LinuxQuestions.org
Old 03-16-2008, 01:35 AM   #1
neothephoenix
Member
 
Registered: Oct 2006
Location: India
Distribution: Fedora Core 6, Archlinux Duke
Posts: 52

Rep: Reputation: 15
Is my Fedora box hacked?


Hi all,

I have Fedora Core 6 installed on a Compaq Presario machine with VMware Workstation running.
Yesterday, while surfing the internet (PPPoE connection), I faced the following problems
when I tried to end the PPPoE connection:

#adsl-stop
[no response]
#adsl-status
[no response]

cannot login as root;
it says password incorrect

went for a reboot;

immediately, xdisplay shuts down and this message came up:
link ppp0 used in promiscous mode
during power down vmware services failed to stop.
during power-up, no gui
INIT no processess left in this runlevel
[system refuses to boot]

tried going to single user mode via grub editing
but again gives the same output that
INIT no processes left in this runlevel

Has my machine been hacked into?
please help...
 
Old 03-16-2008, 07:43 AM   #2
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 198
You have a damaged filesystem. Run fsck.

Quote:
I have fedora core 6 installed on a Compaq presario machine with vmware workstation running.
FC6 is obsolete. Are you running vmware (which one?) on top of FC6 or is FC6 a guest?

Quote:
Has my machine been hacked into?
Calm down - there is no indication at this time that this is anything more than normal data corruption.

However, both vmware and fc6 have security problems. You should make sure you are running the most recent versions.

Last edited by Simon Bridge; 03-16-2008 at 07:48 AM.
 
Old 03-16-2008, 11:24 AM   #3
jiml8
Senior Member
 
Registered: Sep 2003
Posts: 3,171

Rep: Reputation: 116
And what OS is vmware hosted in? What version of vmware?
 
Old 03-17-2008, 03:09 PM   #4
neothephoenix
Member
 
Registered: Oct 2006
Location: India
Distribution: Fedora Core 6, Archlinux Duke
Posts: 52

Original Poster
Rep: Reputation: 15
Hi, thanks for the response;

As suggested, I ran an fsck on the filesystems (in rescue mode). It showed no errors (clean filesystems).

My physical OS (host OS) is Fedora Core 6 and I was running VMware Workstation 5.5.2. Initially there was a problem in installing vmware which was later fixed by the any-to-any patch found on the vm community.
I had installed Win2000 Prof as a guest OS.

Quote:
"However, both vmware and fc6 have security problems. You should make sure you are running the most recent versions."

Now that you mention it, this crashing occurred just two weeks after vmware install. Previously, FC6 was working fine for several months.
Maybe I should go for some other virtualization apps.
 
Old 03-17-2008, 10:35 PM   #5
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 198
Reading what you said made me think that you may have picked up something with vmware or with windows 2000. Most people will run Windows in VM inside a secure environment like a chroot jail etc - take a look at the various honeypot projects.

If you did not patch win2k, you can expect it to be hacked in minutes - you still have to secure the guest.

The isolation would normally protect your host system from being corrupted. But see:
http://www.vmware.com/support/ws55/d...otes_ws55.html

Be glad you are not using windows
Quote:
A vulnerability in VMware Workstation running on Windows allowed complete access to the host's file system from a guest machine. This access included the ability to create and modify executable files in sensitive locations.
But there are a few of these system level vulnerabilities patched in releases later than yours. It may be that an attack designed to compromise a windows host could, by failing, put a linux host in an unbootable configuration.

If you can verify this happened to you - and how - this would be a valuable contribution.
 
Old 03-19-2008, 11:52 AM   #6
neothephoenix
Member
 
Registered: Oct 2006
Location: India
Distribution: Fedora Core 6, Archlinux Duke
Posts: 52

Original Poster
Rep: Reputation: 15
Hi Simon Bridge,
I now believe that whatever happened to my machine has something to do with vmware vulnerability and guest OS attacks as you mentioned.

But like you suggested, to verify and find the root cause, I need some help. I mean, I don't know exactly where to look and what to look for.

The filesystem is mountable in rescue mode; I went through the var/log/messages and other log files but couldn't find anything out of place...

Any help/suggestion will be a great favour to me..
 
Old 03-19-2008, 11:33 PM   #7
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 198
Well... you'll have to trawl through vmware files and the guest OS - as the trouble is there.

VMWare is a proprietary, closed source, system. I can't help you.
 
Old 03-21-2008, 11:13 AM   #8
neothephoenix
Member
 
Registered: Oct 2006
Location: India
Distribution: Fedora Core 6, Archlinux Duke
Posts: 52

Original Poster
Rep: Reputation: 15
Starting from scratch

Hi all,

I could not find any malicious content in the vmware files (not that I know a lot about them). So I've decided to go for a fresh linux install.

Only this time, I've chosen Archlinux Duke for my machine. I've to configure everything from scratch now as is the flavor of this distro. The good news is I am learning a lot more about linux than with Fedora and other gui based distros.

It shames me to admit it, but gui tends to make me dependent on them for any system config/admin jobs. I'm glad I chose Arch, it's as if I'm rediscovering Linux from the beginning.

Thank You all for your time
 
Old 03-24-2008, 11:44 AM   #9
STARHARVEST
Member
 
Registered: Nov 2005
Location: Russia, republic of Bashkiria
Distribution: Slackware 12.1
Posts: 294

Rep: Reputation: 31
try slackware)
 
Old 03-24-2008, 09:51 PM   #10
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 198
Quote:
Originally Posted by neothephoenix
I am learning a lot more about linux than with Fedora and other gui based distros.
Quote:
Originally Posted by STARHARVEST
try slackware
... presumably as a way to learn even more about linux than with Arch... but that's not clear from the post. Perhaps Starharvest has information that Slackware more reliably runs VMWare than Arch? Or that it is more robust against random writes to the install partitions?

I guess even more could be learned from LFS, or, wth, write his own unix kernel. At some point we just have to hope the user has chosen a balance which seems useful for that user's entire needs. We don't know what they are, and we haven't been asked for our opinions on this. There are thousands of GNU/Linux distros, if everyone piped up with their favorite, we'd be here all night.

Quote:
Originally Posted by neothephoenix
I could not find any malicious content in the vmware files
How would you look?

IMO: the only approach is to set up the latest VMWare in a secure environment, and keep up with the updates.
 
Old 04-01-2008, 12:28 PM   #11
neothephoenix
Member
 
Registered: Oct 2006
Location: India
Distribution: Fedora Core 6, Archlinux Duke
Posts: 52

Original Poster
Rep: Reputation: 15
Hi all,

As Simon correctly pointed out, I may not have looked at the right files the right way. But then I wasn't sure of what to look for and where to look for. Either way I had to rebuild my machine.

Also I would like to clarify that I have nothing against Fedora or other GUI based distros. I had been using FC6 for about a year before it crashed. And I must point it out that before vmware, it had worked without any hitches and to me was a better replacement to windows XP.
I just chose to do the configs by hand instead of having the OS do it in background for me. Otherwise it is a great distro.

Regarding running a virtual machine, probably a chroot jailed environment is better. Any help/guidance is welcome.

Thanks to all anyway.
 
Old 04-01-2008, 01:19 PM   #12
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by Simon Bridge
Quote:
Originally Posted by STARHARVEST
try slackware)
... presumably as a way to learn even more about linux than with Arch... but that's not clear from the post. Perhaps Starharvest has information that Slackware more reliably runs VMWare than Arch? Or that it is more robust against random writes to the install partitions?
Probably none of that. He's just one of those typical users that "promote" their distro by non compos mentis drive-by posts such as that one.


Quote:
Originally Posted by neothephoenix
I may not have looked at the right files the right way. But then I wasn't sure of what to look for and where to look for. Either way I had to rebuild my machine.
So it ends inconclusive. Your OP:
Quote:
Originally Posted by neothephoenix
xdisplay shuts down and this message came up:
link ppp0 used in promiscous mode
during power down vmware services failed to stop.
during power-up, no gui
INIT no processess left in this runlevel
[system refuses to boot]
vaguely reminds me of botched upgrades, the only thing of interest being the device promiscuous mode if there was nothing listening legitimately (tcpdump, Snort, etc, etc). Unfortunately I'm entering this thread too late and w/o logs we'll never know. Pity. Really. Next time you think you have security-related problems please try posting them in the Linux Security forum. It's what it's for.


Quote:
Originally Posted by neothephoenix
Regarding running a virtual machine, probably a chroot jailed environment is better.
If your intention is to run W2K then I think VMware still performs better compared to say QEmu. If you are forced to use your W2K VM in a networked situation then restrict traffic with a firewall inside the VM, disable services you really don't need, install AV SW, don't use MsIE and don't give the VM its own IP but make it use the host adapter so you can firewall and IDS it there. I think running a VM inside VMware inside a chroot is too much. The VM should not have access to the host anyway so I don't know what could balance the penalty of chrooting VMware?
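
Added example, not part of the thread: post #12 singles out the promiscuous-mode message as the one item worth checking against legitimate listeners (tcpdump, Snort). The function below scans a syslog file from a rescue-mounted filesystem for the kernel's "device <if> entered/left promiscuous mode" lines and lists interfaces whose last logged transition was "entered"; the host name fc6box, the sample log and the write_sample_log helper are constructed for illustration, and the traditional "Mon DD HH:MM:SS" timestamp format is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): find interfaces that the kernel
# logged as entering promiscuous mode without a later "left" entry.

# promisc_open FILE
#   FILE is a syslog-style file, e.g. var/log/messages under the
#   rescue mount point. Prints "<interface> <timestamp of last entry>".
promisc_open() {
    awk '
        /device [^ ]+ (entered|left) promiscuous mode/ {
            # Locate the "device" token; name and state follow it.
            for (i = 1; i <= NF; i++)
                if ($i == "device") { ifc = $(i + 1); state = $(i + 2) }
            last[ifc] = state
            when[ifc] = $1 " " $2 " " $3
        }
        END {
            for (ifc in last)
                if (last[ifc] == "entered")
                    print ifc " " when[ifc]
        }
    ' "$1" | sort
}

# write_sample_log FILE
#   Writes a constructed log for trying the function offline.
write_sample_log() {
    cat > "$1" <<'EOF'
Mar 15 20:10:01 fc6box kernel: device eth0 entered promiscuous mode
Mar 15 20:12:44 fc6box kernel: device eth0 left promiscuous mode
Mar 15 21:02:11 fc6box kernel: device ppp0 entered promiscuous mode
Mar 15 21:05:30 fc6box example: unrelated line (constructed)
Mar 15 21:30:02 fc6box kernel: device vmnet1 entered promiscuous mode
Mar 15 21:31:10 fc6box kernel: device vmnet1 left promiscuous mode
EOF
}

# When given a path, report on that file.
if [ "${1:-}" ]; then
    promisc_open "$1"
fi
```

Each interface it reports then needs an explanation: a sniffer or IDS that was started on purpose around the reported time, or nothing, which is the case worth investigating.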
 
  

