LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   Strange Mandrake 9.2 behaviour (http://www.linuxquestions.org/questions/linux-security-4/strange-mandrake-9-2-behaviour-162197/)

Erik Kuhlmann 03-25-2004 08:49 AM

Strange Mandrake 9.2 behaviour
 
I installed Mandrake 9.2 november last year on a Medion MD 40100 portable (2.8GHz, 512MByte RAM), and it has been working perfectly until I wanted to download the new Mandrake version 10.0 Community.

As an old computer professional, but a complete newbie to Linux, I have used some time to get used to using Linux and do simple tasks such as installing extra programs and plugins.

I have used the computer for surfing and mail with Mozilla 1.3 and later 1.4. Besides too much trouble installing the flash plugin, I am very happy with the Linux system, and have a strong intention of replacing the Windows applications I use with Linux dittos. When this process is finished I scrap Windows.

I have a 512Kbit ADSL connection to the internet.

I joined the Mandrake Club, installed Bittorrent and lowered the firewall security from high to normal.

It took 4 days to get all 5 CDs, so I felt for the guys still needing ISOs.

I left the computer and bittorrent online, and my upload rate was, contrary to the download rate, close to the ADSL max speed all the time.

After one day the uploading was still running at max speed, but now the CPU was saturated with work. I just clicked on the alsa mixer window, and it took 10 minutes to redraw.

I had no way to regain control. First I removed the network cable and waited for more than 10 minutes, but the CPU was still 100% loaded.

The only option for me was to remove the power supply and the battery.

When I booted the system, my normal logon screen did not appear; I could only start in terminal mode.

From there I activated the Drake tools, and got KDE back on a subsequent boot.

I have both Windows and Linux on the machine, and an extra FAT32 partition for file exchange.

I could not access the FAT partition anymore. The group name for /mnt was changed from root to adm, and the file permissions were changed also.

If I correct this, it lasts less than an hour before it is reset, so I again lose access rights.

Also, the terminal windows disappear without me closing them, and the KDE start menu is reduced to almost nothing, so programs cannot be started this way. The only survivor is Konqueror, which makes it possible to open a console and then start programs from there.

I obviously have a serious problem; I don't think I'm the only user of my computer now.

This is kind of a surprise to me, as Linux has a reputation of being very secure to use.

My questions are:

1. How do I find the malicious processes, and what are the "normal" processes?
2. What settings / programs are needed to avoid the same happening again?
3. Are there some hints for a newbie to get information/programs to obtain secure internet access without being a Linux guru?

I will be very thankful for help on this problem.

Best regards
Erik

unSpawn 03-25-2004 02:37 PM

I obviously have a serious problem; I don't think I'm the only user of my computer now.
There's a lot to do and a lot of tools to use, but first please check your /etc authentication files, last, lastlog, system and application logs for anomalies. The anomalies you listed could also stem from non-cracking problems.


This is kind of a surprise to me, as Linux has a reputation of being very secure to use.
More often than not "default" installs (esp. w. ppl who kinda like to install EVERYTHING under the sun w/o checking if they really need it all) run a lot of services you do not need.
So I'd say, secure yes, but only when configured, watched and audited to be secure.


My questions are:
1. How do I find the malicious processes, and what are the "normal" processes?

Finding rogue processes is one, eradicating them is another case...
The best way to find 'em would be to power down the box, boot your distro's rescue cdr, Knoppix, FIRE or PSK and use a filesystem integrity scanner to scan the system for changed, new or deleted files. Powering down the box and booting from a cdr is the best option because this completely bypasses any modifications of the kernel. Of course this depends on you having used and configured a filesystem integrity scanner and having a copy of the binary and databases on readonly media. If your package manager can help, you can at least verify system binaries in default locations, but everything not installed using the package manager will be a black area.


The second best way, but with some risk, would be to go to runlevel 1. This cuts off networking and all services, leaving a minimal setup running. If the kernel, /sbin/init, psutils etc etc aren't compromised you could find rogue processes. The risk is you could trigger some "defense" mechanism installed by a cracker to for instance wipe the box.

The third way, and the least trustworthy, would be to reinstall the kernel, glibc, psutils from cdrom, drop to runlevel 1 and then try to find processes. I would not offer that option as advice to anyone sane and it's just listed as a possibility.


2. What settings / programs are needed to avoid the same happening again?
3. Are there some hints for a newbie to get information/programs to obtain secure internet access without being a Linux guru?

There's a lot to do to harden a box. Please check out the LQ FAQ: Security references, the first part about hardening. Then ask some more questions.
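The filesystem integrity scanner unSpawn recommends above works by comparing the current tree against a baseline taken when the box was known to be clean. The following is an added example of that idea in plain shell, not code from the thread or from any of the scanners mentioned; it assumes GNU coreutils sha256sum, and the directory and baseline file names are whatever you pass in. Take the baseline on a known-good system, keep it on read-only media, and run the comparison from a rescue CD against the mounted disk, so that a modified running kernel cannot lie about file contents.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal file integrity baseline.
# Assumes GNU coreutils sha256sum. Paths containing whitespace are not
# handled, which is adequate for system directories such as /bin or /sbin.

# make_baseline DIR OUTFILE: record "sha256  ./path" for every regular file under DIR.
make_baseline() {
  ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
      sha256sum "$f"
    done ) > "$2"
}

# hash_of PATH LISTFILE: print the hash recorded for PATH in LISTFILE, or nothing.
hash_of() {
  awk -v p="$1" '$2 == p { print $1 }' "$2"
}

# compare_baseline DIR BASELINE: print one CHANGED/DELETED/NEW line per
# deviation from BASELINE. Returns 0 when the tree matches, 1 on any drift.
compare_baseline() {
  dir=$1
  base=$2
  cur=$(mktemp)
  make_baseline "$dir" "$cur"
  drift=0
  # Every file that was in the baseline: is it still there and unchanged?
  while read -r hash path; do
    now=$(hash_of "$path" "$cur")
    if [ -z "$now" ]; then
      echo "DELETED $path"; drift=1
    elif [ "$now" != "$hash" ]; then
      echo "CHANGED $path"; drift=1
    fi
  done < "$base"
  # Every file present now but absent from the baseline is new.
  while read -r hash path; do
    [ -n "$(hash_of "$path" "$base")" ] || { echo "NEW $path"; drift=1; }
  done < "$cur"
  rm -f "$cur"
  return $drift
}
```

A typical use is `make_baseline /mnt/disk/sbin /cdrom/sbin.baseline` on the clean system and `compare_baseline /mnt/disk/sbin /cdrom/sbin.baseline` from the rescue CD later. For files the package manager installed, `rpm -Va` on Mandrake gives a similar verification without a baseline of your own; as unSpawn notes, anything installed outside the package manager is not covered by it, which is what the baseline is for.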

Erik Kuhlmann 03-25-2004 05:43 PM

Thanks for a fast and very competent reply.

In this case there is no alternative to basic knowledge, and after I posted the thread I have read halfway through a document about internet security from the Danish Linux User Group SSLUG. They have a very nice and useful collection of internet books, but sadly for most of you guys it is in the Danish language.

Some days ago I installed Mandrake 10.0 on a blank PC, completely standard.

It installed without problems, it works without problems, and it has been connected to the internet. But with this newest information I'm going to reinstall it and then do a lot of investigation on how to make it hard for internet use, and also take the time to use a file integrity scanner just in case...

The extra machine is intended for development use. The damned problem is that during the development work I do a lot of internet surfing; now I'm not sure if it is a good idea to have this machine on the internet or even on a local net where one machine is connected to the internet.

I have been so lucky/prepared that I have never had a virus on my computers at home running MS-Windows. I just hate the thought of losing a lot of hours making the right platform for my work. But watching the way Bill does business rules out Windows for me.

The process of turning your back on Windows is not that easy, although Mandrake has done a very nice job on aiding the installation process. If a much more detailed internet security setup wizard was available to us newbies, I think it could increase the growth rate of the Linux community. I'm a stubborn person, who doesn't like to give up, but I have no problem imagining others with the same Linux history as me giving up at this point, where a big effort is needed in order to safely use an internet browser without losing your working platform.

I think many will return to their well-known world they are familiar with.

The wizard could stretch the need for information over a longer period of time. Time where their loyalty to Linux grows while they are happy users.

Thanks again for all the organised and grouped links, which surely will save me many hours of work, and thanks for offering me more advice with specific questions.

Saying this, I have one right now: What mechanism is behind the modification of group and file permissions on the /mnt directory? I have enabled my access to the FAT32 partition several times, and each time the permissions are returned back within an hour. Can this really be the case in a non-hacked system?

Erik

unSpawn 03-26-2004 01:18 AM

What mechanism is behind the modification of group and file permissions on the /mnt directory?
On modern systems it's PAM, and what you're looking for in terms of permissions is /etc/security/console.perms. If a user is allowed to mount some partition, the first user who mounts the dir will change the perms, logging out will restore it to defaults.

I have enabled my access to the FAT32 partition several times, and each time the permissions are returned back within an hour. Can this really be the case in a non-hacked system?
Looking at the above, yes. I don't know of any rootkit (of course that doesn't mean it doesn't exist) that tries to reset mount dir permissions. If it's timed like this it could be a cronjob, but I haven't checked out Mandy's security and MSEC stuff too much (for the lame reason of not running Mandy :-]).



after I posted the thread I have read halfway through a document about internet security from the Danish Linux User Group SSLUG. They have a very nice and useful collection of internet books, but sadly for most of you guys it is in the Danish language
OT remark, I think "giving back to the community" is cool, but making it only available to locals is, well, IMNSHO, quite sad. If you could give 'em a prod to translate to English and post the URI the Linux community would no doubt be grateful...
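Whether the hourly reset of /mnt is the console.perms behaviour unSpawn describes or something else can be settled by recording exactly when the permissions change and who was logged in at that moment. The script below is an added example of such a check, not code from the thread, from PAM or from Mandrake; it assumes only POSIX ls, awk and who, and the expected "mode owner group" string is hypothetical, whatever you record on your own system when the directory looks right.

```shell
#!/bin/sh
# Added example (not from the thread): detect and log ownership/permission
# drift on a mount point such as /mnt/win. Assumes POSIX ls/awk/who only.

# dir_perms DIR: print "mode owner group" as shown by ls -ld. Only the first
# ten mode characters are used, so an ACL marker such as a trailing "+" is ignored.
dir_perms() {
  ls -ld "$1" | awk '{ print substr($1, 1, 10), $3, $4 }'
}

# check_perms DIR EXPECTED: print an OK or DRIFT line; return 1 on drift.
# EXPECTED is a string such as "drwxrwxr-x root users" (hypothetical value).
check_perms() {
  actual=$(dir_perms "$1")
  if [ "$actual" = "$2" ]; then
    echo "OK    $1 [$actual]"
    return 0
  fi
  echo "DRIFT $1 expected [$2] got [$actual]"
  return 1
}

# log_perms DIR EXPECTED LOGFILE: append a timestamped check result together
# with the users currently logged in, so a drift can be matched against a
# console login or logout (the console.perms trigger) instead of guessed at.
log_perms() {
  users=$(who | awk '{ print $1 "@" $2 }' | sort -u | tr '\n' ' ')
  line=$(check_perms "$1" "$2" || true)
  printf '%s %s users=%s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$line" "${users:-none}" >> "$3"
  case "$line" in DRIFT*) return 1 ;; *) return 0 ;; esac
}
```

Run `log_perms /mnt/win "drwxrwxr-x root users" /var/log/mntperms.log` from a cron entry every few minutes; the log then shows the first entry where the line flips to DRIFT, and the users column tells you whether a console login or logout happened at the same time. If the change lines up with logins it is the PAM console mechanism; if it happens at a fixed time with nobody logging in, look at cron jobs such as the MSEC checks instead.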

