Re: [opensuse-security] System attacked, need help
I am looking at my 12.3 system and ifup is a script and ifdown is a
symlink to ifup. That's normal. Because ifdown is a symlink, those
permissions are normal.
I would be putting one system online at a time and have another system
set up with a packet sniffer (i.e. Wireshark) and restart from there.
On 09/13/14 13:00, Jon Cosby wrote:
I've been under attack recently and need help tracing the source and
locking down. At one point the hacker took full control of my system,
including windows and terminals. I went offline for four days this
week, reinstalled openSUSE 13.1 offline yesterday, turned on the
firewall and ran the patches online. I'm blocking unneeded ports in my
modem-router. The attacks seem to continue almost immediately.
rkhunter gives a very suspicious warning:
[10:19:02] /sbin/ifup [ Warning ]
[10:19:02] Warning: The command '/sbin/ifup' has been replaced by a
script: /sbin/ifup: Bourne-Again shell script, ASCII..
sbin> ls -l ifup
-rwxr-xr-x 1 root root 48711 Apr 10 00:46 ifup
sbin> ls -l ifdown
lrwxrwxrwx 1 root root 4 Sep 12 18:05 ifdown -> ifup
Note the permissions on ifdown. On restarting from suspension, there's
a signal going out. I'm going to have to go down again, but don't have
a clue what I need to do to get this system operating cleanly. Any
tips/suggestions are appreciated. Thanks,
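The reply above makes two points worth turning into a repeatable check: the lrwxrwxrwx mode on ifdown is just what ls -l shows for any symlink (the kernel ignores a symlink's own mode bits and applies the target's), and rkhunter's "replaced by a script" warning only tells you the file starts with "#!", which is expected for ifup on these releases. What neither tool tells you is whether the file matches what the package shipped. The script below is an added example written for this page, not code from the thread or from openSUSE: classify() resolves the symlink question and the script/ELF question from the file's own bytes, and verify_with_rpm() asks the RPM database which package owns the file and verifies it (rpm -qf / rpm -Vf). The rpm step is only as trustworthy as the local rpmdb, so on a box you believe was root-compromised, the authoritative comparison is against the package on install media or a known-clean system; the hypothetical paths used in the comments are illustrations.

```sh
#!/bin/sh
# Added example (not part of the original thread). Usage:
#   sh check_ifup.sh /sbin/ifup /sbin/ifdown

# classify PATH -> prints one of:
#   "symlink -> TARGET"   the path is a symlink (its own mode bits, shown by
#                         ls -l as lrwxrwxrwx, are ignored; the target's apply)
#   "script"              regular file beginning with "#!"
#   "binary"              regular file beginning with the ELF magic 7f 45 4c 46
#   "other"               anything else, including a missing path
classify() {
    p="$1"
    if [ -L "$p" ]; then
        printf 'symlink -> %s\n' "$(readlink "$p")"
        return 0
    fi
    if [ ! -f "$p" ]; then
        echo other
        return 0
    fi
    # first four bytes as lowercase hex, e.g. "2321" for "#!", "7f454c46" for ELF
    magic=$(od -An -tx1 -N4 "$p" | tr -d ' \n')
    case "$magic" in
        2321*)     echo script ;;
        7f454c46)  echo binary ;;
        *)         echo other ;;
    esac
}

# verify_with_rpm PATH -> when rpm is present, prints the owning package and
# then any lines from rpm -Vf (no lines means size, mode and digest all match
# the rpmdb); when rpm is absent, says so instead of failing.
verify_with_rpm() {
    p="$1"
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not available; compare against install media instead"
        return 0
    fi
    rpm -qf "$p" && rpm -Vf "$p"
}

# Walk each path given on the command line; with no arguments do nothing,
# so the functions above can also be sourced from another script.
for f in "$@"; do
    printf '%s: ' "$f"
    classify "$f"
    verify_with_rpm "$f"
done
```

Run it on the two paths from the rkhunter report; a symlink line for ifdown and a "script" line for ifup with no rpm -Vf output below them is the expected, uninteresting result. Any rpm -Vf output (for example a changed digest, marked "5") on a file owned by the network scripts package is the thing actually worth chasing.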