Re: Debian Stable server hacked

2003-08-30 Thread Adam Majer
On Fri, Aug 22, 2003 at 10:32:27AM -0400, Matt Zimmerman wrote: On Wed, Aug 20, 2003 at 05:23:30PM +0200, Adam ENDRODI wrote: You don't need an executable stack to get control of execution, you only need to be able to change the instruction pointer, which is stored on the stack (as

Re: Debian Stable server hacked

2003-08-27 Thread Matt Zimmerman
On Fri, Aug 22, 2003 at 06:35:37PM -0400, Phillip Hofmeister wrote: On Fri, 22 Aug 2003 at 10:32:27AM -0400, Matt Zimmerman wrote: It is often the case that the attacker doesn't know the exact location of structures in memory; there are techniques for finding out. I'm sure that the

Re: Debian Stable server hacked

2003-08-26 Thread Matt Zimmerman
On Fri, Aug 22, 2003 at 06:35:37PM -0400, Phillip Hofmeister wrote: On Fri, 22 Aug 2003 at 10:32:27AM -0400, Matt Zimmerman wrote: It is often the case that the attacker doesn't know the exact location of structures in memory; there are techniques for finding out. I'm sure that the

Re: Debian Stable server hacked

2003-08-26 Thread Stephen Frost
* Matt Zimmerman ([EMAIL PROTECTED]) wrote: On Fri, Aug 22, 2003 at 06:35:37PM -0400, Phillip Hofmeister wrote: I would be willing to maintain a grsec kernel image with PaX and temp. file symlink blocking if someone would be willing to sponsor it (hint, hint) I really do not have the

Re: Debian Stable server hacked

2003-08-23 Thread Steve Suehring
On Sat, Aug 23, 2003 at 10:14:24AM +0100, Dale Amon wrote: Does anyone know when a grsec patch set will be available for 2.6.0t3 or know of one updated to work with 2.4.22rc2? Yeah, I know, they are still experimental... This would be a great question posed to the GrSecurity forum,

Re: Debian Stable server hacked

2003-08-23 Thread Dale Amon
On Fri, Aug 22, 2003 at 06:35:37PM -0400, Phillip Hofmeister wrote: On Fri, 22 Aug 2003 at 10:32:27AM -0400, Matt Zimmerman wrote: It is often the case that the attacker doesn't know the exact location of structures in memory; there are techniques for finding out. I'm sure that the authors

Re: Debian Stable server hacked

2003-08-22 Thread Matt Zimmerman
On Wed, Aug 20, 2003 at 05:23:30PM +0200, Adam ENDRODI wrote: On Thu, Aug 14, 2003 at 12:00:40PM -0400, Matt Zimmerman wrote: No, it really doesn't. It might stop some common implementations of exploits, but that's about it. There are many papers available which describe the shortcomings

Re: Debian Stable server hacked

2003-08-22 Thread Phillip Hofmeister
On Fri, 22 Aug 2003 at 10:32:27AM -0400, Matt Zimmerman wrote: It is often the case that the attacker doesn't know the exact location of structures in memory; there are techniques for finding out. I'm sure that the authors of PaX do not

Re: Debian Stable server hacked

2003-08-20 Thread Adam ENDRODI
On Thu, Aug 14, 2003 at 12:00:40PM -0400, Matt Zimmerman wrote: On Wed, Aug 13, 2003 at 09:00:51PM -0400, valerian wrote: It actually does a very good job of stopping any kind of stack-smashing attack dead in its tracks (both the stack and heap are marked as non-executable). That takes

Re: Debian Stable server hacked

2003-08-20 Thread Noah L. Meyerhans
On Wed, Aug 20, 2003 at 05:23:30PM +0200, Adam ENDRODI wrote: No, it really doesn't. It might stop some common implementations of exploits, but that's about it. There are many papers available which describe the shortcomings of this kind of prevention. Could you provide some pointers on

Re: Debian Stable server hacked

2003-08-16 Thread Phillip Hofmeister
On Thu, 14 Aug 2003 at 08:22:37PM -0400, Colin Walters wrote: On Wed, 2003-08-13 at 21:00, valerian wrote: Well capabilities are only one of the things that grsec implements. You can also restrict a process to access various parts of the filesystem. There's no reason /usr/sbin/apache

Re: Debian Stable server hacked

2003-08-16 Thread Phillip Hofmeister
On Thu, 14 Aug 2003 at 10:12:06PM -0400, Colin Walters wrote: On Wed, 2003-08-13 at 00:20, Adam Majer wrote: So, now I don't run a Debian kernel at all - only a monolithic (no modules) kernel This doesn't provide very much security. For example: http://www.phrack.org/show.php?p=58&a=7

