Mailinglist Archive: opensuse-edu (21 mails)

< Previous Next >
Re: [suse-linux-uk-schools] straw poll
  • From: Thomas Adam <thomas_adam16@xxxxxxxxx>
  • Date: Sat, 10 Dec 2005 14:23:21 +0000 (UTC)
  • Message-id: <20051210142301.98541.qmail@xxxxxxxxxxxxxxxxxxxxxxxxxxx>

--- Paul Taylor <ptaylor@xxxxxxxxxxx> wrote:

> On Friday 09 December 2005 22:34, Thomas Adam wrote:
> > Do you mean this from the point of the computer being compromised
> > maliciously, or via your own tinkering? If the former, then never. If
> > that latter, then only once.
> >
> A bit of both perhaps. My ISP told me that some critical system files had
> been damaged by hackers which caused the system to segfault on normal mode.

I still fail to see how they could have arrived at that conclusion logically,
seeing as they would need to examine a lot more factors than just a
cursive-by-proxy diagnosis. No, I am still very much of the opinion that
crackers haven't done much, but that the computer _possibly_ has some form of
inherent hardware failure.

Tracking that down is often time-consuming, and benefits from experience, and
general observations over a period of time, depending on the hardware that's
assumed to have failed.

> I could log on in recovery moe and get my data files. I'm not sure however
> if the hacking was caused by my liberal application of open source files on
> the server without detailed security oversight.

The dichotomy you have, Paul, is that _suggestion_ of crackers invading your
machine has been brought to the forefront, when, on the other hand, it could
just simply be hardware failure. If you really do suspect that your machine
has been compromised, then your safest bet is to backup ALL of your pertinent
data, and reinstall.

But consider for the moment, the effects this will have. Even if you are
successful in doing just that, what's to say that reinstalling the machine's
OS is going to fix whatever exploit was present to have caused it in the
first place? I've alluded already for the need of a firewall -- is there
such a setup in place, for the routed traffic to pass through one? If not,
that's the first thing you should do -- and I can assist with that where
necessary (essentially -- using IPTables).

Backing up the data from a supposed infected machine may well mean (depending
on what was exploited) that you also backup infected files. This is
unlikely, but it could happen. There are a few general things you need to
consider though. I'll go through some of them for you.

Assume for the moment, that this machine hadn't been cracked, and was just
being reinstalled for some reason. The data you would backup (to preserve
persistency) would most likely be:


You move all of that to another partition, or CD, or what have you. Then you
reinstall, and you move all of that data back. Aside from having to play
about with making sure the UID/GID mappings from the old /etc/{shadow,passwd}
files matched the permissions for the files already created (the process of
this is another email topic in its own right, and serves only as a
theoretical concept in this context) -- it's also possible that you've moved
an existing (and infected) account with you.

So in situations like this, I would go as far as to employ a rigourous
approach of:

1. For all Sixth-form students, allow login.
2. For anyone else, set their shell to 'rbash', or some such

> > One of the challenges I often set people, is to _fix_ their Linux box
> > without reinstalling. It's a really good learning-curve, and through
> > doing it, it's surprising at just how much one can learn. Of course,
> > I realise that it isn't always that straight forward -- especially
> > where the machine in question is in a critical environent.
> >
> I have done that on my home machine but was a bit nervy with a remote
> server.
> I also naively thought that paying someone to look after my server meant
> they
> would do just that. Their argument is that it was a root server that was
> managed by me (hence it was not very expensive).
> > Hardware failures though, tend to present themselves in many different
> > ways -- but the precursor is usually where multiple applications that
> > used to work, start to itermittently crash with SIGSERV or SIGABRT, or
> >
> The ISPs communiques seemed to point to a hardware failure which they claim
> was caused by malicious intrusions. Having said that, the ISP is Amen and
> they had industrial action over the summer (I couldn't get any help for 2
> months) due to their takeover by Claranet and sacking of lots of people.
> Could it have been a disgruntled ex...
> With the ability of hindsight, I would not use Amen again. The trouble is
> that I needed a cheap server so that my 6th formers could learn the trade.
> They (me mostly) run a company to host and sell web sites to local schools,
> charities and companies. It was meant to earn credit for various bits of
> coursework but grew bigger than I really could cope with a full teaching
> load. It is also too big and time consuming for me to move elsewhere.
> This
> latest incident has meant lots of candle burning for me which I could do
> without as January exam season approaches. :(
> > -- Thomas Adam
> >
> >
> >
> >
> >
> > ___________________________________________________________
> > Yahoo! Messenger - NEW crystal clear PC to PC calling worldwide with
> > voicemail
> --
> Sizofik a Ninila' Siyakhona? ポール
> --
> To unsubscribe, e-mail: suse-linux-uk-schools-unsubscribe@xxxxxxxx
> For additional commands, e-mail: suse-linux-uk-schools-help@xxxxxxxx

"The Linux Weekend Mechanic" --
"TAG Editor" --

"<shrug> We'll just save up your sins, Thomas, and punish
you for all of them at once when you get better. The
experience will probably kill you. :)"

-- Benjamin A. Okopnik (Linux Gazette Technical Editor)

Yahoo! Exclusive Xmas Game, help Santa with his celebrity party -

< Previous Next >