Re: Tonight I got hacked.
On Thu, Oct 17, 2002 at 11:38:19AM +0200, linux power wrote:
> Tonight I finally got hacked.
> [...]
> So now I'm back again to windows XP. And that should anyway not be
> so difficult to hack.

Actually, expect XP to be more easily hacked. Getting and keeping Linux secure isn't that hard.

But first, copy off data from your current machine (not programs, only non-executable data), and completely wipe your disk. Do not reuse any passwords you used on the cracked machine; assume those passwords are known to bad persons.

Reinstall Red Hat 7.3 (8.0 is too new, hold off unless you have a good reason to want 8.0), and immediately install all the 7.3 updates from Red Hat. Feel free to use what services you want to use, feel free to install everything. Yes, for real paranoia, one wants a beat back machine with nearly nothing on it, but you probably are not a big enough target to make that worth it.

Follow these rules and you will do well:

1) Let Red Hat configure your machine, they do a pretty good job of setting up a secure machine. Be careful of making configuration changes that you don't understand, you might open up a security hole.

2) Keep your machine up to date! There are security holes that have been discovered in Red Hat 7.3, and there have been free fixes posted on the internet. Use them! (There have been holes in MS Windows discovered too, but MS is much slower about fixing them.) Once you have your machine up to date, there will be more holes discovered--get those updates too. At some point this cycle might slow down and it might be possible to keep a machine secure without constantly updating it, but we aren't there yet. Stay up to date!

3) Don't reuse passwords from elsewhere, nor from your cracked machine. If you have one password you use on every damn web site on the internet, then if one of them has leaky security or is crooked, your password is no longer trustworthy. Many say you need to change your password every few weeks. I say nonsense, better to pick a secure password (after you install Red Hat run the "passwd" command, it will warn you if you have a poor password) and keep your password secure.

Good luck, don't be afraid, instead be cautious and thoughtful.

-kb

-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request@;redhat.com?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list
Re: Kazaa Lite Fun: was, RE: Tonight I got hacked.
On Sat, Oct 19, 2002 at 11:21:22AM +0800, Edward Dekkers wrote:
> Just wanted to mention that on our network, when Kazaa Lite is run (through
> the Linux box), portsentry hack attempts increase at least 5-fold. This is
> not coincidence IMNSHO. A person I know on another home network was
> completely rootkitted, and virii installed on all 3 client PCs even with
> Norton's installed on the client PCs, and portsentry and tripwire on the
> Linux box.

Hm, but - see other thread - neither portsentry nor tripwire are tools to prevent these things, I thought?

> Kazaa seems to 'open' the boxes substantially. No idea how exactly - but I
> can't ignore the results here.

Question would be: Does it touch or circumvent the firewall rules, and if so: How? Is this client run with root privileges?

Cheerio,
Thomas
-- 
http://www.netmeister.org/news/learn2quote.html ...'cause only lusers quote signatures!
Thomas Ribbrock | http://www.ribbrock.org | ICQ#: 15839919
"You have to live on the edge of reality - to make your dreams come true!"
Re: Kazaa Lite Fun: was, RE: Tonight I got hacked.
Hi all. Somebody, please send me some link for Kazaa to download. Thanks.

----- Original Message -----
From: Bill Holland
To: '[EMAIL PROTECTED]'
Sent: Friday, October 18, 2002 9:32 AM
Subject: Kazaa Lite Fun: was, RE: Tonight I got hacked.

> Kazaa and Kazaa Lite both have an option for disabling the downloading of
> files that "might contain trojans". The difference is, Kazaa protects you
> by enabling that option, and Kazaa Lite does not. So after using Kazaa for
> a while, I switched to Kazaa Lite - and assumed the same default was used.
> It isn't. My Win2k box was so hosed after running a single VBS file, I had
> to re-install the OS. Microsoft compounds the problem by hiding known file
> extensions, so "your.hacked.jpg.vbs" becomes "your.hacked.jpg".
>
> The good news was, I took advantage of the opportunity to make a linux
> partition on that machine.
>
> - bill
Re: AW: Tripwire (Re: Tonight I got hacked.)
Sorry. My fault. Anyway. So many thanks for your answers.

Ernest E Vogelsinger <[EMAIL PROTECTED]> wrote:
> At 14:30 19.10.2002, linux power said:
> [snip]
> >I don't know how to read it. It's encrypted.
> [snip]
>
> Hey - I already told you in the same mail:
> >> twprint -m r -r |less
>
> >O Ernest E. Vogelsinger
> (\) ICQ# 13394035
>  ^

http://home.no.net/~knutove/knut_ove_hauge_kuren.htm
Re: AW: Tripwire (Re: Tonight I got hacked.)
At 14:30 19.10.2002, linux power said:
[snip]
>I don't know how to read it. It's encrypted.
[snip]

Hey - I already told you in the same mail:
>> twprint -m r -r |less

>O Ernest E. Vogelsinger
(\)ICQ# 13394035
 ^
Re: AW: Tripwire (Re: Tonight I got hacked.)
I don't know how to read it. It's encrypted.

--- Ernest E Vogelsinger <[EMAIL PROTECTED]> wrote:
> At 21:53 18.10.2002, linux power said:
> [snip]
> >I'm new to tripwire so I don't know exactly how to use
> >it. I have built the database with tripwire -m i
> >and tried the check with tripwire -m c
> >But when I ran tripwire -m u I got an error message
> >about a file it couldn't find.
>
> The file it is looking for is the latest tripwire report file, usually
> located in /var/lib/tripwire/report/, named -mmdd-hhmmss.twr. Just use
> your tab key to locate the latest report.
>
> >Also I don't know how the intruder detection works. I
> >even know if tripwire is running or shall be running
> >like a daemon, or the user must himself run the check
> >regularly.
>
> When installing tripwire it usually installs itself as a cron job to be run
> round midnight. Check /etc/cron.daily for a file named tripwire-check.
>
> >I have not given any email address to be notified cause
> >I don't use sendmail.
>
> If root cannot be mailed to then your first issue after entering the office
> and getting yourself some coffee should be to analyze the latest tripwire
> report file (location see above):
> twprint -m r -r |less
>
> HTH,
>
> >O Ernest E. Vogelsinger
> (\)ICQ# 13394035
>  ^

http://home.no.net/~knutove/knut_ove_hauge_kuren.htm
Re: AW: Tripwire (Re: Tonight I got hacked.)
Thank you very much for the answers.

--- Ernest E Vogelsinger <[EMAIL PROTECTED]> wrote:
> At 21:53 18.10.2002, linux power said:
> [snip]
> >I'm new to tripwire so I don't know exactly how to use
> >it. I have built the database with tripwire -m i
> >and tried the check with tripwire -m c
> >But when I ran tripwire -m u I got an error message
> >about a file it couldn't find.
>
> The file it is looking for is the latest tripwire report file, usually
> located in /var/lib/tripwire/report/, named -mmdd-hhmmss.twr. Just use
> your tab key to locate the latest report.
>
> >Also I don't know how the intruder detection works. I
> >even know if tripwire is running or shall be running
> >like a daemon, or the user must himself run the check
> >regularly.
>
> When installing tripwire it usually installs itself as a cron job to be run
> round midnight. Check /etc/cron.daily for a file named tripwire-check.
>
> >I have not given any email address to be notified cause
> >I don't use sendmail.
>
> If root cannot be mailed to then your first issue after entering the office
> and getting yourself some coffee should be to analyze the latest tripwire
> report file (location see above):
> twprint -m r -r |less
>
> HTH,
>
> >O Ernest E. Vogelsinger
> (\)ICQ# 13394035
>  ^

http://home.no.net/~knutove/knut_ove_hauge_kuren.htm
Re: Kazaa Lite Fun: was, RE: Tonight I got hacked.
Thanks for the hints Edward.

--- Edward Dekkers <[EMAIL PROTECTED]> wrote:
> > Kazaa and Kazaa Lite both have an option for disabling the downloading of
> > files that "might contain trojans". The difference is, Kazaa protects you
> > by enabling that option, and Kazaa Lite does not. So after using Kazaa for
> > a while, I switched to Kazaa Lite - and assumed the same default was used.
>
> Just wanted to mention that on our network, when Kazaa Lite is run (through
> the Linux box), portsentry hack attempts increase at least 5-fold. This is
> not coincidence IMNSHO. A person I know on another home network was
> completely rootkitted, and virii installed on all 3 client PCs even with
> Norton's installed on the client PCs, and portsentry and tripwire on the
> Linux box.
>
> Kazaa seems to 'open' the boxes substantially. No idea how exactly - but I
> can't ignore the results here.
>
> Regards,
>
> ---
> Edward Dekkers (Director)
> Triple D Computer Services P/L

http://home.no.net/~knutove/knut_ove_hauge_kuren.htm
Re: AW: Tripwire (Re: Tonight I got hacked.)
On Fri, Oct 18, 2002 at 09:53:29PM +0200, linux power wrote:
> I'm new to tripwire so I don't know exactly how to use
> it. I have built the database with tripwire -m i
> and tried the check with tripwire -m c
> But when I ran tripwire -m u I got an error message
> about a file it couldn't find.
> Also I don't know how the intruder detection works. I
> even know if tripwire is running or shall be running
> like a daemon, or the user must himself run the check
> regularly.
> I have not given any email address to be notified cause
> I don't use sendmail.

Check the Official Red Hat Linux Configuration Guide. There is an entire chapter dedicated to Tripwire. And it's quite easy to follow.

Cheers,
-- 
Javier Gostling
Systems Engineer
Virtualia S.A.
[EMAIL PROTECTED]
Phone: +56 (2) 202-6264 x 130
Fax: +56 (2) 342-8763
Av. Kennedy 5757, of 1502
Las Condes
Santiago
Chile
Re: Kazaa Lite Fun: was, RE: Tonight I got hacked.
> Kazaa and Kazaa Lite both have an option for disabling the downloading of
> files that "might contain trojans". The difference is, Kazaa protects you
> by enabling that option, and Kazaa Lite does not. So after using Kazaa for
> a while, I switched to Kazaa Lite - and assumed the same default was used.

Just wanted to mention that on our network, when Kazaa Lite is run (through the Linux box), portsentry hack attempts increase at least 5-fold. This is not coincidence IMNSHO. A person I know on another home network was completely rootkitted, and virii installed on all 3 client PCs even with Norton's installed on the client PCs, and portsentry and tripwire on the Linux box.

Kazaa seems to 'open' the boxes substantially. No idea how exactly - but I can't ignore the results here.

Regards,

---
Edward Dekkers (Director)
Triple D Computer Services P/L
Firewalls, recommend Re: AW: Tripwire (Re: Tonight I got hacked.)
Please recommend an excellent firewall.

On Friday, October 18, 2002, at 03:25 PM, Mitchell Wright wrote:
> On 10/18/02 4:31 PM, "Javier Gostling" <[EMAIL PROTECTED]> wrote:
>> On Fri, Oct 18, 2002 at 09:53:29PM +0200, linux power wrote:
>>> I'm new to tripwire so I don't know exactly how to use
>>> it. I have built the database with tripwire -m i
>>> and tried the check with tripwire -m c
>>> But when I ran tripwire -m u I got an error message
>>> about a file it couldn't find.
>>> Also I don't know how the intruder detection works. I
>>> even know if tripwire is running or shall be running
>>> like a daemon, or the user must himself run the check
>>> regularly.
>>> I have not given any email address to be notified cause
>>> I don't use sendmail.
>>
>> Check the Official Red Hat Linux Configuration Guide. There is an entire
>> chapter dedicated to Tripwire. And it's quite easy to follow.
>>
>> Cheers,
>
> Also, check out the sourceforge site for tripwire. They have a fairly good
> (100 page) documentation file. It's located under the files area... This may
> sound obvious but there is also a documentation link. I gave it a read
> through in full - it's worth the time.
>
> Mitchell
Re: AW: Tripwire (Re: Tonight I got hacked.)
At 21:53 18.10.2002, linux power said:
[snip]
>I'm new to tripwire so I don't know exactly how to use
>it. I have built the database with tripwire -m i
>and tried the check with tripwire -m c
>But when I ran tripwire -m u I got an error message
>about a file it couldn't find.

The file it is looking for is the latest tripwire report file, usually located in /var/lib/tripwire/report/, named -mmdd-hhmmss.twr. Just use your tab key to locate the latest report.

>Also I don't know how the intruder detection works. I
>even know if tripwire is running or shall be running
>like a daemon, or the user must himself run the check
>regularly.

When installing tripwire it usually installs itself as a cron job to be run round midnight. Check /etc/cron.daily for a file named tripwire-check.

>I have not given any email address to be notified cause
>I don't use sendmail.

If root cannot be mailed to then your first issue after entering the office and getting yourself some coffee should be to analyze the latest tripwire report file (location see above):
twprint -m r -r |less

HTH,

>O Ernest E. Vogelsinger
(\)ICQ# 13394035
 ^
Re: AW: Tripwire (Re: Tonight I got hacked.)
On 10/18/02 4:31 PM, "Javier Gostling" <[EMAIL PROTECTED]> wrote:
> On Fri, Oct 18, 2002 at 09:53:29PM +0200, linux power wrote:
>
>> I'm new to tripwire so I don't know exactly how to use
>> it. I have built the database with tripwire -m i
>> and tried the check with tripwire -m c
>> But when I ran tripwire -m u I got an error message
>> about a file it couldn't find.
>> Also I don't know how the intruder detection works. I
>> even know if tripwire is running or shall be running
>> like a daemon, or the user must himself run the check
>> regularly.
>> I have not given any email address to be notified cause
>> I don't use sendmail.
>
> Check the Official Red Hat Linux Configuration Guide. There is an entire
> chapter dedicated to Tripwire. And it's quite easy to follow.
>
> Cheers,

Also, check out the sourceforge site for tripwire. They have a fairly good (100 page) documentation file. It's located under the files area... This may sound obvious but there is also a documentation link. I gave it a read through in full - it's worth the time.

Mitchell
Re: AW: Tripwire (Re: Tonight I got hacked.)
I'm new to tripwire so I don't know exactly how to use it. I have built the database with tripwire -m i and tried the check with tripwire -m c. But when I ran tripwire -m u I got an error message about a file it couldn't find. Also I don't know how the intruder detection works. I even know if tripwire is running or shall be running like a daemon, or the user must himself run the check regularly. I have not given any email address to be notified cause I don't use sendmail.

--- Bret Hughes <[EMAIL PROTECTED]> wrote:
> On Fri, 2002-10-18 at 11:26, linux power wrote:
> >
> > It's easy for a hacker to find out if you have tripwire installed and then
> > locate the database file and then delete it.
>
> Which in and of itself provides one of the main functions of the
> service. Intrusion Detection. I have not been hacked since I have
> been using tripwire but if it were to tell me that something has been
> changed I think I will be more inclined to use it as a signal to rebuild
> the box rather than fix only what it tells me. It is after all a
> tripwire with hopefully noisy cans hanging on it so when someone hits it
> I'll know.
>
> Bret

http://home.no.net/~knutove/knut_ove_hauge_kuren.htm
Re: AW: Tripwire (Re: Tonight I got hacked.)
On Fri 18 Oct 2002 16:01, Bret Hughes wrote:
> On Fri, 2002-10-18 at 11:26, linux power wrote:
> > It's easy for a hacker to find out if you have tripwire installed and then
> > locate the database file and then delete it.
>
> Which in and of itself provides one of the main functions of the
> service. Intrusion Detection. I have not been hacked since I have
> been using tripwire but if it were to tell me that something has been
> changed I think I will be more inclined to use it as a signal to rebuild
> the box rather than fix only what it tells me. It is after all a
> tripwire with hopefully noisy cans hanging on it so when someone hits it
> I'll know.

Doesn't fam do the same that tripwire does?

-- 
Why use just any relational database when you can use PostgreSQL?
- Martín Marqués | [EMAIL PROTECTED]
Programmer, Administrator, DBA | Centro de Telematica
Universidad Nacional del Litoral
Re: AW: Tripwire (Re: Tonight I got hacked.)
On Fri, 2002-10-18 at 11:26, linux power wrote:
>
> It's easy for a hacker to find out if you have tripwire installed and then locate the
> database file and then delete it.

Which in and of itself provides one of the main functions of the service. Intrusion Detection. I have not been hacked since I have been using tripwire but if it were to tell me that something has been changed I think I will be more inclined to use it as a signal to rebuild the box rather than fix only what it tells me. It is after all a tripwire with hopefully noisy cans hanging on it so when someone hits it I'll know.

Bret
Re: Kazaa Lite Fun: was, RE: Tonight I got hacked.
Ok. Thanks for your hint.

Bill Holland <[EMAIL PROTECTED]> wrote:
> Kazaa and Kazaa Lite both have an option for disabling the downloading of
> files that "might contain trojans". The difference is, Kazaa protects you
> by enabling that option, and Kazaa Lite does not. So after using Kazaa for
> a while, I switched to Kazaa Lite - and assumed the same default was used.
> It isn't. My Win2k box was so hosed after running a single VBS file, I had
> to re-install the OS. Microsoft compounds the problem by hiding known file
> extensions, so "your.hacked.jpg.vbs" becomes "your.hacked.jpg".
>
> The good news was, I took advantage of the opportunity to make a linux
> partition on that machine.
>
> - bill

http://home.no.net/~knutove/knut_ove_hauge_kuren.htm
Re: AW: Tripwire (Re: Tonight I got hacked.)
It's easy for a hacker to find out if you have tripwire installed and then locate the database file and then delete it.

Ernest E Vogelsinger <[EMAIL PROTECTED]> wrote:
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]] On behalf of Nick Lindsell
> > Sent: Friday, 18 October 2002 10:05
> > To: [EMAIL PROTECTED]
> > Subject: Re: Tripwire (Re: Tonight I got hacked.)
> >
> > The Tripwire documentation suggests that the database be
> > held on a floppy which is then write-protected - should
> > prevent a blackhat getting to it.
>
> right, but when you're managing your servers from a remote location that's
> a bit of a hassle...
>
> >O Ernest E. Vogelsinger
> (\) ICQ# 13394035
>  ^

http://home.no.net/~knutove/knut_ove_hauge_kuren.htm
Kazaa Lite Fun: was, RE: Tonight I got hacked.
Kazaa and Kazaa Lite both have an option for disabling the downloading of files that "might contain trojans". The difference is, Kazaa protects you by enabling that option, and Kazaa Lite does not. So after using Kazaa for a while, I switched to Kazaa Lite - and assumed the same default was used. It isn't. My Win2k box was so hosed after running a single VBS file, I had to re-install the OS. Microsoft compounds the problem by hiding known file extensions, so "your.hacked.jpg.vbs" becomes "your.hacked.jpg".

The good news was, I took advantage of the opportunity to make a linux partition on that machine.

- bill

-----Original Message-----
From: linux power [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 18, 2002 3:29 AM
To: [EMAIL PROTECTED]
Subject: RE: Tonight I got hacked.

> It happened when a client machine was connected to KaZaa through the Linux
> server and stored data on the server.
>
> Joe Polk <[EMAIL PROTECTED]> wrote:
> > You are correct, sort of. While it's true nothing can initiate a connection
> > from the outside, a client on the inside can. It's not what you might think,
> > either. Yes, a trojan could do it, but Internet Explorer can as well. So too
> > can things like Gator and other spyware. Though for the most part you are
> > secure from root attacks by and large, be aware your clients within your LAN
> > can initiate contact with the outside world and these connections can also
> > invite danger.
> >
> > -- Original Message ---
> > From: Bill Holland <[EMAIL PROTECTED]>
> > To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> > Sent: Thu, 17 Oct 2002 18:11:41 -0400
> > Subject: RE: Tonight I got hacked.
> >
> > > If I have a little $60 Netgear router, and provide no services
> > > through it - do I have to worry about all this stuff? It's my
> > > understanding that no ports are being forwarded, so nothing can get
> > > through. Or am I mistaken?
> > >
> > > - bill
> > >
> > > -----Original Message-----
> > > From: Todd A. Jacobs [mailto:[EMAIL PROTECTED]]
> > > Sent: Thursday, October 17, 2002 4:30 PM
> > > To: RedHat List
> > > Subject: Re: Tonight I got hacked.
> > >
> > > On Thu, 17 Oct 2002, linux power wrote:
> > >
> > > > I thought I had a good iptables firewall, but not good enough. Well
> > > > anyway it took a couple of months before it happened.
> > >
> > > A firewall is insufficient in and of itself. All a firewall does is
> > > allow or block access to certain ports. It doesn't control what kind
> > > of traffic flows through those sockets: that's up to the application
> > > or its application-layer proxy to sort out.
> > >
> > > If you want your system to be secure, you need to install a firewall
> > > of course, but you also need to disable unnecessary services,
> > > tighten access controls, limit privilege, monitor log files, and
> > > many other tasks. "Security is a process, not a product."
> > >
> > > I don't think it's been updated for psyche yet, but take a look at
> > > the bastille hardening scripts and see what you can learn. At a
> > > minimum, you should:
> > >
> > > - Only install packages you know you'll need. Avoid "everything plus
> > >   the kitchen sink" installs.
> > > - Use ntsysv to remove services you don't use or understand.
> > > - Make heavy use of /etc/hosts.deny and /etc/hosts.allow to restrict
> > >   access.
> > > - Disable xinetd unless you *really* need it. If you do, disable
> > >   any of its child services that you don't explicitly need.
> > > - Install portsentry.
> > > - Configure tripwire and READ the reports.
> > > - Install logsentry and READ the reports.
> > >
> > > Switching to Windows will not solve your problem, since Windows has
> > > even more exploits than Linux and is much harder to secure and
> > > monitor. And even if you choose to do so, the list of tasks isn't
> > > really all that different: lock it down, and then monitor, monitor, monitor.
> > >
> > > There is no quick fix for security. If you insist on looking for one,
> > > you *will* get hacked again, regardless of the OS you choose to use.
> > >
> > > --
> > > "The only thing that helps me maintain my slender grip on reality is
> > > the friendship I share with my collection of singing potatoes."
> > >
> > > - Holly, JMC Vessel *Red Dwarf*
>
> http://home.no.net/~knutove/knut_ove_hauge_kuren.htm
AW: Tripwire (Re: Tonight I got hacked.)
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:redhat-list-admin@;redhat.com] On behalf of Nick Lindsell
> Sent: Friday, October 18, 2002 10:05
> To: [EMAIL PROTECTED]
> Subject: Re: Tripwire (Re: Tonight I got hacked.)
>
> The Tripwire documentation suggests that the database be
> held on a floppy which is then write-protected - should
> prevent a blackhat getting to it.

right, but when you're managing your servers from a remote location that's
a bit of a hassle...

   >O     Ernest E. Vogelsinger
   (\)    ICQ# 13394035
    ^
Re: Tonight I got hacked.
> I use ProFTP and I have had pretty good results.

me too, I've been using it for more than 2 1/2 years now, and it works
great!!!

another good one is vsftpd, it's the one Red Hat uses on its ftp servers..

regards,
juaid
Re: Tonight I got hacked.
On Thu, Oct 17, 2002 at 01:42:25PM +0200, linux power wrote:
> Well. The problem is that they have attempted to do so several times.
>
> And it's not done by a school child. My iptables firewall is too good
> for that.

wrong answer. Even worse, you were probably had by a self propagating worm,
ie by a script. The odds are the script got you either because of a service
you are running with a well known vulnerability that was not updated, or a
service was running you were not aware of. The best firewall script in the
world does not help against these.

How did he get in?

--
Hal Burgiss
Re: Tonight I got hacked.
On Thu, 2002-10-17 at 06:42, linux power wrote:
>
> Well. The problem is that they have attempted to do so several times.
> And it's not done by a school child. My iptables firewall is too good for that.

I have to say something here. With this attitude you will probably get
nailed again. You have been given some very sound advice from some very
experienced users but in spite of that you seem to think that an iptables
firewall should be enough. I submit that by definition it is not or we
would not be having this conversation.

I was hacked on my home firewall a couple of years ago because I had an
old version of sendmail running. I did not even know it was running, so
I did not bother to update it.

I am a firm believer in dedicated firewall machines as you mentioned.
The one at my house is a P90 IBM box I got off ebay a couple of years
ago for < $90 shipping included.

I now run tripwire, portsentry and have logcheck send me emails from the
5 firewalls I currently maintain and can tell you that each of these
boxes get banged on daily on numerous ports. I subscribe to several
security lists so hopefully I become aware of exploits early and can
take corrective action. I not only disable but rpm -e anything that I
think I can get along without. I only run ssh with protocol 2, dsa key
required and no root login. Certainly no email, ftp, X, chat server or
any of that sort of stuff.

There is probably more I could do and will as I continue to learn about
this morass called computer security. Really wading into this stuff is
a great way to learn about the internals of the os and the various
services and protocols that they run on.

up2date is a good service as is subscribing to lists like the
redhat-watch, linux-security and a few others I can't think of right now.

In case you missed the point, good security is multi-layered. There are
a number of good security howtos out there I suggest you read a few.

An old mentor of mine told me on several occasions that if you keep
hearing the same thing from different sources you should probably pay
attention. Sound advice IMNSHO.

HTH

Bret
RE: Tonight I got hacked.
Are you sure? I have no time to experiment.

Ismael Touama <[EMAIL PROTECTED]> wrote:

> Hi,
>
> TripWire is doing the stuff you want,
>
> ism
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of linux power
> Sent: Thursday, October 17, 2002 11:55
> To: [EMAIL PROTECTED]
> Subject: Re: Tonight I got hacked.
>
> Will you go through all the system scripts and find out which has been
> changed?
> If you think you are so damn good so tell me what to do?
>
> "Robert P. J. Day" <[EMAIL PROTECTED]> wrote:
>
>> On Thu, 17 Oct 2002, linux power wrote:
>>
>>> Tonight I finally got hacked. I'm connected to internet through ADSL.
>>> Online all the time. I noticed it because the logging in iptables was
>>> turned off. It is impossible to turn it on again. I still got the
>>> warning about --log-prefix which is the right prefix to the logfile.
>>> Masquerade to the LAN computers is also turned off. They have changed
>>> some scripts to do all this. The linux paradox. All is scripts that
>>> could be changed.
>>>
>>> So now I'm back again to windows XP. And that should anyway not be so
>>> difficult to hack. Perhaps I reorganize my systems and buy an old PC and
>>> install linux and use it only as a server with nothing else installed so
>>> it will be easy to format when I've been visited.
>>
>> i'm not sure someone who gets hacked and solves the problem by switching
>> back to windows xp should be using an email address of "linux power."
>>
>> just my $0.02.
>>
>> rday

http://home.no.net/~knutove/knut_ove_hauge_kuren.htm
Re: Tonight I got hacked.
Hi. I've come to the same conclusion. I had to reinstall. I thought I had a
good iptables firewall, but not good enough. Well anyway it took a couple of
months before it happened-

Thomas Ribbrock <[EMAIL PROTECTED]> wrote:

> On Thu, Oct 17, 2002 at 11:55:06AM +0200, linux power wrote:
>>
>> Will you go through all the system scripts and find out which has been
>> changed?
>> If you think you are so damn good so tell me what to do?
>
> That's *very* simple: Save your personal data, wipe the drive and reinstall.
> Once the machine was hacked, there is *no* (and I mean *no*) other way, as
> there is *no* way to know exactly what has been changed.
>
> What's even *more* important is to think about what went wrong, e.g.: Were
> you up-to-date with all updates issued from Red Hat? What ports were open?
> Which services running? How was your firewall set up (if you had one)?
> Things like that might be important for the future.
>
> Cheerio,
>
> Thomas
>
> --
> http://www.netmeister.org/news/learn2quote.html
> ...'cause only lusers quote signatures!
> Thomas Ribbrock | http://www.ribbrock.org | ICQ#: 15839919
> "You have to live on the edge of reality - to make your dreams come true!"
Re: Tonight I got hacked.
On Thu, Oct 17, 2002 at 06:11:41PM -0400, Bill Holland wrote:
>
> If I have a little $60 Netgear router, and provide no services through it -
> do I have to worry about all this stuff? It's my understanding that no ports
> are being forwarded, so nothing can get through. Or am I mistaken?

So long as NO ports are being forwarded, you're mostly okay. Your biggest
vulnerability is running an executable locally that makes a connection to
the outside world. Never open an attachment, run only trusted executables,
and sleep well.

.../Ed

--
Ed Wilts, Mounds View, MN, USA
mailto:ewilts@;ewilts.org
Member #1, Red Hat Community Ambassador Program
Re: Tonight I got hacked.
lp> Hi. I've come to the same conclusion. I had to reinstall.
lp> I thought I had a good iptables firewall, but not good enough. Well
lp> anyway it took a couple of months before it happened-

But this time, install TripWire. It's damned good and will let you know
_exactly_ what was changed and when.

--
Jake Colman
Principia Partners LLC                    Phone: (201) 209-2467
Harborside Financial Center               Fax:   (201) 946-0320
902 Plaza Two                             E-mail: [EMAIL PROTECTED]
Jersey City, NJ 07311                     www.principiapartners.com
RE: Tonight I got hacked.
You are correct, sort of. While it's true nothing can initiate a connection
from the outside, a client on the inside can. It's not what you might think,
either. Yes, a trojan could do it, but Internet Explorer can as well. So too
can things like Gator and other spyware. Though for the most part you are
secure from root attacks by and large, be aware your clients within your lan
can initiate contact with the outside world and these connections can also
invite danger.

--- Original Message ---
From: Bill Holland <[EMAIL PROTECTED]>
To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
Sent: Thu, 17 Oct 2002 18:11:41 -0400
Subject: RE: Tonight I got hacked.

> If I have a little $60 Netgear router, and provide no services
> through it - do I have to worry about all this stuff? It's my
> understanding that no ports are being forwarded, so nothing can get
> through. Or am I mistaken?
>
> - bill
>
> -----Original Message-----
> From: Todd A. Jacobs [mailto:nospam@;codegnome.org]
> Sent: Thursday, October 17, 2002 4:30 PM
> To: RedHat List
> Subject: Re: Tonight I got hacked.
>
> [...]

--- End of Original Message ---
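Joe's point above, and Ed Wilts' earlier one, is that a NAT box with no forwarded ports is still exposed through whatever the LAN clients connect out to, and Bret mentioned having logcheck mail him what his firewalls see every day. The following is an added example, not code from the thread and not logcheck or logsentry: a small Python script that reads iptables LOG lines out of syslog and summarizes them the way a daily report would, listing outside hosts that probed several ports and inside hosts that opened connections to ports outside an expected set. It assumes the firewall logs inbound drops with --log-prefix "FW-IN:" and new outbound connections from the LAN with "FW-OUT:" (both assumed prefixes); the sample log lines and the list of expected outbound ports are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of what the iptables LOG target writes to /var/log/messages
# on a small Red Hat gateway. The prefixes FW-IN:/FW-OUT: are assumed values.
SAMPLE_LOG = """\
Oct 17 03:12:44 gw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.9 PROTO=TCP SPT=3342 DPT=21 SYN
Oct 17 03:12:45 gw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.9 PROTO=TCP SPT=3343 DPT=111 SYN
Oct 17 03:12:46 gw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.9 PROTO=TCP SPT=3344 DPT=22 SYN
Oct 17 03:12:47 gw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.9 PROTO=TCP SPT=3345 DPT=25 SYN
Oct 17 03:13:01 gw kernel: FW-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.50 PROTO=TCP SPT=1029 DPT=80 SYN
Oct 17 03:13:05 gw kernel: FW-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=192.0.2.77 PROTO=TCP SPT=1031 DPT=1214 SYN
Oct 17 03:13:09 gw kernel: FW-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=192.0.2.78 PROTO=TCP SPT=1032 DPT=1214 SYN
Oct 17 03:13:30 gw kernel: FW-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.12 DST=192.0.2.90 PROTO=TCP SPT=1040 DPT=6667 SYN
Oct 17 03:14:00 gw sshd[812]: Accepted publickey for bret from 192.168.1.12 port 1041 ssh2
"""

# Fields of a LOG line that matter here; everything between them is skipped.
LOG_RE = re.compile(
    r"kernel: (?P<prefix>\S+) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r".*?PROTO=(?P<proto>\S+)(?: SPT=\d+ DPT=(?P<dpt>\d+))?"
)

# Assumed policy: outbound destinations a small home LAN is expected to use.
EXPECTED_OUT = {"TCP/80", "TCP/443", "TCP/25", "TCP/110", "TCP/22", "UDP/53"}


def parse_fw_lines(text):
    """One dict per iptables LOG line; other syslog lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            e = m.groupdict()
            e["port"] = f"{e['proto']}/{e['dpt']}" if e["dpt"] else e["proto"]
            events.append(e)
    return events


def summarize(events, scan_threshold=3):
    """Outside hosts that hit at least scan_threshold distinct ports, and
    inside hosts that connected out to ports not in EXPECTED_OUT."""
    probed = defaultdict(set)
    outbound = []
    for e in events:
        if e["prefix"] == "FW-IN:":
            probed[e["src"]].add(e["port"])
        elif e["prefix"] == "FW-OUT:" and e["port"] not in EXPECTED_OUT:
            outbound.append((e["src"], e["dst"], e["port"]))
    scanners = {src: sorted(ports) for src, ports in probed.items()
                if len(ports) >= scan_threshold}
    return {"scanners": scanners, "unexpected_outbound": outbound}


def report(text):
    """Render the summary as the lines a daily mail would contain."""
    s = summarize(parse_fw_lines(text))
    lines = [f"probe from {src}: {len(ports)} ports ({', '.join(ports)})"
             for src, ports in s["scanners"].items()]
    per_host = defaultdict(set)
    for src, _dst, port in s["unexpected_outbound"]:
        per_host[src].add(port)
    counts = Counter(src for src, _, _ in s["unexpected_outbound"])
    for src, ports in per_host.items():
        lines.append(f"LAN host {src}: {counts[src]} unexpected outbound "
                     f"connections to {', '.join(sorted(ports))}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # Feed a real log with: python fwlog.py < /var/log/messages (assumed file name)
    print(report(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG))
```

The two outbound destinations that stand out in the sample (TCP/1214 and TCP/6667) are exactly the kind of connection a LAN client makes on its own without anyone attacking the gateway, which is what the "inside clients can initiate contact" warning is about; the inbound part shows the daily port banging Bret describes. The EXPECTED_OUT set is the part to adapt to your own LAN.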
Re: Tripwire (Re: Tonight I got hacked.)
> However if you have this _and_ are root _and_ have gained shell access
> you _can_ update the tripwire database after making your changes. The
> only thing a good sysop will notice, however, is the last modification
> time of the tripwire database, and that possibly some items it had in
> alert state are missing. I always change some file in /root _after_
> tripwire -u to have this "marker" in the notification list.

The Tripwire documentation suggests that the database be held on a floppy
which is then write-protected - should prevent a blackhat getting to it.

Just my 0.02 euros

>    >O     Ernest E. Vogelsinger
>    (\)    ICQ# 13394035
>     ^
Re: Tripwire (Re: Tonight I got hacked.)
At 09:25 18.10.2002, Thomas Ribbrock said:
[snip]
>On Thu, Oct 17, 2002 at 01:29:53PM -0700, Todd A. Jacobs wrote:
>[...]
>> - Install portsentry.
>> - Configure tripwire and READ the reports.
>> - Install logsentry and READ the reports.
>[...]
>
>The one thing I don't understand here is: How can these tools help against a
>dedicated cracker who will simply manipulate these tools once he has root
>access to the machine?? As far as I can see, *anything* that's *on* the
>machine itself is fair game once you have root access, is it not?
[snip]

root access is only half the way. Tripwire uses PGP security to generate a
hash on all monitored items, and keeps these hashes in its own database,
secured with PGP sign and encryption. You need at least the right PGP key to
unlock the database.

However if you have this _and_ are root _and_ have gained shell access you
_can_ update the tripwire database after making your changes. The only thing
a good sysop will notice, however, is the last modification time of the
tripwire database, and that possibly some items it had in alert state are
missing. I always change some file in /root _after_ tripwire -u to have this
"marker" in the notification list.

   >O     Ernest E. Vogelsinger
   (\)    ICQ# 13394035
    ^
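To make Ernest's answer to Thomas concrete (a keyed, signed baseline is of no use to someone who has root but not the key; with the key a rewrite is clean, and only the database's timestamp gives it away), here is an added example in Python. It is not Tripwire's code or its database format, just the same idea in miniature: a baseline of SHA-256 digests over a directory tree, stored with an HMAC under a key that is assumed to live off the host (Nick's write-protected floppy), and a check of the live tree against it. demo() runs the whole cycle on a constructed temporary tree: a clean check, a check after a simulated edit and a dropped file, and a check after the baseline has been rewritten by someone who does not have the key.

```python
import hashlib
import hmac
import json
import os
import stat
import tempfile
import time


def file_digest(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Digest, permission bits and size of every regular file under root."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files are skipped here
            entries[os.path.relpath(path, root)] = {
                "sha256": file_digest(path),
                "mode": oct(stat.S_IMODE(st.st_mode)),
                "size": st.st_size,
            }
    return entries


def write_db(db_path, entries, key):
    """Serialize the baseline and sign it with an HMAC under key."""
    body = json.dumps({"created": time.time(), "files": entries}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    with open(db_path, "w") as f:
        json.dump({"body": body, "hmac": tag}, f)


def read_db(db_path, key):
    """Refuse a baseline whose HMAC does not verify: rewritten without the key."""
    with open(db_path) as f:
        wrapped = json.load(f)
    expected = hmac.new(key, wrapped["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, wrapped["hmac"]):
        raise ValueError("baseline failed HMAC check: tampered or wrong key")
    return json.loads(wrapped["body"])


def check(root, db_path, key):
    """Report files added, removed or changed relative to the signed baseline."""
    baseline = read_db(db_path, key)["files"]
    current = snapshot(root)
    both = set(current) & set(baseline)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in both if current[p] != baseline[p]),
    }


def _put(path, text, mode="w"):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode) as f:
        f.write(text)


def demo():
    """Baseline, simulated intrusion, and a cover-up attempt on a constructed tree."""
    key = os.urandom(32)  # in practice kept off the monitored host
    with tempfile.TemporaryDirectory() as tmp:
        root, db = os.path.join(tmp, "etc"), os.path.join(tmp, "baseline.db")
        _put(os.path.join(root, "passwd"), "root:x:0:0:root:/root:/bin/bash\n")
        _put(os.path.join(root, "rc.d", "rc.local"), "#!/bin/sh\ntouch /var/lock/subsys/local\n")
        write_db(db, snapshot(root), key)
        clean = check(root, db, key)
        # Simulated intruder: an edited boot script and a dropped extra file.
        _put(os.path.join(root, "rc.d", "rc.local"), "# edited\n", mode="a")
        _put(os.path.join(root, "rc.d", "rc.extra"), "#!/bin/sh\n")
        dirty = check(root, db, key)
        # Simulated cover-up: rewrite the baseline body without knowing the key.
        with open(db) as f:
            wrapped = json.load(f)
        body = json.loads(wrapped["body"])
        body["files"] = snapshot(root)
        wrapped["body"] = json.dumps(body, sort_keys=True)
        with open(db, "w") as f:
            json.dump(wrapped, f)
        try:
            check(root, db, key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return {"clean": clean, "dirty": dirty, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The last step of demo() is the case Thomas was asking about: root can rewrite the database file, but without the key the rewritten copy no longer verifies, so the next check fails loudly instead of quietly reporting a clean system. If the key is on the box as well, the same rewrite verifies fine, which is Ernest's point and the reason the key and the database belong on read-only or offline media.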
RE: Tonight I got hacked.
ditch the wu-ftpd and use VSFTPD.

MHO

-matt chapman

-----Original Message-----
From: Eric Wood [mailto:eric@;interplas.com]
Sent: Thu 10/17/2002 8:58 AM
To: [EMAIL PROTECTED]
Cc:
Subject: Re: Tonight I got hacked.

Look, you're asking us for help and if you can't put any time into it then
why are you here?

Anyway, I will say that I believe I got hacked while running wu-ftpd on RH
7.3. wu-ftpd makes the second time on two different versions of RH. I'll
never use wu-ftpd again.

-eric wood

----- Original Message -----
From: linux power <mailto:linuxpower2002@;yahoo.no>

Are you sure? I have no time to experiment.
RE: Tonight I got hacked.
If I have a little $60 Netgear router, and provide no services through it -
do I have to worry about all this stuff? It's my understanding that no ports
are being forwarded, so nothing can get through. Or am I mistaken?

- bill

-----Original Message-----
From: Todd A. Jacobs [mailto:nospam@;codegnome.org]
Sent: Thursday, October 17, 2002 4:30 PM
To: RedHat List
Subject: Re: Tonight I got hacked.

On Thu, 17 Oct 2002, linux power wrote:

> I thought I had a good iptables firewall, but not good enough. Well
> anyway it took a couple of months before it happened-

A firewall is insufficient in and of itself. All a firewall does is allow
or block access to certain ports. It doesn't control what kind of traffic
flows through those sockets: that's up to the application or its
application-layer proxy to sort out.

If you want your system to be secure, you need to install a firewall of
course, but you also need to disable unnecessary services, tighten access
controls, limit privilege, monitor log files, and many other tasks.
"Security is a process, not a product."

I don't think it's been updated for psyche yet, but take a look at the
bastille hardening scripts and see what you can learn. At a minimum, you
should:

- Only install packages you know you'll need. Avoid "everything plus the
  kitchen sink" installs.
- Use ntsysv to remove services you don't use or understand.
- Make heavy use of /etc/hosts.deny and /etc/hosts.allow to restrict
  access.
- Disable xinetd unless you *really* need it. If you do, disable any of
  its child services that you don't explicitly need.
- Install portsentry.
- Configure tripwire and READ the reports.
- Install logsentry and READ the reports.

Switching to Windows will not solve your problem, since Windows has even
more exploits than Linux and is much harder to secure and monitor. And
even if you choose to do so, the list of tasks isn't really all that
different: lock it down, and then monitor, monitor, monitor.

There is no quick fix for security. If you insist on looking for one, you
*will* get hacked again, regardless of the OS you choose to use.

--
"The only thing that helps me maintain my slender grip on reality is the
friendship I share with my collection of singing potatoes."

- Holly, JMC Vessel *Red Dwarf*
Re: Tonight I got hacked.
From: "Robert P. J. Day" <[EMAIL PROTECTED]>
> i'm pretty sure that i read somewhere that, while wu-ftpd
> still ships with red hat 8.0, vsftpd is now the recommended
> server. can anyone clarify this?

wu-ftpd is widely used (or was..) I suppose that that's the reason RH still
ships it in its distributions.. but wu-ftpd is very fond of bugs, I would
never use it!!!

as I said in a previous mail, vsftpd is very good, very light weight, and
it's the one RH uses on its ftp servers

maybe it lacks many features other ftpd's have, but it's good anyway

regards,
juaid
RE: Tonight I got hacked.
Red Hat 8 does ship with both vsftpd and wu-ftpd, but will not install the
latter by default. I considered using vsftpd on my RH 7.2 box at home-
according to the site, SANS and IBM have sung its praises as well, but
twoftpd has been working wonderfully for me so far, and I get thousands of
requests daily from my fellow Class-B and C'ers searching for holes in web,
mail, or ftp software... no luck, you measly script-kiddies. :)

RTM

-----Original Message-----
From: Robert P. J. Day [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 17, 2002 11:26 AM
To: [EMAIL PROTECTED]
Subject: Re: Tonight I got hacked.

On Thu, 17 Oct 2002, Joe Giles wrote:

> I use ProFTP and I have had pretty good results.

i'm pretty sure that i read somewhere that, while wu-ftpd still ships with
red hat 8.0, vsftpd is now the recommended server. can anyone clarify this?

rday
Re: Tonight I got hacked.
On 10/17/02 6:18 AM, "Thomas Ribbrock" <[EMAIL PROTECTED]> wrote:

> On Thu, Oct 17, 2002 at 11:55:06AM +0200, linux power wrote:
>>
>> Will you go through all the system scripts and find out which has been
>> changed?
>> If you think you are so damn good so tell me what to do?
>
> That's *very* simple: Save your personal data, wipe the drive and reinstall.
> Once the machine was hacked, there is *no* (and I mean *no*) other way, as
> there is *no* way to know exactly what has been changed.
>
> What's even *more* important is to think about what went wrong, e.g.: Were
> you up-to-date with all updates issued from Red Hat? What ports were open?
> Which services running? How was your firewall set up (if you had one)?
> Things like that might be important for the future.
>
> Cheerio,
>
> Thomas

I know the pain of a security breach. Even worse is the realization that it
was probably some kid that had no idea what they were really doing, just
following some instructions they got on irc and using someone else's
programs.

The reality is, that nothing is secure, unless you pull that Ethernet cable
out of the wall. Switching back to XP is your prerogative, but, your chances
of a future breach are actually higher with it.

Lock down your system, learn about firewalls, learn about NIDS, learn about
apps like Tripwire, keep your system patched all the time as soon as you
hear about a patch. These things will not secure you 100%, but they raise
the bar past script kiddies at least.

This is my technique. Someone has to be very good to hack a system that is
carefully set up and maintained. This by default means the numbers of people
with that level of skill are few. So, you have to consider why someone at
that level would attack you and to what end? If someone can achieve root
almost anywhere at anytime, there are far more interesting things to do I am
sure. Plus, guys (and girls) with that level of skill are not trolling
around port scanning ip addresses hoping to find some weakness. So, chances
are they will never come to your computer.

I guess what I am trying to say is, don't be disheartened by a breach. If
anything, it's like getting your stripes... At least one of them anyways :-)
Re: Tonight I got hacked.
On Thu, Oct 17, 2002 at 01:42:25PM +0200, linux power wrote:
>
> Well. The problem is that they have attempted to do so several times.
> And it's not done by a school child. My iptables firewall is too good for that.

Do you have any idea where they got in? If you had a working firewall, the
only way in would have been a broken service somewhere (short of a trojan,
that is) - did you have anything running on that box? Mail? Webserver?

Cheerio,

Thomas

--
http://www.netmeister.org/news/learn2quote.html
...'cause only lusers quote signatures!
Thomas Ribbrock | http://www.ribbrock.org | ICQ#: 15839919
"You have to live on the edge of reality - to make your dreams come true!"
Re: Tonight I got hacked.
On Thu, Oct 17, 2002 at 01:06:41PM +0200, linux power wrote:
> Are you sure? I have no time to experiment.

It's damn good at telling you if something in your system has been changed.
But it only works if you configure it from a known sane state, so the
tripwire system recognizes how your system is "supposed" to be.

The idea of having a second small system serving as a firewall is very
helpful. My advice here would be:

1. Install new firewall system, but keep it offline.
2. Download all errata which apply to said system on a second machine.
3. Apply these errata (You can use a CD to take them to the new system).
4. Configure your system to your heart's content, specially the iptables
   rules and tripwire.
5. Back it up in offline media!!!
6. Get it online, register it to RHN and setup a cron job to apply all
   errata on a daily basis.
7. check the systems logs regularly. Firewalls are not plug'n'forget
   devices.

This should get you a long way beyond your unfriendly neighborhood script
kiddie, and in case of an incident, you can always restore from the backup
you made saving yourself the trouble of reconfiguring the firewall again.

Cheers,

--
Javier Gostling
Systems Engineer
Virtualia S.A.
[EMAIL PROTECTED]
Phone: +56 (2) 202-6264 x 130
Fax: +56 (2) 342-8763
Av. Kennedy 5757, of 1502
Las Condes
Santiago
Chile
Re: Tonight I got hacked.
No firewall is perfect. I've been hacked. One of the most important things
you can do right now (if you haven't already re-installed) is to try to
learn the point of entry (what was hacked). For me it was rpc.statd. I
found a non-root user with UID 0 one day, and realized what had been done.

If you send more info about what you had running perhaps we can assist in
figuring it out? How did you find out you'd been hacked? Were there any new
users in /etc/passwd?

+++ linux power [RedHat] [Thu, Oct 17, 2002 at 01:42:25PM +0200]:
>
> Well. The problem is that they have attempted to do so several times.
> And it's not done by a school child. My iptables firewall is too good for that.
>
> Mitchell Wright <[EMAIL PROTECTED]> wrote:
> On 10/17/02 6:18 AM, "Thomas Ribbrock" wrote:
>
> > On Thu, Oct 17, 2002 at 11:55:06AM +0200, linux power wrote:
> > [...]
>
> [...]

--
// Andrew MacKenzie  |  http://www.edespot.com
// Your system which soared
// So freely on gliding wings
// now hangs, frozen and blue
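Andrew's UID 0 account, Thomas's "what ports were open, which services running", Todd's "remove services you don't use or understand" and Bret's ssh settings (protocol 2, key required, no root login) are all things that can be checked mechanically after a reinstall rather than remembered. The following is an added example, not code from the thread and not Bastille: a Python audit that parses netstat -tlnp output, /etc/passwd and sshd_config, and reports network-reachable listeners that are not on an allow list, UID 0 accounts other than root, and ssh settings that differ from what Bret runs. The netstat output, the passwd lines, the sshd_config excerpt and the allow list are all constructed for the example; point the functions at real files and real netstat output to use it for real.

```python
# Constructed samples standing in for `netstat -tlnp`, /etc/passwd and
# /etc/ssh/sshd_config on a freshly reinstalled box; none of it is from the thread.
NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      512/portmap
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      701/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      760/sendmail
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      688/xinetd
"""

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
bret:x:500:500::/home/bret:/bin/bash
toor:x:0:0::/:/bin/bash
"""

SSHD_CONFIG = """\
# constructed sshd_config excerpt
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

# Assumed local policy: the only service this host offers to the network is ssh.
ALLOWED_PORTS = {22}
# Protocol 2, no root login, keys instead of passwords (real sshd_config keywords).
SSHD_WANTED = {"Protocol": "2", "PermitRootLogin": "no", "PasswordAuthentication": "no"}


def parse_listeners(text):
    """Turn `netstat -tlnp` (or -ulnp) output into dicts; header lines are skipped."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].startswith(("tcp", "udp")):
            continue
        addr, port = parts[3].rsplit(":", 1)
        prog = parts[-1].split("/", 1)[1] if "/" in parts[-1] else "unknown"
        listeners.append({"proto": parts[0], "addr": addr, "port": int(port), "prog": prog})
    return listeners


def audit_listeners(listeners, allowed=ALLOWED_PORTS):
    """Flag every socket reachable from the network that policy does not cover;
    loopback-only listeners are left alone."""
    findings = []
    for l in listeners:
        if l["addr"] in ("127.0.0.1", "::1") or l["port"] in allowed:
            continue
        findings.append(f"{l['proto']} {l['addr']}:{l['port']} ({l['prog']}) "
                        "is listening but not in policy")
    return findings


def audit_passwd(text):
    """Names of UID 0 accounts other than root: a classic post-compromise artifact."""
    hits = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            hits.append(fields[0])
    return hits


def audit_sshd_config(text, wanted=SSHD_WANTED):
    """Report sshd_config keywords whose effective value differs from wanted."""
    seen = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            seen.setdefault(key, value.strip())  # sshd honours the first occurrence
    return [f"sshd_config: {k} is {seen.get(k, 'unset')}, want {v}"
            for k, v in wanted.items() if seen.get(k) != v]


def run_audit(netstat=NETSTAT, passwd=PASSWD, sshd_config=SSHD_CONFIG):
    """All three checks on the given text; defaults are the constructed samples."""
    return {
        "listeners": audit_listeners(parse_listeners(netstat)),
        "uid0_accounts": audit_passwd(passwd),
        "sshd": audit_sshd_config(sshd_config),
    }


if __name__ == "__main__":
    for section, findings in run_audit().items():
        print(section + ":", *(findings or ["ok"]), sep="\n  ")
```

On the sample data the audit flags portmap and the xinetd-managed ftp listener (sendmail bound to loopback is left alone), the second UID 0 account "toor", and all three ssh settings. An empty result from each section is the state to aim for before the box goes back online.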
Re: Tonight I got hacked.
Same here. Ramen anyone?

--- Original Message ---
From: "Eric Wood" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thu, 17 Oct 2002 08:58:32 -0400
Subject: Re: Tonight I got hacked.

> Look, you're asking us for help and if you can't put any time into
> it then why are you here?
>
> Anyway, I will say that I believe I got hacked while running wu-ftpd
> on RH 7.3. wu-ftpd makes the second time on two different versions
> of RH. I'll never use wu-ftpd again.
>
> -eric wood
>
> ----- Original Message -----
> From: linux power
>
> Are you sure? I have no time to experiment.

--- End of Original Message ---
Re: Tonight I got hacked.
I did not see this come through and since I took the time to write I dug it
out of my sent folder and here it is. BTW my maillog shows it was sent ok
to mx1.redhat.com at 9:52. Oh well.

Bret

On Thu, 2002-10-17 at 09:47, Bret Hughes wrote:
> On Thu, 2002-10-17 at 06:42, linux power wrote:
> >
> > Well. The problem is that they have attempted to do so several times.
> > And it's not done by a school child. My iptables firewall is too good for that.
>
> I have to say something here. With this attitude you will probably get
> nailed again. You have been given some very sound advice from some very
> experienced users but in spite of that you seem to think that an iptables
> firewall should be enough. I submit that by definition it is not or we
> would not be having this conversation.
>
> I was hacked on my home firewall a couple of years ago because I had an
> old version of sendmail running. I did not even know it was running, so
> I did not bother to update it.
>
> I am a firm believer in dedicated firewall machines as you mentioned.
> The one at my house is a P90 IBM box I got off ebay a couple of years
> ago for < $90 shipping included.
>
> I now run tripwire, portsentry and have logcheck send me emails from the
> 5 firewalls I currently maintain and can tell you that each of these
> boxes get banged on daily on numerous ports. I subscribe to several
> security lists so hopefully I become aware of exploits early and can
> take corrective action. I not only disable but rpm -e anything that I
> think I can get along without. I only run ssh with protocol 2, dsa key
> required and no root login. Certainly no email, ftp, X, chat server or
> any of that sort of stuff.
>
> There is probably more I could do and will as I continue to learn about
> this morass called computer security. Really wading into this stuff is
> a great way to learn about the internals of the os and the various
> services and protocols that they run on.
>
> up2date is a good service as is subscribing to lists like the
> redhat-watch, linux-security and a few others I can't think of right now.
>
> In case you missed the point, good security is multi-layered. There are
> a number of good security howtos out there I suggest you read a few.
>
> An old mentor of mine told me on several occasions that if you keep
> hearing the same thing from different sources you should probably pay
> attention. Sound advice IMNSHO.
>
>
> HTH
>
> Bret
Re: Tonight I got hacked.
Regardless of how up2date your system is, it can be exploited if not secured. You say your fw was tight. What did you have open? Were you serving ftp or some other service?

I've been hacked, and yes, as someone has pointed out, it's like earning your stripes. Then again, the other day I thought I'd been hacked when in fact it was a problem with mod_ssl. Take some time and dig. Get a LIDS package. Use products like Tripwire. You'll know if a lot has changed at least, and what. Run chkrootkit occasionally to see if, and what, rootkit may have been loaded. Yes these are reactive but at least you'll learn.

If you have only a few services open (ports) then you narrow down the possibilities. You can't wu-ftp exploit a server that doesn't serve ftp for instance. Try to find hardened alternatives to services where possible.

Don't be too discouraged. Reinstall Linux, tighten it up even more, learn and adapt. At least with linux you see the anomalies. In Windows you're likely to not know you're hacked until files go missing.

-- Original Message ---
From: linux power <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Sent: Thu, 17 Oct 2002 13:42:25 +0200 (CEST)
Subject: Re: Tonight I got hacked.

> Well. The problem is that they have attempted to do so several times.
> And it's not done by a school child. My iptables firewall is too good
> for that.
>
> Mitchell Wright <[EMAIL PROTECTED]> wrote: On 10/17/02 6:18 AM, "Thomas Ribbrock" wrote:
> >
> > > On Thu, Oct 17, 2002 at 11:55:06AM +0200, linux power wrote:
> > >>
> > >> Will you go through all the system scripts and find out which has been
> > >> changed?
> > >> If you think you are so damn good so tell me what to do?
> > >
> > > That's *very* simple: Save your personal data, wipe the drive and reinstall.
> > > Once the machine was hacked, there is *no* (and I mean *no*) other way, as
> > > there is *no* way to know exactly what has been changed.
> > >
> > > What's even *more* important is to think about what went wrong, e.g.: Were
> > > you up-to-date with all updates issued from Red Hat? What ports were open?
> > > Which services running? How was your firewall set up (if you had one)?
> > > Things like that might be important for the future.
> > >
> > > Cheerio,
> > >
> > > Thomas
> >
> > I know the pain of a security breach. Even worse is the realization
> > that it was probably some kid that had no idea what they were really
> > doing, just following some instructions they got on irc and using
> > someone else's programs.
> >
> > The reality is, that nothing is secure, unless you pull that
> > Ethernet cable out of the wall. Switching back to XP is your
> > prerogative, but, your chances of a future breach are actually
> > higher with it.
> >
> > Lock down your system, learn about firewalls, learn about NIDS,
> > learn about apps like Tripwire, keep your system patched all the
> > time as soon as you hear about a patch. These things will not secure
> > you 100%, but they raise the bar past script kiddies at least.
> >
> > This is my technique. Someone has to be very good to hack a system
> > that is carefully set up and maintained. This by default means the
> > numbers of people with that level of skill are few. So, you have to
> > consider why someone at that level would attack you and to what end?
> > If someone can achieve root almost anywhere at anytime, there are
> > far more interesting things to do I am sure. Plus, guys (and girls)
> > with that level of skill are not trolling around port scanning ip
> > addresses hoping to find some weakness. So, chances are they will
> > never come to your computer.
> >
> > I guess what I am trying to say is, don't be disheartened by a
> > breach. If anything, it's like getting your stripes... At least one
> > of them anyways :-)
--- End of Original Message ---
Re: Tonight I got hacked.
On Thu, 17 Oct 2002, linux power wrote:

> I thought I had a good iptables firewall, but not good enough. Well
> anyway it took a couple of months before it happened-

A firewall is insufficient in and of itself. All a firewall does is allow or block access to certain ports. It doesn't control what kind of traffic flows through those sockets: that's up to the application or its application-layer proxy to sort out.

If you want your system to be secure, you need to install a firewall of course, but you also need to disable unnecessary services, tighten access controls, limit privilege, monitor log files, and many other tasks. "Security is a process, not a product."

I don't think it's been updated for psyche yet, but take a look at the bastille hardening scripts and see what you can learn. At a minimum, you should:

- Only install packages you know you'll need. Avoid "everything plus the kitchen sink" installs.
- Use ntsysv to remove services you don't use or understand.
- Make heavy use of /etc/hosts.deny and /etc/hosts.allow to restrict access.
- Disable xinetd unless you *really* need it. If you do, disable any of its child services that you don't explicitly need.
- Install portsentry.
- Configure tripwire and READ the reports.
- Install logsentry and READ the reports.

Switching to Windows will not solve your problem, since Windows has even more exploits than Linux and is much harder to secure and monitor. And even if you choose to do so, the list of tasks isn't really all that different: lock it down, and then monitor, monitor, monitor.

There is no quick fix for security. If you insist on looking for one, you *will* get hacked again, regardless of the OS you choose to use.

--
"The only thing that helps me maintain my slender grip on reality is the friendship I share with my collection of singing potatoes."
- Holly, JMC Vessel *Red Dwarf*
Re: Tonight I got hacked.
Look, you're asking us for help and if you can't put any time into it then why are you here?

Anyway, I will say that I believe I got hacked while running wu-ftpd on RH 7.3. wu-ftpd makes the second time on two different versions of RH. I'll never use wu-ftpd again.

-eric wood

- Original Message -
From: linux power

Are you sure? I have no time to experiment.
Re: Tonight I got hacked.
Thanks for the hints. I have run up2date and at least updated the kernel, iptables and a few other packages. But still I can't turn the firewall logging on. That means I have in my rules, when testing for bad flags, a log instruction that logs bad-flag combinations 15 times a minute. Here I must give the --log-prefix /var/log/badflags. And that worked before I got hacked, but afterwards I get this log warning about the prefix as if the path to the logfile is not valid.

"Todd A. Jacobs" <[EMAIL PROTECTED]> wrote:
> On Thu, 17 Oct 2002, linux power wrote:
>
> > I thought I had a good iptables firewall, but not good enough. Well
> > anyway it took a couple of months before it happened-
>
> A firewall is insufficient in and of itself. All a firewall does is allow or block access to certain ports. It doesn't control what kind of traffic flows through those sockets: that's up to the application or its application-layer proxy to sort out.
>
> If you want your system to be secure, you need to install a firewall of course, but you also need to disable unnecessary services, tighten access controls, limit privilege, monitor log files, and many other tasks. "Security is a process, not a product."
>
> I don't think it's been updated for psyche yet, but take a look at the bastille hardening scripts and see what you can learn. At a minimum, you should:
>
> - Only install packages you know you'll need. Avoid "everything plus the kitchen sink" installs.
> - Use ntsysv to remove services you don't use or understand.
> - Make heavy use of /etc/hosts.deny and /etc/hosts.allow to restrict access.
> - Disable xinetd unless you *really* need it. If you do, disable any of its child services that you don't explicitly need.
> - Install portsentry.
> - Configure tripwire and READ the reports.
> - Install logsentry and READ the reports.
>
> Switching to Windows will not solve your problem, since Windows has even more exploits than Linux and is much harder to secure and monitor. And even if you choose to do so, the list of tasks isn't really all that different: lock it down, and then monitor, monitor, monitor.
>
> There is no quick fix for security. If you insist on looking for one, you *will* get hacked again, regardless of the OS you choose to use.
>
> --
> "The only thing that helps me maintain my slender grip on reality is the friendship I share with my collection of singing potatoes."
> - Holly, JMC Vessel *Red Dwarf*

http://home.no.net/~knutove/knut_ove_hauge_kuren.htm
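A note on what the iptables LOG target actually does, with an added example that is not from this thread or from any of the posters: `--log-prefix` is a tag that the kernel writes in front of each logged packet line, and the lines go through syslog to wherever `kern.*` messages are routed (on Red Hat of that era, /var/log/messages). It is not a path to a log file, and iptables rejects a prefix longer than 29 characters. The Python below builds a rate-limited bad-flags rule (15 matches a minute, as in the post) and then shows the other half of the job, reading the tagged lines back and summarizing which sources probed which ports. The kernel log lines are constructed for the example and use documentation address ranges.

```python
import re
from collections import Counter, defaultdict

TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")
MAX_PREFIX = 29  # iptables rejects a --log-prefix longer than this

# Kernel log lines in the shape the iptables LOG target produces. Constructed
# for this example; the addresses are from the documentation ranges.
SAMPLE_LOG = """\
Oct 17 03:12:45 fw kernel: badflags: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 PROTO=TCP SPT=33012 DPT=21 WINDOW=0 RES=0x00 FIN URG PSH
Oct 17 03:12:46 fw kernel: badflags: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 PROTO=TCP SPT=33013 DPT=22 WINDOW=0 RES=0x00 FIN URG PSH
Oct 17 03:12:47 fw kernel: badflags: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 PROTO=TCP SPT=4444 DPT=80 WINDOW=0 RES=0x00 SYN FIN
Oct 17 03:13:01 fw kernel: martian source 192.0.2.10 from 10.0.0.1, on dev eth0
Oct 17 03:13:05 fw kernel: badflags: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 PROTO=TCP SPT=33014 DPT=23 WINDOW=0 RES=0x00 FIN URG PSH
"""


def log_rule(prefix, chain="INPUT", flags="FIN,URG,PSH", rate="15/minute"):
    """Return the iptables command that tags packets carrying an illegal flag
    combination in the kernel log, rate-limited so a scan cannot flood syslog.

    The prefix is a string syslog keeps in front of the message, not a file
    name: the lines land wherever syslog routes kern.* messages."""
    if len(prefix) > MAX_PREFIX:
        raise ValueError(f"--log-prefix longer than {MAX_PREFIX} characters")
    return (f"iptables -A {chain} -p tcp --tcp-flags ALL {flags} "
            f"-m limit --limit {rate} -j LOG --log-prefix \"{prefix}\"")


def parse_log_line(line, prefix):
    """Pick the packet fields out of one tagged kernel log line; None when the
    line does not carry our prefix (other kernel messages share the log)."""
    m = re.search(r"kernel: " + re.escape(prefix) + r"(.*)$", line)
    if not m:
        return None
    rest = m.group(1)
    fields = dict(re.findall(r"([A-Z]+)=(\S*)", rest))
    return {
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
        # TCP flags appear as bare tokens after the key=value fields
        "flags": [tok for tok in rest.split() if tok in TCP_FLAGS],
    }


def summarize(log_text, prefix):
    """Count tagged packets per source and list the destination ports each
    source touched: a quick view of who is probing what."""
    hits = [p for p in (parse_log_line(ln, prefix) for ln in log_text.splitlines()) if p]
    by_src = Counter(h["src"] for h in hits)
    ports = defaultdict(set)
    for h in hits:
        ports[h["src"]].add(h["dport"])
    return {"hits": len(hits),
            "by_src": dict(by_src),
            "ports_by_src": {s: sorted(p) for s, p in ports.items()}}


if __name__ == "__main__":
    print(log_rule("badflags: "))
    for src, dports in summarize(SAMPLE_LOG, "badflags: ")["ports_by_src"].items():
        print(f"{src}: ports {dports}")
```

The summary is the part worth reading daily, which is the point the other replies make about logcheck and logsentry: a single source walking ports 21, 22 and 23 with FIN/URG/PSH set is a scan, and the rate limit keeps that scan from drowning the rest of /var/log/messages.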
Tripwire (Re: Tonight I got hacked.)
On Thu, Oct 17, 2002 at 01:29:53PM -0700, Todd A. Jacobs wrote:
[...]
> - Install portsentry.
> - Configure tripwire and READ the reports.
> - Install logsentry and READ the reports.
[...]

The one thing I don't understand here is: How can these tools help against a dedicated cracker who will simply manipulate these tools once he has root access to the machine?? As far as I can see, *anything* that's *on* the machine itself is fair game once you have root access, is it not?

Cheerio,

Thomas
--
http://www.netmeister.org/news/learn2quote.html ...'cause only lusers quote signatures!
Thomas Ribbrock | http://www.ribbrock.org | ICQ#: 15839919
"You have to live on the edge of reality - to make your dreams come true!"
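Thomas's objection is the right one, and the usual answer is to keep the reference data and the checker out of the intruder's reach: Tripwire signs its database with a key, and a check you fully trust runs from known-good boot media against a baseline stored off the host or on read-only media. The Python below is an added example, not Tripwire's or aide's code. It hashes a file tree, diffs two baselines, and HMAC-tags the stored baseline under a key that is assumed to live off the host, so a baseline regenerated by whoever got root fails verification even though the file contents it describes are "correct". The file tree, the file contents and the key are constructed for the example.

```python
import hashlib
import hmac
import json
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record hash, size and permission bits of every regular file under root."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            baseline[os.path.relpath(full, root)] = {
                "sha256": file_digest(full),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return baseline


def compare(old, new):
    """Classify every path as added, removed or modified between two baselines."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}


def seal(baseline, key):
    """Serialise the baseline and tag it with an HMAC under a key kept off the host."""
    body = json.dumps(baseline, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def unseal(body, tag, key):
    """Refuse a baseline whose tag does not verify: it was rewritten or the key is wrong."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("baseline does not verify")
    return json.loads(body)


def demo():
    """Constructed scenario: baseline a small tree, then an intruder with root
    replaces a binary with one of the same size, drops a file, and regenerates
    the on-host baseline so a naive re-check would report nothing."""
    key = b"constructed-demo-key-stored-off-host"
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"original ls binary")
        with open(os.path.join(root, "inittab"), "wb") as f:
            f.write(b"id:3:initdefault:\n")
        body, tag = seal(build_baseline(root), key)  # this copy is kept off the host

        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"replaced ls binary")  # same size, different hash
        with open(os.path.join(root, "bin", "dropped-tool"), "wb") as f:
            f.write(b"...")
        # The intruder rewrites the baseline on disk; without the key there is
        # no valid tag for the forged copy, so the off-host copy is the one used.
        forged = json.dumps(build_baseline(root), sort_keys=True).encode()
        try:
            unseal(forged, tag, key)
            forged_accepted = True
        except ValueError:
            forged_accepted = False

        report = compare(unseal(body, tag, key), build_baseline(root))
    return report, forged_accepted


if __name__ == "__main__":
    print(demo())
```

The size check alone would have missed the swapped binary; the hash catches it. What the example cannot fix is the checker itself or the kernel it runs on, which is why the check worth trusting after a suspected break-in is the one run from separate, known-good media, and why the other replies still end at "wipe and reinstall".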
RE: Tonight I got hacked.
It happened when a client machine was connected to KaZaa through the Linux server and stored data on the server.

Joe Polk <[EMAIL PROTECTED]> wrote:
You are correct, sort of. While it's true nothing can initiate a connection from the outside, a client on the inside can. It's not what you might think, either. Yes, a trojan could do it, but Internet Explorer can as well. So too can things like Gator and other spyware. Though for the most part you are secure from root attacks by and large, be aware your clients within your lan can initiate contact with the outside world and these connections can also invite danger.

-- Original Message ---
From: Bill Holland <[EMAIL PROTECTED]>
To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
Sent: Thu, 17 Oct 2002 18:11:41 -0400
Subject: RE: Tonight I got hacked.

> If I have a little $60 Netgear router, and provide no services
> through it - do I have to worry about all this stuff? It's my
> understanding that no ports are being forwarded, so nothing can get
> through. Or am I mistaken?
>
> - bill
>
> -Original Message-
> From: Todd A. Jacobs [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, October 17, 2002 4:30 PM
> To: RedHat List
> Subject: Re: Tonight I got hacked.
>
> On Thu, 17 Oct 2002, linux power wrote:
>
> > I thought I had a good iptables firewall, but not good enough. Well
> > anyway it took a couple of months before it happened-
>
> A firewall is insufficient in and of itself. All a firewall does is
> allow or block access to certain ports. It doesn't control what kind
> of traffic flows through those sockets: that's up to the application
> or its application-layer proxy to sort out.
>
> If you want your system to be secure, you need to install a firewall
> of course, but you also need to disable unnecessary services,
> tighten access controls, limit privilege, monitor log files, and
> many other tasks. "Security is a process, not a product."
>
> I don't think it's been updated for psyche yet, but take a look at
> the bastille hardening scripts and see what you can learn. At a
> minimum, you should:
>
> - Only install packages you know you'll need. Avoid "everything plus
> the kitchen sink" installs.
> - Use ntsysv to remove services you don't use or understand.
> - Make heavy use of /etc/hosts.deny and /etc/hosts.allow to restrict
> access.
> - Disable xinetd unless you *really* need it. If you do, disable
> any of its child services that you don't explicitly need.
> - Install portsentry.
> - Configure tripwire and READ the reports.
> - Install logsentry and READ the reports.
>
> Switching to Windows will not solve your problem, since Windows has
> even more exploits than Linux and is much harder to secure and
> monitor. And even if you choose to do so, the list of tasks isn't
> really all that different: lock it down, and then monitor, monitor, monitor.
>
> There is no quick fix for security. If you insist on looking for one,
> you *will* get hacked again, regardless of the OS you choose to use.
>
> --
> "The only thing that helps me maintain my slender grip on reality is
> the friendship I share with my collection of singing potatoes."
>
> - Holly, JMC Vessel *Red Dwarf*
--- End of Original Message ---

http://home.no.net/~knutove/knut_ove_hauge_kuren.htm
Re: Tonight I got hacked.
On Thu, Oct 17, 2002 at 11:55:06AM +0200, linux power wrote:
>
> Will you go through all the system scripts and find out which has been changed?
> If you think you are so damn good so tell me what to do?

That's *very* simple: Save your personal data, wipe the drive and reinstall. Once the machine was hacked, there is *no* (and I mean *no*) other way, as there is *no* way to know exactly what has been changed.

What's even *more* important is to think about what went wrong, e.g.: Were you up-to-date with all updates issued from Red Hat? What ports were open? Which services running? How was your firewall set up (if you had one)? Things like that might be important for the future.

Cheerio,

Thomas
--
http://www.netmeister.org/news/learn2quote.html ...'cause only lusers quote signatures!
Thomas Ribbrock | http://www.ribbrock.org | ICQ#: 15839919
"You have to live on the edge of reality - to make your dreams come true!"
Re: Tonight I got hacked.
On Thu, Oct 17, 2002 at 11:38:19AM +0200, linux power wrote:
>
> Tonight I finally got hacked.

If your system was kept up to date, you would be the first report I've seen of someone getting hacked. It's critical for all Internet-accessible servers to be kept current with OS patches. Red Hat provides for a *free* up2date service. You absolutely must use it or an equivalent service to keep your packages current.

--
Ed Wilts, Mounds View, MN, USA
mailto:ewilts@;ewilts.org
Member #1, Red Hat Community Ambassador Program
Re: Tonight I got hacked.
Well. The problem is that they have attempted to do so several times. And it's not done by a school child. My iptables firewall is too good for that.

Mitchell Wright <[EMAIL PROTECTED]> wrote:
On 10/17/02 6:18 AM, "Thomas Ribbrock" <[EMAIL PROTECTED]> wrote:

> On Thu, Oct 17, 2002 at 11:55:06AM +0200, linux power wrote:
>>
>> Will you go through all the system scripts and find out which has been
>> changed?
>> If you think you are so damn good so tell me what to do?
>
> That's *very* simple: Save your personal data, wipe the drive and reinstall.
> Once the machine was hacked, there is *no* (and I mean *no*) other way, as
> there is *no* way to know exactly what has been changed.
>
> What's even *more* important is to think about what went wrong, e.g.: Were
> you up-to-date with all updates issued from Red Hat? What ports were open?
> Which services running? How was your firewall set up (if you had one)?
> Things like that might be important for the future.
>
> Cheerio,
>
> Thomas

I know the pain of a security breach. Even worse is the realization that it was probably some kid that had no idea what they were really doing, just following some instructions they got on irc and using someone else's programs.

The reality is, that nothing is secure, unless you pull that Ethernet cable out of the wall. Switching back to XP is your prerogative, but, your chances of a future breach are actually higher with it.

Lock down your system, learn about firewalls, learn about NIDS, learn about apps like Tripwire, keep your system patched all the time as soon as you hear about a patch. These things will not secure you 100%, but they raise the bar past script kiddies at least.

This is my technique. Someone has to be very good to hack a system that is carefully set up and maintained. This by default means the numbers of people with that level of skill are few. So, you have to consider why someone at that level would attack you and to what end? If someone can achieve root almost anywhere at anytime, there are far more interesting things to do I am sure. Plus, guys (and girls) with that level of skill are not trolling around port scanning ip addresses hoping to find some weakness. So, chances are they will never come to your computer.

I guess what I am trying to say is, don't be disheartened by a breach. If anything, it's like getting your stripes... At least one of them anyways :-)

http://home.no.net/~knutove/knut_ove_hauge_kuren.htm
Re: Tonight I got hacked.
Ismael Touama wrote:
| For some reason I never installed nor used it.
| But it's what I retain from what I read about
| having a secure linux.
|
| ism
|
| -Original Message-
| From: [EMAIL PROTECTED] [mailto:redhat-list-admin@;redhat.com] On behalf of linux power
| Sent: Thursday, 17 October 2002 13:07
| To: [EMAIL PROTECTED]
| Subject: RE: Tonight I got hacked.
|
|
| Are you sure? I have no time to experiment.

Hello,

Tripwire and aide (its open-software brother) are easy to install and configure. Also try chkrootkit. I use aide and chkrootkit with good results (good luck perhaps??) ;-)

Regards
--
Francisco Neira B.
Network Administrator
Defensoria del Pueblo
Lima, Peru, -05:00 UTC
PGP Public Key at http://portal.defensoria.gob.pe/~fneira/llavepublica.asc
Re: Tonight I got hacked.
I use ProFTP and I have had pretty good results.

--
Joe Giles
[EMAIL PROTECTED]
AOL: mcigiles
---
Registered Linux User #264910
http://counter.li.org
---

Joe Polk said:
>
> Same here. Ramen anyone?
>
> -- Original Message ---
> From: "Eric Wood" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thu, 17 Oct 2002 08:58:32 -0400
> Subject: Re: Tonight I got hacked.
>
>> Look, you're asking us for help and if you can't put any time into it
>> then why are you here?
>>
>> Anyway, I will say that I believe I got hacked while running wu-ftpd
>> on RH 7.3. wu-ftpd makes the second time on two different versions of
>> RH. I'll never use wu-ftpd again.
>>
>> -eric wood
>>
>> - Original Message -
>> From: linux power
>>
>> Are you sure? I have no time to experiment.
> --- End of Original Message ---
Re: Tonight I got hacked.
On Thu, 17 Oct 2002, Joe Giles wrote:

> I use ProFTP and I have had pretty good results.

i'm pretty sure that i read somewhere that, while wu-ftpd still ships with red hat 8.0, vsftpd is now the recommended server. can anyone clarify this?

rday
RE: Tonight I got hacked.
For some reason I never installed nor used it. But it's what I retain from what I read about having a secure linux.

ism

-Original Message-
From: [EMAIL PROTECTED] [mailto:redhat-list-admin@;redhat.com] On behalf of linux power
Sent: Thursday, 17 October 2002 13:07
To: [EMAIL PROTECTED]
Subject: RE: Tonight I got hacked.

Are you sure? I have no time to experiment.

Ismael Touama <[EMAIL PROTECTED]> wrote:
Hi,

Tripwire is doing the stuff you want,

ism

-Original Message-
From: [EMAIL PROTECTED] [mailto:redhat-list-admin@;redhat.com] On behalf of linux power
Sent: Thursday, 17 October 2002 11:55
To: [EMAIL PROTECTED]
Subject: Re: Tonight I got hacked.

Will you go through all the system scripts and find out which has been changed?
If you think you are so damn good so tell me what to do?

"Robert P. J. Day" wrote:
On Thu, 17 Oct 2002, linux power wrote:

> Tonight I finally got hacked. I'm connected to internet through ADSL.
> Online all the time. I noticed it because the logging in iptables was
> turned off. It is impossible to turn it on again. I still got the
> warning about --log-prefix which is the right prefix to the logfile.
> Masquerade to the LAN computers is also turned off. They have changed
> some scripts to do all this. The linux paradox. All is scripts that
> could be changed.
>
> So now I'm back again to windows XP. And that should anyway not be so
> difficult to hack. Perhaps I reorganize my systems and buy an old PC and
> install linux and use it only as a server with nothing else installed so
> it will be easy to format when I've been visited.

i'm not sure someone who gets hacked and solves the problem by switching back to windows xp should be using an email address of "linux power."

just my $0.02.

rday

http://home.no.net/~knutove/knut_ove_hauge_kuren.htm
RE: Tonight I got hacked.
Hi,

Tripwire is doing the stuff you want,

ism

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of linux power
Sent: Thursday, 17 October 2002 11:55
To: [EMAIL PROTECTED]
Subject: Re: Tonight I got hacked.

Will you go through all the system scripts and find out which has been changed?
If you think you are so damn good so tell me what to do?

"Robert P. J. Day" <[EMAIL PROTECTED]> wrote:
On Thu, 17 Oct 2002, linux power wrote:

> Tonight I finally got hacked. I'm connected to internet through ADSL.
> Online all the time. I noticed it because the logging in iptables was
> turned off. It is impossible to turn it on again. I still got the
> warning about --log-prefix which is the right prefix to the logfile.
> Masquerade to the LAN computers is also turned off. They have changed
> some scripts to do all this. The linux paradox. All is scripts that
> could be changed.
>
> So now I'm back again to windows XP. And that should anyway not be so
> difficult to hack. Perhaps I reorganize my systems and buy an old PC and
> install linux and use it only as a server with nothing else installed so
> it will be easy to format when I've been visited.

i'm not sure someone who gets hacked and solves the problem by switching back to windows xp should be using an email address of "linux power."

just my $0.02.

rday

http://home.no.net/~knutove/knut_ove_hauge_kuren.htm
Re: Tonight I got hacked.
Will you go through all the system scripts and find out which has been changed?
If you think you are so damn good so tell me what to do?

"Robert P. J. Day" <[EMAIL PROTECTED]> wrote:
On Thu, 17 Oct 2002, linux power wrote:

> Tonight I finally got hacked. I'm connected to internet through ADSL.
> Online all the time. I noticed it because the logging in iptables was
> turned off. It is impossible to turn it on again. I still got the
> warning about --log-prefix which is the right prefix to the logfile.
> Masquerade to the LAN computers is also turned off. They have changed
> some scripts to do all this. The linux paradox. All is scripts that
> could be changed.
>
> So now I'm back again to windows XP. And that should anyway not be so
> difficult to hack. Perhaps I reorganize my systems and buy an old PC and
> install linux and use it only as a server with nothing else installed so
> it will be easy to format when I've been visited.

i'm not sure someone who gets hacked and solves the problem by switching back to windows xp should be using an email address of "linux power."

just my $0.02.

rday

http://home.no.net/~knutove/knut_ove_hauge_kuren.htm
Re: Tonight I got hacked.
On Thu, 17 Oct 2002, linux power wrote:

> Tonight I finally got hacked. I'm connected to internet through ADSL.
> Online all the time. I noticed it because the logging in iptables was
> turned off. It is impossible to turn it on again. I still got the
> warning about --log-prefix which is the right prefix to the logfile.
> Masquerade to the LAN computers is also turned off. They have changed
> some scripts to do all this. The linux paradox. All is scripts that
> could be changed.
>
> So now I'm back again to windows XP. And that should anyway not be so
> difficult to hack. Perhaps I reorganize my systems and buy an old PC and
> install linux and use it only as a server with nothing else installed so
> it will be easy to format when I've been visited.

i'm not sure someone who gets hacked and solves the problem by switching back to windows xp should be using an email address of "linux power."

just my $0.02.

rday