Can you be hacked THROUGH Nexuiz (on Linux)?

Postby ManicSon » Tue Sep 15, 2009 1:00 am

Let me start off by saying the reason I am posting this is to help make Nexuiz more secure, and to possibly warn players.

I was playing Nexuiz (2.5.1, using Ubuntu 8.04 up to date) a lot on the Nexican server, I noticed between matches a lot of occurrences of the phrase "nasty URL Scheme rejected" and then my system started REALLY lagging, I quit the game and I noticed massive firewall events (over and over) so I went offline.
I am using a LiveCD now, but every time that I boot up off the hard drive and go online the same thing happens with the firestarter firewall, massive firewall events, and my browser cannot load ANY web pages.
I was playing late at night, and there was a player or two (don't remember the names, just that they were regulars) consistently remaining in spectator mode.
So, something IS on my PC, but I don't know what it is, I ran rkhunter but I don't exactly know how to interpret the results.
--------------------------------------------------------------------------------------------------------------------------------------
(for brevity, I will post only the rkhunter warnings):

[22:22:40] /usr/bin/curl [ Warning ]
[22:22:40] Warning: The file '/usr/bin/curl' exists on the system, but it is not present in the rkhunter.dat file.

[22:22:42] /usr/bin/ldd [ Warning ]
[22:22:42] Warning: The file properties have changed:
[22:22:43] File: /usr/bin/ldd
[22:22:43] Current inode: 370444 Stored inode: 354581
[22:22:43] Current file modification time: 1250557412
[22:22:43] Stored file modification time : 1221229932

[22:22:43] /usr/bin/lynx [ Warning ]
[22:22:43] Warning: The file '/usr/bin/lynx' exists on the system, but it is not present in the rkhunter.dat file.

[22:22:46] /usr/bin/sudo [ Warning ]
[22:22:46] Warning: The file properties have changed:
[22:22:46] File: /usr/bin/sudo
[22:22:46] Current hash: c11d69109df56dacf33fed3aec366f72bdd53d7e
[22:22:46] Stored hash : d82c24a5852a96725b9e99abe8b8ee2ae50a5e22
[22:22:46] Current inode: 3195832 Stored inode: 3197338
[22:22:46] Current size: 107968 Stored size: 107936
[22:22:46] Current file modification time: 1248858020
[22:22:46] Stored file modification time : 1234840628

[22:22:48] /usr/bin/lynx.stable [ Warning ]
[22:22:48] Warning: The file '/usr/bin/lynx.stable' exists on the system, but it is not present in the rkhunter.dat file.

[22:22:53] /usr/sbin/unhide [ Warning ]
[22:22:53] Warning: The file '/usr/sbin/unhide' exists on the system, but it is not present in the rkhunter.dat file.

[22:22:53] /usr/sbin/unhide-linux26 [ Warning ]
[22:22:53] Warning: The file '/usr/sbin/unhide-linux26' exists on the system, but it is not present in the rkhunter.dat file.

[22:23:23] Performing filesystem checks
[22:23:23] Info: Starting test name 'filesystem'
[22:23:23] Info: SCAN_MODE_DEV set to 'THOROUGH'
[22:23:36] Checking /dev for suspicious file types [ Warning ]
[22:23:36] Warning: Suspicious file types found in /dev:
[22:23:36] /dev/shm/pulse-shm-113649008: data
[22:23:37] Checking for hidden files and directories [ Warning ]
[22:23:37] Warning: Hidden directory found: /etc/.java
[22:23:37] Warning: Hidden directory found: /dev/.static
[22:23:37] Warning: Hidden directory found: /dev/.udev
[22:23:37] Warning: Hidden directory found: /dev/.initramfs
[22:23:37]

--------------------------------------------------------------------------------------------------------------------------------------
Maybe these are false positives, maybe not,
but maybe someone could tell me where else to check for forensic evidence before I reinstall?

One thing I know for sure, is that I will play off a LiveCD from now on, this happened a couple of years ago when I was playing Enemy Territory a lot. AFAIK, I have only been hacked on Ubuntu during multiplayer games.

And yes, I will say it again, it WAS the Nexican server.
Could an admin be trying to hack my PC there?
ManicSon
Newbie
 
Posts: 3
Joined: Mon Sep 14, 2009 11:36 pm

Postby divVerent » Tue Sep 15, 2009 6:31 am

First of all, "nasty url scheme" is server misconfiguration and nothing else. Can be ignored.

The firewall events - can you quote them?

Players in spectator mode are nothing bad.

As for the rkhunter warnings: this contains nothing that can't be also caused by system updates. Please verify the update log of your package manager when "sudo" was last updated.

The thing in /dev/shm is normal, as well as the hidden directories in /etc and /dev.

There is no known security hole in Nexuiz that would allow such things, and even if there were, a hacker would also need a security hole in the Linux kernel to gain root.

Maybe this all isn't even a rootkit, but someone evil seeing your IP address when you play and trying a DoS attack on you. Server admins can see your IPs, as well as players on some (not all) servers.
1. Open Notepad
2. Paste: ÿþMSMSMS
3. Save
4. Open the file in Notepad again

You can vary the number of "MS", so you can clearly see it's MS which is causing it.
divVerent
Site admin and keyboard killer
 
Posts: 3809
Joined: Thu Mar 02, 2006 4:46 pm
Location: BRLOGENSHFEGLE
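
The package-log check suggested in the reply above, as an added example (not code from the thread, from rkhunter or from Nexuiz): it reads the "file properties have changed" warnings and asks whether dpkg logged an install or upgrade of the owning package at or after the file's modification time. The dpkg.log lines, their placeholder versions, the UTC timestamps and the file-to-package mapping are constructed assumptions; only the two file names and their modification times come from the post.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the two "file properties have changed" warnings from the post.
RKHUNTER_LOG = """\
[22:22:42] Warning: The file properties have changed:
[22:22:43] File: /usr/bin/ldd
[22:22:43] Current file modification time: 1250557412
[22:22:46] Warning: The file properties have changed:
[22:22:46] File: /usr/bin/sudo
[22:22:46] Current file modification time: 1248858020
"""
# Constructed dpkg.log lines (placeholder versions, timestamps assumed UTC).
DPKG_LOG = """\
2009-08-03 07:41:10 upgrade sudo 0.0-old 0.0-new
2009-08-03 07:41:12 status installed sudo 0.0-new
2009-07-01 12:00:00 upgrade libc6 0.0-older 0.0-old
"""
# Assumed file-to-package mapping, as `dpkg -S <path>` would report it.
OWNER = {"/usr/bin/ldd": "libc6", "/usr/bin/sudo": "sudo"}

def changed_files(log):
    """Map each changed file to its current mtime (epoch seconds)."""
    out, current = {}, None
    for line in log.splitlines():
        m = re.search(r"\] File: (\S+)", line)
        if m:
            current = m.group(1)
        m = re.search(r"Current file modification time: (\d+)", line)
        if m and current:
            out[current] = int(m.group(1))
    return out

def upgrades(log):
    """Return {package: [epoch of each install/upgrade action]}."""
    out = {}
    for line in log.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[2] in ("install", "upgrade"):
            ts = datetime.strptime(" ".join(parts[:2]), "%Y-%m-%d %H:%M:%S")
            out.setdefault(parts[3], []).append(ts.replace(tzinfo=timezone.utc).timestamp())
    return out

def triage(rk_log, dpkg_log, owner):
    """A change is 'explained' if the owning package was installed or upgraded
    at or after the file's mtime (package files keep their build-time mtime)."""
    ups = upgrades(dpkg_log)
    return {path: any(t >= mtime for t in ups.get(owner.get(path), []))
            for path, mtime in changed_files(rk_log).items()}
```

A False result only means dpkg's log does not account for the change; that file is the one to compare against the package's own checksums before reinstalling.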

Postby ManicSon » Tue Sep 15, 2009 9:25 am

Well, 3 or 4 days ago, (like an idiot) I uninstalled my Firestarter firewall to see if I could get online without it. Nope.
I guess I was angry that something mucked my system up!

Maybe the intent was not to break into my PC, but to make it unusable by making a slight change. (I know, I know it is almost impossible under Linux!)
It is too much of a coincidence that my computer acted that way.



I might have said something mid-match about how I hope Windows evaporates (I know, brilliant), I might have incurred someone's wrath.
Then again, it might be the gub'ment, they can afford to hire all the brilliant hacker minds at the NSA (with a black hole budget) to catch me playing a violent video game! :P :P
Or maybe it was a completely unrelated and random glitch, I'm not THAT paranoid!

Anyway, I think I will reinstall on the drive and see if I can replicate the results!

But I cannot believe some Windows hackers don't see Linux as a challenge, especially if Bill Gates is funding the research! Sort of like virus creator/hackers in the basement of the anti-virus companies!
:lol: :lol:
I just got my first issue of 2600, the guy selling subscriptions told me that it was for my Atari!
ManicSon
Newbie
 
Posts: 3
Joined: Mon Sep 14, 2009 11:36 pm

Postby divVerent » Tue Sep 15, 2009 1:22 pm

Well, the interesting part of this would be the firewall logs. It would tell whether there was an attack...
divVerent
Site admin and keyboard killer
 
Posts: 3809
Joined: Thu Mar 02, 2006 4:46 pm
Location: BRLOGENSHFEGLE

Postby The mysterious Mr. 4m » Tue Sep 15, 2009 6:04 pm

Linux has always been the target of hackers. What's a bigger challenge: trying to break into a bank or into a supermarket?
4m [PB] (amoebios)

This is Your world.
The mysterious Mr. 4m
Forum addon
 
Posts: 1402
Joined: Wed Mar 01, 2006 6:03 pm
Location: germany
