Security :: Honeynet Challenge Results: Forensic Analysis Of A Compromised Server
May 7, 2011
I just noticed the results of the Honeynet Project's Challenge 7: Forensic Analysis of a Compromised Server have finally been posted today. Just got done reading one of the submissions and it's pretty good if anyone is interested in how to analyze a Linux incident involving evidence from memory and the file system.
Apr 13, 2011
This is the alert I got:
Code:
Summary:
Your system may be seriously compromised! /usr/sbin/NetworkManager tried to load a kernel module.
Detailed Description:
SELinux has prevented NetworkManager from loading a kernel module. All confined programs that need to load kernel modules should have already had policy written for them. If a compromised application tries to modify the kernel this AVC will be generated. This is a serious issue. Your system may very well be compromised.
Allowing Access:
Contact your security administrator and report this issue.
Additional Information:
Source Context system_u:system_r:NetworkManager_t:s0
Target Context system_u:system_r:NetworkManager_t:s0
Target Objects None [ capability ]
[code]....
Jan 25, 2010
Today any web browser I use has randomly been bringing me to URL... at random intervals. I've run chkrootkit from a live CD, and rkhunter, clamav, f-prot, and bitdefender; nothing's unusual. All the definitions were up to date. I'm wondering if it's possible that my router got hacked. I'm not sure this is even possible, but it's acting weird. Tried reflashing its firmware, didn't fix it.
Mar 28, 2011
Looks like my Firefox has been compromised and I have a packet sniffer. Not sure what to do. Should I just delete the suspicious files? Here's the chkrootkit log:
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
[code]....
Dec 1, 2010
A site belonging to the Savannah GNU free software archive was attacked recently, leading to a compromise of encrypted passwords and enabling the attackers to access restricted project material. The compromise was the result of a SQL injection attack against the savannah.gnu.org site within the last couple of days and the site is still offline now. A notice on the site says that the group has finished the process of restoring all of the data from a clean backup and bringing up access to some resources, but is still in the middle of adjusting its security settings.
Jan 25, 2011
The infrastructure of the Fedora Project was compromised over the weekend and an account belonging to a Fedora contributor was taken over by an attacker. However, Fedora officials said they don't believe that the attacker was able to push any changes to the Fedora package system or make any actual changes to the infrastructure.
The attack appears to have targeted one specific user account, which had some high-value privileges. The attacker was able to compromise the account externally, and then had the ability to connect remotely to some Fedora systems. The attacker also changed the account's SSH key, Fedora officials said.
Sep 22, 2010
I have an OpenSSH server running on Ubuntu 10.04, and it works fine.
I'm concerned that my SSH key may have been compromised and would like to replace it.
I tried replacing keys before and reinstalling OpenSSH and SSH before but ran into terrible trouble so I'm asking for instruction before touching anything this time.
Code:
laeg@skyrocket:~/.ssh$ ls
authorized_keys id_rsa id_rsa.ppk id_rsa.pub known_hosts
Code:
laeg@skyrocket:/etc/ssh$ ls
[Code]....
So can I just Synaptic 'fully' uninstall SSH (although probably even less necessary than...) and OpenSSH, back up sshd_config, delete the two dirs referenced above, reinstall both packages, insert my sshd_config backup, and then start from scratch following the guides linked below?
Dec 4, 2010
I have a server connected to the internet placed in a DMZ that was running ProFTPD. A couple of weeks ago there was a security threat uncovered that would grant access to external users through a buffer overflow. Of course I patched my ProFTPD quite often after that to secure my server. Now my problem is that the servers of ProFTPD were compromised and that source code with a back-door was released. To make matters worse, compromised systems notify the hacker they are infected. Is there any way to ensure I don't have a root-kit installed short of reinstalling the system?
Apr 26, 2010
Second time clamav detects the malware on my laptop under Ubuntu:
winnow.compromised.ts.jsexploit.5.UNOFFICIAL
winnow.spam.ts.domains.158.UNOFFICIAL
gspace.js: winnow.malware.cm.miscspam.387929.UNOFFICIAL
What does this mean, is it serious and what is the origin of this infection?
