Re: BIND exploited ?

> > I have to ask what you would do if your server is a file server with lots of big, expensive drives where a company might not be able to afford replacing them all? Would they be happy with backups (keeping in mind that any tools used to backup the server might no longer be trustworthy)? How about disk images (made with dd, or something similar) of the drives that contain the system stuff?
>
> OK. When I described replacing all hard drives I was referring to system disks with the OS and applications not data files. Keeping a backup of your news spool probably doesn't gain you much.
>
> Just use find on the data disks (the copy of find on the freshly installed un-cracked system on new system disks) to search for suspicious files (SUID, SGID, and executables where you least expect them). Also search for files and directories starting in '.' in locations where you don't expect them. Another thing to check for is the most recently changed files. On a web server the content may not have changed for a month, any files changed in the last week would be by the intruder...
>
> After copying and removing all suspicious files (make sure you use tar or cpio not cp so that permissions and time stamps are preserved) then the data disks will be ready for service again. Make sure that boot sectors are wiped as well (on a Debian installation use install-mbr on every disk that has a partition table).

From my experience, police like data untampered and in exactly the same form and such when the intrusion occurred. That means the exact same disks, not a tape backup or something. Sometimes backups can miss stuff, or as mentioned previously, the backup software itself could have been rooted.

Actually, it would be best to make a duplicate of the disk, USE THE DUPLICATE, and give the police the original.

If possible, just yank the power out of the box... the reason being that if you use 'reboot' or 'shutdown' or others, they usually run through the shutdown scripts, and within the shutdown scripts the kiddies could've planted something there as well. You never know. By yanking the power, no software can write/modify the disks, and they are preserved, more or less.

Sincerely,
Jason

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe.
Trouble? Contact [EMAIL PROTECTED]
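Russell's checklist in the quoted part of this message (SUID/SGID files, entries whose names start with '.', recently changed files, copying with tar rather than cp) as a small set of shell helpers. This is an added example, not code from the thread; the function names are mine, and it assumes the data disk is mounted read-only on the rebuilt system so that only the clean system's find and tar are used. It goes one step beyond the message by listing recently changed files by ctime as well as mtime: an intruder can backdate mtime with touch, but ctime is set by the kernel on every inode change and cannot be set from user space.

```shell
#!/bin/sh
# Added triage helpers for a data disk mounted read-only on a freshly
# installed system (example code, not from the thread). All results are
# printed as paths relative to the mount point ("./...").

# 1. Setuid/setgid files. A disk that should hold only data has no business
#    carrying any of these.
find_suid_sgid() {
    ( cd "$1" && find . -xdev -type f \( -perm -4000 -o -perm -2000 \) -print )
}

# 2. Entries whose name begins with '.', including names made only of dots,
#    such as the /etc/... and /dev/.v0id directories seen later in this thread.
#    Review the list by hand: on a home-directory disk many dotfiles are legitimate.
find_hidden_entries() {
    ( cd "$1" && find . -mindepth 1 -xdev -name '.*' -print )
}

# 3a. Files whose mtime falls within the last N days. An intruder can backdate
#     mtime with touch, so this list on its own is not reliable.
find_recent_mtime() {
    ( cd "$1" && find . -xdev -type f -mtime "-$2" -print )
}

# 3b. Files whose ctime falls within the last N days. The kernel sets ctime on
#     any inode change (including a touch that backdates mtime), so a file that
#     is old by mtime but recent by ctime deserves a close look.
find_recent_ctime() {
    ( cd "$1" && find . -xdev -type f -ctime "-$2" -print )
}

# 4. Copy a list of relative paths (read from stdin) out of the mount into a
#    quarantine directory with tar, which keeps modes and timestamps intact;
#    plain cp would reset them. Removing them from the data disk is left to
#    the operator.
quarantine_files() {
    mkdir -p "$2"
    tar -C "$1" -cf - -T - | tar -C "$2" -xpf -
}

# Usage (as root on the clean system; MP is the mounted data disk):
#   find_suid_sgid "$MP"
#   find_hidden_entries "$MP"
#   find_recent_mtime "$MP" 7 | sort > by_mtime
#   find_recent_ctime "$MP" 7 | sort > by_ctime
#   comm -13 by_mtime by_ctime              # recent by ctime only: possibly backdated
#   { cat by_ctime; find_suid_sgid "$MP"; } | sort -u | quarantine_files "$MP" /root/quarantine
# Afterwards wipe the boot sector of every disk that has a partition table
# (install-mbr on Debian, as the thread says) before the disks go back into service.
```

The comm step is the interesting one: anything in by_ctime but not in by_mtime was touched recently by the kernel's reckoning yet claims an old modification time, which is exactly what a backdated rootkit component looks like.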
RE: BIND exploited ? -UPDATE

You dumbass. Everybody knows you don't try to fix a compromised machine. You take it in stride, wipe the drives and start all over from a clean install.

j.

--
Jeremy L. Gaddis [EMAIL PROTECTED]

-----Original Message-----
From: Ted Knab [mailto:[EMAIL PROTECTED]] On Behalf Of Thedore Knab
Sent: Saturday, January 05, 2002 1:43 AM
To: debian-isp@lists.debian.org
Subject: Re: BIND exploited ? -UPDATE

Thanks for your help.

This was not a debian box. Maybe the next one will be. I think it was updated from an earlier version that was hacked. I am under the assumption that this server was this way for over 1 year.

[ted@moe chkrootkit-0.34]$ cat /etc/redhat-release
Red Hat Linux release 6.2 (Zoot)

I just started this .edu sys admin job last week. It is fun. I am finding all types of crazy stuff that would send most normal people to the nut house. It is an adventure.

I don't think I will be able to rebuild this DNS for a few days. I have some other projects that need to be rolled out for .edu political reasons. It has been rooted for some time, so I have a lot of fixing to do. I told everyone that needs to be informed, but they just don't get the gravity of the situation.

Since I won't be able to build another, I tried isolating the services. It also seems more fun to try and fix the broken box. I think I have most of the cracked services isolated.

Behind door number 1 - less services

A nmap scan from my laptop reveals:

Starting nmap V. 2.54BETA25 ( www.insecure.org/nmap/ )
Interesting ports on dns1.mywork.edu :
(The 1540 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
23/tcp     open        telnet
53/tcp     open        domain
113/tcp    open        auth

Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds

This is an improvement over what it looked like this morning: See your advice helped... :-)

Starting nmap V. 2.54BETA25 ( www.insecure.org/nmap/ )
Interesting ports on dns1.mywork.edu :
(The 1533 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
23/tcp     open        telnet
53/tcp     open        domain
79/tcp     open        finger
98/tcp     open        linuxconf
111/tcp    open        sunrpc
113/tcp    open        auth
513/tcp    open        login
514/tcp    open        shell
943/tcp    open        unknown
1024/tcp   open        kdm

I found the startup location for the scripts. The scripts were starting every reboot. I guess the last time it started was:

[ted@moe chkrootkit-0.34]$ uptime
1:40am up 154 days, 9:15, 1 user, load average: 0.00, 0.00, 0.00

[root@moe /etc]# cat rc.d/rc.local
#!/bin/sh
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

if [ -f /etc/redhat-release ]; then
    R=$(cat /etc/redhat-release)
    ... cut
fi

###
#The Little Bastards Startup scripts
#not very complicated
#/etc/.../bindshell
#/etc/.../bnc
#/etc/.../snif
#/etc/.../lsh 31333 v0idzz

chkrootkit did not seem to find anything except a sniffer. This may be because I did a chmod 0 on a bunch of the binaries I didn't want starting ever again.

[root@moe chkrootkit-0.34]# ./chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not infected
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not infected
Checking `inetdconf'... not infected
Checking `identd'... not infected
Checking `killall'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not infected
Checking `rshd'... not infected
Checking `slogin'... not found
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `top'... not infected
Checking `telnetd'... not infected
Checking `timed'... not infected
Checking `traceroute'... not infected
Checking `write'... not infected
Checking `aliens'... /dev/.v0id/ptyq /dev/ptyp /dev/ptypr
Centralized ISP Admin Package

I haven't been able to glean much about Webmin yet as to whether it can support automating common ISP activities distributed among multiple servers. Does Webmin or any other package provide a means of logging onto a centralized web site (for ISP employees only) to add radius user accounts, Postfix virtual accounts, customer FTP/Web accounts/sites, and DNS records where each function (web, mail, DNS, etc) are split among multiple machines? As for the DNS, it would have to break this down between adding a primary zone and records to one DNS server and creating secondary zones to one or more backup DNS servers.

If no such package exists, I will likely create one for our internal use with a central SQL database showing the plain text passwords for each individual account and all the supporting records. The SQL database will double as billing control and configuration master.

If anyone has suggestions for this project (presuming there is no package available), I would appreciate any constructive suggestions on how to implement the design.
RE: BIND exploited ? -UPDATE

On Sat, 5 Jan 2002, Jeremy L. Gaddis wrote:
> You dumbass. Everybody knows you don't try to fix a compromised machine. You take it in stride, wipe the drives and start all over from a clean install.

Would you mind terribly not airing your oh-so-superior views in public? With such unbridled arrogance? I'm sure I'm not the only one who finds it offensive and not at all representative of the maturity of discussion expected of this list. The aim of a self-help list such as this is to help and educate -- not to sneer and ridicule.

OH -- and would you also mind terribly NOT re-posting the complete history of the current thread in your public e-mails? It's a clear sign of inability to either understand or use the medium properly.

Thank you.

--
Martin Wheeler [EMAIL PROTECTED] [gpg:1024D/01269BEB 2001-09-29]
/debian/ msw [EMAIL PROTECTED] [gpg:1024D/8D6B948B 2001-07-04]
Re: BIND exploited ?

> Good point! Having never dealt with the fuzz after being compromised, I have to ask what you would do if your server is a file server with lots of big, expensive drives where a company might not be able to afford replacing them all? Would they be happy with backups (keeping in mind that any tools used to backup the server might no longer be trustworthy)? How about disk images (made with dd, or something similar) of the drives that contain the system stuff?

In my experience, the police will have computer crime specialists who'll know all about dd. In fact, one of the first things they'll ask when you contact them is whether they can make complete disk images, and they'll be very happy if you say yes. They'll be happier still if you can provide tcpdump (or similar) traces of the intruder's activity (electronic format is nice, but they'll need a hard copy too, with each page dated and signed to present to the judge).

Once they've made the disk images, you can format your disks and put them back into service. You'll still be able to participate in the forensic examination of those images, though, and (again, in my experience only), they're very good at respecting privacy concerns - ie. not going anywhere near the /home partition, etc.
Re: BIND exploited ? -UPDATE

On Sat, Jan 05, 2002 at 01:43:24AM -0500, Thedore Knab wrote:
> Starting nmap V. 2.54BETA25 ( www.insecure.org/nmap/ )
> Interesting ports on dns1.mywork.edu :
> (The 1540 ports scanned but not shown below are in state: closed)
       ^^
You seem to have only scanned your well-known ports?

Joachim
Re: BIND exploited ?

On Sun, 6 Jan 2002 04:08, Jason Lim wrote:
> From my experience, police like data untampered and in exactly the same form and such when the intrusion occurred. That means the exact same disks, not a tape backup or something. Sometimes backups can miss stuff, or as mentioned previously, the backup software itself could have been rooted.
>
> Actually, it would be best to make a duplicate of the disk, USE THE DUPLICATE, and give the police the original.
>
> If possible, just yank the power out of the box... the reason being that if you use 'reboot' or 'shutdown' or others, they usually run through the shutdown scripts, and within the shutdown scripts the kiddies could've planted something there as well. You never know. By yanking the power, no software can write/modify the disks, and they are preserved, more or less.

Good point. Also that means not running fsck! Sometimes there's interesting data in files that were deleted but open at the time, fsck will usually remove that data while debugfs can get it.

--
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/projects.html Projects I am working on
http://www.coker.com.au/~russell/ My home page
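Jason's advice to duplicate the disk and work on the copy, and Russell's point that nothing (fsck included) should be allowed to write to it, as a shell script. This is an added example, not code from either message; the function names are mine. It images a device with dd, records SHA-256 hashes of source and image so the copy can be shown to match the original handed to the police, and mounts the copy with options that keep the kernel from writing to it. It runs as written on an ordinary file, which is how it is exercised below; real devices need root.

```shell
#!/bin/sh
# Added example (not from the thread): image a disk, prove the image matches
# the original, and mount the image for examination without altering it.

# image_disk SRC DEST: copy SRC to DEST with dd. bs=512 is the sector size,
# so conv=sync never pads past the end of a real device; conv=noerror keeps
# going past unreadable sectors (padded with zeros so offsets stay aligned).
# dd's own report and any read errors are kept in DEST.dd.log for the record.
image_disk() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>"$2.dd.log"
}

# hash_file FILE: print the SHA-256 of FILE (sha256sum prints "hash  name").
hash_file() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_image SRC DEST: succeed only if both hashes agree and a byte-level
# cmp agrees too; on success write DEST.sha256 as the chain-of-custody record.
verify_image() {
    src_hash=$(hash_file "$1")
    img_hash=$(hash_file "$2")
    [ "$src_hash" = "$img_hash" ] || return 1
    cmp -s "$1" "$2" || return 1
    printf '%s  %s\n' "$img_hash" "$2" > "$2.sha256"
}

# mount_for_examination IMAGE DIR: mount an ext2/ext3 image read-only.
# noload stops ext3 from replaying its journal (which would write to the
# image, the same kind of change Russell warns about with fsck);
# noexec/nodev/nosuid keep anything on the image from running on the
# examining host. Requires root; not exercised by the test.
mount_for_examination() {
    mount -o ro,loop,noload,noexec,nodev,nosuid "$1" "$2"
}

# Usage on a real disk, after the box has been powered off rather than shut down:
#   image_disk /dev/hdb /evidence/hdb.img && verify_image /dev/hdb /evidence/hdb.img
#   mount_for_examination /evidence/hdb.img /mnt/examine
# The original /dev/hdb then goes to the police untouched; all work happens on the image.
```

Hashing the original before it leaves your hands is the part people skip: without it, nobody can later show that the copy examined is the disk that was seized.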
Re: BIND exploited ? -UPDATE #2

How does this sound?

The system has been rebuilt. It is running Bind 9.2 chroot version on RH 7.2. Someone else built it. I prefer Debian or OpenBSD. I will add tripwire and chkrootkit to run as a cron job.

The hard drives will be saved for further investigation at a later date. Since the hard drives have been modified in a hack effort to patch the problem, I don't think they can be used as evidence.

Snort will also be installed on an OPENBSD box at the edge of the network to monitor the administrative network, and on the administrative network.

-Ted
[OT] help with filtering chars using reg exp in PHP

hello all,

for the life of me i can't figure out the reg exp PHP manual, can someone please help me with ereg_replace() or preg_replace() in PHP. i have a string wherein i want to replace all occurrences of characters outside of a-z0-9 with nothing.

tia,
sib

-
A world of Information. The journey begins here. At Home.
Internet Cebu's web based mail. http://www.i-mailbox.net
Re: Best way to duplicate HDs--talk more about rsync+ssh system

> 3) Add this to authorized_keys for the above account, specifying the command that logins with this key are allowed to run. See command= in sshd(1).

I can't find the document about this section, can you show me some reference or examples? Many thanks.

--
Patrick Hsieh [EMAIL PROTECTED]
GPG public key http://pahud.net/pubkeys/pahudatpahud.gpg
chroot debian environments

Heya,

I've got a project coming up to create a chroot'ed environment, using the grsecurity patches for added security, that provides a separate encapsulated virtual machine for each user or group of users. I want to build the environment the users get chroot'ed into using debian package tools.

What I'm wondering is, what's the best way to start this process? Assuming I have a partition set aside (which will be mounted read-only) to act as the root filesystem for the chroot cage, how do I get the basic file layout, dpkg, etc installed on it? I could do a basic debian install, but that'd include things like a kernel, which I don't need.

Are there any other projects out there that include this sort of thing?

KJL

--
Internet techie                 Obsidian Consulting Group
Phone: +613 9653 9364           Fax: +613 9354 2681
http://www.obsidian.com.au/     [EMAIL PROTECTED]
Re: chroot debian environments

On Mon, Jan 07, 2002 at 03:48:25PM +1100, Kevin Littlejohn wrote:
> What I'm wondering is, what's the best way to start this process? Assuming I have a partition set aside (which will be mounted read-only) to act as the root filesystem for the chroot cage, how do I get the basic file layout, dpkg, etc installed on it? I could do a basic debian install, but that'd include things like a kernel, which I don't need.

I'd start with debootstrap.

--
Jacob Elder
http://www.lucidpark.net/
Re: Best way to duplicate HDs

> On Tue, Jan 01, 2002 at 08:39:39AM -0500, Keith Elder wrote:
> > This brings up a question. How do you rsync something but keep the ownership and permissions the same. I am pulling data off site nightly and that works, but the permissions are all screwed up.
>
> rsync -avxrP --delete $FILESYSTEMS backup-server:backups/$HOSTNAME
>
> Some caveats if you want to fully automate this...
>
> - remove -vP (verbose w/ progress)
> - --delete is NECESSARY to make sure deleted files get deleted from the backup
> - FILESYSTEMS should be any local filesystems you want backed up (-x won't cross filesystems, makes backing up in NFS environment easier)
> - obviously this doesn't preclude a bad guy checking out backup-server:backups/otherhostname (use ssh keys, and invoke cmd=cd backups/hostname; rsync with whatever daemon options will limit that)

Hello Ted,

Now I know how to use command= in ~/.ssh/authorized_keys2. Providing I have backupserver and debianclient. In ~/.ssh/authorized_keys2 of backupserver command= section, what command should I put to automate the backup procedure between backupserver and debianclient? I tried:

command=cd /backup; /usr/bin/rsync -av debianclient:/dirtobackup ./

But when I ssh from debianclient to backupserver, it gives me a password prompt, so I enter the password, then rsync begins. I don't understand what command= means. Does it only specify what will the server do upon ssh login? Can it specify some commands and parameters to restrict ssh host pre-specified command?

> - on backup-server, rotate the backup every 12 hours or whatever.
>   - rsync -ar --delete store/hostname.2 store/hostname.3
>   - rsync -ar --delete store/hostname.1 store/hostname.2
>   - rsync -ar --delete backups/hostname store/hostname.1
>   # that could be better optimized, but you get the idea
>
> I've used this rsync system to successfully maintain up to date backups w/ great ease, AND restore very quickly... use a LinuxCare Bootable Business Card to get the target fdisked and ready, then mount the filesystems as you desire, and rsync -avrP backup-server:backups/hostname /target. I got a 700mb server back online in under 20 minutes from powerup to server serving requests (the rsync itself is 3 to 5 minutes). Making sure you do (cd /target; lilo -r . -C etc/lilo.conf) is the only tricky part.
>
> --
> Ted Deppner
> http://www.psyber.com/~ted/

--
Patrick Hsieh [EMAIL PROTECTED]
GPG public key http://pahud.net/pubkeys/pahudatpahud.gpg
Re: Best way to duplicate HDs

On Mon, Jan 07, 2002 at 03:03:12PM +0800, Patrick Hsieh wrote:
> > - obviously this doesn't preclude a bad guy checking out backup-server:backups/otherhostname (use ssh keys, and invoke cmd=cd backups/hostname; rsync with whatever daemon options will limit that)
>
> Now I know how to use command= in ~/.ssh/authorized_keys2. Providing I have backupserver and debianclient. In ~/.ssh/authorized_keys2 of backupserver command= section, what command should I put to automate the backup procedure between backupserver and debianclient? I tried:
>
> command=cd /backup; /usr/bin/rsync -av debianclient:/dirtobackup ./

run the rsync without a command= statement, and do a ps awux | grep rsync on the target (like I already suggested). That command or something close to it will be the basis for your command=

> But when I ssh from debianclient to backupserver, it gives me a password prompt, so I enter the password, then rsync begins.

and ?

> I don't understand what command= means. Does it only specify what will the server do upon ssh login? Can it specify some commands and parameters to restrict ssh host pre-specified command?

command= on the target machine is the command that will be run when the client successfully authenticates. Try it yourself. try a command='/bin/cat /etc/motd', and then ssh target:... use an identity key of course. the ssh commandline will have no effect if a command= is present.

--
Ted Deppner
http://www.psyber.com/~ted/
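The command= mechanism Ted describes, carried one step further than the thread does: instead of hardcoding a single rsync invocation in authorized_keys, the forced command is a small wrapper that reads the command the client actually sent (sshd passes it in SSH_ORIGINAL_COMMAND), runs it only if it is an rsync server invocation confined to that host's own backups/hostname directory, and refuses everything else. That closes the "bad guy checking out backup-server:backups/otherhostname" hole from the quoted message. This is an added example, not code from the thread or from rsync/OpenSSH; the script name, the backups/ layout and the option whitelist are mine, and the exact --server option string rsync sends is whatever the ps awux | grep rsync check above shows on your server.

```shell
#!/bin/sh
# Added example (not from the thread): forced-command wrapper for the backup
# account on backup-server. Install it as /usr/local/bin/rsync-only and use
# it in the key's line in ~/.ssh/authorized_keys (authorized_keys2 on the
# OpenSSH versions discussed in the thread):
#
#   command="/usr/local/bin/rsync-only moe",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA...
#
# sshd runs the wrapper in the account's home directory, so backups/moe is
# relative to that home.

# rsync_command_allowed CMD DIR
# Accept only:  rsync --server [options] . DIR  or  DIR/something
# (the --sender form is what a pull, i.e. a restore, looks like).
# Returns 0 if CMD may run, 1 otherwise.
rsync_command_allowed() {
    cmd="$1"; dir="$2"
    # Shell metacharacters never occur in rsync's server command line; refuse
    # them outright so nothing can be smuggled past the word split below.
    case "$cmd" in
        *\;*|*\|*|*\&*|*\$*|*\`*|*\(*|*\)*|*\<*|*\>*|*\**|*\?*|*\[*) return 1 ;;
    esac
    set -- $cmd                       # rsync does not quote its server arguments
    [ "$1" = "rsync" ] && [ "$2" = "--server" ] || return 1
    shift 2
    seen_dot=0; target=""
    for arg in "$@"; do
        case "$arg" in
            *..*) return 1 ;;         # no path traversal anywhere on the line
            --server|--sender|--delete|--delete-during|--delete-after|--partial|--numeric-ids) ;;
            --*) return 1 ;;          # any long option not listed above is refused
            # Short-option bundle, optionally followed by rsync's ".<caps>"
            # protocol flags (e.g. -vlogDtprze.iLsfxC on newer rsync).
            -*) printf '%s\n' "$arg" | grep -Eq '^-[A-Za-z]+(\.[A-Za-z]*)?$' || return 1 ;;
            .) [ $seen_dot -eq 0 ] && seen_dot=1 || return 1 ;;
            *) [ -z "$target" ] && target="$arg" || return 1 ;;
        esac
    done
    [ $seen_dot -eq 1 ] && [ -n "$target" ] || return 1
    case "$target" in
        "$dir"|"$dir"/*) return 0 ;;  # inside this host's own directory only
        *) return 1 ;;
    esac
}

# run_forced_command HOST: what sshd invokes. Runs the validated rsync, or
# logs and refuses. Nothing on the ssh command line is executed unchecked.
run_forced_command() {
    if rsync_command_allowed "${SSH_ORIGINAL_COMMAND:-}" "backups/$1"; then
        exec $SSH_ORIGINAL_COMMAND
    fi
    logger -t rsync-only "rejected from ${SSH_CLIENT%% *}: ${SSH_ORIGINAL_COMMAND:-<none>}"
    echo "rejected" >&2
    exit 1
}

# Only act when sshd has handed us a client command; otherwise the functions
# above are merely defined (this is what lets the file be tested offline).
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    run_forced_command "$1"
fi
```

With this in place the client's nightly `rsync -ax --delete $FILESYSTEMS backup-server:backups/moe` keeps working, a restore with `rsync -a backup-server:backups/moe/ /target` keeps working, and a key holder who tries `ssh backup-server ls backups` or points rsync at backups/otherhost gets "rejected" and a syslog line on the server.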
Re: BIND exploited ?
I have to ask what you would do if your server is a file server with lots of big, expensive drives where a company might not be able to afford replacing them all? Would they be happy with backups (keeping in mind that any tools used to backup the server might no longer be trustworthy)? How about disk images (made with dd, or something similar) of the drives that contain the system stuff? OK. When I described replacing all hard drives I was referring to system disks with the OS and applications not data files. Keeping a backup of your news spool probably doesn't gain you much. Just use find on the data disks (the copy of find on the freshly installed un-cracked system on new system disks) to search for suspicious files (SUID, SGID, and executables where you least expect them). Also search for files and directories starting in '.' in locations where you don't expect them. Another thing to check for is the most recently changed files. On a web server the content may not have changed for a month, any files changed in the last week would be by the intruder... After copying and removing all suspicious files (make sure you use tar or cpio not cp so that permissions and time stamps are preserved) then the data disks will be ready for service again. Make sure that boot sectors are wiped as well (on a Debian installation use install-mbr on every disk that has a partition table). From my experience, police like data untampered and in exactly the same form and such when the intrusion occurred. That means the exact same disks, not a tape backup or something. Sometimes backups can miss stuff, or as mentione previously, the backup software itself could have been rooted. Actually, it would be best to make a duplicate of the disk, USE THE DUPLICATE, and give the police the original. If possible, just yank the power out of the box... 
the reason being that if you use 'reboot' or 'shutdown' or others, they usually run though the shutdown scripts, and within the shutdown scripts the kiddies could've planted something there as well. You never know. By yanking the power, no software can write/modify the disks, and they are preserved, more or less. Sincerely, Jason
RE: BIND exploited ? -UPDATE
You dumbass. Everybody knows you don't try to fix a compromised machine. You take it in stride, wipe the drives and start all over from a clean install. j. -- Jeremy L. Gaddis [EMAIL PROTECTED] -Original Message- From: Ted Knab [mailto:[EMAIL PROTECTED] Behalf Of Thedore Knab Sent: Saturday, January 05, 2002 1:43 AM To: debian-isp@lists.debian.org Subject: Re: BIND exploited ? -UPDATE Thanks for your help. This was not a debian box. Maybe the next one will be. I think it was updated from an earilier version that was hacked. I am under the assumption that this server was this way for over 1 year. [EMAIL PROTECTED] chkrootkit-0.34]$ cat /etc/redhat-release Red Hat Linux release 6.2 (Zoot) I just started this .edu sys admin job last week. It is fun. I am finding all types of crazy stuff that would send most normal people to the nut house. It is an adventure. I don't think I will be able to rebuild this DNS for a few days. I have some other projects that need to be rolled out for .edu political reasons. It has been rooted for sometime, so I have a lot of fixing to do. I told everyone that needs to be informed, but they just don't get the gravity of the situation. Since I won't be able to build another, I tried isolating the services. It also seems more fun to try and fix the broken box. I think I have most of the cracked services isolated. Behind door number 1 - less services A nmap scan from my laptop reveals: Starting nmap V. 2.54BETA25 ( www.insecure.org/nmap/ ) Interesting ports on dns1.mywork.edu : (The 1540 ports scanned but not shown below are in state: closed) Port State Service 21/tcp openftp 23/tcp opentelnet 53/tcp opendomain 113/tcpopenauth This is an improvement over what it looked like this morning: See your advice helped... :-) Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds Starting nmap V. 
2.54BETA25 ( www.insecure.org/nmap/ ) Interesting ports on dns1.mywork.edu : (The 1533 ports scanned but not shown below are in state: closed) Port State Service 21/tcp openftp 23/tcp opentelnet 53/tcp opendomain 79/tcp openfinger 98/tcp openlinuxconf 111/tcpopensunrpc 113/tcpopenauth 513/tcpopenlogin 514/tcpopenshell 943/tcpopenunknown 1024/tcp openkdm I found the startup location for the scripts. The scripts were starting every reboot. I guess the last time it started was: [EMAIL PROTECTED] chkrootkit-0.34]$ uptime 1:40am up 154 days, 9:15, 1 user, load average: 0.00, 0.00, 0.00 [EMAIL PROTECTED] /etc]# cat rc.d/rc.local #!/bin/sh # This script will be executed *after* all the other init scripts. # You can put your own initialization stuff in here if you don't # want to do the full Sys V style init stuff. if [ -f /etc/redhat-release ]; then R=$(cat /etc/redhat-release) ... cut fi ### #The Little Bastards Startup scripts #not very complicated #/etc/.../bindshell #/etc/.../bnc #/etc/.../snif #/etc/.../lsh 31333 v0idzz checkroot kit did not seem to find anything except a snifer. This maybe because I did a chmod 0 on a bunch of the binaries I didn't want starting ever again. [EMAIL PROTECTED] chkrootkit-0.34]# ./chkrootkit ROOTDIR is `/' Checking `amd'... not found Checking `basename'... not infected Checking `biff'... not found Checking `chfn'... not infected Checking `chsh'... not infected Checking `cron'... not infected Checking `date'... not infected Checking `du'... not infected Checking `dirname'... not infected Checking `echo'... not infected Checking `egrep'... not infected Checking `env'... not infected Checking `find'... not infected Checking `fingerd'... not infected Checking `gpm'... not infected Checking `grep'... not infected Checking `hdparm'... not infected Checking `su'... not infected Checking `ifconfig'... not infected Checking `inetd'... not infected Checking `inetdconf'... not infected Checking `identd'... not infected Checking `killall'... 
not infected Checking `login'... not infected Checking `ls'... not infected Checking `mail'... not infected Checking `mingetty'... not infected Checking `netstat'... not infected Checking `named'... not infected Checking `passwd'... not infected Checking `pidof'... not infected Checking `pop2'... not found Checking `pop3'... not found Checking `ps'... not infected Checking `pstree'... not infected Checking `rpcinfo'... not infected Checking `rlogind'... not infected Checking `rshd'... not infected Checking `slogin'... not found Checking `sendmail'... not infected Checking `sshd'... not infected Checking `syslogd'... not infected Checking `tar'... not infected Checking `tcpd'... not infected Checking `top'... not infected Checking `telnetd'... not infected Checking `timed'... not infected Checking `traceroute'... not infected Checking `write'... not infected Checking
Centralized ISP Admin Package
I haven't been able to gleen much about Webmin yet as to whether it can support automating common ISP activities distributed among multiple servers. Does Webmin or any other package provide a means of logging onto a centralized web site (for ISPemployees only) to add radius user accounts, Postfix virtual accounts, customer FTP/Web accounts/sites, and DNS records where each function (web, mail, DNS, etc) are split among multiple machines? As for the DNS, it would have to break this down between adding a primary zone and records to one DNS server and creating secondary zones to one or more backup DNS servers. If no such package exists, Iwill likelycreateone for our internal use with a central SQL database showing the plain text passwords for each individual account and all the supporting records. The SQL database will double as billing control and configuration master. If anyone has suggestions for this project (presuming there is no package available),I would appreciateany constructive suggestions on how to implement the design.
RE: BIND exploited ? -UPDATE
On Sat, 5 Jan 2002, Jeremy L. Gaddis wrote: You dumbass. Everybody knows you don't try to fix a compromised machine. You take it in stride, wipe the drives and start all over from a clean install. Would you mind terribly not airing your oh-so-superior views in public? With such unbridled arrogance? I'm sure I'm not the only one who finds it offensive and not at all representative of the maturity of discussion expected of this list. The aim of a self-help list such as this is to help and educate -- not to sneer and ridicule. OH -- and would you also mind terribly NOT re-posting the complete history of the current thread in your public e-mails? It's a clear sign of inability to either understand or use the medium properly. Thank you. -- Martin Wheeler [EMAIL PROTECTED] [gpg:1024D/01269BEB 2001-09-29] /debian/ msw [EMAIL PROTECTED] [gpg:1024D/8D6B948B 2001-07-04]
Re: BIND exploited ?
Good point! Having never dealt with the fuzz after being compromised, I have to ask what you would do if your server is a file server with lots of big, expensive drives where a company might not be able to afford replacing them all? Would they be happy with backups (keeping in mind that any tools used to backup the server might no longer be trustworthy)? How about disk images (made with dd, or something similar) of the drives that contain the system stuff? In my experience, the police will have computer crime specialists who'll know all about dd. In fact, one of the first things they'll ask when you contact them is whether they can make complete disk images, and they'll be very happy if you say yes. They'll be happier still if you can provide tcpdump (or similar) traces of the intruder's activiy (electronic format is nice, but they'll need a hard copy too, with each page dated and signed to present to the judge). Once they've made the disk images, you can format your disks and put them back into service. You'll still be able to participate in the forensic examination of those images, though, and (again, in my experience only), they're very good at respecting privacy concerns - ie. not going anywhere near the /home partition, etc.
Re: BIND exploited ? -UPDATE
On Sat, Jan 05, 2002 at 01:43:24AM -0500, Thedore Knab wrote: Starting nmap V. 2.54BETA25 ( www.insecure.org/nmap/ ) Interesting ports on dns1.mywork.edu : (The 1540 ports scanned but not shown below are in state: closed) ^^ You seem to have only scanned your well-known ports? Joachim
Re: BIND exploited ?
On Sun, 6 Jan 2002 04:08, Jason Lim wrote: From my experience, police like data untampered and in exactly the same form and such when the intrusion occurred. That means the exact same disks, not a tape backup or something. Sometimes backups can miss stuff, or as mentione previously, the backup software itself could have been rooted. Actually, it would be best to make a duplicate of the disk, USE THE DUPLICATE, and give the police the original. If possible, just yank the power out of the box... the reason being that if you use 'reboot' or 'shutdown' or others, they usually run though the shutdown scripts, and within the shutdown scripts the kiddies could've planted something there as well. You never know. By yanking the power, no software can write/modify the disks, and they are preserved, more or less. Good point. Also that means not running fsck! Sometimes there's interesting data in files that were deleted but open at the time, fsck will usually remove that data while debugfs can get it. -- http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/projects.html Projects I am working on http://www.coker.com.au/~russell/ My home page
Re: BIND exploited ? -UPDATE #2
How does this sound ? The system has been rebuilt. It is running Bind 9.2 chroot version on RH 7.2. Someone else built it. I prefer Debian or OpenBSD. I will add tripwire and chkroot kit to run as a cron job. The harddrives will be saved for further investigation at a later date. Since the harddrives have been modified in a hack effort to patch the problem, I don't think it can be used as evidence. Snort will also be installed on an OPENBSD box at the edge of the nework to monitor the administrave network, and on the administrative network. -Ted
[OT] help with filtering chars using reg exp in PHP
hello all, for the life of me i cant figure out the reg exp PHP manual, can someone please help me with ereg_replace() or preg_replace() in PHP. i have a string wherein i want to replace all occurences of characters outside of a-z0-9 with nothing. tia, sib - A world of Information. The journey begins here. At Home. Internet Cebu's web based mail. http://www.i-mailbox.net
Re: Best way to duplicate HDs--talk more about rsync+ssh system
3) Add this to authorized_keys for the above account, specifying the command that logins with this key are allowed to run. See command= in sshd(1). I can't find the document about this section, can you show me some reference or examples? Many thanks. -- Patrick Hsieh [EMAIL PROTECTED] GPG public key http://pahud.net/pubkeys/pahudatpahud.gpg
Re: chroot debian environments
On Mon, Jan 07, 2002 at 03:48:25PM +1100, Kevin Littlejohn wrote: What I'm wondering is, what's the best way to start this process? Assuming I have a partition set aside (which will be mounted read-only) to act as the root filesystem for the chroot cage, how do I get the basic file layout, dpkg, etc installed on it? I could do a basic debian install, but that'd include things like a kernel, which I don't need. I'd start with debootstrap. -- Jacob Elder http://www.lucidpark.net/