• Re: Security breach?

    From Aragorn@110:300/1.1 to All on Sat Jan 12 00:24:05 2013
    On Saturday 12 January 2013 00:07, Ohmster conveyed the following to comp.os.linux.security...

    Aragorn <stryder@telenet.be.invalid> wrote in news:kcq5hd$4fa$1@dont-email.me:

    [Ohmster wrote:]

    I read all this stuff and will keep it for an installation guide.
    Running all as read only would be a bit rough, but I do not change
    things that often and it may work. But how do you change things when
    you want to such as password or profile or something like that if it
    is mounted read only all the time?

    You remount it read/write, make the changes, sync the filesystem [*]
    and you remount it read-only again.


    [*] If necessary, flush all dirty buffers, like so...

    echo 3 > /proc/sys/vm/drop_caches

    This should be executed as root, of course.

    Ah, good looking out! You think that someone could look at my sudo
    find / -perm /6000 output? I saved it to text and would like for
    someone with experience to scan it with eyes and tell if anything is
    obvious. Post to newsgroup or not a good idea, Aragorn?

    You could always upload it to BitBucket or something of the likes.

    --
    = Aragorn =
    (registered GNU/Linux user #223157)

    --- MBSE BBS v0.95.13 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Strider (110:300/1.1@linuxnet)
  • From Ohmster@110:300/1.1 to All on Sat Jan 12 00:48:21 2013
    Aragorn <stryder@telenet.be.invalid> wrote in news:kcq6um$fu0$1@dont-email.me:

    Ah, good looking out! You think that someone could look at my sudo
    find / -perm /6000 output? I saved it to text and would like for
    someone with experience to scan it with eyes and tell if anything is
    obvious. Post to newsgroup or not a good idea, Aragorn?

    You could always upload it to BitBucket or something of the likes.

    Yes, I could. And also upload it to my ISP personal web space and give
    link. Question is to do this on a public newsgroup. What do you think?

    I ran chkrootkit on the machine, offline, in run level 3, ditched the x windows, and found one infected item.

    Checking `blindshell' ...INFECTED (PORTS: 465)

    I don't know what blindshell is or if it can be removed safely. The locate command fails to locate such a file, even when used with the -i option. Any hope to remove this infection?

    --
    ~Ohmster

    --- MBSE BBS v0.95.13 (GNU/Linux-x86_64)
    * Origin: Ohm's Fish Market (110:300/1.1@linuxnet)
  • From Ohmster@110:300/1.1 to All on Sat Jan 12 01:07:41 2013
    Ohmster <root@dev.nul> wrote in
    news:XnsA145BF4232C47MyBigKitty@216.196.97.131:

    Checking `blindshell' ...INFECTED (PORTS: 465)

    I don't know what blindshell is or if it can be removed safely. The
    locate command fails to locate such a file, even when used with the -i option. Any hope to remove this infection?

    This is probably a false positive, checked on the web for it. Thanks for
    your help everybody. I sort of know what to do now.
    --
    ~Ohmster

    --- MBSE BBS v0.95.13 (GNU/Linux-x86_64)
    * Origin: Ohm's Fish Market (110:300/1.1@linuxnet)
  • From Bit Twister@110:300/1.1 to All on Sat Jan 12 01:08:39 2013
    On Fri, 11 Jan 2013 15:53:52 -0600, Ohmster wrote:

    Well, with selinux enabled, *nothing* works anymore. Not samba, ssh may
    have issues, httpd, ftpd, everything is broken and is a major hassle to
    get working again, if it is possible at all.

    Of course it's possible, otherwise they would quit using it.

    Now I am sure that the people who wrote selinux did not mean to disable
    the entire daemon system and there must be some clear documentation on
    how to make it work, but I cannot find it. No GUI or easy to understand
    docs that I can find.
    Pointers?

    Cannot remember where I saw it, but there was some command line magic
    where you could ask it to tell you what you needed to get an application
    registered. Here are all my links. Text after the ! are comments/keywords
    I use to find stuff in my urls file.

    http://www.linuxnix.com/2012/09/basics-of-selinux-in-linux.html ! documentation
    http://ejohansson.se/archives/2007/11/04/selinux-subversion-and-mod_svn/
    http://people.redhat.com/dwalsh/SELinux/Presentations/ManageRHEL5.pdf
    http://fedoraproject.org/wiki/SELinux
    http://www.redhatmagazine.com/2007/08/21/a-step-by-step-guide-to-building-a-new-selinux-policy-module/ ! howto
    http://www.it-observer.com/pdf/dl/demystifying_selinux.pdf ! security secure linux
    http://www.linuxdevcenter.com/pub/a/linux/excerpt/selnx_1/index.html ! documentation Adding Permissions Using SELinux



    Gotta be a rootkit or something.

    And there lies the rub. There is no telling what is installed unless
    you take the drive to another system and really dig into it.
    This assumes you know what you are doing and do not infect the new
    system.

    I would have to wipe and reinstall this system and I do not want to
    reinfect it. However, I have many config files that I will need, not to

    I find it much easier to create install/change scripts to modify
    config files. Old config files can dink up new releases. :(


    I have enabled mail in previous installs of Fedora, the whole thing was
    no good, my IP was blocked every step of the way for being a cable IP
    block. So much for mail server. I did use my ISP, Comcast as the mail
    agent, but this too was a disaster. They just do not want individuals
    running mail servers and I do understand why. Spam boxes were built and
    sold for this very reason and are totally banned.

    I use postfix. It sends in my id/pw then ships out any email in the queue.
    As far as my ISP is concerned, it looks like a dumb mail client sending
    a lot of email pretty fast.



    I read up a little on rkhunter and it seems to take the tripwire
    approach, meaning I would initially need a clean system to install it
    on, not much good once system is infected.

    You would be correct as far as infected bin/ files but it might find some malware files.


    Yes it is on the same LAN but I doubt it was cracked through the Windows
    7 machine which is up to date with Avast installed and updated.

    Heheheh, saw a report a few months ago indicating new malware app released every second. Your AV software has to catch a copy of malware, check it out, test detection logic, add to database.

    This machine never connects to Linux but for samba

    Yup, see some articles about samba shares used as attack vector

    when I want and ssh w/PuTTY when I need it.

    And that is malware can grab id/pw.


    You think the machine will power itself back on, all by itself or by
    remote command when it is not even turned on?
    I would sure like to see that!

    It is possible with Wake on demand nic and enabled in bios.

    But I will pull the cable if you think it prudent.

    All I am saying is the machine needs to be disconnected as long as it is infected. Malware could restart/bring up the network.


    I do want to be able to power it up and rescue my files though, and I
    would like to be able to do it with LAN access, if at all possible.

    Oh it is possible. And very possible for malware to get back on to the
    internet through your win box.

    How to do it? Pull cablemodem plug and run on LAN only while getting
    files or can I block just the Linux machine from Internet while running
    it?

    Pulling the cablemodem plug would prevent Internet access all right,
    assuming no wireless connections from any LAN systems.


    Any internet content, flash, pdf, gif, MP3, WMA, WMV, MP2,..., might
    contain malware.

    ...really. Oh this really bites. Any way to scan files for malware in
    Linux?

    You are missing the point. You are watching a youtube video and the
    streaming content contains the exploit.

    --- MBSE BBS v0.95.13 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (110:300/1.1@linuxnet)
  • From unruh@1:0/0 to All on Sat Jan 12 01:16:32 2013
    On 2013-01-11, Aragorn <stryder@telenet.be.invalid> wrote:
    On Friday 11 January 2013 22:57, Ohmster conveyed the following to comp.os.linux.security...

    Aragorn <stryder@telenet.be.invalid> wrote in
    news:kcq1l8$gph$1@dont-email.me:

    Really? I installed MintOS because it is supposed to be Redhat Linux
    Enterprise Edition without the money or phone support.

    I think you have put some people on the wrong foot here. That which
    you were advised to use as being a free RedHat EL clone is called
    CentOS, not MintOS.

    Sorry about the confusion, it is CentOS, 6.3. I did play around with
    MintOS and did not use it when I found out about CentOS. For whatever
    reason, MintOS stuck in my head but is not what is on the machine.
    Sorry.

    In fact, there is to my knowledge not even any distribution which
    would be called "MintOS", but there /is/ however a distribution named
    Mint, and it is not a RedHat clone, but an offshoot of Ubuntu, which
    itself is an offshoot of Debian.

    In other words, that which you are most likely running is CentOS 6.3.
    In the event of doubt, try this...

    I am, I am.

    [ -f /etc/release ] && cat /etc/release

    If you don't get any output, then you are most likely not running a
    RedHat clone.

    [22:50:32][localhost:/home/aragorn]
    [0][aragorn][$] > [ -f /etc/release ] && cat /etc/release
    Mageia release 1 (Official) for x86_64

    I cannot run that now as the machine is off. Usually I would do that
    in a putty ssh window and copy/paste the output here, but it is CentOS
    6.3.

    With Fedora, a totally new OS would come out every 6 months or sooner
    and that was just too much to bother with.

    Fedora is a bleeding edge testbed. It is not suitable for production
    usage.

    So, okay to reinstall CentOS 6.3 and use it? I did turn off selinux
    because nothing would work with it, no httpd, no ftpd, samba was
    impossible to run, and almost everything did not work until selinux
    was set to permissive.

    Reinstall, while formatting all filesystems. Then, immediately apply
    all updates to the system from the official repositories.

    I would also recommend a safe partitioning layout, as follows:

    - /boot
    - /
    - /usr
    - /opt
    - /var
    - /home
    - /srv (if normally present; not all distros use it)
    - /tmp (you can use a tmpfs for this instead of a disk partition)

    Well, I do not think this addresses safety. I have always found that
    creating partitions means I always pick the wrong size, and have huge
    amounts of space on one, and nothing on the other partition. The main
    division is between system installed stuff and user installed stuff ( /,
    /usr, vs /home, /usr/local) -- ie two partitions (plus swap).



    If you're not sure about partition size requirements, use LVM2 for everything except /boot, / and /tmp - the latter because it's generally advised to keep that on a tmpfs, so that it lives in virtual memory.

    Then, after having applied all updates - and to be mildly reverted when applying updates in the future - you should also make sure that /boot,
    /opt and /usr are mounted read-only during normal operation. It won't
    stop an attacker, but it'll slow them down if the attacker is made of
    flesh and blood. It /will/ generally stop malware from trying to
    install a rootkit in an automated fashion.

    Also, use the following mount options - I'm leaving out the read-only
    part as this has to be manually toggled on and off by remounting after/before applying updates:

    - /boot : nodev,noexec
    - /usr : nodev
    - /home : nodev,nosuid [*]
    - /tmp : nodev,noexec
    - /opt : nodev
    - /srv : nodev
    - /var : nodev

    If you're really paranoid, you can also remount the root filesystem read-only after the boot sequence has completed. With GNU/Linux distributions using systemd as the SysV init system, this could be a
    little tricky as systemd does not read or execute /etc/rc.local, but
    with a traditional SysV init, you can remount the root filesystem read-
    only via /etc/rc.local.

    The system will bitch about it - e.g. on shutdown - and you won't be
    able to change anything in /etc after the root filesystem has been
    mounted read-only - e.g. adding user accounts or changing passwords -
    but for a fairly static configuration, it does work. I'm doing it here
    too, because there are a few buggy applications which (by
    misconfiguration) write junk to the root directory - it's a known
    problem in this particular distribution - and I got tired of having to
    clean out the root directory every day, so I used the blunt force
    approach of remounting "/" read-only.

    Lastly, and as you have also already been told a lot of times, don't run
    a graphical user interface on a production server. If you're only
    accessing the machine via ssh, then you can access it locally via a
    command line shell in a character mode virtual terminal anyway, so then
    you don't need to even install X11, let alone GNOME, KDE, XFCE, LXDE or whatever else have you.

    Note: If you run the system without a graphical user interface, then
    /tmp should be no larger than about 50 MB per user account. If you put
    /tmp on tmpfs, you can specify a maximum size at mount time (and thus
    also via /etc/fstab).


    [*] Better would be to have /home mounted "nodev,noexec" - "noexec"
    implies "nosuid" - but I'm specifying "nodev,nosuid" because you may
    want to run some custom-made scripts from your own user account from
    time to time.


    --- MBSE BBS v0.95.13 (GNU/Linux-x86_64)
    * Origin: The Kofo BBS MBSE - telnet://fido1.kofobbs.ne
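    The per-filesystem mount options quoted above (Aragorn's list) and the remount read-write, change, sync, remount read-only cycle from earlier in the thread, as an added shell example; this is not code from any of the posters. It audits a /proc/mounts listing against the recommended options, so a filesystem that has drifted back to plain rw shows up, and wraps the remount cycle in one function. The policy strings are the ones in the post; the sample mounts are constructed.

```shell
#!/bin/sh
# Added example (not code from the thread's authors): audit mounted
# filesystems against the per-mountpoint options recommended in the
# thread, and wrap the remount-rw / change / sync / remount-ro cycle.

# Desired options per mount point, one "MOUNTPOINT opt,opt,..." per line.
# ro is listed for the filesystems the post says to keep read-only
# during normal operation.
MOUNT_POLICY='/boot ro,nodev,noexec
/usr ro,nodev
/opt ro,nodev
/home nodev,nosuid
/tmp nodev,noexec
/srv nodev
/var nodev'

# Constructed sample in /proc/mounts format:
# device mountpoint fstype options dump pass
MOUNTS_SAMPLE='/dev/sda1 /boot ext4 rw,relatime 0 0
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda3 /home ext4 rw,nodev,nosuid,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,size=51200k 0 0
/dev/sda4 /var ext4 rw,relatime 0 0'

# check_mount_options MOUNTS_TEXT
# Prints "MOUNTPOINT missing: opt ..." for every policed mount point whose
# current options lack something; prints nothing when all comply.
# Live use: check_mount_options "$(cat /proc/mounts)"
check_mount_options() {
    {
        printf '%s\n' "$MOUNT_POLICY" | sed 's/^/P /'   # policy lines, tagged
        printf '%s\n' "$1"                               # then the mount table
    } | awk '
    $1 == "P" { want[$2] = $3; next }
    ($2 in want) {
        mp = $2
        m = split($4, have, ",")
        for (j = 1; j <= m; j++) has[mp, have[j]] = 1
        k = split(want[mp], need, ",")
        missing = ""
        for (j = 1; j <= k; j++)
            if (!((mp, need[j]) in has)) missing = missing " " need[j]
        if (missing != "") print mp " missing:" missing
    }'
}

# with_rw MOUNTPOINT COMMAND [ARGS...]
# Remount read-write, run the change, flush it with sync, remount
# read-only. Needs root and a real mount, so it is shown for the
# procedure and not exercised below.
# Example: with_rw /usr yum -y update
with_rw() {
    mp=$1; shift
    mount -o remount,rw "$mp" || return 1
    "$@"; status=$?
    sync
    mount -o remount,ro "$mp" || return 1
    return $status
}

check_mount_options "$MOUNTS_SAMPLE"
```

    On the constructed sample this reports /boot (still rw, no nodev/noexec) and /var (no nodev); /home and /tmp comply. Running it from cron against the live mount table is a cheap way to notice when a remount-rw was never reverted.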
  • From unruh@1:0/0 to All on Sat Jan 12 01:24:11 2013
    On 2013-01-11, Ohmster <root@dev.nul> wrote:
    unruh <unruh@invalid.ca> wrote in news:2R_Hs.22037$532.962@newsfe03.iad:

    [..]
    The second is to wipe the drive and reinstall the operating system,
    making sure you give yourself and all users strong passwords, and you
    change all ssh authorized hosts accounts. Then you restore all your old
    user files (eg home directory, or other programs you installed). Then
    search through for any suid programs, especially suid root programs.
    (eg I had one /tmp/bananas that was a suid root shell)
    find / -perm /6000

    Oh my, there is an awful lot of input. I will have to run this again and capture it to a text file. Huh, chrome sandbox had suid? How come? Let me run this more and find out how bad this is.

    I don't really know how to tell what should and should not have suid. I
    know that no browser sandbox should have it, and all the /bin /sbin/ and some others are alright, but there is a LOT of output from directories and even hard drives that should not have suid. I have backups of previous installations on other drives and they have suid too. /var/cache/.. has suid. This is bad. Do you think I can upload this for examination or might that not be prudent, unruh?

    Thank you unruh.

    You also have an rpm based machine.
    rpm -Va > /tmp/verify
    then look through that to see files which have changed since
    installation. (third entry is a 5) Some should have changed
    (/etc/passwd for example) but some certainly should not.


    Note on the find command
    find / -perm /6000 -ls
    will give more information about the permissions and the files.
    The command looks for both suid and sgid files. The former are of
    course more dangerous. Not all may be owned by root, but most will be.




    --- MBSE BBS v0.95.13 (GNU/Linux-x86_64)
    * Origin: The Kofo BBS MBSE - telnet://fido1.kofobbs.ne
  • From unruh@1:0/0 to All on Sat Jan 12 01:26:41 2013
    On 2013-01-11, Ohmster <root@dev.nul> wrote:
    unruh <unruh@invalid.ca> wrote in news:2R_Hs.22037$532.962@newsfe03.iad:

    find / -perm /6000

    Who can look at this for me? I ran the find command and saved it to a
    text file. Although it is a tad long, it is alphabetical and stuff like
    /bin and /sbin should be alright. Is this something someone can help me
    with or best not to offer it? I do not want to "dump work on someone",
    just scan the list and mention anything that comes to mind.

    I can upload to personal web space or post to newsgroup. Good idea?

    Put it somewhere and someone may look at it. Primarily you should.
    If you find something that looks suspicious (any suid root file in /var,
    /tmp, /home, is probably bad). Also use rpm -qf <name of file> to see if
    rpm considers it suspicious.




    --- MBSE BBS v0.95.13 (GNU/Linux-x86_64)
    * Origin: The Kofo BBS MBSE - telnet://fido1.kofobbs.ne
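    unruh's two checks, rpm -Va (watching the digest column) and find / -perm /6000 -ls, together with the rule in the post above that a suid root file under /var, /tmp or /home is probably bad, as an added shell example; this is not code from anyone in the thread. Both helpers parse saved text, so they can be run over a listing like the suid_out.txt being passed around rather than on the compromised machine. The sample lines are constructed, except /tmp/bananas, which is unruh's own example.

```shell
#!/bin/sh
# Added example (not code from the thread's authors): triage helpers for
# `rpm -Va` output and `find / -perm /6000 -ls` output.

# `rpm -Va` lines: a 9-character attribute string (S size, M mode,
# 5 digest, D device, L link, U user, G group, T mtime, P capabilities;
# "." means unchanged), an optional file-type flag (c = config file),
# then the path. Files rpm cannot find are reported as "missing".
# Constructed sample:
RPM_VERIFY_SAMPLE='S.5....T.  c /etc/passwd
.M.......    /usr/bin/sudo
S.5....T.    /usr/bin/ls
.......T.    /usr/lib64/libc.so.6
missing      /usr/sbin/sshd'

# rpm_verify_triage VERIFY_TEXT
# Prints "reason path" for packaged files whose digest (column 3 = "5")
# or mode (column 2 = "M") changed, or that are missing. Config files
# (flag c) are skipped: /etc/passwd is expected to differ from the
# packaged copy, a binary in /usr/bin is not.
# Live use: rpm -Va > /tmp/verify; rpm_verify_triage "$(cat /tmp/verify)"
rpm_verify_triage() {
    printf '%s\n' "$1" | awk '
        $1 == "missing"         { print "missing " $NF; next }
        $2 == "c"               { next }
        substr($1, 3, 1) == "5" { print "digest " $NF; next }
        substr($1, 2, 1) == "M" { print "mode " $NF }'
}

# `find / -perm /6000 -ls` lines: inode blocks mode links owner group
# size month day time-or-year path. /tmp/bananas is unruh's example;
# the /var/cache entry is constructed.
FIND_LS_SAMPLE='   1001   40 -rwsr-xr-x   1 root  root   36000 Jan  1  2012 /usr/bin/passwd
   2002   20 -rwsr-xr-x   1 root  root   12000 Jan 11 03:12 /tmp/bananas
   3003   24 -rwxr-sr-x   1 root  games  24000 Jan  1  2012 /usr/bin/phantasia
   4004   16 -rwsr-xr-x   1 root  root    8000 Jan 10 22:40 /var/cache/.x/sh'

# suid_root_in_user_trees FIND_LS_TEXT
# Prints the path of every setuid file owned by root that lives under
# /var, /tmp, /home or /dev/shm, the locations the thread calls "probably
# bad". Setgid-only entries (the "s" in the group triplet, e.g. games)
# are not reported; those are normally scoreboard or spool writers.
suid_root_in_user_trees() {
    printf '%s\n' "$1" | awk '
        NF >= 11 {
            mode = $3; owner = $5; path = $NF
            suid = substr(mode, 4, 1) ~ /[sS]/
            if (suid && owner == "root" && path ~ "^/(var|tmp|home|dev/shm)/")
                print path
        }'
}

rpm_verify_triage "$RPM_VERIFY_SAMPLE"
suid_root_in_user_trees "$FIND_LS_SAMPLE"
```

    On the samples the first helper reports /usr/bin/sudo (mode), /usr/bin/ls (digest) and /usr/sbin/sshd (missing), and the second reports /tmp/bananas and /var/cache/.x/sh. For each hit, rpm -qf PATH tells you which package, if any, claims the file, which is the follow-up the post above suggests; a suid root binary that no package owns is the case to treat as hostile.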
  • From Bit Twister@110:300/1.1 to All on Sat Jan 12 01:26:45 2013
    On Fri, 11 Jan 2013 16:47:37 -0600, Ohmster wrote:

    I know
    what my OS is, but I do not use the name often and got distracted.

    I am not sure if your Linux OS is supported, security patch wise.

    You may need to consider some other OS.

    Here is a brief list of types of patches I am talking about. https://wiki.mageia.org/en/Mageia_2_Advisories

    Lots of malware is generated within 12 to 36 hours after a patch has
    been released.

    --- MBSE BBS v0.95.13 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (110:300/1.1@linuxnet)
  • From Ohmster@110:300/1.1 to All on Sat Jan 12 02:34:54 2013
    unruh <unruh@invalid.ca> wrote in news:L22Is.64415$LS5.15558@newsfe10.iad:

    You also have an rpm based machine.
    rpm -Va > /tmp/verify
    then look through that to see files which have changed since
    installation. (third entry is a 5) Some should have changed
    (/etc/passwd for example) but some certainly should not.


    Note on the find command
    find / -perm /6000 -ls
    will give more information about the permissions and the files.
    The command looks for both suid and sgid files. The former are of
    course more dangerous. Not all may be owned by root, but most will be.

    Good idea. Man, I am getting so many I/O errors now that I cannot even run
    the find command anymore. But, I do have one that I made when you first suggested it. Look here:

    http://home.comcast.net/~theohmster/text/suid_out.txt

    The /mnt/media/... stuff is my two extra IDE drives, I do have copies of
    the previous system on them made with cp -a.

    Wow, this is more than I can do for one night, need to take a break. Thanks unruh.

    --
    ~Ohmster

    --- MBSE BBS v0.95.13 (GNU/Linux-x86_64)
    * Origin: Ohm's Fish Market (110:300/1.1@linuxnet)
  • From unruh@1:0/0 to All on Sat Jan 12 03:16:16 2013
    On 2013-01-12, Ohmster <root@dev.nul> wrote:
    unruh <unruh@invalid.ca> wrote in news:L22Is.64415$LS5.15558@newsfe10.iad:

    You also have an rpm based machine.
    rpm -Va > /tmp/verify
    then look through that to see files which have changed since
    installation. (third entry is a 5) Some should have changed
    (/etc/passwd for example) but some certainly should not.


    Note on the find command
    find / -perm /6000 -ls
    will give more information about the permissions and the files.
    The command looks for both suid and sgid files. The former are of
    course more dangerous. Not all may be owned by root, but most will be.

    Good idea. Man, I am getting so many I/O errors now that I cannot even run the find command anymore. But, I do have one that I made when you first suggested it. Look here:

    http://home.comcast.net/~theohmster/text/suid_out.txt

    Not sure how you want us to respond since you have not given any return
    address or storage place. If you go to ftp://theory.physics.ubc.ca/outgoing/suid_out.txt
    I have listed those files I would have a second look at. Now many may be
    sgid rather than suid (eg games) but some may be suspicious.

    If they are owned by some package, you could save the current file and
    then do
    rpm -Uhv --force name.of.package.rpm
    and see if the current file is the same as the one in the package. If it
    is not, that makes it very suspicious. If it is not in any package, that
    also makes it suspicious.





    The /mnt/media/... stuff is my two extra IDE drives, I do have copies of
    the previous system on them made with cp -a.

    Wow, this is more than I can do for one night, need to take a break. Thanks unruh.


    --- MBSE BBS v0.95.13 (GNU/Linux-x86_64)
    * Origin: The Kofo BBS MBSE - telnet://fido1.kofobbs.ne
  • From Ohmster@110:300/1.1 to All on Sat Jan 12 04:04:23 2013
    unruh <unruh@invalid.ca> wrote in
    news:QH3Is.24294$tK1.12909@newsfe07.iad:

    Good idea. Man, I am getting so many I/O errors now that I cannot
    even run the find command anymore. But, I do have one that I made
    when you first suggested it. Look here:

    http://home.comcast.net/~theohmster/text/suid_out.txt

    Not sure how you want us to respond since you have not given any
    return address or storage place. If you go to ftp://theory.physics.ubc.ca/outgoing/suid_out.txt
    I have listed those files I would have a second look at. Now many may
    be sgid rather than suid (eg games) but some may be suspicious.

    If they are owned by some package, you could save the current file and
    then do
    rpm -Uhv --force name.of.package.rpm
    and see if the current file is the same as the one in the package. If
    it is not, that makes it very suspicious. If it is not in any package,
    that also makes it suspicious.


    Oh, I didn't even think of a return on the files. Sorry. I really do not
    want to put my email address in public anymore, not sure how to give
    return space, but I have methods, suggest? FTP, email, what?

    I did change the Linux box inittab to run level 3. It seems to be a
    remote desktop invasion, otherwise how could anyone run a browser like
    Firefox or Chrome remotely? I know, I know, I don't believe it myself but
    fool that I can be sometimes, I experimented with remote desktop and left
    it active. But I was sitting here, at 3 in the morning, saw the screen
    unblank, and there was Chrome, opened to a cash website, and the darned
    cursor had already opened a dropdown box to make a selection. I swear to
    God, I saw it with my own two eyes, man. Not to mention the dumbass left
    browsers open for me to find the next morning to ebay and craigslist. I
    do not know if remote desktop would show in the syslog, I will check...

    OMG, look at this!

    Jan 11 04:44:24 paulspcworks bonobo-activation-server (paul-3096): could
    not associate with desktop session: Failed to connect to socket /tmp/dbus-Y6TnchxGrB: Connection refused

    Jan 11 18:30:48 paulspcworks pulseaudio[4316]: main.c: Unable to contact D-Bus: org.freedesktop.DBus.Error.NoServer: Failed to connect to socket /tmp/dbus-Vf18Oh88kp: Connection refused

    That is it for this day, checking messages-20121216, nothing. That is the
    only entry I see. Other message logs show no hits for "desktop".
    messages
    messages-20121216
    messages-20121223
    messages-20121230
    messages-20130106
    messagess

    Changing to run level 3 would block any remote desktop intrusion, but how
    did they get the password to begin with, and I did change the password
    and it made no difference, whatever exploit was found it must still be present. Strange. There must be remote desktop logs on linux somewhere.
    Linux logs *everything*, man.

    I do have BSD Games installed so you see things like phantasia, bsd-fbg,
    and others. Should they be suid, oh, you said sgid, is there a big
    difference with that? Okay, I will run the list down package by package
    and check them out. Thanks!

    --
    ~Ohmster

    --- MBSE BBS v0.95.13 (GNU/Linux-x86_64)
    * Origin: Ohm's Fish Market (110:300/1.1@linuxnet)
  • From unruh@1:0/0 to All on Sat Jan 12 06:44:46 2013
    On 2013-01-12, Ohmster <root@dev.nul> wrote:
    unruh <unruh@invalid.ca> wrote in
    news:QH3Is.24294$tK1.12909@newsfe07.iad:

    Good idea. Man, I am getting so many I/O errors now that I cannot
    even run the find command anymore. But, I do have one that I made
    when you first suggested it. Look here:

    http://home.comcast.net/~theohmster/text/suid_out.txt

    Not sure how you want us to respond since you have not given any
    return address or storage place. If you go to
    ftp://theory.physics.ubc.ca/outgoing/suid_out.txt
    I have listed those files I would have a second look at. Now many may
    be sgid rather than suid (eg games) but some may be suspicious.

    If they are owned by some package, you could save the current file and
    then do
    rpm -Uhv --force name.of.package.rpm
    and see if the current file is the same as the one in the package. If
    it is not, that makes it very suspicious. If it is not in any package,
    that also makes it suspicious.


    Oh, I didn't even think of a return on the files. Sorry. I really do not want to put my email address in public anymore, not sure how to give
    return space, but I have methods, suggest? FTP, email, what?

    I did change the Linux box inittab to run level 3. It seems to be a
    remote desktop invasion, otherwise how could anyone run a browser like
    Firefox or Chrome remotely? I know, I know, I don't believe it myself but
    fool that I can be sometimes, I experimented with remote desktop and left
    it active. But I was sitting here, at 3 in the morning, saw the screen
    unblank, and there was Chrome, opened to a cash website, and the darned
    cursor had already opened a dropdown box to make a selection. I swear to
    God, I saw it with my own two eyes, man. Not to mention the dumbass left
    browsers open for me to find the next morning to ebay and craigslist. I
    do not know if remote desktop would show in the syslog, I will check...

    OMG, look at this!

    Uh, you told us that you had disconnected from the lan/wan. Now here you
    say you have not? Are you serious or are you playing us?



    Jan 11 04:44:24 paulspcworks bonobo-activation-server (paul-3096): could
    not associate with desktop session: Failed to connect to socket /tmp/dbus-Y6TnchxGrB: Connection refused

    Jan 11 18:30:48 paulspcworks pulseaudio[4316]: main.c: Unable to contact D-Bus: org.freedesktop.DBus.Error.NoServer: Failed to connect to socket /tmp/dbus-Vf18Oh88kp: Connection refused

    That is it for this day, checking messages-20121216, nothing. That is the only entry I see. Other message logs show no hits for "desktop".
    messages
    messages-20121216
    messages-20121223
    messages-20121230
    messages-20130106
    messagess

    Changing to run level 3 would block any remote desktop intrusion, but how did they get the password to begin with, and I did change the password
    and it made no difference, whatever exploit was found it must still be present. Strange. There must be remote desktop logs on linux somewhere. Linux logs *everything*, man.

    Of course. Probably the easiest was to log on as, oh say, guest, run a
    root shell and then su to you.


    I do have BSD Games installed so you see things like phantasia, bsd-fbg,
    and others. Should they be suid, oh, you said sgid, is there a big difference with that? Okay, I will run the list down package by package
    and check them out. Thanks!


    I have no idea which programs are really suspicious. And it is also
    possible that the attacker has made one of the system programs into his
    root shell.
    And all he needs is one, and one user breakin.



    --- MBSE BBS v0.95.13 (GNU/Linux-x86_64)
    * Origin: The Kofo BBS MBSE - telnet://fido1.kofobbs.ne
  • From Richard Kettlewell@110:300/1.1 to All on Sat Jan 12 10:23:40 2013
    Ohmster <root@dev.nul> writes:
    Richard Kettlewell <rjk@greenend.org.uk> wrote in

    It’s the first instance I’ve heard of in the Linux world but AIUI
    analogous attacks are common enough under Windows. That said since I
    now see that the OP can’t even reliably identify the OS they’re
    running, I’m not sure how much trust to put in anything else they’ve
    written here.

    It would be technically hard to achieve

    I disagree - the attacker just has to fire up a copy of x11vnc and
    they’re good to go.

    You have some weird characters in here buddy, cannot read all of it.

    They aren’t weird; your news client doesn’t support Unicode.

    --
    http://www.greenend.org.uk/rjk/

    --- MBSE BBS v0.95.13 (GNU/Linux-x86_64)
    * Origin: Anjou (110:300/1.1@linuxnet)
  • From Aragorn@110:300/1.1 to All on Sat Jan 12 12:13:00 2013
    On Saturday 12 January 2013 01:16, unruh conveyed the following to comp.os.linux.security...

    On 2013-01-11, Aragorn <stryder@telenet.be.invalid> wrote:

    [...]

    I would also recommend a safe partitioning layout, as follows:

    - /boot
    - /
    - /usr
    - /opt
    - /var
    - /home
    - /srv (if normally present; not all distros use it)
    - /tmp (you can use a tmpfs for this instead of a disk partition)

    Well, I do not think this addresses safety.

    Not directly, no, but having separate partitions offers you the ability
    to mount each and every one of them with different mount options. Read-
    only for some, nosuid or noexec for others, et al.

    I have always found that creating partitions means I always pick the
    wrong size, and have huge amounts of space on one, and nothing on the
    other partition. The main division is between system installed stuff
    and user installed stuff (/, /usr, vs /home, /usr/local) -- ie two
    partitions (plus swap).

    The discrepancy in sizes is often due to differences in packaging
    between distributions. Some distros put stuff in /opt whereas others
    put the same stuff in /usr, et al. Some distros implement /srv for repositories such as /srv/www and /srv/ftp, whereas others put those
    under /var/www and /var/ftp. Anyway, you get the gist.

    This is why it's not a bad idea to use LVM2 logical volume management
    instead of conventional partitions for everything except /boot and the
    root filesystem. LVM2 allows for much more flexibility. One can upsize
    a filesystem, or move it to another disk, or take snapshots, et al.


    Note: As of Fedora 17, and in the upcoming RedHat and CentOS releases,
    as well as in all other upcoming RedHat-derivatives - e.g. in
    Mageia 3 - the /bin, /lib and /sbin directories are only symlinks
    to /usr/bin, /usr/lib and /usr/sbin. This means that if you're
    running your own custom kernel on those distributions with /usr
    on a separate filesystem, you will have to provide for an
    initramfs which mounts /usr (via busybox) before udev and systemd
    are started. Such systems cannot be booted to a working state
    anymore without an initramfs.

    --
    = Aragorn =
    (registered GNU/Linux user #223157)

    --- MBSE BBS v0.95.13 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Strider (110:300/1.1@linuxnet)
  • From unruh@1:0/0 to All on Sat Jan 12 19:30:43 2013
    On 2013-01-12, Aragorn <stryder@telenet.be.invalid> wrote:
    On Saturday 12 January 2013 01:16, unruh conveyed the following to comp.os.linux.security...

    On 2013-01-11, Aragorn <stryder@telenet.be.invalid> wrote:

    ....
    Note: As of Fedora 17, and in the upcoming RedHat and CentOS releases,
    as well as in all other upcoming RedHat-derivatives - e.g. in
    Mageia 3 - the /bin, /lib and /sbin directories are only symlinks
    to /usr/bin, /usr/lib and /usr/sbin. This means that if you're
    running your own custom kernel on those distributions with /usr
    on a separate filesystem, you will have to provide for an
    initramfs which mounts /usr (via busybox) before udev and systemd
    are started. Such systems cannot be booted to a working state
    anymore without an initramfs.

    Despite the absurdity of the process, another reason for having / and
    /usr on the same partition. Of course you should peel off /usr/local,
    since that is for user installed programs ( programs which will not be
    replaced by an installation). I tend to create a /local partition
    containing usrlocal and home to which /usr/local and /home are bind
    mounted from. That way I can wipe the / partition (containing /usr)
    while retaining special installed stuff and home partitions.



    --- MBSE BBS v0.95.13 (GNU/Linux-x86_64)
    * Origin: The Kofo BBS MBSE - telnet://fido1.kofobbs.ne
  • From Ohmster@110:300/1.1 to All on Sat Jan 12 23:29:53 2013
    unruh <unruh@invalid.ca> wrote in
    news:iL6Is.20389$KS4.4121@newsfe11.iad:

    I did change the Linux box inittab to run level 3. It seems to be a
    remote desktop invasion, otherwise how could anyone run a browser
    like Firefox or Chrome remotely? I know, I know, I don't believe it
    myself but fool that I can be sometimes, I experimented with remote
    desktop and left it active. But I was sitting here, at 3 in the
    morning, saw the screen unblank, and there was Chrome, opened to a
    cash website, and the darned cursor had already opened a dropdown box
    to make a selection. I swear to God, I saw it with my own two eyes,
    man. Not to mention the dumbass left browsers open for me to find the
    next morning to ebay and craigslist. I do not know if remote desktop
    would show in the syslog, I will check...

    OMG, look at this!

    Uh, you told us that you had disconnected from the lan/wan. Now here
    you say you have not? Are you serious or are you playing us?

    Uh, no. That would not be wise. I cannot comfortably come here and ask
    for help, then disregard your advice. I put the box in run level 3, safer
    as one cannot run remote desktop, and shut off gnome remote desktop, then
    pulled the ethernet cable. I do have a client's web site on that server
    so I had to turn it on with network, in run level 3 to retrieve his website.
    Then off comes the network cable again. But the future of this distro and
    even all of the hard drives is terminal. I have write pending sectors now
    on all three hard drives. Everything I read on this problem results in
    replacing the drives. There does not seem to be any fix for this issue.
    Even though the drives still work, it seems to be a harbinger of disaster
    and the drives must be replaced. Thus, the OS will be reinstalled anyway.
    The good news is that many of these drives can be replaced by the
    manufacturer if one contacts technical services.

    Jan 11 04:44:24 paulspcworks bonobo-activation-server (paul-3096):
    could not associate with desktop session: Failed to connect to socket
    /tmp/dbus-Y6TnchxGrB: Connection refused

    Jan 11 18:30:48 paulspcworks pulseaudio[4316]: main.c: Unable to
    contact D-Bus: org.freedesktop.DBus.Error.NoServer: Failed to connect
    to socket /tmp/dbus-Vf18Oh88kp: Connection refused

    That is it for this day, checking messages-20121216, nothing. That is
    the only entry I see. Other message logs show no hits for "desktop".
    messages
    messages-20121216
    messages-20121223
    messages-20121230
    messages-20130106
    messagess

    Changing to run level 3 would block any remote desktop intrusion, but
    how did they get the password to begin with, and I did change the
    password and it made no difference, whatever exploit was found it
    must still be present. Strange. There must be remote desktop logs on
    linux somewhere. Linux logs *everything*, man.

    Of course. Probably the easiest was to log on as, oh say, guest, run a
    root shell and then su to you.

    Brrr! That is chilling as you make it sound so easy. This really pisses
    me off, to get hacked like this. But with the drives failing it would be
    best to redo the entire thing.

    I do have BSD Games installed so you see things like phantasia,
    bsd-fbg, and others. Should they be suid, oh, you said sgid, is there
    a big difference with that? Okay, I will run the list down package by
    package and check them out. Thanks!


    I have no idea which programs are really suspicious. And it is also
    possible that the attacker has made one of the system programs into
    his root shell.
    And all he needs is one, and one user breakin.

    I was just grasping at straws, unruh. There seems to be no practical way
    to fix this. One always has hope, but mine is all but gone for this
    system now. You really did help me a lot and wised me up to the dangers
    of an unsecured system. Next time, I want to leave selinux in place as
    restrictive and find a way to enable my httpd, smbd, ftpd, ntpd, and all
    the rest. That will be an mf'ing challenge that I am not looking forward
    to. If you know of any "Selinux, how to for the not so totally dumb
    dummy" (God I hate those dummy books!), please pass it along. Selinux is
    so hard for me to figure out, but it might have made the difference in
    this case. Now I will install tripwire and rkhunter while clean to
    further protect against these attacks. This I learned from you and BT this
    time around, thank you very much!

    You are a good guy, unruh. And yes, I am a bit dense and stubborn at
    times, but in the end, who is it that was right and who is it that has to
    come around? Your efforts were not in vain. Thanks Unruh.

    --
    ~Ohmster

    --- MBSE BBS v0.95.13 (GNU/Linux-x86_64)
    * Origin: Ohm's Fish Market (110:300/1.1@linuxnet)
  • From Ohmster@110:300/1.1 to All on Sat Jan 12 23:31:08 2013
    Richard Kettlewell <rjk@greenend.org.uk> wrote in news:87k3ri3gbn.fsf@araminta.anjou.terraraq.org.uk:

    You have some weird characters in here buddy, cannot read all of it.

    They aren't weird; your news client doesn't support Unicode.

    Ohhhh! I wonder if Xnews supports Unicode? I will have to dig into it. I
    like to use slrn but with my linux box unsecured now, that is not an
    option. Thanks Richard.

    --
    ~Ohmster

    --- MBSE BBS v0.95.13 (GNU/Linux-x86_64)
    * Origin: Ohm's Fish Market (110:300/1.1@linuxnet)
  • From Ohmster@110:300/1.1 to All on Sat Jan 12 23:36:46 2013
    Ohmster <root@dev.nul> wrote in news:XnsA146B228691F0MyBigKitty@ 216.196.97.131:

    They aren't weird; your news client doesn't support Unicode.

    Ohhhh! I wonder if Xnews supports Unicode? I will have to dig into it. I
    like to use slrn but with my linux box unsecured now, that is not an
    option. Thanks Richard.


    Ugh, Xnews does not do Unicode. Darn it. Will have to put up with it until
    I can get slrn back. Wonder if it has been ported to Windows? Will look
    into it. Thanks for the heads up, Richard.


    --
    ~Ohmster

    --- MBSE BBS v0.95.13 (GNU/Linux-x86_64)
    * Origin: Ohm's Fish Market (110:300/1.1@linuxnet)
  • From Bit Twister@110:300/1.1 to All on Sun Jan 13 04:01:39 2013
    On Sat, 12 Jan 2013 16:29:53 -0600, Ohmster wrote:

    this case. Now I will install tripwire and rkhunter while clean to
    further protect against these attacks.

    I tried tripwire awhile back. A bit complicated for me. That is why
    I went with http://sourceforge.net/projects/aide

    Installed it, ran aide --init, rebooted, ran aide --check
    appended changed files to bottom of /etc/aide.conf with leading !
    to keep aide from warning about them after reboots.

    Then added /home and whatnot and have a fair amount of confidence
    all is well.

    The su - root is good advice. My /etc/ssh/sshd_config has
    PermitRootLogin without-password
    which means I can not log in with a password, but I can get in if I
    have correctly setup authorized_keys,public/private keys in /root/.ssh.

    I also have tcpwrappers installed. That saved my butt a few days
    ago when the firewall did not start up. Started getting emails from
    root about ssh attempts when cracker was attempting brute force log into
    root account. That made me check the firewall.

    Here is a copy of my tcpwrappers /etc/hosts.(allow,deny) files.
    $ cat /etc/hosts.allow
    #************ Start of hosts.allow. ***************************************
    #
    # hosts.allow This file describes the names of the hosts which are
    # allowed to use the local INET services, as decided
    # by the '/usr/sbin/tcpd' server.
    #
    #
    # Created by /local/bin/hostx_changes
    #
    # After changing this file
    #
    #
    ALL: .home.test, 127.0.0. 192.168.1.100,192.168.1.200,192.168.1.132,10.0.2. 169.254.1.
    #
    # 192.168.1.100,192.168.1.200,192.168.1.132: LAN_RANGE
    # 10.0.2: VBOX_GUEST_RANGE
    # 169.254.1: HDHOMERUN_RANGE
    #
    # found/generated in/from /etc/shorewall/params by /local/bin/hostx_changes
    #
    #************ End of hosts.allow. ***************************************

    $ cat /etc/hosts.deny
    #************ Start of hosts.deny ***************************************
    # hosts.deny This file describes the names of the hosts which are
    # *not* allowed to use the local INET services, as decided
    # by the '/usr/sbin/tcpd' server.
    #


    ALL: ALL:\
    spawn ( \
    /bin/echo -e "\n\
    TCP Wrappers\: Connection Refused\n\
    By\: $(uname -n)\n\
    Process\: %d (pid %p)\n\
    \n\
    User\: %u\n\
    Host\: %c\n\
    Date\: $(date)\n\
    " | /bin/mail -s \"$(uname -n)\" root ) & : DENY

    #*********************** end host.deny ********************************

    --- MBSE BBS v0.95.13 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (110:300/1.1@linuxnet)
  • From GangGreene@110:300/1.1 to All on Sun Jan 13 13:24:17 2013
    On Sun, 13 Jan 2013 03:01:39 +0000, Bit Twister wrote:

    On Sat, 12 Jan 2013 16:29:53 -0600, Ohmster wrote:

    this case. Now I will install tripwire and rkhunter while clean to
    further protect against these attacks.

    I tried tripwire awhile back. A bit complicated for me. That is why I
    went with http://sourceforge.net/projects/aide

    If you are using a rpm based distro then rpm -V -a is your friend.

    --- MBSE BBS v0.95.13 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (110:300/1.1@linuxnet)
  • From Aragorn@110:300/1.1 to All on Sun Jan 13 14:45:06 2013
    On Saturday 12 January 2013 23:36, Ohmster conveyed the following to comp.os.linux.security...

    Ohmster <root@dev.nul> wrote in news:XnsA146B228691F0MyBigKitty@ 216.196.97.131:

    They aren't weird; your news client doesn't support Unicode.

    Ohhhh! I wonder if Xnews supports Unicode? I will have to dig into
    it. I like to use slrn but with my linux box unsecured now, that is
    not an option. Thanks Richard.

    Ugh, Xnews does not do Unicode. Darn it. Will have to put up with it
    until I can get slrn back. Wonder if it has been ported to Windows?

    Yes, most likely it has been, but so have most other GNU/Linux-specific
    newsreaders, such as Pan, Sylpheed Claws, et al. You can also use
    Thunderbird as a newsreader, albeit that it wasn't really intended as
    such and may lack some functionality compared to a real newsreader.

    That said, a popular newsreader for Windows appears to be Forte Agent,
    and as I understand it, it does do Unicode.

    --
    = Aragorn =
    (registered GNU/Linux user #223157)

    --- MBSE BBS v0.95.13 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Strider (110:300/1.1@linuxnet)
  • From Bit Twister@110:300/1.1 to All on Sun Jan 13 15:51:10 2013
    On Sun, 13 Jan 2013 07:24:17 -0500, GangGreene wrote:
    On Sun, 13 Jan 2013 03:01:39 +0000, Bit Twister wrote:

    On Sat, 12 Jan 2013 16:29:53 -0600, Ohmster wrote:

    this case. Now I will install tripwire and rkhunter while clean to
    further protect against these attacks.

    I tried tripwire awhile back. A bit complicated for me. That is why I
    went with http://sourceforge.net/projects/aide

    If you are using a rpm based distro then rpm -V -a is your friend.

    But not your best friend. 8-)

    It will not tell you about any new applications installed by some other method.

    What if the cracker used rpm to install malware? :-(

    --- MBSE BBS v0.95.13 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (110:300/1.1@linuxnet)
  • From GangGreene@110:300/1.1 to All on Sun Jan 13 16:45:20 2013
    On Sun, 13 Jan 2013 14:51:10 +0000, Bit Twister wrote:

    On Sun, 13 Jan 2013 07:24:17 -0500, GangGreene wrote:
    On Sun, 13 Jan 2013 03:01:39 +0000, Bit Twister wrote:

    On Sat, 12 Jan 2013 16:29:53 -0600, Ohmster wrote:

    this case. Now I will install tripwire and rkhunter while clean to
    further protect against these attacks.

    I tried tripwire awhile back. A bit complicated for me. That is why I
    went with http://sourceforge.net/projects/aide

    If you are using a rpm based distro then rpm -V -a is your friend.

    But not your best friend. 8-)

    It will not tell you about any new applications installed by some other method.

    What if the cracker used rpm to install malware? :-(

    It will show if any installed file has changed from the original rpm
    file(s). From that information you will know what "system files" have been
    compromised. Then you can determine if a rootkit has been installed. If
    you find compromised system files then you know that you must format and
    re-install without a doubt. At this time I would not care what other
    files have been installed.


    --- MBSE BBS v0.95.13 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (110:300/1.1@linuxnet)
  • From Jim Beard@1:0/0 to All on Sun Jan 13 18:21:35 2013
    On 01/13/2013 10:45 AM, GangGreene wrote:
    On Sun, 13 Jan 2013 14:51:10 +0000, Bit Twister wrote:

    On Sun, 13 Jan 2013 07:24:17 -0500, GangGreene wrote:
    On Sun, 13 Jan 2013 03:01:39 +0000, Bit Twister wrote:

    On Sat, 12 Jan 2013 16:29:53 -0600, Ohmster wrote:

    this case. Now I will install tripwire and rkhunter while clean to
    further protect against these attacks.

    I tried tripwire awhile back. A bit complicated for me. That is why I
    went with http://sourceforge.net/projects/aide

    If you are using a rpm based distro then rpm -V -a is your friend.

    But not your best friend. 8-)

    It will not tell you about any new applications installed by some other
    method.

    What if the cracker used rpm to install malware? :-(

    It will show if any installed file has changed from the original rpm
    file(s). From that information you will know what "system files" have been
    compromised. Then you can determine if a rootkit has been installed.

    Not if "the original rpm file(s)" were installed by the cracker,
    using rpm.

    If you find compromised system files then you know that you must format
    and re-install without a doubt. At this time I would not care what other
    files have been installed.

    You swing from one extreme (ignore that crackers can use rpm) to
    the other (any compromised system files means you must format and
    re-install without a doubt). I favor the format/re-install, but
    after an attempt to track down what was actually done, to aid in
    future defense if nothing else.



    --
    UNIX is not user unfriendly; it merely
    expects users to be computer-friendly.

    --- MBSE BBS v0.95.13 (GNU/Linux-x86_64)
    * Origin: The Kofo BBS MBSE - telnet://fido1.kofobbs.ne
  • From GangGreene@110:300/1.1 to All on Sun Jan 13 18:59:09 2013
    On Sun, 13 Jan 2013 12:21:35 -0500, Jim Beard wrote:

    On 01/13/2013 10:45 AM, GangGreene wrote:
    On Sun, 13 Jan 2013 14:51:10 +0000, Bit Twister wrote:

    On Sun, 13 Jan 2013 07:24:17 -0500, GangGreene wrote:
    On Sun, 13 Jan 2013 03:01:39 +0000, Bit Twister wrote:

    On Sat, 12 Jan 2013 16:29:53 -0600, Ohmster wrote:

    this case. Now I will install tripwire and rkhunter while clean to
    further protect against these attacks.

    I tried tripwire awhile back. A bit complicated for me. That is why
    I went with http://sourceforge.net/projects/aide

    If you are using a rpm based distro then rpm -V -a is your friend.

    But not your best friend. 8-)

    It will not tell you about any new applications installed by some
    other method.

    What if the cracker used rpm to install malware? :-(

    It will show if any installed file has changed from the original rpm
    file (s). From that information you will know what "system files" have
    been compromised. Then you can determine if a rootkit has been
    installed.

    Not if "the original rpm file(s)" were installed by the cracker, using
    rpm.

    Oh please

    I don't wear a tin foil hat like you do.
    Isn't it a stretch that a cracker would break in, upload some rpm files,
    install them, then burn a dvd with the new rpms and then offer to give you
    the dvd at no charge?
    If you would accept that dvd you shouldn't be offering services on the
    internet in the first place.


    If you find compromised system files then you know that you must format
    and re-install without a doubt. At this time I would not care what
    other files have been installed.

    You swing from one extreme (ignore that crackers can use rpm) to the
    other (any compromised system files means you must format and re-install
    without a doubt). I favor the format/re-install, but after an attempt
    to track down what was actually done, to aid in future defense if
    nothing else.

    No I am not going to go farther after knowing that system files are
    compromised. That is enough for me to format and re-install.



    --- MBSE BBS v0.95.13 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (110:300/1.1@linuxnet)
  • From unruh@1:0/0 to All on Sun Jan 13 21:35:16 2013
    On 2013-01-13, Bit Twister <BitTwister@mouse-potato.com> wrote:
    On Sat, 12 Jan 2013 16:29:53 -0600, Ohmster wrote:

    this case. Now I will install tripwire and rkhunter while clean to
    further protect against these attacks.

    I tried tripwire awhile back. A bit complicated for me. That is why
    I went with http://sourceforge.net/projects/aide

    Installed it, ran aide --init, rebooted, ran aide --check
    appended changed files to bottom of /etc/aide.conf with leading !
    to keep aide from warning about them after reboots.

    Then added /home and whatnot and have a fair amount of confidence
    all is well.

    Of course the cracker can disable aide.


    The su - root is good advice. My /etc/ssh/sshd_config has
    PermitRootLogin without-password
    which means I can not log in with a password, but I can get in if I
    have correctly setup authorized_keys,public/private keys in /root/.ssh.

    I am never quite sure which is better. The problem with passwordless
    login is that once the cracker has one machine he has all of them. There
    is no barrier between machines at all.


    I also have tcpwrappers installed. That saved my butt a few days
    ago when the firewall did not start up. Started getting emails from
    root about ssh attempts when cracker was attempting brute force log into
    root account. That made me check the firewall.

    I have a program that runs every 5 min, and checks /etc/messages for
    failed root logins from addresses, and puts them into /etc/hosts.allow
    to deny access from those IP addresses that have had a certain number of
    root ssh attempt failures.

    --- MBSE BBS v0.95.13 (GNU/Linux-x86_64)
    * Origin: The Kofo BBS MBSE - telnet://fido1.kofobbs.ne
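unruh describes a program that scans the system log every few minutes for failed root ssh logins and turns repeat offenders into tcp_wrappers deny rules, but does not post it. Below is an added example of that idea; it is my own construction, not unruh's program. It assumes the OpenSSH "Failed password for root from <ip>" log format, a threshold of three failures, and a rule of the form "sshd: <ip> : DENY", which works in hosts.allow (as unruh does it) or in hosts.deny. The log lines are constructed and use documentation-range addresses.

```shell
#!/bin/sh
# Added example (not unruh's script): count failed root ssh logins per
# source address and emit tcp_wrappers deny rules for repeat offenders.

THRESHOLD=3   # assumed cut-off; unruh only says "a certain number"

# Constructed sample of /var/log/messages (or /var/log/secure) lines.
SAMPLE_LOG='Jan 13 03:12:44 host sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 13 03:12:46 host sshd[1234]: Failed password for root from 203.0.113.5 port 51236 ssh2
Jan 13 03:12:49 host sshd[1234]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 13 03:13:01 host sshd[1240]: Failed password for root from 203.0.113.5 port 51251 ssh2
Jan 13 03:15:22 host sshd[1251]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Jan 13 03:15:30 host sshd[1252]: Failed password for root from 198.51.100.7 port 40002 ssh2
Jan 13 03:20:00 host sshd[1260]: Accepted publickey for root from 192.0.2.10 port 2222 ssh2'

# stdin: log lines; stdout: "<count> <ip>" for every address that had a
# failed *root* password attempt, highest count first.
count_root_failures() {
    awk '/sshd\[[0-9]+\]: Failed password for root from / {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# stdin: log lines; stdout: addresses at or above THRESHOLD, one per line.
offending_ips() {
    count_root_failures | awk -v t="$THRESHOLD" '$1 >= t { print $2 }'
}

# stdin: log lines; stdout: one tcp_wrappers rule per offending address.
deny_rules() {
    offending_ips | while read -r ip; do
        printf 'sshd: %s : DENY\n' "$ip"
    done
}

# Append rules not already present in the file given as $1, so repeated
# runs from cron stay idempotent. Production would pass /etc/hosts.deny
# (or hosts.allow); the test below uses a temporary file.
update_hosts_deny() {
    file=$1
    touch "$file"
    deny_rules | while read -r rule; do
        grep -qxF "$rule" "$file" || printf '%s\n' "$rule" >> "$file"
    done
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | deny_rules
```

The one address with four root failures is emitted; the host with a single root failure and an invalid-user attempt stays below the threshold. Note that this only bites if sshd is linked against libwrap, which was standard in 2013 but was dropped from OpenSSH in 6.7; on a newer system the same counting logic would feed a firewall rule instead.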
  • From unruh@1:0/0 to All on Sun Jan 13 21:40:27 2013
    On 2013-01-13, GangGreene <GangGreene@example.com> wrote:
    On Sun, 13 Jan 2013 12:21:35 -0500, Jim Beard wrote:

    On 01/13/2013 10:45 AM, GangGreene wrote:
    On Sun, 13 Jan 2013 14:51:10 +0000, Bit Twister wrote:

    On Sun, 13 Jan 2013 07:24:17 -0500, GangGreene wrote:
    On Sun, 13 Jan 2013 03:01:39 +0000, Bit Twister wrote:

    On Sat, 12 Jan 2013 16:29:53 -0600, Ohmster wrote:

    this case. Now I will install tripwire and rkhunter while clean to
    further protect against these attacks.

    I tried tripwire awhile back. A bit complicated for me. That is why
    I went with http://sourceforge.net/projects/aide

    If you are using a rpm based distro then rpm -V -a is your friend.

    But not your best friend. 8-)

    It will not tell you about any new applications installed by some
    other method.

    What if the cracker used rpm to install malware? :-(

    It will show if any installed file has changed from the original rpm
    file (s). From that information you will know what "system files" have
    been compromised. Then you can determine if a rootkit has been
    installed.

    Not if "the original rpm file(s)" were installed by the cracker, using
    rpm.

    Oh please

    I don't wear a tin foil hat like you do.
    Isn't it a stretch that a cracker would break in, upload some rpm files,
    install them, then burn a dvd with the new rpms and then offer to give
    you the dvd at no charge?
    If you would accept that dvd you shouldn't be offering services on the
    internet in the first place.

    What are you talking about? What is this about an offer to burn a dvd?
    He has installed the files via rpm. rpm -Va will say that those files he
    installed are perfectly valid files. No need for a DVD.




    If you find compromised system files then you know that you must format
    and re-install without a doubt. At this time I would not care what
    other files have been installed.

    You swing from one extreme (ignore that crackers can use rpm) to the
    other (any compromised system files means you must format and re-install
    without a doubt). I favor the format/re-install, but after an attempt
    to track down what was actually done, to aid in future defense if
    nothing else.

    No I am not going to go farther after knowing that system files are
    compromised. That is enough for me to format and re-install.

    Assuming you actually know that the change was not intentional. For
    example, /etc/passwd is a system file. rpm -Va will tell you it has
    changed. Do you reinstall? If you did you would spend all your time
    reinstalling.
    And if the cracker came in via say the Java 7 break-in, would you keep
    reinstalling the same broken java?




    --- MBSE BBS v0.95.13 (GNU/Linux-x86_64)
    * Origin: The Kofo BBS MBSE - telnet://fido1.kofobbs.ne
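The argument between unruh and GangGreene comes down to reading rpm -Va output with some judgement: a changed /etc/passwd is a config file that is expected to differ, while a digest or mode change on a binary is not. The script below is an added example of that triage, my own code and not anything the posters ran. It assumes the verify-output layout that rpm prints (a status column of S M 5 D L U G T P or dots, an optional attribute letter such as c for config files, then the path, or the word "missing"); the sample output is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): triage "rpm -Va" output so that
# expected edits to config files do not drown out changes that matter.

# Constructed sample of rpm -Va output. Columns: S size, M mode, 5 digest,
# D device, L link target, U user, G group, T mtime, P capabilities.
SAMPLE_RPM_V='S.5....T.  c /etc/passwd
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/share/man/man1/ls.1.gz
S.5....T.    /usr/bin/ls
.M.......    /usr/bin/find
missing     /usr/lib64/libfoo.so.1
.....UG..    /usr/sbin/sshd'

# True for a status column rpm would print, or the word "missing".
# Older rpm printed 8 columns (no P), hence {8,9}; "?" means "could not check".
is_verify_status() {
    [ "$1" = missing ] || printf '%s\n' "$1" | grep -Eq '^[SM5DLUGTP.?]{8,9}$'
}

# classify_line STATUS ATTR PATH -> "<class> <path>" where class is one of
# missing, config-edit, suspicious, cosmetic.
classify_line() {
    status=$1 attr=$2 path=$3
    if [ "$status" = missing ]; then
        echo "missing $path"
        return
    fi
    # Size, mtime and device changes only say "something changed". What is
    # left (digest, mode, owner, group, link, capabilities, or "?") is what
    # matters on a file that is not meant to be edited locally.
    meaningful=$(printf '%s' "$status" | tr -d 'STD.')
    if [ "$attr" = c ]; then
        echo "config-edit $path"        # unruh's /etc/passwd case
    elif [ -n "$meaningful" ]; then
        echo "suspicious $path"         # e.g. a replaced binary
    else
        echo "cosmetic $path"           # timestamp only, e.g. prelink/touch
    fi
}

# stdin: rpm -Va output; stdout: one classified line per verify line.
triage() {
    while read -r f1 f2 f3; do
        [ -z "$f1" ] && continue
        is_verify_status "$f1" || continue   # skip dependency warnings etc.
        if [ -n "$f3" ]; then attr=$f2; path=$f3; else attr=""; path=$f2; fi
        classify_line "$f1" "$attr" "$path"
    done
}

# stdin: rpm -Va output; stdout: only the paths worth a closer look.
suspicious_only() {
    triage | awk '$1 == "suspicious" { print $2 }'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_RPM_V" | triage
```

On the sample this flags /usr/bin/ls, /usr/bin/find and /usr/sbin/sshd, files the two config edits and the man page timestamp. GangGreene's caveat still applies: rpm -V compares against the local rpm database, which root can rewrite, so a verdict of "suspicious" is a lead for investigation and "clean" is not proof of anything. Checking package signatures (rpm -K) or verifying against a package file from trusted media (rpm -Vp) takes the local database out of the loop.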
  • From GangGreene@110:300/1.1 to All on Sun Jan 13 22:14:01 2013
    On Sun, 13 Jan 2013 20:40:27 +0000, unruh wrote:

    On 2013-01-13, GangGreene <GangGreene@example.com> wrote:
    On Sun, 13 Jan 2013 12:21:35 -0500, Jim Beard wrote:

    On 01/13/2013 10:45 AM, GangGreene wrote:
    On Sun, 13 Jan 2013 14:51:10 +0000, Bit Twister wrote:

    On Sun, 13 Jan 2013 07:24:17 -0500, GangGreene wrote:
    On Sun, 13 Jan 2013 03:01:39 +0000, Bit Twister wrote:

    On Sat, 12 Jan 2013 16:29:53 -0600, Ohmster wrote:

    this case. Now I will install tripwire and rkhunter while clean
    to further protect against these attacks.

    I tried tripwire awhile back. A bit complicated for me. That is
    why I went with http://sourceforge.net/projects/aide

    If you are using a rpm based distro then rpm -V -a is your friend.

    But not your best friend. 8-)

    It will not tell you about any new applications installed by some
    other method.

    What if the cracker used rpm to install malware? :-(

    It will show if any installed file has changed from the original rpm
    file (s). From that information you will know what "system files"
    have been compromised. Then you can determine if a rootkit has been
    installed.

    Not if "the original rpm file(s)" were installed by the cracker, using
    rpm.

    Oh please

    I don't wear a tin foil hat like you do.
    Isn't it a stretch that a cracker would break in, upload some rpm files,
    install them, then burn a dvd with the new rpms and then offer to give
    you the dvd at no charge?
    If you would accept that dvd you shouldn't be offering services on the
    internet in the first place.

    What are you talking about? What is this about an offer to burn a dvd?
    He has installed the files via rpm. rpm -Va will say that those files he
    installed are perfectly valid files. No need for a DVD.



    rpm in this form will validate against the installed rpm db which could
    have been altered. If you use a dvd that has all the installed packages
    that is not subject to being altered so you get a good picture of what
    has been altered.

    Also just checking the package signing would reveal tampered rpm packages.



    If you find compromised system files then you know that you must
    format and re-install without a doubt. At this time I would not
    care what other files have been installed.

    You swing from one extreme (ignore that crackers can use rpm) to the
    other (any compromised system files means you must format and
    re-install without a doubt). I favor the format/re-install, but
    after an attempt to track down what was actually done, to aid in
    future defense if nothing else.

    No I am not going to go farther after knowing that system files are
    compromised. That is enough for me to format and re-install.

    Assuming you actually know that the change was not intentional. For
    example, /etc/passwd is a system file. rpm -Va will tell you it has
    changed. Do you reinstall? If you did you would spend all your time
    reinstalling.

    I gave you the benefit of using your brain, are you saying that I should
    not have?


    And if the cracker came in via say the Java 7 break-in, would you keep
    reinstalling the same broken java?




    No I would install a more easily cracked version, again use your brain.


    If you have the education of a two year old you should not be running
    services on the web.

    --- MBSE BBS v0.95.13 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (110:300/1.1@linuxnet)
  • From unruh@1:0/0 to All on Mon Jan 14 00:51:32 2013
    On 2013-01-13, GangGreene <GangGreene@example.com> wrote:
    On Sun, 13 Jan 2013 20:40:27 +0000, unruh wrote:

    On 2013-01-13, GangGreene <GangGreene@example.com> wrote:
    On Sun, 13 Jan 2013 12:21:35 -0500, Jim Beard wrote:

    If you find compromised system files then you know that you must
    format and re-install without a doubt. At this time I would not
    care what other files have been installed.

    You swing from one extreme (ignore that crackers can use rpm) to the
    other (any compromised system files means you must format and
    re-install without a doubt). I favor the format/re-install, but
    after an attempt to track down what was actually done, to aid in
    future defense if nothing else.

    No I am not going to go farther after knowing that system files are
    compromised. That is enough for me to format and re-install.

    Assuming you actually know that the change was not intentional. For
    example, /etc/passwd is a system file. rpm -Va will tell you it has
    changed. Do you reinstall? If you did you would spend all your time
    reinstalling.

    I gave you the benefit of using your brain, are you saying that I should
    not have?

    You were the one who said that Beard should not use his brain, that
    "after knowing that system files are compromised. that is enough for me
    to format and re-install" after Beard suggested that perhaps a bit of
    thought should go into it. Now you say that we should use our brain
    before automatically reinstalling. Which is it?



    And if the cracker came in via say the Java 7 break-in, would you keep
    reinstalling the same broken java?




    No I would install a more easily cracked version, again use your brain.

    But how would you know that they broke in via Java if you do not spend
    time tracking down what was actually done?




    If you have the education of a two year old you should not be running
    services on the web.

    Agreed.

    --- MBSE BBS v0.95.13 (GNU/Linux-x86_64)
    * Origin: The Kofo BBS MBSE - telnet://fido1.kofobbs.ne
  • From GangGreene@110:300/1.1 to All on Mon Jan 14 15:59:51 2013
    On Sun, 13 Jan 2013 23:51:32 +0000, unruh wrote:

    On 2013-01-13, GangGreene <GangGreene@example.com> wrote:
    On Sun, 13 Jan 2013 20:40:27 +0000, unruh wrote:

    On 2013-01-13, GangGreene <GangGreene@example.com> wrote:
    On Sun, 13 Jan 2013 12:21:35 -0500, Jim Beard wrote:

    If you find compromised system files then you know that you must
    format and re-install with out a doubt. At this time I would not
    care what other files have been installed.

    You swing from one extreme (ignore that crackers can use rpm) to the
    other (any compromised system files means you must format and
    re-install without a doubt). I favor the format/re-install, but
    after an attempt to track down what was actually done, to aid in
    future defense if nothing else.

    No I am not going to go farther after knowing that system files are
    compromised. That is enough for me to format and re-install.

    Assuming you actually know that the change was not intentional. For
    example, /etc/passwd is a system file. rpm -Va will tell you it has
    changed. Do you reinstall? If you did you would spend all your time
    reinstalling.

    I gave you the benefit of using your brain, are you saying that I
    should not have?

    You were the one who said that Beard should not use his brain, that
    "after knowing that system files are compromised. that is enough for me
    to format and re-install" after Beard suggested that perhaps a bit of
    thought should go into it. Now you say that we should use our brain
    before automatically reinstalling. Which is it?



    And if the cracker came in via say the Java 7 break-in, would you keep
    reinstalling the same broken java?




    No I would install a more easily cracked version, again use your brain.

    But how would you know that they broke in via Java if you do not spend
    time tracking down what was actually done?


    If I only expose mail to the internet which service was compromised?

    Or

    If I only expose joomla to the internet which service was compromised?




    If you have the education of a two year old you should not be running
    services on the web.

    Agreed.


    --- MBSE BBS v0.95.13 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (110:300/1.1@linuxnet)
  • From unruh@1:0/0 to All on Mon Jan 14 18:39:20 2013
    On 2013-01-14, GangGreene <GangGreene@example.com> wrote:
    On Sun, 13 Jan 2013 23:51:32 +0000, unruh wrote:

    On 2013-01-13, GangGreene <GangGreene@example.com> wrote:
    On Sun, 13 Jan 2013 20:40:27 +0000, unruh wrote:

    On 2013-01-13, GangGreene <GangGreene@example.com> wrote:
    On Sun, 13 Jan 2013 12:21:35 -0500, Jim Beard wrote:

    But how would you know that they broke in via Java if you do not spend
    time tracking down what was actually done?


    If I only expose mail to the internet which service was compromised?

    He did not. He said that he was using it as an http server.
    He said he was using ssh. And he probably had a bunch of other services
    as well.


    Or

    If I only expose joomla to the internet which service was compromised?

    I really do not care about your hypotheticals. IF those had been the
    only services exposed, then suspicion rests with them. But they were
    not. And knowing what the only services are IS part of the
    "investigating". Also the cracker could have gotten in some other way (
    eg an email trojan) and installed a service you did not know your system
    was running.


    If you have the education of a two year old you should not be running
    services on the web.

    Agreed.


    --- MBSE BBS v0.95.13 (GNU/Linux-x86_64)
    * Origin: The Kofo BBS MBSE - telnet://fido1.kofobbs.ne
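    The point unruh makes above, that knowing which services are actually exposed is part of the investigation and that an intruder may have installed a listener the owner never knew about, can be checked mechanically. The script below is an added example, not code posted in this thread or by any of its participants: it normalizes `ss -tulnp` (or `netstat -tulnp` on older systems) output into "proto port process" lines and reports every listener that is missing from an expected baseline. The `ss` sample and the baseline are constructed for illustration and the baseline would have to be written for your own host, from a known-good state.

```shell
#!/bin/sh
# Added example: diff the set of listening sockets against an expected baseline.
# Run as root so that ss/netstat can attach process names to sockets.

# Constructed sample of `ss -tulnp` output (illustrative, not from a real host).
# The last line is the kind of surprise this check is meant to surface:
# something calling itself "sshd" listening on a port nobody configured.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*         users:(("dhclient",pid=612,fd=6))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=901,fd=3))
tcp   LISTEN 0      128    *:80               *:*               users:(("apache2",pid=1203,fd=4))
tcp   LISTEN 0      100    0.0.0.0:25         0.0.0.0:*         users:(("master",pid=1100,fd=13))
tcp   LISTEN 0      50     0.0.0.0:31337      0.0.0.0:*         users:(("sshd",pid=4412,fd=5))'

# Hypothetical baseline for this host: "proto port process", one per line.
# Record it from a known-good state, never from a machine you already suspect.
BASELINE='tcp 22 sshd
tcp 25 master
tcp 80 apache2
udp 68 dhclient'

# Reduce raw ss output ($1) to sorted, unique "proto port process" lines.
# The header and anything that is not tcp/udp is skipped.
normalize_listeners() {
    printf '%s\n' "$1" | awk '
        $1 == "tcp" || $1 == "udp" {
            n = split($5, a, ":"); port = a[n]   # "[::]:22" and "*:80" both end in the port
            proc = "?"                           # unknown unless ss could read /proc (needs root)
            if (match($7, /"[^"]*"/)) proc = substr($7, RSTART + 1, RLENGTH - 2)
            print $1, port, proc
        }' | sort -u
}

# Print every normalized listener that is not present in the baseline.
# Arguments: $1 raw ss output, $2 baseline text.
unexpected_listeners() {
    base=$(mktemp) || return 1
    printf '%s\n' "$2" | sort -u > "$base"
    # grep exits 1 when every listener is expected; that is the good case, not an error.
    normalize_listeners "$1" | grep -vxF -f "$base" || true
    rm -f "$base"
}

# Stand-alone run against the constructed sample. On a real host replace
# "$SAMPLE_SS" with "$(ss -tulnp)" (or "$(netstat -tulnp)").
unexpected_listeners "$SAMPLE_SS" "$BASELINE"
```

    Against the sample this prints `tcp 31337 sshd` and nothing else. Two caveats apply in exactly the situation the thread is about: a kernel rootkit or a hooked libc can hide sockets from `ss` and `netstat` running on the compromised host, so a port scan from a separate machine is the better cross-check, and a baseline recorded after the break-in simply enshrines the intruder's service as expected.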
  • From GangGreene@110:300/1.1 to All on Mon Jan 14 22:16:12 2013
    On Mon, 14 Jan 2013 17:39:20 +0000, unruh wrote:

    On 2013-01-14, GangGreene <GangGreene@example.com> wrote:
    On Sun, 13 Jan 2013 23:51:32 +0000, unruh wrote:

    On 2013-01-13, GangGreene <GangGreene@example.com> wrote:
    On Sun, 13 Jan 2013 20:40:27 +0000, unruh wrote:

    On 2013-01-13, GangGreene <GangGreene@example.com> wrote:
    On Sun, 13 Jan 2013 12:21:35 -0500, Jim Beard wrote:

    But how would you know that they broke in via Java if you do not spend
    time tracking down what was actually done?


    If I only expose mail to the internet which service was compromised?

    He did not. He said that he was using it as an http server.
    He said he was using ssh. And he probably had a bunch of other services
    as well.


    Or

    If I only expose joomla to the internet which service was compromised?

    I really do not care about your hypotheticals. IF those had been the
    only services exposed, then suspicion rests with them. But they were
    not. And knowing what the only services are IS part of the
    "investigating". Also the cracker could have gotten in some other way
    (e.g. an email trojan) and installed a service you did not know your system
    was running.


    OK YOU'RE FUCKING RIGHT.....YOU'RE ALWAYS FUCKING RIGHT

    Are you OK now? Is it good for you?

    No wonder usenet is dead.

    The only ones here are ALWAYS FUCKING RIGHT and everyone else is wrong.

    So much for the possibility of having a discussion.

    Time to shut down the usenet server, there is nothing of value left here.



    --- MBSE BBS v0.95.13 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (110:300/1.1@linuxnet)
  • From unruh@1:0/0 to All on Mon Jan 14 22:48:51 2013
    On 2013-01-14, GangGreene <GangGreene@example.com> wrote:
    On Mon, 14 Jan 2013 17:39:20 +0000, unruh wrote:

    On 2013-01-14, GangGreene <GangGreene@example.com> wrote:
    On Sun, 13 Jan 2013 23:51:32 +0000, unruh wrote:

    On 2013-01-13, GangGreene <GangGreene@example.com> wrote:
    On Sun, 13 Jan 2013 20:40:27 +0000, unruh wrote:

    On 2013-01-13, GangGreene <GangGreene@example.com> wrote:
    On Sun, 13 Jan 2013 12:21:35 -0500, Jim Beard wrote:

    But how would you know that they broke in via Java if you do not spend
    time tracking down what was actually done?


    If I only expose mail to the internet which service was compromised?

    He did not. He said that he was using it as an http server.
    He said he was using ssh. And he probably had a bunch of other services
    as well.


    Or

    If I only expose joomla to the internet which service was compromised?

    I really do not care about your hypotheticals. IF those had been the
    only services exposed, then suspicion rests with them. But they were
    not. And knowing what the only services are IS part of the
    "investigating". Also the cracker could have gotten in some other way
    (e.g. an email trojan) and installed a service you did not know your system
    was running.


    OK YOU'RE FUCKING RIGHT.....YOU'RE ALWAYS FUCKING RIGHT

    Oh, dear me. You make black and white statements, and when someone calls
    you on them, you run off in a snit.
    You are giving advice to people. That advice should be useful and
    accurate, especially when you contradict other's advice.


    Are you OK now? Is it good for you?

    No wonder usenet is dead.

    It is still tremendously useful. I usually learn something new every day.


    The only ones here are ALWAYS FUCKING RIGHT and everyone else is wrong.

    No, just some people are sometimes wrong. Correction of mistakes is
    precisely one of the strengths of usenet. As Raymond says, for many eyes
    all mistakes are shallow.


    So much for the possibility of having a discussion.

    Discussion? Where was the discussion? You made blanket statements and
    when someone else tried to discuss those with you, you go into a snit.



    Time to shut down the usenet server, there is nothing of value left here.

    Bye Bye.




    --- MBSE BBS v0.95.13 (GNU/Linux-x86_64)
    * Origin: The Kofo BBS MBSE - telnet://fido1.kofobbs.ne