Re: Count traffic

2003-08-14 Thread Domainbox, Tim Abenath
> what exactly does this patch and how is it to be used? not much
> documentation on that site...

It creates a PROMISC chain that catches all packets on the wire; the box is
then connected to a hub just before the border router and sniffs the packets.
It goes like:

 iptables -t meter -P PROMISCUOUS ACCEPT
 iptables -t meter -N incoming
 iptables -t meter -N outgoing
 iptables -t meter -A incoming -d 62.208.70.1 -j ACCEPT
 iptables -t meter -A outgoing -s 62.208.70.1 -j ACCEPT

This data is read by a cronjob that runs a Perl script with a statement like

my(@OUTLINES) = `/usr/local/sbin/iptables -t meter -nL outgoing -vx -Z`;
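To show what that cron job has to do with the listing, here is an added example (not the poster's Perl script) in Python that parses `iptables -t meter -nL <chain> -vx` output into per-IP packet and byte counters. The two chain listings below are constructed to mimic the iptables output format for the `incoming`/`outgoing` chains from the rules above; the chain names and the source/destination keying follow those rules.

```python
import re
from collections import defaultdict

# Constructed sample listings, in the layout `iptables -t meter -nL <chain> -vx -Z`
# prints (because of -Z, each listing holds only the counts since the previous run).
SAMPLE_OUTGOING = """\
Chain outgoing (0 references)
    pkts      bytes target     prot opt in     out     source               destination
   41873  58213904 ACCEPT     all  --  *      *       62.208.70.1          0.0.0.0/0
     912    108344 ACCEPT     all  --  *      *       62.208.70.2          0.0.0.0/0
"""

SAMPLE_INCOMING = """\
Chain incoming (0 references)
    pkts      bytes target     prot opt in     out     source               destination
   39110   6120233 ACCEPT     all  --  *      *       0.0.0.0/0            62.208.70.1
"""

# Column layout of `iptables -L -v -x`: pkts bytes target prot opt in out source destination
RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<target>\S+)\s+(?P<prot>\S+)\s+"
    r"(?P<opt>\S+)\s+(?P<ifin>\S+)\s+(?P<ifout>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)"
)


def parse_chain(listing):
    """Return (chain_name, [(pkts, bytes, src, dst), ...]) for one chain listing.
    The 'pkts bytes ...' header line does not start with digits, so it is skipped."""
    chain, rules = None, []
    for line in listing.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append((int(m["pkts"]), int(m["bytes"]), m["src"], m["dst"]))
    if chain is None:
        raise ValueError("no 'Chain' header found in listing")
    return chain, rules


def account(listing):
    """Aggregate counters per accounted IP.  Following the post's rules, the
    'outgoing' chain matches on -s (key on source) and 'incoming' on -d
    (key on destination); any other chain name is rejected."""
    chain, rules = parse_chain(listing)
    if chain == "outgoing":
        key = 2
    elif chain == "incoming":
        key = 3
    else:
        raise ValueError(f"unexpected chain {chain!r}")
    totals = defaultdict(lambda: {"pkts": 0, "bytes": 0})
    for rule in rules:
        totals[rule[key]]["pkts"] += rule[0]
        totals[rule[key]]["bytes"] += rule[1]
    return dict(totals)


def merge(*snapshots):
    """Sum successive per-run snapshots.  Because the cron job zeroes the
    counters (-Z) every time, the running total has to live in the script's
    own storage, not in the kernel counters."""
    merged = defaultdict(lambda: {"pkts": 0, "bytes": 0})
    for snap in snapshots:
        for ip, c in snap.items():
            merged[ip]["pkts"] += c["pkts"]
            merged[ip]["bytes"] += c["bytes"]
    return dict(merged)


if __name__ == "__main__":
    out, inc = account(SAMPLE_OUTGOING), account(SAMPLE_INCOMING)
    for ip in sorted(set(out) | set(inc)):
        o = out.get(ip, {"bytes": 0})["bytes"]
        i = inc.get(ip, {"bytes": 0})["bytes"]
        print(f"{ip:<16} out={o:>12} in={i:>12}")
```

Listing with `-L` and `-Z` in the same iptables call reports the counters as they were immediately before clearing, so a run does not lose traffic between the read and the reset; what the script must take care of is summing the per-run deltas itself, which is what `merge` is for.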


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: Count traffic

2003-08-14 Thread Domainbox, Tim Abenath
> I'm searching a solution to count in- and outgoing traffic for each
> virtual user (domain).

I searched for a solution some months ago. All accounting I could find is
based on ipchains/iptables, which do not work on the layer needed to separate
virtual hosts. They only work up to the TCP layer, so you can only separate
between IPs. There are solutions to account virtual hosts, but they are not
free. I have now patched iptables to get promisc chains on which I account the
traffic IP-based. http://idea.hosting.lv/a/iptables-promisc/





Re: Count traffic

2003-08-14 Thread Domainbox, Tim Abenath
> >There are Solutions to Account virtual Hosts, but the are not free.
>
> could you name these, please? would be interested in taking a closer
> look at this...

This was done by ip24 I think, but the company was bought by ipvalue
(www.ipvalue.de).
I don't know what happened to that product; I cannot remember the name under
which it ran at ipvalue.
But it was so expensive that I dropped all research on it.





Re: Rootkit?

2003-07-11 Thread Domainbox, Tim Abenath
Hello,

> Did you copy the gzip binary under the gzip name, or under another, and
> of course, the machine was "possibly infected" at the time?

Uh, I have so much stuff on my mind today, it's hard to remember ;-)
I think I tried to FTP the clean gzip binary named as 'gzip' and as 'foo';
both were then infected.

> If so, it would tend to indicate a similar situation to what I had, on a
> non-debian box, where a certain list of binaries were hijacked through
> ld_preload tricks and uninfected copies were on the file system, but
> infection wrappers in /proc were run before each one...

Well, I will put the 'infected' disk into another clean box at the weekend
and see what I can find...




Re: Rootkit?

2003-07-11 Thread Domainbox, Tim Abenath
Hello,

>just need to find one that offers additional protection WITHOUT
> needing a whole bunch of new config files to make and set,

I got stuck waiting for updated kernel security patches when new kernels are
released, so I use libsafe
(http://www.research.avayalabs.com/project/libsafe/), which seems to run nicely
even in a production environment.
Until now I have only found one binary not running, hwclock. This gets
terminated by libsafe because it seems to do nasty stuff :)
But there is an 'exclude these binaries please' file where this could be
specified.

[EMAIL PROTECTED]
the countless lonely voices, like whispers in the dark...







Re: Rootkit?

2003-07-11 Thread Domainbox, Tim Abenath
Hello,

> Looks almost same here:

Yes, but without those lines

> open("/proc/uptime", O_RDONLY)  = 3
> open("/proc/4215/exe", O_RDONLY)= 3

This is in all binaries I have checked (echo, ifconfig, ...)

> The gzip thing looks really weird. Does chkrootkit show any evidents?
> maybe gzip got broken somehow.

No, chkrootkit doesn't find anything. I got this some weeks ago, but couldn't
find anything on the box, so I thought it was just broken and re-installed. But
the same box was hit again this week, and another one too, which also got all
its websites defaced tonight.
And again, the only thing I could find is gzip not working.

> I would build some checksum database of /bin,/sbin,/usr/bin,/usr/sbin off a
> definitely not infected machine (using tripwire or aide), burn the
> database(s) and the binaries to check/build them on a CDROM and compare that
> with the weird system's binaries.

I checked with md5sum; the binaries differ from those on other machines that
look clean.
Very strange: if I FTP the 'gzip' binary from a clean machine to the
'infected' one, it is then changed to the same md5sum that the 'gzip' binary
has on the 'infected' machine.

> _really_ check if something serious has changed without taking the machines
> in question off (and check them with e.g. chkrootkit from a knoppix cd)

I already did this. I booted from the woody install CD and did a chroot into
the system.
The effects are still there, so this should be nothing running in the
kernel.

I reinstalled the machines (got the old disks here for further research), so
this is not urgent.
I just need to know what happened, because I would like the other boxes here
to stay clean ;-)
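The checksum-database approach suggested in the quoted reply, and the md5sum comparison the poster did by hand, look like this as an added example (not a tool from this thread, and not tripwire or aide). It builds a baseline of `/bin`, `/sbin`, `/usr/bin` and `/usr/sbin` from a known-clean tree, serialises it as JSON (the file you would burn to CD), and diffs it against a suspect tree. SHA-256 is used instead of md5sum. The two trees and their fake binaries are constructed in temporary directories so the example runs offline; the file names are illustrative only.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Directories the thread suggests baselining.  Keys are root-relative, so a
# suspect disk mounted under /mnt from boot media is checked exactly like /.
DEFAULT_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin")


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, dirs=DEFAULT_DIRS):
    """Record sha256, size and permission bits for every regular file under
    root/<dir>; keys are absolute-looking paths such as '/bin/gzip'."""
    baseline = {}
    for d in dirs:
        top = Path(root) / d.lstrip("/")
        if not top.is_dir():
            continue
        for dirpath, _subdirs, files in os.walk(top):
            for name in files:
                p = Path(dirpath) / name
                if p.is_symlink() or not p.is_file():
                    continue  # symlinks are covered via their targets; devices etc. skipped
                st = p.stat()
                key = "/" + p.relative_to(root).as_posix()
                baseline[key] = {"sha256": hash_file(p), "size": st.st_size,
                                 "mode": st.st_mode & 0o7777}
    return baseline


def compare(baseline, root):
    """Diff a saved baseline against the tree under root."""
    current = build_baseline(root)
    return {
        "changed": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed scenario in temp dirs: a clean tree and a suspect tree in
    which gzip was replaced, md5sum removed and an extra binary dropped in."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as suspect:
        for root in (clean, suspect):
            os.makedirs(os.path.join(root, "bin"))
            os.makedirs(os.path.join(root, "usr", "bin"))
            Path(root, "bin", "ls").write_bytes(b"\x7fELF ls (constructed)")
            Path(root, "bin", "gzip").write_bytes(b"\x7fELF gzip (constructed)")
            Path(root, "usr", "bin", "md5sum").write_bytes(b"\x7fELF md5sum (constructed)")
        Path(suspect, "bin", "gzip").write_bytes(b"\x7fELF gzip (modified, constructed)")
        Path(suspect, "usr", "bin", "foo").write_bytes(b"\x7fELF foo (constructed)")
        os.remove(os.path.join(suspect, "usr", "bin", "md5sum"))
        # Serialise the baseline as you would before writing it to read-only media.
        saved = json.dumps(build_baseline(clean))
        return compare(json.loads(saved), suspect)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The comparison should be run from the boot medium with the suspect disk mounted as a plain directory, not from inside a chroot of that disk: a chroot executes the suspect system's own libc and tools, which is exactly what is in doubt. Recording size and mode alongside the hash also catches the case the poster describes, where a freshly copied file is rewritten on arrival and ends up with the same digest as the altered one.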




Rootkit?

2003-07-11 Thread Domainbox, Tim Abenath
Hello,

In our server farm I found several machines not working properly. They show
up complaining:

webbox:/chkrootkit# gzip -d
gzip: invalid option -- d
Segmentation fault

The running binaries take a look at /proc/uptime, which they are not
supposed to do:

webbox:/chkrootkit# strace -eopen ls
open("/etc/ld.so.preload", O_RDONLY)= -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)  = 3
open("/lib/librt.so.1", O_RDONLY)   = 3
open("/lib/libc.so.6", O_RDONLY)= 3
open("/lib/libpthread.so.0", O_RDONLY)  = 3
open("/proc/uptime", O_RDONLY)  = 3
open("/proc/4215/exe", O_RDONLY)= 3
--- SIGCHLD (Child exited) ---
open("/dev/null", O_RDONLY|O_NONBLOCK|O_DIRECTORY) = -1 ENOTDIR (Not a directory)
open(".", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 5
open("/etc/mtab", O_RDONLY) = 5
open("/proc/meminfo", O_RDONLY) = 5
ACKNOWLEDGMENTS  README             check_wtmpx    chkdirs.c     chkpro     chkrootkit      chkwtmp.c    strings
COPYRIGHT        README.chklastlog  check_wtmpx.c  chklastlog    chkproc    chkrootkit.lsm  ifpromisc    strings.c
Makefile         README.chkwtmp     chkdirs        chklastlog.c  chkproc.c  chkwtmp         ifpromisc.c
webbox:/chkrootkit#

Is this a rootkit installed? Has someone experienced stuff like this? The
machines are running Debian 3.0 with different kernels,
2.4.18-bf2.4 or a static 2.4.20.

[EMAIL PROTECTED]
the countless lonely voices, like whispers in the dark...
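The indicator in this post is a plain file-listing tool opening `/proc/uptime` and `/proc/<pid>/exe` during startup. As an added example (not from the thread), the following Python triages `strace -eopen` output against an allowlist of the files a dynamically linked `ls` normally reads and reports anything else, with the two `/proc` reads above called out explicitly. The sample trace is constructed to mirror the post's output; the allowlist and the "suspicious" patterns are assumptions for illustration and would be tuned per binary.

```python
import re

# Constructed trace, mirroring the open() calls shown in the post for `strace -eopen ls`.
SAMPLE_TRACE = """\
open("/etc/ld.so.preload", O_RDONLY)= -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)  = 3
open("/lib/librt.so.1", O_RDONLY)   = 3
open("/lib/libc.so.6", O_RDONLY)= 3
open("/lib/libpthread.so.0", O_RDONLY)  = 3
open("/proc/uptime", O_RDONLY)  = 3
open("/proc/4215/exe", O_RDONLY)= 3
--- SIGCHLD (Child exited) ---
open(".", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 5
open("/etc/mtab", O_RDONLY) = 5
open("/proc/meminfo", O_RDONLY) = 5
"""

# open("<path>", <flags>) = <ret> ...   (signal lines such as '--- SIGCHLD ---' do not match)
OPEN_RE = re.compile(r'^open\("(?P<path>[^"]*)",\s*(?P<flags>[^)]*)\)\s*=\s*(?P<ret>-?\d+)')

# Assumed allowlist for a dynamically linked ls: loader config, shared libraries,
# the directory being listed, and the files GNU ls reads for mount/block-size info.
EXPECTED_PREFIXES = ("/etc/ld.so.", "/lib/", "/usr/lib/")
EXPECTED_EXACT = {".", "/etc/mtab", "/proc/meminfo"}

# Paths a file-listing tool has no reason to read, each with the reason to report.
SUSPICIOUS = [
    (re.compile(r"^/proc/uptime$"), "reads system uptime"),
    (re.compile(r"^/proc/\d+/exe$"), "opens a process's executable image"),
    (re.compile(r"^/proc/\d+/(maps|mem)$"), "inspects another process's memory"),
]


def parse_opens(trace):
    """Return [(path, flags, return_value)] for each open() line in the trace."""
    opens = []
    for line in trace.splitlines():
        m = OPEN_RE.match(line.strip())
        if m:
            opens.append((m["path"], m["flags"], int(m["ret"])))
    return opens


def classify(path):
    """Map a path to ('suspicious' | 'expected' | 'unknown', reason)."""
    for pattern, reason in SUSPICIOUS:
        if pattern.match(path):
            return "suspicious", reason
    if path in EXPECTED_EXACT or path.startswith(EXPECTED_PREFIXES):
        return "expected", ""
    return "unknown", "not in allowlist"


def audit(trace):
    """Return [(path, verdict, reason)] for every open() that is not expected,
    in trace order so the analyst can see where in startup it happened."""
    findings = []
    for path, _flags, _ret in parse_opens(trace):
        verdict, reason = classify(path)
        if verdict != "expected":
            findings.append((path, verdict, reason))
    return findings


if __name__ == "__main__":
    for path, verdict, reason in audit(SAMPLE_TRACE):
        print(f"{verdict:<10} {path:<24} {reason}")
```

Two things worth reading off the trace itself: `/etc/ld.so.preload` returns ENOENT, so the behaviour is not coming from that particular preload mechanism, and the unexpected opens happen before the program's own work (the `.` and `/etc/mtab` opens), which points at the binary or a library it loads rather than at `ls` logic. Either way the trace only narrows the search; the follow-up is the offline checksum comparison discussed in the replies.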







Re: Apache Virtual Hosts Chroot ?

2003-03-19 Thread Domainbox, Tim Abenath
http://httpd.apache.org/docs-2.0/mod/perchild.html
I tried that one, but the child processes died right away. As the page says,
work is ongoing to make it functional.







Re: Virtual hosting solutions

2003-02-19 Thread Domainbox, Tim Abenath
Hello List,

> I'm currently in the need of a complete virtual hosting solution.

Confixx could do the job. The only service it does not have is IMAP.
The mail users it creates don't have a shell, so they have no space to store
the folders.

> I'm completely independent in the backend choice, but I think it will
> scale down to either LDAP, mysql or pgsql. Anyone can give some hints what
> backend has which advantages and disadvantages?

It uses MySQL or pgsql as backend and handles even 1000 domains easily.

> Any hints, URLS or tools are welcome. Any comments and experience reports
> are very welcome :)

http://www.yippi-yeah.de/prod_cfx_pro.html

When this all sounds good, here comes the worse part: it's not free :(
If someone knows a free system that runs nicely and can handle resellers, I'm
very interested.






Re: debian friendly unmanaged hosting joints?

2003-02-17 Thread Domainbox, Tim Abenath
Hello List

> >We are looking for simple unmanaged hosting service that provides Debian
> >3.0 as the baseline.



We are offering Debian-based hosting. We have a 'default' setup for the
machines, but we will install them the way the customer wants them to be.
For further information see www.domainbox.de.









Re: PHP using suexec

2003-02-12 Thread Domainbox, Tim Abenath
Hello list,

> My experience with PHP and suexec was less than favorable.

I was playing around yesterday, but found nothing that worked perfectly.
The problem is that most of those patches need a hashbang in the .php files,
and all need an HTML header sent out by the PHP script. There are some
wrappers out there that deal with this problem, but those I found needed to be
installed for every vhost. This is not a good idea because the customer can
delete it.






PHP using suexec

2003-02-06 Thread Domainbox, Tim Abenath
Hello list,

Has anyone experience running PHP using suexec? All the docs say this
should not be used, to keep the performance of the server up,
but is this still true for a today's dual XEON machine? I need to feed about
1.5 million hits a day, around 30 hits request .php files.

[EMAIL PROTECTED]






Re: [Help] IDE Raid - Another Question,,,,

2002-08-13 Thread Domainbox, Tim Abenath
http://www.tldp.org/HOWTO/Software-RAID-0.4x-HOWTO.html

- Original Message - 
From: "Lem Bryant" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, August 13, 2002 4:44 PM
Subject: [Help] IDE Raid - Another Question

> I would like to implement a RAID 1 setup using software and the built in
> controllers for a system that I have just installed Woody on.