Post by thread:[OT]:Need linux help fast

I got nailed by the "lion" worm. Apparently my "lion-proof" version of bind, wasn't. I've killed off most of it, but I need a hand on how to replace the trojaned system files like PS and LS The system is about 300 miles away, so this has to be done remotely. This is on an RH6.2 machine. I've installed the latest bind, killed off most if not all of the t0rn junk. -- Dave's Engineering Page: http://www.dvanhorn.org Got a need to read Bar codes? http://www.barcodechip.com Bi-directional read of UPC-A, UPC-E, EAN-8, EAN-13, JAN, and Bookland, with two or five digit supplemental codes, in an 8 pin chip, with NO external parts. -- http://www.piclist.com hint: To leave the PICList spam_OUTpiclist-unsubscribe-requestTakeThisOuTmitvma.mit.edu

David VanHorn wrote: > > I got nailed by the "lion" worm. Apparently my "lion-proof" version of > bind, wasn't. > I've killed off most of it, but I need a hand on how to replace the > trojaned system files like PS and LS > The system is about 300 miles away, so this has to be done remotely. > This is on an RH6.2 machine. > > I've installed the latest bind, killed off most if not all of the t0rn junk. format and then install FreeBSD :) You definately need to do a fresh format/install of an OS that has the latest version of bind, I forget what RH is up to now. -- http://www.piclist.com hint: To leave the PICList .....piclist-unsubscribe-requestKILLspam@spam@mitvma.mit.edu

> >format and then install FreeBSD :) Please enlighten me on how to do that through a telnet connection. -- Dave's Engineering Page: http://www.dvanhorn.org Got a need to read Bar codes? http://www.barcodechip.com Bi-directional read of UPC-A, UPC-E, EAN-8, EAN-13, JAN, and Bookland, with two or five digit supplemental codes, in an 8 pin chip, with NO external parts. -- http://www.piclist.com hint: To leave the PICList piclist-unsubscribe-requestKILLspammitvma.mit.edu

David VanHorn wrote: > > > > >format and then install FreeBSD :) > > Please enlighten me on how to do that through a telnet connection. Probably can't, but then I doubt you can do a clean wipe and install of RH over a telnet connection either. There is a way to do a net install of freebsd using bootp or pxe, but I'm not familiar with it and I think you still need console access. I imagine linux can do it too, but again I don't know much about it. I don't know enough about linux to say how to sweep it for compromises. For a case like this with FreeBSD sometimes you can get away with doing a make buildworld on a known good machine and then installing world over the net. I'm told thats difficult to do with RH, but it may be your only option. Maybe if you nfs mount the infected machine onto a good machine and just copy over the system files? Is there somebody local to the box that you can enlist? -- http://www.piclist.com hint: To leave the PICList .....piclist-unsubscribe-requestKILLspam.....mitvma.mit.edu

At 03:20 PM 9/23/01 -0400, Brandon Fosdick wrote: >David VanHorn wrote: > > > > > > > >format and then install FreeBSD :) > > > > Please enlighten me on how to do that through a telnet connection. > >Probably can't, but then I doubt you can do a clean wipe and install of >RH over a telnet connection either. There is a way to do a net install >of freebsd using bootp or pxe, but I'm not familiar with it and I think >you still need console access. I imagine linux can do it too, but again >I don't know much about it. I've got a list of the files that it mungs, but it includes ls and find, so it's hard to do anything without trusted binaries. If it comes to that, I'll have to have them take it down and ship it home, and then I'll likely have to spend on a major upgrade. -- Dave's Engineering Page: http://www.dvanhorn.org Got a need to read Bar codes? http://www.barcodechip.com Bi-directional read of UPC-A, UPC-E, EAN-8, EAN-13, JAN, and Bookland, with two or five digit supplemental codes, in an 8 pin chip, with NO external parts. -- http://www.piclist.com hint: To leave the PICList EraseMEpiclist-unsubscribe-requestspam_OUTTakeThisOuTmitvma.mit.edu

At 03:42 PM 9/23/01 -0400, Andy N1YEW wrote: >well, Slackware is the most best linux version :-) > >It is the safest linux version.. RH had more security vulnerabilites than >2000 this year! If I have to take the system down and reformat, that means going offline for at least a week, shipping the box, etcetcetc.. It's 300 miles away. I have a list of all the files that this worm attacks, and all I need at this point is some fresh binaries to replace my munged ones. -- Dave's Engineering Page: http://www.dvanhorn.org Got a need to read Bar codes? http://www.barcodechip.com Bi-directional read of UPC-A, UPC-E, EAN-8, EAN-13, JAN, and Bookland, with two or five digit supplemental codes, in an 8 pin chip, with NO external parts. -- http://www.piclist.com hint: To leave the PICList piclist-unsubscribe-requestspam_OUTmitvma.mit.edu

