Thursday, February 24, 2011

Pete wrote:

Hi everyone,

Well, I've learnt a pretty good lesson in the last few days... trust no one. I have set up my Linux box for ip-masq and wasn't too concerned with security. I figured that there were bigger targets to keep these people busy. It turns out that this isn't the case, at least as far as I can figure. Here's what I have found so far:

1. My /var/log/messages file stops at the 4th of November with this line:

   Nov 4 23:39:37 piglet rz[12656]: clean/ZMODEM: 145 Bytes, 44 BPS

   I had run tail -f on this log file and it had been running fine until the 5th... it was only because I wasn't careful and hit ^C that it stopped. Running the command line again showed me this anomaly. I would say that someone has broken in and has now sent a file of this size to the system, yet trying to find it has proven fruitless.

2. who no longer shows me any external logins, i.e. when I telnet from the Win95 box it doesn't show up.

3. /var/log/messages hasn't been written to since that last line, hence I suspect that syslogd isn't running, but it shows up in ps aux.

4. My login prompt has changed, and I hadn't changed it.

I'm sure there are a number of things here that have been touched or changed; the dates seem to be set OK, i.e. nothing looks unusual about them. Obviously this person would now have root access, but if they are smart they will have created another user as a backup, no? I guess searching the passwd file for any account with root access would be the next thing to check. Also, how would I be sure that once I've checked and rectified everything the infiltrator is gone for good? I could just re-install everything and be done with it, this time setting up much tighter security, but then I wouldn't learn anything from this.

Any and all assistance is appreciated; please respond to my email address too, as it will be read quicker.

Pete

========================================

Pete,

This is definitely a break-in. Do an AltaVista search on "Root Kit" or maybe "rootkit". It is a comprehensive hackers' toolkit for breaking into Unix and Linux boxes. While it does not allow someone to just be root, it allows that person to modify your system once he has root access. In other words, he got root access one of several ways: tried a gazillion passwords, guessed it right, or found the root password by hook or by crook.

OK, now he is root. He uploads a bunch of programs that REPLACE the ones in your Linux box. Most of these programs have install routines that ensure that both the date and size of the file are the SAME, and the CRC is the same. This is real sneaky, as it defeats a lot of programs that depend on this info. Programs that get modified, among others, are the syslogging programs, i.e. they log things except what the hacker does. It modifies who, last and so on, so HIS login doesn't show. It also modifies less, more and a few other programs to filter out HIS entry in /etc/passwd, /etc/group and /etc/shadow. I am not sure what word processors are modified, if any. I think that cp and mv are modified to filter out his entry as well, so that if, for instance, you copy /etc/passwd to something else and examine it with an editor, it will still not have his entry in there. I know this sounds incredible, but it's there.

I do not have the URL handy, but you will find it easily enough. Read the docs. They are written by an obviously immature person (or dopehead), but the work it does is actually quite good. Your own break-in attempt sounds a bit more amateurish; nevertheless it seems that the breaker used an older rootkit or manually did things in there. The latest rootkit will leave files that easily pass the rpm -V (verify) test, so that is no indication at all.

What I suggest you do is this. Go back to your installation notes. Resize all your partitions from an installation disk, perhaps by ONE cylinder (example: /usr was cyl 608 to 747, now will be 608 to 746), then reformat the entire drive, all partitions, and reinstall. What? You have no NOTES? Shame on you, and lesson learned! You ought to be able to reinstall Red Hat Linux in 15 to 20 minutes if you have your notes. His files and hacks will then be erased. Use a secure root password, and change it every so often. Etc. You know the routine. Bite the bullet and do it. The hacker will think himself victorious.

Breaking into a Linux box like this does not have too many consequences for most people. But here is what he can do with root access: IP sniffers. Password sniffers. Credit card number sniffers. PGP key sniffers. All of this info can be telnetted or emailed to HIM. Don't forget your firewall ipfwadm machine has an interface on both nets: the Internet where the hacker is, and the intranet where you think you are secure from sniffers. Some hackers just like to look around; others pry more. Some like to break things just to frustrate you. Some are serious criminals that will gather info for a period of time and then spring it on the unsuspecting victims.

So. Reinstall Linux TONIGHT. Good luck!

--
Ramon Gandia ==== Sysadmin ==== Nook Net ==== http://www.nook.net
285 West First Avenue        rf ... @nook.net
P.O. Box 970                 tel. 907-443-7575
Nome, Alaska 99762-0970      fax. 907-443-2487

========================================

Hi,

There is a reporting plugin called simian-report-maven-plugin in the sandbox. I've hacked this into an updated Simian plugin, primarily to add support for XML output. Basically this updated plugin has two goals: 'simian', which outputs an XML report, and 'report', which outputs both an XML report and an HTML report. The HTML report one is designed to be run as a report, but the XML one can be run not as a report, for example to check and possibly fail a build, or simply to create the XML report for further downstream processing. This is very similar to the way in which the PMD, FindBugs or Checkstyle plugins can be used. It's a bit more than a patch to the original plugin, as I've considerably refactored things to ensure that common code is shared between the reporting HTML and XML mojos.

My motivations for doing this are:

- I want an XML report to extract data from, to add a new column to the Xebia dashboard plugin.
- I want an XML report for Hudson to extract data from. CPD is OK, but Simian is better and is configurable.
- I want to rename the simian-report-maven-plugin to simian-maven-plugin, because it is now not just for reporting.

Is there any interest in adding this plugin to the Codehaus Mojo collection? Please let me know if there is, and I will gladly contribute my efforts. If there is not, I intend to publish it independently, with respect to Miguel Griffa, its original author, and following the GNU LGPL terms under which it was made available.

Thanks for your interest.

Rupert Smith
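As an added example (not part of the thread above and not written by any of its authors), the following Python script illustrates the point in Ramon's reply about why a rootkit that keeps a replaced binary's date and size identical defeats checks that depend on that information, and why a cryptographic hash recorded in a baseline taken right after a clean install catches the replacement anyway. The sample "binaries", the baseline layout and all helper names are assumptions constructed for this demonstration; the tampering step only preserves size and mtime and does not reproduce the CRC claim from the reply.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Baseline manifest: relative path -> (size, mtime_ns, sha256 hex digest).
# In real use this would be generated immediately after installation and
# stored on read-only offline media, not on the monitored host.


def fingerprint(path: Path) -> tuple:
    """Size, modification time (ns) and SHA-256 of one file."""
    st = path.stat()
    digest = hashlib.sha256(path.read_bytes()).hexdigest()
    return (st.st_size, st.st_mtime_ns, digest)


def build_baseline(root: Path) -> dict:
    """Record the fingerprint of every regular file under root."""
    return {
        p.relative_to(root).as_posix(): fingerprint(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify(root: Path, baseline: dict, use_hash: bool) -> list:
    """Return the names of files that differ from the baseline.

    use_hash=False compares only size and mtime, the kind of check a rootkit
    installer defeats by preserving both; use_hash=True also compares the
    SHA-256 digest, which changes whenever the file contents change.
    """
    changed = []
    for rel, (size, mtime_ns, digest) in baseline.items():
        p = root / rel
        if not p.exists():
            changed.append(rel)
            continue
        cur_size, cur_mtime_ns, cur_digest = fingerprint(p)
        if (cur_size, cur_mtime_ns) != (size, mtime_ns):
            changed.append(rel)
        elif use_hash and cur_digest != digest:
            changed.append(rel)
    return sorted(changed)


def replace_preserving_metadata(path: Path, new_bytes: bytes) -> None:
    """Constructed stand-in for a trojaned binary: same length, same mtime,
    different contents. Used only to exercise the checks above."""
    st = path.stat()
    if len(new_bytes) != st.st_size:
        raise ValueError("replacement must have the same size as the original")
    path.write_bytes(new_bytes)
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))


def demo() -> dict:
    """Build a baseline, tamper with one file, and run both kinds of check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        # Constructed sample "binaries" (both 24 bytes long).
        (root / "bin" / "who").write_bytes(b"#!/bin/sh\necho real-who\n")
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\necho real-ls \n")
        baseline = build_baseline(root)

        # Replace 'who' with different contents of identical size and mtime.
        replace_preserving_metadata(
            root / "bin" / "who", b"#!/bin/sh\necho fake-who\n"
        )

        return {
            "metadata_only": verify(root, baseline, use_hash=False),  # []
            "with_hash": verify(root, baseline, use_hash=True),       # ['bin/who']
        }


if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the tools it runs on: a rootkit that has also replaced the hash utility, the interpreter or the baseline file on the compromised host can make both checks pass, which is why the reply's advice is to rebuild from installation media and why the baseline should be produced right after install and compared from a trusted boot environment rather than from the running system.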