On Fri, 2003-02-21 at 04:06, Dragosh M. wrote:
> Man,
>
> #1 chill out.
>
> #2 upgrade IMMEDIATELY everything related to ssh/ssl
>
> #3 stop the ftp service
>
> #4 see which ports the rootkit is listening on, if something like that got installed,
> and cut the connections to those ports in the firewall
>
> see www.chkrootkit.org
> http://freshmeat.net/redir/chkrootkit/20715/url_tgz/chkrootkit.tar.gz
>
> as a quick check you can try updatedb ; locate adore
>
> #5 if you can't manage, I offer to help you remotely and/or to set up an
> upload account on my machine for your important files.
>
you forgot #6: Get a consultant ;)

>
> On Fri, 2003-02-21 at 03:51, Laurentiu STEFAN wrote:
> >
> > A HACKER got into my server.
> > When I saw (suspected) that someone was in, I rebooted it.
> > httpd, squid, samba and the devil knows what else stopped working.
> > For the moment I want to get only squid, samba and iptraf working again.
> >
> > I noticed that there are very few files in /var/log.
> >
> > HELP HELP HELP!!!
> >
> > If possible, I would ask someone to set up an FTP account for me with the necessary configurations so that I can copy them into mine.
> > Or tell me the commands I should run.
> > Reinstalling from scratch is not an option at this moment.
> >
> > On restart, httpd gave me this error:
> > [root@....]# service httpd start
> > Starting httpd: fopen: No such file or directory
> > httpd: could not open error log file /var/log/httpd/error_log.
> > [FAILED]
> >
> > I created the httpd directory in /var/log.
> > I gave apache permissions on it and it still doesn't work.
> > I think I need to create some other directory as well.
> >
> > Now in /var/log/httpd/error_log:
> > [Fri Feb 21 02:38:24 2003] [notice] Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b DAV/1.0.2 PHP/4.0.6 mod_perl/1.24_01 configured -- resuming normal operations
> > [Fri Feb 21 02:38:24 2003] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> >
> > YES! For Squid, recreating its log worked; with httpd I don't know what is wrong.
> >
> > IF SOMEONE CAN HELP ME I WILL BE IN THEIR DEBT!!!
> >
> > - restore httpd/apache (or install another web server)
> > - reconfigure the firewall to leave only the useful services open from outside - eth0 (DNS, Mail, WWW) and from inside, sshd, ftp, squid, samba, mail, www, dns - eth1
> > - as for iptraf, I think I will reinstall it.
> >
> > ==============================
> >
> > root      1203  0.0  0.2  2140  316 ?        SN   00:59   0:00 //bin/sh
> > root      1895  0.0  0.2  1476  332 ?        SN   01:05   0:00 /sbin/syslogd -m 0
> > root      1899  0.0  0.0  2264    4 ?        SN   01:05   0:00 /usr/sbin/xinetd -reuse
> > root      2361  0.1  1.0  3468 1244 ?        S    01:08   0:00 /usr/sbin/sshd
> > root      2364  0.0  1.0  2452 1256 pts/0    S    01:08   0:00 -bash
> > root      2833  0.0  0.8  2188  968 ?        SN   01:13   0:00 ftp ftp.polarhome.com
> >
> > ftp ftp.polarhome.com - that was not run by me
> > //bin/sh ???
> > /usr/sbin/sshd ???
> > syslogd ???
> >
> > Message from syslogd@Perlea
> > perlea
> >
> >
> > After some time I ran ps -aux again:
> > root      2921  0.0  0.8  2304 1060 ?        SN   01:17   0:00 ftp ftp.netfirms.com
> >
> > What looks strange to me in iptraf is:
> > ip28-43-171-209.toro1.na.psigh.com:64572 > 218 324244 CLOSED eth0
> > Perlea.Ro:1139 > 202 10504 CLOSED eth0
> >
> > Perlea.Ro:ftp > 54 2491 --A- eth0
> > 202.65.134.210:40391 > 53 2124 -PA- eth0
> >
> >
> > ====================================================================
> >
> > My firewall configuration:
> >
> > echo "Inceput configurare firewall"
> > #
> > /sbin/ipchains -A input -s 0/0 -d 193.231.113.125 53 -p udp -i eth0 -j ACCEPT
> > /sbin/ipchains -A input -s 0/0 -d 193.231.113.125 53 -p tcp -i eth0 -j ACCEPT
> > /sbin/ipchains -A output -d 0/0 -s 193.231.113.125 53 -p udp -i eth0 -j ACCEPT
> > /sbin/ipchains -A output -d 0/0 -s 193.231.113.125 53 -p tcp -i eth0 -j ACCEPT
> > /sbin/ipchains -A input -s 0/0 -d 0/0 53 -p tcp -i eth0 -j ACCEPT
> > /sbin/ipchains -A input -s 0/0 -d 0/0 22 -p tcp -i eth0 -j ACCEPT
> > /sbin/ipchains -A input -s 0/0 -d 0/0 21 -p tcp -i eth0 -j ACCEPT
> > #
> > /sbin/ipchains -A output -d 0/0 -s 193.231.113.125 80 -p tcp -i eth0 -j ACCEPT
> > /sbin/ipchains -A input -s 0/0 -d 193.231.113.125 80 -p tcp -i eth0 -j ACCEPT
> > #
> > /sbin/ipchains -A input -s 0/0 -d 0/0 25 -p tcp -y -j ACCEPT
> > /sbin/ipchains -A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT
> > #
> > /sbin/ipchains -A input -s 0/0 67:68 -d 0/0 67:68 -p udp -i eth0 -j ACCEPT
> > /sbin/ipchains -A input -s 0/0 67:68 -d 0/0 67:68 -p udp -i eth1 -j ACCEPT
> > #
> > /sbin/ipchains -A input -s 0/0 -d 0/0 -i lo -j ACCEPT
> > /sbin/ipchains -A input -s 0/0 -d 0/0 -i eth1 -j ACCEPT
> > #
> > /sbin/ipchains -A input -p tcp -s 0/0 -d 0/0 6666:7000 -i eth0 -j REJECT
> > /sbin/ipchains -A output -p tcp -d 0/0 -s 0/0 6666:7000 -i eth0 -j REJECT
> > #
> > /sbin/ipchains -A input -p tcp -s 0/0 -d 193.231.113.125 8081 -i eth0 -j REJECT
> > /sbin/ipchains -A output -p tcp -d 0/0 -s 193.231.113.125 8081 -i eth0 -j REJECT
> > /sbin/ipchains -A input -p tcp -s 0/0 -d 193.231.113.125 2000 -i eth0 -j REJECT
> > /sbin/ipchains -A output -p tcp -d 0/0 -s 193.231.113.125 2000 -i eth0 -j REJECT
> > /sbin/ipchains -A input -p tcp -s 0/0 -d 193.231.113.125 4000 -i eth0 -j REJECT
> > /sbin/ipchains -A output -p tcp -d 0/0 -s 193.231.113.125 4000 -i eth0 -j REJECT
> > /sbin/ipchains -A input -p tcp -s 0/0 -d 193.231.113.125 443 -i eth0 -j REJECT
> > /sbin/ipchains -A output -p tcp -d 0/0 -s 193.231.113.125 443 -i eth0 -j REJECT
> > #
> > /sbin/ipchains -A input -p tcp -s 192.168.2.0/24 -d 0/0 6666:7000 -i eth0 -j REJECT
> > #/sbin/ipchains -A output -p tcp -d 192.168.2.0/24 -s 0/0 6666:6670 -i eth0 -j REJECT
> > #
> > #/sbin/ipchains -A input -p tcp -s 0/0 -d 193.231.113.125 8080 -i eth0 -j REJECT
> > #/sbin/ipchains -A input -p tcp -s 0/0 -d 193.231.113.125 1139 -i eth0 -j REJECT
> > /sbin/ipchains -A input -p tcp -s 0/0 -d 193.231.113.125 21 -i eth0 -j REJECT
> > /sbin/ipchains -A input -p tcp -s 0/0 -d 193.231.113.125 22 -i eth0 -j REJECT
> > #/sbin/ipchains -A output -p tcp -s 0/0 -d 193.231.113.125 8080 -i eth0 -j REJECT
> > #
> > #/sbin/ipchains -A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT
> > #/sbin/ipchains -A input -p tcp -s 0/0 -d 0/0 2049 -j REJECT
> > #/sbin/ipchains -A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
> > #/sbin/ipchains -A input -p udp -s 0/0 -d 0/0 2049 -j REJECT
> > #/sbin/ipchains -A input -p tcp -s 0/0 -d 0/0 6000:6009 -j REJECT
> > #/sbin/ipchains -A input -p tcp -s 0/0 -d 0/0 7100 -j REJECT
> > #/sbin/ipchains -A input -p tcp -s 0/0 -d 0/0 1139 -j REJECT
> > #
> > echo "Forward Start"
> > echo "1" > /proc/sys/net/ipv4/ip_forward
> > /sbin/ipchains -A forward -s 192.168.2.0/24 -d 192.168.2.0/24 -j ACCEPT
> > /sbin/ipchains -A forward -s 193.231.113.0/24 -d 0/0 -j ACCEPT
> > #/sbin/ipchains -A forward -s 192.168.2.0/24 -d 0/0 -j MASQ
> >
> > echo "Masqarading CCPIL IP's"
> > #Centrul Creatiei
> > /sbin/ipchains -A forward -s 192.168.2.127/255.255.255.255 -d 0/0 -j MASQ
> > /sbin/ipchains -A forward -s 192.168.2.150/255.255.255.255 -d 0/0 -j MASQ
> > /sbin/ipchains -A forward -s 192.168.2.155/255.255.255.255 -d 0/0 -j MASQ
> > /sbin/ipchains -A forward -s 192.168.2.157/255.255.255.255 -d 0/0 -j MASQ
> >
> > echo "Masqarading CCUIP IP's"
> > #Centrul Cultural
> > /sbin/ipchains -A forward -s 192.168.2.56/255.255.255.255 -d 0/0 -j MASQ
> > /sbin/ipchains -A forward -s 192.168.2.100/255.255.255.255 -d 0/0 -j MASQ
> > /sbin/ipchains -A forward -s 192.168.2.110/255.255.255.255 -d 0/0 -j MASQ
> > /sbin/ipchains -A forward -s 192.168.2.156/255.255.255.255 -d 0/0 -j MASQ
> >
> > echo "Masqarading DPCCPN IP's"
> > #Inspectorat
> > /sbin/ipchains -A forward -s 192.168.2.32/255.255.255.255 -d 0/0 -j MASQ
> > /sbin/ipchains -A forward -s 192.168.2.163/255.255.255.255 -d 0/0 -j MASQ
> >
> > echo "Masqarading BJI IP's"
> > #BJI
> > /sbin/ipchains -A forward -s 192.168.2.43/255.255.255.255 -d 0/0 -j MASQ
> > /sbin/ipchains -A forward -s 192.168.2.222/255.255.255.255 -d 0/0 -j MASQ
> > echo "Sfarsit configurare firewall"
> >
> > --
> > To unsubscribe, send mail to
> > [EMAIL PROTECTED] with the subject 'unsubscribe rlug'.
> > RULES, archives and other information: http://www.lug.ro/mlist/
> >
> >
>
> --
> I/O error while opening .signature file
>

--
Patrascu Eugeniu

Any views or opinions presented within this e-mail are solely those of the
author and do not necessarily represent those of any company, unless
otherwise specifically stated.
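
The firewall script quoted above appends ACCEPT rules for ports 21 and 22 on eth0 before its later REJECT rules for the same ports, and ipchains acts on the first rule in a chain that matches a packet. As an added example (not part of the original thread), this Python check parses a constructed subset of those rules and lists each later rule that an earlier rule with a different target pre-empts; the names `parse`, `covers` and `shadowed` are made up for this example, and chain default policies are not modelled.

```python
import ipaddress

# Constructed sample: five input-chain rules copied from the quoted script, in file order.
RULES = """\
/sbin/ipchains -A input -s 0/0 -d 0/0 22 -p tcp -i eth0 -j ACCEPT
/sbin/ipchains -A input -s 0/0 -d 0/0 21 -p tcp -i eth0 -j ACCEPT
/sbin/ipchains -A input -p tcp -s 0/0 -d 193.231.113.125 443 -i eth0 -j REJECT
/sbin/ipchains -A input -p tcp -s 0/0 -d 193.231.113.125 21 -i eth0 -j REJECT
/sbin/ipchains -A input -p tcp -s 0/0 -d 193.231.113.125 22 -i eth0 -j REJECT
"""
ANY_PORT = (0, 65535)
KEYS = {"-A": "chain", "-p": "proto", "-i": "iface", "-j": "target"}

def net(spec):
    # ipchains writes "any" as 0/0; the ipaddress module needs the dotted form
    return ipaddress.ip_network("0.0.0.0/0" if spec == "0/0" else spec, strict=False)

def parse(line):
    r = {"chain": None, "proto": None, "iface": None, "target": None, "syn": False,
         "s": net("0/0"), "d": net("0/0"), "sport": ANY_PORT, "dport": ANY_PORT, "text": line}
    tok = line.split()[1:]
    while tok:
        opt = tok.pop(0)
        if opt == "-y":                                # SYN-only match, takes no argument
            r["syn"] = True
        elif opt in ("-s", "-d"):
            r[opt[1]] = net(tok.pop(0))
            if tok and not tok[0].startswith("-"):     # optional port or lo:hi range
                lo, _, hi = tok.pop(0).partition(":")
                r[opt[1] + "port"] = (int(lo), int(hi or lo))
        else:
            r[KEYS[opt]] = tok.pop(0)
    return r

def covers(a, b):
    """True if every packet rule b matches is already matched by earlier rule a."""
    inside = lambda x, y: y[0] <= x[0] and x[1] <= y[1]
    return (a["chain"] == b["chain"] and a["proto"] in (None, b["proto"])
            and a["iface"] in (None, b["iface"]) and (b["syn"] or not a["syn"])
            and b["s"].subnet_of(a["s"]) and b["d"].subnet_of(a["d"])
            and inside(b["sport"], a["sport"]) and inside(b["dport"], a["dport"]))

def shadowed(text):
    """(later rule, earlier rule that pre-empts it) pairs whose targets disagree."""
    rules = [parse(l) for l in text.splitlines() if l.startswith("/sbin/ipchains -A")]
    firsts = [(b, next((a for a in rules[:n] if covers(a, b)), None)) for n, b in enumerate(rules)]
    return [(b["text"], a["text"]) for b, a in firsts if a and a["target"] != b["target"]]
```

On the sample, `shadowed(RULES)` reports the two REJECT rules for ports 21 and 22 as unreachable behind the earlier ACCEPT rules, while the port 443 REJECT is not pre-empted.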
