At one point I had multiple screens open with tcpdump on all three NICs - host, firewall LAN and firewall WAN. I don't see data leaving the host. But I do see stuff that appears to be from the host going out to the WAN.<br>
<br>Tomorrow I rebuild/replace the firewall. I'm not taking any chances that there's not trojaned code on it as well. My tests appear good but I think I have a hole in my tinfoil beanie...<br><br><div class="gmail_quote">
On Sun, Jun 21, 2009 at 12:42 AM, Jim Popovitch <span dir="ltr"><<a href="mailto:jimpop@gmail.com">jimpop@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
tcpdump -i any ??<br>
<br>
-Jim P.<br>
<div><div></div><div class="h5"><br>
On 2009-06-21, Jim Kinney <<a href="mailto:jim.kinney@gmail.com">jim.kinney@gmail.com</a>> wrote:<br>
> Bad situation: I'm unsure of the entrance point but a black hat<br>
> inserted rogue code on a web/mail server. So I wiped the drives,<br>
> installed from scratch, patched and updated and restored from manually<br>
> inspected backups (ugh.)<br>
><br>
> The web/mail server can't resolve anything except what's in /etc/hosts.<br>
><br>
> I double checked nsswitch, DNS server setting, firewall ports. It's<br>
> the same as other machines in the LAN.<br>
><br>
> So I checked the firewall. The iptables rules are correct (i.e. the<br>
> same ones as diffed from the off-site backup made when it went in). I<br>
> even opened it up totally (i.e. NO filters on the WAN<->LAN DNAT/SNAT<br>
> connection process).<br>
><br>
> Still no joy on dns.<br>
><br>
> At this point I'm starting to panic. So I fire up tcpdump on the LAN port<br>
> on the firewall and watch for port 53 traffic.<br>
> I see outbound and inbound traffic as I expect.<br>
><br>
> So I fire up tcpdump on the single nic on the server itself.<br>
> I see nothing.<br>
><br>
> No traffic at all. I try pinging <a href="http://www.yahoo.com" target="_blank">www.yahoo.com</a> (live ping point good<br>
> for testing) and tcpdump shows nada.<br>
><br>
> WTF!!!<br>
><br>
> Stop the networking on the box, unload the nic module, reload<br>
> networking, module load fine, rerun ping and tcpdump.<br>
><br>
> nada.<br>
><br>
> If I hadn't been doing this on a fresh install, I would say the box<br>
> has trojaned binaries. But it's a clean install.<br>
><br>
> I've run rpm -Va on the firewall and it shows up as fine as well (I<br>
> have a copy of the rpmdb parked offsite for the firewall so I have<br>
> high confidence in the data as I rsynced from the copy to the host<br>
> before the run).<br>
><br>
> I've double checked patch cables even. I can connect to any machine on<br>
> the LAN but nothing, even by IP, past the firewall. The no tcpdump<br>
> data AT ALL at the host itself has me totally batty.<br>
><br>
> Ideas?<br>
><br>
> --<br>
> --<br>
> James P. Kinney III<br>
> Actively in pursuit of Life, Liberty and Happiness<br>
</div></div>> _______________________________________________<br>
> Ale mailing list<br>
> <a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
> <a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
><br>
</blockquote></div><br><br clear="all"><br>-- <br>-- <br>James P. Kinney III<br>Actively in pursuit of Life, Liberty and Happiness <br><br>
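The cross-check described in this thread, comparing what the server's own tcpdump reports against what the firewall's LAN-side capture sees for the same host over the same interval, as an added Python example that is not part of the thread; the tcpdump summary lines and addresses are constructed, and the assumption is that both captures were taken with tcpdump -n so the lines have the usual "IP src.port > dst.port:" shape.

```python
import re
from collections import Counter

# Constructed sample tcpdump -n summary lines (not from the thread).
# HOST_CAPTURE is what tcpdump on the server's own NIC reported;
# FIREWALL_CAPTURE is what the firewall's LAN interface saw at the same time.
HOST_CAPTURE = """\
12:00:01.000001 IP 192.0.2.10.40001 > 192.0.2.20.22: Flags [P.], seq 1:50, length 49
12:00:01.000200 IP 192.0.2.20.22 > 192.0.2.10.40001: Flags [.], ack 50, length 0
"""

FIREWALL_CAPTURE = """\
12:00:01.000001 IP 192.0.2.10.40001 > 192.0.2.20.22: Flags [P.], seq 1:50, length 49
12:00:01.000200 IP 192.0.2.20.22 > 192.0.2.10.40001: Flags [.], ack 50, length 0
12:00:01.500000 IP 192.0.2.10.51234 > 192.0.2.1.53: 1234+ A? www.yahoo.com. (31)
12:00:01.520000 IP 192.0.2.1.53 > 192.0.2.10.51234: 1234 1/0/0 A 198.51.100.7 (47)
12:00:02.000000 IP 192.0.2.10.44444 > 203.0.113.9.443: Flags [S], seq 0, length 0
"""

# Matches "IP <src>.<sport> > <dst>.<dport>:" in a tcpdump -n summary line.
LINE_RE = re.compile(r"IP (\S+?)\.(\d+) > (\S+?)\.(\d+):")


def flows(capture):
    """Count (src, sport, dst, dport) tuples seen in tcpdump summary text."""
    counts = Counter()
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if m:
            counts[(m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))] += 1
    return counts


def hidden_flows(host_capture, upstream_capture, host_ip):
    """Flows involving host_ip that the upstream vantage point saw but the
    host's own capture did not. A non-empty result means the host's view of
    its own NIC disagrees with the wire, which is what the thread observed."""
    seen_locally = flows(host_capture)
    seen_upstream = flows(upstream_capture)
    return sorted(
        f for f in seen_upstream
        if host_ip in (f[0], f[2]) and f not in seen_locally
    )


if __name__ == "__main__":
    for f in hidden_flows(HOST_CAPTURE, FIREWALL_CAPTURE, "192.0.2.10"):
        print("seen upstream, not on host:", f)
```

With the constructed data the DNS query, its reply and the outbound connection to 203.0.113.9 show up only on the firewall side, which is the discrepancy to chase on the host (capture path, NIC driver module, libpcap) before trusting anything it reports.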