/srv/irclogs.ubuntu.com/2019/08/02/#ubuntu-discuss.txt

[01:00] <tomreyn> hmm, no 18.04.3 postponement message at https://lists.ubuntu.com/archives/ubuntu-announce/ yet - https://wiki.ubuntu.com/BionicBeaver/ReleaseSchedule still says 2019-08-01 - probably tomorrow then
[01:01] * tomreyn zzz
[01:04] <sarnold> tomreyn: hah, I went looking through #ubuntu-release logs.. got directed to #ubuntu-devel logs .. and the conversation was with *you* :)
[01:05] <sarnold> tomreyn: I read these as suggesting that it'll be *next* week, not today
[01:08] <tomreyn> sarnold: okay, *almost* in bed now ;) so i'm just pointing out that (while i'm aware the release will be delayed, since this was indeed discussed in #ubuntu-devel - i also asked whether there'd be a postponement announcement - and the plan was to send one, but there is none - at least not yet - and the release schedule still states it'll release on the past day.
[01:10] <tomreyn> maybe i'm just nit picking, yould just like to have some (non irc) statement i could pass on.
[01:10] <tomreyn> s/yould just/I would just prefer/
[01:12] <tomreyn> sarnold: and re-reading what you just said here, maybe you're just joking about how you misunderstood something and i'm just too tired to get this. ;-)
[01:12] <tomreyn> either way, bon nuit.
[01:14] <sarnold> tomreyn: good morning :) by the time you read this I'll have asked someone to post something more formal :)
[03:52] <lotuspsychje> good morning to all
[06:53] <lordievader> Good morning
[07:23] <marcoagpinto> Heya!!!
[07:27] <immu> hi....
[07:42] <RikMills> tomreyn: well, it's not now plausible to get the QA done on images for a release before middle of next week IMO, even if release declares the ones being prepared good for testing
[08:02] <lotuspsychje> hey TJ-
[08:03] <lotuspsychje> TJ-: yes, that dmesg was on the flickering boot -23
[08:05] <TJ-> lotuspsychje: ahhh, has tjalt's kernel builds located the issue yet?
[08:05] <lotuspsychje> TJ-: im currently testing Linux Rootbox 5.0.0-rc1 #12 and now learning what bisect is..
[08:05] <TJ-> I'm only here trying to solve a failure of 'systemctl suspend' so I can travel - I'm 1.5 hours behind schedule right now, grrr
[08:14] <lotuspsychje> OerHeks: you fixed your -23 bug?
[08:14] <OerHeks> lotuspsychje, by booting recovery & using the dpkg option to check packages
[08:15] <lotuspsychje> ok
[08:15] <lotuspsychje> didnt see new users reporting things for now..
[08:15] <lotuspsychje> im still working on mine
[10:27] <jeremy31> lotuspsychje: do you have the flicker without having nomodeset in grub?
[10:27] <lotuspsychje> jeremy31: yes, thats the original issue, update to 5.0.0.23 without nomodeset
[10:28] <lotuspsychje> nomodeset, works without flickering, but backlight dont work then
[10:28] <jeremy31> And you have Intel UHD 620?
[10:29] <lotuspsychje> yes
[10:32] <jeremy31> Not much in the changelog from -21 to -23
[10:33] <lotuspsychje> jeremy31: i went from 4.18 to 5.0.0.23 (hwe)
[10:33] <lotuspsychje> so didnt test -21
[10:33] <lotuspsychje> maybe its all related to kernel 5?
[10:35] <jeremy31> It could be, I have a 620 but am still using 4.15
[10:35] <lotuspsychje> feel free to risk your system :p
[10:36] <jeremy31> I might try 5.0.0-12 and see if it works, https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1824216 might be the cause
[10:36] <ubot5> Ubuntu bug 1824216 in linux (Ubuntu Disco) "Linux 5.0 black screen on boot, display flickers (i915 regression with certain laptop panels)" [Undecided,Fix released]
[10:37] <lotuspsychje> lemme read, looks promising
[10:39] <jeremy31> Got to head to work
[10:39] <lotuspsychje> have fun jeremy31
[12:16] <BluesKaj> Hi folks
[12:22] <tomreyn> sarnold: good morning, and thanks! :)
[12:26] <tomreyn> RikMills: hey there, thanks for your reply. i'm not pushing for a new fixed release date, but it'd be great to see a "it'll have to be later than originally planned", with bonus points for a 3 word explanation, type announcement. right now it's just that the scheduled release has not happened, and there's (besides us few who know) no statement to the public on it.
