  1. #1 (Just Joined!, joined Oct 2004, Bavaria / Germany, 13 posts)

    User from the Internet taking over my Gentoo box!!! / Security!


    Linux security breach.

    I have a Linux NAT box and was making an
    "emerge -u world" on a Gentoo box connected to the Internet through the NAT box.
    Unfortunately I was running the "emerge" with root rights as root.
    Well, some tough guy from outside broke in, deleted my user, removed me from the wheel group, changed my IP address and my X starting parameters.
    Still happy he didn't erase the box.

    Is there a possibility to run emerge as a normal user?
    "emerge -u world" as a normal user?

  2. #2 (Linux Engineer, joined Jul 2003, Stockholm, Sweden, 1,296 posts)
    Yes, it is: set FEATURES="sandbox usersandbox userpriv" in /etc/make.conf. You won't actually be running emerge as a user, but portage will drop root privileges when it is compiling something.

    It seems highly unlikely that what you describe is the case. What makes you so sure that it was an outside user accessing your box that has done this? What IDS software are you running, and what information did it supply?

  3. #3 (Just Joined!, joined Oct 2004, Bavaria / Germany, 13 posts)
    Practically, I was running the Gentoo box as a sync server and home mirror for my home network.
    At the questionable time I was running "fixpackages" on the box when it actually happened.
    - my login user deleted from the passwd file
    - removed from the wheel group
    - my IP address changed to the Gentoo default network "192.x.x.x"
    - my X server coming up with the wrong window manager
    - my keyboard reset to "us"

    Perhaps it was also one of the packages that got fixed and reset everything to default values.
    I'm going to check that out.

    Thanks
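
    An added example (not from this thread or from Gentoo) that checks the symptoms listed in post #3 and the FEATURES setting from post #2 against constructed stand-ins for /etc/passwd, /etc/group and /etc/make.conf; the login name "hans" and the file contents are made up, and the script only reads the sample text, never the live system.

```sh
#!/bin/sh
# Added example, not from the thread: audit the symptoms listed in post #3
# (user gone from passwd, dropped from wheel) and the FEATURES setting from
# post #2, against constructed sample file contents rather than the live system.

# Constructed stand-ins for /etc/passwd, /etc/group and /etc/make.conf.
# The login name "hans" is made up; it is absent from PASSWD_SAMPLE on purpose.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
portage:x:250:250:portage:/var/tmp/portage:/bin/false'
GROUP_SAMPLE='root:x:0:root
wheel:x:10:root
portage:x:250:portage'
MAKECONF_SAMPLE='CFLAGS="-O2 -pipe"
FEATURES="sandbox"'

# user_exists NAME PASSWD_TEXT: succeed if NAME has a passwd entry.
user_exists() {
    printf '%s\n' "$2" | grep -q "^$1:"
}

# in_wheel NAME GROUP_TEXT: succeed if NAME is in the wheel member list.
in_wheel() {
    printf '%s\n' "$2" | awk -F: '$1 == "wheel" { print $4 }' \
        | tr ',' '\n' | grep -qx "$1"
}

# has_feature FLAG MAKECONF_TEXT: succeed if FEATURES="..." contains FLAG.
has_feature() {
    printf '%s\n' "$2" | sed -n 's/^FEATURES="\(.*\)"$/\1/p' \
        | tr ' ' '\n' | grep -qx "$1"
}

# audit NAME: print each finding, then "problems: N" as the last line.
audit() {
    problems=0
    user_exists "$1" "$PASSWD_SAMPLE" \
        || { echo "MISSING: no passwd entry for $1"; problems=$((problems + 1)); }
    in_wheel "$1" "$GROUP_SAMPLE" \
        || { echo "MISSING: $1 is not in wheel"; problems=$((problems + 1)); }
    for flag in sandbox usersandbox userpriv; do
        has_feature "$flag" "$MAKECONF_SAMPLE" \
            || { echo "WEAK: FEATURES lacks $flag"; problems=$((problems + 1)); }
    done
    echo "problems: $problems"
}

audit hans
```

    Against the sample data the run reports the missing passwd entry, the missing wheel membership and the two absent FEATURES flags; pointing the functions at real file contents means reading those files into the variables first.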

  4. #4 kkubasik (Linux Guru, joined Mar 2004, Lat: 39:03:51N Lon: 77:14:37W, 2,396 posts)
    Did you run etc-config at any time? Regardless, these are all just files being overwritten. To regain root access (which, if your machine is truly stolen, should be far more important than emerging anything), boot the liveboot CD and use the passwd function on that to reset the root password. The class-C subnet 192.x.x.x is not the Gentoo default; it and 10.x.x.x are the ones that are available to all home users, those who run NATs and need local IPs. Basically, there is a 99.9 percent chance someone did not take control of your computer; you just ran a command that rewrote some config files. It might be a bit of a pain to fix, but a great example of reasons to keep backups..... To reset the default WM when you startx, modify the ./.xinitrc file to have exec gnome-session --or-- exec fluxbox or whatever command you use to start your window manager.

    I don't use genkernel, but that, new kernel sources, and a new xorg all hit portage about a week ago. It's possible that your X settings got shot by the xorg, and perhaps genkernel recompiled the kernel sources and the new portage just overwrote something in there. Not really sure, b/c without running etc-config it's VERY unlikely that portage would get involved with your config files to that level.....
    Avoid the Gates of Hell. Use Linux
    A Penny for your Thoughts

    Formerly Known as qub333

  5. #5 (Just Joined!, joined Oct 2004, Bavaria / Germany, 13 posts)
    I fixed everything.
    So I'm fine now. I guess I must have done something that triggered the overwriting of some basic config files.

    Thanks,

    have a nice weekend.
