Everything gone!

Everything gone!

[Richard B. Johnson]

Hello.
I log to new account of RedHat 8.0 and do
cd /
for x in `find . -name "*"` ; do /bin/rm $x; done
See I am UNIX Expert NO?

After, I cant log in?
How do get back all after /?

Re: Everything gone!

[Richard B. Johnson]

On Wed, 19 Mar 2003, Richard B. Johnson wrote:

> Hello.
> I log to new account of RedHat 8.0 and do
> cd /
> for x in `find . -name "*"` ; do /bin/rm $x; done
> See I am UNIX Expert NO?
>
> After, I cant log in?
> How do get back all after /?
>

Really? How did you do this?
Clone my machine-name and domain, I mean? Without -bs in the
header? I need to know. This could be exploited and needs
to be fixed.


Cheers,
Dick Johnson
Penguin : Linux version 2.4.20 on an i686 machine (797.90 BogoMips).
Why is the government concerned about the lunatic fringe? Think about it.

Re: Everything gone!

[Matthias Schniedermeyer]

On Wed, Mar 19, 2003 at 10:46:11AM -0500, Richard B. Johnson wrote:
> Hello.
> I log to new account of RedHat 8.0 and do
> cd /
> for x in `find . -name "*"` ; do /bin/rm $x; done
> See I am UNIX Expert NO?
> 
> After, I cant log in?
> How do get back all after /?

Hmmm.
rm -rf *
Should do the same(*) but with much better speed.

Normaly the system should lockup at sometime while doing it.




*: OK. The version above will "break" in the middle after "/bin/rm" (or
"/lib/libc.so.6") got deleted.




Bis denn

-- 
Real Programmers consider "what you see is what you get" to be just as 
bad a concept in Text Editors as it is in women. No, the Real Programmer
wants a "you asked for it, you got it" text editor -- complicated, 
cryptic, powerful, unforgiving, dangerous.

Re: Everything gone!

[Richard B. Johnson]

[-- Attachment #1: Type: TEXT/PLAIN, Size: 1123 bytes --]

On Wed, 19 Mar 2003, Matthias Schniedermeyer wrote:

> On Wed, Mar 19, 2003 at 10:46:11AM -0500, Richard B. Johnson wrote:
> > Hello.
> > I log to new account of RedHat 8.0 and do
> > cd /
> > for x in `find . -name "*"` ; do /bin/rm $x; done
> > See I am UNIX Expert NO?
> >
> > After, I cant log in?
> > How do get back all after /?
>
> Hmmm.
> rm -rf *
> Should do the same(*) but with much better speed.
>
> Normaly the system should lockup at sometime while doing it.
>
>
>
>
> *: OK. The version above will "break" in the middle after "/bin/rm" (or
> "/lib/libc.so.6") got deleted.
>
>

The mysterious thing is the message didn't come from this site!
User johnson didn't log onto that machine since yesterday as
the enclosed `typescript` will show. It's obviously some kind
of joke, but I think this means I could be blamed for sending
something the "Net Nazis" would dislike.

It's not hard to clone a header, but this header does not look
cloned...


Cheers,
Dick Johnson
Penguin : Linux version 2.4.20 on an i686 machine (797.90 BogoMips).
Why is the government concerned about the lunatic fringe? Think about it.

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: Type: TEXT/PLAIN; charset=X-UNKNOWN; name=typescript, Size: 10754 bytes --]

Script started on Wed Mar 19 11:13:08 2003
# rlogin quark
Last login: Wed Mar 19 11:05:38 from chaos.analogic.com
# uname -a
Linux quark 2.4.18-14 #1 Wed Sep 4 11:57:57 EDT 2002 i586 i586 i386 GNU/Linux
# hostname
quark
# domainname
analogic.com

