mpg123 suddenly started playing a police siren occationly. I checked the process once I heard it, and root was the process owner. How could this happen? Have someone broke into my computer? If so - how could I verify an attack? I run Ubuntu 9.10.
View 2 RepliesQuote:
The 605-page PDF document reads like a listing of the pros and cons for a huge array of defensive and counterintelligence approaches and technologies that an entity might adopt in defending its networks. Of particular interest to me was the section on deception technologies, which discusses the use of honeynet technology to learn more about attackers� methods, as well as the potential legal and privacy aspects of using honeynets. Another section delves into the challenges of attributing the true origin(s) of a computer network attack.
I may not be a code worrior, yet I have been a Ubuntu convert from Apple for about 3yrs now. Since 1984-2006 now hackers or viruses. And Until now Ubuntu has been clean, well I have been good with repos, etc.
1. Recently I found "Odd" behavior with my Amarok 1.4 player, ffmpeg, winff.
2. During a Synaptic upgrade there were some "unauthorized changes". I have seen this before due to some of my software, so I ignored it. . .
To my bewilderment, "It" erased Amarok 1.4 player, ffmpeg, winff, all image kernels, claimed domain over my system permissions, and external HD. B4 I shutdown, downloaded LUCID 10.4. . . restarted, then copied over all info possible to minimize a complete delete of my system. Upon restart, indeed all kernel images were gone, Only live CD allowed me access to repartition my HD.
NOW. I have Lucid running, and have been denied access to my external HD and partitioned (internal HD). I used Nautilus to copy over files to my internal laptop HD, yet permissions continue to be an issue. The INFECTED FOLDERS are owned by "User 999-user#999. I must micro manage every folder and file to gain "partial permission". The dialog box stutters and never allows me to go down to "Root"
Using Opera 10.61 and 10.62, I find that any secure website I access, such as a bank, the lock icon in the address bar is replaced by a question mark. Clicking on it brings up a window, stating that the connection is not secure, that the server does not support TLS Renegotiation. Doing some internet searches for "opera tls renegotiation" brought me to a page at the Opera website, where they discuss this issue. The issue is generic, not limited to Opera, affecting the TLS protocol, and it potentially enables a man-in-the-middle to renegotiate a "secure" connection between a server and client, issuing own commands to the server. Opera has addressed the problem on the client end, but now servers need to be upgraded too. None of the HTTPS sites I have tried have upgraded their servers, if the information provided by the Opera browser is correct.
My questions: how feasible is such a MITM attack, what level of resources would such an attack require? What, if anything, would the attacker need to know about the client and/or server to mount the attack? Would I be better off using Firefox, or is Firefox simply oblivious of the problem and not issuing warnings for that reason?
I have just configured Centos 5.5 LocalMailServer with fetchmail and sendmail , Proxy with Squid and FileServer with samba. Now my concern is security.. How can i protect my server with outside attack. Will I need to block some ports or I need special tools or script so no one from outside can attack my machine. My machine is working on intranet with local ip only.. No web server or static ip exists. Machine is connected with ADSL router to access internet.
View 5 Replies View Relatedhow can I track a Dos and DDoS attack on a server . Does linux have any goiod known command line utilities and log files to us e in this way?
View 1 Replies View RelatedI have implemented two machines one for honeypot(192.168.100.10) and another(192.168.100.20) to remotely log the honeypot log file using syslog. Inside honeypot I emulated another 3 machines with services on virtual IPs of that same block.Now honeypot is working and I can see the logs generating as I did a portscan(nmap) on those virtual IPs from .20 machine.All of the machines are running ubuntu.
But does anyone know any s/w or tools which originally attackers use so that I can get a clear picture of what happens from the logs. Having problems creating these attack scenarios.
i have 1 question no more because i got many ddos attack and my load is 95++ what is the best program to stop DDOS Attack ?
View 14 Replies View RelatedI got alarm on Firestarter showing attack from samba service on port 139 . Is that ok for my host computer ? or a serious attack .
View 9 Replies View RelatedI went away from home for a few days, ... Now I am back at home and noticed, that my server is going out with 100% available bandwidth. The server is mainly Http / Ftp / Mail server, so I stopped all services, to see which one it is. ervices stopped, still 100Mbps go out like ants in the flood.
