Another possibility is bad memory -- if this is on an x86 machine with
non-parity memory (or even if it is) I'd recommend getting memtest86 from
http://www.memtest86.com/ and running it. Definitely do this if you can
reboot the machine and it appears to go back to the old checksum.
Jim
On Tue,
> "CB" == Chris Bond <[EMAIL PROTECTED]> writes:
CB> Did you update samba last night?
Not that I know of... Unless something updated it for me!
I am not (yet) running any scripts to auto-update my packages.
CB> - Original Message -
CB> From: "Jake Colman" <[EMAIL PROT
Did you update samba last night?
- Original Message -
From: "Jake Colman" <[EMAIL PROTECTED]>
To: "RedHat List" <[EMAIL PROTECTED]>
Sent: Tuesday, January 08, 2002 1:32 PM
Subject: Have I Been Hacked?
>
> Last night's tripwire report shows me the following:
>
> Modified object name: /u
Please ignore this message... Just DNS Lookup Failed.
- Original Message -
From: "Mark Lo (3)" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Thursday, April 05, 2001 2:37 PM
Subject: Have I been Hacked !!!
> Hi,
>
> I am currently using Redhat Linux 6.2, a
On Tue, Mar 06, 2001 at 08:54:18AM -0500, Charles Galpin wrote:
>
> I do like the idea of some statistical analysis of the scans though,
> like how many times each unique port number was triggered, top
> offending IPs etc, but this could be gleaned periodically from the
> logfiles directly.
I f
On Tue, 6 Mar 2001, Bret Hughes wrote:
> Although having written that I get irritated enough with the
> logcheck stuff telling me about the hits on the three firewalls I
> manage, I can't imagine how pissed I would get if each probe generated a
> separate email. I have recently seen a big spike
Hi
I've a little problem with APACHE & CGI.
When APACHE passes the variable QUERY_STRING to a program, APACHE ( I think)
changes the whitespaces to plus (+).
For example:
FORM: AAA BBB
CGI: AAA++BBB
Is it correct?
Is it possible that APACHE leaves the whitespaces?
bye
Ste
Joshua Hirsh wrote:
>
> The information in the email pertaining to the user 'operator' was on the
> remote machine which had attempted to connect to Ben's portmap service.
>
> Because the remote machine had attempted the connection, a program on
> Ben's machine is setup to finger the remote acco
Hi Mike,
> I'd ask, however, for clarification from Ben, as to whether or not user
> "operator" has a password, no password at all, or the normal "*" in the
> password field.
If I understand Joshua correctly, this is finger information about the
attempting system. It seems as i
My bad...I didn't read thoroughly enough.
On Mon, 5 Mar 2001, Joshua Hirsh wrote:
> The information in the email pertaining to the user 'operator' was on the
> remote machine which had attempted to connect to Ben's portmap service.
>
> Because the remote machine had attempted the connection, a p
The information in the email pertaining to the user 'operator' was on the
remote machine which had attempted to connect to Ben's portmap service.
Because the remote machine had attempted the connection, a program on
Ben's machine is setup to finger the remote account that is attempting the
connec
Perhaps.
I'd ask, however, for clarification from Ben, as to whether or not user
"operator" has a password, no password at all, or the normal "*" in the
password field. If user "operator" has the * in the password field, user
"operator" should not be able to log into pts/1 or pts/2, would you no
Hey Folks,
There's a bit of information that you all seemed to overlook here.. The
email that Ben Ocean had forwarded to the list was generated by a program
that was watching connections to his local machine.
The email was triggered by... (read the subject.) That's right. A portmap
probe to his
At 03:52 PM 3/4/2001 -0400, you wrote:
>I'd be inclined to say no.
<*sigh*> Well, I feel better now. Thanks for your help :))
BenO
___
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
On Sun, Mar 04, 2001 at 12:30:32PM -0800, Ben Ocean wrote:
>
> Well, *did* they get in, or do we know? Did they get in as far as
> tty1 and stop cold? Or, since they apparently logged in as root, did
> they gain access to the entire box through tty1? If they did, how
> should I go about protectin
On Sun, 04 Mar 2001 12:30:32 -0800, Ben Ocean wrote:
>thewebsons:/apache/vhosts/downloads/chkrootkit-0.22# ps ax | grep
>"/usr/local/sb
>in/s"|more
> 661 ?S 0:07 /usr/local/sbin/sshd
> 3849 ?S 0:00 /usr/local/sbin/sshd
> 4232 ?S 0:00 /usr/local/sbin/ssh
At 03:21 PM 3/4/2001 -0400, you wrote:
>Run a "ps ax | grep "/usr/local/sbin/s" By doing the ps ax, it will
>not display the usernames, and will give you more of the process
>name. Also note that it's not necessarily you that may have run the
>process...many daemon processes run whenever they ru
On Sun, 04 Mar 2001 12:04:25 -0800, Ben Ocean wrote:
>At 02:45 PM 3/4/2001 -0400, you wrote:
>>You'd need to do a ps aux to get a list of everything, and if you do
>>a ps aux | grep root, you'll get every process currently run by root,
>>unless "ps" has been compromised.
