Lou Poppler wrote:
On Fri, 11 Jan 2002, Josh Frick wrote:
Is there any reason that Socks and Squid couldn't or shouldn't be run on
the same box? I'd appreciate anyone's advice. Thanks.
Be very careful to configure both of these very restrictively.
The newest favorite trick of pro spammer
On Fri, Jan 11, 2002 at 10:00:32PM -0500, Hubert Chan wrote:
> So daemon, bin, sys, ftp, www-data, mail, mysql, etc. can probably be
> set to /bin/false. (Why does Debian not do this by default?)
Apart from the ftp users which (sometimes) need their ftp password to
be stored in /etc/shadow and thu
"Ivan" == "Ivan R" writes:
Ivan> hi all! i want a password file without hole.
Ivan> so i have now in /etc/passwd:
Ivan> root with /bin/bash
Ivan> daemon, bin and sys with /bin/sh
Ivan> sync with /bin/sync
Ivan> normal users with /bin/bash
On Fri, 11 Jan 2002, Josh Frick wrote:
> Is there any reason that Socks and Squid couldn't or shouldn't be run on
> the same box? I'd appreciate anyone's advice. Thanks.
Be very careful to configure both of these very restrictively.
The newest favorite trick of pro spammers is to find promiscu
On Sat, 12 Jan 2002, Richard wrote:
> > On Fri, Jan 11, 2002 at 10:25:03PM +0100, martin f krafft wrote:
> > >
> > > i doubt that a kernel module can override the linux kernel filesystem
> > > abstraction layer. but i guess it could be possible.
> > >
> >
> > Oh, it certainly can! knark is a p
hi all!
i want a password file
without hole.
so i have now in /etc/passwd:
root with /bin/bash
daemon, bin and sys with /bin/sh
sync with /bin/sync
normal users with /bin/bash
ftp users with /bin/noshell
here i think that s good
but i have some questions :
what about replace /bin/sh for man b
Is there any reason that Socks and Squid couldn't or shouldn't be run on
the same box? I'd appreciate anyone's advice. Thanks.
Sincerely,
Josh Frick
Sorry but could someone please summarize what the "Hacked too?" thread is
about?
just got back into town and not making sense of the thread that i read in
the archives
Thankx
Hi Ed,
On Fri, Jan 11, 2002 at 05:46:58PM -0500, Ed Street wrote:
> > > > I have run chkrootkit and get
>
> Anyone have a d/l site for the deb package of this?
apt-get install chkrootkit
Uwe.
--
Uwe Hermann
[EMAIL PROTECTED]
[EMAIL PROTECTED] | Unmaintained Free Software:
http://www.herma
> Sorry but could someone please summarize what the "Hacked too?" thread is
> about?
someone used a script, which should detect rootkits and it said it found
one, although there is probably none. it seems just to check whether a
certain port is open.
just ignore the thread ;)
bye
Ralf
Thanks Stephen,
I have run the "netstat -anp"
The result is:
" 0.0.0.0:31337 0.0.0.0:*1687/fakebo"
Really I have installed "fakebo".
It is useful. Very often somebody tries to find backdoors on my PC. It helps me to
discover them.
Billy
(2002-01-12) Igor Balusov sed :
| What does this mean:
| "If you're running PortSentry/klaxon or another program that binds itself to
| unused ports probably chkrootkit will give you a false positive on the
| bindshell test (ports .. 31336/tcp, 31337/tcp ...)."?
| It is from http://www.chkrootkit.or
On Fri, 2002-01-11 at 17:49, Igor Balusov wrote:
> What does this mean:
> "If you're running PortSentry/klaxon or another program that binds itself to
> unused ports probably chkrootkit will give you a false positive on the
> bindshell test (ports .. 31336/tcp, 31337/tcp ...)."?
> It is from http://www.
On Fri, 11 Jan 2002, Noah L. Meyerhans wrote:
> On Fri, Jan 11, 2002 at 10:25:03PM +0100, martin f krafft wrote:
> >
> > i doubt that a kernel module can override the linux kernel filesystem
> > abstraction layer. but i guess it could be possible.
> >
>
> Oh, it certainly can! knark is a per
What does this mean:
"If you're running PortSentry/klaxon or another program that binds itself to
unused ports probably chkrootkit will give you a false positive on the
bindshell test (ports .. 31336/tcp, 31337/tcp ...)."?
It is from http://www.chkrootkit.org/
Is my PC really hacked or not? How can I det
> > > I have run chkrootkit and get
Anyone have a d/l site for the deb package of this?
