Re: [expert] mounting "win2000" ntfs partitions

2002-07-27 Thread Michael Holt

On Mon, 22 Jul 2002, civileme uttered these words of wisdom:

>To all of your others out there, it is no kidding DEADLY to install 
>windows second. My recovery here was not for the faint of heart--23 
>partitions on two hdds were thoroughly scrambled by XP renumbering. I 
>had to rescue boot and find root and edit fstab, and that still didn't 
>work because my old /var partition was renumbered where swap was so my 
>logs disappeared at swapon... A reinstall was necessary formatting /boot 
>/ and /usr fortunately I keep /home /usr/local and /opt separate. I 
>could have used expert mode on fdisk to recover--redoing my old 
>partition table-- but that still would not have covered the destruction 
>of /var.
>
>Civileme

I've had a similar experience trying to beta test WinXP on the same computer 
I had linux loaded.  Any hard disk which was connected when XP would boot 
didn't operate correctly afterward.  I don't really remember the details 
since it was quite a while back, but that, along with the rest of your 
response to this email, makes me want to see Bill Gates behind bars!  
It sounds like soon it will be illegal to use anything windows - why can't 
people (lawmakers) just see through all that and quit giving M$ free 
rides?

/mike

-- 
Michael Holt
Banning, CA
[EMAIL PROTECTED]
www.holt-tech.net
www.mandrake.com

  "AOL for Dummies" is kind of redundant, don't you think?




Want to buy your Pack or Services from MandrakeSoft? 
Go to http://www.mandrakestore.com



Re: [expert] Diagnosing server problems and screwing up threads...

2002-07-27 Thread g

greetings hop along,

Hopper wrote:
>
> Regarding Samba and Winbind again: I've killed my server.

you have also distorted an e-mail post thread.

email contains what is called a 'header'. in the header, along with all that is
in an email header, is what is known as 'references:'.

'references:' does just that. it contains reference numbers for emails and
in that group of referenced numbers are various referenced email addresses.

when a _good_ email reader is set to display in 'thread', 'references:' is
used to group emails with *normally* same 'subject:' into a 'spool'.

there are many readers of tech support list, such as this, that run their
email reader in thread mode. do not ask why, common sense tells you why,
try it and you will see why.

there are some la's that read a post to a list, click the reply button, and will
break a thread by changing the subject line, and throw in their endearing words
to something totally unrelated to the original subject of the thread. yes, i did
this myself, tho not because i am an la.

some readers will reply to thread busters, some will not. some who
answer, may know answer. many who do not reply may know answer.

of those who replied, who was able to help. of
those who read and did not reply, who knew answer.

want to increase your chance of a reply? do not break a thread.

want to increase your chance of an answer? do not break a thread.

why? simple.
 it is polite not to break a thread.
 not all threads are followed, so some spools stay closed.
 new subject/thread is most always seen.

i am not being biased, just trying to help some la newbies
understand what kind of harm may be within their bad habits.

did i break thread? how could i? it is already broken.

who will see this? i do not know.
who will it help? time will show intelligence.
who will reply with flame? those of little ".

btw. i do hope you get your problems fixed. samba and winbind
work fine, sometimes, they just need some special tweaking.


peace out, rocky.

tc,hago.

g
.
--
 think green...  save a tree, save a life, save time, save bandwidth,
  save storage.   send email,   text/plain - disable pgp/gpg/geek code
=+=
 if you are proud to be an american, then buy "made in america".
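The grouping the post above describes (a threading reader joining messages through their 'references:' headers, with no help from the subject line) in working code. This is an added example, not code from the post or from any mail reader; the header names are the standard RFC 2822 ones (Message-ID, In-Reply-To, References) and the four sample messages are constructed. They make the post's point: a reply that keeps its References: stays in the thread even when its Subject: is changed, while a reply whose References: and In-Reply-To: were stripped starts a new thread even though its Subject: still matches.

```python
"""Group mailing-list messages into threads from their References: and
In-Reply-To: headers, the way a threading mail reader does.

Added example, not code from the list post above. Header names are the
standard RFC 2822 ones; the sample messages are constructed.
"""
import re
from email import message_from_string

MSGID_RE = re.compile(r"<[^>]+>")


class _DisjointSet:
    """Union-find over Message-IDs: every id a message cites is joined
    with the message's own id, so replies to replies collapse into one set."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def group_threads(raw_messages):
    """Return a list of threads (each a list of Subject: values) in the
    order in which each thread first appeared."""
    ds = _DisjointSet()
    parsed = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        mid = msg["Message-ID"].strip()
        parsed.append((mid, msg["Subject"]))
        ds.find(mid)  # register the id even if nothing references it
        for header in ("References", "In-Reply-To"):
            for ref in MSGID_RE.findall(msg.get(header, "")):
                ds.union(ref, mid)
    threads, order = {}, []
    for mid, subject in parsed:
        root = ds.find(mid)
        if root not in threads:
            threads[root] = []
            order.append(root)
        threads[root].append(subject)
    return [threads[root] for root in order]


# Constructed sample traffic (not real list mail).
SAMPLE = [
    "Message-ID: <1@lists.example>\n"
    "Subject: [expert] Samba and Winbind\n\nbody\n",
    "Message-ID: <2@lists.example>\n"
    "In-Reply-To: <1@lists.example>\n"
    "References: <1@lists.example>\n"
    "Subject: Re: [expert] Samba and Winbind\n\nbody\n",
    # Subject: changed, but References: kept, so it still threads.
    "Message-ID: <3@lists.example>\n"
    "References: <1@lists.example> <2@lists.example>\n"
    "Subject: Re: [expert] Diagnosing server problems\n\nbody\n",
    # Same Subject:, but no References:/In-Reply-To: at all: a broken thread.
    "Message-ID: <4@lists.example>\n"
    "Subject: Re: [expert] Samba and Winbind\n\nbody\n",
]

if __name__ == "__main__":
    for i, thread in enumerate(group_threads(SAMPLE), 1):
        print("thread %d:" % i)
        for subject in thread:
            print("   ", subject)
```

Union-find is used rather than "first entry of References: is the root" because a reply can arrive before the message it answers, or cite only In-Reply-To:; joining every cited id with the message's own id gives the same grouping regardless of arrival order.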








[expert] lsb dependency on wu-ftpd

2002-07-27 Thread David Relson

Greetings,

Out of curiosity, I started to install the lsb package and discovered that 
it is dependent on wu-ftpd.  I have proftpd installed as my preferred 
daemon and don't want wu-ftpd.  Can the requirement for an ftp daemon be 
made more flexible?

Thanks.

David

David Relson   Osage Software Systems, Inc.
[EMAIL PROTECTED]   Ann Arbor, MI 48103
www.osagesoftware.com  tel:  734.821.8800







[expert] Hack attack or not?

2002-07-27 Thread David Guntner

Hi,

This morning, I ran chkrootkit on my ML 8.2 system, and everything turned 
up with the usual "nothing found" message, except the last one.  It came 
up:

Checking 'sniffer'... Checking 'wted'... 2 deletions found between {time} 
and {time}

(The "{time}" is just me saving myself some typing - there were actually 
times present. :)

Question:  Based on this, is my system likely to have been compromised or 
not?  For that matter, what's wted?

  --Dave
-- 
  David Guntner  GEnie: Just say NO!
 http://www.akaMail.com/pgpkey/davidg or key server
 for PGP Public key
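What a "deletions found between" report from chkrootkit's 'wted' test means, as an added example that is not chkrootkit's own code: the test walks /var/log/wtmp record by record and reports runs of records that have been wiped to all zeros, bracketed by the timestamps of the valid records on either side. The record layout assumed here is the 384-byte glibc `struct utmp` of 32- and 64-bit Linux, little-endian; the wtmp image is constructed so the script runs offline. A second heuristic (timestamps running backwards, not part of chkrootkit's test) is included because wtmp is append-only and a normal login/logout never produces either pattern.

```python
"""Look for wiped records in a wtmp file, the condition chkrootkit's
'wted' test reports as "N deletions found between <t1> and <t2>".

Added example, not chkrootkit's code. Assumes the 384-byte glibc
struct utmp layout (little-endian x86); sample data is constructed.
"""
import struct
import time

# struct utmp: ut_type, pad, ut_pid, ut_line[32], ut_id[4], ut_user[32],
# ut_host[256], ut_exit (2 shorts), ut_session, ut_tv (sec, usec),
# ut_addr_v6[4], 20 unused bytes.
UTMP = struct.Struct("<hxxi32s4s32s256shhiii4i20x")
assert UTMP.size == 384

EMPTY, USER_PROCESS, DEAD_PROCESS = 0, 7, 8


def pack_record(ut_type, pid, line, user, host, ts):
    """Build one wtmp record (used here only to construct sample data)."""
    return UTMP.pack(ut_type, pid, line.encode(), b"", user.encode(),
                     host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0)


def _records(data):
    """Yield (ut_type, tv_sec) for each whole record in the file image."""
    for off in range(0, len(data) - len(data) % UTMP.size, UTMP.size):
        rec = UTMP.unpack_from(data, off)
        yield rec[0], rec[9]


def find_deletions(data):
    """[(count, before_ts, after_ts), ...] for every run of all-zero
    records, bracketed by the neighbouring valid timestamps (None when
    the run touches the start or end of the file)."""
    findings, last_valid, run = [], None, 0
    for ut_type, ts in _records(data):
        if ut_type == EMPTY and ts == 0:
            run += 1
            continue
        if run:
            findings.append((run, last_valid, ts))
            run = 0
        last_valid = ts
    if run:
        findings.append((run, last_valid, None))
    return findings


def find_time_reversals(data):
    """Extra heuristic (not chkrootkit's): wtmp is written in time order,
    so a record dated before its predecessor points to splicing or
    truncation. Returns [(record_index, prev_ts, ts), ...]."""
    out, prev = [], None
    for i, (ut_type, ts) in enumerate(_records(data)):
        if ut_type == EMPTY and ts == 0:
            continue
        if prev is not None and ts < prev:
            out.append((i, prev, ts))
        prev = ts
    return out


def describe(finding):
    """Render a finding in the style of chkrootkit's message."""
    count, t1, t2 = finding

    def fmt(t):
        if t is None:
            return "<edge of file>"
        return time.strftime("%a %b %d %H:%M:%S %Y", time.gmtime(t))

    return "%d deletion%s found between %s and %s" % (
        count, "" if count == 1 else "s", fmt(t1), fmt(t2))


# Constructed sample: a login, its logout, two records wiped to zero, then
# a later login. 1027728000 is 2002-07-27 00:00:00 UTC.
BASE = 1027728000
SAMPLE_WTMP = b"".join([
    pack_record(USER_PROCESS, 1001, "pts/0", "dave", "10.0.0.2", BASE),
    pack_record(DEAD_PROCESS, 1001, "pts/0", "", "", BASE + 600),
    bytes(UTMP.size * 2),
    pack_record(USER_PROCESS, 1042, "pts/1", "dave", "10.0.0.2", BASE + 7200),
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_WTMP
    for finding in find_deletions(data):
        print(describe(finding))
    for idx, prev, ts in find_time_reversals(data):
        print("record %d: timestamp %d precedes previous %d" % (idx, ts, prev))
```

Run it with a path to a real wtmp to scan that file, or with no argument to scan the constructed sample. Because the records are binary and sized per architecture, check `UTMP.size` against `sizeof(struct utmp)` on the machine before trusting the result on anything other than x86 Linux.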







Re: [expert] Hack attack or not?

2002-07-27 Thread civileme

David Guntner wrote:

>Hi,
>
>This morning, I ran chkrootkit on my ML 8.2 system, and everything turned 
>up with the usual "nothing found" message, except the last one.  It came 
>up:
>
>Checking 'sniffer'... Checking 'wted'... 2 deletions found between {time} 
>and {time}
>
>(The "{time}" is just me saving myself some typing - there were actually 
>times present. :)
>
>Question:  Based on this, is my system likely to have been compromised or 
>not?  For that matter, what's wted?
>
>  --Dave
>
>
>
>

wted  --  wtmp editor

>
http://www.cleo-and-nacho.com/cnd/text/hackkit.txt

Reading the whole doc will be educational.  The grammar isn't perfect 
but the message is unusually clear.


Civileme








Re: [expert] Hack attack or not?

2002-07-27 Thread J. Craig Woods

David Guntner wrote:
> 
> Hi,
> 
> This morning, I ran chkrootkit on my ML 8.2 system, and everything turned
> up with the usual "nothing found" message, except the last one.  It came
> up:
> 
> Checking 'sniffer'... Checking 'wted'... 2 deletions found between {time}
> and {time}
> 
> (The "{time}" is just me saving myself some typing - there were actually
> times present. :)
> 
> Question:  Based on this, is my system likely to have been compromised or
> not?  For that matter, what's wted?
> 

Looks like it is telling you about some file deletions. Did you do any
file deleting between the times listed in the message? Chkrootkit is a
*good* program for doing what it is designed to do: that is, find
rootkits. To monitor files, all files, i.e. file perms/attribs that
change, changed md5 info on files, additions/deletions of files, etc.,
you really should try using Tripwire in conjunction with chkrootkit.

David, from what you have posted, it is difficult to say if you were or
you were not cracked but I would be very suspicious, and do a bunch of
"greps" on your other log files, esp auth and security logs...

drjung
 
-- 
J. Craig Woods
UNIX/NT Network/System Administration
http://www.trismegistus.net/resume.html
Character is built upon the debris of despair --Emerson
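The kind of monitoring the reply above assigns to Tripwire (permissions and ownership, digests, additions and deletions), as an added example that is not Tripwire's code and not anything the poster supplied. It snapshots mode, uid, gid, size and a SHA-256 digest for every file under a root, saves that as a JSON baseline, and on a later run reports what was added, removed or changed and which attributes moved. The baseline is deliberately a separate file: the later suggestion in this thread to keep the database on a CD-ROM is the right instinct, since a baseline the running system can rewrite proves nothing. `demo()` builds a throw-away tree in a temporary directory and tampers with it, so the script runs offline.

```python
"""A minimal Tripwire-style file integrity check.

Added example, not Tripwire's code. demo() constructs its own sample
tree; nothing here is specific to any real system.
"""
import hashlib
import json
import os
import stat
import tempfile

FIELDS = ("mode", "uid", "gid", "size", "sha256")


def fingerprint(path):
    """Attributes to compare. The digest is what catches a same-size
    replacement binary that a size/mtime-only check would miss."""
    st = os.lstat(path)
    digest = ""
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                h.update(chunk)
        digest = h.hexdigest()
    return {"mode": oct(st.st_mode), "uid": st.st_uid, "gid": st.st_gid,
            "size": st.st_size, "sha256": digest}


def snapshot(root):
    """{relative path: fingerprint} for every file below root."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = fingerprint(full)
    return db


def compare(baseline, current):
    """Added/removed paths, plus which fields changed for each common path."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for path in sorted(set(baseline) & set(current)):
        diff = [f for f in FIELDS if baseline[path][f] != current[path][f]]
        if diff:
            changed[path] = diff
    return {"added": added, "removed": removed, "changed": changed}


def save_baseline(db, path):
    with open(path, "w") as fh:
        json.dump(db, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def _write(root, rel, content, mode=0o644):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(content)
    os.chmod(full, mode)


def demo():
    """Baseline a tiny constructed tree, tamper with it four ways, and
    return the comparison report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "tree")
        _write(root, "bin/ls", "original")
        _write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/bash\n")
        _write(root, "sbin/old", "gone soon")
        # In real use this path would be on read-only media.
        baseline_path = os.path.join(tmp, "baseline.json")
        save_baseline(snapshot(root), baseline_path)

        _write(root, "bin/ls", "trojaned")                   # same size, new bytes
        os.chmod(os.path.join(root, "etc/passwd"), 0o666)    # permissions loosened
        os.remove(os.path.join(root, "sbin/old"))            # deletion
        _write(root, "sbin/.hidden", "x")                    # addition

        return compare(load_baseline(baseline_path), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The "bin/ls" case is the instructive one: "original" and "trojaned" are both eight bytes, so only the digest changes. A check keyed on size or mtime alone would report nothing.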






[expert] how to acknowledge changes to msec

2002-07-27 Thread gikoreno
 Hello everyone!

This is a repost from the newbie list, so sorry about that, but I haven't had any replies to this yet.

When I look into /var/log/messages I get various of the following:

"Security Warning: There are modifications for port listening on your machine :"

"Security Warning: These packages have changed on the system :"

"Security Warning: These config files belonging to packages have changed of status on the system"

I get them every day. These changes are correct, and I am aware of them (and happy to be notified). Yet, since I agree on them being correct, I'd like to be able to acknowledge them, and not get them again (if there is a change a second time, I will know; otherwise I might just ignore it because I thought it was my initial change).

How do I do that?

Thanks in advance:

gikoreno

Join Excite! - http://www.excite.com  The most personalized portal on the Web!


[expert] Quota on XFS problems

2002-07-27 Thread gikoreno
 Hello everyone,

This is a repost from the newbie list, so sorry about that, I haven't had a reply yet.

I am running LM 8.2, and all my partitions are XFS.
I am also running the system with msec level 5.
The machine's Kernel is : kernel-secure-2.4.18.8

Today I setup quotas for my users. I added the lines that were needed in fstab, and the quotas are being enforced. For some reason it only works certain times... "edquota" opens up an editor, in which I make the changes and then save and quit. Is there a better way of doing this? One that works every time? am I missing a step?


My problem is that I would like my users to know what their current quota is, and for some reason typing quota doesn't work (the users for which I tried this command do have quota enforced).

If a user types "quota",
they get something like:
"Disk quotas for user XXX(uid ): none"

If they type "quota -v" they get something like:
<<
Disk quotas for user XXX (uid ):
Filesystem blocks quota limit grace files quota limit grace
/dev/hda5 0 0 0 0 0 0
/dev/hdc7 0 0 0 0 0 0
>>

Yet, if I check their quota as root, I get the accurate values.
In other words, the quota command works as expected only if I am running it as root.

I am guessing it might be that quota can't read something that contains the quota info when it is run as a user. What else could it be? What should I try?

I read the XFS info about the quota system on SGI's site (and in the docs), but they all seem to imply that it should be possible to run the quota command as a user and get the proper result. An edquota is supposed to work every time...

My third and last question is that I would like the quota info to be displayed for each user when they log on through ssh. How do I make that happen?

Thanks in advance!

gikoreno



Re: [expert] Hack attack or not?

2002-07-27 Thread David Guntner

civileme grabbed a keyboard and wrote:

> David Guntner wrote:
> >
> >Checking 'sniffer'... Checking 'wted'... 2 deletions found between {time} 
> >and {time}
> >
> >Question:  Based on this, is my system likely to have been compromised or 
> >not?  For that matter, what's wted?
> 
> wted  --  wtmp editor
> 
> >
> http://www.cleo-and-nacho.com/cnd/text/hackkit.txt
> 
> Reading the whole doc will be educational.  The grammar isn't perfect 
> but the message is unusually clear.

I'm reading it now, and I am not heartened by what I see

Is there anything that could cause the checker to trip on that?  I.E., is 
there something else which could result in it thinking that something was 
removed from wtmp?

I'm pretty careful in my password choices and am on the mandrake-security 
announce list so that I know when a fix has been released (and I put it in 
right away), so I'm really curious as to how someone could have gotten in, 
installed that program, run it to cover up whatever else it was they did, 
and then remove it.

And, I'm *not* enjoying the prospect of having to wipe and reinstall my 
system :-/

Any other thoughts on the subject?  Or is it just time to "push the button, 
Max?"  (Probably no one will get the joke, but I'm sure you understand the 
meaning... :)

--Dave

-- 
  David Guntner  GEnie: Just say NO!
 http://www.akaMail.com/pgpkey/davidg or key server
 for PGP Public key







Re: [expert] Hack attack or not?

2002-07-27 Thread David Oberbeck

On Saturday 27 July 2002 14:18, David Guntner Wrote Thusly:
> civileme grabbed a keyboard and wrote:
> > David Guntner wrote:
> > >Checking 'sniffer'... Checking 'wted'... 2 deletions found between
> > > {time} and {time}
> > >
> > >Question:  Based on this, is my system likely to have been compromised
> > > or not?  For that matter, what's wted?
> >
> > wted  --  wtmp editor
> >
> >
> > http://www.cleo-and-nacho.com/cnd/text/hackkit.txt
> >
> > Reading the whole doc will be educational.  The grammar isn't perfect
> > but the message is unusually clear.
>
> I'm reading it now, and I am not heartened by what I see
>
> Is there anything that could cause the checker to trip on that?  I.E., is
> there something else which could result in it thinking that something was
> removed from wtmp?
>
> I'm pretty careful in my password choices and am on the mandrake-security
> announce list so that I know when a fix has been released (and I put it in
> right away), so I'm really curious as to how someone could have gotten in,
> installed that program, run it to cover up whatever else it was they did,
> and then remove it.
>
> And, I'm *not* enjoying the prospect of having to wipe and reinstall my
> system :-/
>
> Any other thoughts on the subject?  Or is it just time to "push the button,
> Max?"  (Probably no one will get the joke, but I'm sure you understand the
> meaning... :)
>
> --Dave

   Up Max, UUpp Max!
- Professor Fate, The Great Race

   But seriously, do you have tripwire running on a fixed medium (e.g. the
Tripwire database on a CD-ROM)? Do you have tripwire running at all?

   Are other, "softer" systems (e.g. Windows running LookOut) connected
to the suspect box with trusted access (this might be a way for someone
to get in)?

   Basically, the correct paranoid response is if you are not sure, wipe it.
While this level of paranoia is not for everybody, it works for me.

   Good luck with this.

HTH,
DGO

-- 

"Entropy Requires No Maintenance"






Re: [expert] Hack attack or not?

2002-07-27 Thread David Guntner

 David Oberbeck grabbed a keyboard and wrote:
>
> On Saturday 27 July 2002 14:18, David Guntner Wrote Thusly:
>>
>> Any other thoughts on the subject?  Or is it just time to "push the
>> button, Max?"  (Probably no one will get the joke, but I'm sure you
>> understand the meaning... :)
>
>   Up Max, UUpp Max!
>   - Professor Fate, The Great Race

LOL!  I really didn't figure that anyone here would get that. :-)

>   But seriously, do you have tripwire running on a fixed medium (e.g.
>   the
> Tripwire database on a CD-ROM)? Do you have tripwire running at all?

No, I don't.  Tell me about Tripwire.  What is it, how does it work, where
can I get it?  Oh yea, and will it help keep me from having to wipe and
reinstall again in the future? :-)
>   Are other, "softer" systems (e.g. Windows running LookOut) connected
> to the suspect box with trusted access (this might be a way for someone
> to get in).

There's a Windows 98SE computer on the same network (I'm behind a DSL
broadband router, and both machines are connected via a switch).  However,
I don't think there's any "trusted" access going on there.  I don't even
have Samba running on the Linux box, although I do have my C: and D: drive
mounted (type smbfs on the mount command) on the Linux box so that I can
copy files easily from the Windows box to the Linux box when I'm logged in
to the Linux box.  Other than that, no direct contact is made between
them.
>   Basically, the correct paranoid response is if you are not sure, wipe
>   it.

Yea, that's what I was afraid of.  I was just hoping that someone could
give me another plausible reason why two entries would have been deleted
from wtmp.
My other response (at least for the time being) has been to configure the
DSL router to no longer forward incoming connections on ports 20-22 to the
Linux box, to cut off access to services that let you log in.  And I've
moved the ssh port to another non-standard port (and configured the sshd
config file to listen on that port, of course) so that I can still log in
remotely if needed.  I'll probably leave it like that after the dust has
settled from this as well
> While this level of paranoia is not for everybody, it works for me.

Unfortunately, I'm paranoid enough about this kind of thing to realize
that it's needed.  I just hate the time it takes to do it :-/
>   Good luck with this.
>
> HTH,
>   DGO

Thanks.  And do fill me in on Tripwire; you've got me curious.

   --Dave









[expert] KDE:(re)starting artsd gracefully: How?

2002-07-27 Thread Chuck Shirley

Hi Experts,

I have some important software that I use that is un-aware of the
arts (Okay, I admit, it's games, sue me... :^) ) so to use it with 
KDE3, I have a script linked to a desktop icon to stop artsd 
if it is running, and start it if it is not running.  Is there an 
official way to stop/start the sound server?  Herewith is the 
script I use to do the work:  (It is very stupid, but it seems to 
work)

---Begin---

#!/bin/bash
# This script starts/stops the arts sound daemon...

# The bracketed "[a]rtsd" pattern matches "artsd" in the ps output but not
# the grep process itself, so no "grep -v grep" is needed.
if [ -z "$(ps -ef | grep '[a]rtsd')" ]; then
    echo "Starting artsd..."
    # Background the wrapper directly; "exec ... &" only replaced a subshell.
    /usr/bin/artswrapper -F 8 -S 1024 -d -s 5 -m artsmessage -l 3 -f &
    echo "  ...Done"
else
    echo "Stopping artsd..."
    killall artsd
    echo "  ...Done"
fi

---End---

-Chuck

-- 
 He's a real UNIX Man            Charles A. Shirley
 Sitting in his UNIX LAN         cashirley (at) comcast (dot) net
 Making all his UNIX plans
 For nobody








Re: [expert] Hack attack or not?

2002-07-27 Thread civileme

David Guntner wrote:

>civileme grabbed a keyboard and wrote:
>
>>David Guntner wrote:
>>
>>>Checking 'sniffer'... Checking 'wted'... 2 deletions found between {time} 
>>>and {time}
>>>
>>>Question:  Based on this, is my system likely to have been compromised or 
>>>not?  For that matter, what's wted?
>>>
>>wted  --  wtmp editor
>>
>>http://www.cleo-and-nacho.com/cnd/text/hackkit.txt
>>
>>Reading the whole doc will be educational.  The grammar isn't perfect 
>>but the message is unusually clear.
>>
>
>I'm reading it now, and I am not heartened by what I see
>
>Is there anything that could cause the checker to trip on that?  I.E., is 
>there something else which could result in it thinking that something was 
>removed from wtmp?
>
>I'm pretty careful in my password choices and am on the mandrake-security 
>announce list so that I know when a fix has been released (and I put it in 
>right away), so I'm really curious as to how someone could have gotten in, 
>installed that program, run it to cover up whatever else it was they did, 
>and then remove it.
>
>And, I'm *not* enjoying the prospect of having to wipe and reinstall my 
>system :-/
>
>Any other thoughts on the subject?  Or is it just time to "push the button, 
>Max?"  (Probably no one will get the joke, but I'm sure you understand the 
>meaning... :)
>
>--Dave
>
>
>
>
Well, you noted I was very terse in my message.  I hate to be the bearer 
of bad news.  But first try
Put in CD#1
cd /mnt/cdrom
rpm -ivh --force basesystem-8.2-1mdk.i586.rpm

This will generally blow away anything done to /bin /sbin or /lib

Use the now good ls and rgrep tools to scan other directories for 
martians--if you see any, by God, push the button.

If you are in an unfriendly environment it is time to consider a 
separate firewall machine between you and the web.  Mandrake SNF is 
exceptionally conservative, not even allowing a DMZ, and is configurable 
from inside via a web browser.  MNF is coming soon and will have 
stateful firewalling which is an additional degree of security.

Now as to how this may happen, have you ever connected via ftp?  Or 
downloaded by http?  There is a way (and damned near undetectable if you 
are more than a few hops from both client and server) to desynchronize 
the ends of a TCP connection and become a machine in the middle, acting 
as server to the client and client to the server.  (There is also 
another way of doing this with https, sometimes called 
Man-in-the-middle.)  These are very sophisticated attacks run by 
knowledgeable blackhats and not by script kiddies.

To avoid such problems,

NEVER accept self-signed certificates.

NEVER download pure binaries--download source unless it is something 
like a full iso.

Grab md5sums for what you do download from a different mirror (and check 
them).  Don't download isos for which there are no md5sums available. 
 (Exception:  Really old stuff or really new--crackers are unlikely to 
have infected copies to supply.)

Civileme
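The "grab md5sums from a different mirror and check them" step above, as an added example that is not MandrakeSoft's, md5sum's or the poster's code. It parses the `<md5>  <filename>` lines that `md5sum` writes (the format of a mirror's MD5SUMS file) and accepts a download only when every checksum source lists it, the sources agree with each other, and the digest computed over the file matches. Requiring two sources is the point: a single compromised mirror can serve a trojaned image together with a checksum that matches it. The image contents and the MD5SUMS texts are constructed stand-ins; the digest of `b"abc"` is the RFC 1321 test vector.

```python
"""Verify a download against MD5SUMS lists from two or more mirrors.

Added example, not code from the list or from any project. File name,
file contents and checksum lists are constructed.
"""
import hashlib
import re

SUM_LINE = re.compile(r"^([0-9a-fA-F]{32})\s+\*?(.+)$")


def parse_md5sums(text):
    """Map filename -> lowercase hex digest; lines that do not look like
    md5sum output are skipped."""
    sums = {}
    for line in text.splitlines():
        m = SUM_LINE.match(line.strip())
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def verify(filename, data, *sources):
    """Return (ok, reason). Needs checksum lists from at least two
    independent mirrors, all of which must list the file and agree."""
    if len(sources) < 2:
        return False, "need checksum lists from at least two mirrors"
    expected = set()
    for text in sources:
        sums = parse_md5sums(text)
        if filename not in sums:
            return False, "%s not listed in one of the checksum files" % filename
        expected.add(sums[filename])
    if len(expected) != 1:
        return False, "mirrors disagree on the digest for %s" % filename
    actual = md5_hex(data)
    if actual != expected.pop():
        return False, "digest mismatch: got %s" % actual
    return True, "ok"


# Constructed stand-ins: a three-byte "image" and what two mirrors' MD5SUMS
# files would say about it. 900150983cd24fb0d6963f7d28e17f72 is md5("abc").
ISO_NAME = "cd1.iso"
ISO_DATA = b"abc"
MIRROR_A = "900150983cd24fb0d6963f7d28e17f72  cd1.iso\n"
MIRROR_B = ("900150983cd24fb0d6963f7d28e17f72  cd1.iso\n"
            "d41d8cd98f00b204e9800998ecf8427e  other.iso\n")
MIRROR_TAMPERED = "0123456789abcdef0123456789abcdef  cd1.iso\n"

if __name__ == "__main__":
    print(verify(ISO_NAME, ISO_DATA, MIRROR_A, MIRROR_B))
    print(verify(ISO_NAME, ISO_DATA, MIRROR_A, MIRROR_TAMPERED))
    print(verify(ISO_NAME, b"abd", MIRROR_A, MIRROR_B))
```

For a real image, read the file in chunks into `hashlib.md5()` instead of holding it in memory, and fetch the two MD5SUMS files over separate connections to separate hosts, which is what makes the second source independent of the first.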












Re: [expert] KDE:(re)starting artsd gracefully: How?

2002-07-27 Thread Damian G

On Sat, 27 Jul 2002 21:10:13 -0400
Chuck Shirley <[EMAIL PROTECTED]> wrote:

> Hi Experts,
> 
> I have some important software that I use that is un-aware of the
> arts, (Okay, I admit, it's games, sue me... :^) )so to use it with 
> KDE3,  I have a script linked to a desktop Icon to stop the artsd 
> if it is running, and start it if it is not running.  Is there an 
> official way to stop/start the sound server?  Herewith is the 
> script I use to do the work:  (It is very stupid, but it seems to 
> work)
> 

hey, instead of killing/reviving the poor arts all the time, have you
tried to make your game work with artswrapper? as in

[user@localhost user]$ artswrapper nameofmyveryimportantsoftware

maybe it'll help. that wrapper stuff is supposed to make the app use arts
without even noticing it is... or something like that.

see ya.

Damian

-- 
Who is General Failure, and why is he reading my disk?






Re: Maxtor 4G120J6 okay? (was: Re: [expert] Western Digital WD1200AB

2002-07-27 Thread dfox

> I think it meant the diskdrives die soon if they are in a power-on state
> for more than eight hours a day.  That is what I have heard at least,

Well, my IBM Deskstar has been in such a state since about October of
2000. :) I suppose the advisory only applies to newer drives, then.

> -Chuck






Re: [expert] Hack attack or not?

2002-07-27 Thread James Sparenberg

David 

   If you find Tripwire a bit much to install you might look at
Snort (from freshmeat) it's a little less of a hassle to install
and is on par with the free version of TripWire.

James


On Sat, 27 Jul 2002 16:52:00 -0700 (PDT)
"David Guntner" <[EMAIL PROTECTED]> wrote:

>  David Oberbeck grabbed a keyboard and wrote:
> >
> > On Saturday 27 July 2002 14:18, David Guntner Wrote Thusly:
> >>
> >> Any other thoughts on the subject?  Or is it just time to
> >> "push the button, Max?"  (Probably no one will get the joke,
> >> but I'm sure you understand the meaning... :)
> >
> >   Up Max, UUpp Max!
> > - Professor Fate, The Great Race
> 
> LOL!  I really didn't figure that anyone here would get that.
> :-)
> 
> >   But seriously, do you have tripwire running on a fixed
> >   medium (e.g. the
> > Tripwire database on a CD-ROM)? Do you have tripwire running
> > at all?
> 
> No, I don't.  Tell me about Tripwire.  What is it, how does it
> work, where can I get it?  Oh yea, and will it help keep me from
> having to wipe and reinstall again in the future? :-)
> >   Are other, "softer" systems (e.g. Windows running LookOut)
> >   connected to the suspect box with trusted access (this might
> >   be a way for someone to get in).
> 
> There's a Windows 98SE computer on the same network (I'm behind
> a DSL broadband router, and both machines are connected via a
> switch).  However, I don't think there's any "trusted" access
> going on there.  I don't even have Samba running on the Linux
> box, although I do have my C: and D: drive mounted (type smbfs
> on the mount command) on the Linux box so that I can copy files
> easily from the Windows box to the Linux box when I'm logged in
> to the Linux box.  Other than that, no direct contact is made
> between them.
> >   Basically, the correct paranoid response is if you are not
> >   sure, wipe it.
> 
> Yea, that's what I was afraid of.  I was just hoping that
> someone could give me another plausable reason why two entries
> would have been deleted from wtmp.
> My other response (at least for the time being) has been to
> configure the DSL router to no longer forward incoming
> connections on ports 20-22 to the Linux box, to cut off access
> to services that let you log in.  And I've moved the ssh port to
> another non-standard port (and configured the sshd config file
> to listen on that port, of course) so that I can still log in
> remotely if needed.  I'll probably leave it like that after the
> dust has settled from this as well
> > While this level of paranoia is not for everybody, it works
> > for me.
> 
> Unfortunately, I'm paranoid enough about this kind of thing to
> realize that it's needed.  I just hate the time it takes to do
> it :-/
> >   Good luck with this.
> >
> > HTH,
> > DGO
> 
> Thanks.  And do fill me in on Tripwire; you've got me curious.
> 
>--Dave
> 
> 
> 
> 
> 






Re: [expert] how to acknowledge changes to msec

2002-07-27 Thread Todd Lyons

gikoreno wrote on Sat, Jul 27, 2002 at 03:50:43PM -0400 :
> 
> When I look into /var/log/messages I get various of the following:
> "Security Warning: There are modifications for port listening on your machine :"

A system that is under some load will list false listening ports because
some process is listening for a reply to some packet that it sent out.
Bear that in mind while trying to figure out if there's something wrong.

Blue skies...   Todd
-- 
  Todd Lyons -- MandrakeSoft, Inc.   http://www.mandrakesoft.com/
UNIX was not designed to stop you from doing stupid things, because 
  that would also stop you from doing clever things. -- Doug Gwyn
   Cooker Version mandrake-release-9.0-0.2mdk Kernel 2.4.18-21mdk
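The false positive described above, made concrete: a socket that is waiting for a reply sits on an ephemeral local port in ESTABLISHED (or SYN_SENT) state, not LISTEN, so a comparison that treats every local port as a "listener" will report it as a new one, while a comparison restricted to LISTEN sockets will not. This is an added example, not msec's code, and whether msec's own check makes that distinction is not something the thread says. Both snapshots are constructed text in the kernel's /proc/net/tcp format (little-endian hex `address:port`, state column `0A` = LISTEN, `01` = ESTABLISHED).

```python
"""Diff listening TCP ports between two /proc/net/tcp snapshots, counting
only sockets in LISTEN state.

Added example, not msec's code. The two snapshots are constructed.
"""
TCP_LISTEN = "0A"


def _hex_ip(h):
    """/proc/net/tcp stores IPv4 addresses as little-endian hex."""
    return ".".join(str(int(h[i:i + 2], 16)) for i in (6, 4, 2, 0))


def parse_sockets(text):
    """Yield (ip, port, state) for each socket line of a /proc/net/tcp dump."""
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        ip_hex, port_hex = fields[1].split(":")
        yield _hex_ip(ip_hex), int(port_hex, 16), fields[3]


def listening_ports(text):
    """{(ip, port)} for sockets actually accepting connections."""
    return {(ip, port) for ip, port, st in parse_sockets(text) if st == TCP_LISTEN}


def all_local_ports(text):
    """What a naive check sees: every local port, whatever its state."""
    return {port for _, port, _ in parse_sockets(text)}


def diff_listeners(before, after):
    """(new, gone) sets of (ip, port) LISTEN sockets between two snapshots."""
    b, a = listening_ports(before), listening_ports(after)
    return a - b, b - a


HEADER = ("  sl  local_address rem_address   st tx_queue rx_queue tr tm->when "
          "retrnsmt   uid  timeout inode")
SSHD = ("   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 "
        "00000000     0        0 1001 1 00000000 300 0 0 2 -1")
SMTP = ("   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 "
        "00000000     0        0 1002 1 00000000 300 0 0 2 -1")
# Outbound fetch in flight: local ephemeral port 32768 -> remote :80, ESTABLISHED.
FETCH = ("   2: 0200000A:8000 5001A8C0:0050 01 00000000:00000000 00:00000000 "
         "00000000     0        0 2003 1 00000000 20 4 30 10 -1")
# Something new genuinely accepting connections on 6667.
IRC = ("   3: 00000000:1A0B 00000000:0000 0A 00000000:00000000 00:00000000 "
       "00000000     0        0 2004 1 00000000 300 0 0 2 -1")

BEFORE = "\n".join([HEADER, SSHD, SMTP])
AFTER = "\n".join([HEADER, SSHD, SMTP, FETCH, IRC])

if __name__ == "__main__":
    new, gone = diff_listeners(BEFORE, AFTER)
    print("new listeners:", sorted(new), " gone:", sorted(gone))
    print("naive port diff:", sorted(all_local_ports(AFTER) - all_local_ports(BEFORE)))
```

On a live system read `/proc/net/tcp` (and `/proc/net/tcp6`, whose address field is 32 hex digits and needs a different decoder) at two points in time and feed the texts to `diff_listeners`; the ephemeral-port noise disappears and only real listeners remain.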





Re: [expert] how to acknowledge changes to msec

2002-07-27 Thread gikoreno
 Thanks Todd,

I'll keep that in mind (hadn't thought about it).

gikoreno




 --- On Sun 07/28, Todd Lyons < [EMAIL PROTECTED] > wrote:
From: Todd Lyons [mailto: [EMAIL PROTECTED]]
To: [EMAIL PROTECTED]
Date: Sat, 27 Jul 2002 23:33:29 -0700
Subject: Re: [expert] how to acknowledge changes to msec

> gikoreno wrote on Sat, Jul 27, 2002 at 03:50:43PM -0400 :
> > 
> > When I look into /var/log/messages I get various of the following:
> > "Security Warning: There are modifications for port listening on
> your machine :"
> 
> A system that is under some load will list false listening ports because
> some process is listening for a reply to some packet that it sent out.
> Bear that in mind while trying to figure out if there's something wrong.
> 
> Blue skies...		Todd
> -- 
>   Todd Lyons -- MandrakeSoft, Inc.   http://www.mandrakesoft.com/
> UNIX was not designed to stop you from doing stupid things, because 
>   that would also stop you from doing clever things. -- Doug Gwyn
>Cooker Version mandrake-release-9.0-0.2mdk Kernel 2.4.18-21mdk


[expert] quota patch in kernel?

2002-07-27 Thread gikoreno
 Hi everyone:

I looked in the XFS (SGI) mailing lists and found the following links to be useful:

http://marc.theaimsgroup.com/?l=linux-xfs&m=101697728801467&w=2
http://marc.theaimsgroup.com/?l=linux-xfs&m=101701227031491&w=2
http://marc.theaimsgroup.com/?l=linux-xfs&m=101701969005112&w=2
http://marc.theaimsgroup.com/?l=linux-xfs&m=101902864819725&w=2

Are these patches applied in the MDK 8.2?
If they are not, then that's what was causing my problems.
In that case, are any updates on the quota tools planned to be released to solve this problem (for MDK 8.2)? 
(users not being able to check their quota on an XFS filesystem).

Thanks in advance for the reply,

gikoreno


Re: [expert] Hack attack or not?

2002-07-27 Thread David Guntner

civileme grabbed a keyboard and wrote:
> 
> Well, you noted I was very terse in my message.  I hate to be the bearer 
> of bad news.  But first try
> Put in CD#1
> cd /mnt/cdrom
> rpm -ivh --force basesystem-8.2-1mdk.i586.rpm
> 
> This will generally blow away anything done to /bin /sbin or /lib
> 
> Use the now good ls and rgrep tools to scan other directories for 
> martians--if you see any, by God, push the button.

Thanks for the suggestion.  I'll do that.  Although at this point, I'm 
rattled enough by what happened that I'm probably going to be likely to 
push the button, regardless.  Like that one reply I got said, "if you're 
not sure, wipe."  Even if I *don't* find anything, I'm going to constantly 
be wondering if I just missed something

> If you are in an unfriendly environment it is time to consider a 
> separate firewall machine between you and the web.  Mandrake SNF is 
> exceptionally conservative, not even allowing a DMZ, and is configurable 
> from inside via a web browser.  MNF is coming soon and will have 
> stateful firewalling which is an additional degree of security.

As mentioned in a previous reply to another, I'm behind a DSL broadband 
router, which effectively acts as a firewall.  If I don't tell it to 
forward a particular incoming port to the Linux machine, the packet is 
quietly dropped on the floor.

> Now as to how this may happen, have you ever connected via ftp?  Or 
> downloaded by http?  There is a way (and damned near undetectable if you 
> are more than a few hops from both client and server) to desynchronize 
> the ends of a TCP connection and become a machine in the middle, acting 
> as server to the client and client to the server.  (There is also 
> another way of doing this with https, sometimes called 
> Man-in-the-middle.)  These are very sophisticated attacks run by 
> knowledgeable blackhats and not by script kiddies.

Sounds like it.

Just FYI, I usually don't do much web browsing from the Linux machine 
itself.  I do most of that (as well as my FTPing) from my Win98SE box.  I 
use the Linux box to provide me with a small news server (leafnode), squid 
and sleezeball (HTTP/FTP caching proxy and ad banner filter), mail server 
(postfix, which is configured to recognize the Win98SE's box's IP address 
as friendly for relay) and web server (the latest Apache RPM from one of 
the Mandrake security update mirrors).

The only FTPing that I've really been doing directly from the Linux box has 
been via rpmdrake to get a security update, or to grab an RPM from 
rpmfind.net once in a while.  So I'm still at something of a loss regarding 
how this could have happened, assuming that a breach has occurred.  That's 
the bitch of it - the not knowing aspect.  I may well be wiping and 
reinstalling my system for nothing, but I won't be sure that I'm not hacked 
until I've done so.

And like I said, I've turned off ports 20-22 forwarding from the DSL router 
to the Linux box.  So assuming that someone has figured out a way to login 
to my machine, I've closed the door on their being able to access it.  Now 
unless the person wants to scan 65,535 ports looking for where I moved the 
sshd port to, he won't be able to get in, and hopefully will just go away.

> To avoid such problems,
> 
> NEVER accept self-signed certificates.
> 
> NEVER download pure binaries--download source unless it is something 
> like a full iso.
> 
> Grab md5sums for what you do download from a different mirror (and check 
> them).  Don't download isos for which there are no md5sums available. 
>  (Exception:  Really old stuff or really new--crackers are unlikely to 
> have infected copies to supply.)

Good advice, all around.  Thanks!

   --Dave
-- 
  David Guntner  GEnie: Just say NO!
 http://www.akaMail.com/pgpkey/davidg or key server
 for PGP Public key



