Linux-Misc Digest #56, Volume #28 Thu, 7 Jun 01 22:13:02 EDT
Contents:
Questionable packets, need help (Leonard Evens)
Re: "no rule to make bzimage" (Raj Rijhwani)
Re: can't umount /usr (busy?) (Raj Rijhwani)
root pop-up (Charles P Koerner)
Re: Questionable packets, need help (Troutman)
Re: Questionable packets, need help ("Ian Jones")
Re: newly exposed to linux server with 98 clients (John Hasler)
Re: Getting Plan 9 kernel source (Jan Schaumann)
Re: Questionable packets, need help, P.S. (Leonard Evens)
Re: XFree86 resolution (Dances With Crows)
Re: root pop-up ("Jay")
Re: How disable (setterm blank, powerdown, powersave) on system console? (David Efflandt)
Re: fetchmail config problem (Floyd Davidson)
Re: GROUP TAKEOVER IN PROGRESS ("pilgrim")
Re: rc.local file. (Steve Martin)
Printing problem: selecting input tray (Pim)
----------------------------------------------------------------------------
From: Leonard Evens <[EMAIL PROTECTED]>
Crossposted-To: redhat.general,comp.os.linux.security
Subject: Questionable packets, need help
Date: Thu, 07 Jun 2001 19:11:07 -0500
One of our users got a complaint from a distant site that
his machine was sending packets which the remote site's firewall
was rejecting. The person at the remote site wanted to know
why. tcpdump, which we are just now learning to use, confirmed
our machine was sending packets out to a variety of sites.
We reinstalled the OS after formatting the disk and ran it without
the /home partition mounted. But that did not resolve the problem,
tcpdump still showed packets being sent out. We also tried some
other measures I won't go into here. But after some further
investigation, we saw that each time there was an incoming (icmp)
packet, our machine just responded to the (apparent)
ip address of the source machine. It is quite possible, perhaps
even likely, that this was the case all along, since we could find
no evidence of tampering in the first place.
I can envision two possibilities here. (1) The source machines
had been compromised and were all aiming an attack at our machine
(which was running a web server). (2) Someone was sending packets
with many false ip addresses to our machine which was responding.
We would appreciate any comments on what may be happening, and
any ideas for countermeasures.
As a postscript, let me add that several machines on our campus
had web sites attacked and made to post anti-Chinese obscenities.
But that had not happened to the machine discussed above.
--
Leonard Evens [EMAIL PROTECTED] 847-491-5537
Dept. of Mathematics, Northwestern Univ., Evanston, IL 60208
------------------------------
From: [EMAIL PROTECTED] (Raj Rijhwani)
Subject: Re: "no rule to make bzimage"
Date: Fri, 08 Jun 2001 01:23:53 +0100 (BST)
Reply-To: [EMAIL PROTECTED]
On 6 Jun, in article
<9flbnq$4jj1d$[EMAIL PROTECTED]> [EMAIL PROTECTED]
wrote:
> Tom Edelbrok <[EMAIL PROTECTED]> wrote:
> > But when I do a "make bzimage" (to create a disk copy of the kernel) I get
> > the message:
> Shouldn't be "make bzImage" (note the capital I) ?
It should indeed.
--
Raj Rijhwani (umtsb5/16) | This is the voice of the Mysterons...
[EMAIL PROTECTED] | ... We know that you can hear us Earthmen
http://www.rijhwani.org/raj/ | "Lieutenant Green: Launch all Angels!"
------------------------------
From: [EMAIL PROTECTED] (Raj Rijhwani)
Subject: Re: can't umount /usr (busy?)
Date: Fri, 08 Jun 2001 01:26:27 +0100 (BST)
Reply-To: [EMAIL PROTECTED]
On Wednesday, in article <9fkq09$n42$[EMAIL PROTECTED]>
[EMAIL PROTECTED] "Eric" wrote:
> > Yesterday I was working on a Linux server (formerly RedHat 6.2 but
> > with new kernel) to update a Web Site that is hosted there, then I
> > decided to update the kernel (since I was at it).
> > After recompilation I give the "reboot" command...then the system
> > complained that he can't umount /usr because it was "busy" (??!!).
> > Using fuser seems that nobody is using it but the kernel
> > (/usr root kernel mount /usr).
> I don't know fuser, but doesn't lsof show anything either?
fuser provides a list of the individual processes actively using the file
addressed. However, if that file is actually a directory, it doesn't
necessarily show usage below that point.
--
Raj Rijhwani (umtsb5/16) | This is the voice of the Mysterons...
[EMAIL PROTECTED] | ... We know that you can hear us Earthmen
http://www.rijhwani.org/raj/ | "Lieutenant Green: Launch all Angels!"
------------------------------
From: Charles P Koerner <[EMAIL PROTECTED]>
Subject: root pop-up
Date: Fri, 08 Jun 2001 00:37:44 GMT
Used to be whenever I could only get something done as "root" I got a
pop-up saying this must be done as root only and it gave me a means to
put root's password in.
Now this feature is gone.
Anyone know about this and how I can get it back?
Charles P Koerner
------------------------------
From: [EMAIL PROTECTED] (Troutman)
Crossposted-To: redhat.general,comp.os.linux.security
Subject: Re: Questionable packets, need help
Date: 7 Jun 2001 20:44:35 -0400
Leonard Evens <[EMAIL PROTECTED]> graced us with the following:
>I can envision two possibilities here. (1) The source machines
>had been compromised and were all aiming an attack at our machine
>(which was running a web server). (2) Someone was sending packets
>with many false ip addresses to our machine which was responding.
>
>We would appreciate any comments on what may be happening, and
>any ideas for countermeasures.
What type of packets were hitting the distant firewall? Were they icmp
packets? If so - what type of icmp? It is possible someone was sending
source forged packets to your server, which was responding normally to
them. If you don't require icmp responses, use a chain or table to drop
all icmp to stop the packets. The same attack could be done with tcp and
udp - a simple DoS attack. There really isn't much you can do to stop it
unfortunately.
--
______________________________
Mike Troutman
http://www.troutman.org
http://www.zen-data.com
------------------------------
From: "Ian Jones" <[EMAIL PROTECTED]>
Crossposted-To: redhat.general,comp.os.linux.security
Subject: Re: Questionable packets, need help
Date: Thu, 7 Jun 2001 17:43:48 -0700
=====BEGIN PGP SIGNED MESSAGE=====
Hash: SHA1
"Leonard Evens" <[EMAIL PROTECTED]> wrote
> One of our users got a complaint from a distant site that
> his machine was sending packets which the remote site's firewall
> was rejecting. The person at the remote site wanted to know
> why. tcpdump, which we are just now learning to use, confirmed
> our machine was sending packets out to a variety of sites.
>
> We reinstalled the OS after formatting the disk and ran it without
> the /home partition mounted. But that did not resolve the problem,
> tcpdump still showed packets being sent out. We also tried some
> other measures I won't go into here. But after some further
> investigation, we saw that each time there was an incoming (icmp)
> packet, our machine just responded to the (apparent)
> ip address of the source machine. It is quite possible, perhaps
> even likely, that this was the case all along, since we could find
> no evidence of tampering in the first place.
>
> I can envision two possibilities here. (1) The source machines
> had been compromised and were all aiming an attack at our machine
> (which was running a web server). (2) Someone was sending packets
> with many false ip addresses to our machine which was responding.
>
> We would appreciate any comments on what may be happening, and
> any ideas for countermeasures.
Without seeing a packet dump of the traffic in question, it is hard to be
of much assistance. You might want to insert a network IDS onto the segment
where this is going on and see if you can figure it out. Stick a snort node
in there and the standard (or rather, included basic) ruleset will probably
catch and report your traffic to you if it is malicious. Of course, tcpdump
is doing pretty much the same thing, but its filtering (selection)
abilities are much more primitive.
=====BEGIN PGP SIGNATURE=====
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
Comment: Making the world safe for geeks.
iQA/AwUBOyAfwcAVSpfzXItKEQL1pgCg3f+45N2iJqD2ZYthP7aP+earc90AoJBQ
u5Lokjfblo/acsJ/ilru9SJ7
=8zLn
=====END PGP SIGNATURE=====
------------------------------
From: John Hasler <[EMAIL PROTECTED]>
Subject: Re: newly exposed to linux server with 98 clients
Date: Thu, 7 Jun 2001 23:47:01 GMT
Dave Uhring writes:
> That's a school he is at. A "typing program" is most likely a tutorial.
A typing tutorial with network admin/database capability?
--
John Hasler
[EMAIL PROTECTED]
Dancing Horse Hill
Elmwood, Wisconsin
------------------------------
From: [EMAIL PROTECTED] (Jan Schaumann)
Subject: Re: Getting Plan 9 kernel source
Date: Fri, 08 Jun 2001 00:59:01 -0000
* Chen Wang wrote:
> Hi, anyone know how I can get a copy of the kernel
> source for Plan 9? Searching on google and lucent's
> website didn't yield any source code links.
Google didn't help you?
Try again:
http://www.google.com/search?q=plan+9+source+code
This brings me to
http://www.cs.bell-labs.com/plan9dist/
You could of course also just go to http://www.vitanuova.com and order the
distribution...
-Jan
--
Jan Schaumann <http://www.netmeister.org>
If you write something wrong enough, I'll be glad to make up a new
witticism just for you. -- Larry Wall
------------------------------
From: Leonard Evens <[EMAIL PROTECTED]>
Crossposted-To: redhat.general,comp.os.linux.security
Subject: Re: Questionable packets, need help, P.S.
Date: Thu, 07 Jun 2001 19:39:19 -0500
Leonard Evens wrote:
>
> One of our users got a complaint from a distant site that
> his machine was sending packets which the remote site's firewall
> was rejecting. The person at the remote site wanted to know
> why. tcpdump, which we are just now learning to use, confirmed
> our machine was sending packets out to a variety of sites.
>
> We reinstalled the OS after formatting the disk and ran it without
> the /home partition mounted. But that did not resolve the problem,
> tcpdump still showed packets being sent out. We also tried some
> other measures I won't go into here. But after some further
> investigation, we saw that each time there was an incoming (icmp)
> packet, our machine just responded to the (apparent)
> ip address of the source machine. It is quite possible, perhaps
> even likely, that this was the case all along, since we could find
> no evidence of tampering in the first place.
>
> I can envision two possibilities here. (1) The source machines
> had been compromised and were all aiming an attack at our machine
> (which was running a web server). (2) Someone was sending packets
> with many false ip addresses to our machine which was responding.
>
> We would appreciate any comments on what may be happening, and
> any ideas for countermeasures.
>
> As a postscript, let me add that several machines on our campus
> had web sites attacked and made to post anti-Chinese obscenities.
> But that had not happened to the machine discussed above.
>
> --
>
> Leonard Evens [EMAIL PROTECTED] 847-491-5537
> Dept. of Mathematics, Northwestern Univ., Evanston, IL 60208
I should add that the incoming packets involved daytime, which
in fact was not activated on our machine.
--
Leonard Evens [EMAIL PROTECTED] 847-491-5537
Dept. of Mathematics, Northwestern Univ., Evanston, IL 60208
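Added example, written for this digest and not posted by Leonard, Ian or any other participant: a short Python script that does by hand what Ian's snort suggestion and Leonard's own tcpdump observations point at. It reads tcpdump-style lines, pairs every packet our host sends with the packets it previously received from that peer, and reports two things separately: how much of the outbound traffic is merely an answer to inbound packets from many distinct "sources" (the pattern of Leonard's possibility 2, forged source addresses bouncing off the server), and how much of it is traffic the host started on its own (which would point toward a compromised host instead). The trace lines are constructed for the example, not taken from Leonard's machine; 198.51.100.10 stands in for the local web server, port 13 is the daytime port mentioned in the P.S. (a UDP packet to a closed port draws an ICMP port-unreachable reply, which is itself an outbound packet), and the thresholds in `assess` are arbitrary starting points, not tuned values.

```python
import re
from collections import Counter

# Constructed tcpdump-style trace (not from the digest). 198.51.100.10 plays
# the local web server; every other address is the *apparent* source of a
# packet, which may or may not be the real sender.
OUR_HOST = "198.51.100.10"

SAMPLE_LINES = """\
19:05:01.100000 203.0.113.5 > 198.51.100.10: icmp: echo request
19:05:01.100100 198.51.100.10 > 203.0.113.5: icmp: echo reply
19:05:01.200000 203.0.113.6.40001 > 198.51.100.10.13: udp 8
19:05:01.200100 198.51.100.10 > 203.0.113.6: icmp: 198.51.100.10 udp port 13 unreachable
19:05:01.300000 203.0.113.7 > 198.51.100.10: icmp: echo request
19:05:01.300100 198.51.100.10 > 203.0.113.7: icmp: echo reply
19:05:01.400000 203.0.113.8.40002 > 198.51.100.10.13: udp 8
19:05:01.400100 198.51.100.10 > 203.0.113.8: icmp: 198.51.100.10 udp port 13 unreachable
19:05:01.500000 192.0.2.9 > 198.51.100.10: icmp: echo request
19:05:01.500100 198.51.100.10 > 192.0.2.9: icmp: echo reply
19:05:02.000000 198.51.100.10.1025 > 192.0.2.200.8080: S 1:1(0) win 5840
""".splitlines()

# "<timestamp> <src> > <dst>: <protocol details>"
LINE_RE = re.compile(r"^(\S+) (\S+) > (\S+): (.*)$")


def split_endpoint(ep):
    """'a.b.c.d.port' -> ('a.b.c.d', 'port'); 'a.b.c.d' -> ('a.b.c.d', None)."""
    parts = ep.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), parts[4]
    return ep, None


def parse_line(line):
    """Return a dict for one tcpdump line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, dst, info = m.groups()
    src_ip, src_port = split_endpoint(src)
    dst_ip, dst_port = split_endpoint(dst)
    return {"ts": ts, "src": src_ip, "sport": src_port,
            "dst": dst_ip, "dport": dst_port, "info": info}


def reply_kind(info):
    """Coarse label for what kind of answer our host sent."""
    if "echo reply" in info:
        return "echo reply"
    if "unreachable" in info:
        return "port unreachable"
    return "other"


def classify(lines, our_host=OUR_HOST):
    """Split our host's outbound packets into answers to prior inbound traffic
    and packets with no prior inbound traffic from that peer at all."""
    inbound_by_peer = Counter()   # apparent source -> packets received from it
    solicited = []                # outbound packets answering something we got
    unsolicited = []              # outbound packets our host started itself
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["dst"] == our_host:
            inbound_by_peer[pkt["src"]] += 1
        elif pkt["src"] == our_host:
            bucket = solicited if inbound_by_peer[pkt["dst"]] > 0 else unsolicited
            bucket.append(pkt)
    return inbound_by_peer, solicited, unsolicited


def assess(lines, our_host=OUR_HOST, min_peers=3):
    """Summarise the trace into the two hypotheses from the thread."""
    inbound, solicited, unsolicited = classify(lines, our_host)
    peers = len(inbound)
    # Many distinct peers, each seen only once or twice, with our outbound
    # packets all matching a prior inbound one: the host is simply answering
    # whatever arrives, so the "sources" are probably forged (reflection).
    low_rate = peers > 0 and max(inbound.values()) <= 2
    return {
        "distinct_peers": peers,
        "solicited_out": len(solicited),
        "unsolicited_out": len(unsolicited),
        "reply_kinds": Counter(reply_kind(p["info"]) for p in solicited),
        "looks_like_reflection": peers >= min_peers and low_rate and bool(solicited),
        # Any outbound packet that answers nothing is the host acting on its
        # own; that is what distinguishes a compromised host from a reflector.
        "host_originates_traffic": bool(unsolicited),
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

On the constructed trace the script reports five distinct peers, five answered packets (three echo replies and two port-unreachables from the closed daytime port) and one unsolicited outbound connection; the first two numbers describe a reflector, the last is the one to go looking at. On a real capture you would feed it `tcpdump -n` output restricted to the host in question and raise `min_peers` to match the traffic volume.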
------------------------------
From: [EMAIL PROTECTED] (Dances With Crows)
Subject: Re: XFree86 resolution
Reply-To: [EMAIL PROTECTED]
Date: 08 Jun 2001 01:10:17 GMT
On Thu, 07 Jun 2001 12:37:42 -0000, Chad Lemmen staggered into the Black
Sun and said:
>Dave Uhring <[EMAIL PROTECTED]> wrote:
>> Chad Lemmen wrote:
>>>
>>> Using XFree86 4.0.2 and Caldera eDesktop 2.4. I ran XFree86
>>> -configure to generate a XF86Config file, but there is no video
>>> resolutions listed in the file that was generated. The X server
>>> works, but how does it know what resolution to use "800x600"
>>> "1024x768" etc... ?
>>>
>>> I can't seem to cut and paste right now so I can't paste the "Screen"
>>> section of XF86Config so here is just one display setting
>>>
>>> SubSection "Display"
>>> Depth 8
>>> EndSubSection
>>>
>>> This is all it has for each depth setting. There is no Modes, which
>>> I thought it was set the resolution. So how is the resolution being
>>> set?
>>>
>
>> The server is aware of your monitor and selects the maximum size
>> display which the monitor is capable of displaying. You want
>> ModeLines, you can add them and the server will use them.
>
>I noticed that my system Caldera 2.4 has two XF86Config files. One in
>/etc/XF86Config and one it /etc/X11/XF86Config. The one in /etc has
>modes lines. I think both files are being used. I'm not sure if this
>is specific to Caldera or not. Also after I install XFree86 by running
>the Xinstall.sh script and I type xdpyinfo to see what version I'm now
>running it show 4.0.2 or 4.1.0 (I've tried both versions). The problem
>is that it defaults to a real high resolution so I go into XF86Setup to
>change it to 800x600. After doing this xdpyinfo show my version at
>3.3.6, which is what Caldera 2.4 ships with. Why is the version number
>switching back after running XF86Setup? This brings me to my main
>problem right after the install of a new version of XFree86 I can do X
>:1 to get a second X session, but after running XF86Setup I'm not
>allowed to run a second X session as a normal user(must be root). It
>seems by running XF86Setup some of the configuration files are being
>overwritten by the old version. Any ideas what could be going on here?
XF86Setup is *only* for X version 3.x . To configure X 4.x correctly,
use xf86cfg. If Caldera does things like SuSE, then /etc/XF86Config is
the config file for X 3.3.6 and /etc/X11/XF86Config is the config file
for X 4.x . You don't need to use any external program to change which
modes are available under any X program. Take a look at
/etc/X11/XF86Config and you will find a section like so:
Subsection "Display"
Depth 8
Modes "640x480" "800x600" "1024x768" "1280x1024"
EndSubsection
Subsection "Display"
Depth 16
Modes "640x480" "800x600" "1024x768" "1280x1024"
EndSubsection
Subsection "Display"
Depth 24
Modes "1280x1024" "1024x768" "640x480" "320x240"
EndSubsection
I use 24-bit color and have a 19" monitor, so 1280x1024 is the preferred
resolution for me. Edit the appropriate Modes line under the Depth you
prefer, and make sure that "800x600" is the first mode on the line, and
that no modes larger than that are present on that line unless you like
the virtual screen functionality of X (many people don't, some love it.)
The X 4.x config files do not generally have modelines in them; X 4.x
likes to use standard VESA modes if it can. Generally, the only time
you will need modelines in an X 4.x config file is if you like to use
weird resolutions like 320x240....
--
Matt G|There is no Darkness in Eternity/But only Light too dim for us to see
Brainbench MVP for Linux Admin / Outside of a dog, a book is a man's best
http://www.brainbench.com / friend. Inside of a dog, it's too dark
=============================/ to read. ==Groucho Marx
------------------------------
From: "Jay" <[EMAIL PROTECTED]>
Subject: Re: root pop-up
Date: Fri, 08 Jun 2001 01:24:24 GMT
No I noticed that also. However someone posted a suggestion to use sudo.
It works really well from the command line except when you want to use
"more". Otherwise in Gnome I get the pop-up for Linuxconf and Gnorpm.
"Charles P Koerner" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
> Used to be whenever I could only get something done as "root" I got a
> pop-up saying this must be done as root only and it gave me a means to
> put root's password in.
>
>
> Now this feature is gone.
>
> Anyone know about this and how I can get it back?
>
> Charles P Koerner
>
------------------------------
From: [EMAIL PROTECTED] (David Efflandt)
Subject: Re: How disable (setterm blank, powerdown, powersave) on system console?
Date: Fri, 8 Jun 2001 01:46:02 +0000 (UTC)
Reply-To: [EMAIL PROTECTED]
On 7 Jun 2001 16:00:15 -0700, wb0gaz <[EMAIL PROTECTED]> wrote:
> I want to disable blank/powerdown on the console of my RH7-based
> linux box; I understand the /sbin/console program is what's serving
> the main CRT but I don't see where to tell it about these parameters
> so it will stay on continuously which is what I want. Previous
> post on this subject referred me to setterm which looks just like
> what I want, but I can't figure out where to plug the options in!
Run setterm with whatever options from /etc/rc.d/rc.local (or whatever
script runs miscellaneous boot commands if that changed). I do that to
set powersave during blank, so you should be able to do it from there to
unset anything.
--
David Efflandt (Reply-To is valid) http://www.de-srv.com/
http://www.autox.chicago.il.us/ http://www.berniesfloral.net/
http://cgi-help.virtualave.net/ http://hammer.prohosting.com/~cgi-wiz/
------------------------------
From: Floyd Davidson <[EMAIL PROTECTED]>
Subject: Re: fetchmail config problem
Date: 07 Jun 2001 16:57:38 -0800
[EMAIL PROTECTED] (Larry Ebbitt) wrote:
>>>hey, just doing my job. If you have another position available
>>>for me let me know. Thanks for the info though...
>>
>> Being paid to do it does NOT make it any more appropriate.
>> Ukpeagvik (Barrow, Alaska) [EMAIL PROTECTED]
>
>We don't know that it's spam. It may well be notifications to
>customers. I get many from Lexmark and amazon.com, for instance,
>that go to thousands of others.
That is true... except the wording sounded like it, and I do
note that he didn't deny it either.
--
Floyd L. Davidson <http://www.ptialaska.net/~floyd>
Ukpeagvik (Barrow, Alaska) [EMAIL PROTECTED]
------------------------------
From: "pilgrim" <[EMAIL PROTECTED]>
Crossposted-To: alt.drugs.pot,comp.lang.javascript,comp.lang.perl.misc,comp.lang.python
Subject: Re: GROUP TAKEOVER IN PROGRESS
Date: Fri, 8 Jun 2001 11:57:35 +1000
Mr Kohler,
I am only new at this so please excuse the mistypes -
<script Language=Jscript>
var Kohler = new Object();
var Kohler.personality = new array[11]
var Kohler.dick.size="needle";
Kohler.gofuck("yourself");
</script>
Like I said, I'm only new at this.
------------------------------
From: Steve Martin <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Crossposted-To: alt.os.linux,comp.os.linux.setup
Subject: Re: rc.local file.
Date: Thu, 07 Jun 2001 21:56:03 -0400
serafim wrote:
> Quite common is to add your own module loading commands just before the
> end of rc.local.
You might also put your desired module loading commands into a file
called "rc.modules"; this file is executed (if present) by rc.sysinit.
------------------------------
From: [EMAIL PROTECTED] (Pim)
Subject: Printing problem: selecting input tray
Date: Fri, 08 Jun 2001 02:04:33 GMT
Hello,
I want to be able to print a postscript file, selecting from which
sheet feeder of my HP LJ 2100 the paper should come from. Does anyone
know how to do this? I know the PCL escape sequence to do this, so if
I could get gs to print that sequence it should work, but don't know
how to do such a thing.
Thanks,
pim
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to comp.os.linux.misc.
Linux may be obtained via one of these FTP sites:
ftp.funet.fi pub/Linux
tsx-11.mit.edu pub/linux
sunsite.unc.edu pub/Linux
End of Linux-Misc Digest
******************************