Re: Hacked server
Adding to what's been said so far (and if I'm repeating, please consider it "double emphasis" :-) I'd recommend:

1. Do not run anything not needed on the server. Make sure to look not only at the system services level but at the service level itself, e.g. run on the web server only what you need on it. I had a server hacked through some exploit in the OpenWebMail application, revealed two weeks before the break-in. This web mail application was only being tested at the time, with no plans for implementation, but I still left it on the system... If you do not need PHP, for example, remove/disable it altogether. If you do, carefully refer to security guides on the net. Yes, it's all quite time-consuming.

2. You must subscribe yourself to mailing lists dealing with security issues to get advisories on time (see (1) above for the reason). The minimum is your distro's (every distro has one), but I wouldn't settle for this only; subscribe also to mailing lists about the services on your system (again, system-level services and more granular services like web applications and other stuff you have on this server).

Boaz.

Ori Idan wrote:
> A server I managed was hacked by a Libyan hacker.
> The only thing he did was changing the index.html of some web sites.
>
> The server is based on Fedora Core 2 running:
> httpd
> sendmail
> bind
> proftp (through xinetd)
> ssh
>
> Any ideas how he could have done it?
> What should I do to prevent such hacks in the future?
>
> --
> Ori Idan

=
To unsubscribe, send mail to [EMAIL PROTECTED] with the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]
Re: adding a third SATA drive
On Thursday 05 April 2007 09:26, Noam Meltzer wrote:
> On 4/5/07, Shlomo Solomon <[EMAIL PROTECTED]> wrote:
> > QUESTION #3 - While GOOGLing for this, I found some mentions of EVMS. I seem
> > to remember that on a previous version of Mandriva I had disk-access problems
> > until I un-installed EVMS. But now, I see that it's installed on my system.
> > Do I need it and if so, why?
>
> AFAIK, EVMS stands for Enterprise Volume Management System. It is some
> open-source project targeted at providing the sysadmin a consolidated way to
> manage all the storage devices he has, no matter what technology is used to
> administer them (LVM / MD / etc.).
> I played around with this tool once, and as far as I recall, it takes
> advantage of device-mapper in the process, though I can't remember how.

<< snip snip >>

> Bottom line, disabling device-mapper in some kernel hack did the
> trick. Just be aware that if you run 'depmod -a' it will not sustain. (Same
> goes for a kernel upgrade.)
> The best way is to understand where it is configured that your sdc devices
> should be managed by device-mapper. (A recursive grep on /etc is a good
> start.)
>
> Device mapper gives you the flexibility to manage your devices in an easier
> way. It is modular and robust (bla bla). It can be used to encrypt your
> devices, have LVM over them, and many other neat features. Anyhow, I don't
> think that any of these "robust" features are speaking to you, because you
> chose to partition all your disks into very small parts in a very
> "hardcoded" way.
>
> - Noam

As I wrote earlier, Noam pointed me in the right direction and I got all partitions mounted. However, he was also correct that:

1 - the link he pointed me to (it suggested commenting out some lines in modules.dep) was only a temporary hack
2 - on my system, I probably don't need device-mapper

BUT, uninstalling dmsetup in Mandriva is apparently non-trivial, so I did a bit more research and decided to uninstall evms instead.

I'm happy to say that this solved the problem. Again, thanks to all who helped, and of course especially to Noam who pointed me in the right direction.

--
Shlomo Solomon
http://the-solomons.net
Sent by KMail (KDE 3.5.4) on LINUX Mandriva 2007
Re: Hacked server
sendmail & bind are also bad for your mental health. Consider normal alternatives, or if you want to make sure no one is hacking your system through them, switch to qmail and djbdns.

You will also need to install everything from scratch (and I suggest you init. your BIOS as well).

If you want to do real forensics, you'll need to freeze the system, and stop touching anything there. Not sure it'll help you a lot (you already know that the guy is from Libya, and I'm not sure you can ask the Libyan police to arrest him for that).

just my 2 euro cents,
Orr.

On 4/7/07, Ori Idan <[EMAIL PROTECTED]> wrote:
> A server I managed was hacked by a Libyan hacker.
> The only thing he did was changing the index.html of some web sites.
>
> The server is based on Fedora Core 2 running:
> httpd
> sendmail
> bind
> proftp (through xinetd)
> ssh
>
> Any ideas how he could have done it?
> What should I do to prevent such hacks in the future?
>
> --
> Ori Idan

--
Orr Dunkelman, [EMAIL PROTECTED], [EMAIL PROTECTED]

"Any human thing supposed to be complete, must for that reason infallibly be faulty" -- Herman Melville, Moby Dick.

Spammers: http://vipe.technion.ac.il/~orrd/spam.html

GPG fingerprint: C2D5 C6D6 9A24 9A95 C5B3 2023 6CAB 4A7C B73F D0AA
(This key will never sign Emails, only other PGP keys.)
Re: Hacked server
On Sunday, 8 April 2007 00:33, Ori Idan wrote:
> A server I managed was hacked by a Libyan hacker.
> The only thing he did was changing the index.html of some web sites.
>
> The server is based on Fedora Core 2
> running:
> httpd
> sendmail
> bind
> proftp (through xinetd)
> ssh
>
> Any ideas how he could have done it?

Based on your description, and on Internet statistics, I'd say:

1. Flawed PHP based application or code (photo album, forum, etc.)
2. Flawed flash application (chat server)
3. Buggy apache.

> What should I do to prevent such hacks in the future?

Run a supported release of the OS. Be careful what webapps you run on your web server. Keep them up-to-date. Try running them (including the web server itself) in a chroot. While this won't help if your app is broken, at least the attacker will be locked into a chrooted environment.

Audit your server, run tripwire and look at the daily logs for binaries or files that were changed.

Read online and printed material about basic system administration and security practices. Based on your questions, you need an overall understanding of how to run a system in a secure manner.

--Ariel

--
Ariel Biener
*.il EFnet Admin
PGP: http://www.tau.ac.il/~ariel/pgp.html
Re: Hacked server
On 08/04/07, Josh Zlatin-Amishav <[EMAIL PROTECTED]> wrote:
> On Sun, 8 Apr 2007, ik wrote:
> > I suggest, that you should scan for full open ports on your web site
> > (all the port range), to see if that person has an open "shell" on
> > your account.
>
> Good advice, though the (possible) open shell might just be running on
> port 80/443 (i.e. a php shell) which is already open and behind a firewall.

IMHO, if at all possible he should wipe the entire disk and re-install the system (including the boot record and stuff "outside the filesystem address range"). Short of that he will always be worried that there is yet another present left behind by the cracker.

I've been through such a situation many years ago, with a very low budget, so everything was hosted on the same box and the managers were too cheap to buy a separate firewall machine; we kept being cracked by a script kiddy and I didn't know where to start patching the holes he exploited (and probably new ones he opened for himself). Without being able to re-install the system he just kept coming in despite all the cleanups.

These days it's a matter of how much? 300$ and a day's work to put up an extra temporary server while you re-install the main one? Most desktops are strong enough to host web sites so you might not even have to buy dedicated server hardware.

--Amos
Re: Nokia E61 Linux syncing
On 07/04/07, Gil Freund <[EMAIL PROTECTED]> wrote:
> Hi,
> I am considering buying a Nokia e61 phone, and would appreciate any note
> on syncing the thing with Linux (more specifically Kontact, FireFox or
> Evolution).
> Any experience?

Not sure how much this is relevant, but I've been tracking the following kernel bug report for a few months now, with various patches being suggested and found to be partial or not to fix the problem. You might want to search about this further before committing to a new Nokia phone:

http://bugzilla.kernel.org/show_bug.cgi?id=7201

This bug is of concern to me because disconnecting my 6280 from the Debian Etch kernel (now 2.6.18) causes some OOPSes and sometimes can crash it. Apparently this is a well known issue with several Nokias (my cousin's 6288 just turns off after a few seconds on the USB link).

--Amos
Re: Hacked server
On Sun, 8 Apr 2007, ik wrote:
> I suggest, that you should scan for full open ports on your web site
> (all the port range), to see if that person has an open "shell" on
> your account.

Good advice, though the (possible) open shell might just be running on port 80/443 (i.e. a php shell) which is already open and behind a firewall.

--
- Josh
Re: Hacked server
On 08/04/07, Josh Zlatin-Amishav <[EMAIL PROTECTED]> wrote:
> On Sun, 8 Apr 2007, Ori Idan wrote:
> > What should I do to prevent such hacks in the future?
>
> There are lots of things you can do, like keep software up to date, remove
> unneeded services, audit web applications for flaws (though I am kind of
> partial to the last one ;)

Sticking to supported versions is rule number one in production networks (and plan ahead to switch to a later version well before the current one you use gets EOL'ed). As far as I'm aware FC is just a beta for RedHat and I'm not even sure they promise to issue security patches for it. By "supported" I mean that the distro vendor promises to track the relevant security vulnerabilities in the included software and issue patched packages in a timely manner.

Keeping services jailed would help too (even a simple chroot could help here) and generally segregated: minimizing the amount of code running as root, possibly running web apps in their own user id, having firewalls on the server in addition to the network firewalls.

Preparing to be able to re-build the machine from scratch (not just backups, but an automatic way to install the OS, all necessary packages and configuration files) would also help you just re-install a compromised system, because you can never know what easter egg your friendly neighborhood hacker has left behind. (Again, I'm not quite familiar with FC or RH but Debian makes all these suggestions uber easy.)

Lots more, depending on particular setup.

--Amos
Re: Hacked server
You could do a few things:

1. apt-get dist-upgrade (or yum upgrade), or better, move to a stable distribution like CentOS. That way you'll have security fixes for at least 5 years. DO NOT use Fedora on any server which offers services outside.

2. Have some logs emailed to you from the server on a daily basis (crontab). By default, Redhat/CentOS/Fedora does this automatically, but you can enhance it to pack a few log files and email them to you as .tar.bz2, for example. That way you could check what's going on, to see who entered when etc. (logs like ssh, httpd, sendmail). Usually when you compress text files they become small, so the email wouldn't be really big.

3. Make sure your iptables/firewall settings will only let specific needs through and nothing else comes in. nmap is your friend to check, along with stuff like SAINT etc. If you don't know firewall settings well, just ask here. I'm sure someone would happily assist you with it.

4. Have a cron script that will backup your web server stuff nightly. If you don't have a tape backup or spare space for backup, then pack the essential parts and use the script to email it to you (a GMail account can hold almost 3 gigs, so you can save the backup there).

5. You can use applications like TripWire to detect if something changed, or you can simply do a simple MD5 check for your static pages, and if something goes wrong, it could email/SMS/send-a-pigeon to notify you :)

Hope this helps,
Hetz

On 4/8/07, Ori Idan <[EMAIL PROTECTED]> wrote:
> A server I managed was hacked by a Libyan hacker.
> The only thing he did was changing the index.html of some web sites.
>
> The server is based on Fedora Core 2 running:
> httpd
> sendmail
> bind
> proftp (through xinetd)
> ssh
>
> Any ideas how he could have done it?
> What should I do to prevent such hacks in the future?
>
> --
> Ori Idan

--
Skepticism is the lazy person's default position.
Visit my blog (hebrew) for things that (sometimes) matter: http://wp.dad-answers.com
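The "simple MD5 check for your static pages" from item 5 above, written out as an added example (not code from the thread or from any poster). It uses sha256sum rather than md5sum and assumes GNU coreutils/findutils (find -print0, sort -z, xargs -0 -r); the cron line and mail address in the trailing comment are placeholders.

```shell
#!/bin/sh
# Baseline-and-compare integrity check for a static web root (added example,
# not from the thread). make_baseline records a sha256 of every regular file;
# check_baseline re-hashes and reports MODIFIED / ADDED / REMOVED paths, so a
# replaced index.html or a dropped-in extra file shows up in the daily mail.
# Assumptions: GNU coreutils sha256sum plus find/sort/xargs with -print0/-z/-0.
# Paths containing whitespace are not handled (the listing is split on spaces).

# make_baseline WEBROOT OUTFILE
# Writes sorted "hash  ./relative/path" lines to OUTFILE. Keep OUTFILE off the
# web root (and ideally off the box) so an intruder cannot just re-baseline.
make_baseline() {
    mb_root=$1; mb_out=$2
    ( cd "$mb_root" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum ) > "$mb_out"
}

# check_baseline WEBROOT BASELINE
# Prints one line per difference. Exit status: 0 unchanged, 1 differences
# found, 2 when the baseline is missing or empty.
check_baseline() {
    cb_root=$1; cb_base=$2
    if [ ! -s "$cb_base" ]; then
        echo "check_baseline: no usable baseline at $cb_base" >&2
        return 2
    fi
    cb_now=$(mktemp); cb_diff=$(mktemp)
    make_baseline "$cb_root" "$cb_now"
    # awk reads the baseline first (NR==FNR), then the fresh listing;
    # $1 is the hash, $2 the ./relative path.
    awk 'NR==FNR { old[$2]=$1; next }
         { seen[$2]=1
           if (!($2 in old))       print "ADDED", $2
           else if (old[$2] != $1) print "MODIFIED", $2 }
         END { for (p in old) if (!(p in seen)) print "REMOVED", p }' \
        "$cb_base" "$cb_now" > "$cb_diff"
    cb_rc=0
    if [ -s "$cb_diff" ]; then
        cat "$cb_diff"
        cb_rc=1
    fi
    rm -f "$cb_now" "$cb_diff"
    return $cb_rc
}

# Typical daily cron use (placeholder paths/address), mailing only on a change:
#   check_baseline /var/www/html /root/www.sha256 > /tmp/www.diff \
#       || mail -s "web root changed" you@example.com < /tmp/www.diff
```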
Re: Hacked server
Indeed a remote exploit in the services is possible, and of course each service can have a remote exploit... However, I'd be trying to eliminate the less-uber-cool-hacker possibilities:

a. Bad local user (Bad user! spank him..)
b. SSH remote login using a weak password which was just guessed ("test123". Bad user again!).

Also try to check for root kits...

- Oren

Ori Idan wrote:
> A server I managed was hacked by a Libyan hacker.
> The only thing he did was changing the index.html of some web sites.
>
> The server is based on Fedora Core 2 running:
> httpd
> sendmail
> bind
> proftp (through xinetd)
> ssh
>
> Any ideas how he could have done it?
> What should I do to prevent such hacks in the future?
>
> --
> Ori Idan
Re: Hacked server
I suggest, that you should scan for full open ports on your web site (all the port range), to see if that person has an open "shell" on your account.

Regardless of that, please look for known vulnerabilities for the versions of every server on the machine, and also, if the server runs any dynamic web apps, you should see if they do not have any problems.. (404 and any other error messages can give you a clue for what they were looking for).

Anyway, I recommend you to install (from a clean install rather than an update, because you do not know all the things that the attackers did) a newer version, such as fc 6... or something better such as Debian ;)

Ido

On 4/8/07, Ori Idan <[EMAIL PROTECTED]> wrote:
> A server I managed was hacked by a Libyan hacker.
> The only thing he did was changing the index.html of some web sites.
>
> The server is based on Fedora Core 2 running:
> httpd
> sendmail
> bind
> proftp (through xinetd)
> ssh
>
> Any ideas how he could have done it?
> What should I do to prevent such hacks in the future?
>
> --
> Ori Idan

--
http://ik.homelinux.org/
Re: Hacked server
On Sun, 8 Apr 2007, Ori Idan wrote:
> A server I managed was hacked by a Libyan hacker.
> The only thing he did was changing the index.html of some web sites.
>
> The server is based on Fedora Core 2 running:
> httpd
> sendmail
> bind
> proftp (through xinetd)
> ssh
>
> Any ideas how he could have done it?

The httpd log files should have some clues. Without knowing the versions of software you're running it's hard to say if there are known vulns with the software you're running, let alone unpublished flaws. What kind of web applications are running?

> What should I do to prevent such hacks in the future?

There are lots of things you can do, like keep software up to date, remove unneeded services, audit web applications for flaws (though I am kind of partial to the last one ;)

--
- Josh
Re: Hacked server
Ori Idan wrote:
> A server I managed was hacked by a Libyan hacker.
> The only thing he did was changing the index.html of some web sites.
>
> The server is based on Fedora Core 2

Didn't Fedora stop releasing security updates for this version a long time ago?

--
Lior Kaplan
[EMAIL PROTECTED]
http://www.Guides.co.il
Hacked server
A server I managed was hacked by a Libyan hacker.
The only thing he did was changing the index.html of some web sites.

The server is based on Fedora Core 2 running:
httpd
sendmail
bind
proftp (through xinetd)
ssh

Any ideas how he could have done it?
What should I do to prevent such hacks in the future?

--
Ori Idan
Re: FOSS accounting software
On Fri, Apr 06, 2007 at 11:53:45PM +0300, Dan Armak wrote:
> On Friday 06 April 2007, Geoffrey S. Mendelson wrote:
> > I have a philosophical question. With open source software how do you
> > make sure that the copy you are running was not modified to send
> > your accounting data to some "data collection" site?
>
> You seem to be implying that there's a way to do this with proprietary
> software that doesn't work for free software. Is there?

No, but there is a much greater risk of it happening with open source software.

First of all, the probability in the real world of someone being able to verify the source code is "clean" is not very large. Few people can actually read source code to the point that a hidden exploit is not present. Even those that can, rarely do so. Have you looked at the source code for any of the open source applications you run? Not little bits here and there, but the entire "program"?

With open source software it becomes much easier for an unscrupulous person to modify the downloadable source code or create a mirror of the compiled program with a bug. There was for example a trojan placed in one of the more common TCP/IP utilities (I forget which it was, either traceroute or tcpdump) and it even made it to a few distributions of various operating systems.

With closed source programs where the source code and the distribution of compiled programs is tightly controlled, the skill level required of a person modifying it for nefarious purposes is much higher.

> You can make sure the source code being compiled is the same, because it's
> usually signed. So you're saying the binary's correct behavior can't be
> deduced from an inspection of the source code followed by a test of a
> separately compiled binary on a system similar to yours (where the distro's
> packages are built).

Yes. It can not. It can be verified to perform within the parameters of a test, but it can not be verified to NOT perform outside of those parameters.

In fact many programs do just that: compilers have been known to recognize benchmarks and substitute special code; the Intel C compiler recognizes usages in the Linux kernel of GCC bugs and produces incorrect code, but the same as GCC; and so on.

Changing checksums to match modified code is a time-honored hacking method; I know of it being done in the 1960s and it was probably done years before.

I once hid a hand-crafted date check routine in the DATA portion of a Fortran program. It was assembled from data statements and then executed. Unless you knew the appropriate machine code and were a Fortran whiz, you never would spot it. Doing such a thing now with C or PERL would be simple.

> But if you don't trust your compiler to build correct code, or your distro's
> packaging process to catch backdoors, then how can you trust your libc or
> kernel? It's a lot bigger problem than whether some accounting software is
> duly certified.

I normally don't care. I don't keep anything on a computer that is that sensitive. I am also not an auditor making sure that software performs as required by law and does not contain other unwanted code. I have been in the past, but am not now.

> > Using computer programs to steal money or hide income from the tax
> > authorities is not a new or uniquely Israeli concept.
>
> How do they check this today, for proprietary apps running on Windows? Do they
> have remote root access to your machine to make sure you're running the
> software you claim you are? Are they planning on using TPMs with RA?

I have no idea. I can only assume they run some sort of virus/spyware detection program against it and then verify the actions are correct. For example, once committed, records can not be modified. Not an easy thing to lock in an open source program with an external database.

> More importantly, why can't they get as much information by verifying the data
> your app submits? After all, even with a duly certified and unmodified app
> the user still controls the input. The app has no more knowledge than is
> contained in its output. If I needed to mangle the input data to hide income,
> and the mangling was so complex a human couldn't do it, I'd write a separate
> app to do that.

True, but these apps are designed to be used by people with bookkeeping certification, not trained programmers. The concept behind them is that you enter the data, and once you verify that it is correct, it can not be changed. Then usual accounting practices are applied and checked.

BTW, hiding income is probably the last thing they care about. One can hide income in many ways without a computer program. They are more likely interested in expenses. All expenses are logged, and none of it "disappears".

Geoff.

--
Geoffrey S. Mendelson, Jerusalem, Israel [EMAIL PROTECTED] N3OWJ/4X1GM
IL Voice: (07)-7424-1667 Fax ONLY: 972-2-648-1443 U.S. Voice: 1-215-821-1838
Visit my 'blog at http://geoffstechno.livejournal.com/
Re: VMWare and native Windows XP
http://www.vmware.com/support/ws3/doc/ws32_disks8.html

Have fun :)

Valery Reznic wrote:
> Good day.
>
> I have a dual-boot computer with Linux on one partition
> (sda1) and WinXP on the other (sda2).
>
> Linux has VMware installed.
> (VMware-server-1.0.2-39867)
>
> Now, I want to boot into Linux, and from VMware run
> Windows, installed in sda2.
> VMware-server allows specifying a whole disk or partition
> to be the disk for a virtual machine.
> I specify it. And try to boot the VM. To my surprise I get
> the grub boot loader, select Windows, and Windows begins to
> boot and then fails.
> Windows was installed on a (native) SATA drive, and
> VMware makes Windows think the drive is LSI, which was not
> installed in the first place.
> In Linux adding modules
> mptbase.ko
> mptscsih.ko
> mptspi.ko
> to the initrd can solve the problem.
>
> Is there a way to achieve the same on Windows, i.e. boot
> Windows, which was installed "native", under VMware?
>
> Valery

--
Gadi Cohen aka Kinslayer <[EMAIL PROTECTED]>
www.wastelands.net
Freelance admin/coding/design
HABONIM DROR linux/fantasy enthusiast
KeyID 0x93F26EF5: 256A 1FC7 AA2B 6A8F 1D9B 6A5A 4403 F34B 93F2 6EF5
Nokia E61 Linux syncing
Hi,
I am considering buying a Nokia e61 phone, and would appreciate any note on syncing the thing with Linux (more specifically Kontact, FireFox or Evolution).
Any experience?

--
Gil Freund, Systems Analyst
--- Sysnet consulting
[EMAIL PROTECTED], http://www.sysnet.co.il
voice: +972-54-2035888, Fax: +972-8-9356026
Re: Performance monitoring for selected process
Hi again,

Just to make myself clear, Valgrind and Vtune are different. Valgrind has the memory cache profiler "Cachegrind" and "Callgrind", so it can be used for that purpose. I must confess that I use Valgrind mainly for memchecks, and vtune to gain speed. Regarding oprofile, I am not familiar with the tool, but I will try it.

Baruch, thanks for the correction,
Yaron

- Original Message -
From: "Baruch Even" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Cc: "Maxim Veksler" <[EMAIL PROTECTED]>, "Linux-IL,"
Sent: 07:32:48 (GMT+0200) Asia/Jerusalem Saturday 7 April 2007
Subject: Re: Performance monitoring for selected process

* [EMAIL PROTECTED] <[EMAIL PROTECTED]> [070406 20:25]:
> Hi again,
>
> As a developer I would start to work with tools like vtune (in case of
> c/c++).
> The open sourced tool that I know is "valgrind" but Vtune is my
> first choice. VTune is an Intel tool that uses special Intel hardware
> features that help you do just that.

Valgrind and vtune are completely different beasts. The equivalent in Linux to Vtune is oprofile; it also uses the performance counters to do statistical profiling of the system.

Baruch
Re: Performance monitoring for selected process
Hi Baruch,

From its second major version, Valgrind has been equipped with a profiling tool. Although I tested this tool only several times, I think it might be handy. See http://valgrind.org/info/about.html

"Valgrind can help you speed up your programs. With Valgrind tools you can also perform very detailed profiling to help speed up your programs."

and..

"As for Valgrind's profiling tools, use those whenever you want information about how your program is spending its time, or you want to speed it up."

Best regards,
Yaron Kahanovitch

- Original Message -
From: "Baruch Even" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Cc: "Maxim Veksler" <[EMAIL PROTECTED]>, "Linux-IL,"
Sent: 07:32:48 (GMT+0200) Asia/Jerusalem Saturday 7 April 2007
Subject: Re: Performance monitoring for selected process

* [EMAIL PROTECTED] <[EMAIL PROTECTED]> [070406 20:25]:
> Hi again,
>
> As a developer I would start to work with tools like vtune (in case of
> c/c++).
> The open sourced tool that I know is "valgrind" but Vtune is my
> first choice. VTune is an Intel tool that uses special Intel hardware
> features that help you do just that.

Valgrind and vtune are completely different beasts. The equivalent in Linux to Vtune is oprofile; it also uses the performance counters to do statistical profiling of the system.

Baruch