-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- --
Debian Security Advisory DSA 449-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
February 24th, 2004
On Mon, Feb 23, 2004 at 12:50:27PM +0100, Dariush Pietrzak wrote:
samhain (in unstable, should be easy to backport) which has some
interesting features.
And those interesting features should make you cautious before you deploy
samhain in production environment. I find it rather intrusive.
In what sense? Logging to syslog/email/external database and signing the
Bringing machine to knees seems pretty intrusive to me.
Samhain runs as deamon, and IIRC it scans running processes and does other
things in effort to detect trojans and lkms. This activity used to boost
idle load avg
On Wed, Feb 18, 2004 at 02:15:36AM +0100, Javier Fern?ndez-Sanguino Pe?a wrote:
On Tue, Feb 17, 2004 at 03:12:44PM -0600, Hhayes wrote:
I have a Debian box running as a file server on a network with 50 users. So
(...)
saved the file, resulting in a file that no other users can write to. Has
Alohá!
Noah Meyerhans wrote:
On Tue, Feb 24, 2004 at 09:14:05AM +0200, Sneferu wrote:
Looks like there are a lot of false positives on it.
It looks like there are a lot of false positives with chkrootkit in
general. Seriously, has anybody here ever had chkrootkit detect an
actual
On Tue, Feb 24, 2004 at 10:37:44AM -0500, Noah Meyerhans wrote:
On Tue, Feb 24, 2004 at 09:14:05AM +0200, Sneferu wrote:
Looks like there are a lot of false positives on it.
It looks like there are a lot of false positives with chkrootkit in
general. Seriously, has anybody here ever
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Tue, 24 Feb 2004 14:32:26 +0100,
Greg [EMAIL PROTECTED] wrote:
I am running Debian on a Dec Alpha PC164.
I decided to run chkrootkit and was surprised by the following line.
Checking `bindshell'... INFECTED (PORTS: 1524 31337)
I am not
I've been asked to place a sniffer on a network that handles HIPPA data,
and watch for e-mail containing certain strings. I figured that mailsnarf
would be the best way to do this.
Right.
In testing, if I run:
mailsnarf -i eth2 . tcp
I get all email.
If I run
mailsnarf -i eth2 .*STD.* tcp,
On Tue, Feb 24, 2004 at 06:11:20PM -0500, [EMAIL PROTECTED] wrote:
I've been asked to place a sniffer on a network that handles HIPPA data,
and watch for e-mail containing certain strings. I figured that mailsnarf
would be the best way to do this.
Aside from any of hte technical details of
I've been asked to place a sniffer on a network that handles HIPPA
data, and watch for e-mail containing certain strings. I figured that
mailsnarf would be the best way to do this.
Aside from any of hte technical details of this, I'm kind of wondering
how this fits into HIPPA and it's
free2.org wrote:
since a few days there is no more valid Release.gpg file for woody and non-US
apt-check-sigs says NO VALID SIGNATURE
no problem with sarge, sid and security updates
i do have the ftp master keys 2003 and 2004
Looking at some ftp mirrors, it seems that Release.gpg has been updated
On Tue, Feb 24, 2004 at 06:19:48PM -0500, John Keimel wrote:
On Tue, Feb 24, 2004 at 06:11:20PM -0500, [EMAIL PROTECTED] wrote:
I've been asked to place a sniffer on a network that handles HIPPA data,
and watch for e-mail containing certain strings. I figured that mailsnarf
would be the
On Tue, Feb 24, 2004 at 05:20:01PM -0600, elijah wright wrote:
I've been asked to place a sniffer on a network that handles HIPPA
data, and watch for e-mail containing certain strings. I figured that
mailsnarf would be the best way to do this.
Aside from any of hte technical
John Keimel wrote:
On Tue, Feb 24, 2004 at 06:11:20PM -0500, [EMAIL PROTECTED] wrote:
I've been asked to place a sniffer on a network that handles HIPPA data,
and watch for e-mail containing certain strings. I figured that mailsnarf
would be the best way to do this.
Aside from any of hte
I am running Debian on a Dec Alpha PC164.
I decided to run chkrootkit and was surprised by the following line.
Checking `bindshell'... INFECTED (PORTS: 1524 31337)
I am not sure how no interpret this. I have checked logs, as well as binary
checks and everything seems fine. Can someone help
On Tuesday 24 February 2004 07:53, Greg wrote:
I am running Debian on a Dec Alpha PC164.
I decided to run chkrootkit and was surprised by the following line.
Checking `bindshell'... INFECTED (PORTS: 1524 31337)
Try a nmap port scan from the outside to your ip address. If those ports are
You might not be hacked after all.
