freebsd-hackers Digest, Vol 91, Issue 7

tester tester at mail.mydsl.net.pk
Fri Dec 17 08:13:55 PST 2004


how did you  CHANGED the limit to (800pkt/sec). this would be around 12Mb/sec
traffic.


On Fri, 17 Dec 2004 12:01:06 +0000 (GMT), freebsd-hackers-request wrote
> Send freebsd-hackers mailing list submissions to
> 	freebsd-hackers at freebsd.org
> 
> To subscribe or unsubscribe via the World Wide Web, visit
> 	http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> or, via email, send a message with subject or body 'help' to
> 	freebsd-hackers-request at freebsd.org
> 
> You can reach the person managing the list at
> 	freebsd-hackers-owner at freebsd.org
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of freebsd-hackers digest..."
> 
> Today's Topics:
> 
>    1. -CURRENT problems with WCCP/high load  (Gaspar Chilingarov)
>    2. Strange command histories in hacked shell server (Ganbold)
>    3. Re: -CURRENT problems with WCCP/high load (Andre Oppermann)
>    4. Re: brute3.tar.gz (John Von Essen)
>    5. Re: Multi-volume compressed dumps on DVDs (Dag-Erling Sm?rgrav)
> 
>    6. Re: duplicate CVS modules in merged CVSROOT (Dag-Erling 
> Sm?rgrav)
>    7. Re: using two keyboards at the same time (Dag-Erling Sm?rgrav)
>    8. Re: duplicate CVS modules in merged CVSROOT (Dmitry Morozovsky)
>    9. Re: duplicate CVS modules in merged CVSROOT (Roman Kurakin)
>   10. Re: nfs within jail (Matt)
>   11. USB video? (David Gilbert)
>   12. Re: nfs within jail (David Scheidt)
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Thu, 16 Dec 2004 00:46:05 +0400 (AMT)
> From: "Gaspar Chilingarov" <nm at web.am>
> Subject: -CURRENT problems with WCCP/high load 
> To: freebsd-hackers at freebsd.org
> Message-ID: <53000.217.113.1.123.1103143565.squirrel at webmail.web.am>
> Content-Type: text/plain;charset=utf-8
> 
> Hello!
> 
> machine panics under load (800pkt/sec, 600-800 kByte/sec traffik)
> 
> I got a dual pIII 1Ghz machine with todays -current, 
> ipfirewall_forward option enabled, several Intel Express cards 
> inside. kernel is GENERIC with some stripped drivers, witness, 
> invariants, debugging etc disabled. compiled with -O2 -pipe, no arch 
> flags.
> 
> running squid with wccp2 patch, loaded modules -- acpi, ipfw, if_gre.
> 
> on another side is a cisco router which redirects traffic to freebsd 
> box using wccp2.
> 
> after running several seconds under the load -- 7-10 seconds 
> computer panics with in process swi:net.
> 
> kernel world compilation run without any failures or crashes -- so 
> i'm sure, that this is a software problem.
> 
> anyone interested in kernel corefile or not ? I can provide any additional
> information if anyone interested.
> 
> please reply directly to my mail address, i'm not on list )
> 
> with best regards , Gaspar Chilingarov
> 
> ------------------------------
> 
> Message: 2
> Date: Thu, 16 Dec 2004 20:31:05 +0800
> From: Ganbold <ganbold at micom.mng.net>
> Subject: Strange command histories in hacked shell server
> To: freebsd-security at freebsd.org
> Cc: freebsd-hackers at freebsd.org
> Message-ID: <6.2.0.14.2.20041216195558.030b0eb0 at 202.179.0.80>
> Content-Type: text/plain; charset="us-ascii"; format=flowed
> 
> Hi,
> 
> Sorry for cross posting.
> 
> I have with FreeBSD 5.3-stable server which serves as a public shell 
> server.
> 
> FreeBSD public.ub.mng.net 5.3-STABLE FreeBSD 5.3-STABLE #6: Wed Nov 
> 24 
> 15:55:36 ULAT 2004     
> tsgan at public.ub.mng.net:/usr/obj/usr/src/sys/PSH  i386
> 
> It has ssh and proftp-1.2.10 daemons.
