Ahhh, You mean hacked as in crack...sorry got confused there!! Well I have stupidly had my hosting server (hosted by flexihostings.net) hacked several times but never needed a re-install, but these where just website hacks, the company once had the server hacked big time, but it was then down for a day while they sorted it out, they tend to always be doing maintenence on it so I assume it must be pretty secure at the moment!! Never had to re-install it myself though. Jo On 12/8/05, Paul Taylor wrote:

On Thursday 08 December 2005 20:45, linuxgirlie wrote:

...

Oh, not a server but my home linux computer gets re-installed all the time, luckly I have a server!! I just love to fiddle!!

Indeed, that's a given with Linux, especially with so many tasty distros to try.

...

At work though 2 of my 8 servers need re-installing as they are running Mandrake 10 and you can no longer get updates!!

Not quite what I had in mind. I have an ISP running all of my client web sites on a Fedora server (I run a web hosting and design company with my 6th form as part of their AVCE - now GCE Applied). It locked up on Tuesday as all the sites run Mambo/MySQL. After a lot of hair pulling, shouting etc at my ISP they sent me a message today that the server had been hacked "probably" and that I had to ftp all the files somewhere and re-install the server OS. I am appalled and I wonder if this is something common with "reputable" ISPs?

Paul

...

Jo

On 12/8/05, Paul Taylor wrote:

...

HI all:

How many people on the list have had a Linux server hacked to the point that it needs to be reinstalled?

Paul -- Sizofik a Ninila' Siyakhona? ポール

-- To unsubscribe, e-mail: suse-linux-uk-schools-unsubscribe@suse.com For additional commands, e-mail: suse-linux-uk-schools-help@suse.com

-- Please do not send me Microsoft Office attachments. See http://www.gnu.org/philosophy/no-word-attachments.html

Karoshi: http://www.karoshi.org.uk Karoshi@Home: http://www.karoshiathome.org.uk

-- Sizofik a Ninila' Siyakhona? ポール

-- To unsubscribe, e-mail: suse-linux-uk-schools-unsubscribe@suse.com For additional commands, e-mail: suse-linux-uk-schools-help@suse.com

-- Please do not send me Microsoft Office attachments. See http://www.gnu.org/philosophy/no-word-attachments.html Karoshi: http://www.karoshi.org.uk Karoshi@Home: http://www.karoshiathome.org.uk

--- Paul Taylor wrote:

On Friday 09 December 2005 22:34, Thomas Adam wrote:

...

Do you mean this from the point of the computer being compromised maliciously, or via your own tinkering? If the former, then never. If that latter, then only once.

A bit of both perhaps. My ISP told me that some critical system files had been damaged by hackers which caused the system to segfault on normal mode.

I still fail to see how they could have arrived at that conclusion logically, seeing as they would need to examine a lot more factors than just a cursive-by-proxy diagnosis. No, I am still very much of the opinion that crackers haven't done much, but that the computer _possibly_ has some form of inherent hardware failure. Tracking that down is often time-consuming, and benefits from experience, and general observations over a period of time, depending on the hardware that's assumed to have failed.

I could log on in recovery moe and get my data files. I'm not sure however

if the hacking was caused by my liberal application of open source files on

the server without detailed security oversight.

The dichotomy you have, Paul, is that _suggestion_ of crackers invading your machine has been brought to the forefront, when, on the other hand, it could just simply be hardware failure. If you really do suspect that your machine has been compromised, then your safest bet is to backup ALL of your pertinent data, and reinstall. But consider for the moment, the effects this will have. Even if you are successful in doing just that, what's to say that reinstalling the machine's OS is going to fix whatever exploit was present to have caused it in the first place? I've alluded already for the need of a firewall -- is there such a setup in place, for the routed traffic to pass through one? If not, that's the first thing you should do -- and I can assist with that where necessary (essentially -- using IPTables). Backing up the data from a supposed infected machine may well mean (depending on what was exploited) that you also backup infected files. This is unlikely, but it could happen. There are a few general things you need to consider though. I'll go through some of them for you. Assume for the moment, that this machine hadn't been cracked, and was just being reinstalled for some reason. The data you would backup (to preserve persistency) would most likely be: /etc/ /home/ /usr/local/ You move all of that to another partition, or CD, or what have you. Then you reinstall, and you move all of that data back. Aside from having to play about with making sure the UID/GID mappings from the old /etc/{shadow,passwd} files matched the permissions for the files already created (the process of this is another email topic in its own right, and serves only as a theoretical concept in this context) -- it's also possible that you've moved an existing (and infected) account with you. So in situations like this, I would go as far as to employ a rigourous approach of: 1. For all Sixth-form students, allow login. 2. For anyone else, set their shell to 'rbash', or some such

