-----BEGIN PGP SIGNED MESSAGE-----
Debian Security Advisory DSA-136-3                    [EMAIL PROTECTED]
http://www.debian.org/security/                       Michael Stone
September 17, 2002
I have tracked some weird activity on my external interface lately (a few days).
I used snort, and the portscan.log file shows the following activity:
#tail portscan.log
Sep 17 00:21:41 my ip:1489 - 207.46.197.113:80 SYN **S*
Sep 17 00:21:42 my ip:1501 - 207.46.197.113:80 SYN **S*
Sep 17
Sep 17 00:21:41 my ip:1489 - 207.46.197.113:80 SYN **S*
Sep 17 00:21:42 my ip:1501 - 207.46.197.113:80 SYN **S*
Sep 17 00:21:58 my ip:1502 - 207.46.196.102:80 SYN **S*
Sep 17 00:21:58 my ip:1503 - 207.46.196.102:80 SYN **S*
Sep 17 00:21:58 my ip:1504 - 207.68.184.62:80 SYN
On Tuesday 17 September 2002 08:36, Adrian Gheorghe wrote:
I have tracked some weird activity on my external interface lately (a few days).
I used snort, and the portscan.log file shows the following activity:
#tail portscan.log
[...]
also netstat and nmap showed no open connections other than
Hi,
On Tue, 17 Sep 2002, Claudio Martins wrote:
You can check the date and size of some files like /bin/ps /bin/netstat to
see if they have timestamps consistent with the other files on the same
directories and check that their size is not too small or too big. A normal
ps should have
On Tue, Sep 17, 2002 at 12:49:34AM -0300, Peter Cordes wrote:
IIRC, the problem with zlib was that it called free(3) an extra time, or
something like that, and glibc no longer allows that. Moving the ZFREE()
obviously changes the conditions required for it to be called, so this is
very
Any input on the below syslog entry from Samba in Woody? Thank you.
nmbd[2009]: ^I^IFS 40009a03 (Samba 2.2.3a-6 for Debian)
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Tue, 17 Sep 2002, Hanasaki JiJi wrote:
Any input on the below syslog entry from Samba in Woody? Thank you.
nmbd[2009]: ^I^IFS 40009a03 (Samba 2.2.3a-6 for Debian)
Did you use tabs in your smb.conf file? (^I==tab char)?
- -- arthur - [EMAIL
Yes, the ^I tabs have been removed... However, it does not explain the
below. The host name does not appear in smb.conf. It is a Win2000
Professional laptop on the same network. None of the Win2000 or Samba
configs have changed in months.
nmbd[2009]: ^I^IFRED-LAPTOP2 40051003 ()
Dale Amon [EMAIL PROTECTED] writes:
I chatted on the phone with Henry Spencer back when the
zlib bug was first announced and he was of the opinion
that in FS it would be almost impossible to exploit. So it's
probably something that should be fixed but is not a high
profile issue. Not my
Noah L. Meyerhans [EMAIL PROTECTED] writes:
On Sat, Sep 14, 2002 at 08:05:53PM +0200, Guille -bisho- wrote:
I don't know if in the c-2 the worm works partially or fully. Does anybody know?
It seems that the worm does not fully work on Debian.
The exploit code in the newest worm has been tested
Hi Florian.
Florian Weimer wrote:
If you want to do your own tests (without fooling around with the
worm), you can use our tool:
http://cert.uni-stuttgart.de/advisories/openssl-sslv2-master.php
Great tool, thanks.
The website of the RUS-CERT mentions in the description of the worm:
Bei
On Tue, Sep 17, 2002 at 06:35:52PM +0200, Michael Renzmann wrote:
Hi Florian.
Florian Weimer wrote:
If you want to do your own tests (without fooling around with the
worm), you can use our tool:
http://cert.uni-stuttgart.de/advisories/openssl-sslv2-master.php
Great tool, thanks.
