On Thu, 06 Dec 2007 09:50:58 -0500
Billy Holmes [EMAIL PROTECTED] wrote:
also look for entries where it says eth0 has entered promiscuous mode
- that's a sure-fire sign you've been hacked, unless you're running
a virtual machine with a bridge, or your own packet sniffer/traffic
monitor.
On Thu, 6 Dec 2007 10:44:35 -0800
Grant [EMAIL PROTECTED] wrote:
I'm going
to try 2006.1 and Knoppix.
- Grant
You don't use minimals, Grant? I'm surprised. I would never put a
liveCD in a computer if I could avoid it, myself.
--
[EMAIL PROTECTED] mailing list
What do you mean?
- Grant
On Thursday 13 December 2007, Dan Farrell wrote:
On Thu, 06 Dec 2007 09:50:58 -0500
Billy Holmes [EMAIL PROTECTED] wrote:
also look for entries where it says eth0 has entered promiscuous mode
- that's a sure-fire sign you've been hacked, unless you're running
a virtual machine with a
Quoting Grant [EMAIL PROTECTED]:
also look for strange kernel modules
How can I do that?
One way is to test what's in your /lib/modules with what's in your
kernel source:
[cmds]
(cd /lib/modules/$( uname -r )/build/; find -type f -name '*.ko')|sort > /tmp/t1
(cd /lib/modules/$(
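The comparison Billy describes, written out as a small POSIX sh script (an added example, not from the thread; the directory layout used in demo() is constructed):

```shell
#!/bin/sh
# Added example (not from the thread): compare the .ko files installed under
# a /lib/modules/<version> tree with the .ko files produced in the matching
# kernel build tree, and report modules present only in the installed tree.
# A module with no counterpart in the build tree was not built from that
# source and deserves a closer look (a legitimate out-of-tree driver, or not).
# Usage: extra_modules BUILD_DIR MODULES_DIR
#   BUILD_DIR   typically /lib/modules/$(uname -r)/build
#   MODULES_DIR typically /lib/modules/$(uname -r)
# Prints one module file name per line; exit status 1 if any were found.

list_ko() {
    # File names only, sorted and de-duplicated, so the two trees compare
    # even though their directory layouts differ. find does not follow
    # symlinks, so the build symlink inside MODULES_DIR is not descended.
    find "$1" -type f -name '*.ko' -exec basename {} \; | sort -u
}

extra_modules() {
    t1=$(mktemp) || return 2
    t2=$(mktemp) || { rm -f "$t1"; return 2; }
    list_ko "$1" > "$t1"
    list_ko "$2" > "$t2"
    # comm -13 keeps the lines that appear only in the second file
    extra=$(comm -13 "$t1" "$t2")
    rm -f "$t1" "$t2"
    [ -n "$extra" ] || return 0
    printf '%s\n' "$extra"
    return 1
}

# Stand-alone demonstration on a constructed pair of trees: one module built
# from source and installed, plus one (constructed) module with no source.
demo() {
    root=$(mktemp -d) || return 2
    mkdir -p "$root/build/drivers/net" "$root/mods/kernel/drivers/net" "$root/mods/extra"
    : > "$root/build/drivers/net/e1000.ko"
    : > "$root/mods/kernel/drivers/net/e1000.ko"
    : > "$root/mods/extra/mystery.ko"
    extra_modules "$root/build" "$root/mods"
    rc=$?
    rm -rf "$root"
    return $rc
}
```

On a real box run it as `extra_modules /lib/modules/$(uname -r)/build /lib/modules/$(uname -r)`; anything it lists should be explainable by a package you installed.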
Quoting Grant [EMAIL PROTECTED]:
If I wasn't hacked, this kind of strange behavior would have to be a
hardware or filesystem problem right? What are the best ways to check
for that? Just fsck?
dmesg, /var/log/syslog and /var/log/messages. Look for IDE or SATA
timeouts, or kernel panics.
Nothing in the logs jumps out
Quoting Grant [EMAIL PROTECTED]:
make: *** No rule to make target `menuconfig'. Stop.
what does ls show?
perhaps your HDD has decided to retire early?
or a hacker deleted a lot of your stuff?
or /usr/src/linux - points to something else
what's in /usr/src ?
# ls -l
total 7652
-rw-r--r--  1 root root 18693 Nov 30 10:26 COPYING
-rw-r--r--  1 root root 91435 Nov 30 10:26 CREDITS
drwxr-xr-x 64 root root 12288 Nov 30 10:26 Documentation
-rw-r--r-- 1 root root 1530
That last email was all wrong. It was output from my laptop. Here is
the stuff from my router.
# ls -l
total 5732
-rw-r--r-- 1 root root 150641 Apr 17 2007 Module.symvers
-rw-r--r-- 1 root root 928127 Apr 17
Quoting Grant [EMAIL PROTECTED]:
# ls -l
notice in /usr/src/linux, you have far fewer files (not dirs) than
you do on your laptop. Something deleted them.
The vmlinux, Module.symvers, and System.map are all generated files.
So it looks like something deleted those files while your kernel was
being compiled?
Very,
On Wednesday 05 December 2007, Billy Holmes wrote:
Quoting Grant [EMAIL PROTECTED]:
$ ssh [EMAIL PROTECTED]
Read from socket failed: Connection reset by peer
what is 0.1 ? is that your router? as in a gentoo system acting as a router?
Yep, Gentoo system acting as a firewall/router/print server.
- Grant
Quoting Grant [EMAIL PROTECTED]:
I don't see how that could be because I was able to log in when the
system was freshly booted yesterday. I'll grab a monitor and keyboard
from the garage, have a look, and report back here.
when I have problems with ssh, I run another instance in debug mode:
Grant wrote:
I'm on the box now and it's quite non-functional. ctrl+alt+del prints
INIT: cannot execute /sbin/shutdown. I'm going to do a hard reset
and we'll see what happens.
That's very strange. Memory test? Can you read the logs when it comes
back up?
--
Randy Barlow
Quoting Grant [EMAIL PROTECTED]:
I'm on the box now and it's quite non-functional. ctrl+alt+del prints
INIT: cannot execute /sbin/shutdown. I'm going to do a hard reset
and we'll see what happens.
Since it's acting as your firewall, there's a very large possibility
that your machine was compromised. That doesn't mean
Quoting Mick [EMAIL PROTECTED]:
Have you tried temporarily disabling the firewall on 192.168.0.1 and checking
the tcpwrappers for any deny all directives which knock your client out when
it tries to connect?
I was about to suggest that.
if you can ssh to localhost via 0.1, then it's a
On Wednesday 05 December 2007, Billy Holmes wrote:
[snip...]
maybe use portage to check that all the binaries on your computer
match to what portage thinks it should be.
How do you do that?
--
Regards,
Mick
On Wed, 5 Dec 2007 21:35:05 +, Mick wrote:
maybe use portage to check that all the binaries on your computer
match to what portage thinks it should be.
How do you do that?
equery check cat/pkg
--
Neil Bothwick
It's not a bug, it's tradition!
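For readers without Portage at hand, here is what `equery check` is doing under the hood, as an added example in POSIX sh (not from the thread and not equery's own code): Portage records installed files in CONTENTS with their MD5, and the check re-hashes them. The package tree in demo() is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): a small stand-in for what
# `equery check cat/pkg` does. Portage lists every file a package installed
# in /var/db/pkg/<cat>/<pkg-ver>/CONTENTS; regular files appear as
#     obj <path> <md5> <mtime>
# This re-hashes each obj entry and reports files that are missing or whose
# content no longer matches the recorded MD5 (sym and dir entries are skipped,
# and paths containing spaces are not handled).
# Usage: check_contents CONTENTS_FILE [ROOT]   ROOT prefixes every path.
# Prints "MISSING <path>" or "MODIFIED <path>" per problem; exit 1 if any.

check_contents() {
    contents=$1
    root=${2:-}
    bad=0
    while read -r kind path md5 mtime; do
        [ "$kind" = obj ] || continue
        file="$root$path"
        if [ ! -f "$file" ]; then
            echo "MISSING $path"; bad=1; continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" != "$md5" ]; then
            echo "MODIFIED $path"; bad=1
        fi
    done < "$contents"
    return $bad
}

# Stand-alone demonstration on a constructed package: one intact file, one
# whose content was replaced after install, one that was deleted.
demo() {
    root=$(mktemp -d) || return 2
    mkdir -p "$root/usr/bin"
    printf 'original\n' > "$root/usr/bin/fine"
    printf 'original\n' > "$root/usr/bin/tool"
    sum=$(md5sum "$root/usr/bin/fine" | cut -d' ' -f1)
    {
        echo "dir /usr/bin"
        echo "obj /usr/bin/fine $sum 1196870000"
        echo "obj /usr/bin/tool $sum 1196870000"
        echo "obj /usr/bin/gone $sum 1196870000"
    } > "$root/CONTENTS"
    printf 'tampered\n' > "$root/usr/bin/tool"
    check_contents "$root/CONTENTS" "$root"
    rc=$?
    rm -rf "$root"
    return $rc
}
```

Note that on a compromised host the CONTENTS files and md5sum itself may have been altered too, which is why the thread also suggests booting a live CD and checking from outside.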
Grant wrote:
If I wasn't hacked, this kind of strange behavior would have to be a
hardware or filesystem problem right? What are the best ways to check
for that? Just fsck?
You can also boot the gentoo live CD into the memory test. At the
beginning when it prompts you for which kernel, you