...

One of the challenges I often set people, is to _fix_ their Linux box without reinstalling. It's a really good learning-curve, and through doing it, it's surprising at just how much one can learn. Of course, I realise that it isn't always that straight forward -- especially where the machine in question is in a critical environent.

I have done that on my home machine but was a bit nervy with a remote server. I also naively thought that paying someone to look after my server meant they would do just that. Their argument is that it was a root server that was managed by me (hence it was not very expensive).

...

Hardware failures though, tend to present themselves in many different ways -- but the precursor is usually where multiple applications that used to work, start to itermittently crash with SIGSERV or SIGABRT, or SEGFAULT.

The ISPs communiques seemed to point to a hardware failure which they claim

was caused by malicious intrusions. Having said that, the ISP is Amen and they had industrial action over the summer (I couldn't get any help for 2 months) due to their takeover by Claranet and sacking of lots of people. Could it have been a disgruntled ex... With the ability of hindsight, I would not use Amen again. The trouble is that I needed a cheap server so that my 6th formers could learn the trade.

They (me mostly) run a company to host and sell web sites to local schools,

charities and companies. It was meant to earn credit for various bits of coursework but grew bigger than I really could cope with a full teaching load. It is also too big and time consuming for me to move elsewhere. This latest incident has meant lots of candle burning for me which I could do without as January exam season approaches. :(

...

-- Thomas Adam

___________________________________________________________ Yahoo! Messenger - NEW crystal clear PC to PC calling worldwide with voicemail http://uk.messenger.yahoo.com

-- Sizofik a Ninila' Siyakhona? ポール

-- To unsubscribe, e-mail: suse-linux-uk-schools-unsubscribe@suse.com For additional commands, e-mail: suse-linux-uk-schools-help@suse.com

"The Linux Weekend Mechanic" -- http://linuxgazette.net "TAG Editor" -- http://linuxgazette.net "<shrug> We'll just save up your sins, Thomas, and punish you for all of them at once when you get better. The experience will probably kill you. :)" -- Benjamin A. Okopnik (Linux Gazette Technical Editor) ___________________________________________________________ Yahoo! Exclusive Xmas Game, help Santa with his celebrity party - http://santas-christmas-party.yahoo.net/

On Saturday 10 December 2005 14:32, Thomas Adam wrote:

Oops. I pressed the wrong button, and sent a partially-completed email. Here's the full version.

Alles ist frei

I still fail to see how they could have arrived at that conclusion logically, seeing as they would need to examine a lot more factors than just a cursive-by-proxy diagnosis. No, I am still very much of the opinion that crackers haven't done much, but that the computer _possibly_ has some form of inherent hardware failure.

I am of the same mind.

Tracking that down is often time-consuming, and benefits from experience, and general observations over a period of time, depending on the hardware that's assumed to have failed.

Hence I shied away from that this time.

The dichotomy you have, Paul, is that _suggestion_ of crackers invading your machine has been brought to the forefront, when, on the other hand, it could just simply be hardware failure. If you really do suspect that your machine has been compromised, then your safest bet is to backup ALL of your pertinent data, and reinstall.

Done, see above.

But consider for the moment, the effects this will have. Even if you are successful in doing just that, what's to say that reinstalling the machine's OS is going to fix whatever exploit was present to have caused it in the first place? I've alluded already for the need of a firewall -- is there such a setup in place, for the routed traffic to pass through one? If not, that's the first thing you should do -- and I can assist with that where necessary (essentially -- using IPTables).

