Potential Virus or System Message?

2005-05-01 Thread Faithful John
Hi,
I got this weird message, when I left my email through Telnet/Pine
running when I left my house.

---
+ N  15 Apr 27 Dixie H. Brunson(2,892) Cialis Soft Tabs - Super Viagra  
+ N  16 Apr 27 Garry Martin(2,769) Get it up again  
+ N  17 Apr 27 Candy King  (9,592) Info Package: Altoids Vending
+ N  18 Apr 28 Ariel N. McFadden   (2,839) Remember the old days?   
+ N  19 Apr 28 EyeQ   (15,740) Increase reading speed comprehension
Broadcast Message from root (???) on log3 Sun May  1 06:00:01...
? HelpFldrList   P PrevMsg   - PrevPage D Delete   The
system will be shut down in 1 minute  N NextMsg Spc NextPage U
Undelete   F Forward
just because
Broadcast Message from root (???) on log3 Sun May  1 06:00:32...
The
system will be shut down in 30 seconds
just because
Broadcast Message from root (???) on log3 Sun May  1 06:00:52...
THE
SYSTEM IS BEING SHUT DOWN NOW ! ! !
Log off now or risk your files being damaged
just because
Connection closed by foreign host.
You have new mail in /var/mail/selam
[EMAIL PROTECTED]:~$ 


Of course, nothing happened... at least I'm pretty sure (I'm a
relative newbie, therefore don't have a great understanding of all things
Linux).  Is this normal?  Should I be concerned?  Is something in
my system that I should get rid of?

I'm currently running Testing on XFree86, on a Pentium classic Aptiva
computer (from 1996).  Any info I can get would be helpful.
Thanks.
F.J.



Re: Potential Virus or System Message?

2005-05-01 Thread s. keeling
Incoming from Faithful John:
 
> I got this weird message, when I left my email through Telnet/Pine
> running when I left my house.
>
> + N  15 Apr 27 Dixie H. Brunson(2,892) Cialis Soft Tabs - Super Viagra
> + N  16 Apr 27 Garry Martin(2,769) Get it up again
> + N  17 Apr 27 Candy King  (9,592) Info Package: Altoids Vending
> + N  18 Apr 28 Ariel N. McFadden   (2,839) Remember the old days?
> + N  19 Apr 28 EyeQ   (15,740) Increase reading speed comprehension
> Broadcast Message from root (???) on log3 Sun May  1 06:00:01...
> ? HelpFldrList   P PrevMsg   - PrevPage D Delete   The
> system will be shut down in 1 minute  N NextMsg Spc NextPage U
> Undelete   F Forward
> just because
> Broadcast Message from root (???) on log3 Sun May  1 06:00:32...
> The
> system will be shut down in 30 seconds
> just because
> Broadcast Message from root (???) on log3 Sun May  1 06:00:52...
> THE
> SYSTEM IS BEING SHUT DOWN NOW ! ! !
> Log off now or risk your files being damaged
> just because
> Connection closed by foreign host.
> You have new mail in /var/mail/selam
> [EMAIL PROTECTED]:~$

I'd say someone got in, and they got in far enough to shutdown the
machine, which generally means root.  Time to reinstall.  Next time,
go through the ps fax list, and anything that shouldn't be running,
disable it.

> Of course, nothing happened... at least I'm pretty sure (I'm a

Your box may be alright, or it may now be a zombie spam host.  Pore
over the logs in /var/log and see if you can find out how they got
in.  Install chkrootkit and see what it says.

However, I'd give up on it.  There's no telling what they left behind
or replaced.


-- 
Any technology distinguishable from magic is insufficiently advanced.
(*)http://www.spots.ab.ca/~keeling  Please don't Cc: me.
- -


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
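The log review s. keeling recommends above, as an added example that is not from the thread: a small sh/awk pass over sshd lines in /var/log/auth.log that reports addresses which failed several password attempts and were then accepted. The sample lines, host name, PIDs and addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: a first pass over sshd lines in
# /var/log/auth.log to spot password guessing that ended in a successful
# login from the same address.

# Constructed sample standing in for /var/log/auth.log; host name, PIDs and
# addresses are made up.
SAMPLE_AUTH_LOG='May  1 05:58:01 aptiva sshd[812]: Failed password for root from 10.0.0.7 port 4021 ssh2
May  1 05:58:03 aptiva sshd[812]: Failed password for root from 10.0.0.7 port 4021 ssh2
May  1 05:58:05 aptiva sshd[813]: Failed password for invalid user admin from 10.0.0.7 port 4022 ssh2
May  1 05:59:10 aptiva sshd[815]: Accepted password for selam from 10.0.0.7 port 4030 ssh2
May  1 06:10:00 aptiva sshd[820]: Accepted password for selam from 192.168.1.2 port 1100 ssh2
May  1 06:12:40 aptiva sshd[822]: Failed password for selam from 192.168.1.9 port 1200 ssh2'

# Usage: flag_logins THRESHOLD < auth.log
# Prints each source address with THRESHOLD or more failed password attempts,
# followed by the accounts it was later accepted for, if any.
flag_logins() {
    awk -v thr="$1" '
        # Return the word following "word" on the current line ("from ADDR", "for USER").
        function field_after(word,   i) {
            for (i = 1; i <= NF; i++) if ($i == word) return $(i + 1)
            return ""
        }
        /sshd\[[0-9]+\]: Failed password for / {
            failed[field_after("from")]++
        }
        /sshd\[[0-9]+\]: Accepted / {
            src = field_after("from")
            accepted[src] = accepted[src] " " field_after("for")
        }
        END {
            for (s in failed)
                if (failed[s] + 0 >= thr + 0)
                    printf "%s: %d failed attempts%s\n", s, failed[s],
                        (s in accepted) ? ", then accepted as" accepted[s] : ""
        }'
}

# Stand-alone run: three or more failures from one address is worth a look.
printf '%s\n' "$SAMPLE_AUTH_LOG" | flag_logins 3
```

On a real box, pipe the file in instead of the sample: `flag_logins 3 < /var/log/auth.log`.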



Re: Potential Virus or System Message?

2005-05-01 Thread Phil Dyer
s. keeling wrote:
> Incoming from Faithful John:
> > I got this weird message, when I left my email through Telnet/Pine
> > running when I left my house.
>
> I'd say someone got in, and they got in far enough to shutdown the
> machine, which generally means root.  Time to reinstall.  Next time,
> go through the ps fax list, and anything that shouldn't be running,
> disable it.

Uh, I'd say he had a telnet session opened to a remote host, and that
remote host shut down. Doesn't have anything to do with his box.

--

/phil







Re: Potential Virus or System Message?

2005-05-01 Thread s. keeling
Incoming from Phil Dyer:
> s. keeling wrote:
> > Incoming from Faithful John:
> > > I got this weird message, when I left my email through Telnet/Pine
> > > running when I left my house.
> >
> > I'd say someone got in, and they got in far enough to shutdown the
>
> Uh, I'd say he had a telnet session opened to a remote host, and that

Yup.  Missed that.  I thought the messages were coming from his own box.


-- 
Any technology distinguishable from magic is insufficiently advanced.
(*)http://www.spots.ab.ca/~keeling  Please don't Cc: me.
- -





Re: Potential Virus or System Message?

2005-05-01 Thread Faithful John
On 5/1/05, s. keeling [EMAIL PROTECTED] wrote:
> Incoming from Phil Dyer:
> > s. keeling wrote:
> > > Incoming from Faithful John:
> > > > I got this weird message, when I left my email through Telnet/Pine
> > > > running when I left my house.
> > >
> > > I'd say someone got in, and they got in far enough to shutdown the
> >
> > Uh, I'd say he had a telnet session opened to a remote host, and that
>
> Yup.  Missed that.  I thought the messages were coming from his own box.

I had figured that it might have been a shutdown by the remote host,
as it happens all the time with that system.  However, I had never
seen that message before.  Usually it simply just turned off, and
when I tried to do something it would tell me it's been shut down.
The "just because" is what gave me cause for concern.

So this gives me a second question.  I'm pretty sure that I disabled
the remote access ability stuff (though I'm not 100% on that at this
moment).  Is there a chance someone could still get into my system in
any way and do anything? (e.g. if firewalls are disabled)  My impression
was that Linux was immune to viruses and resistant to personal
attacks since you needed a root password to do any sort of real
changes.
F.J.



Re: Potential Virus or System Message?

2005-05-01 Thread s. keeling
Incoming from Faithful John:
 
> So this gives me a second question.   I'm pretty sure that I disabled
> the remote access ability stuff (though I'm not 100% on that at this
> moment).   Is there a chance someone could still get into my system in

Certainly.  What are you running that you don't need to?  sshd and
weak passwords?  ftpd, telnetd, are you allowing remote shell
commands?

Those and many more can easily bite you.  Disable (preferably) or
secure them.


-- 
Any technology distinguishable from magic is insufficiently advanced.
(*)http://www.spots.ab.ca/~keeling  Please don't Cc: me.
- -





Re: Potential Virus or System Message?

2005-05-01 Thread Phil Dyer
Faithful John said:
> So this gives me a second question.   I'm pretty sure that I disabled
> the remote access ability stuff (though I'm not 100% on that at this
> moment).   Is there a chance someone could still get into my system in
> any way and do anything? (e.g.if firewalls disabled)   My impression
> was that linux was immune to viruses and resistance to personal
> attacks since you needed a root password to do any sort of real
> changes.

More complicated than "they need root to get me". Escalation of
privileges, where a user gets onto your box via some sort of non-root
user through apache, ssh or whatever and then gains root via some local
program that is vulnerable.

You should run a portscan on yourself with nmap or similar. If you don't
have access to another box, you can go to somewhere like dshield.org and
run a portscan. Always good to do when setting up a new box. Good
learning when you get to say "what in the heck is that port open for?"


--

/phil




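Phil's advice to scan yourself, and s. keeling's earlier question about what is running that need not be, as one added example that is not from the thread: a sh/awk check that compares a self-scan's open ports with a short allowlist of what you expect. The scan text is a constructed sample in the shape of nmap's grepable (-oG) output; the host, address and port list are made up.

```shell
#!/bin/sh
# Added example, not from the thread: read a self-scan of your own box and
# list every open port that is not on the short list you expect, which turns
# "what is that port open for?" into a question you can chase per service.

# Constructed sample in the shape of "nmap -oG -" (grepable) output for a
# made-up host; the address and the port list are not from the thread.
SAMPLE_SCAN='# Nmap scan initiated (constructed sample)
Host: 192.168.1.10 (aptiva)  Ports: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 23/open/tcp//telnet///, 111/open/tcp//rpcbind///, 514/filtered/tcp//shell///  Ignored State: closed (1658)
# Nmap done'

# Usage: unexpected_ports "tcp/22 tcp/25" < scan.gnmap
# Prints each open port not on the space-separated allowlist as proto/port
# plus the service name the scanner guessed; filtered/closed ports are skipped.
unexpected_ports() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^Host: / && /Ports: / {
            line = $0
            sub(/.*Ports: /, "", line)               # keep only the port list
            sub(/[ \t]*Ignored State:.*/, "", line)
            n = split(line, entry, ", ")
            for (i = 1; i <= n; i++) {
                # Each entry is port/state/proto/owner/service/rpc/version/
                split(entry[i], f, "/")
                key = f[3] "/" f[1]
                if (f[2] == "open" && !(key in ok))
                    printf "%s (%s)\n", key, (f[5] == "" ? "unknown service" : f[5])
            }
        }'
}

# Stand-alone run: only ssh is expected on this box, so ftp, telnet and
# rpcbind should each be explained or turned off.
printf '%s\n' "$SAMPLE_SCAN" | unexpected_ports "tcp/22"
```

Against a real scan, save it with `nmap -oG scan.gnmap <your address>` from another machine and run `unexpected_ports "tcp/22" < scan.gnmap`.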