Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Hello,
I use GNU/Linux Mandrake 10 and ADSL provided by Tiscali.
Today I kept my home computer on all day while I was at work,
and when I came back home, I noticed my IP address had changed (I used ifconfig to notice that).
How is it possible? Has my computer been intruded?
I attach the parts of /var/log/security.log that are strange.
Thanks for your help.
/*Parts of /var/log/security.log*/
Security Warning: the md5 checksum for one of your SUID files has changed,
maybe an intruder modified one of these suid binary in order to put in a backdoor...
- Checksum changed file : /usr/bin/passwd
Security Warning: There are modifications for port listening on your machine :
- Opened ports : tcp 0 0 *:x11 *:* LISTEN 7489/X
- Opened ports : tcp 0 0 *:ipp *:* LISTEN 2721/cupsd
- Closed ports : tcp 0 0 *:32768 *:* LISTEN 2648/X
- Closed ports : tcp 0 0 *:ipp *:* LISTEN 1982/cupsd
(...)
Security Warning: These packages have changed on the system :
(...)
- Newly installed package : passwd-0.68-2.2.100mdk 1094383447
/* result of chkrootkit*/
[root@localhost log]# /usr/local/src/chkrootkit-0.44/chkrootkit passwd
ROOTDIR is `/'
Checking `passwd'... not infected
Well, is chkrootkit really safe? Or maybe I am paranoid?
Well, chkrootkit is a great tool, not a panacea. You can also try "rootkit hunter".
Anyway, regarding your logs, they don't look so strange. I mean, they could mean a LOT of bad things, but as far as I can see, it could be the result of an automatic update. If you have automatic updates enabled (I'm not into Mandrake so I'm not sure if it's possible), maybe it just downloaded the new passwd version.
This is the best case; the worst case may be an intrusion. So my suggestion is: get a safe copy of passwd somewhere and
keep an eye on the network traffic
install security utilities
don't panic but don't relax too much
PS: regarding the IP change, I guess your IP is dynamic, so maybe you just got disconnected and reconnected with another IP. Nothing to worry about, I guess.
My broadband internet IP changes often when the machine or interface is shut down and DHCP runs again (or when the ISP server goes down and is restarted).
I see no reason why an attacker would want to change your IP...
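The "md5 checksum for one of your SUID files has changed" line in the log above is produced by a baseline-and-compare check. Here is a small script that does the same job, added here as an example; it is neither from this thread nor Mandrake's own msec code. It records every SUID/SGID binary under a directory with its SHA-256 checksum and, on the next run, reports which entries are new, changed or gone. The directory to scan and the baseline files are parameters, and the `/var/lib/suid-baseline` path in the comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread, not Mandrake's msec): keep a baseline of
# SUID/SGID binaries and their checksums and report what changed since the
# previous run. Assumes coreutils sha256sum and POSIX find/awk/sort.

# Write one "path<TAB>sha256" line per SUID/SGID regular file under $1 to $2.
suid_baseline() {
    root=$1
    out=$2
    : > "$out"
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    LC_ALL=C sort |
    while IFS= read -r f; do
        sum=$(sha256sum < "$f" | cut -d' ' -f1)   # checksum of the file content only
        printf '%s\t%s\n' "$f" "$sum" >> "$out"
    done
}

# Compare an old baseline ($1) with a new one ($2).
# Prints one NEW / CHANGED / REMOVED line per path; prints nothing if identical.
suid_diff() {
    awk -F'\t' '
        FILENAME == ARGV[1] { old[$1] = $2; next }    # first file: old baseline
        { new[$1] = $2 }                               # second file: new baseline
        END {
            for (p in new) {
                if (!(p in old))           print "NEW " p
                else if (old[p] != new[p]) print "CHANGED " p
            }
            for (p in old) if (!(p in new)) print "REMOVED " p
        }' "$1" "$2" | LC_ALL=C sort
}

# Typical use: take the baseline from a freshly installed, trusted system, then
# run the diff from a nightly cron job and mail anything that is non-empty.
# BASELINE=/var/lib/suid-baseline        (placeholder path)
# suid_baseline / "$BASELINE.new" && suid_diff "$BASELINE" "$BASELINE.new"
```

A baseline is only as good as the state it was taken from, so it should come from a fresh install or from installation media, not from a box that is already suspected. On an RPM-based system such as Mandrake, `rpm -V passwd` compares the installed files against the package database, and `rpm --checksig` on a downloaded package verifies its signature before it is trusted. A changed checksum that coincides with a "Newly installed package" line, as in the log above, is consistent with an update; a diff taken after the update, against a baseline refreshed at that point, should then stay empty.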
Originally posted by qwijibow: You mean your internet IP?
My broadband internet IP changes often when the machine or interface is shut down and DHCP runs again (or when the ISP server goes down and is restarted).
I see no reason why an attacker would want to change your IP...
Yes, my internet IP changed while I was not home.
If my interface shut down, OK, the IP address can change, but in this case, who brought the interface up again? Is it done automatically?
Moreover, I run snort on my Linux box. I didn't notice anything special in the logs, because snort was stopped. Something made it crash, or (I hope not) someone?
I know I am paranoid about computer security, but all this stuff seems strange. And "even paranoiacs have enemies".
Think of it this way... if someone remotely accessed your internet connection, then they will have lost their own connection to it by shutting down the network interface and lost the ability to restart it...
Unless they put maybe a cron job or sleep script to start up the interface again for them, thus changing the IP, and still, they lost their connection to you by not knowing the new IP.
Maybe your ISP changed your IP... maybe interfaces don't need to be reset, maybe they do it automatically...
And SOME distros restart interfaces that die... I set up my Red Hat 9 box to do this on my unstable dial-up.
If I were you, I would phone the ISP and ask them if they changed your IP, and explain you are concerned about security... security of the customers is often very important to ISPs (or it is important that they give that impression); they should try to be helpful!
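The question of when the address changed, and whether the interface went down at that moment, is easier to answer with a timestamped record than from memory. The following cron-friendly recorder is an added example, not from this thread: it keeps a state file with the last seen address and appends a line to a log whenever the address differs, so the timestamp can be lined up with the DHCP or PPP client messages in syslog. `current_ip` assumes iproute2's `ip` command; the interface name, the crontab line and the `/var/lib/ipwatch` and `/var/log/ipwatch.log` paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): record when the address on an interface
# changes, so a later "my IP changed" can be dated and matched against syslog.
# Assumes iproute2 `ip`; paths and the interface name are placeholders.

# Print the first IPv4 address of interface $1 (empty if none or no such device).
current_ip() {
    ip -4 -o addr show dev "$1" 2>/dev/null | awk '{ print $4 }' | cut -d/ -f1 | head -n 1
}

# Compare $1 (the address now) with the state file $2; when it differs, append a
# timestamped "old -> new" line to the log $3 and update the state file.
# Returns 0 if a change was recorded, 1 if the address is unchanged.
record_ip() {
    now=$1
    state=$2
    log=$3
    prev=$(cat "$state" 2>/dev/null || true)
    [ "$now" = "$prev" ] && return 1
    printf '%s %s -> %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "${prev:-none}" "${now:-none}" >> "$log"
    printf '%s\n' "$now" > "$state"
    return 0
}

# crontab entry (placeholder):  */5 * * * * /usr/local/sbin/ipwatch.sh
# body of ipwatch.sh:
# record_ip "$(current_ip ppp0)" /var/lib/ipwatch/state /var/log/ipwatch.log
```

An address that changes without a matching "link down" or reconnect message in syslog points at a DHCP lease renewal handing out a different address; a change preceded by the interface going down and the client restarting it is the case described above, and the log line tells you exactly when it happened.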
Originally posted by qwijibow: Think of it this way... if someone remotely accessed your internet connection, then they will have lost their own connection to it by shutting down the network interface and lost the ability to restart it...
Unless they put maybe a cron job or sleep script to start up the interface again for them, thus changing the IP, and still, they lost their connection to you by not knowing the new IP.
Maybe your ISP changed your IP... maybe interfaces don't need to be reset, maybe they do it automatically...
And SOME distros restart interfaces that die... I set up my Red Hat 9 box to do this on my unstable dial-up.
If I were you, I would phone the ISP and ask them if they changed your IP, and explain you are concerned about security... security of the customers is often very important to ISPs (or it is important that they give that impression); they should try to be helpful!
Yes. I contacted my ISP and asked the question about this IP address stuff. But... still no response. And, moreover, I have a problem with my ISP (Tiscali): they don't want to hear about Linux. They explicitly wrote in the general conditions that Linux is not supported. I want to change ISP but I'm still bound for one year... Well, to sum up, don't use Tiscali as an ISP.
OK, for the IP address change, it is probably not an intrusion (unless the cracker wrote a script to restart the interface and send himself the new IP address... it is possible, I think, but a little bit weird, I admit).
But I need to test and check the security of my box; I'm still paranoid.
Thank you very much
--
PS: I apologize for my "Frenglish".
You don't have to mention Linux...
PHONE them (they will never reply to email)
and say that Windows XP is reporting that your IP has changed. Ask them if their customers' IP addresses are meant to be static or dynamic, and ask if an IP can be changed on your machine without a shutdown, while unattended.