Date:      Mon, 2 Oct 2017 04:10:47 +0200
From:      Polytropon <freebsd@edvax.de>
To:        The Doctor <doctor@doctor.nl2k.ab.ca>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Weird turnoff
Message-ID:  <20171002041047.31f81a0d.freebsd@edvax.de>
In-Reply-To: <20171002002506.GA42212@doctor.nl2k.ab.ca>
References:  <20171001232531.GA18260@doctor.nl2k.ab.ca> <20171002021140.931f17de.freebsd@edvax.de> <20171002002506.GA42212@doctor.nl2k.ab.ca>

On Sun, 1 Oct 2017 18:25:06 -0600, The Doctor wrote:
> On Mon, Oct 02, 2017 at 02:11:40AM +0200, Polytropon wrote:
> > On Sun, 1 Oct 2017 17:25:31 -0600, The Doctor wrote:
> > > Could be an attack.
> > > 
> > > All right.
> > > 
> > > As of this morning (3 p.m. UTC) my secondary FreeBSD 11.1 server
> > > has been going interface down then up and then unable to route.
> > > 
> > > Rebooted this system 2 times today.
> > > 
> > > 
> > > What should I be looking for?
> > 
> > Primarily the system's log files in /var/log: messages, auth.log,
> > security. Also check the output of the periodic scripts (mailed
> > to root or another user), do they contain hints to something that
> > looks suspicious (SUID changes, system file modifications, etc.)?
> >
> 
> exactly what I am looking for

Many system actions are recorded in those log files. Of course
if an attacker has write access to them, it's fairly easy for
him to delete the entries which suggest that he has been there...



> I am going to have to do a transcribe as I am operating from the
> potential victim and ssh'ing to this terminal
> 
> or ftp the information over

Use FTP only within a trusted network (which implies only trusted
participants), as information is typically transmitted without
encryption!




> Oct  1 16:56:46 gallifrey kernel: igb0: link state changed to DOWN
> Oct  1 17:00:10 gallifrey kernel: igb0: link state changed to UP
> Oct  1 17:17:32 gallifrey kernel: igb0: <Intel(R) PRO/1000 Network Connection, Version - 2.5.3-k> port 0x6020-0x603f mem 0xc7120000-0xc713ffff,0xc7144000-0xc7147fff irq 26 at device 0.0 numa-domain 0 on pci3

This looks like some reboot. The last message above usually is
the _first_ message with igb0 originator, the following ones
(the ones _above_ it!) must be from a previous run of the system.
A link change cannot be reported before the device has been
initialized by the kernel.

From your log, we can easily see the NIC init messages with
the following timestamps (summarized):

	Oct  1 17:17:32 gallifrey kernel: igb0
	Oct  1 17:17:32 gallifrey kernel: igb1

	Oct  1 17:40:09 gallifrey kernel: igb0
	Oct  1 17:40:09 gallifrey kernel: igb1

	Oct  1 12:04:48 gallifrey kernel: igb0
	Oct  1 12:04:48 gallifrey kernel: igb1

This looks like reboots. Does /var/log/messages have multiple
occurrences of the FreeBSD "kernel banner" (the copyright
information and so on)?



> Nothing in the auth.log that I can see as an issue.

That matches the reboot theory. A manual reboot (issued by a system
operator) would cause an entry, but an accidental reboot would not.



> Also, how do I turn routing / ifconfig back on?

You can use "service netif restart" to restart the networking
subsystem.



> Rebooting is not that fun

Agreed, and it doesn't fix the problem either... :-)




-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
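As an added example (not part of the thread, and not FreeBSD's own
script), here is an on-demand version of the setuid/setgid comparison
that the periodic(8) security scripts mail to root once a day, so the
"SUID changes" check mentioned above can be run right now against a
saved baseline. It assumes POSIX find(1), diff(1) and mktemp(1); the
baseline path, the demo directory and the file names in it are
constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: an on-demand version of the setuid/
# setgid comparison that FreeBSD's periodic(8) security scripts mail to root
# each day, so it can be run right now against a saved baseline.
# Assumptions: POSIX find(1)/diff(1)/mktemp(1); the baseline path is yours to
# choose. Keep a copy of it off the host: once an attacker can write to the
# machine, a baseline there is no more trustworthy than the log files.

# setuid_check DIR BASELINE
#   First run: records the sorted list of setuid/setgid files under DIR
#   (without crossing filesystem boundaries) into BASELINE and returns 0.
#   Later runs: returns 0 if nothing changed, prints the diff and returns 1
#   otherwise.
setuid_check() {
    dir=$1; base=$2
    current=$(mktemp)
    find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null \
        | sort >"$current"
    if [ ! -f "$base" ]; then
        cp "$current" "$base"
        rm -f "$current"
        echo "baseline written: $base ($(wc -l <"$base") entries)"
        return 0
    fi
    if diff "$base" "$current" >/dev/null; then
        rm -f "$current"
        echo "no setuid/setgid changes under $dir"
        return 0
    fi
    echo "setuid/setgid changes under $dir since baseline:"
    diff "$base" "$current" | grep '^[<>]'     # "<" removed, ">" added
    rm -f "$current"
    return 1
}

# Demo on a constructed directory tree.
# Real use would be something like: setuid_check / /var/db/setuid.baseline
DEMO=$(mktemp -d)
BASE="$DEMO/baseline"
mkdir "$DEMO/root"
printf 'x' >"$DEMO/root/su"; chmod 4755 "$DEMO/root/su"          # an expected setuid file
setuid_check "$DEMO/root" "$BASE"                                  # first run writes the baseline
printf 'x' >"$DEMO/root/unexpected"; chmod 4755 "$DEMO/root/unexpected"
setuid_check "$DEMO/root" "$BASE" || echo "exit status $?: investigate the '>' lines"
```

The list is path-only. The periodic script also records inode, mode and
owner, so a change of owner or mode on an already-listed setuid file
would be missed here; extend the find output if that matters to you.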


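The reboot-counting described above, as an added example (not from
the thread): a small awk script that splits a /var/log/messages-style
file into boot segments, using the kernel copyright banner or, where
the banner is missing, the interface's attach line ("igb0: <Intel(R)
..."), counts link changes per segment, reports link changes that
appear before any such marker (they belong to a run whose start is not
in the file), and flags lines whose timestamp goes backwards. It
generalises to any interface name, not only igb0. Assumes POSIX sh,
awk(1) and mktemp(1); the sample log is constructed, modelled on the
lines quoted in the thread, with the attach lines shortened.

```shell
#!/bin/sh
# Added example, not from the thread: split a FreeBSD /var/log/messages-style
# file into boot segments and count NIC link changes per segment.
# A segment starts at the kernel copyright banner or, when no banner was seen
# since the last attach (e.g. rotated away), at the interface's attach line.
# Link-change lines before any such marker belong to a run whose start is not
# in the file. Timestamps that go backwards are flagged; they are worth a look
# when the order of reboots in the log does not match the clock.
# Assumptions: POSIX sh, awk(1), mktemp(1); syslog-format lines
# "Mon DD HH:MM:SS host kernel: ...".

# boot_report FILE [IFACE]   (IFACE defaults to igb0)
boot_report() {
    awk -v ifc="${2:-igb0}" '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", mn, " ")
        for (i = 1; i <= 12; i++) midx[mn[i]] = i
        prev = -1; boot = 0; orphan = 0; banner = 0
    }
    # ordering key from month/day/time; only used to compare neighbouring lines
    function tskey(    h) {
        split($3, h, ":")
        return ((midx[$1] * 31 + $2) * 86400) + h[1] * 3600 + h[2] * 60 + h[3]
    }
    function newboot() {
        if (boot > 0) print "boot " boot " start=" start " flaps=" flaps
        boot++; start = $1 " " $2 " " $3; flaps = 0
    }
    NF < 5 || !($1 in midx) { next }        # skip lines without a syslog timestamp
    {
        k = tskey()
        if (prev >= 0 && k < prev)
            print "WARN line " NR ": timestamp goes backwards (" $1 " " $2 " " $3 ")"
        prev = k
    }
    /kernel: Copyright \(c\) /            { newboot(); banner = 1; next }
    $0 ~ ("kernel: " ifc ": <")           { if (!banner) newboot(); banner = 0; next }
    $0 ~ (ifc ": link state changed")     { if (boot == 0) orphan++; else flaps++ }
    END {
        if (boot > 0) print "boot " boot " start=" start " flaps=" flaps
        print "orphan link events=" orphan
    }' "$1"
}

# Constructed sample (not a real log), modelled on the lines quoted above.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Oct  1 16:56:46 gallifrey kernel: igb0: link state changed to DOWN
Oct  1 17:00:10 gallifrey kernel: igb0: link state changed to UP
Oct  1 17:17:32 gallifrey kernel: Copyright (c) 1992-2017 The FreeBSD Project.
Oct  1 17:17:32 gallifrey kernel: igb0: <Intel(R) PRO/1000 Network Connection, Version - 2.5.3-k> irq 26 at device 0.0 on pci3
Oct  1 17:17:32 gallifrey kernel: igb1: <Intel(R) PRO/1000 Network Connection, Version - 2.5.3-k> irq 27 at device 0.1 on pci3
Oct  1 17:20:05 gallifrey kernel: igb0: link state changed to UP
Oct  1 17:31:40 gallifrey kernel: igb0: link state changed to DOWN
Oct  1 17:40:09 gallifrey kernel: Copyright (c) 1992-2017 The FreeBSD Project.
Oct  1 17:40:09 gallifrey kernel: igb0: <Intel(R) PRO/1000 Network Connection, Version - 2.5.3-k> irq 26 at device 0.0 on pci3
Oct  1 17:40:30 gallifrey kernel: igb0: link state changed to UP
Oct  1 12:04:48 gallifrey kernel: igb0: <Intel(R) PRO/1000 Network Connection, Version - 2.5.3-k> irq 26 at device 0.0 on pci3
Oct  1 12:05:10 gallifrey kernel: igb0: link state changed to UP
EOF

boot_report "$SAMPLE_LOG"
```

On a real box run it as boot_report /var/log/messages igb0; feed the
rotated copies in first, in order, if the day's reboots are already
spread across them. Every "boot N" line is a kernel start; a high flap
count inside a single segment is the interface going down and up
without a reboot, which is a different problem from a box that keeps
restarting.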