> 
> However it was hacked and I'm trying to analyze it and having some 
> difficulties.
> 
> Machine is configured in such way that everyone can create an 
> account itself. Some user dir permissions: ... drwxr-xr-x  2 root    
>    wheel         512 Mar 29  2004 new drwx------  3 tamiraad   unix  
>         512 Apr  9  2004 tamiraad drwxr-xr-x  6 tsgan      tsgan     
>    1024 Dec 16 17:51 tsgan drwx------  4 tugstugi   unix         
>  512 Dec 13 20:34 tugstugi drwxr-xr-x  5 unix       unix         
>  512 Dec 13 12:37 unix ... User should log on as new with password 
> new to create an account.
> 
> Accounting is enabled and kern.securelevel is set to 2.
> Only one account 'tsgan' is in wheel group and only tsgan gan become 
> root using su.
> 
> Following is the some strange output from grave-robber (coroner 
> toolkit): ...
> Dec 13 04 20:18:40        5 m.c -rw-rw---- tugstugi smmsp   
/var/spool/clientmqueue/dfiBDCIeD0001529
> 
> Dec 13 04 20:34:58      512 m.. drwx------ tugstugi unix     /home/tugstugi
> 
> Dec 13 04 20:35:57      512 ..c drwx------ tugstugi unix     /home/tugstugi
> Dec 14 04 00:19:56        0 m.c -rw-rw-rw- tugstugi 
> unix     /home/tugstugi/.myrc
> 
> Dec 14 04 00:20:50     9665 m.. -rw-r--r-- tugstugi 
> unix     /home/tsgan/.tmp/known_hosts
>                         9665 m.c -rw-r--r-- tugstugi 
> unix     /home/tugstugi/.ssh/known_hosts
> 
> Dec 15 04 19:12:21     1002 m.c -rw------- tugstugi 
> unix     /home/tugstugi/.shrc
> ...
> Somehow he seems like copied /home/tugstugi/.ssh/known_hosts to 
> home/tsgan/.tmp/known_hosts.
> I don't know why.
> 
> Following is lastcomm output:
> ...
> sshd             -F      tugstugi         __         0.16 secs Tue 
> Dec 14 23:01 sh               -       tugstugi         #C:5:0x1  
>  0.03 secs Tue Dec 14 23:02 su               -       tugstugi        
>  #C:5:0x1   0.02 secs Tue Dec 14 23:38 ... sshd             -F     
>  tugstugi         __         0.08 secs Tue Dec 14 22:41 sh           
>     -       tugstugi         #C:5:0x1   0.02 secs Tue Dec 14 22:41 
> who              -       tugstugi         #C:5:0x1   0.00 secs Tue 
> Dec 14 22:52 su               -       tugstugi         #C:5:0x1  
>  0.02 secs Tue Dec 14 22:48 sh               -       tsgan           
>  #C:5:0x1   0.00 secs Tue Dec 14 22:48 ls               -      
>  tsgan            #C:5:0x1   0.00 secs Tue Dec 14 22:52 su           
>     -       tsgan            #C:5:0x1   0.02 secs Tue Dec 14 22:49 
> csh              -       root             #C:5:0x1   0.03 secs Tue 
> Dec 14 22:49 ...
> 
> In above I think he already hijacked my account and root password so 
> he used su to become root.
> 
> sshd             -F      tsgan            __         0.02 secs Tue 
> Dec 14 00:27 sh               -       tsgan            ttyp0     
>  0.02 secs Tue Dec 14 00:27 cat              -       tsgan           
>  ttyp0      0.00 secs Tue Dec 14 00:28 su               -      
>  tsgan            ttyp0      0.00 secs Tue Dec 14 00:28 sleep        
>     -       tsgan            ttyp0      0.00 secs Tue Dec 14 00:27 ^^^^^^
> stty             -       tsgan            ttyp0      0.00 secs Tue 
> Dec 14 00:27 stty             -       tsgan            ttyp0     
>  0.00 secs Tue Dec 14 00:27 ^^^^^^ fortune          -       tsgan    
>         ttyp0      0.00 secs Tue Dec 14 00:27 ...
