Re: [expert] hack attack analysis second attempt

2002-12-03 Thread Lorne
Good news guys. I will send this as a new topic so that it doesn't get missed. We got sidetracked and got to discussing colortail. It is a simple little tool for graphically coloring information. It doesn't compile in Mandrake 9.0. It gives errors. I've been in contact with the author and he

RE: [expert] Hack attack analysis

2002-11-30 Thread Franki
: Saturday, 30 November 2002 1:11 AM To: [EMAIL PROTECTED] Subject: [expert] Hack attack analysis Well guys... it has been 5 years since someone got in. They finally did it. I've been using the floppy disk coyote linux for years now. They aren't keeping up it seems and the last update I got

Re: [expert] hack attack analysis second attempt

2002-11-30 Thread Lorne
On Friday 29 November 2002 11:57 pm, James Sparenberg wrote: On Fri, 2002-11-29 at 22:53, Lorne wrote: Thanks. That is an excellent idea! Now I have to try to remember how to keep the tail of a log constantly writing to the monitor. I KNOW I can do it, just so long since I have, I forget

Re: [expert] hack attack analysis second attempt

2002-11-30 Thread Lorne
On Saturday 30 November 2002 12:00 am, Vox wrote: This time Lorne [EMAIL PROTECTED] becomes daring and writes: Thanks. That is an excellent idea! Now I have to try to remember how to keep the tail of a log constantly writing to the monitor. I KNOW I can do it, just so long since I have, I

Re: [expert] Hack attack analysis

2002-11-30 Thread Lorne
but trouble and ran out of time. rgds Frank -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Lorne Sent: Saturday, 30 November 2002 1:11 AM To: [EMAIL PROTECTED] Subject: [expert] Hack attack analysis Well guys... it has been 5 years since someone got

Re: [expert] hack attack analysis second attempt

2002-11-30 Thread Charlie
On November 30, 2002 09:58 am, Lorne wrote: snip OOH! I like that too! I imagine you can tell it key words to color? Here catch: http://www.student.hk-r.se/~pt98jan/colortail.html for the app's 'homepage'. Regards; -- Charlie Edmonton,AB,Canada Registered user 244963 at

RE: [expert] Hack attack analysis

2002-11-30 Thread Franki
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Lorne Sent: Sunday, 1 December 2002 1:28 AM To: [EMAIL PROTECTED] Subject: Re: [expert] Hack attack analysis On Saturday 30 November 2002 04:17 am, Franki wrote: Two good tools for stopping hacks from

Re: [expert] hack attack analysis second attempt

2002-11-30 Thread Vox
This time Lorne [EMAIL PROTECTED] becomes daring and writes: On Saturday 30 November 2002 12:00 am, Vox wrote: This time Lorne [EMAIL PROTECTED] becomes daring and writes: Thanks. That is an excellent idea! Now I have to try to remember how to keep the tail of a log constantly writing

Re: [expert] hack attack analysis second attempt

2002-11-30 Thread Vox
This time Charlie [EMAIL PROTECTED] becomes daring and writes: On November 30, 2002 09:58 am, Lorne wrote: snip OOH! I like that too! I imagine you can tell it key words to color? Here catch: http://www.student.hk-r.se/~pt98jan/colortail.html for the app's 'homepage'. Cool! :) Now

Re: [expert] hack attack analysis second attempt

2002-11-30 Thread Lorne
On Saturday 30 November 2002 11:13 am, Charlie wrote: On November 30, 2002 09:58 am, Lorne wrote: snip OOH! I like that too! I imagine you can tell it key words to color? Here catch: http://www.student.hk-r.se/~pt98jan/colortail.html got it. Looking at it now. for the app's 'homepage'.

