root login denied. But by what?

2005-06-17 Thread David Ramsden
Hi,

Logcheck has just given me three of the following:
Jun 17 17:17:15 hexstream [877]: root login denied [username: (0), IP/port: no ip?!]

Each one with a different PID. They appear in my /var/log/auth.log

I've never seen this type of message before but I've recently upgraded to the
latest release of stable.

Does anyone know what generated the above log entries? And why is there no ip?

Regards,
David.
-- 
 .''`. David Ramsden [EMAIL PROTECTED]
: :'  :http://david.hexstream.co.uk/
`. `'` PGP key ID: 507B379B on wwwkeys.pgp.net
  `-  Debian - when my girlfriend's away and there's nothing better to do.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: root login denied. But by what?

2005-06-17 Thread David Ramsden
On Fri, Jun 17, 2005 at 10:47:49PM +0200, Marcin Owsiany wrote:
 On Fri, Jun 17, 2005 at 07:33:02PM +0100, David Ramsden wrote:
  Does anyone know what generated the above log entries?
 
 try:
 
 find /usr/sbin /sbin /usr/local/sbin \
  /usr/bin /usr/local/bin /bin /usr/lib /lib -type f | \
 while read f; do
  if strings $f | egrep -q 'no ip\?!'; then
   echo "it's $f !"
  fi
 done
 

Thanks for that Marcin. Worked well and found the program that caused 
this.

It was scponly. I'm guessing a shell user ran it from an SSH session and 
it's generated the log entries. So nothing to worry about!

Thanks once again!
David.
-- 
 .''`. David Ramsden [EMAIL PROTECTED]
: :'  :http://david.hexstream.co.uk/
`. `'` PGP key ID: 507B379B on wwwkeys.pgp.net
  `-  Debian - when my girlfriend's away and there's nothing better to do.





Re: Kernel Vulnerabilities

2004-11-13 Thread David Ramsden
On Sat, Nov 13, 2004 at 04:41:00PM -0800, peace bwitchu wrote:
 http://securitytracker.com/alerts/2004/Nov/1012165.html
 http://secunia.com/advisories/12669/
 
 Does anyone have any info on these?  I can't find
 anything in the changelogs.
 

PoC for the first one is at:
http://www.k-otik.com/exploits/2004.elfdump.c.php

There is a reference in the changelog for 2.4.28-rc3:
   binfmt_elf: handle partial reads gracefully

I'm not sure if that's the one or not?

HTH.
David.
-- 
 .''`. David Ramsden [EMAIL PROTECTED]
: :'  :http://david.hexstream.eu.org/
`. `'` PGP key ID: 507B379B on wwwkeys.pgp.net
  `-  Debian - when you have better things to do than to fix a system.




Re: Providing secure file access on a colo-server

2004-10-08 Thread David Ramsden
On Fri, Oct 08, 2004 at 07:54:39AM +0200, Sels, Roger wrote:
 Hello Marcus,
 
 I'd recommend sticking to scp, as you can give your users winscp.
 Its interface resembles major ftp clients out there and is very intuitive,
 so they should not have any issues using it.
 
[snip]

http://filezilla.sf.net/ is a great SFTP client. Check it out.

Regards,
David.
-- 
 .''`. David Ramsden [EMAIL PROTECTED]
: :'  :http://david.hexstream.eu.org/
`. `'` PGP key ID: 507B379B on wwwkeys.pgp.net
  `-  Debian - when you have better things to do than to fix a system.




Re: telnetd vulnerability from BUGTRAQ

2004-09-27 Thread David Ramsden
On Mon, Sep 27, 2004 at 02:54:49PM -0700, Rick Moen wrote:
 Quoting Jan Minar ([EMAIL PROTECTED]):
 
  Unfortunately, scp requires a shell access
 
 http://www.sublimation.org/scponly/
 

I've been using scponly for a while now as a replacement for FTP. Never
had any complaints or problems.

I also use scponly with scpjailer [1] which creates a nice chroot
environment based on BusyBox.

[1] http://tjw.org/scpjailer/

David.
-- 
 .''`. David Ramsden [EMAIL PROTECTED]
: :'  :http://david.hexstream.eu.org/
`. `'` PGP key ID: 507B379B on wwwkeys.pgp.net
  `-  Debian - when you have better things to do than to fix a system.




Re: Kernel Crash Bug????

2004-06-15 Thread David Ramsden
On Tue, Jun 15, 2004 at 05:52:18PM +1000, Russell Coker wrote:
 On Tue, 15 Jun 2004 17:24, Rudy Gevaert [EMAIL PROTECTED] wrote:
  Would it be possible to run that program through e.g. perl/php/... ?
 
  A user could ftp the executable and write a php script that executes it.
 
 Does PHP allow executing arbitrary binaries?
 
[snip]

Yes, unless in your php.ini you have something along the lines of:
disable_functions = system,passthru,shell_exec,popen,proc_open

Regards,
David.
-- 
 .''`. David Ramsden [EMAIL PROTECTED]
: :'  :http://david.hexstream.eu.org/
`. `'` PGP key ID: 507B379B on wwwkeys.pgp.net
  `-  Debian - when you have better things to do than to fix a system.




Re: securing PHP (was: Kernel Crash Bug????)

2004-06-15 Thread David Ramsden
On Tue, Jun 15, 2004 at 11:20:35AM +0200, Jeroen van Wolffelaar wrote:
 On Tue, Jun 15, 2004 at 10:35:33AM +0200, Rudy Gevaert wrote:
  On Tue, Jun 15, 2004 at 09:23:33AM +0100, David Ramsden wrote:
   On Tue, Jun 15, 2004 at 05:52:18PM +1000, Russell Coker wrote:
  
Does PHP allow executing arbitrary binaries?

   [snip]
   
   Yes, unless in your php.ini you have something along the lines of:
   disable_functions = system,passthru,shell_exec,popen,proc_open
  
  Can somebody point me to some documentation about securing PHP?
 
 http://php.net/security, a better solution to the above mentioned
 problem is 'safe_mode', which is intended to block all dangerous file
 access, executing, etc.
 

See also:
 http://www.pookey.co.uk/php-security.xml
 http://www.pookey.co.uk/php-suphp.xml

Regards,
David.
-- 
 .''`. David Ramsden [EMAIL PROTECTED]
: :'  :http://david.hexstream.eu.org/
`. `'` PGP key ID: 507B379B on wwwkeys.pgp.net
  `-  Debian - when you have better things to do than to fix a system.




Re: Advice needed, trying to find the vulnerable code on Debian webserver.

2004-06-15 Thread David Ramsden
On Tue, Jun 15, 2004 at 02:32:21PM +1000, Ross Tsolakidis wrote:
 Wipe, install, set up chkrootkit and run it often. 
 I've already done that.  There was no rootkit.
 

An alternative to chkrootkit is rkhunter - it's a set of scripts. You
can find the web address on something like freshmeat.net or Google
easily.

[snip]

 I need to find the vulnerable code on this box.  And I have no idea
 where to begin.
 I've tried running virus scans, nothing is infected.
 
 
[snip]

The files you found within /tmp - grep Apache's access /and/ error logs
for these file names. Other common things to grep for include the use of
uname -a, ls -l, wget, remembering you may need to substitute a
space for %20:
 # grep -i 'uname%20-a' {access,error}.log
 # grep -i 'wget' {access,error}.log

How about running a packet sniffer on port 80 too and monitor the
traffic. Log to a text file and grep that?

HTH.
David.
-- 
 .''`. David Ramsden [EMAIL PROTECTED]
: :'  :http://david.hexstream.eu.org/
`. `'` PGP key ID: 507B379B on wwwkeys.pgp.net
  `-  Debian - when you have better things to do than to fix a system.




Re: tty's messages

2003-12-22 Thread David Ramsden
On Mon, Dec 22, 2003 at 10:23:56AM +0200, EErdem wrote:
 Hi,
 Since I've set up iptables I've been getting these messages continually on
 the tty's (console):
 
[snip]
 
 So I can't use tty's [F1 to F6]. How can I solve this?
 
[snip]

Edit /etc/init.d/klogd and add -c 4 (for example) to KLOGD= so it
reads:
KLOGD="-c 4"

Then /etc/init.d/klogd restart - adjust the 4 (which refers to the
loglevel, such as warn, crit etc.) to your needs.

HTH,
David.
-- 
 .''`. David Ramsden [EMAIL PROTECTED]
: :'  :http://david.hexstream.eu.org/
`. `'` PGP key ID: 507B379B on wwwkeys.pgp.net
  `-  Debian - when you have better things to do than to fix a system.




Re: execute permissions in /tmp

2003-07-14 Thread David Ramsden
On Mon, Jul 14, 2003 at 01:02:33AM -0400, bda wrote:
 On Sun, Jul 13, 2003 at 11:55:45PM -0400, Matt Zimmerman wrote:
  If the user can read files in /tmp, they can execute the code in them.  What
  problem is noexec /tmp supposed to solve?
 
 In the event that the machine gets popped (depending on the vector of
 attack), it makes it that much more difficult for the intruder to run
 exploits on the machine, as it's possible that they cannot write to any
 directory but /tmp. (This is admittedly unlikely as if they're
 exploiting a service, that service can mostly likely write SOMEWHERE,
 which allows for the execution of code; ignoring the fact that the
 attacker has likely already gained the ability to run arbitrary
 commands.)
 

I'd like to agree.
noexec is almost certainly better than nothing at all!

Say for example, something is exploited via a website attack and
commands are executed via some PHP code - the attacker hasn't got a
shell and can't see what's going on, so noexec may fool them into
thinking the security is /too/ good, their code doesn't work etc. and
they'll leave it.
...as I said, better than nothing.

On a side note:
For those people who have made /tmp part of / (i.e. /tmp isn't a
partition and isn't mounted)... I created a file using dd and /dev/zero
of around 20Mb. Then used mkfs to make it into a file system and
mounted it as /tmp with noexec and other permissions.

Although I believe there is tmpfs for this?

 It may seem like putting a pebble in front of a tank, but the only
 defense we have is a many-layered security policy.

Security by obscurity isn't it? At least you'd have the little bit of
extra padding there.

Regards,
David.
-- 
 .''`. David Ramsden [EMAIL PROTECTED]
: :'  :http://david.hexstream.eu.org/
`. `'` PGP key ID: 507B379B on wwwkeys.pgp.net
  `-  Debian - when you have better things to do than to fix a system.




Re: recommendations for FTP server

2003-06-20 Thread David Ramsden
On Fri, Jun 20, 2003 at 02:24:22PM -0400, Matt Zimmerman wrote:
 On Fri, Jun 20, 2003 at 12:56:01PM -0400, Stephen Gran wrote:
 
  I am thinking about setting up an FTP server to be used by myself and a
  couple of friends.  The box it will be running on is basically stock
  Woody, and is currently only running apache and NAT'ing for a LAN.
  
  I'd like the FTP server to not allow anonymous logins (which I assume
  most can do), chroot users to their home directories, and have some sort
  of encrypted connections (over SSL would be nice).  I have thought about
  just using sftp, but currently ssh connections are rerouted to another
  box on the LAN, and I'd like to leave that set up as is, if possible.
 
 You could run sshd on another port.  Really, if you want encryption and no
 anonymous connections, sftp is the right tool for the job.
 
I went against running an FTP server for my users and went for using
SFTP (part of sshd).

For users who just have a standard web package (so they have no shell
access) I give them a shell called 'scponly-c', from the package
scponly which can be found at http://www.sublimation.org/scponly/

So they can only use SFTP and/or scp to upload files, no shell access.
They are also chroot'ed to their home directory for a bit of added
security.
I haven't had any reported problems.

You need to provide the programs they'll need though, like ls, pwd etc.
etc. in their home directory as they are running in a chroot (if you
take that option - It is possible without the chroot).

HTH,
David.
-- 
 .''`. David Ramsden [EMAIL PROTECTED]
: :'  :http://portal.hexstream.eu.org/
`. `'` PGP key ID: 507B379B on wwwkeys.pgp.net
  `-  Debian - when you have better things to do than to fix a system.


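An added example, not part of scponly or scpjailer, of the provisioning step described above: a POSIX shell helper that copies a program and the shared libraries ldd reports into a chroot, plus a check that reports anything still missing. It assumes a Linux host with ldd available and a jail directory supplied by the caller.

```shell
#!/bin/sh
# Populate a chroot with a program and the shared objects it links against,
# so an scponly-style jail can offer commands such as ls and pwd.
# Assumes ldd is present; the jail path is whatever the caller passes in.

# Absolute paths of everything ldd reports for a binary. ldd prints lines
# like "libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)" and
# "/lib64/ld-linux-x86-64.so.2 (0x...)"; a static binary yields nothing.
deps_of() {
    ldd "$1" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

# install_with_libs JAIL /path/to/binary
# Copies the binary and each dependency to the same path under JAIL.
install_with_libs() {
    jail="$1"; bin="$2"
    [ -x "$bin" ] || { echo "not executable: $bin" >&2; return 1; }
    mkdir -p "$jail$(dirname "$bin")"
    cp -p "$bin" "$jail$bin"
    deps_of "$bin" | while read -r lib; do
        mkdir -p "$jail$(dirname "$lib")"
        # cp follows symlinks, so the real object lands at the path the
        # dynamic loader will look for inside the jail.
        cp -p "$lib" "$jail$lib"
    done
}

# missing_libs JAIL /path/to/binary
# Prints dependencies not yet present under JAIL; returns 0 when none are missing.
missing_libs() {
    jail="$1"; bin="$2"
    deps_of "$bin" | while read -r lib; do
        [ -e "$jail$lib" ] || echo "$lib"
    done | grep . && return 1
    return 0
}
```

Name service lookups (getpwnam and friends) load libnss_* objects at run time, which ldd does not list; add those and a trimmed /etc/passwd by hand if a jailed program needs them.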


Re: Advice Needed On Recent Rootings

2003-05-25 Thread David Ramsden
 On Sun, 2003-05-25 at 14:04, Jayson Vantuyl wrote:
  We've had a number of hacked boxen recently.  It appears a certain
  person (Romanian we think) is specifically targeting us and our
  customers (looks like he hit a machine and found connections from others
  in their logs, went from there).
  
  We have no idea how he's getting in, but we've got his rootkit fairly
  nailed down (he uses a few slightly different ones).
  
  We've caught a few systems as he was breaking in (we have
  .bash_history files and the site he downloads his rootkits from).
  
  The part that bothers me is that all of these systems were updated to
  the newest versions on debian.security.org (if apt-get was doing its
  job) and firewalled down to just the ports we needed (22, 25, 53, 80).
  
[snip]

I've found that when running a system where the users can put up their
own web pages... most insecure.
It's virtually impossible to know what each user is running under their
web space... an exploitable version of PHPNuke for example, leading to
the web server privs. and from there, who knows.

So if you can't think of any service that may have been exploited due to
being up to date with security.debian.org maybe think about what users
are running under their webspace.

That's a bit of a stab in the dark but something I feel admins
overlook (note to self: look at running Apache in a chroot jail :-p).
So maybe they gained access to a system via something like the above,
then found out a common username/password (root, for example) and are
able to log in to the other machines via SSH - no need to exploit.

Some things to think about possibly.
Good luck!
David.
-- 
 .''`. David Ramsden [EMAIL PROTECTED]
: :'  :http://portal.hexstream.eu.org/
`. `'` PGP key ID: 507B379B on wwwkeys.pgp.net
  `-  Debian - when you have better things to do than to fix a system.




NIS (mis)configuration and MySQL alternative.

2003-05-23 Thread David Ramsden
Hi,

I'm using NIS on my network.
It's locked down as much as it can be from the outside world (ipfilter
and tcp_wrappers) but I've just noticed any normal user can use ypcat to
look at the shadow map and obviously be able to see other users
encrypted passwords.
Although root isn't listed it's still a security risk for other users.

Is it possible to stop any normal user from viewing the shadow map, via
ypcat?

I've also been looking in to alternatives to NIS (although NIS works
very well, it's not the most of secure ways as I've said above!).
LDAP is one way but I'm not confident enough to try this - I don't have
any knowledge of it and when I tried it on a test network, it was a
nightmare and didn't work 100%. Documentation seems a bit thin and/or
out-of-date currently.

Anyway, I searched for some alternatives on freshmeat and one that uses
MySQL and nsswitch came up. It's also possible to use encryption
(SSL/SSH IIRC) for the connection.
Has anyone tried this? Feedback most welcome :)

Thanks and regards,
David.
-- 
 .''`. David Ramsden [EMAIL PROTECTED]
: :'  :http://portal.hexstream.eu.org/
`. `'` PGP key ID: 507B379B on wwwkeys.pgp.net
  `-  Debian - when you have better things to do than to fix a system.




Re: Have I been hacked?

2003-05-07 Thread David Ramsden
On Wed, May 07, 2003 at 02:51:39PM +0100, Ian Goodall wrote:
 I am running a debian woody server and when I checked the last users
 yesterday I a large number of logins in the list. On running the command
 today I get the following:
 
 dev1:/home/ian# last
 ian  pts/0172.16.3.195 Wed May  7 14:49   still logged in
 team1pts/0blue99.ex.ac.uk  Wed May  7 13:21 - 13:57  (00:35)
 
 I have run chkrootkit but nothing was found.
 
[snip]

Could it be that wtmp has been rotated?
If the wtmp gets to a certain size or date (I can't remember exactly) it
normally gets rotated.
If you cd /var/log and then ls -l |grep wtmp you'll probably see
wtmp.X - Where X is a number, like 1 where the file has been rotated.

HTH,
David.
-- 
 .''`. David Ramsden [EMAIL PROTECTED]
: :'  :http://portal.hexstream.eu.org/
`. `'` PGP key ID: 507B379B on wwwkeys.pgp.net
  `-  Debian - when you have better things to do than to fix a system.




Snort exploit in wild.

2003-04-25 Thread David Ramsden
Hi,

Noticed on vil.mcafee.com that a proof of concept exploit for Snort to
exploit the vuln. found in v1.8 through to 1.9.1.

Packet Storm Security have this proof of concept on their site (local
exploit at the moment).
It uses a call-back technique to spawn a shell on the attacker's machine,
via a connection from the compromised machine.
I've not tried this on my Debian machines yet, so can't say if it works
- you'd need the return address for Debian as only Slackware is supported
in this proof of concept.

What's the status of a patch from Debian Security? No DSA yet either.
I know this has been brought up a few times already but now an exploit
exists in the wild.

As a workaround, I could disable snort (granted) but also, how can I use
/etc/apt/preferences to update /just/ snort to a non-vuln. version from
another branch (unstable/testing)? What line do I need in
/etc/apt/sources.list? And how easy is it to downgrade to the stable
version if something goes wrong or a patch is released from Debian?

Thanks for all the help and regards,
David.
-- 
 .''`. David Ramsden [EMAIL PROTECTED]
: :'  :http://portal.hexstream.eu.org/
`. `'` PGP key ID: 507B379B on wwwkeys.pgp.net
  `-  Debian - when you have better things to do than to fix a system.




Re: Snort exploit in wild.

2003-04-25 Thread David Ramsden
On Fri, Apr 25, 2003 at 12:13:38PM +0200, Marcel Weber wrote:
 David Ramsden wrote:
 
[snip]
 
 Following the advice from heise.de [1] it should be enough to comment 
 out the line:
 
 preprocessor stream4_reassemble
 
 in your /etc/snort/snort.conf
 
 as the vulnerability is in this module. Of course you will lose some 
 information. But safer is better ;-)
 
[snip]
 
 [1] 
 (http://www.heise.de/newsticker/result.xhtml?url=/newsticker/data/pab-16.04.03-000/default.shtml&words=Snort)

Thank you for the information.
I had a quick look on the bug tracking system for Debian and found
information for the RPC decoder exploit, so have commented that out.

I'll now disable what's been suggested and wait for a DSA.

Thanks for the information on this Marcel.
Kind regards,
David.
-- 
 .''`. David Ramsden [EMAIL PROTECTED]
: :'  :http://portal.hexstream.eu.org/
`. `'` PGP key ID: 507B379B on wwwkeys.pgp.net
  `-  Debian - when you have better things to do than to fix a system.





Re: HELP, my Debian Server was hacked!

2003-04-24 Thread David Ramsden
On Thu, Apr 24, 2003 at 11:19:34AM +0200, Mauro Chiarugi wrote:
 On Tue, 22 Apr 2003 17:48:23 -0500 (CDT), David Ehle wrote:
 
  nightly apt-get update && apt-get upgrade
 
 But what if it asks for human interaction? What can I do?
 
apt-get --assume-yes upgrade

That'll answer 'yes' to any questions asked (like, asking you if you
want to install the package).

I'm not a huge fan of doing this, without me actually executing it
because it may break something or stop a service etc. etc.
I have a shell script that's in /etc/cron.daily that looks like:
#!/bin/sh
#
apt-get update
apt-get --assume-yes --simulate upgrade

#EOF

So when it's executed, it does an apt-get update as normal and then does
a simulated upgrade. So it shows you what would happen if there are
packages to be upgraded but it doesn't actually apply it.

With any output to STDOUT from cron, you get an email about it, so this
way I can look at these every day and see which servers have updates
available for them and what will happen if I apply them.

HTH,
David.
-- 
 .''`. David Ramsden [EMAIL PROTECTED]
: :'  :http://portal.hexstream.eu.org/
`. `'` PGP key ID: 507B379B on wwwkeys.pgp.net
  `-  Debian - when you have better things to do than to fix a system.




Re: HELP, my Debian Server was hacked!

2003-04-24 Thread David Ramsden
On Thu, Apr 24, 2003 at 01:16:49PM +, simon raven wrote:
 On Thu, Apr 24, 2003 at 08:48:27 -0400, Raymond Wood wrote:
  On Thu, Apr 24, 2003 at 02:17:48PM +0200, Adam ENDRODI imagined:
  
[snip]
   Details on how to implement this have been discusssed in the
   list several times and an adequate answer can be found in the
   Debian Security FAQ.  Upon request, I can send the perl script
   we're using on daily basis.
   
[snip]
  I would be most interested in seeing the perl script.
  
 as would I :).
 eric
 
Me too please - Sorry for replying to the list. Lost the original
posters email address.

Thanks and regards,
David.
-- 
 .''`. David Ramsden [EMAIL PROTECTED]
: :'  :http://portal.hexstream.eu.org/
`. `'` PGP key ID: 507B379B on wwwkeys.pgp.net
  `-  Debian - when you have better things to do than to fix a system.




iptables with no module support?

2003-04-23 Thread David Ramsden
Hi,

I'm building a 'secure' server.
I downloaded the 2.4.20 kernel source from kernel.org and patched with
grsecurity (latest patch).
I also disabled loadable modules or any module support in the kernel for
added security - So everything is compiled in to the kernel.

However, iptables won't work, saying it can't initialise iptables table
'filter' and asking 'do you need to insmod?'.
So does iptables require module support? I don't want to use modules
though! :-)
Surely the Netfilter people would have thought of this?

I can't find an option to allow ipchains compatibility either - Does
this no longer exist?

So any workarounds, fixes etc. etc. would be most welcome.

Thanks and regards,
David.
-- 
 .''`. David Ramsden [EMAIL PROTECTED]
: :'  :http://portal.hexstream.eu.org/
`. `'`
  `-  Debian - when you have better things to do than to fix a system.




Re: iptables with no module support?

2003-04-23 Thread David Ramsden
On Wed, Apr 23, 2003 at 12:22:40PM -0400, Stephen Walker wrote:
> David,
>
> You do not need modules to run netfilter, just compile the required
> modules into the kernel.  I have a 2.4.20 server that is iptables
> enabled without loadable modules so I know it works.
>
Thanks for that Steve.
Works now.

I went into make menuconfig and had another look, and I had missed the
Netfilter configuration sub-menu that appears when you select that you
want to use Netfilter - red face, slap forehead and say "D'oh!".

Thanks for the replies on this [problem/user error :-p] (delete as
appropriate).
Kind regards,
David.
-- 
 .''`. David Ramsden [EMAIL PROTECTED]
: :'  :http://portal.hexstream.eu.org/
`. `'` PGP key ID: 507B379B on wwwkeys.pgp.net
  `-  Debian - when you have better things to do than to fix a system.
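As an added illustration (not code from the thread): a small POSIX shell check that reads a kernel .config and reports the netfilter options the 'filter' table needs, treating =m as unavailable when CONFIG_MODULES is off, which is the monolithic build described above. The CONFIG_NETFILTER, CONFIG_IP_NF_IPTABLES and CONFIG_IP_NF_FILTER names are the 2.4-series symbols; the sample .config is constructed.

```shell
#!/bin/sh
# Added example, not from the original thread: check a kernel .config for the
# options the iptables 'filter' table needs. With CONFIG_MODULES off, an
# option built as a module (=m) is effectively absent, which is the
# "can't initialize iptables table 'filter'" situation from the post.

# Constructed sample: modules disabled, but the filter table left modular.
SAMPLE_CONFIG='# CONFIG_MODULES is not set
CONFIG_NET=y
CONFIG_INET=y
CONFIG_NETFILTER=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=m
# CONFIG_IP_NF_CONNTRACK is not set'

# Options that must be built in for the filter table to exist (2.4 names).
REQUIRED='CONFIG_NETFILTER CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER'

# Print the value of one option from a .config read on stdin: y, m, or n
# (n covers both "# X is not set" and an option missing from the file).
config_value() {
    awk -v opt="$1" '
        $0 == ("# " opt " is not set") { print "n"; found = 1; exit }
        index($0, opt "=") == 1        { sub(opt "=", ""); print; found = 1; exit }
        END { if (!found) print "n" }'
}

# $1 is the .config contents. Print one line per option that would leave the
# filter table unavailable; print nothing when the build is fine.
missing_for_filter_table() {
    config="$1"
    modules=$(printf '%s\n' "$config" | config_value CONFIG_MODULES)
    for opt in $REQUIRED; do
        val=$(printf '%s\n' "$config" | config_value "$opt")
        case "$val" in
            y) ;;
            m) [ "$modules" = y ] || echo "$opt=m but CONFIG_MODULES is off: build it in (=y)" ;;
            *) echo "$opt is not set: enable it (=y)" ;;
        esac
    done
}

# Stand-alone usage against the constructed sample; on a real tree you would
# pass "$(cat /usr/src/linux/.config)" instead.
missing_for_filter_table "$SAMPLE_CONFIG"
```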




Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread David Ramsden
- Original Message -
From: Christian Hammers [EMAIL PROTECTED]
To: Marc Demlenne [EMAIL PROTECTED]
Cc: DouRiX [EMAIL PROTECTED]; Lutz Kittler
[EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Tuesday, April 01, 2003 2:04 PM
Subject: Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and
2.4 kernels]


[snip]
>
> > What's the real effect of modifying /proc/sys/kernel/modprobe by, e.g.
> > echo unexisting_binary > /proc/sys/kernel/modprobe
>
> > Can we trust this solution ?
>
> NO, it does not prevent the exploit.
>
> It does prevent the km3.c example exploit but not e.g.
>   http://isec.pl/cliph/isec-ptrace-kmod-exploit.c

I'd have to disagree with you there.
I've done this to one Debian box (3.0 running 2.2.20) and it does stop the
above exploit:

$ echo /this/doesnt/exist > /proc/sys/kernel/modprobe
$ gcc isec-ptrace-kmod-exploit.c -o isec-ptrace-kmod-exploit
$ ./isec-ptrace-kmod-exploit
$ [+] Attached to 18765
(gets stuck here - have to use Ctrl+C)
$


> You have to patch the kernel or load and compile the following module:
>   http://www.securiteam.com/tools/5SP082K5GK.html (no-ptrace-module.c)

The above is probably the better solution.
But you can't beat patching the kernel, if it'll work - When are Debian
going to release a DSA on this? :)

I'm running 2.2.19 from when I upgraded from 2.2r2 and can't apt-get the
kernel-source-2.2.19 and same for 2.2.20. Most annoying. I don't want to
upgrade to 2.4.x yet.
If I could get the source for 2.2.19 or 2.2.20 from Debian then I could copy
the configuration file from /boot as .config and then just apply the kernel
patch and make oldconfig without having to re-do the config again.
Downloading the source from kernel.org and trying to use the config in /boot
has 'new features' and things.
(I'm not too confident at compiling the kernel and the default Debian one is
fine!).

Regards,
David.
--
David Ramsden
http://portal.hexstream.eu.org/


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: [d-security] Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread David Ramsden
- Original Message -
From: Christian Hammers [EMAIL PROTECTED]
To: David Ramsden [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, April 01, 2003 4:48 PM
Subject: Re: [d-security] Re: [d-security] Re: [Fwd: Re: LWN: Ptrace
vulnerability in 2.2 and 2.4 kernels]


[snip]

> Can it be that you had loaded no-ptrace-module.o or someone patched your
> kernel? See:

[snip]

It's the 2.2.20 kernel from Debian (did an apt-get install of the .deb
kernel-image package).
I then did: echo '/this/doesnt/exist' > /proc/sys/kernel/modprobe
And tried what you did Christian. See below:

$ uname -r
2.2.20
$ gcc ptrace-kmod.c -o ptrace-kmod
$ ls -al ptrace-kmod*
-rwxr-xr-x1 scarlet  scarlet  9028 Apr  1 17:40 ptrace-kmod
-rw-r--r--1 scarlet  scarlet  3736 Apr  1 17:37 ptrace-kmod.c
$ id
uid=1007(scarlet) gid=1007(scarlet) groups=1007(scarlet)
$ ./ptrace-kmod
[-] Unable to attach: Operation not permitted
Killed
$ ./ptrace-kmod

$ ./ptrace-kmod
[+] Attached to 25763

$ ./ptrace-kmod
[+] Attached to 25770

$ id
uid=1007(scarlet) gid=1007(scarlet) groups=1007(scarlet)
$ cat /proc/sys/kernel/modprobe
/this/doesnt/exist
$

I've made sure no no-ptrace module is loaded and I'm sure the kernel hasn't
been patched.
I can echo '/sbin/modprobe' > /proc/sys/kernel/modprobe and try the above
and I'll get a root prompt first time.

Maybe it doesn't work for the 2.4.x kernel series?
Can anyone else try this maybe and report back :-)

Cheers.
David.







Re: Port 635

2003-03-31 Thread David Ramsden
- Original Message -
From: Netnation - Diederik de Vries [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, March 31, 2003 1:55 PM
Subject: Port 635


> Hi there!
>
> The last weeks, we frequently get portscanned at port 635. 635 is used for
> mountd. Is there some new form of exploit available, or am I getting plain
> paranoid? :)

I'm not sure if there is or not but a buffer overflow in Sun's RPC
implementation was found (see DSA 272-1).
So maybe it's something related to that? mountd uses RPC and NFS is all from
Sun, so I'd imagine it'd use this dietlibc?

Maybe it's related to that, maybe it's not.
According to sans.org [1] RPC services are the number 1 exploitable part of
UNIX systems, so it may just be one of those standard 'scans' you get now and
then.

[1] http://www.sans.org/top20/#index

David.
--
David Ramsden
http://portal.hexstream.eu.org/





Re: ptrace bug: ipsec exploit makes itself suid(0)

2003-03-21 Thread David Ramsden
- Original Message -
From: Christian Hammers [EMAIL PROTECTED]
To: Jean Christophe ANDRÉ [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, March 21, 2003 1:18 PM
Subject: ptrace bug: ipsec exploit makes itself suid(0)


> Hello

[snip]
>
> > Be careful about the exploit owner/permission: it dynamically changes
> > its owner/permissions to root.root/ug+s = setugid binary!
>
> Argh, you're right, what a nasty little script!
>
> I Cc this to the mailing list so that others don't trap into this when
> verifying whether or not their no-ptrace-module.o prevents an exploitation
> of the bug.

First post to the list!

I'd like to say that I've had no success with the no-ptrace module (NPT)
(still get root, and I've made sure the exploit hasn't been run more than
once, due to it making itself suid(0)).
I'm using Debian 3.0 (Stable) with kernel 2.2.19 (standard Debian install).
The additional printk() I added, to help spot potential abusers did log to
/var/log/messages as:
[date/time] host: kernel: ptrace(): uid=0, comm=

But as I've said... it has had no effect in blocking ptrace() as a
workaround for this exploit.

Regards,
David.
--
David Ramsden
http://portal.hexstream.eu.org/





Re: [d-security] ptrace bug: ipsec exploit makes itself suid(0)

2003-03-21 Thread David Ramsden
- Original Message -
From: Christian Hammers [EMAIL PROTECTED]
To: David Ramsden [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, March 21, 2003 3:20 PM
Subject: Re: [d-security] Re: ptrace bug: ipsec exploit makes itself suid(0)


[snipped]
> ...
> > - Loading the module with: insmod -f npt.o
> > (Have to force load the module, unfortunately)

[snipped]

> Compile with: -I/usr/local/src/kernel/linux-that-I-run/include/
> If you do no longer have your kernel source it is sufficient to
> copy the /boot/config-2.4.20-my-kernel (or whatever) back, do
> make oldconfig && make dep && make bzImage && make modules and
> then use this tree.

Hi,

I now have the NPT (no-ptrace) module working.
I followed Christian's advice. I had to download the 2.2.19 kernel source
from kernel.org as I can't apt-get kernel-source-2.2.19.
I then cp'ed /boot/config-`uname -r` to /usr/src/linux and did the
following: make oldconfig && make dep && make bzImage && make modules.
The compile failed on 'make modules' for some reason, but I recompiled npt.c
using: gcc -c -I/usr/src/linux/include npt.c

I could then insmod this module fine and it has stopped the exploit from
running and is logging to /var/log/messages fine.

Thanks for your help Christian. Hope others will find this useful too!

On a side note... why doesn't Debian have its kernel source to 2.2.19 that
was used in Debian available anymore? All my servers are running Debian 3.0
(Stable) with the 2.2.19 kernel from the Debian install.

Thanks and regards,
David.
--
David Ramsden
http://portal.hexstream.eu.org/





Re: determining which patches to apply...

2003-03-21 Thread David Ramsden
- Original Message -
From: Jeremy Choy [EMAIL PROTECTED]
To: debian security lists [EMAIL PROTECTED]
Sent: Friday, March 21, 2003 6:42 PM
Subject: determining which patches to apply...


> first off, is there a way to check what's installed/running for packages
> besides ps aux ( so I can check if the vulnerability will affect my
> machines )

I'd also like to know this one.
Something related to apt-cache possibly? I've yet to properly look through
the man page for apt-cache.


> and how do I know which 'fix' I should apply? I'm generally good, when it's
> something like apache, php, mysql as I know I have it installed. But for
> things like vulnerabilities in glibc. (or other libraries) how do you tell
> if you have it or not?

[snip]

This is the beauty of apt-get - It'll take care of everything for you.
Here is what I suggest...
Make sure you have the following in /etc/apt/sources.list:
deb http://security.debian.org/ stable/updates main

Now all you need to do is:
apt-get update
apt-get upgrade

This will go off to all the sources in /etc/apt/sources.list and get the
latest package descriptions, versions, etc. so your machine knows what the
latest version of each package is (this is what apt-get update does).
Secondly, it'll compare what you currently have installed (applications, core
files etc.) to what the latest versions are. If there are newer versions
available from Debian, it'll go off and download these.

The important apt source is the security one - This is where Debian release
security fixes for packages.

What I do for all my machines is have a shell script, placed in
/etc/cron.daily that contains the following:
#!/bin/sh
# Refresh the package lists, then only simulate the upgrade so the daily
# cron report shows what would change without installing anything.
apt-get update
apt-get --simulate --assume-yes upgrade
# Drop cached .deb files that can no longer be downloaded.
apt-get autoclean

Every day, this will simulate an upgrade of your packages with the latest.
You can see what will be installed, what will be upgraded, if it'll work
etc. etc.

HTH. Regards,
David.
--
David Ramsden
http://portal.hexstream.eu.org/
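An added example, not from the original post, for the daily simulated upgrade described above: it parses the Inst lines that apt-get --simulate --assume-yes upgrade prints and separates packages coming from the security archive from the rest, so the cron report leads with what matters. The Inst line layout and the security-origin string are assumptions about apt's simulation output; the sample output and package versions are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: summarise the output of
# `apt-get --simulate --assume-yes upgrade` from the daily cron job.
# Assumed apt "Inst" line layout:
#   Inst <pkg> [<old>] (<new> <origin> [<arch>])
# with no [<old>] field when the package would be newly installed.
# The sample below is constructed, not captured from a real system.
SAMPLE_APT_OUTPUT='Reading package lists...
Building dependency tree...
The following NEW packages will be installed:
  libfoo1
The following packages will be upgraded:
  libssl1.1 openssl tzdata
3 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Inst libssl1.1 [1.1.1n-0+deb11u3] (1.1.1n-0+deb11u5 Debian-Security:11/stable-security [amd64])
Inst openssl [1.1.1n-0+deb11u3] (1.1.1n-0+deb11u5 Debian-Security:11/stable-security [amd64])
Inst libfoo1 (1.0-1 Debian:11.7/stable [amd64])
Inst tzdata [2021a-1+deb11u5] (2021a-1+deb11u8 Debian:11.7/stable [all])
Conf libssl1.1 (1.1.1n-0+deb11u5 Debian-Security:11/stable-security [amd64])
Conf openssl (1.1.1n-0+deb11u5 Debian-Security:11/stable-security [amd64])
Conf libfoo1 (1.0-1 Debian:11.7/stable [amd64])
Conf tzdata (2021a-1+deb11u8 Debian:11.7/stable [all])'

# Read simulation output on stdin; print "<pkg> <old|-> <new> <security|regular>"
# for each package that would be installed. Newly installed packages get "-"
# as their old version.
pending_upgrades() {
    awk '$1 == "Inst" {
        pkg = $2
        if ($3 ~ /^\[/) { old = $3; new = $4; src = $5 } else { old = "-"; new = $3; src = $4 }
        # strip the [] and () decoration, keeping only Debian version characters
        gsub(/[^A-Za-z0-9.+:~-]/, "", old)
        gsub(/[^A-Za-z0-9.+:~-]/, "", new)
        origin = (src ~ /[Ss]ecurity/) ? "security" : "regular"
        print pkg, old, new, origin
    }'
}

# Count the pending upgrades that come from the security archive.
count_security_upgrades() {
    pending_upgrades | awk '$4 == "security" { n++ } END { print n + 0 }'
}

# Stand-alone usage with the constructed sample; in the cron job, pipe the
# real `apt-get --simulate --assume-yes upgrade` output in instead.
printf '%s\n' "$SAMPLE_APT_OUTPUT" | pending_upgrades
```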




