Koozali.org: home of the SME Server

Went to Hell in Handbasket

Wally

Went to Hell in Handbasket
« on: April 21, 2003, 08:24:12 AM »
Good evening one and all,

I have setup an e-smith box at a school. I used the basic default settings and added some add-ons. I've used e-smith since v3.x and have enjoyed it immensely. I am competent at Linux enough to be dangerous and have experienced many different distros. Enough background, on to the problem.

I added the following add-ons to v5.1.2:

Snort/ACID
Port forwarding
User Panels - couldn't get to work with SARG and/or ACID reports.
Phorum
SARG
SquidGuard v3.x w/blacklist updates from Berkeley
IPSEC/FreeSwan(?)

Something happened and I have no real point of reference. Everything was working as of Friday afternoon/evening. I had SSH open to public access so I could manage it from a remote location. These are the things I cannot do at this time,

1. The IPSEC tunnel appears to be in place. I can ping an internal address at the main location from the remote location.
2. I can't NAT through the box from any workstation on the LAN.
3. I can't send or receive email.
4. SquidGuard/proxy is failing to work. When I do the squid-reset, it states that it has failed to stop but it succeeds in starting. Outside of this issue, everything succeeds in starting.
5. I just tried to login with SSH from the remote location and the connection was refused yet telnet accepted my connection. I don't remember turning on public access for telnet. I tried to login as root and the password was refused. Am I wrong in thinking that someone has done something to change/reset the password for root? If so, what do I look for? I was able to login as admin and succeeded in shutting down the system until I can get on-site to repair the problem.

I think this pretty much covers the problems. If anyone needs more clarity, let me know. Since the admin password hasn't changed, when resetting the password using the web manager, does this also reset the root's password? If this has happened and some kind of hack/trojan (for lack of better terminology), will upgrading to the latest release, 5.5 or 5.6, fix or remove the problem? If there is a hack or trojan installed, how would I go about looking for the problem and removing it?

Thanks in advance for any assistance that you might provide.

Wally

Cory

Re: Went to Hell in Handbasket
« Reply #1 on: April 23, 2003, 03:45:36 AM »
I do not think that changing the admin password will change the root password but I'm not sure about it.

If you are looking to see if there is a root kit on your machine try looking here:  http://www.chkrootkit.org/.
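Before reaching for a rootkit checker, the questions Wally raises (was a second root created, was a system binary replaced, why is telnet listening) can be answered from a few captured command outputs. The script below is an added example written for this page, not code from the thread, from chkrootkit or from SME Server. It assumes a Red Hat style box of that era (rpm, netstat) and works on files copied off the suspect machine; every sample it runs against is constructed for the example.

```shell
#!/bin/sh
# Added example (not code from the thread or from SME Server): an offline
# triage script for the "has someone changed root / installed a trojan"
# question. It runs three checks over captured command output, so it can be
# run against files copied off the suspect box. All sample data below is
# constructed for the example.
#
#   1. extra UID-0 accounts in /etc/passwd
#   2. package-owned binaries that `rpm -Va` reports as changed
#   3. listening TCP ports that are not on the list the box should offer
#      (an unexplained telnet listener would show up here)

# Constructed passwd file: "toor" is a second UID-0 account.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
toor:x:0:0::/:/bin/sh
wally:x:500:500:Wally:/home/e-smith/files/users/wally:/bin/false'

# Constructed `rpm -Va` output. Flag columns: S=size, M=mode, 5=MD5 differs;
# "c" in the type column marks a config file; "missing" means the file is gone.
SAMPLE_RPM_VA='S.5....T   /bin/ls
.......T c /etc/hosts
..5....T   /usr/sbin/sshd
missing    /usr/share/doc/foo/README
.M......   /usr/bin/passwd
S.5....T c /etc/ssh/sshd_config'

# Constructed `netstat -ant` output (Linux layout).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5000            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:22          192.168.1.50:1045       ESTABLISHED'

# Check 1: print every account other than root whose UID is 0.
# Arg 1: path to a passwd-format file.
find_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Check 2: from captured `rpm -Va` output, print package-owned files under
# the system binary directories whose size, mode or MD5 changed. Config
# files ("c") are skipped because they change legitimately; "missing"
# lines are skipped too (worth a separate look, but not a trojan signal).
# Arg 1: path to a file holding rpm -Va output.
find_modified_binaries() {
    awk '
        $1 == "missing"      { next }
        NF == 3 && $2 == "c" { next }
        {
            flags = $1; path = $NF
            changed = (substr(flags, 1, 1) == "S" ||
                       substr(flags, 2, 1) == "M" ||
                       substr(flags, 3, 1) == "5")
            if (changed && path ~ /^\/(bin|sbin|usr\/bin|usr\/sbin|lib)\//)
                print path
        }' "$1"
}

# Check 3: print listening TCP sockets whose port is not in the allow list.
# Arg 1: file with netstat -ant output; arg 2: space-separated expected ports.
find_unexpected_listeners() {
    awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "tcp" && $NF == "LISTEN" {
            port = $4; sub(/.*:/, "", port)
            if (!(port in ok)) print $4
        }' "$1"
}

# Run all three checks over the constructed samples and print the findings.
run_triage() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_PASSWD" > "$tmp"
    echo "== extra UID-0 accounts ==";     find_uid0_accounts "$tmp"
    printf '%s\n' "$SAMPLE_RPM_VA" > "$tmp"
    echo "== modified system binaries =="; find_modified_binaries "$tmp"
    printf '%s\n' "$SAMPLE_NETSTAT" > "$tmp"
    echo "== unexpected listeners ==";     find_unexpected_listeners "$tmp" "22 25 80 443 3128"
    rm -f "$tmp"
}

run_triage
```

On the constructed samples this reports the extra `toor` account, three changed binaries (`/bin/ls`, `/usr/sbin/sshd`, `/usr/bin/passwd`) and two listeners that were never meant to be public (port 23, the telnet Wally did not remember enabling, and port 5000). The caveat a responder should keep in mind: `rpm -Va` trusts the `rpm` binary, its database and the kernel it runs on, so a rootkit that replaces any of them can hide its files from this check. Run it from a boot CD or against a disk mounted on a clean machine, and treat the output as a reason to rebuild, not as proof the box is clean.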

Dan Brown

Re: Went to Hell in Handbasket
« Reply #3 on: April 23, 2003, 06:14:53 AM »
Changing the admin password through the server manager will also change the root password--but changing the root password at the command prompt (with the passwd command) won't change the admin password.

Now, I wouldn't worry about telnet rejecting the root password--it should do that, as root should never be able to log on via telnet.  The other indications on your machine are strange, and may indicate a compromise, but I wouldn't worry about that one by itself.

Charlie Brady

Nobody should be running 5.1.2 or earlier (was Re: Went to H
« Reply #4 on: April 23, 2003, 08:07:59 PM »
Wally wrote:
...
> I added the following add-ons to v5.1.2:

Mitel is no longer maintaining updates for 5.1.2, and as far as I am aware, no-one else has stepped in to take up that role. 5.1.2 has multiple vulnerabilities and should no longer be considered secure.

Charlie

Walter Padgett

Re: Nobody should be running 5.1.2 or earlier (was Re: Went
« Reply #5 on: April 23, 2003, 08:28:15 PM »
Good Morning,

I understand the version issue, I was trying to maintain it until the end of the school year and this had to happen five weeks out. ARRGHH... When going up there this evening, it looks like I will be reformatting and starting over. I used the backup/restore option under the manager page to backup the unit. After starting over with version 5.5 or 5.6, will this restore work and what does it restore?

1. User id's ?
2. User email ?
3. Basic system info?

If it will do these three, I will be elated.

Thanks for all the assistance,

Walter "Wally" Padgett