[12:27] <tomreyn> but maybe i'm asking too much. how were delays handled in the past?
[12:27] <tomreyn> (i.e., was there an advisory when there were any?)
[12:33] <marcoagpinto> BluesKaj! tomreyn!!!!! Hello guys!!!!
[12:33] <marcoagpinto> I was brushing my teeth
[12:33] <tomreyn> oh so you do have some left?
[12:34] <marcoagpinto> yes
[12:34] <tomreyn> that's good, and hello.
[12:34] <marcoagpinto> I use special toothpaste
[12:34] <marcoagpinto> :)
[12:34] <tomreyn> "cola neutralizer"
[12:34] <marcoagpinto> and drink special milk with vitamin D and Calcium
[12:34] <marcoagpinto> yes, exactly
[12:35] <marcoagpinto> the only light I usually get is from the computer screen
[12:36] <tomreyn> your efforts are impressive, but you're really ruining yourself if you go on like this - don't do it. :-/
[12:37] <marcoagpinto> :(
[12:38] <tomreyn> sleep and walking around in the fresh air are really good, even though i never trusted my parents on that. ;-)
[12:38] <marcoagpinto> :)
[13:28] <marcoagpinto> bbl
[14:12] <RikMills> tomreyn: last time there was an email like this: https://lists.ubuntu.com/archives/ubuntu-release/2019-February/004694.html
[14:12] <RikMills> I have not seen why there is no one this time
[14:13] <tomreyn> hehe, i like the second paragraph (pet bugs).
[14:13] <tomreyn> RikMills: thanks for finding this
[14:14] <RikMills> tomreyn: all I saw from Adam (infinity) this time on IRC was:
[14:14] <tomreyn> i think adam worked all night and just needed sleep, and no one else was available
[14:14] <RikMills> [16:21] <infinity> RikMills: [16:21] <infinity> RikMills: It was delayed due to kernel issues, but a notice wasn't sent (yet) for reasons.
[14:14] <tomreyn> ah for reasons, ok.
[14:14] <RikMills> extra bit of copy/paste there, but 'reasons'...
[14:15] <tomreyn> let's wait then. ;)
[14:15] <RikMills> maybe something security? who knows
[14:16] <tomreyn> could be anything, including what his /away message says
[14:17] <RikMills> well at the moment 'dkms modules suddenly asploding' is one bug
[14:18] <tomreyn> while i appreciate it, please don't share internal info with me in case you're just doing so.
[14:19] <RikMills> tomreyn: you are in #ubuntu-release where that was said. its public
[14:19] <tomreyn> oh good :)
[14:19] <tomreyn> i missed it
[14:21] <RikMills> easy done
[14:21] * RikMills goes back to poking stuff on Eoan
[14:21] <tomreyn> :) thanks
[15:51] <Rojola> hi
[15:52] <Rojola> tomreyn, so, I solved it like this:
[15:52] <Rojola> at first, I installed 'cpanminus'
[15:52] <Rojola> 'git' and 'make' were already installed
[15:52] <Rojola> then I cloned imapsync's github repo
[15:53] <Rojola> now, the cool part is: when I run "make install" I get a list of missing perl modules
[15:53] <Rojola> and it tells me the exact command I need to install them
[15:53] <Rojola> that's what I needed 'cpanminus' for
[15:54] <Rojola> after that, 'make install' could work if all dependencies are met
[15:54] <Rojola> I also needed 'libssl-dev' and 'libpar-packer-perl'
[15:55] <Rojola> tomreyn?
[15:56] <lotuspsychje> how can we help you Rojola
[15:56] <Rojola> lotuspsychje, thanks, I am good
[15:56] <Rojola> lotuspsychje, no need for help
[15:57] <Rojola> lotuspsychje, the user tomreyn asked me to explain the solution in here
[15:57] <lotuspsychje> ok mate
[15:58] <tomreyn> Rojola: i'm here, sorry, too much chatting ;)
[15:59] <Rojola> tomreyn, sure, np
[15:59] <tomreyn> Rojola: cool, so you found a solution which works for you?
[16:00] <tomreyn> Rojola: i did have a quick look at the ubuntu specific installation instructions for imapsync. it looked doable, if those dependencies were satisfiable.