> 
> I don't quite understand why he used sleep and stty commands in 
> above. My suspect is tty hijacking. Am I right? Correct me if I'm wrong.
> 
> sleep            -       tugstugi         #C:5:0x2   0.00 secs Tue 
> Dec 14 00:24 stty             -       tugstugi         #C:5:0x2  
>  0.00 secs Tue Dec 14 00:24 stty             -       tugstugi        
>  #C:5:0x2   0.00 secs Tue Dec 14 00:24 ... id               -      
>  tugstugi         #C:5:0x2   0.00 secs Tue Dec 14 00:24 sleep        
>     -       tugstugi         #C:5:0x2   0.00 secs Tue Dec 14 00:24 
> stty             -       tugstugi         #C:5:0x2   0.00 secs Tue 
> Dec 14 00:24 stty             -       tugstugi         #C:5:0x2  
>  0.00 secs Tue Dec 14 00:24 id               -       tugstugi        
>  #C:5:0x2   0.00 secs Tue Dec 14 00:24 cat              -      
>  tsgan            #C:5:0x2   0.00 secs Tue Dec 14 00:24 ls           
>     -       tsgan            #C:5:0x2   0.00 secs Tue Dec 14 00:24 
> su               -       tsgan            #C:5:0x2   0.02 secs Tue 
> Dec 14 00:23 sh               -       tugstugi         #C:5:0x2  
>  0.00 secs Tue Dec 14 00:23 ls               -       tugstugi        
>  #C:5:0x2   0.00 secs Tue Dec 14 00:23 id               -      
>  tugstugi         #C:5:0x2   0.00 secs Tue Dec 14 00:23 ls           
>     -       tugstugi         #C:5:0x2   0.00 secs Tue Dec 14 00:23 
> sleep            -       tugstugi         #C:5:0x2   0.00 secs Tue 
> Dec 14 00:23 stty             -       tugstugi         #C:5:0x2  
>  0.00 secs Tue Dec 14 00:23 stty             -       tugstugi        
>  #C:5:0x2   0.00 secs Tue Dec 14 00:23 ls               -      
>  tugstugi         #C:5:0x2   0.00 secs Tue Dec 14 00:23 id           
>     -       tugstugi         #C:5:0x2   0.00 secs Tue Dec 14 00:23 
> ls               -       tugstugi         #C:5:0x2   0.00 secs Tue 
> Dec 14 00:23 cat              -       tsgan            #C:5:0x2  
>  0.00 secs Tue Dec 14 00:23 su               -       tsgan           
>  #C:5:0x2   0.02 secs Tue Dec 14 00:23 cat              -      
>  tsgan            #C:5:0x2   0.00 secs Tue Dec 14 00:22 sleep        
>     -       tsgan            #C:5:0x2   0.00 secs Tue Dec 14 00:22 
> stty             -       tsgan            #C:5:0x2   0.00 secs Tue 
> Dec 14 00:22 stty             -       tsgan            #C:5:0x2  
>  0.00 secs Tue Dec 14 00:22 fortune          -       tsgan           
>  #C:5:0x2   0.00 secs Tue Dec 14 00:22 ... One more strange thing is 
> "#C:5:0x2". What is this?
> 
> Again I'm suspecting that, this guy hijacked my tty and got tsgan 
> and then he could log my keystroke and get root password. Am I right?
> 
> Please give me some advice and info regarding this kind of hack.
> What should I do in order to secure my shell server? I mean except 
> securelevel, unneeded services etc.
> Can somebody give me some hints on file and directory permissions?
> Is there anybody who has similar server config and already had such 
> issues and problems? I appreciate very much if somebody will help me 
> in this regard.
