===========================================================
LINUX NEWS
Resources & Links From CramSession.com
Thursday, January 31, 2002
===========================================================
-----------------
TABLE OF CONTENTS
-----------------
1) Sean's Notes
2) Linux News
Loki Shuts Its Doors
Mandrake Releases 8.2 Beta
Red Hat Unveils Secure Enterprise Services
Another Word on Solaris for x86
3) Linux Resources
Fistful o' Links
Linux+ Study Tips
Using rndc to Administer BIND
BIND Upgrading Gotchas
Touching Up Scanned Images With the GIMP
4) App o' the week
~~~~~~~~~~~~~~~~~~~~~~ ADVERTISEMENT ~~~~~~~~~~~~~~~~~~~~~~~
Get the skills, knowledge and credentials you need to excel
in your career by attending University of Phoenix Online.
Earn your degree at the times and places that work best for
you. Our proven Web-based format lets you complete your
education in the most efficient and convenient way possible.
There's no commuting. No crowded classrooms. No schedule
conflicts. You simply click into class and start learning.
Learn more at http://ad.brainbuzz.com/?RC06&AIH07
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
For information on how to advertise in this newsletter
please contact mailto:adsales@CramSession.com or visit
http://cramsession.com/marketing/default.asp
===========================================================
1) Sean's Notes
===========================================================
A couple of weeks ago I posed a question to the Linux-General
board, asking what you'd do if you thought your machine was
cracked.
http://boards.cramsession.com/boards/vbm.asp?mE7750
One thing a script kiddie will do upon gaining entry to a system
is install a Root Kit. The purpose of the kit is to gather
information (mostly passwords) about the other users, clean up
after the attack (logs), and to leave a back door.
Along with the back door is usually a replacement of some system
binaries to hide the existence of the root kit itself. If you
checked the process listing and saw "password_sniffer" running,
you'd probably be a bit suspicious. Likewise, if the promiscuous
flag on an ethernet card were set (meaning that the card is
capturing all data on the LAN), that might set off a warning bell.
To combat this, rootkits install trojaned versions of exactly those
utilities (ps, netstat, ifconfig, ls and so on) that return
"cleaned-up" results with the attacker's files and processes
edited out.
So one day you log in, and something doesn't seem right, but
according to "ps", everything is. What do you trust?
kvanhaaren was quick to note that /proc has a directory for each
process id that's running. /proc is special: its files don't
exist on any disk. It's a virtual filesystem through which the
kernel reports on anything from devices, to processes, to network
activity. When you read the files in that directory, you're asking
the kernel directly rather than trusting a binary on disk.
A quick check is to compare the number of processes that ps
reports with the number of numeric directories in /proc (one per
running process):
# ls /proc | egrep '^[0-9]+$' | wc -l
127
# ps -ef | wc -l
127
The two pipelines don't contribute the same number of lines of
their own: the first runs three processes (ls, egrep and wc), all
visible in /proc at the moment ls reads it; the second runs two
(ps and wc), but ps also prints a header line, so the totals
normally agree. A difference of one is still nothing to panic
about, since a process can start or exit between the two snapshots.
If the numbers match, my copy of ps is at least reporting every
process the kernel admits to in /proc. A lower count from ps means
ps is hiding something from me. Note that this only catches a
replaced ps binary: a rootkit loaded as a kernel module can filter
the /proc listing as well, and both counts would then agree.
Now, my objective is to quickly find out which pids are running
but not being shown by ps, so I can deal with them. Replacing
/bin/ps with a clean copy takes time, and I may already have taken
this machine off the network (which is probably a good idea), so I
can't just download one. The most direct way is to dump a list of
pids from each method into a file, and use "diff":
# cd /tmp/
# ps -ef | awk '$2 ~ /[0-9]/ {print $2}' | sort -n > fromps
# ls /proc | egrep '^[0-9]+$' | sort -n > fromproc
# diff fromps fromproc
94,96c94,96
< 6565
< 6566
< 6567
---
> 6568
> 6569
> 6570
Here, I can see that three process IDs differ. Since the PIDs
are consecutive and the highest on the box, I know they belong
to the two pipelines I just ran (ps/awk/sort in one, ls/egrep/sort
in the other), so no worries. What if I saw instead:
94,96c94,99
< 6565
< 6566
< 6567
---
> 6568
> 6569
> 6570
> 21221
> 21222
> 21223
(sort -n puts the larger PIDs last.) I'd know that 21221 - 21223
are running but hidden from me. /proc/21221/cmdline tells me the
command line of the process, /proc/21221/exe is a symlink to the
binary it was started from (which still resolves even if the file
has since been deleted from disk), and /proc/21221/cwd is its
working directory. Write all three down for each hidden PID before
you touch anything; once the process is gone with "kill -9", so is
that information. Repeat for the next two, then kill 'em.
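Here is the whole check as a script, added as an illustration and not part of the original column. It does the ps-versus-/proc comparison described above, enumerates /proc with a shell glob instead of ls so the check itself forks nothing that would then show up as "hidden", and records cmdline, exe and cwd for anything it finds before you reach for kill. The function and variable names are my own; the script assumes a Linux /proc and a procps-style ps that understands "-o pid=".

```shell
#!/bin/sh
# Added example, not code from the original column: compare the PIDs ps
# reports against the numeric directories the kernel exposes in /proc.
# A trojaned /bin/ps can edit its own output; it cannot change what the
# kernel answers for /proc.  (A rootkit inside the kernel can, so an empty
# result clears ps, not the kernel.)  Function names are my own.

# hidden_pids PS_PIDS PROC_PIDS
#   Pure comparison of two whitespace-separated PID lists, kept free of any
#   live-system access so it can be exercised on made-up input.  Prints the
#   PIDs present in PROC_PIDS but absent from PS_PIDS, one per line, in
#   numeric order; prints nothing when the lists agree.
hidden_pids() {
    ps_pids=" $(printf '%s ' $1)"          # " 1 2 3 " so we can match " pid "
    for pid in $2; do
        case "$ps_pids" in
            *" $pid "*) ;;                  # ps reported it: fine
            *) printf '%s\n' "$pid" ;;      # in /proc, not in ps: hidden
        esac
    done | sort -n
}

# pids_from_ps: just the PID column; the empty "pid=" label suppresses the
# header line that "ps -ef | wc -l" counts.
pids_from_ps() {
    ps -e -o pid=
}

# pids_from_proc: enumerate /proc with a shell glob rather than ls(1), so
# the check itself forks nothing that would then show up as "hidden".
pids_from_proc() {
    for d in /proc/[0-9]*; do
        printf '%s\n' "${d#/proc/}"
    done
}

# describe_pid PID: record what the kernel knows before anything is killed.
# /proc/PID/exe still resolves even if the attacker deleted the binary.
describe_pid() {
    pid=$1
    printf 'PID %s\n' "$pid"
    printf '  cmdline: '; tr '\0' ' ' 2>/dev/null < "/proc/$pid/cmdline"; echo
    printf '  exe:     '; readlink "/proc/$pid/exe" 2>/dev/null || echo '(unreadable)'
    printf '  cwd:     '; readlink "/proc/$pid/cwd" 2>/dev/null || echo '(unreadable)'
}

# check_live: run the comparison on this machine and describe each hit.
# Returns 0 when nothing is hidden and 1 otherwise, so it can run from cron.
check_live() {
    hidden=$(hidden_pids "$(pids_from_ps)" "$(pids_from_proc)")
    [ -z "$hidden" ] && return 0
    for pid in $hidden; do
        # A PID that exited between the two snapshots is noise, not a rootkit.
        [ -d "/proc/$pid" ] && describe_pid "$pid"
    done
    return 1
}
```

hidden_pids never touches the live system, so it can be tried on made-up lists; check_live runs the real thing and exits non-zero when something is hidden. A clean result rules out a trojaned ps, not a compromised kernel.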
Two things remain to be done before you even think about putting
the machine back into service.
Remember the command lines you wrote down from /proc earlier? Try
to find the binaries behind them. If "linsniffer" was the name of
one of them, use find to locate it:
# find / -name linsniffer -print
/dev/ida/.inet/linsniffer
As you can see, the rootkit is hidden in /dev/ida/.inet: a dot
directory (so a plain ls won't show it) under /dev, where nobody
expects regular files to live. "find /dev -type f" turns up any
other regular files there, and they deserve a look, since almost
nothing legitimate is one. Tar up those files for evidence, and
then get rid of them.
Next thing to do is to preserve the logs. /var/log/messages,
/var/log/maillog, and /var/log/secure must be saved. (If the
attack happened a while ago, the relevant entries may have been
rotated into messages.1.gz and so on; save those too.) Any log
you can find (samba, apache), save it. You're going to want to
look for any sign of the attacker, and cleaning these files is
one of the things the rootkit was installed to do.
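As an added example (not from the original column), one way to do the evidence collection for both the rootkit directory and the logs in a single step: archive with permissions and timestamps preserved, keep a directory listing as found, and record a SHA-256 of the archive so you can show later that the copy hasn't changed. The function names and the evidence directory are my own choices, and the checksum step assumes sha256sum from GNU coreutils or busybox (the 2002-era equivalent would be md5sum).

```shell
#!/bin/sh
# Added example, not code from the original column: bundle the rootkit's
# files and the logs as evidence before cleaning up.  Assumes tar, ls and
# sha256sum (GNU coreutils or busybox); the evidence directory layout and
# the function names are my own.  The evidence directory should really be
# removable media or a copy sent to another host, not a directory on the
# compromised disk.

# preserve_evidence EVIDENCE_DIR PATH...
#   Records a recursive listing of PATH... exactly as found (owners, modes,
#   mtimes), archives them with -p so the archive preserves permissions and
#   timestamps, and writes SHA-256 sums of both so later tampering with the
#   copy can be detected.  Prints the archive path on success.
preserve_evidence() {
    dest=$1; shift
    mkdir -p "$dest" || return 1
    # Reading the files does not change them, so take the listing first.
    ls -laR "$@" > "$dest/listing.txt" 2>&1 || true
    tar -cpf "$dest/evidence.tar" "$@" || return 1
    ( cd "$dest" && sha256sum evidence.tar listing.txt > SHA256SUMS ) || return 1
    printf '%s\n' "$dest/evidence.tar"
}

# verify_evidence EVIDENCE_DIR: succeeds only if archive and listing still
# match the sums recorded when they were taken.
verify_evidence() {
    ( cd "$1" && sha256sum -c SHA256SUMS >/dev/null 2>&1 )
}
```

Typical use is preserve_evidence /mnt/usb/evidence /dev/ida/.inet /var/log, followed by verify_evidence /mnt/usb/evidence whenever the copy changes hands. Keep the SHA256SUMS file somewhere the archive isn't (print it, mail it to yourself), otherwise whoever can alter the archive can alter the sums too.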
If your distribution uses RPM, the package database gives a second
opinion on the binaries themselves. The /proc comparison earlier
was a shortcut; this is a better check, but still no guarantee,
since an attacker with root can doctor the database (or rpm
itself) as easily as ps.
# rpm -qf `which ps`
procps-2.0.6-5
# rpm -V procps
S.5....T /bin/ps
Each letter in that first column is an attribute that no longer
matches what the package recorded: S is the file size, 5 the MD5
checksum and T the modification time; a dot means that attribute
still matches. Size, checksum and mtime all changed on /bin/ps,
which is exactly what a replaced binary looks like.
Once you're back in action, carefully check what's been changed:
# rpm -Va
and replace any packages that look fishy. Edited configuration
files show up in that listing too (marked with a "c"), and those
changes are usually your own. If you can, run the verification
from a rescue disk, with rpm's --root option pointing at the
mounted root filesystem, so that neither the rpm binary nor the
libraries it loads come from the suspect system.
Being hacked by script kiddies isn't the end of the world.
As a good friend put it, it's "a little wake up call for all of
us to make sure our versions are current and machines properly
locked down." If it happens to you, turn it into a learning
experience.
Some tools that might help keep you from becoming the victim of a
script kiddie:
http://www.tripwire.org/ - Keeps a database of checksums of key
binaries so you can quickly figure out what's been changed. Store
that database offline or on read-only media, or the attacker can
simply update it along with the binaries.
http://www.psionic.com/abacus/logcheck - Periodically checks
your system logs for suspicious activity, and mails the
results to you.
http://www.thenewbiesarea.com/unix.shtml - A collection of
script kiddie tools like root kits. I believe it's important
to know the tools that will be used against you, but be
careful and responsible with these!
Long live the Penguin,
Sean
mailto:swalberg@cramsession.com
P.S. - If you've sent me mail in the past couple of weeks
and I didn't get back to you, please resend. Some messages
to my address were bouncing. Make sure to use @cramsession.com
instead of the old @brainbuzz.com address. Thanks!
===========================================================
2) Linux News
===========================================================
---------------------
Loki Shuts Its Doors
---------------------
It was reported before that Loki Software had filed for
bankruptcy protection, but the latest news is that they're
folding up for good. Loki ports popular games from Windows
to Linux, and it's a sad thing to see them go.
http://slashdot.org/article.pl?sid/01/24/032223&mode=thread
---------------------------
Mandrake Releases 8.2 Beta
---------------------------
For those of you that just have to be on the leading edge,
Mandrake has made available a beta of their next release.
It's got the 2.4.17 kernel, and some new utilities. The
screenshots of the DiskDrake application look interesting,
promising to make file sharing as easy under Linux as it
is with Windows, while still retaining the security and
efficiency that brought you over in the first place.
http://www.linux-mandrake.com/en/82beta.php3
-------------------------------------------
Red Hat Unveils Secure Enterprise Services
-------------------------------------------
In conjunction with their Red Hat Network, which allows
administrators to keep multiple machines up to date easily,
Red Hat announced that they're adding security services to
the mix. I'm happy to see the company addressing the needs of
the enterprise, since a managed security service has to be
more efficient than having a bunch of people sitting around
installing the latest Win2K hotfix.
http://www.redhat.com/about/presscenter/2002/press_linuxworld.html
--------------------------------
Another Word on Solaris for x86
--------------------------------
Newsforge.com interviewed a marketing guy from Sun about the
news that they'll be dropping the x86 port of Solaris. No good
news for Solaris fans here, but the Open Source advocates in
the crowd will like what this article has to say.
http://www.newsforge.com/article.pl?sid/01/28/1637218
===========================================================
3) Linux Resources
===========================================================
------------------
Fistful O' Links
------------------
Long-time site member NovellDude passed along 20-odd Linux-
related links guaranteed to keep you informed. There are news
sites, distribution vendor sites, and even a handy place to
pick up cheap CDs. Thanks, ND!
http://boards.cramsession.com/boards/vbm.asp?mF6665
------------------
Linux+ Study Tips
------------------
It's no secret that the Linux+ exam is slightly slanted
towards Red Hat, despite its claim of being vendor neutral.
As with most exams, the content also lags current technology
somewhat. If you're using Red Hat 7.2 to prepare for this
exam, then this posting from the author of a Linux+ book
will certainly interest you, as it points out where your
system will be different from what's expected on the exam.
http://boards.cramsession.com/boards/vbm.asp?mF8888
------------------------------
Using rndc to Administer BIND
------------------------------
rndc is a great utility to manage BIND servers, as it lets
you remotely reload zones, or get debugging information.
This article walks through the setup and use of this utility,
including how to properly control its use.
http://www.netadmintools.com/article.php?sid%
-----------------------
BIND Upgrading Gotchas
-----------------------
I wish I knew about this one when I made the change to BIND 9.
To say there are some behavioral differences between v8 and
v9 would be an understatement. This page lists nine common
problems people encounter (and solutions, of course).
http://sysadmin.oreilly.com/news/dnsandbind_0401.html
-----------------------------------------
Touching Up Scanned Images With the GIMP
-----------------------------------------
I must be cursed. Not only do I take bad pictures, but
whenever I scan them in they look even worse. Am I worried?
No! This article taught me the fine art of touching up
photos with everyone's favourite image editor, the GIMP.
http://www.geocities.com/SiliconValley/Haven/5179/
===========================================================
4) App o' the week
===========================================================
If you've got the task of managing multiple Unix firewalls,
or you're contemplating Unix as a firewall solution, look
at this site. The Firewall Builder has a Checkpoint-like GUI,
supports multiple firewalls, and can even push out new rules
to iptables or ipfilter clients. It even supports all the
different NATting rules, and the ability to add rules to
protect the firewall itself. As if this isn't good enough,
it's even got good documentation (including a tutorial!)
http://www.fwbuilder.org/
===========================================================
(C) 2002 BrainBuzz.com, Inc. All Rights Reserved.
===========================================================