Read this: http://www.webhostgear.com/25.html
Also some googling might help ;-)
http://www.google.ro/search?q=%27bindshell%27...+INFECTED+%28PORTS%3A++1524+31337ie=UTF-8oe=UTF-8hl=robtnG=Caut%C4%83meta=
Looks like there are a lot of false positives on it.
May be you have installed fakebo?
Billy
31337 - are your runing portsentry on that machine ?
Quote from the www.chkrootkit.org site:
I'm running PortSentry/klaxon. What's wrong with the bindshell test?
If you're running PortSentry/klaxon or another program that binds itself
to unused ports probably chkrootkit will give you a false
On Mon, Feb 23, 2004 at 12:50:27PM +0100, Dariush Pietrzak wrote:
samhain (in unstable, should be easy to backport) which has some
interesting features.
And those interesting features should make you cautious before you deploy
samhain in production environment. I find it rather intrusive.
In what sense? Logging to syslog/email/external database and signing the
Bringing machine to knees seems pretty intrusive to me.
Samhain runs as deamon, and IIRC it scans running processes and does other
things in effort to detect trojans and lkms. This activity used to boost
idle load avg
On Wed, Feb 18, 2004 at 02:15:36AM +0100, Javier Fern?ndez-Sanguino Pe?a wrote:
On Tue, Feb 17, 2004 at 03:12:44PM -0600, Hhayes wrote:
I have a Debian box running as a file server on a network with 50 users. So
(...)
saved the file, resulting in a file that no other users can write to. Has
On Tue, Feb 24, 2004 at 09:14:05AM +0200, Sneferu wrote:
Looks like there are a lot of false positives on it.
It looks like there are a lot of false positives with chkrootkit in
general. Seriously, has anybody here ever had chkrootkit detect an
actual rootkit? Questions about its output
Alohá!
Noah Meyerhans wrote:
On Tue, Feb 24, 2004 at 09:14:05AM +0200, Sneferu wrote:
Looks like there are a lot of false positives on it.
It looks like there are a lot of false positives with chkrootkit in
general. Seriously, has anybody here ever had chkrootkit detect an
actual
On Tue, Feb 24, 2004 at 10:37:44AM -0500, Noah Meyerhans wrote:
On Tue, Feb 24, 2004 at 09:14:05AM +0200, Sneferu wrote:
Looks like there are a lot of false positives on it.
It looks like there are a lot of false positives with chkrootkit in
general. Seriously, has anybody here ever
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Tue, 24 Feb 2004 14:32:26 +0100,
Greg [EMAIL PROTECTED] wrote:
I am running Debian on a Dec Alpha PC164.
I decided to run chkrootkit and was surprised by the following line.
Checking `bindshell'... INFECTED (PORTS: 1524 31337)
I am not
I've been asked to place a sniffer on a network that handles HIPPA data,
and watch for e-mail containing certain strings. I figured that mailsnarf
would be the best way to do this.
Right.
In testing, if I run:
mailsnarf -i eth2 . tcp
I get all email.
If I run
mailsnarf -i eth2 .*STD.* tcp,
On Tue, Feb 24, 2004 at 06:11:20PM -0500, [EMAIL PROTECTED] wrote:
I've been asked to place a sniffer on a network that handles HIPPA data,
and watch for e-mail containing certain strings. I figured that mailsnarf
would be the best way to do this.
Aside from any of hte technical details of
I've been asked to place a sniffer on a network that handles HIPPA
data, and watch for e-mail containing certain strings. I figured that
mailsnarf would be the best way to do this.
Aside from any of hte technical details of this, I'm kind of wondering
how this fits into HIPPA and it's
free2.org wrote:
since a few days there is no more valid Release.gpg file for woody and non-US
apt-check-sigs says NO VALID SIGNATURE
no problem with sarge, sid and security updates
i do have the ftp master keys 2003 and 2004
Looking at some ftp mirrors, it seems that Release.gpg has been
On Tue, Feb 24, 2004 at 06:19:48PM -0500, John Keimel wrote:
On Tue, Feb 24, 2004 at 06:11:20PM -0500, [EMAIL PROTECTED] wrote:
I've been asked to place a sniffer on a network that handles HIPPA data,
and watch for e-mail containing certain strings. I figured that mailsnarf
would be the
On Tue, Feb 24, 2004 at 05:20:01PM -0600, elijah wright wrote:
I've been asked to place a sniffer on a network that handles HIPPA
data, and watch for e-mail containing certain strings. I figured that
mailsnarf would be the best way to do this.
Aside from any of hte technical
John Keimel wrote:
On Tue, Feb 24, 2004 at 06:11:20PM -0500, [EMAIL PROTECTED] wrote:
I've been asked to place a sniffer on a network that handles HIPPA data,
and watch for e-mail containing certain strings. I figured that mailsnarf
would be the best way to do this.
Aside from any of hte
33 matches
Mail list logo