-----Original Message-----
From: Michael Stone [mailto:[EMAIL PROTECTED]
Sent: Thursday 21 July 2005 4:24
To: debian-security-announce@lists.debian.org
Subject: [SECURITY] [DSA 763-1] New zlib packages fix buffer overflow
Hi.
A server I take care of has been hacked twice in the last three days. It is
running Debian GNU/Linux, obviously. I ask you for advice on how this
happened, what happened, and what to do to avoid this.
The first hack happened on Tuesday, the machine was running Debian 3.0 plus
patches
Hi.
On Thursday 21 July 2005 20:31, Andras Got wrote:
The users, the ones the machines was hacked, were they existing users on
the machine?
I don't know which user account got hacked, if this was what has happened.
Do you use AllowUsers or AllowGroup?
No. I hate to admit I didn't know that
Hi,
Karsten Dambekalns wrote:
Hi.
On Thursday 21 July 2005 20:31, Andras Got wrote:
The users, the ones the machines was hacked, were they existing users on
the machine?
I don't know which user account got hacked, if this was what has happened.
It's important to know whether it's an
On Thu, Jul 21, 2005 at 08:17:38PM +0200, Karsten Dambekalns wrote:
Now, I find it unlikely to see the same local root exploit in 2.4.18 and
2.6.7.
They are both old kernels, compile your own and apply suitable patches.
Grsecurity is one, and it doesn't need any particular configuration.
Karsten Dambekalns [EMAIL PROTECTED] writes:
Hi.
On Thursday 21 July 2005 20:31, Andras Got wrote:
The users, the ones the machines was hacked, were they existing users on
the machine?
I don't know which user account got hacked, if this was what has happened.
Did you check the last lock?
Hi.
Thanks for your reply!
Another question came up here. Is it really likely to be a SSH brute force
break in, or could the attacker have been able to log in some other way? What
is currently possible in that respect on a machine that runs ssh, apache,
php, exim and nothing else (all as of
On Thu, Jul 21, 2005 at 11:49:53PM +0200, Karsten Dambekalns wrote:
Another question came up here. Is it really likely to be a SSH brute force
break in, or could the attacker have been able to log in some other way? What
is currently possible in that respect on a machine that runs ssh,
Hi.
On Thursday 21 July 2005 22:52, Goswin von Brederlow wrote:
I don't know which user account got hacked, if this was what has
happened.
Did you check the last lock? Maybe the attacker didn't remove the
traces there.
He ran the mentioned logclean binary, the content of wtmp is not to be
Goswin von Brederlow [EMAIL PROTECTED] writes:
Karsten Dambekalns [EMAIL PROTECTED] writes:
Hi.
On Thursday 21 July 2005 20:31, Andras Got wrote:
The users, the ones the machines was hacked, were they existing users on
the machine?
I don't know which user account got hacked, if this was
Hi.
On Friday 22 July 2005 00:14, Ulf Harnhammar wrote:
On Thu, Jul 21, 2005 at 11:49:53PM +0200, Karsten Dambekalns wrote:
way? What is currently possible in that respect on a machine that runs
ssh, apache,
^^
php,
Hi.
On Friday 22 July 2005 00:00, Rob Sims wrote:
On Thu, Jul 21, 2005 at 11:49:53PM +0200, Karsten Dambekalns wrote:
way? What is currently possible in that respect on a machine that runs
ssh, apache, php, exim and nothing else (all as of Debian 3.1)?
Didn't one of your logs show
Hi,
For a monitor script I thought I'd use the -t switch of the last command
hoping to get only the latest entries from wtmp. Seems there's something
wrong there, since it will return all entries in wtmp regardless. Before
I submit a bugreport I'd like to know if anyone on the list has noticed
In gmane.linux.debian.devel.security, you wrote:
Now, I find it unlikely to see the same local root exploit in 2.4.18 and
2.6.7. How did he gain root access?
Are you sure it's 2.6.7 and not 2.6.8, the Sarge kernel?
Anyway, there are several unfixed local privilege escalation security
issues in
I don't know what type of php applications you are using with apache, but
with php I would recommend to use something like 'modsecurity' for apache,
configuring modsecurity to your needs and have apache chrooted. For
iptables, something like firehol can help you to set up iptables quickly.
--