[ale] busted networking
Jim Kinney
jim.kinney at gmail.com
Sun Jun 21 00:51:52 EDT 2009
At one point I had multiple screens open with tcpdump on all three NICs -
host, firewall LAN and firewall WAN. I don't see data leaving the host. But
I do see stuff that appears to be from the host going out to the WAN.
Tomorrow I rebuild/replace the firewall. I'm not taking any chances that
there's not trojaned code on it as well. My tests appear good but I think I
have a hole in my tinfoil beanie...
On Sun, Jun 21, 2009 at 12:42 AM, Jim Popovitch <jimpop at gmail.com> wrote:
> tcpdump -i any ??
>
> -Jim P.
>
> On 2009-06-21, Jim Kinney <jim.kinney at gmail.com> wrote:
> > Bad situation: I'm unsure of the entrance point but a black hat
> > inserted rogue code on a web/mail server. So I wiped the drives,
> > installed from scratch, patched and updated and restored from manually
> > inspected backups (ugh.)
> >
> > The web/mail server can't resolve anything except what's in /etc/hosts.
> >
> > I double checked nsswitch, DNS server setting, firewall ports. It's
> > the same as other machines in the LAN.
> >
> > So I checked the firewall. The iptables rules are correct (i.e. the
> > same ones as diffed from the off-site backup made when it went in). I
> > even opened it up totally (i.e. NO filters on the WAN<->LAN DNAT/SNAT
> > connection process).
> >
> > Still no joy on dns.
> >
> > At this point I'm starting to panic. So I fire up tcpdump on the LAN port
> > on the firewall and watch for port 53 traffic.
> > I see outbound and inbound traffic as I expect.
> >
> > So I fire up tcpdump on the single nic on the server itself.
> > I see nothing.
> >
> > No traffic at all. I try pinging www.yahoo.com (live ping point good
> > for testing) and tcpdump shows nada.
> >
> > WTF!!!
> >
> > Stop the networking on the box, unload the nic module, reload
> > networking, module loads fine, rerun ping and tcpdump.
> >
> > nada.
> >
> > If I hadn't been doing this on a fresh install, I would say the box
> > has trojaned binaries. But it's a clean install.
> >
> > I've run rpm -Va on the firewall and it shows up as fine as well (I
> > have a copy of the rpmdb parked offsite for the firewall so I have
> > high confidence in the data as I rsynced from the copy to the host
> > before the run).
> >
> > I've double checked patch cables even. I can connect to any machine on
> > the LAN but nothing, even by IP, past the firewall. The no tcpdump
> > data AT ALL at the host itself has me totally batty.
> >
> > Ideas?
> >
> > --
> > James P. Kinney III
> > Actively in pursuit of Life, Liberty and Happiness
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://mail.ale.org/mailman/listinfo/ale
> >
--
James P. Kinney III
Actively in pursuit of Life, Liberty and Happiness
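The check the thread is doing by eye (tcpdump on the host NIC versus tcpdump on the firewall LAN NIC) can be done mechanically. The script below is an added example, not code from the thread or its posters: it parses the text output of `tcpdump -nn` from both capture points and lists port-53 flows that the firewall attributes to the host's address but the host's own capture never recorded. The addresses and capture lines are constructed for the example.

```python
"""Compare tcpdump -nn summaries from the host NIC and the firewall LAN NIC.

Added example, not from the thread. A flow the firewall sees with the host's
source address that the host itself never captured is the symptom described
in the thread: either the host's capture path is being hidden from, or
another device on the LAN is sending with the host's address.
"""
import re

# Matches the "IP a.b.c.d.port > e.f.g.h.port" part of a tcpdump -nn line.
FLOW_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+)"
)


def parse_flows(capture_text):
    """Return a set of (src_ip, src_port, dst_ip, dst_port) tuples."""
    flows = set()
    for line in capture_text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            flows.add((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return flows


def unseen_by_host(host_capture, firewall_capture, host_ip, port=53):
    """Flows to `port` that the firewall attributes to host_ip but the host never captured."""
    host_flows = parse_flows(host_capture)
    suspect = set()
    for flow in parse_flows(firewall_capture):
        src, _sport, _dst, dport = flow
        if src == host_ip and dport == port and flow not in host_flows:
            suspect.add(flow)
    return sorted(suspect)


# Constructed sample captures (documentation-range addresses, hypothetical):
# the host capture is empty, as in the thread, while the firewall LAN side
# shows a DNS query carrying the host's address plus unrelated LAN traffic.
HOST_IP = "192.168.1.10"
HOST_CAPTURE = ""
FIREWALL_CAPTURE = """\
00:41:12.101 IP 192.168.1.10.40123 > 192.0.2.53.53: 12345+ A? www.yahoo.com. (31)
00:41:12.133 IP 192.0.2.53.53 > 192.168.1.10.40123: 12345 1/0/0 A 203.0.113.5 (47)
00:41:15.200 IP 192.168.1.20.51000 > 192.0.2.53.53: 777+ A? example.com. (29)
"""

if __name__ == "__main__":
    for src, sport, dst, dport in unseen_by_host(HOST_CAPTURE, FIREWALL_CAPTURE, HOST_IP):
        print(f"firewall saw {src}:{sport} -> {dst}:{dport}; host capture did not")
```

Feed it real `tcpdump -nn` output saved from each interface during the same window; any line it prints is a flow worth explaining before trusting the host.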