I updated the system, made a backup, installed IPtraf. It seems that I have something 'installed' and my server is running something to attack User computers. It seems to try to find something on random IP's random ports. I am a little bit confused now. As long as my sites are running, I'm ~OK~ but sooner or later I would like to have my bandwidth back. How could I try to hunt down which service/app/process got hacked?
It seems that the monetary system of our society got now more enemy's than friends. Capitalism seems to reach it's end. But my server is serving also ART! Sooner or later we will need to pay copyright even for our thoughts. I was reading today, that the French president wants to punish file sharing as his wife made 3 albums, and wants to get some money ..
Attack Sneaks Rootkits Into Linux Kernel Quote: A researcher at Black Hat Europe this week will demonstrate a more stealthy way to hack Linux
Apr 14, 2009 | 04:21 PM
By Kelly Jackson Higgins
DarkReading
Kernel rootkits are tough enough to detect, but a researcher this week has demonstrated an even sneakier method of hacking Linux. The attack attack exploits an oft-forgotten function in Linux versions 2.4 and above in order to quietly insert a rootkit into the operating system kernel as a way to hide malware processes, hijack system calls, and open remote backdoors into the machine, for instance. At Black Hat Europe this week in Amsterdam, Anthony Lineberry, senior software engineer for Flexilis, will demonstrate how to hack the Linux kernel by exploiting the driver interface to physically addressable memory in Linux, called /dev/mem.
"One of bonuses of this [approach] is that most kernel module rootkits make a lot noise when they are inserting [the code]. This one is directly manipulating" the memory, so it's less noticeable, he says. The /dev/mem "device" can be opened like a file, and you can read and write to it like a text file, Lineberry says. It's normally used for debugging the kernel, for instance.
Lineberry has developed a proof-of-concept attack that reads and writes to kernel memory as well as stores code inside the kernel, and he plans to release a framework at Black Hat that lets you use /dev/mem to "implement rootkit-like behaviors," he says. The idea of abusing /dev/mem to hack the Linux kernel is not really new, he says. "People have known what you can do with these /dev/mem devices, but I have never seen any rootkits with dev/mem before," he says.
Quote: "The problem with kernel-based rootkits is that the rootkit can mitigate [detection] because it has control," he says. "It's a race in the kernel to see who's going to see who first." [URL]
I have full hdd encryption with a rather long key. The thing is the FBI might just show up at my house one day and have a warrant for my PC, and who wants the government looken through there life? I have a few plans on geting my PC shut down before they can get there hands on it. This is all well and good, but if they can sniff my key from the ram It doesn't matter what my key is or weather they find the computer on or off. Anyhow, i was wondering if there was some way I could add a script to the shut-down process that would over-write the ram.
View 11 Replies View RelatedI have been receiving attack alerts. And I would like to root out the source of the problem. I'll give you the messages. If you could help me prevent this hacker from even being able to attempt these things please any advice is helpful. There have been memory stack attempts, failed sys_admin conversion attempts, password file write attempts etc.....
[Code]...
This is an excerpt from the Linux man page for mktemp command: "mktemp is provided to allow shell scripts to safely use temporary files. Traditionally, many shell scripts take the name of the program with the PID as a suffix and use that as a temporary filename. This kind of naming scheme is predictable and the race condition. It creates is easy for an attacker to win. A safer, though still inferior approach is to make a temporary directory using the same naming scheme. While this does allow one to guarantee that a temporary file will not be subverted, it still allows a simple denial of service attack. For these reasons it is suggested that mktemp be used instead."
- How can a denial-of-service attack be carried out if a directory name is known?
- Why is it important to use mktemp to generate a sufficiently random file/directory name for temporary files?
Mint 8 (Ubuntu 9.10, Karmic Koala), FF 3.5.8 with noscript, betterprivacy, ghostery, torbutton Complete newbie regarding wireshark or netactview but I was advised to try one of these to determine if a Firefox add-on was using Tor.
View 6 Replies View RelatedI'm not concerned about this since this traffic is generated from the loopback address, but would like to find out what it is.
[code]...
I searched Using my User Name and did not find the post post made for this problem.Still the search using the User name does not return the first post or this.
