jdstrand | ScottK: big thanks for taking care of 0.95.1 :) | 00:14 |
---|---|---|
ScottK | jdstrand: Thanks. Glad I could find the time to squeeze it in. | 00:14 |
jdstrand | ScottK: I actually added the CVEs to our tracker when they came through last week, and updated the USN | 00:14 |
jdstrand | (but yeah, not in the changelog) | 00:15 |
ScottK | jdstrand: OK. There's one or two more from 0.95.1. | 00:15 |
* jdstrand nods | 00:16 | |
jdstrand | I'll get to those next week | 00:17 |
ScottK | jdstrand: One of the Debian guys is going to have a look at it tomorrow, so I may have something before then. | 00:18 |
jdstrand | ah, great :) | 00:34 |
Polk` | !hammertime | 02:50 |
ubottu | Sorry, I don't know anything about hammertime | 02:50 |
=== kraut_ is now known as kraut | ||
=== tonyyaru1so is now known as tonyyarusso | ||
=== ScottK2 is now known as ScottK | ||
=== twb` is now known as twb | ||
cemc | is there a way to install exim without removing postfix ? | 06:15 |
cemc | when I do an apt-get install exim, it automatically wants to remove postfix, but I'd like to keep postfix on too | 06:15 |
lamont | cemc: that is according to policy. you get at most one MTA | 06:16 |
cemc | I see. no way around that? | 06:17 |
lamont | it would violate policy if you could. so that'd be a "no, you can't do that" | 06:17 |
lamont | of course, you could run the other inside of a VM or even a chroot, but then you get to decide which one listens on port 25, and which one fails | 06:17 |
cemc | got it | 06:19 |
ScottK | The one true answer is you really want to keep postfix. | 06:23 |
ScottK | ;-) | 06:23 |
cemc | I know that :) | 06:25 |
cemc | just wanted to do some exim testing, without removing postfix | 06:25 |
cemc | but I guess it only removes the package, not the config, so it's good | 06:25 |
cemc | policy is kinda strange tho :) why can't I have more than one MTAs if I can handle the conf, or I have multiple IPs, or whatever | 06:26 |
lamont | cemc: tell me how you'll have more than one daemon listening on port 25, and I'll tell you how to have policy allow multiple MTAs (oh, and make /usr/sbin/sendmail point to both MTAs while you're at it) | 06:28 |
ScottK | Multiple IPs could solve the port 25 problem, but not sendmail. | 06:28 |
lamont | yeah | 06:28 |
cemc | you have sendmail.postfix and sendmail.exim, and you have sendmail pointing to one or the other, like with alternatives ? | 06:29 |
lamont | cemc: yeah - except for the part where debian policy says that the MTA will provides/conflicts/replaces: mail-transport-agent | 06:30 |
cemc | ehe :) | 06:30 |
cemc | too bad, but no biggie ;) | 06:31 |
cemc | did I say something wrong? :)) | 06:35 |
* |Sigma| waves | 08:42 | |
|Sigma| | is there any way to setup a VPN server so only a certain subnet gets routed through it, and everything else gets routed to a DNS server? | 08:45 |
twb | That would be called setting up a routing table | 08:56 |
twb | Yes, you an do it. | 08:56 |
twb | *can | 08:57 |
|Sigma| | great, routing table, thanks for the key word, I've been trying to figure this out for a while | 08:58 |
|Sigma| | so in this case, I could get away with setting up the table on the vpn server and then setting up the clients to send all traffic through the VPN, correct? | 09:00 |
=== asac_ is now known as asac | ||
twb | Can I remotely drop a machine into single user mode and straight back out again? | 10:39 |
twb | ls /proc/NNNN/ hangs, and similar problems with the process table, but I don't want to drive out there and do a hard reboot. A soft reboot doesn't work, it just ignored my "shutdown -r now" | 10:39 |
bootsandall | I'm a bit new to linux, but I guess you could set up a cron job to bring it back to multi user mode in 5 minutes? | 10:52 |
=== maxb_ is now known as maxb | ||
twb | bootsandall: assuming that atd/crond aren't stopped as part of the single-user shutdown :-) | 11:21 |
twb | As it happens, "telinit 1" is ignored just like shutdown (which amounts to telinit 0). | 11:21 |
twb | I would like to blame upstart for this, but honestly it's more likely to be the mangling that openvz has done to the kernel's innars. | 11:22 |
twb | *innards | 11:22 |
=== apachelogger_ is now known as apachelogger | ||
=== MenZa_ is now known as MenZa | ||
=== jdstrand_ is now known as jdstrand | ||
ZipmaO^ | Hi | 19:27 |
ZipmaO^ | Is there some way to track a user accounts shell command history? | 19:27 |
ZipmaO^ | I have e useracc that I used for samba and therefore had a trivial password. The account was hacked from ssh and now I want to know what they did | 19:28 |
ropetin | ZipmaO^: they probably covered their tracks, but what about the .bash_history file in their home directory? | 19:34 |
ZipmaO^ | the account had /bin/sh shell at the moment | 19:35 |
ZipmaO^ | non- | 19:35 |
ropetin | So as far as I know, no, there is no way to get a list of their commands | 19:35 |
ZipmaO^ | and was not admin | 19:35 |
ZipmaO^ | ok | 19:35 |
