
Re: Security breach?

From Bit Twister <BitTwister@mouse-potato.com>
Newsgroups comp.os.linux.security
Subject Re: Security breach?
Date 2013-01-12 00:08 +0000
Organization A noiseless patient Spider
Message-ID <slrnkf1ac7.mae.BitTwister@wb.home.test> (permalink)
References (1 earlier) <slrnkevaie.4qm.BitTwister@wb.home.test> <i1OHs.32904$3S5.11697@newsfe18.iad> <XnsA1452A741B196MyBigKitty@216.196.97.131> <slrnkevu1b.sfk.BitTwister@wb.home.test> <XnsA145ABD95DD64MyBigKitty@216.196.97.131>



On Fri, 11 Jan 2013 15:53:52 -0600, Ohmster wrote:
>
> Well, with selinux enabled, *nothing* works anymore. Not samba, ssh may 
> have issues, httpd, ftpd, everything is broken and is a major hassle to 
> get working again, if it is possible at all.

Of course it's possible; otherwise they would quit using it.

> Now I am sure that the 
> people who wrote selinux did not mean to disable the entire daemon system 
> and there must be some, clear documentation on how to make it work, but I 
> cannot find it. No GUI or easy to understand docs that I can find. 
> Pointers?

Cannot remember where I saw it, but there was some command line magic
where you could ask it to tell you what you needed to get an application
registered. Here are all my links. Text after the ! is comments/keywords
I use to find stuff in my urls file.
http://www.linuxnix.com/2012/09/basics-of-selinux-in-linux.html  ! documentation
http://ejohansson.se/archives/2007/11/04/selinux-subversion-and-mod_svn/
http://people.redhat.com/dwalsh/SELinux/Presentations/ManageRHEL5.pdf
http://fedoraproject.org/wiki/SELinux
http://www.redhatmagazine.com/2007/08/21/a-step-by-step-guide-to-building-a-new-selinux-policy-module/   ! howto
http://www.it-observer.com/pdf/dl/demystifying_selinux.pdf ! security secure linux
http://www.linuxdevcenter.com/pub/a/linux/excerpt/selnx_1/index.html ! documentation Adding Permissions Using SELinux



>>> Gotta be a rootkit or something.
>> 
>> And there lies the rub. There is no telling what is installed unless 
>> you take the drive to another system and really dig into it.
>> This assumes you know what you are doing and do not infect the new
>> system. 
>
> I would have to wipe and reinstall this system and I do not want to 
> reinfect it. However, I have many config files that I will need, not to 

I find it much easier to create install/change scripts to modify
config files. Old config files can dink up new releases.  :(


> I have enabled mail in previous installs of Fedora, the whole thing was 
> no good, my IP was blocked every step of the way for being a cable IP 
> block. So much for mail server. I did use my ISP, Comcast as the mail 
> agent, but this too was a disaster. They just do not want individuals 
> running mail servers and I do understand why. Spam boxes were built and 
> sold for this very reason and are totally banned.

I use postfix. It sends in my id/pw then ships out any email in the queue.
As far as my ISP is concerned, it looks like a dumb mail client sending
a lot of email pretty fast.


>
> I read up a little on rkhunter and it seems to take the tripwire 
> approach, meaning I would initially need a clean system to install it on, 
> not much good once system is infected.

You would be correct as far as infected bin/ files but it might find some
malware files.

>
> Yes it is on the same LAN but I doubt it was cracked through the Windows 
> 7 machine which is up to date with Avast installed and updated.

Heheheh, saw a report a few months ago indicating new malware app released
every second. Your AV software has to catch a copy of malware, check it out,
test detection logic, add to database.

> This 
> machine never connects to Linux but for samba 

Yup, see some articles about samba shares used as an attack vector.

> when I want and ssh w/PuTTY when I need it.

And that is where malware can grab id/pw.

>
> You think the machine will power itself back on, all by itself or by 
> remote command when it is not even turned on? 
> I would sure like to see that!

It is possible with Wake on demand nic and enabled in bios.

>  But I will pull the cable if you think it prudent. 

All I am saying is the machine needs to be disconnected as long as it is
infected. Malware could restart/bring up the network. 


> I do want to be 
> able to power it up and rescue my files though, and I would like to be 
> able to do it with LAN access, if at all possible. 

Oh it is possible. And very possible for malware to get back on to the
internet through your win box.

> How to do it? Pull 
> cablemodem plug and run on LAN only while getting files or can I block 
> just the Linux machine from Internet while running it?

Pulling the cablemodem plug would prevent Internet access all right,
assuming no wireless connections from any LAN systems.

>
>> Any internet content, flash, pdf, gif, MP3, WMA, WMV, MP2,..., might
>> contain malware.
>
> ...really. Oh this really bites. Any way to scan files for malware in 
> Linux?

You are missing the point. You are watching a youtube video and the
streaming content contains the exploit.
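
The "command line magic" the reply is reaching for is the SELinux audit trail: every denial lands in audit.log as a `type=AVC` record, and tools like audit2allow and sealert start by grouping those records by source domain, target type, object class and permission. The following script is an added example (not from the original post or from the SELinux project) that does that grouping over constructed sample lines, so you can see which daemon is being blocked from what before touching policy or file labels:

```python
"""Summarize SELinux AVC denials from audit.log-style lines.

Added example, not from the original post. The sample lines below are
constructed in the audit.log AVC format and are not from any real system.
The summary groups denials by source type, target type, object class and
permission, which is the view audit2allow/sealert build before proposing
a policy module or a relabel.
"""
import re
from collections import defaultdict

# Constructed sample audit.log excerpt (samba blocked from a home dir,
# httpd blocked from connecting to the MySQL port, one unrelated record).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1357948800.123:456): avc:  denied  { read } for  pid=2345 comm="smbd" name="share" dev="sda2" ino=12345 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1357948800.124:457): avc:  denied  { getattr } for  pid=2345 comm="smbd" path="/home/user/share/file.txt" dev="sda2" ino=12346 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1357948800.125:458): avc:  denied  { name_connect } for  pid=3456 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1357948800.125:458): arch=c000003e syscall=42 success=no exit=-13
type=AVC msg=audit(1357948800.126:459): avc:  denied  { read } for  pid=2345 comm="smbd" name="share" dev="sda2" ino=12345 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # A context is user:role:type[:level]; policy rules are keyed on the type.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    rec["perms"] = rec["perms"].split()  # a record may list several permissions
    return rec


def summarize_denials(log_text):
    """Count denials per (source type, target type, class, permission)."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        for perm in rec["perms"]:
            counts[(rec["source_type"], rec["target_type"], rec["tclass"], perm)] += 1
    return dict(counts)


def format_summary(counts):
    """Render the counts, most frequent first, one line per rule that would be needed."""
    rows = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return "\n".join(f"{n:4d}  {src} -> {tgt} ({cls}): {perm}"
                     for (src, tgt, cls, perm), n in rows)


if __name__ == "__main__":
    print(format_summary(summarize_denials(SAMPLE_AUDIT_LOG)))
```

On a live host the input would be `/var/log/audit/audit.log` (or `ausearch -m avc`), and the summary tells you whether the fix is a relabel (smbd denied on `user_home_t` is the classic samba-home-directory case, usually a boolean or a label rather than a new policy) or genuinely a missing allow rule. Reading the grouped denials first keeps you from feeding every line to audit2allow and blindly allowing whatever it proposes.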

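The "tripwire approach" the reply agrees with (hash a known-clean tree, keep the baseline out of the machine's reach, compare later) is short to implement. Below is an added example, not the original post's code and not rkhunter's or tripwire's; it builds a small tree in a temporary directory, baselines it, simulates a trojaned binary, a dropped file and a deleted config, and reports the difference. The tree and its contents are constructed for the demo.

```python
"""Baseline-and-compare file integrity check (the tripwire approach).

Added example, not from the original post or from rkhunter/tripwire.
The scanned tree is constructed in a temporary directory so the script
runs stand-alone; on a real host you would baseline /usr/bin, /etc and
similar paths from a clean install and keep the baseline off the box.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> {sha256, mode, size} for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files need separate handling
            st = os.lstat(full)
            baseline[os.path.relpath(full, root)] = {
                "sha256": sha256_file(full),
                "mode": oct(st.st_mode & 0o7777),
                "size": st.st_size,
            }
    return baseline


def compare(baseline, current):
    """Return added, removed and changed paths between a saved baseline and a fresh scan."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Construct a tree, baseline it, tamper with it, and report what changed."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        for rel, body in (("bin/ls", b"#!/bin/sh\necho ls\n"),
                          ("bin/ps", b"#!/bin/sh\necho ps\n"),
                          ("sshd_config", b"PermitRootLogin no\n")):
            with open(os.path.join(root, rel), "wb") as f:
                f.write(body)
        # The baseline would be written to read-only or off-box storage here.
        saved = json.dumps(build_baseline(root))

        # Simulated tampering: altered binary, hidden drop, deleted config.
        with open(os.path.join(root, "bin/ps"), "wb") as f:
            f.write(b"#!/bin/sh\necho ps | grep -v hidden\n")
        with open(os.path.join(root, "bin/.hidden"), "wb") as f:
            f.write(b"payload\n")
        os.remove(os.path.join(root, "sshd_config"))

        return compare(json.loads(saved), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point the post makes still holds: the comparison is only as trustworthy as the baseline and the tools doing the hashing. A baseline taken after infection, or a `sha256sum`/Python interpreter that has itself been replaced, reports a clean system, which is why the drive is best scanned from another, known-good host.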