On Thursday 13 December 2007, Dan Farrell wrote:
> On Thu, 06 Dec 2007 09:50:58 -0500
>
> Billy Holmes <[EMAIL PROTECTED]> wrote:
> > also look for entries where it says eth0 has entered promiscuous
> > mode
> > - that's a sure fire sign you've been hacked.. unless you're running
> > a virtual mach
> > I'm going
> > to try 2006.1 and Knoppix.
> >
> > - Grant
>
> You don't use minimals, Grant? I'm surprised. I would never put a
> liveCD in a computer if I could avoid it, myself.
What do you mean?
- Grant
--
[EMAIL PROTECTED] mailing list
On Thu, 6 Dec 2007 10:44:35 -0800
Grant <[EMAIL PROTECTED]> wrote:
> I'm going
> to try 2006.1 and Knoppix.
>
> - Grant
You don't use minimals, Grant? I'm surprised. I would never put a
liveCD in a computer if I could avoid it, myself.
--
[EMAIL PROTECTED] mailing list
On Thu, 06 Dec 2007 09:50:58 -0500
Billy Holmes <[EMAIL PROTECTED]> wrote:
> also look for entries where it says eth0 has entered promiscuous
> mode
> - that's a sure fire sign you've been hacked.. unless you're running
> a virtual machine with a bridge, or your own packet sniffer/traffic
> mo
> > > # ls -l
> >
> > notice in /usr/src/linux, you have much fewer files (not dirs), than
> > you do on your laptop. Something deleted them.
> >
> > The vmlinux, Module.symvers, and System.map are all generated files.
> > So it looks like something deleted those files while your kernel was
> > bei
> > # ls -l
>
> notice in /usr/src/linux, you have much fewer files (not dirs), than
> you do on your laptop. Something deleted them.
>
> The vmlinux, Module.symvers, and System.map are all generated files.
> So it looks like something deleted those files while your kernel was
> being compiled?
>
>
Quoting Grant <[EMAIL PROTECTED]>:
# ls -l
notice in /usr/src/linux, you have much fewer files (not dirs), than
you do on your laptop. Something deleted them.
The vmlinux, Module.symvers, and System.map are all generated files.
So it looks like something deleted those files while your k
That last email was all wrong. It was output from my laptop. Here is
the stuff from my router.
> > make: *** No rule to make target `menuconfig'. Stop.
>
> what does "ls" show?
# ls -l
total 5732
-rw-r--r-- 1 root root 150641 Apr 17 2007 Module.symvers
-rw-r--r-- 1 root root 928127 Apr 17
> > make: *** No rule to make target `menuconfig'. Stop.
>
> what does "ls" show?
# ls -l
total 7652
-rw-r--r-- 1 root root 18693 Nov 30 10:26 COPYING
-rw-r--r-- 1 root root 91435 Nov 30 10:26 CREDITS
drwxr-xr-x 64 root root 12288 Nov 30 10:26 Documentation
-rw-r--r-- 1 root root
Quoting Grant <[EMAIL PROTECTED]>:
make: *** No rule to make target `menuconfig'. Stop.
what does "ls" show?
perhaps your HDD has decided to retire early?
or a hacker deleted a lot of your stuff?
or /usr/src/linux -> points to something else
what's in /usr/src ?
--
[EMAIL PROTECTED] mai
> > If I wasn't hacked, this kind of strange behavior would have to be a
> > hardware or filesystem problem right? What are the best ways to check
> > for that? Just fsck?
>
> dmesg, /var/log/syslog and /var/log/messages. Look for IDE or SATA
> timeouts, or kernel panics.
Nothing in the logs jum
Quoting Grant <[EMAIL PROTECTED]>:
If I wasn't hacked, this kind of strange behavior would have to be a
hardware or filesystem problem right? What are the best ways to check
for that? Just fsck?
dmesg, /var/log/syslog and /var/log/messages. Look for IDE or SATA
timeouts, or kernel panics.
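Two of the replies in this thread say "look in the logs": Billy's one about eth0 entering promiscuous mode, and this one about IDE/SATA timeouts and panics. The script below is an added example, not something anyone on the list posted. It pulls both kinds of entry out of a syslog/dmesg dump and adds the live check that the "unless you're running a bridge or your own sniffer" caveat points at: the IFF_PROMISC bit in the flags word the kernel exposes under /sys/class/net. The sample log lines are constructed for the demo; the hostname, times and sector numbers are made up.

```sh
#!/bin/sh
# Added example (not from the thread): classify syslog/dmesg lines into the
# two categories the replies above ask about, and check interface flags now.
# The sample lines below are constructed; nothing here is a real capture.

SAMPLE_LOG='Dec  5 21:10:02 router kernel: device eth0 entered promiscuous mode
Dec  5 21:10:09 router kernel: device eth0 left promiscuous mode
Dec  5 21:31:44 router kernel: hda: dma_timer_expiry: dma status == 0x61
Dec  5 21:31:44 router kernel: hda: DMA timeout error
Dec  5 21:31:50 router kernel: end_request: I/O error, dev hda, sector 8431
Dec  5 21:31:51 router kernel: EXT3-fs error (device hda3): ext3_find_entry: reading directory #2 offset 0
Dec  5 21:32:00 router sshd[1234]: Accepted publickey for grant from 192.168.0.2 port 44010 ssh2
Dec  5 22:00:01 router kernel: ata1.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x2 frozen
Dec  5 22:00:01 router kernel: ata1.00: failed command: READ DMA'

# Read log lines on stdin, write "TAG<TAB>line" for the ones that matter:
#   promisc  - an interface was switched into (or out of) promiscuous mode;
#              that is a sniffer unless you run a bridge or tcpdump yourself
#   hardware - IDE/SATA timeouts and errors, filesystem errors, oops/panic:
#              what a dying disk or bad RAM leaves behind
classify_log() {
    awk '
        /entered promiscuous mode|left promiscuous mode/ { print "promisc\t" $0; next }
        /(ata[0-9]|hd[a-z]|sd[a-z])[^ ]*: .*(timeout|timer_expiry|exception Emask|failed command)/ { print "hardware\t" $0; next }
        /I\/O error, dev (hd|sd)[a-z]|EXT[234]-fs error|Kernel panic|Oops:/ { print "hardware\t" $0; next }
    '
}

# Live check, independent of logs an intruder may have trimmed: IFF_PROMISC is
# bit 0x100 of the flags word in /sys/class/net/<if>/flags (printed as hex).
iface_is_promisc() {
    [ $(( $1 & 0x100 )) -ne 0 ]
}

# Print the name of every interface that is in promiscuous mode right now.
promisc_interfaces() {
    for f in /sys/class/net/*/flags; do
        [ -r "$f" ] || continue
        if iface_is_promisc "$(cat "$f")"; then
            basename "$(dirname "$f")"
        fi
    done
    return 0
}

printf '%s\n' "$SAMPLE_LOG" | classify_log
echo "interfaces in promiscuous mode right now: $(promisc_interfaces | tr '\n' ' ')"
```

On a real box run `dmesg | classify_log` and `classify_log < /var/log/messages` (or syslog, whichever your syslogd writes). A clean log proves nothing on its own, since anyone with root can edit it; the flags check and a look at `ip link` (PROMISC in the flag list) tell you what the kernel thinks at this moment. The hardware patterns are the common ones from the old IDE driver, libata and ext3; extend the regexes for whatever controller the machine has.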
Quoting Grant <[EMAIL PROTECTED]>:
also look for strange kernel modules
How can I do that?
One way is to test what's in your /lib/modules with what's in your
kernel source:
[cmds]
(cd /lib/modules/$( uname -r )/build/; find -type f -name '*.ko')|sort
> /tmp/t1
(cd /lib/modules/$( un
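The comparison Billy starts above, carried through as an added example (this is not his script, and the second command of his is cut off in the archive). It lists the .ko files under /lib/modules/<release> against the ones the source tree in /lib/modules/<release>/build actually produced, then checks what lsmod claims is loaded against what exists on disk. It assumes the usual layout where `make modules_install` puts in-tree modules under kernel/ and out-of-tree packages under their own top-level directory. The demo trees at the bottom are constructed, with one deliberately planted file.

```sh
#!/bin/sh
# Added example, not the list's own script. Assumes /lib/modules/<rel>/build
# points at the source tree the installed modules were built from.

# Sorted relative paths of every .ko below a directory. The installed tree's
# leading "kernel/" is stripped so its paths line up with the source tree's.
list_ko() {
    (cd "$1" && find . -type f -name '*.ko') | sed -e 's|^\./||' -e 's|^kernel/||' | sort
}

# .ko files present in the installed tree ($2) that the build tree ($1) never
# produced. Expect the out-of-tree modules you installed on purpose; anything
# else deserves a look.
unexpected_modules() {
    t1=$(mktemp) t2=$(mktemp)
    list_ko "$1" > "$t1"
    list_ko "$2" > "$t2"
    comm -13 "$t1" "$t2"
    rm -f "$t1" "$t2"
}

# Module names on stdin (feed it lsmod output); prints those with no .ko
# anywhere under the installed tree ($1). Loaded but no file on disk means it
# was deleted after loading or never came from a file. lsmod shows dashes as
# underscores, so both spellings are tried.
loaded_without_file() {
    while read -r name rest; do
        case $name in ''|Module) continue ;; esac
        alt=$(printf '%s' "$name" | tr _ -)
        if [ -z "$(find "$1" \( -name "$name.ko" -o -name "$alt.ko" \) 2>/dev/null)" ]; then
            echo "$name"
        fi
    done
}

# Constructed demo: two modules built from source and installed, plus one
# file in the installed tree that the source tree never produced.
make_demo_trees() {
    d=$(mktemp -d)
    mkdir -p "$d/build/drivers/net/e1000" "$d/build/fs/ext3" \
             "$d/lib/kernel/drivers/net/e1000" "$d/lib/kernel/fs/ext3" "$d/lib/extra"
    touch "$d/build/drivers/net/e1000/e1000.ko" "$d/build/fs/ext3/ext3.ko"
    touch "$d/lib/kernel/drivers/net/e1000/e1000.ko" "$d/lib/kernel/fs/ext3/ext3.ko"
    touch "$d/lib/extra/unexpected.ko"
    echo "$d"
}

demo=$(make_demo_trees)
echo "installed but not built from source:"
unexpected_modules "$demo/build" "$demo/lib"
echo "loaded but missing on disk:"
printf 'Module Size Used by\ne1000 1 0\next3 2 0\nhidden_mod 3 0\n' | loaded_without_file "$demo/lib"
rm -rf "$demo"
```

On the router itself that is `unexpected_modules /lib/modules/$(uname -r)/build /lib/modules/$(uname -r)` and `lsmod | loaded_without_file /lib/modules/$(uname -r)`. Two limits worth knowing: a kernel-level rootkit can hide itself from lsmod (cross-check /proc/modules and the directories under /sys/module), and if the source tree itself was tampered with the first comparison is meaningless. That is why Dan's "boot a live CD and look at the disk from there" is the safer way to do this.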
Grant wrote:
> If I wasn't hacked, this kind of strange behavior would have to be a
> hardware or filesystem problem right? What are the best ways to check
> for that? Just fsck?
You can also boot the gentoo live CD into the memory test. At the
beginning when it prompts you for which kernel, yo
On Wed, 5 Dec 2007 21:35:05 +, Mick wrote:
> > maybe use portage to check that all the binaries on your computer
> > match to what portage thinks it should be.
>
> How do you do that?
equery check cat/pkg
--
Neil Bothwick
It's not a bug, it's tradition!
signature.asc
Description: PGP
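What `equery check` (gentoolkit; `qcheck` from portage-utils does the same job) actually compares against is the CONTENTS file portage writes at merge time under /var/db/pkg/<cat>/<pkg-ver>/, one line per file: `obj <path> <md5> <mtime>` for regular files, `sym <path> -> <target> <mtime>` for symlinks, `dir <path>` for directories. The script below is an added example, not gentoolkit's code, that does the obj comparison by hand so you can see exactly what the check covers. The demo package is constructed; it records three files, then tampers with one and deletes another, which is the kind of thing Grant's "INIT: cannot execute /sbin/shutdown" would look like in this output.

```sh
#!/bin/sh
# Added example, not gentoolkit's code. Walks a portage CONTENTS file and
# reports obj entries whose file is gone or whose md5 no longer matches.
# Assumes GNU/coreutils md5sum. Paths with spaces are handled by peeling the
# md5 and mtime off the end of the line instead of splitting on whitespace.

# check_contents CONTENTS [ROOT]: prints "MISSING <path>" / "MODIFIED <path>".
check_contents() {
    contents=$1 root=${2:-}
    while IFS= read -r line; do
        case $line in
            obj\ *) ;;
            *) continue ;;               # dir and sym entries carry no checksum
        esac
        rest=${line#obj }                # "<path> <md5> <mtime>"
        rest=${rest% *}                  # drop mtime
        md5=${rest##* }
        path=${rest% *}
        if [ ! -f "$root$path" ]; then
            echo "MISSING $path"
        elif [ "$(md5sum < "$root$path" | cut -d' ' -f1)" != "$md5" ]; then
            echo "MODIFIED $path"
        fi
    done < "$contents"
}

# Constructed demo package: record three files the way portage would, then
# simulate what the thread is worried about (one trojaned, one deleted).
make_demo_pkg() {
    d=$(mktemp -d)
    mkdir -p "$d/root/sbin" "$d/root/etc" "$d/db"
    printf 'real init\n'         > "$d/root/sbin/init"
    printf 'real shutdown\n'     > "$d/root/sbin/shutdown"
    printf 'id:3:initdefault:\n' > "$d/root/etc/inittab"
    {
        echo "dir /sbin"
        echo "dir /etc"
        for f in /sbin/init /sbin/shutdown /etc/inittab; do
            echo "obj $f $(md5sum < "$d/root$f" | cut -d' ' -f1) 1196878801"
        done
        echo "sym /sbin/reboot -> shutdown 1196878801"
    } > "$d/db/CONTENTS"
    printf 'trojaned init\n' > "$d/root/sbin/init"
    rm "$d/root/sbin/shutdown"
    echo "$d"
}

demo=$(make_demo_pkg)
check_contents "$demo/db/CONTENTS" "$demo/root"
rm -rf "$demo"
```

Against a live Gentoo box: `for c in /var/db/pkg/*/*/CONTENTS; do check_contents "$c"; done`, or just run `equery check` per package as Neil says. Two caveats. Files under /etc will show as MODIFIED whenever you edited them, which is normal (that is what CONFIG_PROTECT is for). More importantly, /var/db/pkg lives on the same disk as the binaries, so someone with root can rewrite the checksums along with the files; the comparison only means something if the CONTENTS data comes from a backup or you boot from other media and point the script at the mounted disk.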
> > I'm on the box now and it's quite non-functional. ctrl+alt+del prints
> > "INIT: cannot execute "/sbin/shutdown". I'm going to do a hard reset
> > and we'll see what happens.
>
> Since it's acting as your firewall, there's a very large possibility
> that your machine was compromised. That doe
On Wednesday 05 December 2007, Billy Holmes wrote:
[snip...]
> maybe use portage to check that all the binaries on your computer
> match to what portage thinks it should be.
How do you do that?
--
Regards,
Mick
signature.asc
Description: This is a digitally signed message part.
> > I'm on the box now and it's quite non-functional. ctrl+alt+del prints
> > "INIT: cannot execute "/sbin/shutdown". I'm going to do a hard reset
> > and we'll see what happens.
>
> Since it's acting as your firewall, there's a very large possibility
> that your machine was compromised. That doe
Grant wrote:
> I'm on the box now and it's quite non-functional. ctrl+alt+del prints
> "INIT: cannot execute "/sbin/shutdown". I'm going to do a hard reset
> and we'll see what happens.
That's very strange. Memory test? Can you read the logs when it comes
back up?
--
Randy Barlow
http://elec
> > > > I don't see how that could be because I was able to log in when the
> > > > system was freshly booted yesterday. I'll grab a monitor and keyboard
> > > > from the garage, have a look, and report back here.
> > >
> > > when I have problems with ssh, I run another instance in debug mode:
> >
Quoting Grant <[EMAIL PROTECTED]>:
I'm on the box now and it's quite non-functional. ctrl+alt+del prints
"INIT: cannot execute "/sbin/shutdown". I'm going to do a hard reset
and we'll see what happens.
Since it's acting as your firewall, there's a very large possibility
that your machine w
> > > I don't see how that could be because I was able to log in when the
> > > system was freshly booted yesterday. I'll grab a monitor and keyboard
> > > from the garage, have a look, and report back here.
> >
> > when I have problems with ssh, I run another instance in debug mode:
> >
> > In on
On Wednesday 05 December 2007, Billy Holmes wrote:
> Quoting Grant <[EMAIL PROTECTED]>:
> > I don't see how that could be because I was able to log in when the
> > system was freshly booted yesterday. I'll grab a monitor and keyboard
> > from the garage, have a look, and report back here.
>
> when
Quoting Grant <[EMAIL PROTECTED]>:
I don't see how that could be because I was able to log in when the
system was freshly booted yesterday. I'll grab a monitor and keyboard
from the garage, have a look, and report back here.
when I have problems with ssh, I run another instance in debug mode:
> > > $ ssh [EMAIL PROTECTED]
> > > Read from socket failed: Connection reset by peer
> >
> > what is 0.1 ? is that your router? as in a gentoo system acting as a
> > router?
>
> Have you tried temporarily disabling the firewall on 192.168.0.1 and checking
> the tcpwrappers for any deny all directi
Quoting Mick <[EMAIL PROTECTED]>:
Have you tried temporarily disabling the firewall on 192.168.0.1 and checking
the tcpwrappers for any deny all directives which knock your client out when
it tries to connect?
I was about to suggest that.
if you can ssh to localhost via 0.1, then it's a tcpw
On Wednesday 05 December 2007, Billy Holmes wrote:
> Quoting Grant <[EMAIL PROTECTED]>:
> > $ ssh [EMAIL PROTECTED]
> > Read from socket failed: Connection reset by peer
>
> what is 0.1 ? is that your router? as in a gentoo system acting as a
> router?
Have you tried temporarily disabling the fire
> > $ ssh [EMAIL PROTECTED]
> > Read from socket failed: Connection reset by peer
>
> what is 0.1 ? is that your router? as in a gentoo system acting as a router?
Yep, Gentoo system acting as a firewall/router/print server.
- Grant
--
[EMAIL PROTECTED] mailing list
Quoting Grant <[EMAIL PROTECTED]>:
$ ssh [EMAIL PROTECTED]
Read from socket failed: Connection reset by peer
what is 0.1 ? is that your router? as in a gentoo system acting as a router?
--
[EMAIL PROTECTED] mailing list
> I just tried to log into my local Gentoo router/firewall system and I got
> this:
>
> ssh_exchange_identification: Connection closed by remote host
>
> From Google, It looks like it's a problem caused by too many ssh
> connections, but that system should only ever be logged into by me,
> and I h