Install RH locally, or use binaries from another person's linux box. I'd send you some, but I don't have simple access to a box right now. You can also telnet the source for those utilities from red hat's ftp site, and the compile them remotely. -Adam David VanHorn wrote: {Quote hidden}> At 03:42 PM 9/23/01 -0400, Andy N1YEW wrote: > >> well, Slackware is the most best linux version :-) >> >> It is the safest linux version.. RH had more security vulnerabilites >> than >> 2000 this year! > > > If I have to take the system down and reformat, that means going offline > for at least a week, shipping the box, etcetcetc.. It's 300 miles away. > > I have a list of all the files that this worm attacks, and all I need at > this point is some fresh binaries to replace my munged ones. > > -- > Dave's Engineering Page: http://www.dvanhorn.org > > Got a need to read Bar codes? http://www.barcodechip.com > Bi-directional read of UPC-A, UPC-E, EAN-8, EAN-13, JAN, and Bookland, > with > two or five digit supplemental codes, in an 8 pin chip, with NO > external parts. > > -- > http://www.piclist.com hint: To leave the PICList > @spam@piclist-unsubscribe-requestKILLspammitvma.mit.edu > > > > > -- http://www.piclist.com hint: To leave the PICList KILLspampiclist-unsubscribe-requestKILLspammitvma.mit.edu

At 04:59 PM 9/23/01 -0400, M. Adam Davis wrote: >Install RH locally, or use binaries from another person's linux box. >I'd send you some, but I don't have simple access to a box right now. > >You can also telnet the source for those utilities from red hat's ftp >site, and the compile them remotely. I'm working on the first option now. I'm a bit hobbled because the munged binaries make it hard for me to do anything on that box. I'm going to install it on a machine here, FTP in, (hopefully that's still working) and replace them. I hope that does it. What a mess. The kicker is that I installed the patch for this worm within hours of when it came out. Apparently it wasn't quite right yet. -- Dave's Engineering Page: http://www.dvanhorn.org Got a need to read Bar codes? http://www.barcodechip.com Bi-directional read of UPC-A, UPC-E, EAN-8, EAN-13, JAN, and Bookland, with two or five digit supplemental codes, in an 8 pin chip, with NO external parts. -- http://www.piclist.com hint: To leave the PICList RemoveMEpiclist-unsubscribe-requestTakeThisOuTmitvma.mit.edu

David VanHorn wrote: > I'm working on the first option now. > I'm a bit hobbled because the munged binaries make it hard for me to do > anything on that box. > I'm going to install it on a machine here, FTP in, (hopefully that's still > working) and replace them. > I hope that does it. What a mess. Do you have sshd running on that box? Is it on the munged list? If its still good you can use scp from a good box to copy the files. -- http://www.piclist.com hint: To leave the PICList spamBeGonepiclist-unsubscribe-requestspamBeGonemitvma.mit.edu

> >Do you have sshd running on that box? Is it on the munged list? >If its still good you can use scp from a good box to copy the files. > They munged my SSH, but I rebuilt it from source that was on the machine. I don't have a good box yet to mess with, I'm doing a brain-dump on a machine here, then I'll have to install 6.1...... $#@!$ I've never messed with scp before, secure copy, I assume? My main push in getting SSH online was to get rid of telnet. -- Dave's Engineering Page: http://www.dvanhorn.org Got a need to read Bar codes? http://www.barcodechip.com Bi-directional read of UPC-A, UPC-E, EAN-8, EAN-13, JAN, and Bookland, with two or five digit supplemental codes, in an 8 pin chip, with NO external parts. -- http://www.piclist.com hint: To leave the PICList TakeThisOuTpiclist-unsubscribe-requestEraseMEspam_OUTmitvma.mit.edu

On Sun, 23 Sep 2001, David VanHorn wrote: > The kicker is that I installed the patch for this worm within hours of when > it came out. > Apparently it wasn't quite right yet. How do you know that it was this worm that got you? Since you access the machine via telnet, then any compromised intermediate hop can sniff your passwords. If su root via telnet, you might as well publish your password with finger. -- http://www.piclist.com hint: To leave the PICList RemoveMEpiclist-unsubscribe-requestTakeThisOuTmitvma.mit.edu

