
Re: Houston, I May Have a Problem (chkrootkit Results)



On 29 Aug 04, at 1:01, Alvin Oga wrote:

>
> hi ya scarledown
>
> On Sat, 28 Aug 2004, Scarletdown wrote:
>
> > I'm in the process of archiving and backing up my documents, images,
> > media, and other stuff I want to keep now, about 425MB worth of stuff.
>
> cool ... luckily ... the culprit didn't do anything worse to your machine
>
> however, you should have already had backups ..
>
> now that you know you probably have been cracked, it's too late to start
> doing backups, and definitely do NOT overwrite any old backups since
> they contain good backups and your current system ( backup you're doing
> now ) is suspect and all you might be doing is saving their trojan
> and restoring it again on your new install

All that was backed up was non-executable stuff like documents, images, wav files, etc, so it is highly unlikely that any malware got archived. I will know for sure when I restore them.

>
> the serious problem is ... lest it occur again for the same reason ...
> - how did that happen ... why haven't other boxes been cracked
> - how did they get in
> - who got in ..
> - how long have they been in
> - what other machines have they cracked
> - why they got in.... well probably for fun in this case

I can only guess that they got in because I screwed up while doing a few little experiments and forgot to turn the firewall back on.

The couple of other systems that are currently active on my network are running 98SE at this time with ZA Pro and AVG Antivirus, so they haven't been violated. My workstation is currently the only Linux box in the house, and has a direct connection to the Internet, whereas all other systems are going through one of the other 98 boxes set up with Internet Connection Sharing (nice having both an Ethernet port and a USB port on the cable modem and having 2 IP addresses...)

As for the other questions, I have no idea, since I wiped the entire system already.

> - and if the attacking site they came from goes to a *.gov server,
>   then call the local fbi branch and chase down the attacker
>
> - if you simply reinstall ... you have a high risk they will revisit
> and get back into your new box too

Too late for that now. I already did the reinstall, and am troubleshooting some other issues, which I will save for either a different post, or for further down in this message. My top priority is getting back up and operational. Thankfully, I have a couple of other systems I can work with online while I do these fixes (DOS 6.22 and WfW 3.11 is quite the screamer on a P-120 with 64MB RAM) :D

It is also not too likely that the incident will be repeated, since

A: Guard Dog Firewall gets activated at boot
B: At the moment, Mepis can't seem to detect the NICs on my MB.

I suspect the NIC issue probably has something to do with how the permissions were set when I transferred /tmp /root /usr /usr/local /var /opt and /home to their own dedicated partitions. I suppose I should reboot yet again with the Mepis CD and have a look at how they are supposed to be set.


> how much swap would be dictated by your apps
>
> - watch how much swap is used ... ( top -i ) when blender is
> running
>
> - if blender is using 128MB of swap, add that much more memory
>
> - if the apps used up all of the system memory and runs out of swap,
>   it's highly likely the system randomly decides to reboot or worse,
> start to eat itself, though it usually doesnt happen lately
>
> - in your case, size of swap is not a trivial answer since you're running
> blender .. and we dont know how much resources your system is using
> ( 3D stuff is memory/disk intensive )

I set swap to 2GB, which, according to a bit of Googling and asking Jeeves, appears to be the max that the 32 bit versions of Linux can use. My RAM is currently at 1GB.

>
> (my) recommended partitions ... for googletuple reasons ..
> / - 256MB so your can get into single user to fix things
> /tmp - 256MB so you or the cracker doesnt have much play room
> /var - 512MB or the size of your package manager and apps
> /usr - 4096MB for all the apps you install manually
> swap - 2x physical memory was the old guideline when memory was
> super-duper expensive and in the kB of total memory
>                 (current swap size I use is a blind 512MB or so, and if
>                 all of swap is used, add more physical memory)
> /rest of disk

Here is the scheme I went with:

/dev/hda

/            3GB
swap         2GB
/tmp         1GB
/root        1GB
/opt        10GB
/var         3GB
/usr        20GB
/usr/local  35GB

/dev/hdb

/home        3GB
/shared      8GB
/workspace   2GB


Well, back to troubleshooting...
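Added example (not from either poster in this thread): the point of giving /tmp, /var and /home their own partitions, as Alvin's list above suggests, is that each can then be mounted with nodev, nosuid and noexec so a cracker who lands there has "less play room". Below is a small POSIX sh audit that reads fstab-style lines and reports which mount points lack the options a hardened layout would give them. The sample fstab is constructed to mirror the partition scheme above; the device names, filesystem types, option strings and the per-mount-point policy in wanted_opts are all assumptions for this example, not the author's real /etc/fstab.

```shell
#!/bin/sh
# Audit fstab entries for nodev/nosuid/noexec on data partitions.
# SAMPLE_FSTAB is constructed sample data modelled on the partition scheme
# in the post; nothing here is copied from the author's system.
SAMPLE_FSTAB='# <device>  <mountpoint>  <type>  <options>              <dump> <pass>
/dev/hda1   /             ext3    defaults               1 1
/dev/hda2   none          swap    sw                     0 0
/dev/hda3   /tmp          ext3    defaults               1 2
/dev/hda5   /root         ext3    defaults               1 2
/dev/hda6   /opt          ext3    defaults               1 2
/dev/hda7   /var          ext3    defaults,nodev         1 2
/dev/hda8   /usr          ext3    defaults               1 2
/dev/hda9   /usr/local    ext3    defaults               1 2
/dev/hdb1   /home         ext3    defaults,nodev,nosuid  1 2
/dev/hdb2   /shared       ext3    defaults               1 2
/dev/hdb3   /workspace    ext3    nodev,nosuid,noexec    1 2'

# Policy (an assumption chosen for this example): /tmp gets the full set;
# user and data areas get nodev,nosuid; /usr, /usr/local, /opt and /root
# only nodev, because /usr legitimately holds setuid binaries and must
# stay executable.
wanted_opts() {
    case "$1" in
        /tmp|/var/tmp)                  echo "nodev nosuid noexec" ;;
        /home|/var|/shared|/workspace)  echo "nodev nosuid" ;;
        /usr|/usr/local|/opt|/root)     echo "nodev" ;;
        *)                              echo "" ;;
    esac
}

# Reads fstab text on stdin. Prints one line per mount point that lacks a
# recommended option. Returns 0 if everything is in order, 1 otherwise.
audit_fstab() {
    rc=0
    while read -r dev mnt fstype opts rest; do
        case "$dev" in ''|\#*) continue ;; esac   # blank lines and comments
        [ "$fstype" = "swap" ] && continue        # swap has no mount options to check
        missing=""
        for want in $(wanted_opts "$mnt"); do
            case ",$opts," in
                *,"$want",*) ;;                   # option present
                *) missing="$missing $want" ;;
            esac
        done
        if [ -n "$missing" ]; then
            echo "$mnt ($dev) missing:$missing"
            rc=1
        fi
    done
    return $rc
}

# Run against the constructed sample; on a real box: audit_fstab < /etc/fstab
printf '%s\n' "$SAMPLE_FSTAB" | audit_fstab || echo "one or more mount points need hardening"
```

On the sample this flags /tmp, /root, /opt, /var, /usr, /usr/local and /shared and leaves /home and /workspace alone. One caveat before applying noexec to /tmp on a real system: some package installers unpack and run helper scripts from /tmp, so test an upgrade after remounting, or point the package manager at a different temp directory.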
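A second added example (again not from either poster): the reply above reasons that a backup of "non-executable stuff like documents, images, wav files" is unlikely to carry anything over, and that restoring it will tell for sure. A cheap check before restoring is to walk the restored tree and flag anything that is executable by content rather than by name: an ELF header, a #! interpreter line, or an execute bit. The sample directory below is constructed inline (a text note, a JPEG-like header, an ELF header hiding behind a .jpg name, a shell script saved as .txt, and a .doc with mode 755); file names and contents are assumptions for the example.

```shell
#!/bin/sh
# Flag files in a restored backup that are executable by content or mode.

# Print a reason if FILE looks executable; print nothing and return 1 otherwise.
classify_file() {
    f=$1
    # First four bytes as lowercase hex, e.g. 7f454c46 for an ELF header.
    magic=$(head -c 4 "$f" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        7f454c46) echo "ELF binary"; return 0 ;;           # \x7fELF
        2321*)    echo "script with #! header"; return 0 ;; # "#!"
    esac
    if [ -x "$f" ]; then
        echo "executable bit set"
        return 0
    fi
    return 1
}

# Walk DIR and print "path: reason" for every suspicious regular file.
scan_backup() {
    find "$1" -type f | sort | while read -r f; do
        reason=$(classify_file "$f") && echo "$f: $reason"
    done
}

# Constructed sample tree standing in for a restored archive (not real data).
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/docs" "$d/images"
    printf 'Quarterly notes\n'            > "$d/docs/notes.txt"     # clean text
    printf '\377\330\377\340JFIF'         > "$d/images/photo.jpg"   # JPEG-like header, clean
    printf '\177ELF\002\001\001'          > "$d/images/vacation.jpg" # ELF magic behind a .jpg name
    printf '#!/bin/sh\necho hi\n'         > "$d/docs/readme.txt"    # script saved as .txt
    printf 'plain\n'                      > "$d/docs/report.doc"
    chmod 755 "$d/docs/report.doc"                                  # exec bit on a "document"
    echo "$d"
}

# Demo run; on a real restore: scan_backup /path/to/restored/tree
sample=$(make_sample)
scan_backup "$sample"
rm -rf "$sample"
```

The three planted files are reported and the two genuine documents are not. The magic-byte check is what matters here: an attacker who stashed a binary in the backup would not have left it with a helpful name, and the extension tells you nothing.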