LinuxQuestions.org
Old 11-04-2009, 07:56 AM   #31
Jim Bengtson
Member
 
Registered: Feb 2009
Location: Iowa
Distribution: Ubuntu 9.10
Posts: 164

Rep: Reputation: 38

Quote:
Screw the damned lawyers...
Unfortunately when lawyers get involved it's usually them who do the screwing. Best to avoid them at all costs.
 
Old 11-04-2009, 08:11 AM   #32
websissy
Member
 
Registered: Jul 2008
Posts: 49

Original Poster
Rep: Reputation: 15
Oh, geez... What'd I SAY here? My most abject and sincere apologies to all the very nice ayrabs, commies and bastards in the world. That was unquestionably the MOST UN-politically-correct statement I've made in years (felt good too)!! I actually LIKE ayrabs... and a few of my oldest friends are probably commies and I couldn't even BEGIN to count the illegitimate bastards who are my friends (including ME, in fact). It's the hackers and petty thieves who have nothing better to do than steal and damage the work of others that I TRULY hate. F&$# You, You Mo Fos!!!!

Other than that I have no opinions...

Last edited by websissy; 11-04-2009 at 08:59 AM.
 
Old 11-04-2009, 08:41 AM   #33
websissy
Member
 
Registered: Jul 2008
Posts: 49

Original Poster
Rep: Reputation: 15
Bottom line... lighten up guys. This isn't the end of the damn world. It's just one stinkin server among the legions of compromised computers worldwide that has been infected with two stupid viruses. Hell I've personally deloused customer PCs infected with dozens of similar beasties... and ain't nobody ever sued nobody over it yet.

My customers are all small struggling businesses who are for the most part thrilled to have someone with my experience who's willing to work for them for what amounts to peanuts. Ain't none of them gonna sue me 'cause I hain't got no dinero for them to take. Kapeesh (or capite, capishe or capiche as you prefer...)?

Shit happens. We wipe our butts and get up to fight another day. C'est la vie!

No problema, señors! Uno momento, por favore... esta el tiempo para mi siesta... Ahore!

(Note to ayrab-commie-spanglish-speaking-hacker-bastards: Mi español esta mui mala! My Italian and French suck osos muertos too.)

Last edited by websissy; 11-04-2009 at 08:56 AM.
 
Old 11-04-2009, 09:12 AM   #34
Jim Bengtson
Member
 
Registered: Feb 2009
Location: Iowa
Distribution: Ubuntu 9.10
Posts: 164

Rep: Reputation: 38
If you're gonna be unPC, at least aim your guns in the direction of the right target. Most hackers these days are operating out of Russia, China, and eastern Europe. Brush up on mangling your Mandarin and Russian...
 
Old 11-04-2009, 11:00 AM   #35
websissy
Member
 
Registered: Jul 2008
Posts: 49

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by Jim Bengtson
If you're gonna be unPC, at least aim your guns in the direction of the right target. Most hackers these days are operating out of Russia, China, and eastern Europe. Brush up on mangling your Mandarin and Russian...
I'm acutely aware of where the world's evolving cyber threats come from, Jim. That's precisely why I aimed my guns in another direction. The guys in Uzbekistan are well aware of it too. The scariest part is it's 'volunteers' from those same places who are now selflessly maintaining some of our favorite defensive weapons. Did someone mumble, 'conspiracy'? Not ME...

Don't believe me? Look at this:

http://packages.debian.org/changelog...sid1/changelog

Now THERE's some tasty food for thought! (cue ominous music...)

Can you translate... мы ввернуты ?

Oi vey...

Last edited by websissy; 11-04-2009 at 11:26 AM.
 
Old 11-04-2009, 11:32 AM   #36
Jim Bengtson
Member
 
Registered: Feb 2009
Location: Iowa
Distribution: Ubuntu 9.10
Posts: 164

Rep: Reputation: 38
Quote:
Can you translate... мы ввернуты or 我们是在深粪 ?
Which reminds me...now that non-latin characters will be allowed in URLs, Fail2Ban (and Squid, Squidguard, and possibly DNS) will have to be updated to handle the bad guys under those URLs...
 
Old 11-04-2009, 11:41 AM   #37
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 379
The intentional spelling of certain ethnicities in abnormal ways can quite easily be interpreted as derogatory, which is not something we want to see happen here. This is a technical forum, so let's keep things technical. As for the countries, there will of course be some which are more prone to being mentioned when talking about cyber attacks (due to, for example, statistical data), but talk about conspiracies and such doesn't belong here. I'd also like to remind everyone that posts should be in English, as is made clear in the LQ Rules. I'd appreciate everyone's cooperation in getting this thread back on topic. Thanks.

Last edited by win32sux; 11-04-2009 at 11:48 AM.
 
Old 11-04-2009, 01:17 PM   #38
websissy
Member
 
Registered: Jul 2008
Posts: 49

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by win32sux
The intentional spelling of certain ethnicities in abnormal ways can quite easily be interpreted as derogatory, which is not something we want to see happen here. This is a technical forum, so let's keep things technical. As for the countries, there will of course be some which are more prone to being mentioned when talking about cyber attacks (due to, for example, statistical data), but talk about conspiracies and such doesn't belong here. I'd also like to remind everyone that posts should be in English, as is made clear in the LQ Rules. I'd appreciate everyone's cooperation in getting this thread back on topic. Thanks.
Sorry, win32sux. Didn't realize I'd broken any rules. I had no clue you were an English only site. God knows I wasn't intentionally being bigoted or insulting. I was just trying to lighten things up a bit. It got so lead-heavy here yesterday even natural flatulence fell straight to the ground as pellets. But I understand now. Sarcasm and humor aren't allowed here... no matter what. Better that we all drop dead of strokes or hypertension.

I get it. Just the facts. No spitting, mud balls, fist fights, kicking, screaming or hair-pulling. And especially never utter the forbidden "c-word". No foreign words or phrases - and absolutely no Spanish, French, Italian, Yiddish, Russian or Chinese. We can't risk offending anyone. Gallows humor not allowed.

My sincere apologies to all you hackers too. I'm sure you're all very nice gentlemen or ladies deep down.

Now, back to the topic. My current plan is to take my server down, move all my clients to another temporary location. Then rebuild and fully harden the server before moving them back again. Does anyone strenuously object to that plan? Have I overlooked any obvious pot holes?

Can anyone recommend sites that offer reliable prefab server building scripts OTHER than the tutorials at LinuxHowto.com and YoLinux.com? I found Falco's Tutorials at LinuxHowTo to be excellent. But by the time I figured out and resolved things like Apache configuration, install, setup and integration; postfix installation, configuration and setup; plus openssh, spamassassin, dovecot, squirrelmail and mailman integration along with virtual mailboxes; DNS server selection, integration, installation and testing; php, perl and mysql installation, setup, integration and testing, etc., etc., etc., and handled the reinstall and testing of 20 web sites, it literally took weeks for me to build, configure, test and minimally harden this server last year and roll it out.

Needless to say, I'd like to find ways to vastly shorten that path while not taking any foolish or fatal shortcuts. That's especially true where server hardening, mail setup and spam filtering are concerned.

Wizened suggestions from veterans with scars on their backs would be greatly appreciated! Threats of violence, lawsuits and global anthrax releases will all be completely ignored.

Thanks.

Last edited by websissy; 11-04-2009 at 01:26 PM.
 
Old 11-04-2009, 01:36 PM   #39
websissy
Member
 
Registered: Jul 2008
Posts: 49

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by Jim Bengtson
Which reminds me...now that non-latin characters will be allowed in URLs, Fail2Ban (and Squid, Squidguard, and possibly DNS) will have to be updated to handle the bad guys under those URLs...
The good news is volunteers from Eastern Europe, Russia and the far east are already maintaining some of those tools. That means it should be easy for them to fix them. Other than that, I'm not touching that particular live transformer with a 75' rubber pole.

Last edited by websissy; 11-04-2009 at 01:38 PM.
 
Old 11-04-2009, 01:46 PM   #40
websissy
Member
 
Registered: Jul 2008
Posts: 49

Original Poster
Rep: Reputation: 15
Speaking of server rebuilds and homeland security, here's good news from our federal government published 3 hours ago. Maybe I can convince Joe Lieberman to come help rebuild my server or at least send me a few bucks to underwrite the costs.

http://www.newsfactor.com/news/Cente...GW&full_skip=1

Last edited by websissy; 11-04-2009 at 01:49 PM.
 
Old 11-05-2009, 12:10 PM   #41
Jorge-Getson
LQ Newbie
 
Registered: Nov 2009
Posts: 5

Rep: Reputation: 0
I agree with you about a new drive for two reasons.

Quote:
Originally Posted by websissy
As I said above, I was wrong when I said the ls -v command was in a bootlog. I had run a debian script (dpkg-reconfigure) and captured the output to check it. I noticed the ls error in the log and questioned it. That's how the rootkit was discovered.

I realize the server will need to be rebuilt; but before I start that, I'd like to try to figure out how long this compromise has been present and determine if there is any way at all to lobotomize it or keep it from doing any further harm. If it has been there for months (I suspect it may have been), then rather than take 25 client sites down for weeks while I rebuild, I might conclude it's best to leave the compromised system running and keep client sites running while I work on building a completely new server or building a completely new drive on THIS server.

I know I may be whistling in the dark here. But most of my clients are small businesses and their www server needs are not complex - a few html pages, a web form or two and some streaming music or videos. Only two of them involve significant databases and both of those sites are mine. But despite their size, my small business customers really do NEED their sites to be up and accessible on the web. So, my goal here would be to avoid putting them completely out of the web business while I tackle this rebuild.

Thanks a lot for your comments and any feedback you can offer.
I use my site for mostly personal reasons. I have a backup system, not web accessible with 1.7 Tb raid 10 for backups.
All my other systems have a single drive but I'm going to change that soon. Pondering the route to go on that.
Now, my two reasons actually are two in one.
1. Drives are cheap nowadays.
2. You get to keep the infected drive for those late nights that you want to dig around and find the way it happened. Could be good information for you, and yes all the rest of us as well.

Wish I had an easy answer for you.
Good luck
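The quoted post says the rootkit was spotted because a replaced `ls` misbehaved in captured dpkg-reconfigure output, and this reply suggests keeping the infected drive to work out what happened. One systematic way to find out which package-managed files were replaced is to compare the drive against dpkg's own per-package md5sums manifests, which is what Debian's debsums tool does. The script below is an added example, not code from the thread or from debsums: it re-implements that comparison stand-alone so the check is visible, and builds a constructed fake root (a "coreutils" manifest with a trojaned `bin/ls`) to run against. Point `root` at the suspect drive mounted read-only from a clean boot medium, since on a rootkitted host the manifests and the hashing tools themselves cannot be trusted.

```python
"""Check a suspect Debian root filesystem against dpkg's md5sums manifests.

Added example, not code from the thread. dpkg keeps one manifest per package
at /var/lib/dpkg/info/<package>.md5sums; each line is
"<32 hex md5><two spaces><path relative to />". Run it against the suspect
drive mounted read-only under `root` from a clean boot medium. The demo root
built below (with a trojaned bin/ls) is constructed sample data, not real.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def parse_md5sums(text):
    """Parse one .md5sums manifest into {relative_path: md5hex}."""
    manifest = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        # hash, two spaces, then the path (the path itself may contain spaces)
        digest, sep, rel_path = line.partition("  ")
        if not sep or len(digest) != 32:
            raise ValueError(f"malformed md5sums line: {line!r}")
        manifest[rel_path] = digest.lower()
    return manifest


def md5_of_file(path, chunk=1 << 16):
    """MD5 of a file, streamed so large binaries need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_manifest(root, manifest):
    """Return {relative_path: 'modified' | 'missing'} for entries that do not match."""
    findings = {}
    for rel_path, expected in manifest.items():
        full = os.path.join(root, rel_path)
        if not os.path.isfile(full):
            findings[rel_path] = "missing"
        elif md5_of_file(full) != expected:
            findings[rel_path] = "modified"
    return findings


def verify_all_packages(root):
    """Check every package manifest under <root>/var/lib/dpkg/info.

    Returns {package: findings}, listing only packages with problems.
    """
    info_dir = Path(root) / "var" / "lib" / "dpkg" / "info"
    report = {}
    for manifest_file in sorted(info_dir.glob("*.md5sums")):
        package = manifest_file.name[: -len(".md5sums")]
        findings = verify_manifest(root, parse_md5sums(manifest_file.read_text()))
        if findings:
            report[package] = findings
    return report


def build_demo_root():
    """Construct a fake mounted root: a 'coreutils' manifest, a genuine bin/cat,
    a replaced bin/ls and one file that has been deleted. Sample data only."""
    root = tempfile.mkdtemp(prefix="suspect-root-")
    genuine_ls = b"#!/bin/sh\necho genuine ls\n"
    genuine_cat = b"#!/bin/sh\necho genuine cat\n"
    (Path(root) / "bin").mkdir()
    (Path(root) / "bin" / "ls").write_bytes(b"#!/bin/sh\necho trojaned ls\n")
    (Path(root) / "bin" / "cat").write_bytes(genuine_cat)
    info_dir = Path(root) / "var" / "lib" / "dpkg" / "info"
    info_dir.mkdir(parents=True)
    lines = [
        hashlib.md5(genuine_ls).hexdigest() + "  bin/ls",
        hashlib.md5(genuine_cat).hexdigest() + "  bin/cat",
        "0" * 32 + "  bin/removed-tool",
    ]
    (info_dir / "coreutils.md5sums").write_text("\n".join(lines) + "\n")
    return root


if __name__ == "__main__":
    for package, findings in verify_all_packages(build_demo_root()).items():
        for rel_path, status in sorted(findings.items()):
            print(f"{package}: /{rel_path} {status}")
```

Two caveats for real use: files a package declares as conffiles are not listed in its manifest, so edits under /etc will not show up here, and a mismatch in a core binary such as bin/ls tells you what was replaced but not when; for the "how long has this been there" question, pair it with the modification and change times of the flagged files as recorded on the read-only mount.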
 
Old 11-05-2009, 12:17 PM   #42
Jorge-Getson
LQ Newbie
 
Registered: Nov 2009
Posts: 5

Rep: Reputation: 0
Lawyers!

Quote:
Originally Posted by Jim Bengtson
Unfortunately when lawyers get involved it's usually them who do the screwing. Best to avoid them at all costs.
Hey! Why don't you just tell us how you feel about it! ;>)

Look what the damned lawyers are doing to our country!
Need a new rule.
#1. Disqualification for a political office: a law degree!
 
Old 11-05-2009, 11:19 PM   #43
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Slackware 10.1/10.2/12, Ubuntu 12.04, Crunchbang Statler
Posts: 3,786

Rep: Reputation: 282
This thread is going nowhere. Lawyers, politics and religion amongst other stuff belong somewhere else.
 
Old 11-06-2009, 12:26 AM   #44
frenchn00b
Senior Member
 
Registered: Jun 2007
Location: E.U., Mountains :-)
Distribution: Debian, Etch, the greatest
Posts: 2,546

Rep: Reputation: 57
So, finally, has this Debian etch machine been hacked or not? Did the rootkits give any logs?

I hope that, I wished that, it was just a hoax.
 
Old 11-06-2009, 10:22 AM   #45
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Rep: Reputation: 897
Quote:
Originally Posted by websissy
Sorry, win32sux. Didn't realize I'd broken any rules. I had no clue you were an English only site. God knows I wasn't intentionally being bigoted or insulting. I was just trying to lighten things up a bit.
This is an English-language only site; I'm not sure what the rule on strings of non-ASCII characters is, but best to avoid them, unless they are directly germane to the issue at hand.

Quote:
I get it. Just the facts. No spitting, mud balls, fist fights, kicking, screaming or hair-pulling. And especially never utter the forbidden "c-word". No foreign words or phrases - and absolutely no Spanish, French, Italian, Yiddish, Russian or Chinese. We can't risk offending anyone. Gallows humor not allowed.
For my taste, this thread has gotten a bit random (maybe, scatter-gun would be a better phrase). That isn't to outlaw humour and there is a fine line between humour directed to a purpose and just offending random people because you can. After all, if you think of the way that the media usually portrays people who have anything to do with computers, we wouldn't want to repeat that kind of stereotyping here, whether it is stereotyping of techies or of any particular race (well, unless it is really, really, really funny and in an appropriate forum, like general, where there wouldn't be a risk of distracting from an important thread).

Quote:
Now, back to the topic. My current plan is to take my server down, move all my clients to another temporary location. Then rebuild and fully harden the server before moving them back again. Does anyone strenuously object to that plan? Have I overlooked any obvious pot holes?
...reliable prefab server building scripts OTHER than the tutorials at LinuxHowto.com and YoLinux.com? I found Falco's Tutorials at LinuxHowTo to be excellent...Needless to say, I'd like to find ways to vastly shorten that path while not taking any foolish or fatal shortcuts. That's especially true where server hardening, mail setup and spam filtering are concerned.
There has not been any report of the evidence of the 'how...' part of the 'how did the bad guys do this' question; if you do get such evidence please be sure to post it.

My belief is that someone did something really, really stupid with this server - probably the previous administrators, but that is just a wild guess on my part - like, say, having a root password of root and allowing root logins (which would be an extraordinarily stupid thing to do...but something bad happened somehow, probably twice). It would be excellent to know that whatever it was isn't going to happen again.

There was an excellent tutorial recommended back on page one of this thread (http://www.cyberciti.biz/tips/linux-security.html way back in post #8) and I would also recommend the bastille set of hardening scripts (but with the usual proviso that you cannot just get a fire 'n forget solution to security...it should be one of a series of measures and an ongoing process of patching and monitoring).
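The guess above is that the box fell to something like direct root logins with a trivial password, and the advice is that hardening has to be an ongoing process of checking rather than a one-shot script. A small audit of the sshd settings behind that exact failure mode, as an added example that is not from the thread, from Bastille or from OpenSSH: it applies the sshd_config parsing rules I rely on here (keywords are case-insensitive, `Key value` and `Key=value` are both accepted, the first occurrence of a keyword wins, and everything after the first `Match` line is conditional, so it is left out of the global audit). The `DEFAULTS` table is my assumption about what sshd used when a keyword was absent in the OpenSSH of that era (PermitRootLogin defaulted to yes until OpenSSH 7.0), and both configs are constructed samples, the weak one beside its corrected form.

```python
"""Audit sshd_config for the settings that allow direct root logins with
guessable passwords. Added example, not code from the thread.

Parsing rules assumed: keywords case-insensitive, "Key value" or "Key=value",
FIRST occurrence wins, everything after the first `Match` is conditional and
therefore not part of the global audit. DEFAULTS are the assumed compiled-in
values for absent keywords in pre-7.0 OpenSSH. Both configs are constructed.
"""
import re

WEAK_CONFIG = """\
# constructed sample: permits exactly the scenario described in the thread
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
"""

HARDENED_CONFIG = """\
# constructed sample: the corrected settings
Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
"""

# Assumed defaults when a keyword is absent (OpenSSH before 7.0).
DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
}

# keyword, then either whitespace or an optional-whitespace '=' separator, then the value
_LINE = re.compile(r"^(\S+?)(?:\s+|\s*=\s*)(.*)$")


def effective_settings(text):
    """Return {keyword_lowercase: value} for the global section; first occurrence wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        key, value = (m.group(1), m.group(2).strip()) if m else (line, "")
        key = key.lower()
        if key == "match":
            break  # the rest of the file is conditional on the Match criteria
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return a list of (Keyword, effective value, why it matters) findings."""
    settings = effective_settings(text)

    def effective(key):
        return settings.get(key, DEFAULTS.get(key, ""))

    findings = []
    if effective("permitrootlogin") == "yes":
        findings.append(("PermitRootLogin", "yes",
                         "root can authenticate directly with a password; set 'no' and escalate via su/sudo"))
    if effective("passwordauthentication") == "yes":
        findings.append(("PasswordAuthentication", "yes",
                         "password guessing is possible; move to public keys and set 'no'"))
    if effective("permitemptypasswords") == "yes":
        findings.append(("PermitEmptyPasswords", "yes",
                         "accounts with empty passwords can log in; set 'no'"))
    if "1" in effective("protocol").replace(" ", "").split(","):
        findings.append(("Protocol", effective("protocol"),
                         "SSH protocol 1 is enabled; set 'Protocol 2'"))
    return findings


if __name__ == "__main__":
    for label, config in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {len(audit_sshd_config(config))} finding(s)")
        for keyword, value, reason in audit_sshd_config(config):
            print(f"  {keyword} {value}: {reason}")
```

Because an absent keyword falls back to `DEFAULTS`, an empty or near-empty config is reported rather than passed, which is the point: a server that was never told `PermitRootLogin no` is in the same state as one that was told `yes`. Re-running a check like this after every package upgrade or config edit is the "ongoing process" part, and it reads the file only, so it is safe to run against a mounted copy of the compromised drive as well as the rebuilt one.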
 
  


All times are GMT -5.