freebsd-hackers Digest, Vol 91, Issue 7
tester
tester at mail.mydsl.net.pk
Fri Dec 17 08:13:55 PST 2004
How did you CHANGE the limit to (800pkt/sec)? This would be around 12Mb/sec
traffic.
On Fri, 17 Dec 2004 12:01:06 +0000 (GMT), freebsd-hackers-request wrote
> Send freebsd-hackers mailing list submissions to
> freebsd-hackers at freebsd.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> or, via email, send a message with subject or body 'help' to
> freebsd-hackers-request at freebsd.org
>
> You can reach the person managing the list at
> freebsd-hackers-owner at freebsd.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of freebsd-hackers digest..."
>
> Today's Topics:
>
> 1. -CURRENT problems with WCCP/high load (Gaspar Chilingarov)
> 2. Strange command histories in hacked shell server (Ganbold)
> 3. Re: -CURRENT problems with WCCP/high load (Andre Oppermann)
> 4. Re: brute3.tar.gz (John Von Essen)
> 5. Re: Multi-volume compressed dumps on DVDs (Dag-Erling Smørgrav)
> 6. Re: duplicate CVS modules in merged CVSROOT (Dag-Erling Smørgrav)
> 7. Re: using two keyboards at the same time (Dag-Erling Smørgrav)
> 8. Re: duplicate CVS modules in merged CVSROOT (Dmitry Morozovsky)
> 9. Re: duplicate CVS modules in merged CVSROOT (Roman Kurakin)
> 10. Re: nfs within jail (Matt)
> 11. USB video? (David Gilbert)
> 12. Re: nfs within jail (David Scheidt)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 16 Dec 2004 00:46:05 +0400 (AMT)
> From: "Gaspar Chilingarov" <nm at web.am>
> Subject: -CURRENT problems with WCCP/high load
> To: freebsd-hackers at freebsd.org
> Message-ID: <53000.217.113.1.123.1103143565.squirrel at webmail.web.am>
> Content-Type: text/plain;charset=utf-8
>
> Hello!
>
> machine panics under load (800pkt/sec, 600-800 kByte/sec traffic)
>
> I got a dual pIII 1Ghz machine with today's -current,
> ipfirewall_forward option enabled, several Intel Express cards
> inside. kernel is GENERIC with some stripped drivers, witness,
> invariants, debugging etc disabled. compiled with -O2 -pipe, no arch
> flags.
>
> running squid with wccp2 patch, loaded modules -- acpi, ipfw, if_gre.
>
> on another side is a cisco router which redirects traffic to freebsd
> box using wccp2.
>
> after running several seconds under the load -- 7-10 seconds --
> the computer panics in process swi:net.
>
> kernel world compilation ran without any failures or crashes -- so
> i'm sure that this is a software problem.
>
> Is anyone interested in the kernel corefile? I can provide any additional
> information if anyone is interested.
>
> please reply directly to my mail address, i'm not on list )
>
> with best regards , Gaspar Chilingarov
>
> ------------------------------
>
> Message: 2
> Date: Thu, 16 Dec 2004 20:31:05 +0800
> From: Ganbold <ganbold at micom.mng.net>
> Subject: Strange command histories in hacked shell server
> To: freebsd-security at freebsd.org
> Cc: freebsd-hackers at freebsd.org
> Message-ID: <6.2.0.14.2.20041216195558.030b0eb0 at 202.179.0.80>
> Content-Type: text/plain; charset="us-ascii"; format=flowed
>
> Hi,
>
> Sorry for cross posting.
>
> I have a FreeBSD 5.3-stable server which serves as a public shell
> server.
>
> FreeBSD public.ub.mng.net 5.3-STABLE FreeBSD 5.3-STABLE #6: Wed Nov 24 15:55:36 ULAT 2004
> tsgan at public.ub.mng.net:/usr/obj/usr/src/sys/PSH i386
>
> It has ssh and proftp-1.2.10 daemons.
>
> However it was hacked and I'm trying to analyze it and having some
> difficulties.
>
> Machine is configured in such a way that everyone can create an
> account themselves. Some user dir permissions:
> ...
> drwxr-xr-x  2 root      wheel   512 Mar 29  2004 new
> drwx------  3 tamiraad  unix    512 Apr  9  2004 tamiraad
> drwxr-xr-x  6 tsgan     tsgan  1024 Dec 16 17:51 tsgan
> drwx------  4 tugstugi  unix    512 Dec 13 20:34 tugstugi
> drwxr-xr-x  5 unix      unix    512 Dec 13 12:37 unix
> ...
> A user should log on as new with password new to create an account.
>
> Accounting is enabled and kern.securelevel is set to 2.
> Only one account 'tsgan' is in the wheel group and only tsgan can become
> root using su.
>
> Following is some strange output from grave-robber (coroner
> toolkit):
> ...
> Dec 13 04 20:18:40    5 m.c -rw-rw---- tugstugi smmsp /var/spool/clientmqueue/dfiBDCIeD0001529
> Dec 13 04 20:34:58  512 m.. drwx------ tugstugi unix  /home/tugstugi
> Dec 13 04 20:35:57  512 ..c drwx------ tugstugi unix  /home/tugstugi
> Dec 14 04 00:19:56    0 m.c -rw-rw-rw- tugstugi unix  /home/tugstugi/.myrc
> Dec 14 04 00:20:50 9665 m.. -rw-r--r-- tugstugi unix  /home/tsgan/.tmp/known_hosts
>                    9665 m.c -rw-r--r-- tugstugi unix  /home/tugstugi/.ssh/known_hosts
> Dec 15 04 19:12:21 1002 m.c -rw------- tugstugi unix  /home/tugstugi/.shrc
> ...
> Somehow he seems to have copied /home/tugstugi/.ssh/known_hosts to
> /home/tsgan/.tmp/known_hosts.
> I don't know why.
>
> Following is lastcomm output:
> ...
> sshd  -F  tugstugi  __        0.16 secs Tue Dec 14 23:01
> sh    -   tugstugi  #C:5:0x1  0.03 secs Tue Dec 14 23:02
> su    -   tugstugi  #C:5:0x1  0.02 secs Tue Dec 14 23:38
> ...
> sshd  -F  tugstugi  __        0.08 secs Tue Dec 14 22:41
> sh    -   tugstugi  #C:5:0x1  0.02 secs Tue Dec 14 22:41
> who   -   tugstugi  #C:5:0x1  0.00 secs Tue Dec 14 22:52
> su    -   tugstugi  #C:5:0x1  0.02 secs Tue Dec 14 22:48
> sh    -   tsgan     #C:5:0x1  0.00 secs Tue Dec 14 22:48
> ls    -   tsgan     #C:5:0x1  0.00 secs Tue Dec 14 22:52
> su    -   tsgan     #C:5:0x1  0.02 secs Tue Dec 14 22:49
> csh   -   root      #C:5:0x1  0.03 secs Tue Dec 14 22:49
> ...
>
> In the above I think he had already hijacked my account and root password, so
> he used su to become root.
>
> sshd     -F  tsgan  __     0.02 secs Tue Dec 14 00:27
> sh       -   tsgan  ttyp0  0.02 secs Tue Dec 14 00:27
> cat      -   tsgan  ttyp0  0.00 secs Tue Dec 14 00:28
> su       -   tsgan  ttyp0  0.00 secs Tue Dec 14 00:28
> sleep    -   tsgan  ttyp0  0.00 secs Tue Dec 14 00:27
> ^^^^^^
> stty     -   tsgan  ttyp0  0.00 secs Tue Dec 14 00:27
> stty     -   tsgan  ttyp0  0.00 secs Tue Dec 14 00:27
> ^^^^^^
> fortune  -   tsgan  ttyp0  0.00 secs Tue Dec 14 00:27
> ...
>
> I don't quite understand why he used the sleep and stty commands
> above. My suspicion is tty hijacking. Am I right? Correct me if I'm wrong.
>
> sleep    -   tugstugi  #C:5:0x2  0.00 secs Tue Dec 14 00:24
> stty     -   tugstugi  #C:5:0x2  0.00 secs Tue Dec 14 00:24
> stty     -   tugstugi  #C:5:0x2  0.00 secs Tue Dec 14 00:24
> ...
> id       -   tugstugi  #C:5:0x2  0.00 secs Tue Dec 14 00:24
> sleep    -   tugstugi  #C:5:0x2  0.00 secs Tue Dec 14 00:24
> stty     -   tugstugi  #C:5:0x2  0.00 secs Tue Dec 14 00:24
> stty     -   tugstugi  #C:5:0x2  0.00 secs Tue Dec 14 00:24
> id       -   tugstugi  #C:5:0x2  0.00 secs Tue Dec 14 00:24
> cat      -   tsgan     #C:5:0x2  0.00 secs Tue Dec 14 00:24
> ls       -   tsgan     #C:5:0x2  0.00 secs Tue Dec 14 00:24
> su       -   tsgan     #C:5:0x2  0.02 secs Tue Dec 14 00:23
> sh       -   tugstugi  #C:5:0x2  0.00 secs Tue Dec 14 00:23
> ls       -   tugstugi  #C:5:0x2  0.00 secs Tue Dec 14 00:23
> id       -   tugstugi  #C:5:0x2  0.00 secs Tue Dec 14 00:23
> ls       -   tugstugi  #C:5:0x2  0.00 secs Tue Dec 14 00:23
> sleep    -   tugstugi  #C:5:0x2  0.00 secs Tue Dec 14 00:23
> stty     -   tugstugi  #C:5:0x2  0.00 secs Tue Dec 14 00:23
> stty     -   tugstugi  #C:5:0x2  0.00 secs Tue Dec 14 00:23
> ls       -   tugstugi  #C:5:0x2  0.00 secs Tue Dec 14 00:23
> id       -   tugstugi  #C:5:0x2  0.00 secs Tue Dec 14 00:23
> ls       -   tugstugi  #C:5:0x2  0.00 secs Tue Dec 14 00:23
> cat      -   tsgan     #C:5:0x2  0.00 secs Tue Dec 14 00:23
> su       -   tsgan     #C:5:0x2  0.02 secs Tue Dec 14 00:23
> cat      -   tsgan     #C:5:0x2  0.00 secs Tue Dec 14 00:22
> sleep    -   tsgan     #C:5:0x2  0.00 secs Tue Dec 14 00:22
> stty     -   tsgan     #C:5:0x2  0.00 secs Tue Dec 14 00:22
> stty     -   tsgan     #C:5:0x2  0.00 secs Tue Dec 14 00:22
> fortune  -   tsgan     #C:5:0x2  0.00 secs Tue Dec 14 00:22
> ...
>
> One more strange thing is "#C:5:0x2". What is this?
>
> Again I'm suspecting that this guy hijacked my tty and got tsgan,
> and then he could log my keystrokes and get the root password. Am I right?
>
> Please give me some advice and info regarding this kind of hack.
> What should I do in order to secure my shell server? I mean except
> securelevel, unneeded services etc.
> Can somebody give me some hints on file and directory permissions?
> Is there anybody who has a similar server config and already had such
> issues and problems? I would appreciate it very much if somebody could help me
> in this regard.
>
> thanks in advance,
>
> Ganbold
>
> ------------------------------
>
> Message: 3
> Date: Thu, 16 Dec 2004 14:22:05 +0100
> From: Andre Oppermann <andre at freebsd.org>
> Subject: Re: -CURRENT problems with WCCP/high load
> To: nm at web.am
> Cc: freebsd-hackers at freebsd.org
> Message-ID: <41C18BFD.4050109 at freebsd.org>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> Gaspar Chilingarov wrote:
> > Hello!
> >
> > machine panics under load (800pkt/sec, 600-800 kByte/sec traffic)
> >
> >
> > I got a dual pIII 1Ghz machine with today's -current, ipfirewall_forward option
> > enabled, several Intel Express cards inside. kernel is GENERIC with some
> > stripped drivers, witness, invariants, debugging etc disabled. compiled with
> > -O2 -pipe, no arch flags.
> >
> > running squid with wccp2 patch, loaded modules -- acpi, ipfw, if_gre.
> >
> > on another side is a cisco router which redirects traffic to freebsd box using
> > wccp2.
> >
> > after running several seconds under the load -- 7-10 seconds -- the computer panics
> > in process swi:net.
> >
> > kernel world compilation ran without any failures or crashes -- so i'm sure
> > that this is a software problem.
> >
> > Is anyone interested in the kernel corefile? I can provide any additional
> > information if anyone is interested.
> >
> > please reply directly to my mail address, i'm not on list )
>
> We need a backtrace. A description how to obtain backtraces is in
> the FreeBSD handbook.
>
> --
> Andre
>
> ------------------------------
>
> Message: 4
> Date: Thu, 16 Dec 2004 08:49:57 -0500 (EST)
> From: John Von Essen <john at essenz.com>
> Subject: Re: brute3.tar.gz
> To: Peter Jeremy <PeterJeremy at optushome.com.au>
> Cc: hackers at freebsd.org
> Message-ID: <20041216083803.A87235 at beck.quonix.net>
> Content-Type: TEXT/PLAIN; charset=US-ASCII
>
> Running tcpdump to a file worked out. This morning I was able to
> find the source machine by looking at that packet capture file.
> Someone gained legitimate access to the box via ssh using the oracle
> user. My stupid incompetent DBAs never set the password to
> something that wouldn't be obvious, like something other than
> oracle/oracle. Argh! I hate DBAs - all they do is mess shit up...
> and yet they make more money than sysadmins
> (at least at this company).
>
> -john
>
> On Thu, 16 Dec 2004, Peter Jeremy wrote:
>
> > On Wed, 2004-Dec-15 18:55:20 -0500, John Von Essen wrote:
> > >Whatever this thing is, it's tricky. It only runs a few times a day, so it
> > >is tough to find the culprit source with ethereal unless I run ethereal
> > >all day in packet capture mode.
> >
> > Depending on how much disk space you have spare on your firewall and
> > how much ssh traffic you get normally, running "tcpdump -w ... port 22"
> > for a day or so may be feasible. You can add the target box's address
> > to the filter and you won't get anything except the culprit address.
> > (Of course, permanently running tcpdump may or may not be practical for
> > other reasons).
> >
> > --
> > Peter Jeremy
> >
>
> ------------------------------
>
> Message: 5
> Date: Thu, 16 Dec 2004 17:14:55 +0100
> From: des at des.no (Dag-Erling Smørgrav)
> Subject: Re: Multi-volume compressed dumps on DVDs
> To: Peter Jeremy <PeterJeremy at optushome.com.au>
> Cc: freebsd-hackers at freebsd.org
> Message-ID: <xzpoegudxts.fsf at dwp.des.no>
> Content-Type: text/plain; charset=iso-8859-1
>
> Peter Jeremy <PeterJeremy at optushome.com.au> writes:
> > Has anyone looked at modifying dump/restore to support:
> > 1) Dumping onto DVDs (sending the appropriate "close volume" command)
> > 2) Compressed multi-volume dumps
> > This means monitoring the compressed data stream and flushing the
> > compress engine state at the end of each volume (so that each volume
> > remains an independent entity for restore purposes).
>
> 'man dump', look for the -P option.
>
> DES
> --
> Dag-Erling Smørgrav - des at des.no
>
> ------------------------------
>
> Message: 6
> Date: Thu, 16 Dec 2004 17:16:15 +0100
> From: des at des.no (Dag-Erling Smørgrav)
> Subject: Re: duplicate CVS modules in merged CVSROOT
> To: Dmitry Morozovsky <marck at FreeBSD.org>
> Cc: hackers at FreeBSD.org
> Message-ID: <xzpk6ridxrk.fsf at dwp.des.no>
> Content-Type: text/plain; charset=iso-8859-1
>
> Dmitry Morozovsky <marck at FreeBSD.org> writes:
> > It seems some checks should be added to module merging code...
>
> ...or somebody should stop using the merged CVSROOT.
>
> DES
> --
> Dag-Erling Smørgrav - des at des.no
>
> ------------------------------
>
> Message: 7
> Date: Thu, 16 Dec 2004 17:20:08 +0100
> From: des at des.no (Dag-Erling Smørgrav)
> Subject: Re: using two keyboards at the same time
> To: "Norbert Koch" <NKoch at demig.de>
> Cc: freebsd-hackers at freebsd.org
> Message-ID: <xzpfz26dxl3.fsf at dwp.des.no>
> Content-Type: text/plain; charset=iso-8859-1
>
> "Norbert Koch" <NKoch at demig.de> writes:
> > if (select (maxfd, & ofds, NULL, NULL, NULL) == -1)
>
> maxfd + 1
>
> DES
> --
> Dag-Erling Smørgrav - des at des.no
>
> ------------------------------
>
> Message: 8
> Date: Thu, 16 Dec 2004 20:32:15 +0300 (MSK)
> From: Dmitry Morozovsky <marck at FreeBSD.org>
> Subject: Re: duplicate CVS modules in merged CVSROOT
> To: Dag-Erling Smørgrav <des at des.no>
> Cc: hackers at FreeBSD.org
> Message-ID: <20041216203126.E26781 at woozle.rinet.ru>
> Content-Type: TEXT/PLAIN; charset=US-ASCII
>
> On Thu, 16 Dec 2004, [iso-8859-1] Dag-Erling Smørgrav wrote:
>
> DS> > It seems some checks should be added to module merging code...
> DS>
> DS> ...or somebody should stop using the merged CVSROOT.
>
> In general, yes. But then, all the cvsup mirror infrastructure should be
> converted, which is a non-trivial and long process.
>
> Sincerely,
>
> D.Marck                                     [DM5020, MCK-RIPE, DM3-RIPN]
> ---------------------------------------------------------------------------
> *** Dmitry Morozovsky --- D.Marck --- Wild Woozle --- marck at FreeBSD.org ***
> ---------------------------------------------------------------------------
>
> ------------------------------
>
> Message: 9
> Date: Fri, 17 Dec 2004 00:09:45 +0300
> From: Roman Kurakin <rik at cronyx.ru>
> Subject: Re: duplicate CVS modules in merged CVSROOT
> To: Dag-Erling Smørgrav <des at des.no>
> Cc: Dmitry Morozovsky <marck at FreeBSD.org>
> Message-ID: <41C1F999.2080008 at cronyx.ru>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Dag-Erling Smørgrav:
>
> >Dmitry Morozovsky <marck at FreeBSD.org> writes:
> >
> >
> >>It seems some checks should be added to module merging code...
> >>
> >>
> >
> >...or somebody should stop using the merged CVSROOT.
> >
> I suggest to add prefixes like src_cut, port_cut while merging.
>
> rik
>
> >DES
> >
> >
>
> ------------------------------
>
> Message: 10
> Date: Thu, 16 Dec 2004 19:12:53 -0800
> From: Matt <mhersant at comcast.net>
> Subject: Re: nfs within jail
> To: hackers at freebsd.org
> Message-ID: <41C24EB5.8050603 at comcast.net>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> stefan.schmidt at stadtbuch.de wrote:
>
> >Matt,
> >
> >there's nfsshell, an FTP-like client.
> >just google for nfsshell.
> >
> >Won't help in case of NFS4, I guess :-(
> >
> >Stefan
> >
> >
> >
> Thanks. I'd like to try the nfsshell, but I can't get it to build.
> It doesn't appear to be a port either. I'm an amateur C coder at
> best. Could someone take a quick look? It's a very small program.
> Sources are here: http://www.cs.vu.nl/pub/leendert/nfsshell.tar.gz
> Release doesn't use autoconfig. Build dies with error:
>
> nfs.c:53:27: sys/sysmacros.h: No such file or directory
>
> Thanks for any help.
>
> ------------------------------
>
> Message: 11
> Date: Fri, 17 Dec 2004 00:00:53 -0500
> From: David Gilbert <dgilbert at dclg.ca>
> Subject: USB video?
> To: freebsd-hackers at freebsd.org
> Message-ID: <16834.26629.534978.397993 at canoe.dclg.ca>
> Content-Type: text/plain; charset=us-ascii
>
> Ok ... this is a wacky product. Sometimes you end up with a cord
> that just looks wrong ... two ends that shouldn't go together (like
> the X10 computer module I have --- it has a power "block" that plugs
> into the wall and provides a phone jack. Then there's a cable that
> goes phone jack to serial --- that's just wrong.) .... similarly,
> USB2 to VGA is just wrong:
>
> http://www.tigerdirect.ca/applications/searchtools/item-Details.asp?EdpNo=1088606&sku=T26-1034&CMP=EMC-TIGEREMAIL&SRCCODE=CANEM268
>
> That all said, is there some standard for USB video and do we plan to
> support it?
>
> Dave.
>
> --
> ============================================================================
> |David Gilbert, Independent Contractor. | Two things can only be         |
> |Mail: dave at daveg.ca                  | equal if and only if they      |
> |http://daveg.ca                        | are precisely opposite.        |
> =========================================================GLO================
>
> ------------------------------
>
> Message: 12
> Date: Fri, 17 Dec 2004 02:34:05 -0500
> From: David Scheidt <dmschei at attglobal.net>
> Subject: Re: nfs within jail
> To: Matt <mhersant at comcast.net>
> Cc: hackers at freebsd.org
> Message-ID: <41C28BED.9070508 at attglobal.net>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Matt wrote:
>
> > stefan.schmidt at stadtbuch.de wrote:
> >
> >> Matt,
> >>
> >> there's nfsshell, an FTP-like client.
> >> just google for nfsshell.
> >>
> >> Won't help in case of NFS4, I guess :-(
> >>
> >> Stefan
> >>
> >>
> >>
> > Thanks. I'd like to try the nfsshell, but I can't get it to build.
> > It doesn't appear to be a port either. I'm an amateur C coder at
> > best. Could someone take a quick look? It's a very small program.
> > Sources are here: http://www.cs.vu.nl/pub/leendert/nfsshell.tar.gz
> > Release doesn't use autoconfig. Build dies with error:
> >
> > nfs.c:53:27: sys/sysmacros.h: No such file or directory
> >
>
> Commenting this line out is sufficient to compile. You then need to
> change the LIBS line in the makefile, removing -lsocket, -lnsl, and
> -lrpcsoc. That's enough to make it link. I'm unable to actually
> see if it'll work, though.
>
> David
>
> ------------------------------
>
> _______________________________________________
> freebsd-hackers at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe at freebsd.org"
>
> End of freebsd-hackers Digest, Vol 91, Issue 7
> **********************************************
--
GOL BrainNet Online (http://forums.gol.net.pk)
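Ganbold's lastcomm excerpts in Message 2 of the digest above show the chain he is asking about: tugstugi runs su and a shell appears as tsgan on the same tty, then tsgan runs su and a csh appears as root. The following is an added example, not code from the digest or from any of its authors: it parses lastcomm(1)-style records, pairs each su with the shell it spawned (su waits for its child, so the child is the record that exited just before it on that tty), and reports any tty where root was reached starting from an account outside wheel. The sample records, the shell list and the wheel membership are constructed from what the message states.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the lastcomm(1) records quoted in Message 2.
# lastcomm prints process-exit order, newest first; the date is the start time.
SAMPLE = """\
sshd  -F  tugstugi  __        0.08 secs Tue Dec 14 22:41
sh    -   tugstugi  #C:5:0x1  0.02 secs Tue Dec 14 22:41
who   -   tugstugi  #C:5:0x1  0.00 secs Tue Dec 14 22:52
su    -   tugstugi  #C:5:0x1  0.02 secs Tue Dec 14 22:48
sh    -   tsgan     #C:5:0x1  0.00 secs Tue Dec 14 22:48
ls    -   tsgan     #C:5:0x1  0.00 secs Tue Dec 14 22:52
su    -   tsgan     #C:5:0x1  0.02 secs Tue Dec 14 22:49
csh   -   root      #C:5:0x1  0.03 secs Tue Dec 14 22:49
"""
LINE = re.compile(r"^(\S+)\s+(-\S*)\s+(\S+)\s+(\S+)\s+[\d.]+ secs\s+(.*)$")
SHELLS = {"sh", "csh", "tcsh", "bash", "ksh", "zsh"}
WHEEL = {"tsgan"}  # assumption: the only wheel member, as the message says

def parse(text):
    """(command, user, tty, start) tuples, in the order lastcomm printed them."""
    return [m.group(1, 3, 4, 5) for m in map(LINE.match, text.splitlines()) if m]

def su_transitions(records):
    """Pair each su with the shell it spawned. su waits for its child, so the
    child is the record that exited just before su on the same tty, i.e. the
    line lastcomm printed just above it for that tty.
    Returns (tty, invoker, target, start) tuples in exit order, oldest first."""
    last_on_tty, found = {}, []
    for cmd, user, tty, start in reversed(records):  # oldest exit first
        if cmd == "su" and tty in last_on_tty:
            child_cmd, child_user = last_on_tty[tty]
            if child_cmd in SHELLS and child_user != user:
                found.append((tty, user, child_user, start))
        last_on_tty[tty] = (cmd, user)
    return found

def root_from_non_wheel(transitions, wheel=WHEEL):
    """Chain su hops per tty by start time; report ttys where root was reached
    from an identity outside wheel (the policy Message 2 describes)."""
    by_tty = defaultdict(list)
    for tty, invoker, target, start in transitions:
        by_tty[tty].append((start, invoker, target))
    alerts = []
    for tty, hops in sorted(by_tty.items()):
        hops.sort()  # same-day "Tue Dec 14 HH:MM" strings sort lexically
        chain = [hops[0][1]]
        for _, invoker, target in hops:
            if invoker == chain[-1]:
                chain.append(target)
        if "root" in chain and chain[0] not in wheel:
            alerts.append((tty, chain))
    return alerts
```

Running `root_from_non_wheel(su_transitions(parse(SAMPLE)))` on the sample yields the single chain tugstugi, tsgan, root on tty #C:5:0x1, which is the sequence Ganbold's excerpt shows.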