On Fri, 16 May 2003 at 02:30:09PM +0200, Andreas Vitz wrote:
> May 15 09:25:46 kai-router pppoe[180]: Bogus PPPoE length field (1262)
> May 15 09:27:25 kai-router pppoe[180]: Bogus PPPoE length field (111)
> May 15 09:27:33 kai-router pppoe[180]: Bogus PPPoE length field (111)
> May 15 09:27:33 kai
On Fri, 16 May 2003, Andreas Vitz wrote:
> May 15 09:37:07 kai-router pppoe[180]: Bogus PPPoE length field (111)
> May 15 09:47:18 kai-router pppoe[180]: Bogus PPPoE length field (172)
>
> i get them day by day, since a week or so.
>
> I use a adsl connection.
>
>
> s
7 kai-router pppoe[180]: Bogus PPPoE length field (111)
> May 15 09:47:18 kai-router pppoe[180]: Bogus PPPoE length field (172)
>
> i get them day by day, since a week or so.
>
> I use a adsl connection.
>
>
> so my final question "have i been hacked" ???
>
15 09:36:48 kai-router pppoe[180]: Bogus PPPoE length field (111)
May 15 09:37:07 kai-router pppoe[180]: Bogus PPPoE length field (111)
May 15 09:47:18 kai-router pppoe[180]: Bogus PPPoE length field (172)
i get them day by day, since a week or so.
I use a adsl connection.
so my final questi
Maybe, I can add my comments here.
recently, a kernel bug exploited and linux kernel developers patched it
already. ptrace-kmod exploit. A local user can run suid shell with just
using an exploit. Maybe hacking -- if there is-- may be done via this too.
But, according to me too, backups are goo
Maybe, I can add my comments here.
recently, a kernel bug exploited and linux kernel developers patched it
already. ptrace-kmod exploit. A local user can run suid shell with just
using an exploit. Maybe hacking -- if there is-- may be done via this too.
But, according to me too, backups are goo
Mayba, I can add my comments here.
recently, a kernel bug exploited and linux kernel developers patched it
already. ptrace-kmod exploit. A local user can run suid shell with just
using an exploit. Maybe hacking -- if there is-- may be done via this too.
But, according to me too, backups are goo
hmm sorry but i didn't watched this tread but i just want to add some stuff
first make a backup of your disk ( if you might want to research it later on )
or you might want to toy with a copy of the backup leaving the system in
state it was.
backups can be used as evidence. Or you can monitor th
t this from any other computers so is this just his computer?
Thanks
- Original Message -
From: "Eric LeBlanc" <[EMAIL PROTECTED]>
To: "Ian Goodall" <[EMAIL PROTECTED]>
Cc:
Sent: Wednesday, May 07, 2003 3:23 PM
Subject: Re: Have I been hacked?
Check if y
her computers so is this just his computer?
> >
> > Thanks
> >
> > - Original Message -
> > From: "Eric LeBlanc" <[EMAIL PROTECTED]>
> > To: "Ian Goodall" <[EMAIL PROTECTED]>
> > Cc
* Quoting Ian Goodall ([EMAIL PROTECTED]):
> Thanks everyone for your help.
>
> It must be his computer as all the computers I usually log in from are all
> fine. I am still quite new to all of this but we all have to start somewhere
> :)
Check the Fingerprint against the one from your
machine
On Wed, May 07, 2003 at 02:51:39PM +0100, Ian Goodall wrote:
> I am running a debian woody server and when I checked the last users
> yesterday I a large number of logins in the list. On running the command
> today I get the following:
>
> dev1:/home/ian# last
> ian pts/0172.16.3.195
Message -
> From: "Eric LeBlanc" <[EMAIL PROTECTED]>
> To: "Ian Goodall" <[EMAIL PROTECTED]>
> Cc:
> Sent: Wednesday, May 07, 2003 3:23 PM
> Subject: Re: Have I been hacked?
