Back to Home / #linode / 2005 / 11 / Prev Day | Next Day
#linode IRC Logs for 2005-11-26

---Logopened Sat Nov 26 00:00:14 2005
00:06|-|Battousai [] has quit [Remote host closed the connection]
00:08|-|Battousai [] has joined #linode
00:08|-|Battousai [] has quit [Quit: ]
00:08|-|Battousai [] has joined #linode
00:08[~]Battousai stabs
00:08|-|ronpoz [] has quit [Quit: Trillian (]
00:34|-|internat [] has joined #linode
00:34|-|internat [] has left #linode [Leaving]
00:35|-|internat [] has joined #linode
01:34<internat>*starts swapping like a bitch*
01:34|-|Newsome [] has left #linode [Linux: Now with employee pricing!]
01:35<Battousai>you bastard
01:59|-|cmantito [] has quit [Remote host closed the connection]
02:00|-|cmantito [] has joined #linode
02:25|-|Shaun2222 [] has joined #linode
02:26|-|Shaun [] has quit [Ping timeout: 480 seconds]
02:27|-|Shaun2222 changed nick to Shaun
02:54|-|jgoebel [] has joined #linode
03:10|-|jgoebel_ [] has joined #linode
03:15|-|jgoebel [] has quit [Ping timeout: 480 seconds]
03:21|-|jgoebel [] has joined #linode
03:22|-|jgoebel [] has quit [Quit: ]
03:22|-|jgoebel [] has joined #linode
03:25|-|jgoebel_ [] has quit [Ping timeout: 480 seconds]
03:57|-|jgoebel_ [] has joined #linode
04:00|-|jgoebel__ [] has joined #linode
04:04|-|jgoebel [] has quit [Ping timeout: 480 seconds]
04:06|-|jgoebel_ [] has quit [Ping timeout: 480 seconds]
04:09|-|emcnabb [] has quit [Ping timeout: 480 seconds]
04:10|-|jgoebel [] has joined #linode
04:12|-|cmantito [] has quit [Quit: Connection reset by peer? Oh yeah? RESET THIS PEER-BOY!]
04:13|-|cmantito [] has joined #linode
04:15|-|jgoebel_ [] has joined #linode
04:15|-|jgoebel__ [] has quit [Ping timeout: 480 seconds]
04:22|-|jgoebel [] has quit [Ping timeout: 480 seconds]
04:29|-|emcnabb [] has joined #linode
04:39|-|jgoebel [] has joined #linode
04:40|-|jgoebel_ [] has quit [Ping timeout: 480 seconds]
04:46|-|jgoebel_ [] has joined #linode
04:52|-|jgoebel [] has quit [Ping timeout: 480 seconds]
05:10|-|dddd44 [dhb55@] has joined #linode
05:12|-|dddd44 [dhb55@] has quit [Read error: Connection reset by peer]
05:46|-|emcnabb [] has quit [Ping timeout: 480 seconds]
05:46|-|thoth39 [~hm@] has joined #linode
05:49|-|dddd44 [dhb55@] has joined #linode
05:50|-|Shaun2222 [] has joined #linode
05:53|-|jgoebel [] has joined #linode
05:56|-|emcnabb [] has joined #linode
05:56|-|jgoebel_ [] has quit [Ping timeout: 480 seconds]
05:58|-|Shaun [] has quit [Ping timeout: 480 seconds]
05:58|-|Shaun2222 changed nick to Shaun
06:12|-|flatronf700B [~flatronf7@] has joined #linode
06:15|-|jgoebel [] has left #linode []
06:33|-|adamg [] has quit [Ping timeout: 480 seconds]
07:15|-|emcnabb [] has quit [Ping timeout: 480 seconds]
07:25|-|emcnabb [] has joined #linode
07:47|-|vaxen [] has joined #linode
07:47<vaxen>Kernel panic - not syncing: Kernel mode fault at addr 0x85000000, ip 0x400007d0
07:47<vaxen>2nd time happened to me, trying to emerge -e system
07:56|-|bob2 [] has quit [Ping timeout: 480 seconds]
07:56|-|bob2 [] has joined #linode
08:22|-|dddd44 [dhb55@] has quit [Read error: Connection reset by peer]
08:26|-|adamg [] has joined #linode
08:26|-|dddd44 [dhb55@] has joined #linode
08:38|-|dddd44 [dhb55@] has quit [Read error: Connection reset by peer]
08:40|-|dddd44 [dhb55@] has joined #linode
08:48|-|dddd44 [dhb55@] has quit [Read error: Connection reset by peer]
08:53|-|tjfontaine [] has left #linode []
08:57|-|dddd44 [dhb55@] has joined #linode
09:06|-|harshy [] has quit [Ping timeout: 480 seconds]
09:20|-|harshy [] has joined #linode
09:28|-|thoth39 [~hm@] has quit [Remote host closed the connection]
09:42|-|spr [] has joined #linode
10:21|-|spr [] has quit [Ping timeout: 480 seconds]
10:28|-|bendy24 [] has quit [Read error: Connection timed out]
10:33|-|bendy24 [] has joined #linode
10:53|-|Newsome [] has joined #linode
10:56|-|ronpoz [] has joined #linode
11:00|-|FireSlash [] has joined #linode
11:02<FireSlash>Argh, wtf.
