[Coco] Re: Not sure about the Barden issue
John E. Malmberg
wb8tyw at qsl.net
Wed Jul 28 20:03:45 EDT 2004
Boisy G. Pitre wrote:
> There was no hacking going on at all.
I was referring to hacking in the generic sense, as any unauthorized use
of your server.
> The system log shows a normal login through SSH that would not have
> raised any flags with me whatsoever.
Does that log show the originating I.P. address?
> Since this fiasco, my machine has locked up repeatedly and I am
> currently looking at it to figure out if (a) the same individual placed
> some type of rogue application on the server
Assuming that the account given out was not privileged, there should be
limited places that it can put such an application.
> or (b) someone from this group is targeting my IP address as a means of
> revenge. So if anyone on this list is taking advantage of this situation
> by attempting to raze my system, please stop. My attempts to provide a
> service to CoCo folks is providing me more grief than it's worth,
On Monday at least one new worm came out, and it is attacking many
systems. Even if your system is not vulnerable to infection, just the
traffic on your network segment can cause problems.
I would be surprised if someone was specifically targeting you, as I
recall only seeing helpful posts from you, never anything controversial.
I have seen small UNIX systems overwhelmed to the point of being
shutdown just from the default I/O buffer allocations being exhausted
from similar network activity. Usually that can be fixed with tuning.
In the case of that specific UNIX system, I had to run a script that
rebuilt the kernel.
Not having specific knowledge of Linux, I do not know how to check for
such things on it.
As I stated before, if your configuration allows you to direct the X-11
output of other computers to yours, the former security settings
available to X-11 allowed those remote computers to slave your keyboard,
mouse, and screen without any visible indication, which means that any
user of those computers could have access to anything that was displayed
on your screen, or typed in at the keyboard. So checking your X-11
access permissions may be needed.
For some X-11 configurations, the default is wide open unless you
implement restrictions. For the current SUSE distribution, it appears
to be locked down.
Since the Hotmail server indicated that HTTP access was used, I sent to
your gmane-munged address some further places to look for things that
the person may have left behind without realizing it. Gmane claims
that it sent the message.
If they displayed an X-11 GUI application back to their computer, its
I.P. address may also be in one of the data files, particularly in
Personal Opinion Only
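The question above about whether the system log shows the originating I.P. address is the first thing to settle in an incident like this. As an added example (not part of the message above, and not taken from Boisy's server), the following Python pulls the source address, user and authentication method out of sshd log lines in the standard syslog format, lists accepted logins that came from outside a trusted address range, and counts failed attempts per source. The log lines are constructed for the example, and the trusted network range is an assumption; substitute the real auth log and your own ranges.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample of sshd syslog entries (not real data from any server).
# Lines that are not Accepted/Failed records (e.g. the pam_unix line) are skipped.
SAMPLE_AUTH_LOG = """\
Jul 26 02:14:07 coco sshd[4121]: Accepted password for boisy from 192.168.1.20 port 51022 ssh2
Jul 26 02:15:33 coco sshd[4130]: Accepted password for guest from 203.0.113.45 port 3388 ssh2
Jul 26 02:15:40 coco sshd[4130]: pam_unix(sshd:session): session opened for user guest by (uid=0)
Jul 26 03:02:11 coco sshd[4201]: Failed password for root from 198.51.100.7 port 40112 ssh2
Jul 26 03:02:15 coco sshd[4201]: Failed password for root from 198.51.100.7 port 40113 ssh2
Jul 27 22:48:09 coco sshd[5012]: Accepted publickey for boisy from 192.168.1.20 port 51190 ssh2
"""

# Matches OpenSSH's "Accepted <method> for <user> from <ip> port <n>" and the
# matching "Failed ..." form; "invalid user" appears for unknown account names.
LOGIN_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_ssh_logins(text):
    """Return one dict per Accepted/Failed sshd line: result, method, user, ip, port."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            event = m.groupdict()
            event["port"] = int(event["port"])
            events.append(event)
    return events


def accepted_from_outside(events, trusted_nets):
    """Accepted logins whose source address is not in any trusted network (CIDR strings)."""
    nets = [ip_network(n) for n in trusted_nets]
    outside = []
    for e in events:
        if e["result"] != "Accepted":
            continue
        src = ip_address(e["ip"])
        if not any(src in net for net in nets):
            outside.append(e)
    return outside


def failures_by_source(events):
    """Count failed authentication attempts per source address."""
    return Counter(e["ip"] for e in events if e["result"] == "Failed")


if __name__ == "__main__":
    # Assumed trusted range for the example; replace with your own LAN/VPN ranges.
    events = parse_ssh_logins(SAMPLE_AUTH_LOG)
    for e in accepted_from_outside(events, ["192.168.1.0/24"]):
        print("accepted login from outside trusted range:", e["user"], e["method"], e["ip"])
    for ip, n in failures_by_source(events).most_common():
        print("failed attempts:", ip, n)
```

On a Linux box the same lines normally live in /var/log/auth.log or /var/log/secure, so `parse_ssh_logins(open(path).read())` is the only change needed; the source I.P. recorded on the "Accepted" line is the one to compare against any address the person later connected from over HTTP.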