# strange behavior / machine compromised?

## e3k

First, mplayer dropped from fullscreen to a window.

Then I checked with iptables -L and everything was open.

Then I set up a basic iptables, but there is some NAT configuration inside /var/lib/iptables/rules-save which I did not add:

```
...
*nat
:PREROUTING ACCEPT [389:30114]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [733:75266]
:POSTROUTING ACCEPT [733:75266]
COMMIT
...
```

Oh, and also for some months I have had a message that the hw clock could not be set, but now also that it can't be stopped at shutdown.

Any ideas what else I could check?

----------

## e3k

The story went on like this:

Suddenly my gcc broke when I tried to install lsof to check what was writing to my iptables config file.

When trying to repair gcc from a tarball, almost all links to useful commands such as emerge broke.

I decided to reinstall, so I booted from an old livecd, but the strange behaviour went on:

When emerging gentoo-sources, emerge pulled in something like 30 packages besides gentoo-sources.

So I suspected a man-in-the-middle attack on my old router/dsl modem. After replacing the piece I was able to reinstall gentoo and the system now behaves normally...

The question is how well is gentoo protected if somebody/something takes control of your router. Is it possible to redirect the traffic somewhere to fake a portage and then install tampered packages into gentoo during a standard update?

----------

## ulenrich

emerge-webrsync

... then you will be on the safe side.

----------

## e3k

Done. No more emerge --sync for me now.

I wonder why there is only an emerge-webrsync/pgp implementation.

Thank you.

----------

## Hu

Note that emerge-webrsync is only safer if you have a way to validate the signature of the downloaded file.  To do that, you need to obtain the public portion of the signing key through a secure channel, and trust that your system's ability to validate signatures is not compromised.

----------

## kerframil

*e3k wrote:*

> then i checked with iptables -L and everything was open.

If you're behind a router performing NAT then that doesn't necessarily matter.

*e3k wrote:*

> then i set up a basic iptables but there is some NAT configuration inside /var/lib/iptables/rules-save which i did not add:
>
> ...

The policy for all built-in chains defaults to ACCEPT. There's nothing unusual about this.

----------

## e3k

*kerframil wrote:*

> *e3k wrote:*
>
> > then i checked with iptables -L and everything was open.
>
> If you're behind a router performing NAT then that doesn't necessarily matter.
>
> The policy for all built-in chains defaults to ACCEPT. There's nothing unusual about this.

It is safer to connect directly than to connect via a compromised router...

And yes, the NAT part was a false alarm, but the fact that my iptables got overwritten permanently to ACCEPT everything was strange (and I did save them after editing; even when I edited the config file manually it got changed).

----------

## e3k

*Hu wrote:*

> Note that emerge-webrsync is only safer if you have a way to validate the signature of the downloaded file. To do that, you need to obtain the public portion of the signing key through a secure channel, and trust that your system's ability to validate signatures is not compromised.

I changed the router, so I now have more trust in the channel. Or should I book a plane ticket and go with a USB key to download it somewhere? :)

----------

## kerframil

*e3k wrote:*

> and yes the NAT part was a false alarm, but the fact that my iptables got overwritten permanently to ACCEPT everything was strange (and i did save them after editing; even when i edited the config file manually it got changed)

The chances of this being a mistake on your part are vastly greater. Also, if SAVE_ON_STOP is set to "yes" in /etc/conf.d/iptables and you have iptables in your default runlevel, the rules will be saved upon shutdown. This is worth mentioning because it can lead to accidental loss if the tables are not in the desired state.
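The two points kerframil makes above (built-in chains default to ACCEPT, and SAVE_ON_STOP="yes" makes the shutdown script overwrite rules-save with whatever is currently loaded) can be checked mechanically. The script below is an added example and not code from this thread or from the Gentoo iptables init script: it parses an iptables-save dump in the format e3k posted, reports whether the filter table is effectively wide open (default ACCEPT policies and no rules), and reads SAVE_ON_STOP from /etc/conf.d/iptables. The dump and the conf.d contents embedded here are constructed samples; on a real box you would feed it the actual files.

```python
"""Inspect an iptables-save dump and /etc/conf.d/iptables for an
"everything ACCEPT" state that would be persisted at shutdown.

Added example (not from the thread). Both inputs below are constructed.
"""
import re

# Constructed sample: e3k's *nat fragment plus an empty *filter table,
# which is what "everything open" looks like in rules-save.
SAMPLE_RULES_SAVE = """\
# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [389:30114]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [733:75266]
:POSTROUTING ACCEPT [733:75266]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

# Constructed sample of the Gentoo conf.d file; the variable names are the
# ones kerframil refers to, the values are made up for the example.
SAMPLE_CONF_D = """\
# /etc/conf.d/iptables (constructed sample)
IPTABLES_SAVE="/var/lib/iptables/rules-save"
SAVE_ON_STOP="yes"
"""


def parse_rules_save(text):
    """Return {table: {"policies": {chain: policy}, "rules": [rule, ...]}}."""
    tables = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                      # "*filter": start of a table
            current = line[1:]
            tables[current] = {"policies": {}, "rules": []}
        elif line == "COMMIT":                        # end of the table
            current = None
        elif current is None:
            continue
        elif line.startswith(":"):                    # ":CHAIN POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]       # user chains carry policy "-"
            tables[current]["policies"][name] = policy
        else:                                         # "-A INPUT ... -j DROP" etc.
            tables[current]["rules"].append(line)
    return tables


def filter_is_wide_open(tables):
    """True if the filter table has no rules and every built-in chain is ACCEPT.

    A missing filter table counts as wide open: the kernel default policy is
    ACCEPT, and restoring this dump would leave nothing filtering traffic.
    """
    filt = tables.get("filter")
    if filt is None:
        return True
    builtin = ("INPUT", "FORWARD", "OUTPUT")
    all_accept = all(filt["policies"].get(c, "ACCEPT") == "ACCEPT" for c in builtin)
    return all_accept and not filt["rules"]


def save_on_stop(conf_text):
    """True if SAVE_ON_STOP is set to yes (quoted or not, any case)."""
    m = re.search(r'^\s*SAVE_ON_STOP=["\']?(\w+)', conf_text, re.MULTILINE)
    return m is not None and m.group(1).lower() == "yes"


def assess(rules_text, conf_text):
    """Return a list of human-readable findings for the two inputs."""
    tables = parse_rules_save(rules_text)
    findings = []
    if filter_is_wide_open(tables):
        findings.append("filter table is empty with ACCEPT policies: nothing is filtered")
    if "nat" in tables and not tables["nat"]["rules"]:
        findings.append("nat table holds only default ACCEPT policies (normal, no NAT rules)")
    if save_on_stop(conf_text):
        findings.append("SAVE_ON_STOP=yes: the running tables overwrite rules-save at shutdown")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_RULES_SAVE, SAMPLE_CONF_D):
        print(finding)
```

Run against the real files with `assess(open("/var/lib/iptables/rules-save").read(), open("/etc/conf.d/iptables").read())`. If the first and third findings both appear, then a machine that was shut down with an empty filter table will come back with an empty rules-save, which is exactly the "my rules got overwritten" symptom without any attacker involved.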

----------

## roravun

e3k,

I too do not think you were under attack. A mildly experienced gentooer could set up a fake mirror and portage tree that would not look suspicious at all.

You could hide hostile payloads in thousands of places that would go unnoticed if you didn't take additional precautions. This "attack" just seems so amateur. ;)

----------

## e3k

*roravun wrote:*

> e3k,
>
> I too do not think you were under attack. A mildly experienced gentooer could set up a fake mirror and portage tree that would not look suspicious at all.
>
> You could hide hostile payloads in thousands of places that would go unnoticed if you didn't take additional precautions. This "attack" just seems so amateur.

I can only guess what it was, and my theory is that my router was hacked by a bot which attacked someone outside, who then attacked me to force me to reinstall and replace the router.

But of course it could also be that multiple things broke accidentally on my gentoo. It is hard for me to believe, though, as until now (years) I had no problems with it, and I did not do anything special with my system in the days before the attack or "attack".

----------

