Re: pop mail recommendations

2002-12-06 Thread Michael Renzmann
Hi all. Ted Roby wrote: I suggest popa3d from http://www.openwall.com but I'm not sure if you can use it in standalone mode. How about the combination of popa3d with postfix? Does this team up well? I thought of using qpopper, but I'm willing to think that over again if qpopper has major

Re:

2002-11-26 Thread Michael Renzmann
Andrea Grandi (LevOn Inf.) wrote: subscribe Does that mean one can send mails to the list without being subscribed? Maybe this should be changed then in order to keep spammers away... just a thought. Bye, Mike -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe.

Re: unsubscribe

2002-11-18 Thread Michael Renzmann
Hi. Matt Andreko wrote: When does it end with the unsubscribes? When does it end with people complaining about the unsubscribes that have been sent to the list? Bye, Mike
recommendable security lists?

2002-11-14 Thread Michael Renzmann
Hi all. One question I think that is not very off topic: what mailinglists, besides bugtraq, would you recommend for someone who wants to keep track of current security problems? My interest is mainly in security issues with wireless lan equipment (such as the two security holes in current
Re: Having been open relay for a moment

2002-10-08 Thread Michael Renzmann
Hi. Anton Zinoviev wrote: 3. In the log-files of exim I have a huge list of e-mail addresses of spammers (such as [EMAIL PROTECTED]). Can I do something useful with them? As they most possibly are forged: no. Drop them in the dustbin and forget about them. It is not worth

Re: Debian (Unstable) problem with SSH and PAM

2002-10-04 Thread Michael Renzmann
Hi. Tom Cook wrote: Yea... you are getting nice... LaMer... i am a system administrator and a coder... so...shut up. *sigh* there was a time when trolls studied their field before they started posting. Trolls never know anything about the field they are talking about, but they claim they
Re: Newbie - wants to close ports

2002-09-30 Thread Michael Renzmann
Hi. Zeno Davatz wrote: I am just gonna deinstall portsentry - why did I install it in the first place??? In order to get informed in cases when there are (more or less) obvious port scans? :) Bye, Mike
a.out apache exploit known?

2002-09-19 Thread Michael Renzmann
Hi. Is there any known issue with an HTTP request for a file named a.out? I was just wondering, because I had such a request today from a box which was in a .mil domain... he/she downloaded the source of slapper there, watched the index file (which is quite boring so far :)) and then tried to
Re: ot? apache directory listing mysteries

2002-09-18 Thread Michael Renzmann
Hi. Javier Fernández-Sanguino Peña wrote: Did you take a look at the Referer of those access? It might help you to track it down... That's just might be how they get them in the first place. If your buddy downloaded the file and then contacted google.com there are chances that his browser sent

Re: ot? apache directory listing mysteries

2002-09-18 Thread Michael Renzmann
Hi. Ralf Dreibrodt wrote: at least netscape only sends a referer if i used a link. Right, that was one aspect that I forgot. what about the easiest questions: - did you use ssl or do you trust all the providers between your friend and your server? No SSL, but I don't trust any provider
Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-17 Thread Michael Renzmann
Hi Florian. Florian Weimer wrote: If you want to do your own tests (without fooling around with the worm), you can use our tool: http://cert.uni-stuttgart.de/advisories/openssl-sslv2-master.php Great tool, thanks. The website of the RUS-CERT mentions in the description of the worm: Bei

slapper countermeasures

2002-09-17 Thread Michael Renzmann
Hi all. How about the following idea: one could use the udp command language that is implemented within the slapper worm to issue some commands for self-deletion of the worm and informing the root user of every system about how to close the hole. As far as I understood there is a network

Re: slapper countermeasures

2002-09-17 Thread Michael Renzmann
Hi. Jean Christophe ANDRÉ wrote: Same idea here this night! :) Hehe :) I was thinking about the *good* way to do it... May be something like this (root mail, some wait, virus self-kill): /bin/ls -la /tmp | /bin/mail -s You have been infected by the Slapper worm root /bin/sleep 300

Re: slapper countermeasures

2002-09-17 Thread Michael Renzmann
Hi. Opinions? you want to use a backdoor to get access a server, on which you are not allowed to get access. [...] I know this can raise problems. We recently had a discussion like this which showed up good arguments for both sides. Asking a lawyer won't be of much help because they can't

Re: slapper countermeasures

2002-09-17 Thread Michael Renzmann
Hi. Jean Christophe ANDRÉ wrote: The problem will be: every command that slapper executes runs with the uid of the infiltrated ssl webserver. So the kill will also run as the same uid... *bing* Ok, got the point. I forgot that the uid is allowed to kill processes with its own uid. So I

ot? apache directory listing mysteries

2002-09-17 Thread Michael Renzmann
Hi all. Maybe that's a little bit offtopic, but it is somehow related to security, so... :) I'm wondering if there is a way to get a directory listing from apache if there is an index.html available in that directory. The story behind that question: I put a large file on the webserver that

Re: ot? apache directory listing mysteries

2002-09-17 Thread Michael Renzmann
Hi. Jean Christophe ANDRÉ wrote: Are you using the VirtualHost capability on this server? Yes. If so, you should be aware of using some _default_:* entry to catch all access not using (or using a bad) hostname for VirtualHost. I just tried to forge a http request targeting at a

Re: ot? apache directory listing mysteries

2002-09-17 Thread Michael Renzmann
Hi. Andrew Pimlott wrote: Yes, if your apache isn't up-to-date. http://www.google.com/search?q=apache%20directory%20listing%20bug Is apache 1.3.26-0woody1 vulnerable to that? As far as I could see the answer should be no, right? Bye, Mike

Re: slapper countermeasures

2002-09-17 Thread Michael Renzmann
Hi. Jean Christophe ANDRÉ wrote: But may be the main point is: is it really possible to have multiple instances of the .bugtraq program?!? If so, all of them would join the network and should receive the mail-sleep-kill command! I've seen two processes running on an infected server. But
Re: slapper countermeasures

2002-09-17 Thread Michael Renzmann
Hi. Ralf Dreibrodt wrote: experiences. i asked a friend, what i could say for erfahrungen in english, he answered hedrivings, so fast, that i didn't doubt. Ah, I see... english for runaways ;) Bye, Mike

Re: slapper countermeasures

2002-09-17 Thread Michael Renzmann
Hi. KevinL wrote: killall .bugtraq would be suitable as well, and it would destroy every other instance of the program that is running currently. Even if detecting the current PPID does not work for whatever reason. *chuckle* Solaris is vulnerable to this bug? Solaris killall kills

Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-14 Thread Michael Renzmann
Hi all. I still have to see the worm, so I can't say for sure that you are safe, but it's a good time to update if you haven't done so. ;-) I have the source of the worm at hand now, as well as a working binary that has been placed on a server. Still interested in getting hands on that

Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-14 Thread Michael Renzmann
Hi all. As addition to my previous mail: the source is now available for download at the following URL: http://217.24.0.78/bugtraq.c.txt One thing that makes me wonder: after I wrote my first few lines about the attack on the rlx blade server that we experienced, someone gave a correct

Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-14 Thread Michael Renzmann
Hi Noah. Noah L. Meyerhans wrote: There are two worms. One is old, one is new. The one at http://217.24.0.78/bugtraq.c.txt is the new one. It communicates via UDP port 2002, though I'm not actually sure what data gets sent on that port. Thanks for the information. I most probably have a

Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-14 Thread Michael Renzmann
Hi. Guille -bisho- wrote: [bugtraq list quote] After the program /tmp/.bugtraq starts running, it becomes a member of a virtual network. Network members communicate using UDP port 2002. The program can, when instructed (using udp port 2002): [/bugtraq list quote] In 3 days, about 1500

Re: Fwd: bugtraq.c httpd apache ssl attack

2002-09-14 Thread Michael Renzmann
Hi. Noah L. Meyerhans wrote: In 3 days, about 1500 different IP address tried to contact my machine at UDP port 2002. Fortunately i have iptables configured. That's interesting. I haven't seen any traffic to udp port 2002 in the past couple of days at all. The worm uses the following code to

Re: bugtraq.c httpd apache ssl attack

2002-09-14 Thread Michael Renzmann
Hi. Phillip Hofmeister wrote: Is this log evidence of our worm? Not exactly. Here is the log of our machine that has been attacked: === cut === [Fri Sep 13 00:45:44 2002] [error] [client 210.243.234.135] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): / [Fri Sep 13

rlx blade server attacked

2002-09-13 Thread Michael Renzmann
Hi all. The rlx blade server rack (better: the management blade) where my own server is located in has been attacked. I phoned my ISP some minutes ago, and he described that there was a huge packet storm fired from the internet towards the management blade. He described that there were

Re: rlx blade server attacked

2002-09-13 Thread Michael Renzmann
Hi Jason. Jason Sopko wrote: The Apache worm you're infected with was posted on bugtraq earlier today. It exploits mod_ssl and can be identified by doing a ps -ax | grep bugtraq (it runs as the name .bugtraq). The source for it is here: http://dammit.lt/apache-worm/apache-worm.c Thanks a lot

suspicious apache log entries

2002-09-10 Thread Michael Renzmann
Hi all. While digging through the error.log of my apache I found two lines that seem to hint toward a new (?) worm. I saw the first one some days ago, too: [Sat Aug 31 21:03:49 2002] [error] [client 64.152.12.2] request failed: erroneous characters after protocol string: CONNECT
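The two error_log entries quoted in this thread and in the bugtraq.c thread above ("request without hostname" and "erroneous characters after protocol string: CONNECT") are the kind of thing worth matching automatically rather than by eye. The following is an added example, not code from the list or from any poster: a small Python classifier that parses Apache 1.3-style error_log lines and counts probe signatures per client IP. The sample log is constructed for the example (the first two lines reproduce the entries quoted in the thread, the third is a benign 404 from a documentation address); the signature labels and the nimda cmd.exe/root.exe pattern are assumptions of the example. Note the caveat: "request without hostname" is what any HTTP/1.1 request without a Host: header produces, so it is a heuristic for a banner-grabbing probe and not proof of the SSL exploit, which does not show up in this log.

```python
import re
from collections import Counter, defaultdict

# Constructed sample error_log text for this example. The first two lines copy
# the entries quoted in the thread; the third is a harmless 404 from a
# documentation address (RFC 5737).
SAMPLE_ERROR_LOG = """\
[Fri Sep 13 00:45:44 2002] [error] [client 210.243.234.135] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Sat Aug 31 21:03:49 2002] [error] [client 64.152.12.2] request failed: erroneous characters after protocol string: CONNECT
[Sat Aug 31 21:05:00 2002] [error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico
[Fri Sep 13 00:45:45 2002] [error] [client 210.243.234.135] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
"""

# Apache 1.3 error_log layout: [timestamp] [level] [client ip] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[\d.]+)\] (?P<msg>.*)$"
)

# Signature labels are an assumption of this example. Each regex is matched
# against the message part only, so the timestamp and IP cannot cause a hit.
SIGNATURES = [
    # HTTP/1.1 request with no Host: header; a bare banner grab looks like this,
    # but so does any sloppy client, so treat it as a heuristic.
    ("http11-no-host-probe", re.compile(r"request without hostname")),
    # Raw CONNECT/other junk where the protocol string should be; the thread
    # attributes these to Code Red style scanners.
    ("bad-protocol-connect", re.compile(r"erroneous characters after protocol string: CONNECT")),
    # Nimda/Code Red II command-shell requests (pattern assumed for the example).
    ("nimda-cmd-exe", re.compile(r"/(cmd|root)\.exe", re.IGNORECASE)),
]


def parse_line(line):
    """Split one error_log line into its fields, or None if it does not fit."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(msg):
    """Return the first signature label matching the message, else None."""
    for label, rx in SIGNATURES:
        if rx.search(msg):
            return label
    return None


def scan(log_text):
    """Return {label: Counter(ip -> hits)} over every parseable line."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # continuation lines, garbage, other formats
        label = classify(rec["msg"])
        if label:
            hits[label][rec["ip"]] += 1
    return dict(hits)


def report(log_text):
    """One line per (signature, source IP), most active sources first."""
    out = []
    for label, ips in sorted(scan(log_text).items()):
        for ip, n in ips.most_common():
            out.append(f"{label:24s} {ip:16s} {n}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_ERROR_LOG))
```

Run it against a real error_log with `scan(open("/var/log/apache/error.log").read())`; a source that trips the no-Host signature once is noise, one that trips it repeatedly against several hosts is worth a look at the corresponding port 443 traffic, since that is where the actual Slapper exploit happens.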

Re: suspicious apache log entries

2002-09-10 Thread Michael Renzmann
Hi Anne. Anne Carasik wrote: Sounds like Code Red. We get a lot of these too, and the Microsoft attacks don't do much to an Apache server :) Ok, thanks for the info. I guess I didn't see this one by now because Code Red seems to die more and more, right? :) Bye, Mike

Re: suspicious apache log entries

2002-09-10 Thread Michael Renzmann
Hi Andreas. Andreas Syksa wrote: I've seen tons of ../script/ and ../cmd.exe's as I've got several machines with fixed ips. I also received quite a lot of those requests, although our server is not official by now, has no domain name (besides an work-around solution using dyndns during the

Re: suspicious apache log entries

2002-09-10 Thread Michael Renzmann
Hi. Vineet Kumar wrote: Phillip Hofmeister stated that one could use the Nimda backdoor on the server that connects our server to setup a warning message on the attacking computer's desktop. If you do, be prepared to go to jail... For what reason? For telling stupid webserver

Re: AW: suspicious apache log entries

2002-09-10 Thread Michael Renzmann
Hi Marcel. Marcel Weber wrote: Why not introduce an official Internet Security Team that officially has the right to do such things. It would be for the good of the net! They could be a part of the ICANN or UNO or whoever. I don't think this would be successful. It's a great idea, no doubt

Re: suspicious apache log entries

2002-09-10 Thread Michael Renzmann
Hi. Doug Winter wrote: It claimed that the HTTP libraries used by Nimda and Code Red were generic, and could be fooled by sending a redirect response like: Location: http://127.0.0.1/ Nice idea. Would it be enough to redirect them to the localhost-ip, or should the URI of the original

experience with tarpitting nimda co

2002-09-07 Thread Michael Renzmann
Hi all. I just wanted to let you know about some experiences with my nimda-tarpit script that I wrote. I've been using it for a little more than a week now. The script is written in php, and I'm using rewrite rules to direct nimda attacks to this script. It first displays two messages,

Re: Mail relay attempts

2002-08-29 Thread Michael Renzmann
Hi Peter. Peter Cordes wrote: [tarpit for attacking worms] I remember hearing about people doing exactly that. Maybe it was mentioned on /. or the local LUG mailing list (http://nslug.ns.ca/). Sounds interesting. The LUG website is unreachable at the moment, but I will dig the slashdot

Re: Mail relay attempts

2002-08-28 Thread Michael Renzmann
Hi Dale. Dale Amon wrote: The only thing you can do is to make damn certain your box does not become part of the problem. I'll add to that: make sure you actually check your logs. I use syslog-ng to bring all essential realtime logging to a hardened server; I'll add another one to that: I

Re: Mail relay attempts

2002-08-28 Thread Michael Renzmann
Hi. Jones, Steven wrote: Ive found port sentry really good for detecting port scans and then routing the return packets to no where. As an addition to that idea: would it be possible to cause similar effects to HTTP-server worms with a modified tarpit? Maybe a modified version of the

Re: Mail relay attempts

2002-08-27 Thread Michael Renzmann
Hi Karl. Karl Breitner wrote: What can I say Daniel, except welcome to the harsh reality of a postmaster. Hmm, as I'm to become a postmaster in a few days, too, I would like to learn a bit more about that. Most probably this list is not intended for chat like this, so I would be happy to

Re: unsubscribe

2002-08-19 Thread Michael Renzmann
It must be really hard for some people to read the footer lines of every mail they receive over this mailinglist... since I subscribed here to this list (4 days or so) every day at least one of those unsubscribe mails has been arriving. Or am I the only subscriber who receives messages with

Re: unsubscribe

2002-08-19 Thread Michael Renzmann
Hi Simon. Simon Fuhrmann wrote: [...] Or am I the only subscriber who receives messages with this footer text: [...] I can calm you, I get this footer too ;-) Oh, great *phew* :) Meanwhile the first poster injected a really good idea into my mind... why not filter away those messages? As