# who
callback ttyS0        Mar 18 20:10         
callback ttyS0        Mar 18 20:12         
callback ttyS0        Mar 19 10:22         
root     pts/0        Mar 19 08:22 (chaos.analogic.com)
callback ttyS0        Mar 19 10:24         
root     pts/1        Mar 19 11:05 (chaos.analogic.com)
root     pts/2        Mar 19 11:11 (chaos.analogic.com)
# last
root     pts/2        chaos.analogic.c Wed Mar 19 11:11   still logged in   
root     pts/1        chaos.analogic.c Wed Mar 19 11:05   still logged in   
root     pts/1        chaos.analogic.c Wed Mar 19 11:01 - 11:04  (00:03)    
root     pts/2        chaos.analogic.c Wed Mar 19 10:51 - 11:02  (00:10)    
root     pts/1        chaos.analogic.c Wed Mar 19 10:48 - 10:49  (00:01)    
callback ttyS0                         Wed Mar 19 10:24 - 10:25  (00:00)    
callback ttyS0                         Wed Mar 19 10:22 - 10:23  (00:00)    
root     pts/1        chaos.analogic.c Wed Mar 19 09:41 - 10:41  (00:59)    
root     pts/1        chaos.analogic.c Wed Mar 19 08:30 - 09:28  (00:58)    
root     tty1                          Wed Mar 19 08:26 - 08:26  (00:00)    
root     pts/0        chaos.analogic.c Wed Mar 19 08:22   still logged in   
root     pts/0        chaos.analogic.c Wed Mar 19 07:49 - 08:20  (00:31)    
root     pts/0        chaos.analogic.c Wed Mar 19 07:28 - 07:48  (00:20)    
root     pts/2        groveland.analog Tue Mar 18 21:16 - 21:20  (00:04)    
root     pts/1        groveland.analog Tue Mar 18 21:13 - 21:23  (00:10)    
root     pts/0        groveland.analog Tue Mar 18 21:04 - 21:54  (00:49)    
root     pts/0        groveland.analog Tue Mar 18 20:50 - 21:02  (00:12)    
johnson  pts/0        groveland.analog Tue Mar 18 20:47 - 20:47  (00:00)    
johnson  pts/0        groveland.analog Tue Mar 18 20:45 - 20:46  (00:01)    
root     pts/0        groveland.analog Tue Mar 18 20:16 - 20:45  (00:29)    
johnson  pts/0        groveland.analog Tue Mar 18 20:13 - 20:13  (00:00)    
root     ttyS0                         Tue Mar 18 20:12 - 10:22  (14:09)    
callback ttyS0                         Tue Mar 18 20:12 - 20:12  (00:00)    
callback ttyS0                         Tue Mar 18 20:10 - 20:12  (00:02)    
root     tty1                          Tue Mar 18 17:46 - 17:49  (00:02)    
johnson  pts/1        chaos.analogic.c Tue Mar 18 17:23 - 17:45  (00:21)    
root     pts/1        chaos.analogic.c Tue Mar 18 16:38 - 16:45  (00:07)    
root     pts/0        chaos.analogic.c Tue Mar 18 16:30 - 17:45  (01:15)    
johnson  pts/0        chaos.analogic.c Tue Mar 18 16:26 - 16:26  (00:00)    
reboot   system boot  2.4.18-14        Tue Mar 18 16:24          (18:48)    
root     tty1                          Tue Mar 18 15:55 - down   (00:00)    
johnson  pts/1        chaos.analogic.c Tue Mar 18 15:48 - 15:53  (00:05)    
root     pts/1        chaos.analogic.c Tue Mar 18 15:46 - 15:48  (00:01)    
root     pts/1        chaos.analogic.c Tue Mar 18 15:46 - 15:46  (00:00)    
johnson  pts/1        chaos.analogic.c Tue Mar 18 15:40 - 15:46  (00:06)    
johnson  pts/2        chaos.analogic.c Tue Mar 18 14:15 - 14:15  (00:00)    
johnson  pts/1        chaos.analogic.c Tue Mar 18 11:39 - 15:06  (03:27)    
johnson  pts/1        chaos.analogic.c Tue Mar 18 11:38 - 11:39  (00:00)    
johnson  pts/1        chaos.analogic.c Tue Mar 18 09:20 - 09:54  (00:33)    