Re: Debian Stable server hacked

2003-08-14 Thread Colin Walters
On Wed, 2003-08-13 at 16:02, Colin Walters wrote: Let me give an example of how SELinux protects my machine (verbum.org). My blog is a Python script (pyblosxom) which runs in a domain called httpd_user_script_t. Oh, and what I forgot to mention about this domain is that it doesn't have

Re: Debian Stable server hacked

2003-08-14 Thread Wolfgang Fischer
Hi, maybe a legitimate user account combined with a local root exploit has been used to crack the server. Does this server have any legitimate user accounts? Are you sure you trust these users? Are you sure they (or you) don't write their passwords on a piece of paper? Who has local access to the

Re: Debian Stable server hacked

2003-08-14 Thread Wolfgang Fischer
On Thu, 07 Aug 2003 03:00:12 +0200, Peter Cordes wrote: sshd logs IP addresses of connections. Was the IP address for those "did not receive id" connections inside your site, or does it belong to an ISP somewhere, or what? If it's a local address, and not a computer lab, that might give you

Re: [d-security] Debian Stable server hacked

2003-08-14 Thread Christian Hammers
Hello On Wed, Aug 06, 2003 at 04:01:39PM +0200, Thijs Welman wrote: I'm puzzled about how they managed to get those processes running (as root). There are no local accounts, other than some accounts for the sysadmins. Does anyone have any idea how they might have done this? Most times,

Re: Debian Stable server hacked

2003-08-14 Thread Martin G.H. Minkler
On 12.08.2003 at 23:20 Adam Majer wrote: On Thu, Aug 07, 2003 at 07:03:13PM +0200, Thijs Welman wrote: Hi, Thanks. I forgot to mention that i am subscribed to debian-security-announce as well (of course ;)). As far as the kernel updates are

Re: Debian Stable server hacked

2003-08-14 Thread Matt Zimmerman
On Wed, Aug 13, 2003 at 09:00:51PM -0400, valerian wrote: It actually does a very good job of stopping any kind of stack-smashing attack dead in its tracks (both the stack and heap are marked as non-executable). That takes care of most vulnerabilities, both known and unknown. No, it really

Debian Stable server hacked

2003-08-14 Thread Thijs Welman
Hi, Last sunday, August 3rd 2003, one of my servers was hacked which i, by coincidence, was able to catch 'in progress'. My loganalyzer showed four "Did not receive identification string from w.x.y.z" log entries from sshd. This happens all the time and i certainly don't check all of them out, but i

Re: Debian Stable server hacked

2003-08-14 Thread valerian
On Wed, Aug 13, 2003 at 07:08:59PM -0400, Colin Walters wrote: But Linux capabilities are so weak. They won't protect an apache master process that runs as root from scribbling over /etc/passwd and giving an attacker a new uid 0 shell account, for example. At that point it's really game

Re: Debian Stable server hacked

2003-08-14 Thread Matt Zimmerman
On Wed, Aug 06, 2003 at 04:01:39PM +0200, Thijs Welman wrote: All packages are unmodified releases from Debian stable and, yes, i do update packages from security.debian.org as soon as there are any updates. :) If you don't also subscribe to debian-security-announce, then you are missing

Re: Debian Stable server hacked

2003-08-14 Thread Alan James
On Wed, 06 Aug 2003 16:01:39 +0200, Thijs Welman [EMAIL PROTECTED] wrote: My loganalyzer showed four "Did not receive identification string from w.x.y.z" log entries from sshd. This happens all the time and i certainly don't check all of them out, but i happen to do so this time. That's probably

Re: Debian Stable server hacked

2003-08-14 Thread Adam Majer
On Thu, Aug 07, 2003 at 07:03:13PM +0200, Thijs Welman wrote: Hi, Thanks. I forgot to mention that i am subscribed to debian-security-announce as well (of course ;)). As far as the kernel updates are concerned: i use my own kernel. At this moment that's 2.4.21 with Alan Cox' patches

Re: Debian Stable server hacked

2003-08-14 Thread Eric LeBlanc
On Thu, 7 Aug 2003, Thijs Welman wrote: Thanks. I forgot to mention that i am subscribed to debian-security-announce as well (of course ;)). As far as the kernel updates are concerned: i use my own kernel. At this moment that's 2.4.21 with Alan Cox' patches (ac4). Could be there's an exploit

Re: Debian Stable server hacked

2003-08-14 Thread Colin Walters
On Wed, 2003-08-13 at 00:20, Adam Majer wrote: So, now I don't run a Debian kernel at all - only a monolithic (no modules) kernel with grsecurity.net patches. Then I set up the ACL system (more or less) so that all of the services that can be used to break into the system are quite useless

Re: Debian Stable server hacked

2003-08-14 Thread valerian
On Wed, Aug 13, 2003 at 04:02:41PM -0400, Colin Walters wrote: Why? Because SELinux doesn't solely associate security with executable pathnames. If someone takes over control of the apache process via a buffer overflow or whatever, they don't need /bin/ls to list a directory; they can just as

