its way of keeping track of address maps is
awkward: they become a few weeks old until they get updated.
Thirdly, it's a 'very old styled' application. It was written back in the 90's,
when computers were slow, to make them fast. But in today's age of excess
processing power, its effects are long vanishing.
Lastly, I see a lot of people remove it in the post-installation process. Many
claim it sucks, as it creates more problems than it is supposed to solve.

As I occasionally do a minimal install, I am not sure how it got installed
on this very box. Seems like 'yum update' or the kickstart did it.
But anyhow, I disabled it already and I am gonna benchmark the system for
performance; needless to say, it will be removed from my desk.

It did pop like a jack in a box :P!

On Mon, Sep 26, 2011 at 7:11 AM, m.r...@5-cent.us wrote:

 Jeremy Sanders wrote:
  Micky L Martin wrote:
 
  Because rpm and rpmverify also seem to have been modified, I cannot
  trust 'rpm -V' package verification.
 
  Already did lsof and process tracing but to no avail. Does anyone have
  any idea how to find that culprit?
 
  Are you sure it's not prelink that's modifying the files? You can google
  how to disable this.
 
  Boot from a CD to check the checksums or run rpm if you want a clean
  environment.

 Don't really know about prelink, but I strongly agree with the last
 suggestion: boot from a CD, or USB key, or something *other* than your
 hard drive - your comments strongly suggest that you've been infected. You
 *do* have backups of your configuration and data (and home directories,
 etc)? If so, you might want to do a reinstall without formatting... and
 then, and only then, rerun grub-install.

  mark

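The first of the prelink complaints above (that it "doesn't randomly address" things) is the one with a security consequence: prelink assigns each shared library a fixed load address and records it in the binary, so a prelinked program maps libc at the same address on every run, whereas with prelink undone (`prelink -ua`) and the kernel's randomize_va_space set to 2 the base moves between runs. As an added example that is not from the thread, this script checks which of the two a host actually does by comparing library base addresses across fresh processes. The /proc/PID/maps excerpts used for the self-test are constructed (the addresses and inode numbers are made up); aslr_effective() reads real maps on a Linux host.

```python
"""Added example (not code from the thread): does the shared-library base
address move between runs, or is it pinned as on a prelinked system?"""
import re
import subprocess
import sys

# One /proc/PID/maps line: "start-end perms offset dev inode path"; lines
# without a path (anonymous mappings) deliberately do not match.
MAPS_LINE = re.compile(r"^([0-9a-f]+)-[0-9a-f]+\s+\S+\s+\S+\s+\S+\s+\d+\s+(\S+)$")


def library_bases(maps_text, pattern="libc"):
    """Lowest mapping start address for each path whose basename contains pattern."""
    bases = {}
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        start, path = int(m.group(1), 16), m.group(2)
        if pattern in path.rsplit("/", 1)[-1]:
            bases[path] = min(start, bases.get(path, start))
    return bases


def randomized(maps_texts, pattern="libc"):
    """True when some library matching pattern loaded at more than one base
    address across the captured runs; False means every run used the same one."""
    seen = {}
    for text in maps_texts:
        for path, base in library_bases(text, pattern).items():
            seen.setdefault(path, set()).add(base)
    return any(len(addrs) > 1 for addrs in seen.values())


def aslr_effective(runs=3, pattern="libc"):
    """Spawn `runs` fresh interpreters, each dumping its own /proc/self/maps,
    and report whether the matching library base moved. Linux only."""
    texts = []
    for _ in range(runs):
        out = subprocess.run([sys.executable, "-c", "print(open('/proc/self/maps').read())"],
                             capture_output=True, text=True, check=True).stdout
        texts.append(out)
    return randomized(texts, pattern)


# Constructed maps excerpts (fake addresses and inodes): run B loads libc at a
# different base than run A; run C repeats A exactly, as a prelinked box would.
RUN_A = """\
00400000-004b5000 r-xp 00000000 fd:00 131106   /bin/ls
7f2a1c000000-7f2a1c1a4000 r-xp 00000000 fd:00 264387   /lib64/libc-2.12.so
7f2a1c1a4000-7f2a1c3a4000 ---p 001a4000 fd:00 264387   /lib64/libc-2.12.so
7fff5e3f0000-7fff5e405000 rw-p 00000000 00:00 0        [stack]
"""
RUN_B = RUN_A.replace("7f2a1c", "7f91d3")
RUN_C = RUN_A

if __name__ == "__main__":
    try:
        print("libc base moves between runs:", aslr_effective())
    except (OSError, subprocess.CalledProcessError):
        print("no /proc on this host; nothing to measure")
```

A False result on a box where /proc/sys/kernel/randomize_va_space reads 2 is the prelink signature: the kernel is willing to randomize, but the binaries carry fixed addresses. Note the check says nothing about the main executable itself, which on CentOS 6 is non-PIE and always loads at the same address regardless of prelink.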


Re: [CentOS] Hacking Issue

2011-09-26 Thread Micky L Martin
I would use '-I' instead of '-A' if it's a case of blocking an intruder.

You can use tcpdump and 'ss -l' as well.

Check out the application logs, try to see what the intruder is up to!

On Mon, Sep 26, 2011 at 7:14 AM, Keith Roberts ke...@karsites.net wrote:

 On Mon, 26 Sep 2011, Jennifer Botten wrote:

  To: centos@centos.org
  From: Jennifer Botten jenni...@etech.co.za
  Subject: [CentOS] Hacking Issue
 
  Hi,
 
 
 
  I am having an issue with someone accessing our server via a SIP/VOIP
  connection. I have changed my iptables rules to drop all UDP traffic from
  and to this IP address, but this traffic seems to still run through my
  server. These are the iptables rules that I currently have on the server.
 
  -A INPUT -i eth0 -s 209.61.231.42 -p udp -j DROP
 
  -A INPUT -i eth0 -d 209.61.231.42 -p udp -j DROP

 You might find it helps to analyse this traffic with a
 network analyser, like Wireshark. That would allow you to
 see in almost real time what is happening on the line.

 Kind Regards,

 Keith Roberts

 -
 Websites:
 http://www.karsites.net
 http://www.php-debuggers.net
 http://www.raised-from-the-dead.org.uk

 All email addresses are challenge-response protected with
 TMDA [http://tmda.net]
 -
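The '-I' versus '-A' point made above, as an added example that is not code from the thread: iptables evaluates a chain top to bottom and the first matching terminal target (ACCEPT, DROP) decides the packet, so a DROP appended with `-A` below an existing ACCEPT for UDP 5060 never sees the SIP probes, while the same rule inserted with `-I` is evaluated first. The second posted rule has a separate problem: `-d 209.61.231.42` in INPUT matches nothing, because inbound packets are addressed to the server itself; that match belongs in OUTPUT. The pre-existing INPUT rules (SIP open to any address, as Theo's reply presumes, plus SSH) and the server address 192.0.2.10 are assumptions for the model.

```python
"""Added example (not code from the thread): iptables first-match semantics
modelled in a few lines to show why -A and -I behave differently here."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class Rule:
    """One rule: every set field must match; unset fields match anything."""
    target: str
    proto: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return all(want is None or want == have for want, have in (
            (self.proto, pkt.proto), (self.src, pkt.src),
            (self.dst, pkt.dst), (self.dport, pkt.dport)))


def verdict(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """Walk the chain top to bottom; the first matching rule's target wins,
    otherwise the chain policy applies."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


def append(chain: List[Rule], rule: Rule) -> None:      # iptables -A: bottom of the chain
    chain.append(rule)


def insert(chain: List[Rule], rule: Rule, pos: int = 1) -> None:   # iptables -I [pos]: top by default
    chain.insert(pos - 1, rule)


SERVER_IP = "192.0.2.10"        # assumed address of the SIP server
INTRUDER_IP = "209.61.231.42"   # the address from the post
SIP_PROBE = Packet(src=INTRUDER_IP, dst=SERVER_IP, proto="udp", dport=5060)


def existing_input_chain() -> List[Rule]:
    """Assumed rules already present on a public SIP server."""
    return [Rule("ACCEPT", proto="udp", dport=5060),
            Rule("ACCEPT", proto="tcp", dport=22)]


def appended_drop_verdict() -> str:
    """The rules as posted (-A): the DROP lands below the SIP ACCEPT, so the
    probe is accepted before the DROP is ever consulted."""
    chain = existing_input_chain()
    append(chain, Rule("DROP", proto="udp", src=INTRUDER_IP))
    append(chain, Rule("DROP", proto="udp", dst=INTRUDER_IP))
    return verdict(chain, SIP_PROBE)


def inserted_drop_verdict() -> str:
    """The same source rule with -I: evaluated first, so the probe is dropped."""
    chain = existing_input_chain()
    insert(chain, Rule("DROP", proto="udp", src=INTRUDER_IP))
    return verdict(chain, SIP_PROBE)


def dst_rule_in_input_verdict() -> str:
    """-d INTRUDER_IP in INPUT can never match an inbound packet, whose
    destination is the server; the chain policy decides instead."""
    return verdict([Rule("DROP", proto="udp", dst=INTRUDER_IP)], SIP_PROBE)


def dst_rule_in_output_verdict() -> str:
    """The same match placed in OUTPUT does catch the server's replies."""
    reply = Packet(src=SERVER_IP, dst=INTRUDER_IP, proto="udp", dport=5060)
    return verdict([Rule("DROP", proto="udp", dst=INTRUDER_IP)], reply)


if __name__ == "__main__":
    print("appended DROP in INPUT :", appended_drop_verdict())
    print("inserted DROP in INPUT :", inserted_drop_verdict())
    print("-d rule in INPUT       :", dst_rule_in_input_verdict())
    print("-d rule in OUTPUT      :", dst_rule_in_output_verdict())
```

On the real box, `iptables -L INPUT -n -v --line-numbers` shows the evaluation order together with per-rule packet counters, so a DROP whose counter stays at zero while the traffic continues is a rule that is never reached or never matches.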