11:03<FireSlash>Compromised AGAIN. How are people getting into my linode!?
11:04<FireSlash>I'm running a firewall, all the latest versions of software, even ran some harding programs like bastile.
11:05<FireSlash>I'm not using phpBB or awstats either.
11:05<Redgore>you have a week link somewhere
11:05<FireSlash>I know, but the question is where ><
11:05<Redgore>what distribution ?
11:08<FireSlash>Debian sarge
11:09<Newsome>are they getting root, or some other user?
11:09<FireSlash>Last login for root was from my PC.
11:09<FireSlash>Not sure about other users, does it log user accesses?
11:10<Newsome>well, compromised in what way?
11:10<FireSlash>I don't see any damage.
11:11<Redgore>if you dont see any damage how do you know it was comprimised ?
11:11|-|Guest43 [] has joined #linode
11:11<FireSlash>My linode was shut down and I was mailed about an AUP violation for DoSing someone :P
11:11|-|adamg changed nick to Guest373
11:11|-|Guest43 changed nick to adamg
11:11|-|adamg [] has quit [Killed ( (Nick collision (new)))]
11:12|-|adamg [] has joined #linode
11:15<FireSlash>From what I can tell, this is the syslog data from the DoS packets. They're spaced about 4 per minute.
11:15<FireSlash>Nov 25 18:25:03 li-253 kernel: IN-internet:IN=eth0 OUT= MAC=fe:fd:40:05:35:fd:00:02:fc:64:d8:af:08:00 SRC= DST= LEN=56 TOS=0x00 PREC=0x00 TTL=46 ID=27490 DF PROTO=ICMP TYPE=3 CODE=3 [SRC= DST= LEN=77 TOS=0x00 PREC=0x00 TTL=47 ID=1636 FRAG:64 PROTO=UDP ]
11:16<FireSlash>Same IP eveyr time, but that IP refuses connections. Hmm.
11:16<FireSlash>Its kernel traffic though. wtf.
11:17<Newsome> often are you seeing this? once per second?
11:18|-|Guest373 [] has quit [Ping timeout: 480 seconds]
11:18<@mikegrb>FireSlash: the dos was 15,000 packets per second comming from your node
11:18<@mikegrb>what stuff do you hace installed that didn't come from a debian package?
11:19<FireSlash>Apache, MySQL, PureFTP, bastile, firehol, and any related packages.
11:19<@mikegrb>those weren't installed from debian packages?
11:20<FireSlash>Err, wait.
11:20<FireSlash>Everything from debian packages.
11:20<FireSlash>Those just didin't come pre-installed :P
11:20<FireSlash>Everything on my linode came via apt, and I do update/upgrade weekly if not more often.
11:20<Newsome>what sort of web pages do you serve?
11:21<@mikegrb>you don't have any php applications at all?
11:21<FireSlash>Oh right, php4
11:21<@mikegrb>no, php applications, beside php itself
11:21<FireSlash>Only stuff I've written myself.
