RHP Studios is planning a Maysville Linux Users Group. If you are interested in helping with this task or interested in joining, please contact Ed Wiget.
We will also post security-related information specific to Linux on this page.
Linux Important Announcements
April 4, 2001
Adore worm targets Linux - The third Linux worm in less than three months hit the Internet this week.
Known as the Adore worm, the program is designed to create so-called back doors in the security of Linux systems and send information identifying the compromised systems to four different e-mail addresses hosted on servers in China and the United States.
NOTE: RHP Studios installed/managed Linux systems cannot be infected by this worm, which exploits older versions of 4 separate packages. This worm also installs modified versions of ICMP and PS, which would clearly show up during a file system check using MD5 hashes.
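One way to run the kind of MD5 file check the note mentions, as an added example that is not RHP Studios' own procedure: it records a baseline of file hashes, then lists files that changed and files that appeared since. The directory and file names are constructed stand-ins in a temporary directory; a real baseline should be taken on a known-clean system and kept off the machine it describes.

```sh
#!/bin/sh
# Added example: MD5 baseline check. Demo files are constructed stand-ins.
LC_ALL=C; export LC_ALL   # keep md5sum's "OK"/"FAILED" text and sort order stable

# make_baseline DIR BASELINE: hash every file under DIR into BASELINE.
# BASELINE must be an absolute path outside DIR.
make_baseline() {
    ( cd "$1" && find . -type f -exec md5sum {} + | sort -k2 ) > "$2"
}

# changed_files DIR BASELINE: print baseline entries whose hash no longer
# matches or whose file is gone.
changed_files() {
    ( cd "$1" && md5sum -c "$2" 2>/dev/null ) |
        awk -F': ' '$2 != "OK" { print $1 }'
}

# new_files DIR BASELINE: print files under DIR that the baseline never listed.
# Each baseline line is a 32-character hash, two spaces, then the name.
new_files() {
    ( cd "$1" && find . -type f | sort ) |
        awk 'NR == FNR { known[substr($0, 35)] = 1; next } !($0 in known)' "$2" -
}

demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/bin"
    printf 'original ps\n' > "$work/bin/ps"
    printf 'original ls\n' > "$work/bin/ls"
    make_baseline "$work/bin" "$work/baseline.md5"

    printf 'replaced ps\n' > "$work/bin/ps"      # a binary swapped after the baseline
    printf 'dropped file\n' > "$work/bin/extra"  # a file that was not there before

    echo "changed: $(changed_files "$work/bin" "$work/baseline.md5")"
    echo "new:     $(new_files "$work/bin" "$work/baseline.md5")"
    rm -rf "$work"
}

demo
```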
March 23, 2001
SANS - Late last night, the SANS Institute (through its Global Incident Analysis Center) uncovered a dangerous new worm that appears to be spreading rapidly across the Internet. It scans the Internet looking for Linux computers with a known vulnerability. It infects the vulnerable machines, steals the password file (sending it to a China.com site), installs other hacking tools, and forces the newly infected machine to begin scanning the Internet looking for other victims.
Linux Tips & Tricks
Make your mouse scream across the screen.
For those of you using Linux with a graphical user interface, you can configure any part of it: looks, feel, sounds, etc. This is a quick trick for changing your mouse speed. First open up a terminal window; how you do this varies with your desktop environment. The command xset is used to change mouse speed. Its format is:
xset m [acc_mult[/acc_div] [thr]]
The two important parameters are acceleration and threshold: the pointer moves acceleration times as fast once it travels more than threshold pixels in a short time.
xset m 12 2
....means we have set our acceleration to 12, yet turned the threshold down to 2 pixels. This will definitely make your mouse scream across the screen.
Change your screen resolution quickly
The quickest way to change your screen resolution is by pressing Ctrl-Alt and either the + or - key at the same time. Using the + key cycles forward in your X configuration file and the - key cycles backwards.
Monitor your system log in real-time
You can monitor your system log in real-time, and can even choose what you want to monitor. Open a terminal window and change to Super User by typing su - and entering the password. To monitor all of the logfile, simply type:
tail -f /var/log/messages
If you want to monitor only part of the log entries, such as a firewall DENY entry, you would use:
tail -f /var/log/messages | grep DENY
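Beyond watching DENY entries scroll by, the same log can be summarised to show which sources are being denied and on which destination port. This is an added example, not part of the original tip; it assumes ipchains-style "Packet log:" entries, and the sample lines and addresses are constructed.

```sh
#!/bin/sh
# Added example: summarise firewall DENY entries. Log lines are constructed
# and assume ipchains-style "Packet log:" entries in /var/log/messages.
# Against a real log, run as root: deny_summary < /var/log/messages
LC_ALL=C; export LC_ALL

# deny_summary: read syslog text on stdin, print "count source dest-port"
# for every denied packet, busiest source/port pair first.
deny_summary() {
    grep 'Packet log: .* DENY ' |
    awk '{
        for (i = 1; i <= NF; i++) if ($i ~ /^PROTO=/) break
        if (i + 2 > NF) next                 # malformed entry, skip it
        split($(i + 1), src, ":")            # source address:port
        split($(i + 2), dst, ":")            # destination address:port
        hits[src[1] " " dst[2]]++
    }
    END { for (k in hits) print hits[k], k }' |
    sort -k1,1nr -k2
}

sample_log() {   # constructed lines using documentation address ranges
    cat <<'EOF'
Apr  4 10:15:01 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:1042 192.0.2.10:515 L=60 S=0x00 I=4711 F=0x4000 T=52 SYN (#3)
Apr  4 10:15:02 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:1043 192.0.2.10:515 L=60 S=0x00 I=4712 F=0x4000 T=52 SYN (#3)
Apr  4 10:15:09 gw kernel: Packet log: input DENY eth0 PROTO=17 198.51.100.23:3321 192.0.2.10:111 L=84 S=0x00 I=991 F=0x0000 T=48 (#4)
Apr  4 10:15:11 gw kernel: Packet log: input ACCEPT eth0 PROTO=6 192.0.2.50:2210 192.0.2.10:80 L=60 S=0x00 I=15 F=0x4000 T=64 SYN (#1)
Apr  4 10:15:14 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:1044 192.0.2.10:515 L=60 S=0x00 I=4713 F=0x4000 T=52 SYN (#3)
Apr  4 10:15:20 gw sshd[812]: Connection from 192.0.2.50 port 2215
EOF
}

sample_log | deny_summary
```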
If you are online with Linux, or any operating system, install a firewall
If you need help installing or configuring a firewall for your Linux system, contact us. We can customize a firewall based on your individual needs, or we have a firewall script for commercial use that we guarantee cannot be breached. You may also find a firewall script designed by a friend of mine at http://www.a2600.com/~woog that will serve the needs of most home users. His firewall script is easy to set up, is documented nicely for those who need instructions, and like most stuff for Linux....it's FREE!
Redhat Linux v7.0 Loses Internet Connection
RHP Studios identified a bug in Redhat Linux v7.0 in which the system loses its internet connection for an unknown reason, and posted a message to the Redhat Bugtrack database. This was first seen while reviewing the beta version, and later confirmed with the final release and a fresh install. It occurs every few days on the cable internet connection here in Maysville. If you are running a gateway system with DHCP on one ethernet card and static addresses on the internal card, you will find the problem only affects the DHCP (pump) controlled card. About this same time, others also reported a similar problem. If you are having this same problem, you can fix it by removing the pump rpm package: open a terminal window, type su - and enter the password, then type rpm -e pump. Your DHCP leases will now be handled by dhcpcd, which fixes the problem.
Redhat Linux v6.2 and 7.0 LPR Vulnerability
January 18, 2001
Someone posted information to the SecurityFocus.com newsgroup concerning a Redhat Linux server being hacked. This is from their posting:
"They got in through "lpd" printer service which "yes" on all our production servers is disabled. They then ran ./hack.sh and Synscan"
Redhat Linux has had an update to the LPRng package since 04-Oct-2000 that would have patched this vulnerability. The updated package is available at their web site: http://www.redhat.com
It seems that someone has created a worm that searches for Redhat Linux servers still running the vulnerable LPRng package. Here is the information I have found concerning this:
Note: RHP Studios clients who are running Redhat Linux v6.2 or 7.0 are NOT affected by this worm or vulnerability. Those running the LPRng package that this worm exploits have been patched since the fix was issued by Redhat Linux on October 04, 2000. Those clients running stand-alone/dedicated Web Servers do not have the LPRng package installed on the Web Servers. As with any computer system connected to any network, you should only install software/services that are needed for the system's functions to reduce the possibility of exploits in services or software that is not used. Regular updates should be performed by running up2date. RHP Studios checks for any needed updates daily and applies them for each of our clients. The LPRng package is not needed on a dedicated web server. Because this information/exploit is due to a worm, this information will also be posted on the Virus News.
If you are not a RHP Studios client, you should update your Redhat Linux Packages by either running up2date after su to root, or by clicking on the next two links (one for Redhat Linux version 6.2 and the other for Redhat Linux version 7.0).
Redhat Linux v6.2 Updates - http://www.redhat.com/support/errata/rh62-errata-security.html
Redhat Linux v7.0 Updates - http://www.redhat.com/support/errata/rh7-errata-security.html
More Information can be found below concerning this exploit and worm:
Redhat worm touts instant noodles
An Internet worm cobbled together from pre-existing scripts is spreading rapidly through Redhat Linux systems, leaving in its wake a trail of defaced Web pages touting the virtues of instant Oriental noodles.
LPRng is almost certainly vulnerable to remote-root compromise on account of a format string bug. The flaw is almost identical to the rpc.statd one I found; namely a faulty syslog() wrapper. This is becoming a very common flaw.
F-SECURE VIRUS DESCRIPTIONS: RAMEN - ALIAS: LINUX.RAMEN,LINUX/RAMEN - LINUX WORM
"Ramen affects systems running a default installations of Red Hat Linux 6.2 and 7.0. It attempts to infect the system by exploiting two known security vulnerabilities."
BBC NEWS: LINUX VIRUS INFECTION FEARS; RAMEN HITS RED HAT
"The webmasters who have had to deal with the problem are those running sites using Redhat Linux. Servers have been invaded by a worm that replaces the site's main page with one showing an image of a Ramen instant noodle packet."
LINUXPLANET: RAMEN AND THE DANGER OF DEFAULT LINUX CONFIGURATIONS
The security field is all aflutter about a worm that takes advantage of well-known security lapses in Red Hat Linux -- lapses that most experienced Linux system administrators addressed back in September 2000. And while the so-called Ramen worm doesn't do a whole lot of damage to Linux systems, it does point out the need for constant awareness to security issues -- beginning with the default configurations offered by most Linux distributions. Kevin Reichard reports.