On Mon, Nov 27, 2006 at 04:27:24PM -0500, J. Oquendo wrote:
> Tavis Ormandy wrote:
>
> > I'm not sure what you mean by modification, I simply substituted the name
> > for the logfile I use.
> >
> > Thanks, Tavis.
> >
>
> So for the third time now. Explain to me how I am backdooring someone's
> system.

J, please calm down. You have made a programming error in your script that
attempts to eliminate the minor `log noise` from incorrect ssh logins, with
a script that can be subverted to execute arbitrary shell commands.

> [EMAIL PROTECTED] include]# uname -a
> Linux int-mrkt 2.6.18-1.2200.fc5 #1 Sat Oct 14 16:59:26 EDT 2006 i686
> i686 i386 GNU/Linux
> [EMAIL PROTECTED] include]# awk '/error retrieving/{getline;print $13}'
> /var/log/secure|sort -ru
> 222.171.20.252
> 211.137.74.58
>
> My logs parse out addresses not named and there is no redirection going
> on.

Yes, but you assume a fixed format of the log entries. This is not the
case. The string "error retrieving" is easily placed in the log by setting
it as your username and attempting to login. You also assume that the
multiple log entries generated by a failed login are logged atomically
(i.e., no other log entries will appear between these two entries); this is
also not the case.

> If you want to say "Hey... It should be written as such" then gladly
> do so. But posting "hey you're backdooring the planet" like a jackass is
> moronic.

J, you asked people to install your "security tool" which contacts you with
enough information to find out who installed it and where, and contains
several rather obvious security flaws. If I mistook stupidity for malice, I
apologise.

> Line by line on my machines it does what it needs to do and it
> does so just fine.

This is because your logs don't contain any entries specially crafted by an
attacker to subvert your machine. I'm sure some members of the list are
already attempting this on your web server, so you can check your logs for
examples.

> Did you see any notes of Gentoo on the comments? I
> didn't because I don't use it, never have, don't care to. So if it does
> something different on Gentoo, let's use the brain for a moment... "Gee
> this works horrible on Gentoo. The author is a shitty writer... I think
> I should let him know" as opposed to "Oh my gawd he's backdooring you".

It's a standard format J, my log entries look identical to yours. It has
nothing to do with Gentoo.

Thanks, Tavis.

-- 
-------------------------------------
[EMAIL PROTECTED] | finger me for my pgp key.
-------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
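As an added illustration of the two assumptions Tavis points out (a trigger string the client controls, and two sshd records that are not guaranteed to be adjacent), here is a small Python script that is not from the thread and not J's tool. It re-implements the quoted awk one-liner so the two parsers can be run side by side on the same input, then shows an anchored, validated alternative. The sshd line format is my own constructed approximation of 2006-era syslog output; the hostname and the two addresses 222.171.20.252 and 211.137.74.58 are taken from the quoted terminal session, while 10.0.0.9, the pids, timestamps and usernames are made up.

```python
import ipaddress
import re

# Constructed sample of /var/log/secure lines in the syslog/sshd format the
# thread assumes. Burst 1 is an ordinary failed login. Burst 2 uses the
# username "error retrieving" that Tavis describes. Burst 3 has an unrelated
# su(1) record interleaved between the two sshd lines the awk script expects
# to be adjacent.
SAMPLE_LOG = """\
Nov 27 16:01:10 int-mrkt sshd[4011]: Invalid user admin from 222.171.20.252
Nov 27 16:01:10 int-mrkt sshd[4011]: error retrieving information about user admin
Nov 27 16:01:12 int-mrkt sshd[4011]: Failed password for invalid user admin from 222.171.20.252 port 4321 ssh2
Nov 27 16:03:40 int-mrkt sshd[4025]: Invalid user error retrieving from 10.0.0.9
Nov 27 16:03:40 int-mrkt sshd[4025]: error retrieving information about user error retrieving
Nov 27 16:03:41 int-mrkt sshd[4025]: Failed password for invalid user error retrieving from 10.0.0.9 port 6000 ssh2
Nov 27 16:05:00 int-mrkt sshd[4020]: Invalid user oracle from 211.137.74.58
Nov 27 16:05:00 int-mrkt sshd[4020]: error retrieving information about user oracle
Nov 27 16:05:01 int-mrkt su: pam_unix(su:session): session opened for user root by joe(uid=500)
Nov 27 16:05:02 int-mrkt sshd[4020]: Failed password for invalid user oracle from 211.137.74.58 port 5555 ssh2
"""


def naive_parse(lines):
    """Emulate awk '/error retrieving/{getline; print $13}' from the thread.

    Any record containing the trigger string consumes the *next* record and
    emits its 13th whitespace-separated field, whatever that record happens
    to be. (The trailing 'sort -ru' is not emulated.)
    """
    out = []
    i = 0
    while i < len(lines):
        if "error retrieving" in lines[i]:
            if i + 1 < len(lines):      # getline: advance to the next record
                i += 1
            fields = lines[i].split()
            out.append(fields[12] if len(fields) >= 13 else "")  # $13, "" if NF < 13
        i += 1
    return out


# Anchored on the one sshd line that actually carries the peer address. The
# username group is greedy on purpose: sshd appends " from <ip> port <n> ssh2"
# after the client-supplied name, so the last " from " is the real one even if
# the name itself contains the word "from".
SSHD_FAILED = re.compile(
    r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>.*) from (?P<ip>\S+) port \d+ ssh2$"
)


def robust_parse(lines):
    """Return the sorted, de-duplicated peer addresses behind failed logins.

    A line must match the full sshd pattern and the captured token must parse
    as an IP address; anything else is dropped instead of emitted. Interleaved
    records and attacker-chosen usernames cannot change what comes out.
    """
    ips = set()
    for line in lines:
        m = SSHD_FAILED.match(line)
        if not m:
            continue
        try:
            ips.add(str(ipaddress.ip_address(m.group("ip"))))
        except ValueError:              # token in the address slot was not an address
            continue
    return sorted(ips)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("naive :", naive_parse(lines))   # junk and blanks, and 211.137.74.58 is missed
    print("robust:", robust_parse(lines))  # only validated addresses
```

On this input the awk emulation emits two empty fields and the string `joe(uid=500)` from the su(1) record, and never sees 211.137.74.58 at all, because the crafted username made the "Invalid user" line itself match the trigger and swallowed the following record. The anchored parser returns exactly the three addresses. Whatever consumes the result should still receive each address as a separate argument (for example a `subprocess` call with a list, not a shell string), so that even a validation bug cannot turn log text into a command.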