
Thread: Hacked?

  1. #11
    Master Untangler
    Join Date
    Aug 2008
    Posts
    112


    So I'm still trying to figure this out...
    I found out earlier today that a BitTorrent client was running the past few days. Shortly after it was shut down, everything resumed normal operation. At the time, I didn't put any thought into it.
    I still keep coming back to the thought of hard disk failure because I can't find a hack attempt on this.
    Is it possible that the system ran out of resources, i.e., temp files or swap files, etc., due to the torrent activity? Could that cause this type of failure, i.e., loss of log writing, tcpdumps, etc.?
    The client is understandably anxious, ready to involve police, and I want to be absolutely sure we're not dealing with some type of system failure before going down this road.
    Thanks in advance
    D.
    Dave Bour
    Desktop Solution Center
    Burlington, ON, Canada
    www.desktopsolutioncenter.ca
    905.381.0077 X501

  2. #12
    Untangle Ninja Mathiau's Avatar
    Join Date
    Feb 2008
    Location
    Costa Frickn' Rica
    Posts
    1,636


    I was about to say, as you mentioned, inside job.

    Are any systems on a domain? Time to lock them down so people can't install stuff; if not, look into http://www.faronics.com/en/Products/...Corporate.aspx for users who are abusing their systems.
    kv-2 | UT 11.0.1 | Dell R610 Server | Intel Xeon 2.8Ghz Quad Cores | 24Gb DDR3 ECC | 1 Intel QPort NIC | Integrated Broadcom QP | Dell Perc 4i | 6 x 73G 2.5 15k SAS raid 10 | 100mb/100mb | 30mb/30Mb

  3. #13
    Master Untangler Big D's Avatar
    Join Date
    Nov 2008
    Posts
    719


    There is a hard limit to the number of sessions UT can handle; I wonder if the BitTorrent was causing Untangle to freak out. I think the session limit is over 10,000 or more, but I don't know the exact number.
    The beatings shall continue until morale improves!

  4. #14
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,747


    Quote Originally Posted by dcbour View Post
    So I'm still trying to figure this out...
    I found out earlier today that a BitTorrent client was running the past few days. Shortly after it was shut down, everything resumed normal operation. At the time, I didn't put any thought into it.
    I still keep coming back to the thought of hard disk failure because I can't find a hack attempt on this.
    Is it possible that the system ran out of resources, i.e., temp files or swap files, etc., due to the torrent activity? Could that cause this type of failure, i.e., loss of log writing, tcpdumps, etc.?
    The client is understandably anxious, ready to involve police, and I want to be absolutely sure we're not dealing with some type of system failure before going down this road.
    Thanks in advance
    D.


    So besides his email password being known, is there any evidence of any kind of break-in? For all you know his password was guessed. Or he could have logged in over wifi while someone ran a sniffer in Starbucks. There are a million ways that don't involve anything local, which is where you seem 100% focused. They could have sniffed at an ISP. They could have hacked the carrier and they bought his email/password with a whole batch of other emails. The list of possibilities is endless.

    I suspect the outage was an outage. I see no reason to believe it's connected until there is evidence suggesting it's connected. Are you running Attack Blocker? If not, slowness and outages might happen when someone runs BitTorrent.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  5. #15
    Master Untangler
    Join Date
    Aug 2008
    Posts
    112


    As to the original compromise, that was before my time (and Untangle) and yes, anything is possible. Seeing his passwords, definitely not hacked by brute force. Be it a wifi attack, physical-access keyloggers, who knows... The only certainty of it is there was a compromise.

    As to yesterday's event... as I said, I don't know absolutely that it's an attack or system failure.

    In light of the past issues (pre-Untangle), I initially suspected attack.

    The behavior is the system stopped writing to the hard disk for 13 hrs. Everything occurring in that window wasn't logged.

    I'm now leaning more towards a system failure of some sort at this point, in light of BitTorrent running, add in the logging attempts I've added, and the previous comment from BigD that it's possible due to limits in UT.

    What are the specific limits that could occur in UT? Is there a session limit, as typically found on POS consumer routers? Is there a document summarizing these limits?

    Thanks in advance
    D.
    Dave Bour
    Desktop Solution Center
    Burlington, ON, Canada
    www.desktopsolutioncenter.ca
    905.381.0077 X501

  6. #16
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,747


    Quote Originally Posted by dcbour View Post
    The behavior is the system stopped writing to the hard disk for 13 hrs. Everything occurring in that window wasn't logged.
    In that case, it sounds like a full disk or a disk problem to me.
    That would be consistent with being able to get to websites but not getting email.
    (Spam Blocker uses the disk to write emails to SpamAssassin, but web will still work.)
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  7. #17
    Master Untangler
    Join Date
    Aug 2008
    Posts
    112


    That's my thought, except the disk has plenty of space. I thought it was 60% free; actually 60 GB free. Disk failure is possible, but I've never seen one resume after 13 hrs of no activity... that said, there's a first time for everything.
    That's why I was wondering about resource limits and if we hit them. Could that cause a similar type of failure?
    Going to replace the disk in the unit tomorrow to see if anything else unusual occurs.
    Dave Bour
    Desktop Solution Center
    Burlington, ON, Canada
    www.desktopsolutioncenter.ca
    905.381.0077 X501
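    The thread keeps circling on "did the box stop writing for 13 hours, and was the disk actually full?". The two checks below are an added example for confirming that from the gateway's own data; they are not from the thread or from Untangle. They assume classic syslog lines (no year field, so one is assumed) and a POSIX filesystem; the sample lines are constructed. Note that a filesystem can report gigabytes free and still refuse every write once its inodes are exhausted, which is why the inode check sits next to the free-space question.

```python
"""Find windows where a syslog-style file stopped receiving entries, and check inodes."""
import os
from datetime import datetime, timedelta

# Constructed sample lines (not from the thread): a ~13-hour silence between 03:01 and 16:04.
SAMPLE_LOG = """\
Mar 14 02:45:10 gw kernel: eth1: link is up
Mar 14 02:58:01 gw spamd[2210]: processed message in 1.2 seconds
Mar 14 03:01:22 gw sshd[2301]: Accepted publickey for admin from 192.0.2.10
Mar 14 16:04:07 gw kernel: EXT3-fs error (device sda1): write failed
Mar 14 16:05:30 gw spamd[2210]: processed message in 0.9 seconds
"""

def parse_ts(line, year=2011):
    """Timestamp of a classic syslog line; the year is not in the line, so it is assumed."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")

def find_gaps(text, min_gap=timedelta(hours=1)):
    """Return (last_entry, next_entry, duration) for each silence longer than min_gap."""
    stamps = [parse_ts(l) for l in text.splitlines() if l.strip()]
    gaps = []
    for prev, cur in zip(stamps, stamps[1:]):
        if cur - prev > min_gap:
            gaps.append((prev, cur, cur - prev))
    return gaps

def inode_usage(path="/"):
    """Fraction of inodes in use on the filesystem holding `path` (1.0 means ENOSPC on create)."""
    st = os.statvfs(path)
    if st.f_files == 0:          # some filesystems report no inode table
        return 0.0
    return 1 - st.f_ffree / st.f_files

if __name__ == "__main__":
    for start, end, dur in find_gaps(SAMPLE_LOG):
        print(f"no log entries from {start} to {end} ({dur})")
    print(f"inode usage on /: {inode_usage():.1%}")
```

    Run it against /var/log/syslog (or the rotated copies covering the outage) and compare the gap boundaries with the kernel messages just before and after; a write error logged as the first entry after the silence points at the disk, an absence of any error points at a stalled logger.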

  8. #18
    Master Untangler wharfratjoe's Avatar
    Join Date
    Dec 2008
    Location
    Southern California
    Posts
    431


    Quote Originally Posted by dcbour View Post
    Will do. Got OpenVPN now but still have external access to it too. If only I could configure it to read by MAC addresses rather than IP... then I'm guaranteed to lock it down securely, as there's only two systems that are used.
    D.
    PM sent

  9. #19
    Untangler RatKnight's Avatar
    Join Date
    Nov 2010
    Location
    Shepherd University
    Posts
    57


    I will say this:

    I am a Networking and Security major, and I run the network in the computer building in my school. We have a Cisco ASA 5510 running as our front-end firewall (I objected VERY much to keeping this), and then I put in Untangle behind this firewall in bridge mode.

    I had some loss of logs early on, before I began blocking BitTorrent, because of the massive amount of traffic going through. Based on the logs, the system was hitting very high CPU usage, and my bet is that the system cannibalized the logging system to continue passing through data. Once I enabled the protocol control, I never saw another issue.

    Keep in mind, I am running this on a Dell blade server with dual Xeon processors at 2.5 GHz and 8 GB of RAM with a 500 GB HD. Also remember that the network serves about 350 - 400 students and faculty at any time, and that the university moved us to our own network because of the torrenting activity. Before UT, the torrenting in this building was out of control, and now it is manageable.

    Sorry for rambling... it is 2 AM here, so I am out of it, but I doubt you have been compromised; this is a system based on Debian, which is on an extremely secure kernel. I would agree, though, that you need to disable external access, and also that you should cycle passwords, just to be safe. Also, turn on the spyware and virus blockers so that these fools aren't getting their passwords stolen, lol.

    Sorry for the ramble.

    Rat
