#1 2009-09-22 17:55:49

android
Member
From: San Diego
Registered: 2003-04-18
Posts: 160

possible crack?

Hello Fellow Archers,

After running Arch for ~6 years I think I may have finally been cracked?

This arch workstation serves a samba share which is mounted by a windoze machine needing access to version controlled files on the host.

The share is USER level protected with a password.

This share is visible over the LAN's WiFi
(I know, I know, let's try to focus on "What now" not "Should/Shouldn't wa wa wa")

Recently after returning from out of town for 4 or 5 days I found I couldn't connect to the samba share. The SMBD service was not running.

When I try to restart smbd I get this error:

smbd/server.c:open_sockets_smbd(534)
smbd[3225]:   open_sockets_smbd: listen: Address already in use

This is the contents of the /var/run/daemons directory:

[root@4x johnea]# ls /var/run/daemons/
apcupsd  arch32  crond  cups  dbus  gpm  hal  netfs  network  samba  sshd  syslog-ng

This is the result of nmap of this machine from across the LAN:

Starting Nmap 4.68 ( http://nmap.org ) at 2009-09-22 10:25 PDT
Interesting ports on 4x.johnea.net (192.168.100.239):
Not shown: 1707 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
501/tcp   filtered stmf
1551/tcp  filtered hecmtl-db
2011/tcp  filtered raid-cc
2033/tcp  filtered glogger
2903/tcp  filtered extensisportfolio
5303/tcp  filtered hacl-probe
12000/tcp filtered cce4x
MAC Address: 00:1C:C0:39:3B:1D (Intel Corporate)

Nmap done: 1 IP address (1 host up) scanned in 3.780 seconds

This shows no 137 even though nmbd shows as running in SWAT, and it shows no 139 even though the smbd service refuses to start saying the address is already in use. Quite frankly I have no idea what most of that other stuff is! 8-/

One other REALLY weird thing, whenever I try to run netstat on the affected machine it crashes the whole system, leaving the keyboard LEDs flashing.

One thing I've tried is mounting the last arch release CD and reinstalling all of the core packages. This fixes the netstat crash and another "invalid binary" error I was getting trying to run ifconfig. But then if I pacman -Syu the netstat crash comes back!

This makes me think maybe it's not a crack, but some kind of config error on my part.

I've tried to google for the smbd log message, but I don't get a single search result. This seems kind of weird in and of itself.

This machine has a soft raid mirror, I guess I'll disconnect one of the drives and completely reinstall on the other. Then I can bring in my home directory and anything else I need before recreating the mirror.

Any suggestions or anecdotes of similar experience are greatly appreciated.

Kindest Regards...

johnea
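
Added example (not part of the original post): when netstat cannot be run, the kernel's socket table in /proc/net/tcp can be read directly to see which process holds a port such as 139. The sample table and the function names parse_listeners and owner_of are constructed for illustration; only IPv4 is handled.

```python
import os
import socket
import struct

# Constructed sample in /proc/net/tcp format (not taken from the poster's host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5120 1
   1: 00000000:008B 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 7731 1
   2: EF64A8C0:0016 0A64A8C0:C350 01 00000000:00000000 02:000A1B2C 00000000     0        0 9002 3
"""
LISTEN = "0A"  # TCP_LISTEN in the kernel's state numbering


def parse_listeners(table):
    """Return (ip, port, inode) tuples, sorted by port, for LISTEN sockets."""
    found = []
    for line in table.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10 or fields[3] != LISTEN:
            continue
        hex_ip, hex_port = fields[1].split(":")
        # IPv4 address is a 32-bit hex word in host byte order (little-endian on x86).
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        found.append((ip, int(hex_port, 16), int(fields[9])))
    return sorted(found, key=lambda t: t[1])


def owner_of(inode, proc="/proc"):
    """Return the PID holding a socket inode, or None (needs root to see all)."""
    target = "socket:[%d]" % inode
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return int(pid)
        except OSError:  # process exited or access denied
            continue
    return None


if __name__ == "__main__":
    table = SAMPLE
    if os.path.exists("/proc/net/tcp"):
        with open("/proc/net/tcp") as f:
            table = f.read()
    for ip, port, inode in parse_listeners(table):
        print("%s:%d inode=%d pid=%s" % (ip, port, inode, owner_of(inode)))
```

Compare the result with a scan from another host, as the poster did with nmap; /proc can itself be altered by a kernel-level compromise, so a disagreement between the two views is the thing to look for.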


#2 2009-09-22 19:09:35

wuischke
Member
From: Suisse Romande
Registered: 2007-01-06
Posts: 630

Re: possible crack?

I also recommend that you do a clean install. You never know if you are safe otherwise.

For similar experiences, look at the now infamous "phrakture got hacked" thread in the forums...


#3 2009-09-23 21:25:37

ckristi
Member
From: Bucharest, Romania
Registered: 2006-11-21
Posts: 225

Re: possible crack?

It also may look like pacman is downloading from a repository meant for another architecture (i686 instead of x86_64 or vice versa).
Check your /etc/pacman.d/mirrorlist and see if that's the case.

Last edited by ckristi (2009-09-23 21:26:13)


In love I believe and in Linux I trust


#4 2009-09-23 22:18:14

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: possible crack?

Oh, and better make sure no one knows the root password or has sudo privileges (or if you left a root console open); someone like friends may be playing tricks on you, I've seen such a thread before :P


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K
