Re: who owns the ports?

2001-02-08 Thread John Mullee

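#! /bin/sh
# adaptable for udp also; run as root so fuser can see every process
# local port of every tcp socket that netstat reports
TCPPRTS=`netstat -na -t | grep "^tcp" | sed "s/^[^:]*:\([0-9]*\).*/\1/" | sort -nu`
echo "Active tcp ports:" $TCPPRTS

for PRT in ${TCPPRTS} ; do
    # name of the service registered for this port, if any
    echo port number $PRT : `grep "[^0123456789]${PRT}/tcp" /etc/services`
    # fuser writes the "PORT/tcp:" label to stderr and the pids to stdout
    for TPID in `fuser ${PRT}/tcp 2>/dev/null` ; do
        # match the pid column exactly instead of grepping the whole line
        ps wax | awk -v pid="${TPID}" '$1 == pid { print $1" "$5 }'
    done
done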


--  
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




[joey@finlandia.infodrom.north.de: [SECURITY] [DSA 027-1] New OpenSSH packages released]

2001-02-08 Thread andy
a note to sparc users (and others): the versions of ssh and ssh-askpass-gnome
referenced below and to be found at
http://security.debian.org/dists/stable/updates/main/binary-sparc/ssh_1.2.3-9.2_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/ssh-askpass-gnome_1.2.3-9.2_sparc.deb

have earlier version numbers than the packages uploaded on Jan 28 (e.g.,
ssh_1.2.3-9.3_sparc.deb), which fixed the lack of pam support
(http://www.debian.org/security/2001/dsa-025 - was there a reason why only
some users noticed that problem?).  

the version numbering seems to have gotten a touch off...  looks like the pam
support remains present.

andy

- Forwarded message from Martin Schulze <[EMAIL PROTECTED]> -

> Date: Fri, 9 Feb 2001 00:08:58 +0100
> From: Martin Schulze <[EMAIL PROTECTED]>
> To: Debian Security Announcements 
> Subject: [SECURITY] [DSA 027-1] New OpenSSH packages released
> Reply-To: [EMAIL PROTECTED]
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> - 
> Debian Security Advisory DSA-027-1   [EMAIL PROTECTED]
> http://www.debian.org/security/   Martin Schulze
> February 8, 2001
> - 
> 
> Package: openssh
> Vulnerability  : remote memory overwrite, key exchange problem
> Type   : remote exploit
> Debian-specific: no
> 
> This upload fixes:
> 
>  1. Prior versions of OpenSSH are vulnerable to a remote arbitrary
> memory overwrite attack which may eventually lead into a root
> exploit.  No exploit program is known yet but expected to come up
> soon.
> 
>  2. CORE-SDI has described a problem with regards to RSA key exchange
> and a Bleichenbacher attack to gather the session key from an ssh
> session.
> 
> We recommend you upgrade your openssh package immediately.
> 
> wget url
>   will fetch the file for you
> dpkg -i file.deb
> will install the referenced file.
> 
> You may use an automated update by adding the resources from the
> footer to the proper configuration.
> 
> 
> Debian GNU/Linux 2.2 alias potato
> - 
> 
>   Potato was released for the alpha, arm, i386, m68k, powerpc and sparc
>   architectures.
> 
> 
>   Source archives:
> 
> 
> http://security.debian.org/dists/stable/updates/main/source/openssh_1.2.3-9.2.diff.gz
>   MD5 checksum: b823b3a94de32533cb35c23a9b956c5c
> 
> http://security.debian.org/dists/stable/updates/main/source/openssh_1.2.3-9.2.dsc
>   MD5 checksum: bae514efd776c6007944677e767c60a0
> 
> http://security.debian.org/dists/stable/updates/main/source/openssh_1.2.3.orig.tar.gz
>   MD5 checksum: 6aad0cc9ceca55f138ed1ba4cf660349
> 
>   Intel ia32 architecture:
> 
> 
> http://security.debian.org/dists/stable/updates/main/binary-i386/ssh-askpass-gnome_1.2.3-9.2_i386.deb
>   MD5 checksum: 0283cfa29a7ac7e7857a6e86202d
> 
> http://security.debian.org/dists/stable/updates/main/binary-i386/ssh_1.2.3-9.2_i386.deb
>   MD5 checksum: e093ef0bc4201860c66edc859f064e71
> 
>   Motorola 680x0 architecture:
> 
> 
> http://security.debian.org/dists/stable/updates/main/binary-m68k/ssh-askpass-gnome_1.2.3-9.2_m68k.deb
>   MD5 checksum: a7f52d223f5755dacc09c20bbaf10d3e
> 
> http://security.debian.org/dists/stable/updates/main/binary-m68k/ssh_1.2.3-9.2_m68k.deb
>   MD5 checksum: 50cbe82d6f733357350cbedebc6b58a6
> 
>   Sun Sparc architecture:
> 
> 
> http://security.debian.org/dists/stable/updates/main/binary-sparc/ssh_1.2.3-9.2_sparc.deb
>   MD5 checksum: c2b2aefe74ba8852f0ac0bb2a3145892
> 
> http://security.debian.org/dists/stable/updates/main/binary-sparc/ssh-askpass-gnome_1.2.3-9.2_sparc.deb
>   MD5 checksum: d0de50b38fd8b517aa2b62fd15d5fcd4
> 
>   Alpha architecture:
> 
> 
> http://security.debian.org/dists/stable/updates/main/binary-alpha/ssh-askpass-gnome_1.2.3-9.2_alpha.deb
>   MD5 checksum: 5be857c6395f02bb9b454bfb13621b06
> 
> http://security.debian.org/dists/stable/updates/main/binary-alpha/ssh_1.2.3-9.2_alpha.deb
>   MD5 checksum: e55ef711299a60f5ee5df935a5db4931
> 
>   PowerPC architecture:
> 
> 
> http://security.debian.org/dists/stable/updates/main/binary-powerpc/ssh-askpass-gnome_1.2.3-9.2_powerpc.deb
>   MD5 checksum: 343c30fec20cf21f7075d86eed9f66f5
> 
> http://security.debian.org/dists/stable/updates/main/binary-powerpc/ssh_1.2.3-9.2_powerpc.deb
>   MD5 checksum: 12d7876a78d4eb9485b1aec8da28d3f9
> 
>   ARM architecture:
> 
> 
> http://security.debian.org/dists/stable/updates/main/binary-arm/ssh-askpass-gnome_1.2.3-9.2_arm.deb
>   MD5 checksum: fc55f1ec0dfba1175f7060235a6d6d09
> 
> http://security.debian.org/dists/stable/updates/main/binary-arm/ssh_1.2.3-9.2_arm.deb
>   MD5 checksum: 3e01291dedf24d01e5645734ec2c4cfb
> 
>   Architecture indep

Re: who owns the ports?

2001-02-08 Thread Philipe Gaspar
On Thursday 08 February 2001 21:21, Rolf Kutz wrote:
> Wade Richards ([EMAIL PROTECTED]) wrote:
> > I've got a rescue CD with most of the packages on it, and most(*) of
> > those packages include MD5 sums for all the files.
> >
> > There should be a way to, after booting up on my rescue CD, check all
> > my files against the MD5 checksums on the CD (ignoring the conffiles,
> > of course).
>
> Tripwire

Try the package debsums, it is a tool to handle md5sums for installed packages.

>
> > Better yet, for the packages that are not on my CD, it could get the
> > MD5s from the FTP archive.
> >
> > Does anyone know of such a feature already in the rescue disks?
>
> No, but you can do it with tripwire.
>
> cu,
>   Rolf



Re: who owns the ports?

2001-02-08 Thread Rolf Kutz
Wade Richards ([EMAIL PROTECTED]) wrote:

> I've got a rescue CD with most of the packages on it, and most(*) of
> those packages include MD5 sums for all the files.
> 
> There should be a way to, after booting up on my rescue CD, check all
> my files against the MD5 checksums on the CD (ignoring the conffiles,
> of course).

Tripwire

> Better yet, for the packages that are not on my CD, it could get the
> MD5s from the FTP archive.
> 
> Does anyone know of such a feature already in the rescue disks?

No, but you can do it with tripwire.

cu,
Rolf



Re: who owns the ports?

2001-02-08 Thread Wade Richards
All this discussion about the possibility of "script kiddies" installing
root kits, and overwriting various important system files, makes me think
of a useful potential feature.  And since this is Debian, I figure there's
a good chance that this useful feature already exists, and I just don't
know about it.

I've got a rescue CD with most of the packages on it, and most(*) of
those packages include MD5 sums for all the files.

There should be a way to, after booting up on my rescue CD, check all
my files against the MD5 checksums on the CD (ignoring the conffiles,
of course).

Better yet, for the packages that are not on my CD, it could get the
MD5s from the FTP archive.

Does anyone know of such a feature already in the rescue disks?

Thanks,

--- Wade

(*)On a slightly off-topic topic, why is it that only most of the packages
contain MD5 checksums?  Is the package maintainer required to do this,
or can it be done auto-magically when a package is uploaded?
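
The check asked for above, as an added sketch (not code from this thread or from any Debian package): it audits a mounted offline root against a list in the `md5sums` control-file format that dpkg keeps per package (`<md5>  <path relative to />`), skips listed conffiles, and flags a symlink found where a regular file is expected, since an absolute link would resolve into the rescue system rather than the suspect disk. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a mounted, offline root against a dpkg-style md5sums list.
#
# audit_root ROOT SUMS [CONFFILES]
#   ROOT       mount point of the suspect disk as seen from the rescue system
#   SUMS       trusted list, one "<md5>  <path relative to />" per line
#   CONFFILES  optional list of absolute conffile paths to skip
# Prints one line per deviation; returns 0 only if nothing deviates.
audit_root() {
    root=$1 sums=$2 conf=${3:-/dev/null}
    rc=0
    while read -r want path; do
        [ -n "$path" ] || continue
        # conffiles are expected to differ from the packaged version
        if grep -qxF "/$path" "$conf"; then continue; fi
        target="$root/$path"
        if [ -L "$target" ]; then
            # md5sums lists regular files only; an absolute link would also be
            # followed into the rescue system instead of the suspect disk
            echo "SYMLINK /$path"; rc=1
        elif [ ! -f "$target" ]; then
            echo "MISSING /$path"; rc=1
        else
            have=$(md5sum < "$target" | cut -d' ' -f1)
            [ "$have" = "$want" ] || { echo "FAILED /$path"; rc=1; }
        fi
    done < "$sums"
    return $rc
}

# Constructed sample: a fake target root whose sums are recorded while it is
# still clean (standing in for the list on the rescue CD), then altered.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/root/usr/sbin" "$d/root/bin" "$d/root/etc"
    printf 'genuine lsof\n'   > "$d/root/usr/sbin/lsof"
    printf 'genuine ps\n'     > "$d/root/bin/ps"
    printf 'default config\n' > "$d/root/etc/demo.conf"
    ( cd "$d/root" && md5sum usr/sbin/lsof bin/ps etc/demo.conf ) > "$d/md5sums"
    echo /etc/demo.conf > "$d/conffiles"
    printf 'trojaned ps\n'    > "$d/root/bin/ps"         # replaced binary
    printf 'locally edited\n' > "$d/root/etc/demo.conf"  # legitimate local edit
    echo "$d"
}

sample=$(make_sample)
audit_root "$sample/root" "$sample/md5sums" "$sample/conffiles" \
    || echo "deviations found"
rm -rf "$sample"
```

The result is only as trustworthy as the list and the tools: both have to come from the rescue medium, not from the disk being examined.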



Re: Apt-get package verification

2001-02-08 Thread Henrique M Holschuh
On Thu, 08 Feb 2001, Christian Hammers wrote:
> > Currently it won't.  :-\  You would have to get the packages yourself
> > and check the md5sums.
> Which were of course altered by the cracker. Bad idea.

Just subscribe to debian-devel-changes or debian-changes @lists.debian.org,
the .changes files are sent there; they are signed by the uploader's gpg
key, and contain all the md5sums.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
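
Added example, not from the thread or from apt: once the signature on a .changes file has been verified, its `Files:` field (lines of md5, size, section, priority, filename) can be used to check a downloaded package. The function names, the payload file and the `demo_1.0-1_all.deb` sample are constructed; the input is assumed to be the signed text only, taken from a .changes file whose signature was already verified against a trusted keyring.

```shell
#!/bin/sh
# Added example: check a downloaded file against the Files: field of a
# .changes payload.
# Assumption: CHANGES holds only the signed text of a .changes file whose
# signature has already been verified; text from outside the signed region
# must never reach this parser.

# changes_entry CHANGES NAME -> prints "<md5> <size>" for NAME, returns 1 if absent
changes_entry() {
    awk -v name="$2" '
        /^Files:/       { infiles = 1; next }
        infiles && /^ / { if ($5 == name) { print $1, $2; found = 1; exit }
                          next }
                        { infiles = 0 }   # any other field ends the list
        END             { if (!found) exit 1 }
    ' "$1"
}

# verify_download CHANGES FILE -> prints a verdict, returns 0 only on a match
verify_download() {
    changes=$1 file=$2
    name=$(basename "$file")
    entry=$(changes_entry "$changes" "$name") \
        || { echo "NOT LISTED $name"; return 1; }
    want_md5=${entry% *}
    want_size=${entry#* }
    have_size=$(wc -c < "$file" | tr -d ' ')
    have_md5=$(md5sum < "$file" | cut -d' ' -f1)
    # size is checked as well: it is in the signed list and cheap to compare
    [ "$have_size" = "$want_size" ] || { echo "SIZE MISMATCH $name"; return 1; }
    [ "$have_md5" = "$want_md5" ]   || { echo "MD5 MISMATCH $name"; return 1; }
    echo "OK $name"
}

# Constructed sample: a stand-in package file and a matching payload.
make_changes_sample() {
    d=$(mktemp -d)
    printf 'constructed package bytes\n' > "$d/demo_1.0-1_all.deb"
    sum=$(md5sum < "$d/demo_1.0-1_all.deb" | cut -d' ' -f1)
    size=$(wc -c < "$d/demo_1.0-1_all.deb" | tr -d ' ')
    cat > "$d/demo.changes.payload" <<EOF
Format: 1.7
Source: demo
Version: 1.0-1
Files:
 $sum $size utils optional demo_1.0-1_all.deb
EOF
    echo "$d"
}

sample=$(make_changes_sample)
verify_download "$sample/demo.changes.payload" "$sample/demo_1.0-1_all.deb" || true
rm -rf "$sample"
```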




Re: sources.list

2001-02-08 Thread Matthew Sherborne
I ran apt-setup and it automatically added my local mirrors. I'm not sure if
it wipes your previous sources.list though...

GBY




Re: Apt-get package verification

2001-02-08 Thread Christian Hammers
> Currently it won't.  :-\  You would have to get the packages yourself
> and check the md5sums.
Which were of course altered by the cracker. Bad idea.

bye,

 -christian-

-- 
Christian HammersWESTEND GmbH - Aachen und Dueren Tel 0241/701333-0
[EMAIL PROTECTED] Internet & Security for ProfessionalsFax 0241/911879
   WESTEND ist CISCO Systems Partner - Premium Certified



Apt-get package verification

2001-02-08 Thread schwack
Anybody know if apt will do any sort of verification of checksums or
anything to validate the package is from debian? I'm using apt to
automate priority security updates on several of my customers' firewalls
and i'm curious that if somebody poisons some routes and/or dns caches, we could
have serious trouble.

Thanks for your comments (new to debian)

Schwack
clint sand




Re: Where to get updates

2001-02-08 Thread Robert Lazzurs
On Thu, 8 Feb 2001, Desai, Jason wrote:

> Hello.
> 
> Can someone tell me the difference between packages in the
> dists/potato-proposed-updates and packages on the security.debian.org site?
> I had been using the proposed-updates in my sources.list file for a while,
> but I have not found the updated bind package there.  But I did find it on
> the security.debian.org site.
> 
> Thanks for any help.
> 
> Jase

The proposed updates are bug updates to packages that are going to be put
into the next release of potato.  However security.debian.org is for
priority security updates, if you are using potato then you should have
that in your sources file as well.

Take care - Rab

--
Robert Lazzurs  |  "All that is etched in stone is 
The Lazzurs Administration  |  truly only scribbled in sand"
+44 7092 157408 |  -ARL
[EMAIL PROTECTED]   |  EB chat client http://www.everybuddy.com
AIM:lazzurs ICQ:66324927|  ER-Web http://www.elite.uk.com/er
Yahoo:arl666_uk MSN:arl666  |  Join EFF http://www.eff.org



sources.list

2001-02-08 Thread Gary Glueckert
I have recently been to the www.debian.org looking for the latest sites to
add to my sources.list file. I could not find them even though I know that I
have seen them there before. Could anyone give me a hand and let me know
what entries to include there. I am currently using:

#STABLE
deb http://http.us.debian.org/debian potato main contrib non-free
deb http://non-us.debian.org/debian-non-US potato/non-US main contrib non-free
deb http://security.debian.org/debian-security potato/updates main contrib non-free

#STABLE SOURCE
# Uncomment if you want the apt-get source function to work
#deb-src http://http.us.debian.org/debian stable main contrib non-free
#deb-src http://non-us.debian.org/debian-non-US stable non-US

#HELIX CODE
deb http://spidermonkey.helixcode.com/distributions/debian unstable main
#added in by me for alsa

# WOODY
#deb http://llug.sep.bnl.gov/debian woody main contrib non-free

Any suggestions for improving the above list would be appreciated.

Gary

*  Cisco Certified Academy Instructor  *
*  Empowering the Internet Generation  *
*Are you ready?*
*  mailto:[EMAIL PROTECTED]*
*   http://www.cisco.com/edu   *




Re: who owns the ports?

2001-02-08 Thread Philipe Gaspar
On Thursday 08 February 2001 03:19, Bradley M Alexander wrote:
> On Wed, Feb 07, 2001 at 05:12:48PM -0500, Matthias G. Imhof wrote:
> > Running lsof as root or various versions of netstat showed that
> > portsentry owns these ports :-)
>
> This is quite true. I remember now that I had the same issue come up when I
> set up portsentry. If you run it in -tcp and/or -udp mode, it will appear
> that these ports are listening. However if you switch to advanced mode
> (-atcp and/or -audp), these ports will not respond.

But in advanced mode it doesn't show all the listening ports?
What ports did it show? And it blocked the ip address?



Where to get updates

2001-02-08 Thread Desai, Jason
Hello.

Can someone tell me the difference between packages in the
dists/potato-proposed-updates and packages on the security.debian.org site?
I had been using the proposed-updates in my sources.list file for a while,
but I have not found the updated bind package there.  But I did find it on
the security.debian.org site.

Thanks for any help.

Jase






Re: who owns the ports?

2001-02-08 Thread Giacomo Mulas
On Wed, 7 Feb 2001, Matthias G. Imhof wrote:

> Running lsof as root or various versions of netstat showed that portsentry owns
> these ports :-)

Glad to hear it was a false alarm. Sorry to have alarmed you.

Bye
Giacomo

_

Giacomo Mulas <[EMAIL PROTECTED], [EMAIL PROTECTED]>
_

OSSERVATORIO  ASTRONOMICO
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)

Tel.: +39 070 71180 216 Fax : +39 070 71180 222
_

"When the storms are raging around you, stay right where you are"
 (Freddy Mercury)
_



Re: who owns the ports?

2001-02-08 Thread Giacomo Mulas
On Wed, 7 Feb 2001, Carl Brock Sides wrote:

> My immediate guess, upon seeing anything running on 31337, is that
> you've been "0wn3d", as the script kiddies put it, and maybe lsof has
> been trojaned not to list the attacker's processes.
> 
> You are running lsof as root, right? It won't show you everything as an
> ordinary user.
> 
> You don't say what version of Debian you're running. If you're running
> potato or unstable on x86, with lsof-2.2 4.48-1, here's the md5sum for it:
> 
> be8cf28300c29db5dffbea19fd613abf  /usr/sbin/lsof
> 
> If that's not it, it's a trojan. I'd guess that other useful tools for
> finding out what's going on, e.g. ls and ps and fuser, have been
> trojaned as well. (Although you might want to try "fuser 31337/tcp",
> maybe the attacker forgot about it.)
> 
> Reinstall fileutils, procps, psmisc, lsof-2.2, and findutils if you're
> interested in further investigation.

This may be not enough: recent rootkits install trojan libraries or even a
trojan kernel module, and intercept system calls directly, with no need to
tamper with tools. Therefore they are both more difficult to detect and
more difficult to clean. To be safe you need to boot from a safe kernel
and/or run statically linked utilities. A clean rescue cdrom is the safest
bet.

Bye
Giacomo

_

Giacomo Mulas <[EMAIL PROTECTED], [EMAIL PROTECTED]>
_

OSSERVATORIO  ASTRONOMICO
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)

Tel.: +39 070 71180 216 Fax : +39 070 71180 222
_

"When the storms are raging around you, stay right where you are"
 (Freddy Mercury)
_



Re: who owns the ports?

2001-02-08 Thread Giacomo Mulas
On Wed, 7 Feb 2001, Aaron Dewell wrote:

> Well, finger is probably running through inetd...  Either that or you
> are running that scanner detector package that binds to every port
> known in the universe.

He said he checked inetd.conf, and whatever is bound to any port lsof
should report it. It smells fishy...

Bye
Giacomo

_

Giacomo Mulas <[EMAIL PROTECTED], [EMAIL PROTECTED]>
_

OSSERVATORIO  ASTRONOMICO
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)

Tel.: +39 070 71180 216 Fax : +39 070 71180 222
_

"When the storms are raging around you, stay right where you are"
 (Freddy Mercury)
_



Re: who owns the ports?

2001-02-08 Thread Giacomo Mulas
On Wed, 7 Feb 2001, Matthias G. Imhof wrote:

> Performing strobe or nmap on my system, I get, e.g., the following list:

(omissis)

It is very likely that your host has been compromised and a rootkit
installed. Do not trust any of the utilities on that host. Instead, boot
off a (trusted) rescue cd with a clean system on it, and check with it. 
Be careful how you take down that computer: I have seen crackers install
background processes that monitor e.g. the connectivity of the computer
and do an "rm -rf /" command if they suspect they have been caught. As
crazy as it sounds, if your computer has indeed been compromised the
safest thing may indeed be to simply cut the power off. Whatever you do,
be careful.

Bye
Giacomo

_

Giacomo Mulas <[EMAIL PROTECTED], [EMAIL PROTECTED]>
_

OSSERVATORIO  ASTRONOMICO
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)

Tel.: +39 070 71180 216 Fax : +39 070 71180 222
_

"When the storms are raging around you, stay right where you are"
 (Freddy Mercury)
_