Re: Debian Stable server hacked

2003-08-14 Thread Colin Walters
On Wed, 2003-08-13 at 18:39, valerian wrote: grsec handles this by allowing you to restrict Linux capabilities for a process. For example, there's no reason /usr/sbin/apache should have access to CAP_SYS_ADMIN (allows mount/umount, amongst other things) or CAP_SYS_PTRACE (run ptrace) or

Re: Debian Stable server hacked

2003-08-14 Thread Colin Walters
On Wed, 2003-08-13 at 00:20, Adam Majer wrote: So, now I don't run a Debian kernel at all - only a monolithic (no modules) kernel This doesn't provide very much security. For example: http://www.phrack.org/show.php?p=58&a=7

Re: Debian Stable server hacked

2003-08-13 Thread Adam Majer
On Thu, Aug 07, 2003 at 07:03:13PM +0200, Thijs Welman wrote: Hi, Thanks. I forgot to mention that i am subscribed to debian-security-announce as well (of course ;)). As far as the kernel updates are concerned: i use my own kernel. At this moment that's 2.4.21 with Alan Cox' patches

Re: Debian Stable server hacked

2003-08-13 Thread Martin G.H. Minkler
On 12.08.2003 at 23:20 Adam Majer wrote: On Thu, Aug 07, 2003 at 07:03:13PM +0200, Thijs Welman wrote: Hi, Thanks. I forgot to mention that i am subscribed to debian-security-announce as well (of course ;)). As far as the kernel updates are

Re: Debian Stable server hacked

2003-08-13 Thread Colin Walters
On Wed, 2003-08-13 at 00:20, Adam Majer wrote: So, now I don't run a Debian kernel at all - only a monolithic (no modules) kernel with grsecurity.net patches. Then I set up the ACL system (more or less) so that all of the services that can be used to break into the system are quite useless

Re: Debian Stable server hacked

2003-08-13 Thread valerian
On Wed, Aug 13, 2003 at 04:02:41PM -0400, Colin Walters wrote: Why? Because SELinux doesn't solely associate security with executable pathnames. If someone takes over control of the apache process via a buffer overflow or whatever, they don't need /bin/ls to list a directory; they can just as

Re: Debian Stable server hacked

2003-08-13 Thread Colin Walters
On Wed, 2003-08-13 at 18:39, valerian wrote: grsec handles this by allowing you to restrict Linux capabilities for a process. For example, there's no reason /usr/sbin/apache should have access to CAP_SYS_ADMIN (allows mount/umount, amongst other things) or CAP_SYS_PTRACE (run ptrace) or

Re: Debian Stable server hacked

2003-08-13 Thread valerian
On Wed, Aug 13, 2003 at 07:08:59PM -0400, Colin Walters wrote: But Linux capabilities are so weak. They won't protect an apache master process that runs as root from scribbling over /etc/passwd and giving an attacker a new uid 0 shell account, for example. At that point it's really game

Re: Debian Stable server hacked

2003-08-10 Thread Peter Cordes
On Wed, Aug 06, 2003 at 05:56:47PM +0200, Thijs Welman wrote: Alan James wrote: Maybe they brute forced the root password ? Do you have PermitRootLogin yes in sshd_config ? No, i didn't at that moment. But there's no sign of a successful root login. Not in ps aux, not in netstat and no ssh

Re: Debian Stable server hacked

2003-08-09 Thread Matt Zimmerman
On Thu, Aug 07, 2003 at 01:27:20PM -0400, Eric LeBlanc wrote: Since 7 years, I always use custom kernels, and I never had problems (bugs nor exploits). In 7 years, you've never encountered a bug in the kernel? You are fortunate indeed. -- - mdz

Re: Debian Stable server hacked

2003-08-08 Thread Wolfgang Fischer
On Wed, 06 Aug 2003 17:50:06 +0200, Alan James wrote: You say that you have apache and php4 installed. Are you running any php applications that may have been compromised ? Although I'd expect those to leave the attacker with access to www-data rather than root. Maybe this has been combined

Re: Debian Stable server hacked

2003-08-08 Thread Thijs Welman
Thanx for the replies so far. Christian Hammers wrote: Try nmap to see which services are reachable from the network. Port State Service 22/tcp open ssh 80/tcp open http 443/tcp open https from within the campus network adds: Port State

Re: Debian Stable server hacked

2003-08-07 Thread Thijs Welman
Hi, Matt Zimmerman wrote: If you don't also subscribe to debian-security-announce, then you are missing important things like kernel updates. There are several local root exploits in the stock woody kernel which have been fixed by security updates that would not be installed automatically. You

