Re: SSL update.. still giving me a Vulnerable status

2002-09-17 Thread Jeroen de Leeuw den Bouter
> > > After updating libssl09 to the latest stable (0.9.4-6.woody.2) version. > > > And running the openssl-sslv2-master script from > > > (http://cert.uni-stuttgart.de/advisories/openssl-sslv2-master.php) > > > The test program is being stupid and just looking at the version string. > > It sees 0

Re: SSL update.. still giving me a Vulnerable status

2002-09-17 Thread Lupe Christoph
On Tuesday, 2002-09-17 at 21:10:14 -0400, Noah L. Meyerhans wrote: > On Wed, Sep 18, 2002 at 10:55:24AM +1000, Jeroen de Leeuw den Bouter wrote: > > After updating libssl09 to the latest stable (0.9.4-6.woody.2) version. > > And running the openssl-sslv2-master script from > > (http://cert.uni-stu

Re: SSL update.. still giving me a Vulnerable status

2002-09-17 Thread Noah L. Meyerhans
On Wed, Sep 18, 2002 at 10:55:24AM +1000, Jeroen de Leeuw den Bouter wrote: > After updating libssl09 to the latest stable (0.9.4-6.woody.2) version. > And running the openssl-sslv2-master script from > (http://cert.uni-stuttgart.de/advisories/openssl-sslv2-master.php) The test program is being st

SSL update.. still giving me a Vulnerable status

2002-09-17 Thread Jeroen de Leeuw den Bouter
Hi All, After updating libssl09 to the latest stable (0.9.4-6.woody.2) version. And running the openssl-sslv2-master script from (http://cert.uni-stuttgart.de/advisories/openssl-sslv2-master.php) It still gives me the following warning... VULNERABLE: does not detect small overflow I did a greb

Re: port 6051: hacked?

2002-09-17 Thread martin f krafft
also sprach Michelle Konzack <[EMAIL PROTECTED]> [2002.09.14.1334 +0200]: > It may be a very big security problem... at least i can't reproduce that on a grsecurity 1.9.6 enabled kernel. -- martin; (greetings from the heart of the sun.) \ echo mailto: !#^."<*>"|tr "<*> mailto:

Re: SSL update.. still giving me a Vulnerable status

2002-09-17 Thread Noah L. Meyerhans
On Wed, Sep 18, 2002 at 10:55:24AM +1000, Jeroen de Leeuw den Bouter wrote: > After updating libssl09 to the latest stable (0.9.4-6.woody.2) version. > And running the openssl-sslv2-master script from > (http://cert.uni-stuttgart.de/advisories/openssl-sslv2-master.php) The test program is being s

Re: slapper countermeasures

2002-09-17 Thread Michael Renzmann
Hi. Jean Christophe ANDRÉ wrote: But may be the main point is: is it really possible to have multiple instance of the .bugtraq program?!? If so, all of them would join the network and should receive the mail-sleep-kill command! I've seen two processes running on an infected server. But whe

Re: ot? apache directory listing mysteries

2002-09-17 Thread Michael Renzmann
Hi. Andrew Pimlott wrote: Yes, if your apache isn't up-to-date. http://www.google.com/search?q=apache%20directory%20listing%20bug Is apache 1.3.26-0woody1 vulnerable to that? As far as I could see the answer should be no, right? Bye, Mike

SSL update.. still giving me a Vulnerable status

2002-09-17 Thread Jeroen de Leeuw den Bouter
Hi All, After updating libssl09 to the latest stable (0.9.4-6.woody.2) version. And running the openssl-sslv2-master script from (http://cert.uni-stuttgart.de/advisories/openssl-sslv2-master.php) It still gives me the following warning... VULNERABLE: does not detect small overflow I did a greb

Re: ot? apache directory listing mysteries

2002-09-17 Thread Michael Renzmann
Hi. Jean Christophe ANDRÉ wrote: Are you using the VirtualHost capability on this server? Yes. If so, you should be aware of using some _default_:* entry to catch all access not using (or using a bad) hostname for VirtualHost. I just tried to forge a http request targeting at a non-sp

Re: slapper countermeasures

2002-09-17 Thread Michael Renzmann
Hi. KevinL wrote: "killall .bugtraq" would be suitable as well, and it would "destroy" every other instance of the program that is running currently. Even if detecting the current PPID does not work for whatever reason. *chuckle* Solaris is vulnerable to this bug? Solaris "killall" kills _eve