Re: [expert] hack attack analysis second attempt

2002-11-30 Thread Lorne
On Saturday 30 November 2002 12:05 pm, Vox wrote: Yes, that's that :) What I do is: - turn everything back to white (too many damn colors make it hard to notice things for me...the default config is a pain for my eyes) - Mark the name of my workstation in a dark color (same with

Re: [expert] Hack attack analysis

2002-11-30 Thread J. Craig Woods
This post warrants another posting. For all of you that are new to security, i.e. firewalls, services binding to ports, and os level security, these are good suggestions. Good job, Franki. I would, as well, add another level or step: this would include file security, and rootkit checking. To

Re: [expert] Hack attack analysis

2002-11-30 Thread James Sparenberg
I'll second chkrootkit. I actually use it pro-actively on all of my servers and re-actively on ones people suspect have been hacked and want me to test. It has found problems and from what one of my friends tells me ... a hacker (They managed to find a salesman who was creating his own network

Re: [expert] Hack attack analysis

2002-11-30 Thread Carroll Grigsby
On Saturday 30 November 2002 03:27 pm, James Sparenberg wrote: I'll second chkrootkit. I actually use it pro-actively on all of my servers and re-actively on ones people suspect have been hacked and want me to test. It has found problems and from what one of my friends tells me ... a hacker

Re: [expert] Hack attack analysis

2002-11-30 Thread James Sparenberg
On Sat, 2002-11-30 at 15:48, Carroll Grigsby wrote: On Saturday 30 November 2002 03:27 pm, James Sparenberg wrote: I'll second chkrootkit. I actually use it pro-actively on all of my servers and re-actively on ones people suspect have been hacked and want me to test. It has found problems

Re: [expert] Hack attack analysis [OT]

2002-11-30 Thread Carroll Grigsby
On Saturday 30 November 2002 07:17 pm, James Sparenberg wrote: On Sat, 2002-11-30 at 15:48, Carroll Grigsby wrote: On Saturday 30 November 2002 03:27 pm, James Sparenberg wrote: I'll second chkrootkit. I actually use it pro-actively on all of my servers and re-actively on ones people

Re: [expert] Hack attack analysis [OT]

2002-11-30 Thread James Sparenberg
On Sat, 2002-11-30 at 17:13, Carroll Grigsby wrote: On Saturday 30 November 2002 07:17 pm, James Sparenberg wrote: On Sat, 2002-11-30 at 15:48, Carroll Grigsby wrote: On Saturday 30 November 2002 03:27 pm, James Sparenberg wrote: I'll second chkrootkit. I actually use it pro-actively on

Re: [expert] Hack attack analysis [OT]

2002-11-30 Thread nDiScReEt
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Saturday 30 November 2002 7:13 pm, Carroll Grigsby wrote: On Saturday 30 November 2002 07:17 pm, James Sparenberg wrote: On Sat, 2002-11-30 at 15:48, Carroll Grigsby wrote: On Saturday 30 November 2002 03:27 pm, James Sparenberg wrote:

Re: [expert] hack attack analysis second attempt

2002-11-30 Thread Gary
On Sat, 30 Nov 2002 11:13:19 -0700, you wrote: Here catch: http://www.student.hk-r.se/~pt98jan/colortail.html I tried to install colortail and found it required regex. Found gnu regex-0.12.tar.gz, but it won't compile, it says it can't find ecircle. Any ideas for a fix or is there a Mdk regex

Re: [expert] hack attack analysis second attempt

2002-11-30 Thread Lorne
On Saturday 30 November 2002 06:49 pm, Gary wrote: On Sat, 30 Nov 2002 11:13:19 -0700, you wrote: Here catch: http://www.student.hk-r.se/~pt98jan/colortail.html I tried to install colortail and found it required regex. Found gnu regex-0.12.tar.gz, but it won't compile, it says it can't find

Re: [expert] hack attack analysis second attempt

2002-11-30 Thread Ray Warren
On Sun, Dec 01, 2002 at 12:49:46PM +1100, Gary wrote: On Sat, 30 Nov 2002 11:13:19 -0700, you wrote: Here catch: http://www.student.hk-r.se/~pt98jan/colortail.html I tried to install colortail and found it required regex. Found gnu regex-0.12.tar.gz, but it won't compile, it says it