View 4 Replies View RelatedIn my Open-Suse server I have a script, where makepasswd output(by default it generates similar passwords: cGyTbqpr, tpJ1LA, 33EXdo) is redirected to mkpasswd(which uses DES by default) in order to generate salted hash of this previously generated password. I would like to test the strength of this system. I have a quad core CPU, and if I start John The Ripper like this(I want to use -incremental:all flag):
john -incremental:all passwd
..only one core is utilized at 100%. Is there a possibility to make all four cores to crack this password? Or is this possible only after reprogramming John The Ripper? Or what is the algorithm for generating passwords with with -incremental:all flag? I mean if John generates passwords randomly in brute-force mode, then it's smart to start four different John processes simultaneously because then one of those four will find the password firs
I have a server and i think that my server is under Ddos attack. i see that server is not having much load and only few process runs but my site opens very slow. i executed the following command on my ssh:
[Code]....
I ticked the box for this when I installed Lucid, but how can I verify that it's actually performing the encryption/decryption?
View 4 Replies View RelatedI have created aprtition calls /dev/sdd4 and used mount comand I changed /etc/fstab added the new partition to that file as recomanded on http://www.cyberciti.biz/faq/linux-disk-format/
Now when I reboot my pc I get an error message
( fsck.ext3: No such file or directory while trying to open /dev/sdd2 [failed]
An error occurred during the file system check. Dropping you to a shell; the systme will reboot when you leave the shell.
Give root password for maintenance (or type Cntrol-D to continue) )
When I type the root password it is on read-only I cant chage any file.
I just ran Computer Janitor on my computer and I think it broke Synaptic. The program was cleaning up some files, but then it froze halfway through and I had to force it to quit. Since then, I can't open Synaptic package manager, the Ubuntu Software Center, nor Computer Janitor itself. When I do they either freeze and I have to force them to quite or they just don't show up on the screen, but they're stuck running in the background because System Monitor reports the processor is running at 100% and so I have to go in manually and kill the bad processes running in the background. Restarting doesn't change anything.Running Lucid Lynx on a HP dc7100, P4 3.2 Ghz, 2gb RAM.
View 2 Replies View RelatedWednesday I went to work, docked and fired up my older Dell C840 laptop (running Fedora 12). It had a long list of updates that it downloaded and installed (it had been off for about a week). When the updates were finished, I noticed that my laptop had locked up. After waiting a while, I ended up doing a cold reboot. After that, I get the Fedora symbol that fills up, and then the screen goes black with a single cursor. You can type in anything and it is reflected- even control and ALT codes. If you hit CTL- ALT-F2, it goes into a terminal mode. You can do almost anything that you'd normally do in terminal mode. The video driver is the original off the install disk, and it's never been changed- it works fine right out of the box.
If I try to start up X-Windows, I get a segmentation fault error. I've tried deleting and then re-installing some of the packages that were updated (trying this via yum), no difference. I don't know what else to do. I need to get this laptop going before next week- it's my work computer and I do use it a lot. Is there any way to get in touch with the people who wrote the updates, and file a bug report? I'm using my main (home) system right now, that for a couple of reasons needs to stay on windoze XP for a few more weeks. I've been around computers for years, but not Linux.
Context: I happened to read through an old presentation today on OpenBSD's cryptography page called "A Future-Adaptable Password Scheme". In spite of its age, it still seems relevant and useful. One of the topics it discusses is the problem of "offline" attacks, where an attacker is not slowed down by any system (or other external) security. It's attacker vs. the computational cost of guessing passwords in such a scenario.
Specific question: On several unix-like systems (including Linux), the salt helps make building rainbow tables computationally expensive. It's not enough to guess a password and hash it; the proper salt must be provided as well, or the password will not be discovered.
However, the salt (or the hashed salt) seems to be visible in /etc/shadow. For example:
Code:
foouser:$6$U9a6HdUY$U3qFDMen0wDmL0x5WHm2OWhOgzOZ4MCQxV/oY.i5RhfXCQrLifIVkBpWOd1CbCGimVCjmfxZAaud/sXDf1.mv0:14733:0:99999:7::: So in an offline attack, a rainbow table could be built using precisely that salt, correct? (Yes, I realize /etc/shadow is not readable by non-root users, but I am considering an offline attack.) Building the salt (or the hashed salt) into the hashed password seems to defeat the purpose of using a salt altogether.
