Re: cracked? rm uses obsolete (PF_INET,SOCK_PACKET)

2003-06-16 Thread Stefan Neufeind
On 15 Jun 2003 at 10:36, Noah Meyerhans wrote:

 In terms of protecting against breakin, it seems like a lot of people
 here have been advocating the grsecurity kernel patch.  I have no
 experience with it, but the list of features certainly makes it sound
 like it will protect against some of the frequently exploited classes
 of bugs.  Certainly not all of them, though.  The best thing you can
 do to keep your machine secure is to simply pay attention to what's on
 it and to the potential intrusion vectors that exist.  If you can
 minimize those, you don't even need grsecurity.  (Though there's
 nothing wrong with a little paranoia, especially now that you've
 already experienced a breakin.)

Some features like overflow protection make grsecurity really 
interesting, I think. Need to look into that one further in a while. 
Using all of grsecurity's features is surely not necessary. But it's 
amazing what "switch it on and you're secure" features you get (e.g. 
overflow protection, which makes it REALLY interesting for me).

  Stefan


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: cracked? rm uses obsolete (PF_INET,SOCK_PACKET)

2003-06-15 Thread eyem

 Good luck... The only good thing about being compromised is that it
 makes you more paranoid about being on the net. 

paranoid I now am!!

I always found the concept of script kiddies amusing ... but if I ever found 
this guy I'd wring his neck. Is there any way I can track him down ? (I have 
already backed up some stuff and wiped my hard drive)

After following the Debian "how to secure your system" instructions, I would 
like to go a step further and install snort or something. Is that going too 
far? ... is snort the relevant thing ?

etienne








Re: cracked? rm uses obsolete (PF_INET,SOCK_PACKET)

2003-06-15 Thread Mika Boström
On Sun, 15 Jun 2003, eyem wrote:
 
  Good luck... The only good thing about being compromised is that it
  makes you more paranoid about being on the net. 
 
 paranoid I now am!!
 
 I always found the concept of script kiddies amusing ... but if I ever found 
 this guy I'd ring his neck. Is there any way I can track him down ? (I have 
 already backed up some stuff and wiped my hard drive)
 
 After following the debian how to secure your system instructions, I would 
 like to go a step further and install snort or something. Is that going too 
 far? ... is snort the relevant thing ?

  You must understand that Snort, ACID or any other IDS setup does not
provide any protection against threats. They just monitor what takes
place in the network.

  To really protect against break-ins, install a system monitor. There
are a few Tripwire-like programs. Tiger is a set of scripts, AIDE is
perhaps the best known, Samhain is the one I've been eyeing myself.

  You won't get the same level of protection as simply unplugging the
boxes, but - when used properly - you should get a comprehensive listing
of what exactly has been changed in the system. At least it makes the
rebuilding process a bit less brutal an experience.

-- 
 Mika Boström  +358-50-410-9042  \-/  The Hell is empty,
 [EMAIL PROTECTED]www.lut.fi/~bostik  Xand all the devils
 Security freak, and proud of it./-\   are here. -W.S.




Re: cracked? rm uses obsolete (PF_INET,SOCK_PACKET)

2003-06-15 Thread Phillip Hofmeister
On Sun, 15 Jun 2003 at 04:13:19AM -0500, eyem wrote:
 paranoid I now am!!
 
 I always found the concept of script kiddies amusing ... but if I ever found 
 this guy I'd ring his neck. Is there any way I can track him down ? (I have 
 already backed up some stuff and wiped my hard drive)

You can try, but do you trust logs of a cracked system?  If you had an
uncompromised syslog server it would be more reliable b/c they can
INSERT bogus logs but not delete/modify any logs...

 
 After following the debian how to secure your system instructions, I would 
 like to go a step further and install snort or something. Is that going too 
 far? ... is snort the relevant thing ?

Snort in stable is old.  You may wish to compile the one in unstable and
use that one or download it from snort.org.

Here are a few keys to security:

1. Watch bug track.  If a new vuln is discovered in a service you are
running then shut it off or block it at some network border.

2. When a DSA comes out, apt-get update and apt-get upgrade EVERY
machine.  You may wish to put this in your cron.daily or in a crontab

 @daily  apt-get -q -q -q -q update && apt-get -s -q -q -q -q upgrade

3. Don't send passwords in the clear, ever.


4. Firewall your machine/network or both.


-- 
Phillip Hofmeister

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #132: Bugs in the RAID 





Re: cracked? rm uses obsolete (PF_INET,SOCK_PACKET)

2003-06-15 Thread Noah Meyerhans
On Sun, Jun 15, 2003 at 04:29:36PM +0300, Mika Boström wrote:
   You must understand that Snort, ACID or any other IDS setup does not
 provide any protection against threats. They just monitor what takes
 place in the network.
 
   To really protect against break-ins, install a system monitor. There
 are a few Tripwire-like programs. Tiger is a set of scripts, AIDE is
 perhaps the best known, Samhain is the one I've been eyeing myself.

tripwire and similar programs don't provide any protection against
break-ins.  Certainly no more than snort and other network-based IDSes.
Tripwire, Tiger, etc are host-based IDSes, while snort is an example
of a network-based IDS.  Neither provides any actual protection
against break-in, they merely help you to realize it when it happens.
They should be used in concert with each other for maximum utility.

In terms of protecting against breakin, it seems like a lot of people
here have been advocating the grsecurity kernel patch.  I have no
experience with it, but the list of features certainly makes it sound
like it will protect against some of the frequently exploited classes of
bugs.  Certainly not all of them, though.  The best thing you can do to
keep your machine secure is to simply pay attention to what's on it and
to the potential intrusion vectors that exist.  If you can minimize
those, you don't even need grsecurity.  (Though there's nothing wrong
with a little paranoia, especially now that you've already experienced a
breakin.)

noah





Re: cracked? rm uses obsolete (PF_INET,SOCK_PACKET)

2003-06-15 Thread Sebastian
On Sun, 2003-06-15 at 16:03, Phillip Hofmeister wrote:
  @daily  apt-get -q -q -q -q update && apt-get -s -q -q -q -q upgrade

Better use secpack, it will verify the signatures before upgrade:
http://therapy.endorphin.org/secpack/

But still, automatic installation is not sufficient. For example, if
there is a bug in the openssl libraries, you must restart all services
that use it. Just installing new libraries is not enough.

Sebastian
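
An added example illustrating Sebastian's point (this is not code from any poster, nor a Debian tool): after a library package is upgraded, the processes that loaded the old copy keep running the vulnerable code until they are restarted. The kernel makes this visible: dpkg replaces a library by writing a new file and unlinking the old one, so a process that still maps the old inode shows it as "(deleted)" in /proc/<pid>/maps. The script below reads those maps the way checkrestart and needrestart do; the sample maps text is constructed for the demonstration.

```python
"""Find processes still running code from a library that has been replaced
on disk (the situation Sebastian describes after an openssl upgrade).

Added example for this thread; not code from any poster or from Debian.
dpkg replaces a library by writing a new file and unlinking the old one,
so any process that loaded the old copy keeps the dead inode mapped, and
the kernel marks that mapping "(deleted)" in /proc/<pid>/maps.  Those
processes must be restarted before the security fix actually applies.
"""
import os
import re
from typing import Dict, Set

# One /proc/<pid>/maps line: start-end perms offset dev inode [path [(deleted)]]
_MAPS_LINE = re.compile(
    r"^[0-9a-f]+-[0-9a-f]+\s+\S+\s+[0-9a-f]+\s+\S+\s+\d+\s+"
    r"(?P<path>/.+?)(?P<deleted>\s\(deleted\))?$"
)

# Mappings that are "(deleted)" by design and are not stale libraries.
_IGNORED_PREFIXES = ("/dev/", "/memfd:", "/SYSV", "/run/shm/", "/dev/shm/")


def stale_libraries(maps_text: str) -> Set[str]:
    """Return the paths of files a process has mapped whose on-disk copy has
    since been unlinked.  Input is the text of one /proc/<pid>/maps file."""
    stale = set()
    for line in maps_text.splitlines():
        m = _MAPS_LINE.match(line.strip())
        if not m or not m.group("deleted"):
            continue
        path = m.group("path")
        if path.startswith(_IGNORED_PREFIXES):
            continue
        stale.add(path)
    return stale


def scan_processes(proc_root: str = "/proc") -> Dict[int, Set[str]]:
    """Map pid -> stale library paths for every process whose maps we can
    read.  Run as root, or you will only see your own processes."""
    result = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as fh:
                stale = stale_libraries(fh.read())
        except OSError:
            continue  # process exited meanwhile, or permission denied
        if stale:
            result[int(entry)] = stale
    return result


# Constructed sample (not a real capture): an sshd that loaded libssl before
# the package was upgraded.  libcrypto was not replaced; /dev/zero is a
# shared anonymous mapping that is always reported as deleted.
SAMPLE_MAPS = """\
55d0c0a00000-55d0c0a1e000 r-xp 00000000 08:01 1048577   /usr/sbin/sshd
7f1c8c200000-7f1c8c22a000 r--p 00000000 08:01 1311234   /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (deleted)
7f1c8c22a000-7f1c8c3a0000 r-xp 0002a000 08:01 1311234   /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (deleted)
7f1c8c400000-7f1c8c5a3000 r-xp 00000000 08:01 1311200   /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
7f1c8c700000-7f1c8c701000 rw-s 00000000 00:01 12345     /dev/zero (deleted)
7ffd2b3c0000-7ffd2b3e1000 rw-p 00000000 00:00 0         [stack]
"""

if __name__ == "__main__":
    print("sample:", sorted(stale_libraries(SAMPLE_MAPS)))
    for pid, libs in sorted(scan_processes().items()):
        print(f"pid {pid} still maps replaced files: {', '.join(sorted(libs))}")
```

Run it as root right after the apt-get upgrade; every pid it prints is a service to restart (or a box to reboot if the replaced file is libc).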





Re: cracked? rm uses obsolete (PF_INET,SOCK_PACKET)

2003-06-15 Thread Fuska

On Saturday 14 June 2003 08:16, eyem wrote:
 Hello,

  Hello.


 rm uses obsolete (PF_INET,SOCK_PACKET)
 ...
 eth0: Setting promiscuous mode
 ppp0: Setting promiscuous mode
 ...

 I found some stuff in /dev, hdx1 and hdx2  is that normal?


  No, that isn't normal. It seems that you have been infected with the rstb
virus. It infects all executable files under the /bin/ directory and under the
directory from which the infected file has been launched. Search for
rstb_cleaner; with this tool you can clean the infected files.

 Anyway, I have no idea where to go from here.
 I dont know if it will be just a couple of things to fix up, or if I should
 toast my whole system: major major hasstle)


  Most of the 7350* fake 0days are infected with some kind of virus. Maybe a user
uploaded and executed an infected exploit.

--
Linux registered User #142704    PGP key:
http://www.keyserver.net:11371/pks/lookup?search=Fuska&op=get
Fingerprint = F6B3 B665 95FA B9D0 13FD 72D5 5106 22F7 58BD 7EDE
~~~
 You impose the law of silence on me       | You are in a dark room with a
 because you are afraid that this, your    | compiler, emacs, an internet
 world, may not be the best of worlds      | connection, and a thermos of
 but the worst, the most sordid. - Dario Fo | coffee. Your move?







Re: cracked? rm uses obsolete (PF_INET,SOCK_PACKET)

2003-06-15 Thread Rick Moen
Quoting Fuska ([EMAIL PROTECTED]):

 No, that isn't normal. It seems that you have been infected with the rstb
 virus. It infects all executable files under the /bin/ directory and under the
 directory from which the infected file has been launched. Search for
 rstb_cleaner; with this tool you can clean the infected files.

Ah, a local ELF-header infector.  How quaint!  Haven't seen those in a
dog's age.

 Most of 7350* fake 0days are infected with some kind of virus. Maybe
 a user uploaded and executed an infected exploit.

Executed with root-user authority, if the process modified /bin/*, yes?

-- 
Cheers,  First they came for the verbs, and I said nothing, for
Rick Moenverbing weirds language.  Then, they arrival for the nouns
[EMAIL PROTECTED]  and I speech nothing, for I no verbs. - Peter Ellis
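
An added example tying together two threads of this discussion: Mika's and Noah's point that a host-based checker such as Tripwire or AIDE only tells you what changed, and Fuska's and Rick's exchange about an infector rewriting everything under /bin. It is not code from any poster nor from the AIDE, Tripwire or Samhain projects; it shows the two operations such a checker performs (baseline, then compare) and additionally verifies files against the per-package md5sums dpkg keeps in /var/lib/dpkg/info/<pkg>.md5sums, which is the quickest way to list the binaries an infector touched. The directory tree and md5sums in demo() are constructed for the run.

```python
"""Baseline-and-verify file integrity check, in the spirit of Tripwire/AIDE.

Added example for this thread, not code from any poster or from the
AIDE/Tripwire/Samhain projects.  A host-based integrity checker does two
things: (1) record a digest of every file under chosen directories while
the system is known good, and (2) later re-hash and report what was added,
removed or changed.  verify_md5sums() does the same against dpkg's own
<pkg>.md5sums files, which is how you find the /bin binaries an infector
such as RST-B rewrote.  As the thread says, the baseline is only
trustworthy if it is kept off the host and the check runs from a clean
kernel (boot medium), never from the compromised one.
"""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List, Tuple


def file_digest(path: str, algo: str = "sha256") -> str:
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(roots: Iterable[str]) -> Dict[str, str]:
    """Digest every regular file below the given directories.  Symlinks are
    recorded by their target instead of being followed: an attacker can
    repoint one without touching the file it used to name."""
    baseline = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                full = os.path.join(dirpath, name)
                if os.path.islink(full):
                    baseline[full] = "symlink->" + os.readlink(full)
                elif os.path.isfile(full):
                    baseline[full] = file_digest(full)
    return baseline


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report added, removed and changed paths between two baselines."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline.keys() & current.keys()
                          if baseline[p] != current[p]),
    }


def parse_md5sums(text: str) -> Dict[str, str]:
    """Parse dpkg's <pkg>.md5sums: '<md5hex>  <path relative to />' per line."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            entries[parts[1].strip()] = parts[0]
    return entries


def verify_md5sums(entries: Dict[str, str], root: str = "/") -> List[Tuple[str, str]]:
    """Return (relative path, reason) for every packaged file that is missing
    or whose content no longer matches what the package shipped."""
    problems = []
    for rel, expected in entries.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            problems.append((rel, "missing"))
        elif file_digest(full, "md5") != expected:
            problems.append((rel, "modified"))
    return problems


def demo() -> Dict[str, object]:
    """Constructed run: baseline a fake /bin, then simulate an infector that
    appends code to one binary and drops a new hidden file."""
    with tempfile.TemporaryDirectory() as tmp:
        bindir = os.path.join(tmp, "bin")
        os.mkdir(bindir)
        names = ("ls", "rm", "ps")
        for name in names:
            with open(os.path.join(bindir, name), "wb") as fh:
                fh.write(b"\x7fELF original " + name.encode())
        # What dpkg would have recorded at install time (constructed).
        md5sums = "".join(f"{file_digest(os.path.join(bindir, n), 'md5')}  bin/{n}\n" for n in names)
        before = build_baseline([bindir])
        # --- simulated compromise ---
        with open(os.path.join(bindir, "rm"), "ab") as fh:
            fh.write(b"\x90\x90 injected")
        with open(os.path.join(bindir, ".sniff"), "wb") as fh:
            fh.write(b"not from any package")
        diff = compare(before, build_baseline([bindir]))
        return {
            "added": [os.path.basename(p) for p in diff["added"]],
            "removed": [os.path.basename(p) for p in diff["removed"]],
            "changed": [os.path.basename(p) for p in diff["changed"]],
            "md5sums": verify_md5sums(parse_md5sums(md5sums), root=tmp),
        }


if __name__ == "__main__":
    print(demo())
```

Note that the md5sums route only covers files that came from a package and trusts /var/lib/dpkg on the same disk, which the intruder could have edited; the off-host baseline has neither limitation, which is why the thread recommends a real integrity checker rather than debsums alone.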





Re: cracked? rm uses obsolete (PF_INET,SOCK_PACKET)

2003-06-15 Thread [EMAIL PROTECTED]
Fuska wrote:

rm uses obsolete (PF_INET,SOCK_PACKET)
...
eth0: Setting promiscuous mode
ppp0: Setting promiscuous mode
...

I found some stuff in /dev, hdx1 and hdx2  is that normal?



   No, that isn't normal. It seems that you have been infected with the rstb
 virus. It infects all executable files under the /bin/ directory and under the
 directory from which the infected file has been launched. Search for
 rstb_cleaner; with this tool you can clean the infected files.



http://www.sophos.com/virusinfo/analyses/linuxrstb.html
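
An added example for the symptom that started this thread (not code from any poster): the kernel messages quoted above mean a process, here one calling itself "rm", opened a packet socket and put eth0 and ppp0 into promiscuous mode, i.e. a sniffer is running. The script below shows how to find such a process without trusting ps or netstat on the box: every open AF_PACKET socket is listed in /proc/net/packet with its inode, each inode appears as a socket:[inode] symlink under some /proc/<pid>/fd, and promiscuous mode is bit 0x100 (IFF_PROMISC) in /sys/class/net/<iface>/flags. The /proc/net/packet sample is constructed; the /sys path and its flags format are those of current kernels, not of the 2.4 kernels of 2003.

```python
"""Find the process behind "eth0: Setting promiscuous mode".

Added example for this thread, not code from any poster.  Every open
AF_PACKET socket is listed in /proc/net/packet with its inode number,
every inode is reachable from some /proc/<pid>/fd/* symlink, and
promiscuous mode is IFF_PROMISC (0x100) in /sys/class/net/<iface>/flags.
Run as root.  If the kernel itself is rootkitted, /proc can lie, so this
is triage, not proof; the thread's advice to rebuild still stands.
"""
import os
import re
from typing import Dict, Iterable, List

IFF_PROMISC = 0x100
SOCK_TYPES = {2: "SOCK_DGRAM", 3: "SOCK_RAW", 10: "SOCK_PACKET"}  # 10 is the obsolete kind


def packet_sockets(text: str) -> List[Dict[str, int]]:
    """Parse /proc/net/packet.  Columns (net/packet/af_packet.c):
    sk RefCnt Type Proto Iface R Rmem User Inode."""
    sockets = []
    for line in text.splitlines()[1:]:  # first line is the header
        cols = line.split()
        if len(cols) < 9:
            continue
        sockets.append({
            "type": int(cols[2]),
            "proto": int(cols[3], 16),  # 0x0003 = ETH_P_ALL: capture everything
            "ifindex": int(cols[4]),    # 0 = not bound to one interface
            "uid": int(cols[7]),
            "inode": int(cols[8]),
        })
    return sockets


def socket_owners(inodes: Iterable[int], proc_root: str = "/proc") -> Dict[int, List[int]]:
    """Map each socket inode to the pids holding it open, by reading the
    socket:[inode] symlinks under /proc/<pid>/fd."""
    owners = {int(i): [] for i in inodes}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue  # process gone, or not readable without root
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m and int(m.group(1)) in owners:
                owners[int(m.group(1))].append(int(pid))
    return owners


def flags_promiscuous(flags_text: str) -> bool:
    """True if a /sys/class/net/<iface>/flags value such as "0x1143" has IFF_PROMISC set."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promiscuous_interfaces(sys_net: str = "/sys/class/net") -> List[str]:
    found = []
    for iface in sorted(os.listdir(sys_net)):
        try:
            with open(os.path.join(sys_net, iface, "flags")) as fh:
                if flags_promiscuous(fh.read()):
                    found.append(iface)
        except OSError:
            continue
    return found


# Constructed sample of /proc/net/packet (not a real capture): one raw
# socket owned by uid 0, bound to ifindex 2, capturing all protocols.
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff8880361c0000 3      3    0003   2     1 0      0      23456
"""

if __name__ == "__main__":
    try:
        with open("/proc/net/packet") as fh:
            live = packet_sockets(fh.read())
    except OSError:
        live = []
    owners = socket_owners([s["inode"] for s in live])
    for s in live:
        print(f"{SOCK_TYPES.get(s['type'], s['type'])} proto=0x{s['proto']:04x} "
              f"ifindex={s['ifindex']} uid={s['uid']} pids={owners[s['inode']]}")
    try:
        print("promiscuous interfaces:", promiscuous_interfaces())
    except OSError:
        print("no /sys/class/net on this system")
```

A pid that owns a raw socket with proto 0x0003 and whose executable is named like a coreutils binary is exactly the picture the original kernel message paints; check its /proc/<pid>/exe link and cwd before pulling the plug.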





Re: cracked? rm uses obsolete (PF_INET,SOCK_PACKET)

2003-06-14 Thread David B Harris
On Sat, 14 Jun 2003 01:16:56 -0500
eyem [EMAIL PROTECTED] wrote:
 Anyway, I have no idea where to go from here.
 I dont know if it will be just a couple of things to fix up, or if I should 
 toast my whole system: major major hasstle)
 
 any help is appreciated

Really, yes, you want to rebuild it entirely from scratch. Most likely,
your machine will (at the very least) be used to attack any number of
networks - some of which I may be involved in administering :)

However, hopefully before you do that you can get somebody to find out
how the intruder got in (I don't have the time or the skill myself, but
we can hope somebody else will volunteer) - chances are it was some
insecure configuration or a not-updated-recently-enough package. There's
the off chance it's a new vulnerability though.




Re: cracked? rm uses obsolete (PF_INET,SOCK_PACKET)

2003-06-14 Thread Jamie Lawrence
On Sat, 14 Jun 2003, eyem wrote:

 Hello,
 
 I think my box has been compromised.. its my first time and it is a 
 rather unpleasant experience!

Yes, it sounds as if you have been, and yes, it is not fun.

I sympathize (only happened to me once, which was more than enough).
 
 I found some stuff in /dev, hdx1 and hdx2  is that normal?

Hard to say. Are they device files? If they aren't, investigate them to
try to figure out what's going on (get them to a known good machine, run
strings on them, for starters. Try to find commonalities with known
rootkits. If you have the skill, disassemble them. If not, run them in a
sandbox on a machine you can afford to rebuild and see what they do.).
 
 Anyway, I have no idea where to go from here.
 I dont know if it will be just a couple of things to fix up, or if I should 
 toast my whole system: major major hasstle)

Best practice is to pull the network plug and investigate how the
attacker got in. Then, redeploy with that problem (and any other problem 
you found during forensics) fixed.

Frequently in the real world, that isn't possible. Then you have to fall
back on a reinstall and restore from backups, and watch what happens
from an extremely paranoid stance.

You really don't want to attempt a cleanup, because you never know if
you found every potential trap, so you can never trust the machine again.
Not the sort of thing you want on your network.

Good luck... The only good thing about being compromised is that it
makes you more paranoid about being on the net. 

-j

-- 
Jamie Lawrence[EMAIL PROTECTED]
A computer without a Microsoft operating system is like a dog
without bricks tied to its head.
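
An added example for Jamie's first question, "are they device files?" (this is not code from any poster): /dev should contain device nodes, symlinks, a few directories such as pts and shm, and the odd FIFO or socket, but no regular files. Rootkits of this era kept sniffer logs and configuration in /dev under device-like names precisely because nobody reads that directory, and the poster's /dev/hdx1 and /dev/hdx2 fit that pattern. The script walks /dev and lists every regular file, flagging names that imitate a device; the directory tree in demo() is constructed, since real device nodes need root to create.

```python
"""Triage /dev for files that do not belong there.

Added example for this thread, not code from any poster.  Every regular
file found under /dev is reported, with a note when its name imitates a
device node (the poster's hdx1/hdx2).  Expect the list to be short on a
clean box, so anything on it deserves `file` and `strings` on a known-good
machine, as Jamie suggests.
"""
import os
import re
import stat
import tempfile
from typing import List, Tuple

# Names that look like device nodes: IDE/SCSI disks and partitions, ttys, etc.
DEVICE_LIKE_NAME = re.compile(r"^(hd[a-z]+\d*|sd[a-z]+\d*|tty\w*|pts\w*|ptmx|null|zero|u?random)$")


def classify(path: str) -> str:
    """Classify one directory entry without following symlinks."""
    mode = os.lstat(path).st_mode
    for test, kind in (
        (stat.S_ISLNK, "symlink"), (stat.S_ISCHR, "char-device"),
        (stat.S_ISBLK, "block-device"), (stat.S_ISDIR, "directory"),
        (stat.S_ISFIFO, "fifo"), (stat.S_ISSOCK, "socket"),
        (stat.S_ISREG, "regular-file"),
    ):
        if test(mode):
            return kind
    return "unknown"


def suspicious_entries(dev_root: str = "/dev") -> List[Tuple[str, str]]:
    """Return (path, reason) for every regular file below dev_root.
    os.walk does not follow symlinked directories, so links such as
    /dev/fd -> /proc/self/fd are not descended into."""
    findings = []
    for dirpath, dirs, files in os.walk(dev_root):
        for name in dirs + files:  # device nodes, fifos and sockets all land in `files`
            full = os.path.join(dirpath, name)
            try:
                kind = classify(full)
            except OSError:
                continue
            if kind == "regular-file":
                reason = "regular file in /dev"
                if DEVICE_LIKE_NAME.match(name):
                    reason += " with a device-like name"
                findings.append((full, reason))
    return sorted(findings)


def demo() -> List[Tuple[str, str]]:
    """Constructed /dev look-alike: a directory, a symlink and a FIFO as the
    legitimate entries, plus the kind of droppings the poster found."""
    with tempfile.TemporaryDirectory() as tmp:
        os.mkdir(os.path.join(tmp, "pts"))
        os.symlink("/proc/self/fd", os.path.join(tmp, "fd"))
        os.mkfifo(os.path.join(tmp, "initctl"))
        for name in ("hdx1", "hdx2"):  # sniffer config and log under disk-like names
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(b"not a device node")
        with open(os.path.join(tmp, "pts", ".log"), "wb") as fh:
            fh.write(b"hidden file inside a legitimate subdirectory")
        return [(os.path.relpath(p, tmp), r) for p, r in suspicious_entries(tmp)]


if __name__ == "__main__":
    print("constructed tree:", demo())
    for path, reason in suspicious_entries("/dev"):
        print(f"{path}: {reason}")
```

On very old Debian installs /dev/MAKEDEV may show up if it is a real file rather than a symlink to /sbin/MAKEDEV; everything else on the list should be explained before the box is trusted again, and as the thread says, in practice that means rebuilding rather than cleaning.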