Re: slapper countermeasures

2002-09-17 Thread Jean Christophe ANDRÉ
KevinL écrivait : > On Wed, 2002-09-18 at 06:05, Michael Renzmann wrote: > > "killall .bugtraq" would be suitable as well, and it would "destroy" > > every other instance of the program that is running currently. Even if > > detecting the current PPID does not work for whatever reason. > > Solar

Re: slapper countermeasures

2002-09-17 Thread KevinL
On Wed, 2002-09-18 at 06:05, Michael Renzmann wrote: > "killall .bugtraq" would be suitable as well, and it would "destroy" > every other instance of the program that is running currently. Even if > detecting the current PPID does not work for whatever reason. *chuckle* Solaris is vulnerable to

RE: Virus Alert - ScanMail for Lotus Notes-->Let's be friends

2002-09-17 Thread Angus MacGyver
> Klez can forge its From: field. but the recipient email server does not "know" this ;-) > > This one time, at band camp, [EMAIL PROTECTED] wrote: > > ScanMail has detected a virus during a real-time scan of the > email traffic. > > > > Date: 9/17/2002 23:4:45 > > Subject: Let's b

Re: ot? apache directory listing mysteries

2002-09-17 Thread Jean Christophe ANDRÉ
Michael Renzmann écrivait : > I'm wondering if there is a way to get an directory listing from apache > if there is an index.html available in that directory. > > The story behind that question: I put a large file on the webserver that > was intended for download for a friend. The only one I tol

Re: ot? apache directory listing mysteries

2002-09-17 Thread Andrew Pimlott
On Tue, Sep 17, 2002 at 11:24:31PM +0200, Michael Renzmann wrote: > I'm wondering if there is a way to get an directory listing from apache > if there is an index.html available in that directory. Yes, if your apache isn't up-to-date. http://www.google.com/search?q=apache%20directory%20listi

Re: Virus Alert - ScanMail for Lotus Notes-->Let's be friends

2002-09-17 Thread Kelly Steinmeyer
Klez can forge its From: field. This one time, at band camp, [EMAIL PROTECTED] wrote: > ScanMail has detected a virus during a real-time scan of the email traffic. > > Date: 9/17/2002 23:4:45 > Subject: Let's be friends > Virus: WORM_KLEZ.H > File:color.exe > From: debian

ot? apache directory listing mysteries

2002-09-17 Thread Michael Renzmann
Hi all. Maybe that's a little bit offtopic, but it is somehow related to security, so... :) I'm wondering if there is a way to get an directory listing from apache if there is an index.html available in that directory. The story behind that question: I put a large file on the webserver that

Virus Alert - ScanMail for Lotus Notes-->Let's be friends

2002-09-17 Thread administ
ScanMail has detected a virus during a real-time scan of the email traffic. Date: 9/17/2002 23:4:45 Subject: Let's be friends Virus: WORM_KLEZ.H File:color.exe From: debian-security To: [EMAIL PROTECTED]; Action: Uncleanable, Deleted; Scanned by ScanMail for Lot

Re: port 6051: hacked?

2002-09-17 Thread martin f krafft
also sprach Michelle Konzack <[EMAIL PROTECTED]> [2002.09.14.1334 +0200]: > It may be a very big security problem... at least i can't reproduce that on a grsecurity 1.9.6 enabled kernel. -- martin; (greetings from the heart of the sun.) \ echo mailto: !#^."<*>"|tr "<*> mailto

Re: slapper countermeasures

2002-09-17 Thread Michael Renzmann
Hi. Jean Christophe ANDRÉ wrote: > But may be the main point is: is it really possible to have multiple > instance of the .bugtraq program?!? If so, all of them would join the > network and should receive the mail-sleep-kill command! I've seen two processes running on an infected server. But

Re: ot? apache directory listing mysteries

2002-09-17 Thread Michael Renzmann
Hi. Andrew Pimlott wrote: > Yes, if your apache isn't up-to-date. > http://www.google.com/search?q=apache%20directory%20listing%20bug Is apache 1.3.26-0woody1 vulnerable to that? As far as I could see the answer should be no, right? Bye, Mike