[16:01] <Rojola> tomreyn, yes the solution works
[16:01] <tomreyn> Rojola: i guess you could ask debian to package this software, but they may require the developer to relicense it under a DFSG-free license
[16:02] <Rojola> tomreyn, I have known imapsync since so, so, so many years... I really wanted to use _this_ tool
[16:02] <Rojola> what's wrong with the license?
[16:02] <Rojola> is it illegal?
[16:02] <Rojola> don't scare me man!
[16:02] <RikMills> tomreyn: https://lists.ubuntu.com/archives/ubuntu-release/2019-August/004787.html
[16:03] <Rojola> I got a really, really stupid question... please bear with me:   After I successfully installed something via "make install"
[16:03] <tomreyn> Rojola: no, no, it's just custom, meaning they need to verify it's compatible with their licensing requirements.
[16:03] <Rojola> can I delete the directory where I have the sources?
[16:03] <Rojola> git clone ....  <== there I get a directory
[16:03] <Rojola> then I "make install" it
[16:04] <Rojola> can I delete the cloned git-directory then?
[16:04] <Rojola> I have been keeping all these directories but I wonder if I need to
[16:04] <tomreyn> RikMills: Thanks so much to you and Dimitry!
[16:04] <tomreyn> *Dimitri
[16:04] <Rojola> tomreyn, would you like to ask people about packing imapsync and contacting the developer?
[16:05] <tomreyn> Rojola: not really, no, you should file a RFP bug (do a web search on this) against debian.
[16:06] <Rojola> would Debian even care what I have to say?
[16:06] <Rojola> I mean, who am I?
[16:06] <tomreyn> it will really need someone to want to make it happen, i.e. someone packaging it. if you know how to do this, file an ITP bug instead.
[16:07] <tomreyn> but a RFP is an option to point out that there is a demand for someone packaging it.
[16:08] <tomreyn> https://wiki.debian.org/RFP
[16:08] <tomreyn> https://wiki.debian.org/ITP
[16:08] <Rojola> thank you tomreyn !
[16:09] <tomreyn> Rojola: you can remove the git repository if you did 'make install' (and are not planning to install updates by updating git and running make install again)
[16:10] <Rojola> thank you tomreyn
[16:10] <RikMills> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919587
[16:10] <ubot5> Debian bug 919587 in wnpp "ITP: imapsync -- Email IMAP tool for syncing, and migrating email mailboxes between two imap servers, one way, and without duplicates." [Wishlist,Open]
[16:10] <tomreyn> you're welcome, Rojola
[16:10] <Rojola> tomreyn, ooooh, too sweet of you!! You just added that?
[16:10] <Rojola> thank you tomreyn
[16:11] <tomreyn> no i did not, read it carefully. also RikMills pointed you to this, not i ;)
[16:25] <wasanzy> I found this after scanning my infected server with ClamAv:
[16:25] <wasanzy> https://paste.debian.net/1094080/
[16:28] <tomreyn> wasanzy: thanks for joining. can you run    sha256sum /var/lib/postgresql/10/main/postgresq1
[16:29] <tomreyn> wasanzy: that's in case it's still there. and did you find out how the system got infected in the first place?
[16:29] <wasanzy> ed3b7209ee905cc5a2a2b33f351511c895ea6913428536b9e162eb487a24528f  /var/lib/postgresql/10/main/postgresq1
[16:30] <tomreyn> https://www.virustotal.com/gui/file/ed3b7209ee905cc5a2a2b33f351511c895ea6913428536b9e162eb487a24528f/detection
[16:30] <wasanzy> tomreyn: am not able to determine how the system got infected yet
[16:30] <tomreyn> so that's "just" the miner, it remains unclear what caused the infection
[16:32] <tomreyn> wasanzy: the fact that the file is located in /var/lib/postgresql/... and the file is owned (i think you said so earlier, better double check this) by system user "postgres" suggests that it may have been stored there as the result of an sql injection
[16:33] <tomreyn> so you should check the softwares which were interacting with the postgresql server on this computer for SQLI vulnerabilities. before you do this, though, also check that you didn't allow remote access to postgresql.
[16:33] <wasanzy> tomreyn: Ok I will do further checks
[16:34] <tomreyn> i'm saying all of this assuming the production server has been taken offline since and you're just analyzing the compromise while someone else is preparing to bring a replacement system live.
[16:38] <wasanzy> yea the server is no more in production
[16:40] <tomreyn> \o/
[16:43] <tomreyn> wasanzy: see if you have other files in /var/lib/postgresql/10/main/ which were changed recently and may not belong there. you can generate hashes against them and check those against virustotal (without risking to disclose sensible data) by just placing the hash on the url.