> >How do you know that it was this worm that got you? Since you access the >machine via telnet, then any compromised intermediate hop can sniff your >passwords. If su root via telnet, you might as well publish your password >with finger. There's a detection script available, which I've installed and run. As to security, well. the worm emails my passwords to china, so I'm not too worried about it at the moment. I'm going to repair it if I can, then change the passwords, re-install the good stuff, and hope that holds it. I'd use SSH if I could, but something's preventing it at the moment. -- Dave's Engineering Page: http://www.dvanhorn.org Got a need to read Bar codes? http://www.barcodechip.com Bi-directional read of UPC-A, UPC-E, EAN-8, EAN-13, JAN, and Bookland, with two or five digit supplemental codes, in an 8 pin chip, with NO external parts. -- http://www.piclist.com hint: To leave the PICList piclist-unsubscribe-requestEraseME.....mitvma.mit.edu

David VanHorn wrote: > They munged my SSH, but I rebuilt it from source that was on the machine. > I don't have a good box yet to mess with, I'm doing a brain-dump on a > machine here, then I'll have to install 6.1...... $#@!$ > > I've never messed with scp before, secure copy, I assume? yes. its very easy to use and works similar to cp, except that it always asks for a password first. scp somefile.txt darkstar:~ would copy somefile.txt from the current dir to my home dir on darkstar. Specifying remote locations works as expected... [user@]hostname:path... you can also copy remote files to the local machine if you already know the path... `scp darkstar:~/somefile.txt .` > My main push in getting SSH online was to get rid of telnet. telnet bad...ssh good The lab a few floors up from me gets cracked regularly because the admin refuses to switch to ssh, something about being too much work. -- http://www.piclist.com hint: To leave the PICList EraseMEpiclist-unsubscribe-requestmitvma.mit.edu

I've got a RH6.2 box here I can get the binaries off for you. If you still need them send me a list and I'll send you the files ASAP. Paul {Quote hidden}> Install RH locally, or use binaries from another person's linux box. > I'd send you some, but I don't have simple access to a box right now. > > You can also telnet the source for those utilities from red hat's ftp > site, and the compile them remotely. > > -Adam > > David VanHorn wrote: > > > If I have to take the system down and reformat, that means going offline > > for at least a week, shipping the box, etcetcetc.. It's 300 miles away. > > > > I have a list of all the files that this worm attacks, and all I need at > > this point is some fresh binaries to replace my munged ones. > > -- http://www.piclist.com hint: To leave the PICList RemoveMEpiclist-unsubscribe-requestEraseMEEraseMEmitvma.mit.edu

At 09:34 PM 9/23/01 -0400, Paul Hutchinson wrote: >I've got a RH6.2 box here I can get the binaries off for you. If you still >need them send me a list and I'll send you the files ASAP. Thanks. The list is here: http://www.sans.org/y2k/lion.htm I also need to know where to put them, I don't want to trust the current locations. Email this to me direct, at RemoveMEdvanhornspam_OUTKILLspamcedar.net -- Dave's Engineering Page: http://www.dvanhorn.org Got a need to read Bar codes? http://www.barcodechip.com Bi-directional read of UPC-A, UPC-E, EAN-8, EAN-13, JAN, and Bookland, with two or five digit supplemental codes, in an 8 pin chip, with NO external parts. -- http://www.piclist.com hint: To leave the PICList RemoveMEpiclist-unsubscribe-requestTakeThisOuTspammitvma.mit.edu

There's a Windows program called RPM Browser (or something like that) that may be helpfull. Francisco David VanHorn wrote: {Quote hidden}> At 03:42 PM 9/23/01 -0400, Andy N1YEW wrote: > >well, Slackware is the most best linux version :-) > > > >It is the safest linux version.. RH had more security vulnerabilites than > >2000 this year! > > If I have to take the system down and reformat, that means going offline > for at least a week, shipping the box, etcetcetc.. It's 300 miles away. > > I have a list of all the files that this worm attacks, and all I need at > this point is some fresh binaries to replace my munged ones. > > -- > Dave's Engineering Page: http://www.dvanhorn.org > > Got a need to read Bar codes? http://www.barcodechip.com > Bi-directional read of UPC-A, UPC-E, EAN-8, EAN-13, JAN, and Bookland, with > two or five digit supplemental codes, in an 8 pin chip, with NO external parts. > > -- > http://www.piclist.com hint: To leave the PICList > EraseMEpiclist-unsubscribe-requestspamspamBeGonemitvma.mit.edu -- http://www.piclist.com hint: PICList Posts must start with ONE topic: [PIC]:,[SX]:,[AVR]: ->uP ONLY! [EE]:,[OT]: ->Other [BUY]:,[AD]: ->Ads