I am running Fedora 14 with KDE on my IBM T60p Thinkpad laptop. The wireless network adapter is Intel PRO/Wireless 3945ABG. The wireless network uses WPA2 with AES encryption.
Until yesterday my wireless worked fine. I originally installed wlassistant and it enabled my Network Manager to work with WPA2. My XP on the same machine still works on wireless without any issues, so both the adapter hardware and the router are eliminated as sources of the problem.
Yesterday I booted up my Linux and noticed there were 20+ security updates and I installed them all. It asked me to logoff and log back in. I did, and since then my wireless is dead as a doorknob. When the wireless adapter initializes it prompts me for the WPA2 password, however the password is visible in the password field. I click to accept it but it cant connect. Network manager just sits there waiting for authentication and nothing happens. The wpa_supplicant service is disabled, however I honestly cant remember if it was enabled before, considering that I use wlassistant. If I enable it, still nothing happens.
Anyway, thinking that the security updates possibly broke wlassistant, I uninstalled it and installed the latest version. The old version was 12, the new one is 13. It makes no difference though.I always use my laptop on wireless, therefore I am dead in the water.
Its really frustrating how something always breaks on this OS. It resembles a leaky boat that always has at least one hole. By the time I plug it another one appears, so I spend 90% of my Linux time fixing problems and have the remaining 10% for work and play. Windows and Mac work out of the box and apparently thats what 99% of users want, hence the 1% market share
Anyway, sorry about this, however losing my network connectivity from installing security updates really ticked me off. Its pretty unacceptable. Anyone has any ideas which recent fixes may be to blame? I am sure it didnt only happen to me.
I installed the latest security update for squeeze. It entailed an update of the kernel. Now when it boots, it give continuous kernel error messages about "can't enumerate usb .... " I have a custom kernel compiled from source (not sure about the patch level) from the same kernel 2.6.32. It seems to work OK. Should I worry about the security of this custom kernel or should I try to recompile it? I don't really know how to do any patching of the kernel source.
View 5 Replies View RelatedIs there any way to verify if packets being trafficked over a certain port are valid for the service you want to use this port for?
One obvious example that probably clarifies my question:
When I open port 443 (outgoing or incoming) for https/ssl traffic, I don't want this port to be used for say openvpn traffic.
Thus: when someone wants to surf to a website with https, it should be ok but if someone wants to connect to his home openvpn server over that same port, it should be blocked.
this is not on the master node, but rather the node that is being replicated to. The problem occurs when i query using ldapsearch or an `getent passwd` EG ldapsearch:
Code:
[root@cakeslave ~]# ldapsearch -x -b 'cn=Christian Unger,ou=People,dc=example,dc=org' -D "cn=replica,dc=example,dc=org" -H ldaps://cakeslave.example.org -w cakewalk
ldap_bind: Can't contact LDAP server (-1)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
[code]....
The cacert.pem in /etc/ssl/certs and /etc/openldap/certificate are identical (check using md5sum). I have done an strace and found that it looks at /etc/pki/tls/cert.pem .
I was looking at my firewall(firestarter) logs. It shows that a program named Master's Paradise has been trying to make connections to outside from my computer on port 3129. Why would I have something like this on my machine? Is this something I need to be worried about?? Or is some legitimate program using port 3129 and the firewall log is still showing it as Master's Paradise?
View 9 Replies View RelatedI have windows computer and it is being hacked.About month ago or more some one hacked my router and install new firmware from Firmware Version: Talisman/Basic V1.2.9a
My router is linksys and SSID got changed to sveasoft.I had WPA set up and MAC filtering .
Some one hacked my router and change Firmware Version.And user name and password also got change to just admin.
Well now I got a pop up from my Kaspersky saying network attack scan.generic.TCP 74.63.245.168
only thing I can find on it http://whatismyipaddress.com/ip/74.63.245.168
It is Limestone Networks in Dallas.
Some strang things have been happing to my computer in past 4 months and is getting worse.
I have no firewall or router now.And have not gone to the store and get new router yet and I'm thinking of formatting my computer and putting linux and get good firewall like zone-alarm.