Topic: Is there a way to restore IP table?

[vnt]

My SME v6.01 server was hacked.  Root .bash_history shows the following commands...

iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain

Now iptables -L shows nothing.  Is there a way to recover/restore the IP table or do I have to re-install SME from scratch???

Please help...  

[gordonr]

My SME v6.01 server was hacked.  Root .bash_history shows the following commands...

Security issues should be reported to security@contribs.org rather than the forums.

Please include your version (6.0.1), what services are enabled and whether you have made any changes or installed additional software.

The box should be disconnected from the network. The only safe way to recover from an intrusion is to reinstall, restore user data, change all passwords and delete any ssh keys.

You can restore the iptables configuration by a reboot, but if someone has managed to break your system, that is unlikely to stop them.

Thanks,

Gordon

[arne]

I guess someone have had full root access to the server. I believe only root is allowed to run the iptables command. (If someone really have runned those cammands.)

"Now iptables -L shows nothing. Is there a way to recover/restore the IP table"

To "restore" ipåtables is very easy. (If not other configuration things are changed) The command mentioned does only work on the firewall configuration until next reboot. Reboot the server and the configuration command that is mentioned will be gone.

"or do I have to re-install SME from scratch???"

Yes and no .. Not because of those specific commands that is mentioned. Those will be gone as soon as the machine is rebooted. But on the other hand, if someone have had full root access to the machine, what else cluld have been done ? I wonder if the machine does not now have a rather "unknown condition" ??!!

I belive this certain problem or issue is likely to be not a specific SME security problem, but rather that someone has guessed the root password and obtained full access. I think there is a lot of internet robots that try to obtain such access. My log use to be full of them.

The first thing to do will be to reboot the machine and obtain the default firewall setting (if there should be any, by other words, it is no "server only" but a gateway. The also all remote ssh access should be turned off (via configuration panel) until it is clarified what has happened. The root password should also be changed.

If the conclusion is that the system have been compromised by a "root hacker", you never know what more that might have happened, and all the system should be reinstalled again.

But of course this will only be valid if the server initially should have a firewall. (No firewall is the default normal condition for the "server only" installation.)

If someone have obtained full root access this might of course be due to a security flow in the sme server installation, a buffer overflow in the ssh logon buffer as an excample (If the server is configured with remote ssh access), but I thin it is a lot more likely to believe that someone eventually have guessed the root password.

Best regards Arne.

[arne]

"Now iptables -L shows nothing."

This will be "the normal condition" for a server only installation and "rather unnormal" for a server gateway installation.