11:22<FireSlash>And I look out for exploitable holes like SQL injection and such
11:22<@mikegrb>any users beside yourself?
11:24<Newsome>the php pages you've written, any upload scripts or anything?
11:25<FireSlash>The only ones that were even potentially dangerous were removed after the last time this happened >>
11:26<FireSlash>Nov 25 13:27:05 li-253 sshd[9586]: Failed password for root from ::ffff:202.107.
11:26<FireSlash>195.52 port 57340 ssh2
11:26<FireSlash>SSH requests root?
11:26<FireSlash>Oh wait. Duh.
11:26<FireSlash>Mixing up SSL and SSH this early ><
11:27<FireSlash>I don't see anything suspicious in the user logs.
11:27<FireSlash>Worst I found was someone connection spamming my FTP, probably trying to get root access. (Which is happily DENIED)
11:28<@mikegrb>no, most likely looking for anonymous ftp servers allowing upload
11:28<FireSlash>Or that.
11:28<@mikegrb>I get a few hundred attempts a day
11:29<FireSlash>I'm running out of potential entry points here mike :/
11:30<FireSlash>Just ran apt again, nothing new.
11:31<Newsome>does debian have a way to verify checksums of installed packages & binaries?
11:32<adamg>the newer apt does gpg checking
11:33<adamg>I do not know which debian distros that is in though
11:35<adamg>dont think the one in stable has it
11:35<FireSlash>Oh fucking hell.
11:35<FireSlash> - - [21/Nov/2005:09:21:03 -0500] "GET /phpmyadmin/phpinfo.php HTT
11:35<FireSlash>P/1.0" 200 12055 "-" "Wget/1.10" "-"
11:35<FireSlash>Thats getting fixed, right now.
11:36<FireSlash>But I don't think that would allow DoSing.
11:41<FireSlash>mike, has this happened to any other debian linodes?
11:42|-|ronpoz [] has quit [Read error: Connection reset by peer]
11:46<FireSlash>Well, I can't seem to find any suspect entry point ><
11:46<FireSlash>Any ideas?
11:46<FireSlash>Logs look clean, no alterations were made or suspect logins.
11:49<FireSlash>Except maybe this.................
11:49<FireSlash> <-- last login from my user account.
11:49<FireSlash>Though, I might have just logged in somewhere wierd, thats plausable. Nothing strange was done as far as I can tell.
11:51<FireSlash>Yep. Its clean.
11:51<@mikegrb>logged in somewhere weird? like from a mexican broadband provider?
11:51<FireSlash>Hmm. good point.
11:52<FireSlash>But it looks like my usual traffic o.O
11:52<@mikegrb>didn't know they provided service all the way up in ohio, pretty big service footprint
11:52<@mikegrb>it is trivial to remove stuff from .bash_history and such
11:52<FireSlash>Hmm. Point and check.
11:53<FireSlash>Question of the week: How'd they get access to my user account o.O
11:54<FireSlash>Changed the password for good measure, but I'd doubt they guessed it.
11:55<@mikegrb>or you could just disable passwords completely
11:55<FireSlash>Limit allowed IPs?
11:56<FireSlash>Great idea, except my ISP changes to different IP groups every fucking week.
11:56<@mikegrb>no, use ssh keys instead of passwords
11:59<FireSlash>But heres where it gets fun mike: Theres no log of them ever accessing SSH
11:59<FireSlash>That IP isn't in the auth logs.
12:00<FireSlash>And even if they did alter the logs, there'd still be a session close log .
12:01<FireSlash>and no, telnet isn't running.
12:04<@mikegrb>[11:49] <FireSlash> <-- last login from my user account.
12:05<@mikegrb>you said there was a log of it
12:05<FireSlash>Isn't that the last login from any program, not specifically Ssh?
12:12<FireSlash>Well, making some auth changes, password changes, I'm getting tired of people breaking into my freaking server ><
12:13<FireSlash>I'll set up SSH keys, per your suggestion. Can't hurt.
12:15|-|Redgore [~Redgore@] has quit [Quit: A geek without purpose - | SMDC-Network IRC -]
12:17|-|Redgore [~Redgore@] has joined #linode
12:25|-|FireSlash [] has quit [Quit: -- Your #1 source for cool, yet totally useless PHP scripts!]