Re: slapper countermeasures

2002-09-17 Thread Michael Renzmann
Hi. Jean Christophe ANDRÉ wrote: The problem will be: every command that slapper executes runs with the uid of the infiltrated ssl webserver. So the kill will also run as the same uid... *bing* Ok, got the point. I forgot that the uid is allowed to kill processes with its own uid. So

Re: ot? apache directory listing mysteries

2002-09-17 Thread Michael Renzmann
Hi. Jean Christophe ANDRÉ wrote: > Are you using the VirtualHost capability on this server? Yes. > If so, you should be aware of using some _default_:* entry to catch > all access not using (or using a bad) hostname for VirtualHost. I just tried to forge a http request targeting at a non-

Re: slapper countermeasures

2002-09-17 Thread Michael Renzmann
Hi. KevinL wrote: >>"killall .bugtraq" would be suitable as well, and it would "destroy" >>every other instance of the program that is running currently. Even if >>detecting the current PPID does not work for whatever reason. > *chuckle* > Solaris is vulnerable to this bug? Solaris "killall" k

Re: slapper countermeasures

2002-09-17 Thread Jean Christophe ANDRÉ
KevinL écrivait : > On Wed, 2002-09-18 at 06:05, Michael Renzmann wrote: > > "killall .bugtraq" would be suitable as well, and it would "destroy" > > every other instance of the program that is running currently. Even if > > detecting the current PPID does not work for whatever reason. > > Sola

Re: slapper countermeasures

2002-09-17 Thread Michael Renzmann
Hi. Ralf Dreibrodt wrote: experiences. i asked a friend, what i could say for "erfahrungen" in english, he answered hedrivings, so fast, that i didn't doubt. Ah, I see... english for runaways ;) Bye, Mike

Re: slapper countermeasures

2002-09-17 Thread KevinL
On Wed, 2002-09-18 at 06:05, Michael Renzmann wrote: > "killall .bugtraq" would be suitable as well, and it would "destroy" > every other instance of the program that is running currently. Even if > detecting the current PPID does not work for whatever reason. *chuckle* Solaris is vulnerable t

Re: slapper countermeasures

2002-09-17 Thread Jean Christophe ANDRÉ
Ralf Dreibrodt écrivait : > you want to use a backdoor to get access a server, on which you are not > allowed to get access. after that you want to modify the server (killing > processes, deleting files) and you use the server without permission (for > sending mail). > > well, IANAL, but you shoul

Re: slapper countermeasures

2002-09-17 Thread Ralf Dreibrodt
Michael Renzmann wrote: > > > i already made some bad hedrivings a few years ago with something like > > this... > > But one thing I would like to know: what do you mean with "hedrivings"? :) experiences. i asked a friend, what i could say for "erfahrungen" in english, he answered hedrivings, so

Re: slapper countermeasures

2002-09-17 Thread Jean Christophe ANDRÉ
J.C. André écrivait : > >May be something like this (root mail, some wait, virus self-kill): > > /bin/ls -la /tmp | /bin/mail -s "You have been infected by the Slapper > > worm" root > > /bin/sleep 300 # to wait for the propagation, some network are slow > > /bin/kill -9 $PPID # *MUST* CHE

Re: slapper countermeasures

2002-09-17 Thread Michael Renzmann
Hi. Opinions? you want to use a backdoor to get access a server, on which you are not allowed to get access. [...] I know this can rise problems. We recently had a discussion like this which showed up good arguments for both sides. Asking a lawyer won't be of much help because they can't k

Re: slapper countermeasures

2002-09-17 Thread Ralf Dreibrodt
Hi, > hedrivings sorry, i forgot to change this to experience...hedrivings is only for german people ;)

Re: slapper countermeasures

2002-09-17 Thread Ralf Dreibrodt
Hi, Michael Renzmann wrote: > > Opinions? you want to use a backdoor to get access a server, on which you are not allowed to get access. after that you want to modify the server (killing processes, deleting files) and you use the server without permission (for sending mail). well, IANAL, but yo

Re: slapper countermeasures

2002-09-17 Thread Michael Renzmann
Hi. Jean Christophe ANDRÉ wrote: Same idea here this night! :) Hehe :) I was thinking about the *good* way to do it... May be something like this (root mail, some wait, virus self-kill): /bin/ls -la /tmp | /bin/mail -s "You have been infected by the Slapper worm" root /bin/sleep 300

