Re: hard disk failure - now what?
First, thanks to everyone for the really great replies. Many suggestions were quite helpful and have kept me on track. I'll quote a couple of people and then add some comments below.

On Mon, Aug 24, 2009 at 4:32 PM, Roland Smith wrote:

> It _could_ just be a bad or improperly connected SATA cable. Try changing or
> re-seating the cable.

I thought of that too, but no luck.

> Read errors cannot damage your data, but write errors can! Immediately stop
> all writing to the disk. Re-mount the partitions on that disk as read-only, or
> unmount them.

That was a consensus among everyone who replied, so I made that step #1. I mounted the partitions read-only and crossed my fingers. Trying to check the integrity of the data, or even get directory listings, was another matter, as I got various strange errors... which told me I quite likely had some data loss.

> To see if a disk really is broken, install sysutils/smartmontools, and run
> 'smartctl -a' on the disk. If you see errors in its report (e.g. reallocated
> sectors), the disk is dying and should be unplugged to prevent it from getting
> worse.

That's a good idea and I'll try to use it in the future. After plugging the drive in and accessing it, I heard those tell-tale signs of hard drive failure: clicks and pops and other unusual noises, so I know that it has some damage. I hate those sounds, having heard them on failing drives too many times before.

>> My question: what kind of checks and/or repair tools should I run on
>> the damaged drive after it's mounted?
>
> As others have mentioned, first make a copy (with the disk unmounted) of the
> partitions on that disk with dd, saving them to another drive. That way you
> can experiment with the data without further deterioration of the
> original.

I ran dd and it took over 20 hours to complete. In fact it just finished this evening, after running all day. Lots of FAILURE errors were reported along the way, enough to fill two console screens or more.

And of course to complicate things I didn't have a spare drive as an output device that was the *same size*, so I used a smaller drive thinking that it wouldn't matter since the source drive wasn't full anyway. I have no idea if data is scattered around on the FFS filesystem such that cloning a mostly empty, larger drive onto something smaller might lose data... I searched Google and couldn't find the answer, so I proceeded anyway. It doesn't matter now though, as I have a new drive now and another plan.

> You can use this disk image e.g. as a vnode-backed memory disk, see
> mdconfig(8). If you cannot get a good copy of the disk partitions it might be
> a good idea to get a quote from a professional hard drive data recovery
> company to do that for you. I've never had occasion to try this (hooray for
> backups) but I've heard it can be quite expensive. :-/

I'm going to try dd a second time, but this time I'll use ddrescue as some people suggested and I'll make the target drive an identical-sized 500 Gbyte drive, which I purchased today. I imagine it will take a long time to create this cloned disk... hopefully with fewer errors than dd gave me, though we'll see.

> Try using fsck_ffs on (copies of) the disk image to see if that can restore
> the damage. If the damage is beyond repair for fsck_ffs, you have a real
> problem. Of course if you have a good disk image, your data is still
> there, but you might have to use a forensics program like sysutils/sleuthkit
> or hexdump to try and piece files together. And even then you cannot be sure
> that there is no corrupted data in the files themselves. Good luck with that.
> :-(

Indeed some of the partitions seem to be beyond repair. In particular my /var partition is totally fubar'ed.

When using fsck_ffs I got all sorts of errors when trying to repair the partition, things like:

BAD SUPER BLOCK: VALUES IN SUPER BLOCK DISAGREE WITH THOSE IN FIRST ALTERNATE

So I used the -b option suggested in the man page, "fsck_ffs -y -b 160 /dev/ad0s1d", and it ran and fixed a few things, but then stopped with the following error:

fsck_ufs: cannot alloc 4294967292 bytes for inoinfo

The worst part of all is that the /var partition would normally be okay to lose if it didn't have my MySQL database on it - the most important data on the server. I just about choked down a golf ball when I discovered my /var partition was in such rough shape and I might be forced to use real recovery tools, or hire a professional for $$$, or be out-of-luck. MySQL databases are normally stored in /var/db/mysql.

But then I remembered my MySQL server was actually running in a Jail environment, and therefore it was located at /usr/jails/myjail/var/db/mysql instead of /var/db/mysql, and therefore the jailed MySQL database was on a totally different partition. Lucky! And I was also very lucky that I could mount the large /usr partition in read-only mode and copy off the most critical files I needed, starting with the database. No errors on that part o
nxclient connection failure
Hi all,

Not sure if this is the correct forum. If so, kindly point to the appropriate mailing list.

Connecting from nxclient on freeBSD to nxserver on RHEL fails with the following errors:

Info: Proxy running in client mode with pid '1330'.
Session: Starting session at 'Tue Aug 25 20:42:56 2009'.
Error: Failed to set TCP_NODELAY flag on FD#10 to 1. Error is 22 'Invalid argument'.
Warning: Connected to remote NXPROXY version 3.3.0 with local version 2.1.0.
Warning: Consider checking http://www.nomachine.com/ for updates.
Info: Synchronizing local and remote caches.
Info: Handshaking with remote proxy completed.
Warning: Failed to set IPTOS_LOWDELAY flag on FD#10. Error is 92 'Protocol not available'.
Error: Failed to set TCP_NODELAY flag on FD#10 to 1. Error is 22 'Invalid argument'.
Info: Using ADSL link parameters 512/24/1/0.
Info: Using cache parameters 4/4194304/8192KB/8192KB.
Info: Using image streaming parameters 50/128/1024KB/2048/256.
Info: Using image cache parameters 1/1/32768KB.
Info: Using pack method '16m-jpeg-7' with session 'unix-gnome'.
Info: Using product 'LFE/None/LFEN/None'.
Info: Using ZLIB data compression 1/1/0.
Info: Using ZLIB stream compression 4/4.
Info: No suitable cache file found.
Info: Listening for font server connections on port '11014'.
Session: Session started at 'Tue Aug 25 20:42:56 2009'.
Error: Failed to set TCP_NODELAY flag on FD#15 to 1. Error is 22 'Invalid argument'.
Session: Terminating session at 'Tue Aug 25 20:42:56 2009'.
Info: End of NX transport requested by signal '15'.
Warning: Parent process appears to be dead. Exiting keeper.

Any help would be appreciated.

Thanks
sandeep

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Trying to make a mirror for a disconnected lab
I'm planning to build a "lab" of perhaps 15 freebsd machines. Not only do I want to be a good sysadmin and only download what I need, but another issue is that these machines will live on a network that will not have a reliable connection to the internet. Therefore I want to build a mirror of parts of ftp.freebsd.org so that the lead machine (for each of 2 architectures) can build packages for the other machines to install.

I think that if I mirror:

ports/distfiles
releases//-RELEASE

then I think I will be able to install FreeBSD on each machine and build packages of anything from ports that I want to install on all the machines. And then for each individual machine set PKG_PATH to be the nfs served location from the main server.

Therefore to make my mirror, I have a rsync filter file that looks something like this:

+ /ports/
+ /ports/distfiles/
+ /ports/distfiles/*
+ /releases/
+ /releases/i386/
+ /releases/i386/7.2-RELEASE/
+ /releases/i386/7.2-RELEASE/*
+ /releases/i386/7.2-RELEASE/base/
+ /releases/i386/7.2-RELEASE/base/*
etc.
- *

Hopefully, someone can give me confidence that this is a reasonable plan? Or am I going about this wrongheadedly?

I have a question:

Q. ports/distfiles contains tarballs of multiple versions of each software; I assume that I only need one version of each tarball. And since this mirror as described comes to ~100GiB, how can I modify my rsync filter so I don't get anything more than either the latest tarball for each software package in distfiles or whichever version accords to the Makefiles provided by ports.tgz

Hopefully some of this detail will be of help to someone else in a similar position.

--
Duncan Hutty
Re: howto alias a stty erase?
If you use sh or bash, you can add to .profile or .bash_profile:

stty erase ^h

That should do it. Type the caret (^) and (h).

On Aug 25, 2009, at 6:30 PM, Gary Kline wrote:

> is there a way of setty'ing "stty erase" to [backspace key"? pretty sure that is the delete key. i'm tired of having to hand set it every time when i use the Konsole term.
>
> thanks,
>
> gary
>
> --
> Gary Kline kl...@thought.org http://www.thought.org Public Service Unix
> http://jottings.thought.org http://transfinite.thought.org
> The 5.67a release of Jottings: http://jottings.thought.org/index.php
howto alias a stty erase?
is there a way of setty'ing "stty erase" to [backspace key"? pretty sure that is the delete key. i'm tired of having to hand set it every time when i use the Konsole term.

thanks,

gary

--
Gary Kline kl...@thought.org http://www.thought.org Public Service Unix
http://jottings.thought.org http://transfinite.thought.org
The 5.67a release of Jottings: http://jottings.thought.org/index.php
Re: src.conf and cleaning up of base?
> I enabled a few WITHOUT_ options in src.conf. However, the
> binaries for that still exist after an installworld. Is there an
> automatic way to "clean up" the base install?

Yes and no. These files are supposed to be removed by running:

make delete-old
make delete-old-libs

(see /usr/src/UPDATING). However, some of the less-commonly used knobs from src.conf do not receive routine testing, and are broken: either they break the build, or they leave files behind. There are PRs for some of these problems, and others remain to be fixed.

The best solution for now is to run the commands above, and then do a separate cleaning of the base system, using the timestamps as a guide. Here find(1) is your friend. I usually use something like:

find /bin /sbin /lib /libexec /rescue /usr/bin /usr/sbin /usr/include /usr/lib /usr/lib32 \
    /usr/libdata /usr/libexec /usr/share ! -ctime 1

soon after the installation, and then inspect the output before deleting. Be careful when cleaning, and don't forget that there are a few commonly-installed ports, like perl, that leave important files in base system directories.

b.
Re: what www perl script is running?
Colin,

Be aware that what you listed below is what additional scripts the hacker installed on your server after he broke in. This does not tell you how the hacker broke in. So your server is still subject to compromise.

Bests,
olivier

>> Try a find through the entire filesystem for files owned by this user that
>> you can't account for. Also check your cron and at files under /var/cron
>> and
>> /var/at
>
> I found the cronjob which keeps restarting the script:
>
> [r...@venus /var/cron/tabs]# ls -l
> total 12
> -rw------- 1 root wheel 3440 Aug 25 12:06 colin
> -rw------- 1 root wheel  240 Jul 28 23:49 www
>
> [r...@venus /var/cron/tabs]# cat www
> # DO NOT EDIT THIS FILE - edit the master and reinstall.
> # (cron.job installed on Tue Jul 28 23:49:28 2009)
> # (Cron version -- $FreeBSD: src/usr.sbin/cron/crontab/crontab.c,v 1.24 2006/09/03 17:52:19 ru Exp $)
> */1 * * * * perl /tmp/tmpfile
>
> I removed it, so now at least the script stops relaunching.
>
> /tmp/tmpfile is of course the script.
>
> In a subdirectory of tmp, there is a whole bunch of source code, all owned
> by 'www':
>
> /tmp/.,]# ls -l
> total 5692
> -rw-r--r-- 1 www wheel 2844160 Mar 27 10:00 m.tgz
> drwxr-xr-x 4 www wheel     512 Nov 10  2008 ml
> -rw-r--r-- 1 www wheel   43419 May 27 23:22 scanxml.txt
>
> ]# ls -l ml
> total 3208
> -rwxr-xr-x 1 www wheel    411 Mar 27 09:57 1.user
> -rwxr-xr-x 1 www wheel    422 Mar 27 09:57 2.user
> -rwxr-xr-x 1 www wheel 505767 Aug  3  2008 LinkEvents
> -rwxr-xr-x 1 www wheel   2154 May 16  2003 Makefile
> -rwx--x--x 1 www wheel 418490 Dec  3  2005 bsd
> -rwxr-xr-x 1 www wheel    941 Dec  3  2005 checkmech
> -rwxr-xr-x 1 www wheel  23237 May 16  2003 configure
> -rwx--x--x 1 www wheel 397274 Dec  3  2005 crond
> -rwxr-xr-x 1 www wheel  22882 May 16  2003 m.h
> -rwxr-xr-x 1 www wheel   1054 Aug  3  2008 m.lev
> -rwx--x--x 1 www wheel      6 May 25  2008 m.pid
> -rwxr-xr-x 1 www wheel   1320 Mar 27 09:56 m.set
> -rwxr-xr-x 1 www wheel  10240 Nov 10  2008 m.tgz
> -rwxr-xr-x 1 www wheel 167964 Mar 16  2001 pico
> drwxr-xr-x 2 www wheel    512 Mar  4  2005 r
> drwxr-xr-x 2 www wheel   1024 Dec  3  2005 src
>
> If anyone is interested in looking at this stuff, or wants more info, please
> let me know.
src.conf and cleaning up of base?
Hello List,

I enabled a few WITHOUT_ options in src.conf. However, the binaries for that still exist after an installworld. Is there an automatic way to "clean up" the base install?

For example, I did a minimal install of 8.0-BETA2, csup'ed down -CURRENT and set WITHOUT_RCMDS in src.conf. However, rsh is still installed in /usr/bin. However, the timestamp is from the original install BETA2 build and not from my buildworld.

For smaller items like NTP this is fine, but for stuff like WITHOUT_SENDMAIL or WITHOUT_LPR those binaries can get in the way of their replacements, ie: Postfix and CUPS.

Any way to autoclean the base system?

Henrik

--
Henrik Hudson
li...@rhavenn.net - "God, root, what is difference?" Pitr; UF
Re: what www perl script is running?
Adam Vande More wrote:

[ huge, huge snip ]

> You said block by destination port. What you presented is not this,
> although it gives a functional environment of it. Sorry for the
> pedantic pursuit here, but IMO terminology is important here.

I've read this thread on a 'best-effort' basis throughout the day. Although I can *personally* translate what Bill's excellent feedback is saying into functional protection, I have to say that your statement quoted was the 'politically correct' way to express it.

We've (ie: I've) been compromised in the past (several times), and experience based on having an installed Perl-based httpd program tells me thus:

- it is likely a PHP script that was the root cause
- it is likely that the script had access to a MySQL database
- bulletin boards, mailer apps and blog software were often the culprit
- it's a common hack, the Perl code that is installed can be downloaded anywhere

We have a multi-site hosting environment, so we see things like this from time-to-time. I can't remember for sure if it was this list or not, but I know I've posted "what to look for" someplace. In this case, OP, look for:

- directories named as such:
-- ...
-- . ..
-- . .
-- etc, particularly under:
-- /var/tmp
-- /tmp
-- or anywhere else the [gu]id of the webserver could possibly write to

There are other similar problems that are prevalent out there that someone running a web server may run into (one I've seen recently). It inserts HTML redirects into files (or directly into a MySQL table, in situations where links are generated dynamically) that direct the browser to foreign pages (presumably so that the browser will inadvertently download rogue programs into the visiting computer). This has had the effect of having Google block the page, and for client relations, it doesn't look good. Any time we've seen this, we refer the client to their web developer for assistance (heh).

Such infections have noticeably been caused by server-side PDF management software, and a specific PHP video management software. We've never found that such 'kiddie/automated' hacks tried to manipulate or steal any information directly/initially, even after reviewing the code. With that said, I firmly agree with Bill that you should/must replace all passwords both on the Unix side of things, as well as within MySQL. tcpdump(1) is your friend.

On the firewall side of things... I am on the fence with both Paul and Bill's comments as to whether having protection on each machine is a bonus or a failure. This really depends... and it depends on the environment which and where the box is logically attached. Given that I'm in an ISP environment, I don't want to manage ACLs for web servers on my network edge routers, so it's best that I contain them locally to the hosted web box itself. In other cases (such as an enterprise environment), it would be easier to manage such ACLs at the network perimeter. For a home box, a firewall-per-box may lead to better understanding and experience.

What I haven't read in this thread so far is the term 'state', relative to stack protection. For instance, if I were to:

% ipfw add 10 allow all from any to me 80 keep-state
% ipfw add 15 deny all from any to any

... it would dynamically allow all requests to my web server (fw running on the host itself), would allow all responses back to the client (regardless of the port they used to send the request (because of state)), but it would deny everything and anything else, inbound and outbound.

Note that in heavy environments keeping state can have its own detrimental drawbacks, which there is no need to get into here. These drawbacks are generally why one might decide not to block everything at the network edge, but on the box itself.

Steve
Re: what www perl script is running?
CyberLeo Kitsana wrote:
>
> Are these files available in a tarball someplace public, for those of us
> who enjoy performing autopsies on virii?

Sure thing:

http://silenceisdefeat.com/~cbrace/www_badstuff.gz

this tarball contains "tmpfile" which is the misbehaving script as well as the contents of a directory called ".," which has a bunch of source code and so on. As indicated earlier, this stuff was installed by user 'www'. It should be unpacked in an empty directory.

Have fun!

-
Colin Brace
Amsterdam
http://lim.nl
Re: what www perl script is running?
On Tue, Aug 25, 2009 at 2:43 PM, Bill Moran wrote:

> In response to Adam Vande More :
>
> > On Tue, Aug 25, 2009 at 12:06 PM, Bill Moran wrote:
> >
> > > In response to Adam Vande More :
> > >
> > > > On Tue, Aug 25, 2009 at 11:05 AM, Bill Moran wrote:
> > > >
> > > > > In response to Paul Schmehl :
> > > > >
> > > > > > --On Tuesday, August 25, 2009 08:30:17 -0500 Colin Brace wrote:
> > > > > >
> > > > > > > Bill Moran wrote:
> > > > > > >>
> > > > > > >> You can add an ipfw rule to prevent the script from calling home, which
> > > > > > >> will effectively render it neutered until you can track down and actually
> > > > > > >> _fix_ the problem.
> > > > > > >
> > > > > > > Mike Bristow above wrote: "The script is talking to 94.102.51.57 on port
> > > > > > > 7000". OK, so how do I know what port the script is using for outgoing
> > > > > > > traffic on MY box? 7000 is the remote host port, right?
> > > > > > >
> > > > > > > FWIW, here are my core PF lines:
> > > > > > >
> > > > > > > pass out quick on $ext_if proto 41
> > > > > > > pass out quick on gif0 inet6
> > > > > > > pass in quick on gif0 inet6 proto icmp6
> > > > > > > block in log
> > > > > > >
> > > > > > > That is to say: nothing is allowed in unless explicitly allowed
> > > > > > > Everything allowed out.
> > > > > > > (plus some ipv6 stuff I was testing with a tunnel)
> > > > > >
> > > > > > The problem with blocking outbound ports is that it breaks things in odd ways.
> > > > > > For example, your mail server listens on port 25 (and possibly 465 as well) but
> > > > > > it communicates with connecting clients on whatever ethereal port the client
> > > > > > decided to use. If the port the client selects happens to be in a range that
> > > > > > you are blocking, communication will be impossible and the client will report
> > > > > > that your mail server is non-responsive.
> > > > >
> > > > > You're doing it wrong. Block on the destination port _only_ and you don't
> > > > > care about the ephemeral ports.
> > > >
> > > > What ports would you block then when you're trying to run a webserver?
> > >
> > > My point (which is presented in examples below) is that you block everything
> > > and only allow what is needed (usually only dns and ntp, possibly smtp if
> > > the web server needs to send mail)
> > >
> > > That single statement above was directed specifically at the comment about
> > > it being impossible to predict (and thus block) ephemeral source ports. He's
> > > right about that, and that's why filtering on the destination port is the
> > > more common practice.
> > >
> > > Of course, that caused me to create an email that seems to contradict
> > > itself, if you don't notice that it's two answers to two different
> > > comments.
> >
> > My point was that it's unfeasible to block by destination port. You can
> > only block by destination port if it's a known quantity, and the destination
> > port is ephemeral in the question I posed (which is what the OP had an issue
> > with).
>
> Please read the entire email before you respond. My last example below
> demonstrates how to do what you call "unfeasible".
>
> > > > > > It's much easier to block outgoing ports for services you *don't* want to
> > > > > > offer, but, if the service isn't running anyway, blocking the port is
> > > > > > non-productive.
> > > > >
> > > > > You're obviously misunderstanding me completely. You're not blocking incoming
> > > > > connections, you're preventing outgoing ones, which means there _is_ no
> > > > > service running on your local machine.
> > > > >
> > > > > For example, a server that is _only_ web (with SSH for admin) could have
> > > > > a ruleset like:
> > > > >
> > > > > pass in quick on $ext_if proto tcp from any to me port {25,587,465,22} keep state
> > > > > pass out quick on $ext_if proto tcp from me to any port {25} keep state
> > > > > pass out quick on $ext_if proto udp from me to any port {53,123} keep state
> > > > > block all
> > > > >
> > > > > (note that's only an example, there may be some fine points I'm missing)
> > > > >
> > > > > One thing that had not yet been mentioned when I posted my earlier comment,
> > > > > is that this system is a combination firewall/web server. That makes the
> > > > > rules more complicated, but the setup is still possible:
> > > > >
> > > > > pass in quick on $ext_if proto tcp from any to me port {80} keep state
> > > > > pass out quick on $ext_if proto udp from me to any port {53,123} keep state
> > > > > pass out quick on $ext_if from $internal_network to any all keep state
> > > > > block all
> > > > >
> > > > > Which allows limited outgoing traffic originating from the box itself,
Re: what www perl script is running?
In response to Adam Vande More :

> On Tue, Aug 25, 2009 at 12:06 PM, Bill Moran wrote:
>
> > In response to Adam Vande More :
> >
> > > On Tue, Aug 25, 2009 at 11:05 AM, Bill Moran wrote:
> > >
> > > > In response to Paul Schmehl :
> > > >
> > > > > --On Tuesday, August 25, 2009 08:30:17 -0500 Colin Brace wrote:
> > > > >
> > > > > > Bill Moran wrote:
> > > > > >>
> > > > > >> You can add an ipfw rule to prevent the script from calling home, which
> > > > > >> will effectively render it neutered until you can track down and actually
> > > > > >> _fix_ the problem.
> > > > > >
> > > > > > Mike Bristow above wrote: "The script is talking to 94.102.51.57 on port
> > > > > > 7000". OK, so how do I know what port the script is using for outgoing
> > > > > > traffic on MY box? 7000 is the remote host port, right?
> > > > > >
> > > > > > FWIW, here are my core PF lines:
> > > > > >
> > > > > > pass out quick on $ext_if proto 41
> > > > > > pass out quick on gif0 inet6
> > > > > > pass in quick on gif0 inet6 proto icmp6
> > > > > > block in log
> > > > > >
> > > > > > That is to say: nothing is allowed in unless explicitly allowed
> > > > > > Everything allowed out.
> > > > > > (plus some ipv6 stuff I was testing with a tunnel)
> > > > >
> > > > > The problem with blocking outbound ports is that it breaks things in odd ways.
> > > > > For example, your mail server listens on port 25 (and possibly 465 as well) but
> > > > > it communicates with connecting clients on whatever ethereal port the client
> > > > > decided to use. If the port the client selects happens to be in a range that
> > > > > you are blocking, communication will be impossible and the client will report
> > > > > that your mail server is non-responsive.
> > > >
> > > > You're doing it wrong. Block on the destination port _only_ and you don't
> > > > care about the ephemeral ports.
> > >
> > > What ports would you block then when you're trying to run a webserver?
> >
> > My point (which is presented in examples below) is that you block everything
> > and only allow what is needed (usually only dns and ntp, possibly smtp if
> > the web server needs to send mail)
> >
> > That single statement above was directed specifically at the comment about
> > it being impossible to predict (and thus block) ephemeral source ports. He's
> > right about that, and that's why filtering on the destination port is the
> > more common practice.
> >
> > Of course, that caused me to create an email that seems to contradict
> > itself, if you don't notice that it's two answers to two different
> > comments.
>
> My point was that it's unfeasible to block by destination port. You can
> only block by destination port if it's a known quantity, and the destination
> port is ephemeral in the question I posed (which is what the OP had an issue
> with).

Please read the entire email before you respond. My last example below
demonstrates how to do what you call "unfeasible".

> > > > > It's much easier to block outgoing ports for services you *don't* want to
> > > > > offer, but, if the service isn't running anyway, blocking the port is
> > > > > non-productive.
> > > >
> > > > You're obviously misunderstanding me completely. You're not blocking incoming
> > > > connections, you're preventing outgoing ones, which means there _is_ no
> > > > service running on your local machine.
> > > >
> > > > For example, a server that is _only_ web (with SSH for admin) could have
> > > > a ruleset like:
> > > >
> > > > pass in quick on $ext_if proto tcp from any to me port {25,587,465,22} keep state
> > > > pass out quick on $ext_if proto tcp from me to any port {25} keep state
> > > > pass out quick on $ext_if proto udp from me to any port {53,123} keep state
> > > > block all
> > > >
> > > > (note that's only an example, there may be some fine points I'm missing)
> > > >
> > > > One thing that had not yet been mentioned when I posted my earlier comment,
> > > > is that this system is a combination firewall/web server. That makes the
> > > > rules more complicated, but the setup is still possible:
> > > >
> > > > pass in quick on $ext_if proto tcp from any to me port {80} keep state
> > > > pass out quick on $ext_if proto udp from me to any port {53,123} keep state
> > > > pass out quick on $ext_if from $internal_network to any all keep state
> > > > block all
> > > >
> > > > Which allows limited outgoing traffic originating from the box itself,
> > > > but allows unlimited outgoing traffic from systems on $internal_network.
> > > >
> > > > I've done this with great success. In fact, I had a fun time where a
> > > > client in question was infected with viruses out the wazoo, but the
> > > > viruses never spread off their local network because I only allowed
> > > > SMTP traffic to their SMTP relay, which required SMTP
Re: netbooks for freebsd?
Monday, 24 August 2009 at 5:45:20 -0700, Jeff Hamann said:
> thanks.
>
> i've looked at both an acer and lenovo models and like the lenovo
> model better.

I like my s10e too - but remember I don't have native wireless, I'm using ndis. There are also some acpi glitches which the currently available patch only partially resolves.

Peter Harrison.

> as for linux... no way.. had too many hack experiences during the
> early years. that's why i made the switch to bsd. i would like to make
> my own port (super-port?), build a distro, and dump it onto a machine.
> haven't tested on virtual machine yet, but think that would be the
> smartest method.
>
> thanks again.
>
> On Aug 23, 2009, at 11:39 AM, ill...@gmail.com wrote:
>
> >2009/8/19 Jeff Hamann :
> >>I would like to try some experimental software on a netbook. Can
> >>somebody recommend a netbook that can do FreeBSD.
> >
> >Late to the discussion, sorry I can't give positive
> >advice, but:
> >
> >I can explicitly UNADVISE the (ee?)pc 1005ha
> >
> >Networking (atheros 9285, iirc) might work under
> >ndis, wired (I forget which chipset) doesn't work.
> >
> >I put ubuntu on it, and even _that_ took some hacks.
>
> --
> Jeff Hamann, PhD
> PO Box 1421
> Corvallis, Oregon 97339-1421
> 541-754-2457
> jeff.hamann[at]forestinformatics[dot]com
> http://www.forestinformatics.com
Re: what www perl script is running?
On Tue, Aug 25, 2009 at 12:06 PM, Bill Moran wrote:

> In response to Adam Vande More :
>
>> On Tue, Aug 25, 2009 at 11:05 AM, Bill Moran wrote:
>>
>>> In response to Paul Schmehl :
>>>
>>>> --On Tuesday, August 25, 2009 08:30:17 -0500 Colin Brace wrote:
>>>>
>>>>> Bill Moran wrote:
>>>>>>
>>>>>> You can add an ipfw rule to prevent the script from calling home, which
>>>>>> will effectively render it neutered until you can track down and actually
>>>>>> _fix_ the problem.
>>>>>
>>>>> Mike Bristow above wrote: "The script is talking to 94.102.51.57 on port
>>>>> 7000". OK, so how do I know what port the script is using for outgoing
>>>>> traffic on MY box? 7000 is the remote host port, right?
>>>>>
>>>>> FWIW, here are my core PF lines:
>>>>>
>>>>> pass out quick on $ext_if proto 41
>>>>> pass out quick on gif0 inet6
>>>>> pass in quick on gif0 inet6 proto icmp6
>>>>> block in log
>>>>>
>>>>> That is to say: nothing is allowed in unless explicitly allowed
>>>>> Everything allowed out.
>>>>> (plus some ipv6 stuff I was testing with a tunnel)
>>>>
>>>> The problem with blocking outbound ports is that it breaks things in odd ways.
>>>> For example, your mail server listens on port 25 (and possibly 465 as well) but
>>>> it communicates with connecting clients on whatever ethereal port the client
>>>> decided to use. If the port the client selects happens to be in a range that
>>>> you are blocking, communication will be impossible and the client will report
>>>> that your mail server is non-responsive.
>>>
>>> You're doing it wrong. Block on the destination port _only_ and you don't
>>> care about the ephemeral ports.
>>
>> What ports would you block then when you're trying to run a webserver?
>
> My point (which is presented in examples below) is that you block everything
> and only allow what is needed (usually only dns and ntp, possibly smtp if
> the web server needs to send mail)
>
> That single statement above was directed specifically at the comment about
> it being impossible to predict (and thus block) ephemeral source ports. He's
> right about that, and that's why filtering on the destination port is the
> more common practice.
>
> Of course, that caused me to create an email that seems to contradict
> itself, if you don't notice that it's two answers to two different
> comments.

My point was that it's unfeasible to block by destination port. You can only block by destination port if it's a known quantity, and the destination port is ephemeral in the question I posed (which is what the OP had an issue with).

>>>> It's much easier to block outgoing ports for services you *don't* want to
>>>> offer, but, if the service isn't running anyway, blocking the port is
>>>> non-productive.
>>>
>>> You're obviously misunderstanding me completely. You're not blocking incoming
>>> connections, you're preventing outgoing ones, which means there _is_ no
>>> service running on your local machine.
>>>
>>> For example, a server that is _only_ web (with SSH for admin) could have
>>> a ruleset like:
>>>
>>> pass in quick on $ext_if proto tcp from any to me port {25,587,465,22} keep state
>>> pass out quick on $ext_if proto tcp from me to any port {25} keep state
>>> pass out quick on $ext_if proto udp from me to any port {53,123} keep state
>>> block all
>>>
>>> (note that's only an example, there may be some fine points I'm missing)
>>>
>>> One thing that had not yet been mentioned when I posted my earlier comment,
>>> is that this system is a combination firewall/web server. That makes the
>>> rules more complicated, but the setup is still possible:
>>>
>>> pass in quick on $ext_if proto tcp from any to me port {80} keep state
>>> pass out quick on $ext_if proto udp from me to any port {53,123} keep state
>>> pass out quick on $ext_if from $internal_network to any all keep state
>>> block all
>>>
>>> Which allows limited outgoing traffic originating from the box itself,
>>> but allows unlimited outgoing traffic from systems on $internal_network.
>>>
>>> I've done this with great success. In fact, I had a fun time where a
>>> client in question was infected with viruses out the wazoo, but the
>>> viruses never spread off their local network because I only allowed
>>> SMTP traffic to their SMTP relay, which required SMTP auth (thus the
>>> viruses couldn't send mail)
>>
>> --
>> Adam Vande More
>
> --
> Bill Moran
> http://www.potentialtech.com
> h
Re: what www perl script is running?
Colin Brace wrote:
>
> Ruben de Groot wrote:
>> Try a find through the entire filesystem for files owned by this user that
>> you can't account for. Also check your cron and at files under /var/cron
>> and /var/at
>
> I found the cronjob which keeps restarting the script:
>
> [r...@venus /var/cron/tabs]# ls -l
> total 12
> -rw-------  1 root  wheel  3440 Aug 25 12:06 colin
> -rw-------  1 root  wheel   240 Jul 28 23:49 www
>
> [r...@venus /var/cron/tabs]# cat www
> # DO NOT EDIT THIS FILE - edit the master and reinstall.
> # (cron.job installed on Tue Jul 28 23:49:28 2009)
> # (Cron version -- $FreeBSD: src/usr.sbin/cron/crontab/crontab.c,v 1.24 2006/09/03 17:52:19 ru Exp $)
> */1 * * * * perl /tmp/tmpfile
>
> I removed it, so now at least the script stops relaunching.
>
> /tmp/tmpfile is of course the script.
>
> In a subdirectory of tmp, there is a whole bunch of source code, all owned
> by 'www':
>
> /tmp/.,]# ls -l
> total 5692
> -rw-r--r--  1 www  wheel  2844160 Mar 27 10:00 m.tgz
> drwxr-xr-x  4 www  wheel      512 Nov 10  2008 ml
> -rw-r--r--  1 www  wheel    43419 May 27 23:22 scanxml.txt
>
> ]# ls -l ml
> total 3208
> -rwxr-xr-x  1 www  wheel     411 Mar 27 09:57 1.user
> -rwxr-xr-x  1 www  wheel     422 Mar 27 09:57 2.user
> -rwxr-xr-x  1 www  wheel  505767 Aug  3  2008 LinkEvents
> -rwxr-xr-x  1 www  wheel    2154 May 16  2003 Makefile
> -rwx--x--x  1 www  wheel  418490 Dec  3  2005 bsd
> -rwxr-xr-x  1 www  wheel     941 Dec  3  2005 checkmech
> -rwxr-xr-x  1 www  wheel   23237 May 16  2003 configure
> -rwx--x--x  1 www  wheel  397274 Dec  3  2005 crond
> -rwxr-xr-x  1 www  wheel   22882 May 16  2003 m.h
> -rwxr-xr-x  1 www  wheel    1054 Aug  3  2008 m.lev
> -rwx--x--x  1 www  wheel       6 May 25  2008 m.pid
> -rwxr-xr-x  1 www  wheel    1320 Mar 27 09:56 m.set
> -rwxr-xr-x  1 www  wheel   10240 Nov 10  2008 m.tgz
> -rwxr-xr-x  1 www  wheel  167964 Mar 16  2001 pico
> drwxr-xr-x  2 www  wheel     512 Mar  4  2005 r
> drwxr-xr-x  2 www  wheel    1024 Dec  3  2005 src
>
> If anyone is interested in looking at this stuff, or wants more info, please
> let me know.

Are these files available in a tarball someplace public, for those of us who enjoy performing autopsies on virii?

--
Fuzzy love,
-CyberLeo
Technical Administrator
CyberLeo.Net Webhosting
http://www.CyberLeo.Net
Furry Peace! - http://.fur.com/peace/
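The cron entry Colin found, a per-minute "perl /tmp/tmpfile" job in the www user's tab, is a pattern that can be checked for across all of /var/cron/tabs. The following is an added example, not code from the thread: it parses crontab text in the format shown above and flags jobs that run every minute, reference a temporary directory, or reference a hidden path; the two crontabs it scans are constructed samples modelled on the post.

```python
"""Added example (not from the thread): audit crontab files for the pattern
Colin found in /var/cron/tabs/www, a job that relaunches an interpreter on a
script living in a temporary directory every minute."""
import re
from typing import Dict, List, Tuple

# Constructed sample of /var/cron/tabs contents, modelled on the post.
SAMPLE_TABS: Dict[str, str] = {
    "www": (
        "# DO NOT EDIT THIS FILE - edit the master and reinstall.\n"
        "# (cron.job installed on Tue Jul 28 23:49:28 2009)\n"
        "*/1 * * * * perl /tmp/tmpfile\n"
    ),
    "colin": (
        "MAILTO=colin\n"
        "0 3 * * * /usr/local/sbin/nightly-dump.sh\n"
        "*/10 * * * * /home/colin/.cache/sync\n"
    ),
}

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
INTERPRETERS = {"perl", "python", "php", "ruby", "sh", "bash"}
ENV_ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")
Job = Tuple[str, str]  # (schedule, command)


def parse_crontab(text: str) -> List[Job]:
    """Return (schedule, command) pairs, skipping comments and environment
    lines. Special schedules such as @reboot are not handled here."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ENV_ASSIGNMENT.match(line):
            continue
        fields = line.split(None, 5)  # five time fields, then the command
        if len(fields) == 6:
            jobs.append((" ".join(fields[:5]), fields[5]))
    return jobs


def suspicious_reasons(schedule: str, command: str) -> List[str]:
    """Heuristics drawn from the thread; an empty list means nothing flagged."""
    reasons = []
    tokens = command.split()
    if schedule.split()[0] in ("*", "*/1"):
        reasons.append("runs every minute (relauncher pattern)")
    for tok in tokens:
        if tok.startswith(TEMP_DIRS):
            reasons.append(f"references a temporary directory: {tok}")
        if "/." in tok:
            reasons.append(f"references a hidden path: {tok}")
    if tokens and tokens[0].rsplit("/", 1)[-1] in INTERPRETERS \
            and any(t.startswith(TEMP_DIRS) for t in tokens[1:]):
        reasons.append("interpreter fed a script from a temporary directory")
    return reasons


def audit(tabs: Dict[str, str]) -> List[Tuple[str, str, str, List[str]]]:
    """Return (user, schedule, command, reasons) for every flagged job."""
    findings = []
    for user, text in tabs.items():
        for schedule, command in parse_crontab(text):
            reasons = suspicious_reasons(schedule, command)
            if reasons:
                findings.append((user, schedule, command, reasons))
    return findings


if __name__ == "__main__":
    for user, schedule, command, reasons in audit(SAMPLE_TABS):
        print(f"{user}: '{schedule} {command}' -> {'; '.join(reasons)}")
```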
IBM Stinkpad and Wifi
Hi Daemons,

I have some troubles to get connected to an open Wifi-Net. It's an older IBM Stinkpad 600 and I bought a new PCMCIA-card for it. Chipset of the card is from Atheros, this is recommended by the FreeBSD Handbook.

I boot the Laptop, the drivers seem to be compiled in the generic Kernel. Booting shows something like:

ath0: mem 0xff9f-0xff9f irq 17 at device 2.0 on pci2
ath0: Ethernet address: 00:11:95:d5:43:62
ath0: mac 7.9 phy 4.5 radio 5.6

Good. Then I try:

# ifconfig ath0 up scan
#

(I tried this in a cool café, with cool people there and a cool open access point..)

Nothing. There should be a list of the available access points. Is that right? Something I missed with the setup? I tried:

#kldload wlan_wep.ko
#kldload wlan_ccmp.ko
#kldload wlan_tkip.ko

..and BSD 7.2, a very recent version, tells me that these files already exist (so the kernel took already care of it).

What am I doing wrong?? All ideas appreciated!

Thanks
herb langhans

--
sprachtraining langhans
herbert langhans, warschau
http://www.langhans.com.pl
herbert dot raimund at gmx dot net
+0048 603 341 441
Re: hard disk failure - now what?
On Tue, 25 Aug 2009 11:04:38 -0400, Jerry McAllister wrote:
> dd will barf on bad bits too.
> You can tinker to make it skip over the bad block, but it
> won't read it.

As it has been suggested, there are interesting tools in the ports collection. I'll post my "famous list" again. Among them, note ddrescue and dd_rescue. But base system tools such as the fetch program can help.

System:
	dd
	fsck_ffs
	clri
	fsdb
	fetch -rR
	recoverdisk (!)

Ports:
	ddrescue
	dd_rescue
	ffs2recov
	magicrescue
	testdisk
	The Sleuth Kit: fls dls ils autopsy
	scan_ffs
	recoverjpeg
	foremost
	photorec

Those programs are not ordered in any way.

--
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
Re: Problem mounting EXT2FS
On Tue, 25 Aug 2009 13:33:59 +0200, Mark Stapper wrote:
> Don't forget to reapply the ext2 patch... ;-)

And of course keep in mind that kernel and world (userland) have to be of the same version, e. g. if you upgrade your sources to 7-STABLE, recompile kernel and world and install them. You'll find a handy procedure for that in the handbook.

> the userland is just the collection of base applications or "base
> distribution".

It can be called "only the OS", too. :-)

> Just read all the chapters listed here:
> http://www.freebsd.org/doc/en/books/handbook/
> ;-)

At least, keep it near yourself. Most "ordinary" problems can be solved or even avoided by sticking to what the handbook says.

--
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
ppp problem over bluetooth
hello

i am on freebsd 6, i am trying to connect to internet using my nokia phone. so far i got it paired with my pc and am able to dialup to my isp, problem is i get connected for some time and then get disconnected. i can't browse, only one dns server gets assigned in resolv.conf, in fact there must be two.

this is how i do it:

# /etc/rc.bluetooth start ubt0
BD_ADDR: 00:11:67:0e:04:85
Features: 0xff 0xff 0x8d 0x78 0x8 0x18 00 00
<3-Slot> <5-Slot>
Max. ACL packet size: 678 bytes
Number of ACL packets: 8
Max. SCO packet size: 48 bytes
Number of SCO packets: 10

# rfcomm_pppd -a BD_ADDR -c -C dun -l rfcomm-dialup

my ppp.conf -

default:
 set log Phase Chat LCP IPCP CCP tun command
 ident user-ppp VERSION (built COMPILATIONDATE)
 set device /dev/cuad1
 set speed 115200
 set dial "ABORT ERROR ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \
   \"\" ATZ OK-ATZ-OK AT+CGDCONT=1,\\\"IP\\\",\\\"airtelgprs.com\\\" OK \\dATD\\T TIMEOUT 40 CONNECT"
 set timeout 120
 enable force-scripts
 enable dns
 accept dns
 enable lqr
 accept lqr
 set dial
 set timeout 0

rfcomm-dialup:
 set phone "*99***1#"
 set authname
 set authkey
 accept pap
 accept chap
 set timeout 300
 add default HISADDR
 #set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 #set dial "ABORT ERROR ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \\"\"AT+CGDCONT=1,\\\"IP\\\",\\\"airtelgprs.com \\\" OK #\\dATD\\T TIMEOUT 40 CONNECT"
 #set dial "ABORT ERROR ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \
 #  \"\" ATZ OK-ATZ-OK AT+CGDCONT=1,\\\"IP\\\",\\\"airtelgprs.com\\\" OK \\dATD\\T TIMEOUT 40 CONNECT"

 # Ensure that "device" references the correct serial port
 # for your modem. (cuad0 = COM1, cuad1 = COM2)

#PAPorCHAPpmdemand:
 #set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \
 #  \"\" AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
 # edit the next three lines and replace the items in caps with
 # the values which have been assigned by your ISP.
my ppp.log

Aug 25 21:00:51 ppp[787]: Phase: Using interface: tun0
Aug 25 21:00:51 ppp[787]: Phase: deflink: Created in closed state
Aug 25 21:00:51 ppp[787]: tun0: Command: default: ident user-ppp VERSION (built COMPILATIONDATE)
Aug 25 21:00:51 ppp[787]: tun0: Command: default: set device /dev/cuad1
Aug 25 21:00:51 ppp[787]: tun0: Command: default: set speed 115200
Aug 25 21:00:51 ppp[787]: tun0: Command: default: set dial ABORT ERROR ABORT BUSY ABORT NO\sCARRIER TIMEOUT 5"" AT+CGDCONT=1,\"IP\",\"airtelgprs.com\" OK \dATD\T TIMEOUT 40 CONNECT
Aug 25 21:00:51 ppp[787]: tun0: Command: default: set timeout 120
Aug 25 21:00:51 ppp[787]: tun0: Command: default: enable force-scripts
Aug 25 21:00:51 ppp[787]: tun0: Command: default: enable dns
Aug 25 21:00:51 ppp[787]: tun0: Command: default: enable lqr
Aug 25 21:00:51 ppp[787]: tun0: Command: default: accept lqr
Aug 25 21:00:51 ppp[787]: tun0: Command: default: set dial
Aug 25 21:00:51 ppp[787]: tun0: Command: default: set timeout 0
Aug 25 21:00:51 ppp[787]: tun0: Command: default: set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
Aug 25 21:00:51 ppp[787]: tun0: Command: rfcomm-dialup: set phone *99***1#
Aug 25 21:00:51 ppp[787]: tun0: Command: rfcomm-dialup: set authname
Aug 25 21:00:51 ppp[787]: tun0: Command: rfcomm-dialup: set authkey
Aug 25 21:00:51 ppp[787]: tun0: Command: rfcomm-dialup: accept pap
Aug 25 21:00:51 ppp[787]: tun0: Command: rfcomm-dialup: accept chap
Aug 25 21:00:51 ppp[787]: tun0: Command: rfcomm-dialup: set timeout 300
Aug 25 21:00:51 ppp[787]: tun0: Command: rfcomm-dialup: add default HISADDR
Aug 25 21:00:51 ppp[787]: tun0: Command: rfcomm-dialup: resolv rewrite
Aug 25 21:00:51 ppp[787]: tun0: IPCP: Primary nameserver set to xxx.xx.250.6
Aug 25 21:00:51 ppp[787]: tun0: Command: rfcomm-dialup: set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
Aug 25 21:00:51 ppp[787]: tun0: Phase: PPP Started (direct mode).
Aug 25 21:00:51 ppp[787]: tun0: Phase: bundle: Establish
Aug 25 21:00:51 ppp[787]: tun0: Phase: deflink: closed -> opening
Aug 25 21:00:51 ppp[787]: tun0: Phase: deflink: Connected!
Aug 25 21:00:51 ppp[787]: tun0: Phase: deflink: opening -> dial
Aug 25 21:00:51 ppp[787]: tun0: Chat: deflink: Dial attempt 1 of 1
Aug 25 21:00:51 ppp[787]: tun0: Phase: deflink: dial -> carrier
Aug 25 21:00:51 ppp[787]: tun0: Phase: deflink: carrier -> login
Aug 25 21:00:51 ppp[787]: tun0: Phase: deflink: login -> lcp
Aug 25 21:00:51 ppp[787]: tun0: LCP: FSM: Using "deflink" as a transport
Aug 25 21:00:51 ppp[787]: tun0: LCP: deflink: State change Initial --> Closed
Aug 25 21:00:51 ppp[787]: tun0: LCP: deflink: State change Closed --> Stopped
Aug 25 21:00:52 ppp[787]: tun0: LCP: deflink: LayerStart
Aug 25 21:00:52 ppp[787]: tun0: LCP: deflink: SendConfigReq(1) state = Stopped
Aug 25 21:00:52 ppp[787]: tun0: LCP: ACFCOMP[2]
Aug 25 21:00:52 ppp[787]: tun0: LCP: PROTOCOMP[2]
Aug 25 21:00:52 ppp[787]: tun0: LCP: ACCMAP[6] 0x
Aug 25 21:00:52 ppp[787]: tun0: LCP: MRU[4] 1500
Aug
Re: what www perl script is running?
In response to Adam Vande More :

> On Tue, Aug 25, 2009 at 11:05 AM, Bill Moran wrote:
>
>> In response to Paul Schmehl :
>>
>>> --On Tuesday, August 25, 2009 08:30:17 -0500 Colin Brace wrote:
>>>
>>>> Bill Moran wrote:
>>>>>
>>>>> You can add an ipfw rule to prevent the script from calling home, which
>>>>> will effectively render it neutered until you can track down and actually
>>>>> _fix_ the problem.
>>>>
>>>> Mike Bristow above wrote: "The script is talking to 94.102.51.57 on port
>>>> 7000". OK, so how do I know what port the script is using for outgoing
>>>> traffic on MY box? 7000 is the remote host port, right?
>>>>
>>>> FWIW, here are my core PF lines:
>>>>
>>>> pass out quick on $ext_if proto 41
>>>> pass out quick on gif0 inet6
>>>> pass in quick on gif0 inet6 proto icmp6
>>>> block in log
>>>>
>>>> That is to say: nothing is allowed in unless explicitly allowed
>>>> Everything allowed out.
>>>> (plus some ipv6 stuff I was testing with a tunnel)
>>>
>>> The problem with blocking outbound ports is that it breaks things in odd ways.
>>> For example, your mail server listens on port 25 (and possibly 465 as well) but
>>> it communicates with connecting clients on whatever ethereal port the client
>>> decided to use. If the port the client selects happens to be in a range that
>>> you are blocking, communication will be impossible and the client will report
>>> that your mail server is non-responsive.
>>
>> You're doing it wrong. Block on the destination port _only_ and you don't
>> care about the ephemeral ports.
>
> What ports would you block then when you're trying to run a webserver?

My point (which is presented in examples below) is that you block everything and only allow what is needed (usually only dns and ntp, possibly smtp if the web server needs to send mail)

That single statement above was directed specifically at the comment about it being impossible to predict (and thus block) ephemeral source ports. He's right about that, and that's why filtering on the destination port is the more common practice.

Of course, that caused me to create an email that seems to contradict itself, if you don't notice that it's two answers to two different comments.

>>> It's much easier to block outgoing ports for services you *don't* want to
>>> offer, but, if the service isn't running anyway, blocking the port is
>>> non-productive.
>>
>> You're obviously misunderstanding me completely. You're not blocking incoming
>> connections, you're preventing outgoing ones, which means there _is_ no
>> service running on your local machine.
>>
>> For example, a server that is _only_ web (with SSH for admin) could have
>> a ruleset like:
>>
>> pass in quick on $ext_if proto tcp from any to me port {25,587,465,22} keep state
>> pass out quick on $ext_if proto tcp from me to any port {25} keep state
>> pass out quick on $ext_if proto udp from me to any port {53,123} keep state
>> block all
>>
>> (note that's only an example, there may be some fine points I'm missing)
>>
>> One thing that had not yet been mentioned when I posted my earlier comment,
>> is that this system is a combination firewall/web server. That makes the
>> rules more complicated, but the setup is still possible:
>>
>> pass in quick on $ext_if proto tcp from any to me port {80} keep state
>> pass out quick on $ext_if proto udp from me to any port {53,123} keep state
>> pass out quick on $ext_if from $internal_network to any all keep state
>> block all
>>
>> Which allows limited outgoing traffic originating from the box itself,
>> but allows unlimited outgoing traffic from systems on $internal_network.
>>
>> I've done this with great success. In fact, I had a fun time where a
>> client in question was infected with viruses out the wazoo, but the
>> viruses never spread off their local network because I only allowed
>> SMTP traffic to their SMTP relay, which required SMTP auth (thus the
>> viruses couldn't send mail)
>
> --
> Adam Vande More

--
Bill Moran
http://www.potentialtech.com
http://people.collaborativefusion.com/~wmoran/
Re: what www perl script is running?
On Tue, Aug 25, 2009 at 11:05 AM, Bill Moran wrote:

> In response to Paul Schmehl :
>
>> --On Tuesday, August 25, 2009 08:30:17 -0500 Colin Brace wrote:
>>
>>> Bill Moran wrote:
>>>>
>>>> You can add an ipfw rule to prevent the script from calling home, which
>>>> will effectively render it neutered until you can track down and actually
>>>> _fix_ the problem.
>>>
>>> Mike Bristow above wrote: "The script is talking to 94.102.51.57 on port
>>> 7000". OK, so how do I know what port the script is using for outgoing
>>> traffic on MY box? 7000 is the remote host port, right?
>>>
>>> FWIW, here are my core PF lines:
>>>
>>> pass out quick on $ext_if proto 41
>>> pass out quick on gif0 inet6
>>> pass in quick on gif0 inet6 proto icmp6
>>> block in log
>>>
>>> That is to say: nothing is allowed in unless explicitly allowed
>>> Everything allowed out.
>>> (plus some ipv6 stuff I was testing with a tunnel)
>>
>> The problem with blocking outbound ports is that it breaks things in odd ways.
>> For example, your mail server listens on port 25 (and possibly 465 as well) but
>> it communicates with connecting clients on whatever ethereal port the client
>> decided to use. If the port the client selects happens to be in a range that
>> you are blocking, communication will be impossible and the client will report
>> that your mail server is non-responsive.
>
> You're doing it wrong. Block on the destination port _only_ and you don't
> care about the ephemeral ports.

What ports would you block then when you're trying to run a webserver?

>> It's much easier to block outgoing ports for services you *don't* want to
>> offer, but, if the service isn't running anyway, blocking the port is
>> non-productive.
>
> You're obviously misunderstanding me completely. You're not blocking incoming
> connections, you're preventing outgoing ones, which means there _is_ no
> service running on your local machine.
>
> For example, a server that is _only_ web (with SSH for admin) could have
> a ruleset like:
>
> pass in quick on $ext_if proto tcp from any to me port {25,587,465,22} keep state
> pass out quick on $ext_if proto tcp from me to any port {25} keep state
> pass out quick on $ext_if proto udp from me to any port {53,123} keep state
> block all
>
> (note that's only an example, there may be some fine points I'm missing)
>
> One thing that had not yet been mentioned when I posted my earlier comment,
> is that this system is a combination firewall/web server. That makes the
> rules more complicated, but the setup is still possible:
>
> pass in quick on $ext_if proto tcp from any to me port {80} keep state
> pass out quick on $ext_if proto udp from me to any port {53,123} keep state
> pass out quick on $ext_if from $internal_network to any all keep state
> block all
>
> Which allows limited outgoing traffic originating from the box itself,
> but allows unlimited outgoing traffic from systems on $internal_network.
>
> I've done this with great success. In fact, I had a fun time where a
> client in question was infected with viruses out the wazoo, but the
> viruses never spread off their local network because I only allowed
> SMTP traffic to their SMTP relay, which required SMTP auth (thus the
> viruses couldn't send mail)

--
Adam Vande More
Re: what www perl script is running?
In response to Paul Schmehl :

> --On Tuesday, August 25, 2009 08:30:17 -0500 Colin Brace wrote:
>
>> Bill Moran wrote:
>>>
>>> You can add an ipfw rule to prevent the script from calling home, which
>>> will effectively render it neutered until you can track down and actually
>>> _fix_ the problem.
>>
>> Mike Bristow above wrote: "The script is talking to 94.102.51.57 on port
>> 7000". OK, so how do I know what port the script is using for outgoing
>> traffic on MY box? 7000 is the remote host port, right?
>>
>> FWIW, here are my core PF lines:
>>
>> pass out quick on $ext_if proto 41
>> pass out quick on gif0 inet6
>> pass in quick on gif0 inet6 proto icmp6
>> block in log
>>
>> That is to say: nothing is allowed in unless explicitly allowed
>> Everything allowed out.
>> (plus some ipv6 stuff I was testing with a tunnel)
>
> The problem with blocking outbound ports is that it breaks things in odd ways.
> For example, your mail server listens on port 25 (and possibly 465 as well) but
> it communicates with connecting clients on whatever ethereal port the client
> decided to use. If the port the client selects happens to be in a range that
> you are blocking, communication will be impossible and the client will report
> that your mail server is non-responsive.

You're doing it wrong. Block on the destination port _only_ and you don't care about the ephemeral ports.

> It's much easier to block outgoing ports for services you *don't* want to
> offer, but, if the service isn't running anyway, blocking the port is
> non-productive.

You're obviously misunderstanding me completely. You're not blocking incoming connections, you're preventing outgoing ones, which means there _is_ no service running on your local machine.

For example, a server that is _only_ web (with SSH for admin) could have a ruleset like:

pass in quick on $ext_if proto tcp from any to me port {25,587,465,22} keep state
pass out quick on $ext_if proto tcp from me to any port {25} keep state
pass out quick on $ext_if proto udp from me to any port {53,123} keep state
block all

(note that's only an example, there may be some fine points I'm missing)

One thing that had not yet been mentioned when I posted my earlier comment, is that this system is a combination firewall/web server. That makes the rules more complicated, but the setup is still possible:

pass in quick on $ext_if proto tcp from any to me port {80} keep state
pass out quick on $ext_if proto udp from me to any port {53,123} keep state
pass out quick on $ext_if from $internal_network to any all keep state
block all

Which allows limited outgoing traffic originating from the box itself, but allows unlimited outgoing traffic from systems on $internal_network.

I've done this with great success. In fact, I had a fun time where a client in question was infected with viruses out the wazoo, but the viruses never spread off their local network because I only allowed SMTP traffic to their SMTP relay, which required SMTP auth (thus the viruses couldn't send mail)

--
Bill Moran
http://www.potentialtech.com
http://people.collaborativefusion.com/~wmoran/
Re: antivirus gateway
On Aug 23, 2009, at 1:47 PM, Yavuz Maşlak wrote:

> Hello
>
> I wish to use freebsd7.2 as an antivirus gateway. is there any document about that? Could you give an advice ?

snort_inline with if_bridge provides a bit of this functionality. You drop all incoming off at a socket which you have snort listening on. It's then logged and reinserted if it passes the rules that snort.org provides. You can decide if you want to drop the traffic or not, by default it's just logged.

I don't use it to catch viruses so I don't watch how effective it is. For me it's a filtering mechanism to match custom rules. There is a document that can be googled on the net concerning this. It shows most of the config but says you can't use it with if_bridge which you can.

I don't have a 7.2 instance but it works well on 7.0. Even with horrendous amounts of traffic it seems to remain reliable. From memory (may be inaccurate), if you want to filter bi-directionally, you have to run two instances on different sockets with two different IPFW rules, one for each interface. I only have experience using this with IPFW.

> Thanks
>
> This e-mail and attachments, if any, may contain confidential and/or proprietary information. Please be advised that the unauthorized use or disclosure of the information is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by reply e-mail and delete all copies of this message and attachments. Thank you.
Re: hard disk failure - now what?
per...@pluto.rain.com writes:

> Lowell Gilbert wrote:
>> Kelly Martin writes:
>>> I just experienced a hard drive failure on one of my
>>> FreeBSD 7.2 production servers with no backup!
> ...
>> First, try copying the entire disk, *without* mounting it.
>
> Yep.
>
>> Use dd(1) to get a copy of the whole disk. I believe that
>> "conv=noerror" may be necessary.
>
> Much better: use sysutils/ddrescue, which was written
> specifically to deal with this sort of situation.

Excellent suggestion.

--
Lowell Gilbert, embedded/networking software engineer, Boston area
http://be-well.ilk.org/~lowell/
Re: what www perl script is running?
In response to Paul Schmehl :

> --On Tuesday, August 25, 2009 07:26:04 -0500 Bill Moran wrote:
>>>
>>> I am currently killing the process with the following bash command while I
>>> decide what to do next:
>>>
>>> $ while x=1 ; do sudo killall -9 perl5.8.9 && echo "killed..." ; sleep 15; done
>>
>> You can add an ipfw rule to prevent the script from calling home, which
>> will effectively render it neutered until you can track down and actually
>> _fix_ the problem.
>>
>> In reality, good security practice says that you should have IPFW (or some
>> other firewall) running and only allowing known good traffic right from
>> the start, which might have protected you from this in the first place.
>
> I disagree. I used to believe this, but experience has taught me otherwise.
> When you run a firewall on a host, you open the ports for the services you want
> to offer. The firewall provides you no protection at all against hackers
> attacking the services that are listening on ports opened through the firewall.
> All a host firewall does is consume CPU and memory and give you a warm fuzzy
> that doesn't really add to security at all and may well make you less vigilant.
> (And yes, I know I'm a security heretic in some quarters.)

Well, you're entitled to your opinion, but I think it's misguided.

Security isn't always about preventing a compromise. Sometimes it's about reducing the damage. If he had a packet filter installed that allowed only known-good traffic, he still might have gotten compromised through a web server, you got that part right. The part you missed is that the installed script needs to connect out to talk to its bot master. The packet filter would have prevented this communication, thus the rogue script would have been useless. While the compromise of the machine would succeed, control of the machine would not fall into other hands, and the script would be incapable of compromising _information_ on the machine (as it stands, you have no idea what files that script has been sending up to the bot master ... password files, for example?)

A side note to that. Make sure to change each and every password, key file, etc on that system, as they're all suspect at this point.

--
Bill Moran
http://www.potentialtech.com
http://people.collaborativefusion.com/~wmoran/
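Bill's web-only ruleset earlier in the thread and his point here that a default-deny egress policy would have left the script unable to reach its bot master can both be checked against a small model. The following is an added example, not code from the thread or from pf itself: a simplified pf-style evaluator (quick, last-match, implicit pass when nothing matches, keep state; interfaces and logging are not modelled) run over Colin's effective policy and over Bill's ruleset with "upd" read as udp. Only 94.102.51.57:7000 comes from the thread; the host addresses and ports of the other sample flows are constructed.

```python
"""Added example (not from the thread): a minimal pf-style evaluator. Modelled
semantics: last matching rule wins unless 'quick'; implicit pass when nothing
matches; 'keep state' creates an entry the reply half of a flow hits first."""
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

ME = "203.0.113.10"  # constructed: this host's external address


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", relative to this host
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


def _addr_ok(spec: Optional[str], addr: str) -> bool:
    # pf address spec: None or 'any' match all, 'me' is this host, else literal
    return spec in (None, "any") or addr == (ME if spec == "me" else spec)


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    direction: Optional[str] = None  # None matches both ("block all")
    proto: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    dports: Optional[FrozenSet[int]] = None
    quick: bool = False
    keep_state: bool = False

    def matches(self, p: Packet) -> bool:
        return ((self.direction in (None, p.direction))
                and (self.proto in (None, p.proto))
                and _addr_ok(self.src, p.src) and _addr_ok(self.dst, p.dst)
                and (self.dports is None or p.dport in self.dports))


class Pf:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = list(rules)
        self.states: Set[Tuple] = set()  # populated by 'keep state' passes

    @staticmethod
    def _key(p: Packet) -> Tuple:
        # Direction-independent key so a flow's reply packets hit the state
        ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
        return (p.proto, ends[0], ends[1])

    def filter(self, p: Packet) -> str:
        key = self._key(p)
        if key in self.states:
            return "pass"           # state lookup happens before the rules
        winner = None
        for r in self.rules:
            if r.matches(p):
                winner = r
                if r.quick:
                    break           # 'quick' stops evaluation here
        if winner is None:
            return "pass"           # pf's default when no rule matches
        if winner.action == "pass" and winner.keep_state:
            self.states.add(key)
        return winner.action


# Colin's effective policy: 'block in' only (IPv6 tunnel rules omitted), so
# every outbound connection rides on the implicit default pass.
OP_RULES = [Rule("block", direction="in")]

# Bill's web-only ruleset from earlier in the thread ('upd' read as udp).
EGRESS_RULES = [
    Rule("pass", "in", "tcp", "any", "me", frozenset({25, 587, 465, 22}),
         quick=True, keep_state=True),
    Rule("pass", "out", "tcp", "me", "any", frozenset({25}),
         quick=True, keep_state=True),
    Rule("pass", "out", "udp", "me", "any", frozenset({53, 123}),
         quick=True, keep_state=True),
    Rule("block"),
]

# Sample flows: 94.102.51.57:7000 is from the thread, the rest is constructed.
SAMPLE = [
    ("callback", Packet("out", "tcp", ME, 49152, "94.102.51.57", 7000)),
    ("dns", Packet("out", "udp", ME, 49153, "203.0.113.53", 53)),
    ("smtp_in", Packet("in", "tcp", "198.51.100.7", 51234, ME, 25)),
    ("smtp_reply", Packet("out", "tcp", ME, 25, "198.51.100.7", 51234)),
]


def verdicts(rules: List[Rule]) -> Dict[str, str]:
    """Run SAMPLE, in order, through a fresh instance of the ruleset."""
    fw = Pf(rules)
    return {name: fw.filter(p) for name, p in SAMPLE}


def without_state(rules: List[Rule]) -> List[Rule]:
    """Same rules minus 'keep state': the reply traffic Paul worried about fails."""
    return [replace(r, keep_state=False) for r in rules]
```

Under Colin's policy the callback to port 7000 passes by default; under Bill's it is blocked while the SMTP reply to the client's ephemeral port still passes, because the state created by the inbound pass is consulted before any outbound rule.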
Re: hard disk failure - now what?
On Mon, Aug 24, 2009 at 10:26:11PM +0200, Polytropon wrote:
> On Mon, 24 Aug 2009 12:29:19 -0600, Kelly Martin wrote:
>> My question: what kind of checks and/or repair tools should I run on
>> the damaged drive after it's mounted? Or should I mount it as
>> read-only and start backing it up?
>
> Thou shalt not manipulate thy file systems while they are mounted. :-)
> Perform an fsck on the partitions first, then mount them ro. Copy
> the files you need.
>
> In case you can't "reach" essential files, you have the chance to
> use forensic tools to get them.
>
> Finally, keep in mind that for further diagnostics and restore
> operations it's always wise not to use the original file systems,
> i. e. the original disk. Make dd copies of the partitions onto
> a working disk and use them instead. Luckily, most operations
> work on plain files as well as on block device specials.

dd will barf on bad bits too.
You can tinker to make it skip over the bad block, but it
won't read it.

jerry

>> I am hoping most of my data is
>> still there, but also don't want to damage it further.
>
> Good idea. This encourages you to follow the advice given above.
>
>> I desperately
>> need to salvage the data, what do the kind people on this list
>> recommend?
>
> BACKUPS!!! =^_^=
>
> --
> Polytropon
> Magdeburg, Germany
> Happy FreeBSD user since 4.0
> Andra moi ennepe, Mousa, ...
Re: what www perl script is running?
--On Tuesday, August 25, 2009 08:30:17 -0500 Colin Brace wrote:

> Bill, one more thing:
>
> Bill Moran wrote:
> > You can add an ipfw rule to prevent the script from calling home, which
> > will effectively render it neutered until you can track down and actually
> > _fix_ the problem.
>
> Mike Bristow above wrote: "The script is talking to 94.102.51.57 on port
> 7000". OK, so how do I know what port the script is using for outgoing
> traffic on MY box? 7000 is the remote host port, right?
>
> FWIW, here are my core PF lines:
>
>   pass out quick on $ext_if proto 41
>   pass out quick on gif0 inet6
>   pass in quick on gif0 inet6 proto icmp6
>   block in log
>
> That is to say: nothing is allowed in unless explicitly allowed.
> Everything allowed out. (plus some ipv6 stuff I was testing with a tunnel)

The problem with blocking outbound ports is that it breaks things in odd ways. For example, your mail server listens on port 25 (and possibly 465 as well) but it communicates with connecting clients on whatever ephemeral port the client decided to use. If the port the client selects happens to be in a range that you are blocking, communication will be impossible and the client will report that your mail server is non-responsive. It's much easier to block outgoing ports for services you *don't* want to offer, but, if the service isn't running anyway, blocking the port is non-productive.

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions are my own and not those of my employer.
***
"It is as useless to argue with those who have renounced the use of reason as to administer medication to the dead." Thomas Jefferson
Re: Continuous backup of critical system files
> I'm setting up a firewall using FreeBSD 7.2 and thought that it may
> not be a bad idea to have a continuous backup for important files like
> pf and dnsmasq configurations. By continuous I mean some script that
> would be triggered every few minutes from cron to automatically create
> a backup of any monitored file if it was modified. I also have a full
> system backup in place that is executed daily (dump/restore to a
> compact flash card), so the continuous backup would really be for
> times when someone makes a mistake editing one of the config files and
> needs to revert it to a previous state.
>
> My initial thought was to create a mercurial repository at the file
> system root and exclude everything except for explicitly added files.
> I'd then run something like "hg commit -m `date`" from cron every 10
> minutes to record the changes automatically. Can anyone think of a
> better way to do this (existing port specifically for this purpose)?
> Obviously, I need a way to track the history of a file and revert to a
> previous state quickly. The storage of changes should be as
> size-efficient as possible.

Look into 'rsync', available in the ports collection.

Generally for a basic server, you make backup copies manually before you edit something. It's a good habit to get into:

  # Make a quick backup:
  cp rules.pf rules.pf.orig
  # Then edit the original:
  nano rules.pf

If you're doing some major messing around and don't like the manual backup solution, look into 'subversion', in the ports collection. It is a full-featured revision control system. It's used by most developers (including the FreeBSD team.) You could set up a subversion repository to store all of your config files. Make changes to them and commit those changes back to the repository. Then if you make a bunch of changes you don't like, simply checkout a previous revision. It's a bit more work to set up, but if you're doing a lot of frequent tinkering it might be worth it.
For general backups I use rsync on a dedicated backup server. This way if I have to quickly restore something I can simply scp it back to the production server in seconds. rsync is fast (after the initial backup) as it only transfers the deltas (changes) in files. It automatically sorts out who has changed and who needs backed up. You could configure a cron job to run an rsync script every few minutes if you wanted. That script could also contain a command to generate an incremental copy of the entire backup directory using the -l (lowercase ell) flag. This generates a hard-linked copy, which consumes no real additional space. You can read all about it here:
http://www.sanitarium.net/golug/rsync_backups.html

Whatever you decide, best of luck!
-Modulok-
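The hard-link idea from the reply above, applied directly to the original question (a handful of config files, snapshotted from cron every few minutes, with a cheap per-file history and a quick revert). This is an added example in plain POSIX sh, not code from the thread or from rsync; the snapshot layout ($SNAPROOT/<timestamp>/<absolute path>, plus a "latest" marker file), the default location /var/backups/confsnap and the function names snapshot, changes and restore are all assumptions of the example.

```shell
#!/bin/sh
# Cron-friendly config snapshots with hard links, in plain POSIX sh.
# Added example, not code from the thread. A file whose content has not
# changed since the previous snapshot is hard-linked to that copy, so an
# unchanged file costs a directory entry and nothing else; only changed or
# new files are copied. Layout (assumed):
#   $SNAPROOT/<timestamp>/<absolute path of the file>
#   $SNAPROOT/latest   -> name of the newest snapshot directory

SNAPROOT=${SNAPROOT:-/var/backups/confsnap}   # assumed location, override via environment

# snapshot FILE...: create a timestamped snapshot of the named files and
# print the new snapshot directory.
snapshot() {
    stamp=$(date +%Y%m%d-%H%M%S)
    new="$SNAPROOT/$stamp"
    while [ -e "$new" ]; do              # two runs within a second: keep names unique and sorted
        stamp="$stamp.$$"; new="$SNAPROOT/$stamp"
    done
    mkdir -p "$new" || return 1
    prev=""
    if [ -f "$SNAPROOT/latest" ]; then prev=$(cat "$SNAPROOT/latest"); fi
    for f in "$@"; do
        [ -f "$f" ] || continue
        dest="$new/$f"                   # "$f" is absolute, so the path nests under $new
        mkdir -p "$(dirname "$dest")"
        if [ -n "$prev" ] && [ -f "$prev/$f" ] && cmp -s "$prev/$f" "$f"; then
            ln "$prev/$f" "$dest"        # unchanged: share the inode with the previous snapshot
        else
            cp -p "$f" "$dest"           # changed or new: store an independent copy
        fi
    done
    printf '%s\n' "$new" > "$SNAPROOT/latest"
    printf '%s\n' "$new"
}

# changes FILE: print the snapshot directories in which FILE's content
# differs from the snapshot before it, i.e. the revision history of that file.
changes() {
    prev=""
    for d in "$SNAPROOT"/[0-9]*; do
        [ -f "$d/$1" ] || continue
        if [ -z "$prev" ] || ! cmp -s "$prev" "$d/$1"; then
            printf '%s\n' "$d"
        fi
        prev="$d/$1"
    done
}

# restore SNAPDIR FILE: put the copy held in SNAPDIR back in place. The live
# file is snapshotted first, so a restore can itself be undone.
restore() {
    [ -f "$1/$2" ] || { echo "no copy of $2 in $1" >&2; return 1; }
    snapshot "$2" >/dev/null || return 1
    cp -p "$1/$2" "$2"
}

# Assumed cron entry, if this file were installed as /usr/local/sbin/confsnap:
#   */10 * * * * root /usr/local/sbin/confsnap /etc/pf.conf /usr/local/etc/dnsmasq.conf
```

Because each snapshot directory is a complete tree, `diff -u "$(changes /etc/pf.conf | tail -n 1)/etc/pf.conf" /etc/pf.conf` shows what the last edit changed, and `restore` takes a directory name printed by `changes`. Snapshots never share inodes with the live files, so editing a config in place cannot alter the history.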
Re: what www perl script is running?
--On Tuesday, August 25, 2009 05:46:43 -0500 Colin Brace wrote:

> Olivier Nicole wrote:
> > > Am I correct in assuming that my system has been hacked and I am running
> > > an IRC server or something?
> >
> > IRC client at least. And yes, I would think that your system has been
> > compromised.
>
> Thanks Olivier.
>
> I am currently killing the process with the following bash command while I
> decide what to do next:
>
>   $ while x=1 ; do sudo killall -9 perl5.8.9 && echo "killed..." ; sleep 15; done
>
> I suppose this calls for a "bare-metal" reinstall.
>
> Is it worth first trying to determine how my system was broken into?

Only you can answer that question. How badly do you need to get the server back up and running? If it's not critical, it would be worth taking the time to investigate. Otherwise you'll set it back up the same way and be hacked again in the same way.

If you know someone who is good at forensics on Unix boxes, call them.

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions are my own and not those of my employer.
***
"It is as useless to argue with those who have renounced the use of reason as to administer medication to the dead." Thomas Jefferson
Re: what www perl script is running?
Ruben de Groot wrote:
>
> Try a find through the entire filesystem for files owned by this user that
> you can't account for. Also check your cron and at files under /var/cron
> and /var/at
>

I found the cronjob which keeps restarting the script:

  [r...@venus /var/cron/tabs]# ls -l
  total 12
  -rw-------  1 root  wheel  3440 Aug 25 12:06 colin
  -rw-------  1 root  wheel   240 Jul 28 23:49 www
  [r...@venus /var/cron/tabs]# cat www
  # DO NOT EDIT THIS FILE - edit the master and reinstall.
  # (cron.job installed on Tue Jul 28 23:49:28 2009)
  # (Cron version -- $FreeBSD: src/usr.sbin/cron/crontab/crontab.c,v 1.24 2006/09/03 17:52:19 ru Exp $)
  */1 * * * * perl /tmp/tmpfile

I removed it, so now at least the script stops relaunching.

/tmp/tmpfile is of course the script. In a subdirectory of tmp, there is a whole bunch of source code, all owned by 'www':

  /tmp/.,]# ls -l
  total 5692
  -rw-r--r--  1 www  wheel  2844160 Mar 27 10:00 m.tgz
  drwxr-xr-x  4 www  wheel      512 Nov 10  2008 ml
  -rw-r--r--  1 www  wheel    43419 May 27 23:22 scanxml.txt
  ]# ls -l ml
  total 3208
  -rwxr-xr-x  1 www  wheel     411 Mar 27 09:57 1.user
  -rwxr-xr-x  1 www  wheel     422 Mar 27 09:57 2.user
  -rwxr-xr-x  1 www  wheel  505767 Aug  3  2008 LinkEvents
  -rwxr-xr-x  1 www  wheel    2154 May 16  2003 Makefile
  -rwx--x--x  1 www  wheel  418490 Dec  3  2005 bsd
  -rwxr-xr-x  1 www  wheel     941 Dec  3  2005 checkmech
  -rwxr-xr-x  1 www  wheel   23237 May 16  2003 configure
  -rwx--x--x  1 www  wheel  397274 Dec  3  2005 crond
  -rwxr-xr-x  1 www  wheel   22882 May 16  2003 m.h
  -rwxr-xr-x  1 www  wheel    1054 Aug  3  2008 m.lev
  -rwx--x--x  1 www  wheel       6 May 25  2008 m.pid
  -rwxr-xr-x  1 www  wheel    1320 Mar 27 09:56 m.set
  -rwxr-xr-x  1 www  wheel   10240 Nov 10  2008 m.tgz
  -rwxr-xr-x  1 www  wheel  167964 Mar 16  2001 pico
  drwxr-xr-x  2 www  wheel     512 Mar  4  2005 r
  drwxr-xr-x  2 www  wheel    1024 Dec  3  2005 src

If anyone is interested in looking at this stuff, or wants more info, please let me know.
- Colin Brace
Amsterdam
http://lim.nl
Re: what www perl script is running?
--On Tuesday, August 25, 2009 04:41:33 -0500 Ruben de Groot wrote:

> On Tue, Aug 25, 2009 at 10:19:37AM +0100, Mike Bristow typed:
> > On Tue, Aug 25, 2009 at 01:00:53AM -0700, Colin Brace wrote:
> > > Ok, here is what lsof tells me:
> > >
> > >   $ sudo lsof | grep perl
> > >   perl5.8.9  4272  www  3u  IPv4  0xc33cf000  0t0  TCP gw:51295->94.102.51.57:afs3-fileserver (ESTABLISHED)
> > >
> > > The last line would appear to be telling me something, but what?
> >
> > The script is talking to 94.102.51.57 on port 7000.
>
> At which port an IRC server is listening:
>
>   telnet 94.102.51.57 7000
>   Trying 94.102.51.57...
>   Connected to 94.102.51.57.
>   Escape character is '^]'.
>   :sampson.dangerz.biz NOTICE AUTH :*** Looking up your hostname...
>   :sampson.dangerz.biz NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead

And the IRC daemon is screaming "You have been hacked!"

You need to get someone who knows about server compromises to help you. Your server has been compromised. If you don't take action now, it will only get worse.

-- 
Paul Schmehl (pa...@utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
Re: what www perl script is running?
Ruben de Groot wrote:
>
> Which is exactly what the rogue perl script was using to connect to its
> "home".
> Once established this connection could have been used for almost
> anything,
> including downloading other malicious software or setting up a tunnel into
> your LAN.
>

Well, the box (also) serves as my DSL gateway, as I indicated above. How would I be able to use various desktop programs like Skype which dynamically set up their own outgoing ports?

However, I am perfectly willing to entertain the idea that using a (web)server as a router is a Bad Idea. However, when I set it up, it just seemed more convenient and flexible.

- Colin Brace
Amsterdam
http://lim.nl
Re: what www perl script is running?
--On Tuesday, August 25, 2009 07:26:04 -0500 Bill Moran wrote:

> > I am currently killing the process with the following bash command while I
> > decide what to do next:
> >
> >   $ while x=1 ; do sudo killall -9 perl5.8.9 && echo "killed..." ; sleep 15; done
>
> You can add an ipfw rule to prevent the script from calling home, which
> will effectively render it neutered until you can track down and actually
> _fix_ the problem.
>
> In reality, good security practice says that you should have IPFW (or some
> other firewall) running and only allowing known good traffic right from
> the start, which might have protected you from this in the first place.

I disagree. I used to believe this, but experience has taught me otherwise. When you run a firewall on a host, you open the ports for the services you want to offer. The firewall provides you no protection at all against hackers attacking the services that are listening on ports opened through the firewall. All a host firewall does is consume CPU and memory and give you a warm fuzzy that doesn't really add to security at all and may well make you less vigilant. (And yes, I know I'm a security heretic in some quarters.)

Firewalls are much more effective when they're not on the box(es) you're trying to protect.

I think it's highly likely that this compromise was through the web server attacking a vulnerable service or a poorly coded script or a permissions problem. And it sounds like the compromise is limited (right now) to the web service. In fact it sounds a great deal like PsyBNC.
http://en.wikipedia.org/wiki/PsyBNC

> > Is it worth first trying to determine how my system was broken into?
>
> Yes. Otherwise you'll probably just get a repeat once you've reinstalled.

You're absolutely correct. The old aphorism about always doing what you've always done always produces the results you've always gotten certainly applies here.

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions are my own and not those of my employer.
***
"It is as useless to argue with those who have renounced the use of reason as to administer medication to the dead." Thomas Jefferson
Re: what www perl script is running?
On Tue, Aug 25, 2009 at 06:30:17AM -0700, Colin Brace typed:
>
> Bill, one more thing:
>
> Bill Moran wrote:
> >
> > You can add an ipfw rule to prevent the script from calling home, which
> > will effectively render it neutered until you can track down and actually
> > _fix_ the problem.
>
> Mike Bristow above wrote: "The script is talking to 94.102.51.57 on port
> 7000". OK, so how do I know what port the script is using for outgoing
> traffic on MY box? 7000 is the remote host port, right?

  gw:51295->94.102.51.57:afs3-fileserver (ESTABLISHED)

It's using local port 51295. But that's irrelevant as ports for outgoing connections are dynamically allocated.

> FWIW, here are my core PF lines:
>
>   pass out quick on $ext_if proto 41
>   pass out quick on gif0 inet6
>   pass in quick on gif0 inet6 proto icmp6
>   block in log
>
> That is to say: nothing is allowed in unless explicitly allowed
> Everything allowed out.

Which is exactly what the rogue perl script was using to connect to its "home". Once established this connection could have been used for almost anything, including downloading other malicious software or setting up a tunnel into your LAN.

Ruben
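Ruben's point, and Paul's objection to outbound filtering earlier in the thread, both turn on one pf fact: pf passes any packet that no rule matches, so "block in log" on its own leaves every outbound connection open. The following added example (mine, not code from the thread or from pf) parses pf.conf text and reports the egress policy. Colin's four lines are reproduced as posted; the hardened ruleset beside them is an assumption (the interface name re0, the port lists and the function names egress_default, egress_ports and egress_report are all mine). The parser understands the simple rule shapes used in the thread plus space-separated { } port lists, and leaves macros such as $ext_if unexpanded.

```shell
#!/bin/sh
# Egress-policy check for a pf ruleset. Added example, not from the thread.
# Reports whether outbound traffic is blocked by default and which outbound
# ports are explicitly allowed. Both rulesets below are constructed samples.

# Colin's ruleset as posted: inbound default-deny, outbound wide open,
# because pf passes whatever no rule matches.
OPEN_RULES='pass out quick on $ext_if proto 41
pass out quick on gif0 inet6
pass in quick on gif0 inet6 proto icmp6
block in log'

# A hardened variant (assumed, not from the post): deny both directions, then
# allow only the outbound services the gateway needs. A bot calling home to
# tcp/7000 would be logged and dropped instead of connecting.
STRICT_RULES='ext_if = "re0"
block log all
pass out quick on $ext_if proto udp to port { 53 123 }
pass out quick on $ext_if proto tcp to port { 25 80 443 }
pass in quick on $ext_if proto tcp to port { 22 25 80 443 }'

# egress_default RULES: prints "block" when some block rule covers outbound
# traffic (bare "block", "block ... all" or "block out ..."), else "pass".
egress_default() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*block([ \t]|$)/ {
            dir = "any"
            for (i = 2; i <= NF; i++) {
                if ($i == "in")  { dir = "in";  break }
                if ($i == "out") { dir = "out"; break }
                if ($i == "all") break
                # modifiers that may sit between "block" and the direction
                if ($i !~ /^(log|return|return-[a-z]+|drop|quick)$/) break
            }
            if (dir != "in") found = 1
        }
        END { if (found) print "block"; else print "pass" }'
}

# egress_ports RULES: destination ports named in "pass out" rules, one per
# line; "{ a b c }" lists are expanded (tokens must be space-separated).
egress_ports() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*pass[ \t]+out([ \t]|$)/ {
            for (i = 1; i <= NF; i++) {
                if ($i != "port") continue
                if ($(i + 1) == "{") {
                    for (j = i + 2; j <= NF && $j != "}"; j++) print $j
                } else {
                    print $(i + 1)
                }
            }
        }'
}

# egress_report RULES: one-line human summary of the outbound policy
egress_report() {
    if [ "$(egress_default "$1")" = "pass" ]; then
        echo "outbound: default PASS (any local process can call home)"
    else
        echo "outbound: default BLOCK; allowed ports: $(egress_ports "$1" | tr '\n' ' ')"
    fi
}

egress_report "$OPEN_RULES"
egress_report "$STRICT_RULES"
```

On the pf shipped with FreeBSD 7.x, pass rules keep state by default, so Paul's ephemeral-port concern above applies to stateless filtering: replies to a connection that a pass in rule accepted are matched by the state entry, not by a separate pass out rule, and the hardened ruleset does not need to open the high ports for them.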
Re: what www perl script is running?
On Tue, Aug 25, 2009 at 06:16:49AM -0700, Colin Brace typed:
>
> Bill Moran wrote:
> >
> > You can add an ipfw rule to prevent the script from calling home, which
> > will effectively render it neutered until you can track down and actually
> > _fix_ the problem.
> >
> > In reality, good security practice says that you should have IPFW (or some
> > other firewall) running and only allowing known good traffic right from
> > the start, which might have protected you from this in the first place.
>
> Bill,
>
> I am surprised you would think I have no firewall. As long as I have had the
> server (2 years), I have had PF installed and running, and I can tell you
> exactly which incoming ports I have open to the net:
>
>   tcp_services = "{ ssh smtp www https 4661 4662 52550 }"

But are you blocking any outgoing traffic?

>   wifi_tcp_services = "{ ftp ssh bootps whois domain www imap imaps ntp irc
>   https sunrpc dict nfs 2628 3689 4711 6667 6909 23398}"
>
> Should I entertain the possibility that someone parked their car near my
> house and hacked in through one of the above ports?

That's certainly possible. But not my first guess.

> Any suggestions as to where to start looking for the breach would be most
> welcome; I am quite new to this game.

My guess (not much more than that) is that someone used a vulnerable web page, maybe some perl or php application that was exploitable. This because the rogue process was running as user "www".

Try a find through the entire filesystem for files owned by this user that you can't account for. Also check your cron and at files under /var/cron and /var/at

And try to find out what's starting the process with ps -alx, tracking the PPIDs.

good hunting!
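The three checks Ruben suggests, scripted so they can be repeated on every host that shares the same web stack. This is an added example, not code from the thread; it is shaped by what Colin later reports finding (a www-owned tree under /tmp and a www crontab under /var/cron/tabs relaunching the script every minute). The defaults are FreeBSD's paths and the "www" user; SKIP is an assumed convention for prefixes where that user legitimately owns files, and the function names unexpected_files, scheduled_jobs and ancestry are mine.

```shell
#!/bin/sh
# Post-compromise triage helpers. Added example, not code from the thread.
# 1. unexpected_files: files owned by the web-server user outside its document root
# 2. scheduled_jobs:   per-user crontabs and queued at(1) jobs, comments stripped
# 3. ancestry:         the parent chain of a process, to see who started it

CRONTABS=${CRONTABS:-/var/cron/tabs}   # FreeBSD default per-user crontab directory
ATJOBS=${ATJOBS:-/var/at/jobs}         # FreeBSD default at(1) spool

# unexpected_files USER DIR...: regular files below DIRs owned by USER, minus
# anything under a prefix listed in $SKIP (space-separated, assumed convention).
unexpected_files() {
    user=$1; shift
    for dir in "$@"; do
        find "$dir" -user "$user" -type f 2>/dev/null
    done | while IFS= read -r f; do
        keep=1
        for p in ${SKIP:-}; do
            case $f in "$p"*) keep=0 ;; esac
        done
        if [ "$keep" -eq 1 ]; then printf '%s\n' "$f"; fi
    done
}

# scheduled_jobs [CRONDIR] [ATDIR]: active lines of every per-user crontab,
# prefixed with the owning file's name, then every queued at job and its owner.
scheduled_jobs() {
    for tab in "${1:-$CRONTABS}"/*; do
        [ -f "$tab" ] || continue
        grep -v '^[[:space:]]*#' "$tab" | grep -v '^[[:space:]]*$' \
            | sed "s|^|$(basename "$tab"): |"
    done
    for job in "${2:-$ATJOBS}"/*; do
        [ -f "$job" ] || continue
        printf 'at job: %s (owner %s)\n' "$(basename "$job")" "$(ls -ld "$job" | awk '{print $3}')"
    done
}

# ancestry PID: walk the parent chain with POSIX ps -o, printing "pid command"
# per level, so a perl process whose parent is the web server is obvious.
ancestry() {
    pid=$1
    while [ -n "$pid" ] && [ "$pid" -gt 0 ] 2>/dev/null; do
        line=$(ps -o pid= -o ppid= -o comm= -p "$pid" 2>/dev/null) || break
        [ -n "$line" ] || break
        set -- $line                     # word-split into pid, ppid, command
        printf '%s %s\n' "$1" "$3"
        pid=$2
    done
}

# Typical run on the gateway from the thread (paths assumed):
#   SKIP=/usr/local/www; unexpected_files www /
#   scheduled_jobs
#   ancestry 4272
```

The crontab check is the one that would have shown the persistence mechanism immediately: a www-owned file under /var/cron/tabs is unusual on a box where nobody intentionally gave the web-server user a crontab, and the "DO NOT EDIT" header it carries shows it was installed with crontab(1), not hand-written.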
Re: what www perl script is running?
Bill, one more thing:

Bill Moran wrote:
>
> You can add an ipfw rule to prevent the script from calling home, which
> will effectively render it neutered until you can track down and actually
> _fix_ the problem.

Mike Bristow above wrote: "The script is talking to 94.102.51.57 on port 7000". OK, so how do I know what port the script is using for outgoing traffic on MY box? 7000 is the remote host port, right?

FWIW, here are my core PF lines:

  pass out quick on $ext_if proto 41
  pass out quick on gif0 inet6
  pass in quick on gif0 inet6 proto icmp6
  block in log

That is to say: nothing is allowed in unless explicitly allowed. Everything allowed out. (plus some ipv6 stuff I was testing with a tunnel)

Merci

- Colin Brace
Amsterdam
http://lim.nl
Re: what www perl script is running?
Bill Moran wrote:
>
> You can add an ipfw rule to prevent the script from calling home, which
> will effectively render it neutered until you can track down and actually
> _fix_ the problem.
>
> In reality, good security practice says that you should have IPFW (or some
> other firewall) running and only allowing known good traffic right from
> the start, which might have protected you from this in the first place.
>

Bill,

I am surprised you would think I have no firewall. As long as I have had the server (2 years), I have had PF installed and running, and I can tell you exactly which incoming ports I have open to the net:

  tcp_services = "{ ssh smtp www https 4661 4662 52550 }"

the last three are for edonkey and bittorrent, resp. c'est tout. There are no *obvious* weaknesses, ie, ssh is private-key only.

That being said, I leave the WiFi open to everyone, with the following ports available:

  wifi_tcp_services = "{ ftp ssh bootps whois domain www imap imaps ntp irc https sunrpc dict nfs 2628 3689 4711 6667 6909 23398}"

Should I entertain the possibility that someone parked their car near my house and hacked in through one of the above ports?

Any suggestions as to where to start looking for the breach would be most welcome; I am quite new to this game.

Thanks.

- Colin Brace
Amsterdam
http://lim.nl
Re: what www perl script is running?
In response to Colin Brace :
>
> Olivier Nicole wrote:
> >
> > > Am I correct in assuming that my system has been hacked and I am running
> > > an IRC server or something?
> >
> > IRC client at least. And yes, I would think that your system has been
> > compromised.
> >
>
> Thanks Olivier.
>
> I am currently killing the process with the following bash command while I
> decide what to do next:
>
>   $ while x=1 ; do sudo killall -9 perl5.8.9 && echo "killed..." ; sleep 15; done

You can add an ipfw rule to prevent the script from calling home, which will effectively render it neutered until you can track down and actually _fix_ the problem.

In reality, good security practice says that you should have IPFW (or some other firewall) running and only allowing known good traffic right from the start, which might have protected you from this in the first place.

> Is it worth first trying to determine how my system was broken into?

Yes. Otherwise you'll probably just get a repeat once you've reinstalled.

-- 
Bill Moran
http://www.potentialtech.com
http://people.collaborativefusion.com/~wmoran/
Re: Problem mounting EXT2FS
I have as well this in the other hand: heheheh, THE BIBLE!

[image: 51dtdR9r6RL._SL500_AA240_.jpg]

2009/8/25 Mark Stapper
> Jeronimo Calvo wrote:
> > hi Mark!
> >
> > I'm using FreeBSD 7.2-RELEASE... but I'm not sure about the "userland",
> > it is currently fresh installed, just compiled the KERNEL to add ext2fs
> > support and installed the patch for the 256-inode... nothing else...
> > But I will take your advice and upgrade my kernel to STABLE (as I
> > think it will be funny as well, ur not the one "geek" here I suppose
> > hahahaha)
> Don't forget to reapply the ext2 patch... ;-)
> >
> > I will need to get some more knowledge about "userland"... :D
> the userland is just the collection of base applications or "base
> distribution".
> >
> > Will check up ur links fella! btw, if u find anything else new-bie
> > related... send me as well!!
> Just read all the chapters listed here:
> http://www.freebsd.org/doc/en/books/handbook/
> ;-)
Re: Problem mounting EXT2FS
Jeronimo Calvo wrote:
> hi Mark!
>
> I'm using FreeBSD 7.2-RELEASE... but I'm not sure about the "userland",
> it is currently fresh installed, just compiled the KERNEL to add ext2fs
> support and installed the patch for the 256-inode... nothing else...
> But I will take your advice and upgrade my kernel to STABLE (as I
> think it will be funny as well, ur not the one "geek" here I suppose
> hahahaha)
Don't forget to reapply the ext2 patch... ;-)
>
> I will need to get some more knowledge about "userland"... :D
the userland is just the collection of base applications or "base distribution".
>
> Will check up ur links fella! btw, if u find anything else new-bie
> related... send me as well!!
Just read all the chapters listed here:
http://www.freebsd.org/doc/en/books/handbook/
;-)
Re: Problem mounting EXT2FS
hi Mark!

I'm using FreeBSD 7.2-RELEASE... but I'm not sure about the "userland", it is currently fresh installed, just compiled the KERNEL to add ext2fs support and installed the patch for the 256-inode... nothing else... But I will take your advice and upgrade my kernel to STABLE (as I think it will be funny as well, ur not the one "geek" here I suppose hahahaha)

I will need to get some more knowledge about "userland"... :D

Will check up ur links fella! btw, if u find anything else new-bie related... send me as well!!

Cheers!

2009/8/25 Mark Stapper
> Jeronimo Calvo wrote:
> > Actually, I just compiled it and restarted it... seems to be working
> > fine now...
> >
> > By the way... how do I do that?? is that necessary?
> >
> > cheers!
> well, if you have the "RELEASE" source, and the "RELEASE" "userland"
> there is no problem.
> However if you have the "STABLE" source and the "RELEASE" userland there
> could be incompatible behaviour.
> Upgrading your kernel to the "STABLE" release is generally a good idea.
> For more info check:
> http://www.freebsd.org/doc/en/books/handbook/kernelconfig.html
> and
> http://www.freebsd.org/doc/en/books/handbook/synching.html
> and
> http://www.freebsd.org/doc/en/books/handbook/makeworld.html
> Be sure to make backups, as the way to recover is very different from
> Linux.
>
> Have fun! (Yes, I consider compiling your own kernel and userland to be
> "fun")
> Greetz,
> Mark
Re: Problem with cURL and pipes
Never mind, cURL bug.
Re: how to decide if disk / system is quotas capable
Hi,

> 1) checking enable_quotas="YES" in /etc/rc.conf
> 2) should I try to look in /etc/fstab? There is userquota and / or
> groupquota in line for some disk device in option field.

That is enough.

1) will tell you that the system is quota capable
2) will tell you what file system is quota capable
3) will tell you what file system has some quota defined for some user/group, it's beyond your question.

Best regards,

Olivier
Re: what www perl script is running?
Colin,

> I suppose this calls for a "bare-metal" reinstall.
> Is it worth first trying to determine how my system was broken into?

It really depends on:

- what is installed on that machine (how long it would take to reinstall, how much software, ports, specially configured stuff).

- how important it is that you keep the machine running (like the only web server generating all the revenue for your company vs. your home mail server that is being used for you and your household).

If you can afford to take the system down for enough time to reinstall it from scratch, it is the best: you will know 100% that you did not forget some backdoor somewhere, you may install updated software, you may implement those fancy changes that you have always wanted to implement, but that you would not do because you were afraid of breaking a working server.

In any case, it is a good exercise to try to find out how you were broken into: security hole in the OS or some port, hopefully an upgrade will close them, a security hole in some home made script? If you re-install that script on your new server without closing the holes, the new server will be vulnerable too, and soon compromised.

It may also be good to dig from the log and try to find who has been reaching your infected server: it happened to me (third party software installed by an outside contractor), from the log I contacted all the people that I could locate upstream, about 5 to 10% of them were not aware that they had been infected too...

Trying to understand how you got compromised is a good way to gain deeper knowledge about your system.

Best regards,

Olivier
how to decide if disk / system is quotas capable
hi,

I am writing a script in which I want to decide if disk / system is capable to set quotas for user / groups. how to check it?

I am thinking about
1) checking enable_quotas="YES" in /etc/rc.conf
2) should I try to look in /etc/fstab? There is userquota and / or groupquota in line for some disk device in option field.
3) should I test existence of quota.user and quota.group in filesystem root?

which method would be the best one?

thank you for time
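The three checks listed in this question, in the order Olivier's reply above ranks them, as a set of sh functions that a script can call. This is an added example, not code from either post. One correction of fact in it: the rc.conf knob that FreeBSD's rc.d/quota script reads is quota_enable (check_quotas controls the boot-time quotacheck), so the probe looks for that name by default; the question's enable_quotas can be substituted through QUOTA_KNOB. File locations are parameters so the functions can be pointed at copies; the function names rc_quotas_enabled, fstab_quota_mounts, quota_files_present and quota_status are mine.

```shell
#!/bin/sh
# Quota-capability probe for a FreeBSD host. Added example, not from the thread.
# 1) rc.conf says quotas are turned on          -> the system will enforce them
# 2) fstab carries userquota/groupquota options -> which file systems can carry them
# 3) quota.user / quota.group exist at the root -> quotas have actually been set up there

QUOTA_KNOB=${QUOTA_KNOB:-quota_enable}   # the variable rc.d/quota reads; override if needed

# rc_quotas_enabled [RCCONF]: returns 0 when $QUOTA_KNOB is set to YES
# (case-insensitive, last assignment wins, as rc.conf itself behaves)
rc_quotas_enabled() {
    rc=${1:-/etc/rc.conf}
    q="'"
    val=$(sed -n "s/^[[:space:]]*$QUOTA_KNOB=[\"$q]*\([A-Za-z]*\).*/\1/p" "$rc" 2>/dev/null | tail -n 1)
    case $(printf '%s' "$val" | tr '[:lower:]' '[:upper:]') in
        YES) return 0 ;;
        *)   return 1 ;;
    esac
}

# fstab_quota_mounts [FSTAB]: prints "mountpoint option" for every fstab entry
# whose option field contains userquota or groupquota (with or without =path)
fstab_quota_mounts() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }
        {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) {
                o = opt[i]; sub(/=.*/, "", o)      # userquota=/path -> userquota
                if (o == "userquota" || o == "groupquota") print $2, o
            }
        }' "${1:-/etc/fstab}" 2>/dev/null
}

# quota_files_present MOUNTPOINT: returns 0 if a quota data file exists there
quota_files_present() {
    [ -f "$1/quota.user" ] || [ -f "$1/quota.group" ]
}

# quota_status [RCCONF] [FSTAB]: combined verdict for a calling script;
# returns 0 only when quotas are both enabled and configured on some file system
quota_status() {
    rc_quotas_enabled "$1" && rc=yes || rc=no
    mounts=$(fstab_quota_mounts "$2")
    if [ "$rc" = yes ] && [ -n "$mounts" ]; then
        printf 'quotas enabled; quota-capable file systems:\n%s\n' "$mounts"
        return 0
    fi
    printf 'quotas not active (rc.conf: %s; fstab quota options: %s)\n' "$rc" "${mounts:-none}"
    return 1
}
```

Check 3 is the one that answers "is a quota defined" rather than "can one be defined": the quota.user file appears once quotacheck has run on that file system, so a script that only needs to know whether the system is quota-capable can stop after the first two checks, as the reply above says.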
Re: what www perl script is running?
Olivier Nicole wrote:
>
> > Am I correct in assuming that my system has been hacked and I am running
> > an IRC server or something?
>
> IRC client at least. And yes, I would think that your system has been
> compromised.
>

Thanks Olivier.

I am currently killing the process with the following bash command while I decide what to do next:

  $ while x=1 ; do sudo killall -9 perl5.8.9 && echo "killed..." ; sleep 15; done

I suppose this calls for a "bare-metal" reinstall.

Is it worth first trying to determine how my system was broken into?

- Colin Brace
Amsterdam
http://lim.nl
Re: what www perl script is running?
Hi Colin,

> Am I correct in assuming that my system has been hacked and I am running an
> IRC server or something?

IRC client at least. And yes, I would think that your system has been compromised.

Good luck,

Olivier
Re: Problem mounting EXT2FS
Actually, I just compiled it and restarted it... seems to be working fine now...

By the way... how do I do that?? is that necessary?

cheers!

2009/8/25 Mark Stapper
> Jeronimo Calvo wrote:
> > Hi folks, I'm migrating from Linux to BSD, and I found my first problem...
> > First of all, I did save my /home from my old Linux distribution on another
> > HD, ext2fs partition /dev/ad6s1... I can correctly see the drive from
> > sysinstall.
> >
> > I read about compiling the KERNEL in order to add Ext2fs support under
> > Freebsd, which I did... Adding the line:
> >
> > Quote:
> >   options EXT2FS
> > looking like this:
> >
> > Quote:
> >   options KBD_INSTALL_CDEV # install a CDEV entry in /dev
> >   options ADAPTIVE_GIANT # Giant mutex is adaptive.
> >   options STOP_NMI # Stop CPUS using NMI instead of IPI
> >   options AUDIT # Security event auditing
> >   #options KDTRACE_FRAME # Ensure frames are compiled in
> >   *options EXT2FS*
> >   #options KDTRACE_HOOKS # Kernel DTrace hooks
> > After this I recompiled the kernel and installed...
> >
> > Quote:
> >   # uname -a
> >   FreeBSD 7.2-RELEASE FreeBSD 7.2-RELEASE #0: Mon Aug 24 18:59:43 UTC 2009
> >   iscariote@:/usr/obj/usr/src/sys/MYKERNEL amd64
> > Well... everything should be ready now to mount my ext2fs partition... Using
> > the following command...
> >
> > Quote:
> >   # mount
> >   /dev/ad8s1a on / (ufs, local)
> >   devfs on /dev (devfs, local)
> >   /dev/ad8s1e on /tmp (ufs, local, soft-updates)
> >   /dev/ad8s1f on /usr (ufs, local, soft-updates)
> >   /dev/ad8s1d on /var (ufs, local, soft-updates)
> >   /dev/ntfs/DATOSWIN on /media/DATOSWIN (ntfs, local, nosuid)
> >   # mount -t extfs2 /dev/ad6s1 /ext2
> >   mount: /dev/ad6s1 : Operation not supported by device
> >
> > I tried several times, with no luck, one of those times I was able to mount
> > it, but not to access it, when I tried to cd /ext2 (folder where it is mounted)
> > system tells me that ext2 is not a folder...
> >
> > any ideas???
> >
> > Thanks in advance!!
>
> Did you recompile world as well?
> You might also want to install sysutils/e2fsprogs.
> I have not done this myself yet though...
> Hope it helps.
> Mark
Re: what www perl script is running?
Mike Bristow wrote:
>
> On Tue, Aug 25, 2009 at 01:00:53AM -0700, Colin Brace wrote:
> > Ok, here is what lsof tells me:
> >
> >   $ sudo lsof | grep perl
> >   perl5.8.9  4272  www  3u  IPv4  0xc33cf000  0t0  TCP gw:51295->94.102.51.57:afs3-fileserver (ESTABLISHED)
> >
> > The last line would appear to be telling me something, but what?
>
> The script is talking to 94.102.51.57 on port 7000.
>
> Other useful things:
>
>   ps ajx
> will tell you the parent process of the script: this looks like
> it may be a (fast?)CGI script; if so then the parent would be the
> web server.
>
> It may also show the name of the script (but beware: the script
> can change that) which would be useful to know.
>
> > After 24 hours since rebooting, this perl instance is still crunching
> > away...
>
> Is it the same instance of the script, or a new copy each time?
> That is, does the PID change? If so, that points to a CGI; if not it
> points to a fastCGI - or something else.
>

I have disabled both CGI and fastCGI in lighttpd.conf, restarted the webserver, but the script keeps popping up. Now I notice something interesting:

  $ ps aux | grep www
  www  116  100.0  0.7  5864  3588  ??  R  11:53AM  8:10.33  /usr/bin/web/httpd (perl5.8.9)
  www  113    0.0  0.0     0     0  ??  Z  11:53AM  0:00.18

This file doesn't exist on my system. Am I correct in assuming that my system has been hacked and I am running an IRC server or something?

Thanks.

- Colin Brace
Amsterdam
http://lim.nl
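The ps line above is the tell Mike warned about: the script changed its own argument list to look like a web server, and FreeBSD's ps prints the kernel's name for the executable in parentheses when it disagrees with the argument list. The claimed path does not exist on the host, and that mismatch is cheap to check for every process. Added example, not code from the thread: fake_paths reads "PID COMMAND..." lines (the shape of ps -A -o pid= -o args=) so it also runs over saved listings; the sample lines are constructed around the entry Colin posted, and the function names are mine.

```shell
#!/bin/sh
# Flag processes whose claimed program path does not exist as an executable.
# Added example, not code from the thread.

# fake_paths < PSLINES: for each "pid command args..." line whose command is an
# absolute path that is not an executable file on this host, print "pid path".
fake_paths() {
    while read -r pid cmd rest; do
        case $cmd in
            /*) [ -x "$cmd" ] || printf '%s %s\n' "$pid" "$cmd" ;;
        esac
    done
}

# live_check: run the same test over the current process table
live_check() {
    ps -A -o pid= -o args= | fake_paths
}

# Constructed sample modelled on the listing in the thread. /bin/sh exists on
# any Unix host, so only the two entries with invented paths should be reported.
SAMPLE='116 /usr/bin/web/httpd (perl5.8.9)
4271 /bin/sh /usr/local/etc/rc.d/lighttpd start
113 /nonexistent/httpd'

printf '%s\n' "$SAMPLE" | fake_paths
```

A process can also claim a path that does exist (say, the real httpd binary) while running something else, which this check cannot see; on FreeBSD releases that ship procstat(1), `procstat -b PID` reports the executable the kernel actually mapped, and comparing that with the argument list closes the gap.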
Re: Problem mounting EXT2FS
Jeronimo Calvo wrote:
> Hi folks, I'm migrating from Linux to BSD, and I found my first problem...
> First of all, I did save my /home from my old Linux distribution on another
> HD, ext2fs partition /dev/ad6s1... I can correctly see the drive from
> sysinstall.
>
> I read about compiling the KERNEL in order to add Ext2fs support under
> FreeBSD, which I did... Adding the line:
>
> Quote:
> options EXT2FS
>
> looking like this:
>
> Quote:
> options KBD_INSTALL_CDEV # install a CDEV entry in /dev
> options ADAPTIVE_GIANT # Giant mutex is adaptive.
> options STOP_NMI # Stop CPUS using NMI instead of IPI
> options AUDIT # Security event auditing
> #options KDTRACE_FRAME # Ensure frames are compiled in
> *options EXT2FS*
> #options KDTRACE_HOOKS # Kernel DTrace hooks
>
> After this I recompiled the kernel and installed...
>
> Quote:
> # uname -a
> FreeBSD 7.2-RELEASE FreeBSD 7.2-RELEASE #0: Mon Aug 24 18:59:43 UTC 2009
> iscariote@:/usr/obj/usr/src/sys/MYKERNEL amd64
>
> Well... everything should be ready now to mount my ext2fs partition... Using
> the following command...
>
> Quote:
> # mount
> /dev/ad8s1a on / (ufs, local)
> devfs on /dev (devfs, local)
> /dev/ad8s1e on /tmp (ufs, local, soft-updates)
> /dev/ad8s1f on /usr (ufs, local, soft-updates)
> /dev/ad8s1d on /var (ufs, local, soft-updates)
> /dev/ntfs/DATOSWIN on /media/DATOSWIN (ntfs, local, nosuid)
> # mount -t extfs2 /dev/ad6s1 /ext2
> mount: /dev/ad6s1 : Operation not supported by device
>
> I tried several times, with no luck. One of those times I was able to mount
> it, but not to access it: when I tried to cd /ext2 (the folder where it is mounted)
> the system told me that ext2 is not a folder...
>
> Any ideas???
>
> Thanks in advance!!

Besides, I think it's ext2fs, not extfs2... Typo?

greetz,
Mark
Re: what www perl script is running?
On Tue, Aug 25, 2009 at 10:19:37AM +0100, Mike Bristow typed:
> On Tue, Aug 25, 2009 at 01:00:53AM -0700, Colin Brace wrote:
> > Ok, here is what lsof tells me:
> >
> > $ sudo lsof | grep perl
> > perl5.8.9 4272 www 3u IPv4 0xc33cf000 0t0 TCP
> > gw:51295->94.102.51.57:afs3-fileserver (ESTABLISHED)
> >
> > The last line would appear to be telling me something, but what?
>
> The script is talking to 94.102.51.57 on port 7000.

At which port an IRC server is listening:

> telnet 94.102.51.57 7000
Trying 94.102.51.57...
Connected to 94.102.51.57.
Escape character is '^]'.
:sampson.dangerz.biz NOTICE AUTH :*** Looking up your hostname...
:sampson.dangerz.biz NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead

Ruben
Approaching the limit on PV entries, consider increasing either the vm.pmap.shpgperproc or the vm.pmap.pv_entry_max tunable
Hello,

We have an HP Proliant DL380G5 with 4GB of RAM and FreeBSD 7.0 which has been running PostgreSQL 8.3 for more than a year now. No problems, except that two days ago I noticed those messages in my kernel logs:

"Approaching the limit on PV entries, consider increasing either the vm.pmap.shpgperproc or the vm.pmap.pv_entry_max tunable."

Since vm.pmap.shpgperproc and vm.pmap.pv_entry_max require a reboot I want to be sure that I put "good" values (for ex: I read that increasing vm.pmap.shpgperproc too much could result in a panic at boot time or later).

I have the following in /boot/loader.conf:

kern.ipc.semmni=1024
kern.ipc.semmns=16384
kern.ipc.semmnu=16384
vm.pmap.shpgperproc=225
vm.pmap.pv_entry_max=4134816

and the following in /etc/sysctl.conf:

kern.ipc.shmall=262144
kern.ipc.shmmax=1073741824
kern.ipc.semmap=16384
kern.ipc.shm_use_phys=1

Do you think that those values for vm.pmap.pv_entry_max and vm.pmap.shpgperproc are OK? Is it OK to increase vm.pmap.pv_entry_max as long as vm.kvm_free is not too low?

Thanks,
Julien

--
Julien Cigar
Belgian Biodiversity Platform
http://www.biodiversity.be
Université Libre de Bruxelles (ULB)
Campus de la Plaine CP 257
Bâtiment NO, Bureau 4 N4 115C (Niveau 4)
Boulevard du Triomphe, entrée ULB 2
B-1050 Bruxelles
Mail: jci...@ulb.ac.be
@biobel: http://biobel.biodiversity.be/person/show/471
Tel : 02 650 57 52

No trees were killed in the creation of this message. However, many electrons were terribly inconvenienced.
Re: what www perl script is running?
On Tue, Aug 25, 2009 at 01:00:53AM -0700, Colin Brace wrote:
> Ok, here is what lsof tells me:
>
> $ sudo lsof | grep perl
> perl5.8.9 4272 www 3u IPv4 0xc33cf000 0t0 TCP
> gw:51295->94.102.51.57:afs3-fileserver (ESTABLISHED)
>
> The last line would appear to be telling me something, but what?

The script is talking to 94.102.51.57 on port 7000.

Other useful things:

ps ajx

will tell you the parent process of the script: this looks like it may be a (fast?)CGI script; if so then the parent would be the web server.

It may also show the name of the script (but beware: the script can change that) which would be useful to know.

> After 24 hours since rebooting, this perl instance is still crunching away...

Is it the same instance of the script, or a new copy each time? That is, does the PID change? If so, that points to a CGI; if not it points to a fastCGI - or something else.

Cheers,
--
:wq
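An added example, not from the thread, that applies the advice above: it joins an lsof connection list with FreeBSD "ps ajx" output and reports processes of the web server's user that hold an outbound connection while their parent is not the web server (a CGI child would hang off the web server; a process reparented to init is worth a look). The lsof and ps lines are constructed, modelled on the ones Colin posted; the 10.0.0.5 client, the lighttpd path and the web-server command regex are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Samples are constructed, modelled on
# the thread's output; the web server regex is an assumption for this host.
WEB_SERVER_RE='lighttpd|apache|httpd'

LSOF_SAMPLE='perl5.8.9 4272 www 3u IPv4 0xc33cf000 0t0 TCP gw:51295->94.102.51.57:afs3-fileserver (ESTABLISHED)
perl5.8.9 4272 www 0u PIPE 0xc33c4ad4 16384 ->0xc33c4b8c
lighttpd 113 www 4u IPv4 0xc2fd2000 0t0 TCP *:http (LISTEN)
lighttpd 113 www 9u IPv4 0xc2fd2100 0t0 TCP gw:http->10.0.0.5:51000 (ESTABLISHED)'

# FreeBSD "ps ajx" layout: USER PID PPID PGID SID JOBC STAT TT TIME COMMAND
PS_SAMPLE='USER PID PPID PGID SID JOBC STAT TT TIME COMMAND
root 1 0 1 1 0 ILs ?? 0:00.05 /sbin/init --
www 113 1 113 113 0 Ss ?? 0:00.18 /usr/local/sbin/lighttpd -f /usr/local/etc/lighttpd.conf
www 4272 1 4272 4272 0 R ?? 8:10.33 /usr/bin/web/httpd (perl5.8.9)'

# outbound_conns: print "pid user remote" for every ESTABLISHED TCP socket in
# lsof output whose local side is not the web service port, i.e. connections
# the process opened itself rather than accepted from a browser.
outbound_conns() {
    awk '$5 == "IPv4" && $8 == "TCP" && $10 == "(ESTABLISHED)" {
        split($9, ep, "->")        # ep[1] = local endpoint, ep[2] = remote
        split(ep[1], loc, ":")     # loc[2] = local port or service name
        if (loc[2] != "http" && loc[2] != "https") print $2, $3, ep[2]
    }'
}

# suspect_procs LSOF_OUTPUT PS_OUTPUT: for each outbound connection look up
# the owner's parent in ps; report it when the parent is not the web server,
# printing the parent's and the process's own command lines.
suspect_procs() {
    printf '%s\n' "$1" | outbound_conns | while read -r pid user remote; do
        printf '%s\n' "$2" | awk -v pid="$pid" -v user="$user" -v remote="$remote" \
            -v re="$WEB_SERVER_RE" '
            NR > 1 {                       # pid -> (ppid, full command line)
                ppid[$2] = $3
                c = $10; for (i = 11; i <= NF; i++) c = c " " $i
                cmd[$2] = c
            }
            END {
                p = ppid[pid]
                if (cmd[p] !~ re) print pid, user, remote, "parent=" p, "(" cmd[p] ")", cmd[pid]
            }'
    done
}

suspect_procs "$LSOF_SAMPLE" "$PS_SAMPLE"
```

On a live host, feed it "sudo lsof -i -n" and "ps ajx" output instead of the samples.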
Re: what www perl script is running?
Ok, here is what lsof tells me:

$ sudo lsof | grep perl
perl5.8.9 4272 www cwd VDIR 0,76 512 2 /
perl5.8.9 4272 www rtd VDIR 0,76 512 2 /
perl5.8.9 4272 www txt VREG 0,82 4428 3015044 /usr/local/bin/perl
perl5.8.9 4272 www txt VREG 0,76 171192 49360 /libexec/ld-elf.so.1
perl5.8.9 4272 www txt VREG 0,82 1229218 95150 /usr/local/lib/perl5/5.8.9/mach/CORE/libperl.so
perl5.8.9 4272 www txt VREG 0,76 92140 16 /lib/libm.so.5
perl5.8.9 4272 www txt VREG 0,76 31928 14 /lib/libcrypt.so.4
perl5.8.9 4272 www txt VREG 0,76 50496 74 /lib/libutil.so.7
perl5.8.9 4272 www txt VREG 0,76 1026604 13 /lib/libc.so.7
perl5.8.9 4272 www txt VREG 0,82 17427 94753 /usr/local/lib/perl5/5.8.9/mach/auto/IO/IO.so
perl5.8.9 4272 www txt VREG 0,82 24006 94951 /usr/local/lib/perl5/5.8.9/mach/auto/Socket/Socket.so
perl5.8.9 4272 www 0u PIPE 0xc33c4ad4 16384 ->0xc33c4b8c
perl5.8.9 4272 www 1u PIPE 0xc2fd2874 0 ->0xc2fd27bc
perl5.8.9 4272 www 2u PIPE 0xc2fd2874 0 ->0xc2fd27bc
perl5.8.9 4272 www 3u IPv4 0xc33cf000 0t0 TCP gw:51295->94.102.51.57:afs3-fileserver (ESTABLISHED)

The last line would appear to be telling me something, but what?

After 24 hours since rebooting, this perl instance is still crunching away...

- Colin Brace
Amsterdam
http://lim.nl
Re: hard disk failure - now what?
Lowell Gilbert wrote:
> Kelly Martin writes:
> > I just experienced a hard drive failure on one of my
> > FreeBSD 7.2 production servers with no backup! ...
> First, try copying the entire disk, *without* mounting it.

Yep.

> Use dd(1) to get a copy of the whole disk. I believe that
> "conv=noerror" may be necessary.

Much better: use sysutils/ddrescue, which was written specifically to deal with this sort of situation.
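The ddrescue workflow the reply recommends, as an added example that is not from the thread: a fast first pass that skips unreadable areas, then a retry pass over only the blocks the mapfile still marks as unread, so the copy can be interrupted and resumed instead of stalling the way the long dd run did. The device and image paths are placeholders, not the poster's; it assumes sysutils/ddrescue is installed.

```shell
#!/bin/sh
# Added example, not from the thread. Paths are placeholders; the source
# disk must be unmounted, and the image must live on a healthy disk.
DDRESCUE=${DDRESCUE:-ddrescue}   # set DDRESCUE=echo to preview the commands

# rescue_disk SRC IMG [MAPFILE]: image the failing disk SRC into the file
# IMG, keeping per-block progress in MAPFILE (default: IMG.map). ddrescue
# only reads SRC; a second run with the same MAPFILE resumes where it left off.
rescue_disk() {
    src=$1; img=$2; map=${3:-"$2.map"}
    # Pass 1: copy everything that reads cleanly, leaving bad areas for later
    # (-n: no scraping yet) and bypassing the buffer cache (-d).
    "$DDRESCUE" -d -n "$src" "$img" "$map" || return 1
    # Pass 2: return only to the blocks the map still marks as unread and
    # retry each up to three times; blocks already copied are not touched.
    "$DDRESCUE" -d -r3 "$src" "$img" "$map"
}

# Run as: sh rescue.sh /dev/ad4 /mnt/backup/ad4.img  (placeholder paths)
if [ "$#" -ge 2 ]; then
    rescue_disk "$@"
fi
```

A mapfile with no remaining unread blocks means the image is complete; otherwise fsck and file recovery are done on the image, never on the failing disk.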