Re: Install on many machines
On Fri, Dec 28, 2001 at 10:35:57AM -0600, Gregory Wood wrote:
> Assuming that the machines are basically the same -- I have used Norton Ghost 2002. I loaded up Debian from CD, updated from the ftp site, installed and configured my base packages. Then created a ghost image (1. ghost works with lilo but not with grub; 2. I've left out a number of steps - I have several spare hard drives and computers to work with) and burned it to a CD. As a test, I installed the ghost image on a couple of different machines. It takes less than 10 minutes to restore the ghost image. Next change the IP and host names and I was done.
> [snip]

Don't forget the SSH host keys...

-- 
Michael Wood [EMAIL PROTECTED]

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
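Added example (my code, not Michael Wood's or Gregory Wood's): every machine restored from the same Ghost image boots with the same /etc/ssh/ssh_host_* keys, so SSH clients cannot tell the clones apart and a known_hosts mismatch stops meaning anything. The script regenerates the host keys on a restored machine and audits a list of hosts for fingerprints that more than one of them presents. The host names and fingerprints in SAMPLE are constructed; the live-collection helper assumes OpenSSH's ssh-keyscan and ssh-keygen are installed.

```shell
#!/bin/sh
# Added example: not from the thread. Regenerate SSH host keys on a host that
# was restored from a cloned image, and audit a list of hosts for fingerprints
# that appear on more than one machine. Host names and fingerprints in SAMPLE
# are constructed.

# Regenerate host keys in KEYDIR (default /etc/ssh). Not called at top level:
# it needs root and an OpenSSH install, and it deletes the current keys.
regen_host_keys() {
    keydir="${1:-/etc/ssh}"
    rm -f "$keydir"/ssh_host_*_key "$keydir"/ssh_host_*_key.pub
    for type in rsa ed25519; do
        # -N '' : empty passphrase, since sshd must read the key unattended at boot
        ssh-keygen -q -N '' -t "$type" -f "$keydir/ssh_host_${type}_key"
    done
    # sshd only picks up new host keys on restart (e.g. /etc/init.d/ssh restart).
}

# Print "<host> <fingerprint>" for each host given as an argument, using
# ssh-keyscan and ssh-keygen -l. Needs network access, so also not run here.
collect_fingerprints() {
    tmp=$(mktemp)
    for h in "$@"; do
        ssh-keyscan -t rsa "$h" 2>/dev/null > "$tmp"
        [ -s "$tmp" ] && printf '%s %s\n' "$h" "$(ssh-keygen -lf "$tmp" | awk '{ print $2 }')"
    done
    rm -f "$tmp"
}

# Read "<host> <fingerprint>" lines on stdin and print every fingerprint that
# is shared by more than one host, followed by the hosts presenting it.
find_shared_fingerprints() {
    awk '{ hosts[$2] = (hosts[$2] == "" ? $1 : (hosts[$2] "," $1)); seen[$2]++ }
         END { for (f in seen) if (seen[f] > 1) print f, hosts[f] }' | sort
}

# Constructed sample: three of four hosts still carry the image's original key.
SAMPLE='web1 SHA256:AAAAconstructed
web2 SHA256:AAAAconstructed
db1 SHA256:BBBBconstructed
web3 SHA256:AAAAconstructed'

audit_sample() {
    printf '%s\n' "$SAMPLE" | find_shared_fingerprints
}

audit_sample
```

On a fleet, pipe `collect_fingerprints host1 host2 ...` into `find_shared_fingerprints`; any output line is a set of machines that were never re-keyed after cloning.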
Re: Apache ErrorDocument virtual hosts
* [EMAIL PROTECTED] (KOZMAN Balint) [2002.01.03 10:41]:
> Sorry if offtopic, but is it possible to give back different 404 error messages via apache based on virtual hosts?

    <VirtualHost 1.2.3.4>
    ...
    ErrorDocument 404 /path/to/error/doc.html
    </VirtualHost>

-- 
Cameron Moore
Re: Apache ErrorDocument virtual hosts
Ya just throw a:

    ErrorDocument 404 /path-to-error-document

inside of the virtualhost

On Thu, 2002-01-03 at 11:38, KOZMAN Balint wrote:
> Hi,
> Sorry if offtopic, but is it possible to give back different 404 error messages via apache based on virtual hosts?
> Thanks in advance.
> Regards, Balint

-- 
Sean Porth
System Admin
Tortus Technologies
1686 Riverdale Street
West Springfield, MA 01089
http://www.tortus.com
Phone: 413-788-5080 Fax: 413-785-1901
Tortus Technologies: We Make the 'Net Work.
Re: Install on many machines
For our needs, FAI seems to be the more flexible solution. Although the hardware is basically the same, it might prove valuable to have several configurations to choose from.

Anyone have experience with FAI? I've just set up a new woody machine and downloaded the stuff. Still, the docs get slightly confusing after the very clear introduction. For example, fai-setup throws *a lot* of dependency warnings and complains about exim (which is not installed).

Cheers, Marcel

Michael Wood [EMAIL PROTECTED] 3 Jan 2002, at 10:02:
> On Fri, Dec 28, 2001 at 10:35:57AM -0600, Gregory Wood wrote:
> > Assuming that the machines are basically the same -- I have used Norton Ghost 2002.
> > [snip]
>
> Don't forget the SSH host keys...
>
> -- 
> Michael Wood [EMAIL PROTECTED]

-- 
   __
 .´  `.
 : :' !   Enjoy
 `. `´    Debian/GNU Linux
   `-
Re: Apache cgi-bin for users
    ScriptAlias /cgi-bin/ /path/to/customers/cgi-bin/

See http://httpd.apache.org/docs/mod/mod_alias.html#scriptalias

Please make really(!) sure what security implications it has to allow untrustworthy people (customers ;-) to run programs on _your_ server. Hint: look for cgi-wrap and changeroot.

http://httpd.apache.org/docs-2.0/misc/security_tips.html
http://httpd.apache.org/docs-2.0/suexec.html
or better
http://wwwcgi.umr.edu/~cgiwrap/

Cheers, Marcel

Keith Elder [EMAIL PROTECTED] 31 Dec 2001, at 17:31:
> Greetings and Happy New Year!
>
> I am trying to enable cgi-bin on user directories. I found the following lines on the apache.org site, put them in, but they didn't work:
>
>     <Directory /home/*/public_html/cgi-bin>
>     Options ExecCGI
>     SetHandler cgi-script
>     </Directory>
>
> Any other suggestions as to how to setup cgi-bin directories for user accounts?
>
> Thanks,
> Keith
>
> ###
> Keith Elder
> Email: [EMAIL PROTECTED]
> Phone: 1-734-507-1438
> Text Messaging (145 characters): [EMAIL PROTECTED]
> Web: http://www.zorka.com (Howto's, News, and hosting!)
> With enough memory and hard drive space anything in life is possible!
> ###
Re: Apache cgi-bin for users
Thanks Marcel,

Let me restate what it was I was asking just to clarify my situation. If anyone has any input, by all means ante up.

What I am trying to do is set up the server so users in /home/*/ can execute CGI programs on their personal web pages on this particular machine. I found a reference in the apache admin guide I have and the apache site which say to put the following in the httpd.conf:

    <Directory /home/*/public_html/cgi-bin>
    Options ExecCGI
    AddHandler cgi-script .cgi .pl
    </Directory>

I have done that, but I still cannot make the following work:

    http://yourdomain.com/~username/cgi-bin/test.cgi

When this page is run, I get "premature end of headers" in the error.log file. I thought this would be fairly simple but it is turning out to be a headache. Anything else I can try?

Keith

* Marcel Hicking ([EMAIL PROTECTED]) wrote:
> From: Marcel Hicking [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Date: Thu, 3 Jan 2002 19:08:32 +0100
> Subject: Re: Apache cgi-bin for users
> Reply-to: [EMAIL PROTECTED]
> X-mailer: Pegasus Mail for Win32 (v3.12c)
>
>     ScriptAlias /cgi-bin/ /path/to/customers/cgi-bin/
>
> See http://httpd.apache.org/docs/mod/mod_alias.html#scriptalias
> [snip]
Re: Apache cgi-bin for users
While I've never run things from /home/*/public_html/cgi-bin/somethinghere.cgi, we've always had to recompile suexec to get things working. suexec has hard-compiled in the allowed directory, so you'd need to recompile that to get some other directory to work. I suggest you try that.

Sincerely,
Jason

----- Original Message -----
From: Keith Elder [EMAIL PROTECTED]
To: Marcel Hicking [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, January 04, 2002 5:36 AM
Subject: Re: Apache cgi-bin for users

> Thanks Marcel,
>
> Let me restate what it was I was asking just to clarify my situation. If anyone has any input, by all means ante up.
>
> What I am trying to do is set up the server so users in /home/*/ can execute CGI programs on their personal web pages on this particular machine.
> [snip]
> When this page is run, I get "premature end of headers" in the error.log file. I thought this would be fairly simple but it is turning out to be a headache. Anything else I can try?
>
> Keith
> [snip]

http://www.zentek-international.com
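Added example (my code, not Keith's, Marcel's or Jason's): Apache writes "Premature end of script headers" to error.log when the CGI program exits before it has produced a complete header block, that is, at least one "Name: value" line followed by an empty line. Running the script from the shell with a minimal CGI environment shows whether that is the case without involving the web server or suexec at all. The four demo scripts are constructed; the environment variables set are the ones any CGI/1.1 server provides.

```shell
#!/bin/sh
# Added example, not from the thread. Checks whether a CGI program emits a
# valid header block, which is what Apache's "Premature end of script
# headers" complains about. Demo scripts below are constructed.

# Run the CGI program given as $1 and return 0 if its output starts with a
# valid header block, 1 otherwise. CRLF line ends are accepted.
check_cgi_headers() {
    # The trailing "." keeps $(...) from stripping the blank line of a
    # header-only response (e.g. a redirect); it is read as body and ignored.
    out=$(env -i PATH=/usr/bin:/bin REQUEST_METHOD=GET GATEWAY_INTERFACE=CGI/1.1 \
              SERVER_PROTOCOL=HTTP/1.0 QUERY_STRING= "$1" 2>/dev/null; echo .)
    printf '%s\n' "$out" | awk '
        { sub(/\r$/, "") }                       # tolerate CRLF
        NR == 1 && $0 == "" { exit 1 }           # empty header block
        $0 == "" { found = 1; exit }             # end of headers reached
        $0 !~ /^[A-Za-z][A-Za-z0-9-]*:/ { exit 1 }   # body text where a header belongs
        END { exit found ? 0 : 1 }'
}

# Constructed demo scripts: one correct, one that forgets the header block
# (the symptom in the thread), one header-only redirect, one using CRLF.
make_demo_scripts() {
    d=$(mktemp -d)
    cat > "$d/good.cgi" <<'EOF'
#!/bin/sh
printf 'Content-type: text/plain\n\n'
echo "hello from $(id -un)"
EOF
    cat > "$d/noheader.cgi" <<'EOF'
#!/bin/sh
echo "hello"
EOF
    cat > "$d/redirect.cgi" <<'EOF'
#!/bin/sh
printf 'Status: 302 Found\nLocation: /elsewhere\n\n'
EOF
    cat > "$d/crlf.cgi" <<'EOF'
#!/bin/sh
printf 'Content-type: text/html\r\n\r\n<p>hi</p>\r\n'
EOF
    chmod 755 "$d"/*.cgi
    echo "$d"
}

# Report "ok" or "BAD" for each demo script in the directory given as $1.
summarize_demo() {
    for s in good noheader redirect crlf; do
        if check_cgi_headers "$1/$s.cgi"; then echo "$s ok"; else echo "$s BAD"; fi
    done
}

DEMO_DIR=$(make_demo_scripts)
summarize_demo "$DEMO_DIR"
```

For a real per-user script, run the check as that user (`su - username -c '...'`) so permission problems show up the same way they would under suexec or cgiwrap; if the script passes here but still fails through Apache, the cause is in the server side (suexec's compiled-in document root that Jason mentions, or the Directory configuration), and suexec's own log will say which.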
Qmail and Stunnel
Hi All

I've just set up qmail to run over stunnel for POP on port 995. Below is the command I use to run it:

    #!/bin/sh
    exec /usr/local/bin/softlimit -m 300 /usr/local/bin/tcpserver -DRHv -l 0 0 995 /usr/sbin/stunnel -l /var/qmail/bin/qmail-popup domain name /bin/checkpassword /var/qmail/bin/qmail-pop3d Maildir 2>&1

The first time I checked with Outlook Express I was prompted with the certificate warning etc. I accepted that and now get this error after having the login/password window pop up several times (because of the failure):

    There was a problem logging onto your mail server. Your Password was rejected.
    Account: 'dave', Server: '192.168.20.251', Protocol: POP3,
    Server Response: '-ERR this user has no $HOME/Maildir', Port: 995, Secure(SSL): Yes,
    Server Error: 0x800CCC90, Error Number: 0x800CCC92

My concern is the "no $HOME/Maildir", but I can't understand why it's not working. Standard logins to port 110 are fine. Basically all I did was copy my run script from the normal POP service and change the port tcpserver listens on and add the stunnel command.

Thanks
Dave
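Added example (my code, not Dave's): "-ERR this user has no $HOME/Maildir" is the message qmail-pop3d prints when, after checkpassword has switched to the account and changed into its home directory, the chdir into the Maildir argument from the run script fails. The script below checks, from the shell, everything that step depends on for one account: the home directory, the Maildir with its cur/new/tmp subdirectories, and who owns it. It does not explain the stunnel wrapping itself; it rules the plain prerequisites in or out first. The account names and directories in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the post. Checks what qmail-pop3d's chdir into
# $HOME/Maildir needs for one account. Demo accounts are constructed.

# check_maildir <home> [maildir-name] [expected-owner]
# Prints one line per problem and returns the number of problems found.
check_maildir() {
    home="$1"; md="${2:-Maildir}"; owner="$3"; problems=0
    if [ ! -d "$home" ]; then
        echo "MISSING home $home"
        return 1
    fi
    if [ ! -d "$home/$md" ]; then
        echo "MISSING $home/$md"
        return 1
    fi
    for sub in cur new tmp; do
        if [ ! -d "$home/$md/$sub" ]; then
            echo "MISSING $home/$md/$sub"
            problems=$((problems + 1))
        fi
    done
    if [ -n "$owner" ]; then
        # qmail-pop3d runs as the account after checkpassword's setuid, so a
        # Maildir owned by someone else is as bad as a missing one.
        actual=$(ls -ld "$home/$md" | awk '{ print $3 }')
        if [ "$actual" != "$owner" ]; then
            echo "OWNER $home/$md is owned by $actual, expected $owner"
            problems=$((problems + 1))
        fi
    fi
    return $problems
}

# Home directory of a system account, from /etc/passwd, which is where the
# stock checkpassword takes it from. Not run in the demo (needs a real account).
home_of() {
    awk -F: -v u="$1" '$1 == u { print $6 }' /etc/passwd
}

# Check a real account: check_account dave
check_account() {
    check_maildir "$(home_of "$1")" Maildir "$1"
}

# Constructed demo: one complete account, one missing tmp/, one with no Maildir.
make_demo_homes() {
    d=$(mktemp -d)
    mkdir -p "$d/alice/Maildir/cur" "$d/alice/Maildir/new" "$d/alice/Maildir/tmp"
    mkdir -p "$d/dave/Maildir/cur" "$d/dave/Maildir/new"
    mkdir -p "$d/erin"
    echo "$d"
}

DEMO=$(make_demo_homes)
for u in alice dave erin; do
    echo "== $u"
    check_maildir "$DEMO/$u" || true
done
```

If `check_account dave` is clean while port 995 still fails and port 110 works, the difference lies in what the stunnel-wrapped chain hands to checkpassword and qmail-pop3d, not in the mailbox.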
BIND exploited ?
I recently inherited a machine that I think has been exploited. It seems to have a stupid root kit installed unless this is a decoy. What does it look like to you professionals?

    [root@moe ...]# uname -a
    Linux moe. 2.2.14-5.0 #1 Tue Mar 7 21:07:39 EST 2000 i686 unknown

    [root@moe ...]# ps auxww
    USER       PID %CPU %MEM  VSZ  RSS TTY   STAT START  TIME COMMAND
    root         1  0.0  0.3 1120  476 ?     S    2001   0:06 init [3]
    root         2  0.0  0.0    0    0 ?     SW   2001   0:00 [kflushd]
    root         3  0.0  0.0    0    0 ?     SW   2001   0:27 [kupdate]
    root         4  0.0  0.0    0    0 ?     SW   2001   0:00 [kpiod]
    root         5  0.0  0.0    0    0 ?     SW   2001   0:01 [kswapd]
    root         6  0.0  0.0    0    0 ?     SW   2001   0:00 [mdrecoveryd]
    root       154  0.0  0.3 1104  392 ?     S    2001   0:00 /usr/sbin/apmd -p 10 -w 5 -W -s /etc/sysconfig/apm-scripts/suspend -r /etc/sysconfig/apm-scripts/resume
    bin        315  0.0  0.3 1216  404 ?     S    2001   0:00 portmap
    root       330  0.0  0.0    0    0 ?     SW   2001   0:00 [lockd]
    root       331  0.0  0.0    0    0 ?     SW   2001   0:00 [rpciod]
    root       340  0.0  0.4 1164  516 ?     S    2001   0:00 rpc.statd
    nobody     414  0.0  0.4 1308  544 ?     S    2001   0:00 identd -e -o
    nobody     415  0.0  0.4 1308  544 ?     S    2001   0:00 identd -e -o
    nobody     416  0.0  0.4 1308  544 ?     S    2001   0:00 identd -e -o
    nobody     420  0.0  0.4 1308  544 ?     S    2001   0:00 identd -e -o
    nobody     421  0.0  0.4 1308  544 ?     S    2001   0:00 identd -e -o
    daemon     432  0.0  0.2 1144  296 ?     S    2001   0:00 /usr/sbin/atd
    root       446  0.0  0.4 1328  572 ?     S    2001   0:00 crond
    root       464  0.0  0.3 1168  468 ?     S    2001   0:00 inetd
    root       478  0.0  1.6 3160 2120 ?     S    2001  14:00 /usr/sbin/snmpd
    root       543  0.0  0.3 1156  400 ?     S    2001   0:00 gpm -t imps2
    xfs        604  0.0  0.6 1920  876 ?     S    2001   0:00 xfs -droppriv -daemon -port -1
    root       645  0.0  0.0  852  100 ?     S    2001   0:00 /etc/.../bindshell
    root       646  0.0  0.0  864  124 ?     S    2001   0:00 /etc/.../bnc
    root       650  0.0  0.3 1092  408 tty2  S    2001   0:00 /sbin/mingetty tty2
    root       651  0.0  0.3 1092  408 tty3  S    2001   0:00 /sbin/mingetty tty3
    root       652  0.0  0.3 1092  408 tty4  S    2001   0:00 /sbin/mingetty tty4
    root       653  0.0  0.3 1092  408 tty5  S    2001   0:00 /sbin/mingetty tty5
    root       654  0.0  0.3 1092  408 tty6  S    2001   0:00 /sbin/mingetty tty6
    root       655  0.0  0.0  856  104 ?     S    2001   0:00 /etc/.../lsh 31333 v0idzz
    named     9928  0.0  4.9 7268 6356 ?     S    2001   6:48 named -u named
    root     11369  0.0  0.3 1092  408 tty1  S    2001   0:00 /sbin/mingetty tty1
    root      3574  0.0  0.5 1464  760 ?     S    20:28  0:00 in.telnetd: calendar-spaces.
    root      3575  0.0  0.9 2312 1196 pts/0 S    20:28  0:00 login -- ted
    ted       3576  0.0  0.7 1696  940 pts/0 S    20:28  0:00 -bash
    root      3599  0.0  0.7 2008  900 pts/0 S    20:28  0:00 su -
    root      3600  0.0  0.7 1748  996 pts/0 S    20:29  0:00 -bash
    root      3719  0.0  0.4 1172  540 ?     S    20:38  0:00 syslogd -m 0
    root      3728  0.0  0.6 1440  768 ?     S    20:38  0:00 klogd
    root      3817  0.0  0.5 2332  704 pts/0 R    20:43  0:00 ps auxww

    [root@moe ...]# cd /etc/...
    [root@moe ...]# ls -la
    [root@moe ...]# chmod 0 /etc/rc.d/init.d/apmd
    [root@moe ...]# chmod 0 /etc/rc.d/init.d/atd

Processes running after making a few kills:

    [root@moe /root]# ps aux
    USER       PID %CPU %MEM  VSZ  RSS TTY   STAT START  TIME COMMAND
    root         1  0.0  0.3 1120  476 ?     S    2001   0:06 init [3]
    root         2  0.0  0.0    0    0 ?     SW   2001   0:00 [kflushd]
    root         3  0.0  0.0    0    0 ?     SW   2001   0:28 [kupdate]
    root         4  0.0  0.0    0    0 ?     SW   2001   0:00 [kpiod]
    root         5  0.0  0.0    0    0 ?     SW   2001   0:01 [kswapd]
    root         6  0.0  0.0    0    0 ?     SW   2001   0:00 [mdrecoveryd]
    bin        315  0.0  0.3 1216  404 ?     S    2001   0:00 portmap
    root       330  0.0  0.0    0    0 ?     SW   2001   0:00 [lockd]
    root       331  0.0  0.0    0    0 ?     SW   2001   0:00 [rpciod]
    root       340  0.0  0.4 1164  516 ?     S    2001   0:00 rpc.statd
    nobody     414  0.0  0.4 1308  544 ?     S    2001   0:00 identd -e -o
    nobody     415  0.0  0.4 1308  544 ?     S    2001   0:00 identd -e -o
    nobody     416  0.0  0.4 1308  544 ?     S    2001   0:00 identd -e -o
    nobody     420  0.0  0.4 1308  544 ?     S    2001   0:00 identd -e
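Added example (my code, not Ted's or the list's): the listing above gives itself away by path alone. Three root processes run from /etc/..., a directory named with dots so that it hides between . and .. in a casual ls, and one of them is a telnet session from the outside. The script scans `ps auxww` output for executables running from dot-directories or scratch directories, and, for live use on the suspect host, for absolute paths that no longer exist on disk. SAMPLE_PS is a cut-down copy of the listing in the post; the extra lines used in the usage note are constructed.

```shell
#!/bin/sh
# Added example, not from the post. Scans ps output for processes that run
# from hidden or scratch directories, or from binaries that have been
# deleted. SAMPLE_PS is a cut-down copy of the listing in the post.

SAMPLE_PS='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 478 0.0 1.6 3160 2120 ? S 2001 14:00 /usr/sbin/snmpd
root 645 0.0 0.0 852 100 ? S 2001 0:00 /etc/.../bindshell
root 646 0.0 0.0 864 124 ? S 2001 0:00 /etc/.../bnc
root 655 0.0 0.0 856 104 ? S 2001 0:00 /etc/.../lsh 31333 v0idzz
named 9928 0.0 4.9 7268 6356 ? S 2001 6:48 named -u named
root 3574 0.0 0.5 1464 760 ? S 20:28 0:00 in.telnetd: calendar-spaces.
root 3600 0.0 0.7 1748 996 pts/0 S 20:29 0:00 -bash'

# Read ps output on stdin; print "<reason> <user> <pid> <command>" for each
# process whose executable path has a dot-directory component (/etc/.../,
# /tmp/.x/) or lives under a scratch directory. Field 11 is COMMAND in
# `ps aux` output; the header line is skipped.
flag_suspicious_procs() {
    awk 'NR > 1 {
        cmd = $11
        if (cmd ~ "/\\.[^/]+/")                    reason = "hidden-dir"
        else if (cmd ~ "^/(tmp|var/tmp|dev/shm)/") reason = "scratch-dir"
        else next
        print reason, $1, $2, cmd
    }'
}

# Read ps output on stdin; print "deleted <user> <pid> <path>" for commands
# given as an absolute path that does not exist on this filesystem. Meant for
# live `ps auxww` output on the suspect host itself, where the /usr paths exist.
flag_missing_binaries() {
    awk 'NR > 1 && $11 ~ "^/" { print $1, $2, $11 }' |
    while read -r user pid path; do
        [ -e "$path" ] || echo "deleted $user $pid $path"
    done
}

# Directories whose names start with a dot, under the given roots and on the
# same filesystem; this is where a directory like the post's /etc/... shows up.
find_hidden_dirs() {
    find "$@" -xdev -type d -name '.*' 2>/dev/null
}

printf '%s\n' "$SAMPLE_PS" | flag_suspicious_procs
```

On the live box: `ps auxww | flag_suspicious_procs`, `ps auxww | flag_missing_binaries` and `find_hidden_dirs /etc /usr /var /tmp /dev`. All three trust the `ps` and `find` binaries on the compromised host, which a rootkit replaces first; run them from known-good copies on read-only media, as the chkrootkit reply in this thread also assumes, and treat a clean result as inconclusive.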
Re: BIND exploited ?
Rooted by some script kiddies, perhaps... rpc.statd or bind exploited. Some say it's better to reinstall the box; personally I like diggin' :-))

First, disconnect, kick out all aliens, or save them somewhere, quarantined, to check them out later. Then get some new packages on CDs, or floppies, or from the LAN; update the daemons, after assuring they're not trojanized. Also search for traces of adore; get the kstat program to detect it (sorry, no URL at hand). Check your logs, email the attackers' ISP addresses if you can find something, and always be aware :)

Good luck..

At 09:16 PM 1/3/02 -0500, Thedore Knab wrote:
> I recently inherited a machine that I think has been exploited. It seems to have a stupid root kit installed unless this is a decoy. What does it look like to you professionals?
>
>     [root@moe ...]# uname -a
>     Linux moe. 2.2.14-5.0 #1 Tue Mar 7 21:07:39 EST 2000 i686 unknown
>
>     [root@moe ...]# ps auxww
>     [snip]
Re: BIND exploited ?
I would also strongly suggest getting chkrootkit.

    chkrootkit - Checks for signs of rootkits on the local system
    chkrootkit identifies whether the target computer is infected with a rootkit. It can currently identify the following root kits:
      1. lrk3, lrk4, lrk5, lrk6 (and some variants);
      2. Solaris rootkit;
      3. FreeBSD rootkit;
      4. t0rn (including latest variant);
      5. Ambient's Rootkit for Linux (ARK);
      6. Ramen Worm;
      7. rh[67]-shaper;
      8. RSHA;
      9. Romanian rootkit;
     10. RK17;
     11. Lion Worm;
     12. Adore Worm.
    Please note that this is not a definitive test, it does not ensure that the target has not been cracked. In addition to running chkrootkit, one should perform more specific tests.

Hope that helps.

What we did was install new hard disks, restore from backups to the new hard disks, immediately find out how they got in by analysing the old hard disks, patch/fix/whatever the new hard disks so the kiddies can't get back in, and slowly and carefully go through the old hard disks and find out what they did and such (if you are interested). Good for a learning experience. Trace their actions, what they did/changed/installed/etc.

----- Original Message -----
From: Thedore Knab [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, January 04, 2002 10:16 AM
Subject: BIND exploited ?

> I recently inherited a machine that I think has been exploited. It seems to have a stupid root kit installed unless this is a decoy. What does it look like to you professionals?
>
>     [root@moe ...]# uname -a
>     Linux moe. 2.2.14-5.0 #1 Tue Mar 7 21:07:39 EST 2000 i686 unknown
>
>     [root@moe ...]# ps auxww
>     [snip]
Apache ErrorDocument virtual hosts
Hi,

Sorry if offtopic, but is it possible to give back different 404 error messages via apache based on virtual hosts?

Thanks in advance.

Regards,
Balint
Re: Apache ErrorDocument virtual hosts
Or allow your customers to use ErrorDocument statements in their .htaccess file by putting

    AllowOverride FileInfo

in your httpd.conf virtual host setup (valid within a Directory section). Then add the following in the .htaccess file in your document root:

    ErrorDocument 401 /errordocs/401.php
    ErrorDocument 403 /errordocs/403.php
    ErrorDocument 404 /errordocs/404.php
    ErrorDocument 414 /errordocs/414.php

where /errordocs/... is a valid *URL*. I usually keep the errordocs in an httpd.conf-aliased directory to make sure error docs are shown even when we have access restrictions like passwords in effect.

Make sure you understand what issues AllowOverride might have for performance and security.

Cheers, Marcel

Sean Porth [EMAIL PROTECTED] 3 Jan 2002, at 11:46:
> Ya just throw a:
>
>     ErrorDocument 404 /path-to-error-document
>
> inside of the virtualhost
>
> On Thu, 2002-01-03 at 11:38, KOZMAN Balint wrote:
> > Sorry if offtopic, but is it possible to give back different 404 error messages via apache based on virtual hosts?
> [snip]
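Added example (my code, not Marcel's, Sean's or Cameron's): the one thing that goes wrong with per-host ErrorDocument setups is Marcel's point that the argument is a URL, not a file path, so the document it names has to resolve through an Alias or the virtual host's DocumentRoot to a real file, or Apache serves its built-in message instead. The script lists every ErrorDocument in an httpd.conf-style file, resolves local URLs the same way (Alias first, then the enclosing VirtualHost's DocumentRoot), and reports the ones with no file behind them. Quoted messages and full http:// URLs are legal without a file. It reads httpd.conf only, not .htaccess files. The sample configuration, host and paths are constructed under a temporary directory.

```shell
#!/bin/sh
# Added example, not from the thread. Resolves each ErrorDocument target in an
# httpd.conf-style file and flags the ones that do not exist on disk. The
# sample configuration below is constructed.

# Print "<vhost> <code> <url> <resolved>" per ErrorDocument. <resolved> is the
# file path, TEXT for a quoted message, or EXTERNAL for an absolute URL.
resolve_errordocs() {
    awk '
    /^[ \t]*<VirtualHost/   { vhost = $2; sub(/>.*/, "", vhost); next }
    /^[ \t]*<\/VirtualHost/ { vhost = ""; next }
    $1 == "DocumentRoot" { r = $2; gsub(/"/, "", r)
                           if (vhost != "") vroot[vhost] = r; else groot = r; next }
    $1 == "Alias" { a = $2; t = $3; gsub(/"/, "", a); gsub(/"/, "", t); alias[a] = t; next }
    $1 == "ErrorDocument" {
        url = $3
        if (url ~ /^"/)            path = "TEXT"
        else if (url ~ /^https?:/) path = "EXTERNAL"
        else {
            # Alias wins over DocumentRoot, as in mod_alias; first matching prefix is used.
            path = ""
            for (a in alias) if (index(url, a) == 1) { path = alias[a] substr(url, length(a) + 1); break }
            if (path == "") path = (vhost != "" && vroot[vhost] != "" ? vroot[vhost] : groot) url
        }
        name = (vhost != "" ? vhost : "GLOBAL")
        print name, $2, url, path
    }' "$1"
}

# Print a MISSING line for each ErrorDocument whose resolved file does not exist.
check_errordocs() {
    resolve_errordocs "$1" | while read -r vhost code url path; do
        case "$path" in
            TEXT|EXTERNAL) ;;
            *) [ -f "$path" ] || echo "MISSING $vhost $code $url -> $path" ;;
        esac
    done
}

# Constructed demo: an aliased errordocs directory holding a 404 page but no
# 403 page, and one virtual host referencing both plus a quoted message.
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/errordocs" "$d/www"
    echo 'not found' > "$d/errordocs/404.php"
    cat > "$d/httpd.conf" <<EOF
Alias /errordocs/ $d/errordocs/
<VirtualHost 1.2.3.4>
    ServerName www.example.com
    DocumentRoot $d/www
    ErrorDocument 404 /errordocs/404.php
    ErrorDocument 403 /errordocs/403.php
    ErrorDocument 500 "Server error, please try again later"
</VirtualHost>
EOF
    echo "$d/httpd.conf"
}

DEMO_CONF=$(make_demo)
check_errordocs "$DEMO_CONF"
```

Run `check_errordocs /etc/apache/httpd.conf` after every change to the error pages; an empty result means each configured code has a document to serve, which matters most for the 401 and 403 pages that must remain reachable from inside a password-protected area.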
Re: Apache cgi-bin for users
ScriptAlias /cgi-bin/ /path/to/customers/cgi-bin/ See http://httpd.apache.org/docs/mod/mod_alias.html#scriptalias Please make really(!) sure what security implications it has to allow not trustworthy people (customers ;-) to run programms on _your_ server. Hint: Look for cgi-wrap and changeroot. http://httpd.apache.org/docs-2.0/misc/security_tips.html http://httpd.apache.org/docs-2.0/suexec.html or better http://wwwcgi.umr.edu/~cgiwrap/ Cheers, Marcel Keith Elder [EMAIL PROTECTED] 31 Dec 2001, at 17:31: Greetings and Happy New Year! I am trying to enable cgi-bin on user directories. I found the following lines on the apache.org site, put them in, but they didn't work: Directory /home/*/public_html/cgi-bin Options ExecCGI SetHandler cgi-script /Directory Any other suggestions as to how to setup cgi-bin directories for user accounts? Thanks, Keith ### Keith Elder Email: [EMAIL PROTECTED] Phone: 1-734-507-1438 Text Messaging (145 characters): [EMAIL PROTECTED] Web: http://www.zorka.com (Howto's, News, and hosting!) With enough memory and hard drive space anything in life is possible! ### -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] -- __ .´ `. : :' ! Enjoy `. `´ Debian/GNU Linux `-
Re: Apache cgi-bin for users
Thanks Marcel, Let me restate what it was I was asking just to clarify my situation. If anyone has any input, by all means annie up. What I am trying to do is setup the server so users in /home/*/ can execute CGI programs on their personal web pages on this particular machine. I found a reference in the apache admin guide I have and the apache site which say to put the following in the httpd.conf: Directory /home/*/public_html/cgi-bin Options ExecCGI Addhandler cgi-script .cgi .pl /Directory I have done that, but I still cannot make the following work: http://yourdomain.com/~username/cgi-bin/test.cgi When this page is run, I get premature end of headers in the error.log file. I thought this would be fairly simple but it is turning out to be a headache. Anything else I can try? Keith * Marcel Hicking ([EMAIL PROTECTED]) wrote: From: Marcel Hicking [EMAIL PROTECTED] To: debian-isp@lists.debian.org Date: Thu, 3 Jan 2002 19:08:32 +0100 Subject: Re: Apache cgi-bin for users Reply-to: [EMAIL PROTECTED] X-mailer: Pegasus Mail for Win32 (v3.12c) ScriptAlias /cgi-bin/ /path/to/customers/cgi-bin/ See http://httpd.apache.org/docs/mod/mod_alias.html#scriptalias Please make really(!) sure what security implications it has to allow not trustworthy people (customers ;-) to run programms on _your_ server. Hint: Look for cgi-wrap and changeroot. http://httpd.apache.org/docs-2.0/misc/security_tips.html http://httpd.apache.org/docs-2.0/suexec.html or better http://wwwcgi.umr.edu/~cgiwrap/ Cheers, Marcel Keith Elder [EMAIL PROTECTED] 31 Dec 2001, at 17:31: Greetings and Happy New Year! I am trying to enable cgi-bin on user directories. I found the following lines on the apache.org site, put them in, but they didn't work: Directory /home/*/public_html/cgi-bin Options ExecCGI SetHandler cgi-script /Directory Any other suggestions as to how to setup cgi-bin directories for user accounts? 
Thanks, Keith ### Keith Elder Email: [EMAIL PROTECTED] Phone: 1-734-507-1438 Text Messaging (145 characters): [EMAIL PROTECTED] Web: http://www.zorka.com (Howto's, News, and hosting!) With enough memory and hard drive space anything in life is possible! ### -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] -- __ .´ `. : :' ! Enjoy `. `´ Debian/GNU Linux `- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] ### Keith Elder Email: [EMAIL PROTECTED] Phone: 1-734-507-1438 Text Messaging (145 characters): [EMAIL PROTECTED] Web: http://www.zorka.com (Howto's, News, and hosting!) With enough memory and hard drive space anything in life is possible! ###
Re: Apache cgi-bin for users
While I've never run things from /home/*/public_html/cgi-bin/somethinghere.cgi, we've always had to recompile suexec to get things working. suexec has the allowed directory hard-compiled in, so you'd need to recompile it to get some other directory to work. I suggest you try that.

Sincerely,
Jason
http://www.zentek-international.com

- Original Message -
From: Keith Elder [EMAIL PROTECTED]
To: Marcel Hicking [EMAIL PROTECTED]
Cc: debian-isp@lists.debian.org
Sent: Friday, January 04, 2002 5:36 AM
Subject: Re: Apache cgi-bin for users
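Keith's "premature end of headers" and Jason's point that suexec has its allowed directory compiled in both come down to preconditions suexec checks before it will run a user's script. The following is an added example, not code from the thread or from Apache: a POSIX sh pre-flight that checks those preconditions for one script; the paths, the user name and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread): pre-flight checks for a user's
# CGI script under Apache with suexec. Each condition below makes suexec
# refuse the script (it logs why in suexec_log) while Apache's error.log
# shows only "Premature end of script headers". SCRIPT/USER are assumptions.
# mode_and_owner FILE -> prints the ls mode string and the owner name
mode_and_owner() {
    ls -ld "$1" | awk '{ print $1, $3 }'
}

# check_user_cgi SCRIPT USER -> status 0 if every check passes, else 1;
# prints one line per failing precondition so nothing is missed on a rerun
check_user_cgi() {
    script=$1
    user=$2
    dir=$(dirname "$script")
    rc=0
    [ -f "$script" ] || { echo "no such script: $script"; return 1; }

    set -- $(mode_and_owner "$script"); smode=$1; sowner=$2
    set -- $(mode_and_owner "$dir");    dmode=$1; downer=$2

    # suexec runs the script as the ~user it was requested under, so the
    # script and its cgi-bin must both be owned by exactly that user
    [ "$sowner" = "$user" ] || { echo "script owned by $sowner, not $user"; rc=1; }
    [ "$downer" = "$user" ] || { echo "cgi-bin owned by $downer, not $user"; rc=1; }

    # owner execute bit is the 4th character of the mode string (-rwxr-xr-x)
    case $smode in
        ???[xs]*) ;;
        *) echo "script is not executable by its owner"; rc=1 ;;
    esac

    # suexec refuses anything writable by others: the 9th character must not be w
    case $smode in ????????w*) echo "script is world-writable"; rc=1 ;; esac
    case $dmode in ????????w*) echo "cgi-bin is world-writable"; rc=1 ;; esac

    # a #! line with CRLF endings or a missing interpreter dies before any
    # header is written, which gives the same "premature end of headers"
    shebang=$(head -n 1 "$script")
    cr=$(printf '\r')
    case $shebang in *"$cr"*) echo "script has CRLF line endings"; rc=1 ;; esac
    case $shebang in "#!"*)
        interp=$(printf '%s\n' "${shebang#??}" | awk '{ print $1 }')
        [ -x "$interp" ] || { echo "interpreter not found: $interp"; rc=1; } ;;
    esac
    return $rc
}

# stand-alone use: sh check_user_cgi.sh /home/alice/public_html/cgi-bin/test.cgi alice
if [ $# -eq 2 ]; then
    check_user_cgi "$1" "$2"
fi
```

Run it as the owning user rather than root, since it only reads metadata and the first line of the script and needs no privilege.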
Qmail and Stunnel
Hi All

I've just set up qmail to run over stunnel for POP on port 995. Below is the command I use to run it:

    #!/bin/sh
    exec /usr/local/bin/softlimit -m 300 \
        /usr/local/bin/tcpserver -DRHv -l 0 0 995 \
        /usr/sbin/stunnel -l /var/qmail/bin/qmail-popup <domain name> \
        /bin/checkpassword /var/qmail/bin/qmail-pop3d Maildir 2>&1

The first time I checked with Outlook Express I was prompted with the certificate warning etc. I accepted that and now get this error after having the login/password window pop up several times (because of the failure):

    There was a problem logging onto your mail server. Your Password was rejected. Account: 'dave', Server: '192.168.20.251', Protocol: POP3, Server Response: '-ERR this user has no $HOME/Maildir', Port: 995, Secure(SSL): Yes, Server Error: 0x800CCC90, Error Number: 0x800CCC92

My concern is the "no $HOME/Maildir", but I can't understand why it's not working. Standard logins to port 110 are fine. Basically all I did was copy my run script from the normal POP service, change the port tcpserver listens on and add the stunnel command.

Thanks
Dave
BIND exploited ?
I recently inherited a machine that I think has been exploited. It seems to have a stupid root kit installed unless this is a decoy. What does it look like to you professionals?

[EMAIL PROTECTED] ...]# uname -a
Linux moe. 2.2.14-5.0 #1 Tue Mar 7 21:07:39 EST 2000 i686 unknown

[EMAIL PROTECTED] ...]# ps auxww
USER       PID %CPU %MEM  VSZ  RSS TTY   STAT START  TIME COMMAND
root         1  0.0  0.3 1120  476 ?     S    2001   0:06 init [3]
root         2  0.0  0.0    0    0 ?     SW   2001   0:00 [kflushd]
root         3  0.0  0.0    0    0 ?     SW   2001   0:27 [kupdate]
root         4  0.0  0.0    0    0 ?     SW   2001   0:00 [kpiod]
root         5  0.0  0.0    0    0 ?     SW   2001   0:01 [kswapd]
root         6  0.0  0.0    0    0 ?     SW   2001   0:00 [mdrecoveryd]
root       154  0.0  0.3 1104  392 ?     S    2001   0:00 /usr/sbin/apmd -p 10 -w 5 -W -s /etc/sysconfig/apm-scripts/suspend -r /etc/sysconfig/apm-scripts/resume
bin        315  0.0  0.3 1216  404 ?     S    2001   0:00 portmap
root       330  0.0  0.0    0    0 ?     SW   2001   0:00 [lockd]
root       331  0.0  0.0    0    0 ?     SW   2001   0:00 [rpciod]
root       340  0.0  0.4 1164  516 ?     S    2001   0:00 rpc.statd
nobody     414  0.0  0.4 1308  544 ?     S    2001   0:00 identd -e -o
nobody     415  0.0  0.4 1308  544 ?     S    2001   0:00 identd -e -o
nobody     416  0.0  0.4 1308  544 ?     S    2001   0:00 identd -e -o
nobody     420  0.0  0.4 1308  544 ?     S    2001   0:00 identd -e -o
nobody     421  0.0  0.4 1308  544 ?     S    2001   0:00 identd -e -o
daemon     432  0.0  0.2 1144  296 ?     S    2001   0:00 /usr/sbin/atd
root       446  0.0  0.4 1328  572 ?     S    2001   0:00 crond
root       464  0.0  0.3 1168  468 ?     S    2001   0:00 inetd
root       478  0.0  1.6 3160 2120 ?     S    2001  14:00 /usr/sbin/snmpd
root       543  0.0  0.3 1156  400 ?     S    2001   0:00 gpm -t imps2
xfs        604  0.0  0.6 1920  876 ?     S    2001   0:00 xfs -droppriv -daemon -port -1
root       645  0.0  0.0  852  100 ?     S    2001   0:00 /etc/.../bindshell
root       646  0.0  0.0  864  124 ?     S    2001   0:00 /etc/.../bnc
root       650  0.0  0.3 1092  408 tty2  S    2001   0:00 /sbin/mingetty tty2
root       651  0.0  0.3 1092  408 tty3  S    2001   0:00 /sbin/mingetty tty3
root       652  0.0  0.3 1092  408 tty4  S    2001   0:00 /sbin/mingetty tty4
root       653  0.0  0.3 1092  408 tty5  S    2001   0:00 /sbin/mingetty tty5
root       654  0.0  0.3 1092  408 tty6  S    2001   0:00 /sbin/mingetty tty6
root       655  0.0  0.0  856  104 ?     S    2001   0:00 /etc/.../lsh 31333 v0idzz
named     9928  0.0  4.9 7268 6356 ?     S    2001   6:48 named -u named
root     11369  0.0  0.3 1092  408 tty1  S    2001   0:00 /sbin/mingetty tty1
root      3574  0.0  0.5 1464  760 ?     S    20:28  0:00 in.telnetd: calendar-spaces.
root      3575  0.0  0.9 2312 1196 pts/0 S    20:28  0:00 login -- ted
ted       3576  0.0  0.7 1696  940 pts/0 S    20:28  0:00 -bash
root      3599  0.0  0.7 2008  900 pts/0 S    20:28  0:00 su -
root      3600  0.0  0.7 1748  996 pts/0 S    20:29  0:00 -bash
root      3719  0.0  0.4 1172  540 ?     S    20:38  0:00 syslogd -m 0
root      3728  0.0  0.6 1440  768 ?     S    20:38  0:00 klogd
root      3817  0.0  0.5 2332  704 pts/0 R    20:43  0:00 ps auxww

[EMAIL PROTECTED] ...]# cd /etc/...
[EMAIL PROTECTED] ...]# ls -la
[EMAIL PROTECTED] ...]# chmod 0 /etc/rc.d/init.d/apmd
[EMAIL PROTECTED] ...]# chmod 0 /etc/rc.d/init.d/atd

Processes running after making a few kills:

[EMAIL PROTECTED] /root]# ps aux
USER       PID %CPU %MEM  VSZ  RSS TTY   STAT START  TIME COMMAND
root         1  0.0  0.3 1120  476 ?     S    2001   0:06 init [3]
root         2  0.0  0.0    0    0 ?     SW   2001   0:00 [kflushd]
root         3  0.0  0.0    0    0 ?     SW   2001   0:28 [kupdate]
root         4  0.0  0.0    0    0 ?     SW   2001   0:00 [kpiod]
root         5  0.0  0.0    0    0 ?     SW   2001   0:01 [kswapd]
root         6  0.0  0.0    0    0 ?     SW   2001   0:00 [mdrecoveryd]
bin        315  0.0  0.3 1216  404 ?     S    2001   0:00 portmap
root       330  0.0  0.0    0    0 ?     SW   2001   0:00 [lockd]
root       331  0.0  0.0    0    0 ?     SW   2001   0:00 [rpciod]
root       340  0.0  0.4 1164  516 ?     S    2001   0:00 rpc.statd
nobody     414  0.0  0.4 1308  544 ?     S    2001   0:00 identd -e -o
nobody     415  0.0  0.4 1308  544 ?     S    2001   0:00 identd -e -o
nobody     416  0.0  0.4 1308  544 ?     S    2001   0:00 identd -e -o
nobody     420
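A listing like the one above is easier to triage mechanically than by eye. The script below is an added example, not code from the thread: it parses ps auxww output and flags root-owned binaries that live in hidden directories under /etc, the pattern visible in the /etc/.../bindshell, bnc and lsh lines. The sample is a re-spaced subset of the listing above; the heuristics and the name lists are the example's own, not the thread's.

```python
"""Triage a ps auxww listing for binaries that do not belong (added example)."""

# Constructed sample: a subset of the listing posted in the thread, re-spaced
# the way ps prints it: ten fixed columns, then COMMAND, which may contain spaces.
SAMPLE_PS = """\
USER       PID %CPU %MEM  VSZ  RSS TTY   STAT START  TIME COMMAND
root         1  0.0  0.3 1120  476 ?     S    2001   0:06 init [3]
root         2  0.0  0.0    0    0 ?     SW   2001   0:00 [kflushd]
root       464  0.0  0.3 1168  468 ?     S    2001   0:00 inetd
root       645  0.0  0.0  852  100 ?     S    2001   0:00 /etc/.../bindshell
root       646  0.0  0.0  864  124 ?     S    2001   0:00 /etc/.../bnc
root       655  0.0  0.0  856  104 ?     S    2001   0:00 /etc/.../lsh 31333 v0idzz
named     9928  0.0  4.9 7268 6356 ?     S    2001   6:48 named -u named
root      3817  0.0  0.5 2332  704 pts/0 R    20:43  0:00 ps auxww
"""

# No legitimate daemon is started from a binary under these directories.
SUSPECT_ROOTS = ("/etc/", "/tmp/", "/var/tmp/", "/dev/")
# Basenames the thread's listing shows in use as a backdoor and an IRC bouncer.
SUSPECT_NAMES = {"bindshell", "bnc"}

def parse_ps(text):
    """Yield (user, pid, command) from ps aux output, skipping the header."""
    for line in text.strip().splitlines()[1:]:
        fields = line.split(None, 10)  # at most 11 fields: COMMAND keeps its spaces
        if len(fields) == 11:
            yield fields[0], int(fields[1]), fields[10]

def suspicious_reasons(command):
    """Return the reasons a command line looks out of place (empty if none)."""
    exe = command.split()[0]
    if exe.startswith("[") and exe.endswith("]"):
        return []  # kernel thread, no binary on disk to inspect
    parts = exe.split("/")
    reasons = []
    # /etc/.../bindshell: a directory named "..." is skipped by a casual ls
    if any(p.startswith(".") and p not in (".", "..") for p in parts[:-1]):
        reasons.append("binary lives in a hidden directory")
    if exe.startswith(SUSPECT_ROOTS):
        reasons.append("binary under a config or temp directory")
    if parts[-1] in SUSPECT_NAMES:
        reasons.append("known backdoor/bouncer name")
    return reasons

def triage(text):
    """Return (user, pid, command, reasons) for every process with a reason."""
    return [(u, p, c, r) for u, p, c in parse_ps(text)
            if (r := suspicious_reasons(c))]

if __name__ == "__main__":
    for user, pid, cmd, reasons in triage(SAMPLE_PS):
        print(f"pid {pid} ({user}): {cmd} -> {'; '.join(reasons)}")
```

On a box you suspect, run it against ps output captured with a binary you trust (from a clean boot CD), since a rootkit's own ps is the first thing it replaces.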
Re: BIND exploited ?
Rooted by some script kiddies, perhaps. rpc.statd or bind exploited. Some say it's better to reinstall the box; personally I like diggin' :-))

First, disconnect. Kick out all aliens, or save them somewhere, quarantined, to check them out later. Then get some new packages on CDs, or floppies, or from the LAN; update the daemons after assuring they're not trojanized. Also search for traces of adore; get the kstat program to detect it (sorry, no URL at hand). Check your logs, email the attackers' ISP addresses if you can find something, and always be aware :)

Good luck..

At 09:16 PM 1/3/02 -0500, Thedore Knab wrote:
> I recently inherited a machine that I think has been exploited. It seems to have a stupid root kit installed unless this is a decoy. What does it look like to you professionals?
Re: BIND exploited ?
I would also strongly suggest getting chkrootkit.

chkrootkit - Checks for signs of rootkits on the local system

chkrootkit identifies whether the target computer is infected with a rootkit. It can currently identify the following root kits:
1. lrk3, lrk4, lrk5, lrk6 (and some variants);
2. Solaris rootkit;
3. FreeBSD rootkit;
4. t0rn (including latest variant);
5. Ambient's Rootkit for Linux (ARK);
6. Ramen Worm;
7. rh[67]-shaper;
8. RSHA;
9. Romanian rootkit;
10. RK17;
11. Lion Worm;
12. Adore Worm.

Please note that this is not a definitive test; it does not ensure that the target has not been cracked. In addition to running chkrootkit, one should perform more specific tests.

Hope that helps.

What we did was install new hard disks, restore from backups to the new hard disks, immediately find out how they got in by analysing the old hard disks, patch/fix/whatever the new hard disks so the kiddies can't get back in, and slowly and carefully go through the old hard disks and find out what they did and such (if you are interested). Good for a learning experience. Trace their actions, what they did/changed/installed/etc.

- Original Message -
From: Thedore Knab [EMAIL PROTECTED]
To: debian-isp@lists.debian.org
Sent: Friday, January 04, 2002 10:16 AM
Subject: BIND exploited ?