2003-03-19 15:35:30

by Richard B. Johnson

Subject: Everything gone!

Hello.
I log to new account of RedHat 8.0 and do
cd /
for x in `find . -name "*"` ; do /bin/rm $x; done
See I am UNIX Expert NO?

After, I cant log in?
How do get back all after /?



2003-03-19 15:49:15

by Richard B. Johnson

Subject: Re: Everything gone!

On Wed, 19 Mar 2003, Richard B. Johnson wrote:

> Hello.
> I log to new account of RedHat 8.0 and do
> cd /
> for x in `find . -name "*"` ; do /bin/rm $x; done
> See I am UNIX Expert NO?
>
> After, I cant log in?
> How do get back all after /?
>

Really? How did you do this?
Clone my machine-name and domain, I mean? Without -bs in the
header? I need to know. This could be exploited and needs
to be fixed.


Cheers,
Dick Johnson
Penguin : Linux version 2.4.20 on an i686 machine (797.90 BogoMips).
Why is the government concerned about the lunatic fringe? Think about it.

2003-03-19 15:53:42

by Matthias Schniedermeyer

Subject: Re: Everything gone!

On Wed, Mar 19, 2003 at 10:46:11AM -0500, Richard B. Johnson wrote:
> Hello.
> I log to new account of RedHat 8.0 and do
> cd /
> for x in `find . -name "*"` ; do /bin/rm $x; done
> See I am UNIX Expert NO?
>
> After, I cant log in?
> How do get back all after /?

Hmmm.
rm -rf *
Should do the same(*) but with much better speed.

Normally the system should lock up at some time while doing it.




*: OK. The version above will "break" in the middle after "/bin/rm" (or
"/lib/libc.so.6") got deleted.




Until then

--
Real Programmers consider "what you see is what you get" to be just as
bad a concept in Text Editors as it is in women. No, the Real Programmer
wants a "you asked for it, you got it" text editor -- complicated,
cryptic, powerful, unforgiving, dangerous.

2003-03-19 16:08:53

by Richard B. Johnson

Subject: Re: Everything gone!

On Wed, 19 Mar 2003, Matthias Schniedermeyer wrote:

> On Wed, Mar 19, 2003 at 10:46:11AM -0500, Richard B. Johnson wrote:
> > Hello.
> > I log to new account of RedHat 8.0 and do
> > cd /
> > for x in `find . -name "*"` ; do /bin/rm $x; done
> > See I am UNIX Expert NO?
> >
> > After, I cant log in?
> > How do get back all after /?
>
> Hmmm.
> rm -rf *
> Should do the same(*) but with much better speed.
>
> Normally the system should lock up at some time while doing it.
>
>
>
>
> *: OK. The version above will "break" in the middle after "/bin/rm" (or
> "/lib/libc.so.6") got deleted.
>
>

The mysterious thing is the message didn't come from this site!
User johnson didn't log onto that machine since yesterday as
the enclosed `typescript` will show. It's obviously some kind
of joke, but I think this means I could be blamed for sending
something the "Net Nazis" would dislike.

It's not hard to clone a header, but this header does not look
cloned...


Cheers,
Dick Johnson
Penguin : Linux version 2.4.20 on an i686 machine (797.90 BogoMips).
Why is the government concerned about the lunatic fringe? Think about it.


Attachments:
typescript (10.50 kB)

2003-03-19 16:27:11

by Xavier Bestel

Subject: Re: Everything gone!

On Wed 19/03/2003 at 17:04, Matthias Schniedermeyer wrote:

> rm -rf *
> Should do the same(*) but with much better speed.
>
> Normally the system should lock up at some time while doing it.
>
>
>
>
> *: OK. The version above will "break" in the middle after "/bin/rm" (or
> "/lib/libc.so.6") got deleted.

That would be surprising. Did you actually try it ? :)

Xav

2003-03-19 16:40:41

by Eli Carter

Subject: Re: Everything gone!

Xavier Bestel wrote:
> On Wed 19/03/2003 at 17:04, Matthias Schniedermeyer wrote:
>
>
>>rm -rf *
>>Should do the same(*) but with much better speed.
>>
>>Normally the system should lock up at some time while doing it.
>>
>>
>>
>>
>>*: OK. The version above will "break" in the middle after "/bin/rm" (or
>>"/lib/libc.so.6") got deleted.
>
>
> That would be surprising. Did you actually try it ? :)

The complex version that you snipped would break because it invokes rm
for each file. The simpler version he gave would not break at that
point because it is already running. Hence the footnote ton the word
'same'.

HTH,

Eli
--------------------. "If it ain't broke now,
Eli Carter \ it will be soon." -- crypto-gram
eli.carter(a)inet.com `-------------------------------------------------

2003-03-19 16:48:37

by Richard B. Johnson

Subject: Re: Everything gone!

On Wed, 19 Mar 2003, Xavier Bestel wrote:

> On Wed 19/03/2003 at 17:04, Matthias Schniedermeyer wrote:
>
> > rm -rf *
> > Should do the same(*) but with much better speed.
> >
> > Normally the system should lock up at some time while doing it.
> >
> >
> >
> >
> > *: OK. The version above will "break" in the middle after "/bin/rm" (or
> > "/lib/libc.so.6") got deleted.
>
> That would be surprising. Did you actually try it ? :)
>
> Xav

I think that, with a single instance of `rm`, not as written above,
this would complete because all the open runtime libraries would
remain mem-mapped until the last close. So, I think you could
remove everything with -rf except the programs that will return
'text file busy' errors because they are open for execution.

Ah, no. I am not going to try it! Well maybe sometime when I
mount an alternate root that I am going to replace.


Cheers,
Dick Johnson
Penguin : Linux version 2.4.20 on an i686 machine (797.90 BogoMips).
Why is the government concerned about the lunatic fringe? Think about it.

2003-03-19 17:01:56

by Xavier Bestel

Subject: Re: Everything gone!

On Wed 19/03/2003 at 17:51, Eli Carter wrote:
> Xavier Bestel wrote:
> > On Wed 19/03/2003 at 17:04, Matthias Schniedermeyer wrote:
> >
> >
> >>rm -rf *
> >>Should do the same(*) but with much better speed.
> >>
> >>Normally the system should lock up at some time while doing it.
> >>
> >>
> >>
> >>
> >>*: OK. The version above will "break" in the middle after "/bin/rm" (or
> >>"/lib/libc.so.6") got deleted.
> >
> >
> > That would be surprising. Did you actually try it ? :)
>
> The complex version that you snipped would break because it invokes rm
> for each file. The simpler version he gave would not break at that
> point because it is already running. Hence the footnote ton the word
> 'same'.

Aah, yes; I read a bit too fast. *hides*

Xav

2003-03-19 17:22:27

by John Jasen

Subject: Re: Everything gone!

On Wed, 19 Mar 2003, Richard B. Johnson wrote:

> Really? How did you do this?
> Clone my machine-name and domain, I mean? Without -bs in the
> header? I need to know. This could be exploited and needs
> to be fixed.

Perhaps:

telnet target.system 25
enter SMTP commands
quit

--
-- John E. Jasen ([email protected])
-- User Error #2361: Please insert coffee and try again.


2003-03-19 17:37:43

by Richard B. Johnson

Subject: Re: Everything gone!

On Wed, 19 Mar 2003, John Jasen wrote:

> On Wed, 19 Mar 2003, Richard B. Johnson wrote:
>
> > Really? How did you do this?
> > Clone my machine-name and domain, I mean? Without -bs in the
> > header? I need to know. This could be exploited and needs
> > to be fixed.
>
> Perhaps:
>
> telnet target.system 25
> enter SMTP commands
> quit

Ah yes! And I just tried it! The target system was the one
that the mail pretended to come from and it has sendmail
running and will forward from within the domain. So, that
sendmail gets a mail message as though it came directly from
itself so it will forward it.


Cheers,
Dick Johnson
Penguin : Linux version 2.4.20 on an i686 machine (797.90 BogoMips).
Why is the government concerned about the lunatic fringe? Think about it.

2003-03-19 17:47:41

by Jesse Pollard

Subject: Re: Everything gone!

On Wednesday 19 March 2003 11:33 am, John Jasen wrote:
> On Wed, 19 Mar 2003, Richard B. Johnson wrote:
> > Really? How did you do this?
> > Clone my machine-name and domain, I mean? Without -bs in the
> > header? I need to know. This could be exploited and needs
> > to be fixed.
>
> Perhaps:
>
> telnet target.system 25
> enter SMTP commands
> quit

Normally that would record the IP of the host doing the telnet.
(the first "Received: from" line in the log list where the original says
"Received: from localhost"....)
--
-------------------------------------------------------------------------
Jesse I Pollard, II
Email: [email protected]

Any opinions expressed are solely my own.

2003-03-19 17:59:31

by Richard B. Johnson

Subject: Re: Everything gone!

On Wed, 19 Mar 2003, Jesse Pollard wrote:

> On Wednesday 19 March 2003 11:33 am, John Jasen wrote:
> > On Wed, 19 Mar 2003, Richard B. Johnson wrote:
> > > Really? How did you do this?
> > > Clone my machine-name and domain, I mean? Without -bs in the
> > > header? I need to know. This could be exploited and needs
> > > to be fixed.
> >
> > Perhaps:
> >
> > telnet target.system 25
> > enter SMTP commands
> > quit
>
> Normally that would record the IP of the host doing the telnet.
> (the first "Received: from" line in the log list where the original says
> "Received: from localhost"....)

Yes. I just looked at maillog on that machine and all I had was
the 'evidence' of me screwing with it to see. Apparently it wasn't
used for forwarding mail as I thought.


Cheers,
Dick Johnson
Penguin : Linux version 2.4.20 on an i686 machine (797.90 BogoMips).
Why is the government concerned about the lunatic fringe? Think about it.

2003-03-19 18:16:17

by Eric Weigle

Subject: Re: Everything gone!

Ok, I couldn't help but try it. I've got a 2G bochs disk image for Debian
(really a 250M holey file) I can copy and throw away.

A `rm -rfv *` as root from / does:

(removes a bunch of files, including "rm" from bin and so forth), then loops printing:
removing all entries of directory `dev/pts'
removing the directory itself `dev/pts'
removing all entries of directory `dev/pts'
removing the directory itself `dev/pts'
removing all entries of directory `dev/pts'
removing the directory itself `dev/pts'
removing all entries of directory `dev/pts'
removing the directory itself `dev/pts'
removing all entries of directory `dev/pts'
removing the directory itself `dev/pts'

It's apparently having issues with removing the mount point of the devpts
filesystem.

:)
-Eric

--
------------------------------------------------------------
Eric H. Weigle -- http://public.lanl.gov/ehw/
"They that can give up essential liberty to obtain a little
temporary safety deserve neither" -- Benjamin Franklin
------------------------------------------------------------



2003-03-19 18:22:31

by Matthias Schniedermeyer

Subject: Re: Everything gone!

On Wed, Mar 19, 2003 at 11:23:55AM -0700, Eric Weigle wrote:
> Ok, I couldn't help but try it. I've got a 2G bochs disk image for Debian
> (really a 250M holey file) I can copy and throw away.
>
> A `rm -rfv *` as root from / does:
>
> (removes a bunch of files, including "rm" from bin and so forth), then loops printing:
> removing all entries of directory `dev/pts'
> removing the directory itself `dev/pts'
> removing all entries of directory `dev/pts'
> removing the directory itself `dev/pts'
> removing all entries of directory `dev/pts'
> removing the directory itself `dev/pts'
> removing all entries of directory `dev/pts'
> removing the directory itself `dev/pts'
> removing all entries of directory `dev/pts'
> removing the directory itself `dev/pts'
>
> It's apparently having issues with removing the mount point of the devpts
> filesystem.

I think you should try it without devfs. I don't think that you can
remove directories in devfs. :-)




Until then

--
Real Programmers consider "what you see is what you get" to be just as
bad a concept in Text Editors as it is in women. No, the Real Programmer
wants a "you asked for it, you got it" text editor -- complicated,
cryptic, powerful, unforgiving, dangerous.

2003-03-19 21:08:15

by James Cloos

Subject: Re: Everything gone!

>>>>> "Richard" == Richard B Johnson <[email protected]> writes:

Richard> How did [they] do this?

If you look at the Received headers in the faked message, it actually
came to kernel.org from alog0102.analogic.com, from Analogic's
208.224.220.0/22 netblock, not from quark.analogic.com (in Analogic's
204.178.40.0/21 block) as it claimed:

Received: from alog0102.analogic.com ([208.224.220.117]:12804 "EHLO
quark.analogic.com") by vger.kernel.org with ESMTP
id <S263082AbTCSPfa>; Wed, 19 Mar 2003 10:35:30 -0500

If an analogic box was cracked, look at 208.224.220.117, not at quark.

The routing suggests they would not have been able to spoof the IP,
unless they did so over eg an 802.11 link at whatever site
208.224.220.0/22 is used.

-JimC
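
The check JimC does by eye above, as an added example that is not code from anyone in the thread: it parses the `Received:` line quoted above, takes the bracketed IP (the address the receiving MTA actually saw on the TCP connection, the one field the sender cannot choose) and compares it with the netblock implied by the announced EHLO name. The regex, the second "genuine" header and the hostname-to-netblock table are my own constructions; the netblocks themselves are the ones stated in the message.

```python
"""Added example (not code from the thread): pull the connecting IP and the
announced EHLO name out of a Received: header and check the EHLO claim
against the netblocks the thread lists for the two Analogic hosts."""
import ipaddress
import re

# Matches the vger.kernel.org Received: format quoted in the thread:
#   Received: from <rdns> ([<ip>]:<port> "EHLO <name>") by <host> ...
# The regex is my own; other MTAs format this line differently.
RECEIVED_RE = re.compile(
    r'from\s+(?P<rdns>\S+)\s+\(\[(?P<ip>[0-9.]+)\](?::\d+)?'
    r'\s+"(?:EHLO|HELO)\s+(?P<helo>[^"]+)"\)\s+by\s+(?P<by>\S+)',
    re.IGNORECASE,
)

# Netblocks as stated in the thread (hostname -> CIDR the host lives in)
ANALOGIC_BLOCKS = {
    "quark.analogic.com": "204.178.40.0/21",
    "alog0102.analogic.com": "208.224.220.0/22",
}

# The header of the spoofed message, as quoted in the thread (folded lines)
SPOOFED_RECEIVED = (
    'Received: from alog0102.analogic.com ([208.224.220.117]:12804 "EHLO\n'
    '\tquark.analogic.com") by vger.kernel.org with ESMTP\n'
    '\tid <S263082AbTCSPfa>; Wed, 19 Mar 2003 10:35:30 -0500'
)

# Constructed counter-example: what a genuine message from quark would look like
GENUINE_RECEIVED = (
    'Received: from quark.analogic.com ([204.178.40.10]:4242 "EHLO\n'
    '\tquark.analogic.com") by vger.kernel.org with ESMTP\n'
    '\tid <S000000000000000>; Wed, 19 Mar 2003 10:40:00 -0500'
)


def parse_received(header):
    """Return rdns/ip/helo/by from one Received: header, or None if no match."""
    unfolded = " ".join(header.split())  # RFC 822 folding: join continuation lines
    m = RECEIVED_RE.search(unfolded)
    if m is None:
        return None
    return {key: m.group(key) for key in ("rdns", "ip", "helo", "by")}


def assess_received(header, known_blocks):
    """Compare the IP the receiving MTA actually saw with the netblock the
    EHLO name implies. The IP in square brackets was observed on the TCP
    connection and is the trustworthy field; the EHLO name is whatever the
    client chose to announce."""
    info = parse_received(header)
    if info is None:
        raise ValueError("Received: line not in the expected format")
    ip = ipaddress.ip_address(info["ip"])
    claimed = known_blocks.get(info["helo"].lower())
    info["helo_consistent"] = (
        claimed is not None and ip in ipaddress.ip_network(claimed)
    )
    # Which known hosts' netblocks actually contain the observed IP
    info["hosts_matching_ip"] = sorted(
        host for host, block in known_blocks.items()
        if ip in ipaddress.ip_network(block)
    )
    return info


if __name__ == "__main__":
    for label, hdr in (("spoofed", SPOOFED_RECEIVED), ("genuine", GENUINE_RECEIVED)):
        r = assess_received(hdr, ANALOGIC_BLOCKS)
        print(f'{label}: EHLO {r["helo"]} from [{r["ip"]}] '
              f'consistent={r["helo_consistent"]} matches={r["hosts_matching_ip"]}')
```

Only the topmost `Received:` line written by a server you trust (here vger) is worth this treatment; anything below it in the header chain was supplied by the sender and can be forged wholesale.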

2003-03-20 01:53:50

by Joshua Kwan

Subject: Re: Everything gone!

On Wed, Mar 19, 2003 at 01:12:49PM -0500, Richard B. Johnson wrote:
> > > Perhaps:
> > >
> > > telnet target.system 25
> > > enter SMTP commands
> > > quit
> >
> > Normally that would record the IP of the host doing the telnet.
> > (the first "Received: from" line in the log list where the original says
> > "Received: from localhost"....)
>
> Yes. I just looked at maillog on that machine and all I had was
> the 'evidence' of me screwing with it to see. Apparently it wasn't
> used for forwarding mail as I thought.

Well, a nice way to do this is: (probably not syntactically correct..)

router# iptables -t nat -A PREROUTING -i lan0 -p tcp ! -s
local.network/12 -d ip.of.lan0 --dport 25 -j DROP

Depending on how your network is set up, this may or may not work... my
server box itself is masq'd so this works nicely on my network.

Regards,
Josh

--
New PGP public key: 0x27AFC3EE



2003-03-20 08:46:10

by Sean Neakums

Subject: Re: Everything gone!

commence Richard B. Johnson quotation:

> I think that, with a single instance of `rm`, not as written above,
> this would complete because all the open runtime libraries would
> remain mem-mapped until the last close. So, I think you could
> remove everything with -rf except the programs that will return
> 'text file busy' errors because they are open for execution.

Linux allows files that are being executed to be unlinked. You will
get ETXTBSY if you open the file and try to modify it, though.
get ETXTBUSY if you open the file and try to modify it, though.

--
Sean Neakums - <[email protected]>
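
Sean's correction, and the `rm -rf *` question that started the sub-thread, can be checked directly. The following is an added example, not code from anyone in the thread: it copies the system `sleep` binary into a scratch directory, starts the copy, tries to open it for writing (refused with ETXTBSY while it is executing), then unlinks it, which succeeds while the process keeps running. It finishes by reading `/proc/<pid>/exe`, which is how a responder spots a binary that was deleted after launch. The search path for `sleep`, the directory prefix and the result keys are my own assumptions.

```python
"""Added example (not code from the thread): show the Linux semantics Sean
describes. A copy of the system `sleep` binary is started, then we try to
open it for writing (fails with ETXTBSY while it is executing), unlink it
(succeeds, the process keeps running), and read /proc/<pid>/exe, which is
how a responder spots a binary that was deleted after launch."""
import errno
import os
import shutil
import subprocess
import tempfile


def find_sleep_binary():
    """Locate the system sleep binary; the path list is an assumption."""
    for path in ("/bin/sleep", "/usr/bin/sleep"):
        if os.access(path, os.X_OK):
            return path
    raise FileNotFoundError("no sleep binary found")


def demo_unlink_running_binary():
    """Return a dict describing what happened at each step."""
    workdir = tempfile.mkdtemp(prefix="etxtbsy-")  # constructed scratch dir
    target = os.path.join(workdir, "sleepcopy")
    shutil.copy2(find_sleep_binary(), target)  # copy2 keeps the execute bits
    result = {}
    # argv[0] stays "sleep" so a busybox-style multi-call binary still works;
    # Popen only returns once the child's exec has succeeded, so from here on
    # the copy is genuinely mapped as a running text segment.
    proc = subprocess.Popen(["sleep", "30"], executable=target)
    try:
        # 1. Opening a running executable for writing is refused ...
        try:
            fd = os.open(target, os.O_WRONLY)
            os.close(fd)
            result["open_for_write_errno"] = 0
        except OSError as exc:
            result["open_for_write_errno"] = exc.errno
        result["open_refused_with_etxtbsy"] = (
            result["open_for_write_errno"] == errno.ETXTBSY
        )
        # 2. ... but unlinking it is allowed: only the name goes away, the
        #    inode lives on until the last mapping/reference is dropped.
        os.unlink(target)
        result["name_gone"] = not os.path.exists(target)
        result["still_running"] = proc.poll() is None
        # 3. Forensic view: /proc/<pid>/exe still resolves, tagged "(deleted)"
        try:
            exe_link = os.readlink(f"/proc/{proc.pid}/exe")
        except OSError:
            exe_link = ""
        result["proc_exe"] = exe_link
        result["proc_exe_marked_deleted"] = exe_link.endswith("(deleted)")
    finally:
        proc.kill()
        proc.wait()
        shutil.rmtree(workdir, ignore_errors=True)
    return result


if __name__ == "__main__":
    for key, value in demo_unlink_running_binary().items():
        print(f"{key}: {value}")
```

This is exactly why a single `rm` keeps going after `/bin/rm` and libc have been unlinked, as Eric observed: the pages are already mapped, and unlink only removes the directory entry. The same property is what makes `ls -l /proc/*/exe | grep '(deleted)'` a standard check when hunting for a process whose on-disk binary was removed after it started.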