RE: Virus Alert - ScanMail for Lotus Notes-->Let's be friends

2002-09-17 Thread Angus MacGyver
> Klez can forge its From: field. but the recipient email server does not "know" this ;-) > > This one time, at band camp, [EMAIL PROTECTED] wrote: > > ScanMail has detected a virus during a real-time scan of the > email traffic. > > > > Date: 9/17/2002 23:4:45 > > Subject: Let's

Re: ot? apache directory listing mysteries

2002-09-17 Thread Jean Christophe ANDRÉ
Michael Renzmann écrivait : > I'm wondering if there is a way to get an directory listing from apache > if there is an index.html available in that directory. > > The story behind that question: I put a large file on the webserver that > was intended for download for a friend. The only one I to

Re: slapper countermeasures

2002-09-17 Thread Jean Christophe ANDRÉ
Michael Renzmann écrivait : > Hi all. > How about the following idea: one could use the udp "command language" > that is implemented within the slapper worm to issue some commands for > self-deletion of the worm and informing the root user of every system > about how to close the hole. As far as

Re: ot? apache directory listing mysteries

2002-09-17 Thread Andrew Pimlott
On Tue, Sep 17, 2002 at 11:24:31PM +0200, Michael Renzmann wrote: > I'm wondering if there is a way to get an directory listing from apache > if there is an index.html available in that directory. Yes, if your apache isn't up-to-date. http://www.google.com/search?q=apache%20directory%20list

Re: Virus Alert - ScanMail for Lotus Notes-->Let's be friends

2002-09-17 Thread Kelly Steinmeyer
Klez can forge its From: field. This one time, at band camp, [EMAIL PROTECTED] wrote: > ScanMail has detected a virus during a real-time scan of the email traffic. > > Date: 9/17/2002 23:4:45 > Subject: Let's be friends > Virus: WORM_KLEZ.H > File:color.exe > From: debia

ot? apache directory listing mysteries

2002-09-17 Thread Michael Renzmann
Hi all. Maybe that's a little bit offtopic, but it is somehow related to security, so... :) I'm wondering if there is a way to get an directory listing from apache if there is an index.html available in that directory. The story behind that question: I put a large file on the webserver that

slapper countermeasures

2002-09-17 Thread Michael Renzmann
Hi all. How about the following idea: one could use the udp "command language" that is implemented within the slapper worm to issue some commands for self-deletion of the worm and informing the root user of every system about how to close the hole. As far as I understood there is a network be

Re: Woody Samba Bug or Hacked?

2002-09-17 Thread Phillip Hofmeister
On Tue, 17 Sep 2002 at 09:57:40AM -0500, Hanasaki JiJi wrote: > Yes. the ^I Tabs have been removed... However, it does not explain the > below.. The host name does not appear in smb.conf It is a Win2000 > Professional laptop on the same network. None of the Win2000 or Samba > configs have cha

Virus Alert - ScanMail for Lotus Notes-->Let's be friends

2002-09-17 Thread administ
ScanMail has detected a virus during a real-time scan of the email traffic. Date: 9/17/2002 23:4:45 Subject: Let's be friends Virus: WORM_KLEZ.H File:color.exe From: debian-security <[EMAIL PROTECTED]> To: [EMAIL PROTECTED]; Action: Uncleanable, Deleted; Scanned

Re: slapper countermeasures

2002-09-17 Thread Michael Renzmann
Hi. Jean Christophe ANDRÉ wrote: >>The problem will be: every command that slapper executes runs with the >>uid of the infiltrated ssl webserver. > So the kill will also run as the same uid... *bing* Ok, got the point. I forgot that the uid is allowed to kill processes with its own uid.

Re: slapper countermeasures

2002-09-17 Thread Jean Christophe ANDRÉ
Ralf Dreibrodt écrivait : > you want to use a backdoor to get access a server, on which you are not > allowed to get access. after that you want to modify the server (killing > processes, deleting files) and you use the server without permission (for > sending mail). > > well, IANAL, but you shou

Re: slapper countermeasures

2002-09-17 Thread Ralf Dreibrodt
Michael Renzmann wrote: > > > i already made some bad hedrivings a few years ago with something like > > this... > > But one thing I would like to know: what do you mean with "hedrivings"? :) experiences. i asked a friend, what i could say for "erfahrungen" in english, he answered hedrivings, s

