My 'iptables' rules change by itself and add some ip-addresses
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
My 'iptables' rules change by itself and add some ip-addresses
Hey Hello,
First of all - 'cronetab' at every reboot reload iptables rules.
recenty i randlomly ran program >> tcpdump <<
to check whats happening what are connections that performs.
Problem is that my iptables got changed, by some unknown force. Any idea what that could be?
When they are freshly loaded they look like this
Code:
$ sudo iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG
-A INPUT -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -j ACCEPT
however during the check i had this
Code:
$ sudo iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -s 107.150.94.3/32 -i wlan0 -j ACCEPT
-A INPUT -s 107.150.94.3/32 -i eth0 -j ACCEPT
-A INPUT -i wlan0 -j DROP
-A INPUT -i eth0 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG
-A INPUT -j DROP
-A OUTPUT -d 107.150.94.3/32 -o wlan0 -j ACCEPT
-A OUTPUT -d 107.150.94.3/32 -o eth0 -j ACCEPT
-A OUTPUT -o wlan0 -j DROP
-A OUTPUT -o eth0 -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -j ACCEPT
and my tcpdump had a lot of those
Code:
00:13:14.889336 IP mx.52975 > 107.150.94.3.1216: UDP, length 77
00:13:14.889373 IP mx.52975 > 107.150.94.3.1216: UDP, length 77
00:13:14.889622 IP 107.150.94.3.1216 > mx.52975: UDP, length 1391
00:13:14.889646 IP 107.150.94.3.1216 > mx.52975: UDP, length 1391
00:13:14.889866 IP mx.52975 > 107.150.94.3.1216: UDP, length 77
00:13:14.890408 IP 107.150.94.3.1216 > mx.52975: UDP, length 1391
00:13:14.890749 IP 107.150.94.3.1216 > mx.52975: UDP, length 1391
00:13:14.890772 IP 107.150.94.3.1216 > mx.52975: UDP, length 1391
00:13:14.890790 IP 107.150.94.3.1216 > mx.52975: UDP, length 678
00:13:14.891173 IP mx.52975 > 107.150.94.3.1216: UDP, length 77
00:13:14.891490 IP mx.52975 > 107.150.94.3.1216: UDP, length 77
00:13:14.891620 IP mx.52975 > 107.150.94.3.1216: UDP, length 77
00:13:14.994781 IP 107.150.94.3.1216 > mx.52975: UDP, length 77
00:13:15.098738 IP 107.150.94.3.1216 > mx.52975: UDP, length 77
00:13:15.098917 IP mx.52975 > 107.150.94.3.1216: UDP, length 77
00:13:15.914889 IP mx.52975 > 107.150.94.3.1216: UDP, length 84
00:13:15.979540 IP 107.150.94.3.1216 > mx.52975: UDP, length 311
00:13:15.981930 IP mx.52975 > 107.150.94.3.1216: UDP, length 85
00:13:16.046333 IP 107.150.94.3.1216 > mx.52975: UDP, length 85
00:13:16.046538 IP mx.52975 > 107.150.94.3.1216: UDP, length 77
00:13:16.046584 IP mx.52975 > 107.150.94.3.1216: UDP, length 274
00:13:16.111812 IP 107.150.94.3.1216 > mx.52975: UDP, length 77
00:13:16.397400 IP 107.150.94.3.1216 > mx.52975: UDP, length 221
00:13:16.397589 IP mx.52975 > 107.150.94.3.1216: UDP, length 77
00:13:16.400295 IP mx.52975 > 107.150.94.3.1216: UDP, length 84
00:13:16.464656 IP 107.150.94.3.1216 > mx.52975: UDP, length 311
00:13:16.466825 IP mx.52975 > 107.150.94.3.1216: UDP, length 85
00:13:16.531744 IP 107.150.94.3.1216 > mx.52975: UDP, length 85
00:13:16.531937 IP mx.52975 > 107.150.94.3.1216: UDP, length 77
00:13:16.543677 IP mx.52975 > 107.150.94.3.1216: UDP, length 594
00:13:16.609471 IP 107.150.94.3.1216 > mx.52975: UDP, length 77
00:13:16.891860 IP 107.150.94.3.1216 > mx.52975: UDP, length 1391
00:13:16.891892 IP 107.150.94.3.1216 > mx.52975: UDP, length 1391
00:13:16.891904 IP 107.150.94.3.1216 > mx.52975: UDP, length 1391
00:13:16.892080 IP 107.150.94.3.1216 > mx.52975: UDP, length 845
00:13:16.892325 IP mx.52975 > 107.150.94.3.1216: UDP, length 77
00:13:16.892368 IP mx.52975 > 107.150.94.3.1216: UDP, length 77
00:13:16.892395 IP mx.52975 > 107.150.94.3.1216: UDP, length 77
00:13:16.892422 IP mx.52975 > 107.150.94.3.1216: UDP, length 77
00:13:16.897658 IP mx.52975 > 107.150.94.3.1216: UDP, length 235
00:13:16.961150 IP 107.150.94.3.1216 > mx.52975: UDP, length 77
00:13:17.105790 IP 107.150.94.3.1216 > mx.52975: UDP, length 128
00:13:17.107236 IP mx.52975 > 107.150.94.3.1216: UDP, length 303
00:13:17.172072 IP 107.150.94.3.1216 > mx.52975: UDP, length 77
00:13:17.318467 IP 107.150.94.3.1216 > mx.52975: UDP, length 1391
00:13:17.318739 IP 107.150.94.3.1216 > mx.52975: UDP, length 1391
