From owner-freebsd-questions@freebsd.org Mon Oct 2 02:10:53 2017
Date: Mon, 2 Oct 2017 04:10:47 +0200
From: Polytropon
To: The Doctor
Cc: freebsd-questions@freebsd.org
Subject: Re: Weird turnoff
Message-Id: <20171002041047.31f81a0d.freebsd@edvax.de>
In-Reply-To: <20171002002506.GA42212@doctor.nl2k.ab.ca>
References: <20171001232531.GA18260@doctor.nl2k.ab.ca> <20171002021140.931f17de.freebsd@edvax.de> <20171002002506.GA42212@doctor.nl2k.ab.ca>
Organization: EDVAX
X-Mailer: Sylpheed 3.1.1 (GTK+ 2.24.5; i386-portbld-freebsd8.2)
On Sun, 1 Oct 2017 18:25:06 -0600, The Doctor wrote:
> On Mon, Oct 02, 2017 at 02:11:40AM +0200, Polytropon wrote:
> > On Sun, 1 Oct 2017 17:25:31 -0600, The Doctor wrote:
> > > Could be an attack.
> > >
> > > All right.
> > >
> > > As of this morning (3 p.m. UTC) my secondary FreeBSD 11.1 server
> > > has been going interface down then up and then unable to route.
> > >
> > > Rebooted this system 2 times today.
> > >
> > >
> > > What should I be looking for?
> >
> > Primarily the system's log files in /var/log: messages, auth.log,
> > security. Also check the output of the periodic scripts (mailed
> > to root or another user), do they contain hints to something that
> > looks suspicious (SUID changes, system file modifications, etc.)?
> >
>
> exactly what I am looking for

Many system actions are recorded in those log files. Of course
if an attacker has write access to them, it's fairly easy for him
to delete the entries which suggest that he has been there...

> I am going to have to do a transcribe as I am operating from the
> potential victim and ssh'ing to this terminal
>
> or ftp the information over

Use FTP only within a trusted network (which implies only trusted
participants), as information is typically transmitted without
encryption!
> Oct 1 16:56:46 gallifrey kernel: igb0: link state changed to DOWN
> Oct 1 17:00:10 gallifrey kernel: igb0: link state changed to UP
> Oct 1 17:17:32 gallifrey kernel: igb0: port 0x6020-0x603f mem 0xc7120000-0xc713ffff,0xc7144000-0xc7147fff irq 26 at device 0.0 numa-domain 0 on pci3

This looks like some reboot. The last message above usually is
the _first_ message with igb0 originator, the following ones (the
ones _above_ it!) must be from a previous run of the system. A link
change cannot be reported before the device has been initialized
by the kernel.

From your log, we can easily see the NIC init messages with the
following timestamps (summarized):

Oct 1 17:17:32 gallifrey kernel: igb0
Oct 1 17:17:32 gallifrey kernel: igb1
Oct 1 17:40:09 gallifrey kernel: igb0
Oct 1 17:40:09 gallifrey kernel: igb1
Oct 1 12:04:48 gallifrey kernel: igb0
Oct 1 12:04:48 gallifrey kernel: igb1

This looks like reboots. Does /var/log/messages have multiple
occurrences of the FreeBSD "kernel banner" (the copyright
information and so on)?

> Nothing in the auth.log that I can see as an issue.

That matches the reboot theory. A manual reboot (issued by a system
operator) would cause an entry, but an accidental reboot would not.

> Also, how do I turn routing / ifconfig back on?

You can use "service netif restart" to restart the networking
subsystem.

> Rebooting is not that fun

Agreed, and it doesn't fix the problem either... :-)

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
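The reasoning in the reply above (a driver attaches once per boot before any link event, so a link-state line that precedes the attach line belongs to an earlier run, and repeated attach lines or kernel banners mean repeated boots) can be turned into a small log check. The following Python script is an added example and not code from the thread; the log excerpt is constructed after the lines quoted above, and the igb1 resources and the banner line are assumed for the example.

```python
import re

# Constructed sample modelled on the lines quoted in the thread; igb1's
# resources and the banner line are made up for the example.
SAMPLE_LOG = """\
Oct  1 16:56:46 gallifrey kernel: igb0: link state changed to DOWN
Oct  1 17:00:10 gallifrey kernel: igb0: link state changed to UP
Oct  1 17:17:32 gallifrey kernel: igb0: port 0x6020-0x603f mem 0xc7120000-0xc713ffff irq 26 at device 0.0 numa-domain 0 on pci3
Oct  1 17:17:32 gallifrey kernel: igb1: port 0x6000-0x601f mem 0xc7100000-0xc711ffff irq 27 at device 0.1 numa-domain 0 on pci3
Oct  1 17:40:09 gallifrey kernel: Copyright (c) 1992-2017 The FreeBSD Project.
Oct  1 17:40:09 gallifrey kernel: igb0: port 0x6020-0x603f mem 0xc7120000-0xc713ffff irq 26 at device 0.0 numa-domain 0 on pci3
Oct  1 12:04:48 gallifrey kernel: igb0: port 0x6020-0x603f mem 0xc7120000-0xc713ffff irq 26 at device 0.0 numa-domain 0 on pci3
Oct  1 12:04:48 gallifrey kernel: igb0: link state changed to UP
"""

SYSLOG = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) kernel: (.*)$")
BANNER = re.compile(r"^Copyright \(c\) 1992-\d{4} The FreeBSD Project")
ATTACH = re.compile(r"^(igb\d+): .*\bat device\b")
LINK = re.compile(r"^(igb\d+): link state changed to (UP|DOWN)$")

def split_runs(log_text):
    """Split kernel messages into runs, one per boot.  A run starts at the
    kernel banner or at an attach line for a NIC that already spoke in the
    current run (a driver attaches once per boot, before any link event).
    Link events for a NIC not yet attached in their run are 'orphans':
    leftovers of an earlier boot whose attach lines never reached this log."""
    runs, cur = [], None
    for line in log_text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        ts, _host, msg = m.groups()
        attach, link = ATTACH.match(msg), LINK.match(msg)
        nic = (attach or link).group(1) if (attach or link) else None
        if cur is None or BANNER.match(msg) or (attach and nic in cur["seen"]):
            cur = {"start": ts, "banner": bool(BANNER.match(msg)),
                   "seen": set(), "attached": set(), "orphans": []}
            runs.append(cur)
        if attach:
            cur["attached"].add(nic)
        elif link and nic not in cur["attached"]:
            cur["orphans"].append((ts, msg))
        if nic:
            cur["seen"].add(nic)
    return runs

def reboot_times(log_text):
    """Start of every run after the first (which is the tail of an earlier
    boot).  Kept unsorted: the clock may still be wrong early in a boot."""
    return [r["start"] for r in split_runs(log_text)[1:]]
```

On a real box, feed `reboot_times()` the contents of /var/log/messages (including rotated copies) and compare the reported boot times with the reboots the operator actually issued; any extra one is the unexplained restart worth investigating.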