>
>This is what came fro
At 02:45 PM 3/4/2001 -0400, you wrote:
>Just a straight "ps" will only show you your active tasks from your
>current session.
>
>You'd need to do a ps aux to get a list of everything, and if you do
>a ps aux | grep root, you'll get every process currently run by root,
>unless "ps" has been compro
On Sun, 04 Mar 2001 11:39:39 -0800, Ben Ocean wrote:
>> >>tty1 is your primary console, on the physical machine.
>> >
>> >Please tell me how this relates to my concern.
>>
>>Don't be snippy about it, now.
>
>Hell, I ain't being snippy! It's an honest question.
>
>>If tty1 is the primary physical
At 02:32 PM 3/4/2001 -0400, you wrote:
>On Sun, 04 Mar 2001 11:19:41 -0800, Ben Ocean wrote:
>
> >At 02:06 PM 3/4/2001 -0500, you wrote:
> >>Let me rethink that.
> >>
> >>tty1 is your primary console, on the physical machine.
> >
> >Please tell me how this relates to my concern.
>
>Don't be snippy
On Sun, 04 Mar 2001 11:19:41 -0800, Ben Ocean wrote:
>At 02:06 PM 3/4/2001 -0500, you wrote:
>>Let me rethink that.
>>
>>tty1 is your primary console, on the physical machine.
>
>Please tell me how this relates to my concern.
Don't be snippy about it, now.
If tty1 is the primary physical consol
At 02:06 PM 3/4/2001 -0500, you wrote:
>Let me rethink that.
>
>tty1 is your primary console, on the physical machine.
Please tell me how this relates to my concern.
>Is anyone else aware of any rootkits that point the physical tty's at
>something virtual?
What do you mean by this question?
TIA
Let me rethink that.
tty1 is your primary console, on the physical machine.
Is anyone else aware of any rootkits that point the physical tty's at
something virtual?
On Sun, 4 Mar 2001, Ben Ocean wrote:
> Hi;
> I just received this email:
>
> >Date: Sun, 4 Mar 2001 09:42:56 -0800
> >From: bin <
The IP is from a system in Greece.
Unless you have a friend or a user in Greece, I'd say yes, you've been
hacked.
On Sun, 4 Mar 2001, Ben Ocean wrote:
> Hi;
> I just received this email:
>
> >Date: Sun, 4 Mar 2001 09:42:56 -0800
> >From: bin <[EMAIL PROTECTED]>
> >To: [EMAIL PROTECTED]
> >Subje
>On Thu, 2 Mar 2000, Vidiot wrote:
>
>> >On Wed, 1 Mar 2000, Ed Lazor wrote:
>> >>
>> >> How did you run the searches? I typed "ADMROCKS" and none of those places
>> >> brought anything up.
>> >
>> >/var/named/ADMROCKS
>>
>> What kind of search engine doesn't report "/var/named/ADMROCKS" from
>If someone for a short moment has access to your private pgp key, they
>*may* bring a copy back home without your knowledge. Especially if it's
>someone you can only trust to do you bad things. This may or may not
>happen with your (or anyone else's) knowledge. What about if we ten
>years from no
On Thu, 2 Mar 2000, Vidiot wrote:
> >> How did you run the searches? I typed "ADMROCKS" and none of those places
> >> brought anything up.
> >
> >/var/named/ADMROCKS
>
> What kind of search engine doesn't report "/var/named/ADMROCKS" from a
> keyword of "ADMROCKS". One would have to know the
On Thu, 2 Mar 2000, Vidiot wrote:
> >On Wed, 1 Mar 2000, Ed Lazor wrote:
> >>
> >> How did you run the searches? I typed "ADMROCKS" and none of those places
> >> brought anything up.
> >
> >/var/named/ADMROCKS
>
> What kind of search engine doesn't report "/var/named/ADMROCKS" from a
> keywo
Vidiot,
If someone for a short moment has access to your private pgp key, they
*may* bring a copy back home without your knowledge. Especially if it's
someone you can only trust to do you bad things. This may or may not
happen with your (or anyone else's) knowledge. What about if we ten
years fro
>Another thing to think about:
>
>If ever there were some private pgp keys on a compromised machine, those
>pgp keys are to be considered as compromised as well.
>
>It's hard (to say the least) to crack pgp encrypted data, but the private
>key is more easy (though not trivial) to break. Of course,
Another thing to think about:
If ever there were some private pgp keys on a compromised machine, those
pgp keys are to be considered as compromised as well.
