Hello all,

I have SuSE Linux 7.2 installed on a P1 233 MHz. For some time now I have seen scans on my system; last night, for some reason, the system stopped responding and I was unable to log in. After a reset and logging in as single user I have managed to recover the firewall file and the messages file. I have also remounted the system with "remount rw , /", and now I can use it again, but I still can't figure out what happened.

I use reiserfs as my filesystem. How do I ask reiserfs to fix my drive, so that next time I reboot I will not have to manually set it to rw? I can include the log file from my system.

Please, I need help badly..... I'm afraid that my Linux has been compromised. BTW, I have firewall2 with ip_tables, if you need more information.

Thanks in advance.

=====
,.   \\|//   - ?   (o o)
/======================oOOO=(_)OOo=====================\
email : ephlodur@rocketmail.com
What we need is Awareness; we can't get careless.
__________________________________________________
Do You Yahoo!?
Yahoo! Greetings - Send FREE e-cards for every occasion!
http://greetings.yahoo.com
On Wed, 27 Feb 2002 18:00:29 -0800 (PST) MindBender <ephlodur@rocketmail.com> wrote:
Please, I need help badly..... I'm afraid that my Linux has been compromised. BTW I have firewall2 with ip_tables

If you feel that you may have been cracked, then your only solution is to reinstall. You can never be sure just patching up your current system.

Your real problem is where the problem came from. Password protect your lilo. Disable the cdrom & floppy boot and password protect the bios. Stop running things as root.

Most hacks come from people you know, accessing your console when you don't suspect it.

--
$|=1;while(1){print pack("h*",'75861647f302d4560275f6272797f3');sleep(1);
for(1..16){for(8,32,8,7){print chr($_);}select(undef,undef,undef,.05);}}
This computer is mainly used as my Internet gateway. I have ssh running for remote access, and only one other person uses that computer. If you want to see the log file I can send it to you directly.

Thanks

--- zentara <zentara@gypsyfarm.com> wrote:
/snip/
On Thursday 28 February 2002 14:44, MindBender wrote:
This computer is mainly used as my Internet gateway. I have ssh running for remote access, and only one other person uses that computer. If you want to see the log file I can send it to you directly.

Question 1: why do you think you've been cracked?

Question 2: do you have chkrootkit installed? (see http://www.chkrootkit.org/) If you've got chkrootkit installed, does it report anything as infected? If you think chkrootkit might have been tampered with (as all local files are under suspicion), have you downloaded a new copy of chkrootkit and installed and run it? (or run chkrootkit -p /<path of a trusted binary>)

Question 3: have you considered running tripwire or COPS, or similar integrity-verification stuff?

And the big question:

Question 4: when did you last make any backups?

If you have a good reason to believe that your system has been compromised, then it's time to wipe the drive and restore from backups, since any file could potentially be tampered with.

Gideon.
On Thu, 28 Feb 2002 06:44:32 -0800 (PST) MindBender <ephlodur@rocketmail.com> wrote:
This computer is mainly used as my Internet gateway. I have ssh running for remote access, and only one other person uses that computer. If you want to see the log file I can send it to you directly.

That is why you should probably just reinstall. You cannot trust the logs.

You say your machine is your Internet gateway? So it's at a remote location? If so, how do you know your machine was not booted from a floppy or cdrom by some "night-watchman"? That wouldn't show up in your logs. Or maybe some government program to monitor you was going on, and they messed up installing the trojan.

I'm not saying it happened, just something to think about. Because that is what is going on out there.
I agree that anything can happen ... The other person that uses my computer does not know much about computers, and as of now I have no fear of a local attack; I worry more about the script kiddies on the Internet scanning my system... If I reinstall now I don't learn anything. By the way, do you know the command for reiserfs to fix a troubled disk?

--- zentara <zentara@gypsyfarm.com> wrote:
/snip/
On Thu, 28 Feb 2002 09:25:47 -0800 (PST) MindBender <ephlodur@rocketmail.com> wrote:
my system... If I reinstall now I don't learn anything. By the way, do you know the command for reiserfs to fix a troubled disk?

It's reiserfsck, probably use it with the -x option. Look at man reiserfsck.

If you are worried about script-kiddies, maybe you should watch what ports open up after you get her back running.

I use a simple script called "claymore" to do md5sums of all important files; it's a lot easier than Tripwire. You really should use something like that, so you can run integrity checks of your files.
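Gideon's Question 3 (tripwire, COPS or similar integrity verification) and zentara's "claymore" md5sum script describe the same check: hash every important file while the system is known good, keep the list somewhere the machine cannot alter it, and compare later. The script below is an added illustration written for this page; it is neither claymore nor any code posted in the thread. It uses sha256sum (md5sum has the identical interface, and HASH=md5sum reproduces what claymore did, but MD5 is no longer collision-resistant), and integrity_demo() builds a throwaway directory of constructed files so the whole thing runs anywhere without touching the real system.

```shell
#!/bin/sh
# Added example, not from the thread and not the "claymore" script:
# a minimal file-integrity baseline in the claymore/tripwire style.
HASH=${HASH:-sha256sum}   # md5sum works the same way; sha256sum is preferable today

# baseline_create DIR MANIFEST
# Hash every regular file under DIR into MANIFEST, one "<hash>  <path>" per line.
baseline_create() {
    find "$1" -type f -print | LC_ALL=C sort | while read -r f; do
        $HASH "$f"
    done > "$2"
}

# baseline_verify DIR MANIFEST
# Rehash DIR and print one line per deviation from MANIFEST, sorted:
#   CHANGED <path>   hash differs from the baseline (replaced binary, edited config)
#   MISSING <path>   listed in the baseline, no longer on disk
#   NEW <path>       on disk, absent from the baseline
# Paths containing whitespace are not handled by this simple version.
baseline_verify() {
    tmp=$(mktemp)
    baseline_create "$1" "$tmp"
    awk 'FILENAME == ARGV[1] { base[$2] = $1; next }
                             { cur[$2]  = $1 }
         END {
             for (p in base) {
                 if (!(p in cur))            print "MISSING " p
                 else if (cur[p] != base[p]) print "CHANGED " p
             }
             for (p in cur) if (!(p in base)) print "NEW " p
         }' "$2" "$tmp" | LC_ALL=C sort
    rm -f "$tmp"
}

# integrity_demo
# Build a throwaway tree of constructed files, take a baseline, apply the kinds
# of change a compromise or a sick disk leaves behind, and report. Paths are
# printed relative to the throwaway root.
integrity_demo() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/etc"
    printf 'original ls binary\n'              > "$root/bin/ls"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$root/etc/passwd"
    printf 'PermitRootLogin no\n'              > "$root/etc/sshd_config"
    baseline_create "$root" "$root.manifest"

    printf 'replaced ls binary\n' > "$root/bin/ls"      # system binary modified
    printf 'unexpected file\n'    > "$root/bin/.hidden" # file that was never baselined
    rm -f "$root/etc/sshd_config"                       # config removed

    baseline_verify "$root" "$root.manifest" | sed "s|$root/||"
    rm -rf "$root" "$root.manifest"
}

integrity_demo
```

Run baseline_create as root over /bin, /sbin, /usr/bin, /lib and /etc, and store the manifest on read-only media or on another host; a manifest kept on the box being checked can be rewritten by whoever rewrote the binaries. Gideon's point about chkrootkit -p applies equally here: when the system is already suspect, run find and sha256sum from known-good copies (a rescue CD), since a replaced hashing tool can lie about its own checksum.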
Thanks a lot .. I will install claymore. Will keep you updated.

--- zentara <zentara@gypsyfarm.com> wrote:
/snip/
At 08:29 02/28/2002 -0500, zentara wrote:
If you feel that you may have been cracked, then your only solution is to reinstall. You can never be sure just patching up your current system.
Your real problem is where the problem came from. Password protect your lilo. Disable the cdrom &floppy boot and password protect the bios. Stop running things as root.
Most hacks come from people you know, accessing your console when you don't suspect it.
/snip/

Q1: How do you password protect LILO? Why should you have to do this, unless you have a saboteur on site? Oh, I guess I see: you are assuming someone has physical access.

Q2: If you disable cdrom & floppy boot, and you have trouble, aren't you up the creek?

--doug
On Thu, 28 Feb 2002 19:12:31 -0500 Doug McGarrett <dougmack@i-2000.com> wrote:
Most hacks come from people you know, accessing your console when you don't suspect it.
/snip/
Q1: How do you password protect LILO? Why should you have to do this, unless you have a saboteur on site? Oh, I guess I see: you are assuming someone has physical access.
In the /etc/lilo.conf file you can set a global password and a password for each image. If the global password is set, and you put "restricted" in each kernel image, then you are prompted for a password if someone tries to boot with 'linux single' or 'linux init=/bin/sh'.

Q2: If you disable cdrom & floppy boot, and you have trouble, aren't you up the creek?

No, because you know the bios password and, if needed, can reset it to boot from cdrom or floppy if the need arises. It's a minor inconvenience, but protects you from unauthorized boots.
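zentara's description of password= and restricted in /etc/lilo.conf can be turned into a check. The script below is an added example for this page, not code from the thread or from LILO: lilo_audit() reads a lilo.conf and reports, for every image= stanza, whether booting with extra parameters at the LILO prompt (the 'linux single' and 'linux init=/bin/sh' cases zentara names) requires a password, and whether ordinary boots will prompt too. lilo_demo() runs it over two constructed configs, a typical one with no password and the corrected one; the password value in the corrected config is a placeholder.

```shell
#!/bin/sh
# Added example for this thread (not from LILO or from the list): audit the
# password/restricted protection of every image= stanza in a lilo.conf.
#
# LILO semantics relied on here: "password=" and "restricted" may appear in the
# global section (applying to every image) or inside an image stanza.
#   password without restricted -> password asked on every boot of that image
#   password with restricted    -> asked only when parameters are typed at the
#                                  prompt ("linux single", "linux init=/bin/sh")
#   no password at all          -> anyone at the console can pass parameters

# lilo_audit FILE: print one verdict line per image= stanza, in file order.
lilo_audit() {
    awk '
        function report(    mode) {
            if (image == "") return
            if (gpw || ipw) {
                mode = (grestr || irestr) ? "restricted" : "every boot prompts"
                printf "%s: parameter boots need a password (%s)\n", image, mode
            } else {
                printf "%s: OPEN - single-user/init= boots need no password\n", image
            }
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]*image[ \t]*=/ {
            report()
            image = $0
            sub(/^[ \t]*image[ \t]*=[ \t]*/, "", image)
            sub(/[ \t]*$/, "", image)
            ipw = 0; irestr = 0
            next
        }
        /^[ \t]*password[ \t]*=/   { if (image == "") { gpw = 1 } else { ipw = 1 }; next }
        /^[ \t]*restricted[ \t]*$/ { if (image == "") { grestr = 1 } else { irestr = 1 }; next }
        END { report() }
    ' "$1"
}

# lilo_demo: audit two constructed configs (not real files from the thread),
# the weak one first, and print both reports.
lilo_demo() {
    weak=$(mktemp); fixed=$(mktemp)
    # Typical install: no password anywhere.
    printf '%s\n' 'boot=/dev/hda' 'prompt' 'timeout=50' \
        'image=/boot/vmlinuz' '    label=linux' '    root=/dev/hda2' > "$weak"
    # What zentara describes: one global password, "restricted" in the image.
    # The second image deliberately lacks "restricted" to show the difference.
    printf '%s\n' 'boot=/dev/hda' 'prompt' 'timeout=50' \
        'password=PLACEHOLDER-change-me' \
        'image=/boot/vmlinuz' '    label=linux' '    root=/dev/hda2' '    restricted' \
        'image=/boot/vmlinuz.old' '    label=old' '    root=/dev/hda2' > "$fixed"
    lilo_audit "$weak"
    lilo_audit "$fixed"
    rm -f "$weak" "$fixed"
}

lilo_demo
```

Two caveats a practitioner needs alongside the config change: the password sits in /etc/lilo.conf in clear text, so the file must be readable by root only (chmod 600), and lilo has to be re-run after editing so the new boot map is written. The LILO password only governs what LILO itself boots; zentara's companion advice of a BIOS password with floppy and cdrom boot disabled is what stops the same person at the console from simply booting other media.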
On Thursday 28 February 2002 02:00, MindBender wrote:
/snip/
Please, I need help badly..... I'm afraid that my Linux has been compromised.
BTW I have firewall2 with ip_tables
if you need more information

Have you tried installing LIDS?

Tom

--
At the source of every error which is blamed on the computer you will find at least two human errors, including the error of blaming it on the computer.
participants (5)
- Doug McGarrett
- Gideon Hallett
- MindBender
- Tom Wesley
- zentara