On Tue, Sep 17, 2002 at 06:10:32PM +0200, Florian Weimer wrote:
Dale Amon [EMAIL PROTECTED] writes:
I chatted on the phone with Henry Spencer back when the
zlib bug was first announced and he was of the opinion
that in FS it would be almost impossible to exploit. So it's
probably
On Tue, 17 Sep 2002 at 09:57:40AM -0500, Hanasaki JiJi wrote:
Yes, the ^I tabs have been removed... However, it does not explain the
below. The host name does not appear in smb.conf. It is a Win2000
Professional laptop on the same network. None of the Win2000 or Samba
configs have
Hi all.
How about the following idea: one could use the udp command language
that is implemented within the slapper worm to issue some commands for
self-deletion of the worm and informing the root user of every system
about how to close the hole. As far as I understood there is a network
Hi.
Jean Christophe ANDRÉ wrote:
Same idea here this night! :)
Hehe :)
I was thinking about the *good* way to do it...
Maybe something like this (root mail, some wait, virus self-kill):
/bin/ls -la /tmp | /bin/mail -s "You have been infected by the Slapper worm" root
/bin/sleep 300
Hi,
Michael Renzmann wrote:
Opinions?
you want to use a backdoor to get access to a server on which you are not
allowed to get access.
after that you want to modify the server (killing processes, deleting files)
and you use the server without permission (for sending mail).
well, IANAL, but
Hi,
hedrivings
Sorry, I forgot to change this to experience... hedrivings is only for German
people ;)
Hi.
Opinions?
you want to use a backdoor to get access to a server on which you are not
allowed to get access. [...]
I know this can raise problems. We recently had a discussion like this
which showed up good arguments for both sides. Asking a lawyer won't be
of much help because they can't
J.C. André wrote:
Maybe something like this (root mail, some wait, virus self-kill):
/bin/ls -la /tmp | /bin/mail -s "You have been infected by the Slapper worm" root
/bin/sleep 300 # to wait for the propagation, some network are slow
/bin/kill -9 $PPID # *MUST* CHECK IF IT
Michael Renzmann wrote:
I already made some bad hedrivings a few years ago with something like
this...
But one thing I would like to know: what do you mean with hedrivings? :)
experiences.
I asked a friend what I could say for Erfahrungen in English; he
answered hedrivings, so fast,
Ralf Dreibrodt wrote:
you want to use a backdoor to get access to a server on which you are not
allowed to get access. After that you want to modify the server (killing
processes, deleting files) and you use the server without permission (for
sending mail).
well, IANAL, but you should
Hi.
Jean Christophe ANDRÉ wrote:
The problem will be: every command that slapper executes runs with the
uid of the infiltrated ssl webserver.
So the kill will also run as the same uid...
*bing* Ok, got the point. I forgot that the uid is allowed to kill
processes with its own uid.
So I
ScanMail has detected a virus during a real-time scan of the email traffic.
Date: 9/17/2002 23:4:45
Subject: Let's be friends
Virus: WORM_KLEZ.H
File:color.exe
From: debian-security [EMAIL PROTECTED]
To: [EMAIL PROTECTED];
Action: Uncleanable, Deleted;
Scanned
Hi all.
Maybe that's a little bit off-topic, but it is somehow related to
security, so... :)
I'm wondering if there is a way to get a directory listing from apache
if there is an index.html available in that directory.
The story behind that question: I put a large file on the webserver that
On Tue, Sep 17, 2002 at 11:24:31PM +0200, Michael Renzmann wrote:
I'm wondering if there is a way to get a directory listing from apache
if there is an index.html available in that directory.
Yes, if your apache isn't up-to-date.
Michael Renzmann wrote:
I'm wondering if there is a way to get a directory listing from apache
if there is an index.html available in that directory.
