[ale] busted networking
Jim Popovitch
jimpop at gmail.com
Sun Jun 21 00:42:28 EDT 2009
tcpdump -i any ??
-Jim P.
On 2009-06-21, Jim Kinney <jim.kinney at gmail.com> wrote:
> Bad situation: I'm unsure of the entrance point but a black hat
> inserted rogue code on a web/mail server. So I wiped the drives,
> installed from scratch, patched and updated and restored from manually
> inspected backups (ugh.)
>
> The web/mail server can't resolve anything except what's in /etc/hosts.
>
> I double checked nsswitch, DNS server setting, firewall ports. It's
> the same as other machines in the LAN.
>
> So I checked the firewall. The iptables rules are correct (i.e. the
> same ones as diffed from the off-site backup made when it went in). I
> even opened it up totally (i.e. NO filters on the WAN<->LAN DNAT/SNAT
> connection process).
>
> Still no joy on dns.
>
> At this point I'm starting to panic. So I fire up tcpdump on the LAN port
> on the firewall and watch for port 53 traffic.
> I see outbound and inbound traffic as I expect.
>
> So I fire up tcpdump on the single nic on the server itself.
> I see nothing.
>
> No traffic at all. I try pinging www.yahoo.com (live ping point good
> for testing) and tcpdump shows nada.
>
> WTF!!!
>
> Stop the networking on the box, unload the nic module, reload
> networking, module load fine, rerun ping and tcpdump.
>
> nada.
>
> If I hadn't been doing this on a fresh install, I would say the box
> has trojaned binaries. But it's a clean install.
>
> I've run rpm -Va on the firewall and it shows up as fine as well (I
> have a copy of the rpmdb parked offsite for the firewall so I have
> high confidence in the data as I rsynced from the copy to the host
> before the run).
>
> I've double checked patch cables even. I can connect to any machine on
> the LAN but nothing, even by IP, past the firewall. The no tcpdump
> data AT ALL at the host itself has me totally batty.
>
> Ideas?
>
> --
> James P. Kinney III
> Actively in pursuit of Life, Liberty and Happiness
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
>
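The hint in the reply is "-i any": a capture bound to the one NIC you believe is in use can miss traffic that actually leaves on another interface (a second NIC, a VLAN, a bridge) or never leaves at all because a local caching resolver on 127.0.0.1 answers it. The script below is an added example, not from either poster; it checks the resolver configured in /etc/resolv.conf, asks the kernel which interface it would use to reach it, and then captures on every interface while forcing a lookup. The host name www.yahoo.com, the nameserver and interface names in the comments and test data, and the "run" argument convention are assumptions; the live part needs root for tcpdump and the dig tool installed.

```shell
#!/bin/sh
# Added example: check the DNS path from a host that cannot resolve names.
# Not from the original thread; interface/address values are assumptions.

# Pull the "dev" field out of one line of `ip route get <addr>` output,
# e.g. "8.8.8.8 via 192.168.1.1 dev eth0 src 192.168.1.10 uid 1000".
egress_iface_from_route() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Return 0 when the nameserver is on loopback: lookups answered by a local
# caching resolver never appear on the physical NIC, only on "lo".
nameserver_is_loopback() {
    case "$1" in
        127.*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Count port-53 packets in `tcpdump -nn` output read from stdin. With -nn the
# port is printed numerically, so a DNS line contains ".53:" (destination)
# or ".53 >" (source). grep -c prints 0 but exits 1 on no match, hence || true.
count_dns_lines() {
    grep -cE '\.53( >|:)' || true
}

# Live check: which way would we reach the resolver, and does anything
# actually go out on *any* interface when we ask for a name?
check_dns_path() {
    ns=$(awk '/^nameserver/ { print $2; exit }' /etc/resolv.conf)
    [ -n "$ns" ] || { echo "no nameserver in /etc/resolv.conf"; return 1; }

    route_line=$(ip route get "$ns" 2>/dev/null | head -n 1)
    dev=$(egress_iface_from_route "$route_line")
    echo "nameserver $ns reached via interface ${dev:-<no route>}"
    if nameserver_is_loopback "$ns"; then
        echo "resolver is local; expect port 53 traffic on lo, not the NIC"
    fi

    cap=$(mktemp)
    # Capture on every interface, not just the one you think is in use.
    tcpdump -i any -nn -l port 53 > "$cap" 2>/dev/null &
    pid=$!
    sleep 1
    dig +time=2 +tries=1 www.yahoo.com @"$ns" > /dev/null 2>&1
    sleep 2
    kill "$pid" 2>/dev/null
    wait "$pid" 2>/dev/null

    n=$(count_dns_lines < "$cap")
    echo "port 53 packets seen on any interface: $n"
    rm -f "$cap"
    [ "$n" -gt 0 ]
}

# Run the live check only when explicitly asked: sh dnspath.sh run
case "${1:-}" in
    run) check_dns_path ;;
esac
```

If the count is zero on every interface while the firewall sees queries from this host's address, the packets are not coming from this box (check for a duplicate IP or MAC on the LAN); if the count is non-zero only on lo, the resolver on loopback is the thing to look at.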