LinuxQuestions.org
Old 11-21-2007, 05:16 PM   #1
eager2no
LQ Newbie
 
Registered: Nov 2007
Posts: 2

Rep: Reputation: 0
Shorewall log - please help interpret


I am getting quite a lot of entries in /var/log/syslog like this one:

Code:
Nov 21 23:58:49 pcl kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:1b:fc:dd:1f:1c:00:15:0c:9e:00:c2:08:00 SRC=<my router, sort of> DST=<my IP> LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5310 DF PROTO=TCP SPT=3584 DPT=14013 WINDOW=5840 RES=0x00 SYN URGP=0
The first part of the MAC address is my Ethernet port, but the second part (before the 2-byte frame type) does not quite match my router: the last 2 bytes are different.
Who does it come from then?

Also, /var/log/messages has this:
Code:
Nov 21 07:04:46 pcl logger: Security Warning: Change in Suid Root files found :
Nov 21 07:04:46 pcl logger: -       Newly added suid root file : /usr/bin/xscreensaver
Nov 21 07:04:46 pcl logger: Security Warning: the md5 checksum for one of your SUID files has changed,
Nov 21 07:04:46 pcl logger: maybe an intruder modified one of these suid binary in order to put in a backdoor...
Nov 21 07:04:46 pcl logger: - Checksum changed file : /usr/bin/mtink
Nov 21 07:04:46 pcl logger: - Checksum changed file : /usr/bin/sperl5.8.8
Nov 21 07:04:46 pcl logger: - Checksum changed file : /usr/bin/ttink
Sounds a bit scary, so I'd much appreciate the help of more experienced members.

Also, is there a recommended way to harden my PCLinuxOS?

Thank you.

Last edited by eager2no; 11-21-2007 at 05:17 PM.
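As an added example (not code from the thread or from Shorewall itself), here is a small parser for the netfilter log format shown above. It splits the 14-octet `MAC=` field into the three parts the poster was puzzling over: the destination MAC (the receiving Ethernet port), the source MAC (the station that actually put the frame on the wire), and the two-byte EtherType. The `SRC`/`DST` addresses in the sample are constructed RFC 5737 documentation addresses, and the "router label" MAC in the `__main__` block is an assumed value, since the real ones were redacted in the post.

```python
import re
from dataclasses import dataclass

# Constructed sample: the poster's line, with the redacted SRC/DST replaced by
# RFC 5737 documentation addresses (an assumption, not the real addresses).
SAMPLE_LINE = (
    "Nov 21 23:58:49 pcl kernel: Shorewall:net2all:DROP:IN=eth0 OUT= "
    "MAC=00:1b:fc:dd:1f:1c:00:15:0c:9e:00:c2:08:00 SRC=192.0.2.1 DST=192.0.2.10 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5310 DF PROTO=TCP SPT=3584 DPT=14013 "
    "WINDOW=5840 RES=0x00 SYN URGP=0"
)

# Tokens netfilter emits without a value: the IP DF bit and the TCP flag names.
BARE_TOKENS = {"DF", "SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}

PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)$")


@dataclass
class ShorewallEntry:
    chain: str        # e.g. net2all
    action: str       # e.g. DROP
    fields: dict      # KEY=VALUE tokens (IN, OUT, SRC, DST, PROTO, SPT, DPT, ...)
    flags: set        # bare tokens (DF, SYN, ...)
    dst_mac: str      # octets 1-6: the interface that received the frame
    src_mac: str      # octets 7-12: the station that sent it on the local segment
    ethertype: str    # octets 13-14: 0800 = IPv4, 86dd = IPv6


def parse_shorewall_line(line):
    """Parse one Shorewall/netfilter log line; return a ShorewallEntry or None."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    fields, flags = {}, set()
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)   # "OUT=" yields an empty value
            fields[key] = value
        elif tok in BARE_TOKENS:
            flags.add(tok)
    octets = fields.get("MAC", "").split(":")
    if len(octets) != 14:                    # dst(6) + src(6) + ethertype(2)
        return None
    return ShorewallEntry(
        chain=m.group("chain"),
        action=m.group("action"),
        fields=fields,
        flags=flags,
        dst_mac=":".join(octets[0:6]),
        src_mac=":".join(octets[6:12]),
        ethertype="".join(octets[12:14]),
    )


def same_oui(mac_a, mac_b):
    """True when both MACs share the first three octets (the vendor OUI).

    A router that answers from several MACs, as the poster's turned out to,
    usually keeps the OUI and varies only the device-specific half."""
    return mac_a.lower().split(":")[:3] == mac_b.lower().split(":")[:3]


def describe(entry):
    """One-line human summary of a parsed entry."""
    proto = entry.fields.get("PROTO", "?")
    if entry.flags & {"SYN", "ACK"} == {"SYN"}:
        kind = "new-connection attempt (SYN only)"
    else:
        kind = "packet"
    return (f"{entry.action} in {entry.chain}: {proto} {kind} from "
            f"{entry.fields.get('SRC')}:{entry.fields.get('SPT')} (MAC {entry.src_mac}) "
            f"to {entry.fields.get('DST')}:{entry.fields.get('DPT')} on {entry.fields.get('IN')}")


if __name__ == "__main__":
    entry = parse_shorewall_line(SAMPLE_LINE)
    print(describe(entry))
    # Constructed: a MAC as it might appear on the router's label (assumed value).
    print("same vendor prefix as router:", same_oui(entry.src_mac, "00:15:0c:9e:aa:bb"))
```

Run it over `/var/log/syslog` with `grep Shorewall: | python3 thisfile.py`-style piping if you wish; the point is that `src_mac` identifies who put the frame on the local segment, while `SRC` is the IP header, which for a router-originated packet will be the router's LAN address rather than anything behind it.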
 
Old 11-23-2007, 03:46 AM   #2
lesleyb
Member
 
Registered: Sep 2003
Distribution: Debian, OpenBSD 3.9 & 3.7
Posts: 79

Rep: Reputation: 17
Quote:
Originally Posted by eager2no View Post
I am getting quite a lot of entries in /var/log/syslog like this one:

Code:
Nov 21 23:58:49 pcl kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:1b:fc:dd:1f:1c:00:15:0c:9e:00:c2:08:00 SRC=<my router, sort of> DST=<my IP> LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5310 DF PROTO=TCP SPT=3584 DPT=14013 WINDOW=5840 RES=0x00 SYN URGP=0
The first part of the MAC address is my Ethernet port, but the second part (before the 2-byte frame type) does not quite match my router: the last 2 bytes are different.
Who does it come from then?
Without knowing what netmask you have, it is impossible to say what that could be. Neither src nor dst port helps identify the service raising this packet nor what service it expects to head to. However it is a SYN packet and so it appears to be an attempt by your router to initiate a TCP session on these ports.

Most routers have a firewall in them these days so I suggest you take a look at that to drop any inbound unrelated unestablished connections.

Quote:
Originally Posted by eager2no View Post
Also, /var/log/messages has this:
Code:
Nov 21 07:04:46 pcl logger: Security Warning: Change in Suid Root files found :
Nov 21 07:04:46 pcl logger: -       Newly added suid root file : /usr/bin/xscreensaver
Nov 21 07:04:46 pcl logger: Security Warning: the md5 checksum for one of your SUID files has changed,
Nov 21 07:04:46 pcl logger: maybe an intruder modified one of these suid binary in order to put in a backdoor...
Nov 21 07:04:46 pcl logger: - Checksum changed file : /usr/bin/mtink
Nov 21 07:04:46 pcl logger: - Checksum changed file : /usr/bin/sperl5.8.8
Nov 21 07:04:46 pcl logger: - Checksum changed file : /usr/bin/ttink
Sounds a bit scary, so I'd much appreciate the help of more experienced members.

Also, is there a recommended way to harden my PCLinuxOS?

Thank you.
xscreensaver is a screensaver. Same deal as on Windows but with better graphics. It's fairly normal to have that on a workstation although a lot of people don't run it preferring to leave the terminal to its power management system.

I have no idea what sperl5.8.8 is but a quick google indicates that mtink and ttink are ink monitoring programs for Epson(?) printers.

Can you recall installing such software about the time these messages started to appear?

Any intrusion detection system merely reports changes to files - via their mtime, checksums or whatever methods they choose to use. It is perfectly legitimate to update and expand your system but an IDS will provide false positives in this situation.

You need to update your IDS database to say these files are okay if you know they are okay. If you suspect they are not okay then you can try removing them.

There is plenty of information out there about hardening various Linux. I am sure most will apply to your distro.

Regards

L.
 
Old 11-24-2007, 08:23 AM   #3
eager2no
LQ Newbie
 
Registered: Nov 2007
Posts: 2

Original Poster
Rep: Reputation: 0
lesleyb,
Thanks a lot for the detailed response.

My router is a Fritz!Box, and it turned out it has SEVEN MAC addresses, the culprit being one of them. So I can relax on that count.

mtink, ttink: I in fact have an Epson printer... I am new to Linux, and just started checking the logs, so these programs may have been reported from the start.

sperl turned out to be suidperl.

Quote:
You need to update your IDS database
I don't know how to; I am using Shorewall.
Quote:
plenty of information...about hardening various Linux
I have read around a bit and Bastille looks good, but I am not sure I can just use it on PCLinuxOS.
 
Old 11-26-2007, 07:52 AM   #4
lesleyb
Member
 
Registered: Sep 2003
Distribution: Debian, OpenBSD 3.9 & 3.7
Posts: 79

Rep: Reputation: 17
Well you need to know what program is reporting those file changes. Shorewall is a netfilter front end so it doesn't log file changes.

If you know you have installed those programs and you know the program that is monitoring your files then you should be able to use that program to update the database it reads from.
That will stop the errors referring to mtink, ttink and sperl appearing in syslog but you need to be sure you added them and expected the changes to appear. The whole idea of an IDS is that it monitors changes to files and reports them to you so that you can decide if the change is okay or needs your attention. Always be careful not to add anything to the IDS database you don't expect to have to add.
IDS's can be tedious when setting up a new system but once the system is stabilised they are less work.

I don't know PCLinuxOS at all but it appears to have an IDS system of some sort running. Perhaps a PCLinux specific forum might help?


Regards

Lesley
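To make concrete what lesleyb describes (a checker that keeps a database of SUID-root files and their checksums, reports additions and checksum changes, and lets you accept files you know are legitimate), here is an added, minimal baseline checker. It is not the thread's own code and not the checker PCLinuxOS ships; the baseline file name and the scanned directories are assumptions you can change. It uses MD5 only because that is what the poster's log reported.

```python
import hashlib
import json
import os
import stat
import sys

BASELINE_FILE = "suid-baseline.json"                 # assumed location
SCAN_ROOTS = ["/bin", "/sbin", "/usr/bin", "/usr/sbin"]   # assumed set of directories


def md5_of_bytes(data):
    """MD5 hex digest of a byte string (MD5 to mirror the poster's log; sha256 is the better choice today)."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path):
    """MD5 hex digest of a file, read in chunks."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_suid_files(roots, owner_uid=0):
    """Return {path: md5} for regular files under roots that are setuid and owned by owner_uid."""
    found = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)          # lstat: never follow symlinks
                except OSError:
                    continue
                if not stat.S_ISREG(st.st_mode):
                    continue
                if st.st_mode & stat.S_ISUID and st.st_uid == owner_uid:
                    try:
                        found[path] = md5_of_file(path)
                    except OSError:
                        continue
    return found


def compare(baseline, current):
    """Classify differences the way the poster's log did: added, removed, checksum-changed."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def format_warnings(diff):
    """Render a diff as log-style warning lines."""
    lines = []
    for p in diff["added"]:
        lines.append(f"Security Warning: newly added suid root file : {p}")
    for p in diff["removed"]:
        lines.append(f"Security Warning: suid root file removed : {p}")
    for p in diff["changed"]:
        lines.append(f"Security Warning: checksum changed file : {p}")
    return lines


def accept(baseline, current, paths):
    """Return a new baseline in which only the named paths are taken from current.

    This is the 'tell the IDS these files are okay' step lesleyb describes:
    accept one path at a time, after you have verified where it came from."""
    new = dict(baseline)
    for p in paths:
        if p in current:
            new[p] = current[p]
        else:
            new.pop(p, None)
    return new


if __name__ == "__main__":
    current = find_suid_files(SCAN_ROOTS)
    if not os.path.exists(BASELINE_FILE):
        with open(BASELINE_FILE, "w") as f:
            json.dump(current, f, indent=1, sort_keys=True)
        print(f"baseline written: {len(current)} suid root files")
        sys.exit(0)
    with open(BASELINE_FILE) as f:
        baseline = json.load(f)
    warnings = format_warnings(compare(baseline, current))
    print("\n".join(warnings) if warnings else "no changes to suid root files")
    # To accept a verified file: accept(baseline, current, ["/usr/bin/xscreensaver"]) and save.
```

The first run writes the baseline; later runs print the same three kinds of warning the poster saw. Two caveats a real deployment needs: store the baseline somewhere an attacker who already has root cannot quietly rewrite (read-only media or another host), and only `accept` a path after confirming it, for example by checking it against the package manager's own file list, which is the "be sure you added them" point made above.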
 