> 
> thanks in advance,
> 
> Ganbold
> 
> ------------------------------
> 
> Message: 3
> Date: Thu, 16 Dec 2004 14:22:05 +0100
> From: Andre Oppermann <andre at freebsd.org>
> Subject: Re: -CURRENT problems with WCCP/high load
> To: nm at web.am
> Cc: freebsd-hackers at freebsd.org
> Message-ID: <41C18BFD.4050109 at freebsd.org>
> Content-Type: text/plain; charset=UTF-8; format=flowed
> 
> Gaspar Chilingarov wrote:
> > Hello!
> > 
> > machine panics under load (800pkt/sec, 600-800 kByte/sec traffik)
> > 
> > 
> > I got a dual pIII 1Ghz machine with todays -current, ipfirewall_forward option
> > enabled, several Intel Express cards inside. kernel is GENERIC with some
> > stripped drivers, witness, invariants, debugging etc disabled. compiled with
> > -O2 -pipe, no arch flags.
> > 
> > running squid with wccp2 patch, loaded modules -- acpi, ipfw, if_gre.
> > 
> > on another side is a cisco router which redirects traffic to freebsd box using
> > wccp2.
> > 
> > after running several seconds under the load -- 7-10 seconds computer panics
> > with in process swi:net.
> > 
> > kernel world compilation run without any failures or crashes -- so i'm sure,
> > that this is a software problem.
> > 
> > anyone interested in kernel corefile or not ? I can provide any additional
> > information if anyone interested.
> > 
> > please reply directly to my mail address, i'm not on list )
> 
> We need a backtrace.  A description how to obtain backtraces is in 
> the FreeBSD handbook.
> 
> -- 
> Andre
> 
> ------------------------------
> 
> Message: 4
> Date: Thu, 16 Dec 2004 08:49:57 -0500 (EST)
> From: John Von Essen <john at essenz.com>
> Subject: Re: brute3.tar.gz
> To: Peter Jeremy <PeterJeremy at optushome.com.au>
> Cc: hackers at freebsd.org
> Message-ID: <20041216083803.A87235 at beck.quonix.net>
> Content-Type: TEXT/PLAIN; charset=US-ASCII
> 
> Running tcpdump to a file worked out. This morning I was able to 
> find the source machine by looking at that packet capture file. 
> Someone gained legitimate access to the box via ssh using the oracle 
> user. My stupid incompetent DBA's never set the password to 
> something that wouldn't be obvious, like something other then 
> oracle/oracle. ARgh! I hate DBA's - all they do is mess shit up... 
> and yet they make more money then sysadmins
> (at least at this company).
> 
> -john
> 
> On Thu, 16 Dec 2004, Peter Jeremy wrote:
> 
> > On Wed, 2004-Dec-15 18:55:20 -0500, John Von Essen wrote:
> > >Whatever this thing is, its tricky. It only runs a few times a day, so it
> > >is tough to find the culprit source with ethereal unless I run ethereal
> > >all day. In packet capture mode.
> >
> > Depending on how much disk space you have spare on your firewall and
> > how much ssh traffic you get normally, running "tcpdump -w ... port 22"
> > for a day or so may be feasible.  You can add the target boxes address
> > to the filter and you won't get anything except the culprit address.
> > (Of course, permanently running tcpdump may or may not be practical for
> > other reasons).
> >
> > --
> > Peter Jeremy
> >
> 
> ------------------------------
> 
> Message: 5
> Date: Thu, 16 Dec 2004 17:14:55 +0100
> From: des at des.no (Dag-Erling Sm?rgrav)
> Subject: Re: Multi-volume compressed dumps on DVDs
> To: Peter Jeremy <PeterJeremy at optushome.com.au>
> Cc: freebsd-hackers at freebsd.org
> Message-ID: <xzpoegudxts.fsf at dwp.des.no>
> Content-Type: text/plain; charset=iso-8859-1
> 
> Peter Jeremy <PeterJeremy at optushome.com.au> writes:
> > Has anyone looked at modifying dump/restore to support:
> > 1) Dumping onto DVDs (sending the appropriate "close volume" command)
> > 2) Compressed multi-volume dumps
> >    This means monitoring the compressed data stream and flushing the
> >    compress engine state at the end of each volume (so that each volume
> >    remains a independent entity for restore purposes).
