Linux-Misc Digest #526, Volume #27 Wed, 4 Apr 01 08:13:03 EDT
Contents:
Any help for XFree86-4.0.2? (OrangeDino)
PLEASE HELP!, MY LINUX have been HACKED~ (Leo)
Re: PLEASE HELP!, MY LINUX have been HACKED~ (Leo)
Re: PLEASE HELP!, MY LINUX have been HACKED~ ([EMAIL PROTECTED])
KDE 2 on RH 7 set up to use switchdsk... (Guy Parry)
Re: Shell script questions... (Cedric ROUX)
Re: mail reader ("Darryl L. Pierce")
Re: PLEASE HELP!, MY LINUX have been HACKED~ ("Sander")
Re: migrating /home from / (Jean-David Beyer)
Re: netscape default preferences question (Jean-David Beyer)
FAT CR/LF conversion ("Chris West")
Root cannot login ("Dennis")
Re: FAT CR/LF conversion ([EMAIL PROTECTED])
Re: Stupid Mistakes (Stanislaw Flatto)
Re: FAT CR/LF conversion (Christopher Albert)
Re: PLEASE HELP!, MY LINUX have been HACKED~ (Christopher Albert)
----------------------------------------------------------------------------
From: OrangeDino <[EMAIL PROTECTED]>
Subject: Any help for XFree86-4.0.2?
Date: Wed, 04 Apr 2001 17:46:46 +0800
I have upgraded my XFree86-3.3.6 to 4.0.2 with rpms for Redhat Linux.
But it does not contain any driver for my display card (SiS 6326) and it
can only use the SVGA X-server of 3.3.6 to drive my card. Is it that the
XFree86-4.0.x rpms for Redhat do not contain any display driver and
you should use the 3.3.6 X-server as driver?
Anyway, if I startx, only gnome can start up while kde2.1 cannot. Even
in gnome I cannot run any kde application.
When I exit X-window, it cannot startx again before I reboot.
It said that there is an error with the font path "unix:\7100".
I use the XFree86-4.0.2 rpms for Redhat 6.x.
Can anyone give some ideas about what is wrong?
Thanks for your kind concern!
------------------------------
Date: Wed, 04 Apr 2001 18:38:49 +0800
From: Leo <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Crossposted-To: alt.os.linux,alt.linux,comp.os.linux.help,comp.os.linux
Subject: PLEASE HELP!, MY LINUX have been HACKED~
Dear all,
Today I turned on my linux and I received a mail from sendmail regarding
a failed message posted to
someone in @sina.com. So I checked it out and basically it says the
following:
========== Forwarded message ==========
Date: Wed, 4 Apr 2001 03:15:21 +0800
From: Mail Delivery Subsystem <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Warning: could not send message for past 4 hours
**********************************************
** THIS IS A WARNING MESSAGE ONLY **
** YOU DO NOT NEED TO RESEND YOUR MESSAGE **
**********************************************
The original message was received at Tue, 3 Apr 2001 21:57:12 +0800
from root@localhost
----- The following addresses had transient non-fatal errors -----
[EMAIL PROTECTED]
----- Transcript of session follows -----
451 4.4.1 timeout writing message to smtp.hknet.com
[EMAIL PROTECTED] Deferred
Warning: message still undelivered after 4 hours
Will keep trying until message is 5 days old
After reading that message, I was curious because I never use ROOT to
send messages out and apparently, that
"[EMAIL PROTECTED]" looks very unfamiliar to me. So I am positive that I
didn't send such a message. Inside the message
I found two attachments, one dat file and the other a text file.
Unfortunately, when I read the text file I see ALL the confidential
information of my system pasted in there. The format looks
something like this:
/**************************HOST IP*****************************/
and then I see the whole ifconfig pasted here. Then..
/**************************PS*********************************/
I see ps -aux, then
/**************************HISTORY***************************/
root's command history.. then
/************************HOSTS*****************************/
hosts file, AND EVEN
/************************PASSWD***************************/
passwd file, with ROOT's and all users' passwords unencrypted!!!!
I use redhat 7 and I'm sure I have shadow + md5 password enabled.
If anyone has any idea what's going wrong, please let me know, and how
am I getting the file. I know that
sina provides freemail service but it has an extension of sinaman.com or
sinagirl.com, but NOT sina.com.
Is that why I am getting the mail bounced back???
Any help would be appreciated. Thank you very much!
Leo
------------------------------
Date: Wed, 04 Apr 2001 18:45:00 +0800
From: Leo <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Crossposted-To: alt.os.linux,alt.linux,comp.os.linux.help,comp.os.linux
Subject: Re: PLEASE HELP!, MY LINUX have been HACKED~
One more thing: after I read the email, I checked my log file (
/var/log/message ) to see what happened. Apparently, I have lost ALL the
stuff before the date APRIL 3rd ( day of mail send )... So I couldn't trace
what happened. Although information from my other
logfiles still exists, i.e. my "loginlog", I cannot find any clue from
there. =(
Thanks
------------------------------
From: [EMAIL PROTECTED]
Crossposted-To: alt.os.linux,alt.linux,comp.os.linux.help,comp.os.linux
Subject: Re: PLEASE HELP!, MY LINUX have been HACKED~
Date: 4 Apr 2001 10:55:03 GMT
In comp.os.linux.misc Leo <[EMAIL PROTECTED]> wrote:
> One more thing after i read the email, I checked my log file (
> /var/log/message ) to see what happened. Apparently, i have lost ALL the
> stuff before date APRIL 3rd ( day of mail send )... So i couldn't trace
Looks like somebody has installed some trojan that tried to
mail out information about your system.
I suggest you re-install your machine to get rid of the
trojan and other rootkits that could be in your machine.
I also suggest some good reading about security and
firewalling.
Davide
------------------------------
From: Guy Parry <[EMAIL PROTECTED]>
Subject: KDE 2 on RH 7 set up to use switchdsk...
Date: Wed, 04 Apr 2001 20:57:39 +1000
Could someone who has installed KDE 2 on a RH 7.0 distro please give
me a little help? I've gotten all the required rpm's on my HDD
without any hassles, but I've since found 3 differing posts on how to
do the rest to get it to run.
One says to edit .xinitrc, but of course, RH 7 uses .Xclients
instead. I would like to do it so I can change from Gnome to KDE
using good ol' Switchdesk at the console(!)...rather than having to
edit a file/s manually every time I want to change managers...
tia...
------------------------------
From: Cedric ROUX <[EMAIL PROTECTED]>
Crossposted-To: comp.unix.shell,comp.lang.awk
Subject: Re: Shell script questions...
Date: Wed, 04 Apr 2001 12:58:43 +0200
Hi Jerome,
sed -n -e '/ERROR/,/^/p' -e '/Display/,/^/p' < file.txt
seems to work fine to me.
See you,
Cedric.
MEYER wrote:
> Hi everyone
>
> I've written a little script, like:
> ...
> while read line
> do
> sed -n '/ERROR/,/^/p'
> done < $1
> ...
>
> This loop takes two lines: the first is where an ERROR word occurs and
> the second is the next line!
> Now, I want to take the ERROR word (like yet) OR the Display word and the
> next line.
> Does anyone have an idea how I can make the sed script for ERROR OR Display?
> Is it like: sed -n '/ERROR || Display/,/^/p' ??? But it doesn't run???
> Thanks a lot for your answers,
>
> Jerome
------------------------------
From: "Darryl L. Pierce" <[EMAIL PROTECTED]>
Subject: Re: mail reader
Date: Wed, 4 Apr 2001 07:12:25 -0400
Charles Herman <[EMAIL PROTECTED]> wrote:
> I am looking for a mail reader for Linux, any suggestions.
Mutt. I use it. I love it. =)
--
/**
* @author Darryl L. Pierce <[EMAIL PROTECTED]>
* @see The InfoBahn Offramp <http://welcome.to/mcpierce>
* @quote "Too often we confuse effort and progress."
* - Fred Brooks, _The Mythical Man-Month_
*/
------------------------------
From: "Sander" <[EMAIL PROTECTED]>
Crossposted-To: alt.os.linux,alt.linux,comp.os.linux.help,comp.os.linux
Subject: Re: PLEASE HELP!, MY LINUX have been HACKED~
Date: Wed, 04 Apr 2001 11:21:04 GMT
I got hacked once, several times actually. See:
http://www.cert.org/nav/recovering.html
check /etc/inetd.conf and /etc/xinetd.d if there are lines starting with a
strange port (>1024) granting them root access.
Build yourself a firewall with ipchains, log all outgoing denied traffic and
mail it to a trusted host.
Basically what I did was wipe all (!!) vulnerable boxes on my network (7),
close down the internet connection, and start building from the ground.
Only install the things you need. SSH rather than telnet, no rsh, no
sendmail if you can use balsa or something similar etc. No DNS either. It is
a lot of work, but once you've done so, you've got a very manageable network. If you
get hacked again, you can be pretty sure what they've hacked.
I wiped everything because these guys are way out of my league and probably left
themselves five rootkits and one decoy for you to find. You're happy because
you found the decoy and consider your system clean again.
I hate 'm.
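
The inetd/xinetd check suggested in the post above, sketched as an added example (not part of the original post or of any tool it mentions): it flags root-run entries that listen on a numeric port above 1024 or launch a shell as the server. The function names, the sample entries and the assumption that xinetd attributes are written with spaces around "=" are constructed for illustration.

```sh
#!/bin/sh
# Added example: flag root-run inetd/xinetd entries that listen on a numeric
# port above 1024 or start a shell directly. All sample data is constructed.

# inetd.conf fields: service socket proto wait user server args...
audit_inetd() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        NF >= 6 {
            user = $5; sub(/[.:].*/, "", user)  # strip an optional group suffix
            why = ""
            if ($1 ~ /^[0-9]+$/ && $1 + 0 > 1024) why = "high-port"
            if ($6 ~ /\/(ba|c|k|tc|z)?sh$/) why = (why == "" ? "" : why ",") "shell"
            if (user == "root" && why != "")
                print "inetd line " FNR ": " $1 " -> " $6 " (" why ")"
        }' "$1"
}

# xinetd.d files: "service NAME { attr = value ... }", one attribute per line,
# whitespace around "=" (assumption). Disabled services are not reported.
audit_xinetd() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk -v file="${f##*/}" '
            $1 == "service" { svc = $2; port = user = prog = ""; off = "no" }
            $2 == "=" {
                if ($1 == "port")    port = $3
                if ($1 == "user")    user = $3
                if ($1 == "server")  prog = $3
                if ($1 == "disable") off  = $3
            }
            $1 == "}" && off != "yes" && user == "root" {
                why = ""
                if (port + 0 > 1024) why = "high-port"
                if (prog ~ /\/(ba|c|k|tc|z)?sh$/) why = (why == "" ? "" : why ",") "shell"
                if (why != "") print "xinetd " file ": " svc " -> " prog " (" why ")"
            }' "$f"
    done
}

# Constructed sample configuration; prints the temporary directory it created.
make_sample() {
    dir=$(mktemp -d) && mkdir "$dir/xinetd.d" || return 1
    cat > "$dir/inetd.conf" <<'EOF'
# constructed sample
ftp     stream tcp nowait root   /usr/sbin/in.ftpd in.ftpd -l -a
finger  stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd
31337   stream tcp nowait root   /bin/sh sh -i
EOF
    cat > "$dir/xinetd.d/services" <<'EOF'
service telnet
{
    user    = root
    server  = /usr/sbin/in.telnetd
}
service extra
{
    port    = 4000
    user    = root
    server  = /bin/bash
}
EOF
    echo "$dir"
}

d=$(make_sample) && audit_inetd "$d/inetd.conf" && audit_xinetd "$d/xinetd.d"; rm -rf "$d"
```

A named service that maps to a high port in /etc/services is only caught here when its server is a shell; on a box that may already be compromised, run the check from trusted media, since the local awk and sh may have been replaced.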
------------------------------
From: Jean-David Beyer <[EMAIL PROTECTED]>
Subject: Re: migrating /home from /
Date: Wed, 04 Apr 2001 07:34:00 -0400
Christian Huebner wrote:
>
> "Sudhakar R." wrote:
> >
> > I currently have /home residing on / and would like to make more room on
> > my / partition. So I've decided to use fips to shrink my windows
> > partition and free up some space on my hard disk where I can put
> > /home. Can someone please detail the necessary steps that I should
> > follow.
> >
> > I can work with fips and free up some space on my harddisk. How do I go
> > about formatting this new space into an ext2 filesystem and then how do I
> > migrate /home to this new partition.
>
> You need to do the following steps:
>
> 1) Backup your home directory or better your whole disk.
>
> 2) Use fdisk to create a new partition in the space you freed using fips.
> Be sure to set the partition type right.
>
> 3) Use mkfs to create an ext2-filesystem on the new partition.
>
> 4) Mount the new ext2-Filesystem to /mnt.
>
> 5) Transfer your data. I don't recommend using cp or mv. I suggest using
> tar instead. ( cd /home; tar cf - * |(cd /mnt; tar xvf -) )
I suggest something like
find /home -print | cpio -p /mnt/home
(but better do man find and man cpio first).
>
> 6) Erase all data in /home. Did I tell you to backup your home directory
> or even better, your whole disk?
>
> 7) Unmount your new home partition from /mnt and mount it to /home to
> test it.
>
> 8) If it works, add a line to /etc/fstab to make it mount automatically
> on boot time.
>
> If you have major problems understanding this I suggest you find someone
> to do it with you or your data might get hurt.
>
> Chris
>
> --
>
> Christian Huebner - [EMAIL PROTECTED]
--
.~. Jean-David Beyer Registered Linux User 85642.
/V\ Registered Machine 73926.
/( )\ Shrewsbury, New Jersey http://counter.li.org
^^-^^ 7:30am up 2 days, 14:20, 3 users, load average: 1.45, 1.86, 1.61
------------------------------
From: Jean-David Beyer <[EMAIL PROTECTED]>
Subject: Re: netscape default preferences question
Date: Wed, 04 Apr 2001 07:45:26 -0400
Neil Zanella wrote:
>
> Hello,
>
> I am running netscape 4.76 on Linux. Is there a file where I can set
> the system wide default home page which comes up when a user selects
> New -> Navigator Window? Each user can set this with Edit ->
> Preferences -> Navigator -> Location but I would like to specify
> something other than http://home.netscape.com/ as the default.
> I have seen this done on Windows computers. Is this possible on
> Linux and how can one do this? I have looked at the files
> /usr/lib/netscape/bookmark.htm and
> /usr/doc/netscape-common-4.76/Netscape.ad
> but these files were not helpful in accomplishing this task.
>
You might look around in /opt/netscape/defaults/pref (where it is on
my machine); I suspect, without trying it, that all.js might be the
one.
--
.~. Jean-David Beyer Registered Linux User 85642.
/V\ Registered Machine 73926.
/( )\ Shrewsbury, New Jersey http://counter.li.org
^^-^^ 7:40am up 2 days, 14:30, 3 users, load average: 1.96, 1.60, 1.51
------------------------------
From: "Chris West" <[EMAIL PROTECTED]>
Subject: FAT CR/LF conversion
Date: Wed, 4 Apr 2001 12:47:03 +0100
I have a floppy disk which I mount using:
mount -tvfat /dev/fd0 /mnt/floppy -oconv=auto
When I copy a text file (file.log) to the floppy using cp, the NL->CR/LF
conversion isn't performed, the destination file is identical to the source
file.
Am I right in thinking this conversion should be performed for cp?
If so, any ideas what I'm doing wrong?
[kernel 2.4.1, cp (GNU fileutils) 4.0x]
------------------------------
From: "Dennis" <[EMAIL PROTECTED]>
Subject: Root cannot login
Date: Wed, 4 Apr 2001 15:46:39 +0400
Hi
I have come across a RedHat 6.0 server with the following problem:
Root or any user can't login.
At the prompt, I get this error message after putting the username :
"/usr/bin/tklogin : No such file or directory"
It does not even prompt for the password
Web & Mail services are functioning
How can I solve this?
Thanks
Rgds
Dennis
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: FAT CR/LF conversion
Date: 4 Apr 2001 11:56:31 GMT
Chris West <[EMAIL PROTECTED]> wrote:
> I have a floppy disk which I mount using:
> mount -tvfat /dev/fd0 /mnt/floppy -oconv=auto
Wasn't it -o conv=auto (with a space in between)?
> Am I right in thinking this conversion should be performed for cp?
Theoretically yes
> If so, any ideas what I'm doing wrong?
Only the 'space' thing (if it isn't a mistype).
Davide
------------------------------
From: Stanislaw Flatto <[EMAIL PROTECTED]>
Subject: Re: Stupid Mistakes
Date: Wed, 04 Apr 2001 22:12:07 +1000
Working as root has its merits.
Have fun.
Stanislaw.
Slack user from Ulladulla.
Skylar Thompson wrote:
> I made two very stupid mistakes today by resizing partitions (I have
> Win98 and OS/2 3 in addition to RedHat 6.1) without making a rescue
> floppy or a backup (the backup was next on my list actually, and
> the floppy was forgotten about soon after the installation and
> configuration ended late at night).
>
> Well, now the kernel cannot be found, and I am stuck with a dilapidated
> system on the Linux Central RedHat 6.1 distribution CD. I can mount my
> system, but I cannot get LILO to print out the kernel location information;
> it keeps on saying that /dev/sdb5 cannot be found even though I used
> that to mount that partition in the first place. I plan on trying to make
> a backup tomorrow and install a new system and get everything
> straightened out with the new kernel. If that fails, I guess I would have
> to wipe my current installation and start over from scratch, but I would
> like to avoid that.
>
> Can anyone offer any help?
>
> --Skylar Thompson ([EMAIL PROTECTED])
>
> `All that is gold does not glitter/Not all who wander are lost
> The old that is strong does not wither/Deep roots are not reached by the frost
> From the ashes a fire shall be woken/A light from the shadows shall spring
> Renewed shall be blade that was broken/The crownless again shall be king.'
------------------------------
From: Christopher Albert <[EMAIL PROTECTED]>
Subject: Re: FAT CR/LF conversion
Date: Wed, 04 Apr 2001 13:59:47 +0200
Chris West wrote:
>
> I have a floppy disk which I mount using:
>
> mount -tvfat /dev/fd0 /mnt/floppy -oconv=auto
>
> When I copy a text file (file.log) to the floppy using cp, the NL->CR/LF
> conversion isn't performed, the destination file is identical to the source
> file.
>
> Am I right in thinking this conversion should be performed for cp?
> If so, any ideas what I'm doing wrong?
>
> [kernel 2.4.1, cp (GNU fileutils) 4.0x]
AFAIK, cp doesn't do such conversions. You can get unix2dos, make the
conversion and then copy.
Chris
------------------------------
From: Christopher Albert <[EMAIL PROTECTED]>
Crossposted-To: alt.os.linux,alt.linux,comp.os.linux.help,comp.os.linux
Subject: Re: PLEASE HELP!, MY LINUX have been HACKED~
Date: Wed, 04 Apr 2001 14:07:15 +0200
Leo wrote:
>
> Dear all,
>
> Today I turned on my linux and I received a mail from sendmail regarding
> a failed message posted to
> someone in @sina.com . SO i check it out and it basically it says the
> following:
>
> ---------- Forwarded message ----------
> Date: Wed, 4 Apr 2001 03:15:21 +0800
> From: Mail Delivery Subsystem <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Warning: could not send message for past 4 hours
>
> **********************************************
> ** THIS IS A WARNING MESSAGE ONLY **
> ** YOU DO NOT NEED TO RESEND YOUR MESSAGE **
> **********************************************
>
> The original message was received at Tue, 3 Apr 2001 21:57:12 +0800
> from root@localhost
>
> ----- The following addresses had transient non-fatal errors -----
> [EMAIL PROTECTED]
>
Leo,
You're compromised. Sorry, time for mkfs and a fresh install.
Get your box off line--it is being used to attack others.
You can look at
http://www.cert.org/tech_tips/root_compromise.html
And to find out more about the "adore" worm that is on your system you
can see:
http://www.sans.org/y2k/adore.htm
At that link there is an "adorefind" program which will find and
eliminate the adore worm, but frankly you can't really be sure if that is
all there is. Since the sans posting a few days ago, adore could have
mutated. Reformat, and reinstall after you have read some security docs.
Chris
P.S: Please don't multi-post
------------------------------