It's hard (to say the least) to crack pgp encrypted data, but the private
key is more easy (though not trivial) to break. Of course, this de
>On Wed, 1 Mar 2000, Ed Lazor wrote:
>>
>> How did you run the searches? I typed "ADMROCKS" and none of those places
>> brought anything up.
>
>/var/named/ADMROCKS
What kind of search engine doesn't report "/var/named/ADMROCKS" from a
keyword of "ADMROCKS". One would have to know the complet
On Wed, 1 Mar 2000, Ed Lazor wrote:
>
> > you could have searched at just about any search engine (lycos, excite,
> > google, altavista, etc, etc) and turned up information on this hack and
> > just about anything else for that matter.
> >
> > deja.com is good as well.
>
> How did you run the
On Thu, 2 Mar 2000, Jason Hirsch wrote:
> No luck there either :P
>
> no information exists using that keyword... I'm rather impressed,
> actually.
On which one? I searched excite and it turned up hits on
/var/named/ADMROCKS, so did google and altavista
>
> jason
>
> --
> Jason Hir
> > Altavista.com - ADMROCKS- no hits.
> > Lycos.com - ADMROCKS- no hits.
> > excite.com - ADMROCKS- no hits.
Personally, I'd say subscribe to Bugtraq and lurk. ADMROCKS showed
its face there .. oh probably 2 weeks ago.
--
Duncan Hill Sapere aude
One net to rule them all,
I'd say:
1) Subscribe to the redhat-announce-list
2) Use http://mindit.netmind.com to track any changes to both
a) http://www.redhat.com/support/errata/rh61-errata-security.html
b) http://www.redhat.com/support/errata/rh61-errata-bugfixes.html
That way you should be among the first ones
>> There were a whole shit-load of files that got changed. ls is one of them
>> that was changed. Get that put back and then go look at /tmp.
>> In there you
>> will find rk and rki. In the rk directory you will find rkinstall. It
>> contains a list of all the files that got changed.
>
>I must
>>From everyone's advice, I found that the hacker had replaced the login
>binaries and was having passwords stored in /dev/ttypx. Several programs
>had been modified as well. Everything has been fixed / updated and
>passwords
>changed. Now I'm moving forward to setting up a firewall and all tha
> 'redhat-watch' for updates. Also, there is 'linux-security' (IIRC)
> that is hosted by RH. You would have seen this on both of these. Both
> are low volume. Somewhere on redhat.com there is a lists of lists.
Thanks for the info. I did some checking and figured I'd report the
results:
[EMAI
> you could have searched at just about any search engine (lycos, excite,
> google, altavista, etc, etc) and turned up information on this hack and
> just about anything else for that matter.
>
> deja.com is good as well.
How did you run the searches? I typed "ADMROCKS" and none of those place
> I don't know about how badly you got hacked etc. But I will tell you
> this. If you don't format the drive and start over you will never know
> 100% if you are free of these hackers.
Definitely true. I'm planning on rebuilding the machine from scratch
as soon as possible.
No luck there either :P
no information exists using that keyword... I'm rather impressed,
actually.
jason
--
Jason Hirsch, ChemEng/Chemistry
Make it myself? But I'm a physical organic chemist!
Visit the Dorm Room Life may never
http://icdweb.cc.purdue.edu/~hirsch Gi
On Wed, Mar 01, 2000 at 09:04:18PM -0800, Ed Lazor wrote:
> Through this process, a few things have come to mind. Is there
> someplace I could have gone to do a search on ADMROCKS to discover
> this hack? Also, does RedHat have a mailing list that announces
> when updates are released to fix pro
On Thu, 2 Mar 2000, Jason Hirsch wrote:
> Actually-
>
> Altavista.com - ADMROCKS- no hits.
> Lycos.com - ADMROCKS- no hits.
> excite.com - ADMROCKS- no hits.
>
> I think you get the point-
> Redhat.com, linuxgazette.com- no hits.
umm, search for /var/named/ADMROCKS
>
> Not exactly a lot of
Actually-
Altavista.com - ADMROCKS- no hits.
Lycos.com - ADMROCKS- no hits.
excite.com - ADMROCKS- no hits.
I think you get the point-
Redhat.com, linuxgazette.com- no hits.
Not exactly a lot of fun if I want to actually attack my own box to see if
I'm proof
I like it when I buy MS product
Brian <[EMAIL PROTECTED]> writes:
> On Wed, 1 Mar 2000, Ed Lazor wrote:
>
> >
> > Through this process, a few things have come to mind. Is there someplace
> > I could have gone to do a search on ADMROCKS to discover this hack? Also,
> > does RedHat have a mailing list that announces when upda
On Wed, 1 Mar 2000, Ed Lazor wrote:
>
> > There were a whole shit-load of files that got changed. ls is one of them
> > that was changed. Get that put back and then go look at /tmp.
