Re: chkrootkit - possible bad news

31337 - are you running portsentry on that machine?

Quote from the www.chkrootkit.org site:

  I'm running PortSentry/klaxon. What's wrong with the bindshell test?

  If you're running PortSentry/klaxon or another program that binds itself
  to unused ports, probably chkrootkit will give you a false positive on the
  bindshell test (ports 114/tcp, 465/tcp, 511/tcp, 1008/tcp, 1524/tcp,
  1999/tcp, 3879/tcp, 5665/tcp, 10008/tcp, 12321/tcp, 23132/tcp, 27374/tcp,
  29364/tcp, 31336/tcp, 31337/tcp, 45454/tcp, 47017/tcp, 47889/tcp,
  60001/tcp).

----- Original Message -----
From: "Greg" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, February 24, 2004 8:53 AM
Subject: chkrootkit - possible bad news

> I am running Debian on a Dec Alpha PC164.
>
> I decided to run chkrootkit and was surprised by the following line.
>
> Checking `bindshell'... INFECTED (PORTS: 1524 31337)
>
> I am not sure how to interpret this. I have checked logs, as well as binary
> checks and everything "seems" fine. Can someone help me interpret the logs.
> I will attach them at the tail of the email in case they may be helpful.
>
> I don't know what my next step would be. If indeed I have been 'rooted'
> then I should obviously format and rebuild the server.
>
> Thanks in advance.
>
> Greg MEATPLOW
>
> #
> #chkrootkit
>
> alpha:~# chkrootkit
> ROOTDIR is `/'
> Checking `amd'... not found
> Checking `basename'... not infected
> Checking `biff'... not found
> Checking `chfn'... not infected
> Checking `chsh'... not infected
> Checking `cron'... not infected
> Checking `date'... not infected
> Checking `du'... not infected
> Checking `dirname'... not infected
> Checking `echo'... not infected
> Checking `egrep'... not infected
> Checking `env'... not infected
> Checking `find'... not infected
> Checking `fingerd'... not found
> Checking `gpm'... not found
> Checking `grep'... not infected
> Checking `hdparm'... not found
> Checking `su'... not infected
> Checking `ifconfig'... not infected
> Checking `inetd'... not infected
> Checking `inetdconf'... not infected
> Checking `identd'... not found
> Checking `killall'... not found
> Checking `ldsopreload'... not infected
> Checking `login'... not infected
> Checking `ls'... not infected
> Checking `lsof'... not found
> Checking `mail'... not infected
> Checking `mingetty'... not found
> Checking `netstat'... not infected
> Checking `named'... not infected
> Checking `passwd'... not infected
> Checking `pidof'... not infected
> Checking `pop2'... not found
> Checking `pop3'... not found
> Checking `ps'... not infected
> Checking `pstree'... not found
> Checking `rpcinfo'... not infected
> Checking `rlogind'... not found
> Checking `rshd'... not found
> Checking `slogin'... not infected
> Checking `sendmail'... not infected
> Checking `sshd'... not infected
> Checking `syslogd'... not infected
> Checking `tar'... not infected
> Checking `tcpd'... not infected
> Checking `top'... not infected
> Checking `telnetd'... not found
> Checking `timed'... not found
> Checking `traceroute'... not infected
> Checking `write'... not infected
> Checking `aliens'...
> /dev/st- /dev/sto
> Searching for sniffer's logs, it may take a while... nothing found
> Searching for HiDrootkit's default dir... nothing found
> Searching for t0rn's default files and dirs... nothing found
> Searching for t0rn's v8 defaults... nothing found
> Searching for Lion Worm default files and dirs... nothing found
> Searching for RSHA's default files and dir... nothing found
> Searching for RH-Sharpe's default files... nothing found
> Searching for Ambient's rootkit (ark) default files and dirs... nothing found
> Searching for suspicious files and dirs, it may take a while... nothing found
> Searching for LPD Worm files and dirs... nothing found
> Searching for Ramen Worm files and dirs... nothing found
> Searching for Maniac files and dirs... nothing found
> Searching for RK17 files and dirs... nothing found
> Searching for Ducoci rootkit... nothing found
> Searching for Adore Worm... nothing found
> Searching for ShitC Worm... nothing found
> Searching for Omega Worm... nothing found
> Searching for Sadmind/IIS Worm... nothing found
> Searching for MonKit... nothing found
> Searching for anomalies in shell history files... nothing found
> Checking `asp'... not infected
> Checking `bindshell'... INFECTED (PORTS: 1524 31337)
> Checking `lkm'... nothing detected
> Checking `rexedcs'... not found
> Checking `sniffer'... eth0 is not promisc
> Checking `wted'... nothing deleted
> Checking `z2'... nothing deleted
Re: chkrootkit - possible bad news

Maybe you have installed "fakebo"?

Billy
Re: chkrootkit - possible bad news

You might not be hacked after all. Read this:
http://www.webhostgear.com/25.html

Also some googling might help ;-)
http://www.google.ro/search?q=%27bindshell%27...+INFECTED+%28PORTS%3A++1524+31337&ie=UTF-8&oe=UTF-8&hl=ro&btnG=Caut%C4%83&meta=

Looks like there are a lot of false positives on it. Still, you should do a
tripwire (or any other file checking) test if you have a previous record to
match against. Nmap should give you a good idea about opened ports. Logs?
Probably there are some other things you can do... but this is what crosses
my mind now.

Regards,
S

At 08:53 AM 2/24/2004, Greg wrote:
> I am running Debian on a Dec Alpha PC164.
>
> I decided to run chkrootkit and was surprised by the following line.
>
> Checking `bindshell'... INFECTED (PORTS: 1524 31337)
>
> I am not sure how to interpret this. I have checked logs, as well as binary
> checks and everything "seems" fine. Can someone help me interpret the logs.
> I will attach them at the tail of the email in case they may be helpful.
>
> I don't know what my next step would be. If indeed I have been 'rooted'
> then I should obviously format and rebuild the server.
>
> Thanks in advance.
>
> Greg MEATPLOW
>
> [...]
Re: chkrootkit - possible bad news

On Tuesday 24 February 2004 07:53, Greg wrote:
> I am running Debian on a Dec Alpha PC164.
>
> I decided to run chkrootkit and was surprised by the following line.
>
> Checking `bindshell'... INFECTED (PORTS: 1524 31337)

Try a nmap port scan from the outside to your ip address. If those ports are
open but netstat doesn't show them as LISTENING, chances are your netstat is
modified to hide the connections.

You may also want to run chkrootkit when booted from single user mode.

Regards,
Ricardo.

> I am not sure how to interpret this. I have checked logs, as well as
> binary checks and everything "seems" fine. Can someone help me interpret
> the logs. I will attach them at the tail of the email in case they may be
> helpful.
>
> I don't know what my next step would be. If indeed I have been 'rooted'
> then I should obviously format and rebuild the server.
>
> Thanks in advance.
>
> Greg MEATPLOW
>
> [...]
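The replies above boil down to one question: which process owns the ports chkrootkit flagged? The following is an added triage helper written for this thread (it is not part of chkrootkit or of any post here). It parses the INFECTED (PORTS: ...) line, reads /proc/net/tcp directly rather than trusting the netstat binary (which, as Ricardo notes, may have been replaced; a kernel-level rootkit could still hide entries there), and maps each LISTEN socket to its owning process through /proc/<pid>/fd. The /proc/net/tcp sample and the chkrootkit line are constructed.

```python
"""Triage a chkrootkit `bindshell' hit by finding who owns the flagged ports."""
import glob
import os
import re
import sys

# Ports probed by chkrootkit's bindshell test, as listed in the chkrootkit FAQ
# quoted in the thread. PortSentry/klaxon bound to one of them is the textbook
# false positive.
BINDSHELL_PORTS = {114, 465, 511, 1008, 1524, 1999, 3879, 5665, 10008, 12321,
                   23132, 27374, 29364, 31336, 31337, 45454, 47017, 47889, 60001}

TCP_LISTEN = "0A"  # socket state code used in /proc/net/tcp

# Constructed /proc/net/tcp sample: a listener on 22 (0x0016), a listener on
# 1524 (0x05F4), an established session, and nothing on 31337 (0x7A69).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4100 1 00000000 100 0 0 10 0
   1: 00000000:05F4 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4101 1 00000000 100 0 0 10 0
   2: 0A000001:0016 0A000002:C3A1 01 00000000:00000000 00:00000000 00000000     0        0 4102 1 00000000 100 0 0 10 0
"""

# Constructed chkrootkit line, matching the one reported in the thread.
SAMPLE_CHKROOTKIT = "Checking `bindshell'... INFECTED (PORTS:  1524 31337)"


def parse_bindshell_line(output):
    """Return the ports chkrootkit flagged, e.g. [1524, 31337]; [] if clean."""
    m = re.search(r"Checking `bindshell'\.\.\. INFECTED \(PORTS:\s*([\d\s]+)\)", output)
    return [int(p) for p in m.group(1).split()] if m else []


def parse_proc_net_tcp(text):
    """Yield (local_port, state, inode) per socket line; the header line is skipped."""
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        port = int(f[1].rsplit(":", 1)[1], 16)   # local_address is hex "ip:port"
        yield port, f[3], int(f[9])


def listeners_on(ports, proc_tcp_text):
    """Map each flagged port to the inode of its LISTEN socket, or None."""
    listening = {p: ino for p, st, ino in parse_proc_net_tcp(proc_tcp_text) if st == TCP_LISTEN}
    return {p: listening.get(p) for p in ports}


def owner_of_inode(inode):
    """Best effort: (pid, comm) of the process whose fd table holds the socket. Needs root."""
    target = "socket:[%d]" % inode
    for fd in glob.glob("/proc/[0-9]*/fd/*"):
        try:
            if os.readlink(fd) == target:
                pid = int(fd.split("/")[2])
                with open("/proc/%d/comm" % pid) as f:
                    return pid, f.read().strip()
        except OSError:
            continue
    return None


def triage(chkrootkit_output, proc_tcp_text, resolve_owner=False):
    """Per flagged port: 'listening' (with owner if resolvable) or 'not in socket table'."""
    report = {}
    for port, inode in listeners_on(parse_bindshell_line(chkrootkit_output), proc_tcp_text).items():
        if inode is None:
            # Flagged, yet absent from the kernel's own table now: a short-lived
            # listener, or something hiding at a level this check cannot see.
            report[port] = ("not in socket table", None)
        else:
            owner = owner_of_inode(inode) if resolve_owner else None
            report[port] = ("listening", owner)
    return report


if __name__ == "__main__":
    # Real use: chkrootkit output on stdin, live /proc/net/tcp, run as root.
    with open("/proc/net/tcp") as f:
        live = f.read()
    for port, (state, owner) in triage(sys.stdin.read(), live, resolve_owner=True).items():
        print("%5d  %-20s %s" % (port, state, owner or ""))
```

A port that resolves to portsentry (or another trap daemon) is the false positive the FAQ describes; a port owned by an unfamiliar process, or one that the socket table no longer shows, is what the file-integrity check S suggested should be run against.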
chkrootkit - possible bad news

I am running Debian on a Dec Alpha PC164.

I decided to run chkrootkit and was surprised by the following line.

Checking `bindshell'... INFECTED (PORTS: 1524 31337)

I am not sure how to interpret this. I have checked logs, as well as binary
checks and everything "seems" fine. Can someone help me interpret the logs.
I will attach them at the tail of the email in case they may be helpful.

I don't know what my next step would be. If indeed I have been 'rooted'
then I should obviously format and rebuild the server.

Thanks in advance.

Greg MEATPLOW

#
#chkrootkit

alpha:~# chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not found
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not infected
Checking `inetdconf'... not infected
Checking `identd'... not found
Checking `killall'... not found
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not found
Checking `mail'... not infected
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not found
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `write'... not infected
Checking `aliens'...
/dev/st- /dev/sto
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while... nothing found
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... INFECTED (PORTS: 1524 31337)
Checking `lkm'... nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... eth0 is not promisc
Checking `wted'... nothing deleted
Checking `z2'... nothing deleted
Re: 2.2 Kernel Fix

On Fri, Feb 20, 2004 at 09:56:12AM +0100, Dariush Pietrzak wrote:
> > 2.2 series of kernels, since they're apparently vulnerable too?
> You can find the patch on bugtraq/isec/etc, attached is a peek at it

Don't use this one! This one produces kernel panics after a few hours on my
systems. I suggest using the one from the 2.2.25-ow2 patch. You can find it
at http://www.openwall.com/linux (mentioned that also in another thread).

Sven
--
If God passed a mic to me to speak
I'd say stay in bed, world
Sleep in peace
[The Cardigans - No sleep]
Re: Could DSA 438 apply to 2.4.22 images from woody-proposed-updates

On Mon, Feb 23, 2004 at 12:01:02PM +0100, Xavier Poinsard wrote:
> I suppose the DSA-438 is applying to kernel 2.4.22 images from
> woody-proposed-updates which have not been updated.
> Is this planned or is it safer not to use images from woody-proposed-updates?

The security team doesn't update proposed-updates. (p-u is a "use at your
own risk" section of the archive.) Talk to whoever put the package together.

Mike Stone
Re: Tripwire (clone) which would you prefer?

> samhain (in unstable, should be easy to backport) which has some
> interesting features.

And those interesting features should make you cautious before you deploy
samhain in a production environment. I find it rather intrusive.

--
Dariush Pietrzak,
Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Could DSA 438 apply to 2.4.22 images from woody-proposed-updates

Hi all,

I suppose the DSA-438 is applying to kernel 2.4.22 images from
woody-proposed-updates which have not been updated.
Is this planned or is it safer not to use images from woody-proposed-updates?

Thanks.
Re: Tripwire (clone) which would you prefer?

On Mon, Feb 23, 2004 at 10:42:05AM +0100, Jan Lühr wrote:
> Greetings,
>
> well, I'm looking for an open source intrusion detection. At first, tripwire
> captures my attention, but the last open source version seems to be three
> years old - is it still in development or badly vulnerable?
> Then I searched for tripwire in the woody packages and found integrit and
> bsign - so which would you prefer and why?
> Are there any interesting other projects that are worth looking for?

Besides aide (which is nice, and has already been mentioned) there is also
samhain (in unstable, should be easy to backport) which has some interesting
features.

Regards

Javi
Re: Tripwire (clone) which would you prefer?

Also see this page for a useful comparison between AIDE and tripwire:
http://www.fbunet.de/aide.shtml

Cheers,
Richard

--
Richard Atterer | GnuPG key: 0x888354F7
http://atterer.net
Re: Tripwire (clone) which would you prefer?

> I did a survey of integrity checkers. I didn't find bsign then, but

I'd vote against bsign - it modifies original binaries, thus rendering debian
md5 sums useless. (It would be great if one could get packages with
bsign-signed binaries, signed by DDs or release team.)

I prefer integrit, it's very convenient - and convenience comes with a price -
in default mode of operation it updates your md5sums, so you can run it and
get incremental notifications about what changes in your system. That might
not be what you want.

--
Dariush Pietrzak,
Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
RE: Tripwire (clone) which would you prefer?

Hello,

Actually I'm using Integrit with Coda. I store the binary and the database on
a read-only coda mount (you can't mount it rw unless you know the coda
password), and it's really fast and reliable. So my vote is Integrit, btw you
should check all of them and then make a decision for your needs.

Best regards,
Domonkos Czinke

-----Original Message-----
From: Jan Lühr [mailto:[EMAIL PROTECTED]
Sent: Monday, February 23, 2004 10:42 AM
To: debian-security@lists.debian.org
Subject: Tripwire (clone) which would you prefer?

Greetings,

well, I'm looking for an open source intrusion detection. At first, tripwire
captures my attention, but the last open source version seems to be three
years old - is it still in development or badly vulnerable?
Then I searched for tripwire in the woody packages and found integrit and
bsign - so which would you prefer and why?
Are there any interesting other projects that are worth looking for?

Keep smiling
yanosz
Re: Tripwire (clone) which would you prefer?

On Monday, 2004-02-23 at 10:42:05 +0100, Jan Lühr wrote:
> well, I'm looking for an open source intrusion detection. At first, tripwire
> captures my attention, but the last open source version seems to be three
> years old - is it still in development or badly vulnerable?
> Then I searched for tripwire in the woody packages and found integrit and
> bsign - so which would you prefer and why?
> Are there any interesting other projects that are worth looking for?

Stable != bad, ask the Debian project :-P

I'm using a combination of Tripwire and AIDE. Before I decided on that, I did
a survey of integrity checkers. I didn't find bsign then, but integrit. At
that time 3.00.05 was most current. It did not offer a variety of hashes, only
SHA1. It offered no database integrity like Tripwire does (and seemingly AIDE
now, too). In general it was one of the better tools, but not as flexible and
versatile as AIDE and Tripwire.

HTH,
Lupe Christoph
--
| [EMAIL PROTECTED] | http://www.lupe-christoph.de/ |
| "Violence is the resort of the violent" Lu Tze |
| "Thief of Time", Terry Pratchett |
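Two design points recur in this thread: Lupe's "database integrity" (a baseline that an intruder cannot quietly rewrite) and Dariush's warning that integrit updates its checksums in its default mode. The added example below is a minimal checker in the Tripwire/AIDE mould, written for this thread and not code from any of those projects: the baseline is authenticated with an HMAC over its canonical JSON form, re-baselining is a separate explicit step, and a database that fails the HMAC is refused. The key and the scratch tree in demo() are constructed; a real key belongs on read-only media, as Domonkos does with his Coda mount.

```python
"""Minimal file-integrity checker with an authenticated baseline database."""
import hashlib
import hmac
import json
import os
import stat
import tempfile


def file_record(path):
    """Hash the file contents and capture the metadata a rootkit would change."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}


def scan(root):
    """Record every regular file under root, keyed by its path relative to root."""
    records = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if os.path.islink(p):
                continue
            records[os.path.relpath(p, root)] = file_record(p)
    return records


def _canonical(records):
    return json.dumps(records, sort_keys=True, separators=(",", ":")).encode()


def save_db(records, key, db_path):
    """Explicit baseline/update step: write records plus an HMAC over them."""
    tag = hmac.new(key, _canonical(records), hashlib.sha256).hexdigest()
    with open(db_path, "w") as f:
        json.dump({"records": records, "hmac": tag}, f)


def load_db(key, db_path):
    """Refuse a database whose HMAC does not verify under our key."""
    with open(db_path) as f:
        blob = json.load(f)
    expected = hmac.new(key, _canonical(blob["records"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, blob["hmac"]):
        raise ValueError("baseline database failed HMAC check: do not trust it")
    return blob["records"]


def compare(baseline, current):
    """Report added, removed and changed paths; never touches the baseline."""
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "changed": sorted(p for p in set(baseline) & set(current)
                              if baseline[p] != current[p])}


def check(root, key, db_path):
    return compare(load_db(key, db_path), scan(root))


def demo():
    """Constructed scenario: baseline a scratch tree, alter a file, tamper with the db."""
    key = b"example-key-keep-this-offline"  # constructed; keep the real one off the host
    with tempfile.TemporaryDirectory() as tmp:
        tree, db = os.path.join(tmp, "tree"), os.path.join(tmp, "baseline.json")
        for name, data in (("bin/ls", b"original ls"), ("etc/inetd.conf", b"# empty")):
            os.makedirs(os.path.dirname(os.path.join(tree, name)), exist_ok=True)
            with open(os.path.join(tree, name), "wb") as f:
                f.write(data)
        save_db(scan(tree), key, db)        # the one explicit baseline step
        clean = check(tree, key, db)
        with open(os.path.join(tree, "bin/ls"), "wb") as f:
            f.write(b"replaced ls")         # same path, different contents
        after_edit = check(tree, key, db)
        # Someone without the key rewrites the baseline to match the new tree:
        # the next check must reject the database rather than report "clean".
        save_db(scan(tree), b"wrong-key", db)
        try:
            check(tree, key, db)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return {"clean": clean, "after_edit": after_edit, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(demo())
```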
RE: Tripwire (clone) which would you prefer?

I have used AIDE (Advanced Intrusion Detection Environment) both in production
use and when I've been an instructor on unix security courses I've made the
students learn to use it, because it's really simple and easy to use. Even
though it's quite simple, I don't see it lacking anything important in
qualities.

TONI HEINONEN
TELEWARE OY
Tel. +358 40 836 1815
Itäkeskuksen Maamerkki
00930 Helsinki, Finland
[EMAIL PROTECTED] * www.teleware.fi

> -----Original Message-----
> From: Jan Lühr [mailto:[EMAIL PROTECTED]
> Sent: Monday, February 23, 2004 11:42 AM
> To: debian-security@lists.debian.org
> Subject: Tripwire (clone) which would you prefer?
>
> Greetings,
>
> well, I'm looking for an open source intrusion detection. At first, tripwire
> captures my attention, but the last open source version seems to be three
> years old - is it still in development or badly vulnerable?
> Then I searched for tripwire in the woody packages and found integrit and
> bsign - so which would you prefer and why?
> Are there any interesting other projects that are worth looking for?
>
> Keep smiling
> yanosz
Tripwire (clone) which would you prefer?

Greetings,

well, I'm looking for an open source intrusion detection. At first, tripwire
captures my attention, but the last open source version seems to be three
years old - is it still in development or badly vulnerable?
Then I searched for tripwire in the woody packages and found integrit and
bsign - so which would you prefer and why?
Are there any interesting other projects that are worth looking for?

Keep smiling
yanosz
Re: Call for testers (putting SSP in Debian)

On Mon, Feb 23, 2004 at 12:46:59AM +0100, Thomas Sjögren wrote:
> with gcc-3.3 (1:3.3.3ds4-0pre4) the maintainers updated the SSP patch.

That's great news.

> It is not however applied by default.
> I submitted a bug report [1] about this, but the problem is that my
> experience with GCC w. SSP is only on the x86 arch. So if you got any
> experience with it on different archs please read the bug reports (see
> the urls below) and send your info so that the Debian GCC-maintainers have
> enough info to make a good decision about applying the patch.

For what it's worth I've made a version of GCC with the SSP patches enabled
available for Debian here:

http://people.debian.org/~skx/apt.html

Description here:

http://shellcode.org/Cat/

I'll try to get these updated with the new patch included in case people wish
to try these out in a simple manner. (i386 only, sadly).

Steve
--
# Debian Security Audit Project
http://www.shellcode.org/Audit/