[16:44] <tomreyn> to find sql injections in web applications you have running, the most common approach is using "sqlmap". but this is for later, i guess.
[16:44] <tomreyn> you could also use static analysis utilities if you have their source code available.
[16:46] <tomreyn> ask in ##security if you need more suggestions
[17:13] <wasanzy> ok
[17:13] <wasanzy> tomreyn: sorry I got disconnected
[17:21] <tomreyn> wasanzy: did you see what i wrote, should i repeat? the last line was: ask in ##security if you need more suggestions
[17:21] <wasanzy> <tomreyn: yes I see that
[17:22] <wasanzy> am now scanning the whole system I mean root directory to see if malware is somewhere else too
[17:23] <tomreyn> wasanzy: i assume you mean / and not just /root
[17:23] <wasanzy> yes /
[17:26] <wasanzy> am installing sqlmap on the system
[17:31] <tomreyn> wasanzy: keep in mind there's always a chance that AV software may not be able to detect fresh malware. the miner was first submitted to virustotal on Nov 19, 2018, it may not have been detected by AVs for weeks or months (and many still don't detect it)
[17:32] <wasanzy> tomreyn: Yes you are right
[17:32] <tomreyn> wasanzy: sqlmap is for scanning against a live website over a network link. you can certainly do this locally (but don't have to, and those applications may behave differently when they see accesses from 127.0.0.1)
[17:33] <wasanzy> ok
[17:33] <wasanzy> let me run it from my Kali Linux then
[17:34] <wasanzy> and one thing is, we don't run php powered web applications on the server
[17:34] <tomreyn> it doesn't need to be PHP
[17:35] <tomreyn> any web application which uses user data to run live requests (SQL) against a DB backend may be affected.
[17:36] <tomreyn> i mean user input
[17:42] <tomreyn> call for 18.04.3 pre-RC ISO testing https://lists.ubuntu.com/archives/ubuntu-release/2019-August/004788.html
[17:42] <tomreyn> http://iso.qa.ubuntu.com/qatracker/milestones/405/builds
[17:44] <daftykins> :O
[17:54] <wasanzy> Ok good
[17:57] <tomreyn> wasanzy: did you notice that the last character of the miner is a "one" (1), not an L (l)? that's a unique identifier (i.e. we can search the web for similar situations) and here's a similar one https://www.postgresql-archive.org/posgresql-log-td6021877.html
[17:58] <tomreyn> wasanzy: i.e. you may have similar records in your postgresql logs in case those still exist.
[17:59] <wasanzy> interesting
[18:00] <tomreyn> the server the malwas was downloaded from there is a cpanel server - which no longer hosts it. this may suggest this was also a compromised system.
[18:01] <tomreyn> s/malwas/malware/
[18:03] <wasanzy> ok
[18:04] <tomreyn> the messages printed there are by wget, which suggests that the attacker was already able to run arbitrary commands at the point when they downloaded the miner.
[18:09] <wasanzy> interestingly, there is no "postgresq1" in any of the logs
[18:10] <tomreyn> it may be encoded.
[18:10] <tomreyn> but you're right, it should be there if it was logged the same way as seen at https://www.postgresql-archive.org/posgresql-log-td6021877.html
[18:11] <tomreyn> which postgresql version were you running on which ubuntu version, and when was it last updated?
[18:12] <tomreyn> as steve atkins writes on this thread, "It's probably a compromise via postgresql open to the network with insecure settings" - that's my suspicion, too. have you been able to rule this out, yet?
[18:13] <wasanzy> grep -r "postgresq1" /var/log/*
[18:13] <wasanzy> return nothing
[18:13] <tomreyn> does it have logs for this day, though?
[18:14] <wasanzy> yes the postgresql log has logs for yesterday
[18:14] <wasanzy> the system is auto update everyday
[18:14] <tomreyn> and postgresql was installed from ubuntu repositories or elsewhere?
[18:14] <wasanzy> ubuntu repo
[18:15] <tomreyn> which ubuntu version?
[18:15] <wasanzy> running Ubuntu 18.04
[18:15] <wasanzy> Linode cloud
[18:20] <tomreyn> wasanzy: hmm, so 18.04.2 then really? since we assume /var/log/audit/ was overwritten by the attacker, this actually suggests that they had elevated permissions (root access), unless permissions were incorrectly set there. can you say which ownership and permissions were set at /var/log/audit post compromise?
