Re: HELP, my Debian Server was hacked!

2003-04-24 Thread Mauro Chiarugi
Il Thu, 24 Apr 2003 07:03:48 -0500 (CDT) David Ehle sì che favelando sibillò: > I use a cronjob. I'll send it to you privately, if anyone else wants it > let me know. > David. Thanks a lot, I'll be happy to see it. -- sracatus

Re: HELP, my Debian Server was hacked!

2003-04-24 Thread James Duncan
On Thu, 24 Apr 2003, Dale Amon wrote: > On Wed, Apr 23, 2003 at 10:44:34AM -0400, James Duncan wrote: > > Obviously steps should be in place to mitigate the damage of these sorts > > of acts. Have steps in place to quickly replace machines that have to be > > removed from production quickly and w

Re: HELP, my Debian Server was hacked!

2003-04-24 Thread David Ramsden
On Thu, Apr 24, 2003 at 01:16:49PM +, simon raven wrote: > Le Thu, Apr 24, 2003 at 08:48:27 -0400, Raymond Wood a écrit: > > On Thu, Apr 24, 2003 at 02:17:48PM +0200, Adam ENDRODI imagined: > > [snip] > > > Details on how to implement this have been discussed in the > > > list several times a

Re: HELP, my Debian Server was hacked!

2003-04-24 Thread simon raven
Le Thu, Apr 24, 2003 at 08:48:27 -0400, Raymond Wood a écrit: > On Thu, Apr 24, 2003 at 02:17:48PM +0200, Adam ENDRODI imagined: > > > On Thu, Apr 24, 2003 at 11:43:06AM +0200, I.R. van Dongen wrote: > > > > > > lamorak:~# crontab -l > > > @daily apt-get -q -q -q -q update && apt-get -s

Re: HELP, my Debian Server was hacked!

2003-04-24 Thread Raymond Wood
On Thu, Apr 24, 2003 at 02:17:48PM +0200, Adam ENDRODI imagined: > On Thu, Apr 24, 2003 at 11:43:06AM +0200, I.R. van Dongen wrote: > > > > lamorak:~# crontab -l > > @daily apt-get -q -q -q -q update && apt-get -s -q -q -q -q > > dist-upgrade > Before you deploy such a mechanism, I adv

Re: HELP, my Debian Server was hacked!

2003-04-24 Thread Nicolas Sulek
I'm really sorry, I didn't notice that when I wrote my message François TOURDE wrote: Le 12166ième jour après Epoch, Nicolas Sulek écrivait: [SNIP...] Please, please, please... No HTML in text messages... Even if you run NT on your box :)

Re: Re: HELP, my Debian Server was hacked!

2003-04-24 Thread Adam ENDRODI
On Thu, Apr 24, 2003 at 11:43:06AM +0200, I.R. van Dongen wrote: > > lamorak:~# crontab -l > @daily apt-get -q -q -q -q update && apt-get -s -q -q -q -q > dist-upgrade Before you deploy such a mechanism, I advise that you set up another one between the "update" and "upgrade" which check

Re: HELP, my Debian Server was hacked!

2003-04-24 Thread David Ehle
> Il Tue, 22 Apr 2003 17:48:23 -0500 (CDT) > David Ehle sì che favelando > sibillò: > > > nightly apt-get update && apt-get upgrade > > But if it asks human interaction?? How can I do?? I use a cronjob. I'll send it to you privately, if anyone else wants it let me know. David. > > -- > sracatus

Re: HELP, my Debian Server was hacked!

2003-04-24 Thread François TOURDE
Le 12166ième jour après Epoch, Mathias Gygax écrivait: > On Don, Apr 24, 2003 at 11:19:34 +0200, Mauro Chiarugi wrote: > > Il Tue, 22 Apr 2003 17:48:23 -0500 (CDT) > > David Ehle sì che favelando > > sibillò: > > > > > nightly apt-get update && apt-get upgrade > > > > But if it asks human intera

Re: HELP, my Debian Server was hacked!

2003-04-24 Thread François TOURDE
Le 12166ième jour après Epoch, Nicolas Sulek écrivait: > > [SNIP...] > Please, please, please... No HTML in text messages... Even if you run NT on your box :) -- QOTD: "What I like most about myself is that I'm so understanding when I mess things up." -- François TOURDE - to

Re: HELP, my Debian Server was hacked!

2003-04-24 Thread tps
On Thu, Apr 24, 2003 at 04:02:56AM +0100, Dale Amon wrote: > On Wed, Apr 23, 2003 at 10:44:34AM -0400, James Duncan wrote: > > Obviously steps should be in place to mitigate the damage of these sorts > > of acts. Have steps in place to quickly replace machines that have to be > > removed from prod

Re: HELP, my Debian Server was hacked!

