Re: Houston, I May Have a Problem (chkrootkit Results)
On Sun, Aug 29, 2004 at 11:04:18AM +0000, gsutton9503@wavecable.com wrote:
>
> I can only guess that they got in because I screwed up while doing a
> few little experiments and forgot to turn the firewall back on.
>
> The couple other systems that are currently active on my network are
> running 98SE at this time with ZA Pro and AVG Antivirus, so they
> haven't been violated. My workstation is currently the only Linux box
> in the house, and has a direct connection to the Internet, whereas
> all other systems are going through one of the other 98 Boxes set up
> with Internet Connection Sharing (nice having both an Ethernet port
> and a USB port on the cable modem and having 2 IP addresses...)
>
> As for the other questions, I have no idea, since I wiped the entire
> system already.
I suspected this. I didn't recommend any forensics since you seemed to want
to get back up in the saddle asap. Would have been nice to know, but no
worries now.
> Too late for that now. I already did the reinstall, and am
> troubleshooting some other issues, which I will save for either a
> different post, or for further down in this message. My top priority
> is getting back up and operational. Thankfully, I have a couple other
> systems I can work with online while I do these fixes (DOS 6.22 and
> WfW 3.11 is quite the screamer on a P- 120 with 64MB RAM) :D
Woo joo...I have gots to get me some of that hot technology...:)
> It is also not too likely that the incident will be repeated, since
>
> A: Guard Dog Firewall gets activated at boot
> B: At the moment, Mepis can't seem to detect the NICs on my MB.
Just make sure you stay up on your updates, and as I recommended, run a
host-based and network IDS. Think of the firewall as a fixed fortification.
Any fortification can be gone over, around or battered down with enough
time if there are no watchers on the gate. Remember the Maginot Line in
France...
> I suspect the NIC issue probably has something to do with how the
> permissions were set when I transferred /tmp /root /usr /usr/local
> /var /opt and /home to their own dedicated partitions. I suppose I
> should reboot yet again with the Mepis CD and have a look at how they
> are supposed to be set.
One thing to check on this: do a chmod 1777 /tmp and check your ownership.
That one thing will transparently break a boatload of stuff.
> Here is the scheme I went with:
>
> /dev/hda
>
> / 3GB
> swap 2GB
> /tmp 1GB
> /root 1GB
> /opt 10GB
> /var 3GB
> /usr 20GB
> /usr/local 35GB
I don't know how fluid your drive space needs are (though I could see your
needs changing fairly often), but you also might want to consider running
Logical Volume Manager (LVM). It abstracts hard drive structure and allows
you to create volume groups and logical volumes. The best part about this
is that you can resize partitions on the fly, literally without unmounting
the filesystem. I do a lot of video work, and have extended the partition
on which I was recording a movie off of cable, without interrupting
recording. It's something that would allow you to allocate your filesystems
efficiently without wasting a bunch of space, and to reallocate should your
needs change.
--Brad
> /dev/hdb
>
> /home 3GB
> /shared 8GB
> /workspace 2GB
>
>
> Well, back to troubleshooting...
> --
> To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
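The /tmp advice in Brad's reply is worth turning into a repeatable check, so here is an added shell example; it is not code from the original mail or from the Debian or Mepis projects. Mode 1777 on /tmp means world-writable plus the sticky bit, and the sticky bit is what stops one user from unlinking or renaming another user's temp files (the classic symlink-race precondition), which is why a lot of software refuses to work, or works unsafely, when it is missing after a hand-built partition layout. The script assumes GNU coreutils stat (the -c form); the expected owner defaults to root, which is what a fresh install gives you, and can be overridden for testing on a scratch directory.

```shell
#!/bin/sh
# Added example (not from the original mail): verify that a temp directory
# has the mode recommended in the reply (1777: sticky bit + rwx for all) and
# is owned by the expected user. Assumes GNU coreutils `stat -c`; on BSD or
# macOS substitute `stat -f '%Lp'` and `stat -f '%Su'`.

# check_tmp_perms DIR [EXPECTED_OWNER]
#   0 -> DIR is mode 1777 and owned by EXPECTED_OWNER (default: root)
#   1 -> mode is wrong        2 -> owner is wrong        3 -> DIR missing
check_tmp_perms() {
    dir="${1:-/tmp}"
    want_owner="${2:-root}"
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 3; }
    mode=$(stat -c '%a' "$dir")     # e.g. 1777; the leading 1 is the sticky bit
    owner=$(stat -c '%U' "$dir")
    if [ "$mode" != "1777" ]; then
        echo "$dir: mode is $mode, expected 1777 (sticky bit missing?)" >&2
        return 1
    fi
    if [ "$owner" != "$want_owner" ]; then
        echo "$dir: owned by $owner, expected $want_owner" >&2
        return 2
    fi
    return 0
}

# fix_tmp_mode DIR: apply the chmod from the reply and re-check the mode.
# Ownership is deliberately left alone (chown to root needs root); the
# re-check therefore uses the directory's current owner as the expectation.
fix_tmp_mode() {
    chmod 1777 "$1" && check_tmp_perms "$1" "$(stat -c '%U' "$1")"
}

# Demo on a constructed scratch directory, safe for an unprivileged user.
# Against the real box you would run:  check_tmp_perms /tmp
demo() {
    d=$(mktemp -d) || return 1
    chmod 0755 "$d"                              # simulate a bad restore
    if check_tmp_perms "$d" "$(id -un)"; then
        echo "before fix: ok (unexpected)"
    else
        echo "before fix: rc=$? (expected 1, mode wrong)"
    fi
    if fix_tmp_mode "$d"; then
        echo "after fix:  ok, mode is now $(stat -c '%a' "$d")"
    else
        echo "after fix:  still failing, rc=$?"
    fi
    rm -rf "$d"
}
demo
```

Run it as root against the real /tmp once the partitions are mounted; a non-zero exit with the reason on stderr tells you whether it is the mode or the ownership that the partition move lost.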