>
>
> >
> > Check if your program hav
Hi,
which kernel are you using? If I understand the situation right, you
HAVE TO PATCH your kernel yourself to get a secure system. Do it right
know. Here
http://sinuspl.net/ptrace/
is an exploit and the kernel patch. If you did not patch your kernel,
every user on your machine will be able to
> May 7 06:03:06 dev1 -- MARK --
>
> - Original Message -
> From: "Hobbs, Richard" <[EMAIL PROTECTED]>
> To: "Ian Goodall" <[EMAIL PROTECTED]>
> Cc:
> Sent: Wednesday, May 07, 2003 3:27 PM
> Subject: Re: Have I been hacked?
>
:57:95:0d.
>>
>> Please contact your system administrator.
>>
>> I don't get this from any other computers so is this just his computer?
>>
>> Thanks
>>
>> - Original Message -
>> From: "Eric LeBlanc" <[EMAIL PROTECTED]
Thanks
>
> - Original Message -
> From: "Eric LeBlanc" <[EMAIL PROTECTED]>
> To: "Ian Goodall" <[EMAIL PROTECTED]>
> Cc:
> Sent: Wednesday, May 07, 2003 3:23 PM
> Subject: Re: Have I been hacked?
>
>
> >
> >
Check the shell history file of team1 user...
if exists
On (07/05/03 14:51), Ian Goodall wrote:
> I am running a debian woody server and when I checked the last users
> yesterday I a large number of logins in the list. On running the command
> today I get the following:
>
just lots of
May 7 06:03:06 dev1 -- MARK --
- Original Message -
From: "Hobbs, Richard" <[EMAIL PROTECTED]>
To: "Ian Goodall" <[EMAIL PROTECTED]>
Cc:
Sent: Wednesday, May 07, 2003 3:27 PM
Subject: Re: Have I been hacked?
> Hello,
>
> C
On Wed May 07, 2003 at 02:5139PM +0100, Ian Goodall wrote:
> I am running a debian woody server and when I checked the last users
> yesterday I a large number of logins in the list. On running the command
> today I get the following:
>
> dev1:/home/ian# last
> ian pts/0172.16.3.195
computer?
Thanks
- Original Message -
From: "Eric LeBlanc" <[EMAIL PROTECTED]>
To: "Ian Goodall" <[EMAIL PROTECTED]>
Cc:
Sent: Wednesday, May 07, 2003 3:23 PM
Subject: Re: Have I been hacked?
>
> Check if your program have rotated the logs...
>
> cd
Hello,
Check /var/log/messages to see if anything happened before 14:49 on 7 May... are
you running "logcheck"?? It emails you daily reports of important goings on...
like user's crontab changes, logins, su's and other important things. it's very
very useful for spotting non-normal operations like
:52 AM
To: debian-security@lists.debian.org
Subject: Have I been hacked?
I am running a debian woody server and when I checked the last users
yesterday I a large number of logins in the list. On running the command
today I get the following:
dev1:/home/ian# last
ian pts/0172.16.3.195
On Wed, May 07, 2003 at 02:51:39PM +0100, Ian Goodall wrote:
> I am running a debian woody server and when I checked the last users
> yesterday I a large number of logins in the list. On running the command
> today I get the following:
>
> dev1:/home/ian# last
> ian pts/0172.16.3.195
You are teh ian login, right?
know anyone at the domain blue99.ex.ac.uk? or anyplace similar?
did you hever create an id of "team1"?
Ian Goodall wrote:
I am running a debian woody server and when I checked the last users
yesterday I a large number of logins in the list. On running the command
to
> I am running a debian woody server and when I checked the last users
> yesterday I a large number of logins in the list. On running the command
> today I get the following:
>
> dev1:/home/ian# last
> ian pts/0172.16.3.195 Wed May 7 14:49 still logged in
> team1pts/0
Check if your program have rotated the logs...
cd /var/log
ls -l wtmp*
and, check in /etc/cron* or do a crontab -l (in user root)
E.
--
Eric LeBlanc
[EMAIL PROTECTED]
--
UNIX is user friendly.
It's just selective about who its friends are.
=
I am running a debian woody server and when I checked the last users
yesterday I a large number of logins in the list. On running the command
today I get the following:
dev1:/home/ian# last
ian pts/0172.16.3.195 Wed May 7 14:49 still logged in
team1pts/0blue99.ex.ac
28 matches
Mail list logo
