Date: Fri, 17 Dec 2004 21:10:19 +0500
From: "tester" <tester@mail.mydsl.net.pk>
To: freebsd-hackers@freebsd.org
Subject: Re: freebsd-hackers Digest, Vol 91, Issue 7
Message-ID: <20041217160843.M12936@mail.mydsl.net.pk>
In-Reply-To: <20041217120106.CE9FB16A4FD@hub.freebsd.org>
References: <20041217120106.CE9FB16A4FD@hub.freebsd.org>
How did you change the limit to 800 pkt/sec? This would be around 12 Mb/sec of traffic.

On Fri, 17 Dec 2004 12:01:06 +0000 (GMT), freebsd-hackers-request wrote
> Send freebsd-hackers mailing list submissions to
>         freebsd-hackers@freebsd.org
> 
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> or, via email, send a message with subject or body 'help' to
>         freebsd-hackers-request@freebsd.org
> 
> You can reach the person managing the list at
>         freebsd-hackers-owner@freebsd.org
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of freebsd-hackers digest..."
> 
> Today's Topics:
> 
>    1. -CURRENT problems with WCCP/high load (Gaspar Chilingarov)
>    2. Strange command histories in hacked shell server (Ganbold)
>    3. Re: -CURRENT problems with WCCP/high load (Andre Oppermann)
>    4. Re: brute3.tar.gz (John Von Essen)
>    5. Re: Multi-volume compressed dumps on DVDs (Dag-Erling Smørgrav)
>    6. Re: duplicate CVS modules in merged CVSROOT (Dag-Erling Smørgrav)
>    7. Re: using two keyboards at the same time (Dag-Erling Smørgrav)
>    8. Re: duplicate CVS modules in merged CVSROOT (Dmitry Morozovsky)
>    9. Re: duplicate CVS modules in merged CVSROOT (Roman Kurakin)
>   10. Re: nfs within jail (Matt)
>   11. USB video? (David Gilbert)
>   12. Re: nfs within jail (David Scheidt)
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Thu, 16 Dec 2004 00:46:05 +0400 (AMT)
> From: "Gaspar Chilingarov" <nm@web.am>
> Subject: -CURRENT problems with WCCP/high load
> To: freebsd-hackers@freebsd.org
> Message-ID: <53000.217.113.1.123.1103143565.squirrel@webmail.web.am>
> Content-Type: text/plain;charset=utf-8
> 
> Hello!
> 
> machine panics under load (800pkt/sec, 600-800 kByte/sec traffic)
> 
> I got a dual pIII 1Ghz machine with today's -current,
> ipfirewall_forward option enabled, several Intel Express cards
> inside. kernel is GENERIC with some stripped drivers, witness,
> invariants, debugging etc disabled. compiled with -O2 -pipe, no arch
> flags.
> 
> running squid with wccp2 patch, loaded modules -- acpi, ipfw, if_gre.
> 
> on another side is a cisco router which redirects traffic to freebsd
> box using wccp2.
> 
> after running several seconds under the load -- 7-10 seconds --
> computer panics in process swi:net.
> 
> kernel world compilation runs without any failures or crashes -- so
> i'm sure that this is a software problem.
> 
> anyone interested in kernel corefile or not? I can provide any additional
> information if anyone is interested.
> 
> please reply directly to my mail address, i'm not on list )
> 
> with best regards, Gaspar Chilingarov
> 
> ------------------------------
> 
> Message: 2
> Date: Thu, 16 Dec 2004 20:31:05 +0800
> From: Ganbold <ganbold@micom.mng.net>
> Subject: Strange command histories in hacked shell server
> To: freebsd-security@freebsd.org
> Cc: freebsd-hackers@freebsd.org
> Message-ID: <6.2.0.14.2.20041216195558.030b0eb0@202.179.0.80>
> Content-Type: text/plain; charset="us-ascii"; format=flowed
> 
> Hi,
> 
> Sorry for cross posting.
> 
> I have a FreeBSD 5.3-stable server which serves as a public shell
> server.
> 
> FreeBSD public.ub.mng.net 5.3-STABLE FreeBSD 5.3-STABLE #6: Wed Nov 24
> 15:55:36 ULAT 2004
> tsgan@public.ub.mng.net:/usr/obj/usr/src/sys/PSH  i386
> 
> It has ssh and proftp-1.2.10 daemons.
> 
> However it was hacked and I'm trying to analyze it and having some
> difficulties.
> 
> Machine is configured in such a way that everyone can create an
> account themselves. Some user dir permissions:
> ...
> drwxr-xr-x  2 root      wheel   512 Mar 29  2004 new
> drwx------  3 tamiraad  unix    512 Apr  9  2004 tamiraad
> drwxr-xr-x  6 tsgan     tsgan  1024 Dec 16 17:51 tsgan
> drwx------  4 tugstugi  unix    512 Dec 13 20:34 tugstugi
> drwxr-xr-x  5 unix      unix    512 Dec 13 12:37 unix
> ...
> User should log on as new with password new to create an account.
> 
> Accounting is enabled and kern.securelevel is set to 2.
> Only one account 'tsgan' is in wheel group and only tsgan can become
> root using su.
> 
> Following is some strange output from grave-robber (coroner
> toolkit):
> ...
> Dec 13 04 20:18:40     5 m.c -rw-rw----  tugstugi smmsp /var/spool/clientmqueue/dfiBDCIeD0001529
> Dec 13 04 20:34:58   512 m.. drwx------  tugstugi unix  /home/tugstugi
> Dec 13 04 20:35:57   512 ..c drwx------  tugstugi unix  /home/tugstugi
> Dec 14 04 00:19:56     0 m.c -rw-rw-rw-  tugstugi unix  /home/tugstugi/.myrc
> Dec 14 04 00:20:50  9665 m.. -rw-r--r--  tugstugi unix  /home/tsgan/.tmp/known_hosts
>                     9665 m.c -rw-r--r--  tugstugi unix  /home/tugstugi/.ssh/known_hosts
> Dec 15 04 19:12:21  1002 m.c -rw-------  tugstugi unix  /home/tugstugi/.shrc
> ...
> Somehow he seems to have copied /home/tugstugi/.ssh/known_hosts to
> /home/tsgan/.tmp/known_hosts.
> I don't know why.
> 
> Following is lastcomm output:
> ...
> sshd     -F  tugstugi  __        0.16 secs Tue Dec 14 23:01
> sh       -   tugstugi  #C:5:0x1  0.03 secs Tue Dec 14 23:02
> su       -   tugstugi  #C:5:0x1  0.02 secs Tue Dec 14 23:38
> ...
> sshd     -F  tugstugi  __        0.08 secs Tue Dec 14 22:41
> sh       -   tugstugi  #C:5:0x1  0.02 secs Tue Dec 14 22:41
> who      -   tugstugi  #C:5:0x1  0.00 secs Tue Dec 14 22:52
> su       -   tugstugi  #C:5:0x1  0.02 secs Tue Dec 14 22:48
> sh       -   tsgan     #C:5:0x1  0.00 secs Tue Dec 14 22:48
> ls       -   tsgan     #C:5:0x1  0.00 secs Tue Dec 14 22:52
> su       -   tsgan     #C:5:0x1  0.02 secs Tue Dec 14 22:49
> csh      -   root      #C:5:0x1  0.03 secs Tue Dec 14 22:49
> ...
> 
> In the above I think he had already hijacked my account and root password, so
> he used su to become root.
> 
> sshd     -F  tsgan     __        0.02 secs Tue Dec 14 00:27
> sh       -   tsgan     ttyp0     0.02 secs Tue Dec 14 00:27
> cat      -   tsgan     ttyp0     0.00 secs Tue Dec 14 00:28
> su       -   tsgan     ttyp0     0.00 secs Tue Dec 14 00:28
> sleep    -   tsgan     ttyp0     0.00 secs Tue Dec 14 00:27
> ^^^^^^
> stty     -   tsgan     ttyp0     0.00 secs Tue Dec 14 00:27
> stty     -   tsgan     ttyp0     0.00 secs Tue Dec 14 00:27
> ^^^^^^
> fortune  -   tsgan     ttyp0     0.00 secs Tue Dec 14 00:27
> ...
> 
> I don't quite understand why he used sleep and stty commands in the
> above. My suspicion is tty hijacking. Am I right? Correct me if I'm wrong.
> 
> sleep    -   tugstugi  #C:5:0x2  0.00 secs Tue Dec 14 00:24
> stty     -   tugstugi  #C:5:0x2  0.00 secs Tue Dec 14 00:24
> stty     -   tugstugi  #C:5:0x2  0.00 secs Tue Dec 14 00:24
> ...
> id       -   tugstugi  #C:5:0x2  0.00 secs Tue Dec 14 00:24
> sleep    -   tugstugi  #C:5:0x2  0.00 secs Tue Dec 14 00:24
> stty     -   tugstugi  #C:5:0x2  0.00 secs Tue Dec 14 00:24
> stty     -   tugstugi  #C:5:0x2  0.00 secs Tue Dec 14 00:24
> id       -   tugstugi  #C:5:0x2  0.00 secs Tue Dec 14 00:24
> cat      -   tsgan     #C:5:0x2  0.00 secs Tue Dec 14 00:24
> ls       -   tsgan     #C:5:0x2  0.00 secs Tue Dec 14 00:24
> su       -   tsgan     #C:5:0x2  0.02 secs Tue Dec 14 00:23
> sh       -   tugstugi  #C:5:0x2  0.00 secs Tue Dec 14 00:23
> ls       -   tugstugi  #C:5:0x2  0.00 secs Tue Dec 14 00:23
> id       -   tugstugi  #C:5:0x2  0.00 secs Tue Dec 14 00:23
> ls       -   tugstugi  #C:5:0x2  0.00 secs Tue Dec 14 00:23
> sleep    -   tugstugi  #C:5:0x2  0.00 secs Tue Dec 14 00:23
> stty     -   tugstugi  #C:5:0x2  0.00 secs Tue Dec 14 00:23
> stty     -   tugstugi  #C:5:0x2  0.00 secs Tue Dec 14 00:23
> ls       -   tugstugi  #C:5:0x2  0.00 secs Tue Dec 14 00:23
> id       -   tugstugi  #C:5:0x2  0.00 secs Tue Dec 14 00:23
> ls       -   tugstugi  #C:5:0x2  0.00 secs Tue Dec 14 00:23
> cat      -   tsgan     #C:5:0x2  0.00 secs Tue Dec 14 00:23
> su       -   tsgan     #C:5:0x2  0.02 secs Tue Dec 14 00:23
> cat      -   tsgan     #C:5:0x2  0.00 secs Tue Dec 14 00:22
> sleep    -   tsgan     #C:5:0x2  0.00 secs Tue Dec 14 00:22
> stty     -   tsgan     #C:5:0x2  0.00 secs Tue Dec 14 00:22
> stty     -   tsgan     #C:5:0x2  0.00 secs Tue Dec 14 00:22
> fortune  -   tsgan     #C:5:0x2  0.00 secs Tue Dec 14 00:22
> ...
> 
> One more strange thing is "#C:5:0x2". What is this?
> 
> Again I'm suspecting that this guy hijacked my tty and got tsgan,
> and then he could log my keystrokes and get the root password. Am I right?
> 
> Please give me some advice and info regarding this kind of hack.
> What should I do in order to secure my shell server? I mean except
> securelevel, unneeded services etc.
> Can somebody give me some hints on file and directory permissions?
> Is there anybody who has a similar server config and already had such
> issues and problems? I appreciate it very much if somebody will help me
> in this regard.
> 
> thanks in advance,
> 
> Ganbold
> 
> ------------------------------
> 
> Message: 3
> Date: Thu, 16 Dec 2004 14:22:05 +0100
> From: Andre Oppermann <andre@freebsd.org>
> Subject: Re: -CURRENT problems with WCCP/high load
> To: nm@web.am
> Cc: freebsd-hackers@freebsd.org
> Message-ID: <41C18BFD.4050109@freebsd.org>
> Content-Type: text/plain; charset=UTF-8; format=flowed
> 
> Gaspar Chilingarov wrote:
> > Hello!
> > 
> > machine panics under load (800pkt/sec, 600-800 kByte/sec traffic)
> > 
> > I got a dual pIII 1Ghz machine with today's -current, ipfirewall_forward option
> > enabled, several Intel Express cards inside. kernel is GENERIC with some
> > stripped drivers, witness, invariants, debugging etc disabled. compiled with
> > -O2 -pipe, no arch flags.
> > 
> > running squid with wccp2 patch, loaded modules -- acpi, ipfw, if_gre.
> > 
> > on another side is a cisco router which redirects traffic to freebsd box using
> > wccp2.
> > 
> > after running several seconds under the load -- 7-10 seconds -- computer panics
> > in process swi:net.
> > 
> > kernel world compilation runs without any failures or crashes -- so i'm sure
> > that this is a software problem.
> > 
> > anyone interested in kernel corefile or not? I can provide any additional
> > information if anyone is interested.
> > 
> > please reply directly to my mail address, i'm not on list )
> 
> We need a backtrace. A description of how to obtain backtraces is in
> the FreeBSD handbook.
> 
> -- 
> Andre
> 
> ------------------------------
> 
> Message: 4
> Date: Thu, 16 Dec 2004 08:49:57 -0500 (EST)
> From: John Von Essen <john@essenz.com>
> Subject: Re: brute3.tar.gz
> To: Peter Jeremy <PeterJeremy@optushome.com.au>
> Cc: hackers@freebsd.org
> Message-ID: <20041216083803.A87235@beck.quonix.net>
> Content-Type: TEXT/PLAIN; charset=US-ASCII
> 
> Running tcpdump to a file worked out. This morning I was able to
> find the source machine by looking at that packet capture file.
> Someone gained legitimate access to the box via ssh using the oracle
> user. My stupid incompetent DBAs never set the password to
> something that wouldn't be obvious, like something other than
> oracle/oracle. Argh! I hate DBAs - all they do is mess shit up...
> and yet they make more money than sysadmins
> (at least at this company).
> 
> -john
> 
> On Thu, 16 Dec 2004, Peter Jeremy wrote:
> 
> > On Wed, 2004-Dec-15 18:55:20 -0500, John Von Essen wrote:
> > >Whatever this thing is, it's tricky. It only runs a few times a day, so it
> > >is tough to find the culprit source with ethereal unless I run ethereal
> > >all day. In packet capture mode.
> > 
> > Depending on how much disk space you have spare on your firewall and
> > how much ssh traffic you get normally, running "tcpdump -w ... port 22"
> > for a day or so may be feasible. You can add the target box's address
> > to the filter and you won't get anything except the culprit address.
> > (Of course, permanently running tcpdump may or may not be practical for
> > other reasons).
> > 
> > -- 
> > Peter Jeremy
> 
> ------------------------------
> 
> Message: 5
> Date: Thu, 16 Dec 2004 17:14:55 +0100
> From: des@des.no (Dag-Erling Smørgrav)
> Subject: Re: Multi-volume compressed dumps on DVDs
> To: Peter Jeremy <PeterJeremy@optushome.com.au>
> Cc: freebsd-hackers@freebsd.org
> Message-ID: <xzpoegudxts.fsf@dwp.des.no>
> Content-Type: text/plain; charset=iso-8859-1
> 
> Peter Jeremy <PeterJeremy@optushome.com.au> writes:
> > Has anyone looked at modifying dump/restore to support:
> > 1) Dumping onto DVDs (sending the appropriate "close volume" command)
> > 2) Compressed multi-volume dumps
> > This means monitoring the compressed data stream and flushing the
> > compress engine state at the end of each volume (so that each volume
> > remains an independent entity for restore purposes).
> 
> 'man dump', look for the -P option.
> 
> DES
> -- 
> Dag-Erling Smørgrav - des@des.no
> 
> ------------------------------
> 
> Message: 6
> Date: Thu, 16 Dec 2004 17:16:15 +0100
> From: des@des.no (Dag-Erling Smørgrav)
> Subject: Re: duplicate CVS modules in merged CVSROOT
> To: Dmitry Morozovsky <marck@FreeBSD.org>
> Cc: hackers@FreeBSD.org
> Message-ID: <xzpk6ridxrk.fsf@dwp.des.no>
> Content-Type: text/plain; charset=iso-8859-1
> 
> Dmitry Morozovsky <marck@FreeBSD.org> writes:
> > It seems some checks should be added to module merging code...
> 
> ...or somebody should stop using the merged CVSROOT.
> 
> DES
> -- 
> Dag-Erling Smørgrav - des@des.no
> 
> ------------------------------
> 
> Message: 7
> Date: Thu, 16 Dec 2004 17:20:08 +0100
> From: des@des.no (Dag-Erling Smørgrav)
> Subject: Re: using two keyboards at the same time
> To: "Norbert Koch" <NKoch@demig.de>
> Cc: freebsd-hackers@freebsd.org
> Message-ID: <xzpfz26dxl3.fsf@dwp.des.no>
> Content-Type: text/plain; charset=iso-8859-1
> 
> "Norbert Koch" <NKoch@demig.de> writes:
> > if (select (maxfd, & ofds, NULL, NULL, NULL) == -1)
> 
> maxfd + 1
> 
> DES
> -- 
> Dag-Erling Smørgrav - des@des.no
> 
> ------------------------------
> 
> Message: 8
> Date: Thu, 16 Dec 2004 20:32:15 +0300 (MSK)
> From: Dmitry Morozovsky <marck@FreeBSD.org>
> Subject: Re: duplicate CVS modules in merged CVSROOT
> To: Dag-Erling Smørgrav <des@des.no>
> Cc: hackers@FreeBSD.org
> Message-ID: <20041216203126.E26781@woozle.rinet.ru>
> Content-Type: TEXT/PLAIN; charset=US-ASCII
> 
> On Thu, 16 Dec 2004, [iso-8859-1] Dag-Erling Smørgrav wrote:
> 
> DS> > It seems some checks should be added to module merging code...
> DS> 
> DS> ...or somebody should stop using the merged CVSROOT.
> 
> In general, yes. But then, all cvsup mirror infrastructure should be
> converted, which is a non-trivial and long process.
> 
> Sincerely,
> D.Marck                                     [DM5020, MCK-RIPE, DM3-RIPN]
> ---------------------------------------------------------------------------
> *** Dmitry Morozovsky --- D.Marck --- Wild Woozle --- marck@FreeBSD.org ***
> ---------------------------------------------------------------------------
> 
> ------------------------------
> 
> Message: 9
> Date: Fri, 17 Dec 2004 00:09:45 +0300
> From: Roman Kurakin <rik@cronyx.ru>
> Subject: Re: duplicate CVS modules in merged CVSROOT
> To: Dag-Erling Smørgrav <des@des.no>
> Cc: Dmitry Morozovsky <marck@FreeBSD.org>
> Message-ID: <41C1F999.2080008@cronyx.ru>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> 
> Dag-Erling Smørgrav:
> 
> >Dmitry Morozovsky <marck@FreeBSD.org> writes:
> >
> >>It seems some checks should be added to module merging code...
> >
> >...or somebody should stop using the merged CVSROOT.
> >
> I suggest to add prefixes like src_cut, port_cut while merging.
> 
> rik
> 
> >DES
> 
> ------------------------------
> 
> Message: 10
> Date: Thu, 16 Dec 2004 19:12:53 -0800
> From: Matt <mhersant@comcast.net>
> Subject: Re: nfs within jail
> To: hackers@freebsd.org
> Message-ID: <41C24EB5.8050603@comcast.net>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> 
> stefan.schmidt@stadtbuch.de wrote:
> 
> >Matt,
> >
> >there's nfsshell, an FTP-like client.
> >just google for nfsshell.
> >
> >Won't help in case of NFS4, I guess :-(
> >
> >Stefan
> >
> Thanks. I'd like to try the nfsshell, but I can't get it to build.
> It doesn't appear to be a port either. I'm an amateur C coder at
> best. Could someone take a quick look? It's a very small program.
> Sources are here: http://www.cs.vu.nl/pub/leendert/nfsshell.tar.gz
> Release doesn't use autoconfig. Build dies with error:
> 
> nfs.c:53:27: sys/sysmacros.h: No such file or directory
> 
> Thanks for any help.
> 
> ------------------------------
> 
> Message: 11
> Date: Fri, 17 Dec 2004 00:00:53 -0500
> From: David Gilbert <dgilbert@dclg.ca>
> Subject: USB video?
> To: freebsd-hackers@freebsd.org
> Message-ID: <16834.26629.534978.397993@canoe.dclg.ca>
> Content-Type: text/plain; charset=us-ascii
> 
> Ok ... this is a wacky product. Sometimes you end up with a cord
> that just looks wrong ... two ends that shouldn't go together (like
> the X10 computer module I have --- it has a power "block" that plugs
> into the wall and provides a phone jack. Then there's a cable that
> goes phone jack to serial --- that's just wrong.) .... similarly,
> USB2 to VGA is just wrong:
> 
> http://www.tigerdirect.ca/applications/searchtools/item-Details.asp?EdpNo=1088606&sku=T26-1034&CMP=EMC-TIGEREMAIL&SRCCODE=CANEM268
> 
> That all said, is there some standard for USB video and do we plan to
> support it?
> 
> Dave.
> 
> -- 
> ============================================================================
> |David Gilbert, Independent Contractor.       | Two things can only be     |
> |Mail:       dave@daveg.ca                    | equal if and only if they  |
> |http://daveg.ca                              | are precisely opposite.    |
> =========================================================GLO================
> 
> ------------------------------
> 
> Message: 12
> Date: Fri, 17 Dec 2004 02:34:05 -0500
> From: David Scheidt <dmschei@attglobal.net>
> Subject: Re: nfs within jail
> To: Matt <mhersant@comcast.net>
> Cc: hackers@freebsd.org
> Message-ID: <41C28BED.9070508@attglobal.net>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> 
> Matt wrote:
> 
> > stefan.schmidt@stadtbuch.de wrote:
> >
> >> Matt,
> >>
> >> there's nfsshell, an FTP-like client.
> >> just google for nfsshell.
> >>
> >> Won't help in case of NFS4, I guess :-(
> >>
> >> Stefan
> >>
> > Thanks. I'd like to try the nfsshell, but I can't get it to build.
> > It doesn't appear to be a port either. I'm an amateur C coder at
> > best. Could someone take a quick look? It's a very small program.
> > Sources are here: http://www.cs.vu.nl/pub/leendert/nfsshell.tar.gz
> > Release doesn't use autoconfig. Build dies with error:
> >
> > nfs.c:53:27: sys/sysmacros.h: No such file or directory
> >
> Commenting this line out is sufficient to compile. You then need to
> change the LIBS line in the make file, removing -lsocket, -lnsl, and
> -lrpcsoc. That's enough to make it link. I'm unable to actually
> see if it'll work, though.
> 
> David
> 
> ------------------------------
> 
> _______________________________________________
> freebsd-hackers@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"
> 
> End of freebsd-hackers Digest, Vol 91, Issue 7
> **********************************************

-- 
GOL BrainNet Online (http://forums.gol.net.pk)
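The lastcomm(1) excerpts in Ganbold's message (Message 2 in the quoted digest) are hard to read because the records are listed newest first and the same tty carries processes of three different users. The block below is an added example, not code from the thread or from FreeBSD: it parses lastcomm-format lines, sorts them into chronological order and, for every su record, reports which user the same tty was running as afterwards, so a chain such as tugstugi -> tsgan -> root on one terminal falls out directly. The sample records are constructed in the format the post quotes and are not the original accounting data. Two facts worth knowing when reading the real output: the `#C:5:0x1` strings in the tty column are the fallback form devname(3) returns when it cannot map a character-device number to a name (here major 5, minor 0x1), so they still identify one terminal; and lastcomm has one-minute resolution, so the code keeps lastcomm's own listing order for records within the same minute. The correlation assumes that records sharing a tty value belong to one terminal session, and it tells you only what process accounting recorded: once the attacker had root, the accounting file itself is no longer trustworthy evidence.

```python
"""Reconstruct su(1) account hops from FreeBSD lastcomm(1) output.

Added example, not code from the thread. The sample records below are
constructed in the format the post quotes (command, flags, user, tty,
CPU seconds, timestamp); they are not the original accounting data.
Assumption: records that share a tty value (including an unresolved
'#C:maj:min' one) were run on the same terminal session.
"""
import re
from datetime import datetime

# COMMAND FLAGS USER TTY SECS "secs" DAY MON DD HH:MM  (lastcomm prints newest first)
LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<flags>\S+)\s+(?P<user>\S+)\s+(?P<tty>\S+)\s+"
    r"(?P<secs>\d+\.\d+)\s+secs\s+"
    r"(?P<when>[A-Za-z]{3}\s+[A-Za-z]{3}\s+\d{1,2}\s+\d{2}:\d{2})\s*$"
)

# Constructed sample in lastcomm order (newest first); 'alice' is a control user.
SAMPLE = """\
csh      -   root      #C:5:0x1  0.03 secs Tue Dec 14 22:49
su       -   tsgan     #C:5:0x1  0.02 secs Tue Dec 14 22:49
sh       -   tsgan     #C:5:0x1  0.00 secs Tue Dec 14 22:48
su       -   tugstugi  #C:5:0x1  0.02 secs Tue Dec 14 22:48
sh       -   tugstugi  #C:5:0x1  0.02 secs Tue Dec 14 22:41
sshd     -F  tugstugi  __        0.08 secs Tue Dec 14 22:41
ls       -   alice     ttyp2     0.00 secs Tue Dec 14 21:10
sh       -   alice     ttyp2     0.01 secs Tue Dec 14 21:09
"""


def parse(text, year=2004):
    """Parse lastcomm lines into dicts, oldest first.

    lastcomm has minute resolution, so records inside one minute keep the
    order lastcomm listed them (newest first, then reversed here).
    Lines that do not match the record format (headers, '...') are skipped.
    """
    recs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        r = m.groupdict()
        stamp = " ".join(r["when"].split()) + f" {year}"
        r["when"] = datetime.strptime(stamp, "%a %b %d %H:%M %Y")
        r["secs"] = float(r["secs"])
        recs.append(r)
    recs.reverse()                       # newest-first -> oldest-first
    recs.sort(key=lambda r: r["when"])   # stable sort: ties keep listing order
    return recs


def su_hops(recs):
    """For every su record, find who the same tty was running as afterwards.

    Returns tuples (tty, from_user, to_user, first_cmd_as_to_user, 'Mon DD HH:MM').
    """
    by_tty = {}
    for r in recs:
        if r["tty"] == "__":             # no controlling tty: daemons such as sshd
            continue
        by_tty.setdefault(r["tty"], []).append(r)
    hops = []
    for tty, rs in by_tty.items():
        for i, r in enumerate(rs):
            if r["cmd"] != "su":
                continue
            # The first later record on this tty under another uid is who su landed on.
            for nxt in rs[i + 1:]:
                if nxt["user"] != r["user"]:
                    hops.append((tty, r["user"], nxt["user"], nxt["cmd"],
                                 nxt["when"].strftime("%b %d %H:%M")))
                    break
    return hops


def chains(hops):
    """Link consecutive hops on one tty: a->b then b->c becomes [a, b, c]."""
    out = {}
    for tty, src, dst, _cmd, _when in hops:
        path = out.get(tty)
        if path and path[-1] == src:
            path.append(dst)
        else:
            out[tty] = [src, dst]
    return out


if __name__ == "__main__":
    hops = su_hops(parse(SAMPLE))
    for tty, src, dst, cmd, when in hops:
        print(f"{when} {tty}: su by {src}, next process runs as {dst} ({cmd})")
    for tty, path in chains(hops).items():
        print(f"{tty}: {' -> '.join(path)}")
```

Run against a real `lastcomm` dump, the `chains()` output answers the question the post asks in one line per terminal: which account the session started as, which account it became, and whether it reached root. Sessions where a wheel user's own tty shows an su preceded by another user's processes are the ones to look at first.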