14:42|-|futhin [] has joined #linode
14:45|-|bendy24 [] has quit [Ping timeout: 480 seconds]
14:47|-|thoth39 [] has joined #linode
14:50|-|spaceghost [] has joined #linode
14:52|-|spaceghost6 [] has joined #linode
14:54|-|bendy24 [] has joined #linode
14:56|-|spaceghost [] has quit [Remote host closed the connection]
15:22|-|spaceghost6 [] has quit [Quit: spaceghost6]
15:25|-|lyoungz [] has joined #linode
15:30|-|Redgore [~Redgore@] has quit [Ping timeout: 480 seconds]
15:39|-|Redgore [~Redgore@] has joined #linode
16:02|-|mpb [] has left #linode []
16:09|-|thoth39 [] has quit [Remote host closed the connection]
16:19<lyoungz>anyone home?
16:20<lyoungz>'course not, it's shopping weekend :-)
16:23|-|lyoungz [] has left #linode []
16:26|-|dddd44 [dhb55@] has quit [Read error: Connection reset by peer]
16:28|-|mpb [] has joined #linode
17:25<taupehat> In regard to the virus which is possibility of mixture
17:25<taupehat> The virus which has the possibility of having mixed becomes the virus of the type which is called "Troy wooden horse type". The virus concerning details, please refer to the home page of the following trend micro corporation.
17:36|-|emcnabb [] has quit [Ping timeout: 480 seconds]
17:38<internat>im soo glad my node has never been compromised..
17:38<internat>i would really hate to have to reinstall and all of that
17:40<fo0bar>internat: that's why you should rsync the contents to another host once per week or so
17:41<taupehat>a compromise is nothing but an excuse to do things differently next time
17:42<internat>yeah.. its annoying, cause thats one of the reasons i hate using my own php scripts, incase i fuck up, but even more so i hate using others incase they have fucked up and its more widely known
17:43<internat>that is going to be one of the things im going to do this holidays, work out how to rsync my /etc my /home and /root
17:43<internat>maybe dpkg dump a current package listing, and then ship everything off
17:44<internat>and on that note, is there any decent blogging software floating arround that is easy to port to multiple ppl on multiple domains
17:57|-|Redgore [~Redgore@] has quit [Quit: A geek without purpose - | SMDC-Network IRC -]
17:58|-|Redgore [~Redgore@] has joined #linode
18:01|-|spr [] has joined #linode
18:16|-|[|^__^|]_ changed nick to IdoCrack
18:18|-|IdoCrack changed nick to kthxbi
18:24<futhin>if i were an american, i wouldn't go to work on friday.. i think its stupid that its a holiday on thursday and not friday.. holidays should be grouped with the weekends so you get a long weekend
18:35|-|emcnabb [] has joined #linode
18:42|-|Battousai [] has quit [Ping timeout: 480 seconds]
18:42<fo0bar>futhin: uhh, most amerikans get friday off as well
18:43<fo0bar>well, most white-collar amerikans
18:43<@caker>black friday == you will work the checkout counter, or die
18:45<fo0bar>with the exception of going to the corner taco place, I am proud to say I didn't leave the house yesterday
18:45<fo0bar>damn crowds
18:46<Redgore>I suffer from mild Enochlophobia
18:50<tronix>I suffer from a severe case of taco withdrawal.
18:57<futhin>Redgore: thats just another word for "afraid of public speaking"
18:57<Redgore>futhin: then my source is wrong
18:57<Redgore>oh well
18:58<futhin>Redgore: no, i lied
19:22|-|jose [] has joined #linode
19:24|-|jose [] has left #linode []
19:24|-|jose [] has joined #linode
19:24|-|jose [] has quit [Quit: ]
19:24<taupehat>caker: I did that mess on Friday. This year. Now I've done it. You know what quoth the raven, right?