> > In there you
> > will find rk and rki. In the rk directory you will find rkinstall. It
> > contains a list
On Wed, 1 Mar 2000, Ed Lazor wrote:
>
> Through this process, a few things have come to mind. Is there someplace
> I could have gone to do a search on ADMROCKS to discover this hack? Also,
> does RedHat have a mailing list that announces when updates are released
> to fix problems like this?
> There were a whole shit-load of files that got changed. ls is one of them
> that was changed. Get that put back and then go look at /tmp.
> In there you
> will find rk and rki. In the rk directory you will find rkinstall. It
> contains a list of all the files that got changed.
I must have
> Finding out what else has been done is not exactly a trivial task. If
> whoever did this isn't totally braindead, he edited .history and logfiles
> to hide traces. (But then it seems to be someone stupid because he didn't
> remove the ADMROCKS file).
I was very lucky to have noticed that folde
Hi =)
>
> On Wed, 1 Mar 2000, Fred Herman wrote:
>
> > You have been hacked. See:
> >
> > http://www.cert.org/current/current_activity.html#bind
> >
> > You need to disconnect your box. Unless you're expert, reformat the
> > hard drive and re-install. Make sure your patches are up to date. T
>On Wed, 1 Mar 2000, M. Erickson wrote:
>
>> No need to reformat, toss that windows paradigm aside, learn a new way of
>> dealing with things like this! Just update BIND, XFS, and check through
>> all your .history/.bash_history files and find out what else has been
>> done..
>
>Finding out what e
>No need to reformat, toss that windows paradigm aside, learn a new way of
>dealing with things like this! Just update BIND, XFS, and check through
>all your .history/.bash_history files and find out what else has been
>done.. just replace those, and you should be back in business.
>
>I suggest you
On Wed, 1 Mar 2000, M. Erickson wrote:
> On Wed, 1 Mar 2000, Fred Herman wrote:
>
> > You have been hacked. See:
> >
> > http://www.cert.org/current/current_activity.html#bind
> >
> > You need to disconnect your box. Unless you're expert, reformat the
> > hard drive and re-install. Make sur
On Wed, 1 Mar 2000 [EMAIL PROTECTED] wrote:
> I got hit with a very obvious script attack last week that was fairly
> easy to track (although I still reinstalled just to make sure). As
> script kiddies aren't known for creative attacks it might be the
> same. Check your /usr/login and make su
I got hit with a very obvious script attack last week that was fairly
easy to track (although I still reinstalled just to make sure). As
script kiddies aren't known for creative attacks it might be the
same. Check your /usr/login and make sure it's around 20132 in size and
its change date isn'
On Wed, 1 Mar 2000, M. Erickson wrote:
> No need to reformat, toss that windows paradigm aside, learn a new way of
> dealing with things like this! Just update BIND, XFS, and check through
> all your .history/.bash_history files and find out what else has been
> done..
Finding out what else has
>
> I suspect that I've been hacked. I found a directory titled "ADMROCKS" in
> /var/named owned by root and I know that I didn't create it. Does anyone
> recognize this?
http://www.cert.org/advisories/CA-99-14-bind.html
The "nxt" one
It's not a major root kit, but serious enough to wher
On Wed, 1 Mar 2000, Fred Herman wrote:
> You have been hacked. See:
>
> http://www.cert.org/current/current_activity.html#bind
>
> You need to disconnect your box. Unless you're expert, reformat the
> hard drive and re-install. Make sure your patches are up to date. This
> exploit is fixed
You have been hacked. See:
http://www.cert.org/current/current_activity.html#bind
You need to disconnect your box. Unless you're expert, reformat the
hard drive and re-install. Make sure your patches are up to date. This
exploit is fixed by updating the bind rpm's. See:
http://www.redhat.c
There is a kernel patch which allows you (AFAIR) to limit access to certain
files and directories by _all_ users (including root). After making sure
your system is not hacked, consider running Tripwire (or a free clone) and
then installing the kernel patch & using it to protect the Tripwire
execut
On Mon, 15 Nov 1999, George Lenzer wrote:
> The question; Is there a decent RedHat only security list that may keep me
> abreast of the latest exploits and provide more security info than this list
> can?
>
message footer from Redhat linux-security list;
---
On Mon, Nov 15, 1999 at 08:42:37AM -0500, George Lenzer wrote:
> This past week I ran into some problems on my RedHat 6.0 IP Masq box at
> home. I was no longer able to 'ssh' to the machine and my friends were
> unable to connect to the Quake3test server with any reliability. (They
> could co