Re: slapper countermeasures

2002-09-17 Thread Jean Christophe ANDRÉ
J.C. André écrivait : > >May be something like this (root mail, some wait, virus self-kill): > > /bin/ls -la /tmp | /bin/mail -s "You have been infected by the Slapper > > worm" root > > /bin/sleep 300 # to wait for the propagation, some network are slow > > /bin/kill -9 $PPID # *MUST* CH

Re: slapper countermeasures

2002-09-17 Thread Michael Renzmann
Hi. >>Opinions? > you want to use a backdoor to get access a server, on which you are not > allowed to get access. [...] I know this can rise problems. We recently had a discussion like this which showed up good arguments for both sides. Asking a lawyer won't be of much help because they can'

Re: slapper countermeasures

2002-09-17 Thread Ralf Dreibrodt
Hi, > hedrivings sorry, i forgot to change this to experience...hedrivings is only for german people ;)

Re: slapper countermeasures

2002-09-17 Thread Ralf Dreibrodt
Hi, Michael Renzmann wrote: > > Opinions? you want to use a backdoor to get access a server, on which you are not allowed to get access. after that you want to modify the server (killing processes, deleting files) and you use the server without permission (for sending mail). well, IANAL, but y

Re: slapper countermeasures

2002-09-17 Thread Michael Renzmann
Hi. Jean Christophe ANDRÉ wrote: > Same idea here this night! :) Hehe :) > I was thinking about the *good* way to do it... > May be something like this (root mail, some wait, virus self-kill): > /bin/ls -la /tmp | /bin/mail -s "You have been infected by the Slapper worm" root > /bin/sle

Re: [Fwd: freeswan & zlib security]

2002-09-17 Thread Dale Amon
On Tue, Sep 17, 2002 at 06:10:32PM +0200, Florian Weimer wrote: > Dale Amon <[EMAIL PROTECTED]> writes: > > > I chatted on the phone with Henry Spencer back when the > > zilb bug was first announced and he was of the opinion > > that in FS it would be almost impossible to exploit. So it's > > pro

Re: slapper countermeasures

2002-09-17 Thread Jean Christophe ANDRÉ
Michael Renzmann écrivait : > Hi all. > How about the following idea: one could use the udp "command language" > that is implemented within the slapper worm to issue some commands for > self-deletion of the worm and informing the root user of every system > about how to close the hole. As far a

Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-17 Thread Dale Amon
On Tue, Sep 17, 2002 at 06:35:52PM +0200, Michael Renzmann wrote: > Hi Florian. > > Florian Weimer wrote: > >If you want to do your own tests (without fooling around with the > >worm), you can use our tool: > > > >http://cert.uni-stuttgart.de/advisories/openssl-sslv2-master.php > > Great tool, th

Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-17 Thread Michael Renzmann
Hi Florian. Florian Weimer wrote: If you want to do your own tests (without fooling around with the worm), you can use our tool: http://cert.uni-stuttgart.de/advisories/openssl-sslv2-master.php Great tool, thanks. The website of the RUS-CERT mentions in the description of the worm: "Bei ver

slapper countermeasures

2002-09-17 Thread Michael Renzmann
Hi all. How about the following idea: one could use the udp "command language" that is implemented within the slapper worm to issue some commands for self-deletion of the worm and informing the root user of every system about how to close the hole. As far as I understood there is a network be

Re: Woody Samba Bug or Hacked?

2002-09-17 Thread Phillip Hofmeister
On Tue, 17 Sep 2002 at 09:57:40AM -0500, Hanasaki JiJi wrote: > Yes. the ^I Tabs have been removed... However, it does not explain the > below.. The host name does not appear in smb.conf It is a Win2000 > Professional laptop on the same network. None of the Win2000 or Samba > configs have ch

Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-17 Thread Florian Weimer
"Noah L. Meyerhans" <[EMAIL PROTECTED]> writes: > On Sat, Sep 14, 2002 at 08:05:53PM +0200, Guille -bisho- wrote: >> I don't know if in the c-2 the worm works partially or fully. Anybody knows? >> It seems that the worm does not fully works on debian. > > The exploit code in the newest worm has be

Re: [Fwd: freeswan & zlib security]

2002-09-17 Thread Florian Weimer
Dale Amon <[EMAIL PROTECTED]> writes: > I chatted on the phone with Henry Spencer back when the > zilb bug was first announced and he was of the opinion > that in FS it would be almost impossible to exploit. So it's > probably something that should be fixed but is not a high > profile issue. Not

Re: Woody Samba Bug or Hacked?