johnson  pts/1        chaos.analogic.c Tue Mar 18 08:53 - 08:57  (00:03)    
johnson  pts/0        chaos.analogic.c Tue Mar 18 08:17 - 08:52  (00:34)    
johnson  pts/0        chaos.analogic.c Tue Mar 18 07:51 - 07:53  (00:02)    
johnson  pts/0        skunkworks.analo Mon Mar 17 19:16 - 19:46  (00:30)    
johnson  pts/0        chaos.analogic.c Mon Mar 17 19:00 - 19:05  (00:04)    
johnson  pts/0        skunkworks.analo Mon Mar 17 18:58 - 18:59  (00:00)    
root     ttyS0                         Mon Mar 17 18:58 - down   (20:57)    
callback ttyS0                         Mon Mar 17 18:57 - 18:58  (00:00)    
root     ttyS0                         Mon Mar 17 18:13 - 18:57  (00:44)    
callback ttyS0                         Mon Mar 17 18:12 - 18:13  (00:00)    
root     ttyS0                         Mon Mar 17 18:09 - 18:12  (00:03)    
callback ttyS0                         Mon Mar 17 18:06 - 18:09  (00:02)    
johnson  ttyS0                         Mon Mar 17 18:06 - 18:06  (00:00)    
root     ttyS0                         Mon Mar 17 18:04 - 18:05  (00:00)    
johnson  pts/1        chaos.analogic.c Mon Mar 17 17:53 - 18:15  (00:22)    
johnson  pts/0        chaos.analogic.c Mon Mar 17 17:46 - 18:02  (00:16)    
root     ttyS0                         Mon Mar 17 17:43 - 18:04  (00:21)    
johnson  tty2                          Mon Mar 17 17:38 - 17:41  (00:03)    
root     tty1                          Mon Mar 17 17:33 - 18:16  (00:43)    
root     ttyS0                         Mon Mar 17 17:31 - 17:32  (00:01)    
johnson  ttyS0                         Mon Mar 17 17:28 - 17:31  (00:02)    
johnson  ttyS0                         Mon Mar 17 17:26 - 17:28  (00:01)    
johnson  ttyS0                         Mon Mar 17 17:24 - 17:25  (00:01)    
johnson  ttyS0                         Mon Mar 17 17:22 - 17:24  (00:01)    
reboot   system boot  2.4.18-14        Mon Mar 17 17:15          (22:39)    
johnson  tty2                          Mon Mar 17 17:13 - 17:13  (00:00)    
root     tty1                          Mon Mar 17 16:59 - down   (00:14)    
root     tty1                          Mon Mar 17 16:26 - 16:35  (00:09)    
root     tty2                          Mon Mar 17 16:21 - 16:35  (00:13)    
johnson  tty1                          Mon Mar 17 16:21 - 16:26  (00:05)    
root     tty1                          Mon Mar 17 16:06 - 16:20  (00:14)    
root     tty3                          Mon Mar 17 15:56 - 16:16  (00:19)    
root     tty2                          Mon Mar 17 15:51 - 16:16  (00:25)    
johnson  tty1                          Mon Mar 17 15:41 - 16:06  (00:24)    
root     tty1                          Mon Mar 17 15:39 - 15:41  (00:01)    
reboot   system boot  2.4.18-14        Mon Mar 17 15:38          (01:35)    
root     tty3                          Mon Mar 17 14:52 - down   (00:44)    
root     tty3                          Mon Mar 17 14:50 - 14:52  (00:02)    
root     tty3                          Mon Mar 17 14:46 - 14:49  (00:03)    
root     tty3                          Mon Mar 17 14:44 - 14:46  (00:01)    
reboot   system boot  2.4.18-14        Mon Mar 17 14:42          (00:54)    
root     tty3                          Mon Mar 17 14:37 - down   (00:00)    
root     tty2                          Mon Mar 17 14:36 - down   (00:01)    
