LinuxQuestions.org
06-28-2007, 04:09 AM   #1
xnomad
Shorewall rules mysteriously changed after system crash


Hi,

A Mandriva 2007 box of mine just hung after I tried to SSH to it. This box is always on and is behind a NAT firewall on my ADSL router, and this box also has its own shorewall firewall.

After I rebooted the box I found that these files have changed:

interfaces (changed but no visible change)
masq (changed but no visible change)
policy (changed the logging used to go to ulogd now has "info")
rules.drakx (some of my old rules stuff ended in here but not all)
shorewall.conf (no visible change)
zones (no visible changes)
rules (my rules are missing it now calls on rules.drakx)
params (changed but my params are still there)


The timestamp has changed for some of these files but nothing visible has changed but for some files like my rules files there is a lot of info missing. The rules file seems to have reverted to the original setting that came with the RPM when I installed Mandriva 2007. Some of my rules are now in the rules.drakx.

I know I didn't install or uninstall shorewall recently. I also checked the rules file 2 days ago and it looked normal. Is it possible that the files were lost in a crash and shorewall rebuilt the rules from scratch?

I'm a bit nervous this box has been compromised.

Thanks
 
06-28-2007, 07:09 AM   #2
MoMule
Are you running httpd-naat? Have you updated any packages recently?

From past experience I ran into something similar. I installed shorewall using httpd-naat frontend. Later I went in and manually changed those files you mentioned to fit my needs. At some certain time of the night httpd-naat configurations would overwrite my manual entries...

Do you have rkhunter installed and running to check for any rootkits or file changes?

Deion "Mule" Christopher
 
  


All times are GMT -5.