19:27<@mikegrb>taupehat: again next year
19:32<taupehat>it really wasn't worth it
19:32<taupehat>lots of hassle, most of the super bargains were sold off to idiots who camped out overnight in the sleet and rain, huge crowds everywhere, and amazingly rude people
19:33<taupehat>So I got a nice Samsumg LCD monitor
19:33<taupehat>and that's abou tit
19:33<taupehat>about it*
19:33<taupehat>oh and some legos for my daughter
19:33<Redgore>lego rocks !
19:33<Redgore>keep it for yourself :P
19:33<taupehat>(until you step on one on your way to the bathroom in the middle of the night)
19:35<taupehat>given the choice, I'd rather step on a thumbtack barefoot than step on a goddamn barbie slipper with the heel pointing up
19:35<taupehat>it's not as though I liked having barbies in the house before that moment
19:49|-|internat [] has quit [Read error: Operation timed out]
19:51|-|internat [] has joined #linode
19:54[~]kthxbi *
20:19|-|internat [] has quit [Quit: This computer has gone to sleep]
20:53|-|emcnabb [] has quit [Quit: IRC: Where men are men, women are men, and little girls are FBI agents]
20:59|-|internat [] has joined #linode
21:01|-|ronpoz [] has joined #linode
21:07|-|ronpoz [] has left #linode []
21:45|-|alnr [] has quit [Ping timeout: 480 seconds]
22:17<vaxen>god help me
22:17<vaxen>this is 3rd time, my linode kernel panic
22:17<vaxen>caker: I'm doing an emerge -e system
22:19<taupehat>vaxen: perhaps you might want to try a different distro
22:19<taupehat>gentoo isn't exactly
22:20<vaxen>i would like to, but really can't be bothered to learn howto use other distros
22:20<taupehat>I know "worthful" isn't a word
22:20<taupehat>if you like gentoo
22:20<taupehat>try debian
22:20<taupehat>it's similar enough that you won't have too much to learn
22:20<taupehat>package management is great
22:20<taupehat>and you don't have to dink around with compiling crap
22:20<vaxen>will the install doc get me going?
22:20<taupehat>debian is VERY well-supported
22:20<taupehat>throughout the linux community
22:21<vaxen>is the package management as good as portage?
22:21<taupehat>at least
22:21<taupehat>probably better
22:21<vaxen>things like dependencies etc
22:21<taupehat>I like portage well enough
22:21<taupehat>apt is excellent for deps handling\
22:21<taupehat>much better than rpm =]
22:22<vaxen>and there is a central repositries for debian?
22:22<taupehat>starting off with =]
22:22[~]taupehat needs to quit doing those damned smileys
22:22<vaxen>and they all carry the same apps?
22:22<taupehat>it's a tree configuration
22:22<taupehat> posts an app version
22:22<taupehat>and they get rsync'd to the secondaries within 24 hours
22:23<taupehat>and the debian security team is pretty on-the-ball
22:23<taupehat>apt-get update
22:23<taupehat>apt-get upgrade
22:23<taupehat>a minute later, you're done
22:23<taupehat>much MUCH faster than emerge anything
22:23<vaxen>is there loads of howtos to help with configurations?
22:24|-|alnr [] has joined #linode
22:24<taupehat>debian is probably the most commonly-installed distro on linode, and certainly throughout the world
22:24<vaxen>how do you see what apps are available?
22:24<vaxen>i didnt know debian has such a strong crowd
22:24<taupehat>put it this way: if there's a linux app out there, someone has made a .deb package for it
22:24<vaxen>unless you include all those debian-based distros
22:25<taupehat>debian is the premier all-GPL distro
22:25<taupehat>that's not to say you can't add non-free to your sources.list
22:25<taupehat>but for real
22:25<taupehat>debian is big
22:25<taupehat>very very big
22:26<vaxen>i guess i need to change, getting sick of gentoo on linode
22:26[~]taupehat installed gentoo on his iBook 400mhz once
22:26<taupehat>forget that
22:26<linbot>Gotcha, taupehat.
22:26<taupehat>that was confusing
22:26<vaxen>since i dont need cutting edge on a server
22:26<vaxen>might as well start learning debian
22:26<taupehat>you don't even want cutting edge on a server
22:29<vaxen>this looks like a good place to start
22:29<taupehat>never saw that before
22:29<vaxen>debian runs vanilla kernel ya?
