RE: [Samba] Huh... 2.2.8 exploit?!
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Mon, 30 Jun 2003, Vizitiu, Ciprian wrote: Jun 30 16:17:39 server smbd[28856]: [2003/06/30 16:17:39, 0] lib/fault.c:fault_report(38) Jun 30 16:17:39 server smbd[28856]: === Jun 30 16:17:39 server smbd[28856]: [2003/06/30 16:17:39, 0] lib/fault.c:fault_report(39) Jun 30 16:17:39 server smbd[28856]: INTERNAL ERROR: Signal 11 in pid 28856 (2.2.8) ^^^ 2.2.8 is vunerable. 2.2.8a is not. cheers, jerry -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.1 (GNU/Linux) Comment: For info see http://quantumlab.net/pine_privacy_guard/ iD8DBQE/AYkHIR7qMdg1EfYRAkwGAKDr0g1I9/Z9+vMiNKbhbFsEbM9kCACff5Mz /wkgqFUipSUFvWchx81VPfg= =ZHZC -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Huh... 2.2.8 exploit?!
... By my mistake a 2.2.8a-1 running on RH8 was exposed to the Internet. It was cracked in a matter of hours. I noticed it because they've deleted my smbd. :-| I'm ready to reinstall the machine, if there are any logs that anybody is interested into please say it now. -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Huh... 2.2.8 exploit?!
Hi. ... By my mistake a 2.2.8a-1 running on RH8 was exposed to the Internet. It was cracked in a matter of hours. I noticed it because they've deleted my smbd. :-| 2.2.8a cracked? Isn't this supposed to be the most stable release? I'm ready to reinstall the machine, if there are any logs that anybody is interested into please say it now. Please send them to me. Thank you. -- Nejc Skoberne Grajska 5 SI-5220 Tolmin E-mail: [EMAIL PROTECTED] -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Huh... 2.2.8 exploit?!
On Mon, Jun 30, 2003 at 06:08:02PM +0200, Vizitiu, Ciprian wrote: ... By my mistake a 2.2.8a-1 running on RH8 was exposed to the Internet. It was cracked in a matter of hours. I noticed it because they've deleted my smbd. :-| I'm ready to reinstall the machine, if there are any logs that anybody is interested into please say it now. Were there any other ports open ? We are not aware of any securty holes in 2.2.8a (and one of the Samba Team who is a member of ISS has been testing it on an open Internet connected machine for many weeks now). Jeremy. -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Huh... 2.2.8 exploit?!
Vizitiu, Ciprian rta: ... By my mistake a 2.2.8a-1 running on RH8 was exposed to the Internet. It was cracked in a matter of hours. I noticed it because they've deleted my smbd. :-| I'm ready to reinstall the machine, if there are any logs that anybody is interested into please say it now. Are you really shure, that the computer was breaked through samba, you can be sure only if just the samba ports (137,138,139,445) was opened to the Internet?! -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
RE: [Samba] Huh... 2.2.8 exploit?!
Are you really shure, that the computer was breaked through samba, you can be sure only if just the samba ports (137,138,139,445) was opened to the Internet?! Yes, totally agree with you. Maybe my message was... No, for sure my message was badly formulated. I had a RH8 machine with qmail, latest pure-ftpd and latest Courier IMAP and samba. It was exposed to the Internet and was cracked. From logs like: Jun 30 16:17:39 server smbd[28856]: [2003/06/30 16:17:39, 0] lib/fault.c:fault_report(38) Jun 30 16:17:39 server smbd[28856]: === Jun 30 16:17:39 server smbd[28856]: [2003/06/30 16:17:39, 0] lib/fault.c:fault_report(39) Jun 30 16:17:39 server smbd[28856]: INTERNAL ERROR: Signal 11 in pid 28856 (2.2.8) Jun 30 16:17:39 server smbd[28856]: Please read the file BUGS.txt in the distribution Jun 30 16:17:39 server smbd[28856]: [2003/06/30 16:17:39, 0] lib/fault.c:fault_report(41) Jun 30 16:17:39 server smbd[28856]: === Jun 30 16:17:39 server smbd[28856]: [2003/06/30 16:17:39, 0] lib/util.c:smb_panic(1094) Jun 30 16:17:39 server smbd[28856]: PANIC: internal error Jun 30 16:17:39 server smbd[28856]: Jun 30 16:19:03 server kernel: Unable to handle kernel paging request at virtual address 8491bb2e Jun 30 16:19:03 server kernel: printing eip: Jun 30 16:19:03 server kernel: 8491bb2e Jun 30 16:19:03 server kernel: *pde = Jun 30 16:19:03 server kernel: Oops: Jun 30 16:19:03 server kernel: lp parport e1000 iptable_filter ip_tables reiserfs mousedev keybdev hid input usb-ohci usbcore ext3 jbd ips sd_mod scsi_mod Jun 30 16:19:03 server kernel: CPU:0 Jun 30 16:19:03 server kernel: EIP:0010:[8491bb2e]Not tainted Jun 30 16:19:03 server kernel: EFLAGS: 00010283 ... to me *it looks* like a samba exploit. Please note that the trigger for the whole issue was the absence of smbd file. It was deleted. And that stopped Winbind auth from working so I started to investigate the issue then I saw the logs and then looked at the firewall rules that I've modified short time ago and found the real mistake. Is it better now? -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Huh... 2.2.8 exploit?!
