On Sat, Aug 16, 2014 at 02:34:21AM -0400, Todd Zimmermann wrote:
> Lots of good stuff in base and the ports collection. mtree can be
> extended to check file integrity for anything you've modified and
> other local stuff (something I need to do).

Thanks, mtree is neat, glad to know about it. security(8) uses it too, and on that note, I realized I hadn't received my daily security(8) email in a while. I broke my root=scott alias when fiddling with smtpd configuration and forgot to fix it, otherwise I would have likely noticed the breach sooner... live and learn.

> OpenBSD has always rocked for providing very current versions of
> snort. barnyard2 compiles cleanly on obsd.

The funny thing is that I have a book on Snort on my reading list. Time to read it. I'll check out barnyard2 as well.

> IIRC swatch can email you on log events. i.e. I know I haven't logged
> onto the server for 2 weeks, why was there an unsuccessful (or yikes
> successful) su/sudo attempt at 0237 when I was sleeping.
>
> Got sagan-1.0.0RC4 set up earlier and was greeted with this alert:
>
> [**] [1001:1] sagan_blacklist: Address found in blacklist [**]
> [Classification: Blacklist] [Priority: 1]
> 2014-08-15 22:58:01 61.174.51.214:1514 -> 127.0.0.1:1514 daemon warning
> Message: Aug 15 22:57:55.617311 rule 7/(match) block in on rl0:
> 61.174.51.214.6000 > xxx.xxx.xxx.xxx.22: S 1496842240:1496842240(0)
> win 16384 [tos 0x20]
>
> And snort (timestamps are messed up):
> 04/21-15:21:46.000067 [**] [1:2100528:6] <snort> GPL SCAN loopback
> traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2]
> {UDP} 127.0.0.1:53 -> 172.xxx.xxx.xxx:31105
> 12/30-19:03:17.000065 [**] [1:2100528:6] <snort> GPL SCAN loopback
> traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2]
> {UDP} 127.0.0.1:53 -> 172.xxx.xxx.xxx:3117
>
> So you're not alone. Good Luck

Thank you. I'll check out swatch and sagan too. Also, another emailer suggested I submit the files to virustotal.com.
I did and all of them were recognized as malware, all but one had been uploaded to them before. If anyone reading this knows where I can read up on (those specific) exploits, please let me know, perhaps I can figure out where my vulnerability is/was if I know more about how they work.
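The mtree-style integrity check Todd suggests (and that security(8) runs daily against stored specs), as an added example that is not code from this thread or from OpenBSD: it records mode, size and SHA-256 per file for a baseline, then reports changed, added and missing files on a later pass. The directory tree, file names and function names are constructed for the demo.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks, like mtree's sha256digest keyword."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_spec(root):
    """Map relative path -> (permission bits, size, sha256) for every regular file."""
    spec = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full) or os.path.islink(full):
                continue  # only regular files are hashed in this demo
            st = os.stat(full)
            rel = os.path.relpath(full, root)
            spec[rel] = (st.st_mode & 0o7777, st.st_size, sha256_file(full))
    return spec


def compare_spec(baseline, current):
    """Return (changed, added, missing) sets, the three things a daily run should report."""
    changed = {p for p in baseline if p in current and baseline[p] != current[p]}
    added = set(current) - set(baseline)
    missing = set(baseline) - set(current)
    return changed, added, missing


def demo():
    """Constructed scenario: baseline a tree, tamper with it, diff the two specs."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "etc", "rc.local"), "w") as f:
            f.write("# local startup\n")
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"\x7fELF demo bytes")
        baseline = build_spec(root)
        with open(os.path.join(root, "etc", "rc.local"), "a") as f:
            f.write("/tmp/.x/run &\n")  # simulated unauthorised edit
        with open(os.path.join(root, "bin", ".hidden"), "wb") as f:
            f.write(b"dropped file")  # simulated new file
        return compare_spec(baseline, build_spec(root))


if __name__ == "__main__":
    print(demo())
```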