Re: Debian Stable server hacked

2003-08-06 Thread Hobbs, Richard
Hello,

 Was anyone else logged in at the time? Perhaps one of your admins had a 
 weak or compromised password?

Install johntheripper if you want to check for weak passwords :D a great 
program!

Hobbs.

FOR ALL YOUR UNIX/LINUX QUESTIONS, visit: http://unixforum.co.uk

-- 
  _-'`-_-'`-_-'`-_-'`-_-'`-_-'`-_-'`-_-'`-_-'`-_-'`-_-'`-_-'`-_-'`-_
  ||
  | Richard Hobbs[EMAIL PROTECTED]http://mongeese.co.uk |
  | http://unixforum.co.uk |
  ||
  | Registered Linux User: 313906  (http://counter.li.org) |
  ||
  | There's only one way of life, and that's your own|
  |  The Levellers |
  '`-_-'`-_-'`-_-'`-_-'`-_-'`-_-'`-_-'`-_-'`-_-'`-_-'`-_-'`-_-'`-_-'

__
Send all your jokes to : [EMAIL PROTECTED] !!
To subscribe, email: [EMAIL PROTECTED]



IMAP is too secure...

2003-06-10 Thread Hobbs, Richard
Hello,

I think my IMAP server has become too secure... I'm using the current
version of uw-imapd and libc-client2003debian, as listed in stable and
stable-proposed-updates.

I cannot log into my IMAP server any more... It keeps saying Invalid
password. I can only assume it's using password encryption, but I don't
know how to turn it off.

It was never turned on before, but since the upgrade I've been unable to
retrieve my mail through IMAP. It usually asks in the config whether I
want clear-text passwords enabled or not, but it wasn't an option this
time.

Any ideas? I really need to get at the mail.

Thanks in advance...

Hobbs.

--
Richard Hobbs [EMAIL PROTECTED]
http://mongeese.co.uk | http://unixforum.co.uk

There's only one way of life, and that's your own - The Levellers

Registered Linux User: 313906
_
Send all your jokes to [EMAIL PROTECTED] !!
To subscribe, email: [EMAIL PROTECTED]




Re: Have I been hacked?

2003-05-07 Thread Hobbs, Richard
Hello,

Check /var/log/messages to see if anything happened before 14:49 on 7 May... Are
you running logcheck?? It emails you daily reports of important goings on...
like users' crontab changes, logins, su's and other important things. It's very
very useful for spotting non-normal operations like ls.

HTH...

Richard.


Quoting Ian Goodall [EMAIL PROTECTED]:

 I am running a Debian woody server and when I checked the last users
 yesterday I saw a large number of logins in the list. On running the command
 today I get the following:
 
 dev1:/home/ian# last
 ian      pts/0        172.16.3.195     Wed May  7 14:49   still logged in
 team1    pts/0        blue99.ex.ac.uk  Wed May  7 13:21 - 13:57  (00:35)
 
 I have run chkrootkit but nothing was found.
 
 I have never had this before. Am I being paranoid or is someone trying to
 cover up their tracks?
 
 Thanks
 
 ijg0
 
 
 
 
 


-- 
Richard Hobbs
[EMAIL PROTECTED]
http://mongeese.co.uk | http://unixforum.co.uk

There's only one way of life, and that's your own - The Levellers

_
Send all your jokes to [EMAIL PROTECTED] !!
To subscribe, email: [EMAIL PROTECTED]
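
The `last` listing quoted above is read from /var/log/wtmp, and a short listing can simply mean the file was rotated. The following Python sketch is an added example, not part of the original thread: it parses wtmp records (assuming the 384-byte Linux/glibc record layout) and checks that the rotated copy ends before the current file begins. Function names, user names and sample records are constructed for illustration.

```python
import struct
from datetime import datetime, timezone

# Assumed layout: Linux/glibc struct utmp, 384 bytes per record.
UTMP = struct.Struct("<h2xi32s4s32s256shhiii4i20s")

def _text(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_wtmp(data):
    """Return [(time, ut_type, user, line, host), ...] for whole records."""
    out = []
    for off in range(0, len(data) - UTMP.size + 1, UTMP.size):
        f = UTMP.unpack_from(data, off)
        when = datetime.fromtimestamp(f[9], timezone.utc)
        out.append((when, f[0], _text(f[4]), _text(f[2]), _text(f[5])))
    return out

def check_continuity(current, rotated=b""):
    """Return (begins, findings) for wtmp and its rotated copy wtmp.1."""
    cur, old = parse_wtmp(current), parse_wtmp(rotated)
    findings = []
    if len(current) % UTMP.size:
        findings.append("current file is not a whole number of records")
    if not cur:
        return None, findings + ["current file holds no records"]
    times = [r[0] for r in cur]
    if times != sorted(times):  # appended in order unless the clock was reset
        findings.append("records out of time order")
    if not old:
        findings.append("no rotated copy, earlier logins cannot be confirmed")
    elif old[-1][0] > times[0]:
        findings.append("rotated copy ends after current file begins")
    return times[0], findings  # times[0] is what `last` calls "wtmp begins"

def make_record(when, user, line, host, ut_type=7):  # 7 = USER_PROCESS
    """Build one constructed record (sample data, not from a real host)."""
    ts = int(when.replace(tzinfo=timezone.utc).timestamp())
    return UTMP.pack(ut_type, 0, line.encode(), b"", user.encode(),
                     host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0, b"")

# Constructed sample: one April login in wtmp.1, two May logins in wtmp.
ROTATED = make_record(datetime(2003, 4, 30, 9, 0), "user1", "pts/0", "192.0.2.10")
CURRENT = (make_record(datetime(2003, 5, 7, 13, 21, 47), "user2", "pts/0", "host.example")
           + make_record(datetime(2003, 5, 7, 14, 49), "user1", "pts/0", "192.0.2.10"))

if __name__ == "__main__":
    begins, findings = check_continuity(CURRENT, ROTATED)
    print("wtmp begins", begins, "| findings:", findings or "none")
```

An empty findings list only says the two files are consistent with an ordinary rotation; the files can be rewritten by root, so it does not prove that nothing was removed.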



Re: Have I been hacked?

2003-05-07 Thread Hobbs, Richard
Hello,

The SSH error is usually caused by the SSH server (your machine) being
reformatted, or having SSH uninstalled and reinstalled, or having the
public/private keys regenerated for some reason. Have you recently made any
changes to SSH, or reinstalled your system??

It could also happen if he has been making changes to his ~/.ssh/known_hosts 
file.

HTH...

Richard.


Quoting Ian Goodall [EMAIL PROTECTED]:

 Thanks for your help Guys.
 
 It now says this:
 
  wtmp begins Wed May  7 13:21:47 2003
 
 I think that is what had happened. I am new to this and this just looked
 dodgy to me!
 
 A friend also has ssh shell access to the box and got the following error
 message when connecting to the same box:
 
 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
 Someone could be eavesdropping on you right now (man-in-the-middle attack)!
 It is also possible that the RSA host key has just been changed.
 The fingerprint for the RSA key sent by the remote host is
 51:bd:cd:2e:6a:b7:35:b9:54:33:a8:e2:9a:57:95:0d.
 Please contact your system administrator.
 
 I don't get this from any other computers so is this just his computer?
 
 Thanks
 
 - Original Message - 
 From: Eric LeBlanc [EMAIL PROTECTED]
 To: Ian Goodall [EMAIL PROTECTED]
 Cc: debian-security@lists.debian.org
 Sent: Wednesday, May 07, 2003 3:23 PM
 Subject: Re: Have I been hacked?
 
 
 
  Check if your program has rotated the logs...
 
  cd /var/log
 
  ls -l wtmp*
 
  and, check in /etc/cron* or do a crontab -l (in user root)
 
 
  E.
  --
  Eric LeBlanc
  [EMAIL PROTECTED]
  --
  UNIX is user friendly.
  It's just selective about who its friends are.
  ==
 
  On Wed, 7 May 2003, Ian Goodall wrote:
 
   I am running a Debian woody server and when I checked the last users
   yesterday I saw a large number of logins in the list. On running the command
   today I get the following:
  
   dev1:/home/ian# last
   ian      pts/0        172.16.3.195     Wed May  7 14:49   still logged in
   team1    pts/0        blue99.ex.ac.uk  Wed May  7 13:21 - 13:57  (00:35)
  
   I have run chkrootkit but nothing was found.
  
   I have never had this before. Am I being paranoid or is someone trying to
   cover up their tracks?
  
   Thanks
  
   ijg0
  
  
  
 
 


-- 
Richard Hobbs
[EMAIL PROTECTED]
http://mongeese.co.uk | http://unixforum.co.uk

There's only one way of life, and that's your own - The Levellers

_
Send all your jokes to [EMAIL PROTECTED] !!
To subscribe, email: [EMAIL PROTECTED]
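
The fingerprint in the warning quoted above is the legacy colon-separated MD5 form. The following Python sketch is an added example, not part of the original thread: it computes that form from a public host key line, such as the server's ssh_host_rsa_key.pub read on the server itself, and compares it with what the client was shown and with the key the client has stored. The keys are constructed in the code and all function names are illustrative.

```python
import base64
import hashlib
import struct

def _ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def md5_fingerprint(pubkey_line):
    """Legacy colon-separated MD5 fingerprint of an OpenSSH public key line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    # The blob opens with the key type as an SSH string; it must agree
    # with the type named in the first field of the line.
    if blob[:4 + len(fields[0])] != _ssh_string(fields[0].encode()):
        raise ValueError("key type does not match key blob")
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())

def normalise(fingerprint):
    """Accept 'aa:bb:..', a trailing full stop, or OpenSSH's 'MD5:' prefix."""
    fp = fingerprint.strip().rstrip(".").lower()
    return fp[4:] if fp.startswith("md5:") else fp

def explain_warning(reported, known_hosts_key, server_key):
    """Classify a host-key warning from the three values an admin can collect."""
    shown = normalise(reported)
    old = md5_fingerprint(known_hosts_key)
    new = md5_fingerprint(server_key)
    if shown == new and shown != old:
        return "server key was regenerated; client holds the old key"
    if shown == new:
        return "client and server agree; warning came from another entry"
    return "reported key is not the server's; do not connect"

def make_sample_key(modulus):
    """Constructed ssh-rsa public key line for the demo (not a usable key)."""
    blob = (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
            + _ssh_string(b"\x00" + modulus))
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed@example"

OLD_KEY = make_sample_key(bytes(range(128, 256)))  # what known_hosts still holds
NEW_KEY = make_sample_key(bytes(range(127, 255)))  # what the server has now

if __name__ == "__main__":
    print(explain_warning(md5_fingerprint(NEW_KEY), OLD_KEY, NEW_KEY))
```

On a current OpenSSH, `ssh-keygen -l -E md5 -f <public key file>` prints the same value with an `MD5:` prefix, which `normalise` accepts.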



Re: Have I been hacked?

2003-05-07 Thread Hobbs, Richard
Hello,

Yeah, but they don't mean anything... I think they are just markers to say yes
- the daemon is still running.

What is the first thing before all of those --MARK--'s, and when is it?

Richard.


Quoting Ian Goodall [EMAIL PROTECTED]:

 just lots of
 
 May  7 06:03:06 dev1 -- MARK --
 
 - Original Message - 
 From: Hobbs, Richard [EMAIL PROTECTED]
 To: Ian Goodall [EMAIL PROTECTED]
 Cc: debian-security@lists.debian.org
 Sent: Wednesday, May 07, 2003 3:27 PM
 Subject: Re: Have I been hacked?
 
 
  Hello,
 
  Check /var/log/messages to see if anything happened before 14:49 on 7 May... Are
  you running logcheck?? It emails you daily reports of important goings on...
  like users' crontab changes, logins, su's and other important things. It's very
  very useful for spotting non-normal operations like ls.
 
  HTH...
 
  Richard.
 
 
  Quoting Ian Goodall [EMAIL PROTECTED]:
 
   I am running a Debian woody server and when I checked the last users
   yesterday I saw a large number of logins in the list. On running the command
   today I get the following:
  
   dev1:/home/ian# last
   ian      pts/0        172.16.3.195     Wed May  7 14:49   still logged in
   team1    pts/0        blue99.ex.ac.uk  Wed May  7 13:21 - 13:57  (00:35)
  
   I have run chkrootkit but nothing was found.
  
   I have never had this before. Am I being paranoid or is someone trying to
   cover up their tracks?
  
   Thanks
  
   ijg0
  
  
  
 
 


-- 
Richard Hobbs
[EMAIL PROTECTED]
http://mongeese.co.uk | http://unixforum.co.uk

There's only one way of life, and that's your own - The Levellers

_
Send all your jokes to [EMAIL PROTECTED] !!
To subscribe, email: [EMAIL PROTECTED]
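
The question above asks for the last real entry before the run of `-- MARK --` lines. The following Python sketch is an added example, not part of the original thread: it finds that entry and flags silences longer than syslogd's mark timer should allow. It assumes the sysklogd default mark interval of 20 minutes and allows 1.5 intervals, since a mark can be skipped shortly after another write; the log lines are constructed.

```python
from datetime import datetime, timedelta

MARK = "-- MARK --"

def parse(lines, year):
    """Return [(time, message)] from 'Mon DD HH:MM:SS host message' lines."""
    out = []
    for line in lines:
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue  # not a syslog line
        stamp = f"{year} {parts[0]} {parts[1]} {parts[2]}"
        try:
            when = datetime.strptime(stamp, "%Y %b %d %H:%M:%S")
        except ValueError:
            continue  # timestamp did not parse
        out.append((when, parts[4].strip()))
    return out

def review(lines, year, interval=timedelta(minutes=20)):
    """Return (last_real_entry, gaps).

    last_real_entry is the newest non-MARK line; gaps lists (from, to)
    pairs where the log was silent for longer than marks should allow,
    which means syslogd was not running or lines are missing.
    """
    entries = parse(lines, year)
    real = [e for e in entries if e[1] != MARK]
    limit = interval * 1.5 + timedelta(minutes=1)  # assumed tolerance
    gaps = [(a[0], b[0]) for a, b in zip(entries, entries[1:])
            if b[0] - a[0] > limit]
    return (real[-1] if real else None), gaps

# Constructed sample in the format of /var/log/messages (syslog omits the year).
SAMPLE = [
    "May  7 05:02:11 dev1 sshd[812]: constructed sample entry",
    "May  7 05:23:06 dev1 -- MARK --",
    "May  7 05:43:06 dev1 -- MARK --",
    "May  7 06:03:06 dev1 -- MARK --",
    "May  7 07:43:06 dev1 -- MARK --",
]

if __name__ == "__main__":
    last_real, gaps = review(SAMPLE, 2003)
    print("last real entry:", last_real)
    print("silent periods:", gaps)
```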



RE: grsec patch over debian 2.4.20 kernel

2003-04-22 Thread Hobbs, Richard
Hello,

I was under the impression that an apt-get dist-upgrade would upgrade me
to the latest everything...

I am running stable if that makes a difference. Is 2.4.20 in testing or
unstable at the moment, or is it just being blocked from my woody
installation?

Thanks,
Richard.


 -Original Message-
 From: Marcel Weber [mailto:[EMAIL PROTECTED]
 Sent: 22 April 2003 17:13
 To: Hobbs, Richard
 Cc: [EMAIL PROTECTED]; debian-security@lists.debian.org
 Subject: Re: grsec patch over debian 2.4.20 kernel


 Hobbs, Richard wrote:
  Hello,
 
  Where is the 2.4.20 kernel in apt??
 
 Hi

 You do not miss anything (or I would miss the same thing...). The 2.4.20
 kernel is part of sid and not woody. For a 2.4.20 kernel grab sid's
 kernel source or the plain vanilla kernel from kernel.org.

 Regards

 Marcel



--
Richard Hobbs
[EMAIL PROTECTED]
http://mongeese.co.uk | http://unixforum.co.uk

There's only one way of life, and that's your own - The Levellers

_
Send all your jokes to: [EMAIL PROTECTED] !!
To subscribe, email: [EMAIL PROTECTED]




RE: grsec patch over debian 2.4.20 kernel

2003-04-22 Thread Hobbs, Richard
Hello,

Thanks for the reply... So does this mean it will become available in
woody when it is deemed stable enough?

Any ideas when this might be?

Also I am right in saying this does fix the ptrace bug, right? I think
I'm right on this one.

Thanks,
Richard.


 -Original Message-
 From: Emmanuel Lacour [mailto:[EMAIL PROTECTED] 
 Sent: 22 April 2003 18:11
 To: debian-security@lists.debian.org
 Subject: Re: grsec patch over debian 2.4.20 kernel
 
 
 On Tue, Apr 22, 2003 at 06:13:06PM +0200, Marcel Weber wrote:
  Hobbs, Richard wrote:
  Hello,
  
  Where is the 2.4.20 kernel in apt??
  
  Hi
  
  You do not miss anything (or I would miss the same thing...). The 2.4.20
  kernel is part of sid and not woody. For a 2.4.20 kernel grab sid's
  kernel source or the plain vanilla kernel from kernel.org.
  
 you've got a 2.4.20 for woody in the pool, you can get it via:
 deb http://http.us.debian.org/debian woody-proposed-updates main
 
 -- 
 Emmanuel Lacour  Easter-eggs
 44-46 rue de l'Ouest  -  75014 Paris   -   France -  Métro Gaité
 Phone: +33 (0) 1 43 35 00 37- Fax: +33 (0) 1 41 35 00 76
 mailto:[EMAIL PROTECTED]   -http://www.easter-eggs.com
 
 
 
 

-- 
Richard Hobbs
[EMAIL PROTECTED]
http://mongeese.co.uk | http://unixforum.co.uk

There's only one way of life, and that's your own - The Levellers

_
Send all your jokes to: [EMAIL PROTECTED] !!
To subscribe, email: [EMAIL PROTECTED]

