NTP and Intrusion Detection Environment FYI - Mandriva



Thread: NTP and Intrusion Detection Environment FYI

  1. NTP and Intrusion Detection Environment FYI

    I have installed the Intrusion Detection Environment (aide) package.

    This morning's firewall log showed numerous inode changes for several
    /etc/rc.d/rc*.d/ K* and S* links. Just a small panic attack followed.

    Seems changing NTP server via Mandriva Control Center causes a
    /bin/rpm -q --qf %{name} ntp
    execution which redid about 72+ link changes in the /etc/rc.d/rc*.d
    directories. :-(

    Thought I would mention it so anyone who might see the alarms, does not
    have to be worried.


  2. Re: NTP and Intrusion Detection Environment FYI

    Bit Twister wrote:
    > I have installed the Intrusion Detection Environment (aide) package.
    >
    > This morning's firewall log showed numerous inode changes for several
    > /etc/rc.d/rc*.d/ K* and S* links. Just a small panic attack followed.
    >
    > Seems changing NTP server via Mandriva Control Center causes a
    > /bin/rpm -q --qf %{name} ntp
    > execution which redid about 72+ link changes in the /etc/rc.d/rc*.d
    > directories. :-(
    >
    > Thought I would mention it so anyone who might see the alarms, does not
    > have to be worried.
    >


    Not quite. Unless you know *exactly* what changes the NTP server
    should cause on your particular system and you carefully checked them
    all, you won't know for sure if an attacker didn't take advantage of
    this situation and made some changes while expecting you to believe
    exactly what you wrote above.

    --
    Dawid Michalczyk
    http://www.comp.eonworks.com _Linux SysAdmin and Webmaster scripts_

  3. Re: NTP and Intrusion Detection Environment FYI

    Dawid Michalczyk wrote:
    > Bit Twister wrote:
    >> I have installed the Intrusion Detection Environment (aide) package.
    >>
    >> This morning's firewall log showed numerous inode changes for several
    >> /etc/rc.d/rc*.d/ K* and S* links. Just a small panic attack followed.
    >>
    >> Seems changing NTP server via Mandriva Control Center causes a
    >> /bin/rpm -q --qf %{name} ntp
    >> execution which redid about 72+ link changes in the /etc/rc.d/rc*.d
    >> directories. :-(
    >>
    >> Thought I would mention it so anyone who might see the alarms, does not
    >> have to be worried.
    >>

    >
    > Not quite. Unless you know *exactly* what changes the NTP server
    > should cause on your particular system and you carefully checked them
    > all, you won't know for sure if an attacker didn't take advantage of
    > this situation and made some changes while expecting you to believe
    > exactly what you wrote above.
    >


    Good grief

    Using "mcc" to change NTP server(s) simply changes your NTP server(s).

    The 'server' entries in /etc/ntp.conf are changed (obviously).
    The entries in /etc/ntp/step-tickers are changed (obviously).

    Yes, "mcc" does '/bin/rpm -q --qf %{name} ntp', but this does
    nothing to anything under /etc/rc.d/ ('man rpm' for details).

    Perhaps your till foil hats are a little tight today, I suggest
    a good dose of sunshine and human contact, it'll do wonders.


  4. Re: NTP and Intrusion Detection Environment FYI

    foo wrote:
    > Dawid Michalczyk wrote:
    >> Bit Twister wrote:
    >>> I have installed the Intrusion Detection Environment (aide) package.
    >>>
    >>> This morning's firewall log showed numerous inode changes for several
    >>> /etc/rc.d/rc*.d/ K* and S* links. Just a small panic attack followed.
    >>>
    >>> Seems changing NTP server via Mandriva Control Center causes a
    >>> /bin/rpm -q --qf %{name} ntp
    >>> execution which redid about 72+ link changes in the /etc/rc.d/rc*.d
    >>> directories. :-(
    >>>
    >>> Thought I would mention it so anyone who might see the alarms, does not
    >>> have to be worried.
    >>>

    >>
    >> Not quite. Unless you know *exactly* what changes the NTP server
    >> should cause on your particular system and you carefully checked them
    >> all, you won't know for sure if an attacker didn't take advantage of
    >> this situation and made some changes while expecting you to believe
    >> exactly what you wrote above.
    >>

    >
    > Good grief
    >
    > Using "mcc" to change NTP server(s) simply changes your NTP server(s).
    >
    > The 'server' entries in /etc/ntp.conf are changed (obviously).
    > The entries in /etc/ntp/step-tickers are changed (obviously).
    >
    > Yes, "mcc" does '/bin/rpm -q --qf %{name} ntp', but this does
    > nothing to anything under /etc/rc.d/ ('man rpm' for details).
    >
    > Perhaps your till foil hats are a little tight today, I suggest
    > a good dose of sunshine and human contact, it'll do wonders.
    >


    Typo, s/till\ foil/tin\ foil/

  5. Re: NTP and Intrusion Detection Environment FYI

    On Tue, 24 Jul 2007 12:18:28 +0200, Dawid Michalczyk wrote:
    >>

    >
    > Not quite. Unless you know *exactly* what changes the NTP server
    > should cause on your particular system and you carefully checked them
    > all, you won't know for sure if an attacker didn't take advantage of
    > this situation and made some changes while expecting you to believe
    > exactly what you wrote above.



    I stand corrected. Did the same operations on another system (2007.1) and
    only the ntp files changed. Went back and tried again on the 2007.0
    system and was not able to reproduce the K/S* changes.

    Must have been one patient attacker to wait all this time for me to
    make a system change.

  6. Re: NTP and Intrusion Detection Environment FYI

    On 23 Jul 2007, in the Usenet newsgroup alt.os.linux.mandriva, in article
    , Bit Twister wrote:

    >This morning's firewall log showed numerous inode changes for several
    >/etc/rc.d/rc*.d/ K* and S* links. Just a small panic attack followed.


    Understandable - but the next paragraph where you write

    >Seems changing NTP server via Mandriva Control Center causes a
    > /bin/rpm -q --qf %{name} ntp
    >execution which redid about 72+ link changes in the /etc/rc.d/rc*.d
    >directories. :-(


    REJECT! rpm -q is a query - and if _THAT_ is changing stuff, you have
    a lot bigger problems than you can imagine. The -q will query the rpm
    databases on your system and can be run as a normal user. It has no
    effect on files or links.

    Also, the count of 72+ seems awfully high. A dozen, I could see - maybe
    even 14 (seven run levels, Start and Kill link in each), but 72???

    >Thought I would mention it so anyone who might see the alarms, does not
    >have to be worried.


    Something seems wrong with your explanation. I'm not doubting you, I'm
    just saying that this seems rather bizarre. What _else_ might you be
    doing?

    Old guy


  7. Re: NTP and Intrusion Detection Environment FYI

    On 2007-07-25, Moe Trin wrote:
    > On 23 Jul 2007, in the Usenet newsgroup alt.os.linux.mandriva, in article
    >, Bit Twister wrote:
    >
    >>This morning's firewall log showed numerous inode changes for several
    >>/etc/rc.d/rc*.d/ K* and S* links. Just a small panic attack followed.

    >
    > Understandable - but the next paragraph where you write
    >
    >>Seems changing NTP server via Mandriva Control Center causes a
    >> /bin/rpm -q --qf %{name} ntp
    >>execution which redid about 72+ link changes in the /etc/rc.d/rc*.d
    >>directories. :-(

    >
    > REJECT! rpm -q is a query - and if _THAT_ is changing stuff, you have
    > a lot bigger problems than you can imagine. The -q will query the rpm
    > databases on your system and can be run as a normal user. It has no
    > effect on files or links.
    >
    > Also, the count of 72+ seems awfully high. A dozen, I could see - maybe
    > even 14 (seven run levels, Start and Kill link in each), but 72???
    >
    >>Thought I would mention it so anyone who might see the alarms, does not
    >>have to be worried.

    >
    > Something seems wrong with your explanation. I'm not doubting you, I'm
    > just saying that this seems rather bizarre. What _else_ might you be
    > doing?


    (Jumping in the middle of a thread...)

    I have seen tripwire report changes to the /etc/rc*/* files
    and symlinks many times when updating packages. I had
    guessed it was connected with the new non-deterministic
    method of ordering the execution of the init RC files.
    Might there have been a package installation, removal, or
    update that could account for the changes to those files?

    --
    Robert Riches
    spamtrap42@verizon.net
    (Yes, that is one of my email addresses.)

  8. Re: NTP and Intrusion Detection Environment FYI

    On Tue, 24 Jul 2007 21:50:06 -0500, Moe Trin wrote:
    >
    >>Seems changing NTP server via Mandriva Control Center causes a
    >> /bin/rpm -q --qf %{name} ntp
    >>execution which redid about 72+ link changes in the /etc/rc.d/rc*.d
    >>directories. :-(

    >
    > REJECT! rpm -q is a query - and if _THAT_ is changing stuff, you have
    > a lot bigger problems than you can imagine.


    Yes, my fault, I did not bother to do a man to check all the arguments.
    I had guessed -q for query, and just assumed the --qf was forcing an
    update.


    > Also, the count of 72+ seems awfully high. A dozen, I could see - maybe


    Yes, I would have figured just the ntp links at most.

    > even 14 (seven run levels, Start and Kill link in each), but 72???


    What can I say, current count,
    # ls -1 rc?.d/* | wc -l
    183

    > Something seems wrong with your explanation. I'm not doubting you, I'm
    > just saying that this seems rather bizarre. What _else_ might you be
    > doing?


    That's what got me. I was just running the Mandriva Control Center
    to change ntp servers. After going back and checking logs, there was a
    chkconfig --add for run levels 3 and 5 for ntp, the rpm command and
    the chkconfig ntp off/on commands.

    K/S* inode change times were in the middle of that set of activities.

  9. Re: NTP and Intrusion Detection Environment FYI

    On Wed, 25 Jul 2007 03:37:04 GMT, Robert M. Riches Jr. wrote:

    > I have seen tripwire report changes to the /etc/rc*/* files
    > and symlinks many times when updating packages. I had
    > guessed it was connected with the new non-deterministic
    > method of ordering the execution of the init RC files.
    > Might there have been a package installation, removal, or
    > update that could account for the changes to those files?


    I went back a day to check for that and the only thing done was the
    ImageMagick update which should not have messed with init links.

    I am hoping it will show up again on the 29th then I can write it off
    as a function of the weekly msec sweep.

  10. Re: NTP and Intrusion Detection Environment FYI

    On 2007-07-25, Bit Twister wrote:
    >
    > That's what got me. I was just running the Mandriva Control Center
    > to change ntp servers. After going back and checking logs, there was a
    > chkconfig --add for run levels 3 and 5 for ntp, the rpm command and
    > the chkconfig ntp off/on commands.
    >
    > K/S* inode change times were in the middle of that set of activities.


    Ahhh... My hunch is the chkconfig commands did it (in the
    library with the candlestick). With the non-deterministic
    stuff that is done with the K/S* symlinks, playing with the
    set of services to start/stop would cause recalculation of
    the ordering and thus the inode change times.

    --
    Robert Riches
    spamtrap42@verizon.net
    (Yes, that is one of my email addresses.)

  11. Re: NTP and Intrusion Detection Environment FYI

    On Wed, 25 Jul 2007 04:42:55 GMT, Robert M. Riches Jr. wrote:
    >>
    >> K/S* inode change times were in the middle of that set of activities.

    >
    > Ahhh... My hunch is the chkconfig commands did it (in the
    > library with the candlestick). With the non-deterministic
    > stuff that is done with the K/S* symlinks, playing with the
    > set of services to start/stop would cause recalculation of
    > the ordering and thus the inode change times.


    Yes, except for the test shot, I did another --init of database, and did
    all the chkconfig commands --add,off,on found in the log and --check
    did not show any link change.

    Did another ntp server change, --check and only ntp file changes.
    Even rebooted and --check did not show link change.

    There is nothing going on around 14:2* so I am at a loss as to why
    they changed. I thought about a bad disk block causing the change but
    that should have been a remap in the drive and transparent to the
    filesystem. As I misunderstand it.

  12. Re: NTP and Intrusion Detection Environment FYI

    On 25 Jul 2007, in the Usenet newsgroup alt.os.linux.mandriva, in article
    , Bit Twister wrote:

    >Robert M. Riches Jr. wrote:
    >>
    >>> K/S* inode change times were in the middle of that set of activities.

    >>
    >> Ahhh... My hunch is the chkconfig commands did it (in the
    >> library with the candlestick).


    I don't think so - the candlestick has a cast iron alibi from Bud Selig
    who was there, and didn't see it happen. Admittedly, the scullery maid
    might be rather distracting. On the other paw, did you notice the large
    dent in the soup tureen and that the trebuchet on the front lawn has been
    moved? [1]

    >> With the non-deterministic stuff that is done with the K/S* symlinks,
    >> playing with the set of services to start/stop would cause
    >> recalculation of the ordering and thus the inode change times.


    And people wonder why I rip out these automated "let me help you - don't
    worry about the man behind the curtain" tools. It would be nice if the
    so-called "helper" mailed root an explanation of what was done and why
    (the following links were reordered; \n old name new name \n [bla,
    bla, bla]\n Reason: link $FOO requires service $BAR to be running
    before it is able to start.) so that people are offered the chance to
    learn WTF is happening. It's not like SysVinit is rocket science.

    >Yes, except for the test shot, I did another --init of database, and did
    >all the chkconfig commands --add,off,on found in the log and --check
    >did not show any link change.
    >
    >Did another ntp server change, --check and only ntp file changes.
    >Even rebooted and --check did not show link change.


    Perhaps the changes that were made earlier aren't being reversed
    because they are not incompatible with the "latest" configuration.

    >There is nothing going on around 14:2* so I am at a loss as to why
    >they changed.


    In your response to my post, you wrote:

    ]That's what got me. I was just running the Mandriva Control Center
    ]to change ntp servers. After going back and checking logs, there was a
    ]chkconfig --add for run levels 3 and 5 for ntp, the rpm command and
    ]the chkconfig ntp off/on commands.
    ]
    ]K/S* inode change times were in the middle of that set of activities.

    Are you saying that you were not running NTP beforehand, or that you
    were, but updated the package? Both of those actions could conceivably
    trigger a re-arrangement of the link order if the currently installed
    setup differs from before.

    You could try 'rpm -qf rc3.d/*' to see what package (if any) owns the
    links there (they could be created by a package post-install script
    and may or may not be listed as being owned by any specific package).
    If some package _does_ claim ownership, run 'rpm -V $PACKAGENAME' to
    see if the chkconfig numbers in each file may have been altered.

    >I thought about a bad disk block causing the change but that should
    >have been a remap in the drive and transparent to the filesystem.


    Correct. The operating system sees nothing of the change, because the
    disk controller is the only one that knows, and it's not telling.

    >As I misunderstand it.


    No, you've got the theory right.

    Old guy

    [1] I'll bet there are a few people scratching their heads over _that_
    little dialog, right Inspector? ;-)
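
    The replies above make two points a practitioner would want to act on:
    Dawid's, that an inode change on a start/kill link means nothing until
    you know what each link should look like, and Moe Trin's, that the link
    targets and chkconfig priority numbers are what to check. The following
    script is an added example written for this page, not code from the
    thread, from Mandriva's tools or from AIDE. It takes a baseline of every
    K*/S* link (priority number, target, inode) under an rc root, compares a
    later snapshot against it, and separates a link that was merely rewritten
    with the same target (what chkconfig-style regeneration looks like) from
    one that was renumbered, retargeted, added or removed; it also flags any
    link whose target is not an existing ../init.d script. The directory
    layout, service names and the planted /var/tmp target in the demo are all
    constructed; the assumption that links resolve to ../init.d/<service> is
    marked in the code.

```python
"""Baseline-and-compare check for SysV rc?.d start/kill symlinks (added example)."""
import os
import shutil
import tempfile

INIT_DIR = "init.d"      # assumption: rc links resolve to ../init.d/<service>
RUNLEVELS = range(7)     # rc0.d .. rc6.d


def snapshot(rc_root):
    """Map (rc dir, K|S, service) -> (link name, target, inode) for every K*/S* link."""
    snap = {}
    for level in RUNLEVELS:
        rc_dir = f"rc{level}.d"
        full = os.path.join(rc_root, rc_dir)
        if not os.path.isdir(full):
            continue
        for name in sorted(os.listdir(full)):
            path = os.path.join(full, name)
            # chkconfig-style names: S or K, two-digit priority, service name
            if len(name) < 4 or name[0] not in "KS" or not name[1:3].isdigit():
                continue
            if not os.path.islink(path):
                continue
            key = (rc_dir, name[0], name[3:])
            snap[key] = (name, os.readlink(path), os.lstat(path).st_ino)
    return snap


def compare(old, new):
    """Classify every link in either snapshot relative to the baseline."""
    verdict = {}
    for key in sorted(set(old) | set(new)):
        if key not in old:
            verdict[key] = "added"
        elif key not in new:
            verdict[key] = "removed"
        else:
            oname, otarget, oino = old[key]
            nname, ntarget, nino = new[key]
            if oname != nname:
                verdict[key] = "renumbered"   # start/stop order changed
            elif otarget != ntarget:
                verdict[key] = "retargeted"   # points somewhere else: investigate
            elif oino != nino:
                verdict[key] = "recreated"    # same link rewritten in place
            else:
                verdict[key] = "unchanged"
    return verdict


def suspicious_targets(rc_root, snap):
    """Keys whose target is outside ../init.d or whose init script does not exist."""
    expected_dir = os.path.join("..", INIT_DIR)
    bad = []
    for key, (_name, target, _ino) in sorted(snap.items()):
        head, script = os.path.split(target)
        script_path = os.path.join(rc_root, INIT_DIR, script)
        if os.path.normpath(head) != expected_dir or not os.path.isfile(script_path):
            bad.append(key)
    return bad


def _link(rc_root, rc_dir, name, target):
    """Create or replace a link; the replacement always gets a fresh inode."""
    path = os.path.join(rc_root, rc_dir, name)
    os.symlink(target, path + ".tmp")
    os.replace(path + ".tmp", path)


def demo():
    """Build a constructed rc tree, mutate it, return (verdicts, suspicious keys)."""
    root = tempfile.mkdtemp(prefix="rcdemo-")
    try:
        os.mkdir(os.path.join(root, INIT_DIR))
        for level in RUNLEVELS:
            os.mkdir(os.path.join(root, f"rc{level}.d"))
        for svc in ("syslog", "shorewall", "ntp"):
            with open(os.path.join(root, INIT_DIR, svc), "w") as fh:
                fh.write("#!/bin/sh\n")  # stand-in init script (constructed)
        # Baseline: syslog and shorewall start in 3 and 5, syslog killed in 0
        for rc_dir in ("rc3.d", "rc5.d"):
            _link(root, rc_dir, "S10syslog", "../init.d/syslog")
            _link(root, rc_dir, "S25shorewall", "../init.d/shorewall")
        _link(root, "rc0.d", "K90syslog", "../init.d/syslog")
        before = snapshot(root)
        # Constructed mutations:
        _link(root, "rc3.d", "S55ntp", "../init.d/ntp")                # service added
        _link(root, "rc5.d", "S55ntp", "../init.d/ntp")
        _link(root, "rc3.d", "S25shorewall", "../init.d/shorewall")    # rewritten, same target
        _link(root, "rc5.d", "S25shorewall", "/var/tmp/shorewall")     # planted target
        os.rename(os.path.join(root, "rc0.d", "K90syslog"),
                  os.path.join(root, "rc0.d", "K89syslog"))            # priority changed
        after = snapshot(root)
        return compare(before, after), suspicious_targets(root, after)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    verdicts, bad = demo()
    for key, what in verdicts.items():
        if what != "unchanged":
            print(f"{key[0]}/{key[1]}??{key[2]}: {what}")
    for key in bad:
        print(f"{key[0]}/{key[1]}??{key[2]}: target outside {INIT_DIR} or script missing")
```

    Run against a real system as `snapshot("/etc/rc.d")` after the baseline
    is known good, store the result, and re-run the compare after any tool
    touches the links. "recreated" on its own is consistent with a link
    regenerator rewriting what it already had; "retargeted", "renumbered" and
    anything in the suspicious list are what deserve the closer look Dawid
    asked for.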

  13. Re: NTP and Intrusion Detection Environment FYI

    On Wed, 25 Jul 2007 15:17:57 -0500, Moe Trin wrote:
    > On 25 Jul 2007, in the Usenet newsgroup alt.os.linux.mandriva, in article
    >, Bit Twister wrote:


    >
    >>Yes, except for the testshot, I did another --init of database, and did
    >>all the chkconfig commands --add,off,on found in the log and --check
    >>did not show any link change.
    >>
    >>Did another ntp server change, --check and only ntp file changes.
    >>Even rebooted and --check did not show link change.



    > Perhaps the changes that were made earlier aren't being reversed
    > because they are not incompatible with the "latest" configuration.


    Sounds good to me. Since this was the first time I had done anything
    through MCC, it could be a residual effect of
    http://www.mandriva.com/security/adv...=MDKA-2007:077

    System updates are normally done through my CLI update script.

    >]That's what got me. I was just running the Mandriva Control Center
    >]to change ntp servers. After going back and checking logs, there was a
    >]chkconfig --add for run levels 3 and 5 for ntp, the rpm command and
    >]the chkconfig ntp off/on commands.
    >]
    >]K/S* inode change times were in the middle of that set of activities.
    >
    > Are you saying that you were not running NTP beforehand, or that you
    > were, but updated the package?


    No, yeah, no. NTP package was installed during the clean install.
    System updates were current as of the Jul-20 update.

    Only reason I was dinking with NTP was there is a DSL node in the
    North American ntp pool which seemed to be causing my NTP sync to keep
    hunting back and forth. I am scheduled to get a FiOS connection on the 31st
    and noticed a dlink ntp server in the router's docs.

    Thought I would see how much hunting my system would do with dlink's
    server. Log became pretty quiet with their server.

    > You could try 'rpm -qf rc3.d/*' to see what package (if any) owns the


    No script shows up, which sounds normal to me.

    > links there (they could be created by a package post-install script


    It was truly a random set of links that I knew had no direct
    relationship to NTP. Matter of fact, when my eye fell on the firewall
    link (shorewall), I quit playing around with aide settings. Started
    checking into what may have gone on and tried to recreate it.