Mar 14, 2010
I remotely access my openSUSE 11. I am using the TightVNC program. There is nothing wrong with accessing. But I have to start an analysis program, and this analysis takes about 4 to 6 hours. Therefore, I want to disconnect and let my analysis continue. But after disconnecting from SUSE, the program I started stops working. Does anybody know how not to kill the program while I am not connected?
Jan 27, 2011
When I run:
Quote:
mount -t davfs http://xxxx/webdav /home/USER1
I get:
Quote:
Please enter the username to authenticate with server
http://xxxx/webdav or hit enter for none.
Username: USER1
Please enter the password to authenticate user USER1 with server
http://xxxx/webdav or hit enter for none.
[code]....
May 13, 2010
An interesting challenge involving diskless booting a PC
Feb 21, 2010
I just found these in my setroubleshoot logs and what the hell is going on:
Quote:
Summary:
Your system may be seriously compromised!
Detailed Description:
[SELinux is in permissive mode. This access was not denied.]
SELinux has prevented semodule from modifying $TARGET. This denial indicates semodule was trying to modify the selinux policy configuration. All applications that need this access should have already had policy written for them. If a compromised application tries to modify the SELinux policy this AVC will be generated. This is a serious issue. Your system may very well be compromised.
Allowing Access:
Contact your security administrator and report this issue.
Additional Information:
Source Context staff_u:staff_r:staff_t:s0
Target Context system_u:object_r:semanage_store_t:s0
Target Objects modules [ dir ]
[code]....
This isn't even the half of it either, there are other warnings in between them about netfilter_contexts unlink operations and /usr/sbin/semodule "rmdir" operations on modules.
All I can remember doing earlier was switching into permissive mode to change the type of a WINE application, the legitimacy of which - for system security purposes - I don't doubt. That, and generating policy for it which I tried running the install script for after changing the type didn't work. Neither of those actions seem like they'd try to remove the modules directory.
Oct 24, 2010
I have RHEL4 running on an IBM X3550 server. When we request IBM support regarding issues with this server, they ask for IBM DSA logs. The logs are quite extensive and cover almost all server config and can identify hardware issues with drivers, etc. I want to know if there is a way to analyze those logs offline without sending them to IBM support?
Mar 4, 2010
We're using Munin for trend analysis purposes, but would like to use it to generate custom reports. One way I envision this is:
* The report is created as a web-page on the munin server, such as [URL]
* The layout of the report is customized based on the project
* The report will be triggered by a cron-job, and I will be notified by email when the report is completed
Does anyone know if this type of script/job already exists?
Nov 30, 2010
I have a problem when I deploy the Honeynet project with Honeywall 1.4. Can someone upload Honeywall version 1.3 or 1.0 again for me?
Apr 23, 2010
I'm using gpg to encrypt and sign a file on a Linux machine. Using the same keys, the file is encrypted and signed on a Windows machine and the file sizes are different.
I then encrypted and signed on another Windows machine and again the file sizes are different. Does GPG use some random stuff from the machine during encryption?
Apr 10, 2010
I've installed ClamTK on my Kubuntu 9.10 installation, since it's connected to a Windows 7 machine. When I ran a scan, it found 9 'viruses', but they are all within my home directory > Opera/mail/store and are either status Phishing.Heuristics.Email.SpoofedDomain OR HTML.Phishing.Bank-593. I recently synced my Hotmail into Opera, so I checked the corresponding dates in my Hotmail account and deleted the emails which I thought were related; however, after clearing down my Opera history, etc., re-booting my PC and re-scanning, the results are the same. How do I clear down these files?
May 29, 2011
I am a newbie in Ubuntu. I did clamscan on my Ubuntu /, and I got the result message as follows. It shows "486 errors"; I am wondering if the result is OK or I need to do some action on it.