> 
> 'man dump', look for the -P option.
> 
> DES
> -- 
> Dag-Erling Smørgrav - des at des.no
> 
> ------------------------------
> 
> Message: 6
> Date: Thu, 16 Dec 2004 17:16:15 +0100
> From: des at des.no (Dag-Erling Sm?rgrav)
> Subject: Re: duplicate CVS modules in merged CVSROOT
> To: Dmitry Morozovsky <marck at FreeBSD.org>
> Cc: hackers at FreeBSD.org
> Message-ID: <xzpk6ridxrk.fsf at dwp.des.no>
> Content-Type: text/plain; charset=iso-8859-1
> 
> Dmitry Morozovsky <marck at FreeBSD.org> writes:
> > It seems some checks should be added to module merging code...
> 
> ...or somebody should stop using the merged CVSROOT.
> 
> DES
> -- 
> Dag-Erling Smørgrav - des at des.no
> 
> ------------------------------
> 
> Message: 7
> Date: Thu, 16 Dec 2004 17:20:08 +0100
> From: des at des.no (Dag-Erling Sm?rgrav)
> Subject: Re: using two keyboards at the same time
> To: "Norbert Koch" <NKoch at demig.de>
> Cc: freebsd-hackers at freebsd.org
> Message-ID: <xzpfz26dxl3.fsf at dwp.des.no>
> Content-Type: text/plain; charset=iso-8859-1
> 
> "Norbert Koch" <NKoch at demig.de> writes:
> >     if (select (maxfd, & ofds, NULL, NULL, NULL) == -1)
> 
> maxfd + 1
> 
> DES
> -- 
> Dag-Erling Smørgrav - des at des.no
> 
> ------------------------------
> 
> Message: 8
> Date: Thu, 16 Dec 2004 20:32:15 +0300 (MSK)
> From: Dmitry Morozovsky <marck at FreeBSD.org>
> Subject: Re: duplicate CVS modules in merged CVSROOT
> To: Dag-Erling Sm?rgrav<des at des.no>
> Cc: hackers at FreeBSD.org
> Message-ID: <20041216203126.E26781 at woozle.rinet.ru>
> Content-Type: TEXT/PLAIN; charset=US-ASCII
> 
> On Thu, 16 Dec 2004, [iso-8859-1] Dag-Erling Sm?rgrav wrote:
> 
> DS> > It seems some checks should be added to module merging code...
> DS> 
> DS> ...or somebody should stop using the merged CVSROOT.
> 
> In general, yes. But then, all cvsup mirror infrastructure should be 
> converted, which is non-trivial and long process.
> 
> Sincerely,
> 
> D.Marck                                        [DM5020, MCK-RIPE,
>  DM3-RIPN]
> ---------------------------------------------------------------------------
> *** Dmitry Morozovsky --- D.Marck --- Wild Woozle ---
>  marck at FreeBSD.org ***
> ---------------------------------------------------------------------------
> 
> ------------------------------
> 
> Message: 9
> Date: Fri, 17 Dec 2004 00:09:45 +0300
> From: Roman Kurakin <rik at cronyx.ru>
> Subject: Re: duplicate CVS modules in merged CVSROOT
> To: Dag-Erling Sm?rgrav<des at des.no>
> Cc: Dmitry Morozovsky <marck at FreeBSD.org>
> Message-ID: <41C1F999.2080008 at cronyx.ru>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> 
> Dag-Erling Smørgrav:
> 
> >Dmitry Morozovsky <marck at FreeBSD.org> writes:
> >  
> >
> >>It seems some checks should be added to module merging code...
> >>    
> >>
> >
> >...or somebody should stop using the merged CVSROOT.
> >
> I suggest to add prefixes like src_cut, port_cut while merging.