root     tty1                          Mon Mar 17 14:34 - down   (00:03)    
root     tty2                          Mon Mar 17 14:33 - 14:34  (00:00)    
johnson  tty2                          Mon Mar 17 14:15 - 14:16  (00:00)    
root     tty1                          Fri Mar 17 13:45 - 14:32 (1095+00:47)
reboot   system boot  2.4.18-14        Fri Mar 17 13:44         (1095+00:53)
root     tty1                          Fri Mar 14 17:48 - down   (00:00)    
johnson  tty1                          Fri Mar 14 17:48 - 17:48  (00:00)    
root     tty1                          Fri Mar 14 17:47 - 17:48  (00:00)    
reboot   system boot  2.4.18-14        Fri Mar 14 17:46          (00:02)    
root     tty2                          Fri Mar 14 17:35 - down   (00:08)    
johnson  tty3                          Fri Mar 14 17:24 - 17:32  (00:08)    
root     tty2                          Fri Mar 14 17:18 - 17:32  (00:13)    
callback tty2                          Fri Mar 14 17:18 - 17:18  (00:00)    
root     tty1                          Fri Mar 14 17:13 - down   (00:30)    
johnson  tty2                          Fri Mar 14 17:12 - 17:18  (00:05)    
johnson  tty2                          Fri Mar 14 17:12 - 17:12  (00:00)    
johnson  tty2                          Fri Mar 14 17:11 - 17:12  (00:01)    
johnson  tty2                          Fri Mar 14 17:09 - 17:10  (00:00)    
rjohnson tty2                          Fri Mar 14 17:09 - 17:09  (00:00)    
johnson  tty2                          Fri Mar 14 17:02 - 17:08  (00:06)    
johnson  tty2                          Fri Mar 14 17:01 - 17:02  (00:01)    
rjohnson tty2                          Fri Mar 14 16:59 - 17:01  (00:01)    
root     tty3                          Fri Mar 14 16:45 - 17:23  (00:38)    
johnson  tty2                          Fri Mar 14 16:10 - 16:59  (00:49)    
root     tty1                          Fri Mar 14 16:06 - 17:13  (01:07)    
reboot   system boot  2.4.18-14        Fri Mar 14 16:04          (01:39)    
root     tty1                          Fri Mar 14 13:37 - down   (00:05)    
rjohnson tty2                          Fri Mar 14 13:16 - 13:37  (00:20)    
johnson  tty2                          Fri Mar 14 13:15 - 13:16  (00:01)    
johnson  pts/0        chaos.analogic.c Fri Mar 14 12:49 - down   (00:54)    
johnson  tty1                          Fri Mar 14 12:42 - 13:37  (00:55)    
reboot   system boot  2.4.18-14        Fri Mar 14 12:40          (01:02)    
johnson  pts/0        chaos.analogic.c Thu Mar 13 16:20 - 16:20  (00:00)    
root     tty1                          Thu Mar 13 16:04 - down   (00:37)    
johnson  tty1                          Thu Mar 13 16:02 - 16:03  (00:00)    
root     tty1                          Thu Mar 13 16:00 - 16:02  (00:02)    
reboot   system boot  2.4.18-14        Thu Mar 13 15:59          (00:42)    
root     tty1                          Thu Mar 13 15:46 - down   (00:10)    
reboot   system boot  2.4.18-14        Thu Mar 13 15:45          (00:11)    
root     :1                            Thu Mar 13 15:41 - down   (00:02)    
root     :0                            Thu Mar 13 15:38 - down   (00:04)    
root     :0                            Thu Mar 13 15:30 - 15:38  (00:07)    
johnson  :0                            Thu Mar 13 15:17 - 15:29  (00:11)    
reboot   system boot  2.4.18-14        Thu Mar 13 15:15          (00:28)    