I thought there was but now I suspect there wasn't. At least not a compete one. Oversight on my part.

Backing up the data from a supposed infected machine may well mean (depending on what was exploited) that you also backup infected files. This is unlikely, but it could happen. There are a few general things you need to consider though. I'll go through some of them for you.

I haven't done much on the machine for a while so I used an older, pre-exploit (??) version.

Assume for the moment, that this machine hadn't been cracked, and was just being reinstalled for some reason. The data you would backup (to preserve persistency) would most likely be:

/etc/ /home/ /usr/local/

You move all of that to another partition, or CD, or what have you. Then you reinstall, and you move all of that data back. Aside from having to play about with making sure the UID/GID mappings from the old /etc/{shadow,passwd} files matched the permissions for the files already created (the process of this is another email topic in its own right, and serves only as a theoretical concept in this context) -- it's also possible that you've moved an existing (and infected) account with you.

So in situations like this, I would go as far as to employ a rigourous approach of:

1. For all Sixth-form students, allow login. 2. For anyone else, set their shell to 'rbash', or some such.

Locking down "/tmp" has been something that people have been doing since the year dot, and you'll see numerous references to setting "noexec" on the /tmp partition (if you have split it out to be a partition -- always a good idea, IMO), or creating a loopback file to act as a partition so that you can still mount it with noexec.

But the problem with 'noexec' is that it is only effective as a 50% measure. The idea behind the 'noexec' mount option is to disallow users to run binary applications. The reason why this is most often applied to /tmp is that it's the one place (usually) that is world read, write, and executable. So I could place a program such as "wipeall" in /tmp. If you hadn't set 'noexec', I could run it:

/tmp/wipeall

... if you had, and I then try to:

/tmp/wipeall

... it would fail. But to get around that, is trivial. Assume it were a shell script:

/bin/sh /tmp/wipeall

would work, since the calling program is coming from /bin/sh -- which just exec()s /tmp/wipeall.

All sound advice I will have a go at.

That sounds like a quick money-spinner, and a very good getout clause.

Perhaps. Again, time is not on my side.

See above. I still disagree with their logic.

As do I.

:/ It's annoying, for sure. I didn't realise you were taking exams in

January. :)

Not me directly, but as bad as. I have 30 6th formers taking exams and in this age of league tables and value added, if they do poorly, I get the wagging finger of doubt. Who's be a teacher...technician...

-- Thomas Adam

___________________________________________________________ To help you stay safe and secure online, we've developed the all new Yahoo! Security Centre. http://uk.security.yahoo.com

-- Sizofik a Ninila' Siyakhona? ポール

--- Thomas Adam wrote:

What I like even more is that prior to OFSTED looking around the school, all the teachers are running around like headless chickens, desperately trying to pull the wool over the inspectors' eyes. It's pathetic. OFSTED should just turn up, and look around on a typical day... then see what happens.

I'm not defending the system at all, but this is "pretty much" the new OfSTED framework. We had 48hrs notice. There's only so much a school can sort in 48 hours, so... -- Matt ___________________________________________________________ Yahoo! Messenger - NEW crystal clear PC to PC calling worldwide with voicemail http://uk.messenger.yahoo.com

This really does piss me off. Leagues tables mean absolutely nothing in terms of good teaching quality. There was an interview with the headmaster of the primary school that came bottom of the recently-published league tables, on BBC Radio4. He was rather annoyed that his school has been "named and shamed" like this.