Signal 11, mmm, that could be a memory error(hardware). Is the hardware certified? (www.memtest86.com) HTH Oliver Vizitiu, Ciprian wrote: Are you really shure, that the computer was breaked through samba, you can be sure only if just the samba ports (137,138,139,445) was opened to the Internet?! Yes, totally agree with you. Maybe my message was... No, for sure my message was badly formulated. I had a RH8 machine with qmail, latest pure-ftpd and latest Courier IMAP and samba. It was exposed to the Internet and was cracked. From logs like: -- Oliver Schulze L. [EMAIL PROTECTED] -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Huh... 2.2.8 exploit?!
Hi. Signal 11, mmm, that could be a memory error(hardware). Is the hardware certified? (www.memtest86.com) If it was a hardware error; why would be smbd deleted? -- Nejc Skoberne Grajska 5 SI-5220 Tolmin E-mail: [EMAIL PROTECTED] -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
RE: [Samba] Huh... 2.2.8 exploit?!
Signal 11, mmm, that could be a memory error(hardware). Is the hardware certified? (www.memtest86.com) :-D ... Well it's a IBM e-server. No, I didn't change the original memory modules. If it was a hardware error; why would be smbd deleted? Good question. -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
RE: [Samba] Huh... 2.2.8 exploit?!
For that matter, why would smbd (but not the system logs) be deleted in the first place? Jun 30 2:37am They hang the man and flog the woman That steal the goose from off the common, But let the greater villain loose That steals the common from the goose. --English folk poem, circa 1764 On Mon, 30 Jun 2003, Vizitiu, Ciprian wrote: Signal 11, mmm, that could be a memory error(hardware). Is the hardware certified? (www.memtest86.com) :-D ... Well it's a IBM e-server. No, I didn't change the original memory modules. If it was a hardware error; why would be smbd deleted? Good question. -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
RE: [Samba] Huh... 2.2.8 exploit?!
Le lun 30/06/2003 à 08:38, Rashkae a écrit : For that matter, why would smbd (but not the system logs) be deleted in the first place? on which FS type on does smbd reside ? Jun 30 2:37am They hang the man and flog the woman That steal the goose from off the common, But let the greater villain loose That steals the common from the goose. --English folk poem, circa 1764 On Mon, 30 Jun 2003, Vizitiu, Ciprian wrote: Signal 11, mmm, that could be a memory error(hardware). Is the hardware certified? (www.memtest86.com) :-D ... Well it's a IBM e-server. No, I didn't change the original memory modules. If it was a hardware error; why would be smbd deleted? Good question. -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba -- *** [EMAIL PROTECTED] OpenPGP public key: http://www.amakuru.net/dmorel.asc 28192ef126bc871757cb7d97f4a44536 signature.asc Description: Ceci est une partie de message=?ISO-8859-1?Q?num=E9riquement?= =?ISO-8859-1?Q?_sign=E9e?= -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
RE: [Samba] Huh... 2.2.8 exploit?!
Le lun 30/06/2003 à 08:38, Rashkae a écrit : For that matter, why would smbd (but not the system logs) be deleted in the first place? on which FS type on does smbd reside ? ext3. But it served files from a [Homes] on a ReiserFS -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