wtmp begins Thu Mar 13 15:15:11 2003
# exit
logout
^[[H^[[Jrlogin: connection closed.
# 
# 
# 
# exit
Script done on Wed Mar 19 11:15:08 2003

Re: Everything gone!

[Xavier Bestel]

Le mer 19/03/2003 à 17:04, Matthias Schniedermeyer a écrit :

> rm -rf *
> Should do the same(*) but with much better speed.
> 
> Normaly the system should lockup at sometime while doing it.
> 
> 
> 
> 
> *: OK. The version above will "break" in the middle after "/bin/rm" (or
> "/lib/libc.so.6") got deleted.

That would be surprising. Did you actually try it ? :)

	Xav

Re: Everything gone!

[Eli Carter]

Xavier Bestel wrote:
> Le mer 19/03/2003 à 17:04, Matthias Schniedermeyer a écrit :
> 
> 
>>rm -rf *
>>Should do the same(*) but with much better speed.
>>
>>Normaly the system should lockup at sometime while doing it.
>>
>>
>>
>>
>>*: OK. The version above will "break" in the middle after "/bin/rm" (or
>>"/lib/libc.so.6") got deleted.
> 
> 
> That would be surprising. Did you actually try it ? :)

The complex version that you snipped would break because it invokes rm 
for each file.  The simpler version he gave would not break at that 
point because it is already running.  Hence the footnote ton the word 
'same'.

HTH,

Eli
--------------------. "If it ain't broke now,
Eli Carter           \                  it will be soon." -- crypto-gram
eli.carter(a)inet.com `-------------------------------------------------

Re: Everything gone!

[Richard B. Johnson]

On Wed, 19 Mar 2003, Xavier Bestel wrote:

> Le mer 19/03/2003 à 17:04, Matthias Schniedermeyer a écrit :
>
> > rm -rf *
> > Should do the same(*) but with much better speed.
> >
> > Normaly the system should lockup at sometime while doing it.
> >
> >
> >
> >
> > *: OK. The version above will "break" in the middle after "/bin/rm" (or
> > "/lib/libc.so.6") got deleted.
>
> That would be surprising. Did you actually try it ? :)
>
> 	Xav

I think that, with a single instance of `rm`, not as written above,
this would complete because all the open runtime libraries would
remain mem-mapped until the last close. So, I think you could
remove everything with -rf except the programs that will return
'text file busy' errors because they are open for execution.

An, no. I am not going to try it! Well maybe sometime when I
mount an alternate root that I am going to replace.


Cheers,
Dick Johnson
Penguin : Linux version 2.4.20 on an i686 machine (797.90 BogoMips).
Why is the government concerned about the lunatic fringe? Think about it.

Re: Everything gone!

[Xavier Bestel]

Le mer 19/03/2003 à 17:51, Eli Carter a écrit :
> Xavier Bestel wrote:
> > Le mer 19/03/2003 à 17:04, Matthias Schniedermeyer a écrit :
> > 
> > 
> >>rm -rf *
> >>Should do the same(*) but with much better speed.
> >>
> >>Normaly the system should lockup at sometime while doing it.
> >>
> >>
> >>
> >>
> >>*: OK. The version above will "break" in the middle after "/bin/rm" (or
> >>"/lib/libc.so.6") got deleted.
> > 
> > 
> > That would be surprising. Did you actually try it ? :)
> 
> The complex version that you snipped would break because it invokes rm 
> for each file.  The simpler version he gave would not break at that 
> point because it is already running.  Hence the footnote ton the word 
> 'same'.

Aah, yes; I read a bit too fast. *hides*

	Xav

Re: Everything gone!

[John Jasen]

On Wed, 19 Mar 2003, Richard B. Johnson wrote:

> Really? How did you do this?
> Clone my machine-name and domain, I mean? Without -bs in the
> header? I need to know. This could be exploited and needs
> to be fixed.