2002-09-17 Thread Hanasaki JiJi
Yes. the ^I Tabs have been removed... However, it does not explain the below.. The host name does not appear in smb.conf It is a Win2000 Professional laptop on the same network. None of the Win2000 or Samba configs have changed in months. nmbd[2009]: ^I^IFRED-LAPTOP2 40051003 () ^IWORKGRO

Re: question from a newbie regarding possible trojan

2002-09-17 Thread Steven

Re: Woody Samba Bug or Hacked?

2002-09-17 Thread Arthur de Jong
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Tue, 17 Sep 2002, Hanasaki JiJi wrote: > Any input on the below syslog entry from Samba in Woody? Thank you. > > nmbd[2009]: ^I^IFS 40009a03 (Samba 2.2.3a-6 for Debian) Did you use tabs in your smb.conf file? (^I==tab char)? - -- arthur - [EMAI

Re: [Fwd: freeswan & zlib security]

2002-09-17 Thread Dale Amon
On Tue, Sep 17, 2002 at 06:10:32PM +0200, Florian Weimer wrote: > Dale Amon <[EMAIL PROTECTED]> writes: > > > I chatted on the phone with Henry Spencer back when the > > zilb bug was first announced and he was of the opinion > > that in FS it would be almost impossible to exploit. So it's > > pr

Woody Samba Bug or Hacked?

2002-09-17 Thread Hanasaki JiJi
Any input on the below syslog entry from Samba in Woody? Thank you. nmbd[2009]: ^I^IFS 40009a03 (Samba 2.2.3a-6 for Debian)

Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-17 Thread Dale Amon
On Tue, Sep 17, 2002 at 06:35:52PM +0200, Michael Renzmann wrote: > Hi Florian. > > Florian Weimer wrote: > >If you want to do your own tests (without fooling around with the > >worm), you can use our tool: > > > >http://cert.uni-stuttgart.de/advisories/openssl-sslv2-master.php > > Great tool, t

Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-17 Thread Michael Renzmann
Hi Florian. Florian Weimer wrote: > If you want to do your own tests (without fooling around with the > worm), you can use our tool: > > http://cert.uni-stuttgart.de/advisories/openssl-sslv2-master.php Great tool, thanks. The website of the RUS-CERT mentions in the description of the worm: "B

Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-17 Thread Florian Weimer
"Noah L. Meyerhans" <[EMAIL PROTECTED]> writes: > On Sat, Sep 14, 2002 at 08:05:53PM +0200, Guille -bisho- wrote: >> I don't know if in the c-2 the worm works partially or fully. Anybody knows? >> It seems that the worm does not fully works on debian. > > The exploit code in the newest worm has b

Re: [Fwd: freeswan & zlib security]

2002-09-17 Thread Florian Weimer
Dale Amon <[EMAIL PROTECTED]> writes: > I chatted on the phone with Henry Spencer back when the > zilb bug was first announced and he was of the opinion > that in FS it would be almost impossible to exploit. So it's > probably something that should be fixed but is not a high > profile issue. Not

Re: [Fwd: freeswan & zlib security]

2002-09-17 Thread Dale Amon
On Tue, Sep 17, 2002 at 12:49:34AM -0300, Peter Cordes wrote: > IIRC, the problem with zlib was that it called free(3) an extra time, or > something like that, and glibc no longer allows that. Moving the ZFREE() > obviously changes the conditions required for it to be called, so this is > very pr

Re: Woody Samba Bug or Hacked?

2002-09-17 Thread Hanasaki JiJi
Yes. the ^I Tabs have been removed... However, it does not explain the below.. The host name does not appear in smb.conf It is a Win2000 Professional laptop on the same network. None of the Win2000 or Samba configs have changed in months. nmbd[2009]: ^I^IFRED-LAPTOP2 40051003 () ^IWORKGRO

Re: question from a newbie regarding possible trojan

2002-09-17 Thread Steven

Re: Woody Samba Bug or Hacked?