22:30<taupehat>there's a debian patch
22:30<taupehat>but it doesn't seem to be neccessary
22:31<taupehat>it's really friggin easy
22:31<taupehat>my home server runs 2.6.14
22:32<cmantito>well this is no good.
22:32<cmantito>I just plugged a DVI->VGA adaptor into my old powermac with a display attached
22:32<cmantito>and the unit just crapped out and shut off.
22:32<vaxen>does xen work on freebsd?
22:32[~]taupehat saw an article in eweek a couple weeks ago about virtualization
22:33<taupehat>you might wanna check
22:33<taupehat>oh also
22:33<taupehat>vaxen: this is my home debian server:
22:33<vaxen>ubuntu can use debian's repo but not vice-versa right?
22:33<taupehat>don't do that
22:34<taupehat>you will inevitably bork your system in ways which are unpleasant
22:34<taupehat>and then you'll go to #debian on freenode and they'll flame you to a crisp
22:34<vaxen>you should put an lcd on the microwave
22:35<taupehat>it's a toaster oven
22:35<taupehat>and actually, I put the power LED in the power LED for the oven
22:35|-|harshy [] has quit [Read error: Connection reset by peer]
22:35<taupehat>and made the temperature knob the power switch
22:36<taupehat>it was fun
22:36<vaxen>if you have used mini-itx board, you can post it up there
22:36<taupehat>70 dollars later I have a pretty nice computer
22:36<taupehat>that mobo/cpu combo rocks
22:36<taupehat>55 dollars
22:36<taupehat>and it makes an excellent headless server
22:36<vaxen>i was thinking of building a fileserver, looking on ebay for those old hotswappable racks
22:37[~]taupehat needs to get more drive space
22:37<vaxen>i hate burning dvds
22:37<taupehat> 261G 105G 143G 43% /local
22:37<taupehat>that's my LVM
22:37<taupehat>need more drive space!
22:38<vaxen>thats okay, i have 360GB and i'm 90% full
22:38<vaxen>gonna spend the whole day tomrrow to burn dvds
22:38<vaxen>anyways, gonna sleep
22:38<taupehat>k3b FTW!
22:39<taupehat>good luck vaxen
22:39<vaxen>thanks for the tips
22:39<taupehat>feel free to bug me with questions
22:39<taupehat>I should help you since I'm the one sending you on this tangent
22:39<taupehat> =P
22:40<vaxen>does debian run well on ultrasparcs?
22:40<vaxen>thinking of getting it on my trusty U5
22:40<taupehat>that'll work
22:40<vaxen>gentoo on that machine just too slow
22:41<vaxen>hope i'm not gonna get converted
22:41<vaxen>then i'll start install debian on everything i put my hands on
22:43|-|darkbeholder [] has quit [Read error: Operation timed out]
22:43<taupehat>look what I've done!
22:44|-|darkbeholder [] has joined #linode
22:47<futhin>some of the datacenters don't allow tor servers right?
22:47<futhin>which ones?
22:59|-|VS_ChanLog [] has left #linode [Rotating Logs]
22:59|-|VS_ChanLog [] has joined #linode
23:03|-|harshy [] has joined #linode
23:09<internat>nothing much, just pondering what blog thing im going ot use
23:15<taupehat>I'm using b2evo
23:15<taupehat>like it well enough
23:16<taupehat>add dot-com to my nick to see
23:16<taupehat>holy crap
23:16<taupehat>my new computer sub REALLY WORKS WELL
23:17[~]taupehat waits to see how long until the next door neighbor knocks to complain about noise
23:17<taupehat>"Pressure Suit" by Adult is a good subwoofer test =]
23:21|-|darkbeholder [] has quit [Ping timeout: 480 seconds]
23:21<linbot>New news from forums: Google Releases Web Analytics in General Discussion <>
23:34[~]fo0bar wonders if there's an RSS feed for
23:35<fo0bar> <-- woo
23:43<fo0bar>however, that doesn't seem to work well since it's a "snapshot", as opposed to rolling releases as they come out
---Logclosed Sun Nov 27 00:00:26 2005