Perhaps:

telnet target.system 25
enter SMTP commands
quit

-- 
-- John E. Jasen (jjasen@realityfailure.org)
-- User Error #2361: Please insert coffee and try again.

Re: Everything gone!

[Richard B. Johnson]

On Wed, 19 Mar 2003, John Jasen wrote:

> On Wed, 19 Mar 2003, Richard B. Johnson wrote:
>
> > Really? How did you do this?
> > Clone my machine-name and domain, I mean? Without -bs in the
> > header? I need to know. This could be exploited and needs
> > to be fixed.
>
> Perhaps:
>
> telnet target.system 25
> enter SMTP commands
> quit

Ah yes! And I just tried it! The target system was the one
that the mail was pretended to come from and it has sendmail
running and will forward from within the domain. So, that
sendmail gets a mail message as though it came directly from
itself so it will forward it.


Cheers,
Dick Johnson
Penguin : Linux version 2.4.20 on an i686 machine (797.90 BogoMips).
Why is the government concerned about the lunatic fringe? Think about it.

Re: Everything gone!

[Jesse Pollard]

On Wednesday 19 March 2003 11:33 am, John Jasen wrote:
> On Wed, 19 Mar 2003, Richard B. Johnson wrote:
> > Really? How did you do this?
> > Clone my machine-name and domain, I mean? Without -bs in the
> > header? I need to know. This could be exploited and needs
> > to be fixed.
>
> Perhaps:
>
> telnet target.system 25
> enter SMTP commands
> quit

Normaly that would record the IP of the host doing the telnet.
(the first "Recieved: from" line in the log list where the original says
"Received: from localhost"....)
-- 
-------------------------------------------------------------------------
Jesse I Pollard, II
Email: pollard@navo.hpc.mil

Any opinions expressed are solely my own.

Re: Everything gone!

[Richard B. Johnson]

On Wed, 19 Mar 2003, Jesse Pollard wrote:

> On Wednesday 19 March 2003 11:33 am, John Jasen wrote:
> > On Wed, 19 Mar 2003, Richard B. Johnson wrote:
> > > Really? How did you do this?
> > > Clone my machine-name and domain, I mean? Without -bs in the
> > > header? I need to know. This could be exploited and needs
> > > to be fixed.
> >
> > Perhaps:
> >
> > telnet target.system 25
> > enter SMTP commands
> > quit
>
> Normaly that would record the IP of the host doing the telnet.
> (the first "Recieved: from" line in the log list where the original says
> "Received: from localhost"....)

Yes. I just looked at maillog on that machine and all I had was
the 'evidence' of me screwing with it to see. Apparently it wasn't
used for forwarding mail as I thought.


Cheers,
Dick Johnson
Penguin : Linux version 2.4.20 on an i686 machine (797.90 BogoMips).
Why is the government concerned about the lunatic fringe? Think about it.

Re: Everything gone!

[Eric Weigle]

[-- Attachment #1: Type: text/plain, Size: 1095 bytes --]

Ok, I couldn't help but try it. I've got a 2G bochs disk image for Debian
(really a 250M holey file) I can copy and throw away.

A `rm -rfv *` as root from / does:

(removes a bunch of files, including "rm" from bin and so forth), then loops printing:
removing all entries of directory `dev/pts'
removing the directory itself `dev/pts'
removing all entries of directory `dev/pts'
removing the directory itself `dev/pts'
removing all entries of directory `dev/pts'
removing the directory itself `dev/pts'
removing all entries of directory `dev/pts'
removing the directory itself `dev/pts'
removing all entries of directory `dev/pts'
removing the directory itself `dev/pts'

It's apparently having issues with removing the mount point of the devpts
filesystem.

