# [SOLVED] eth0 starts by magic. Have I been hacked?

## Karl_R

Hi guys,

I have an iptables firewall running on my PC and only allow related traffic and ports 80 and 443 into my box.

The PC connects to the internet via a Netgear router which has a firewall on it only allowing 80 and 443.

Port 80 is apache and 443 is sshd (protocol 2 only and PKI only, i.e. no password login).

My router is a dhcp host and my eth1 is connected to it.

eth0 is currently not connected to anything.

The weird thing is that eth0 keeps coming up on reboot.

I don't have net.eth0 in my runlevels scripts.

Here is the result of ifconfig -a (MAC address changed to protect the innocent):

```
/sbin/ifconfig -a

eth0      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:55
          inet6 addr: fe80::2a0:24ff:fe76:b055/64 Scope:Link
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1 errors:0 dropped:0 overruns:0 carrier:1
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:90 (90.0 b)
          Interrupt:19 Base address:0xb000

eth0:FWB1 Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:55
          inet addr:192.168.0.21  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:19 Base address:0xb000

eth1      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:66
          inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::205:5dff:fed1:9766/64 Scope:Link
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4453 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4946 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1238115 (1.1 Mb)  TX bytes:1122628 (1.0 Mb)
          Interrupt:18

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:93 errors:0 dropped:0 overruns:0 frame:0
          TX packets:93 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:177820 (173.6 Kb)  TX bytes:177820 (173.6 Kb)

sit0      Link encap:IPv6-in-IPv4
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
```

And here is the content of my /etc/conf.d/net:

```
# This blank configuration will automatically use DHCP for any net.*
# scripts in /etc/init.d.  To create a more complete configuration,
# see /etc/conf.d/net.example and put your configuration in this file.

modules=( "iproute2" )

ifconfig_eth0=("192.168.1.1 netmask 255.255.255.0")

ipaddr_eth0=(
        "192.168.1.1/24 brd 192.168.0.255"
)

ifconfig_eth1=( "dhcp" )

ipaddr_eth1=( "dhcp" )

dhcpcd_eth1="-d -t 5 -R -N"
```

I only have `/etc/runlevels/boot/net.lo` and `/etc/runlevels/default/net.eth1` in my runlevels dirs.

I've noticed from my router that it thinks that 192.168.0.21 is connected to it but with the MAC address of the eth1 card.

If I run

```
ifconfig eth0 down
```

I get no error but it doesn't shut down.

But if I run

```
/etc/init.d/net.eth0 start
/etc/init.d/net.eth0 stop
```

then the interface shuts down.

I've grepped for any file containing the "FWB1" word and the only place I can find it is in /var/log/messages:

> Jun 27 15:46:43 mymachine ntpd[14569]: Listening on interface eth0:FWB1, 192.168.0.21#123

The contents of /etc/ntp.conf are:

```
mymachine ~ # cat /etc/ntp.conf
restrict default noquery notrust nomodify
restrict 127.0.0.1
restrict 192.168.0.0 mask 255.255.255.0
server ntp2a.mcc.ac.uk prefer
server ntp2b.mcc.ac.uk
server ntp2c.mcc.ac.uk
server ntp2d.mcc.ac.uk
server 127.127.1.0
fudge 127.127.1.0 stratum 3
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp.log
```

and ntpq shows:

```
firestarter ~ # ntpq -c pe
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 maverick.mcc.ac .RSTR.          16 u    -   64    0    0.000    0.000 4000.00
 veracity.mcc.ac .RSTR.          16 u    -   64    0    0.000    0.000 4000.00
 utserv.mcc.ac.u .RSTR.          16 u    -   64    0    0.000    0.000 4000.00
 scarp.mc.man.ac .RSTR.          16 u    -   64    0    0.000    0.000 4000.00
*LOCAL(0)        LOCAL(0)         3 l   55   64  377    0.000    0.000   0.002
```

I can't see where the eth0 interface is being started from. Any ideas?

Cheers

Karl

Last edited by Karl_R on Wed Jun 29, 2005 11:05 pm; edited 1 time in total

----------

## corley

hmmm... You are clearly setting up eth0 as a local network interface. If you don't want it, then don't put it there.

 *Quote:*   

> and here is the content of my /etc/conf.d/net
> ...

----------

## UberLord

Either hotplug or coldplug could be starting it for you.

----------

## Karl_R

 *Quote:*   

> hmmm... You are clearly setting up eth0 as a local network interface. If you don't want it, then don't put it there. 

 

It's not as simple as that. I do need it every now and then, when I plug other boxes into the internal network hub. The problem is that it is starting with the IP address 192.168.0.21 which is not what I set it to.

The fact that I have eth0 in my conf file shouldn't matter if I'm not starting eth0.

The fact that I'm not starting eth0 and yet it is restarting and on an ip address not of my choosing is worrying.

----------

## Karl_R

 *Quote:*   

> Either hotplug or coldplug could be starting it for you.

 

Hadn't thought of that. How can I find out what they are up to?

Cheers

----------

## UberLord

 *Karl_R wrote:*   

> > Either hotplug or coldplug could be starting it for you.
>
> Hadn't thought of that. How can I find out what they are up to?
>
> Cheers

 

Easy. Move /etc/hotplug/net.agent to a temporary location.

Reboot. If the devices fail to come up (which I would expect) then hotplug/coldplug are the guilty party here.

baselayout-1.12.0-alpha3 will support hotplug policy for network devices (works for coldplug too)

----------

## Karl_R

OK, I copied /etc/hotplug/net.agent to a temporary place, rebooted and the eth0 is back up again same as before.

So I guess hotplug is out of the frame.

Any more ideas?

Cheers

Karl

----------

## UberLord

Uh - eth0:FWB1 - Fire Wall Builder? Is that bringing it up?

----------

## toralf

 *Karl_R wrote:*   

> OK, I copied /etc/hotplug/net.agent to a temporary place

 You should *move* that script away instead of copying it.

----------

## Karl_R

 *Quote:*   

> Uh - eth0:FWB1 - Fire Wall Builder? Is that bringing it up?

 

I was thinking along the same lines too, and it looks like you are right.

Here are the guilty lines in the fwbuilder-generated iptables.fw script:

```
add_addr 192.168.0.21 24 eth0
$IP link set eth0 up
```

I'll have to recheck my rules to see how that got there! 

Thanks for all your help

this one is solved.

Karl

----------

## Karl_R

It turns out that in the (Firewall) tab, found by right-clicking on the firewall machine and clicking Edit, there is an option I'd not seen before, "Configure firewall machine interfaces". This is the culprit that starts the interface with the IP address that fwbuilder thinks it has.

I turned it off, and all is now right in the world again.

K
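The thread's question was "where is eth0 being started from?", and the answer turned out to be a generated firewall script rather than the init system. As an added example that is not part of the thread, the script below audits a directory tree for lines that bring up or address a named interface, including the `add_addr ... eth0` / `$IP link set eth0 up` idiom quoted above and `eth0:FWB1`-style aliases. The sample tree it scans is constructed here; the directories you would point it at on a real box are assumptions.

```bash
#!/bin/sh
# Added example, not code from the thread: audit startup scripts for commands
# that bring up or assign an address to a given interface. The fwbuilder lines
# quoted above (add_addr ... eth0 / $IP link set eth0 up) are what it detects.
# Directory and file names below are assumptions.

# iface_config_hits IFACE DIR...
# Prints file:line:text for every line under DIR... that appears to configure
# IFACE; exit status 0 if anything matched, 1 otherwise (grep semantics).
iface_config_hits() {
    iface="$1"; shift
    # grep -E alternatives, one per configuration idiom:
    #   ifconfig eth0 ...             net-tools address assignment
    #   ... link set eth0 up          iproute2, also when called via $IP
    #   ... dev eth0                  iproute2 "ip addr add ... dev eth0"
    #   add_addr <addr> <len> eth0    fwbuilder helper seen in the thread
    #   eth0:NAME                     interface alias such as eth0:FWB1
    pat="ifconfig[[:space:]]+$iface([[:space:]]|:)"
    pat="$pat|link[[:space:]]+set[[:space:]]+$iface[[:space:]]+up"
    pat="$pat|dev[[:space:]]+$iface([[:space:]]|\$)"
    pat="$pat|add_addr[[:space:]].*[[:space:]]$iface([[:space:]]|\$)"
    pat="$pat|$iface:[[:alnum:]_]+"
    grep -rnE -- "$pat" "$@" 2>/dev/null
}

# Constructed sample tree: a script modelled on the fwbuilder output quoted in
# the thread plus an unrelated config file. Prints the directory path.
make_sample_dir() {
    d=$(mktemp -d)
    mkdir -p "$d/firewall"
    cat > "$d/firewall/iptables.fw" <<'EOF'
IP=/sbin/ip
add_addr 192.168.0.21 24 eth0
$IP link set eth0 up
EOF
    printf 'modules=( "iproute2" )\n' > "$d/net"
    printf '%s\n' "$d"
}

# Demo run against the constructed tree. On a real box, point it at the places
# startup code lives, e.g. iface_config_hits eth0 /etc /usr/local/etc
sample_dir=$(make_sample_dir)
iface_config_hits eth0 "$sample_dir" || echo "no hits for eth0"
rm -rf "$sample_dir"
```

Every hit is printed with its file and line number, so a stray `link set eth0 up` in a generated script shows up without having to know the script's name in advance.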

----------

## c_riis

I'm having some problems with my network settings.

I have a server (fwbuilder using iptables) set to NAT, and I'm losing connection to my server from the underlying network... the PCs are getting DHCP from the server's dhcp daemon, so something is working. My iptables rules are working fine after the server is rebooted.

But I would like to reset all iptables rules and all that stuff... and I'd like to get rid of the eth0:FWB1 too, since it seems to be created by iptables, and therefore could corrupt my network.

After looking a bit more at the problem, the PCs seem to lose the connection when I restart the network device on the server, and after that it doesn't matter if I run my firewall/NAT script - they can't connect, not even ping.

Thanks in advance

- Christian

----------

