Suspect Web Server has been hacked :(
Hi debian fellas

I need to know if there is any software for debian to detect the presence of backdoors or rootkits. I suspect that our old debian web server has been compromised.

..Craig

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Suspect Web Server has been hacked :(
Hi Craig,

On Thu, Aug 30, 2001 at 09:34:51AM +0200, Craig wrote:
> I need to know if there is any software for debian to
> detect the presence of backdoors or rootkits. I suspect
> that our old debian web server has been compromised.

This is what I would do:

- check running processes: compare 'ps ax' with process entries in /proc. Most rootkits hide processes via a patched ps but cannot do so with the procfs
- check scripts in /etc/init.d for starting of any suspect daemons, check for scripts that are not debian-like and ones not written by you or any other admin
- look for ordinary files in /dev (I had a directory named /dev/hda0 for example) or dotfiles like /lib/.moo/, directories with names normally used only for files (/usr/lib/libfoobar.so/) and directories with invisible names (spaces for example: /tmp/ /)
- scan the machine for unusual open ports and use lsof to find out to which processes these ports belong, but be aware that lsof might be rooted
- if you can find running backdoors, look at their environment (/proc//environ), you may find useful information like SSH_CLIENT
- mount the harddisk in another machine so you can use tools that won't be overwritten by a root kit.
- use debsums(1) to check files against the md5 sums stored in /var/lib/dpkg/info/*.md5sums, but be aware that these files could be modified
- backup your data and reinstall the machine.
- maybe you need to hire a security expert for complete recovery ;-)

HTH,
Joerg

--
\ Joerg Wendland \ systems / network administrator, ITSec, Scan Plus GmbH \ *joergland*
\ Moerikestrasse 5, 89077 Ulm, Germany \\ fon +49-731-92013-21, fax +49-731-6027146
\\ PGP-key: finger [EMAIL PROTECTED] \ key fingerprint: 79C0 7671 AFC7 315E 657A F318 57A3 7FBD 51CF 8417
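Joerg's first check, comparing what ps reports with the numeric entries in /proc, written out as a small POSIX sh script. This is an added example, not code from the thread; the function and variable names are mine, and the only assumption is a Linux-style /proc with one directory per PID.

```shell
#!/bin/sh
# Added example: list PIDs present in /proc that a (possibly patched) ps
# does not report. A user-space rootkit that only replaces ps cannot hide
# the /proc/<pid> directory; a kernel module that patches procfs can, so an
# empty result is not proof of a clean system.

# Pure comparison: print every PID in the second list that is absent from
# the first. Both arguments are whitespace-separated PID lists, so the
# function can be exercised with constructed input as well as live data.
hidden_pids() {
    ps_pids=$1
    proc_pids=$2
    for p in $proc_pids; do
        found=0
        for q in $ps_pids; do
            [ "$p" = "$q" ] && { found=1; break; }
        done
        [ "$found" -eq 0 ] && printf '%s\n' "$p"
    done
    return 0
}

# PIDs as reported by 'ps ax' (first column, header dropped).
ps_pid_list() {
    ps ax | awk 'NR > 1 { print $1 }' | tr '\n' ' '
}

# PIDs as seen in procfs: the all-numeric directory names under /proc.
proc_pid_list() {
    for d in /proc/[0-9]*; do
        printf '%s ' "${d#/proc/}"
    done
}

# Take the /proc snapshot first, then the ps snapshot: a process that exits
# between the two is then reported, so a hit must be rechecked by hand
# before it is treated as hidden (cmdline, status, exe, environ in /proc/<pid>).
report_hidden() {
    procs=$(proc_pid_list)
    hidden=$(hidden_pids "$(ps_pid_list)" "$procs")
    if [ -z "$hidden" ]; then
        echo "no PIDs in /proc are missing from ps output"
        return 0
    fi
    for p in $hidden; do
        printf 'PID %s is in /proc but not in ps output: ' "$p"
        tr '\0' ' ' < "/proc/$p/cmdline" 2>/dev/null
        echo
    done
}
```

Run `report_hidden` as root so /proc/<pid>/cmdline is readable for every process; the comparison is only as trustworthy as the ps, awk and tr binaries used, which is why Joerg also suggests mounting the disk on another machine.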
Re: Suspect Web Server has been hacked :(
On Thu, Aug 30, 2001 at 10:11:42AM +0200, Joerg Wendland wrote:
> Hi Craig,
>
> On Thu, Aug 30, 2001 at 09:34:51AM +0200, Craig wrote:
> > I need to know if there is any software for debian to
> > detect the presence of backdoors or rootkits. I suspect
> > that our old debian web server has been compromised.
>
> This is what I would do:
>
> - check running processes: compare 'ps ax' with process
> entries in /proc most rootkits hide processes via a patched
> ps but cannot do so with the procfs

Unless they've installed a kernel module that messes around with procfs or something.

[snip]

> - scan the machine for unusual open ports and use lsof to find
> out to which processes these ports belong, but be aware that
> lsof might be rooted

You could also compare the output of netstat -tuln with a portscan of the machine to see if they agree.

[snip]

> - backup your data and reinstall the machine.

And don't backup any possibly trojaned binaries :)

--
Michael Wood <[EMAIL PROTECTED]>
Re: FTP thro' firewall
On Wed, 29 Aug 2001, Michael Wood wrote:
> I don't know what "Mandrake SNF" is

Mandrakesoft's Single Network Firewall -- a pre-built template for an ipchains rules firewall, controlled by a web browser + PHP interface. $99 with snappy 412 pp manual; or whatever it costs you to download and burn your own ISO -- _sans_ manual. The one I'm using was built from a downloaded CD image.

> but if you can install a
> 2.4 kernel on it, you could use iptables instead of ipchains.
> This means you can use the stateful inspection features to allow
> active and passive FTP through the firewall.

Maybe; but at that point you're almost certainly better off controlling the firewall via CLI anyway.

> The other option is to install an ftp proxy

... thanks for the useful info. I may try this when I've got time to play.

> If people are using WS_FTP to ftp through the firewall

They aren't. They're being hypnotised by a button with "Firewall" written on it :-)

Martin

--
Sell your shares in Adobe. Boycott ALL American non-free software.
*** Free Dmitry Sklyarov ***
=== N O W
Re: FTP thro' firewall
I highly recommend the rcf firewall which can be found at http://rcf.mvlan.net

> On Wed, 29 Aug 2001, Michael Wood wrote:
> > I don't know what "Mandrake SNF" is
>
> Mandrakesoft's Single Network Firewall -- a pre-built template for an
> ipchains rules firewall, controlled by a web browser + PHP interface.

[full quote of Martin's message trimmed; see above]
Re: Suspect Web Server has been hacked :(
On Thu, 30 Aug 2001, Craig wrote:

Specific question:
> I need to know if there is any software for debian to
> detect the presence of backdoors or rootkits.

Specific answer:

apt-get install chkrootkit

HTH

--
Sell your shares in Adobe. Boycott ALL American non-free software.
*** Free Dmitry Sklyarov ***
=== N O W
Re: FTP thro' firewall
On Thu, Aug 30, 2001 at 10:58:25AM +, Martin WHEELER wrote:
> On Wed, 29 Aug 2001, Michael Wood wrote:
> > I don't know what "Mandrake SNF" is
>
> Mandrakesoft's Single Network Firewall -- a pre-built template
> for an ipchains rules firewall, controlled by a web browser +
[snip]

I see :)

> > but if you can install a 2.4 kernel on it, you could use
> > iptables instead of ipchains. This means you can use the
> > stateful inspection features to allow active and passive FTP
> > through the firewall.
>
> Maybe; but at that point you're almost certainly better off
> controlling the firewall via CLI anyway.

indeed.

> > The other option is to install an ftp proxy
>
> ... thanks for the useful info.
> I may try this when I've got time to play.

No problem :)

> > If people are using WS_FTP to ftp through the firewall
>
> They aren't. They're being hypnotised by a button with
> "Firewall" written on it :-)

hehe, I see :)

That button is to do with proxy settings, not really firewalls, although one valid reason to run an ftp proxy is that you have a firewall.

--
Michael Wood <[EMAIL PROTECTED]>
FW: Webalizer
On Tue, 28 Aug 2001, Craig wrote:
>> only thing is its version 1.30
>> whereas if you download the source its 2.01

> Martin then wrote:
> Ah -- OK. Thanks for clueing me in -- I hadn't realised.
> Is the difference worth it? (I.e. what can't-possibly-do-without goodies am I going to get that will persuade me to roll my own before >= v2.01 makes it into testing?)

I'm hoping it will help me... my webalizer gets an error about strings being too long.

Rob...
Funny kernel antics
Hi!

On my Internet server (running potato and kernel 2.2.19pre), I got a funny thing happening. The kernel started to spit out errors on the console. I can't reproduce them, but they are the CPU dump of registers that you get when unix normally crashes and then halts the machine. I kept getting this dump, then I tried to shut down the machine, but couldn't. It was dumping on qmail and apache processes and just causing havoc, although I could still ping the outside world. I had to press the reset button to get out of this situation. Luckily the machine came up ok.

Some symptoms include:
(a) I can't log in properly in the first console screen, but after Alt-F2 to the second screen, I can get in ok
(b) I have had the machine hang with the screen being blank.. had to press reset... this happens once every two weeks. Logs don't show up any errors.

I had upgraded from the bo distribution to potato and suspect it must have been something done during the upgrade, as I updated heaps of packages. Previously, running on bo was very stable.. hardly had a crash at all.

Anyone know what causes this or seen this happen before? I will probably install a fresh copy of potato on another hard disk and do the config again, just as a backup :-)

Rob...
Re: Funny kernel antics
> Anyone know what causes this or seen this happen before?

I have no idea why but I did have this happen to me running 2.2.19. Same exact symptoms. Only thing unusual was that I had patched the kernel to support an AACraid controller and made some modifications to run Oracle. At the time I was using 2.2.19 on 5 or 6 other boxen without problems. I was rushed for a solution, so I simply fell back to an older kernel without investigation.

I'm sure this was completely un-helpful.

Pete

--
http://www.elbnet.com
ELB Internet Services, Inc.
Web Design, Computer Consulting, Internet Hosting
dhcpd option static-routes and network routes.
Hi all,

I was wondering if anyone could give me a hint as to how to set up my dhcpd to issue routing information to clients for a private network. What I would like to be able to do is have something like this:

option static-routes 192.168.40.0/24 10.0.15.4, 192.168.50.0/24 10.0.15.5;
option routers 10.0.15.1;

My problem: I cannot specify networks in this fashion, only single IPs.

==
David Stanaway
Personal: [EMAIL PROTECTED]
Work: [EMAIL PROTECTED]
Re: Suspect Web Server has been hacked :(
I think it's probably too late for that. The only way to be 100% sure about your "disinfected" system is to fdisk it and rebuild from scratch. You can save your config files and data files, if you're sure they too haven't been altered. But say somebody relaxed an obscure security setting in some config file that will make it easy for them to get right back in.

The only sure fire way of detecting what was done is to use something like tripwire to take a snapshot of the system *before* it goes online again. Then save that snapshot off-system on write protected media. Like a floppy disk with the write protect tab set or a CD. Then do a nightly comparison of the system to the snapshot. But keep in mind that the comparison software itself can be hacked so it should run off-system too.

Periodically do manual scans, because if you just have a cron job running to alert you to intrusion, somebody can just change the crontab to send you bogus "all's-well" status reports, when in fact the thing ain't even running!!

At 09:34 AM 8/30/01 +0200, Craig wrote:
>Hi debian fellas
>
>I need to know if there is any software for debian to
>detect the presence of backdoors or rootkits. I suspect
>that our old debian web server has been compromised.
>
>..Craig

---==--- ___/``\___ 0100
Re: Apache not dropping port 80
On Thu, 23 Aug 2001, Jordi S. Bunster wrote:
> What can possibly be happening? Sometimes the command
> /etc/init.d/apache restart, or sometimes even ( /etc/init.d/apache
> stop ; sleep 5 ; /etc/init.d/apache start) seems not to release port
> 80.

Before you start it again did you use "ps" to see that it was stopped?

> What I do, enter top, list all processes for the www-data user, and
> kill them one by one. Sometimes there're three, sometimes two. Among
> the processes I've found, tail, sh, bd

tail and sh are probably from some CGI script. You may need to wait for them to close. (What is bd?)

> After killing them all, apache starts again perfectly.

If you wait longer than five seconds, will they properly die/close on their own?

> Also, other strange messages follow:

Where do you see these? (In the error logs?)

> gd-png warning: alpha channel not supported
> sh: ./tmp: No such file or directory
> sh: ./.tmp: Permission denied
> We'r in MaxDigits

Are there corresponding entries in your access log? (There should be.)

> The first one, I know what means. But the rest

I have been told that "We'r in MaxDigits" is from a counter script.

> Is that a bug? Has the server been compromised?

Look at your access logs and see what scripts are doing what.

Jeremy C. Reed
BSD software, documentation, resources, news... http://bsd.reedmedia.net/