Re: [expert] hack attack analysis second attempt

2002-11-30 Thread Lorne
I am kind of confused. I just rebuilt my mandrake security firewall. Snort didn't install correctly. It did on the second attempt. Now the system has been up for 4 hours approximately and it looks like perhaps I'm already in trouble!?!?!?! /snort/portscan.log:Nov 30 17:15:03 xxx.3.247.xxx:1024

Re: [expert] hack attack analysis second attempt

2002-11-30 Thread mike
Sometimes I get reports from Snort of port scans coming from my own machine. I wonder what's up? Mike On Saturday 30 November 2002 10:26 pm, you wrote: I am kind of confused. I just rebuilt my mandrake security firewall. Snort didn't install correctly. It did on the second attempt. Now the

Re: [expert] hack attack analysis second attempt

2002-11-30 Thread Daniel Woods
On Sat, 30 Nov 2002, Lorne wrote: I am kind of confused. I just rebuilt my mandrake security firewall. Snort didn't install correctly. It did on the second attempt. Now the system has been up for 4 hours approximately and it looks like perhaps I'm already in trouble!?!?!?!

Re: [expert] hack attack analysis second attempt

2002-11-30 Thread Jack Coates
On Sat, 2002-11-30 at 19:26, Lorne wrote: I am kind of confused. I just rebuilt my mandrake security firewall. Snort didn't install correctly. It did on the second attempt. Now the system has been up for 4 hours approximately and it looks like perhaps I'm already in trouble!?!?!?!

[expert] Hack attack analysis

2002-11-29 Thread Lorne
Well guys... it has been 5 years since someone got in. They finally did it. I've been using the floppy disk coyote linux for years now. They aren't keeping up it seems and the last update I got was in January. The first clue was zone alarm on my boys box popped up some denials. Regrettably, I

[expert] hack attack analysis second attempt

2002-11-29 Thread Lorne
second send Sorry, I used an old subject and I'm guessing no one saw it earlier. I'd like to try again. Since I wrote this earlier today, I gave up on openbsd without the cdrom. I decided to look at Mandrake security. Has anyone played with it and how secure is it really? It is a snap to

Re: [expert] hack attack analysis second attempt

2002-11-29 Thread Vox
This time Lorne [EMAIL PROTECTED] becomes daring and writes: second send Sorry, I used an old subject and I'm guessing no one saw it earlier. I'd like to try again. Since I wrote this earlier today, I gave up on openbsd without the cdrom. I decided to look at Mandrake security. Has

Re: [expert] hack attack analysis second attempt

2002-11-29 Thread Vox
This time Lorne [EMAIL PROTECTED] becomes daring and writes: second send Sorry, I used an old subject and I'm guessing no one saw it earlier. I'd like to try again. Since I wrote this earlier today, I gave up on openbsd without the cdrom. I decided to look at Mandrake security. Has

Re: [expert] hack attack analysis second attempt

2002-11-29 Thread Lorne
Thanks. That is an excellent idea! Now I have to try to remember how to keep the tail of a log constantly writing to the monitor. I KNOW I can do it, just so long since I have, I forget the syntax. :) On Friday 29 November 2002 11:41 pm, Vox wrote: This time Lorne [EMAIL PROTECTED] becomes

Re: [expert] hack attack analysis second attempt

2002-11-29 Thread Vox
This time Vox [EMAIL PROTECTED] becomes daring and writes: I hate sympa...silly thing insists on breaking signatures...somebody should put it out of our misery. Vox -- Think of the Linux community as a niche economy isolated by its beliefs. Kind of like the Amish,

Re: [expert] hack attack analysis second attempt

2002-11-29 Thread James Sparenberg
On Fri, 2002-11-29 at 22:53, Lorne wrote: Thanks. That is an excellent idea! Now I have to try to remember how to keep the tail of a log constantly writing to the monitor. I KNOW I can do it, just so long since I have, I forget the syntax. :) tail -f name_of.log James On Friday 29

