Re: 8.0 on new hardware and a few errors, should I be worried?
On Saturday 27 February 2010 8:28:48 pm Dan Naumov wrote:
> Hello
>
> I've very recently finished installing 8.0-RELEASE on some new hardware and I noticed a few error messages that make me a bit uneasy. This is a snip from my dmesg:
>
> --
> acpi0: SMCI on motherboard
> acpi0: [ITHREAD]
> acpi0: Power Button (fixed)
> acpi0: reservation of fee0, 1000 (3) failed
> acpi0: reservation of 0, a (3) failed
> acpi0: reservation of 10, bf60 (3) failed
> --
>
> What do these mean and should I worry about it? The full DMESG can be viewed here: http://jago.pp.fi/temp/dmesg.txt

You can ignore them. FreeBSD creates two pseudo-devices on x86 called apic0 and ram0. Their sole job is to reserve the memory ranges used by APIC devices and system RAM to prevent those address ranges being reused by anything else (such as PCI BARs). Many systems also reserve those ranges as a system resource via ACPI (or PnPBIOS for the non-ACPI case). What is happening is that the ACPI system resource driver isn't able to reserve these ranges because they are already claimed by apic0 and ram0. The important point is that some device claims them. It doesn't really matter which one does.

--
John Baldwin
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
8.0 on new hardware and a few errors, should I be worried?
Hello

I've very recently finished installing 8.0-RELEASE on some new hardware and I noticed a few error messages that make me a bit uneasy. This is a snip from my dmesg:

--
acpi0: SMCI on motherboard
acpi0: [ITHREAD]
acpi0: Power Button (fixed)
acpi0: reservation of fee0, 1000 (3) failed
acpi0: reservation of 0, a (3) failed
acpi0: reservation of 10, bf60 (3) failed
--

What do these mean and should I worry about it? The full DMESG can be viewed here: http://jago.pp.fi/temp/dmesg.txt

Additionally, while building a whole bunch of ports on this new system (about 30 or so, samba, ncftp, portaudit, bash, the usual suspects), I noticed the following in my logs during the build process:

--
Feb 27 21:24:01 atombsd kernel: pid 38846 (try), uid 0: exited on signal 10 (core dumped)
Feb 27 22:17:49 atombsd kernel: pid 89665 (conftest), uid 0: exited on signal 6 (core dumped)
--

All ports seem to have built and installed successfully. Again, what do these mean and should I worry about it? :)

Thanks!

- Sincerely,
Dan Naumov
Re: 8.0 on new hardware and a few errors, should I be worried?
On Sun, Feb 28, 2010 at 03:28:48AM +0200, Dan Naumov wrote:
> Additionally, while building a whole bunch of ports on this new system (about 30 or so, samba, ncftp, portaudit, bash, the usual suspects), I noticed the following in my logs during the build process:
>
> --
> Feb 27 21:24:01 atombsd kernel: pid 38846 (try), uid 0: exited on signal 10 (core dumped)
> Feb 27 22:17:49 atombsd kernel: pid 89665 (conftest), uid 0: exited on signal 6 (core dumped)
> --

This is intentional/normal, believe it or not. It's by-design as part of some compiler tests that autoconf (or the software that uses autoconf) induces. Thanks, GNU!

FreeBSD logs these to the console by default; the sysctl to control this behaviour is kern.logsigexit.

--
| Jeremy Chadwick                                   j...@parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
mysterious try process dumping core on 7.2-RELEASE ... worried ...
I see these two entries in my /var/log/messages:

Nov 24 18:08:41 hostname kernel: pid 25901 (try), uid 0: exited on signal 10 (core dumped)
Nov 24 18:10:29 hostname kernel: pid 35359 (try), uid 0: exited on signal 10 (core dumped)

But I've never heard of a try binary, and 'which try' shows nothing ...

When I search through my system, the only thing remotely resembling try is:

/usr/ports/lang/perl5.8/work/perl-5.8.9/lib/Test/Simple/t/try.t

I do see that my perl binary is dated:

0 lrwxr-xr-x 1 root wheel 24 Nov 24 18:12 /usr/bin/perl

a few minutes after those error messages, so perhaps that is it ...

Anyway, what is try.t, what is a .t file and if a try.t file core dumped, would I indeed see simply try in my logs, as above?

Thanks.
Re: mysterious try process dumping core on 7.2-RELEASE ... worried ...
George Sanders wrote:
> I see these two entries in my /var/log/messages:
>
> Nov 24 18:08:41 hostname kernel: pid 25901 (try), uid 0: exited on signal 10 (core dumped)
> Nov 24 18:10:29 hostname kernel: pid 35359 (try), uid 0: exited on signal 10 (core dumped)
>
> But I've never heard of a try binary, and 'which try' shows nothing ...

I believe this is generated by autoconf as one of its tests of OS behaviour. As such it's harmless.

Cheers,
Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
Given this evidence, should I be worried that I may have been hacked
Once I opened up SSH to the outside world, my machine has been hammered once or twice a day most days, with username failures. None of the usernames would fit a username on my system (except root), and I have ssh set to deny root logins, and only use SSH2. Additionally, I have the following in my login.access (only active entry, the names have been changed on this, but the three names would appear as 3 and four character random alphabetical strings):

-:ALL EXCEPT wrbc crr aqp:ALL EXCEPT local

As of the 9th, I've only seen one set of blatant/brute-force attempts at my ssh server. It's interesting, but the major drop in attempts has me more worried than the attempts (could this drop off be because they no longer need to hack me? Could they have hacked me and that be the reason why?)

How worried should I be, and what's the best recourse for this?

Thanks,
-Jim Stapleton
Re: Given this evidence, should I be worried that I may have been hacked
Jim Stapleton wrote:
> Once I opened up SSH to the outside world, my machine has been hammered once or twice a day most days, with username failures. None of the usernames would fit a username on my system (except root), and I have ssh set to deny root logins, and only use SSH2. Additionally, I have the following in my login.access (only active entry, the names have been changed on this, but the three names would appear as 3 and four character random alphabetical strings):
>
> -:ALL EXCEPT wrbc crr aqp:ALL EXCEPT local
>
> As of the 9th, I've only seen one set of blatant/brute-force attempts at my ssh server. It's interesting, but the major drop in attempts has me more worried than the attempts (could this drop off be because they no longer need to hack me? Could they have hacked me and that be the reason why?)
>
> How worried should I be, and what's the best recourse for this?

On a system I administer I put SSH on a non-standard port (in this case 1234) and the brute force attempts have gone away since then. I suggest you try that. Besides, you can change to RSA/DSA auth, which is more secure.

Regards,
Gabor
Re: Given this evidence, should I be worried that I may have been hacked
I have DSA. I will change it to a nonstandard port, but I was wondering what your opinion is on a good way to check if this is the result of me being hacked, or just someone losing interest.

On 4/14/07, Gabor Kovesdan [EMAIL PROTECTED] wrote:
> Jim Stapleton wrote:
> > Once I opened up SSH to the outside world, my machine has been hammered once or twice a day most days, with username failures. None of the usernames would fit a username on my system (except root), and I have ssh set to deny root logins, and only use SSH2. Additionally, I have the following in my login.access (only active entry, the names have been changed on this, but the three names would appear as 3 and four character random alphabetical strings):
> >
> > -:ALL EXCEPT wrbc crr aqp:ALL EXCEPT local
> >
> > As of the 9th, I've only seen one set of blatant/brute-force attempts at my ssh server. It's interesting, but the major drop in attempts has me more worried than the attempts (could this drop off be because they no longer need to hack me? Could they have hacked me and that be the reason why?)
> >
> > How worried should I be, and what's the best recourse for this?
>
> On a system I administer I put SSH on a non-standard port (in this case 1234) and the brute force attempts have gone away since then. I suggest you try that. Besides, you can change to RSA/DSA auth, which is more secure.
>
> Regards,
> Gabor
Re: Given this evidence, should I be worried that I may have been hacked
In response to Jim Stapleton [EMAIL PROTECTED]:
> Once I opened up SSH to the outside world, my machine has been hammered once or twice a day most days, with username failures. None of the usernames would fit a username on my system (except root), and I have ssh set to deny root logins, and only use SSH2. Additionally, I have the following in my login.access (only active entry, the names have been changed on this, but the three names would appear as 3 and four character random alphabetical strings):
>
> -:ALL EXCEPT wrbc crr aqp:ALL EXCEPT local
>
> As of the 9th, I've only seen one set of blatant/brute-force attempts at my ssh server. It's interesting, but the major drop in attempts has me more worried than the attempts (could this drop off be because they no longer need to hack me? Could they have hacked me and that be the reason why?)
>
> How worried should I be, and what's the best recourse for this?

The drop is more likely coincidence than anything else, although you may have blocked things to the point where they don't get logged anymore.

These breakin attempts are bots. While I don't know for sure, I seriously doubt that botnet gathering crooks discuss with each other which machines they've already broken and thus don't attempt to break them a second time. I don't expect the drop off is related.

Personally, I just had 3 such attempts last night, compared to none over the course of several days. It's just a matter of how busy the botnet people are on any given day.

You should install/run samhain or something similar to monitor activity so you know if something unauthorized has changed. That's the only real way to know if you've successfully been broken or not.

--
Bill Moran
http://www.potentialtech.com
Re: Given this evidence, should I be worried that I may have been hacked
Jim Stapleton wrote:
> I have DSA. I will change it to a nonstandard port, but I was wondering what your opinion is on a good way to check if this is the result of me being hacked, or just someone losing interest.

Well, I think the latter. If you have an up-to-date system with up-to-date packages, you should not be too worried. I think brute-force is useless if one uses strong passwords. I'd check auth-log and the output of last(1) to see if that says something, but you can never be sure. So I'd say just be happy that they stopped trying, but don't give up the regular maintenance, so that your system is as secure as it can be. :)

Oh, and you can try port-knocking as well to secure the sshd port. If you don't know what it is, just google for it.

Gabor
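The auth-log check suggested in the reply above, as an added example that is not part of the original thread: it counts failed sshd attempts per day and flags any accepted login from an address that had failed earlier in the log. The log lines are constructed in the usual OpenSSH syslog format; `review_auth_log`, the host name and the addresses are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample in the format OpenSSH's sshd writes to /var/log/auth.log.
# Host name, accounts and addresses (RFC 5737 documentation ranges) are made up.
SAMPLE_LOG = """\
Apr  7 03:12:44 myhost sshd[1201]: Invalid user admin from 203.0.113.5
Apr  7 03:12:47 myhost sshd[1203]: Invalid user test from 203.0.113.5
Apr  7 03:12:51 myhost sshd[1205]: Failed password for root from 203.0.113.5 port 40112 ssh2
Apr  8 11:40:02 myhost sshd[1377]: Accepted publickey for wrbc from 198.51.100.7 port 51515 ssh2
Apr  8 22:01:19 myhost sshd[1490]: Invalid user oracle from 192.0.2.44
Apr  9 04:30:10 myhost sshd[1502]: Invalid user guest from 192.0.2.44
Apr 12 02:15:33 myhost sshd[1750]: Accepted password for aqp from 192.0.2.44 port 38822 ssh2
"""

# syslog prefix: month, day, time, host, then "sshd[pid]: message"
LINE = re.compile(r"^(\w{3})\s+(\d+)\s+\S+\s+\S+\s+sshd\[\d+\]:\s+(.*)$")
# Both failure forms sshd logs; group 1 is the source address.
FAILED = re.compile(
    r"^(?:Invalid user \S*|Failed \S+ for (?:invalid user )?\S*) from (\S+)")
ACCEPTED = re.compile(r"^Accepted (\S+) for (\S+) from (\S+)")


def review_auth_log(text):
    """Summarise sshd activity: failure lines per day, and successful logins,
    flagging any success from an address that failed earlier in the log."""
    failures_per_day = Counter()
    failed_sources = set()
    accepted, flagged = [], []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not an sshd line
        day = f"{m.group(1)} {int(m.group(2))}"
        msg = m.group(3)
        failed = FAILED.match(msg)
        if failed:
            failures_per_day[day] += 1
            failed_sources.add(failed.group(1))
            continue
        ok = ACCEPTED.match(msg)
        if ok:
            method, user, source = ok.groups()
            entry = (day, user, source, method)
            accepted.append(entry)
            if source in failed_sources:
                flagged.append(entry)  # success after failures: review this one
    return {"failures_per_day": dict(failures_per_day),
            "accepted": accepted, "flagged": flagged}


if __name__ == "__main__":
    report = review_auth_log(SAMPLE_LOG)
    for day, count in report["failures_per_day"].items():
        print(f"{day}: {count} failure lines")
    for entry in report["accepted"]:
        note = "  <-- source failed earlier" if entry in report["flagged"] else ""
        print("{}: {} from {} via {}{}".format(*entry, note))
```

On FreeBSD the input would be the contents of /var/log/auth.log; a flagged entry is a prompt to compare against last(1) and the account owner, not proof of a break-in.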
Re: Given this evidence, should I be worried that I may have been hacked
Jim Stapleton wrote:
> I have DSA. I will change it to a nonstandard port, but I was wondering what your opinion is on a good way to check if this is the result of me being hacked, or just someone losing interest.

If you are hacked, then something might or might not be going on on your system (check for unusual stuff, like a rise in the number of processes, or disk usage, or network traffic, and think about it). You know how your system behaves from day to day, do you?

Nevertheless, generally speaking, 99.99% of these brute attempts to get ssh access are coming from various zombies, blindly trying out port 22; that's why the port change is the usual advice.

There are easier ways to get inside than just bruteforcing via wild guessing of login credentials. For example, take an unsecured web server with some full-of-bugs content management system. Exploiting a vulnerability will allow someone (this time definitely not a zombie) to get into the system and go forward with any dark actions he/she might have in mind.

nice sunny weekend,
Martin
Re: Given this evidence, should I be worried that I may have been hacked
--On April 14, 2007 7:25:46 AM -0400 Jim Stapleton [EMAIL PROTECTED] wrote:
> Once I opened up SSH to the outside world, my machine has been hammered once or twice a day most days, with username failures. None of the usernames would fit a username on my system (except root), and I have ssh set to deny root logins, and only use SSH2. Additionally, I have the following in my login.access (only active entry, the names have been changed on this, but the three names would appear as 3 and four character random alphabetical strings):
>
> -:ALL EXCEPT wrbc crr aqp:ALL EXCEPT local
>
> As of the 9th, I've only seen one set of blatant/brute-force attempts at my ssh server. It's interesting, but the major drop in attempts has me more worried than the attempts (could this drop off be because they no longer need to hack me? Could they have hacked me and that be the reason why?)
>
> How worried should I be, and what's the best recourse for this?

I have a *lot* of experience with hacked boxes. They all share at least one of three things in common:

1) Not patched up to date
2) Incorrectly (or not at all) configured
3) Weak or default passwords

Those three things are the cause of almost every breakin I've seen. The first is by far the greatest reason for breakins. The second and third are less frequently but still often the case. It is not at all uncommon to find a box running unpatched and unconfigured services that its owner had no idea were running.

If you have any of the above conditions, then you have something to be concerned about. If you don't, then the reduction in attacks is most likely pure coincidence.

If you don't want your computer broken into:

1) Keep it patched and up to date at *all* times. Eternal vigilance is the watchword.
2) Disable *and* remove all services you do not intend to run. Don't install a program if you aren't going to be using it.
3) If you want to play around with something, configure it to respond to localhost *only* or restrict access to known IP addresses.
4) *Always* change default passwords and *never* use weak passwords. A weak password is defined as a password that does not use special characters. Period. Alphanumeric passwords can resist brute force attacks for approximately one week using modern computers.

Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
Worried ...
My security run output reported

mydomain.co.uk login failures:
Sep 13 23:43:01 3bsd sshd[2066]: error: Bind to port 22 on 192.168.x.x failed: Address already in use.

I don't remember Puttying in last night, and this am there is a problem with the WiFi Access Point?

Have I been cracked?
Re: Worried ...
No worries (from the security side). This error means that the SSH daemon cannot start because port 22 is already in use by another program (probably another SSH daemon). So it is likely that you try to start several versions of the SSH daemon, or some program uses port 22 and starts before the SSH daemon.

--Rein

Graham Bentley wrote:
> My security run output reported
>
> mydomain.co.uk login failures:
> Sep 13 23:43:01 3bsd sshd[2066]: error: Bind to port 22 on 192.168.x.x failed: Address already in use.
>
> I don't remember Puttying in last night, and this am there is a problem with the WiFi Access Point?
>
> Have I been cracked?
Re: Worried ...
well, there is a possibility that he got hacked, it's a common tactic to use a port of another program for a shell of some kind.

but we cannot tell, as long as we don't get further info from you, graham.

information like: what else does the syslog say, a list of used ports and the programs running on them, etc...

Greetings
Oliver Leitner
Technical Staff
http://www.shells.at

Rein Kadastik wrote:
> No worries (from the security side). This error means that the SSH daemon cannot start because port 22 is already in use by another program (probably another SSH daemon). So it is likely that you try to start several versions of the SSH daemon, or some program uses port 22 and starts before the SSH daemon.
>
> --Rein
>
> Graham Bentley wrote:
> > My security run output reported
> >
> > mydomain.co.uk login failures:
> > Sep 13 23:43:01 3bsd sshd[2066]: error: Bind to port 22 on 192.168.x.x failed: Address already in use.
> >
> > I don't remember Puttying in last night, and this am there is a problem with the WiFi Access Point?
> >
> > Have I been cracked?