So what if he came bottom? That bears nothing on the teaching ability of the staff. There's plenty of other factors that are considered, such as the funding of the school. Heck, it was a tiny primary school... ***The trick to use with OFSTED is that used by my sister who owns/runs a couple of infant schools/after school care units. Know the OFSTED rules so well that you can pull the inspectors to pieces if they so much as open

I heard that one too. Equally interesting that the head of the top primary said it was nonsense on stilts as well. ***Indeed, We tend to come top in the county and we're dropping the tests. As a private school the reason for taking part is to give a bench-mark against other schools, however jaundice the scheme is, it's all that many parents can use as a barometer. We complain every year in the papers how unfair it is, despite topping out. their mouths - she's even had one sacked! ;-) But then she runs her schools to a much higher standard than OFSTED demand. One is private the other was purpose built for a local council, so she sees both sides although neither are in 'deprived' areas. It is easy to blame the victim though. Many schools come low down on the tables because of low "value added". According to the faceless bureaucrats, a child's score on various tests determines their place in life.It also determines how many GCSEs they get or how high their levels are. ***Yes, it's about time that we started taking the long view in education and prepare people for jobs other than lawyers, chemists, pop-stars and footballers - oh, but that's okay, we can import all the menial workers we need and keep our own kids on social benefit until they die. Problem is that these people who are in an underclass at school become part of the criminal/fraudulent underclass that we spend the rest of our lives paying for and trying to "deal" with. When we should have "dealt" with them years before and helped them to be self-confident, socially aware individuals, with an understanding of their own strengths. If students do not get these results, then the school has not added value so is no good. I agree with you that it stinks. However, it conveniently masks the wider social issues that underpin poor performance from students like where they live and what their parent's do for a living etc. That is costly, blaming and shaming and working teachers like dogs to meet semi-meaningless targets is far cheaper and easier to manage. The only target I have ever set myself in teaching is how many young people I turn into decent adults. I see that as the only meaningful "target". I don't see it on any tables though.

What I like even more is that prior to OFSTED looking around the school, all the teachers are running around like headless chickens, desperately trying to pull the wool over the inspectors' eyes. It's pathetic. OFSTED should just turn up, and look around on a typical day... then see what happens. ***I also have to agree with Adam, there should not be any warning given of inspections since this skews even further in favour of the better off schools who can react to the tip-off, allowing what amounts to social destruction to continue unabated.

Of course, I realise that that is only one facet to the overall metric

Yes, smoke and mirrors is very much the name of the game. In most schools I have worked in the senior management either bully staff to do work for students or physically do it themselves. *** :-) Didn't one of Charlie's boy's have problems because of this - allegedly! I have been to far too many inset days where the focus is the magic "C/D borderline". If you could potentially achieve a grade C if staff dictate a lot to you by forcing you to stay in after school, you're worthy. If you will never get a C, and therefore never affect the league tables, then you can *&%$ off. I think it is sickening. many senior staff I have worked with do not give a damn about how hard little X worked to get their G or E. ***All we are doing is depriving children of their childhood with this obsession for tables. When my son's prep school tried to brow-beat my wife and I into coaching boy for his stats (he was already in the top stream), I told the school that although I didn't agree with homework at his age, we will support them fully in their efforts to educate boy, but I would not be party to pressurising him for the glory of the staff or the school. Even after his sats, they weren't happy with his high score that he obtained off his own back. I remember his teacher telling me that boy was 1 mark short off the next band in his English and she was going to appeal! (not to me!) We all know that when you turn the heat off in the hot-house environment, the blue-greens and the slimes slide back to their natural levels! Let's not burst their bubbles or burn them out before they begin to understand what potential they truly have. This mania is endemic. It always amuses me how the grades are given in reports. (I wrote our reporting system so I see a lot of reports) Wow, boy is truly remarkable, he was only average in political geography for this terms report, for everything else he was way above average - cool! Good boy! But then in the same breath they tell me he likes to chat in class! So is he not being stretched (even in the express maths set) or are the teachers flattering themselves? maybe we need to have insets on statistics and logic? Oh yes, and chalk throwing techniques, I think my boy would chat less if he had to keep a weather eye out for low flying gypsum ;-) Sorry, didn't someone have a puter to rebuild? ;-) that

OFSTED use in determining where on the league table to put the school, but even so, the league table does absolutely nothing in helping anyone determine what the school's ability to _teach_ is like.

As I said above, the league tables I believe are more based on how much higher your students achieve in various metrics than the number crunchers have predicted. The only real value of league tables is as a guide for middle class parents to decide where to buy their new or second home.

-- Thomas Adam