Re: Re: hacked: can't delete files

2005-08-27 Thread Andreas Hatz



 On Tuesday 23 August 2005 12:57, Alvin Oga wrote:
  personally... i think any hacked machine should be looked over carefully
  to be able to answer the following:
      - who broke in
      - how did they get in
      - why did they break in ( sometimes there's no answer )
      - where they came from

  - obvious thing is to look at log files, but smart crackers will wipe
    out or clean the /var/log before they leave
I do agree with your attitude on this. Unfortunately I do not see any chance of
getting any kind of conviction on this sort of thing if it originates from
another country. In this case the attacker is from Brazil (best guess, based on
litter left by the cracker). We are based in Australia and New Zealand. What are
the chances of getting the Brazilian police to do anything?

As for the clean up, I discovered a script among this guy's litter which was a
clean-up script to delete his log entries. I managed to alter this script
slightly to do the opposite next time he tries it. I do not think there will be
a next time for this guy though. He was only interested in a spam relay for a
while. These guys are typically just script kiddies that try to make some bucks
sending spam from other people's machines.

Cheers,

Andreas



Re: Re: hacked: can't delete files

2005-08-27 Thread Andreas Hatz




 Jason Edson wrote:

 Didn't you post this like a week ago and get answers? Just curious if
 my mail reader is acting up.

Sorry, I reposted after an initial search of the debian-user archive came up
blank. Looks like it went through twice now. Oops.

Regards,

Andreas




hacked: can't delete files

2005-08-26 Thread Andreas Hatz




Hello,

I have posted to this user group with a similar problem in the past and have
had great help, but this one seems to be a new problem:

It looks like the affected machine has been rooted by a t0rn rootkit and then
used to install a mail relay running on port 9020. This guy was pretty bold and
rather cheeky, even creating a directory in his name in the root home
directory. In this directory he seems to also have left a file which seems to
contain his hotmail address. This is only by the way. The REAL problem I am
having is this:

chkrootkit has given the following:

Searching for suspicious files and dirs, it may take a while...
/usr/lib/libsh/.bashrc /usr/lib/libsh/.backup /usr/lib/libsh/.sniff
/usr/lib/libsh/.bash_history /usr/lib/libsh/.owned /lib/security/.config
/usr/lib/libsh/.backup /usr/lib/libsh/.sniff /usr/lib/libsh/.owned
/lib/security/.config
Now the following:

ns:~# cd /usr/lib/libsh
ns:/usr/lib/libsh# ls -al
total 44
drwxr-xr-x  6 root root  4096 Aug 21 08:38 .
drwxr-xr-x 38 root root 12288 Aug 22 20:38 ..
drwxr-xr-x  2 root root  4096 Aug 22 19:24 .backup
-rw-------  1 root root   365 Aug 21 08:37 .bash_history
-rwxr-xr-x  1 root root  1206 Apr 18  2003 .bashrc
drwxr-xr-x  2 root root  4096 Aug 22 19:24 .owned
drwxr-xr-x  2 root root  4096 Aug 22 19:24 .sniff
-rwxr-xr-x  1 root root  2039 Aug 22 20:28 hide
drwxr-xr-x  2 root root  4096 Aug 22 19:24 utilz
Also:

ns:/usr/lib/libsh# lsattr *
---------- hide
ns:/usr/lib/libsh# lsattr .b*
---------- .bash_history
---------- .bashrc
ns:/usr/lib/libsh# lsattr .
---------- ./utilz
---------- ./hide
Now try to delete:

ns:/usr/lib/libsh# rm -rf *
rm: cannot unlink `hide': Permission denied
rm: cannot remove directory `utilz': Permission denied
ns:/usr/lib/libsh# ls -al
total 44
drwxr-xr-x  6 root root  4096 Aug 21 08:38 .
drwxr-xr-x 38 root root 12288 Aug 22 20:38 ..
drwxr-xr-x  2 root root  4096 Aug 22 19:24 .backup
-rw-------  1 root root   365 Aug 21 08:37 .bash_history
-rwxr-xr-x  1 root root  1206 Apr 18  2003 .bashrc
drwxr-xr-x  2 root root  4096 Aug 22 19:24 .owned
drwxr-xr-x  2 root root  4096 Aug 22 19:24 .sniff
-rwxr-xr-x  1 root root  2039 Aug 22 20:28 hide
drwxr-xr-x  2 root root  4096 Aug 22 19:24 utilz
So it seems that the immutable attribute is not set on either of these files,
but they cannot be deleted. Also, if I copy this directory to another place it
becomes "invisible", i.e. you don't see it with ls, but you can change to it
with cd. Make sense?

I have done a fresh re-install of all commands used above. And I will be
completely rebuilding the compromised box, but I am still intrigued by this.

Anybody like to have a go?

Best regards,

Andreas 


hacked: can't delete files

2005-08-22 Thread Andreas Hatz



Hello,

I have posted to this user group with a similar problem in the past and have
had great help, but this one seems to be a new problem:

It looks like the affected machine has been rooted by a t0rn rootkit and then
used to install a mail relay running on port 9020. This guy was pretty bold and
rather cheeky, even creating a directory in his name in the root home
directory. In this directory he seems to also have left a file which seems to
contain his hotmail address. This is only by the way. The REAL problem I am
having is this:

chkrootkit has given the following:

Searching for suspicious files and dirs, it may take a while...
/usr/lib/libsh/.bashrc /usr/lib/libsh/.backup /usr/lib/libsh/.sniff
/usr/lib/libsh/.bash_history /usr/lib/libsh/.owned /lib/security/.config
/usr/lib/libsh/.backup /usr/lib/libsh/.sniff /usr/lib/libsh/.owned
/lib/security/.config
Now the following:

ns:~# cd /usr/lib/libsh
ns:/usr/lib/libsh# ls -al
total 44
drwxr-xr-x  6 root root  4096 Aug 21 08:38 .
drwxr-xr-x 38 root root 12288 Aug 22 20:38 ..
drwxr-xr-x  2 root root  4096 Aug 22 19:24 .backup
-rw-------  1 root root   365 Aug 21 08:37 .bash_history
-rwxr-xr-x  1 root root  1206 Apr 18  2003 .bashrc
drwxr-xr-x  2 root root  4096 Aug 22 19:24 .owned
drwxr-xr-x  2 root root  4096 Aug 22 19:24 .sniff
-rwxr-xr-x  1 root root  2039 Aug 22 20:28 hide
drwxr-xr-x  2 root root  4096 Aug 22 19:24 utilz
Also:

ns:/usr/lib/libsh# lsattr *
---------- hide
ns:/usr/lib/libsh# lsattr .b*
---------- .bash_history
---------- .bashrc
ns:/usr/lib/libsh# lsattr .
---------- ./utilz
---------- ./hide
Now try to delete:

ns:/usr/lib/libsh# rm -rf *
rm: cannot unlink `hide': Permission denied
rm: cannot remove directory `utilz': Permission denied
ns:/usr/lib/libsh# ls -al
total 44
drwxr-xr-x  6 root root  4096 Aug 21 08:38 .
drwxr-xr-x 38 root root 12288 Aug 22 20:38 ..
drwxr-xr-x  2 root root  4096 Aug 22 19:24 .backup
-rw-------  1 root root   365 Aug 21 08:37 .bash_history
-rwxr-xr-x  1 root root  1206 Apr 18  2003 .bashrc
drwxr-xr-x  2 root root  4096 Aug 22 19:24 .owned
drwxr-xr-x  2 root root  4096 Aug 22 19:24 .sniff
-rwxr-xr-x  1 root root  2039 Aug 22 20:28 hide
drwxr-xr-x  2 root root  4096 Aug 22 19:24 utilz
So it seems that the immutable attribute is not set on either of these files,
but they cannot be deleted. Also, if I copy this directory to another place it
becomes "invisible", i.e. you don't see it with ls, but you can change to it
with cd. Make sense?

I have done a fresh re-install of all commands used above. And I will be
completely rebuilding the compromised box, but I am still intrigued by this.

Anybody like to have a go?

Best regards,

Andreas 


root is unable to change file permissions!

2005-06-03 Thread Andreas Hatz



Hello Debian Users,

We have an interesting phenomenon occurring on one of our servers. We have
noticed that two files in the /bin directory have had their executable
permissions removed and we are unable to chmod the files as root.

current file permissions:
-rw-r--r-- 1 root root 35464 May 31 13:02 /bin/login
-rw-r--r-- 1 root root 54152 Aug 29  2001 /bin/netstat

when trying to change permissions:

ns:~# whoami
root
ns:~# id
uid=0(root) gid=0(root) groups=0(root)
ns:~# chmod 755 /bin/login
chmod: changing permissions of `/bin/login': Operation not permitted
We have tried doing the same thing from the rescue 
disc login prompt. same outcome.

This seems to be a serious security issue. Root 
user seems to have lost control of some files. Other files can be changed using 
the above commands.

Any ideas?

Best regards,

Andreas Hatz


Re: Re: root is unable to change file permissions!

2005-06-03 Thread Andreas Hatz



Hello Robert,

when running lsattr I get mostly ---------- with a few exceptions:

ns:/bin# lsattr
suSiadAc-- /bin/ls
suSiadAc-- /bin/login
suSiadAc-- /bin/netstat
suSiadAc-- /bin/ps

also,
ns:/bin# lsattr /sbin
suSiadAc-- /sbin/ifconfig

Doesn't look too good for security. 

I have done a chattr -ASacdistu on all relevant directories, but I agree that
this is a short term fix only.

Thanks all who gave advice on this one. Learnt 
something new after almost 10 years of linux sysadmin.

Cheers,

Andreas
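The two symptoms in these threads point in different directions, and a defender needs to tell them apart: /bin/login failing chmod as root with lsattr showing suSiadAc is the ext2/ext3 immutable attribute at work, which chattr clears; the "hide" file in /usr/lib/libsh that root cannot unlink while lsattr shows no attributes at all is not explained by attributes, and fits the LKM trojan warning chkrootkit gave in the June thread. The script below is an added example, not code from any of the posts: it parses lsattr output, lists which files carry attributes that override root's permissions, decodes the flag letters, and builds the per-file chattr command that clears them. The sample lsattr lines are constructed to mirror the ones Andreas posted, not a real capture.

```python
#!/usr/bin/env python3
"""Parse lsattr(1) output and report files whose ext2/ext3 attributes stop
root from changing or removing them. Added example for the debian-user
thread above; the sample lines are constructed, not a real capture."""
import re
from typing import Dict, FrozenSet, List, NamedTuple

# chattr(1) attribute letters as lsattr prints them (one column per flag).
FLAG_MEANING: Dict[str, str] = {
    "s": "secure deletion",
    "u": "undeletable",
    "S": "synchronous updates",
    "D": "synchronous directory updates",
    "i": "immutable: no write, unlink, rename or chmod, even as root",
    "a": "append only: existing contents cannot be altered or truncated",
    "d": "no dump",
    "A": "no atime updates",
    "c": "compressed",
    "t": "no tail-merging",
}

# Attributes that override root's discretionary permissions. A file with 'i'
# is exactly what yields "chmod: Operation not permitted" for uid 0.
LOCKING_FLAGS: FrozenSet[str] = frozenset("ia")


class Entry(NamedTuple):
    path: str
    flags: FrozenSet[str]


# lsattr prints a fixed-width flag field ('-' for unset), then the path.
LSATTR_LINE = re.compile(r"^([A-Za-z-]+)\s+(\S.*)$")


def parse_lsattr(output: str) -> List[Entry]:
    """Turn lines like 'suSiadAc-- /bin/ls' into Entry objects."""
    entries: List[Entry] = []
    for line in output.splitlines():
        m = LSATTR_LINE.match(line.strip())
        if not m:
            continue  # blank lines or lsattr error text
        flags = frozenset(ch for ch in m.group(1) if ch != "-")
        entries.append(Entry(m.group(2), flags))
    return entries


def locked_entries(entries: List[Entry]) -> List[Entry]:
    """Files root cannot chmod/rm until the locking attributes are cleared."""
    return [e for e in entries if e.flags & LOCKING_FLAGS]


def explain(entry: Entry) -> str:
    """Human-readable decoding of every flag set on one entry."""
    names = ", ".join(FLAG_MEANING.get(f, f"unknown flag {f}")
                      for f in sorted(entry.flags))
    return f"{entry.path}: {names}"


def chattr_clear_command(entry: Entry) -> str:
    """The chattr call that strips every set attribute from one path; the
    per-file form of the thread's blanket 'chattr -ASacdistu'."""
    return "chattr -" + "".join(sorted(entry.flags)) + " " + entry.path


# Constructed sample mirroring the thread's lsattr output (not a real capture).
SAMPLE_LSATTR = """\
---------- /bin/cat
suSiadAc-- /bin/ls
suSiadAc-- /bin/login
suSiadAc-- /bin/netstat
suSiadAc-- /bin/ps
---------- /bin/sh
suSiadAc-- /sbin/ifconfig
"""


def audit(output: str = SAMPLE_LSATTR) -> List[str]:
    """One report line per locked file; an empty list means nothing is locked."""
    return [explain(e) + "  ->  " + chattr_clear_command(e)
            for e in locked_entries(parse_lsattr(output))]


if __name__ == "__main__":
    # On a live system feed it real output: lsattr -R /bin /sbin 2>/dev/null
    for line in audit():
        print(line)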


Re: Re: root is unable to change file permissions!

2005-06-03 Thread Andreas Hatz



Hello Jurgen,

Thanks for the tip re the chkrootkit. There are a 
couple of warnings:

Searching for t0rn's v8 defaults... Possible t0rn v8 (or variation) rootkit installed
Checking `lkm'... You have 3 process hidden for ps command
Warning: Possible LKM Trojan installed

This is great info, but now I need to find a way to 
get rid of them.

Cheers,

Andreas


Re: More Dpkg Broken errors

2001-05-18 Thread Andreas Hatz
You should just run the command apt-get --fix-broken install without
any package names. Also make sure you have done apt-get update
recently. It is almost never worth re-installing just because of a small
problem :)

Kieren Diment wrote:
 
 I tried Andreas' suggestion, and this is what happens:
 
 # apt-get --fix-broken remove procmail
 
 Reading Package Lists... Done
 Building Dependency Tree... Done
 The following packages will be REMOVED:
   procmail
 0 packages upgraded, 0 newly installed, 1 to remove and 1 not upgraded.
 Need to get 0B of archives. After unpacking 236kB will be freed.
 Do you want to continue? [Y/n]
 (Reading database ... EXT2-fs warning (device ide0(3,2)): ext2_free_inode: 
 bit already cleared for inode 20506
 EXT2-fs warning (device ide0(3,2)): ext2_free_inode: bit already cleared for 
 inode 20512
 EXT2-fs warning (device ide0(3,2)): ext2_free_inode: bit already cleared for 
 inode 21010
 EXT2-fs warning (device ide0(3,2)): ext2_free_inode: bit already cleared for 
 inode 20574
 EXT2-fs warning (device ide0(3,2)): ext2_free_inode: bit already cleared for 
 inode 20576
 EXT2-fs warning (device ide0(3,2)): ext2_free_inode: bit already cleared for 
 inode 23665
 dpkg: error processing procmail (--remove):
  files list file for package `procmail' contains empty filename
 Errors were encountered while processing:
  procmail
 Processing was halted because there were too many errors.
 E: Sub-process /usr/bin/dpkg returned an error code (1)
 
 Can anyone advise how to fix please.  I'm running potato with Kernel
 2.2.17.  Am I going to have to reinstall (please no)?
 
 TIA
 
 Kieren Diment
 
 (original message and reply below)
 
  Kieren Diment wrote:
  
   I was trying to install LyX, with dpkg -i lyx*.deb, but was told that 
   libforms0.89 was not installed.
  
   So after that I kept making errors, downloading libforms-bin and
   installing that by mistake, downloading libforms and Lyx for the wrong
   Architecture (Mk68 and Sparc) by mistake.  I finally got the correct
   deb files on my local machine and tried (as root)
  
   # dpkg -i libforms0.89_0.89-9.deb
  
   and got the following error message
  
   Selecting previously deselected package libforms0.89.
   (Reading database ... dpkg: error processing libforms0.89_0.89-9.deb 
   (--install):
    files list file for package `procmail' contains empty filename
   Errors were encountered while processing:
    libforms0.89_0.89-9.deb
   Processing was halted because there were too many errors.
  
   The same error was generated when I tried apt-get remove procmail
   (thought that re-installing procmail might cure the problem), and now
   my system is un-upgradeable.
  
   Can anyone help me fix dpkg.  I just found that I was making too many
   typos with LaTeX commands and not identifying them until it was too
   late, and I would like an easier life with LyX.
  
   Thanks in advance.
  
   Kd
 
 On Thu, May 17, 2001 at 08:17:26PM +1000, Andreas Hatz wrote:
  Have you tried:
 
  # apt-get --fix-broken remove
  # apt-get --fix-broken install
 
  ?
 
 --
 To UNSUBSCRIBE, email to [EMAIL PROTECTED]
 with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: cp binary cd to hd

2001-05-18 Thread Andreas Hatz
cp -d will work, but I reckon cp --archive (same as cp -dpR) is better
for these purposes. (as always, a look at the man page is informative :)

I did this exact same thing to install onto an old laptop without a
cdrom drive. Only I created some virtual hosts in my apache conf file
and just added them to the sources.list on the laptop. That way you
don't have to set up nfs every time you need to install new packages on
the laptop.

eg.


<VirtualHost binary-1>
DocumentRoot /var/local/binary-1/
ServerName binary-1
</VirtualHost>

<VirtualHost binary-2>
DocumentRoot /var/local/binary-2/
ServerName binary-2
</VirtualHost>

<VirtualHost binary-3>
DocumentRoot /var/local/binary-3/
ServerName binary-3
</VirtualHost>

you then need to add the hostnames (binary-1, binary-2 etc.) to your
hosts file and then put the relevant lines in the sources.list on your
laptop:

deb http://binary-1/debian stable main contrib non-free
...

Jaye Inabnit ke6sls wrote:
 
 Hello,
 
 I have 2 cdroms (one is a writer) and three 2.2.r3 binary disks I wanted to
 work into an nfs for a lap top I'm putzing with. I have several 5gb
 partitions on my second drive. Thought I'd just cp binary #3 disk to that
 partition. I watched as it filled the drive.
 
 Question, how does a disk that can only hold 750mb of data fill a 5gb
 partition? :| I'm completely at a loss. It just *seemed* so simple.
 
 tia
 
 --
 
 Jaye Inabnit\ARS ke6sls/TELE: USA-707-442-6579\/A GNU-Debian linux user
 Email: [EMAIL PROTECTED] WEB: http://www.qsl.net/ke6sls ICQ: 12741145
 If it's stupid, but works, it ain't stupid. SHOUT JUST FOR FUN.
 Free software, in a free world, for a free spirit. Please Support freedom!
 



Re: PHP

2001-05-17 Thread Andreas Hatz
Try the following:

for problem 1): Try deleting the mime types application/x-httpd-php...
(or similar) from your applications in your Netscape preferences. It
seems to me when netscape is faced with a php script that is sent as
source by the server (ie without the correct headers) it adds the mime
type to the helper applications list.

for 2): install the package php3-mysql using

# apt-get install php3-mysql

Also, why are you using php3? I am running php4 for all our php scripts,
works fine. Plus if you add other extensions to the list...

AddType application/x-httpd-php .php .php3 .asp

it will make apache parse all these extensions as php scripts. So php3
scripts will work under php4 and we can now disguise php scripts as asp
scripts to fool would-be crackers (only for a little while at least).

hope that helps,

Andreas

Keneth wrote:
 
 Hi b3,
 
 Apache can execute php file extension now. But I still have two problems:
 
 1) I added the lines below into httpd.conf, however it asks me to download
 the *.php3 file instead of running it.
 
 AddType application/x-httpd-php3 .php3 .php
 #AddType application/x-httpd-php3-source .phps
 
 2) I have mysql_connect script, but it said
 Fatal error: Call to unsupported or undefined function mysql_connect() in
 /var/www/t.php on line 6
 
 Keneth
 
  Hi Keneth,
 
  The php3 and php3-mysql packages are for version 3 of php.  The
  packages I mentioned are for version 4.  If you want to use version 3,
  and NOT version 4, then you have the correct packages.  If you want to
  upgrade to php4, install the ones I mentioned.
 
  I'm unfamiliar with the tweaks needed to activate the php3 packages,
  as I haven't installed them myself.  I know the php4 packages pretty
  well, though =)
 
  There are basically 2 things you should have to do, to make sure that
  your apache install recognizes your version of php.
 
  The first is to make sure you're loading the php modules.  In
  httpd.conf, look for a line resembling the following:
 
  LoadModule php4_module /usr/lib/apache/1.3/libphp4.so
 
  (this is the php4 module - yours might be libphp3.so or libphp.so)
 
  Make sure it's uncommented.
 
  Next, look for the following section:
 
  # For example, the PHP 3.x module (not part of the Apache
  # distribution - see http://www.php.net) will typically use:
  #
  #AddType application/x-httpd-php3 .php3
  #AddType application/x-httpd-php3-source .phps
  #
  # And for PHP 4.x, use:
  #
  AddType application/x-httpd-php .php
  AddType application/x-httpd-php-source .phps
 
  (here I have the php4 entries uncommented, but you can see the php3
  ones above it, commented out in my case.  In your case you'll probably
  want the php3 ones active, and the php4 ones uncommented.)
 
  After making sure everything is correct, stop apache with:
 
  # /etc/init.d/apache stop
 
  Verify that it's indeed stopped (ps aux | grep apache) and restart
  it with:
 
  # /etc/init.d/apache start
 
  Now, in your apache docroot (default on Debian seems to be /var/www)
  make a file called phpinfo.php3 (or phpinfo.php if you upgrade to
  php4) containing the following:
 
  <? phpinfo(); ?>
 
  Save it, then bring it up in a browser with:
 
  http://localhost/phpinfo.php3
 
  If all goes well, you should see the php information page, which can
  tell you all sorts of nifty things about your installation.
 
  If all doesn't go well, let us know what happens.
 
  -b3
 
  On Thu, May 17, 2001 at 09:39:36AM +0800, Keneth wrote:
   I found that PHP3 and PHP3-MYSQL installed in DSELECT, should I remove
   them and install the deb you mentioned?
  
   PIVO
   
    Very odd.  Did you install apache/php/mysql from source, or from debs?
    
    IIRC, when installing the debs (at least in unstable) it asks to run
    apacheconf to set things up.  I do remember having to go in and
    manually set the mime-type config for .php files, however.  I don't
    recall having to touch the Add/LoadModule lines (although it'd be a
    good idea to check)
    
    Here's the general set of debs I have apt install:
    
    apache php4 php4-dev php4-imap php4-gd php4-mysql mysql-server
    libapache-mod-perl libapache-dbi-perl libdbi-perl libdbd-mysql-perl
    
    I think that's everything - if you don't want mod_perl, you can leave
    out the last four pretty safely.
    
    -b3
    
    On Wed, May 16, 2001 at 05:09:21PM +0800, Keneth wrote:
     The line has been added! and I feel that there is something wrong
     with the httpd.conf. I added the code below manually, but it doesn't
     seem to load the php modules

     AddModule php4_module mod_php4.c
     LoadModule php4_module /usr/local/apache/modules/libphp4.so

     Besides I couldn't find libphp.so after following the install guide
     that comes with the PHP-4.0.5 too.

     I am using Apache_1.3.19 and mysql.

     Could you help?
 From: Kevin Ross [EMAIL PROTECTED]
 To: Keneth [EMAIL 

Re: [offtopic] recommendation on resources (books, websites) on object oriented programming?

2001-05-17 Thread Andreas Hatz
Just install perl-5.005-doc and do 

$ man perltoot


Walter Tautz wrote:
 
  Just wondering if there are any books that explain in detail with
 real-world (non-trivial) examples just what the OOP is about and
 why it might be a good idea to use it. I have no particular
 preference for languages, rather concepts should be emphasized
 although I wouldn't mind a material that leans towards python, C++ and
 Java.
 
 Any thoughts.
 
 -walter
 



Re: Dpkg broken.

2001-05-17 Thread Andreas Hatz
Have you tried:

# apt-get --fix-broken remove
# apt-get --fix-broken install

?


Kieren Diment wrote:
 
 I was trying to install LyX, with dpkg -i lyx*.deb, but was told that 
 libforms0.89 was not installed.
 
 So after that I kept making errors, downloading libforms-bin and
 installing that by mistake, downloading libforms and Lyx for the wrong
 Architecture (Mk68 and Sparc) by mistake.  I finally got the correct
 deb files on my local machine and tried (as root)
 
 # dpkg -i libforms0.89_0.89-9.deb
 
 and got the following error message
 
 Selecting previously deselected package libforms0.89.
 (Reading database ... dpkg: error processing libforms0.89_0.89-9.deb 
 (--install):
  files list file for package `procmail' contains empty filename
 Errors were encountered while processing:
  libforms0.89_0.89-9.deb
 Processing was halted because there were too many errors.
 
 The same error was generated when I tried apt-get remove procmail
 (thought that re-installing procmail might cure the problem), and now
 my system is un-upgradeable.
 
 Can anyone help me fix dpkg.  I just found that I was making too many
 typos with LaTeX commands and not identifying them until it was too
 late, and I would like an easier life with LyX.
 
 Thanks in advance.
 
 Kd
 



automated install/re-install from status file or package list

2001-05-17 Thread Andreas Hatz
Does anybody know of a good way of using an old /var/lib/dpkg/status
file to quickly reinstall debian. I would like to be able to do this to
reduce the amount of time it takes me to re-build a machine after an
attack or for installing all the same packages as another web server
instead of choosing all packages manually.

I have tried the following (rather clumsy) method:

# grep -B1 -e 'install ok' /var/lib/dpkg/status \
  | grep Package: | cut -d ' ' -f2 > installed.packages
# apt-get install `cat installed.packages`

This does not work as well as I first thought: plenty of broken
packages.

This is a functionality of apt-get that would come in very handy I
think.

cheers,

Andreas
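The grep pipeline above matches any stanza whose Status line contains "install ok", which also picks up packages that were removed with their config files kept, and it silently carries over packages dpkg already considers broken. The script below is an added example, not Andreas's method or dpkg's own code: it parses the status file stanza by stanza, keeps only packages whose Status is exactly "install ok installed", flags stanzas that are not cleanly installed, and emits the name/install pairs in the format dpkg --get-selections prints and dpkg --set-selections reads. The status stanzas are constructed for the example, not copied from a real /var/lib/dpkg/status.

```python
#!/usr/bin/env python3
"""Extract a clean package list from a dpkg status file so a rebuilt machine
can get the same selections. Added example for the debian-user thread above;
the status stanzas below are constructed, not a real /var/lib/dpkg/status."""
from typing import Dict, Iterator, List

# Constructed sample: two installed packages, one removed with config files
# kept, and one half-installed (the state a failed dpkg run leaves behind).
SAMPLE_STATUS = """\
Package: apache
Status: install ok installed
Priority: optional
Section: web
Version: 1.3.9-14
Description: Versatile, high-performance HTTP server
 The most popular server in the world.

Package: procmail
Status: deinstall ok config-files
Priority: standard
Section: mail
Version: 3.15.2-1

Package: libforms0.89
Status: install reinstreq half-installed
Priority: optional
Section: libs
Version: 0.89-9

Package: php4
Status: install ok installed
Priority: optional
Section: web
Version: 4.0.5-1
"""

# The three words of a Status line: desired selection, flag, current state.
CLEAN_STATES = ("installed", "config-files", "not-installed")


def stanzas(text: str) -> Iterator[Dict[str, str]]:
    """Yield each blank-line-separated stanza as a field -> value dict."""
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                yield current
                current = {}
            continue
        if raw[0] in " \t":
            continue  # continuation line (e.g. multi-line Description)
        field, _, value = raw.partition(":")
        current[field.strip()] = value.strip()
    if current:
        yield current


def installed_packages(text: str) -> List[str]:
    """Names whose Status is exactly 'install ok installed'."""
    return sorted(st["Package"] for st in stanzas(text)
                  if st.get("Status", "").split() == ["install", "ok", "installed"])


def problem_packages(text: str) -> List[str]:
    """Names dpkg itself does not consider cleanly installed (a flag other
    than 'ok', or a state such as half-installed); fix these before cloning."""
    out: List[str] = []
    for st in stanzas(text):
        parts = st.get("Status", "").split()
        if len(parts) != 3 or parts[1] != "ok" or parts[2] not in CLEAN_STATES:
            out.append(st["Package"])
    return sorted(out)


def selections(text: str) -> str:
    """Render 'name<TAB>install' lines, the shape dpkg --set-selections reads."""
    return "".join(f"{name}\tinstall\n" for name in installed_packages(text))


if __name__ == "__main__":
    # On a real system: open("/var/lib/dpkg/status").read() instead of the sample.
    print(selections(SAMPLE_STATUS), end="")
    print("not cleanly installed:", problem_packages(SAMPLE_STATUS))
```

On the target machine the output file is consumed with dpkg --set-selections < selections.txt followed by apt-get dselect-upgrade, which is the supported way to replay a selection list; after a compromise, take the status file from a backup made before the intrusion rather than from the rooted box, since a package list copied off it reproduces whatever the intruder installed.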



Re: Upgrade from 2.2.r2 to 2.2r3 ?

2001-05-17 Thread Andreas Hatz
Put the line

deb http://ftp.au.debian.org/pub/debian Debian2.2r3 main contrib non-free

into your /etc/apt/sources.list and do an apt-get update; apt-get upgrade

This is for an Australian server, but you get the idea.

cheers,

Andreas

Darren Wyn Rees wrote:
 
 Would someone please advise me what's the best way to upgrade from
 2.2r2 to 2.2r3.  I haven't really had the chance to use the older
 release properly, and I don't see the economic sense of buying
 a complete new set of Linux disks.
 
 --
 S+M is outta the question, have you got a better suggestion
 I'm fed up of waving my right hand - rat salad www.ratsalad.co.uk
 