PICList Thread
'[OT]:Need linux help fast'
2001\09\23@040642 by David VanHorn

I got nailed by the "lion" worm. Apparently my "lion-proof" version of
bind, wasn't.
I've killed off most of it, but I need a hand on how to replace the
trojaned system files like PS and LS
The system is about 300 miles away, so this has to be done remotely.
This is on an RH6.2 machine.

I've installed the latest bind, killed off most if not all of the t0rn junk.
--
Dave's Engineering Page: http://www.dvanhorn.org

Got a need to read Bar codes?  http://www.barcodechip.com
Bi-directional read of UPC-A, UPC-E, EAN-8, EAN-13, JAN, and Bookland, with
two or five digit supplemental codes, in an 8 pin chip, with NO external parts.

--
http://www.piclist.com hint: To leave the PICList
piclist-unsubscribe-request@mitvma.mit.edu


2001\09\23@115444 by Brandon Fosdick

David VanHorn wrote:
>
> I got nailed by the "lion" worm. Apparently my "lion-proof" version of
> bind, wasn't.
> I've killed off most of it, but I need a hand on how to replace the
> trojaned system files like PS and LS
> The system is about 300 miles away, so this has to be done remotely.
> This is on an RH6.2 machine.
>
> I've installed the latest bind, killed off most if not all of the t0rn junk.

format and then install FreeBSD :)

You definitely need to do a fresh format/install of an OS that has the
latest version of bind; I forget what RH is up to now.



2001\09\23@134055 by David VanHorn

>
>format and then install FreeBSD :)

Please enlighten me on how to do that through a telnet connection.


2001\09\23@153227 by Brandon Fosdick

David VanHorn wrote:
>
> >
> >format and then install FreeBSD :)
>
> Please enlighten me on how to do that through a telnet connection.

Probably can't, but then I doubt you can do a clean wipe and install of
RH over a telnet connection either. There is a way to do a net install
of freebsd using bootp or pxe, but I'm not familiar with it and I think
you still need console access. I imagine linux can do it too, but again
I don't know much about it.

I don't know enough about linux to say how to sweep it for compromises.
For a case like this with FreeBSD sometimes you can get away with doing
a make buildworld on a known good machine and then installing world over
the net. I'm told that's difficult to do with RH, but it may be your only
option. Maybe if you nfs mount the infected machine onto a good machine
and just copy over the system files?

Is there somebody local to the box that you can enlist?



2001\09\23@153652 by David VanHorn

At 03:20 PM 9/23/01 -0400, Brandon Fosdick wrote:
>David VanHorn wrote:
> >
> > >
> > >format and then install FreeBSD :)
> >
> > Please enlighten me on how to do that through a telnet connection.
>
>Probably can't, but then I doubt you can do a clean wipe and install of
>RH over a telnet connection either. There is a way to do a net install
>of freebsd using bootp or pxe, but I'm not familiar with it and I think
>you still need console access. I imagine linux can do it too, but again
>I don't know much about it.


I've got a list of the files that it mungs, but it includes ls and find, so
it's hard to do anything without trusted binaries.

If it comes to that, I'll have to have them take it down and ship it home,
and then I'll likely have to spend on a major upgrade.


2001\09\23@155732 by Andy N1YEW

well, Slackware is the most best linux version :-)

It is the safest linux version..  RH had more security vulnerabilities than
2000 this year!

andy -- a satisfied slackware user

2001\09\23@160354 by David VanHorn

At 03:42 PM 9/23/01 -0400, Andy N1YEW wrote:
>well, Slackware is the most best linux version :-)
>
>It is the safest linux version..  RH had more security vulnerabilities than
>2000 this year!

If I have to take the system down and reformat, that means going offline
for at least a week, shipping the box, etcetcetc..  It's 300 miles away.

I have a list of all the files that this worm attacks, and all I need at
this point is some fresh binaries to replace my munged ones.



2001\09\23@170059 by M. Adam Davis

Install RH locally, or use binaries from another person's linux box.
I'd send you some, but I don't have simple access to a box right now.

You can also telnet the source for those utilities from red hat's ftp
site, and then compile them remotely.

-Adam

David VanHorn wrote:




2001\09\23@173704 by David VanHorn

At 04:59 PM 9/23/01 -0400, M. Adam Davis wrote:
>Install RH locally, or use binaries from another person's linux box.
>I'd send you some, but I don't have simple access to a box right now.
>
>You can also telnet the source for those utilities from red hat's ftp
>site, and then compile them remotely.

I'm working on the first option now.
I'm a bit hobbled because the munged binaries make it hard for me to do
anything on that box.
I'm going to install it on a machine here, FTP in, (hopefully that's still
working) and replace them.
I hope that does it. What a mess.

The kicker is that I installed the patch for this worm within hours of when
it came out.
Apparently it wasn't quite right yet.




2001\09\23@175758 by Brandon Fosdick

David VanHorn wrote:
> I'm working on the first option now.
> I'm a bit hobbled because the munged binaries make it hard for me to do
> anything on that box.
> I'm going to install it on a machine here, FTP in, (hopefully that's still
> working) and replace them.
> I hope that does it. What a mess.

Do you have sshd running on that box? Is it on the munged list?
If it's still good you can use scp from a good box to copy the files.



2001\09\23@180429 by David VanHorn

>
>Do you have sshd running on that box? Is it on the munged list?
>If it's still good you can use scp from a good box to copy the files.
>

They munged my SSH, but I rebuilt it from source that was on the machine.
I don't have a good box yet to mess with, I'm doing a brain-dump on a
machine here, then I'll have to install 6.1...... $#@!$

I've never messed with scp before, secure copy, I assume?

My main push in getting SSH online was to get rid of telnet.



2001\09\23@184445 by Scott Dattalo

On Sun, 23 Sep 2001, David VanHorn wrote:

> The kicker is that I installed the patch for this worm within hours of when
> it came out.
> Apparently it wasn't quite right yet.

How do you know that it was this worm that got you? Since you access the
machine via telnet, then any compromised intermediate hop can sniff your
passwords. If you su root via telnet, you might as well publish your password
with finger.



2001\09\23@185520 by David VanHorn

>
>How do you know that it was this worm that got you? Since you access the
>machine via telnet, then any compromised intermediate hop can sniff your
>passwords. If you su root via telnet, you might as well publish your password
>with finger.

There's a detection script available, which I've installed and run.
As to security, well, the worm emails my passwords to China, so I'm not too
worried about it at the moment. I'm going to repair it if I can, then
change the passwords, re-install the good stuff, and hope that holds it.

I'd use SSH if I could, but something's preventing it at the moment.



2001\09\23@193314 by Brandon Fosdick

David VanHorn wrote:
> They munged my SSH, but I rebuilt it from source that was on the machine.
> I don't have a good box yet to mess with, I'm doing a brain-dump on a
> machine here, then I'll have to install 6.1...... $#@!$
>
> I've never messed with scp before, secure copy, I assume?

Yes. It's very easy to use and works similarly to cp, except that it always
asks for a password first.

scp somefile.txt darkstar:~

would copy somefile.txt from the current dir to my home dir on darkstar.
Specifying remote locations works as expected... [user@]hostname:path...
you can also copy remote files to the local machine if you already know
the path... `scp darkstar:~/somefile.txt .`

> My main push in getting SSH online was to get rid of telnet.

telnet bad...ssh good

The lab a few floors up from me gets cracked regularly because the admin
refuses to switch to ssh, something about being too much work.



2001\09\23@213626 by Paul Hutchinson

I've got a RH6.2 box here I can get the binaries off for you. If you still
need them send me a list and I'll send you the files ASAP.

Paul





2001\09\23@214631 by David VanHorn

At 09:34 PM 9/23/01 -0400, Paul Hutchinson wrote:
>I've got a RH6.2 box here I can get the binaries off for you. If you still
>need them send me a list and I'll send you the files ASAP.

Thanks.

The list is here:
http://www.sans.org/y2k/lion.htm

I also need to know where to put them, I don't want to trust the current
locations.
Email this to me direct, at dvanhorn@cedar.net


2001\09\24@110139 by Francisco Ares

There's a Windows program called RPM Browser (or something like that) that may be helpful.

Francisco

David VanHorn wrote:


--
http://www.piclist.com hint: PICList Posts must start with ONE topic:
[PIC]:,[SX]:,[AVR]: ->uP ONLY! [EE]:,[OT]: ->Other [BUY]:,[AD]: ->Ads


2001\09\24@113856 by David VanHorn

Thanks guys, I'm handled.
Now I just have to clean up the mess.


2001\09\24@134128 by Francisco Ares

Since you're using RH, there's an option for the "rpm" program (I don't remember it now, but it's on its man page) with which you can list the RPM database of your machine; try to find out which package you would get the infected programs from. There's also another option for the "rpm" program that forces the reinstall of all files of the package (back up all config files first ;-)

To avoid future problems, check this link:
http://www.lids.org/

David VanHorn wrote:


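Added example, not code from the thread or from any of the posters: two POSIX sh helpers for the repair Dave is planning (replace the files on the worm's list with known-good copies from another RH6.2 box) combined with Francisco's rpm idea. The rpm options Francisco is recalling are `rpm -qf FILE` (which package owns a file), `rpm -V PKG` / `rpm -Va` (list files whose size, mode, MD5 or owner no longer match the package) and `rpm -U --force` or `--replacepkgs` (reinstall a package over itself). The first function parses `rpm -V` output; the second quarantines and replaces listed files whose checksum differs from a trusted copy. Function names, the directory layout and the sample `rpm -V` lines are constructed for illustration. The caveat the thread itself raises applies: rpm, cksum and sh on the suspect host may be trojaned and the RPM database can be edited, so this is triage, not proof the box is clean; as Peter says, you cannot fully trust a compromised machine until it is booted from clean media.

```shell
#!/bin/sh
# Added example (not code from the thread): triage helpers for a box whose
# ls/ps/find may be trojaned. Plain POSIX sh so they run under a freshly
# copied shell; every name here is illustrative.
#
# Caveat: the verdicts below are only as trustworthy as the rpm, cksum and
# sh binaries (and the RPM database) that produced them. Run rpm from clean
# media or a freshly copied binary where you can.

# rpm_v_modified: read `rpm -V PKG` or `rpm -Va` output on stdin and print
# the paths whose *contents* differ from the package. Flag field: S=size,
# M=mode, 5=MD5 sum, U/G=owner/group, T=mtime; the word "missing" marks a
# file that is gone. Lines tagged 'c' are config files, which legitimately
# differ, so they are skipped; d/g/l/r tags are stripped. Timestamp-only
# changes (T alone) are ignored. Typical use on the suspect host:
#     rpm -Va 2>/dev/null | rpm_v_modified            # every package
#     rpm -V "$(rpm -qf /bin/ls)" | rpm_v_modified     # just ls's package
rpm_v_modified() {
    while read -r flags rest; do
        [ -n "$flags" ] || continue
        if [ "$flags" = missing ]; then
            echo "${rest##* }"               # path is the last word
            continue
        fi
        case "$rest" in
            c\ *) continue ;;                # config file: expected to change
            [dglr]\ *) rest="${rest#* }" ;;  # doc/ghost/license/readme marker
        esac
        case "$flags" in
            *5*|*S*|*M*) echo "$rest" ;;     # checksum, size or mode changed
        esac
    done
}

# replace_from_trusted LIST TRUSTED_DIR QUARANTINE_DIR [ROOT]
#   LIST         file of absolute paths, one per line (the worm's file list)
#   TRUSTED_DIR  tree with the same layout holding known-good copies taken
#                from an identically patched RH6.2 box: $TRUSTED_DIR/bin/ls
#   QUARANTINE   where the suspect originals are moved for later comparison
#   ROOT         prefix for the live paths (empty on the real box; a scratch
#                directory when rehearsing)
# A live file whose cksum differs from the trusted copy is quarantined and
# the trusted copy installed in its place with mode 0755. Prints one line
# per path: "replaced PATH" or "ok PATH". cksum is used because every POSIX
# userland has it; a CRC is not a cryptographic check, so also compare
# against the vendor RPM's MD5s (rpm -V) where you can.
replace_from_trusted() {
    list=$1; trusted=$2; quar=$3; root=${4:-}
    mkdir -p "$quar"
    while read -r path; do
        [ -n "$path" ] || continue
        good="$trusted$path"; live="$root$path"
        if [ ! -f "$good" ]; then
            echo "no trusted copy: $path" >&2
            continue
        fi
        if [ -f "$live" ] && [ "$(cksum < "$live")" = "$(cksum < "$good")" ]; then
            echo "ok $path"
            continue
        fi
        if [ -f "$live" ]; then
            mv "$live" "$quar/$(printf '%s' "$path" | tr / _)"
        fi
        cp "$good" "$live" && chmod 0755 "$live"
        echo "replaced $path"
    done < "$list"
}
```

Rehearse `replace_from_trusted` with a scratch ROOT before pointing it at `/`, and keep the quarantine directory: comparing the trojaned `ls` against the clean one (strings, size, library dependencies) is how you learn what else the kit touched. Paths containing spaces are not handled, which is fine for the system binaries a t0rn-style kit replaces.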


2001\09\25@152729 by Peter L. Peres

> Please enlighten me on how to do that through a telnet connection.

Install a system with what you need, then tar, bzip and FTP or netpipe the
whole of it across the network, onto another partition than the one you
are running now, edit and run lilo as required to boot the other partition
and then cross your fingers and do a 'shutdown -r -t1 now'. If you fail it
will hang so mistake(s) is not an option ;-). If tar or bzip are
contaminated then this will likely fail. There is no way to help a
compromised machine until you reboot it from media known to be virus free.

Peter

--
http://www.piclist.com hint: The list server can filter out subtopics
(like ads or off topics) for you. See http://www.piclist.com/#topics


2001\09\27@113442 by Harold M Hallikainen

How'd the worm get into the box? I'm running RH7.0 on one machine and
RH7.1 on another. What should I be watching for?

Thanks!!

Harold


On Sun, 23 Sep 2001 16:36:22 -0500 David VanHorn <dvanhorn@CEDAR.NET> writes:

FCC Rules Online at http://hallikainen.com/FccRules
Lighting control for theatre and television at http://www.dovesystems.com


--
http://www.piclist.com#nomail Going offline? Don't AutoReply us!
email listserv@mitvma.mit.edu with SET PICList DIGEST in the body