2003-04-24 Thread Mathias Gygax
On Don, Apr 24, 2003 at 11:19:34 +0200, Mauro Chiarugi wrote: > Il Tue, 22 Apr 2003 17:48:23 -0500 (CDT) > David Ehle sì che favelando > sibillò: > > > nightly apt-get update && apt-get upgrade > > But if it asks human interaction?? How can I do?? from the apt-get manual page: [...] -y

Re: HELP, my Debian Server was hacked!

2003-04-24 Thread David Ramsden
On Thu, Apr 24, 2003 at 11:19:34AM +0200, Mauro Chiarugi wrote: > Il Tue, 22 Apr 2003 17:48:23 -0500 (CDT) > David Ehle sì che favelando > sibillò: > > > nightly apt-get update && apt-get upgrade > > But if it asks human interaction?? How can I do?? > apt-get --assume-yes upgrade That'll answer

Re: HELP, my Debian Server was hacked!

2003-04-24 Thread Nicolas Sulek
you can use cron-apt cron-apt - Automatic update of packages using apt Mauro Chiarugi wrote: Il Tue, 22 Apr 2003 17:48:23 -0500 (CDT) David Ehle sì che favelando sibillò: nightly apt-get update && apt-get upgrade But if it asks human interaction?? How can I do?? --

Re: Re: HELP, my Debian Server was hacked!

2003-04-24 Thread I.R. van Dongen
lamorak:~# crontab -l @daily apt-get -q -q -q -q update && apt-get -s -q -q -q -q dist-upgrade make sure the output is mailed to an address you use daily. When an update is available you will be mailed, otherwise you get no mail. Gr, Ivo van Dongen On Thu, 24 Apr 2003 11:19:34 +0200

Re: HELP, my Debian Server was hacked!

2003-04-24 Thread Mauro Chiarugi
Il Tue, 22 Apr 2003 17:48:23 -0500 (CDT) David Ehle sì che favelando sibillò: > nightly apt-get update && apt-get upgrade But if it asks human interaction?? How can I do?? -- sracatus

Re: HELP, my Debian Server was hacked!

2003-04-23 Thread Dale Amon
On Wed, Apr 23, 2003 at 10:44:34AM -0400, James Duncan wrote: > Obviously steps should be in place to mitigate the damage of these sorts > of acts. Have steps in place to quickly replace machines that have to be > removed from production quickly and without warning. Use syslog to log > locally AN

RE: HELP, my Debian Server was hacked!

2003-04-23 Thread James Duncan
On Wed, 23 Apr 2003, DEFFONTAINES Vincent wrote: > What to do > --- > > The first 3 basic steps to handling a "situation" (roughly taken from > the wonderful Criminalistics, An Introduction to Forensic Science, by > Saferstein (see the "bibliography" file) are: > > o Secure and

RE: HELP, my Debian Server was hacked!

2003-04-23 Thread DEFFONTAINES Vincent
Have a look at the coroner toolkit from Dan Farmer and Wietse Venema. Debian packaged : tct It is advised *not* to turn off your box, maybe you can unplug its network... not sure it's a good idea even. http://www.fish.com/tct/help-when-broken-into Chosen extract : What to do --- The

Re: HELP, my Debian Server was hacked!

2003-04-22 Thread Christiano Anderson
Hi, Boot your machine in single user. Run a md5sum in /sbin/init and compare with a 'secure' machine. Download http://www.chkrootkit.org and run it. It's recommended to run chkrootkit using your own static binaries on another path or CDROM (you can see which binaries are needed on chkrootkit web

Re: HELP, my Debian Server was hacked!

2003-04-22 Thread Dale Amon
On Tue, Apr 22, 2003 at 09:00:11PM +0200, Christian Könning wrote: > /var/log, symlinked /root/.bash_history > /dev/null, etc. > Is there any way to recover the evidences, e.g. the /var/log/ directory? > (ext2) Examine your /dev/swap after following advice in other replies about making sure thing

Re: HELP, my Debian Server was hacked!

2003-04-22 Thread David Ehle
While the earlier advice is probably the best advice, don't forget to run chkrootkit. I recently had the same thing happen to one of my machines. I've found a kit in /dev/proc/fuckit The total nuking of /log makes this look like a very amateur job. If they were hot they would edit the appropri

Re: HELP, my Debian Server was hacked!

2003-04-22 Thread xbud
tar up your /proc/ directory to save a copy of your kcore - it should have useful information unless he managed to zero out all the memory that was being utilized during the break in. turn the box off but make sure it don't delete crap, watch out for logic bombs or what not. remove the disk a

Re: HELP, my Debian Server was hacked!

2003-04-22 Thread Javier Fernández-Sanguino Peña
On Tue, Apr 22, 2003 at 09:00:11PM +0200, Christian Könning wrote: > Hello List, > > I hope this is not off topic: > > My private server has been hacked: > debian woody 2.4.18bf2.4 kernel, apache-ssl, samba, squid. Ouch. Was it up-to-date to security patches? > > now my problem: the intruder u