Hi Bart. Thanks for your reply.
Hello,
Try installing libgtkglarea first. That will solve the problem.
I'm not quite sure what you mean by the package I have to install. I cannot find it on the SuSE CDs. Could you please advise me? Thank you in advance.
Best regards,
Bart
-- To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com For additional commands send e-mail to suse-linux-e-help@suse.com Also check the FAQ at http://www.suse.com/support/faq and the archives at http://lists.suse.com
-- Mvh/Best regards/Vy73 de OZ4KK Erik Jakobsen - erik@urbakken.dk
OK, I've been going crazy. I think someone's been hacking into my webserver, but I don't know how to be sure. Typing "last" at the command line returns a list of past logins, but also on that list is:
reboot system boot 2.4.4-4GB [date] [time] (01:20)
and my messages.log file is cleared to that date, i.e. I have no entries from before October 9th @ 11:49, the time this "reboot" happened. Does anyone know what's going on? Any suggestions?
In /var/log, are there any .gz files like messages-20011008.gz or similar? If so, then it seems like the system got rebooted and the logs started over, which is normal on a SuSE system. If these are not there, when is the earliest date that shows a login? Also, has /etc/inetd.conf been modified? Did you have anything like proftpd or wuftpd or named or any other vulnerable services?
On Tue, 9 Oct 2001, gabriel wrote:
OK, I've been going crazy. I think someone's been hacking into my webserver, but I don't know how to be sure.
Typing "last" at the command line returns a list of past logins, but also on that list is:
reboot system boot 2.4.4-4GB [date] [time] (01:20)
and my messages.log file is cleared to that date, i.e. I have no entries from before October 9th @ 11:49, the time this "reboot" happened.
Does anyone know what's going on? Any suggestions?
Chad Whitten Network/Systems Administrator neXband Communications chadwick@nexband.com
Also, do an lsmod and see what modules are loaded. Maybe do a "top" and see if you get a root prompt, do a netstat -a -n -c and see what network traffic you have going out and in, and do a port scan of your machine to see if any strange ports are open.
On Tue, 9 Oct 2001, gabriel wrote:
OK, I've been going crazy. I think someone's been hacking into my webserver, but I don't know how to be sure.
Typing "last" at the command line returns a list of past logins, but also on that list is:
reboot system boot 2.4.4-4GB [date] [time] (01:20)
and my messages.log file is cleared to that date, i.e. I have no entries from before October 9th @ 11:49, the time this "reboot" happened.
Does anyone know what's going on? Any suggestions?
Chad Whitten Network/Systems Administrator neXband Communications chadwick@nexband.com
"top" gave me a whole lot of information I didn't understand, and there are no .gz files in the /var/log directory, and lsmod didn't work... Could this be from someone cutting the power and then restoring it?
From: <dog@intop.net>
Date: Tue, 9 Oct 2001 16:40:51 -0500 (CDT)
To: gabriel <dan@netgenetix.com>
Cc: SuSE Linux E <suse-linux-e@suse.com>
Subject: Re: [SLE] hack attempt?
Also, do an lsmod and see what modules are loaded. Maybe do a "top" and see if you get a root prompt, do a netstat -a -n -c and see what network traffic you have going out and in, and do a port scan of your machine to see if any strange ports are open.
On Tue, Oct 09, 2001 at 03:00:24PM -0700, gabriel wrote:
"top" gave me a whole lot of information I didn't understand, and there are no .gz files in the /var/log directory, and lsmod didn't work...
Could this be from someone cutting the power and then restoring it?
As pointed out, SuSE usually rotates your logs for you automatically, and you should end up with compressed previous ones in your /var/log directory, unless this has been disabled somehow. Also, if the power was cut you may lose some messages, depending on your syslog configuration (/etc/syslog.conf). If the entries have a "-" sign in front of them, then syslogd delays the log entry writes; this is often done to stop heavy logging from affecting system performance, since otherwise syslogd flushes the writes on every entry. This does not really help solve your quest, however...
--
Regards
Cliff
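Cliff's point about the "-" prefix can be checked mechanically. The script below is an added example, not code from the thread or from SuSE: a POSIX shell script that reads a syslog.conf and separates the destinations syslogd writes with buffering (the ones that can lose their most recent entries on a power cut) from those flushed on every entry. The embedded configuration is a constructed sample in the style of a SuSE syslog.conf, not a real system file; pass the path of a real file as the first argument to check that instead.

```shell
#!/bin/sh
# Added example, not from the thread: find the syslog.conf destinations
# that syslogd writes with buffering (action prefixed with "-"). Those
# can lose the most recent entries on a power cut; unprefixed files are
# flushed on every entry.

# Constructed sample in the style of a SuSE /etc/syslog.conf (not a
# real system file). Note /var/log/warn appears both buffered and flushed.
SAMPLE_CONF='# constructed sample syslog.conf
kern.warning;*.err;authpriv.none    /dev/tty10
*.emerg                             *
*.=warning;*.=err                   -/var/log/warn
*.crit                               /var/log/warn
*.*;mail.none;news.none             -/var/log/messages
mail.*                              -/var/log/mail
authpriv.*                           /var/log/auth'

# async_logs CONF: destinations written with buffering, one per line.
async_logs() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }                 # comment line
        NF == 0    { next }                 # blank line
        {
            action = $NF                    # last field is the action
            if (substr(action, 1, 1) == "-")
                print substr(action, 2)
        }'
}

# sync_logs CONF: file/device destinations flushed on every entry.
sync_logs() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }
        NF == 0    { next }
        {
            action = $NF
            if (substr(action, 1, 1) == "/")
                print action
        }'
}

# count_async CONF: how many destinations are buffered.
count_async() {
    async_logs "$1" | wc -l | tr -d ' '
}

# Usage: sh syslog_async_check.sh [/etc/syslog.conf]
if [ -n "${1:-}" ] && [ -r "$1" ]; then
    CONF=$(cat "$1")
else
    CONF=$SAMPLE_CONF
fi
echo "Buffered (entries may be lost on power loss):"
async_logs "$CONF"
echo "Flushed on every entry:"
sync_logs "$CONF"
```

On the sample, /var/log/warn shows up in both lists: warnings and errors go to it buffered while critical messages are flushed immediately, so the tail of that file after a power cut may hold a crit entry but not the warnings that preceded it.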
Okay, top gave you what it was supposed to: a list of processes running on the machine. Some rootkits will put a trojan in top, and when you run it you get a root prompt; that's why I suggested running it and seeing what happened. If lsmod didn't work, try /sbin/lsmod.
On Tue, 9 Oct 2001, gabriel wrote:
"top" gave me a whole lot of information I didn't understand, and there are no .gz files in the /var/log directory, and lsmod didn't work...
Could this be from someone cutting the power and then restoring it?
Chad Whitten Network/Systems Administrator neXband Communications chadwick@nexband.com
dog@intop.net writes:
Okay, top gave you what it was supposed to: a list of processes running on the machine. Some rootkits will put a trojan in top, and when you run it you get a root prompt; that's why I suggested running it and seeing what happened. If lsmod didn't work, try /sbin/lsmod.
What happened on my system was that top filtered out the processes that the hacker was running, so I never saw them. Almost all the basic binaries had been replaced with versions that filtered this stuff. I originally discovered the offending process by running 'lsof', which will show you file locks. I saw one in the list that looked funny and started to investigate. That is when I discovered that ls and top had been replaced. I was scratching my head for a while, trying to figure out what was going on. Rebooting the system locked me out entirely. I could not replace the affected binaries because they had modified the ext2 flags. I ended up reinstalling, because it would have been too much trouble to undo what had been done. As far as I could tell, all the hackers were doing was running an IRC server.
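Jesse's experience (top and ls replaced so that the intruder's processes were filtered out, found only because lsof showed something odd) suggests a defender's cross-check that does not rely on the suspect tools alone: compare the process IDs the kernel exposes under /proc with what ps reports. The script below is an added example, not part of the thread; the sample PID lists in it are constructed. It only catches a userland replacement of ps; a kernel-module rootkit that hides /proc entries defeats it, which is why Anders' advice later in the thread about examining the disks from a clean machine still stands.

```shell
#!/bin/sh
# Added example, not from the thread: a userland rootkit that replaces
# ps and top can filter its processes out of their output, but the
# kernel still exports a /proc/<pid> directory for every process.
# Listing /proc and comparing with ps is a cheap cross-check. A kernel
# rootkit can hide /proc entries too, so a clean result is not proof.

# compare_pid_lists PROC_PIDS PS_PIDS: print the PIDs present in the
# first (kernel) list but absent from the second (ps) list. Both are
# whitespace-separated, so the logic can be exercised on sample data.
compare_pid_lists() {
    for pid in $1; do
        if ! printf '%s\n' $2 | grep -qx "$pid"; then
            printf '%s\n' "$pid"
        fi
    done
}

# count_hidden PROC_PIDS PS_PIDS: number of PIDs ps did not show.
count_hidden() {
    compare_pid_lists "$1" "$2" | wc -l | tr -d ' '
}

# live_check: run the comparison on this host. Candidates are re-checked
# against /proc so processes that merely exited between the two listings
# (ls, grep, ps itself) are not reported.
live_check() {
    proc_list=$(ls /proc | grep -E '^[0-9]+$')
    ps_list=$(ps -e -o pid= 2>/dev/null || ps ax | awk 'NR > 1 { print $1 }')
    hidden=""
    for pid in $(compare_pid_lists "$proc_list" "$ps_list"); do
        if [ -d "/proc/$pid" ]; then
            hidden="$hidden $pid"
        fi
    done
    if [ -n "$hidden" ]; then
        echo "PIDs in /proc but not reported by ps:$hidden"
        return 1
    fi
    echo "ps reports every PID the kernel exports."
}

# Constructed sample: PID 4242 exists in /proc but ps does not list it.
PROC_SAMPLE="1 2 534 880 4242 5120"
PS_SAMPLE="1 2 534 880 5120"

# Usage: sh hidden_pid_check.sh        (demo on the constructed sample)
#        sh hidden_pid_check.sh --live (compare /proc with ps on this host)
if [ "${1:-}" = "--live" ]; then
    live_check
else
    echo "Hidden in sample: $(compare_pid_lists "$PROC_SAMPLE" "$PS_SAMPLE")"
fi
```

If the live check does report a PID, /proc/<pid>/exe, cmdline and cwd can be read directly without going through ps or top, which is the same idea as Jesse's lsof discovery: take the kernel's view rather than the possibly trojaned tool's.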
On October 10, 2001 11:13 am, Jesse Marlin wrote:
What happened on my system was that top filtered out the processes that the hacker was running, so I never saw them. Almost all the basic binaries had been replaced with versions that filtered this stuff. I originally discovered the offending process by running 'lsof', which will show you file locks. I saw one in the list that looked funny and started to investigate. That is when I discovered that ls and top had been replaced. I was scratching my head for a while, trying to figure out what was going on. Rebooting the system locked me out entirely. I could not replace the affected binaries because they had modified the ext2 flags. I ended up reinstalling, because it would have been too much trouble to undo what had been done. As far as I could tell, all the hackers were doing was running an IRC server.
The first thing I do when I suspect something is type:
rpm -V ps
That will tell you if ps or top were changed or replaced, a very common thing in rootkits. In fact, I try to keep everything on my system in the RPM database specifically so that I can rpm -V it.
Oh, BTW: everybody (and I mean EVERYBODY!) should have scanlogd installed and running. The package is in the sec diskset, and you have to set START_SCANLOGD="yes" in rc.config. Every once in a while, grep /var/log/messages for scanlogd messages and look at the messages that follow them. It doesn't take a lot of time, and it's worth it for the peace of mind alone. The vast majority of hack attempts follow a portscan...
--
James Oakley
Engineering - SolutionInc Ltd.
joakley@solutioninc.com
http://www.solutioninc.com
On Thursday 11 October 2001 16.36, James Oakley wrote:
The first thing I do when I suspect something is type:
rpm -V ps
That will tell you if ps or top were changed or replaced, a very common thing in rootkits.
Unless of course rpm has been changed or replaced :) Rule of thumb: if you suspect a break-in, don't trust *any* tools on that computer. Disconnect, and mount the drives read-only on a machine that's never been exposed to the net in any way.
In fact, I try to keep everything on my system in the RPM database specifically so that I can rpm -V it.
Won't help you if the rpm database is on the compromised system. Put it on a CD immediately after installation, before going on the net.
Oh, BTW: everybody (and I mean EVERYBODY!) should have scanlogd installed and running. The package is in the sec diskset, and you have to set START_SCANLOGD="yes" in rc.config. Every once in a while, grep /var/log/messages for scanlogd messages and look at the messages that follow them. It doesn't take a lot of time, and it's worth it for the peace of mind alone. The vast majority of hack attempts follow a portscan...
Regards,
Anders
On October 11, 2001 11:54 am, Anders Johansson wrote:
Unless of course rpm has been changed or replaced :) Rule of thumb: if you suspect a break-in, don't trust *any* tools on that computer. Disconnect, and mount the drives read-only on a machine that's never been exposed to the net in any way.
I was going to mention this, actually. We have one good thing going for us: disparate distros/versions. Installing an RPM meant for another distro may often fail, especially Red Hat ones, which tend to be pretty reckless with the %prein and %postin. There's also the naming of pre-reqs, and the versions of the pre-reqs themselves. You are right about not trusting *anything*, but you have to be sure that you have a problem in the first place. You can't realistically take out a critical server every time you think something *might* be amiss. It's probably best to analyse backups of that machine.
Won't help you if the rpm database is on the compromised system. Put it on a CD immediately after installation, before going on the net.
I had not thought of doing that before. I know SuSE makes backups, though. I'll have to start doing that.
--
James Oakley
Engineering - SolutionInc Ltd.
joakley@solutioninc.com
http://www.solutioninc.com
On October 11, 2001 12:47 pm, tabanna wrote:
On Thu, 11 Oct 2001, James Oakley wrote:
The first thing I do when I suspect something is type:
rpm -V ps
My resulting output is:
.M . . . . /usr/X11R6/bin/xcpustate
Is this a correct result?
Maybe, maybe not. It means that the permissions have changed. This may be due to the permissions script (easy, paranoid, and secure set it to root.root 755 by default), but you should check it manually with:
ls -l /usr/X11R6/bin/xcpustate
Hopefully, the SUID bit is not set and the perms are as above. If not, I suggest looking further. Interestingly enough, that file does not even exist on my system. It's not part of the ps package in SuSE 7.2. Check out the output of 'rpm -qi ps' and see if it came from SuSE. What's the build host? Mine is amdsim4.suse.de. Check the info against the RPM from your installation source. Maybe there's a new kit that uses RPM (a scary thought)... Then again, maybe I'm just being paranoid...
--
James Oakley
Engineering - SolutionInc Ltd.
joakley@solutioninc.com
http://www.solutioninc.com
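tabanna's output line and James's reading of it are easier to follow with the rpm -V attribute column decoded. The script below is an added example, not from the thread and not rpm's own code: it parses rpm -V output lines, where each position of the first field is "." when that attribute verified or a letter naming what differs (S size, M mode, 5 digest/MD5, D device, L symlink target, U user, G group, T mtime; later rpm versions add P for capabilities), and triages each line the way James does: mode-only changes are often the permissions script, while a changed size or digest on a non-config file is the rootkit pattern. The sample lines are constructed and their paths illustrative. Run it with a single "-" argument to decode real output: rpm -Va | sh rpmv_decode.sh - . As Anders notes, the rpm binary and database on a suspect host are themselves untrustworthy; rpm's --dbpath option lets the verification run against a database copy kept on read-only media.

```shell
#!/bin/sh
# Added example, not from the thread: decode "rpm -V" verify lines.
# Attribute letters are rpm's documented ones: S size, M mode, 5 digest
# (MD5 in rpm 3.x/4.x), D device, L symlink target, U user, G group,
# T mtime, P capabilities (newer rpm). "." = verified OK, "?" = not testable.

# Constructed sample output in the shape rpm -Va prints (paths illustrative).
# The S.5....T line on /bin/ps is the pattern James describes for a
# replaced binary: different size, different MD5, different mtime.
SAMPLE_OUTPUT='.M......   /usr/X11R6/bin/xcpustate
S.5....T   /bin/ps
missing    /etc/syslog.conf
..5....T c /etc/inetd.conf
.......T   /usr/share/doc/packages/ps/README'

# decode_attrs ATTRS: spell out the letters in an attribute field.
decode_attrs() {
    rest=$1
    out=""
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}   # first character
        rest=${rest#?}          # drop it
        case $c in
            S) out="$out size" ;;
            M) out="$out mode" ;;
            5) out="$out digest" ;;
            D) out="$out device" ;;
            L) out="$out symlink" ;;
            U) out="$out user" ;;
            G) out="$out group" ;;
            T) out="$out mtime" ;;
            P) out="$out capabilities" ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# severity_of LINE: triage one verify line. Content changes (size or
# digest) on a non-config file are the ones that matter for a rootkit;
# mode-only changes, as on tabanna's xcpustate, are often the permissions
# script; mtime-only is usually noise.
severity_of() {
    set -- $1                  # split into: attrs [type-flag] path
    attrs=$1
    shift
    ftype=""
    if [ $# -eq 2 ]; then
        ftype=$1
        shift
    fi
    case $attrs in
        missing)     echo "missing" ;;
        *5*|*S*)     if [ "$ftype" = "c" ]; then echo "config-edited"
                     else echo "content-modified"; fi ;;
        *M*|*U*|*G*) echo "metadata-changed" ;;
        *T*)         echo "mtime-only" ;;
        *)           echo "ok" ;;
    esac
}

# report OUTPUT: one triage line per verify line.
report() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        set -- $line
        attrs=$1
        eval "path=\${$#}"     # last field is the path
        printf '%-36s %-17s %s\n' "$path" "$(severity_of "$line")" "$(decode_attrs "$attrs")"
    done
}

# Usage: sh rpmv_decode.sh            (decodes the constructed sample)
#        rpm -Va 2>/dev/null | sh rpmv_decode.sh -
# rpm's --dbpath lets you point at a database copy kept on read-only media.
if [ "${1:-}" = "-" ]; then
    report "$(cat)"
else
    report "$SAMPLE_OUTPUT"
fi
```

On tabanna's line the decoder reports only "mode", which matches James's reading: permissions changed, content intact, so the next step is the manual ls -l he suggests rather than treating it as a replaced binary.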
participants (9)
- Anders Johansson
- Cliff Sarginson
- dog@intop.net
- Erik Jakobsen
- gabriel
- James Oakley
- Jesse Marlin
- tabanna
- Togan Muftuoglu