Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I am running CentOS 5.2 final. 5.1.9.6. After approx. 2 minutes of booting, I bring up the 'setroubleshoot' window. At first, it is communicating with the server. Then a few minutes later, it fails with the message at the bottom (in red): 'communication lost to /var/run/setroubleshoot/setroubleshoot_server'. Then, if I open a terminal window (as root), my root prompt has changed. Seems that the ISP provider has my system. How is it they can disable this on my system while I am logged in as root?

I have even rebooted in 'single-user' mode, deactivating both eth0 & eth0.bak, and while the system is rebooting, physically disconnecting the cat5 cable; then after the system reboots, I change my root password, reboot with init 3, then do a 'startx'. Once the system brings up the window manager, I make my 'setroubleshoot' active, bring up the 'networktools', then physically reconnect the cat5 cable, then I activate the two interfaces (eth0, eth0.bak). I see the 'avc denial box' pop up and then quickly go away. At the bottom of the setroubleshoot window, its status changes to communicating with the server. New password & all, firewall enabled, this still takes place.

Yes, my 'root's prompt' changes to the dsl port being used. Also, I have seen my 'key-strokes' being mapped with a single ' right next to my blinking / prompt.
Last edited by warnold; 02-16-2011 at 01:17 AM. Reason: more info
So you are saying that you really believe your ISP is doing this?
Yes I do. This has never happened in the past. This showed itself just after changing ISP provider service. Also, I have seen my keypad strokes being 'mapped'. My / prompt has a ' right next to it (|') without the space.
Where are you from and who is your ISP? Do they have access to your machine? Honestly, I really do not believe it is your ISP.... If anything, you may have a rootkit, or something else is happening that you don't see going on.
Colorado. This took place the very next day after changing out the dsl modem. I cannot say their name..
I have also booted the 4 different flavors of kernels, from the original to the latest rev. level. No, this is real life happening.
Wonder if using a devil-linux box as a first system and then configuring the other original system off it will prevent this?
Seems really weird to me man... To be absolutely safe, scan your system with rkhunter and clam. Thoroughly look over all start up configurations and scripts for any evidence of tampering.
Thanks, will try this when back at home. Also, will think very much about going back to a PIII processor that does not have the implant that all P4's have..
Roger that. Hopefully it's not as bad as we are hoping for :/
Did one better, relocated the pc to a different location, different ISP provider, guess what... No intrusion..
One more final comment about this ISP provider.. Approx. 6 months ago, they notified someone with a Windows based pc, told that person that in files such-n-such there was a trojan (and listed the trojan name), as well as having 3 files infected with such-n-such viruses. Informed that person that if the pc files were not taken care of in 1 week, they would 'cancel' the service.. Also remember that the trojan & virus files were new ones, not old ones. Won't go any further with this.
Fact remains: There is a problem, Scotty..
So you are saying that you really believe your ISP is doing this?
Next time please ask for evidence instead. Allowing the OP to back up claims with tool output and logs means nobody is being forced to interpret things and makes it easier, more efficient to reach an objective conclusion.
I'm saying this because in the OP "server" means "local setroubleshootd service". This has nothing at all to do with any ISP. And if anyone disabled anything from a remote location then network and account access will be logged, even on a machine with std logging configuration.
If the OP doesn't add logs, regardless of the reason, then I'm calling FUD, not ISP (ab)use.
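One way to produce the kind of evidence asked for above, written here as an added example for this thread (not code from any poster): parse /var/log/secure-style sshd and PAM lines for accepted and failed root logins, and check whether the setroubleshoot socket path named in the first post exists locally. The log lines are constructed samples and the helper function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): gather the evidence the reply asks for.
# CentOS 5 logs sshd and PAM session events to /var/log/secure; the
# setroubleshoot "server" is a local UNIX socket, not anything at the ISP.

# Constructed sample of /var/log/secure lines for offline demonstration.
SAMPLE_SECURE=$(cat <<'EOF'
Feb 15 22:01:13 host sshd[2311]: Accepted password for root from 10.0.0.5 port 51022 ssh2
Feb 15 22:01:13 host sshd[2311]: pam_unix(sshd:session): session opened for user root by (uid=0)
Feb 15 22:04:40 host sshd[2340]: Failed password for root from 10.0.0.9 port 40101 ssh2
Feb 15 22:04:44 host sshd[2340]: Failed password for root from 10.0.0.9 port 40101 ssh2
Feb 15 22:10:02 host su: pam_unix(su-l:session): session opened for user root by warnold(uid=500)
EOF
)

# remote_logins LOGTEXT: one "USER SOURCE_IP" line per accepted ssh login.
# Any line here is a remote session that the "ISP did it" theory must explain.
remote_logins() {
    printf '%s\n' "$1" | awk '/sshd\[[0-9]+\]: Accepted/ { print $9, $11 }'
}

# failed_root_logins LOGTEXT: count of rejected password attempts for root.
failed_root_logins() {
    printf '%s\n' "$1" | awk '/sshd\[[0-9]+\]: Failed password for root/ { n++ } END { print n + 0 }'
}

# root_sessions LOGTEXT: count of PAM "session opened for user root" events,
# whether they came in over ssh or via su from a local account.
root_sessions() {
    printf '%s\n' "$1" | grep -c 'session opened for user root'
}

# socket_state PATH: "present" if the setroubleshootd UNIX socket exists
# locally, otherwise "absent" (daemon down or never started).
socket_state() {
    if [ -S "$1" ]; then echo present; else echo absent; fi
}

# collect_evidence: what to paste into a thread like this one; run as root on
# the real machine (not exercised by the offline demo above).
collect_evidence() {
    echo "== accepted ssh logins =="; remote_logins "$(cat /var/log/secure)"
    echo "== failed root logins: $(failed_root_logins "$(cat /var/log/secure)")"
    echo "== root sessions: $(root_sessions "$(cat /var/log/secure)")"
    echo "== setroubleshoot socket: $(socket_state /var/run/setroubleshoot/setroubleshoot_server)"
    echo "== login history =="; last -a 2>/dev/null | head -n 20
}
```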
Good point about the logs. The OP kept extending what he was saying, I didn't really think of checking logs yet.
The output of doing a 'dmesg' does not show any issues. Yet the original message in red at the bottom of the active setroubleshoot says so. Explain the change in my root prompt that just so happens to coincide with whichever port I connect my cat5 into on their dsl box.