The story behind that question: I put a large file on the webserver that
was intended for download for a friend. The only one I told
Klez can forge its From: field.
but the recipient email server does not know this ;-)
This one time, at band camp, [EMAIL PROTECTED] wrote:
ScanMail has detected a virus during a real-time scan of the
email traffic.
Date: 9/17/2002 23:4:45
Subject: Let's be friends
On Wed, 2002-09-18 at 06:05, Michael Renzmann wrote:
killall .bugtraq would be suitable as well, and it would destroy
every other instance of the program that is running currently. Even if
detecting the current PPID does not work for whatever reason.
*chuckle*
Solaris is vulnerable to this
KevinL wrote:
On Wed, 2002-09-18 at 06:05, Michael Renzmann wrote:
killall .bugtraq would be suitable as well, and it would destroy
every other instance of the program that is running currently. Even if
detecting the current PPID does not work for whatever reason.
Solaris is
Hi.
Jean Christophe ANDRÉ wrote:
Are you using the VirtualHost capability on this server?
Yes.
If so, you should be aware of using some _default_:* entry to catch
all access not using (or using a bad) hostname for VirtualHost.
I just tried to forge an HTTP request targeting a
Hi.
Andrew Pimlott wrote:
Yes, if your apache isn't up-to-date.
http://www.google.com/search?q=apache%20directory%20listing%20bug
Is apache 1.3.26-0woody1 vulnerable to that? As far as I could see the
answer should be no, right?
Bye, Mike
Hi.
Jean Christophe ANDRÉ wrote:
But maybe the main point is: is it really possible to have multiple
instances of the .bugtraq program?!? If so, all of them would join the
network and should receive the mail-sleep-kill command!
I've seen two processes running on an infected server. But
thus spoke Michelle Konzack [EMAIL PROTECTED] [2002.09.14.1334 +0200]:
It may be a very big security problem...
at least I can't reproduce that on a grsecurity 1.9.6 enabled kernel.
--
martin; (greetings from the heart of the sun.)
Hi All,
After updating libssl09 to the latest stable (0.9.4-6.woody.2) version
and running the openssl-sslv2-master script from
(http://cert.uni-stuttgart.de/advisories/openssl-sslv2-master.php)
it still gives me the following warning...
VULNERABLE: does not detect small overflow
I did a
On Wed, Sep 18, 2002 at 10:55:24AM +1000, Jeroen de Leeuw den Bouter wrote:
After updating libssl09 to the latest stable (0.9.4-6.woody.2) version
and running the openssl-sslv2-master script from
(http://cert.uni-stuttgart.de/advisories/openssl-sslv2-master.php)
The test program is being
On Tuesday, 2002-09-17 at 21:10:14 -0400, Noah L. Meyerhans wrote:
On Wed, Sep 18, 2002 at 10:55:24AM +1000, Jeroen de Leeuw den Bouter wrote:
After updating libssl09 to the latest stable (0.9.4-6.woody.2) version
and running the openssl-sslv2-master script from
Michael Renzmann wrote:
Hi all.
How about the following idea: one could use the udp command language
that is implemented within the slapper worm to issue some commands for
self-deletion of the worm and informing the root user of every system
about how to close the hole. As far as I
Hi.
Ralf Dreibrodt wrote:
experiences.
I asked a friend what I could say for Erfahrungen in English; he
answered hedrivings, so fast, that I didn't doubt.
Ah, I see... english for runaways ;)
Bye, Mike
Klez can forge its From: field.
This one time, at band camp, [EMAIL PROTECTED] wrote:
ScanMail has detected a virus during a real-time scan of the email traffic.
Date: 9/17/2002 23:4:45
Subject: Let's be friends
Virus: WORM_KLEZ.H
File:color.exe
From:
Hi.
KevinL wrote:
killall .bugtraq would be suitable as well, and it would destroy
every other instance of the program that is running currently. Even if
detecting the current PPID does not work for whatever reason.
*chuckle*
Solaris is vulnerable to this bug? Solaris killall kills