Known viruses: 968595
Engine version: 0.96.5
Scanned directories: 28067
Scanned files: 131696
Infected files: 0
Total errors: 486
Data scanned: 9020.40 MB
Data read: 17800.31 MB (ratio 0.51:1)
Time: 1349.479 sec (22 m 29 s)
Also, my engine is 0.96.5. The latest version is 0.97. But "aptitude upgrade" cannot upgrade the engine to 0.97. I understand 0.97 is still in testing. I am wondering if I can just stay with 0.96.5 and wait for 0.97 to pass all tests. If so, does it cause any security issue?
Jun 6, 2010
I was testing the security of my Ubuntu 10.04 64bit install by running a port scan from [URL] and I came upon some odd results. It appears that basically all my ports are closed, but only Port 646 is dropping packets silently. Furthermore, Port 80 is open.
Apr 18, 2011
I ran two scans in Zenmap: 1) Quick scan plus and 2) Quick Traceroute. Quick scan plus, under the Nmap Output tab, has a field called "Network Distance". The Quick Traceroute report under the same tab lists the HOP and RTT time. I was thinking that for a given server, the value for the Network Distance would be the same as the HOP field when initiating the scans from the same server, but they are not.
Mar 21, 2011
I have used the words 'Open Challenge'. I have attached a spreadsheet 'Sample file for filter.ods'. TASK: In a presentation, I would like to show what the Topics of India are on Day-1, Day-2, Day-3, Day-4. That means I am going to Filter India and (Day-1, Day-2, Day-3, Day-4).
Apr 8, 2010
I am trying to set permissions on my WordPress install such that the WordPress admin can write to the files and directories in the WordPress tree. Otherwise I have to do all the things WordPress does automatically by hand with vi. Of course I would like to have permissions set as precisely as possible for security. At present the files are set to 644 (-rw-r--r--). My plan is to change permissions to 664 (-rw-rw-r--) using chmod, i.e. "chmod -R 664 ./wordpress".
Feb 5, 2010
I run Ubuntu 9.04 and was recently told by my university that my computer is massively port scanning the network. I am interested in learning more about figuring out what is happening to stop it, but I am lost at where to begin. What steps should I take (or files to look at) to figure out what is happening?
Apr 6, 2010
I'm timing how long it takes to run a command foo. I'm looking to append the results from the time command to a file, and discard the results from the foo command. I tried the following, but it didn't do what I want:
$ time ./foo > /dev/null >> output_from_time_command.txt
Jan 22, 2011
I setup an ssh server that works fine when using the terminal, but trying to run programs like firefox fails. It will open partially and then simply hang. Less complicated programs can open successfully and run fine, but cause my remote computer to pause every 5 seconds for about a second.
Feb 6, 2010
We are trying to define an appliance based on SUSE for an application server and an Apache web server, so we would like to know configuration best practices for network and security. Is there any paper/doc about best practices?
Feb 16, 2011
My Linux server, which is running my company website, has been hacked. Today I saw a number of client (customer) entries with some funny characters in my database, and access is denied to real clients.
Aug 16, 2009
I've setup postfix using mysql tables and all works except for sending to an alias. The mysql logs show that postfix is only looking at the mailbox table for where to deliver the mail for the alias. However it is not looking in the virtual alias maps table. There are no complaints from postfix on startup to indicate that there is anything wrong, and if I send to a virtual domain listed as a relay on the server it does look up the virtual alias table... even though the domain is not hosted on the server....
So the question I have is where to look next? The mysql log shows the expected lookups from postfix EXCEPT for the virtual alias map queries.... why would it not be checking the table? Since it is not looking up the virtual alias it bounces the addresses back to sender complaining that the user doesn't exist... It does deliver to a virtual mailbox, however again it never checks the virtual alias table.... so it only delivers since there's a mailbox for it rather than needing an alias...
Jul 27, 2011
some basic programming/scripting/etc. ability but I am not able to do what I now need to do. I would like to have a link on a website that when a user clicked on that link, one script or another would execute based on what operating system that person is using. To wit: If a Mac User clicked on it, it would run a terminal script and would set up a served printer for him; if a PC user clicked on it, it would run a script to set up the served printer on his machine, you get the drift. The printer is being served on a Windows Server 2003 machine, the users are NOT domain users, the print server is also hosting the files, scripts, webpage.