:)
-Eric 

-- 
------------------------------------------------------------
        Eric H. Weigle -- http://public.lanl.gov/ehw/
"They that can give up essential liberty to obtain a little
temporary safety deserve neither" -- Benjamin Franklin
------------------------------------------------------------

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: Everything gone!

[Matthias Schniedermeyer]

On Wed, Mar 19, 2003 at 11:23:55AM -0700, Eric Weigle wrote:
> Ok, I couldn't help but try it. I've got a 2G bochs disk image for Debian
> (really a 250M holey file) I can copy and throw away.
> 
> A `rm -rfv *` as root from / does:
> 
> (removes a bunch of files, including "rm" from bin and so forth), then loops printing:
> removing all entries of directory `dev/pts'
> removing the directory itself `dev/pts'
> removing all entries of directory `dev/pts'
> removing the directory itself `dev/pts'
> removing all entries of directory `dev/pts'
> removing the directory itself `dev/pts'
> removing all entries of directory `dev/pts'
> removing the directory itself `dev/pts'
> removing all entries of directory `dev/pts'
> removing the directory itself `dev/pts'
> 
> It's apparently having issues with removing the mount point of the devpts
> filesystem.

I think you should try it without devfs. I don't think that you can
 remove directories in devfs. :-)




Bis denn

-- 
Real Programmers consider "what you see is what you get" to be just as 
bad a concept in Text Editors as it is in women. No, the Real Programmer
wants a "you asked for it, you got it" text editor -- complicated, 
cryptic, powerful, unforgiving, dangerous.

Re: Everything gone!

[James H. Cloos Jr.]

>>>>> "Richard" == Richard B Johnson <root@chaos.analogic.com> writes:

Richard> How did [they] do this?

If you look at the Received headers in the faked message, it actually
came to kernel.org from alog0102.analogic.com, from Analogic's
208.224.220.0/22 netblock, not from quark.analogic.com (in Analogic's
204.178.40.0/21 block) as it claimed:

Received: from alog0102.analogic.com ([208.224.220.117]:12804 "EHLO
	quark.analogic.com") by vger.kernel.org with ESMTP
	id <S263082AbTCSPfa>; Wed, 19 Mar 2003 10:35:30 -0500

If an analogic box was cracked, look at 208.224.220.117, not at quark.

The routing suggests they would not have been able to spoof the IP,
unless they did so over eg an 802.11 link at whatever site
208.224.220.0/22 is used.  

-JimC

Re: Everything gone!

[Joshua Kwan]

[-- Attachment #1: Type: text/plain, Size: 919 bytes --]

On Wed, Mar 19, 2003 at 01:12:49PM -0500, Richard B. Johnson wrote:
> > > Perhaps:
> > >
> > > telnet target.system 25
> > > enter SMTP commands
> > > quit
> >
> > Normaly that would record the IP of the host doing the telnet.
> > (the first "Recieved: from" line in the log list where the original says
> > "Received: from localhost"....)
> 
> Yes. I just looked at maillog on that machine and all I had was
> the 'evidence' of me screwing with it to see. Apparently it wasn't
> used for forwarding mail as I thought.

Well, a nice way to do this is: (probably not syntactically correct..)

router# iptables -t nat -A PREROUTING -i lan0 -p tcp ! -s 
local.netework/12 -d ip.of.lan0 --dport 25 -j DROP

Depending on how your network is set up, this may or may not work... my 
server box itself is masq'd so this works nicely on my network.

Regards,
Josh

-- 
New PGP public key: 0x27AFC3EE

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: Everything gone!

[Sean Neakums]

commence  Richard B. Johnson quotation:

> I think that, with a single instance of `rm`, not as written above,
> this would complete because all the open runtime libraries would
> remain mem-mapped until the last close. So, I think you could
> remove everything with -rf except the programs that will return
> 'text file busy' errors because they are open for execution.

Linux allows files that are being executing to be unlinked.  You will
get ETXTBUSY if you open the file and try to modify it, though.

-- 
Sean Neakums - <sneakums@zork.net>