For any new readers. You might want to start at the bottom and read this in chronological order. Update: Since my first encounter with Nimda I've discovered that all the disk activity, that first caught my attention, WAS NOT caused by Nimda. It was just an incredible coincidence that they both happened at the same time.
12:45 pm -- I've been watching this Nimda thing. It attempted to enter my system 15 times yesterday from 4 different ip numbers. I guess it's mostly harmless. But I wish it would stop.
1 pm -- Interesting thing. I've been experimenting with port forwarding. My local net is connected to the internet via an ATT Broadband Cable Modem. Attached to the modem is a Linksys router. My machines are attached to a hub which is attached to the router. In order to have the linux Quadra accessible from the outside world I can turn on "port forwarding" which causes connection requests to selected ports to be directed to the port on the quadra. A few days back I enabled forwarding for telnet. That works with no apparent problem. This morning I enabled port 80 for HTTP (web pages). Within minutes of turning this on, I believe I was attacked. I was working at another computer when I heard the Quadra start accessing its hard disk. It's done that from time to time, for a second or two, but this continued. I first looked to see if the one person I've given access (for MY testing purposes) had telnetted in. He didn't appear to have (although I'm still learning how to check these things.) Next I wanted to check web accesses. I knew there was a log file, but I wasn't certain where it was. It took me a few minutes, but I finally found it. By now the disk accesses had stopped. But the access log now contained the following entries: (For clarity I've removed the ip and timestamp from the log entries; I've summarized them in the first two lines.)
all are from: 24.100.61.120
all during a 4 sec period starting: [24/Jan/2002:06:31:23 -0500]
"GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
"GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208
"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218
"GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218
"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
"GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249
"GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249
"GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../
winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 265
"GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
"GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
"GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
"GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
"GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
"GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
"GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
(BTW, for a weird reason the clock on my machine is set wrong, but I knew that the timestamps on these hits were from just a few minutes earlier.) I'm not 100% sure how to read these log entries, but it appears that someone was trying to fire off two DOS files called root.exe and cmd.exe. It tried this in numerous directories. Those files don't exist on this machine, so no problem (I hope!). But it was unnerving. So I guess I'm now officially a System Admin. I've been attacked. Any insights into this would be welcome. Email me.

5:00 pm -- My "attack" has been repeated three times this afternoon. Maybe it's not an attack. But it sure seems suspicious. The first sequence came from one ip address, the 2nd-4th came from a second address. I've turned off the port forwarding on HTTP for now. I need to do some research to understand this better.

11:59 pm -- Well it turns out that the "attack" was from the Nimda worm trying to exploit my system. But I'm OK (knock wood), due to the fact that it only infects Windows systems. Thanks to Sarah for figuring out that it was Nimda. According to reports from other sites, it has no overtly damaging effect on linux machines. But it does waste bandwidth, serving up 404 messages for each exploratory attempt. There's a way to minimize this by redirecting these particular accesses. I may implement that later. I've turned Port 80 forwarding back on. In the morning I'll be curious to see how many times it probes me. (heh!)
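One way to pick these probes out of the access log, as an added example that is not the diary's own code: it assumes Apache's common log format (with the IP and timestamp the author stripped from the entries above), constructs a few sample lines modelled on them, and reports per source how many probes arrived, how long the burst lasted, and whether any probe drew a non-error reply (the one case that would actually matter).

```python
import re
from datetime import datetime

# Constructed sample in Apache common log format; the source IP, timestamp and
# request paths mirror the probe entries quoted in the diary above.
SAMPLE_LOG = """\
24.100.61.120 - - [24/Jan/2002:06:31:23 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
24.100.61.120 - - [24/Jan/2002:06:31:24 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218
24.100.61.120 - - [24/Jan/2002:06:31:25 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
24.100.61.120 - - [24/Jan/2002:06:31:26 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
24.100.61.120 - - [24/Jan/2002:06:31:27 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
192.0.2.10 - - [24/Jan/2002:06:40:01 -0500] "GET /~username/ HTTP/1.0" 200 512
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')
# Files the worm asks for, and the double- or overlong-encoded ".." it uses to
# climb out of /scripts, /msadc, /_vti_bin and friends (as in the entries above).
PROBE_TARGETS = ("root.exe", "cmd.exe")
TRAVERSAL_RE = re.compile(r"\.\.(%25|%%35|%c0|%c1)", re.IGNORECASE)

def classify(path):
    """Return indicator names for one request path; [] means nothing suspicious."""
    hits = []
    if any(t in path.lower() for t in PROBE_TARGETS):
        hits.append("iis-command-shell")
    if TRAVERSAL_RE.search(path):
        hits.append("encoded-traversal")
    return hits

def scan_log(log_text):
    """Return {ip: summary} for every source that sent a flagged request:
    hit count, burst length in seconds, and whether any probe was served."""
    per_ip = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not classify(m["path"]):
            continue                       # unparsable or benign: skip
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        s = per_ip.setdefault(m["ip"], {"hits": 0, "first": ts, "last": ts, "served": False})
        s["hits"] += 1
        s["first"], s["last"] = min(s["first"], ts), max(s["last"], ts)
        # A 2xx/3xx reply to a probe means the requested path really existed;
        # that, not the stream of 404s, is the case that deserves an alert.
        s["served"] = s["served"] or int(m["status"]) < 400
    for s in per_ip.values():
        s["burst_seconds"] = int((s["last"] - s["first"]).total_seconds())
    return per_ip
```

Run against the real access log with `scan_log(open("/var/log/apache/access.log").read())` (path assumed; adjust to where the log was found) and anything with `served=True` is worth a closer look.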
I'm still here. I've been distracted for the past couple of days with some non-linux related things. I did manage to figure out the trailing slash thing. As I suspected, there's a "setting" in one of the apache config files that deals with this. But it's not as simple as setting AddTrailingSlash = ON. A quick read of the doc suggests that there may be some ramifications to doing this, so it's on my list to go back soon and make sure I understand it. Here's the relevant doc: http://httpd.apache.org/docs/misc/rewriteguide.html More later.
9:20 pm -- Linux-wise, I goofed off most of today. This morning I surrendered to the evil vi and installed the text editor nano. (I had decided that, if I'm gonna be a serious linux stud, I needed to get more comfortable with vi. Usually, when I get into vi, I can sometimes maybe actually insert some text, and then I spend the rest of the time trying to remember how to Save and Quit... But I give up. Life's too short.) Nano is very much like pico, which I've used in the past and liked. Apparently the pico license is incompatible with the Debian license so they offer nano instead. At the same time that I downloaded and installed nano, I attempted to do apache too. But I didn't try it out till this evening. Of course it didn't work. It seems that what I downloaded, and (partially) installed, this morning, was the SSL version of apache. But since I didn't answer the certificate registration questions right, it wasn't able to install. So tonight I removed the ssl version and installed the plain vanilla version instead. It took a couple of tries to fill in some config info, including guessing at some things, like ServerName=quadra.da4.com. And it works! I am able to view a sample front page from my Mac browser. Next: get it to automatically open index.htm. Right now it only does index.html. I need to create sample pages for the user accounts to make sure that works too. Also, I want to add in perl and php support. Getting there!

9:50 pm -- That was quick. I figured out how to make it look for index.htm as a default. And I tested that it will serve pages from user accounts too. Although, on the user account page, it requires a trailing / on the URL, e.g. <domain>/~username/
OK! Now I have ftp access working. I struggled with this for an hour or so last night. After installing ftpd, and making what seemed to be the correct entries in /etc/inetd.conf, it still wouldn't allow me to connect from another machine. The problem seems to have been that ftpd was NOT a good choice. The installer pointed that out to me when I originally chose it, but I thought it'd be OK. But I couldn't get it to work so I figured it was time to try the RECOMMENDED course of action. So I went back into (the evil) dselect and installed wu-ftpd. During install it asked me a few questions about access & accounts, and it did some settings for me, and THAT may be what made the diff. But it works now. So I'm happy. Next on the list is to install apache. BTW In the back of my head I know that there may be some security issues with the way I've configured these things. Anyone reading this who can give me some pointers about this subject would be welcome: hodgson@da4.com.
Well I figured out why I can't get the telnet and ftp daemons to work. They aren't installed. Duh! In the final stages of the install process the instructions said "... or you can just stop now and most of the software is already there." So I did stop. And ftpd and telnetd were two, of the MANY, things that never got installed (no man pages!!!). So now I'm sitting through the long process (including two false starts) while all these things get installed. I'm optimistic that this will do the trick, but we'll see.

10 pm -- Success! After a seemingly endless installation process I can now telnet to the quadra from another machine. Now I can stash the quadra in a closet and work with it from my Mac. Next, to get ftp going. It turns out that the endless install process STILL didn't install ftpd. So back into the belly of the beast.
5 am -- FYI (and For My I) here is my list of immediate goals for setting up linux, in chronological order:
Outline bullet means that item is done.

12 noon -- Not really linux specific, but here's an interesting song parody about perl: http://www.suberic.net/~dmm/perlsong.html

1 pm -- Getting ready to start full install. Been thinking about how to partition the disk. Right now the MacOS stuff is using about 85meg of space. I tried manually slimming down the System, but that didn't gain me much. Right now it stands at 55 meg. I'm thinking that I have an old System 7 Installer CD around here somewhere. If I could find that I could do a minimum install and see what that comes out to. That CD will also be useful for after I repartition.

5:45 pm -- I found a System 7 CD that is bootable! I'm now experimenting to find the settings for a minimum install that supports ethernet and file share. Custom Install from Sys 7.6 CD:
[Later note: I installed Mac OS File Sharing and OT because I thought that I would need to be able to do internet accesses, and copy things from my other machines, from the Mac OS, in order to complete the install process. In fact, I never needed these. I was able to get all the rest of the linux install pieces via the net from within the installer(s).]

6:10 pm -- OK, those settings did the trick. Here are the new disk sizes:
Partitions created
7:15 pm -- Installing linux. I'm using these instructions to lead me through the process. http://www.mac.linux-m68k.org/docs/debian-2.2-mac68k-install.php I'm not convinced that I did the "last" step (Installing more packages) right. I wanted to skip it, as the instructions say I can. At first I got in a loop and ended back at, "You don't need PCMCIA". So I went through the whole process and tried to say "No Thanks" at the end. But it ended up "updating" a bunch of things anyway.

8:35 -- Install complete!!!

11:40 pm -- Spent the rest of the evening trying to figure out how to enable telnet and ftp access to the machine. I think I'm getting close. The proper entries need to be made in /etc/inetd.conf and maybe some other conf file as well.
I'm starting with the tools, distribution and docs from this site: http://www.mac.linux-m68k.org/ Here are two of the versions that I'm starting out with
I'm having trouble downloading a ramdisk to use. The one linked to by http://www.mac.linux-m68k.org/docs/gettingstarted.php is a broken link. I've been trying to figure out the correct link by trial-and-error, but with no luck. I found a different ramdisk at http://homepage.mac.com/mavsftwre/shareware02.html. Using it produces this as the final few lines of kernel install debug text:
EXT2-fs warning: checktime reached, running e2fsck receommended
VFS: Mounted root (ext2 filesystem)
kmod: failed to exec /sbin/modprobe -s -k binfmt-4c46, errno = 2
kmod: failed to exec /sbin/modprobe -s -k binfmt-4c46, errno = 2
VFS: Cannot open root device 00:00
Kernel panic: VFS: Unable to mount root fs on 00:00
I'm not sure how to interpret that. Is the ramdisk working? Is that the problem? Or is it something else? OK, now I finally downloaded what seems to be the recommended ramdisk ftp://ftp.debian.org//debian/dists/potato/main/disks-m68k/current/mac/root.bin but using it produces this, as the final few lines of kernel install:
VFS: Mounted root (ext2 filesystem)
VFS: Cannot open root device 00:00
Kernel panic: VFS: Unable to mount root fs on 00:00
Note: although keyboard doesn't seem to work in either case described above, leaving system idle for some minutes results in the screen dimming. And hitting the spacebar brings the screen back. So the keyboard is being sensed at least a little. Next things to try:
I just waited for the screen to darken again. Moving the mouse DOES NOT restore the screen. But hitting a random letter-key DOES. So the keyboard seems to be working, kinda. Eureka! Reading the full install instructions, I realized that I had failed to add one other item to the settings in the booter. I needed "root=/dev/ram" as the command line. Now it boots all the way into the setup screens. So this apparently means that I CAN install linux on this machine! Now it's time to read all the install docs.
I am a fairly capable, and very adventurous, computer user. A long-time Mac user (since 1984), & programmer (Basic, Z80 asm, Pascal, C, C++, Perl, PHP). These days I do a lot of web development and site management in perl and PHP. I'm a comfortable linux user. But I have never installed linux, nor admin'ed a linux/unix system before. My goal is to install some version/dist of linux on a Macintosh Quadra 800 (late-model 68040 machine). I've read that there is a version of linux that MAY run on this hardware. But there are now some tests I need to do to see if I can go further. At the January Seacoast NH LUG I was advised by Mad Dog (John Hall) to beware, that although I may be able to get linux up on this machine, there may be limited support and resources that will run on it. He urged me to put linux on my PowerPC instead, which he said has much better support. That's probably good advice. And I will probably eventually do that. But for now I prefer to use this older, relatively useless (as a Mac) machine for the project. I'm not all that interested in running it as much more than a simple server machine. I probably will be able to do even without any graphical/windowing system. If I can just get it to run in console mode (correct term?) and be able to telnet to it from my other machines, that will meet my immediate goals. Stay tuned.