> 
> rik
> 
> >DES
> >  
> >
> 
> ------------------------------
> 
> Message: 10
> Date: Thu, 16 Dec 2004 19:12:53 -0800
> From: Matt <mhersant at comcast.net>
> Subject: Re: nfs within jail
> To: hackers at freebsd.org
> Message-ID: <41C24EB5.8050603 at comcast.net>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> 
> stefan.schmidt at stadtbuch.de wrote:
> 
> >Matt,
> >
> >there's nfsshell, an FTP-like client.
> >just google for nfsshell.
> >
> >Won't help in case of NFS4, I guess :-(
> >
> >Stefan
> >
> >  
> >
> Thanks.  I'd like to try the nfsshell, but I can't get it to build.  
> It doesn't appear to be a port either.  I'm an amateur C coder at 
> best.  Could someone take a quick look?  It's a very small program.  
> Sources are here: http://www.cs.vu.nl/pub/leendert/nfsshell.tar.gz 
> Release doesn't use autoconfig.  Build dies with error:
> 
> nfs.c:53:27: sys/sysmacros.h: No such file or directory
> 
> Thanks for any help.
> 
> ------------------------------
> 
> Message: 11
> Date: Fri, 17 Dec 2004 00:00:53 -0500
> From: David Gilbert <dgilbert at dclg.ca>
> Subject: USB video?
> To: freebsd-hackers at freebsd.org
> Message-ID: <16834.26629.534978.397993 at canoe.dclg.ca>
> Content-Type: text/plain; charset=us-ascii
> 
> Ok ... this is a wacky product.  Sometimes you end up with a cord 
> that just looks wrong ... two ends that shouldn't go together (like 
> the X10 computer module I have --- it has a power "block" that plugs 
> into the wall and provides a phone jack.  Then there's a cable that 
> goes phone jack to serial --- that's just wrong.) .... similarly,
>  USB2 to VGA is just wrong:
> 
> http://www.tigerdirect.ca/applications/searchtools/item-
> Details.asp?EdpNo=1088606&sku=T26-1034&CMP=EMC-TIGEREMAIL&SRCCODE=CANEM268
> 
> That all said, is there some standard for USB video and do we plan to
> support it?
> 
> Dave.
> 
> -- 
> ============================================================================
> |David Gilbert, Independent Contractor.       | Two things can only 
> be     | |Mail:       dave at daveg.ca                    |  equal if 
> and only if they | |http://daveg.ca                              |   
> are precisely opposite.  |
> =========================================================GLO================
> 
> ------------------------------
> 
> Message: 12
> Date: Fri, 17 Dec 2004 02:34:05 -0500
> From: David Scheidt <dmschei at attglobal.net>
> Subject: Re: nfs within jail
> To: Matt <mhersant at comcast.net>
> Cc: hackers at freebsd.org
> Message-ID: <41C28BED.9070508 at attglobal.net>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> 
> Matt wrote:
> 
> > stefan.schmidt at stadtbuch.de wrote:
> >
> >> Matt,
> >>
> >> there's nfsshell, an FTP-like client.
> >> just google for nfsshell.
> >>
> >> Won't help in case of NFS4, I guess :-(
> >>
> >> Stefan
> >>
> >>  
> >>
> > Thanks.  I'd like to try the nfsshell, but I can't get it to build.  
> > It doesn't appear to be a port either.  I'm an amateur C coder at 
> > best.  Could someone take a quick look?  It's a very small program.  
> > Sources are here: http://www.cs.vu.nl/pub/leendert/nfsshell.tar.gz
> > Release doesn't use autoconfig.  Build dies with error:
> >
> > nfs.c:53:27: sys/sysmacros.h: No such file or directory
> >
> 
> Commenting this line out is sufficent to compile.  You then need to 
> change the LIBS line in the make file, removing -lsocket, -lnsl, and 
> -lrpcsoc.  That's enough to make it link.  I'm unable to actually 
> see if it'll work, though.
> 
> David
> 
> ------------------------------
> 
> _______________________________________________
> freebsd-hackers at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe at freebsd.org"
> 
> End of freebsd-hackers Digest, Vol 91, Issue 7
> **********************************************


--
GOL BrainNet Online (http://forums.gol.net.pk)



More information about the freebsd-hackers mailing list