I will be out of the office starting 30/10/2003 and will not return until 03/11/2003.
Catch U Soon Folks!......
On Thu, 30 Oct 2003, SRINIVAS TURAGA wrote:
~ I will be out of the office starting 30/10/2003 and will not return until 03/11/2003.
Oh shit! So what happens to the lunch you promised me? I hope in future you are more sincere and tell us well in advance about your plans.
Boys and girls,
I'm sick of this problem, and haven't found a solution for, uh.. ever.
Here's how it goes: Several of my servers have been compromised by worms at some point or other. I haven't had the time to do a complete post-mortem, but most seem to exploit SSH or Apache vulnerabilities. I've managed to clean up most without a complete reinstall (thank you apt-get!) but a few, including the most recent, don't seem to want to behave.
Even after cleaning the box up to the point that chkrootkit detects nothing, the system won't boot. It just stalls at "Setting hostname..." in the bootup sequence. Google groups shows this as a problem with several other folks as well, each using Red Hat 7.1/7.2 (mine's 7.2), but no answers are posted.
Has anyone else had this problem? Exasperated, I usually just reinstall the damn thing and patch like crazy, but I just don't have the time or inclination to do this again and again.
TIA
One way to trace the problem would be to add -x in the first line of /etc/rc.d/rc.sysinit and then boot.
So instead of #!/bin/bash make it #!/bin/bash -x
It will print each statement which is getting executed and when it stops, you will know at what command it hangs. That will give some indication as to what could be going wrong.
Amitay.
On Thu, 2003-10-30 at 22:33, Tushar Burman wrote:
Next LUG meet: 9 Nov 2003 around 4 pm - VJTI
Tushar Burman
Linux/BSD evangelist, RD350 rider, friend to animals
Senior Writer, Network Computing Magazine
Official: tushar_burman@jasubhai.com
Y!: tusharburman MSN: tusharburman AOL: tusharburman ICQ: 112803958
All for freedom and for pleasure Nothing ever lasts forever Everybody wants to rule the world
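The trace-the-boot-script approach Amitay describes, as an added example that is not part of the thread or any project's code: a small Python driver that runs a script under bash -x with a time limit and reports the last command bash announced before the hang. The script it runs is a constructed stand-in for /etc/rc.d/rc.sysinit, and the names SAMPLE_SCRIPT, write_sample_script, last_traced_command and demo are chosen here; it assumes bash is on the PATH.

```python
import os
import re
import signal
import subprocess
import tempfile
import textwrap
import threading

# Constructed stand-in for /etc/rc.d/rc.sysinit: it announces a few steps and
# then blocks right after "Setting hostname...", like the box in the thread.
SAMPLE_SCRIPT = textwrap.dedent("""\
    #!/bin/bash
    echo "Mounting proc filesystem"
    echo "Setting hostname..."
    sleep 60      # constructed: a step that never returns
    echo "Finished"
""")


def write_sample_script():
    """Write SAMPLE_SCRIPT to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".sh")
    with os.fdopen(fd, "w") as f:
        f.write(SAMPLE_SCRIPT)
    return path


def last_traced_command(script_path, hang_seconds):
    """Run script_path under 'bash -x' and return the last command bash
    announced before hang_seconds elapsed, or None if the script finished.

    bash -x writes each simple command to stderr, prefixed by one '+' per
    nesting level plus a space, just before executing it; the last such line
    is therefore the command that never returned.
    """
    proc = subprocess.Popen(
        ["bash", "-x", script_path],
        stdin=subprocess.DEVNULL,
        stdout=subprocess.DEVNULL,
        stderr=subprocess.PIPE,
        start_new_session=True,  # own process group, so children die with bash
    )
    trace = []
    reader = threading.Thread(target=lambda: trace.extend(proc.stderr), daemon=True)
    reader.start()
    try:
        proc.wait(timeout=hang_seconds)
        hung = False
    except subprocess.TimeoutExpired:
        os.killpg(proc.pid, signal.SIGKILL)  # takes the blocked child down too
        proc.wait()
        hung = True
    reader.join()  # the pipe hits EOF once every writer in the group is gone
    proc.stderr.close()
    if not hung:
        return None
    commands = [
        re.sub(rb"^\++\s*", b"", line.rstrip())
        for line in trace
        if line.startswith(b"+")
    ]
    return commands[-1].decode(errors="replace") if commands else None


def demo(hang_seconds=2):
    """Write the sample script, trace it, clean up, and return the hung command."""
    path = write_sample_script()
    try:
        return last_traced_command(path, hang_seconds)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("boot script hung at:", demo())
```

On a real box the same information comes out on the console when rc.sysinit runs with -x; the driver above just makes the "last line before the stall" readable and kills the whole process group so a blocked child does not keep the trace pipe open.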
Greetings,
It might be a problem if you are connected to some other domain server or DHCP (I did face it, but I wisely chose to switch to woody). To confirm this, disable the network startup script from 3 and 5 and, once you are in the console, try giving it a start and see.
Regards
Tushar Burman wrote:
On 30/10/03 22:33 +0530, Tushar Burman wrote:
Here's how it goes: Several of my servers have been compromised by worms at some point or other. I haven't had the time to do a complete post-mortem, but most seem to exploit SSH or Apache vulnerabilities. I've managed to clean up most without a complete reinstall (thank you apt-get!) but a few, including the most recent, don't seem to want to behave.
So backup your data, format, reinstall, patch, restore data, bring online. Keep the boxes patched. You don't know what else has gone on the system.
Devdas Bhagat
On Fri, 2003-10-31 at 15:53, Devdas Bhagat wrote:
So backup your data, format, reinstall, patch, restore data, bring online. Keep the boxes patched. You don't know what else has gone on the system.
Wow! Really? Gee, thanks! :P
But seriously, as I mentioned in the mail, I'd like to get to the bottom of the problem; If I don't have a reason why it's happening, I don't have a reason why it won't happen again.
The other suggestions of adding -x to the rc.sysinit script or disabling networking sound more reasonable to me.
On 31/10/03 18:38 +0530, Tushar Burman wrote: <snip>
But seriously, as I mentioned in the mail, I'd like to get to the bottom of the problem; If I don't have a reason why it's happening, I don't have a reason why it won't happen again.
Are you up to date on all patches? IIRC, RH support for 7.2 has expired, or is about to. So you might have to roll your own versions. Are you running any non-RH-supplied software? Perhaps a CGI script?
The other suggestions of adding -x to the rc.sysinit script or disabling networking sound more reasonable to me.
You are making the fundamental mistake of assuming that chkrootkit can detect everything. How do you know that your kernel has not got an LKM which hides the process information? Once the attacker gains full administrative privileges, you are toast.
And replies to the list only, please. Devdas Bhagat
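Devdas's point about a kernel module hiding process information, as an added example that is not part of the thread or any project's code: a Python cross-check of the kind that tools like unhide perform, probing every PID with kill(pid, 0) and comparing the answers against what /proc lists. It assumes a Linux /proc; the function names visible_ids, kernel_knows and hidden_pids are chosen here.

```python
import os

PROC = "/proc"


def visible_ids():
    """PIDs and thread IDs that /proc currently lists.

    Thread IDs are included because on Linux kill(tid, 0) can succeed for a
    thread that is not its group leader, which would otherwise look 'hidden'.
    """
    ids = set()
    for name in os.listdir(PROC):
        if not name.isdigit():
            continue
        ids.add(int(name))
        try:
            ids.update(int(t) for t in os.listdir(f"{PROC}/{name}/task"))
        except OSError:
            pass  # the process exited between the two listings
    return ids


def kernel_knows(pid):
    """True if the kernel has a task with this ID, whether or not we may
    signal it: EPERM means 'exists but not yours', ESRCH means 'no such task'."""
    try:
        os.kill(pid, 0)  # signal 0 delivers nothing; it only checks existence
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def hidden_pids(max_pid=None):
    """IDs that answer to kill(id, 0) but appear in neither a /proc listing
    taken before the probe nor one taken after it.

    A process that starts after the first listing and exits before the second
    can still produce a false hit, so treat any result as a lead to confirm
    (repeat the scan, compare with a boot from known-good media), not as proof
    of a rootkit. Conversely, a module that also filters the kill() path will
    not be caught this way; the check only covers /proc-level hiding.
    """
    if max_pid is None:
        with open(f"{PROC}/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    before = visible_ids()
    alive = {pid for pid in range(1, max_pid + 1) if kernel_knows(pid)}
    after = visible_ids()
    return alive - before - after


if __name__ == "__main__":
    suspects = hidden_pids()
    print("IDs known to the kernel but missing from /proc:", sorted(suspects) or "none")
```

Run it as root so EPERM does not dominate the picture, and run it more than once: a stable set of IDs that never shows up in /proc is what warrants pulling the disk for offline analysis, which is the only answer to the "you don't know what else has gone on the system" problem.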
Greetings,
If that is the case, then get an image of the HDD. I can collect the image directly from your office and do an analysis on my spare machine (for free) (I love this kind of work).
Regards
On Fri, 2003-10-31 at 20:50, S. K Rahman wrote:
If that is the case then get a image of the HDD I can collect the image directly from your office and do a analysis on my spare machine ( For free) ( I love this kind of work)
Thanks for the offer; I had no choice but to install Red Hat 9, which posed a whole new set of problems. Suffice to say that it took all night, one 40GB USB drive, one PowerBook G4, several old hard disks, good luck and Gold Flake Lights to get the system back online.
PS: Trevor, please update qmailtheeasyway for RH9.