
Re: [silug-discuss] [silug-discuss] Daily digest (10 messages) V1 #72



I have Yahoo, and I do pay for it. I've had it for years but I only recently within the last few months upgraded to the pay service. The new free service however gives you 100 MB. Not too shabby for free. But 20 bucks for 2 GB of storage is pretty good.
 
Just my opinion.
Thanks,
 
Joe
 
P.S. Ray I need to get in touch with you so that we can get you your MC seat.
Thanks

silug-discuss-owner@silug.org wrote:
[silug-discuss] Daily digest (10 messages)

This is Digest Volume 1 : Issue 72 : Digest Style "text"
Below is a summary of all the messages, showing the subject of each post
and who posted it, followed by the full text of all messages.

200406/79 : Re: LKM Trojan
bja@Illinois.DynDNS.Org
200406/80 : Re: LKM Trojan
Nathaniel Reindl
200406/84 : Re: LKM Trojan
Travis Owens
200406/82 : Re: LKM Trojan
Travis Owens
200406/81 : Re: xfree vnc and the local console
Travis Owens
200406/88 : Re: xfree vnc and the local console
"Casey Boone"
200406/83 : Re: Friday Night Social
Bonnie Saunders
200406/85 : Can I stop accounts from receiving mail?
"Charlie Brune"
200406/86 : Re: OT: 2GB Yahoo Mail
"L. V. Lammert"
200406/87 : Re: new local kernel hole
JM

----------------------------------------------------------------------

Date: Tue, 15 Jun 2004 16:34:43 -0000 (GMT)
From: bja@Illinois.DynDNS.Org
To: silug-discuss@silug.org
Subject: Re: LKM Trojan
Message-ID: <33165.192.168.1.240.1087317283.squirrel@Illinois.DynDNS.Org>

A couple of notes from a similar experience I had while recovering a
friend's machine from an attack (the problem was he stopped patching his
system).

First, keep backups. Weekly backups of user data and a backup of critical
configuration files in /etc, /usr/local/etc, and anywhere else your
distro/flavor happens to keep them are really needed. I normally back up all
*.swx, *.txt, *.py, *.html, and *.css files because this is what I use. I
tar up all of these and burn them to CD. It takes 5 minutes and makes
life much easier in the long run (something WILL happen).

If you have your user data and config files backed up, there isn't much
stopping you from wiping and reinstalling any time you feel like it if
you're using the machine as a workstation. On a server, you'll want to
make sure to backup any databases and content as well (you should be doing
it already).

Second, explore the options to your filesystems. Certain filesystems, /,
for example, can be mounted ro (read-only) with little effort. /var and
/tmp are probably separate filesystems anyway. All Linux filesystems that
I know of support the noexec option. Adding this on /home is a very good,
basic way to keep executable files out of your /home. This won't stop
scripts from being run, but it would stop anything stored in your home
directory from being run by itself. These options can be given to mount
when you are mounting the fs and in a field in /etc/fstab. Check the mount
manpage for more info.

Third, revert to a trusted kernel and modules at least. A trusted
kernel would be something from your vendor, or from a read-only backup.

If you are backed up, wiping and reinstalling is probably the easiest
thing to do. With backups, you select your packages, start into the
system, load your old config files and data and you're running. This can
be an hour process. The flip side is, you're back to the state you were in
before the attack which means that you are still vulnerable.

I would deny all incoming IP traffic, set up outgoing traffic in a
stateful manner, and update immediately.

With the latest advancements in the linux kernel, I would not trust a
kernel or modules that existed during a breakin. The selinux hooks are a
rootkit author's dream, and I expect that these will become very common as
2.6 is deployed on more systems.

> At 10:05 AM 6/15/2004, you wrote:
>>While exploring the workings of my OS weekend before last, I managed to
>>break Shorewall (Shoreline Firewall) and I surfed unprotected for a couple of
>>daze before I was able to fix it. I ran chkrootkit this last weekend, which
>>reported that I had four hidden processes and might have picked up the LKM
>>trojan. For lack of a better plan, I reformatted my root partition and
>>rebuilt from the ground up. :-(
>
> Once you have identified 'unknown' processes, it's fairly simple to kill
> them and remove/rename the executables (normally specified in the process,
> or you might have to search for same).
>
>>What, in plain English, is a trojan?
>
> A Trojan is a running program/process that contains code that interacts
> with external machines. Thousands of different applications, both malicious
> and innocuous - e.g. keystroke monitoring (possibly malicious, unless
> you're monitoring your kids), web site visit recording (sort of like an
> 'automatic' cookie, reporting to an external system), .. don't really allow
> or deal with them, but I'm sure others can supply more possibilities.
>
>>Was there a simpler alternative than wiping the drive and rebuilding?
>
> Sure - identify the code, stop, chmod -x and/or rename (as opposed to
> delete, just in case it IS required for some functionality - you can
> always delete it later).
>
>>Am I correct in assuming that wiping / was sufficient and that there was no
>>danger in retaining /home?
>
> Nope. Malicious code can 'live' anywhere. /home, /usr, /var, .. anywhere
> a program can execute.
>
>>I'm starting to wonder if purchasing a firewall appliance might be a good
>>idea.
>
> Probably not. Most firewalls are not 'application' level devices, which
> would be required to stop many trojans. They can restrict a number of
> attacks, but, by definition, must leave open ports for public services
> (e.g. the ubiquitous port 80).
>
> A firewall is only ONE component of a security policy - a secure OS is just
> as critical.
>
> Lee
>
> ============================================
> Leland V. Lammert lvl@omnitec.net
> Chief Scientist Omnitec Corporation
> Network/Internet Consultants www.omnitec.net
> ============================================
>
>
> -
> To unsubscribe, send email to majordomo@silug.org with
> "unsubscribe silug-discuss" in the body.
>
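The closing advice above (deny all incoming traffic, handle outgoing traffic statefully, then patch) as an added example that is not from the thread; it assumes Linux iptables with the conntrack match, and the LAN network and the ssh exception for it are hypothetical.

```shell
#!/bin/sh
# Added example: default-deny inbound, stateful outbound iptables ruleset.
# Assumes Linux with iptables and the conntrack match (older 2.4/2.6-era
# setups use the equivalent "-m state --state ..."). LAN is a hypothetical
# admin network that is still allowed to open ssh sessions to the box.
IPT=${IPT:-iptables}
LAN=${LAN:-192.168.1.0/24}

# Emit the ruleset as text instead of running it, so it can be reviewed
# (and checked) before fw_apply pushes it into the kernel. Outbound
# connections are allowed by policy; their replies come back in through
# the ESTABLISHED,RELATED rule, which is what makes the setup stateful.
fw_rules() {
    cat <<EOF
$IPT -F
$IPT -X
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp --dport 22 -s $LAN -m conntrack --ctstate NEW -j ACCEPT
$IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
EOF
}

# Apply the ruleset (needs root); stops at the first failing command.
fw_apply() {
    fw_rules | sh -e
}

# How many rules still admit a NEW inbound connection: keep this as small
# as the box's public services allow.
fw_new_inbound_accepts() {
    fw_rules | grep -c -- '--ctstate NEW -j ACCEPT'
}

# Usage (as root): fw_apply
```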




------------------------------

Date: Tue, 15 Jun 2004 18:12:09 -0500
From: Nathaniel Reindl
To: silug-discuss@silug.org
Subject: Re: LKM Trojan
Message-ID: <20040615231209.GA1972@SDF.LONESTAR.ORG>

On Tue, Jun 15, 2004 at 04:34:43PM -0000, bja@Illinois.DynDNS.Org wrote:
> Second, explore the options to your filesystems. Certain filesystems, /,
> for example, can be mounted ro (read-only) with little effort. /var and

It's a good idea to mount / as ro anyway and to leave /boot not
mounted at all. This helps keep the partitions preserved in case the
system goes down in a hard crash.

> /tmp are probably separate filesystems anyway. All Linux filesystems that
> I know of support the noexec option. Adding this on /home is a very good,
> basic way to keep executable files out of your /home. This won't stop

You may want to be careful if you opt to set the noexec option on
/home. No, the care has nothing to do with your security; rather,
your users may be a little tweaked to know that they can't install
newer versions of programs in their homedirs that they use often.
This also brings up the issue of user trust.

The filesystem you **do** want to use the noexec option on, however,
is /tmp.

--
Nathaniel Reindl

"You do know that you want to read it, and do what you must, because
it will be the only thing you will do."
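The two messages above disagree only on where noexec belongs: bja suggests /home, Nathaniel says /tmp is the one that matters and /home is a user-trust trade-off. Here is an added fstab audit script covering both points (and the optional read-only /); it is not either poster's code, and the fstab it checks is a constructed sample.

```shell
#!/bin/sh
# Added example: audit an fstab for the mount options discussed above.
# Reads fstab-format text on stdin, prints one finding per line:
#   OK   - the option the thread recommends is present
#   WARN - /tmp lacks noexec (the one both posters agree on)
#   INFO - a choice, not a defect: / writable, /home without noexec
fstab_audit() {
    awk '
    /^[ \t]*#/ || NF < 4 { next }            # skip comments and short lines
    {
        mnt = $2; opts = "," $4 ","            # wrap so ",noexec," matches whole words
        noexec = index(opts, ",noexec,") > 0
        ro     = index(opts, ",ro,") > 0
        if (mnt == "/tmp") {
            if (noexec) print "OK   /tmp noexec set"
            else        print "WARN /tmp missing noexec"
        } else if (mnt == "/home") {
            if (noexec) print "OK   /home noexec set (users cannot run binaries they install there)"
            else        print "INFO /home executable (noexec is a user-trust trade-off)"
        } else if (mnt == "/") {
            if (ro) print "OK   / mounted ro"
            else    print "INFO / writable (ro is possible; remount rw for updates)"
        }
    }'
}

# Print the fstab with noexec added to the /tmp options (fields are
# re-joined with single spaces, so column alignment is lost).
fstab_add_tmp_noexec() {
    awk '$2 == "/tmp" && $4 !~ /(^|,)noexec(,|$)/ { $4 = $4 ",noexec" } { print }'
}

# Constructed sample fstab, not taken from any real host.
SAMPLE_FSTAB='# <device>   <mount>  <type>  <options>        <dump> <pass>
/dev/hda1    /        ext3    defaults         1      1
/dev/hda2    /home    ext3    defaults,noexec  1      2
/dev/hda3    /tmp     ext3    defaults         1      2
/dev/hda5    /var     ext3    defaults         1      2
none         /proc    proc    defaults         0      0'

# Usage: printf "%s\n" "$SAMPLE_FSTAB" | fstab_audit    (or: fstab_audit < /etc/fstab)
```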

------------------------------

Date: Tue, 15 Jun 2004 21:30:09 -0500
From: Travis Owens
To: silug
Subject: Re: LKM Trojan
Message-ID: <1087353008.1608.73.camel@localhost>

On Tue, 2004-06-15 at 18:12, Nathaniel Reindl wrote:
> You may want to be careful if you opt to set the noexec option on
> /home. No, the care has nothing to do with your security; rather,
> your users may be a little tweaked to know that they can't install
> newer versions of programs in their homedirs that they use often.
> This also brings up the issue of user trust.

As with all machines--especially those on the Internet--security should
come right after stability. If this machine is a home user's, this would
be a good point you make, but if it's a server, then it's the last thing
that's important. Servers have one job, and that's to serve. Stability
and security are chief goals. Users' customizations come afterward.

One thing that I read a while back was to make every executable on
the machine sudo-ed. This way, there's a very limited number of
executables on the system, and the really important ones are restricted
to password execution.

This would work really well in conjunction with your mounting almost all
systems read-only, then restricting access to the mount command. This
means that in order to remount the system writable, they'd have to give
the password.

I don't remember the exact setup this guy had, but it was pretty
elaborate. I remember thinking at the time, this is pretty slick.

Now, this would really only make sense on a full-time server, with
minimal interaction and updating or manual execution. Otherwise, it
would get to be a bit frustrating to manually interact with the system.

Just another take.
--
Travis Owens


------------------------------

Date: Tue, 15 Jun 2004 20:18:49 -0500
From: Travis Owens
To: silug
Subject: Re: LKM Trojan
Message-ID: <1087348729.1608.31.camel@localhost>

On Tue, 2004-06-15 at 11:34, bja@Illinois.DynDNS.Org wrote:

> With the latest advancements in the linux kernel, I would not trust a
> kernel or modules that existed during a breakin. The selinux hooks are a
> rootkit author's dream, and I expect that these will become very common as
> 2.6 is deployed on more systems.
>

Could you elaborate on this, please?

Thanks!
--
Travis Owens


------------------------------

Date: Tue, 15 Jun 2004 20:10:18 -0500
From: Travis Owens
To: silug
Subject: Re: xfree vnc and the local console
Message-ID: <1087348218.1614.23.camel@localhost>

Probably the easiest way to do this, is to install KDE 3.2 or so. The
last few releases of KDE have included VNC capabilities directly into
KDE. You can enable them in the KControl Panel.

One way to help with security, is to force it to work on a different
port. This can be done by assigning it to a different port when setting
it up in KControl Panel. The other way is to use the firewall rules to
redirect options to direct the port that's open in the firewall to the
port that's assigned to VNC. I would recommend above 10000 since they're
not probed as often.

Hope that helps.
Travis

On Tue, 2004-06-15 at 14:58, Casey Boone wrote:
> I would like to be able to control a machine remotely. I know I can
> currently do this with vncserver, but this gives me a completely new
> "terminal" into the machine. What I am wanting is to control the X session
> that is logged in locally at the machine. I don't want to kick that user
> off, I just want to join in the session with them. (Of course "them" in this
> case is me logged in at home.)
>
> I would like to be able to start this up from the command line over ssh if
> possible. I read the man pages for Xvnc and vncserver, but they seemed to
> indicate that a new X session would be spawned and that I didn't see any way
> to attach to an existing session.
>
> I know KDE allows for setting this up easily, but that requires me sitting
> there at the machine (and in all honesty I have no idea if it will work
> under GNOME or not because I'm not sure how they implemented it).
>
> Any help on this would be greatly appreciated.
>
> Casey
>
--
Travis Owens


------------------------------

Date: Wed, 16 Jun 2004 08:00:32 -0500
From: "Casey Boone"
To: silug-discuss@silug.org
Subject: Re: xfree vnc and the local console
Message-ID:

I do have KDE installed, but I was wondering if there was a way to start it
up from the command line.

As for what port to use, it is behind a firewall so I was going to use ssh
tunnelling to get to it (go Steve for the ssh tunnelling tutorial at the
meeting the other night).

Oh well, I guess I will set it up from the KControl panel (and hope it works
with GNOME as well as that is the DE I use).

Casey


>From: Travis Owens

>Probably the easiest way to do this, is to install KDE 3.2 or so. The
>last few releases of KDE have included VNC capabilities directly into
>KDE. You can enable them in the KControl Panel.
>
>One way to help with security, is to force it to work on a different
>port. This can be done by assigning it to a different port when setting
>it up in KControl Panel. The other way is to use the firewall rules to
>redirect options to direct the port that's open in the firewall to the
>port that's assigned to VNC. I would recommend above 10000 since they're
>not probed as often.
>
>Hope that helps.
>Travis
>
>On Tue, 2004-06-15 at 14:58, Casey Boone wrote:
> > I would like to be able to control a machine remotely. I know I can
> > currently do this with vncserver, but this gives me a completely new
> > "terminal" into the machine. What I am wanting is to control the X session
> > that is logged in locally at the machine. I don't want to kick that user
> > off, I just want to join in the session with them. (Of course "them" in this
> > case is me logged in at home.)
> >
> > I would like to be able to start this up from the command line over ssh if
> > possible. I read the man pages for Xvnc and vncserver, but they seemed to
> > indicate that a new X session would be spawned and that I didn't see any way
> > to attach to an existing session.
> >
> > I know KDE allows for setting this up easily, but that requires me sitting
> > there at the machine (and in all honesty I have no idea if it will work
> > under GNOME or not because I'm not sure how they implemented it).
> >
> > Any help on this would be greatly appreciated.
> >
> > Casey
> >
>--
>Travis Owens



------------------------------

Date: Tue, 15 Jun 2004 18:22:06 -0700 (PDT)
From: Bonnie Saunders
To: silug-discuss@silug.org
Subject: Re: Friday Night Social
Message-ID: <20040616012206.80677.qmail@web80603.mail.yahoo.com>

Keep me in mind. I'd like to go. Could possibly
provide taxi service if needed.

Bonnie

------------------------------

Date: Tue, 15 Jun 2004 12:43:41 -0500 (CDT)
From: "Charlie Brune"
To: silug-discuss@silug.org
Subject: Can I stop accounts from receiving mail?
Message-ID: <38998.151.145.250.253.1087321421.squirrel@151.145.250.253>

Hi, everybody! I'm loving Fedora Core 2.

Is there a way to make it so that a user account can't receive mail? I'm
using sendmail. Some spammers have figured out that "root" exists for
many (most?) domain names. So... I'd like to block mail to "root" from
the outside world.

Actually, there are other people who use the machine that need to be
blocked as well.

Is there a "simple" way to do this restriction? (I've searched Google,
but haven't hit on the solution.)

Thanks,
Charlie

------------------------------

Date: Tue, 15 Jun 2004 12:07:00 -0500
From: "L. V. Lammert"
To: silug-discuss@silug.org
Subject: Re: OT: 2GB Yahoo Mail
Message-ID: <4.3.2.7.2.20040615120617.00ba64c8@mail.omnitec.net>

At 07:09 AM 6/15/2004, you wrote:
>Yahoo one-upped Google and it's 1GB Gmail service. I
>checked my Yahoo mail, and as of today I have 2GB of
>storage (I'm a SBC Yahoo Dsl customer). Someone needs
>to write a pop3/smtp filesystem driver!

It's there and working, .. but if you want the mail remotely you have to
pay for it! I set up a Yahoo account many years ago, and about 2000 they
decided to charge for remote pop3 access.

Lee

============================================
Leland V. Lammert lvl@omnitec.net
Chief Scientist Omnitec Corporation
Network/Internet Consultants www.omnitec.net
============================================


------------------------------

Date: Wed, 16 Jun 2004 13:54:06 +0800
From: JM
To: silug-discuss@silug.org
Subject: Re: new local kernel hole
Message-ID: <200406161354.06796.jerome@gmanmi.tv>

Anyway, is there a company that provides an RPM-based kernel that includes this
patch? (Red Hat 9)

TIA

On Tuesday 15 June 2004 01:46, Casey Boone wrote:
> The internet is odd here, I can't actually go to several Red Hat and Fedora
> related sites right now even though I could last week. I am thinking that
> this week I am being routed through a different proxy than last week (and
> since the proxies are not at this site, I have no way of knowing).
>
> Of course technically I am not supposed to use the internet for anything
> not affiliated with work, but I'm a summer intern so I have a lot of down
> time.
>
> So the bug is still present :\
>
> Guess that means a new errata kernel will be hitting the streets pretty
> quick now.
>
> Casey
>
>
> From: Nathaniel Reindl
>
> >On Mon, Jun 14, 2004 at 10:47:20AM -0500, Sean Jewett wrote:
> > > And yes, while it does not mention your particular case I suspect it
> > > probably is exploitable.
> >
> >It is, and I know this because...
> >
> > > You could always compile the exploit and find out ;)
> >
> >I just tried that. :)
> >
> >--
> >Nathaniel Reindl
> >
> >"You do know that you want to read it, and do what you must, because
> >it will be the only thing you will do."
> >


------------------------------

End of [silug-discuss] [silug-discuss] Daily digest (10 messages) V1 #72
**********