[18:23] <sarnold> I'd like to make sure wasanzy knows that the safe way forward here is to reinstall from known good media and restore clean data from backups
[18:23] <sarnold> forensics is fun and good but don't pretend you can bring this system back online in any useful way
[18:24] <tomreyn> this made me think we're beyond this point <wasanzy> yea the server is no more in production
[18:25] <sarnold> good good
[18:25] <tomreyn> but it's good you're stressing the need to recover properly
[18:25] <tomreyn> i'm not yet convinced of this ;)
[18:26] <tomreyn> ^ wasanzy: you got a recommendation from a member of the ubuntu security team there. ;)
[18:30] <tomreyn> (hope you don't mind the full disclosure, sarnold)
[18:31] <sarnold> tomreyn: indeed, I don't mind; it's not particularly hidden in any event :)
[18:31] <tomreyn> right
[18:38] <wasanzy> interesting help coming up
[18:41] <wasanzy> sarnold: only two users are permitted to execute sudo su and one user who can run commands with sudo but any sudo command throws alert
[18:42] <wasanzy> tomreyn: ^^ sorry
[18:45] <wasanzy> root owns the /var/log/auditd
[18:54] <tomreyn> wasanzy: so if you assume the attacker deleted those logs you know what this means.
[18:54] <tomreyn> (where "the attacker" was most likely some fully automated malware)
[18:56] <wasanzy> I assumed the file was tampered with because I could not see yesterday nor any other date entries in the log except today.
[18:57] <tomreyn> wasanzy: this still suggests someone gained root access to tamper with it
[19:00] <wasanzy> this is interesting
[19:21] <lotuspsychje> wb TJ-
[19:22] <TJ-> lotuspsychje: solved your issue yet?
[19:22] <lotuspsychje> TJ-: still bisecting kernels with tjaalton
[19:23] <lotuspsychje> TJ-: i need to kernel param fastboot=0 now too
[19:32] <TJ-> That feeling of deja-vu you get when searching for a bug report that describes an issue you're experiencing, only to find you reported it 18 months ago!!
[19:34] <lotuspsychje> TJ-: i actually found similar flickering ubuntu bugs
[19:34] <lotuspsychje> jeremy31 also found a kernel 5 bug interesting
[19:35] <lotuspsychje> https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1824216
[19:35] <ubot5> Ubuntu bug 1824216 in linux (Ubuntu Disco) "Linux 5.0 black screen on boot, display flickers (i915 regression with certain laptop panels)" [Undecided,Fix released]
[19:35] <lotuspsychje> https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1550779
[19:35] <ubot5> Ubuntu bug 1550779 in linux (Ubuntu) "[drm:intel_cpu_fifo_underrun_irq_handler [i915]] *ERROR* CPU pipe A FIFO underrun" [Medium,Confirmed]
[19:38] <TJ-> lotuspsychje: Doesn't surprise me at all; end of last year/start of this I was in the Intel IRC channel helping someone else with an issue and the development process really struck me as 'through mud at the wall and hope it sticks' - I got the real feeling that no-one really understood the hardware or the driver in-total. In fact I got the feeling Intel deliberately keep the Open-source developers in
[19:38] <TJ-> the dark about core hardware functionality based on their conversations.
[19:39] <TJ-> oops, s/through/throw/
[19:50] <jelly> TJ-, #intel-gfx here on freenode?
[19:51] <TJ-> jelly: I'd have to check it was many months ago
[19:51] * jelly greps logs for TJ-
[19:51] <TJ-> jelly: yes, I have a log-file for that channel
[19:53] <jelly> May 22 13:08:52 <--     TJ- (root@2a02:[...]:484) has left #intel-gfx ("WeeChat 1.9.1")
[19:56] <lotuspsychje> https://bugs.launchpad.net/ubuntu/+source/xorg/+bug/1838818
[19:56] <ubot5> Ubuntu bug 1838818 in xorg (Ubuntu) "intel graphic" [Undecided,New]
[19:56] <lotuspsychje> fresh in, we better keep an eye on kernel 5 & graphics
[19:56] <TJ-> we can add this to a similar harder-to-find regression in iwlwifi too, I still suffer using any kernel later than 4.17
[19:58] <lotuspsychje> out for today, my kernel lost is huge lol
[20:23] <daftykins> a wild TJ- ! \o
[20:25] <daftykins> TJ-: ever seen hdparm get used to set an ATA password, then the one set doesn't work immediately after - and the drive becomes useless? that's the situation i've got!