Thanks guys, I'm handled. Now I just have to clean up the mess. -- Dave's Engineering Page: http://www.dvanhorn.org Got a need to read Bar codes? http://www.barcodechip.com Bi-directional read of UPC-A, UPC-E, EAN-8, EAN-13, JAN, and Bookland, with two or five digit supplemental codes, in an 8 pin chip, with NO external parts. -- http://www.piclist.com hint: PICList Posts must start with ONE topic: [PIC]:,[SX]:,[AVR]: ->uP ONLY! [EE]:,[OT]: ->Other [BUY]:,[AD]: ->Ads

Hence you're using RH, there's an option for the "rpm" program (don't remember now, but that's on it's man page) where you can list the RPM database of your machine; try to find out in whitch package you would get the infected programs, and also another option for the "rpm" program forces the reinstall of all files of the package (back up all config files, first ;-) To avoid future problems, check this link: http://www.lids.org/ David VanHorn wrote: {Quote hidden}> I got nailed by the "lion" worm. Apparently my "lion-proof" version of > bind, wasn't. > I've killed off most of it, but I need a hand on how to replace the > trojaned system files like PS and LS > The system is about 300 miles away, so this has to be done remotely. > This is on an RH6.2 machine. > > I've installed the latest bind, killed off most if not all of the t0rn junk. > -- > Dave's Engineering Page: http://www.dvanhorn.org > > Got a need to read Bar codes? http://www.barcodechip.com > Bi-directional read of UPC-A, UPC-E, EAN-8, EAN-13, JAN, and Bookland, with > two or five digit supplemental codes, in an 8 pin chip, with NO external parts. > > -- > http://www.piclist.com hint: To leave the PICList > RemoveMEpiclist-unsubscribe-requestKILLspammitvma.mit.edu -- http://www.piclist.com hint: PICList Posts must start with ONE topic: [PIC]:,[SX]:,[AVR]: ->uP ONLY! [EE]:,[OT]: ->Other [BUY]:,[AD]: ->Ads

> Please enlighten me on how to do that through a telnet connection. Install a system with what you need, then tar, bzip and FTP or netpipe the whole of it across the network, onto another partition than the one you are running now, edit and run lilo as required to boot the other partition and then cross your fingers and do a 'shutdown -r -t1 now'. If you fail it will hang so mistake(s) is not an option ;-). If tar or bzip are contaminated then this will likely fail. There is no way to help a compromised machine until you reboot it from media known to be virus free. Peter -- http://www.piclist.com hint: The list server can filter out subtopics (like ads or off topics) for you. See http://www.piclist.com/#topics

How'd the worm get into the box? I'm running RH7.0 on one machine and RH7.1 on another. What should I be watching for? Thanks!! Harold On Sun, 23 Sep 2001 16:36:22 -0500 David VanHorn <dvanhornSTOPspamspam_OUTCEDAR.NET> writes: {Quote hidden}> At 04:59 PM 9/23/01 -0400, M. Adam Davis wrote: > >Install RH locally, or use binaries from another person's linux > box. > >I'd send you some, but I don't have simple access to a box right > now. > > > >You can also telnet the source for those utilities from red hat's > ftp > >site, and the compile them remotely. > > I'm working on the first option now. > I'm a bit hobbled because the munged binaries make it hard for me to > do > anything on that box. > I'm going to install it on a machine here, FTP in, (hopefully that's > still > working) and replace them. > I hope that does it. What a mess. > > The kicker is that I installed the patch for this worm within hours > of when > it came out. > Apparently it wasn't quite right yet. > > > -- > Dave's Engineering Page: http://www.dvanhorn.org > > Got a need to read Bar codes? http://www.barcodechip.com > Bi-directional read of UPC-A, UPC-E, EAN-8, EAN-13, JAN, and > Bookland, with > two or five digit supplemental codes, in an 8 pin chip, with NO > external parts. > > -- > http://www.piclist.com hint: To leave the PICList > spamBeGonepiclist-unsubscribe-requestSTOPspamEraseMEmitvma.mit.edu > > FCC Rules Online at http://hallikainen.com/FccRules Lighting control for theatre and television at http://www.dovesystems.com ________________________________________________________________ GET INTERNET ACCESS FROM JUNO! Juno offers FREE or PREMIUM Internet access for less! Join Juno today! For your FREE software, visit: dl.http://www.juno.com/get/web/. -- http://www.piclist.com#nomail Going offline? Don't AutoReply us! email KILLspamlistservspamBeGonemitvma.mit.edu with SET PICList DIGEST in the body