Re: [expert] hack attack analysis second attempt

2002-11-29 Thread James Sparenberg
On Fri, 2002-11-29 at 22:50, Vox wrote: This time Lorne [EMAIL PROTECTED] becomes daring and writes: second send Sorry, I used an old subject and I'm guessing no one saw it earlier. I'd like to try again. Since I wrote this earlier today, I gave up on openbsd without the cdrom. I

Re: [expert] hack attack analysis second attempt

2002-11-29 Thread Vox
This time Lorne [EMAIL PROTECTED] becomes daring and writes: Thanks. That is an excellent idea! Now I have to try to remember how to keep the tail of a log constantly writing to the monitor. I KNOW I can do it, just so long since I have, I forget the syntax. :) tail -f /var/log/messages

Re: [expert] hack attack analysis second attempt

2002-11-29 Thread Vox
This time James Sparenberg [EMAIL PROTECTED] becomes daring and writes: On Fri, 2002-11-29 at 22:50, Vox wrote: This time Lorne [EMAIL PROTECTED] becomes daring and writes: second send Sorry, I used an old subject and I'm guessing no one saw it earlier. I'd like to try again.

Re: [expert] hack attack analysis second attempt

2002-11-29 Thread James Sparenberg
On Fri, 2002-11-29 at 23:06, Vox wrote: This time James Sparenberg [EMAIL PROTECTED] becomes daring and writes: On Fri, 2002-11-29 at 22:50, Vox wrote: This time Lorne [EMAIL PROTECTED] becomes daring and writes: second send Sorry, I used an old subject and I'm guessing no

Re: [expert] Hack attack or not?

2002-08-01 Thread David Guntner
PlugHead grabbed a keyboard and wrote: Not sure what you mean by more complicated, but you may want to check out the freeware windoze program PuTTY. Besides being a d*mn good terminal emulator (a little painful to configure--but love that full screen mode), I believe it has a keygen

Re: [expert] Hack attack or not?

2002-08-01 Thread Michal 'hramrach' Suchanek
I installed chkrootkit and its report includes: ROOTDIR is `/' snip Searching for suspicious files and dirs, it may take a while... /usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/Locale/.packlist /usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/Net/.packlist

Re: [expert] Hack attack or not?

2002-07-31 Thread James Sparenberg
On Tue, 30 Jul 2002 20:15:43 -0400 PlugHead [EMAIL PROTECTED](by way of PlugHead [EMAIL PROTECTED]) wrote: (* Another post to expert, another dropped message... *) On Monday 29 July 2002 10:56 pm, David Guntner wrote: I agree with you that security through obscurity is no security at

Re: [expert] Hack attack or not?

2002-07-31 Thread Vincent Danen
On Tue Jul 30, 2002 at 09:04:39PM -0700, David Guntner wrote: [...] I hope that makes sense for a very quick-n-dirty response. Yea, it did, actually. Unfortunately, it's more complicated for some of the people that I've given access to my box to deal with, so as much as I'd like to

Re: [expert] Hack attack or not?

2002-07-31 Thread PlugHead
Not sure what you mean by more complicated, but you may want to check out the freeware windoze program PuTTY. Besides being a d*mn good terminal emulator (a little painful to configure--but love that full screen mode), I believe it has a keygen utility bundled with it. -Jason On Wednesday

Re: [expert] Hack attack or not?

2002-07-30 Thread Vincent Danen
On Mon Jul 29, 2002 at 07:56:32PM -0700, David Guntner wrote: I'm also going to make sure that my FTP server and sshd server are listening to non-standard ports, to make it harder for someone to find an access point. This is trivial. An nmap scan will give an attacker an idea

Re: [expert] Hack attack or not?

