NTP and Intrusion Detection Environment FYI - Mandriva
-
NTP and Intrusion Detection Environment FYI
I have installed the Intrusion Detection Environment (aide) package.
This morning's firewall log showed numerous inode changes for several
/etc/rc.d/rc*.d/ K* and S* links. Just a small panic attack followed.
Seems changing NTP server via Mandriva Control Center causes a
/bin/rpm -q --qf %{name} ntp
execution which redid about 72+ link changes in the /etc/rc.d/rc*.d
directories. :-(
Thought I would mention it so anyone who might see the alarms, does not
have to be worried.
-
Re: NTP and Intrusion Detection Environment FYI
Bit Twister wrote:
> I have installed the Intrusion Detection Environment (aide) package.
>
> This morning's firewall log showed numerous inode changes for several
> /etc/rc.d/rc*.d/ K* and S* links. Just a small panic attack followed.
>
> Seems changing NTP server via Mandriva Control Center causes a
> /bin/rpm -q --qf %{name} ntp
> execution which redid about 72+ link changes in the /etc/rc.d/rc*.d
> directories. :-(
>
> Thought I would mention it so anyone who might see the alarms, does not
> have to be worried.
>
Not quite
Unless you know *exactly* what changes the NTP server
should cause on your particular system and you carefully checked them
all, you won't know for sure if an attacker didn't take advantage of
this situation and made some changes while expecting you to believe
exactly what you wrote above.
--
Dawid Michalczyk
http://www.comp.eonworks.com _Linux SysAdmin and Webmaster scripts_
-
Re: NTP and Intrusion Detection Environment FYI
Dawid Michalczyk wrote:
> Bit Twister wrote:
>> I have installed the Intrusion Detection Environment (aide) package.
>>
>> This morning's firewall log showed numerous inode changes for several
>> /etc/rc.d/rc*.d/ K* and S* links. Just a small panic attack followed.
>>
>> Seems changing NTP server via Mandriva Control Center causes a
>> /bin/rpm -q --qf %{name} ntp
>> execution which redid about 72+ link changes in the /etc/rc.d/rc*.d
>> directories. :-(
>>
>> Thought I would mention it so anyone who might see the alarms, does not
>> have to be worried.
>>
>
> Not quite
> Unless you know *exactly* what changes the NTP server
> should cause on your particular system and you carefully checked them
> all, you won't know for sure if an attacker didn't take advantage of
> this situation and made some changes while expecting you to believe
> exactly what you wrote above.
>
Good grief
Using "mcc" to change NTP server(s) simply changes your NTP server(s).
The 'server' entries in /etc/ntp.conf are changed (obviously).
The entries in /etc/ntp/step-tickers are changed (obviously).
Yes, "mcc" does '/bin/rpm -q --qf %{name} ntp', but this does
nothing to anything under etc/rc.d/ ('man rpm' for details).
Perhaps your till foil hats are a little tight today, I suggest
a good dose of sunshine and human contact, it'll do wonders.
-
Re: NTP and Intrusion Detection Environment FYI
foo wrote:
> Dawid Michalczyk wrote:
>> Bit Twister wrote:
>>> I have installed the Intrusion Detection Environment (aide) package.
>>>
>>> This morning's firewall log showed numerous inode changes for several
>>> /etc/rc.d/rc*.d/ K* and S* links. Just a small panic attack followed.
>>>
>>> Seems changing NTP server via Mandriva Control Center causes a
>>> /bin/rpm -q --qf %{name} ntp
>>> execution which redid about 72+ link changes in the /etc/rc.d/rc*.d
>>> directories. :-(
>>>
>>> Thought I would mention it so anyone who might see the alarms, does not
>>> have to be worried.
>>>
>>
>> Not quite
>> Unless you know *exactly* what changes the NTP server
>> should cause on your particular system and you carefully checked them
>> all, you won't know for sure if an attacker didn't take advantage of
>> this situation and made some changes while expecting you to believe
>> exactly what you wrote above.
>>
>
> Good grief
>
> Using "mcc" to change NTP server(s) simply changes your NTP server(s).
>
> The 'server' entries in /etc/ntp.conf are changed (obviously).
> The entries in /etc/ntp/step-tickers are changed (obviously).
>
> Yes, "mcc" does '/bin/rpm -q --qf %{name} ntp', but this does
> nothing to anything under etc/rc.d/ ('man rpm' for details).
>
> Perhaps your till foil hats are a little tight today, I suggest
> a good dose of sunshine and human contact, it'll do wonders.
>
Typo, s/till\ foil/tin\ foil/
-
Re: NTP and Intrusion Detection Environment FYI
On Tue, 24 Jul 2007 12:18:28 +0200, Dawid Michalczyk wrote:
>>
>
> Not quite
> Unless you know *exactly* what changes the NTP server
> should cause on your particular system and you carefully checked them
> all, you won't know for sure if an attacker didn't take advantage of
> this situation and made some changes while expecting you to believe
> exactly what you wrote above.
I stand corrected. Did the same operations on another system (2007.1) and
only the ntp files changed. Went back and tried again on the 2007.0
system and was not able to reproduce the K/S* changes.
Must have been one patient attacker to wait all this time for me to
make a system change. 
-
Re: NTP and Intrusion Detection Environment FYI
On 23 Jul 2007, in the Usenet newsgroup alt.os.linux.mandriva, in article
, Bit Twister wrote:
>This morning's firewall log showed numerous inode changes for several
>/etc/rc.d/rc*.d/ K* and S* links. Just a small panic attack followed.
Understandable - but the next paragraph where you write
>Seems changing NTP server via Mandriva Control Center causes a
> /bin/rpm -q --qf %{name} ntp
>execution which redid about 72+ link changes in the /etc/rc.d/rc*.d
>directories. :-(
REJECT! rpm -q is a query - and if _THAT_ is changing stuff, you have
a lot bigger problems than you can imagine. The -q will query the rpm
databases on your system and can be run as a normal user. It has no
effect on files or links.
Also, the count of 72+ seems awfully high. A dozen, I could see - maybe
even 14 (seven run levels, Start and Kill link in each), but 72???
>Thought I would mention it so anyone who might see the alarms, does not
>have to be worried.
Something seems wrong with your explanation. I'm not doubting you, I'm
just saying that this seems rather bizarre. What _else_ might you be
doing?
Old guy
-
Re: NTP and Intrusion Detection Environment FYI
On 2007-07-25, Moe Trin wrote:
> On 23 Jul 2007, in the Usenet newsgroup alt.os.linux.mandriva, in article
>, Bit Twister wrote:
>
>>This morning's firewall log showed numerous inode changes for several
>>/etc/rc.d/rc*.d/ K* and S* links. Just a small panic attack followed.
>
> Understandable - but the next paragraph where you write
>
>>Seems changing NTP server via Mandriva Control Center causes a
>> /bin/rpm -q --qf %{name} ntp
>>execution which redid about 72+ link changes in the /etc/rc.d/rc*.d
>>directories. :-(
>
> REJECT! rpm -q is a query - and if _THAT_ is changing stuff, you have
> a lot bigger problems than you can imagine. The -q will query the rpm
> databases on your system and can be run as a normal user. It has no
> effect on files or links.
>
> Also, the count of 72+ seems awfully high. A dozen, I could see - maybe
> even 14 (seven run levels, Start and Kill link in each), but 72???
>
>>Thought I would mention it so anyone who might see the alarms, does not
>>have to be worried.
>
> Something seems wrong with your explanation. I'm not doubting you, I'm
> just saying that this seems rather bizarre. What _else_ might you be
> doing?
(Jumping in the middle of a thread...)
I have seen tripwire report changes to the /etc/rc*/* files
and symlinks many times when updating packages. I had
guessed it was connected with the new non-deterministic
method of ordering the execution of the init RC files.
Might there have been a package installation, removal, or
update that could account for the changes to those files?
--
Robert Riches
spamtrap42@verizon.net
(Yes, that is one of my email addresses.)
-
Re: NTP and Intrusion Detection Environment FYI
On Tue, 24 Jul 2007 21:50:06 -0500, Moe Trin wrote:
>
>>Seems changing NTP server via Mandriva Control Center causes a
>> /bin/rpm -q --qf %{name} ntp
>>execution which redid about 72+ link changes in the /etc/rc.d/rc*.d
>>directories. :-(
>
> REJECT! rpm -q is a query - and if _THAT_ is changing stuff, you have
> a lot bigger problems than you can imagine.
Yes, my fault, I did not bother to do a man to check all the arguments.
I had guessed -q for query, and just assumed the --qf was forcing an
update.
> Also, the count of 72+ seems awfully high. A dozen, I could see - maybe
Yes, I would have figured just the ntp links at most.
> even 14 (seven run levels, Start and Kill link in each), but 72???
What can I say, current count,
# ls -1 rc?.d/* | wc -l
183
> Something seems wrong with your explanation. I'm not doubting you, I'm
> just saying that this seems rather bizarre. What _else_ might you be
> doing?
That's what got me. I was just running the Mandriva Control Center
to change ntp servers. After going back and checking logs, there was a
chkconfig --add for run levels 3 and 5 for ntp, the rpm command and
the chkconfig ntp off/on commands.
K/S* inode change times were in the middle of that set of activities.
-
Re: NTP and Intrusion Detection Environment FYI
On Wed, 25 Jul 2007 03:37:04 GMT, Robert M. Riches Jr. wrote:
> I have seen tripwire report changes to the /etc/rc*/* files
> and symlinks many times when updating packages. I had
> guessed it was connected with the new non-deterministic
> method of ordering the execution of the init RC files.
> Might there have been a package installation, removal, or
> update that could account for the changes to those files?
I went back a day to check for that and only thing done was the
ImageMagick update which should not have messed with init links.
I am hoping it will show up again on the 29th, then I can write it off
as a function of the weekly msec sweep.
-
Re: NTP and Intrusion Detection Environment FYI
On 2007-07-25, Bit Twister wrote:
>
> That's what got me. I was just running the Mandriva Control Center
> to change ntp servers. After going back and checking logs, there was a
> chkconfig --add for run levels 3 and 5 for ntp, the rpm command and
> the chkconfig ntp off/on commands.
>
> K/S* inode change times were in the middle of that set of activities.
Ahhh... My hunch is the chkconfig commands did it (in the
library with the candlestick). With the non-deterministic
stuff that is done with the K/S* symlinks, playing with the
set of services to start/stop would cause recalculation of
the ordering and thus the inode change times.
--
Robert Riches
spamtrap42@verizon.net
(Yes, that is one of my email addresses.)
-
Re: NTP and Intrusion Detection Environment FYI
On Wed, 25 Jul 2007 04:42:55 GMT, Robert M. Riches Jr. wrote:
>>
>> K/S* inode change times were in the middle of that set of activities.
>
> Ahhh... My hunch is the chkconfig commands did it (in the
> library with the candlestick). With the non-deterministic
> stuff that is done with the K/S* symlinks, playing with the
> set of services to start/stop would cause recalculation of
> the ordering and thus the inode change times.
Yes, except for the testshot, I did another --init of database, and did
all the chkconfig commands --add,off,on found in the log and --check
did not show any link change. 
Did another ntp server change, --check and only ntp file changes. 
Even rebooted and --check did not show link change.
There is nothing going on around 14:2* so I am at a loss as to why
they changed. I thought about a bad disk block causing the change but
that should have been a remap in the drive and transparent to the
filesystem. As I misunderstand it.
-
Re: NTP and Intrusion Detection Environment FYI
On 25 Jul 2007, in the Usenet newsgroup alt.os.linux.mandriva, in article
, Bit Twister wrote:
>Robert M. Riches Jr. wrote:
>>
>>> K/S* inode change times were in the middle of that set of activities.
>>
>> Ahhh... My hunch is the chkconfig commands did it (in the
>> library with the candlestick).
I don't think so - the candlestick has a cast iron alibi from Bud Selig
who was there, and didn't see it happen. Admittedly, the scullery maid
might be rather distracting. On the other paw, did you notice the large
dent in the soup tureen and that the trebuchet on the front lawn has been
moved? [1]
>> With the non-deterministic stuff that is done with the K/S* symlinks,
>> playing with the set of services to start/stop would cause
>> recalculation of the ordering and thus the inode change times.
And people wonder why I rip out these automated "let me help you - don't
worry about the man behind the curtain" tools. It would be nice if the
so-called "helper" mailed root an explanation of what was done and why
(the following links were reordered; \n old name new name \n [bla,
bla, bla]\n Reason: link $FOO requires service $BAR to be running
before it is able to start.) so that people are offered the chance to
learn WTF is happening. It's not like SysVinits is rocket science.
>Yes, except for the testshot, I did another --init of database, and did
>all the chkconfig commands --add,off,on found in the log and --check
>did not show any link change. 
>
>Did another ntp server change, --check and only ntp file changes. 
>Even rebooted and --check did not show link change.
Perhaps the changes that were made earlier aren't being reversed
because they are not incompatible with the "latest" configuration.
>There is nothing going on around 14:2* so I am at a loss as to why
>they changed.
In your response to my post, you wrote:
]That's what got me. I was just running the Mandriva Control Center
]to change ntp servers. After going back and checking logs, there was a
]chkconfig --add for run levels 3 and 5 for ntp, the rpm command and
]the chkconfig ntp off/on commands.
]
]K/S* inode change times were in the middle of that set of activities.
Are you saying that you were not running NTP beforehand, or that you
were, but updated the package? Both of those actions could conceivably
trigger a re-arrangement of the link order if the currently installed
setup differs from before.
You could try 'rpm -qf rc3.d/*' to see what package (if any) owns the
links there (they could be created by a package post-install script
and may or may not be listed as being owned by any specific package).
If some package _does_ claim ownership, run 'rpm -V $PACKAGENAME' to
see if the chkconfig numbers in each file may have been altered.
>I thought about a bad disk block causing the change but that should
>have been a remap in the drive and transparent to the filesystem.
Correct. The operating system sees nothing of the change, because the
disk controller is the only one that knows, and it's not telling.
>As I misunderstand it.
No, you've got the theory right.
Old guy
[1] I'll bet there are a few people scratching their heads over _that_
little dialog, right Inspector? ;-)
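Dawid's objection (an inode-change alarm is only harmless if you know exactly which links changed and how), Robert's hunch that chkconfig reordering renamed the K*/S* links, and Moe's rpm -qf / rpm -V suggestion all come down to the same question: did the link set itself change, not just its ctime? The script below is an added example, not code from the thread or from Mandriva; it records every K*/S* symlink in an rc directory tree as "name -> target" and diffs a saved baseline against the live tree. The directory layout, service names and the temporary sample tree are constructed for the example; on a real box you would point it at /etc/rc.d.

```shell
#!/bin/sh
# Added example, not code from the thread: record the K*/S* symlinks under
# a SysV rc directory tree (name and target) so that an AIDE/tripwire
# "inode changed" alarm can be resolved into a concrete answer: was any
# link renamed, retargeted, added or removed?
# All paths and the sample tree below are constructed for this example.

# Print one line per K*/S* symlink, "rcN.d/<link> -> <target>", sorted.
snapshot_init_links() {
    root="$1"
    for link in "$root"/rc?.d/[KS]*; do
        [ -L "$link" ] || continue
        printf '%s -> %s\n' "${link#"$root"/}" "$(readlink "$link")"
    done | sort
}

# Compare a saved baseline against the live tree. Prints the differing
# lines ('<' = in baseline only, '>' = in current only) and returns 1 when
# anything differs, 0 when the link set is identical.
compare_init_links() {
    baseline="$1"
    root="$2"
    current=$(mktemp)
    snapshot_init_links "$root" > "$current"
    changes=$(diff "$baseline" "$current" | grep '^[<>]' || true)
    rm -f "$current"
    [ -n "$changes" ] || return 0
    printf '%s\n' "$changes"
    return 1
}

# Build a constructed miniature of /etc/rc.d (hypothetical services) in a
# temporary directory and print its path.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/init.d" "$root/rc0.d" "$root/rc3.d" "$root/rc5.d"
    for svc in ntpd shorewall syslog; do : > "$root/init.d/$svc"; done
    ln -s ../init.d/ntpd      "$root/rc0.d/K42ntpd"
    ln -s ../init.d/syslog    "$root/rc3.d/S10syslog"
    ln -s ../init.d/shorewall "$root/rc3.d/S20shorewall"
    ln -s ../init.d/ntpd      "$root/rc3.d/S58ntpd"
    ln -s ../init.d/ntpd      "$root/rc5.d/S58ntpd"
    printf '%s\n' "$root"
}

# Mimic what a chkconfig-style reorder does to one link: same target, new
# start number. Prints the number of lines the comparison reports (2: the
# old name disappears, the new name appears).
demo_reorder() {
    root=$(make_sample_tree)
    baseline=$(mktemp)
    snapshot_init_links "$root" > "$baseline"
    mv "$root/rc3.d/S58ntpd" "$root/rc3.d/S30ntpd"
    compare_init_links "$baseline" "$root" | grep -c '^[<>]'
    rm -rf "$root" "$baseline"
}
```

Usage on a real system is `snapshot_init_links /etc/rc.d > rc-links.baseline` right after you verify the tree, then `compare_init_links rc-links.baseline /etc/rc.d` whenever AIDE complains. A renamed link (S58ntpd becoming S30ntpd) shows up as one removed and one added line with the same target; a link whose target moved to a different script shows up with the same name and a different target, which is the case worth chasing with Moe's `rpm -qf` and `rpm -V` checks. A pure ctime change with no line in the diff is the benign recalculation Robert describes.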
-
Re: NTP and Intrusion Detection Environment FYI
On Wed, 25 Jul 2007 15:17:57 -0500, Moe Trin wrote:
> On 25 Jul 2007, in the Usenet newsgroup alt.os.linux.mandriva, in article
>, Bit Twister wrote:
>
>>Yes, except for the testshot, I did another --init of database, and did
>>all the chkconfig commands --add,off,on found in the log and --check
>>did not show any link change. 
>>
>>Did another ntp server change, --check and only ntp file changes. 
>>Even rebooted and --check did not show link change.
> Perhaps the changes that were made earlier aren't being reversed
> because they are not incompatible with the "latest" configuration.
Sounds good to me. Since this was the first time I had done anything
having to do through MCC, it could be a residual effect of
http://www.mandriva.com/security/adv...=MDKA-2007:077
System updates are normally done through my CLI update script.
>]That's what got me. I was just running the Mandriva Control Center
>]to change ntp servers. After going back and checking logs, there was a
>]chkconfig --add for run levels 3 and 5 for ntp, the rpm command and
>]the chkconfig ntp off/on commands.
>]
>]K/S* inode change times were in the middle of that set of activities.
>
> Are you saying that you were not running NTP beforehand, or that you
> were, but updated the package?
No, yeah, no. NTP package was installed during the clean install.
System updates were current as of the Jul-20 update.
Only reason I was dinking with NTP was there is a DSL node in the
North American ntp pool which seemed to be causing my NTP sync to keep
hunting back and forth. I am scheduled to get a FiOS connection on the 31st
and noticed a D-Link NTP server in the router's docs.
Thought I would see how much hunting my system would do with dlink's
server. Log became pretty quiet with their server.
> You could try 'rpm -qf rc3.d/*' to see what package (if any) owns the
No script shows up, which sounds normal to me.
> links there (they could be created by a package post-install script
It was truly a random set, of links that I knew had no direct
relationship to NTP. Matter of fact, when my eye fell on the firewall
link (shorewall), I quit playing around with aide settings. Started
checking into what may have gone on and tried to recreate it.