Re: I've been hacked by DevilSoul

2002-01-11 Thread Lars Bahner
On Fri, 2002-01-11 at 05:02, Alan Aldrich wrote: Not sure what all it did, but really played havoc with SSH and some other networking components and is keeping my aventail authentication server from honoring socks requests. Can someone help undo whatever it did or point me to a site that

Re: I've been hacked by DevilSoul

2002-01-11 Thread gyuri
hi alan where are you ??? if in silicon valley... you can be back online within 1hr or so... ( assuming you have data-only backed up prior to the hacker getting ( into your box.. if the [h/cr]acker didn't rm -rf / your machine..you're still online.. - maybe just sniffing your passwds ??? -

Re: I've been hacked by DevilSoul

2002-01-11 Thread Preben Randhol
Angus D Madden [EMAIL PROTECTED] wrote on 11/01/2002 (11:53) : On Fri, Jan 11, 2002 at 05:07:02AM +0100, martin f krafft wrote: you've been hacked - backup - re-mkfs - reinstall - re-config from backup very carefully (i.e. file by file) - restore user data - do some post-mortem with backup

Re: I've been hacked by DevilSoul

2002-01-11 Thread martin f krafft
also sprach Angus D Madden [EMAIL PROTECTED] [2002.01.11.0649 +0100]: agreed. full disk format and reinstall from backup is the only secure option. unless you are running something like tripwire there is no way to tell what the intruder did, and even then ... ... if, only if, you have the
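The point above is that without a pre-compromise baseline there is nothing to compare the disk against. As an added example (not code from the thread, tripwire or Debian), here is a minimal baseline-and-compare tool in the tripwire spirit: it records hash, size, mode, owner and mtime for every regular file, then reports files added, removed or modified. The file tree, its contents and the "trojaned netstat" tampering in `demo()` are constructed for this example. Note that the baseline must live off the compromised host (read-only media, a remote box), since a root-level intruder can rewrite an on-disk one.

```python
"""Minimal file-integrity baseline in the spirit of tripwire/AIDE (added example)."""
import hashlib
import json
import os
import stat
import tempfile
from dataclasses import dataclass, asdict
from typing import Dict


@dataclass(frozen=True)
class Entry:
    sha256: str
    size: int
    mode: int
    uid: int
    gid: int
    mtime_ns: int


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, Entry]:
    """One Entry per regular file under root, keyed by '/'-separated relative path."""
    snap: Dict[str, Entry] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)            # lstat: never follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue                   # devices, sockets, symlinks are out of scope here
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            snap[rel] = Entry(_sha256(path), st.st_size, st.st_mode,
                              st.st_uid, st.st_gid, st.st_mtime_ns)
    return snap


def save_baseline(snap: Dict[str, Entry], path: str) -> None:
    with open(path, "w") as fh:
        json.dump({k: asdict(v) for k, v in snap.items()}, fh, sort_keys=True)


def load_baseline(path: str) -> Dict[str, Entry]:
    with open(path) as fh:
        return {k: Entry(**v) for k, v in json.load(fh).items()}


def compare(baseline: Dict[str, Entry], current: Dict[str, Entry]) -> Dict[str, list]:
    """Added/removed paths, plus (path, [changed fields]) for files present in both."""
    report = {"added": [], "removed": [], "modified": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        elif baseline[rel] != current[rel]:
            before, after = asdict(baseline[rel]), asdict(current[rel])
            report["modified"].append((rel, [f for f in before if before[f] != after[f]]))
    return report


def demo() -> Dict[str, list]:
    """Baseline a throwaway tree, tamper with it the way a rootkit install would, and diff.
    All file contents here are constructed for the example."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data in {
            "bin/ls": b"#!/bin/sh\nexec /usr/bin/ls.real \"$@\"\n",
            "bin/netstat": b"#!/bin/sh\nexec /usr/bin/netstat.real \"$@\"\n",
            "etc/inetd.conf": b"ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd\n",
        }.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        fd, baseline_path = tempfile.mkstemp(suffix=".json")   # kept outside `root`
        os.close(fd)
        try:
            save_baseline(snapshot(root), baseline_path)
            # Trojan netstat so it filters the backdoor port, then put the old mtime back:
            # timestamp restoration fools `ls -l`, but not the hash.
            target = os.path.join(root, "bin", "netstat")
            st = os.stat(target)
            with open(target, "wb") as fh:
                fh.write(b"#!/bin/sh\nexec /usr/bin/netstat.real \"$@\" | grep -v 31337\n")
            os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))
            with open(os.path.join(root, "bin", ".hidden"), "wb") as fh:
                fh.write(b"bindshell\n")
            os.remove(os.path.join(root, "etc", "inetd.conf"))
            return compare(load_baseline(baseline_path), snapshot(root))
        finally:
            os.remove(baseline_path)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run `demo()` and the report names `bin/.hidden` as added, `etc/inetd.conf` as removed and `bin/netstat` as modified on `sha256` and `size` only, with `mtime_ns` unchanged, which is exactly the case a timestamp-only check would miss.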

Re: I've been hacked by DevilSoul

2002-01-11 Thread martin f krafft
also sprach Preben Randhol [EMAIL PROTECTED] [2002.01.11.1543 +0100]: This is not safe at all if you mean reinstall programs too. You should reinstall programs from the net/CD distro and update all programs that have security fixes. yeah sorry, i meant that actually. reinstall debian from

Re: I've been hacked by DevilSoul

2002-01-11 Thread Angus D Madden
On Fri, Jan 11, 2002 at 03:43:11PM +0100, Preben Randhol wrote: agreed. full disk format and reinstall from backup is the only secure This is not safe at all if you mean reinstall programs too. You should reinstall programs from the

Re: I've been hacked by DevilSoul - confusion

2002-01-11 Thread Alvin Oga
hi patrice yup .. silicon valley has nothing to do with getting back online but was intended ...that i could go over and help figure out what happened to the box... before the reinstall ... but never mind... sacramento is not too far away either.. on the way up to go skiing on a fri-weekend..

Re: I've been hacked by DevilSoul

2002-01-11 Thread Jacques Lav!gnotte
On Thu, Jan 10, 2002 at 08:31:00PM -0800, Alvin Oga wrote: - if you think they used a simple/ordinary rootkits... you can try some of the rootkit detectors http://www.chkrootkit.org/ Great tool Got : Searching for t0rn's default files and dirs... Possible t0rn rootkit

Re: I've been hacked by DevilSoul

2002-01-11 Thread Christoph Wegener
Jacques Lav!gnotte wrote: On Thu, Jan 10, 2002 at 08:31:00PM -0800, Alvin Oga wrote: A RootKit was installed, only the sniffer was used... Any idea of what the «default files and dirs» are ? Please see http://www.sans.org/y2k/t0rn.htm Greetz Christoph

Re: I've been hacked by DevilSoul

2002-01-11 Thread Ricardo B
msg.pgp Description: PGP message

Re: I've been hacked by DevilSoul

2002-01-11 Thread Henrique de Moraes Holschuh
On Fri, 11 Jan 2002, Ricardo B wrote: Isn't there a way to turn module loading off (a way that can't be changed back - without rebooting) ? None that cannot be undone if you're root in a non-ACL kernel. It gets hard if the kernel has no module support at all, but not impossible. -- One

Re: I've been hacked by DevilSoul

2002-01-11 Thread martin f krafft
also sprach Ricardo B [EMAIL PROTECTED] [2002.01.11.1804 +0100]: There is no need for a rootkit to reboot the machine in order to hide itself. It can be loaded as a kernel module and then hide all traces of its presence in the system, by overriding the proper system calls and /proc info.

Re: I've been hacked by DevilSoul

2002-01-11 Thread Noah L. Meyerhans
On Fri, Jan 11, 2002 at 05:04:53PM +, Ricardo B wrote: It can be loaded as a kernel module and then hide all traces of its presence in the system, by overriding the proper system calls and /proc info. Isn't there a way to turn module loading off (a way that can't be changed back -

Re: I've been hacked by DevilSoul

2002-01-11 Thread Noah L. Meyerhans
On Fri, Jan 11, 2002 at 10:25:03PM +0100, martin f krafft wrote: i doubt that a kernel module can override the linux kernel filesystem abstraction layer. but i guess it could be possible. Oh, it certainly can! knark is a perfect example of a kernel module to do just this. (knark is

Re: I've been hacked by DevilSoul

2002-01-11 Thread martin f krafft
also sprach Noah L. Meyerhans [EMAIL PROTECTED] [2002.01.11.2240 +0100]: Oh, it certainly can! knark is a perfect example of a kernel module to do just this. (knark is Swedish for drugged.) It allows files, processes, network connections, and network interface promiscuity to be
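A module like knark filters what `readdir("/proc")` returns, so `ps` and `ls /proc` stop seeing the hidden process. One classic counter, the idea behind cross-view detection (chkrootkit carries a helper of this kind), is to ask the kernel the same question two ways: which pids appear in the /proc listing, and which pids answer `kill(pid, 0)`. A pid that answers kill but is missing from the listing is either a thread of a listed process (the Tgid check below filters those) or something hiding. The block is an added example, not code from the thread, knark or chkrootkit; it assumes a Linux /proc and caps the probe at `PROBE_MAX_PID`, an arbitrary limit chosen here to keep the run short. The caveat from the thread still applies: a rootkit that hooks `kill()` as well as the directory listing defeats this, so an empty result proves nothing, while a discrepancy that survives two passes deserves a close look.

```python
"""Cross-view check for processes hidden from /proc (added example)."""
import os
from typing import Callable, List, Optional, Set

PROBE_MAX_PID = 65536   # assumption: probe only this far, to keep the demo fast


def visible_pids() -> Set[int]:
    """Pids the kernel lists in /proc, i.e. the view a rootkit filters."""
    try:
        return {int(n) for n in os.listdir("/proc") if n.isdigit()}
    except FileNotFoundError:       # no procfs (non-Linux): nothing to compare
        return set()


def probed_pids(max_pid: int = PROBE_MAX_PID) -> Set[int]:
    """Pids that exist according to kill(pid, 0). EPERM still means the pid exists."""
    found: Set[int] = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:  # ESRCH: no such process
            continue
        except PermissionError:     # EPERM: exists, owned by someone else
            pass
        found.add(pid)
    return found


def thread_leader(status_text: str) -> int:
    """Tgid from /proc/<pid>/status; threads answer kill() but are not listed in /proc."""
    for line in status_text.splitlines():
        if line.startswith("Tgid:"):
            return int(line.split()[1])
    return -1


def _read_status(pid: int) -> Optional[str]:
    try:
        with open(f"/proc/{pid}/status") as fh:
            return fh.read()
    except OSError:
        return None


def hidden_pids(visible: Set[int], probed: Set[int],
                status_of: Callable[[int], Optional[str]] = _read_status) -> List[int]:
    """Pids that answer kill() yet are absent from the listing and are not threads of a listed process.
    `status_of` is injectable so the logic can be exercised on constructed data."""
    suspects = []
    for pid in sorted(probed - visible):
        status = status_of(pid)
        if status is not None and thread_leader(status) in visible:
            continue                # a thread of a visible process, not hidden
        suspects.append(pid)
    return suspects


def scan(passes: int = 2) -> List[int]:
    """Run the comparison several times and keep only pids flagged every time,
    which drops processes that merely started or exited between the two views."""
    result: Optional[Set[int]] = None
    for _ in range(passes):
        flagged = set(hidden_pids(visible_pids(), probed_pids()))
        result = flagged if result is None else result & flagged
    return sorted(result or [])


if __name__ == "__main__":
    print("hidden pid candidates:", scan())
```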

Hacked too?

2002-01-11 Thread Igor Balusov
I have run chkrootkit and get Checking `bindshell'... INFECTED (PORTS: 31337) What do I need to do? Billy Advertisement: Moscow Calendar Factory - quarterly calendars at the lowest prices. Phone: (8095)254-88-55 http://www.kalendar.r2.ru/ -- To UNSUBSCRIBE, email to

Re: Hacked too?

2002-01-11 Thread martin f krafft
also sprach Igor Balusov [EMAIL PROTECTED] [2002.01.11.2316 +0100]: I have run chkrootkit and get Checking `bindshell'... INFECTED (PORTS: 31337) What do I need to do? reinstall. no, really! unless this is a non-productive system, in which case you are free to try to remove it. but once you

RE: Hacked too?

2002-01-11 Thread Hassard, Stephen
still, I think that one of the first things you should do with your hacked systems is unplug the network cable. the majority of hacks these days are for stepping stones, they don't necessarily care about the data on your PC, but will have other PCs from your. I don't think you really want the FBI

RE: Hacked too?

2002-01-11 Thread Ed Street
I have run chkrootkit and get Anyone have a d/l site for the deb package of this? Ed

RE: Hacked too?

2002-01-11 Thread Igor Balusov
What does this mean: "If you're running PortSentry/klaxon or another program that binds itself to unused ports probably chkrootkit will give you a false positive on the bindshell test (ports .. 31336/tcp, 31337/tcp ...)"? It is from http://www.chkrootkit.org/ Is my PC really hacked or not? How can I

Re: I've been hacked by DevilSoul

2002-01-11 Thread Richard
On Fri, 11 Jan 2002, Noah L. Meyerhans wrote: On Fri, Jan 11, 2002 at 10:25:03PM +0100, martin f krafft wrote: i doubt that a kernel module can override the linux kernel filesystem abstraction layer. but i guess it could be possible. Oh, it certainly can! knark is a perfect

RE: Hacked too?

2002-01-11 Thread Stephen Ryan
On Fri, 2002-01-11 at 17:49, Igor Balusov wrote: What does this mean: If you're running PortSentry/klaxon or another program that binds itself to unused ports probably chkrootkit will give you a false positive on the bindshell test (ports .. 31336/tcp, 31337/tcp ...)? It is from

RE: Hacked too?

2002-01-11 Thread Emmanuel Valliet
(2002-01-12) Igor Balusov said: | What does this mean: | If you're running PortSentry/klaxon or another program that binds itself to | unused ports probably chkrootkit will give you a false positive on the | bindshell test (ports .. 31336/tcp, 31337/tcp ...)? | It is from

RE: Hacked too?

2002-01-11 Thread Igor Balusov
Thanks Stephen, I have run netstat -anp. The result is: 0.0.0.0:31337 0.0.0.0:* 1687/fakebo Really, I have installed fakebo. It is useful. Very often somebody tries to find backdoors on my PC. It helps me to discover them. Billy
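The resolution above is the general recipe for a chkrootkit `bindshell` hit: the test only asks whether a known backdoor port is bound, so the next step is always `netstat -anp` as root to see which process owns the socket. As an added example (not chkrootkit's code or anything from the posts), the block below parses net-tools `netstat -anp` output and gives one verdict per flagged port: a known decoy such as fakebo, PortSentry or klaxon (the three programs the thread names) explains the hit; an unknown owner needs a look; and a bound socket with no owning process shown (`-`) means either netstat was not run as root or the process is hidden. The sample output is constructed around the line Igor posted (1687/fakebo); the port set is illustrative, not chkrootkit's actual list, and only 31336 and 31337 come from the thread. Remember the knark discussion earlier on the page: a kernel-module rootkit can hide the socket from netstat entirely, so this triage can confirm a false positive but cannot prove a clean box.

```python
"""Triage a chkrootkit `bindshell` hit against `netstat -anp` output (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# 31336/31337 are the ports the thread names; the rest are classic backdoor ports
# added here for illustration. This is NOT chkrootkit's actual list.
FLAGGED_PORTS: Set[int] = {1524, 12345, 27374, 31336, 31337}
# Programs that bind decoy ports on purpose (the thread names fakebo, PortSentry, klaxon).
KNOWN_DECOYS: Set[str] = {"fakebo", "portsentry", "klaxon"}


@dataclass(frozen=True)
class Socket:
    proto: str
    local_addr: str
    port: int
    state: str            # empty for udp rows, which have no State column
    pid: Optional[int]    # None when netstat printed "-" (not root, or process hidden)
    program: Optional[str]


def parse_netstat(text: str) -> List[Socket]:
    """Parse the Linux net-tools `netstat -anp` table; header and unix-socket rows are skipped."""
    sockets: List[Socket] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith(("tcp", "udp")):
            continue
        proto, local = parts[0], parts[3]
        state, pidprog = (parts[5], parts[6]) if len(parts) >= 7 else ("", parts[5])
        addr, _, port = local.rpartition(":")      # rpartition copes with IPv6 ':::22'
        m = re.fullmatch(r"(\d+)/(.+)", pidprog)
        pid, prog = (int(m.group(1)), m.group(2)) if m else (None, None)
        sockets.append(Socket(proto, addr, int(port), state, pid, prog))
    return sockets


_SEVERITY = {"investigate": 2, "review": 1, "expected": 0}


def triage(sockets: List[Socket], flagged: Set[int] = FLAGGED_PORTS,
           decoys: Set[str] = KNOWN_DECOYS) -> Dict[int, str]:
    """One verdict per flagged port that has a socket bound; the worst verdict for a port wins."""
    verdicts: Dict[int, str] = {}
    for s in sockets:
        if s.port not in flagged:
            continue
        if s.program is None:
            v = ("investigate: socket bound but no owning process shown; rerun netstat as root, "
                 "and if it is still '-' suspect a hidden process")
        elif s.program.lower() in decoys:
            v = f"expected: decoy {s.program} (pid {s.pid}) explains the chkrootkit hit"
        else:
            v = f"review: owned by {s.program} (pid {s.pid}); check ls -l /proc/{s.pid}/exe"
        old = verdicts.get(s.port)
        if old is None or _SEVERITY[v.split(":")[0]] > _SEVERITY[old.split(":")[0]]:
            verdicts[s.port] = v
    return verdicts


# Constructed sample in `netstat -anp` layout, built around the 1687/fakebo line from the thread.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      412/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      600/exim
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN      1687/fakebo
tcp        0      0 0.0.0.0:31336           0.0.0.0:*               LISTEN      -
udp        0      0 0.0.0.0:31337           0.0.0.0:*                           1687/fakebo
Active UNIX domain sockets (servers and established)
unix  2      [ ACC ]     STREAM     LISTENING     1234   412/sshd             /var/run/x
"""


def demo() -> Dict[int, str]:
    return triage(parse_netstat(SAMPLE_NETSTAT))


if __name__ == "__main__":
    for port, verdict in sorted(demo().items()):
        print(f"{port}: {verdict}")
```

On the sample, 31337 comes back as the expected fakebo decoy and 31336 as "investigate", while sshd and exim on unflagged ports are not mentioned at all.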

Re: Hacked too?

2002-01-11 Thread Ralf Dreibrodt
Sorry but could someone please summarize what the Hacked too? thread is about? someone used a script, which should detect rootkits and it said it found one, although there is probably none. it seems just to check whether a certain port is open. just ignore the thread ;) bye Ralf

Re: Hacked too?

2002-01-11 Thread Uwe Hermann
Hi Ed, On Fri, Jan 11, 2002 at 05:46:58PM -0500, Ed Street wrote: I have run chkrootkit and get Anyone have a d/l site for the deb package of this? apt-get install chkrootkit Uwe. -- Uwe Hermann [EMAIL PROTECTED] [EMAIL PROTECTED] | Unmaintained Free Software:

Socks Squid?

2002-01-11 Thread Josh Frick
Is there any reason that Socks and Squid couldn't or shouldn't be run on the same box? I'd appreciate anyone's advice. Thanks. Sincerely, Josh Frick

/etc/passwd-shell

2002-01-11 Thread \Ivan R.\
hi all! i want a password file without holes. so i have now in /etc/passwd: root with /bin/bash; daemon, bin and sys with /bin/sh; sync with /bin/sync; normal users with /bin/bash; ftp users with /bin/noshell. here i think that's good but i have some questions: what about replacing /bin/sh for man

Re: I've been hacked by DevilSoul

2002-01-11 Thread Dries Kimpe
On Sat, 12 Jan 2002, Richard wrote: On Fri, Jan 11, 2002 at 10:25:03PM +0100, martin f krafft wrote: i doubt that a kernel module can override the linux kernel filesystem abstraction layer. but i guess it could be possible. Oh, it certainly can! knark is a perfect example

Re: Socks Squid?

2002-01-11 Thread Lou Poppler
On Fri, 11 Jan 2002, Josh Frick wrote: Is there any reason that Socks and Squid couldn't or shouldn't be run on the same box? I'd appreciate anyone's advice. Thanks. Be very careful to configure both of these very restrictively. The newest favorite trick of pro spammers is to find

Re: /etc/passwd-shell

2002-01-11 Thread Hubert Chan
Ivan R. writes: hi all! i want a password file without holes. so i have now in /etc/passwd: root with /bin/bash; daemon, bin and sys with /bin/sh; sync with /bin/sync; normal users with /bin/bash; ftp

Re: [d-security] Re: /etc/passwd-shell

2002-01-11 Thread Christian Hammers
On Fri, Jan 11, 2002 at 10:00:32PM -0500, Hubert Chan wrote: So daemon, bin, sys, ftp, www-data, mail, mysql, etc. can probably be set to /bin/false. (Why does Debian not do this by default?) Apart from the ftp users which (sometimes) need their ftp password to be stored in /etc/shadow and
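The thread's advice, collected: system accounts (daemon, bin, sys, www-data, mail, mysql) get /bin/false, sync keeps /bin/sync, and ftp-only users are the awkward case because some ftp daemons consult /etc/shells before letting an account log in, so a shell like /bin/noshell that is absent from that file can lock them out. As an added example (not code from the posts or from Debian), the block below audits an /etc/passwd-style file against those rules and also flags any second uid-0 account, a check worth running on a box you suspect was rooted. The passwd and /etc/shells contents are constructed; the `ftp_accounts` parameter, the names of accounts expected to authenticate over ftp, is an assumption of this example, since passwd alone cannot tell an ftp-only user from a disabled one. An empty shell field is treated as /bin/sh, which is what login does with it.

```python
"""Audit login shells in an /etc/passwd-style file (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Shells that cannot start an interactive session. /bin/false and /bin/noshell are the
# ones named in the thread; /usr/sbin/nologin is the current Debian equivalent.
NON_LOGIN_SHELLS: Set[str] = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin",
                              "/bin/noshell", "/bin/sync"}
SYSTEM_UID_MAX = 999   # Debian allocates system accounts below 1000


@dataclass
class Account:
    name: str
    uid: int
    gid: int
    home: str
    shell: str
    warnings: List[str] = field(default_factory=list)


def parse_passwd(text: str) -> List[Account]:
    """Seven colon-separated fields per line; an empty shell field means /bin/sh to login(1)."""
    accounts: List[Account] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        accounts.append(Account(f[0], int(f[2]), int(f[3]), f[5], f[6] or "/bin/sh"))
    return accounts


def audit(passwd_text: str, shells_text: str,
          ftp_accounts: Set[str] = frozenset()) -> Dict[str, List[str]]:
    """Return {account: [warnings]} for every account with at least one finding."""
    valid_shells = {l.strip() for l in shells_text.splitlines()
                    if l.strip() and not l.startswith("#")}
    findings: Dict[str, List[str]] = {}
    for a in parse_passwd(passwd_text):
        interactive = a.shell not in NON_LOGIN_SHELLS
        if a.uid == 0 and a.name != "root":
            a.warnings.append("uid 0 account other than root")
        if a.uid <= SYSTEM_UID_MAX and a.name != "root" and interactive:
            a.warnings.append(f"system account with interactive shell {a.shell}; consider /bin/false")
        if a.name in ftp_accounts and a.shell not in valid_shells:
            a.warnings.append(f"ftp account shell {a.shell} is not in /etc/shells; "
                              "ftp daemons that check it will refuse the login")
        if a.warnings:
            findings[a.name] = a.warnings
    return findings


# Constructed sample modelled on the layout Ivan described, plus a planted second uid-0 account.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/bin/false
mysql:x:101:103:MySQL Server:/var/lib/mysql:/bin/false
ivan:x:1000:1000:Ivan R.:/home/ivan:/bin/bash
ftpuser:x:1001:1001::/home/ftp/ftpuser:/bin/noshell
toor:x:0:0::/root:/bin/bash
"""
SAMPLE_SHELLS = "# /etc/shells: valid login shells\n/bin/sh\n/bin/bash\n"


def demo() -> Dict[str, List[str]]:
    return audit(SAMPLE_PASSWD, SAMPLE_SHELLS, {"ftpuser"})


if __name__ == "__main__":
    for name, warnings in demo().items():
        for w in warnings:
            print(f"{name}: {w}")
```

On the sample, daemon, bin and sys are flagged for /bin/sh, toor for being a second uid 0, ftpuser because /bin/noshell is missing from /etc/shells, while root, sync, www-data, mysql and ivan produce nothing.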

Unidentified subject!

2002-01-11 Thread bastr
unsubscribe

Re: I've been hacked by DevilSoul

2002-01-11 Thread Patrice Neff
[EMAIL PROTECTED] writes: if in silicon valley... you can be back online within 1hr or so... What does Silicon Valley have to do with the time to getting back online? - maybe just sniffing your passwds ??? - maybe using it to hack other boxes ?? Oh if it's not more... ;-) - you need

RE: Hacked too?

2002-01-11 Thread dude
Sorry but could someone please summarize what the Hacked too? thread is about? just got back into town and not making sense of the thread that i read in the archives Thankx

Re: Socks Squid?

2002-01-11 Thread Josh Frick
Lou Poppler wrote: On Fri, 11 Jan 2002, Josh Frick wrote: Is there any reason that Socks and Squid couldn't or shouldn't be run on the same box? I'd appreciate anyone's advice. Thanks. Be very careful to configure both of these very restrictively. The newest favorite trick of pro