2002-09-17 Thread Arthur de Jong
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Tue, 17 Sep 2002, Hanasaki JiJi wrote: > Any input on the below syslog entry from Samba in Woody? Thank you. > > nmbd[2009]: ^I^IFS 40009a03 (Samba 2.2.3a-6 for Debian) Did you use tabs in your smb.conf file? (^I==tab char)? - -- arthur - [EMA

Woody Samba Bug or Hacked?

2002-09-17 Thread Hanasaki JiJi
Any input on the below syslog entry from Samba in Woody? Thank you. nmbd[2009]: ^I^IFS 40009a03 (Samba 2.2.3a-6 for Debian)

Re: [Fwd: freeswan & zlib security]

2002-09-17 Thread Dale Amon
On Tue, Sep 17, 2002 at 12:49:34AM -0300, Peter Cordes wrote: > IIRC, the problem with zlib was that it called free(3) an extra time, or > something like that, and glibc no longer allows that. Moving the ZFREE() > obviously changes the conditions required for it to be called, so this is > very p

Re: question from a newbie regarding possible trojan

2002-09-17 Thread Thomas Horsten
Hi, On Tue, 17 Sep 2002, Claudio Martins wrote: > You can check the date and size of some files like /bin/ps /bin/netstat to > see if they have timestamps consistent with the other files on the same > directories and check that their size is not too small or too big. A normal > ps should have a

Re: question from a newbie regarding possible trojan

2002-09-17 Thread Claudio Martins
On Tuesday 17 September 2002 08:36, Adrian Gheorghe wrote: > I have tracked a weird activity on my external interface lately (few days) > I used "snort", and the portscan.log file shows the following activity: > > #tail portscan.log > > [...] > > also netstat and nmap showed no open connections ot

RE: question from a newbie regarding possible trojan

2002-09-17 Thread Boyan Krosnov
> Sep 17 00:21:41 :1489 -> 207.46.197.113:80 SYN **S* > Sep 17 00:21:42 :1501 -> 207.46.197.113:80 SYN **S* > Sep 17 00:21:58 :1502 -> 207.46.196.102:80 SYN **S* > Sep 17 00:21:58 :1503 -> 207.46.196.102:80 SYN **S* > Sep 17 00:21:58 :1504 -> 207.68.184.62:80 SYN **S* > Sep 17 0

question from a newbie regarding possible trojan

2002-09-17 Thread Adrian Gheorghe
I have tracked a weird activity on my external interface lately (few days) I used "snort", and the portscan.log file shows the following activity: #tail portscan.log Sep 17 00:21:41 :1489 -> 207.46.197.113:80 SYN **S* Sep 17 00:21:42 :1501 -> 207.46.197.113:80 SYN **S* Sep 17 00:21:58 :15

Re: question from a newbie regarding possible trojan

2002-09-17 Thread Thomas Horsten
Hi, On Tue, 17 Sep 2002, Claudio Martins wrote: > You can check the date and size of some files like /bin/ps /bin/netstat to > see if they have timestamps consistent with the other files on the same > directories and check that their size is not too small or too big. A normal > ps should have

Re: question from a newbie regarding possible trojan

2002-09-17 Thread Claudio Martins
On Tuesday 17 September 2002 08:36, Adrian Gheorghe wrote: > I have tracked a weird activity on my external interface lately (few days) > I used "snort", and the portscan.log file shows the following activity: > > #tail portscan.log > > [...] > > also netstat and nmap showed no open connections o

RE: question from a newbie regarding possible trojan

2002-09-17 Thread Boyan Krosnov
> Sep 17 00:21:41 :1489 -> 207.46.197.113:80 SYN **S* > Sep 17 00:21:42 :1501 -> 207.46.197.113:80 SYN **S* > Sep 17 00:21:58 :1502 -> 207.46.196.102:80 SYN **S* > Sep 17 00:21:58 :1503 -> 207.46.196.102:80 SYN **S* > Sep 17 00:21:58 :1504 -> 207.68.184.62:80 SYN **S* > Sep 17

question from a newbie regarding possible trojan

2002-09-17 Thread Adrian Gheorghe
I have tracked a weird activity on my external interface lately (few days) I used "snort", and the portscan.log file shows the following activity: #tail portscan.log Sep 17 00:21:41 :1489 -> 207.46.197.113:80 SYN **S* Sep 17 00:21:42 :1501 -> 207.46.197.113:80 SYN **S* Sep 17 00:21:58 :1