2002-07-30 Thread PlugHead
(* Another post to expert, another dropped message... *) On Monday 29 July 2002 10:56 pm, David Guntner wrote: I agree with you that security through obscurity is no security at all. However, adding obscurity as a layer on top of existing security certainly doesn't hurt anything. :-) Indeed,

Re: [expert] Hack attack or not?

2002-07-30 Thread David Guntner
Vincent Danen grabbed a keyboard and wrote: My suggestions: Disable FTP. Use scp or sftp. Protocol2 is a good start, but enforce key-based logins only (ie. disable password authentication). This way no one can attempt to brute force your system, they have to have a key, and know it's

Re: [expert] Hack attack or not?

2002-07-30 Thread PlugHead
On Monday 29 July 2002 10:56 pm, David Guntner wrote: I agree with you that security through obscurity is no security at all. However, adding obscurity as a layer on top of existing security certainly doesn't hurt anything. :-) Indeed, if someone were doing a bulk scan of ip address blocks,

Re: [expert] Hack attack or not?

2002-07-30 Thread PlugHead
On Tuesday 30 July 2002 08:15 pm, PlugHead wrote: (* Another post to expert, another dropped message... *) Hmmm... Apparently I wasn't patient enough. Sorry for the dupes... :} = No one was avoiding him, it was just that an apparent random Brownian motion was gently

Re: [expert] Hack attack or not?

2002-07-30 Thread PlugHead
On Tuesday 30 July 2002 08:39 pm, David Guntner wrote: Ooooh, that sounds promising. I'll have to look into that. Is it particularly hard to make sure that your key is available to those you want to access the system? I presume that even with the system key, they *do* still have to login

Re: [expert] Hack attack or not?

2002-07-30 Thread Vincent Danen
On Tue Jul 30, 2002 at 05:39:11PM -0700, David Guntner wrote: My suggestions: Disable FTP. Use scp or sftp. Protocol2 is a good start, but enforce key-based logins only (ie. disable password authentication). This way no one can attempt to brute force your system, they have to have a

Re: [expert] Hack attack or not?

2002-07-30 Thread David Guntner
Vincent Danen grabbed a keyboard and wrote: [...] I hope that makes sense for a very quick-n-dirty response. Yea, it did, actually. Unfortunately, it's more complicated for some of the people that I've given access to my box to deal with, so as much as I'd like to go that route, I don't

Re: [expert] Hack attack or not?

2002-07-29 Thread James Sparenberg
On Sun, 28 Jul 2002 23:27:11 -0500 J. Craig Woods [EMAIL PROTECTED] wrote: James Sparenberg wrote: On the subject of Crackers. Note this IP block owned by ATT 12.234.0.0/24 I've been getting hit heavily from there by a number of compromised M$ boxes. I've alerted ATT but so far no

Re: [expert] Hack attack or not?

2002-07-29 Thread Todd Lyons
James Sparenberg wrote on Mon, Jul 29, 2002 at 08:50:24PM -0700 : On the subject of Crackers. Note this IP block owned by ATT 12.234.0.0/24 I've been getting hit heavily from there by a number You're making the assumption that those boxes are actually owned by ATT. In reality it's probably a

Re: [expert] Hack attack or not?

2002-07-29 Thread James Sparenberg
On Mon, 29 Jul 2002 13:20:52 -0700 Todd Lyons [EMAIL PROTECTED] wrote: James Sparenberg wrote on Mon, Jul 29, 2002 at 08:50:24PM -0700 : On the subject of Crackers. Note this IP block owned by ATT 12.234.0.0/24 I've been getting hit heavily from there by a number You're making the

Re: [expert] Hack attack or not?

2002-07-29 Thread James Sparenberg
On Tue, 30 Jul 2002 16:06:02 -0700 James Sparenberg [EMAIL PROTECTED] wrote: On Mon, 29 Jul 2002 13:20:52 -0700 Todd Lyons [EMAIL PROTECTED] wrote: James Sparenberg wrote on Mon, Jul 29, 2002 at 08:50:24PM -0700: On the subject of Crackers. Note this IP block owned by ATT

Re: [expert] Hack attack or not?

