Linux-Misc Digest #997, Volume #25               Tue, 10 Oct 00 12:13:03 EDT

Contents:
  What should I use on redhat 7.0 IP-Masquerade or IPCHAINS??? ([EMAIL PROTECTED])
  Re: can't login - hacked? (Lew Pitcher)
  Re: can't login - hacked? (Leejay Wu)
  100mb zip usb support ("C.M.Lewis")
  Re: Does anyone have masquerading working on redhat 7.0 (Rod Smith)
  Re: Filesystem question (Rod Smith)
  Dialing in VPN with Linux ([EMAIL PROTECTED])
  lp0 on fire (Carl Benson)
  Re: can't login - hacked? (M. Buchenrieder)
  Re: Equation Editors - AND STARMATH... (Radix)
  Re: lp0 on fire (Villy Kruse)
  Samba: Controlling printing from Windows clients (Oliver Battenfeld)
  Re: Filesystem question ("David Quinn")
  linux vs unix (ayan ray)
  Re: can't login - hacked? ("Andrew N. McGuire ")
  mgetty/ppp question ([EMAIL PROTECTED])
  Re: linux vs unix (Andreas Kähäri)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED]
Subject: What should I use on redhat 7.0 IP-Masquerade or IPCHAINS???
Date: Tue, 10 Oct 2000 13:03:50 GMT

What should I use on redhat 7.0 IP-Masquerade or IPCHAINS???

Here is what I am trying to do.

I have one computer with a modem that I use to dial out to my ISP.  I
just set up a network with two computers on it and I would like my other
computers on the network to see the internet??

If you got this working in redhat 7.0 please email me, or if you have a
comment on the best way to do this please email me.

Thanks


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: [EMAIL PROTECTED] (Lew Pitcher)
Subject: Re: can't login - hacked?
Reply-To: [EMAIL PROTECTED]
Date: Tue, 10 Oct 2000 13:23:31 GMT

On Tue, 10 Oct 2000 11:14:36 GMT, [EMAIL PROTECTED] wrote:

>Hi Again,
>
>It just got worse - it is a hacker.  I just saw in top that there were
>several processes running which I don't recognise and after updatedb
>and locate on the process name I found the intruder's directory which
>seems to indicate that this program is a packet sniffer!!
>
>HELP!  What do I do now??  He obviously got root or else he couldn't
>run the packet sniffer.  Is my just stopping his processes, deleting
>his directory and changing root and other passwords enough??
>
>Equally, how do I get all my normal telnet and FTP logins back??
>
>I seriously need the help of a security guru here :o)

I'm no security guru, but here's a few things to do...

1) Take the system to single user mode
  (specifically, take it off the network _NOW_)
2) make a complete backup of the system (suspect directories, log files, etc.)
   for the law enforcement forensics
3) wipe it clean (yes, everything)
4) restore from last known-good backups
5) apply all known security patches
6) locate and close whatever hole the thief entered through
7) _maybe_ put the system back onto the network


>L
>
>
>In article <8rusa5$pil$[EMAIL PROTECTED]>,
>  [EMAIL PROTECTED] wrote:
>> Hi All,
>>
>> I've just been told by one of my users that they couldn't login via
>FTP
>> to my RH6.2 box because they kept being told their password was
>> invalid.  I have tried changing their password and the /etc/shadow
>file
>> shows that there has been a change, but still they can't login via
>> FTP.  I then checked numerous other accounts and none of them can
>login
>> by FTP or telnet.  I can only get in to the box by SSH now.
>>
>> This feels very like a hacker.  I found an executable called wzap in
>> my /var/log directory and it seems to remove users from wtmp.  I
>> haven't put it there ... is it part of a default install or signs of a
>> hacker.
>>
>> HELP!!
>>
>> Louis
>>
>> Sent via Deja.com http://www.deja.com/
>> Before you buy.
>>
>
>
>Sent via Deja.com http://www.deja.com/
>Before you buy.

Lew Pitcher
IT Consultant, Development Services
Toronto Dominion Bank Financial Group

(Opinions expressed are my own, not my employers')
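The original poster found a binary called wzap in /var/log that removes users from wtmp. As an added example (not from the digest or any of its posters), here is a small Python check that walks a wtmp file and flags records that look wiped rather than written by login/init. The 384-byte record layout is assumed to be the glibc x86 struct utmp of that era, and the sample records are constructed inline.

```python
import struct
from typing import Dict, List

# Assumed layout: glibc x86 (32-bit) struct utmp, 384 bytes per record:
# type, pad, pid, line[32], id[4], user[32], host[256], exit(2h), session,
# tv_sec, tv_usec, addr_v6[16], pad[20]. Not taken from the digest.
UTMP_FMT = "<h2xi32s4s32s256shhiii16s20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS, DEAD_PROCESS = 7, 8
ZERO_RECORD = b"\0" * UTMP_SIZE

def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("latin-1")

def make_record(ut_type: int, pid: int, line: str, user: str,
                host: str, tv_sec: int) -> bytes:
    """Build one wtmp record (used only to construct sample input here)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"",
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0, b"")

def parse_wtmp(data: bytes) -> List[Dict]:
    """Split a wtmp blob into records; a trailing partial record is kept too."""
    records = []
    whole = len(data) - len(data) % UTMP_SIZE
    for off in range(0, whole, UTMP_SIZE):
        chunk = data[off:off + UTMP_SIZE]
        (ut_type, pid, line, _id, user, host, _term, _exit,
         _sess, tv_sec, _usec, _addr) = struct.unpack(UTMP_FMT, chunk)
        records.append({"index": off // UTMP_SIZE, "type": ut_type,
                        "pid": pid, "line": _cstr(line), "user": _cstr(user),
                        "host": _cstr(host), "time": tv_sec,
                        "zeroed": chunk == ZERO_RECORD, "truncated": False})
    if whole != len(data):  # file does not end on a record boundary
        records.append({"index": whole // UTMP_SIZE, "type": -1, "pid": 0,
                        "line": "", "user": "", "host": "", "time": 0,
                        "zeroed": False, "truncated": True})
    return records

def find_zapped(records: List[Dict]) -> List[int]:
    """Indices of records that look wiped rather than written by login/init:
    all-zero records (the usual footprint of zap-style wipers), a truncated
    tail, and login/logout entries with no timestamp or no user name."""
    suspicious = []
    for rec in records:
        if rec["zeroed"] or rec["truncated"]:
            suspicious.append(rec["index"])
        elif rec["type"] in (USER_PROCESS, DEAD_PROCESS) and (
                rec["time"] == 0 or
                (rec["type"] == USER_PROCESS and not rec["user"])):
            suspicious.append(rec["index"])
    return suspicious

# Constructed sample: two logins, one record wiped to zeros, one logout.
SAMPLE_WTMP = (
    make_record(USER_PROCESS, 1201, "ttyp0", "alice", "10.0.0.5", 971157310)
    + make_record(USER_PROCESS, 1240, "ttyp1", "bob", "10.0.0.9", 971157600)
    + ZERO_RECORD
    + make_record(DEAD_PROCESS, 1201, "ttyp0", "", "", 971161000)
)
```

On a real system you would run `find_zapped(parse_wtmp(open("/var/log/wtmp", "rb").read()))` from a known-clean machine against a copied wtmp, since the compromised host's own tools cannot be trusted; a wiped record only tells you the log was tampered with, not who logged in.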

------------------------------

From: Leejay Wu <[EMAIL PROTECTED]>
Subject: Re: can't login - hacked?
Date: Tue, 10 Oct 2000 09:36:51 -0400

Excerpts from netnews.comp.os.linux.misc: 10-Oct-100 Re: can't login -
hacked? by [EMAIL PROTECTED] 
> It just got worse - it is a hacker.  I just saw in top that 
> there were several processes running which I don't recognise 
> and after updatedb and locate on the process name I found the 
> intruder's directory which seems to indicate that this 
> program is a packet sniffer!!
>  
> HELP!  What do I do now??  He obviously got root or else he 
> couldn't run the packet sniffer.  Is my just stopping his 
> processes, deleting his directory and changing root and other 
> passwords enough??

No.  You can't trust any program writeable by root, which with
fairly high probability is all of them.

a) Turn off all network services NOW.  Best is to yank the cord,
   probably, since it's possible to replace libc and the netkit
   tools so that they hide daemons waiting to provide 
   rootshells.
b) Since a sniffer was running, alert the local users (either
   directly, or through an admin) that their passwords have 
   probably been compromised, unless they were ALWAYS sent via
   strong encryption *and* the keys were not accessible over the
   wire or on any filesystem available to root on that machine.
c) Back up the system as-is, if you ever want to figure out how
   entry was made, or whether any other systems were compromised.
d) Wipe all partitions and reinstall, but do NOT enable any 
   services yet, since you don't know how he got in.  
   Ideally, you have a supposedly clean machine and some mass 
   storage device like tape, Zip or LS120 so that you can 
   download updates on another machine and not need to plug into
   the network yet, but that may not be an option.
e) Since you're using RH, visit their site.  Check for updates,
   and make sure you get ALL the security-related updates for
   packages you have installed.
f) Do you intend to allow off-site logins?  For instance, does
   it make sense to you to allow telnets and FTPs from outside
   your domain?  Clamp down on connections that shouldn't be
   allowed -- /etc/hosts.deny should be a decent starting place.
   Look at 

   http://www.enteract.com/~lspitz/linux.html

   for more useful info on securing Linux.
g) You should assume that passwords have been obtained -- thus,
   the safest thing would be to lock all local accounts, and have 
   users contact you to obtain new ones...

Incidentally, all the above assumes you trust local users.  If
you don't trust folks who get console access, you'll probably
need to password lilo, use the BIOS setup and perhaps boot 
passwords, and so forth.

Likewise, you'll have to consider the implications of any data
stored there.  Are passwords shared with stock trading accounts?
Are credit card numbers, PINs or customer IDs anywhere on the 
system, like poorly-encrypted (if at all) cookies?  You might
   have bigger problems on your hand than FTP, depending.

> Equally, how do I get all my normal telnet and FTP logins 
> back??
> I seriously need the help of a security guru here :o)

--
|   [EMAIL PROTECTED]        | the silly student          |
|--------------------------| he writes really bad haiku |
|   #include <stddiscl.h>  | readers all go mad         |

    


------------------------------

From: "C.M.Lewis" <[EMAIL PROTECTED]>
Subject: 100mb zip usb support
Date: Tue, 10 Oct 2000 14:36:01 +0100

Hi,

How?  Presumably as everything is a file, I need the right file in the
right place.  So where do I get the file and where do I stick it?

Chris Lewis

------------------------------

Reply-To: [EMAIL PROTECTED]
From: [EMAIL PROTECTED] (Rod Smith)
Subject: Re: Does anyone have masquerading working on redhat 7.0
Date: Tue, 10 Oct 2000 14:08:01 GMT

[Posted and mailed]

In article <8rt6l5$g1j$[EMAIL PROTECTED]>,
        [EMAIL PROTECTED] writes:
> Does anyone have masquerading working on redhat 7.0
> 
> If so please email me I am thinking about setting it up

I've seen your query posted separately on three newsgroups now. I
replied to the first. In the future, please:

1) Restrict the number of newsgroups to which you post. One or possibly
   two is sufficient for most posts.
2) If you must post to more than one newsgroup, crosspost rather than
   multi-post. To crosspost, you normally just type two newsgroup names,
   separated by commas, on the Newsgroups: line in your news reader.
   This sends ONE message, but it's readable in all the newsgroups you
   list, thus saving bandwidth and readers' time.

-- 
Rod Smith, [EMAIL PROTECTED]
http://www.rodsbooks.com
Author of books on Linux & multi-OS configuration

------------------------------

Reply-To: [EMAIL PROTECTED]
From: [EMAIL PROTECTED] (Rod Smith)
Subject: Re: Filesystem question
Date: Tue, 10 Oct 2000 14:15:51 GMT

[Posted and mailed]

In article <8ruidm$fpn$[EMAIL PROTECTED]>,
        "David Quinn" <[EMAIL PROTECTED]> writes:
> I have a 6Gb drive which I have added to an existing linux box.  I want it
> to be FAT32 so I used cfdisk to create a primary partition on it of type 0C
> (Win95 Fat32 (LBA)).
> 
> If I run fsconf, it reports it as a vfat drive of size 6197M.

Try df. That'll report the filesystem size. I'm not familiar with
fsconf.

> It is shared through Samba but the Windows client reports it as an NTFS

This is normal. Linux claims to be sharing NTFS filesystems, no matter
what it's actually using. You can change this with the fstype smb.conf
parameter, but there should be no need to do so.

> volume of size 3.77Gb.  I though it may just be windows  misrepresenting it
> so I filled it with files and it does run out of space at 3.77Gb.
> 
> Is there a maximum size for a fat32 partition on Linux? Is it Samba that's
> misrepresenting it or windows?  Or have I chosen the wrong filesystem for
> the partition?

AFAIK, it should not be maxing out at 3.77GB, nor is there a 3.77GB
limit to FAT32 partitions. My hunch is that the filesystem was created
incorrectly, but I can't be sure of that. Another possibility is that
this is a client limitation (you don't say which variety of Windows
you're using as a client).

One other question: Why are you using FAT32? The main reason for doing
this is if the system dual-boots into Windows and you want access to the
files in both OSs. Using FAT32 provides *NO* benefits of which I'm aware
when sharing the partition via Samba, and in fact it provides several
drawbacks. Unless you want to share the filesystem with another OS on
the SAME computer, I'd suggest you re-do it as ext2fs, or perhaps
ReiserFS or XFS.

-- 
Rod Smith, [EMAIL PROTECTED]
http://www.rodsbooks.com
Author of books on Linux & multi-OS configuration

------------------------------

From: [EMAIL PROTECTED]
Subject: Dialing in VPN with Linux
Date: Tue, 10 Oct 2000 14:26:40 GMT



I have been given a Secure ID key to dial into the VPN of my employer.
What is the method for doing this on Redhat 6.1? I understand it
is similar to PPP but I need to enter the SecureID which is periodically
changed. Any help would be greatly appreciated.

Of course, Linux is not supported here. If I fail to do this
with Linux, I will have to get a Windows installed (I
already posted about this), which I would rather not do.


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: Carl Benson <[EMAIL PROTECTED]>
Subject: lp0 on fire
Date: Tue, 10 Oct 2000 07:39:24 -0700

Logcheck running on my network log archiver had this to say
this morning:


Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Oct 10 06:55:10 cachalot kernel: lp0 on fire  

Anyone seen this before? Obviously, nothing is on fire. Is
this just a little joke embedded in the kernel? Have I been
hacked?

It's freshly re-installed RedHat 6.2 (kernel 2.2.14-05, I
think).

-- 
Carl Benson

------------------------------

From: [EMAIL PROTECTED] (M. Buchenrieder)
Subject: Re: can't login - hacked?
Date: Tue, 10 Oct 2000 12:58:29 GMT

[EMAIL PROTECTED] writes:

>Hi Again,

>It just got worse - it is a hacker.  I just saw in top that there were
>several processes running which I don't recognise and after updatedb
>and locate on the process name I found the intruder's directory which
>seems to indicate that this program is a packet sniffer!!

>HELP!  What do I do now??  He obviously got root or else he couldn't
>run the packet sniffer.  

[...]

A) You want to read and post security-related items to the
   appropriate group comp.os.linux.security .

B) You want to take that box offline. Now.

C) You want to backup the users' data (in case you didn't do
   it before).

D) You want to completely wipe out the compromised system and
   reinstall from a known-to-be-clean source. 

Since you have dialup users, this is likely to be an ISP box.
Take it offline immediately before worse damage may result from
the successful hack of your box. Take into account that Deja
lists the originating IP number in your postings; it probably doesn't
take a genius to find out where the compromised box is.

Michael
-- 
Michael Buchenrieder * [EMAIL PROTECTED] * http://www.muc.de/~mibu
          Lumber Cartel Unit #456 (TINLC) & Official Netscum
    Note: If you want me to send you email, don't munge your address.

------------------------------

From: Radix <[EMAIL PROTECTED]>
Crossposted-To: alt.os.linux
Subject: Re: Equation Editors - AND STARMATH...
Date: Tue, 10 Oct 2000 12:04:01 -0230

Thank you for all replies...  I'm compiling TeXmacs now...

Take care...
-- 
-Trevor
======================
"That's all right, I still got my guitar"... 
-James Marshall Hendrix (11/27/1942-09/18/1970)

------------------------------

From: [EMAIL PROTECTED] (Villy Kruse)
Subject: Re: lp0 on fire
Date: 10 Oct 2000 14:50:55 GMT

On Tue, 10 Oct 2000 07:39:24 -0700, Carl Benson <[EMAIL PROTECTED]> wrote:
>Logcheck running on my network log archiver had this to say
>this morning:
>
>
>Unusual System Events
>=-=-=-=-=-=-=-=-=-=-=
>Oct 10 06:55:10 cachalot kernel: lp0 on fire  
>
>Anyone seen this before? Obviously, nothing is on fire. Is
>this just a little joke embedded in the kernel? Have I been
>hacked?
>

It's a joke.  Look for the message in linux/drivers/char/lp.c


>It's freshly re-installed RedHat 6.2 (kernel 2.2.14-05, I
>think).
>


Reminds me of "FLAMING ERROR" displayed on some Fujitsu printer's
display panel.



Villy

------------------------------

From: Oliver Battenfeld <[EMAIL PROTECTED]>
Subject: Samba: Controlling printing from Windows clients
Date: Tue, 10 Oct 2000 17:01:47 +0200

Hi,

just got my stone-age Deskjet 510 working on my LAN server. Windows
clients can print via a Samba share (Sidenote: Does anyone know, why
this only works using the HPDJ 510 Windows driver instead of using a
Postscript printer driver, which is suggested by the Samba Howto?).

Problem: How to control the printing process from the Windows clients.
It would at least be necessary to be able to remove the job from the
queue, so that the printer stops (with as little delay as possible). Is
that possible with Samba/LPRng/Linux? Any extra tools maybe?

TIA!

-- 
Ciao,
Oliver

------------------------------

From: "David Quinn" <[EMAIL PROTECTED]>
Subject: Re: Filesystem question
Date: Tue, 10 Oct 2000 16:02:28 +0100

Thanks Rod

Your question about why I'm doing it this way has cleared my mind!

Being a linux newbie, I was working under the impression that the unix file
systems did not support spaces in filenames whereas Windows does.  So I
created the partition in FAT32 so that windows applications would be able to
save files correctly.

Having done some further investigation it appears my assumption is wrong!
So my problem can clearly be solved by simply replacing the FAT32 partition
with a standard Linux one.

However, I never like to leave problems unresolved so if anyone has any
explanation for the problem with sharing my FAT 32 partition, I'd still be
interested to know why it didn't work.

Thanks again Rod

David Quinn



------------------------------

From: ayan ray <[EMAIL PROTECTED]>
Subject: linux vs unix
Date: Tue, 10 Oct 2000 15:30:06 -0000

Everywhere I look I see a lot of comparisons between NT and linux/unix.
I have a project in which I have to compare unix and linux. It would be
great if someone is willing to help me. Thanks.

--
Posted via CNET Help.com
http://www.help.com/

------------------------------

From: "Andrew N. McGuire " <[EMAIL PROTECTED]>
Subject: Re: can't login - hacked?
Date: Tue, 10 Oct 2000 10:31:42 -0500

On Tue, 10 Oct 2000, [EMAIL PROTECTED] quoth:

> Hi Again,
> 
> It just got worse - it is a hacker.  I just saw in top that there were
> several processes running which I don't recognise and after updatedb
> and locate on the process name I found the intruder's directory which
> seems to indicate that this program is a packet sniffer!!
> 
> HELP!  What do I do now??  He obviously got root or else he couldn't
> run the packet sniffer.  Is my just stopping his processes, deleting
> his directory and changing root and other passwords enough??
> 
> Equally, how do I get all my normal telnet and FTP logins back??
> 
> I seriously need the help of a security guru here :o)

Game over, you lost.  Pull the plug on the machine, format and reinstall.
Perhaps read up on some host-hardening techniques during the install.
Sorry to be so blunt, and give you such bad news, but there is really
no other way.  Oh yes, remember, any backups you made are probably
tainted as well.

Good Luck!

anm
-- 
package News::NNTPClient;use subs q;warn;;sub warn{0}package main;use
News::NNTPClient;$;=News::NNTPClient->new();($==>$$)=($;->group(($|||
((<comp.lang.perl.misc>)))));for$)(<$=>..<$$>){map{$\=v12;die 1?qq{$1
}:q--while s<^.+(j..T .{6}(r) p.R. .{5}\2).+>[$1]mig}$;->article($))}


------------------------------

From: [EMAIL PROTECTED]
Subject: mgetty/ppp question
Date: Tue, 10 Oct 2000 15:29:21 GMT

I have a dsl connection to the internet that is always on.  What I want
to do is to enable our sales reps to be able to dial into our Linux
server and access the internet through our dsl connection.

The first thing I did was set up mgetty.  I am able to dial in from a
Windows 98 machine using hyperterminal and log into the Linux server.  I
am assuming from that mgetty is working fine.

I now want to set up mgetty to work with ppp so that our sales reps can
use our office as an ISP so to speak using a dial up networking
connection from their Windows computers.

I have downloaded and read how to documents for setting up mgetty and
ppp, but I am not able to make it work.  I have read the
/var/log/messages file and the following is after every login attempt:

"login:FAILED LOGIN 1 FROM (null) FOR /AutoPPP/, User not known to the
underlying  authentication module"

I also get 3 more similar type messages, except that there is garbage
after the FOR....

I would appreciate it if anyone could help me out or point me in the
right direction.

Thank you.


Scott


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

Subject: Re: linux vs unix
From: Andreas Kähäri <[EMAIL PROTECTED]>
Date: 10 Oct 2000 17:44:26 +0100

In article <[EMAIL PROTECTED]>,
ayan ray  <[EMAIL PROTECTED]> wrote:
>Everywhere I look I see a lot of comparisons between NT and linux/unix.
>I have a project in which I have to compare unix and linux. It would be
>great if someone is willing to help me. Thanks.

Try comparing GNU/Linux with one of the BSDs (e.g. with NetBSD, the
one that runs on most platforms AFAIK).

See <URL:http://www.bsd.org/> and <URL:http://www.linuxdoc.org/> for
more info.

/A

-- 
Andreas Kähäri, 
Uppsala University, Sweden.
=============================={ "free", as in "software" --> www.gnu.org

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and comp.os.linux.misc) via:

    Internet: [EMAIL PROTECTED]

Linux may be obtained via one of these FTP sites:
    ftp.funet.fi                                pub/Linux
    tsx-11.mit.edu                              pub/linux
    sunsite.unc.edu                             pub/Linux

End of Linux-Misc Digest
******************************