Re: Socks & Squid?
Lou Poppler wrote:

> On Fri, 11 Jan 2002, Josh Frick wrote:
>
>> Is there any reason that Socks and Squid couldn't or shouldn't be run on
>> the same box? I'd appreciate anyone's advice. Thanks.
>
> Be very careful to configure both of these very restrictively.
> The newest favorite trick of pro spammers is to find promiscuous
> Socks proxies, Wingate proxies, and Squid or Cacheflow servers
> which allow untraceable relaying of spam via your machine.
> Untraceable to the actual spammer that is -- probably you will
> have some explaining to do to your own ISP as to why so many
> spam complaints are arriving which show your box as the source
> of the spam. The default configurations of Socks and Squid seem
> to allow any host to proxy through them.

Thank you. Are there any Debian packages that have settings or scripts for
settings you'd recommend?

FYI, I was planning on putting Socks/Squid behind one or two packet filters.
Not sure if this will make a difference, but I offer *no* services to the
outside world. (intentionally, that is :-) )
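Added configuration, not from this thread or from the Squid project, showing the open-relay shape Lou describes beside a restrictive squid.conf fragment in Squid 2.x syntax: listen on the inside interface only, admit only the inside network, and refuse CONNECT to anything but 443 so the cache cannot be used to reach port 25 on someone else's mail server. The addresses 192.168.1.1 and 192.168.1.0/24 are assumed values.

```conf
# Shape of the open-relay configuration the thread warns about: any client,
# any destination, CONNECT permitted everywhere (so port 25 is reachable).
#   acl all src 0.0.0.0/0.0.0.0
#   http_access allow all

# Restrictive replacement.  192.168.1.1 and 192.168.1.0/24 are assumed
# values for the inside interface and the inside network; use your own.
http_port 192.168.1.1:3128
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl localnet src 192.168.1.0/255.255.255.0
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT

# Order matters: the first matching http_access line decides.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow localnet
http_access deny all

# Do not answer ICP (cache peering) queries from strangers either.
icp_access deny all
```

The SOCKS daemon needs the equivalent client-address rule in its own configuration; a packet filter in front of the box blocks outside clients but does not change what the proxy will relay for the hosts it does accept.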
Re: [d-security] Re: /etc/passwd->shell
On Fri, Jan 11, 2002 at 10:00:32PM -0500, Hubert Chan wrote:
> So daemon, bin, sys, ftp, www-data, mail, mysql, etc. can probably be
> set to /bin/false. (Why does Debian not do this by default?)

Apart from the ftp users which (sometimes) need their ftp password to be
stored in /etc/shadow and thus would make it a valid login password too, I
can see no reason why not to give a user that has *no* password a shell.
Without a password in /etc/shadow or /etc/passwd he could not login, and if
someone cracks the server with i.e. a buffer overflow he does not depend on
the passwd entries but executes /bin/bash directly.

On the other hand, when executing "su -c daemonxy cronscriptxy" from your
crontab or similar then you need a valid shell because the shell relies on
it when executing child programs.

BTW: for ftp and pop3 users I could imagine /bin/passwd being a nice shell
because it would allow the users to change their password via ssh.

bye,
-christian-
Re: /etc/passwd->shell
> "Ivan" == "Ivan R" writes:

Ivan> hi all! i want a password file without hole.
Ivan> so i have now in /etc/passwd:
Ivan> root with /bin/bash
Ivan> daemon, bin and sys with /bin/sh
Ivan> sync with /bin/sync
Ivan> normal users with /bin/bash
Ivan> ftp users with /bin/noshell

Anything that is not a real user can have its shell set to /bin/false. In
fact, depending on how your system is set up, you could probably even set
root's shell to /bin/false. Just make sure that you have some way of doing
stuff as root (e.g. sudo), and that you don't kill single mode. (Never
tried this, but I don't see why you couldn't do this.)

So daemon, bin, sys, ftp, www-data, mail, mysql, etc. can probably be set
to /bin/false. (Why does Debian not do this by default?)

I don't know what the sync user is for, though, so I don't know if you can
set it to /bin/false. /bin/sync looks like it was put there for a reason.

-- 
Hubert Chan <[EMAIL PROTECTED]> - http://www.geocities.com/hubertchan/
PGP/GnuPG key: 1024D/71FDA37F
Fingerprint: 6CC5 822D 2E55 494C 81DD 6F2C 6518 54DF 71FD A37F
Key available at wwwkeys.pgp.net. Encrypted e-mail preferred.
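An added audit script, not code from any post in this thread, that checks an /etc/passwd and /etc/shadow pair for the combinations Christian and Hubert discuss: locked accounts that still carry a login shell (candidates for /bin/false), ftp-style accounts with a password but no shell, and accounts with an empty password. The sample files, the account names ftpjoe and guest, and the hash strings are constructed.

```python
"""Audit an /etc/passwd + /etc/shadow pair for the shell/password combinations
discussed in this thread.  Added example, not code from any of the posts."""

# Shells that refuse an interactive login.  /bin/noshell is the name used in
# the thread; the others are the usual Debian choices.
NOLOGIN_SHELLS = {"/bin/false", "/bin/noshell", "/sbin/nologin", "/usr/sbin/nologin"}
# Single-purpose "shells" that run one command and exit: sync's /bin/sync and
# the /bin/passwd idea floated for ftp/pop3 users.
COMMAND_SHELLS = {"/bin/sync", "/bin/passwd", "/usr/bin/passwd"}
SYSTEM_UID_MAX = 999  # Debian allocates uids below 1000 to system accounts


def parse_colon_file(text, nfields):
    """Parse a passwd/shadow-style file into {name: fields}, skipping blanks and comments."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError("malformed line: %r" % line)
        entries[fields[0]] = fields
    return entries


def password_state(hash_field):
    """Classify a password field: 'empty' (no password needed), 'locked' or 'usable'."""
    if hash_field == "":
        return "empty"
    if hash_field == "*" or hash_field.startswith("!"):
        return "locked"
    return "usable"


def audit(passwd_text, shadow_text):
    """Return {account: finding} for every entry that deserves a second look."""
    passwd = parse_colon_file(passwd_text, 7)
    shadow = parse_colon_file(shadow_text, 9)
    findings = {}
    for name, fields in passwd.items():
        pw, uid, shell = fields[1], int(fields[2]), fields[6]
        if pw == "x":
            # Hash lives in /etc/shadow; a missing shadow entry means nobody can log in.
            hash_field = shadow[name][1] if name in shadow else "!"
        else:
            hash_field = pw  # legacy layout: hash (or '*') kept in passwd itself
        state = password_state(hash_field)
        # An empty shell field means /bin/sh, so only the listed shells count as "no shell".
        login_shell = shell not in (NOLOGIN_SHELLS | COMMAND_SHELLS)
        if state == "empty":
            findings[name] = "EMPTY_PASSWORD: logs in without a password; lock it now"
        elif login_shell and state == "locked" and name != "root":
            # Christian's point: harmless for login, but /bin/false costs nothing unless a
            # cron job runs 'su -c' as this user, which does need a real shell.
            findings[name] = "LOCKED_WITH_SHELL: candidate for /bin/false (check cron su -c use)"
        elif login_shell and state == "usable" and uid <= SYSTEM_UID_MAX and name != "root":
            findings[name] = "SYSTEM_LOGIN: service account with both a password and a shell"
        elif not login_shell and state == "usable":
            # Christian's ftp case: a real password with no shell.  Expected for ftp/pop3-only
            # users, worth a look for anything else.
            findings[name] = "PASSWORD_NO_SHELL: ftp/pop3-style account, confirm it is intended"
    return findings


# Constructed sample files modelled on Ivan's layout; hashes are placeholders.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
man:x:6:12:man:/var/cache/man:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
mysql:x:100:101:MySQL Server:/var/lib/mysql:/bin/false
ftpjoe:x:1001:1001:FTP only:/home/ftpjoe:/bin/noshell
ivan:x:1000:1000:Ivan R.:/home/ivan:/bin/bash
guest:x:1002:1002:Guest:/home/guest:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$1$placeholder$notarealhash:11698:0:99999:7:::
daemon:*:11698:0:99999:7:::
sys:*:11698:0:99999:7:::
sync:*:11698:0:99999:7:::
man:*:11698:0:99999:7:::
www-data:*:11698:0:99999:7:::
mysql:!:11698:0:99999:7:::
ftpjoe:$1$placeholder$notarealhash:11698:0:99999:7:::
ivan:$1$placeholder$notarealhash:11698:0:99999:7:::
guest::11698:0:99999:7:::
"""

if __name__ == "__main__":
    # On a real box run as root with open("/etc/passwd").read() and open("/etc/shadow").read().
    for account, finding in sorted(audit(SAMPLE_PASSWD, SAMPLE_SHADOW).items()):
        print("%-9s %s" % (account, finding))
```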
Re: Socks & Squid?
On Fri, 11 Jan 2002, Josh Frick wrote:
> Is there any reason that Socks and Squid couldn't or shouldn't be run on
> the same box? I'd appreciate anyone's advice. Thanks.

Be very careful to configure both of these very restrictively.
The newest favorite trick of pro spammers is to find promiscuous
Socks proxies, Wingate proxies, and Squid or Cacheflow servers
which allow untraceable relaying of spam via your machine.
Untraceable to the actual spammer that is -- probably you will
have some explaining to do to your own ISP as to why so many
spam complaints are arriving which show your box as the source
of the spam. The default configurations of Socks and Squid seem
to allow any host to proxy through them.
Re: I've been hacked by DevilSoul
On Sat, 12 Jan 2002, Richard wrote:
> On Fri, Jan 11, 2002 at 10:25:03PM +0100, martin f krafft wrote:
> > i doubt that a kernel module can override the linux kernel filesystem
> > abstraction layer. but i guess it could be possible.
>
> > Oh, it certainly can! knark is a perfect example of a kernel module to
> > do just this. (knark is Swedish for "drugged".) It allows files,
> > processes, network connections, and network interface promiscuity to be
> > *completely* hidden. It allows the cracker to override what actual
> > binary file gets run when a user tries to run some other (possibly
> > hidden) executable.
>
> Here kstat might be of interest, it's getting its information directly
> from the kernel structures. (reading /dev/kmem, and using a dummy module)

Looking at all the nice things one can do with a modern (and surprisingly
easy to make) rootkit, I'm really thinking about just avoiding modular
kernels at any cost. I once had a redhat box hacked (old lpr exploit [from
within the 'trusted' network]). Think it was adore I found (along with some
sniffers). I already avoid modules on most places (gateway, webservers,
...). Usually the pros of modules outweigh the cons, but nowadays, with
memory that cheap, I don't think it's worth the trouble any longer.

Still, knark is nice work ;-) Solves the whole AIDE-problem a hacker has on
most systems these days... As the document states, one of the only
possibilities in detecting knark is using the utils and try to get root
yourself, or unhide/hide files. Adore already had a solution for that:
those things mostly work by sending a signal to the process, and adore used
an offset, so the 'standard' detection tools couldn't detect it anymore.
Without the correct offset, nobody but those who installed the rootkit
could use it (easily).

The problem is that with code like that lying around (don't get me wrong, I
think it's *good* that people create things like that - without challenge,
there's no need for improvement, and it stimulates creativity - but what
worries me is that it lowers the threshold). You don't have to know that
much about linux kernel internals to adapt the knark code to use different
signals/ports. As soon as people start to do that, most rootkit-detection
software fails... And as said in this thread before, one can hide for a
very long time in a (standard) linux system...

Dries
/etc/passwd->shell
hi all!

i want a password file without hole. so i have now in /etc/passwd:

root with /bin/bash
daemon, bin and sys with /bin/sh
sync with /bin/sync
normal users with /bin/bash
ftp users with /bin/noshell

here i think that's good but i have some questions:

what about replacing /bin/sh for man by /bin/false? i tried and to see man
pages that's ok. is there a reason to let /bin/sh?

why do mail and www-data have /bin/sh and not mysql (/bin/false)? why no
shell for mysqld and shell for the others?

what should i do here?

thanks in advance for all ;D

- Ivan R.
sysadmin
Socks & Squid?
Is there any reason that Socks and Squid couldn't or shouldn't be run on the same box? I'd appreciate anyone's advice. Thanks. Sincerely, Josh Frick
RE: Hacked too?
Sorry but could someone please summarize what the "Hacked too?" thread is
about? Just got back into town and not making sense of the thread that I
read in the archives.

Thankx
Re: Hacked too?
Hi Ed,

On Fri, Jan 11, 2002 at 05:46:58PM -0500, Ed Street wrote:
> > > > I have run chkrootkit and get
>
> Anyone have a d/l site for the deb package of this?

apt-get install chkrootkit

Uwe.
-- 
Uwe Hermann [EMAIL PROTECTED] [EMAIL PROTECTED] | Unmaintained Free Software:
http://www.hermann-uwe.de | http://www.unmaintained-free-software.org
Re: Hacked too?
> Sorry but could someone please summarize what the "Hacked too?" thread is
> about?

someone used a script, which should detect rootkits and it said it found
one, although there is probably none. it seems just to check whether a
certain port is open. just ignore the thread ;)

bye
Ralf
RE: Hacked too?
Thanks Stephen,

I have run the "netstat -anp". The result is:

" 0.0.0.0:31337 0.0.0.0:* 1687/fakebo"

Really I have installed "fakebo". It is useful. Very often somebody tries
to find backdoors on my PC. It helps me to discover them.

Billy
RE: Hacked too?
(2002-01-12) Igor Balusov sed :
| What does this mean:
| "If you're running PortSentry/klaxon or another program that binds itself to
| unused ports probably chkrootkit will give you a false positive on the
| bindshell test (ports .. 31336/tcp, 31337/tcp ...)."?
| It is from http://www.chkrootkit.org/
| Is my PC really hacked or not? How can I determine it?
| When I run "netstat -an" I get
| "udp 0 0 0.0.0.0:31337 0.0.0.0:*"
| How can I stop this?
| Billy

fuser -n udp 31337

will give you the PID of the process listening on port 31337. Then with ps
you will be able to discover the process hiding behind. Otherwise, lsof is
your friend too :)

-- 
VALLIET Emmanuel
Webmotion Inc. (-> http://www.webmotion.com <-)
Bored? Drive the speed limit... in your garage.
RE: Hacked too?
On Fri, 2002-01-11 at 17:49, Igor Balusov wrote:
> What does this mean:
> "If you're running PortSentry/klaxon or another program that binds itself to
> unused ports probably chkrootkit will give you a false positive on the
> bindshell test (ports .. 31336/tcp, 31337/tcp ...)."?
> It is from http://www.chkrootkit.org/
> Is my PC really hacked or not? How can I determine it?
> When I run "netstat -an" I get
> "udp 0 0 0.0.0.0:31337 0.0.0.0:*"
> How can I stop this?
> Billy

Try "netstat -anp" to find out which program is listening on that port.

You should also check to see whether you have portsentry installed or
anything like it. ("dpkg -s portsentry" if you installed it via Debian; I
don't know what others might be installed or where to look if you installed
them from source instead.)
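An added triage helper, not code from this thread or from chkrootkit, that applies Stephen's and Emmanuel's advice to saved "netstat -anp" output: it maps the bindshell ports quoted from chkrootkit (31336, 31337) to the owning program and separates a known decoy such as fakebo or portsentry from an unowned or unrecognised listener. The netstat sample and the program name unknownsvc are constructed.

```python
"""Triage 'netstat -anp' output against the bindshell ports chkrootkit checks.
Added example; not code from the thread or from chkrootkit."""
import re
import sys

# Ports quoted from the chkrootkit note in the thread (the tool's own list is longer).
BINDSHELL_PORTS = {31336, 31337}
# Programs that bind such ports on purpose to catch scanners, as named in the thread.
DECOY_PROGRAMS = {"fakebo", "portsentry", "klaxon"}

# One netstat -anp line: proto, queues, local addr:port, foreign addr, optional
# state (udp lines have none), then "PID/program" or "-" when not visible.
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+\S+\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?"
    r"(?P<owner>-|\d+/\S+)\s*$"
)


def parse_netstat(text):
    """Yield one dict per listening socket: tcp in LISTEN state, or any udp binding."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header lines and anything else we do not recognise
        proto = m.group("proto")
        if proto.startswith("tcp") and m.group("state") != "LISTEN":
            continue
        pid, prog = None, None
        if m.group("owner") != "-":
            pid_str, prog = m.group("owner").split("/", 1)
            pid = int(pid_str)
        yield {"proto": proto, "addr": m.group("laddr"),
               "port": int(m.group("lport")), "pid": pid, "prog": prog}


def triage(text):
    """Return {'proto/port': verdict} for every listener on a bindshell port."""
    verdicts = {}
    for sock in parse_netstat(text):
        if sock["port"] not in BINDSHELL_PORTS:
            continue
        key = "%s/%d" % (sock["proto"], sock["port"])
        if sock["prog"] is None:
            # netstat only shows owners of your own processes unless run as root.
            verdicts[key] = ("UNKNOWN_OWNER: no PID shown, rerun as root or try "
                             "'fuser -n %s %d'" % (sock["proto"][:3], sock["port"]))
        elif sock["prog"] in DECOY_PROGRAMS:
            verdicts[key] = "DECOY: %s (pid %d) explains the chkrootkit hit" % (
                sock["prog"], sock["pid"])
        else:
            verdicts[key] = "INVESTIGATE: %s (pid %d) listening on a bindshell port" % (
                sock["prog"], sock["pid"])
    return verdicts


# Constructed sample output; 1687/fakebo mirrors Billy's result, unknownsvc is made up.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      412/sshd
tcp        0      0 127.0.0.1:3128          0.0.0.0:*               LISTEN      550/squid
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN      1687/fakebo
tcp        0      0 0.0.0.0:31336           0.0.0.0:*               LISTEN      777/unknownsvc
tcp        0      0 10.0.0.5:22             10.0.0.9:40122          ESTABLISHED 2001/sshd
udp        0      0 0.0.0.0:31337           0.0.0.0:*                           1687/fakebo
udp        0      0 0.0.0.0:31336           0.0.0.0:*                           -
"""

if __name__ == "__main__":
    # Usage: netstat -anp > listeners.txt; python3 triage.py listeners.txt
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NETSTAT
    for key, verdict in sorted(triage(data).items()):
        print(key, verdict)
```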
Re: I've been hacked by DevilSoul
On Fri, 11 Jan 2002, Noah L. Meyerhans wrote:
> On Fri, Jan 11, 2002 at 10:25:03PM +0100, martin f krafft wrote:
> > i doubt that a kernel module can override the linux kernel filesystem
> > abstraction layer. but i guess it could be possible.
>
> Oh, it certainly can! knark is a perfect example of a kernel module to
> do just this. (knark is Swedish for "drugged".) It allows files,
> processes, network connections, and network interface promiscuity to be
> *completely* hidden. It allows the cracker to override what actual
> binary file gets run when a user tries to run some other (possibly
> hidden) executable.

Here kstat might be of interest, it's getting its information directly
from the kernel structures. (reading /dev/kmem, and using a dummy module)

[RicV]
RE: Hacked too?
What does this mean:

"If you're running PortSentry/klaxon or another program that binds itself to
unused ports probably chkrootkit will give you a false positive on the
bindshell test (ports .. 31336/tcp, 31337/tcp ...)."?

It is from http://www.chkrootkit.org/

Is my PC really hacked or not? How can I determine it?

When I run "netstat -an" I get

"udp 0 0 0.0.0.0:31337 0.0.0.0:*"

How can I stop this?

Billy
RE: Hacked too?
> > > I have run chkrootkit and get

Anyone have a d/l site for the deb package of this?

Ed
RE: Hacked too?
still, I think that one of the first things you should do with your hacked
systems is unplug the network cable. the majority of hacks these days are
for stepping stones, they don't necessarily care about the data on your PC,
but will have other PCs from your. I don't think you really want the FBI
knocking on your door after they find out that your home PC has been
banging on their network .. :P

> -Original Message-
> From: martin f krafft [mailto:[EMAIL PROTECTED]]
> Sent: January 11, 2002 2:34 PM
> To: debian-security@lists.debian.org
> Subject: Re: Hacked too?
>
> also sprach Igor Balusov <[EMAIL PROTECTED]> [2002.01.11.2316 +0100]:
> > I have run chkrootkit and get
> > "Checking `bindshell'... INFECTED (PORTS: 31337)"
> > What do I need to do?
>
> reinstall. no, really! unless this is a non-productive system, in which
> case you are free to try to remove it. but once you have a cracked
> system, you can't take anything for granted, you can't even trust your
> keyboard anymore. and everytime you use SSH or telnet or whatever, your
> password is probably going straight to the hacker. so all the systems
> you SSH into are possibly also hacked. let's hope you don't root-login
> remotely anywhere!
>
> --
> martin; (greetings from the heart of the sun.)
> \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]
>
> f u cn rd ths, u cn gt a nce jb in th prgrmng indstry
Re: Hacked too?
also sprach Igor Balusov <[EMAIL PROTECTED]> [2002.01.11.2316 +0100]:
> I have run chkrootkit and get
> "Checking `bindshell'... INFECTED (PORTS: 31337)"
> What do I need to do?

reinstall. no, really! unless this is a non-productive system, in which
case you are free to try to remove it. but once you have a cracked system,
you can't take anything for granted, you can't even trust your keyboard
anymore. and everytime you use SSH or telnet or whatever, your password is
probably going straight to the hacker. so all the systems you SSH into are
possibly also hacked. let's hope you don't root-login remotely anywhere!

-- 
martin; (greetings from the heart of the sun.)
\ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]

f u cn rd ths, u cn gt a nce jb in th prgrmng indstry
Hacked too?
I have run chkrootkit and get

"Checking `bindshell'... INFECTED (PORTS: 31337)"

What do I need to do?

Billy
Re: I've been hacked by DevilSoul
also sprach Noah L. Meyerhans <[EMAIL PROTECTED]> [2002.01.11.2240 +0100]:
> Oh, it certainly can! knark is a perfect example of a kernel module to
> do just this. (knark is Swedish for "drugged".) It allows files,
> processes, network connections, and network interface promiscuity to be
> *completely* hidden. It allows the cracker to override what actual
> binary file gets run when a user tries to run some other (possibly
> hidden) executable.

wow. a link please?

http://www.sans.org/newlook/resources/IDFAQ/knark.htm ?

-- 
martin; (greetings from the heart of the sun.)
\ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]

the remote desktop feature of windows xp is really nice (and *novel*!).
as a micro$oft consultant can *remotely* disable the personal firewall
and control the system. we'll ignore the fact that this tampering with
the firewall is not logged, and more importantly, that the firewall
isn't restored when the clowns from redmod are done with their job.
Re: I've been hacked by DevilSoul
On Fri, Jan 11, 2002 at 10:25:03PM +0100, martin f krafft wrote:
> i doubt that a kernel module can override the linux kernel filesystem
> abstraction layer. but i guess it could be possible.

Oh, it certainly can! knark is a perfect example of a kernel module to do
just this. (knark is Swedish for "drugged".) It allows files, processes,
network connections, and network interface promiscuity to be *completely*
hidden. It allows the cracker to override what actual binary file gets run
when a user tries to run some other (possibly hidden) executable.

It works amazingly well, and it is scary. It's been around for quite a
while now (couple of years, I guess), but hasn't shown up in rootkits much
yet.

noah

-- 
___ | Web: http://web.morgul.net/~frodo/ | PGP Public Key: http://web.morgul.net/~frodo/mail.html
Re: I've been hacked by DevilSoul
On Fri, Jan 11, 2002 at 05:04:53PM +, Ricardo B wrote:
> He can be loaded as a kernel module and then hide all traces of its
> presence in the system, by overriding the proper system calls and
> /proc info. Isn't there a way to turn module loading off (a way that
> can't be changed back - without rebooting) ?

Yes, but it won't help you much. I've read some very interesting articles
recently about writing directly to /dev/kmem. That allows you to do some
fun kernel level stuff without any module support needed at all.

This kernel level stuff makes traditional host based intrusion detection
really difficult. LIDS helps, but I don't think it's the final solution.
Network intrusion detection helps, but it's really difficult to fine-tune
something like SNORT to only give you interesting information, especially
if you're in a really large network.

In these days of kernel-level compromises, a lot of network intruders are
only detected when they do something stupid like portscan a box from one of
their cracked machines. If they lie low and are smart about covering their
tracks, they're likely to go unnoticed for a very long time.

noah

-- 
___ | Web: http://web.morgul.net/~frodo/ | PGP Public Key: http://web.morgul.net/~frodo/mail.html
Re: I've been hacked by DevilSoul
also sprach Ricardo B <[EMAIL PROTECTED]> [2002.01.11.1804 +0100]:
> There is no need for a rootkit to reboot the machine in order to hide
> himself. He can be loaded as a kernel module and then hide all traces of
> its presence in the system, by overriding the proper system calls and
> /proc info. Isn't there a way to turn module loading off (a way that
> can't be changed back - without rebooting) ?

i doubt that a kernel module can override the linux kernel filesystem
abstraction layer. but i guess it could be possible.

> Boot the machine with a secure (as in external) kernel and root file
> system. Only then use tripwire to see if anything has changed.
> Hmm... can we trust the BIOS? :-)

how can you overwrite the bios from linux? and: how much does linux care
about the bios? we're dealing with harddrives, and i have *no* harddrives
configured in any bios, i let the kernel take care of it all.

-- 
martin; (greetings from the heart of the sun.)
\ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]

si vis pacem, para bellum
Re: Hacked too?
> Sorry but could someone please summerize what the "Hacked too?" thread is > about? someone used a script, which should detect rootkits and it said it found one, although there is probably none. it seems just to check whether a certain port is open. just ignore the thread ;) bye Ralf -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
RE: Hacked too?
Thanks Stephen, I have run the "netstat -anp" The result is: " 0.0.0.0:31337 0.0.0.0:*1687/fakebo" Really I have installed "fakebo". It is usefull. Very often anybody try to find on my PC backdoors. It help me to discover theirs. Billy òÅËÌÁÍÁ: íÏÓËÏ×ÓËÁÑ ëÁÌÅÎÄÁÒÎÁÑ æÁÂÒÉËÁ - Ë×ÁÒÔÁÌØÎÙÅ ËÁÌÅÎÄÁÒÉ ÐÏ ÓÁÍÙÍ ÎÉÚËÉÍ ÃÅÎÁÍ. ôÅÌÅÆÏÎ: (8095)254-88-55 http://www.kalendar.r2.ru/ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
RE: Hacked too?
Sorry but could someone please summerize what the "Hacked too?" thread is about? just got back into town and not making sense of the thread that i read in the archives Thankx -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
RE: Hacked too?
(2002-01-12) Igor Balusov sed : | What is mean: | "If you're running PortSentry/klaxon or another program that binds itself to | unused ports probably chkrootkit will give you a false positive on the | bindshell test (ports .. 31336/tcp, 31337/tcp ...)."? | It is from http://www.chkrootkit.org/ | My PC is really hacked or no? How I can determine it? | When I run "netstat -an" I get | "udp0 0 0.0.0.0:31337 0.0.0.0:*" | How I can stop this? | Billy fuser -n udp 31337 will give you the PID of the process lsitening on the port 31337. The with ps you will be able to discover the process hiding behind. Otherwise, lsof is too your friend :) -- VALLIET Emmanuel Webmotion Inc. (-> http://www.webmotion.com <-) Bored? Drive the speed limit... in your garage. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
RE: Hacked too?
On Fri, 2002-01-11 at 17:49, Igor Balusov wrote: > What is mean: > "If you're running PortSentry/klaxon or another program that binds itself to > unused ports probably chkrootkit will give you a false positive on the > bindshell test (ports .. 31336/tcp, 31337/tcp ...)."? > It is from http://www.chkrootkit.org/ > My PC is really hacked or no? How I can determine it? > When I run "netstat -an" I get > "udp0 0 0.0.0.0:31337 0.0.0.0:*" > How I can stop this? > Billy Try "netstat -anp" to find out which program is listening on that port. You should also check to see whether you have portsentry installed or anything like it. ("dpkg -s portsentry" if you installed it via Debian; I don't know what others might be installed or where to look if you installed them from source instead.) -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: I've been hacked by DevilSoul
On Fri, 11 Jan 2002, Noah L. Meyerhans wrote: > On Fri, Jan 11, 2002 at 10:25:03PM +0100, martin f krafft wrote: > > > > i doubt that a kernel module can override the linux kernel filesystem > > abstraction layer. but i guess it could be possible. > > > > Oh, it certainly can! knark is a perfect example of a kernel module to > do just this. (knark is Swedish for "drugged".) It allows files, > processes, network connections, and network interface promiscuity to be > *completely* hidden. It allows the cracker to override what actual > binary file gets run when a user tries to run some other (possibly > hidden) executable. Here kstat might be of intrest, it's getting it's information directly from the kernel structures. (reading /dev/kmen, and using a dummy module) [RicV] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
RE: Hacked too?
What is mean: "If you're running PortSentry/klaxon or another program that binds itself to unused ports probably chkrootkit will give you a false positive on the bindshell test (ports .. 31336/tcp, 31337/tcp ...)."? It is from http://www.chkrootkit.org/ My PC is really hacked or no? How I can determine it? When I run "netstat -an" I get "udp0 0 0.0.0.0:31337 0.0.0.0:*" How I can stop this? Billy òÅËÌÁÍÁ: íÏÓËÏ×ÓËÁÑ ëÁÌÅÎÄÁÒÎÁÑ æÁÂÒÉËÁ - Ë×ÁÒÔÁÌØÎÙÅ ËÁÌÅÎÄÁÒÉ ÐÏ ÓÁÍÙÍ ÎÉÚËÉÍ ÃÅÎÁÍ. ôÅÌÅÆÏÎ: (8095)254-88-55 http://www.kalendar.r2.ru/ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
RE: Hacked too?
> > > I have run chkrootkit and get Anyone have a d/l site for the deb package of this? Ed -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
RE: Hacked too?
still, I think that one of the first things you should do with your hacked systems is unplug the network cable. the majority of hacks these days are for stepping stones, they don't necessarily care about the data on your PC, but will hack other PCs from yours. I don't think you really want the FBI knocking on your door after they find out that your home PC has been banging on their network .. :P

> -Original Message-
> From: martin f krafft [mailto:[EMAIL PROTECTED]]
> Sent: January 11, 2002 2:34 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Hacked too?
>
> also sprach Igor Balusov <[EMAIL PROTECTED]> [2002.01.11.2316 +0100]:
> > I have run chkrootkit and get
> > "Checking `bindshell'... INFECTED (PORTS: 31337)"
> > What do I need to do?
>
> reinstall. no, really! unless this is a non-productive system, in which
> case you are free to try to remove it. but once you have a cracked
> system, you can't take anything for granted, you can't even trust your
> keyboard anymore. and every time you use SSH or telnet or whatever, your
> password is probably going straight to the hacker. so all the systems
> you SSH into are possibly also hacked. let's hope you don't root-login
> remotely anywhere!
>
> --
> martin; (greetings from the heart of the sun.)
> \ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
>
> f u cn rd ths, u cn gt a nce jb in th prgrmng indstry
Re: Hacked too?
also sprach Igor Balusov <[EMAIL PROTECTED]> [2002.01.11.2316 +0100]:
> I have run chkrootkit and get
> "Checking `bindshell'... INFECTED (PORTS: 31337)"
> What do I need to do?

reinstall. no, really! unless this is a non-productive system, in which case you are free to try to remove it. but once you have a cracked system, you can't take anything for granted, you can't even trust your keyboard anymore. and every time you use SSH or telnet or whatever, your password is probably going straight to the hacker. so all the systems you SSH into are possibly also hacked. let's hope you don't root-login remotely anywhere!

--
martin; (greetings from the heart of the sun.)
\ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck

f u cn rd ths, u cn gt a nce jb in th prgrmng indstry
Re: I've been hacked by DevilSoul
On Fri, 11 Jan 2002, Ricardo B wrote:
> Isn't there a way to turn module loading off (a way that can't be changed
> back - without rebooting) ?

None that cannot be undone if you're root in a non-ACL kernel. It gets hard if the kernel has no module support at all, but not impossible.

--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh
Hacked too?
I have run chkrootkit and get
"Checking `bindshell'... INFECTED (PORTS: 31337)"
What do I need to do?

Billy
Re: I've been hacked by DevilSoul
also sprach Noah L. Meyerhans <[EMAIL PROTECTED]> [2002.01.11.2240 +0100]:
> Oh, it certainly can! knark is a perfect example of a kernel module to
> do just this. (knark is Swedish for "drugged".) It allows files,
> processes, network connections, and network interface promiscuity to be
> *completely* hidden. It allows the cracker to override what actual
> binary file gets run when a user tries to run some other (possibly
> hidden) executable.

wow. a link please? http://www.sans.org/newlook/resources/IDFAQ/knark.htm ?

--
martin; (greetings from the heart of the sun.)
\ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck

the remote desktop feature of windows xp is really nice (and *novel*!). a micro$oft consultant can *remotely* disable the personal firewall and control the system. we'll ignore the fact that this tampering with the firewall is not logged, and more importantly, that the firewall isn't restored when the clowns from redmond are done with their job.
Re: I've been hacked by DevilSoul
On Fri, Jan 11, 2002 at 10:25:03PM +0100, martin f krafft wrote:
>
> i doubt that a kernel module can override the linux kernel filesystem
> abstraction layer. but i guess it could be possible.
>

Oh, it certainly can! knark is a perfect example of a kernel module to do just this. (knark is Swedish for "drugged".) It allows files, processes, network connections, and network interface promiscuity to be *completely* hidden. It allows the cracker to override what actual binary file gets run when a user tries to run some other (possibly hidden) executable.

It works amazingly well, and it is scary. It's been around for quite a while now (couple of years, I guess), but hasn't shown up in rootkits much yet.

noah

--
___ | Web: http://web.morgul.net/~frodo/
    | PGP Public Key: http://web.morgul.net/~frodo/mail.html
Re: I've been hacked by DevilSoul
On Fri, Jan 11, 2002 at 05:04:53PM +0000, Ricardo B wrote:
> He can be loaded as a kernel module and then hide all traces of its
> presence in the system, by overriding the proper system calls and
> /proc info. Isn't there a way to turn module loading off (a way that
> can't be changed back - without rebooting) ?

Yes, but it won't help you much. I've read some very interesting articles recently about writing directly to /dev/kmem. That allows you to do some fun kernel level stuff without any module support needed at all.

This kernel level stuff makes traditional host based intrusion detection really difficult. LIDS helps, but I don't think it's the final solution. Network intrusion detection helps, but it's really difficult to fine-tune something like SNORT to only give you interesting information, especially if you're in a really large network. In these days of kernel-level compromises, a lot of network intruders are only detected when they do something stupid like portscan a box from one of their cracked machines. If they lie low and are smart about covering their tracks, they're likely to go unnoticed for a very long time.

noah

--
___ | Web: http://web.morgul.net/~frodo/
    | PGP Public Key: http://web.morgul.net/~frodo/mail.html
Re: I've been hacked by DevilSoul
also sprach Ricardo B <[EMAIL PROTECTED]> [2002.01.11.1804 +0100]:
> There is no need for a rootkit to reboot the machine in order to hide himself.
> He can be loaded as a kernel module and then hide all traces of its presence in
> the system, by overriding the proper system calls and /proc info.
> Isn't there a way to turn module loading off (a way that can't be changed back
> - without rebooting) ?

i doubt that a kernel module can override the linux kernel filesystem abstraction layer. but i guess it could be possible.

> Boot the machine with a secure (as in external) kernel and root file system.
> Only then use tripwire to see if anything has changed.
> Hmm... can we trust the BIOS? :-)

how can you overwrite the bios from linux? and: how much does linux care about the bios? we're dealing with harddrives, and i have *no* harddrives configured in any bios, i let the kernel take care of it all.

--
martin; (greetings from the heart of the sun.)
\ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck

si vis pacem, para bellum
Re: I've been hacked by DevilSoul
"Jacques Lav!gnotte" wrote:
> On Thu, Jan 10, 2002 at 08:31:00PM -0800, Alvin Oga wrote:
>
> A RootKit was installed, only the sniffer was used...
> Any idea of what the «default files and dirs» are ?

Please see http://www.sans.org/y2k/t0rn.htm

Greetz
Christoph

--
 .-.    Ruhr-Universitaet Bochum
 /v\    L I N U X           Lehrstuhl fuer Biophysik
// \\   >Penguin Computing<  c/o Christoph Wegener
/( )\   Gebaeude ND 04/Nord
^^-^^   D-44780 Bochum, GERMANY
Tel: +49 (234) 32-25754   Fax: +49 (234) 32-14626
mailto:[EMAIL PROTECTED]   http://www.bph.ruhr-uni-bochum.de
Re: I've been hacked by DevilSoul
On Thu, Jan 10, 2002 at 08:31:00PM -0800, Alvin Oga wrote:
> - if you think they used a simple/ordinary rootkits... you can
> try some of the rootkit detectors
>
> http://www.chkrootkit.org/

Great tool

Got :
Searching for t0rn's default files and dirs... Possible t0rn rootkit installed
Searching for t0rn's v8 defaults... nothing found

ALL The rest of the log is clean

A RootKit was installed, only the sniffer was used...
Any idea of what the «default files and dirs» are ?

Tks,
Jacques

--
0CBE 3F8A 5A77 A35C 27C7 2D42 3EC5 806B 9178 088D
Re: I've been hacked by DevilSoul - confusion
hi patrice

yup .. silicon valley has nothing to do with getting back online but was intended ... that i could go over and help figure out what happened to the box... before the reinstall ... but never mind... sacramento is not too far away either.. on the way up to go skiing on a fri-weekend..

- am assuming the server is back online by now and you know how the hacker got in...

c ya
alvin

On 11 Jan 2002, Patrice Neff wrote:
> [EMAIL PROTECTED] writes:
>
> > if in silicon valley...
> > you can be back online within 1hr or so...
>
> What does the Silicon Valley have to do with the time to get back
> online?
>
> > - maybe just sniffing your passwds ???
> > - maybe using it to hack other boxes ??
>
> Oh if it's not more... ;-)
>
> > - you need to see what its doing... and then prevent that from
> > happening on your next install
>
> This can be quite difficult. If you really want to do this you should
> certainly take the box offline during this time.
>
Re: I've been hacked by DevilSoul
On Fri, Jan 11, 2002 at 03:43:11PM +0100, Preben Randhol wrote:
> > agreed. full disk format and reinstall from backup is the only secure
>   ^
>
> This is not safe at all if you mean reinstall programs too. You should
> reinstall programs from the net/CD distro and update all programs that
> have security fixes.
>
> You should only install user files and not configuration files without
> checking.
>

Yes. Sorry if I didn't make that clear. I just wanted to emphasize that there was no secure way to avoid a full disk wipe.

g
Re: I've been hacked by DevilSoul
also sprach Preben Randhol <[EMAIL PROTECTED]> [2002.01.11.1543 +0100]:
> This is not safe at all if you mean reinstall programs too. You should
> reinstall programs from the net/CD distro and update all programs that
> have security fixes.

yeah sorry, i meant that actually. reinstall debian from .deb and then recover all other files from backup, one by one.

> You should only install user files and not configuration files without
> checking.

yes. however, do check for setuid proggies in the user dirs...

--
martin; (greetings from the heart of the sun.)
\ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]

echo '[dO%O+38%O+PO/d0<0]Fi22os0CC4BA64E418CE7l0xAP'|dc
Re: I've been hacked by DevilSoul
also sprach Angus D Madden <[EMAIL PROTECTED]> [2002.01.11.0649 +0100]:
> agreed. full disk format and reinstall from backup is the only secure
> option. unless you are running something like tripwire there is no way
> to tell what the intruder did, and even then ...

... if, only if, you have the tripwire binary and database securely stored away on read-only media, and it's current. then you can use it to verify that no files have changed, and no rootkit was installed. however, i did post-mortem analyze a machine once where the actual kernel had been modified so as to mess with file reads in such a way that the installed root kit wasn't even detected by tripwire! so be careful.

has the machine been up since the break-in? was it restarted then?

--
martin; (greetings from the heart of the sun.)
\ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]

"in the stage of grand illusion you walked into my life out of my dreams." -- david bowie
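The two conditions in the reply above (baseline kept current on read-only media, and the reads done by a trusted kernel booted from external media so a tampered kernel cannot lie about file contents) plus the earlier "check for setuid proggies in the user dirs" fit in one small script. This is an added example, not tripwire and not code from the thread; it assumes GNU coreutils (sha256sum, find) and builds its own constructed sample tree for the self-check.

```shell
#!/bin/sh
# Added example, not from the thread: tripwire-style integrity check.
# Intended use, following the advice in the post above:
#   1. on a known-clean system:  make_baseline / > /media/cdrom/baseline.txt
#      and keep baseline.txt plus this script on read-only media;
#   2. after a suspected break-in, boot a trusted kernel from external media,
#      mount the suspect root read-only (say on /mnt/suspect) and run
#      verify_baseline /mnt/suspect /media/cdrom/baseline.txt
# Because the trusted kernel does the reads, a modified kernel on the
# suspect disk cannot hide changes the way the post describes.
# Assumes GNU coreutils (sha256sum, find); paths containing newlines are
# not handled.

# Emit "sha256  ./relative/path" for every regular file below $1.
make_baseline() {
    (cd "$1" && find . -type f -exec sha256sum {} +)
}

# Compare the tree mounted at $1 against baseline file $2 and print
# MODIFIED / MISSING / NEW lines, sorted. Empty output means no change.
# sha256sum lines are "<64 hex>  <path>", so the path starts at column 67.
verify_baseline() {
    make_baseline "$1" | awk -v base="$2" '
        BEGIN {
            while ((getline line < base) > 0)
                want[substr(line, 67)] = substr(line, 1, 64)
            close(base)
        }
        {
            h = substr($0, 1, 64); p = substr($0, 67)
            if (!(p in want))       print "NEW " p
            else if (want[p] != h)  print "MODIFIED " p
            seen[p] = 1
        }
        END { for (p in want) if (!(p in seen)) print "MISSING " p }
    ' | sort
}

# Setuid/setgid regular files below $1; restored user directories should
# normally contain none.
setuid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# Self-check on a constructed tree standing in for the mounted suspect root.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/root/bin" "$work/root/home/user"
    printf 'original ls\n' > "$work/root/bin/ls"
    printf 'notes\n'       > "$work/root/home/user/notes"
    make_baseline "$work/root" > "$work/baseline.txt"   # the "CD" copy
    # constructed picture of the disk after a rootkit install
    printf 'trojaned ls\n' > "$work/root/bin/ls"
    printf 'x\n'           > "$work/root/bin/.hidden"
    chmod u+s "$work/root/bin/.hidden"
    rm "$work/root/home/user/notes"
    echo "integrity:"; verify_baseline "$work/root" "$work/baseline.txt"
    echo "setuid:";    setuid_files "$work/root/bin"
    rm -rf "$work"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Source the file to get the functions, or run "sh script.sh demo" to see the three verdict types on the constructed tree.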
Re: I've been hacked by DevilSoul
Angus D Madden <[EMAIL PROTECTED]> wrote on 11/01/2002 (11:53) :
> On Fri, Jan 11, 2002 at 05:07:02AM +0100, martin f krafft wrote:
> > you've been hacked -> backup -> re-mkfs -> reinstall -> re-config from
> > backup very carefully (i.e. file by file) -> restore user data -> do
> > some post-mortem with backup -> ensure security -> reopen server to
> > public and users -> more post-mortem -> take more security measures.
> >
> > standard procedure.
> >
>
> agreed. full disk format and reinstall from backup is the only secure
  ^

This is not safe at all if you mean reinstall programs too. You should reinstall programs from the net/CD distro and update all programs that have security fixes.

You should only install user files and not configuration files without checking.

--
Preben Randhol --- http://www.pvv.org/~randhol/ --
«For me, Ada95 puts back the joy in programming.»
Re: I've been hacked by DevilSoul
[EMAIL PROTECTED] writes:
> if in silicon valley...
> you can be back online within 1hr or so...

What does the Silicon Valley have to do with the time to get back online?

> - maybe just sniffing your passwds ???
> - maybe using it to hack other boxes ??

Oh if it's not more... ;-)

> - you need to see what its doing... and then prevent that from
> happening on your next install

This can be quite difficult. If you really want to do this you should certainly take the box offline during this time.

bye, patrice

--
GPG ID: A5F15976 Key fingerprint: 201D 12D1 F629 1E9B 0BB0 EAF5 3009 AF60 A5F1 5976
Re: I've been hacked by DevilSoul
hi alan

where are you ??? if in silicon valley... you can be back online within 1hr or so...
( assuming you have data-only backed up prior to the hacker getting
( into your box..

if the [h/cr]acker didn't "rm -rf /" your machine.. you're still online..
- maybe just sniffing your passwds ???
- maybe using it to hack other boxes ??
- you need to see what its doing... and then prevent that from happening on your next install
- if you think they used a simple/ordinary rootkits... you can try some of the rootkit detectors
  http://www.chkrootkit.org/
  http://www.blackcode.com/scan ( scans your machine - or used to scan for rootkits/trojans )

otherwise..
  http://www.Linux-Sec.net/Tracking

have fun
alvin
http://www.Linux-Sec.net/

On Thu, 10 Jan 2002, Alan Aldrich wrote:
>
> Not sure what all it did, but really played havoc with SSH and some other
> networking components and is keeping my aventail authentication server from
> honoring socks requests.
> Can someone help undo whatever it did or point me to a site that covers it? I
> need to get this server back online quick
> Thanks
> alan
>
>
Re: I've been hacked by DevilSoul
On Fri, 2002-01-11 at 05:02, Alan Aldrich wrote:
>
> Not sure what all it did, but really played havoc with SSH and some other
> networking components and is keeping my aventail authentication server from
> honoring socks requests.
> Can someone help undo whatever it did or point me to a site that covers it? I
> need to get this server back online quick

Just making sure for you: do *not* restore binary files from backup, only data (text?) files and any /etc/-files you can't recreate from your head.

We had an incident where we suspected a break-in on one server. Reinstalling all our 7 highly intertwined Debian servers from scratch took less than a week. Just get email up first, then install apache, or what you are providing, restore your htdocs and then fiddle with getting your system right. Try to use as much as possible of Debian's plain installation configurations, they are usually quite well thought through :)

Did you use potato or woody? It would be nice for the rest of us to have some clue on what might have happened. It might not be trivial (i.e. a stolen password or an old version of SSH.)

--
Lars Bahner, http://lars.bahner.com/
Nihil est sine ratione cur potius sit, quam non sit.