Cyber Attack??
I've just noticed that i couldn't unlock an encrypted external hard drive and that my encrypted swap partition wasn't mounted because cryptsetup "magically" disappeared from my computer. Also, my root partition appears to be 100% full and, although not knowing if it's related to cryptsetups disappearance, i can't explain why my root partition is full. My root partition is only 1 GB, but i can't remember that being a problem.
The only thing i've installed lately (this very day) was IcedTea Java browser plugin from the repos! While trying to figure out why my encrypted swap wan't mounted i tried to open /etc/fstab in gedit from the command line and i got the following message: "_IceTransSocketUNIXConnect: Cannot connect to non-local host ". I had already closed Abrowser, after unsuccessfully tried to load a webpage (Portuguese IRS submittal webpage) that had a java app.
I then remembered to do dmesg | tail in the command line and i got some strange inbound traffic, like from address 211.224.108.50 so i did a whois query on it and got this: whois 211.224.108.50
query: 211.224.108.50
# KOREAN
조회하신 IPv4주소는 한국인터넷진흥원으로부터 아래의 관리대행자에게 할당되었으며, 할당 정보는 다음과 같습니다.
[ 네트워크 할당 정보 ]
IPv4주소 : 211.216.0.0 - 211.225.255.255 (/13+/15)
서비스명 : KORNET
기관명 : 주식회사 케이티
기관고유번호 : ORG1600
주소 : 성남시 분당구 정자동 206 한국통신 e-Biz본부 기획팀
우편번호 : 463-711
할당일자 : 20000912
[ IPv4주소 책임자 정보 ]
이름 : IP주소관리자
전화번호 : +82-2-500-6630
전자우편 : name at domain
[ IPv4주소 담당자 정보 ]
이름 : IP주소담당자
전화번호 : +82-2-500-6630
전자우편 : name at domain
[ 스팸 해킹 담당자 정보 ]
이름 : 스팸/해킹담당
전화번호 : +82-2-100-0000
전자우편 : name at domain
--------------------------------------------------------------------------------
조회하신 IPv4주소는 위의 관리대행자로부터 아래의 사용자에게 할당되었으며, 할당 정보는 다음과 같습니다.
[ 네트워크 할당 정보 ]
IPv4주소 : 211.224.108.0 - 211.224.108.255 (/24)
네트워크 이름 : KORNET-11177520780
기관명 : (주)에피밸리
기관고유번호 : ORG841923
주소 : 구미시 공단동
우편번호 : 730-030
할당내역 등록일 : 20080714
공개여부 : N
[ 네트워크 담당자 정보 ]
기관명 : (주)에피밸리
주소 : 구미시 공단동
우편번호 : 730-030
전자우편 : name at domain
# ENGLISH
KRNIC is not an ISP but a National Internet Registry similar to APNIC.
[ Network Information ]
IPv4 Address : 211.216.0.0 - 211.225.255.255 (/13+/15)
Service Name : KORNET
Organization Name : Korea Telecom
Organization ID : ORG1600
Address : 206, Jungja-dong, Bundang-gu, Sungnam-ci
Zip Code : 463-711
Registration Date : 20000912
[ Admin Contact Information ]
Name : IP Administrator
Phone : +82-2-500-6630
E-Mail : name at domain
[ Tech Contact Information ]
Name : IP Manager
Phone : +82-2-500-6630
E-Mail : name at domain
[ Network Abuse Contact Information ]
Name : Network Abuse
Phone : +82-2-100-0000
E-Mail : name at domain
--------------------------------------------------------------------------------
More specific assignment information is as follows.
[ Network Information ]
IPv4 Address : 211.224.108.0 - 211.224.108.255 (/24)
Network Name : KORNET-11177520780
Organization Name : (ju)epibaelri
Organization ID : ORG841923
Address : Gongdan-dong, Gumi-si, Gyeongsangbuk-do
Zip Code : 730-030
Registration Date : 20080714
Publishes : N
[ Technical Contact Information ]
Organization Name : (ju)epibaelri
Address : Gongdan-dong, Gumi-si, Gyeongsangbuk-do
Zip Code : 730-030
E-Mail : name at domain
My browser was closed and i can't explain the reason for this inbound traffic. Putting it all toghether, i can only guess that something very fishy was going on. Has anyone got any idea to why cryptsetup could just vanish from my computer without me uninstalling it?
I'm puzzled...
Regarding the cryptsetup issue, sometimes it happened to me when I tried to run apt-get autoremove that the cryptsetup package was marked for removal.
Is there any way possible to have mistakenly removed the package ?
Regarding the space, my best guest would be that the space is used by some logs.
I once had experienced a similar issue when a 'stupid' app flooded with a couple of gigs.
I don't have the expertise or the experience to to give network related advice but I can tell you that according to the 'Securing Debian Manual' it's advised to do a clean install in break-in situations, you weigh the situation.
I just used apt-get install cryptsetup
to install the missing cryptsetup app and also installed (previously to cryptsetup) IcedTea; i haven't used apt for anything else in a long time. Just one or two days ago i had cryptsetup installed!
About the filled root partition: i have a separate partition for /var, /boot, /home, /opt, /usr and /usr/local, so i think that logs (separated in its own /var partition) ain't the problem, and... i really can't find big files in / or /root that could ever fill anything at all... neither some big corrupt config file in /etc ... weird! I do have some 320 MB in /dev/shm (five 64 MB pulse-shm-xxxxxxxxxx files) and over 500 MB somewhere in /sys/devices/pci/ ... what could this mean?
Could a malevolent Java applet embedded in a webpage be able to delete my local cryptsetup app???
I just used apt-get install cryptsetup to install the missing cryptsetup app
and also installed (previously to cryptsetup) IcedTea; i haven't used apt for
anything else in a long time. Just one or two days ago i had cryptsetup
installed!
About the filled root partition: i have a separate partition for /var, /boot,
/home, /opt, /usr and /usr/local, so i think that logs (separated in its own
/var partition) ain't the problem, and... i really can't find big files in /
or /root that could ever fill anything at all... neither some big corrupt
config file in /etc ... weird! I do have some 320 MB in /dev/shm (five 64 MB
pulse-shm-xxxxxxxxxx) and over 500 MB somewhere in /sys/devices/pci/ ... what
could this mean?
Could a malevolent Java applet embedded in a webpage be able to delete my
local cryptsetup app???
1 GB root does sound too small to me. And if your root is full, then expect
the unexpected, any number of crazy random things will happen.
If your root indeed is full, then expect the unexpected, any number of crazy random things will happen.