Re: Anti Virus for Debian

2001-03-05 Thread Luke Worthy
When I started here we had a copy of McAfee for linux (ie I don't know
how much it cost) but they weren't using it - as I use it on my desktop
I was going to put it on my machine... the idea being that I could
remotely scan my users' machines from my machine (I have found the
windows McAfee has problems seeing some virus files when run on an
already infected machine - anti McAfee viruses).

But instead I saw this really cool project: http://www.amavis.org/

It is an opensource tool that you can install on your company's mail
server, that adds an extra queue to either sendmail, or postfix, or
qmail and another one (can't remember atm), which scans all mail before
delivering it or sending it out to another server.  We didn't have 1
AnnaK virus hit (although I got quite a few messages from the server).

It will integrate with just about any virus scanning product available
for Linux (and they have a list of about 10 to choose from).  Just make
sure the process limit for scanning is appropriate for your hardware -
the default is 50... and we had to lower that for our poor little
server... it didn't crash, but was acting really weird after
recovering from a load = 75 :)

But yeah - it is a great tool - and it works :))) oh the docs kinda
suck a little bit... but just use your head when following them (their
FAQ I think mentions they need to write better install instructions) -
come to think of it I should have written down what I did and emailed it
to the maintainers.

If anyone wants to even do a test install and email them with those
steps - I think sendmail is already done..

Luke

Christopher Curtis wrote:
> 
> I think your best bet is here:
> 
> http://www.sophos.com/downloads/products/unix.html
> 
> They're pricey (~$1,000/yr for 10 workstations) and don't support
> Linux/SPARC, but support Linux/i386, Linux/Alpha, and Solaris/SPARC, so
> if you're willing to pony up the $$$ they may be the most likely source.
> 
> Chris
> 
> Mario Zuppini wrote:
> >
> > I would also like to know of virus scanners especially for mail servers ie
> > sendmail
> > that will work on a SPARC ???
> >
> > there are a few that work under i386 ie like amavris etc can be found on
> > freshmeat.net
> > but nothing will work under a sparc
> >
> > - Original Message -
> > From: "Matthew Sherborne" <[EMAIL PROTECTED]>
> > To: 
> > Sent: Tuesday, February 20, 2001 1:41 PM
> > Subject: Anti Virus for Debian
> >
> > > Are there any gpl or similar anti-virus programs for linux ?
> > >
> > > Any reccomendations ?
> > >
> > > GBY
> > >
> > >
> > >
> > > --
> > > To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> > > with a subject of "unsubscribe". Trouble? Contact
> > [EMAIL PROTECTED]
> > >

-- 
Luke Worthy, Systems Administrator

Sinewave Interactive Pty Ltd
Level 3, 493 St Kilda Road, Melbourne
Victoria, Australia  3004
Tel: +61-3-9820-5443
Fax: +61-3-9820-0407
[EMAIL PROTECTED]


The information transmitted may be confidential, is intended only for
the person to which it is addressed, and may not be reviewed,
retransmitted, disseminated or relied upon by any other persons. If you
received this message in error, please contact the sender and destroy
any paper or electronic copies of this message. Any views expressed in
this email communication are those of the individual sender, except
where the sender specifically states otherwise. Sinewave Interactive Pty
Ltd does not represent, warrant or guarantee that the communication is
free of errors, virus or interference.
--



RE: i've been port scanned. now what

2001-03-05 Thread Alex Swavely
Well, as a network administrator, I feel thusly:

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf
> Of Tim Haynes
> Subject: Re: i've been port scanned. now what
>
>
> Nathan E Norman <[EMAIL PROTECTED]> writes:
>
> [snip]
[...]
> Sure, but I hope you didn't let rip with them on other networks
> or sections
> of network over which you didn't have control.

If I get a scathing phone call about someone scanning, say, <1024, one time
through, I'm a gonna be pissed.

> What I'd suggest is that the OP applies a scale to it: a few ports scanned
> in succession is not worthwhile waking a net-admin up for; a few ports
> scanned multiple times over is getting more interesting; a large range of
> points also bumps up the `score'; a repetitive attack on many sensitive
> ports (111/tcp, 53/tcp, 21/tcp, you know the sort of thing) would have me
> on the 'phone to whoever was listed in `whois`.

1-1024 one time through = whatever, dude..
>1024 || (<1024 more than once) = This is more interesting
Poking at specific ports = more interesting
DoS coming from my system = Dammit, you had better wake me up!

> > You could always send an email to the ISP in question and ask them what
> > they think; whether they want a copy of the logs, etc.
>
> Agreed. By the above scaling system, it could be worse. Still, it's
> worthwhile asking `oi you, what's up, d'you mind?' or somesuch.

A polite email at any level would be appreciated, I do agree..
Something along the lines of "Hey, I noticed something funny..."

--
T. Alex Swavely
"So I though to myself, 'if this were the coolest place in the world, would
they have only one pair of rubber party pants?'"



Re: i've been port scanned. now what

2001-03-05 Thread Nathan E Norman
On Tue, Mar 06, 2001 at 01:12:46AM +, Tim Haynes wrote:
> > It's also possible that someone is just exploring.
> 
> Then they need educating that scanning such a vast range of ports is an
> unacceptable definition of `exploring'.

Well, that's your opinion.  I don't know that I agree ... presumably
I've already tied down my services; why do I care if someone is
checking which ports are open?  When I did see an extensive portscan I
usually fired off one of my own to see what was up at that end.  More
often than not it turned out to be a misconfigured monitoring box
(ever seen Whatsup at work?)
 
OTOH I'll always defend your right to apply your opinion to your
machines; if you want to get after someone who's portscanning your
machines I won't stop you :)

> > As a former network administrator I wasn't too worried about portscans
> > unless they were followed up with actual connections. I also used
> > portscans when needed to discover what users on the network were up to.
> 
> Sure, but I hope you didn't let rip with them on other networks or sections
> of network over which you didn't have control.

We had a /18; I had plenty of IPs to keep an eye on.  Some people were
less cooperative than others.

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Inc. | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]   |   -- Patton




Re: i've been port scanned. now what

2001-03-05 Thread Tim van Erven
On Mon, Mar 05, 2001 at 11:37:17PM +0100, Szabó Dániel <[EMAIL PROTECTED]>
wrote:
> My packet filter ruleset catched somebody on port scanning one of our host.
> He or she tryed to scan a very big port range from tcp 1 up to 32000 (think
> with nmap), but my packet filter denied his/her queries (the kernel
> generated 1 mb log in 3 minutes with the denied packets). I have his/her
> ipv4 address, and i would like to ask, what should i do know? i figured out
> from the ripe.net whois db, that the ip is owned by one of the ISP's from my
> country, is it possible, that the scanner cracked the isp's machine, then
> pushed the scan from there?

The scanner is probably connected to the internet through that
ISP.

Your response to the scan should probably depend on your opinion
on portscans in general. Some people believe portscans are only
used by crackers. If you agree with them a possible response to
the scan is sending a mail with the IP of the scanner, the exact
time of the scan and any other information you think might be
relevant to [EMAIL PROTECTED]

On the other hand, if you agree with people who believe
portscans have legitimate uses (like finding out if someone is
providing an ftp-server) you should probably do nothing since
the scan was very general and not targeted at ports that are
likely to have exploitable services on them). This is my current
point of view.

There's been a discussion about portscans not too long ago on
debian-security (and probably any security related mailinglist)
btw.

Finally, one note of warning: whatever you do, don't try to
think of portscans in terms of what I'd call the '(breaking in
to)/(looking at a) house'-metaphor. IMHO it does not provide a
suitable mapping of the situation to one in real life at all and
I find it rapidly becoming very annoying.

Tim

ps. This is *not* an invitation to start another discussion
about portscans. The issue has been beaten to death already and
I'm convinced a simple google search will provide excellent
writings about all views on the subject.

-- 
Tim van Erven
[EMAIL PROTECTED]
[EMAIL PROTECTED]



Re: i've been port scanned. now what

2001-03-05 Thread Tim Haynes
Nathan E Norman <[EMAIL PROTECTED]> writes:

[snip]
> Well, that all depends ... do you consider port scanning criminal
> activity or not?
> 
> I do not - I think you should view a port scan as a possible indication
> that someone intends to attack you.

Agreed. 

> It's also possible that someone is just exploring.

Then they need educating that scanning such a vast range of ports is an
unacceptable definition of `exploring'.

> As a former network administrator I wasn't too worried about portscans
> unless they were followed up with actual connections. I also used
> portscans when needed to discover what users on the network were up to.

Sure, but I hope you didn't let rip with them on other networks or sections
of network over which you didn't have control.

What I'd suggest is that the OP applies a scale to it: a few ports scanned
in succession is not worthwhile waking a net-admin up for; a few ports
scanned multiple times over is getting more interesting; a large range of
points also bumps up the `score'; a repetitive attack on many sensitive
ports (111/tcp, 53/tcp, 21/tcp, you know the sort of thing) would have me
on the 'phone to whoever was listed in `whois`.

> You could always send an email to the ISP in question and ask them what
> they think; whether they want a copy of the logs, etc.

Agreed. By the above scaling system, it could be worse. Still, it's
worthwhile asking `oi you, what's up, d'you mind?' or somesuch.

~Tim
-- 
Roobarb and Custard let fly  |[EMAIL PROTECTED]
with their secret weapon.|http://spodzone.org.uk/
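Tim's scale above (and Alex Swavely's restatement of it earlier in the thread) as triage logic run over denied-packet log lines: an added example, not code posted by anyone in the thread. The log lines are constructed in the style of netfilter LOG output, and the thresholds FEW_PORTS, LARGE_RANGE and REPEAT_HITS are assumptions; the thread gives no numbers beyond the sensitive ports it names.

```python
"""Triage denied-packet firewall log lines on the thread's portscan scale.

Added example, not code from the thread. Log lines are constructed in the
style of a netfilter LOG rule (SRC=/DST=/PROTO=/DPT= fields); the thresholds
FEW_PORTS, LARGE_RANGE and REPEAT_HITS are assumptions, not values from
the thread.
"""
import re
from collections import Counter, defaultdict

# Ports the thread names as "sensitive": sunrpc, dns, ftp.
SENSITIVE_PORTS = {111, 53, 21}

# Assumed thresholds for the tiers the thread describes.
FEW_PORTS = 5        # "a few ports scanned in succession": not worth a wake-up
LARGE_RANGE = 100    # this many distinct ports counts as "a large range"
REPEAT_HITS = 3      # hits on one sensitive port that make it "repetitive"

LOG_RE = re.compile(
    r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+)\s.*?PROTO=(?P<proto>\w+)\s.*?DPT=(?P<dpt>\d+)"
)


def parse_events(log_text):
    """Extract (source, protocol, destination port) from each matching line."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            events.append((m.group("src"), m.group("proto").lower(), int(m.group("dpt"))))
    return events


def score_source(port_hits):
    """Score one source's {port: hit count} mapping on the thread's scale.

    Returns (score, tier) where tier is 'ignore', 'interesting' or 'escalate'.
    """
    distinct = len(port_hits)
    repeated = [p for p, n in port_hits.items() if n > 1]
    # A few ports, each hit once: nothing to wake anyone up for.
    if distinct <= FEW_PORTS and not repeated:
        return 0, "ignore"
    score = 0
    # Ports hit multiple times over make it more interesting.
    score += len(repeated)
    # A large range of ports bumps the score in proportion to its size.
    if distinct >= LARGE_RANGE:
        score += distinct // LARGE_RANGE
    # Repetitive attempts on sensitive ports are the "phone the whois contact" case.
    for port in SENSITIVE_PORTS:
        if port_hits.get(port, 0) >= REPEAT_HITS:
            score += 10
    tier = "escalate" if score >= 10 else "interesting"
    return score, tier


def triage(log_text):
    """Group denied TCP packets by source address and score each source."""
    per_source = defaultdict(Counter)
    for src, proto, dport in parse_events(log_text):
        if proto == "tcp":
            per_source[src][dport] += 1
    return {src: score_source(hits) for src, hits in per_source.items()}


def _line(src, dport, proto="TCP"):
    # Constructed log line in netfilter LOG style; timestamp and host are placeholders.
    return (f"Mar  5 23:37:17 fw kernel: DENY IN=eth0 SRC={src} DST=198.51.100.5 "
            f"PROTO={proto} SPT=40123 DPT={dport} SYN")


def sample_log():
    """Constructed sample: a wide sweep, a sensitive-port hammer, and a light probe."""
    lines = [_line("192.0.2.10", p) for p in range(1, 201)]             # sweep of 200 ports
    lines += [_line("203.0.113.7", p) for p in (111, 111, 111, 53, 53, 53, 21, 21)]
    lines += [_line("198.51.100.77", p) for p in (22, 80, 443)]        # three ports, once each
    lines += [_line("198.51.100.77", 53, proto="UDP")]                 # not TCP, not counted
    return "\n".join(lines)


if __name__ == "__main__":
    for src, (score, tier) in sorted(triage(sample_log()).items()):
        print(f"{src:15} score={score:3} {tier}")
```

The sweep of 200 ports lands in the "interesting" tier, while repeated hits on 111 and 53 from one source outscore it by a wide margin, which is the ordering Tim argues for.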



Re: i've been port scanned. now what

2001-03-05 Thread Nathan E Norman
On Mon, Mar 05, 2001 at 11:37:17PM +0100, Szabó Dániel wrote:
> Hello.
> My packet filter ruleset catched somebody on port scanning one of our host.
> He or she tryed to scan a very big port range from tcp 1 up to 32000 (think
> with nmap), but my packet filter denied his/her queries (the kernel
> generated 1 mb log in 3 minutes with the denied packets). I have his/her
> ipv4 address, and i would like to ask, what should i do know? i figured out
> from the ripe.net whois db, that the ip is owned by one of the ISP's from my
> country, is it possible, that the scanner cracked the isp's machine, then
> pushed the scan from there?

Well, that all depends ... do you consider port scanning criminal
activity or not?

I do not - I think you should view a port scan as a possible
indication that someone intends to attack you.  It's also possible
that someone is just exploring.

As a former network administrator I wasn't too worried about portscans
unless they were followed up with actual connections.  I also used
portscans when needed to discover what users on the network were up
to.

You could always send an email to the ISP in question and ask them
what they think; whether they want a copy of the logs, etc.

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Inc. | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]   |   -- Patton




Re: i've been port scanned. now what

2001-03-05 Thread Peter Cordes
On Mon, Mar 05, 2001 at 11:37:17PM +0100, Szabó Dániel wrote:
> Hello.
> My packet filter ruleset catched somebody on port scanning one of our host.
> He or she tryed to scan a very big port range from tcp 1 up to 32000 (think
> with nmap), but my packet filter denied his/her queries (the kernel
> generated 1 mb log in 3 minutes with the denied packets). I have his/her
> ipv4 address, and i would like to ask, what should i do know? i figured out
> from the ripe.net whois db, that the ip is owned by one of the ISP's from my
> country, is it possible, that the scanner cracked the isp's machine, then
> pushed the scan from there?

 It's a lot more likely that the person that scanned you is simply one of
the ISP's customers.  The ISP owns the IPs they assign to their customers'
machines.

 If all the guy did was scan, then don't do anything unless he does it again
or something.  If there were any signs of an actual attack, like sending
nastygrams to your web server or something, then you should contact his ISP
and show them the log.

 (My philosophy is that portscanning is more or less innocent and curiosity
driven, and so shouldn't be punished unless it causes a DoS or something.
If you feel otherwise, you might want to show the logs you have to the
scanner's ISP, with timestamp, so they can figure out who had that IP at
that time.  I think that would be going to more trouble than it's worth,
though.)


-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BCE



Re: Kernel 2.2.15 hole ?

2001-03-05 Thread Ethan Benson
On Mon, Mar 05, 2001 at 08:36:28AM +, [EMAIL PROTECTED] wrote:
> 
> I purposely have a policy of not upgrading software (including the
> kernel) unless there is a good reason to do so, either with new
> functionality that is required, or for security reasons. I have
> no objections to upgrading in this instance, but I was more
> concerned that a search on Debians archives did not show this
> as a security issue.

you will want to upgrade to 2.2.19 when it's available since 2.2.18 and
below have another security hole (actually two).  the first being a
race condition that allows suid executables to be ptraced; this
potentially allows for root compromise.  the other allows users to
read arbitrary memory through a bug in sysctl() (depending on the
attacker's luck they could potentially grab a password or other
sensitive information).  both are only locally exploitable.  (i know
of no exploit for the ptrace race at this time; there is a proof of
concept exploit for the sysctl() bug).

-- 
Ethan Benson
http://www.alaska.net/~erbenson/




i've been port scanned. now what

2001-03-05 Thread Szabó Dániel
Hello.
My packet filter ruleset caught somebody port scanning one of our hosts.
He or she tried to scan a very big port range from tcp 1 up to 32000 (I think
with nmap), but my packet filter denied his/her queries (the kernel
generated a 1 MB log in 3 minutes with the denied packets). I have his/her
ipv4 address, and I would like to ask, what should I do now? I figured out
from the ripe.net whois db that the ip is owned by one of the ISPs from my
country; is it possible that the scanner cracked the ISP's machine, then
pushed the scan from there?

Thanks,
Daniel



Re: Anti Virus for Debian

2001-03-05 Thread Christopher Curtis
I think your best bet is here:

http://www.sophos.com/downloads/products/unix.html

They're pricey (~$1,000/yr for 10 workstations) and don't support
Linux/SPARC, but support Linux/i386, Linux/Alpha, and Solaris/SPARC, so
if you're willing to pony up the $$$ they may be the most likely source.

Chris

Mario Zuppini wrote:
> 
> I would also like to know of virus scanners especially for mail servers ie
> sendmail
> that will work on a SPARC ???
> 
> there are a few that work under i386 ie like amavris etc can be found on
> freshmeat.net
> but nothing will work under a sparc
> 
> - Original Message -
> From: "Matthew Sherborne" <[EMAIL PROTECTED]>
> To: 
> Sent: Tuesday, February 20, 2001 1:41 PM
> Subject: Anti Virus for Debian
> 
> > Are there any gpl or similar anti-virus programs for linux ?
> >
> > Any reccomendations ?
> >
> > GBY
> >
> >
> >
> > --
> > To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> > with a subject of "unsubscribe". Trouble? Contact
> [EMAIL PROTECTED]
> >



Re: Anti Virus for Debian

2001-03-05 Thread Luke Worthy

When I started here we had a copy of McAfee for linux (ie I don't know
how much it cost) but they weren't using it - as I use it on my desktop
I was going to put it on my machine.the idea being that I could
remotely scan my users machines from my machine (I have found the
windows McAfee has problems seeing some virus files when run on an
already infected machine - anti McAfee viruses).

But instead I saw this really cool project: http://www.amavis.org/

It is an opensource tool that you can install on your companies mail
server, that adds an extra queue to either sendmail, or postfix, or
qmail and another one (can't remember atm), which scans all mail before
delivering it or sending it out to another server.  We didn't have 1
AnnaK virus hit (although I got quite a few messages from the server).

It will integrate with just about any virus scanning product available
for Linux (and they have a list of about 10 to choose from).  Just make
sure the process limit for scanning is appropriate for your hardware -
the default is 50and we had to lower that for our poor little
server..it didn't crash, but was acting really weird after
recovering from a load = 75 :)

But yeah - it is a great tool - and it works :))) oh the docs kinda
suck a little bit.but just use your head when following them (their
FAQ I think mentions they need to write better install instructions) -
come to think of it I should have written down what I did and emailed it
to the maintainers.  

If anyone wants to even do a test install and email them with those
steps - I think sendmail is already done..

Luke

Christopher Curtis wrote:
> 
> I think your best bet is here:
> 
> http://www.sophos.com/downloads/products/unix.html
> 
> They're pricey (~$1,000/yr for 10 workstations) and don't support
> Linux/SPARC, but support Linux/i386, Linux/Alpha, and Solaris/SPARC, so
> if you're willing to pony up the $$$ they may be the most likely source.
> 
> Chris
> 
> Mario Zuppini wrote:
> >
> > I would also like to know of virus scanners especially for mail servers ie
> > sendmail
> > that will work on a SPARC ???
> >
> > there are a few that work under i386 ie like amavris etc can be found on
> > freshmeat.net
> > but nothing will work under a sparc
> >
> > - Original Message -
> > From: "Matthew Sherborne" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Tuesday, February 20, 2001 1:41 PM
> > Subject: Anti Virus for Debian
> >
> > > Are there any gpl or similar anti-virus programs for linux ?
> > >
> > > Any reccomendations ?
> > >
> > > GBY
> > >
> > >
> > >
> > > --
> > > To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> > > with a subject of "unsubscribe". Trouble? Contact
> > [EMAIL PROTECTED]
> > >
> >
> > --
> > To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
> 
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

-- 
Luke Worthy, Systems Administrator

Sinewave Interactive Pty Ltd
Level 3, 493 St Kilda Road, Melbourne
Victoria, Australia  3004
Tel: +61-3-9820-5443
Fax: +61-3-9820-0407
[EMAIL PROTECTED]


The information transmitted may be confidential, is intended only for
the person to which it is addressed, and may not be reviewed,
retransmitted, disseminated or relied upon by any other persons. If you
received this message in error, please contact the sender and destroy
any paper or electronic copies of this message. Any views expressed in
this email communication are those of the individual sender, except
where the sender specifically states otherwise. Sinewave Interactive Pty
Ltd does not represent, warrant or guarantee that the communication is
free of errors, virus or interference.
--


--  
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




RE: i've been port scanned. now what

2001-03-05 Thread Alex Swavely

Well, as a network administrator, I feel thusly:

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf
> Of Tim Haynes
> Subject: Re: i've been port scanned. now what
>
>
> Nathan E Norman <[EMAIL PROTECTED]> writes:
>
> [snip]
[...]
> Sure, but I hope you didn't let rip with them on other networks
> or sections
> of network over which you didn't have control.

If I get a scathing phone call about someone scanning, say, <1024, one time
through, I'm a gonna be pissed.

> What I'd suggest is that the OP applies a scale to it: a few ports scanned
> in succession is not worthwhile waking a net-admin up for; a few ports
> scanned multiple times over is getting more interesting; a large range of
> points also bumps up the `score'; a repetitive attack on many sensitive
> ports (111/tcp, 53/tcp, 21/tcp, you know the sort of thing) would have me
> on the 'phone to whoever was listed in `whois`.

1-1024 one time through = whatever, dude..
>1024 || (<1024 more than once) = This is more interesting
Poking at specific ports = more interesting
DoS coming from my system = Dammit, you had better wake me up!

> > You could always send an email to the ISP in question and ask them what
> > they think; whether they want a copy of the logs, etc.
>
> Agreed. By the above scaling system, it could be worse. Still, it's
> worthwhile asking `oi you, what's up, d'you mind?' or somesuch.

A polite email at any level would be appreciated, I do agree..
Something along the lines of "Hey, I noticed something funny..."

--
T. Alex Swavely
"So I though to myself, 'if this were the coolest place in the world, would
they have only one pair of rubber party pants?'"


--  
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: i've been port scanned. now what

2001-03-05 Thread Nathan E Norman

On Tue, Mar 06, 2001 at 01:12:46AM +, Tim Haynes wrote:
> > It's also possible that someone is just exploring.
> 
> Then they need educating that scanning such a vast range of ports is an
> unacceptable definition of `exploring'.

Well, that's your opinion.  I don't know that I agree ... presumably
I've already tied down my services; why do I care if someone is
checking which ports are open?  When I did see an extensive portscan I
usually fired off one of my own to see what was up at that end.  More
often than not it turned out to be a misconfigured monitoring box
(ever seen Whatsup at work?)
 
OTOH I'll always defend your right to apply your opinion to your
machines; if you want to get after someone who's portscanning your
machines I won't stop you :)

> > As a former network administrator I wasn't too worried about portscans
> > unless they were followed up with actual connections. I also used
> > portscans when needed to discover what users on the network were up to.
> 
> Sure, but I hope you didn't let rip with them on other networks or sections
> of network over which you didn't have control.

We had a /18; I had plenty of IPs to keep an eye on.  Some people were
less cooperative than others.

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Inc. | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]   |   -- Patton

 PGP signature


Re: i've been port scanned. now what

2001-03-05 Thread Tim van Erven

On Mon, Mar 05, 2001 at 11:37:17PM +0100, Szab? D?niel <[EMAIL PROTECTED]> wrote:
> My packet filter ruleset catched somebody on port scanning one of our host.
> He or she tryed to scan a very big port range from tcp 1 up to 32000 (think
> with nmap), but my packet filter denied his/her queries (the kernel
> generated 1 mb log in 3 minutes with the denied packets). I have his/her
> ipv4 address, and i would like to ask, what should i do know? i figured out
> from the ripe.net whois db, that the ip is owned by one of the ISP's from my
> country, is it possible, that the scanner cracked the isp's machine, then
> pushed the scan from there?

The scanner is probably connected to the internet through that
ISP.

Your response to the scan should probably depend on your opinion
on portscans in general. Some people believe portscans are only
used by crackers. If you agree with them a possible response to
the scan is sending a mail with the IP of the scanner, the exact
time of the scan and any other information you think might be
relevant to [EMAIL PROTECTED]

On the other hand, if you agree with people who believe
portscans have legitimate uses (like finding out if someone is
providing an ftp-server) you should probably do nothing since
the scan was very general and not targeted at ports that are
likely to have exploitable services on them). This is my current
point of view.

There's been a discussion about portscans not to long ago on
debian-security (and probably any security related mailinglist)
btw.

Finally, one note of warning: whatever you do, don't try to
think of portscans in terms of what I'd call the '(breaking in
to)/(looking at a) house'-metaphor. IMHO it does not provide a
suitable mapping of the situation to one in real life at all and
I find it rapidly becoming very anoying.

Tim

ps. This is *not* an invitation to start another discussion
about portscans. The issue has been beaten to death already and
I'm convinced a simple google search will provide excellent
writings about all views on the subject.

-- 
Tim van Erven
[EMAIL PROTECTED]
[EMAIL PROTECTED]


--  
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: i've been port scanned. now what

2001-03-05 Thread Tim Haynes

Nathan E Norman <[EMAIL PROTECTED]> writes:

[snip]
> Well, that all depends ... do you consider port scanning criminal
> activity or not?
> 
> I do not - I think you should view a port scan as a possible indication
> that someone intends to attack you.

Agreed. 

> It's also possible that someone is just exploring.

Then they need educating that scanning such a vast range of ports is an
unacceptable definition of `exploring'.

> As a former network administrator I wasn't too worried about portscans
> unless they were followed up with actual connections. I also used
> portscans when needed to discover what users on the network were up to.

Sure, but I hope you didn't let rip with them on other networks or sections
of network over which you didn't have control.

What I'd suggest is that the OP applies a scale to it: a few ports scanned
in succession is not worthwhile waking a net-admin up for; a few ports
scanned multiple times over is getting more interesting; a large range of
points also bumps up the `score'; a repetitive attack on many sensitive
ports (111/tcp, 53/tcp, 21/tcp, you know the sort of thing) would have me
on the 'phone to whoever was listed in `whois`.

> You could always send an email to the ISP in question and ask them what
> they think; whether they want a copy of the logs, etc.

Agreed. By the above scaling system, it could be worse. Still, it's
worthwhile asking `oi you, what's up, d'you mind?' or somesuch.

~Tim
-- 
Roobarb and Custard let fly  |[EMAIL PROTECTED]
with their secret weapon.|http://spodzone.org.uk/


--  
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: i've been port scanned. now what

2001-03-05 Thread Nathan E Norman

On Mon, Mar 05, 2001 at 11:37:17PM +0100, Szabó Dániel wrote:
> Hello.
> My packet filter ruleset catched somebody on port scanning one of our host.
> He or she tryed to scan a very big port range from tcp 1 up to 32000 (think
> with nmap), but my packet filter denied his/her queries (the kernel
> generated 1 mb log in 3 minutes with the denied packets). I have his/her
> ipv4 address, and i would like to ask, what should i do know? i figured out
> from the ripe.net whois db, that the ip is owned by one of the ISP's from my
> country, is it possible, that the scanner cracked the isp's machine, then
> pushed the scan from there?

Well, that all depends ... do you consider port scanning criminal
activity or not?

I do not - I think you should view a port scan as a possible
indication that someone intends to attack you.  It's also possible
that someone is just exploring.

As a former network administrator I wasn't too worried about portscans
unless they were followed up with actual connections.  I also used
portscans when needed to discover what users on the network were up
to.

You could always send an email to the ISP in question and ask them
what they think; whether they want a copy of the logs, etc.

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Inc. | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]   |   -- Patton

 PGP signature


Re: i've been port scanned. now what

2001-03-05 Thread Peter Cordes

On Mon, Mar 05, 2001 at 11:37:17PM +0100, Szab? D?niel wrote:
> Hello.
> My packet filter ruleset catched somebody on port scanning one of our host.
> He or she tryed to scan a very big port range from tcp 1 up to 32000 (think
> with nmap), but my packet filter denied his/her queries (the kernel
> generated 1 mb log in 3 minutes with the denied packets). I have his/her
> ipv4 address, and i would like to ask, what should i do know? i figured out
> from the ripe.net whois db, that the ip is owned by one of the ISP's from my
> country, is it possible, that the scanner cracked the isp's machine, then
> pushed the scan from there?

 It's a lot more likely that the person that scanned you is simply one of
the ISP's customers.  The ISP owns the IPs they assign to their customers'
machines.

 If all the guy did was scan, then don't do anything unless he does it again
or something.  If there were any signs of an actual attack, like sending
nastygrams to your web server or something, then you should contact his ISP
and show them the log.

 (My philosophy is that portscanning is more or less innocent and curiosity
driven, and so shouldn't be punished unless it causes a DoS or something.
If you feel otherwise, you might want to show the logs you have to the
scanner's ISP, with timestamp, so they can figure out who had that IP at
that time.  I think that would be going to more trouble than it's worth,
though.)


-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BCE


--  
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: Kernel 2.2.15 hole ?

2001-03-05 Thread Ethan Benson

On Mon, Mar 05, 2001 at 08:36:28AM +, [EMAIL PROTECTED] wrote:
> 
> I purposely have a policy of not upgrading software (including the
> kernel) unless there is a good reason to do so, either with new
> functionality that is required, or for security reasons. I have
> no objections to upgrading in this instance, but I was more
> concerned that a search on Debians archives did not show this
> as a security issue.

you will want to upgrade to 2.2.19 when it's available since 2.2.18 and
below have another security hole (actually two).  the first being a
race condition that allows suid executables to be ptraced; this
potentially allows for root compromise.  the other allows users to
read arbitrary memory through a bug in sysctl() (depending on the
attacker's luck they could potentially grab a password or other
sensitive information).  both are only locally exploitable.  (i know
of no exploit for the ptrace race at this time; there is a proof of
concept exploit for the sysctl() bug).  

-- 
Ethan Benson
http://www.alaska.net/~erbenson/



i've been port scanned. now what

2001-03-05 Thread Szabó Dániel

Hello.
My packet filter ruleset caught somebody port scanning one of our hosts.
He or she tried to scan a very big port range from TCP 1 up to 32000 (I think
with nmap), but my packet filter denied his/her queries (the kernel
generated 1 MB of log in 3 minutes with the denied packets). I have his/her
IPv4 address, and I would like to ask, what should I do now? I figured out
from the ripe.net whois DB that the IP is owned by one of the ISPs from my
country. Is it possible that the scanner cracked the ISP's machine, then
pushed the scan from there?

Thanks,
Daniel






Re: Anti Virus for Debian

2001-03-05 Thread Christopher Curtis

I think your best bet is here:

http://www.sophos.com/downloads/products/unix.html

They're pricey (~$1,000/yr for 10 workstations) and don't support
Linux/SPARC, but support Linux/i386, Linux/Alpha, and Solaris/SPARC, so
if you're willing to pony up the $$$ they may be the most likely source.

Chris

Mario Zuppini wrote:
> 
> I would also like to know of virus scanners especially for mail servers ie
> sendmail
> that will work on a SPARC ???
> 
> there are a few that work under i386 ie like amavis etc can be found on
> freshmeat.net
> but nothing will work under a sparc
> 
> - Original Message -
> From: "Matthew Sherborne" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, February 20, 2001 1:41 PM
> Subject: Anti Virus for Debian
> 
> > Are there any gpl or similar anti-virus programs for linux ?
> >
> > Any recommendations ?
> >
> > GBY
> >
> >
> >
> > --
> > To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> > with a subject of "unsubscribe". Trouble? Contact
> [EMAIL PROTECTED]
> >
> 
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]






Re: promiscuous eth0

2001-03-05 Thread Peter Cordes
On Mon, Mar 05, 2001 at 09:51:07AM -0800, Jeff Coppock wrote:
> Hi,
> 
> Turning on Multicast works.  I like this better than turning on promiscuous.  
> I need to figure out why this isn't turning on automagically at startup.  If 
> multicast is not set in the kernel, will that cause this?  Makes sense to me.

 Depending on your NIC, multicast might be implemented by running in promisc
mode, since some NICs can't filter multicast packets, so the kernel has to
get them all and do the filtering itself.

 If you want to test this, run  watch -n1 cat /proc/interrupts  while you
aren't doing anything with the network.  See if your card is generating
interrupts when there is network traffic that isn't to or from you (and
isn't broadcast.)  If it is, then the hardware is in promiscuous mode.

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BCE
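Peter's /proc/interrupts test, written out as an added example that is not from the thread: take two snapshots while the host itself is idle on the network and count the interrupts the NIC generated in between. The snapshots below are constructed in the single-CPU layout of a 2.2 kernel, and the threshold of 50 interrupts is an assumption; a card that is not receiving every frame on the segment should see only broadcast and multicast traffic plus whatever is addressed to it, so compare against a baseline taken with promiscuous mode definitely off.

```python
"""Compare two /proc/interrupts snapshots taken while the host is idle on
the network and report how many interrupts the NIC took in between.  Added
example, not from the thread; the snapshots are constructed in the
single-CPU layout of a 2.2 kernel and the threshold is an assumption."""

def parse_interrupts(text):
    """Map each IRQ line to (total count across CPUs, set of names on the
    line).  Handles the one-column 2.2 layout and multi-CPU layouts, where
    several counts precede the controller and device names."""
    table = {}
    for line in text.splitlines():
        if ":" not in line:
            continue                      # the "CPU0 CPU1 ..." header row
        irq, _, rest = line.partition(":")
        fields = rest.split()
        n = 0
        while n < len(fields) and fields[n].isdigit():
            n += 1                        # leading per-CPU counters
        names = {t.strip() for chunk in " ".join(fields[n:]).split(",")
                 for t in chunk.split()}
        table[irq.strip()] = (sum(int(f) for f in fields[:n]), names)
    return table

def device_interrupts(table, device):
    """Total interrupts on every IRQ line naming the device.  A NIC can
    share its line with other devices, so this is an upper bound."""
    return sum(total for total, names in table.values() if device in names)

def interrupt_delta(before, after, device):
    """Interrupts the device generated between two snapshots."""
    return (device_interrupts(parse_interrupts(after), device)
            - device_interrupts(parse_interrupts(before), device))

def looks_promiscuous(before, after, device, quiet_threshold=50):
    """True when an idle interface still took many interrupts, the symptom
    Peter describes for a card that is handed every frame on the segment.
    Broadcast and ARP traffic also raise the count, hence the threshold."""
    return interrupt_delta(before, after, device) > quiet_threshold

def live_delta(device, seconds=10):
    """Real use: read /proc/interrupts twice, `seconds` apart, on an
    otherwise idle host."""
    import time
    with open("/proc/interrupts") as f:
        first = f.read()
    time.sleep(seconds)
    with open("/proc/interrupts") as f:
        second = f.read()
    return interrupt_delta(first, second, device)

# Constructed snapshots: eth0 (IRQ 9) takes ~1600 interrupts in the
# interval although nothing was addressed to this host.
BEFORE = """\
           CPU0
  0:     731604          XT-PIC  timer
  1:       2143          XT-PIC  keyboard
  2:          0          XT-PIC  cascade
  9:      18250          XT-PIC  eth0
 14:      40211          XT-PIC  ide0
NMI:          0
ERR:          0
"""
AFTER = """\
           CPU0
  0:     732604          XT-PIC  timer
  1:       2143          XT-PIC  keyboard
  2:          0          XT-PIC  cascade
  9:      19875          XT-PIC  eth0
 14:      40230          XT-PIC  ide0
NMI:          0
ERR:          0
"""

if __name__ == "__main__":
    print("eth0 interrupts between the constructed snapshots:",
          interrupt_delta(BEFORE, AFTER, "eth0"))
    print("promiscuous?", looks_promiscuous(BEFORE, AFTER, "eth0"))
```

The timer line is a useful sanity check on the interval (100 Hz on a 2.2 x86 kernel, so 1000 ticks for the ten seconds above); the ide0 line shows what an idle device looks like.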







Re: commandlogging

2001-03-05 Thread Jacob Kuntz
from the secret journal of Izak Burger ([EMAIL PROTECTED]):
> I think you're thinking about BSD process accounting.  It provides a way
> to tell the kernel to write process information to a file.  I have never
> worked with it before, but now you have a bit more to go on :)

almost. since bsd process accounting only comes into effect when a process
exits, a trojan could exec("/bin/ls") and escape being logged. (IIRC)

-- 
Jacob Kuntz
[EMAIL PROTECTED]
http://underworld.net/~jake



Re: promiscuous eth0

2001-03-05 Thread Jeff Coppock
Hi,

Turning on Multicast works.  I like this better than turning on promiscuous.  I 
need to figure out why this isn't turning on automagically at startup.  If 
multicast is not set in the kernel, will that cause this?  Makes sense to me.

jc

On Fri, Mar 02, 2001 at 10:01:06PM +0100, Kristian F. Høgh wrote:
> Hi Jeff.
> 
> My pcmcia netcard also doesn't work when I switch on my laptop.
> When i type ifconfig it prints:
> UP BROADCAST RUNNING
> then I enable multicast (ifconfig eth0 multicast)
> It works and ifconfig prints
> UP BROADCAST RUNNING MULTICAST
> 
> Kristian F. Høgh.
> 
> 
> Jeff Coppock wrote:
> 
> > I recently installed snort on my laptop to check it out and now my pcmcia 
> > network card will pass IP only when snort is running (daemon mode or not), 
> > or I have to put my network card in promiscuous mode [#ifconfig eth0 
> > -promisc].
> >
> > I can't find any configuration that is obvious to me that would cause this, 
> > but I'm an intermediate linux user.  Any suggestions on where to look and 
> > what to look for?
> >
> > Also, what problems might using promiscuous mode cause?
> >
> > thanks,
> > jc



Re: commandlogging

2001-03-05 Thread Peter Cordes
On Mon, Mar 05, 2001 at 09:12:36AM -0500, Steve M. Robbins wrote:
> There is a package "snoopy" that uses a preloaded shared library to
> log each "exec()" call before performing it.  If it is not yet in
> Debian, you can get a package from
> 
>   deb-src http://www.punknews.org/debian ./

 If someone wanted to, they could run commands without them getting logged
by snoopy.  All you need to do is statically link the program that calls exec.
It would probably be easy to put a printk in the kernel's execve() handler,
though, and AFAIK that would get everything.

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BCE
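A way to check which binaries a preload-based logger such as snoopy can never see, as an added example that is neither from the thread nor from the snoopy project: LD_PRELOAD only takes effect when ld.so starts the program, and ld.so is only involved for executables carrying a PT_INTERP program header, which a statically linked program (the bypass Peter describes) does not have. The script walks the ELF program headers and lists files without PT_INTERP; the two sample images are constructed, not real binaries.

```python
"""List executables that an LD_PRELOAD logger cannot observe: ELF files
without a PT_INTERP segment are not started through ld.so, so a preloaded
exec() wrapper never runs inside them.  Added example, not from the thread
or the snoopy project; the sample images are constructed."""
import os
import struct
import sys

ELF_MAGIC = b"\x7fELF"
PT_INTERP = 3

def elf_uses_dynamic_loader(data):
    """True if the ELF image names a program interpreter (ld.so), i.e. it
    is started through the dynamic loader and LD_PRELOAD applies to it.
    Raises ValueError for input that is not ELF."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"       # 1 = little endian, 2 = big endian
    if ei_class == 2:                        # ELFCLASS64
        hdr = struct.unpack_from(end + "16sHHIQQQIHHHHHH", data, 0)
    elif ei_class == 1:                      # ELFCLASS32
        hdr = struct.unpack_from(end + "16sHHIIIIIHHHHHH", data, 0)
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    e_phoff, e_phentsize, e_phnum = hdr[5], hdr[9], hdr[10]
    for i in range(e_phnum):
        # p_type is the first 32-bit word of a program header in both classes
        (p_type,) = struct.unpack_from(end + "I", data, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            return True
    return False

def find_static_executables(paths):
    """The ELF files among paths that lack PT_INTERP.  Non-ELF files
    (scripts, data), directories and unreadable files are skipped."""
    static = []
    for path in paths:
        try:
            with open(path, "rb") as f:
                data = f.read()
            if not elf_uses_dynamic_loader(data):
                static.append(path)
        except (OSError, ValueError, struct.error):
            continue
    return static

def build_elf(ptypes, elf64=True):
    """Constructed minimal ELF image with the given program-header types:
    enough for the header walk above, not a loadable binary."""
    if elf64:
        ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8
        ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 2, 62, 1, 0x400000,
                           64, 0, 0, 64, 56, len(ptypes), 64, 0, 0)
        phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 5, 0, 0, 0, 0, 0, 0x1000)
                         for t in ptypes)
    else:
        ident = ELF_MAGIC + bytes([1, 1, 1, 0]) + b"\0" * 8
        ehdr = struct.pack("<16sHHIIIIIHHHHHH", ident, 2, 3, 1, 0x8048000,
                           52, 0, 0, 52, 32, len(ptypes), 40, 0, 0)
        phdrs = b"".join(struct.pack("<IIIIIIII", t, 0, 0, 0, 0, 0, 5, 0x1000)
                         for t in ptypes)
    return ehdr + phdrs

# PT_PHDR=6, PT_INTERP=3, PT_LOAD=1, PT_DYNAMIC=2: the usual dynamic layout
DYNAMIC_IMAGE = build_elf([6, 3, 1, 2])
STATIC_IMAGE = build_elf([1, 1])           # static: PT_LOAD segments only

if __name__ == "__main__":
    # Usage: python3 this.py /bin /usr/bin /usr/local/bin
    files = [os.path.join(d, f) for d in sys.argv[1:] for f in os.listdir(d)]
    for path in find_static_executables(files):
        print("static (invisible to LD_PRELOAD):", path)
```

Anything the script lists, plus any binary a user builds or uploads with -static, is outside what snoopy records, which is the gap the printk in execve() that Peter mentions would close.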



Re: [OT] install openssh 2.5.x

2001-03-05 Thread Jim Breton
On Mon, Mar 05, 2001 at 10:48:23AM -0500, K 0 wrote:
> i untarred/gunzipped it and saw no installation instructions nor configure
> scripts ... a straight make does work too.

Sounds like you got the wrong tarball.

Did you get it from this page?

http://www.openssh.com/portable.html



Re: [OT] install openssh 2.5.x

2001-03-05 Thread Bradley M Alexander
On Mon, Mar 05, 2001 at 10:48:23AM -0500, K 0 wrote:
> anyone know how to compile and install the tgz source from openssh for
> openssh 2.5.1?
> 
> i untarred/gunzipped it and saw no installation instructions nor configure
> scripts ... a straight make does work too.

You could apt-get source openssh, then from the directory, do a
debian/rules binary...

I have a question along these lines. 

I grabbed the openssh-2.5.1p1 sources and put them on a potato box. I
compiled libssl096 successfully and installed the debs. I was able to
compile ssh-2.5.1p1, but on install, it groused that it could not find
libssl095a, even though libssl096 was installed.

On my potato and woody boxes, requesting libssl095a gets libssl094, and on
my sid boxes, it gets libssl096. What can I do to change this dependency?

Thanks,

-- 
--Brad

Bradley M. Alexander, CISSP  |   Co-Chairman,
Beowulf System Admin/Security Specialist |NoVALUG/DCLUG Security SIG
Winstar Telecom  |   [EMAIL PROTECTED]
(703) 889-1049   |   [EMAIL PROTECTED]

Good judgment comes from experience. Unfortunately, the
experience usually comes from bad judgment.
--Rules of the Air, #20



Re: Kernel 2.2.15 hole ?

2001-03-05 Thread David Wright
Quoting [EMAIL PROTECTED] ([EMAIL PROTECTED]):
> On Mon, Mar 05, 2001 at 03:31:07AM -0900, Ethan Benson wrote:
> > On Thu, Mar 01, 2001 at 03:34:21AM +, Stephen Walton wrote:

> > > Has anyone seen the announcement about a root exploit
> > > in the 2.2.15 and earlier kernel versions as posted
>  
> > yes ages ago.  
>  
> > > Does this apply to the debian kernels?
> > 
> > depends what debian kernel, i think some of them had backported
> > patches, but really there is no reason to be running anything that
> > old.  upgrade to 2.2.18. 
> 
> I purposely have a policy of not upgrading software (including the
> kernel) unless there is a good reason to do so, either with new
> functionality that is required, or for security reasons. I have
> no objections to upgrading in this instance, but I was more
> concerned that a search on Debian's archives did not show this
> as a security issue.

Perhaps it's at http://www.uk.debian.org/security/2000/2612 ?
i.e. 2.2.15-3 is patched.

Cheers,

-- 
Email:  [EMAIL PROTECTED]   Tel: +44 1908 653 739  Fax: +44 1908 655 151
Snail:  David Wright, Earth Science Dept., Milton Keynes, England, MK7 6AA
Disclaimer:   These addresses are only for reaching me, and do not signify
official stationery. Views expressed here are either my own or plagiarised.











[OT] install openssh 2.5.x

2001-03-05 Thread K 0
anyone know how to compile and install the tgz source from openssh for
openssh 2.5.1?

i untarred/gunzipped it and saw no installation instructions nor configure
scripts ... a straight make does work too.

anyone got any ideas ..?


Kim















Re: Kernel 2.2.15 hole ?

2001-03-05 Thread stephen
On Mon, Mar 05, 2001 at 03:31:07AM -0900, Ethan Benson wrote:
> On Thu, Mar 01, 2001 at 03:34:21AM +, Stephen Walton wrote:
> > Hi,
> > 
> > Has anyone seen the announcement about a root exploit
> > in the 2.2.15 and earlier kernel versions as posted

 
> yes ages ago.  
 
> > Does this apply to the debian kernels?
> 
> depends what debian kernel, i think some of them had backported
> patches, but really there is no reason to be running anything that
> old.  upgrade to 2.2.18. 

I purposely have a policy of not upgrading software (including the
kernel) unless there is a good reason to do so, either with new
functionality that is required, or for security reasons. I have
no objections to upgrading in this instance, but I was more
concerned that a search on Debian's archives did not show this
as a security issue.

-- 
Stephen Walton







Re: commandlogging

2001-03-05 Thread Steve M. Robbins
On Mon, Mar 05, 2001 at 10:25:21AM +0100, Niklas Höglund wrote:
> Hi!
> I've heard that there is a kernel module that logs all commands executed
> on a machine. Anyone know where to find it?
> 
> Or maybe someone has some other idea, how to log all commands exec...?

There is a package "snoopy" that uses a preloaded shared library to
log each "exec()" call before performing it.  If it is not yet in
Debian, you can get a package from

deb-src http://www.punknews.org/debian ./

-Steve







Re: commandlogging

2001-03-05 Thread Chris Niekel
On Mon, Mar 05, 2001 at 12:18:38PM +0200, Izak Burger wrote:
> I think you're thinking about BSD process accounting.  It provides a way
> to tell the kernel to write process information to a file.  I have never
> worked with it before, but now you have a bit more to go on :)

accton(8), sa(8) et al. are in the Debian 'acct' package.

Greetings,
Chris Niekel



Re: commandlogging

2001-03-05 Thread Kristian F. Høgh
Hi.

Install acct-*.deb, then you can start accounting with
# accton /var/log/pacct

sa shows statistics per day/month ...
# sa -m | cut -c 1-10,37-
kfh 560 5937.27re 1.56cp 0avio 350k
user   cmd    clock-time   cpu   i/o   mem

Another one to try..
lastcomm [user] [command]

Accounting is not auditing. You will see the command only (and statistics), no
arguments.

Kristian Høgh.


Izak Burger wrote:

> I think you're thinking about BSD process accounting.  It provides a way
> to tell the kernel to write process information to a file.  I have never
> worked with it before, but now you have a bit more to go on :)
>
> regards,
> Izak Burger
>
> On Mon, 5 Mar 2001, Miguel Ángel Varó Giner wrote:
>
> > Niklas Höglund wrote:
> > >
> > > Hi!
> > > I've heard that there is a kernel module that logs all commands executed
> > > on a machine. Anyone know where to find it?
> > >
> > > Or maybe someone has some other idea, how to log all commands exec...?
> > >
> > > --
> > > //Regards,
> > > Niklas Höglund
> > > echo 'Win CE, Win ME, Win NT' | sed 's/.in//g;s/,//g;s/ //g'
> > >
> > > --
> > > To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> > > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
> >
> > You can see all commands executed using 'lastcomm' (in the 'acct' package).
> >
> > --
> > Miguel Ángel Varó
> > http://www.dlsi.ua.es/
> >
> >
> > --
> > To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
> >
> >
>
> --
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> Izak Burger ([EMAIL PROTECTED])
> http://www.linuxuser.co.za/
> Tel. +27 21 808 4863
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> Every time Microsoft use the word "smart," look out for something dumb.
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
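To make Kristian's "accounting is not audit" point concrete, an added example that is not from the thread or from the acct package: a decoder for raw pacct records. It assumes the 64-byte struct acct_v3 layout that kernels built with CONFIG_BSD_PROCESS_ACCT_V3 write (the 2.2 kernels discussed above used the older struct acct layout, so it would not read their files), and the two records are constructed rather than captured. Each record holds a 16-byte command name, ids, times and a few flags, and is written only when the process exits; there is no argv field to recover, and the name stored is the one the process had at exit, which is Jacob's point about a program that exec()s /bin/ls.

```python
"""Decode raw BSD process-accounting records to show what accton(8) really
stores: a 16-byte command name, ids, times and flags, no arguments, and
nothing until the process has exited.  Added example, not from the thread
or the acct package.  Assumes the 64-byte struct acct_v3 layout written by
kernels built with CONFIG_BSD_PROCESS_ACCT_V3; the records are constructed."""
import struct
from datetime import datetime, timezone

ACCT_V3 = struct.Struct("<BBHIIIIIIfHHHHHHHH16s")   # 64 bytes, little endian
AHZ = 100                                           # accounting ticks per second
FLAGS = {0x01: "F",   # AFORK: forked but never exec'd
         0x02: "S",   # ASU:   used superuser privileges
         0x08: "D",   # ACORE: dumped core
         0x10: "X"}   # AXSIG: killed by a signal

def decode_comp_t(v):
    """comp_t packs a 13-bit mantissa with a 3-bit base-8 exponent."""
    return (v & 0x1FFF) << (3 * (v >> 13))

def encode_comp_t(value):
    """Inverse of decode_comp_t, used only to build the constructed records;
    large values lose their low bits exactly as the kernel's encoding does."""
    exp = 0
    while value > 0x1FFF:
        value >>= 3
        exp += 1
    return (exp << 13) | value

def parse_record(raw):
    (flag, version, tty, exitcode, uid, gid, pid, ppid, btime, etime,
     utime, stime, mem, io, rw, minflt, majflt, swaps, comm) = ACCT_V3.unpack(raw)
    return {
        "comm": comm.split(b"\0", 1)[0].decode("ascii", "replace"),
        "uid": uid, "gid": gid, "pid": pid, "ppid": ppid,
        "flags": "".join(ch for bit, ch in sorted(FLAGS.items()) if flag & bit),
        "exitcode": exitcode,
        "started": datetime.fromtimestamp(btime, timezone.utc),
        "elapsed_s": etime / AHZ,
        "user_s": decode_comp_t(utime) / AHZ,
        "sys_s": decode_comp_t(stime) / AHZ,
    }

def parse_pacct(data):
    """All records in a pacct file image, in the order the kernel wrote
    them, which is exit order rather than start order."""
    return [parse_record(data[i:i + ACCT_V3.size])
            for i in range(0, len(data) - ACCT_V3.size + 1, ACCT_V3.size)]

def make_record(comm, uid, pid, ppid, btime, etime_ticks, utime_ticks,
                stime_ticks, flag):
    """Constructed record; real ones come from the file given to accton."""
    return ACCT_V3.pack(flag, 3, 0, 0, uid, 0, pid, ppid, btime, float(etime_ticks),
                        encode_comp_t(utime_ticks), encode_comp_t(stime_ticks),
                        0, 0, 0, 0, 0, 0, comm.encode()[:16].ljust(16, b"\0"))

# Constructed: a 'perl -e ...' one-liner run as uid 1000 (the arguments are
# simply not recorded), then an su session that used root privileges.
SAMPLE_PACCT = (
    make_record("perl", 1000, 4242, 4100, 983786400, 150, 12, 3, 0x00)
    + make_record("su", 1000, 4250, 4100, 983786500, 9000, 1, 2, 0x02)
)

if __name__ == "__main__":
    # Real use: parse_pacct(open("/var/log/account/pacct", "rb").read())
    for r in parse_pacct(SAMPLE_PACCT):
        print("%-16s uid=%-5d pid=%-6d flags=%-2s start=%s elapsed=%.2fs" % (
            r["comm"], r["uid"], r["pid"], r["flags"], r["started"], r["elapsed_s"]))
```

The S flag is the one worth alerting on for an ordinary user's processes; everything else here is capacity data, which is what the tool was built for.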







Re: Kernel 2.2.15 hole ?

2001-03-05 Thread Ethan Benson
On Thu, Mar 01, 2001 at 03:34:21AM +, Stephen Walton wrote:
> Hi,
> 
> Has anyone seen the announcement about a root exploit
> in the 2.2.15 and earlier kernel versions as posted
> on sendmail's site at
> 
> http://www.sendmail.org/sendmail.8.10.1.LINUX-SECURITY.txt

yes ages ago.  

> Does this apply to the debian kernels?

depends what debian kernel, i think some of them had backported
patches, but really there is no reason to be running anything that
old.  upgrade to 2.2.18. 

-- 
Ethan Benson
http://www.alaska.net/~erbenson/


















Re: commandlogging

2001-03-05 Thread Izak Burger
I think you're thinking about BSD process accounting.  It provides a way
to tell the kernel to write process information to a file.  I have never
worked with it before, but now you have a bit more to go on :)

regards,
Izak Burger

On Mon, 5 Mar 2001, Miguel Ángel Varó Giner wrote:

> Niklas Höglund wrote:
> > 
> > Hi!
> > I've heard that there is a kernel module that logs all commands executed
> > on a machine. Anyone know where to find it?
> > 
> > Or maybe someone has some other idea, how to log all commands exec...?
> > 
> > --
> > //Regards,
> > Niklas Höglund
> > echo 'Win CE, Win ME, Win NT' | sed 's/.in//g;s/,//g;s/ //g'
> > 
> > --
> > To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
> 
> You can see all commands executed using 'lastcomm' (in the 'acct' package).
> 
> --
> Miguel Ángel Varó
> http://www.dlsi.ua.es/
> 
> 
> --  
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
> 
> 

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Izak Burger ([EMAIL PROTECTED])
http://www.linuxuser.co.za/
Tel. +27 21 808 4863
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Every time Microsoft use the word "smart," look out for something dumb.



Re: commandlogging

2001-03-05 Thread Miguel Ángel Varó Giner
Niklas Höglund wrote:
> 
> Hi!
> > I've heard that there is a kernel module that logs all commands executed
> on a machine. Anyone know where to find it?
> 
> Or maybe someone has some other idea, how to log all commands exec...?
> 
> --
> //Regards,
> Niklas Höglund
> echo 'Win CE, Win ME, Win NT' | sed 's/.in//g;s/,//g;s/ //g'
> 
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

You can see all commands executed using 'lastcomm' (in the 'acct' package).

--
Miguel Ángel Varó
http://www.dlsi.ua.es/



Kernel 2.2.15 hole ?

2001-03-05 Thread Stephen Walton
Hi,

Has anyone seen the announcement about a root exploit
in the 2.2.15 and earlier kernel versions as posted
on sendmail's site at

http://www.sendmail.org/sendmail.8.10.1.LINUX-SECURITY.txt

Does this apply to the debian kernels?

--
Stephen Walton



commandlogging

2001-03-05 Thread Niklas Höglund
Hi!
I've heard that there is a kernel module that logs all commands executed
on a machine. Anyone know where to find it?

Or maybe someone has some other idea, how to log all commands exec...?

-- 
//Regards,
Niklas Höglund
echo 'Win CE, Win ME, Win NT' | sed 's/.in//g;s/,//g;s/ //g'







Re: promiscuous eth0

2001-03-05 Thread Jaan Sarv
> Also, paranoid network administrators might be a little upset by it, since
> Linux sends out a frame indicating it is switching into (or out
> of) promiscuous mode. This is possible evidence that you're running a
> sniffer of some kind (such as snort).

Hi,

How can I recognize such frames/packets? I know this isn't a very effective
method when trying to discover sniffers, but worth a shot.

Is there a way to disable those frames/packets?

Jaan

a bit paranoid :)










