[ale] busted networking
Jim Kinney
jim.kinney at gmail.com
Sun Jun 21 00:32:29 EDT 2009
Bad situation: I'm unsure of the entrance point but a black hat
inserted rogue code on a web/mail server. So I wiped the drives,
installed from scratch, patched and updated and restored from manually
inspected backups (ugh.)
The web/mail server can't resolve anything except what's in /etc/hosts.
I double checked nsswitch, DNS server setting, firewall ports. It's
the same as other machines in the LAN.
So I checked the firewall. The iptables rules are correct (i.e. the
same ones as diffed from the off-site back made when it went in). I
even opened it up totally (i.e. NO filters on the WAN<->LAN DNAT/SNAT
connection process.
Still no joy on dns.
At this point I'm starting panic. So I fire up tcpdump on the LAN port
on the firewall and watch for port 53 traffic.
I see outbound and inbound traffic as I expect.
Sol I fire up tcpdump on the single nic on the server itself.
I see nothing.
No traffic at all. I try pinging www.yahoo.com (live ping point good
for testing) and tcpdump shows nada.
WTF!!!
Stop the networking on the box, unload the nic module, reload
networking, module load fine, rerun ping and tcpdump.
nada.
If I hadn't been doing this on a fresh install, I would say the box
has trojaned binaries. But it's a clean install.
I've run rpm -Va on the firewall and it shows up as fine as well (I
have a copy of the rpmdb parked offsite for the firewall so I have
high confidence in the data as I rsynced from the copy to the host
before the run).
I've double checked patch cables even. I can connect to any machine on
the LAN but nothing, even by IP, past the firewall. The no tcpdump
data AT ALL at the host itself has me totally batty.
Ideas?
--
--
James P. Kinney III
Actively in pursuit of Life, Liberty and Happiness
More information about the Ale
mailing list