00:13:17.318820 IP mx.52975 > 107.150.94.3.1216: UDP, length 77
00:13:17.319015 IP 107.150.94.3.1216 > mx.52975: UDP, length 1391
00:13:17.319028 IP 107.150.94.3.1216 > mx.52975: UDP, length 1391
00:13:17.319032 IP 107.150.94.3.1216 > mx.52975: UDP, length 557
00:13:17.319146 IP mx.52975 > 107.150.94.3.1216: UDP, length 77
00:13:17.319854 IP mx.52975 > 107.150.94.3.1216: UDP, length 77
00:13:17.320658 IP mx.52975 > 107.150.94.3.1216: UDP, length 77
00:13:17.430676 IP 107.150.94.3.1216 > mx.52975: UDP, length 77
00:13:17.430831 IP 107.150.94.3.1216 > mx.52975: UDP, length 77
00:13:17.526959 IP 107.150.94.3.1216 > mx.52975: UDP, length 77
00:13:17.527097 IP mx.52975 > 107.150.94.3.1216: UDP, length 77
00:13:17.528375 IP 107.150.94.3.1216 > mx.52975: UDP, length 77
00:13:17.528493 IP mx.52975 > 107.150.94.3.1216: UDP, length 77
00:13:28.061473 IP _gateway > all-systems.mcast.net: igmp query v3
00:13:48.362757 IP _gateway > all-systems.mcast.net: igmp query v3
00:13:51.483950 IP mx.52975 > 107.150.94.3.1216: UDP, length 138
00:13:51.549192 IP 107.150.94.3.1216 > mx.52975: UDP, length 77
00:13:51.677058 IP 107.150.94.3.1216 > mx.52975: UDP, length 230
00:13:51.677253 IP mx.52975 > 107.150.94.3.1216: UDP, length 77
00:13:54.365744 IP mx.52975 > 107.150.94.3.1216: UDP, length 101
00:13:54.502097 IP 107.150.94.3.1216 > mx.52975: UDP, length 101
00:13:56.674243 ARP, Request who-has _gateway tell mx, length 28
00:13:56.675275 ARP, Reply _gateway is-at 24:4b:fe:e4:7e:00 (oui Unknown), length 46
00:14:01.381356 IP mx.52975 > 107.150.94.3.1216: UDP, length 138
00:14:01.446102 IP 107.150.94.3.1216 > mx.52975: UDP, length 77
00:14:01.572937 IP 107.150.94.3.1216 > mx.52975: UDP, length 139
00:14:01.573106 IP mx.52975 > 107.150.94.3.1216: UDP, length 77
Recently i made simmilar check, and i got this
Code:
$ sudo iptables -S
[sudo] password for mx:
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -s 5.180.62.164/32 -i wlan0 -j ACCEPT
-A INPUT -s 5.180.62.164/32 -i eth0 -j ACCEPT
-A INPUT -i wlan0 -j DROP
-A INPUT -i eth0 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG
-A INPUT -j DROP
-A OUTPUT -d 5.180.62.164/32 -o wlan0 -j ACCEPT
-A OUTPUT -d 5.180.62.164/32 -o eth0 -j ACCEPT
-A OUTPUT -o wlan0 -j DROP
-A OUTPUT -o eth0 -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -j ACCEPT
Unless those IP addresses mean something to you, I would conclude that the system has been compromised and is likely serving as a node in someone elses botnet (the new owners).
I would immediately remove internet access to the machine, power it off and check any others on the same local network for similar problems.
If you need to save any data from it or want to do some forensic work to try to figure out how it has been compromised, do so in isolation and do not expose that machine to the internet again. If you remove any files from that machine be very selective and validate that they are what you think they are or you just might propagate the problem to another machine.
How to fix it? I would do nothing less than perform a complete fresh install from repartioned and reformatted drive and not restore anything from backups until it was validated.
I found out, that tcpdump shows only ip number happens after connecting to VPN,
before connection takes place, domains have names, and there are few.
It is not the first time when i found such a situation, so i took some measures,
after redoing the system, i always have updates && upgrades, i use vpn, the iptable rules are loaded up again at every boot, i use password managers, have some sandboxes
what else can i do to prevent such a situation? Thanks
If "these things only happen after connecting VPN," obviously we need to know more about this – and, you might need to investigate.
Who is "the VPN server?" Are you connecting publicly in a coffee shop, or are you establishing a VPN tunnel to a remote office or trusted client? Exactly what sort of VPN is it ("OpenSwan == IPSec" or "OpenVPN?") How is it secured? ("PSKs == passwords" or "digital certificates?")
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
