How do I find out which process or program changes iptables (deletes one of its chains)?

I run a Fedora 23 server. I use it, among other things, to share an Internet connection and enforce fair, dynamic traffic shaping. For the latter I use Niceshaper. It adds its own chains to iptables.

Recently I discovered my server was compromised. It was being used as a DNS server on IPv6. ip6tables had been changed. I have cleaned everything up, proved that all settings under /etc/ are unmodified, and verified all installed packages and proved they are unmodified.

Unfortunately there is still something wrong. Despite the fact that the server's configuration hasn't changed for months and Niceshaper worked fine, it has now started to exit after detecting that its ns_upload chain was removed.

I would like to find out which process removes the chain to fix it.

I will be thankful for your help.

p.h.
  • Relevant: [How do I deal with a compromised server?](https://serverfault.com/q/218005/58408) – user Sep 01 '17 at 08:59
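The question is about attribution: which process deletes the chain. The following is an added example, not code from the question, the answer, or Niceshaper. It uses auditd to record every execution of the iptables/ip6tables front-ends (which catches scripts and cron jobs that shell out to them) plus every setsockopt(IPT_SO_SET_REPLACE/IP6T_SO_SET_REPLACE) call (which catches a program that uses libiptc directly and never execs iptables), and then summarises the matching audit.log records by event id so the pid, ppid, exe and argv of the caller can be read off. The binary paths, the audit key name `nf_change`, the function names, and the sample log lines are all my own assumptions; the sample records are constructed, not taken from the asker's server.

```shell
#!/bin/sh
# Added example (not from the original post): attribute iptables/ip6tables
# chain changes to a process with auditd. Paths and the key name are assumptions.

AUDIT_KEY="nf_change"

# Emit audit rules. -w ... -p x logs an execve of the named binary; the last
# rule logs setsockopt() with optname 64 (IPT_SO_SET_REPLACE and
# IP6T_SO_SET_REPLACE are both 64), which is how legacy xtables-based
# iptables installs a replacement table, so it fires even when the caller
# uses libiptc directly. Assumes 64-bit callers (arch=b64).
audit_rules() {
  cat <<EOF
-w /usr/sbin/iptables -p x -k $AUDIT_KEY
-w /usr/sbin/ip6tables -p x -k $AUDIT_KEY
-w /usr/sbin/iptables-restore -p x -k $AUDIT_KEY
-w /usr/sbin/ip6tables-restore -p x -k $AUDIT_KEY
-a always,exit -F arch=b64 -S setsockopt -F a2=64 -k $AUDIT_KEY
EOF
}

# Read raw audit.log records on stdin and print one line per keyed event:
#   <event-id> pid=<pid> ppid=<ppid> auid=<auid> exe=<exe> argv=<a0 a1 ...>
# SYSCALL and EXECVE records of one event share the id inside msg=audit(...).
summarize_nf_events() {
  awk -v key="$AUDIT_KEY" '
    # Return the value of " name=..." (quoted or bare) from an audit record.
    function kv(line, k,    m) {
      if (match(line, " " k "=\"?[^ \"]*")) {
        m = substr(line, RSTART + length(k) + 2, RLENGTH - length(k) - 2)
        gsub(/"/, "", m)
        return m
      }
      return ""
    }
    # Extract the serial after the colon in msg=audit(<time>:<serial>).
    function evid(line,    m) {
      match(line, /audit\([0-9.]+:[0-9]+\)/)
      m = substr(line, RSTART, RLENGTH)
      sub(/^audit\([0-9.]+:/, "", m); sub(/\)$/, "", m)
      return m
    }
    $1 == "type=SYSCALL" && kv($0, "key") == key {
      id = evid($0)
      if (!(id in seen)) { seen[id] = 1; order[++n] = id }
      info[id] = "pid=" kv($0, "pid") " ppid=" kv($0, "ppid") \
                 " auid=" kv($0, "auid") " exe=" kv($0, "exe")
    }
    $1 == "type=EXECVE" {
      id = evid($0); argc = kv($0, "argc") + 0; s = ""
      for (i = 0; i < argc; i++) s = s (i ? " " : "") kv($0, "a" i)
      argv[id] = s
    }
    END {
      for (i = 1; i <= n; i++) {
        id = order[i]
        print id " " info[id] " argv=" \
              ((id in argv) ? argv[id] : "(direct setsockopt, no execve)")
      }
    }'
}

# Constructed sample records (not real log data) in raw audit.log format:
# an ip6tables run that deletes the ns_upload chain, and a daemon that
# replaced a table through setsockopt without ever executing iptables.
SAMPLE_AUDIT_LOG=$(cat <<'EOF'
type=SYSCALL msg=audit(1504256462.123:4567): arch=c000003e syscall=59 success=yes exit=0 a0=55d0c0 a1=55d1a0 a2=55d2b0 a3=7ffd ppid=1234 pid=1235 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ip6tables" exe="/usr/sbin/ip6tables" key="nf_change"
type=EXECVE msg=audit(1504256462.123:4567): argc=3 a0="ip6tables" a1="-X" a2="ns_upload"
type=SYSCALL msg=audit(1504256470.500:4570): arch=c000003e syscall=54 success=yes exit=0 a0=3 a1=29 a2=40 a3=7ffd ppid=1 pid=2200 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="fwtool" exe="/usr/local/bin/fwtool" key="nf_change"
EOF
)

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | summarize_nf_events
```

On the live box: `audit_rules > /tmp/nf.rules && auditctl -R /tmp/nf.rules`, wait for Niceshaper to complain again, then `ausearch --raw -k nf_change | summarize_nf_events` and walk up the `ppid` chain (e.g. `ps -o pid,ppid,cmd -p <ppid>`) to find what launched the deletion. Two caveats: the setsockopt rule covers the legacy xtables path used by Fedora 23; iptables builds backed by nf_tables talk netlink instead, so there you would audit `sendmsg`/`sendto` on netlink sockets. And an audit trail on a host where someone else has root is only as trustworthy as the kernel producing it, which is exactly why the answer below still says reinstall.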

1 Answer

You have given the most important hint: your server was compromised. So follow the link Michael Kjörling gave you, and follow the instructions there.

TL;DR: Someone has root access to your server; proof: they changed an iptables entry. So find out how they did it, install from scratch, and avoid the configuration/software they used to get control over your server. There is no way around it: you have to install from scratch. Sorry.

If you can't figure out how they did it, you are a bit lost. They will come back soon, even on a fresh install. At least install a newer version of Fedora; hopefully the backdoor/bug they came in through has been fixed in the meantime.

HBruijn
TomTomTom