Re: Debian Stable server hacked

2003-08-07 Thread Matt Zimmerman
On Thu, Aug 07, 2003 at 07:03:13PM +0200, Thijs Welman wrote: Matt Zimmerman wrote: If you don't also subscribe to debian-security-announce, then you are missing important things like kernel updates. There are several local root exploits in the stock woody kernel which have been fixed by

Re: Debian Stable server hacked

2003-08-07 Thread Matt Zimmerman
On Wed, Aug 06, 2003 at 04:01:39PM +0200, Thijs Welman wrote: All packages are unmodified releases from Debian stable and, yes, i do update packages from security.debian.org as soon as there are any updates. :) If you don't also subscribe to debian-security-announce, then you are missing

Re: Debian Stable server hacked

2003-08-07 Thread Eric LeBlanc
On Thu, 7 Aug 2003, Thijs Welman wrote: Thanks. I forgot to mention that i am subscribed to debian-security-announce as well (of course ;)). As far as the kernel updates are concerned: i use my own kernel. At this moment that's 2.4.21 with Alan Cox' patches (ac4). Could be there's an exploit

Re: Debian Stable server hacked

2003-08-07 Thread Matt Zimmerman
On Thu, Aug 07, 2003 at 01:27:20PM -0400, Eric LeBlanc wrote: Since 7 years, I always use custom kernels, and I never had problems (bugs nor exploits). In 7 years, you've never encountered a bug in the kernel? You are fortunate indeed. -- - mdz

Re: Debian Stable server hacked

2003-08-07 Thread Wolfgang Fischer
On Thu, 07 Aug 2003 03:00:12 +0200, Peter Cordes wrote: sshd logs IP addresses of connections. Was the IP address for those "did not receive id" connections inside your site, or does it belong to an ISP somewhere, or what? If it's a local address, and not a computer lab, that might give you

Re: Debian Stable server hacked

2003-08-07 Thread Wolfgang Fischer
On Wed, 06 Aug 2003 17:50:06 +0200, Alan James wrote: You say that you have apache and php4 installed. Are you running any php applications that may have been compromised ? Although I'd expect those to leave the attacker with access to www-data rather than root. Maybe this has been combined

Re: Debian Stable server hacked

2003-08-07 Thread Wolfgang Fischer
Hi, maybe a legitimate user account combined with a local root exploit has been used to crack the server. Does this server have any legitimate user accounts? Are you sure you trust these users? Are you sure they (or you) don't write their passwords on a piece of paper? Who has local access to the

Re: Debian Stable server hacked

2003-08-06 Thread Teun Vink
- Original Message - From: Thijs Welman [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, August 06, 2003 5:56 PM Subject: Re: Debian Stable server hacked Thanx for the replies so far. [...] Thought of that myself. Checked the apache logfiles and went through the scripts

Debian Stable server hacked

2003-08-06 Thread Thijs Welman
Hi, Last sunday, August 3rd 2003, one of my servers was hacked which i, by coincidence, was able to catch 'in progress'. My loganalyzer showed four "Did not receive identification string from w.x.y.z" log entries from sshd. This happens all the time and i certainly don't check all of them out, but

Re: [d-security] Debian Stable server hacked

2003-08-06 Thread Christian Hammers
Hello On Wed, Aug 06, 2003 at 04:01:39PM +0200, Thijs Welman wrote: I'm puzzled about how they managed to get those processes running (as root). There are no local accounts, other than some accounts for the sysadmins. Does anyone have any idea how they might have done this? Most times,

Re: Debian Stable server hacked

2003-08-06 Thread Rich Puhek
A few thoughts on potential problems: Thijs Welman wrote: Unfortunately i don't have the resources to get an IDS system up and running... A bare-bones IDS isn't all that extreme to build, especially if you are only interested in a single network. Debian stable + snort source package from

Re: Debian Stable server hacked

2003-08-06 Thread Alan James
On Wed, 06 Aug 2003 16:01:39 +0200, Thijs Welman [EMAIL PROTECTED] wrote: My loganalyzer showed four "Did not receive identification string from w.x.y.z" log entries from sshd. This happens all the time and i certainly don't check all of them out, but i happen to do so this time. That's probably

Re: Debian Stable server hacked

2003-08-06 Thread Hobbs, Richard
Hello, Was anyone else logged in at the time? Perhaps one of your admins had a weak or compromised password? Install johntheripper if you want to check for weak passwords :D a great program! Hobbs. FOR ALL YOUR UNIX/LINUX QUESTIONS, visit: http://unixforum.co.uk

Re: Debian Stable server hacked

2003-08-06 Thread Thijs Welman
Thanx for the replies so far. Christian Hammers wrote: Try nmap to see which services are reachable from the network. Port State Service 22/tcp open ssh 80/tcp open http 443/tcp open https from within the campus network adds: Port State
