- 10-22-2004 #1 | Just Joined! | Join Date: Oct 2004 | Location: Bavaria / Germany | Posts: 13
User from Internet overtaking my Gentoo box !!! / Security !
Linux security breach.
I have a Linux NAT box and was making an
"emerge -u world" on a Gentoo box connected to the Internet through the NAT box.
Unfortunately I was running the "emerge" with root rights as root.
Well, some tough guy from outside broke in, deleted my user, removed me from the wheel group, changed my IP address and my X starting parameters.
Still happy he didn't erase the box.
Is there a possibility to run emerge as a normal user??
"emerge -u world" as a normal user??
- 10-22-2004 #2 | Linux Engineer | Join Date: Jul 2003 | Location: Uppsala, Sweden | Posts: 1,278
Yes, it is: set FEATURES="sandbox usersandbox userpriv" in /etc/make.conf. You won't actually be running emerge as a user, but portage will drop root privileges when it is compiling something.
It seems highly unlikely that what you describe is the case. What makes you so sure that it was an outside user accessing your box that has done this? What IDS software are you running and what information did it supply?
Proud to be a GNU/Gentoo Linux user!
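An added check, not from the thread, for the setting post #2 recommends: this POSIX shell script (assumed file name check_make_conf.sh) evaluates a make.conf the way portage's own shell parsing would, including appended FEATURES="${FEATURES} ..." lines, and lists which of the privilege-dropping features are missing or negated.

```shell
#!/bin/sh
# Added example, not from the thread: report which of the privilege-dropping
# portage FEATURES are absent from a make.conf. The required set is the one
# named in post #2. make.conf is plain shell syntax, so it is evaluated in a
# subshell; only run this against a make.conf you trust, since sourcing it
# executes its contents.
REQUIRED_FEATURES="sandbox usersandbox userpriv"

# Print the effective FEATURES value after sourcing the given make.conf.
effective_features() {
    ( FEATURES=""; . "$1" >/dev/null 2>&1; printf '%s\n' "$FEATURES" )
}

# Print each required feature that is missing or explicitly disabled ("-name").
# Returns 0 when all required features are active, 1 otherwise.
missing_portage_features() {
    feats=$(effective_features "$1")
    rc=0
    for want in $REQUIRED_FEATURES; do
        present=0
        for f in $feats; do
            case "$f" in
                "$want")  present=1 ;;
                "-$want") present=0 ;;   # a later "-foo" overrides an earlier "foo"
            esac
        done
        if [ "$present" -eq 0 ]; then
            echo "$want"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check_make_conf.sh /etc/make.conf
if [ -n "$1" ]; then
    if missing=$(missing_portage_features "$1"); then
        echo "OK: builds will drop root ($REQUIRED_FEATURES are all set)"
    else
        echo "WARNING: add these to FEATURES in $1:"
        echo "$missing"
        exit 1
    fi
fi
```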
- 10-22-2004 #3 | Just Joined! | Join Date: Oct 2004 | Location: Bavaria / Germany | Posts: 13
Practically I was running the Gentoo box as a sync server and home mirror for my home network.
At the questionable time I was running "fixpackages" on the box when it actually happened.
- my login user deleted from the passwd file
- removed from the wheel group
- my IP address changed to the Gentoo default network "192.x.x.x"
- my X server coming up with the wrong window manager
- my keyboard reset to "us"
Perhaps it was also one of the packages that got fixed and reset everything to default values.
I'm going to check that out.
Thanks
- 10-23-2004 #4
Did you run etc-config at any time? Regardless, these are all just files being overwritten. To regain root access (which, if your machine is truly stolen, should be far more important than emerging anything), boot the live CD and use the passwd function on that to reset the root password. The class C subnet 192.x.x.x is not the Gentoo default; it and 10.x.x.x are the ones that are available to all home users, those who run NATs and need local IPs. Basically, there is a 99.9 percent chance someone did not take control of your computer; you just ran a command that rewrote some config files. It might be a bit of a pain to fix, but a great example of reasons to keep backups... To reset the default WM when you startx, modify the ./.xinitrc file to have exec gnome-session, or exec fluxbox, or whatever command you use to start your window manager.
I don't use genkernel, but that, new kernel sources, and a new xorg all hit portage about a week ago. It's possible that your X settings got shot by the xorg, and perhaps genkernel recompiled the kernel sources and the new portage just overwrote something in there. Not really sure, because without running etc-config it's VERY unlikely that portage would get involved with your config files to that level...
- 10-23-2004 #5 | Just Joined! | Join Date: Oct 2004 | Location: Bavaria / Germany | Posts: 13
I fixed everything.
So I'm fine now; I guess I must have done something that triggered the overwriting of some basic config files.
Thanks,
have a nice weekend.