Re: I've been hacked by DevilSoul

2002-01-10 Thread Angus D Madden
On Fri, Jan 11, 2002 at 05:07:02AM +0100, martin f krafft wrote:
> you've been hacked -> backup -> re-mkfs -> reinstall -> re-config from
> backup very carefully (i.e. file by file) -> restore user data -> do
> some post-mortem with backup -> ensure security -> reopen server to
> public and users -> more post-mortem -> take more security measures.
> 
> standard procedure.
> 

agreed.  full disk format and reinstall from backup is the only secure
option.  unless you are running something like tripwire there is no way
to tell what the intruder did, and even then ...

g
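The tripwire point above, as an added example that is not from the thread: a minimal file-integrity baseline in POSIX shell (GNU coreutils sha256sum and stat assumed) that records a digest, mode and owner per file and later lists what was added, changed or removed. It only answers the question raised here if the baseline was taken before the intrusion and kept off the box; a compromised host cannot be trusted to verify itself, which is why the answer in the thread is still a reinstall.

```shell
#!/bin/sh
# make_baseline DIR OUTFILE: record every regular file under DIR as
# "path<TAB>sha256<TAB>mode uid", sorted so two baselines compare cleanly.
# Assumes GNU coreutils (sha256sum, stat -c).
make_baseline() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s\t%s\t%s\n' "$f" "$(sha256sum "$f" | cut -d' ' -f1)" \
            "$(stat -c '%a %u' "$f")"
    done ) > "$2"
}

# compare_baseline DIR BASELINE: take a fresh baseline of DIR and print one
# line per difference: "ADDED path", "CHANGED path" (digest, mode or owner
# differs) or "REMOVED path". Prints nothing while the tree still matches.
compare_baseline() {
    current=$(mktemp)
    make_baseline "$1" "$current"
    awk -F'\t' '
        FILENAME == ARGV[1] { old[$1] = $2 "\t" $3; next }  # stored baseline
        { new[$1] = $2 "\t" $3 }                           # current state
        END {
            for (p in old) {
                if (!(p in new))           print "REMOVED", p
                else if (old[p] != new[p]) print "CHANGED", p
            }
            for (p in new) if (!(p in old)) print "ADDED", p
        }
    ' "$2" "$current" | LC_ALL=C sort
    rm -f "$current"
}
```

Take the baseline right after a clean install, copy it off the host, and run the comparison from known-good media rather than from binaries on the suspect machine.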






Unidentified subject!

2002-01-10 Thread bastr

unsubscribe


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: I've been hacked by DevilSoul

2002-01-10 Thread Alvin Oga

hi alan

where are you ???

if in silicon valley...
you can be back online within 1hr or so...
( assuming you have data-only backed up prior to the hacker getting
( into your box..

if the [h/cr]acker didn't "rm -rf /" your machine..you're still online..
- maybe just sniffing your passwds ???
- maybe using it to hack other boxes ??

- you need to see what it's doing... and then prevent that from
  happening on your next install

- if you think they used a simple/ordinary rootkit... you can
  try some of the rootkit detectors

http://www.chkrootkit.org/

http://www.blackcode.com/scan 
( scans your machine - or used to scan for rootkits/trojans )

otherwise..
http://www.Linux-Sec.net/Tracking

have fun
alvin
http://www.Linux-Sec.net/


On Thu, 10 Jan 2002, Alan Aldrich wrote:

> 
> Not sure what all it did, but really played havoc with SSH and some other 
> networking components and is keeping my aventail authentication server from 
> honoring socks requests.
> Can someone help undo whatever it did or point me to a site that covers it? I 
> need to get this server back online quick
> Thanks
> alan
> 
> 



Re: I've been hacked by DevilSoul

2002-01-10 Thread martin f krafft
also sprach Alan Aldrich <[EMAIL PROTECTED]> [2002.01.11.0502 +0100]:
> Not sure what all it did, but really played havoc with SSH and some other
> networking components and is keeping my aventail authentication server from
> honoring socks requests.
> Can someone help undo whatever it did or point me to a site that covers it?

you've been hacked -> backup -> re-mkfs -> reinstall -> re-config from
backup very carefully (i.e. file by file) -> restore user data -> do
some post-mortem with backup -> ensure security -> reopen server to
public and users -> more post-mortem -> take more security measures.

standard procedure.

> I need to get this server back online quick

i can install a debian system in less than 10 minutes ;)
with FAI (thomas lange) supposedly in less than 3...

-- 
martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]
  
fashions have done more harm than revolutions.
-- victor hugo




I've been hacked by DevilSoul

2002-01-10 Thread Alan Aldrich



 
Not sure what all it did, but really played havoc with SSH and some other
networking components and is keeping my aventail authentication server from
honoring socks requests.
Can someone help undo whatever it did or point me to a site that covers it? I
need to get this server back online quick
Thanks
alan


Re: How to find process causing periodic DEST_UNREACH replies?

2002-01-10 Thread Balazs Javor
Hi,

It was one of the ntp servers.
Many thanks again for your help

best regards,
Balazs

On Thu, Jan 10, 2002 at 02:42:20AM +0100, martin f krafft wrote:
>also sprach Balazs Javor <[EMAIL PROTECTED]> [2002.01.09.2329 +0100]:
>> Anyway just in case I misinterpreted something...
>> I live in Switzerland, and I have a ZyXEL Prestige 642R DSL
>> router connected to the ADSL line, which performs some NAT and
>> firewalling. Then I connect my PCs through an ethernet switch to
>> the router.
>
>are you blocking ICMP packets anywhere? any type?
>are you blocking udp or port 123/udp anywhere?
>
>have you verified that the time server works?
>
>-- 
>martin;  (greetings from the heart of the sun.)
>  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]
>  
>no keyboard present.
>press f1 to continue.
>zen engineering.




Re: How can I change my domainname on my server

2002-01-10 Thread Federico Grau

On Thu, Jan 10, 2002 at 07:25:48AM +1000, Paul Haesler wrote:
> You'll want to edit /etc/resolv.conf too.
> 
> > On Thu, 10 Jan 2002 02:02:00 +1300 (NZDT)
> > Patrick Mackey <[EMAIL PROTECTED]> wrote:
> > > Edit '/etc/hostname' to reflect the change. Then run:
> > > 
> > > hostname -F /etc/hostname
> > > 
> > > That should do it.
> > 
> > You might also want to edit /etc/mailname

There is also your /etc/hosts file.  From my experience, in order for hostname
and dnsdomainname to work correctly (they use the underlying system call
GETHOSTNAME(2)), the file should have the following whitespace-delimited
syntax:

IP  MACHINE.FULLYQUALIFIEDDOMAINNAME MACHINE

This file usually has at least two entries, one for the loopback device
(127.0.0.1) and one for the ethernet device (we'll assume 192.168.20.30).  A
sample file might look like:

127.0.0.1   localhost.localdomain localhost 
192.168.20.30   [EMAIL PROTECTED] foo

good luck,
donfede
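The /etc/hosts layout above, as an added example that is not from the post: a small POSIX shell check that emulates how hostname -f and dnsdomainname derive the FQDN and domain from such a file, plus a validator for the IP FQDN SHORT layout. The FQDN foo.example.com is a constructed placeholder, since the post's own value was scrubbed by the archive.

```shell
#!/bin/sh
# Constructed sample in the IP FQDN SHORT layout described above. The FQDN is
# a placeholder (foo.example.com); the post's own value was scrubbed.
SAMPLE_HOSTS=$(mktemp)
trap 'rm -f "$SAMPLE_HOSTS"' EXIT
cat > "$SAMPLE_HOSTS" <<'EOF'
# comment lines and blank lines are ignored, as in the real file
127.0.0.1   localhost.localdomain localhost

192.168.20.30   foo.example.com foo
EOF

# fqdn_for HOSTSFILE NAME: emulate the resolver with "hosts: files": take the
# first line on which NAME appears as any name field and return that line's
# first name field, which is the canonical name (what hostname -f prints).
fqdn_for() {
    awk -v name="$2" '
        /^[[:space:]]*(#|$)/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == name) { print $2; exit } }
    ' "$1"
}

# domain_for HOSTSFILE NAME: what dnsdomainname reports, i.e. the canonical
# name after its first dot; empty if the canonical name has no dot, which is
# the symptom of the short name being listed before the FQDN.
domain_for() {
    fqdn=$(fqdn_for "$1" "$2")
    case "$fqdn" in
        *.*) printf '%s\n' "${fqdn#*.}" ;;
        *)   printf '\n' ;;
    esac
}

# check_hosts_line LINE: true when LINE follows IP FQDN SHORT, i.e. it has at
# least three fields, the second contains a dot and the third is the first
# label of the second. Catches the common mistake of writing the short name
# first, which leaves dnsdomainname empty.
check_hosts_line() {
    set -- $1
    [ $# -ge 3 ] || return 1
    case "$2" in *.*) ;; *) return 1 ;; esac
    [ "${2%%.*}" = "$3" ]
}
```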



Re: How can I change my domainname on my server

2002-01-10 Thread Paul Haesler
You'll want to edit /etc/resolv.conf too.

> On Thu, 10 Jan 2002 02:02:00 +1300 (NZDT)
> Patrick Mackey <[EMAIL PROTECTED]> wrote:
> > Edit '/etc/hostname' to reflect the change. Then run:
> > 
> > hostname -F /etc/hostname
> > 
> > That should do it.
> 
> You might also want to edit /etc/mailname
> 
> --
>  .--=-=-=-=--=---=-=-=.
> /David Barclay HarrisAut agere, aut mori.  \
> \Clan Barclay  Either action, or death./
>  `---==-=-=-=-===-=---=--='
> 


--
Paul Haesler[EMAIL PROTECTED]
ICQ: 124547085