[20:26] <daftykins> (it was during an attempt at a secure erase of an SSD)
[20:47] <TJ-> daftykins: not seen, but read of, and I *think* I also read of a fix, but it may have been manufacturer specific
[20:48] <TJ-> daftykins: password was ASCII? how many characters - could it have exceeded the internal length limit in which case you just need to type less characters
[20:49] <daftykins> TJ-: i fed it "blargh" :D
[20:49] <daftykins> from a 14.04.3 live session
[20:50] <TJ-> daftykins: hmmm and what does the kernel log report when trying to unlock it?
[20:51] <daftykins> ah didn't read anything from the log, 14.04.3 gives this annoying sense data error, 14.04.1 just gives an I/O error
[20:51] <daftykins> i read a claim that some kernel broke the function which causes the former
[20:51] <TJ-> well without seeing the logs and what hdparm reports its hard to guess
[20:52] <TJ-> is it possible the SSD coincidentally died due to/during the Secure Erase step?
[20:52] <daftykins> okie dokie, i'll throw some notes together sometime - i've kind of given up on the thing entirely though, fancy a 128GB mSATA drive? ;)
[20:52] <daftykins> ah i didn't get that far, only the password creation
[20:53] <TJ-> is the SSD directly connected on SATA or via a USB bridge ?
[20:53] <daftykins> i have a SATA adapter, i'd anticipate problems with bridge chips
[20:54] <TJ-> whats the make/model of SSD?
[20:54] <daftykins> the drive in question is an OEM SanDisk U100 which came in a Samsung laptop, no surprises both companies don't want to help
[20:54] <daftykins> only desktop support minions who don't know what an ATA password is
[20:55] <TJ-> this one ? https://ssd.userbenchmark.com/SpeedTest/2827/SanDisk-SSD-U100-128GB
[20:56] <daftykins> pretty much
[20:59] <TJ-> could you use this (windows) tool to create the (Linux) bootable USB image to try with?  https://kb.sandisk.com/app/answers/detail/a_id/16678/~/secure-erase-and-sanitize
[20:59] <daftykins> the problem is now that the password is set, the drive is locked
[21:00] <TJ-> I was thinking along the lines that the Sandisk tool might have a way to deal with that
[21:00] <TJ-> something that hdparm isn't aware of
[21:01] <daftykins> at least from in Windows with the drive on a secondary channel, the utility runs a secure erase and some other kind of wipe and claims it worked - but nothing changes... but yeah i could try preparing the bootable media, i suspect it'll be no different
[21:01] <daftykins> i've found and tried many different utilities, some from a DOS environment - everything errors with the password i set
[21:02] <TJ-> is it possible you mistyped ? is the command history in the clear so you can confirm the password you think you set, is the one actually set?
[21:03] <daftykins> i think the 14.04.3 kernel and utility are to blame, nah i definitely had it 100%
[21:04] <TJ-> well as far as I recall hdparm does direct access to the device - I'm not sure the kernel gets involved aside from passing the command/data to the drive
[21:05] <daftykins> hmm, i found a comment that using 16.04 or above's kernel has changed something that ruins the functions
[21:05] <TJ-> really, where's that?
[21:05] <daftykins> ah not sure i can dig it up now, let's have a quick try
[21:11] <daftykins> here's an example of the error 14.04.3 would give...
[21:11] <daftykins> SG_IO: bad/missing sense data, sb[]:  70 00 05 00 00 00 00 0a 04 51 40 00 21 04 00
[21:11] <daftykins> i've chopped the values at the end and those aren't necessarily identical to what i got
[21:12] <daftykins> the drive wasn't frozen at this point, like some results online suggest
[21:15] <TJ-> that missing sense data was after setting the password though?
[21:16] <daftykins> yep, that's on any attempt at unlock since
[21:17] <daftykins> no luck finding the post talking about the kernel/release having an impact
[21:25] <TJ-> the only related report I can find is with a USB bridge, and the solution there was a direct-connect, which you already have https://bbs.archlinux.org/viewtopic.php?id=160476
[21:25] <daftykins> mmm
[21:25] <daftykins> lots talk about unfreezing too, but that also doesn't apply
[22:55] <daftykins> well, having a rough time with a pet health related drama here so i'm heading off early \o
