Weird Network Manager Problem
JB
jb.1234abcd at gmail.com
Sat Sep 25 19:54:05 UTC 2010
Mike Dwiggins <mike <at> azdwiggins.com> writes:
>
> On 9/25/2010 6:38 AM, JB wrote:
> > some unrelated software package malfunctions ...
> > You have to consider that you have been hacked, I guess. Normally you should
> > take your machine offline until you understand what is the damage.
> >
> > I am only online long enough to test the ping
>
> > Well, where do you get that info from ?
> System/Administration/Network/
> > Are you auto-configured by dhclient ?
> Not supposed to be; eth0 is set to Static IP
Not quite. But read on.
> > Controlled by NetworkManager ?
> Yes
Just apropos.
Enable (check off) the "Activate device when computer starts".
> > Automatically obtain IP address settings with DHCP ?
> Again it is not set to
OK.
If you select for "Statically set IP addresses", then
the "Automatically obtain IP address settings with DHCP" is turned off.
> > Automatically obtain DNS info from provider ?
> No
Not quite. But read on.
> > Also, check:
> > $ ps aux |grep -i dhc
> > jb 6982 0.0 0.0 4360 708 pts/3 S+ 15:21 0:00 grep -i dhc
> > root 14415 0.0 0.0 2984 676 ? S 06:13 0:00 /sbin/dhclient -d -4 -sf /usr/libexec/nm-dhcp-client.action -pf /var/run/dhclient-eth0.pid -lf /var/lib/dhclient/dhclient-5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03-eth0.lease -cf /var/run/nm-dhclient-eth0.conf eth0
> >
> > That's response on my system.
> On mine
>
> # ps aux|grep -i dhc
> root 1047 0.0 0.1 2828 1192 ? S 08:10 0:00 /sbin/dhclient -d -4 -sf /usr/libexec/nm-dhcp-client.action -pf /var/run/dhclient-eth0.pid -lf /var/lib/dhclient/dhclient-15087fb0-92c7-40fe-ad3e-373bf0997205-eth0.lease -cf /var/run/nm-dhclient-eth0.conf eth0
> root 2349 0.0 0.0 4360 736 pts/1 S+ 08:26 0:00 grep -i dhc
> #
Here we go!
The output of 'ps aux |grep -i dhc' shows that there is a dhclient running under
control of NetworkManager.
When it runs, it obtains all default and user-requested data from DHCP and DNS
servers and modifies those pesky system files.
Important:
Normally, when you configure your interface as you described (static IP, DNS),
the NetworkManager is run, but without NetworkManager-controlled dhclient.
I just checked that on my other machine :-)
So, something got screwed up in the past, either during configuration through the
System/Administration/Network/ utility or the panel's NetworkManager Applet
utility.
FYI, I had bad experience with the second one some months ago, submitted
report and they did these and other fixes to it.
Let's try to clean up some of this stuff.
Let's save that dhcp-lease file for interrogation later on (it probably
contains lease data that relates to invalid IP addresses, etc; that's what
screwed up your IP data in various system files):
# mv /var/lib/dhclient/dhclient-15087fb0-92c7-40fe-ad3e-373bf0997205-eth0.lease /var/lib/dhclient/dhclient-15087fb0-92c7-40fe-ad3e-373bf0997205-eth0.lease-crash
and create an empty file instead:
# touch /var/lib/dhclient/dhclient-15087fb0-92c7-40fe-ad3e-373bf0997205-eth0.lease
Later on, you should examine that saved file for IP addresses, etc; check them
with some DNS-type entries (dig, nslookup) on the Internet; you may want to
talk to your ISP about them, time of the presumed attack (system downtime),
check with your utilities provider about a time of presumed downtime in
electricity supply, etc.
Let's kill that dhclient that should not run.
# killall /sbin/dhclient
Confirm that it is gone:
# ps aux|grep -i dhc
After that you should restart your desktop (GNOME, etc), but best would be to
verify the entire startup sequence and reboot your machine back to the desktop.
After that verify again as above that dhclient is gone and that lease file
is still empty as it should be.
>
> > Look at what kind of info you got last time:
> > # less /var/lib/dhclient/dhclient-5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03-eth0.lease
> >
> > Look at your own config settings:
> > # less /var/run/nm-dhclient-eth0.conf
> > That's perhaps from:
> > # ls -al /etc/dhclient-*
> > -rw-r--r--. 1 root root 40 Feb 21 2010 /etc/dhclient-eth0.conf
> > -rw-r--r--. 1 root root 40 Feb 21 2010 /etc/dhclient-wlan0.conf
> >
> on mine
>
> # ls -al /etc/dhclient-*
> ls: cannot access /etc/dhclient-*: No such file or directory
> #
>
> /etc/sysconfig/network-scripts/ifcfg-eth0 is as follows
>
> # Intel Corporation 82540EM Gigabit Ethernet Controller
> DEVICE=eth0
> BOOTPROTO=none
> DNS1=68.2.16.30
> GATEWAY=x.x.x.1
> HWADDR=00:C0:9F:20:FF:BA
> IPADDR=x.x.x.12
> NETMASK=255.255.255.240
> ONBOOT=yes
> DNS2=68.1.203.30
> TYPE=Ethernet
> NM_CONTROLLED=yes
> IPV6INIT=no
> USERCTL=no
> PREFIX=28
> DEFROUTE=yes
> IPV4_FAILURE_FATAL=yes
> NAME="System eth0"
> UUID=5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03
>
> At this point I am thinking about pulling the data for my Bind and Web
> pages and doing a scorched earth recovery.
>
> If this was, as I am beginning to think, a hack just waiting for a reboot
> to pounce, I am not sure if my back-up is clean!
>
I understand that you have 2 more servers, so I assume that you can take
this one (Fedora) offline without any impact on business you run.
Regardless, do some investigation - you may learn something ...
Do run these security programs.
First install them:
# yum install chkrootkit rkhunter
Note that some of them are interactive when run, so stand by.
Run this one and see output for any warnings:
# chkrootkit
Run next one and see output for any warnings:
# rkhunter -c
Now, regarding what to do next.
Because of that root password hosing I am inclined to believe that your system
has been compromised. This to me would be enough to reinstall the system.
Regardless of any suspicion about shutdown process being compromised by
an attacker, you should test your Fedora under stress condition to verify that
it works correctly with controlled shutdown when AC fails and UPS jumps in.
Good luck and let us know the results.
JB
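The checks JB walks through above (spot a NetworkManager-driven dhclient in the process list, compare the on-disk lease against a static ifcfg file, and pull the addresses out of the saved lease for later dig/nslookup work) can be scripted. The script below is an added example and is not code from the thread or from Fedora/NetworkManager. The ps output, ifcfg-eth0 and lease file it reads are constructed samples embedded in the script (RFC 5737 documentation addresses, not the addresses from the thread); the function names are the author's own, while the dhclient.leases(5) and sysconfig ifcfg syntax it parses is the real one.

```shell
#!/bin/sh
# Added example, not from the original thread. Three checks from the reply:
#  1. which interfaces have a dhclient that NetworkManager started
#     (recognisable by "-sf /usr/libexec/nm-dhcp-client.action" in its args),
#  2. whether the lease file on disk contradicts a static (BOOTPROTO=none) ifcfg,
#  3. which addresses the lease names, so they can be checked with dig/nslookup.
# Every input below is a constructed sample using documentation addresses.

# Constructed "ps aux | grep -i dhc" output, same shape as in the thread.
PS_SAMPLE='root      1047  0.0  0.1   2828  1192 ?        S    08:10   0:00 /sbin/dhclient -d -4 -sf /usr/libexec/nm-dhcp-client.action -pf /var/run/dhclient-eth0.pid -lf /var/lib/dhclient/dhclient-eth0.lease -cf /var/run/nm-dhclient-eth0.conf eth0
root      2349  0.0  0.0   4360   736 pts/1    S+   08:26   0:00 grep -i dhc'

# Constructed ifcfg-eth0 for a static interface, modelled on the thread's file.
IFCFG_SAMPLE='DEVICE=eth0
BOOTPROTO=none
IPADDR=192.0.2.12
NETMASK=255.255.255.240
GATEWAY=192.0.2.1
DNS1=192.0.2.53
NM_CONTROLLED=yes
ONBOOT=yes'

# Constructed lease in dhclient.leases(5) syntax, as dhclient would write it.
LEASE_SAMPLE='lease {
  interface "eth0";
  fixed-address 198.51.100.77;
  option subnet-mask 255.255.255.0;
  option routers 198.51.100.1;
  option domain-name-servers 203.0.113.5,203.0.113.6;
  option domain-name "example.net";
  renew 6 2010/09/25 12:00:00;
  expire 6 2010/09/25 18:00:00;
}'

# write_samples DIR: materialise the three samples as files under DIR.
write_samples() {
  printf '%s\n' "$PS_SAMPLE"    > "$1/ps.txt"
  printf '%s\n' "$IFCFG_SAMPLE" > "$1/ifcfg-eth0"
  printf '%s\n' "$LEASE_SAMPLE" > "$1/eth0.lease"
}

# nm_dhclient_ifaces [FILE]: interface (last argument) of every dhclient that
# NetworkManager started. Reads FILE, or stdin when no argument is given, so
# it works on live "ps aux" output as well as on a saved copy.
nm_dhclient_ifaces() {
  awk '/\/sbin\/dhclient/ && /nm-dhcp-client\.action/ { print $NF }' "${1:--}"
}

# ifcfg_value FILE KEY: value of KEY in a sysconfig ifcfg file (last one wins).
ifcfg_value() {
  sed -n "s/^$2=//p" "$1" | tail -n 1
}

# lease_addresses FILE: unique IPv4 addresses the DHCP server handed out
# (fixed-address, routers, DNS servers), excluding the subnet mask. These are
# the values to resolve and to compare against what the ISP really assigns.
lease_addresses() {
  grep -v 'subnet-mask' "$1" \
    | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' \
    | LC_ALL=C sort -u
}

# check_static_vs_lease IFCFG LEASE: exit 0 when consistent, 1 when a static
# interface has any lease data at all, 2 when the leased fixed-address also
# differs from the static IPADDR (the "invalid IP addresses" case above).
check_static_vs_lease() {
  proto=$(ifcfg_value "$1" BOOTPROTO)
  static_ip=$(ifcfg_value "$1" IPADDR)
  leased_ip=$(sed -n 's/^ *fixed-address \([0-9.]*\);.*/\1/p' "$2" | tail -n 1)
  if [ "$proto" != "none" ]; then
    echo "BOOTPROTO=$proto: interface is not static, a lease is expected"
    return 0
  fi
  if [ ! -s "$2" ]; then
    echo "static interface and empty lease file: consistent"
    return 0
  fi
  if [ -n "$leased_ip" ] && [ "$leased_ip" != "$static_ip" ]; then
    echo "MISMATCH: IPADDR=$static_ip is static but dhclient leased $leased_ip"
    return 2
  fi
  echo "MISMATCH: static interface, yet the lease file contains data"
  return 1
}

# Stand-alone run against the constructed samples.
d=$(mktemp -d)
write_samples "$d"
echo "NetworkManager-driven dhclient on: $(nm_dhclient_ifaces "$d/ps.txt")"
check_static_vs_lease "$d/ifcfg-eth0" "$d/eth0.lease" || echo "exit status $?"
echo "addresses from the lease to look up:"
lease_addresses "$d/eth0.lease"
rm -rf "$d"
```

On a live box the same functions run against the real files: `ps aux | nm_dhclient_ifaces`, then `check_static_vs_lease /etc/sysconfig/network-scripts/ifcfg-eth0 /var/lib/dhclient/dhclient-<uuid>-eth0.lease`, and `lease_addresses` on the renamed `-crash` copy to get the list of addresses to feed to dig. An empty lease file after the reboot makes the check return 0, which is the state JB says to confirm.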