Re: Socks & Squid?

2002-01-11 Thread Josh Frick

Lou Poppler wrote:

> On Fri, 11 Jan 2002, Josh Frick wrote:
>
> > Is there any reason that Socks and Squid couldn't or shouldn't be run on
> > the same box?  I'd appreciate anyone's advice.  Thanks.
>
> Be very careful to configure both of these very restrictively.
> The newest favorite trick of pro spammers is to find promiscuous
> Socks proxies, Wingate proxies, and Squid or Cacheflow servers
> which allow untraceable relaying of spam via your machine.
> Untraceable to the actual spammer that is -- probably you will
> have some explaining to do to your own ISP as to why so many
> spam complaints are arriving which show your box as the source
> of the spam.  The default configurations of Socks and Squid seem
> to allow any host to proxy through them.

Thank you.  Are there any Debian packages that have settings or scripts
for settings you'd recommend?  FYI, I was planning on putting
Socks/Squid behind one or two packet filters.  Not sure if this will
make a difference, but I offer *no* services to the outside world.
(intentionally, that is :-) )






Re: [d-security] Re: /etc/passwd->shell

2002-01-11 Thread Christian Hammers
On Fri, Jan 11, 2002 at 10:00:32PM -0500, Hubert Chan wrote:
> So daemon, bin, sys, ftp, www-data, mail, mysql, etc. can probably be
> set to /bin/false.  (Why does Debian not do this by default?)
Apart from the ftp users which (sometimes) need their ftp password to
be stored in /etc/shadow and thus would make it a valid login password
too, I can see no reason for not giving a user that has *no* password
a shell.
Without a password in /etc/shadow or /etc/passwd he could not log in, and
if someone cracks the server with e.g. a buffer overflow he does not
depend on the passwd entries but executes /bin/bash directly.
On the other hand, when executing "su -c daemonxy cronscriptxy" from
your crontab or similar, you need a valid shell because the shell
relies on it when executing child programs.

BTW: for ftp and pop3 users I could imagine /bin/passwd being a nice shell
because it would allow the users to change their password via ssh.

bye,

 -christian-



Re: /etc/passwd->shell

2002-01-11 Thread Hubert Chan

> "Ivan" == "Ivan R." writes:

Ivan> hi all!  i want a password file without hole.

Ivan> so i have now in /etc/passwd:

Ivan> root with /bin/bash
Ivan> daemon, bin and sys with /bin/sh
Ivan> sync with /bin/sync
Ivan> normal users with /bin/bash
Ivan> ftp users with /bin/noshell

Anything that is not a real user can have its shell set to /bin/false.
In fact, depending on how your system is set up, you could probably even
set root's shell to /bin/false.  Just make sure that you have some way
of doing stuff as root (e.g. sudo), and that you don't kill single
mode.  (Never tried this, but I don't see why you couldn't do this.)

So daemon, bin, sys, ftp, www-data, mail, mysql, etc. can probably be
set to /bin/false.  (Why does Debian not do this by default?)

I don't know what the sync user is for, though, so I don't know if you
can set it to /bin/false.  /bin/sync looks like it was put there for a
reason.

-- 
Hubert Chan <[EMAIL PROTECTED]> - http://www.geocities.com/hubertchan/
PGP/GnuPG key: 1024D/71FDA37F
Fingerprint: 6CC5 822D 2E55 494C 81DD  6F2C 6518 54DF 71FD A37F
Key available at wwwkeys.pgp.net.   Encrypted e-mail preferred.

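Hubert's rule above (anything that is not a real user gets /bin/false) and Christian's caveat (a locked password already blocks login, but an account that cron uses via "su -c" still needs a real shell) can be checked mechanically. The audit script below is an added example, not code from the thread; it runs on constructed copies of /etc/passwd and /etc/shadow modelled on Ivan's listing, and the hashes in the sample are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Audits which accounts in a passwd
# file can really log in, following Hubert's rule (non-human accounts get
# /bin/false) and Christian's caveat (a locked password already blocks
# login, but an account that cron uses via "su -c" still needs a shell).
#
# audit_shells PASSWD_FILE SHADOW_FILE
#   prints "<user> <uid> <shell> <verdict>" per account:
#     locked+shell      no usable password but a login shell: candidate for
#                       /bin/false, unless cron/su runs jobs as this user
#     password+noshell  usable password but a non-login shell (ftp/pop-only
#                       users, as in Ivan's listing): intended, but review
#     login             usable password and a login shell: a real user
#     locked+noshell    nothing to do
# The shadow file must be non-empty (the NR==FNR trick relies on it).
audit_shells() {
    awk -F: '
        # First file (shadow): remember the password field per user.
        NR == FNR { pw[$1] = $2; next }
        # Second file (passwd).
        {
            user = $1; uid = $3; shell = $7
            h = (user in pw) ? pw[user] : $2
            # "", "x" without a shadow entry, "*", "!" or "!<hash>":
            # no password can ever match.
            locked = (h == "" || h == "x" || h == "*" || h ~ /^!/)
            nologin = (shell == "/bin/false" || shell == "/bin/sync" ||
                       shell == "/bin/noshell" || shell == "/usr/sbin/nologin")
            if (locked && !nologin)      v = "locked+shell"
            else if (!locked && nologin) v = "password+noshell"
            else if (!locked)            v = "login"
            else                         v = "locked+noshell"
            printf "%s %s %s %s\n", user, uid, shell, v
        }' "$2" "$1"
}

# Constructed sample files modelled on Ivan's listing; the hashes are
# placeholders, not real crypt() output.
write_samples() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/bin/sh
mysql:x:100:101:MySQL Server:/var/lib/mysql:/bin/false
ftpuser1:x:1001:1001:FTP only:/home/ftpuser1:/bin/noshell
ivan:x:1000:1000:Ivan R.:/home/ivan:/bin/bash
EOF
    cat > "$2" <<'EOF'
root:$1$PLACEHOLDER$notarealhash:11690:0:99999:7:::
daemon:*:11690:0:99999:7:::
bin:*:11690:0:99999:7:::
sync:*:11690:0:99999:7:::
www-data:*:11690:0:99999:7:::
mysql:!:11690:0:99999:7:::
ftpuser1:$1$PLACEHOLDER$notarealhash:11690:0:99999:7:::
ivan:$1$PLACEHOLDER$notarealhash:11690:0:99999:7:::
EOF
}

# Demo on the constructed sample; on a real host run, as root:
#   audit_shells /etc/passwd /etc/shadow
tmp=$(mktemp -d)
write_samples "$tmp/passwd" "$tmp/shadow"
audit_shells "$tmp/passwd" "$tmp/shadow"
rm -r "$tmp"
```

Every "locked+shell" line is an account to move to /bin/false after checking that no crontab or init script relies on "su" to that user.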


Re: Socks & Squid?

2002-01-11 Thread Lou Poppler
On Fri, 11 Jan 2002, Josh Frick wrote:

> Is there any reason that Socks and Squid couldn't or shouldn't be run on 
> the same box?  I'd appreciate anyone's advice.  Thanks.

Be very careful to configure both of these very restrictively.
The newest favorite trick of pro spammers is to find promiscuous
Socks proxies, Wingate proxies, and Squid or Cacheflow servers
which allow untraceable relaying of spam via your machine.
Untraceable to the actual spammer that is -- probably you will
have some explaining to do to your own ISP as to why so many
spam complaints are arriving which show your box as the source
of the spam.  The default configurations of Socks and Squid seem
to allow any host to proxy through them.

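Lou's warning above about promiscuous proxies, as an added squid.conf fragment that is not from the thread and not Squid's shipped defaults: the open rule beside a restricted rule set. The inside address 192.168.1.1 and the LAN range 192.168.1.0/24 are assumptions; use one section or the other, they are shown together only for comparison.

```conf
# Weak: every host that can reach port 3128 may fetch (and CONNECT) through
# this cache, which is the promiscuous proxy the thread warns about.
http_port 3128
http_access allow all

# Restricted: listen on the inside address only, serve only the LAN, and
# refuse tunnels to anything but HTTPS (a CONNECT to port 25 on some
# mail server is how a web cache turns into a spam relay).
http_port 192.168.1.1:3128          # inside interface address (assumed)
acl localnet src 192.168.1.0/24     # LAN range (assumed)
acl SSL_ports port 443
acl Safe_ports port 80 21 443 1025-65535
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all                # everyone else, including the Internet
```

Squid evaluates http_access lines in order and stops at the first match, so the final "deny all" must stay last; "squid -k parse" checks the file before a reload. The packet filters Josh mentions are a second layer, not a replacement for these ACLs.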



Re: I've been hacked by DevilSoul

2002-01-11 Thread Dries Kimpe
On Sat, 12 Jan 2002, Richard wrote:

> > On Fri, Jan 11, 2002 at 10:25:03PM +0100, martin f krafft wrote:
> > > 
> > > i doubt that a kernel module can override the linux kernel filesystem
> > > abstraction layer. but i guess it could be possible.
> > > 
> > 
> > Oh, it certainly can!  knark is a perfect example of a kernel module to
> > do just this.  (knark is Swedish for "drugged".)  It allows files,
> > processes, network connections, and network interface promiscuity to be
> > *completely* hidden.  It allows the cracker to override what actual
> > binary file gets run when a user tries to run some other (possibly
> > hidden) executable.
> 
> Here kstat might be of interest; it's getting its information directly
> from the kernel structures (reading /dev/kmem, and using a dummy module).
> 

  Looking at all the nice things one can do with a modern (and
surprisingly easy to make) rootkit, I'm really thinking about just
avoiding modular kernels at any cost.

  I once had a Red Hat box hacked (old lpr exploit [from within the
'trusted' network]). Think it was adore I found (along with some sniffers).
I already avoid modules in most places (gateway, webservers, ...).
Usually the pros of modules outweigh the cons, but nowadays, with
memory that cheap I don't think it's worth the trouble any longer.

  Still, knark is nice work ;-) Solves the whole AIDE problem a hacker has
on most systems these days... As the document states, one of the only
possibilities for detecting knark is using the utils and trying to get root
yourself, or unhide/hide files. Adore already had a solution for that:
those things mostly work by sending a signal to the process, and adore
used an offset, so the 'standard' detection tools couldn't detect it
anymore. Without the correct offset, nobody but those who installed the
rootkit could use it (easily).

  The problem is that with code like that lying around (don't get me
wrong, I think it's *good* that people create things like that - without
challenge, there's no need for improvement, and it stimulates creativity
- but what worries me is that it lowers the threshold). You don't have to
know that much about Linux kernel internals to adapt the knark code to use
different signals/ports. As soon as people start to do that, most
rootkit-detection software fails... And as said in this thread before, one
can hide for a very long time in a (standard) Linux system...

  Dries





/etc/passwd->shell

2002-01-11 Thread "Ivan R."
hi all!

I want a password file
without holes.

So I have now in /etc/passwd:

root with /bin/bash
daemon, bin and sys with /bin/sh
sync with /bin/sync
normal users with /bin/bash
ftp users with /bin/noshell

Here I think that's good,

but I have some questions:

What about replacing /bin/sh for man with /bin/false?
I tried it, and viewing man pages is OK.
Is there a reason to leave /bin/sh?

Why do mail and www-data have /bin/sh
and not mysql (/bin/false)?
Why no shell for mysqld and a shell
for the others?
What should I do here?

thanks in advance for all

;D

-
Ivan R.
sysadmin



Socks & Squid?

2002-01-11 Thread Josh Frick
Is there any reason that Socks and Squid couldn't or shouldn't be run on 
the same box?  I'd appreciate anyone's advice.  Thanks.


  Sincerely,

  Josh Frick



RE: Hacked too?

2002-01-11 Thread dude


Sorry, but could someone please summarize what the "Hacked too?" thread is
about?

Just got back into town and not making sense of the thread that I read in
the archives.

Thankx





Re: Hacked too?

2002-01-11 Thread Uwe Hermann
Hi Ed,

On Fri, Jan 11, 2002 at 05:46:58PM -0500, Ed Street wrote:
> > > > I have run chkrootkit and get
> 
> Anyone have a d/l site for the deb package of this?

apt-get install chkrootkit


Uwe.
-- 
Uwe Hermann
[EMAIL PROTECTED]
[EMAIL PROTECTED] | Unmaintained Free Software:
http://www.hermann-uwe.de | http://www.unmaintained-free-software.org



Re: Hacked too?

2002-01-11 Thread Ralf Dreibrodt
> Sorry, but could someone please summarize what the "Hacked too?" thread is
> about?

Someone used a script which should detect rootkits, and it said it found
one, although there is probably none. It seems just to check whether a
certain port is open.

just ignore the thread ;)

bye
Ralf



RE: Hacked too?

2002-01-11 Thread Igor Balusov
Thanks Stephen,
I have run the "netstat -anp"
The result is: 
" 0.0.0.0:31337  0.0.0.0:*1687/fakebo"
I really have installed "fakebo".
It is useful. Very often somebody tries to find backdoors on my PC. It helps me to
discover them.
Billy




RE: Hacked too?

2002-01-11 Thread Emmanuel Valliet
(2002-01-12) Igor Balusov sed :

 | What does this mean:
 | "If you're running PortSentry/klaxon or another program that binds itself to
 | unused ports probably chkrootkit will give you a false positive on the
 | bindshell test (ports .. 31336/tcp, 31337/tcp ...)."?
 | It is from http://www.chkrootkit.org/
 | Is my PC really hacked or not? How can I determine it?
 | When I run "netstat -an" I get
 | "udp0  0 0.0.0.0:31337   0.0.0.0:*"
 | How can I stop this?
 | Billy

fuser -n udp 31337 will give you the PID of the process listening on
the port 31337.
Then with ps you will be able to discover the process hiding behind.
Otherwise, lsof is your friend too :)

-- 
VALLIET Emmanuel
Webmotion Inc. (-> http://www.webmotion.com <-)
Bored? Drive the speed limit... in your garage.



RE: Hacked too?

2002-01-11 Thread Stephen Ryan
On Fri, 2002-01-11 at 17:49, Igor Balusov wrote:
> What does this mean:
> "If you're running PortSentry/klaxon or another program that binds itself to
> unused ports probably chkrootkit will give you a false positive on the
> bindshell test (ports .. 31336/tcp, 31337/tcp ...)."?
> It is from http://www.chkrootkit.org/
> Is my PC really hacked or not? How can I determine it?
> When I run "netstat -an" I get
> "udp0  0 0.0.0.0:31337   0.0.0.0:*"
> How can I stop this?
> Billy

Try "netstat -anp" to find out which program is listening on that port. 

You should also check to see whether you have portsentry installed or
anything like it.  ("dpkg -s portsentry" if you installed it via Debian;
I don't know what others might be installed or where to look if you
installed them from source instead.)

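Stephen's "netstat -anp" and Emmanuel's fuser/lsof advice above, turned into a repeatable check as an added example that is not code from the thread: it parses saved netstat -anp output, maps the two ports the quoted chkrootkit text names to their owning program, and treats the decoy daemons named in the thread (fakebo, portsentry, klaxon) as the likely false positive. The netstat output in the sample is constructed, with Igor's fakebo line as one of the rows.

```shell
#!/bin/sh
# Added example (not from the thread). Triage a chkrootkit "bindshell" hit
# the way the thread suggests (netstat -anp, then fuser/lsof), but from a
# saved copy of "netstat -anp" output so the check is repeatable offline.
#
# triage_bindshell NETSTAT_FILE
#   for each listening socket on a watched port prints one of
#     <proto> <port> <program> decoy     known port-binding decoy daemon
#                                        (fakebo, portsentry, klaxon): the
#                                        likely false positive
#     <proto> <port> <program> unknown   not a decoy: verify that binary
#     <proto> <port> -         noowner   no visible owner: netstat was not
#                                        run as root, or the process is
#                                        hidden (the knark case): investigate
# Only the two ports the quoted chkrootkit text names are watched here;
# chkrootkit itself checks more.
BINDSHELL_PORTS="31336 31337"

triage_bindshell() {
    awk -v ports="$BINDSHELL_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) watch[p[i]] = 1 }
        $1 !~ /^(tcp|udp)/ { next }               # header lines
        $1 ~ /^tcp/ && $6 != "LISTEN" { next }   # established tcp: not a bound shell
        {
            port = $4; sub(/.*:/, "", port)      # local address is host:port
            if (!(port in watch)) next
            proto = $1; owner = $NF              # udp rows have no State column
            if (owner == "-") { printf "%s %s - noowner\n", proto, port; next }
            prog = owner; sub(/^[0-9]+\//, "", prog)
            verdict = (prog == "fakebo" || prog == "portsentry" || prog == "klaxon") ? "decoy" : "unknown"
            printf "%s %s %s %s\n", proto, port, prog, verdict
        }' "$1"
}

# Constructed "netstat -anp" output: Igor's fakebo line plus an sshd
# listener, an established session and a listener with no visible owner.
write_sample_netstat() {
    cat > "$1" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      412/sshd
tcp        0      0 0.0.0.0:31336           0.0.0.0:*               LISTEN      -
tcp        0      0 192.168.1.5:22          192.168.1.9:34021       ESTABLISHED 2031/sshd
udp        0      0 0.0.0.0:31337           0.0.0.0:*                           1687/fakebo
EOF
}

# Demo on the constructed sample. On a live host, as root:
#   netstat -anp > /tmp/netstat.txt && triage_bindshell /tmp/netstat.txt
# and for any "unknown" or "noowner" line follow Emmanuel's advice:
#   fuser -n udp 31337   /   lsof -i udp:31337
tmp=$(mktemp -d)
write_sample_netstat "$tmp/netstat.txt"
triage_bindshell "$tmp/netstat.txt"
rm -r "$tmp"
```

A "noowner" result on a host where netstat did run as root is the case the DevilSoul thread describes: the socket exists but its process is not visible, so the answer is not to "stop this" but to treat the box as compromised.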


Re: I've been hacked by DevilSoul

2002-01-11 Thread Richard


On Fri, 11 Jan 2002, Noah L. Meyerhans wrote:

> On Fri, Jan 11, 2002 at 10:25:03PM +0100, martin f krafft wrote:
> > 
> > i doubt that a kernel module can override the linux kernel filesystem
> > abstraction layer. but i guess it could be possible.
> > 
> 
> Oh, it certainly can!  knark is a perfect example of a kernel module to
> do just this.  (knark is Swedish for "drugged".)  It allows files,
> processes, network connections, and network interface promiscuity to be
> *completely* hidden.  It allows the cracker to override what actual
> binary file gets run when a user tries to run some other (possibly
> hidden) executable.

Here kstat might be of interest; it's getting its information directly
from the kernel structures (reading /dev/kmem, and using a dummy module).

[RicV]



RE: Hacked too?

2002-01-11 Thread Igor Balusov
What does this mean:
"If you're running PortSentry/klaxon or another program that binds itself to
unused ports probably chkrootkit will give you a false positive on the
bindshell test (ports .. 31336/tcp, 31337/tcp ...)."?
It is from http://www.chkrootkit.org/
Is my PC really hacked or not? How can I determine it?
When I run "netstat -an" I get
"udp0  0 0.0.0.0:31337   0.0.0.0:*"
How can I stop this?
Billy




RE: Hacked too?

2002-01-11 Thread Ed Street
> > > I have run chkrootkit and get

Anyone have a d/l site for the deb package of this?

Ed



RE: Hacked too?

2002-01-11 Thread Hassard, Stephen
Still, I think that one of the first things you should do with your hacked
system is unplug the network cable. The majority of hacks these days are
for stepping stones; they don't necessarily care about the data on your PC,
but will go after other PCs from yours. I don't think you really want the FBI
knocking on your door after they find out that your home PC has been banging
on their network .. :P

> -Original Message-
> From: martin f krafft [mailto:[EMAIL PROTECTED] 
> Sent: January 11, 2002 2:34 PM
> To: debian-security@lists.debian.org
> Subject: Re: Hacked too?
> 
> 
> also sprach Игорь Балусов <[EMAIL PROTECTED]>
> [2002.01.11.2316 +0100]:
> > I have run chkrootkit and get 
> > "Checking `bindshell'... INFECTED (PORTS:  31337)"
> > What I need to do?
> 
> reinstall. no, really! unless this is a non-productive 
> system, in which
> case you are free to try to remove it. but once you have a cracked
> system, you can't take anything for granted, you can't even trust your
> keyboard anymore. and every time you use SSH or telnet or
> whatever, your
> password is probably going straight to the hacker. so all the systems
> you SSH into are possibly also hacked. let's hope you don't root-login
> remotely anywhere!
> 
> -- 
> martin;  (greetings from the heart of the sun.)
>   \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]
>   
> f u cn rd ths, u cn gt a nce jb in th prgrmng indstry
> 



Re: Hacked too?

2002-01-11 Thread martin f krafft
also sprach Игорь Балусов <[EMAIL PROTECTED]> [2002.01.11.2316 +0100]:
> I have run chkrootkit and get 
> "Checking `bindshell'... INFECTED (PORTS:  31337)"
> What I need to do?

reinstall. no, really! unless this is a non-productive system, in which
case you are free to try to remove it. but once you have a cracked
system, you can't take anything for granted, you can't even trust your
keyboard anymore. and every time you use SSH or telnet or whatever, your
password is probably going straight to the hacker. so all the systems
you SSH into are possibly also hacked. let's hope you don't root-login
remotely anywhere!

-- 
martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]
  
f u cn rd ths, u cn gt a nce jb in th prgrmng indstry




Hacked too?

2002-01-11 Thread Игорь

I have run chkrootkit and get
"Checking `bindshell'... INFECTED (PORTS:  31337)"
What do I need to do?
Billy




Re: I've been hacked by DevilSoul

2002-01-11 Thread martin f krafft
also sprach Noah L. Meyerhans <[EMAIL PROTECTED]> [2002.01.11.2240 +0100]:
> Oh, it certainly can!  knark is a perfect example of a kernel module to
> do just this.  (knark is Swedish for "drugged".)  It allows files,
> processes, network connections, and network interface promiscuity to be
> *completely* hidden.  It allows the cracker to override what actual
> binary file gets run when a user tries to run some other (possibly
> hidden) executable.

wow. a link please?
http://www.sans.org/newlook/resources/IDFAQ/knark.htm
?

-- 
martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]
  
the remote desktop feature of windows xp is really nice (and
*novel*!). as a micro$oft consultant can *remotely* disable the
personal firewall and control the system. we'll ignore the fact that
this tampering with the firewall is not logged, and more importantly,
that the firewall isn't restored when the clowns from redmod are done
with their job.





Re: I've been hacked by DevilSoul

2002-01-11 Thread Noah L. Meyerhans
On Fri, Jan 11, 2002 at 10:25:03PM +0100, martin f krafft wrote:
> 
> i doubt that a kernel module can override the linux kernel filesystem
> abstraction layer. but i guess it could be possible.
> 

Oh, it certainly can!  knark is a perfect example of a kernel module to
do just this.  (knark is Swedish for "drugged".)  It allows files,
processes, network connections, and network interface promiscuity to be
*completely* hidden.  It allows the cracker to override what actual
binary file gets run when a user tries to run some other (possibly
hidden) executable.

It works amazingly well, and it is scary.  It's been around for quite a
while now (couple of years, I guess), but hasn't shown up in rootkits
much yet.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 




Re: I've been hacked by DevilSoul

2002-01-11 Thread Noah L. Meyerhans
On Fri, Jan 11, 2002 at 05:04:53PM +, Ricardo B wrote:
> He can be loaded as a kernel module and then hide all traces of its
> presence in the system, by overriding the proper system calls and
> /proc info.  Isn't there a way to turn module loading off (a way that
> can't be changed back - without rebooting) ?

Yes, but it won't help you much.  I've read some very interesting
articles recently about writing directly to /dev/kmem.  That allows you
to do some fun kernel level stuff without any module support needed at
all.

This kernel level stuff makes traditional host based intrusion detection
really difficult.  LIDS helps, but I don't think it's the final
solution.  Network intrusion detection helps, but it's really difficult
to fine-tune something like SNORT to only give you interesting
information, especially if you're in a really large network.

In these days of kernel-level compromises, a lot of network intruders
are only detected when they do something stupid like portscan a box from
one of their cracked machines.  If they lie low and are smart about
covering their tracks, they're likely to go unnoticed for a very long
time.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 





Re: I've been hacked by DevilSoul

2002-01-11 Thread martin f krafft
also sprach Ricardo B <[EMAIL PROTECTED]> [2002.01.11.1804 +0100]:
> There is no need for a rootkit to reboot the machine in order to hide 
> himself. 
> He can be loaded as a kernel module and then hide all traces of its presence 
> in
> the system, by overriding the proper system calls and /proc info.
> Isn't there a way to turn module loading off (a way that can't be changed
> back 
>  - without rebooting) ?

i doubt that a kernel module can override the linux kernel filesystem
abstraction layer. but i guess it could be possible.

> Boot the machine with a secure (as in external) kernel and root file system. 
> Only then use tripwire to see if anything has changed.
> Hmm... can we trust the BIOS? :-)

how can you overwrite the bios from linux? and: how much does linux care
about the bios? we're dealing with harddrives, and i have *no*
harddrives configured in any bios, i let the kernel take care of it all.

-- 
martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]
  
si vis pacem, para bellum




Re: Hacked too?

2002-01-11 Thread Ralf Dreibrodt

> Sorry but could someone please summerize what the "Hacked too?" thread is
> about?

someone used a script, which should detect rootkits and it said it found
one, although there is probably none. it seems just to check whether a
certain port is open.

just ignore the thread ;)

bye
Ralf


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




RE: Hacked too?

2002-01-11 Thread Igor Balusov

Thanks Stephen,
I have run the "netstat -anp"
The result is: 
" 0.0.0.0:31337  0.0.0.0:*1687/fakebo"
Really I have installed "fakebo".
It is usefull. Very often anybody try to find on my PC backdoors. It help me to 
discover theirs.
Billy

  òÅËÌÁÍÁ: 
  íÏÓËÏ×ÓËÁÑ ëÁÌÅÎÄÁÒÎÁÑ æÁÂÒÉËÁ - Ë×ÁÒÔÁÌØÎÙÅ ËÁÌÅÎÄÁÒÉ 
  ÐÏ ÓÁÍÙÍ ÎÉÚËÉÍ ÃÅÎÁÍ. ôÅÌÅÆÏÎ: (8095)254-88-55 
  http://www.kalendar.r2.ru/


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




RE: Hacked too?

2002-01-11 Thread dude



Sorry but could someone please summerize what the "Hacked too?" thread is
about?

just got back into town and not making sense of the thread that i read in
the archives

Thankx



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




RE: Hacked too?

2002-01-11 Thread Emmanuel Valliet

(2002-01-12) Igor Balusov sed :

 | What is mean:
 | "If you're running PortSentry/klaxon or another program that binds itself to
 | unused ports probably chkrootkit will give you a false positive on the
 | bindshell test (ports .. 31336/tcp, 31337/tcp ...)."?
 | It is from http://www.chkrootkit.org/
 | My PC is really hacked or no? How I can determine it?
 | When I run "netstat -an" I get
 | "udp0  0 0.0.0.0:31337   0.0.0.0:*"
 | How I can stop this?
 | Billy

fuser -n udp 31337 will give you the PID of the process lsitening on
the port 31337.
The with ps you will be able to discover the process hiding behind.
Otherwise, lsof is too your friend :)

-- 
VALLIET Emmanuel
Webmotion Inc. (-> http://www.webmotion.com <-)
Bored? Drive the speed limit... in your garage.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




RE: Hacked too?

2002-01-11 Thread Stephen Ryan

On Fri, 2002-01-11 at 17:49, Igor Balusov wrote:
> What is mean:
> "If you're running PortSentry/klaxon or another program that binds itself to 
> unused ports probably chkrootkit will give you a false positive on the 
> bindshell test (ports .. 31336/tcp, 31337/tcp ...)."?
> It is from http://www.chkrootkit.org/
> My PC is really hacked or no? How I can determine it?
> When I run "netstat -an" I get 
> "udp0  0 0.0.0.0:31337   0.0.0.0:*"
> How I can stop this? 
> Billy

Try "netstat -anp" to find out which program is listening on that port. 

You should also check to see whether you have portsentry installed or
anything like it.  ("dpkg -s portsentry" if you installed it via Debian;
I don't know what others might be installed or where to look if you
installed them from source instead.)



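What Stephen's "netstat -anp" and Emmanuel's fuser/lsof give you, done by reading /proc directly, as an added example that is not code from any poster in this thread and not chkrootkit's: the socket-to-process mapping still works when netstat, fuser and ps have been replaced by a userland rootkit such as the t0rn kit found elsewhere in this thread, although it does not see through a kernel-level rootkit like knark, which can lie to /proc itself. Assumptions: the BINDSHELL_PORTS set holds only the two ports the chkrootkit warning quotes, SAMPLE_UDP is a constructed /proc/net/udp table, and only the IPv4 tables are read. Run it as root, or other users' fd directories stay unreadable.

```python
"""Map bound sockets to their owning processes by reading /proc directly.

Added example for this thread; not any poster's code and not chkrootkit. Reading
/proc/net/{tcp,udp} plus /proc/<pid>/fd sidesteps trojaned netstat, fuser and ps
binaries; it does NOT see through a kernel rootkit like knark, which can lie to
/proc itself. Run as root, or other users' fd directories stay unreadable.
"""
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TCP_LISTEN = "0A"   # 'st' column of /proc/net/tcp: listening socket
UDP_UNCONN = "07"   # 'st' column of /proc/net/udp: bound, unconnected socket
BINDSHELL_PORTS = {31336, 31337}   # assumption: only the ports the warning quotes
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed /proc/net/udp sample: a bind on 0.0.0.0:31337 (0x7A69) and a resolver on 127.0.0.1:53.
SAMPLE_UDP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops\n"
    "  42: 00000000:7A69 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12345 2 0000000000000000 0\n"
    "  43: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000   101        0 12346 2 0000000000000000 0\n"
)

@dataclass
class Listener:
    proto: str
    addr: str
    port: int
    inode: int
    pid: Optional[int] = None
    exe: str = ""
    cmdline: str = ""
    flags: List[str] = field(default_factory=list)

def decode_addr(hexaddr: str):
    """'0100007F:7A69' -> ('127.0.0.1', 31337); IPv4 is one little-endian 32-bit word."""
    host, port = hexaddr.split(":")
    return ".".join(str(b) for b in bytes.fromhex(host)[::-1]), int(port, 16)

def parse_proc_net(text: str, proto: str) -> List[Listener]:
    """Rows of /proc/net/tcp or /proc/net/udp that are bound and waiting for input."""
    want = TCP_LISTEN if proto == "tcp" else UDP_UNCONN
    found = []
    for line in text.splitlines()[1:]:            # line 0 is the column header
        cols = line.split()
        if len(cols) >= 10 and cols[3] == want:
            addr, port = decode_addr(cols[1])
            found.append(Listener(proto, addr, port, int(cols[9])))
    return found

def _try(fn, path, default=""):
    # A /proc entry may vanish (process exited) or be unreadable (not ours).
    try:
        return fn(path)
    except OSError:
        return default

def socket_owners(proc: str = "/proc") -> Dict[int, int]:
    """socket inode -> pid, from every readable /proc/<pid>/fd/* symlink."""
    owners = {}
    for name in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, name, "fd")
        for fd in _try(os.listdir, fd_dir, []):
            m = re.fullmatch(r"socket:\[(\d+)\]", _try(os.readlink, os.path.join(fd_dir, fd)))
            if m:
                owners[int(m.group(1))] = int(name)
    return owners

def flag(l: Listener) -> Listener:
    # Pure heuristics over an already-populated Listener; reasons go into l.flags.
    if l.pid is None:
        l.flags.append("no owning process visible (hidden, or you are not root)")
    if l.exe.endswith(" (deleted)"):
        l.flags.append("binary deleted from disk after it started")
    if l.exe.startswith(SCRATCH_DIRS):
        l.flags.append("runs from a world-writable scratch directory")
    if l.port in BINDSHELL_PORTS:
        l.flags.append("chkrootkit bindshell port: confirm it is portsentry or similar")
    return l

def enrich(l: Listener, owners: Dict[int, int], proc: str = "/proc") -> Listener:
    l.pid = owners.get(l.inode)
    if l.pid is not None:
        p = os.path.join(proc, str(l.pid))
        l.exe = _try(os.readlink, os.path.join(p, "exe"))
        raw = _try(lambda q: open(q, "rb").read(), os.path.join(p, "cmdline"), b"")
        l.cmdline = raw.replace(b"\0", b" ").decode("utf-8", "replace").strip()
    return flag(l)

def triage(proc: str = "/proc") -> List[Listener]:
    # IPv4 tables only; tcp6/udp6 store addresses as four little-endian words.
    owners = socket_owners(proc)
    out = []
    for proto in ("tcp", "udp"):
        with open(os.path.join(proc, "net", proto)) as fh:
            out += [enrich(l, owners, proc) for l in parse_proc_net(fh.read(), proto)]
    return out

if __name__ == "__main__":
    for l in (triage() if os.path.exists("/proc/net/udp") else map(flag, parse_proc_net(SAMPLE_UDP, "udp"))):
        print(f"{l.proto} {l.addr}:{l.port} pid={l.pid} exe={l.exe!r} cmd={l.cmdline!r} flags={l.flags}")
```

A listener with no visible owner is the interesting case: either you are not root, or the owning process is hidden from /proc, which is exactly what the kernel-module rootkits discussed later in this thread do. Compare the output with "dpkg -S" on the exe path before deciding that a portsentry-style daemon is really what is bound there.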



Re: I've been hacked by DevilSoul

2002-01-11 Thread Richard



On Fri, 11 Jan 2002, Noah L. Meyerhans wrote:

> On Fri, Jan 11, 2002 at 10:25:03PM +0100, martin f krafft wrote:
> > 
> > i doubt that a kernel module can override the linux kernel filesystem
> > abstraction layer. but i guess it could be possible.
> > 
> 
> Oh, it certainly can!  knark is a perfect example of a kernel module to
> do just this.  (knark is Swedish for "drugged".)  It allows files,
> processes, network connections, and network interface promiscuity to be
> *completely* hidden.  It allows the cracker to override what actual
> binary file gets run when a user tries to run some other (possibly
> hidden) executable.

Here kstat might be of interest, it's getting its information directly
from the kernel structures. (reading /dev/kmem, and using a dummy module)

[RicV]






RE: Hacked too?

2002-01-11 Thread Igor Balusov

What does this mean:
"If you're running PortSentry/klaxon or another program that binds itself to 
unused ports probably chkrootkit will give you a false positive on the 
bindshell test (ports .. 31336/tcp, 31337/tcp ...)."?
It is from http://www.chkrootkit.org/
Is my PC really hacked or not? How can I determine it?
When I run "netstat -an" I get 
"udp        0      0 0.0.0.0:31337           0.0.0.0:*"
How can I stop this? 
Billy











RE: Hacked too?

2002-01-11 Thread Ed Street

> > > I have run chkrootkit and get

Anyone have a d/l site for the deb package of this?

Ed






RE: Hacked too?

2002-01-11 Thread Hassard, Stephen

still, I think that one of the first things you should do with your hacked
systems is unplug the network cable. the majority of hacks these days are
for stepping stones, they don't necessarily care about the data on your PC,
but will hack other PCs from yours. I don't think you really want the FBI
knocking on your door after they find out that your home PC has been banging
on their network .. :P

> -Original Message-
> From: martin f krafft [mailto:[EMAIL PROTECTED]] 
> Sent: January 11, 2002 2:34 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Hacked too?
> 
> 
> also sprach Igor Balusov <[EMAIL PROTECTED]> 
> [2002.01.11.2316 +0100]:
> > I have run chkrootkit and get 
> > "Checking `bindshell'... INFECTED (PORTS:  31337)"
> > What do I need to do?
> 
> reinstall. no, really! unless this is a non-productive system, in which
> case you are free to try to remove it. but once you have a cracked
> system, you can't take anything for granted, you can't even trust your
> keyboard anymore. and every time you use SSH or telnet or whatever, your
> password is probably going straight to the hacker. so all the systems
> you SSH into are possibly also hacked. let's hope you don't root-login
> remotely anywhere!
> 
> -- 
> martin;  (greetings from the heart of the sun.)
>   \ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
>   
> f u cn rd ths, u cn gt a nce jb in th prgrmng indstry
> 






Re: Hacked too?

2002-01-11 Thread martin f krafft

also sprach Igor Balusov <[EMAIL PROTECTED]> [2002.01.11.2316 +0100]:
> I have run chkrootkit and get 
> "Checking `bindshell'... INFECTED (PORTS:  31337)"
> What do I need to do?

reinstall. no, really! unless this is a non-productive system, in which
case you are free to try to remove it. but once you have a cracked
system, you can't take anything for granted, you can't even trust your
keyboard anymore. and every time you use SSH or telnet or whatever, your
password is probably going straight to the hacker. so all the systems
you SSH into are possibly also hacked. let's hope you don't root-login
remotely anywhere!

-- 
martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
  
f u cn rd ths, u cn gt a nce jb in th prgrmng indstry





Re: I've been hacked by DevilSoul

2002-01-11 Thread Henrique de Moraes Holschuh
On Fri, 11 Jan 2002, Ricardo B wrote:
> Isn't there a way to turn module loading off (a way that can't be changed
> back - without rebooting) ?

None that cannot be undone if you're root in a non-ACL kernel. It gets hard
if the kernel has no module support at all, but not impossible.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh



Hacked too?

2002-01-11 Thread Igor Balusov


I have run chkrootkit and get 
"Checking `bindshell'... INFECTED (PORTS:  31337)"
What do I need to do?
Billy







Re: I've been hacked by DevilSoul

2002-01-11 Thread martin f krafft

also sprach Noah L. Meyerhans <[EMAIL PROTECTED]> [2002.01.11.2240 +0100]:
> Oh, it certainly can!  knark is a perfect example of a kernel module to
> do just this.  (knark is Swedish for "drugged".)  It allows files,
> processes, network connections, and network interface promiscuity to be
> *completely* hidden.  It allows the cracker to override what actual
> binary file gets run when a user tries to run some other (possibly
> hidden) executable.

wow. a link please?
http://www.sans.org/newlook/resources/IDFAQ/knark.htm
?

-- 
martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
  
the remote desktop feature of windows xp is really nice (and
*novel*!). since a micro$oft consultant can *remotely* disable the
personal firewall and control the system. we'll ignore the fact that
this tampering with the firewall is not logged, and more importantly,
that the firewall isn't restored when the clowns from redmond are done
with their job.





Re: I've been hacked by DevilSoul

2002-01-11 Thread Noah L. Meyerhans

On Fri, Jan 11, 2002 at 10:25:03PM +0100, martin f krafft wrote:
> 
> i doubt that a kernel module can override the linux kernel filesystem
> abstraction layer. but i guess it could be possible.
> 

Oh, it certainly can!  knark is a perfect example of a kernel module to
do just this.  (knark is Swedish for "drugged".)  It allows files,
processes, network connections, and network interface promiscuity to be
*completely* hidden.  It allows the cracker to override what actual
binary file gets run when a user tries to run some other (possibly
hidden) executable.

It works amazingly well, and it is scary.  It's been around for quite a
while now (couple of years, I guess), but hasn't shown up in rootkits
much yet.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 




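Noah's description of knark (files, processes and connections hidden from the usual tools) is what a cross-view check targets. The following is an added example, not code from any poster, from knark, or from chkrootkit (whose chkproc test works the same way): list /proc the way ps does, probe every PID with kill(pid, 0), and report PIDs that exist but are not listed. Thread IDs are the classic false positive (kill accepts them, "ls /proc" never shows them), so candidates are filtered through the Tgid field of their status file; SAMPLE_STATUS is a constructed excerpt of such a file. A module that also hooks kill() and the /proc/<pid> lookups passes this check silently, so only a non-empty result carries information.

```python
"""Cross-view check for processes hidden from the /proc directory listing.

Added example for this thread; not any poster's code, not knark, not chkrootkit
(whose chkproc does the same). A module that hooks getdents() hides PIDs from
ps and `ls /proc` but usually still answers kill(pid, 0); a PID found by probing
yet absent from the listing is a hidden-process candidate. A rootkit that hooks
kill() too passes silently, so only a non-empty result means anything.
"""
import os
from typing import Iterable, List, Set

# Constructed /proc/<tid>/status excerpt for thread 1240 of process 1234.
SAMPLE_STATUS = "Name:\tbash\nUmask:\t0022\nState:\tS (sleeping)\nTgid:\t1234\nPid:\t1240\n"


def list_procfs(proc: str = "/proc") -> Set[int]:
    """PIDs as readdir() shows them: the view ps, top and ls /proc rely on."""
    return {int(n) for n in os.listdir(proc) if n.isdigit()}


def exists_by_kill(pid: int) -> bool:
    """kill(pid, 0): ESRCH means no such pid; EPERM means it exists but is not ours."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def probe_kill(pid_max: int) -> Set[int]:
    """Every PID that answers kill(pid, 0); a few million syscalls on a default pid_max."""
    return {pid for pid in range(1, pid_max + 1) if exists_by_kill(pid)}


def parse_tgid(status_text: str) -> int:
    """Tgid field of a /proc/<pid>/status body, or -1 if absent."""
    for line in status_text.splitlines():
        if line.startswith("Tgid:"):
            return int(line.split()[1])
    return -1


def is_thread(pid: int, proc: str = "/proc") -> bool:
    """kill() accepts thread IDs and /proc never lists them: the classic false
    positive. A TID's own status file shows Tgid != pid."""
    try:
        with open(os.path.join(proc, str(pid), "status")) as fh:
            tgid = parse_tgid(fh.read())
    except OSError:
        return False
    return tgid not in (-1, pid)


def hidden_candidates(listed: Iterable[int], probed: Iterable[int]) -> List[int]:
    """Pure difference of the two views, kept separate so it is testable offline."""
    return sorted(set(probed) - set(listed))


def find_hidden(proc: str = "/proc") -> List[int]:
    with open(os.path.join(proc, "sys", "kernel", "pid_max")) as fh:
        pid_max = int(fh.read())
    confirmed = []
    for pid in hidden_candidates(list_procfs(proc), probe_kill(pid_max)):
        if is_thread(pid, proc) or not exists_by_kill(pid):
            continue                      # a thread, or it exited mid-scan
        if pid not in list_procfs(proc):  # re-list: one started mid-scan is not hidden
            confirmed.append(pid)
    return confirmed


if __name__ == "__main__":
    hidden = find_hidden()
    print("hidden PID candidates:", hidden if hidden else "none (which proves little)")
```

Run it from a shell you trust as little as possible, ideally a statically linked python copied from a clean machine, since the interpreter and libc on the victim are as suspect as ps. Any confirmed PID is a reason to stop investigating on the live system and move to the rescue-media approach discussed elsewhere in this thread.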

Re: I've been hacked by DevilSoul

2002-01-11 Thread Noah L. Meyerhans

On Fri, Jan 11, 2002 at 05:04:53PM +, Ricardo B wrote:
> It can be loaded as a kernel module and then hide all traces of its
> presence in the system, by overriding the proper system calls and
> /proc info.  Isn't there a way to turn module loading off (a way that
> can't be changed back - without rebooting) ?

Yes, but it won't help you much.  I've read some very interesting
articles recently about writing directly to /dev/kmem.  That allows you
to do some fun kernel level stuff without any module support needed at
all.

This kernel level stuff makes traditional host based intrusion detection
really difficult.  LIDS helps, but I don't think it's the final
solution.  Network intrusion detection helps, but it's really difficult
to fine-tune something like SNORT to only give you interesting
information, especially if you're in a really large network.

In these days of kernel-level compromises, a lot of network intruders
are only detected when they do something stupid like portscan a box from
one of their cracked machines.  If they lie low and are smart about
covering their tracks, they're likely to go unnoticed for a very long
time.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 





Re: I've been hacked by DevilSoul

2002-01-11 Thread martin f krafft

also sprach Ricardo B <[EMAIL PROTECTED]> [2002.01.11.1804 +0100]:
> There is no need for a rootkit to reboot the machine in order to hide itself. 
> It can be loaded as a kernel module and then hide all traces of its presence in
> the system, by overriding the proper system calls and /proc info.
> Isn't there a way to turn module loading off (a way that can't be changed back 
>  - without rebooting) ?

i doubt that a kernel module can override the linux kernel filesystem
abstraction layer. but i guess it could be possible.

> Boot the machine with a secure (as in external) kernel and root file system. 
> Only then use tripwire to see if anything has changed.
> Hmm... can we trust the BIOS? :-)

how can you overwrite the bios from linux? and: how much does linux care
about the bios? we're dealing with harddrives, and i have *no*
harddrives configured in any bios, i let the kernel take care of it all.

-- 
martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
  
si vis pacem, para bellum (if you want peace, prepare for war)






Re: I've been hacked by DevilSoul

2002-01-11 Thread Ricardo B


msg.pgp
Description: PGP message


Re: I've been hacked by DevilSoul

2002-01-11 Thread Christoph Wegener
"Jacques Lav!gnotte" wrote:

> On Thu, Jan 10, 2002 at 08:31:00PM -0800, Alvin Oga wrote:
>
> A RootKit was installed, only the sniffer was used...
>
> Any idea of what the «default files and dirs» are ?

Please see
http://www.sans.org/y2k/t0rn.htm

Greetz
Christoph
--
   .-.                           Ruhr-Universitaet Bochum
   /v\     L I N U X             Lehrstuhl fuer Biophysik
  // \\    >Penguin Computing<   c/o Christoph Wegener
 /(   )\                         Gebaeude ND 04/Nord
  ^^-^^                          D-44780 Bochum, GERMANY

Tel: +49 (234) 32-25754 Fax: +49 (234) 32-14626
mailto:[EMAIL PROTECTED] http://www.bph.ruhr-uni-bochum.de




Re: I've been hacked by DevilSoul

2002-01-11 Thread Jacques Lav!gnotte
On Thu, Jan 10, 2002 at 08:31:00PM -0800, Alvin Oga wrote:

> - if you think they used a simple/ordinary rootkits... you can 
>   try some of the rootkit detectors
> 
>   http://www.chkrootkit.org/

Great tool

Got : 

Searching for t0rn's default files and dirs... Possible t0rn rootkit installed
Searching for t0rn's v8 defaults... nothing found

All the rest of the log is clean

A RootKit was installed, only the sniffer was used...

Any idea of what the «default files and dirs» are ?


 Tks, Jacques


-- 

0CBE 3F8A 5A77 A35C 27C7  2D42 3EC5 806B 9178 088D





Re: I've been hacked by DevilSoul - confusion

2002-01-11 Thread Alvin Oga

hi patrice

yup .. silicon valley has nothing to do with getting back online
but was intended ...that i could go over and help figure out
what happened to the box... before the reinstall ...

but never mind... sacramento is not too far away either..
on the way up to go skiing on a fri-weekend..

- am assuming the server is back online by now
  and know how the hacker got in...

c ya
alvin

On 11 Jan 2002, Patrice Neff wrote:

> [EMAIL PROTECTED] writes:
> 
> > if in silicon valley...
> > you can be back online within 1hr or so...
> 
> What does the Silicon Valley have to do with the time to getting back
> online?
> 
> > - maybe just sniffing your passwds ???
> > - maybe using it to hack other boxes ??
> 
> Oh if it's not more... ;-)
> 
> > - you need to see what its doing... and then prevent that from
> >   happening on your next install
> 
> This can be quite difficult. If you really want to do this you should
> certainly take the box offline during this time.
> 




Re: I've been hacked by DevilSoul

2002-01-11 Thread Angus D Madden
On Fri, Jan 11, 2002 at 03:43:11PM +0100, Preben Randhol wrote:
> > agreed.  full disk format and reinstall from backup is the only secure
>                                                ^
> 
> This is not safe at all if you mean reinstall programs too. You should
> reinstall programs from the net/CD distro and update all programs that
> have security fixes. 
> 
> You should only install user files and not configuration files without
> checking.
>

Yes.  Sorry if I didn't make that clear.  I just wanted to emphasize
that there was no secure way to avoid a full disk wipe.

g





Re: I've been hacked by DevilSoul

2002-01-11 Thread martin f krafft
also sprach Preben Randhol <[EMAIL PROTECTED]> [2002.01.11.1543 +0100]:
> This is not safe at all if you mean reinstall programs too. You should
> reinstall programs from the net/CD distro and update all programs that
> have security fixes. 

yeah sorry, i meant that actually. reinstall debian from .deb and then
recover all other files from backup, one by one.

> You should only install user files and not configuration files without
> checking.

yes. however, do check for setuid proggies in the user dirs...

-- 
martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]
  
echo '[dO%O+38%O+PO/d0<0]Fi22os0CC4BA64E418CE7l0xAP'|dc





Re: I've been hacked by DevilSoul

2002-01-11 Thread martin f krafft
also sprach Angus D Madden <[EMAIL PROTECTED]> [2002.01.11.0649 +0100]:
> agreed.  full disk format and reinstall from backup is the only secure
> option.  unless you are running something like tripwire there is no way
> to tell what the intruder did, and even then ...

... if, only if, you have the tripwire binary and database securely
stored away on read-only media, and it's current. then you can use it to
verify that no files have changed, and no rootkit was installed.

however, i did post-mortem analyze a machine once where the actual
kernel had been modified so as to mess with file reads in such a way
that the installed root kit wasn't even detected by tripwire! so be
careful. has the machine been up since the break-in? was it restarted
then?

-- 
martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]
  
"in the stage of grand illusion
 you walked into my life
 out of my dreams."
-- david bowie



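The tripwire advice above (database and binary on read-only media, plus martin's warning that a modified kernel can hide changes from it) has a Debian-native counterpart, shown here as an added example that is not any poster's code and not debsums: check installed files against the md5sums lists dpkg keeps, run from a rescue boot with the suspect root mounted read-only so the victim's kernel is out of the loop, as Ricardo's quoted advice to verify only from an external kernel implies. Assumptions: the /mnt/victim mount point is made up, and build_sample_root() constructs a fake victim root so the script runs offline. The md5sums lists live on the same disk, so an attacker who edited them, or who added files no package owns, is not caught; a clean result is weak evidence, while a mismatch on a binary like netstat or ps is strong.

```python
"""Check installed Debian files against dpkg's md5sums lists, from rescue media.

Added example for this thread; not any poster's code and not debsums, which
does this on the live system. Mount the suspect disk read-only under a clean
boot so the victim's kernel is not in the loop, then point this at that root.
Caveat: the md5sums lists sit on the same disk; an attacker who edits them,
or who dropped files no package owns, is not caught. Pass a trusted info dir
if you have one, and treat a clean result as weak evidence only.
"""
import hashlib
import os
import sys
import tempfile
from typing import Dict, List, Optional, Tuple

DEFAULT_ROOT = "/mnt/victim"   # assumption: where the suspect root is mounted


def parse_md5sums(text: str) -> Dict[str, str]:
    """dpkg format: '<md5>  <path relative to />' per line -> {path: md5}."""
    want = {}
    for line in text.splitlines():
        if line.strip():
            digest, _, rel = line.partition("  ")
            want[rel.strip()] = digest.strip().lower()
    return want


def md5_of(path: str) -> str:
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_package(root: str, md5sums_text: str) -> Tuple[List[str], List[str]]:
    """(changed, missing) relative paths under root for one package's list."""
    changed, missing = [], []
    for rel, want in parse_md5sums(md5sums_text).items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            missing.append(rel)
        elif md5_of(path) != want:
            changed.append(rel)
    return changed, missing


def verify_all(root: str, info_dir: Optional[str] = None) -> Dict[str, Tuple[List[str], List[str]]]:
    """Every <pkg>.md5sums in info_dir (default: the suspect disk's own copy);
    only packages with changed or missing files are reported."""
    info_dir = info_dir or os.path.join(root, "var/lib/dpkg/info")
    report = {}
    for name in sorted(os.listdir(info_dir)):
        if not name.endswith(".md5sums"):
            continue
        with open(os.path.join(info_dir, name), encoding="utf-8", errors="replace") as fh:
            changed, missing = verify_package(root, fh.read())
        if changed or missing:
            report[name[: -len(".md5sums")]] = (changed, missing)
    return report


def build_sample_root() -> str:
    """Constructed fixture, not real package data: a fake victim root whose
    'net-tools' list covers an intact ps, a replaced netstat and a missing ifconfig."""
    root = tempfile.mkdtemp(prefix="victim-")
    info = os.path.join(root, "var/lib/dpkg/info")
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(info)
    genuine = {
        "bin/ps": b"#!/bin/sh\necho genuine ps\n",
        "bin/netstat": b"#!/bin/sh\necho genuine netstat\n",
        "bin/ifconfig": b"#!/bin/sh\necho genuine ifconfig\n",
    }
    with open(os.path.join(info, "net-tools.md5sums"), "w") as fh:
        fh.writelines(f"{hashlib.md5(data).hexdigest()}  {rel}\n" for rel, data in genuine.items())
    with open(os.path.join(root, "bin/ps"), "wb") as fh:
        fh.write(genuine["bin/ps"])
    with open(os.path.join(root, "bin/netstat"), "wb") as fh:
        fh.write(b"#!/bin/sh\necho replaced netstat\n")   # the trojaned binary
    return root                                          # bin/ifconfig deliberately absent


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_ROOT
    if not os.path.isdir(os.path.join(root, "var/lib/dpkg/info")):
        root = build_sample_root()    # nothing mounted: demonstrate on the fixture
    for pkg, (changed, missing) in verify_all(root).items():
        for rel in changed:
            print(f"{pkg}: CHANGED /{rel}")
        for rel in missing:
            print(f"{pkg}: MISSING /{rel}")
```

Conffiles are not in the md5sums lists (dpkg tracks them separately), so /etc needs the file-by-file review martin describes regardless. A stronger variant feeds verify_package() lists taken from freshly downloaded .debs rather than from the disk under examination, which closes the edited-md5sums hole.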

Re: I've been hacked by DevilSoul

2002-01-11 Thread Preben Randhol
Angus D Madden <[EMAIL PROTECTED]> wrote on 11/01/2002 (11:53) :
> On Fri, Jan 11, 2002 at 05:07:02AM +0100, martin f krafft wrote:
> > you've been hacked -> backup -> re-mkfs -> reinstall -> re-config from
> > backup very carefully (i.e. file by file) -> restore user data -> do
> > some post-mortem with backup -> ensure security -> reopen server to
> > public and users -> more post-mortem -> take more security measures.
> > 
> > standard procedure.
> > 
> 
> agreed.  full disk format and reinstall from backup is the only secure
                                               ^

This is not safe at all if you mean reinstall programs too. You should
reinstall programs from the net/CD distro and update all programs that
have security fixes. 

You should only install user files and not configuration files without
checking.

-- 
Preben Randhol --- http://www.pvv.org/~randhol/ --
 «For me, Ada95 puts back the joy in programming.»




Re: I've been hacked by DevilSoul

2002-01-11 Thread Patrice Neff
[EMAIL PROTECTED] writes:

> if in silicon valley...
> you can be back online within 1hr or so...

What does the Silicon Valley have to do with the time to getting back
online?

> - maybe just sniffing your passwds ???
> - maybe using it to hack other boxes ??

Oh if it's not more... ;-)

> - you need to see what its doing... and then prevent that from
>   happening on your next install

This can be quite difficult. If you really want to do this you should
certainly take the box offline during this time.

bye,
patrice

-- 
GPG ID: A5F15976
Key fingerprint: 201D 12D1 F629 1E9B 0BB0  EAF5 3009 AF60 A5F1 5976








Re: I've been hacked by DevilSoul

2002-01-11 Thread gyuri

hi alan

where are you ???

if in silicon valley...
you can be back online within 1hr or so...
( assuming you have data-only backed up prior to the hacker getting
( into your box..

if the [h/cr]acker didn't "rm -rf /" your machine..you're still online..
- maybe just sniffing your passwds ???
- maybe using it to hack other boxes ??

- you need to see what its doing... and then prevent that from
  happening on your next install

- if you think they used a simple/ordinary rootkits... you can 
  try some of the rootkit detectors

http://www.chkrootkit.org/

http://www.blackcode.com/scan 
( scans your machine - or used to scan for rootkits/trojans )

otherwise..
http://www.Linux-Sec.net/Tracking

have fun
alvin
http://www.Linux-Sec.net/


On Thu, 10 Jan 2002, Alan Aldrich wrote:

> 
> Not sure what all it did, but really played havoc with SSH and some other 
> networking components and is keeping my aventail authentication server from 
> honoring socks requests.
> Can someone help undo whatever it did or point me to a site that covers it? I 
> need to get this server back online quick
> Thanks
> alan
> 
> 





Re: I've been hacked by DevilSoul

2002-01-11 Thread Lars Bahner
On Fri, 2002-01-11 at 05:02, Alan Aldrich wrote:
> 
> Not sure what all it did, but really played havoc with SSH and some other 
> networking components and is keeping my aventail authentication server from 
> honoring socks requests.
> Can someone help undo whatever it did or point me to a site that covers it? I 
> need to get this server back online quick

Just making sure for you: do *not* restore binary files from backup,
only data (text?) files and any /etc/-files you can't recreate from your
head.

We had an incident where we suspected a break-in on one server.
Reinstalling all our 7 highly intertwined Debian servers from scratch
took less than a week. Just get email up first, then install apache, or
what you are providing, restore your htdocs and then fiddle with getting
your system right.

Try to use as much of Debian's plain installation configuration as
possible, it is usually quite well thought through :)

Did you use potato or woody? It would be nice for the rest of us to have
some clue on what might have happened. It might not be trivial (i.e. a
stolen password or an old version of SSH.)
-- 
Lars Bahner,
http://lars.bahner.com/

Nihil est sine ratione cur potius sit, quam non sit. (Nothing is without a reason why it is, rather than is not.)