Ed
still, I think that one of the first things you should do with your hacked
systems is unplug the network cable. the majority of hacks these days are
for stepping stones, they don't necessarily care about the data on your PC,
but will have other PCs from your. I don't think you really want the FBI
k
also sprach Igor Balusov <[EMAIL PROTECTED]> [2002.01.11.2316 +0100]:
> I have run chkrootkit and get
> "Checking `bindshell'... INFECTED (PORTS: 31337)"
> What I need to do?
reinstall. no, really! unless this is a non-productive system, in which
case you are free to try to remove i
I have run chkrootkit and get
"Checking `bindshell'... INFECTED (PORTS: 31337)"
What I need to do?
Billy
also sprach Noah L. Meyerhans <[EMAIL PROTECTED]> [2002.01.11.2240 +0100]:
> Oh, it certainly can! knark is a perfect example of a kernel module to
> do just this. (knark is Swedish for "drugged".) It allows files,
> processes, network connections, and network interface promiscuity to be
> *comp
On Fri, Jan 11, 2002 at 10:25:03PM +0100, martin f krafft wrote:
>
> i doubt that a kernel module can override the linux kernel filesystem
> abstraction layer. but i guess it could be possible.
>
Oh, it certainly can! knark is a perfect example of a kernel module to
do just this. (knark is Swe
On Fri, Jan 11, 2002 at 05:04:53PM +, Ricardo B wrote:
> He can be loaded as a kernel module and then hide all traces of its
> presence in the system, by overriding the proper system calls and
> /proc info. Isn't there a way to turn module loading off (a way that
> can't be changed back - wit
also sprach Ricardo B <[EMAIL PROTECTED]> [2002.01.11.1804 +0100]:
> There is no need for a rootkit to reboot the machine in order to hide
> himself.
> He can be loaded as a kernel module and then hide all traces of its presence in
> the system, by overriding the proper system calls and /proc
On Fri, 11 Jan 2002, Ricardo B wrote:
> Isn't there a way to turn module loading off (a way that can't be changed
> back - without rebooting) ?
None that cannot be undone if you're root in a non-ACL kernel. It gets hard
if the kernel has no module support at all, but not impossible.
"Jacques Lav!gnotte" wrote:
> On Thu, Jan 10, 2002 at 08:31:00PM -0800, Alvin Oga wrote:
>
> A RootKit was installed, only the sniffer was used...
>
> Any idea of what the «default files and dirs» are ?
Please see
http://www.sans.org/y2k/t0rn.htm
Greetz
Christoph
On Thu, Jan 10, 2002 at 08:31:00PM -0800, Alvin Oga wrote:
> - if you think they used a simple/ordinary rootkits... you can
> try some of the rootkit detectors
>
> http://www.chkrootkit.org/
Great tool
Got :
Searching for t0rn's default files and dirs... Possible t0rn rootkit ins
hi patrice
yup .. silicon valley has nothing to do with getting back online
but was intended ...that i could go over and help figure out
what happened to the box... before the reinstall ...
but never mind... sacramento is not too far away either..
on the way up to go skiing on a fri-weekend..
-
On Fri, Jan 11, 2002 at 03:43:11PM +0100, Preben Randhol wrote:
> > agreed. full disk format and reinstall from backup is the only secure
> ^
>
> This is not safe at all if you mean reinstall programs too. You should
> reinstall programs from th
also sprach Preben Randhol <[EMAIL PROTECTED]> [2002.01.11.1543 +0100]:
> This is not safe at all if you mean reinstall programs too. You should
> reinstall programs from the net/CD distro and update all programs that
> has security fixes.
yeah sorry, i meant that actually. reinstall debian from
also sprach Angus D Madden <[EMAIL PROTECTED]> [2002.01.11.0649 +0100]:
> agreed. full disk format and reinstall from backup is the only secure
> option. unless you are running something like tripwire there is no way
> to tell what the intruder did, and even then ...
... if, only if, you have th
Angus D Madden <[EMAIL PROTECTED]> wrote on 11/01/2002 (11:53) :
> On Fri, Jan 11, 2002 at 05:07:02AM +0100, martin f krafft wrote:
> > you've been hacked -> backup -> re-mkfs -> reinstall -> re-config from
> > backup very carefully (i.e. file by file) -> restore user data -> do
> > some post-morte
[EMAIL PROTECTED] writes:
> if in silicon valley...
> you can be back online within 1hr or so...
What does the Silicon Valley have to do with the time to getting back
online?
> - maybe just sniffing your passwds ???
> - maybe using it to hack other boxes ??
Oh if it's not more... ;-)
> - you n
hi alan
where are you ???
if in silicon valley...
you can be back online within 1hr or so...
( assuming you have data-only backed up prior to the hacker getting
( into your box..
if the [h/cr]acker didn't "rm -rf /" your machine..you're still online..
- maybe just sniffing your passwds ???
- may
On Fri, 2002-01-11 at 05:02, Alan Aldrich wrote:
>
> Not sure what all it did, but really played havoc with SSH and some other
> networking components and is keeping my aventail authentication server from
> honoring socks requests.
> Can someone help undo whatever it did or point me to a site th