LinuxQuestions.org


xnomad 06-28-2007 04:09 AM

Shorewall rules mysteriously changed after system crash
 
Hi,

A Mandriva 2007 box of mine just hung after I tried to SSH to it. This box is always on and is behind a NAT firewall on my ADSL Router, and this box also has its own shorewall firewall.

After I rebooted the box I found that these files have changed:

interfaces (changed but no visible change)
masq (changed but no visible change)
policy (changed; the logging used to go to ulogd, now has "info")
rules.drakx (some of my old rules stuff ended up in here but not all)
shorewall.conf (no visible change)
zones (no visible changes)
rules (my rules are missing; it now calls on rules.drakx)
params (changed but my params are still there)


The timestamp has changed for some of these files but nothing visible has changed, but for some files, like my rules files, there is a lot of info missing. The rules file seems to have reverted to the original setting that came with the RPM when I installed Mandriva 2007. Some of my rules are now in the rules.drakx.

I know I didn't install or uninstall shorewall recently. I also checked the rules file 2 days ago and it looked normal. Is it possible that the files were lost in a crash and shorewall rebuilt the rules from scratch?

I'm a bit nervous this box has been compromised.

Thanks

MoMule 06-28-2007 07:09 AM

Are you running httpd-naat? Have you updated any packages recently?

From past experience I ran into something similar. I installed shorewall using the httpd-naat frontend. Later I went in and manually changed those files you mentioned to fit my needs. At some certain time of the night httpd-naat configurations would overwrite my manual entries...

Do you have rkhunter installed and running to check for any rootkits or file changes?

Deion "Mule" Christopher
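
The thread separates files whose timestamp changed with no visible difference from files whose contents were replaced. The following is an added example, not part of either post: a baseline-and-compare check that tells those cases apart for a firewall configuration directory. The function names `snapshot`, `compare` and `demo` are chosen here, and the directory and file contents are a constructed stand-in for /etc/shorewall.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(directory):
    """Map each regular file in `directory` to (sha256 hex digest, mtime in ns)."""
    snap = {}
    for path in sorted(Path(directory).iterdir()):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            snap[path.name] = (digest, path.stat().st_mtime_ns)
    return snap


def compare(baseline, current):
    """Classify every file name seen in either snapshot."""
    report = {}
    for name in sorted(set(baseline) | set(current)):
        if name not in current:
            report[name] = "missing"
        elif name not in baseline:
            report[name] = "added"
        elif baseline[name][0] != current[name][0]:
            report[name] = "content changed"
        elif baseline[name][1] != current[name][1]:
            report[name] = "mtime changed, same content"
        else:
            report[name] = "unchanged"
    return report


def demo():
    """Run the check on a constructed directory; all file contents are made up."""
    with tempfile.TemporaryDirectory() as tmp:
        conf = Path(tmp)
        (conf / "interfaces").write_text("net eth0 detect\n")
        (conf / "rules").write_text("ACCEPT net fw tcp 22\n")
        (conf / "policy").write_text("net all DROP ULOG\n")
        baseline = snapshot(conf)
        # Simulated later state: one file touched, one replaced, one new.
        os.utime(conf / "interfaces", ns=(1, 1))
        (conf / "rules").write_text("INCLUDE rules.drakx\n")
        (conf / "rules.drakx").write_text("ACCEPT net fw tcp 22\n")
        return compare(baseline, snapshot(conf))


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:12} {status}")
```

A baseline is only useful evidence if it is stored somewhere the monitored host cannot rewrite, such as read-only media or another machine.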