2002-07-29 Thread Vincent Danen
On Sun Jul 28, 2002 at 10:17:41PM -0700, David Guntner wrote: Thanks to all for the suggestions of snort and tripwire. Once I get my system back up on its feet, I plan on installing both to keep an eye on my system. Both are extremely good tools and should be a part of everyone's overall

Re: [expert] Hack attack or not?

2002-07-29 Thread David Relson
At 08:24 PM 7/30/02, you wrote: On Tue, 30 Jul 2002 16:06:02 -0700 James Sparenberg [EMAIL PROTECTED] wrote: On Mon, 29 Jul 2002 13:20:52 -0700 Todd Lyons [EMAIL PROTECTED] wrote: James Sparenberg wrote on Mon, Jul 29, 2002 at 08:50:24PM -0700: On the subject of Crackers. Note this

Re: [expert] Hack attack or not?

2002-07-29 Thread James Sparenberg
On Mon, 29 Jul 2002 22:20:04 -0400 David Relson [EMAIL PROTECTED] wrote: At 08:24 PM 7/30/02, you wrote: On Tue, 30 Jul 2002 16:06:02 -0700 James Sparenberg [EMAIL PROTECTED] wrote: On Mon, 29 Jul 2002 13:20:52 -0700 Todd Lyons [EMAIL PROTECTED] wrote: James Sparenberg wrote on

Re: [expert] Hack attack or not?

2002-07-29 Thread David Guntner
Vincent Danen grabbed a keyboard and wrote: On Sun Jul 28, 2002 at 10:17:41PM -0700, David Guntner wrote: I'm also going to make sure that my FTP server and sshd server are listening to non-standard ports, to make it harder for someone to find an access point. This is trivial. An

Re: [expert] Hack attack or not?

2002-07-28 Thread David Guntner
civileme grabbed a keyboard and wrote: Well, you noted I was very terse in my message. I hate to be the bearer of bad news. But first try Put in CD#1 cd /mnt/cdrom rpm -ivh --force basesystem-8.2-1mdk.i586.rpm This will generally blow away anything done to /bin /sbin or /lib Use

Re: [expert] Hack attack or not?

2002-07-28 Thread David Guntner
James Sparenberg grabbed a keyboard and wrote: If you find Tripwire a bit much to install you might look at Snort (from freshmeat) it's a little less of a hassle to install and is on par with the free version of TripWire. Ah, it's a fresh meat product. :-) Thanks, James. I'll go over

Re: [expert] Hack attack or not?

2002-07-28 Thread J. Craig Woods
James Sparenberg wrote: David If you find Tripwire a bit much to install you might look at Snort (from freshmeat) it's a little less of a hassle to install and is on par with the free version of TripWire. James Apples and oranges: they are two *completely* different programs.

Re: [expert] Hack attack or not?

2002-07-28 Thread Jason Bowman
On Monday 29 July 2002 02:10 am, James Sparenberg wrote: David If you find Tripwire a bit much to install you might look at Snort (from freshmeat) it's a little less of a hassle to install and is on par with the free version of TripWire. James Maybe you meant something like AIDE? Snort

Re: [expert] Hack attack or not?

2002-07-28 Thread James Sparenberg
On Sun, 28 Jul 2002 14:18:54 -0500 J. Craig Woods [EMAIL PROTECTED] wrote: James Sparenberg wrote: David If you find Tripwire a bit much to install you might look at Snort (from freshmeat) it's a little less of a hassle to install and is on par with the free version of

Re: [expert] Hack attack or not?

2002-07-28 Thread James Sparenberg
On the subject of Crackers. Note this IP block owned by ATT 12.234.0.0/24 I've been getting hit heavily from there by a number of compromised M$ boxes. I've alerted ATT but so far no answer, (it is Sunday though). So for the moment I'm blocking the entire IP block. It's coming from NJ. See

Re: [expert] Hack attack or not?