ZipmaO^ | can i search for files with a specific ownership? | 19:36 |
ZipmaO^ | I found files that I think they created in /var/tmp/.www/ | 19:36 |
cemc | ZipmaO^: try 'man find', and search for -uid, -user | 19:36 |
ropetin | yup, find would be good, combined with grep | 19:36 |
ZipmaO^ | ok, really thanks for the help | 19:37 |
cemc | something along the lines of: find . -user 'foo' (find all the files with owner foo in the current directory and below, aka recursive) | 19:37 |
cemc | well this actually will find directories too, see -type | 19:38 |
ZipmaO^ | I didn't mind much when I noticed that someone logged in as the account when I ran "lastlog" | 19:38 |
ZipmaO^ | so I changed the shell then to /bin/false to prevent it again | 19:38 |
ZipmaO^ | But earlier today I noticed in syslog that somekind of cron-job was running every minute | 19:38 |
cemc | oops :) sounds like you got hacked, or something ;0 | 19:39 |
ZipmaO^ | found it in the hacked accounts crontab and it led me to /var/tmp/.www/ | 19:39 |
ZipmaO^ | yep.. | 19:39 |
ZipmaO^ | well the accound had the same name as passwd | 19:39 |
ZipmaO^ | Kinda scary but I guess I don't have to worry that much since the acc isn't in the sudoers list? | 19:42 |
cemc | weell... | 19:45 |
cemc | you _really_ want to check everything, you never know | 19:45 |
yann2 | ZipmaO^ > check /tmp, often stuff in there :) | 19:47 |
ZipmaO^ | ok, will do :) | 19:50 |
ZipmaO^ | Thanks for the help guys | 19:50 |
cjwatson | ZipmaO^: unfortunately, local root escalation is one of the more common categories of vulnerabilities, so I'd second the suggestion to check everything very carefully indeed | 20:23 |
ZipmaO | Cjwatson, I don't really understand the term "local root escalation" ? | 21:07 |
andol | ZipmaO: Basically a vulnerability which allows a local non-root user to gain root status. It doesn't have to be a regular user, it can also be a system user, running one of your daemons. | 21:11 |
ZipmaO | how would that be possible? | 21:12 |
ZipmaO | Or more important: what to check? | 21:13 |
=== MianoSM1 is now known as mianosm1 | ||
=== mianosm1 is now known as MianoSM1 | ||
ZipmaO | admin group, sudoers list, user shells? | 21:13 |
ZipmaO | running daemons processes? | 21:13 |
=== jussi01 is now known as android | ||
=== android is now known as jussi01 | ||
ZipmaO | noone? | 21:49 |
mattt | hello | 21:51 |
mattt | what's the question | 21:52 |
cemc | ZipmaO: that's the problem... what to check... if there was an exploit and the hacker gained root access, he could've hid a backdoor, or something bad like anywhere... | 21:53 |
ZipmaO | ok. | 21:54 |
ZipmaO | I see | 21:54 |
cemc | the smartest thing to do is probably a clean install, | 21:54 |
cemc | but if not... you have check everything | 21:54 |
ZipmaO | probably less efficient | 21:54 |
ZipmaO | I don't have that much configuration on the server | 21:54 |
cemc | not sure how is it done on ubuntu, but on redhat I did a rpm -Va, that checked every rpm installed, | 21:54 |
cemc | every package for changes, then I went over the list of changes etc | 21:55 |
cemc | check crontab, check stuff in /etc, users, change passwords, firewall ssh, let nobody in ;) | 21:55 |
ZipmaO | I just ran "sudo find / -ignore_readdir_race -user *****" | 21:55 |
ZipmaO | just the files that I talked about earlier /var/tmp/.www/ | 21:56 |
ZipmaO | seemed like a script hack that installed an IRC-bot | 21:56 |
cemc | mhm | 21:57 |
mattt | ZipmaO: what was the file ownership of those files? | 21:57 |
cemc | probably apache | 21:57 |
cemc | ;) | 21:57 |
mattt | yeah :) check for mambo/phpbb/etc. | 21:57 |
ZipmaO | all the files in that folder matched ownership of the username | 21:57 |
ZipmaO | found some more files now.. | 22:25 |
ZipmaO | /proc/5303 | 22:25 |
ZipmaO | what are those folders used for? | 22:25 |
cemc | proc/<pid>/ contains info about that process which is running and has that process ID | 22:27 |
cemc | do a ps ax |grep 5303 | 22:27 |
cemc | and you'll see what process that is | 22:27 |
cemc | better yet, do 'ps axu |grep 5303', so you can see the user the process is running as | 22:28 |
=== andresmujica2 is now known as andresmujica | ||
ZipmaO | ok | 22:49 |
ZipmaO | thanks cmec | 22:49 |
ZipmaO | the hacked user owns that catalouge | 22:49 |
ZipmaO | root 5303 3.0 0.2 13680 4860 ? S 22:19 2:43 /usr/sbin/smbd -D | 22:50 |
ZipmaO | Doesn't seem weird since it's a samba user | 22:50 |
ZipmaO | ? | 22:50 |
cemc | what did you find in /proc/5303 exactly | 22:51 |
ZipmaO | sec.. | 22:51 |
ZipmaO | well.. quite many folders and files | 22:54 |
ZipmaO | weird thing though, ran the find command again | 22:54 |
ZipmaO | and didn't report any files under /proc this time | 22:54 |
ZipmaO | Well well.. | 23:01 |
ZipmaO | Guess I'll do an reinstall asap | 23:01 |
ZipmaO | just to be sure.. | 23:02 |
cemc | yep, that's probably the best thing | 23:03 |
=== asac_ is now known as asac |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!