2002-07-28 Thread J. Craig Woods
James Sparenberg wrote: DrJung, You are again as you very often are, correct. However I suggested Snort because it is a possible intrusion that he has, not just a changed file. Tripwire doesn't tell you for example where the intruder is coming from. I find this to be a lot more

Re: [expert] Hack attack or not?

2002-07-28 Thread J. Craig Woods
James Sparenberg wrote: On the subject of Crackers. Note this IP block owned by ATT 12.234.0.0/24 I've been getting hit heavily from there by a number of compromised M$ boxes. I've alerted ATT but so far no answer, (it is Sunday though). So for the moment I'm blocking the entire IP block.

Re: [expert] Hack attack or not?

2002-07-28 Thread David Guntner
Thanks to all for the suggestions of snort and tripwire. Once I get my system back up on its feet, I plan on installing both to keep an eye on my system. I'm also going to make sure that my FTP server and sshd server are listening to non-standard ports, to make it harder for someone to find

[expert] Hack attack or not?

2002-07-27 Thread David Guntner
Hi, This morning, I ran chkrootkit on my ML 8.2 system, and everything turned up with the usual nothing found message, except the last one. It came up: Checking 'sniffer'... Checking 'wted'... 2 deletions found between {time} and {time} (The {time} is just me saving myself some typing -

Re: [expert] Hack attack or not?

2002-07-27 Thread civileme
David Guntner wrote: Hi, This morning, I ran chkrootkit on my ML 8.2 system, and everything turned up with the usual nothing found message, except the last one. It came up: Checking 'sniffer'... Checking 'wted'... 2 deletions found between {time} and {time} (The {time} is just me saving

Re: [expert] Hack attack or not?

2002-07-27 Thread J. Craig Woods
David Guntner wrote: Hi, This morning, I ran chkrootkit on my ML 8.2 system, and everything turned up with the usual nothing found message, except the last one. It came up: Checking 'sniffer'... Checking 'wted'... 2 deletions found between {time} and {time} (The {time} is just me

Re: [expert] Hack attack or not?

2002-07-27 Thread David Guntner
civileme grabbed a keyboard and wrote: David Guntner wrote: Checking 'sniffer'... Checking 'wted'... 2 deletions found between {time} and {time} Question: Based on this, is my system likely to have been compromised or not? For that matter, what's wted? wted -- wtmp editor

Re: [expert] Hack attack or not?

2002-07-27 Thread David Oberbeck
On Saturday 27 July 2002 14:18, David Guntner Wrote Thusly: civileme grabbed a keyboard and wrote: David Guntner wrote: Checking 'sniffer'... Checking 'wted'... 2 deletions found between {time} and {time} Question: Based on this, is my system likely to have been compromised or

Re: [expert] Hack attack or not?

2002-07-27 Thread David Guntner
David Oberbeck grabbed a keyboard and wrote: On Saturday 27 July 2002 14:18, David Guntner Wrote Thusly: Any other thoughts on the subject? Or is it just time to push the button, Max? (Probably no one will get the joke, but I'm sure you understand the meaning... :) Up Max,

Re: [expert] Hack attack or not?

2002-07-27 Thread civileme
David Guntner wrote: civileme grabbed a keyboard and wrote: David Guntner wrote: Checking 'sniffer'... Checking 'wted'... 2 deletions found between {time} and {time} Question: Based on this, is my system likely to have been compromised or not? For that matter, what's wted? wted -- wtmp

Re: [expert] Hack attack or not?

2002-07-27 Thread James Sparenberg
David If you find Tripwire a bit much to install you might look at Snort (from freshmeat) it's a little less of a hassle to install and is on par with the free version of TripWire. James On Sat, 27 Jul 2002 16:52:00 -0700 (PDT) David Guntner [EMAIL PROTECTED] wrote: David Oberbeck