Re: Log file IDS package?
On Wednesday, 2005-01-12 at 16:57:41 +1100, Andrew Pollock wrote:

> Is there software in Debian that will do something along the lines of a tail
> -f of a given logfile, looking for supplied regexes and do custom actions on
> matches?

I'm using swatch. But swatch can only limit the number of actions performed on a match, not perform an action if a count is exceeded. That would need to be done in the script called when a match is found.

HTH,
Lupe Christoph
-- 
| [EMAIL PROTECTED] | http://www.lupe-christoph.de/ |
| Ask not what your computer can do for you    |
| ask what you can do for your computer.       |

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Log file IDS package?
Hi,

I've done some cursory apt-cache searching, and nothing's jumped out at me...

Is there software in Debian that will do something along the lines of a tail -f of a given logfile, looking for supplied regexes and do custom actions on matches?

I want to tarpit excessive SSH login failures.

regards

Andrew
-- 
linux.conf.au 2005   -  http://linux.conf.au/  -  Birthplace of Tux
April 18th to 23rd   -  http://linux.conf.au/  -  LINUX
Canberra, Australia  -  http://linux.conf.au/  -  Get bitten!
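The counting that Lupe's reply says swatch leaves to the called script (fire an action only once failures from one source exceed a threshold) is straightforward to do in the watcher itself. The following is an added example, not code from this thread or from swatch: it follows a log file like `tail -f`, matches OpenSSH "Failed password" lines, keeps a sliding window of hits per source IP, and calls an action callback when the threshold is reached. The log lines, timestamps, threshold and the `action` hook are all constructed for the example; the callback is where a real deployment would add the tarpit or firewall rule.

```python
import re
import sys
import time
from collections import defaultdict, deque

# Matches the "Failed password" line sshd writes to auth.log (password auth,
# valid or invalid user).  The syslog prefix is skipped; only the source IP is needed.
FAILED_LOGIN_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failed_login(line):
    """Return the source IP of a failed SSH login line, or None if the line is not one."""
    m = FAILED_LOGIN_RE.search(line)
    return m.group("ip") if m else None


class FailureCounter:
    """Count failures per source IP over a sliding window of `window` seconds and
    run `action(ip)` when `threshold` hits fall inside the window.  This is the
    "act when a count is exceeded" logic that swatch itself does not provide."""

    def __init__(self, threshold=5, window=60.0, action=None):
        self.threshold = threshold
        self.window = window
        self.action = action or (lambda ip: None)
        self._hits = defaultdict(deque)  # ip -> timestamps of recent failures

    def feed(self, line, now=None):
        """Process one log line.  Returns the IP if the action fired, else None.
        `now` is seconds since epoch; it defaults to the wall clock."""
        ip = parse_failed_login(line)
        if ip is None:
            return None
        now = time.time() if now is None else now
        hits = self._hits[ip]
        hits.append(now)
        # Drop timestamps that have fallen out of the window.
        while hits and now - hits[0] > self.window:
            hits.popleft()
        if len(hits) >= self.threshold:
            hits.clear()  # restart the count so one burst fires the action once
            self.action(ip)
            return ip
        return None


def follow(path, poll=1.0):
    """Yield lines appended to `path` after we start, like `tail -f`."""
    with open(path, "r") as f:
        f.seek(0, 2)  # start at end of file
        while True:
            line = f.readline()
            if line:
                yield line.rstrip("\n")
            else:
                time.sleep(poll)


# Constructed sample lines (not from the thread).  192.0.2.10 fails three times
# within a few seconds, then twice more well outside the window.
SAMPLE_LOG = [
    "Jan 12 16:57:41 host sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2",
    "Jan 12 16:57:42 host sshd[1202]: Failed password for root from 192.0.2.10 port 40002 ssh2",
    "Jan 12 16:57:43 host sshd[1203]: Accepted publickey for andrew from 198.51.100.7 port 51000 ssh2",
    "Jan 12 16:57:44 host sshd[1204]: Failed password for root from 192.0.2.10 port 40003 ssh2",
    "Jan 12 16:57:45 host sshd[1205]: Failed password for invalid user test from 203.0.113.9 port 40010 ssh2",
    "Jan 12 16:59:50 host sshd[1206]: Failed password for root from 192.0.2.10 port 40004 ssh2",
    "Jan 12 16:59:51 host sshd[1207]: Failed password for root from 192.0.2.10 port 40005 ssh2",
    "Jan 12 17:01:01 host sshd[1208]: Failed password for root from 192.0.2.10 port 40006 ssh2",
]
# Seconds relative to the first line, matching the constructed timestamps above.
SAMPLE_TIMES = [0, 1, 2, 3, 4, 129, 130, 200]


def run_sample(threshold=3, window=60.0):
    """Feed the constructed lines through the counter; return the IPs that fired."""
    fired = []
    counter = FailureCounter(threshold=threshold, window=window, action=fired.append)
    for line, t in zip(SAMPLE_LOG, SAMPLE_TIMES):
        counter.feed(line, now=t)
    return fired


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live mode: python watcher.py /var/log/auth.log
        counter = FailureCounter(action=lambda ip: print("threshold reached for", ip))
        for line in follow(sys.argv[1]):
            counter.feed(line)
    else:
        print("fired for:", run_sample())
```

With the constructed input, only the first burst from 192.0.2.10 triggers the action: the two later hits at 129 s and 130 s are expired by the time the hit at 200 s arrives, so the count never reaches three again. Run it with a path argument to follow a real log.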
kdelibs3 security update with new dependencies?!
Hello list,

I'm running a Woody box here with a partial KDE install. It seems like the security team messed up the dependencies of kdelibs3 when they built the recent security update for CAN-2004-1165:

$ sudo apt-get upgrade
Reading Package Lists...
Building Dependency Tree...
The following packages have been kept back
  kdelibs3
0 packages upgraded, 0 newly installed, 0 to remove and 1 not upgraded.

$ sudo apt-get -s install kdelibs3
Reading Package Lists...
Building Dependency Tree...
The following extra packages will be installed:
  libarts libglib2.0-0 nas-lib
The following NEW packages will be installed:
  libarts libglib2.0-0 nas-lib
1 packages upgraded, 3 newly installed, 0 to remove and 0 not upgraded.

$ dpkg -s kdelibs3
Package: kdelibs3
Status: install ok installed
Priority: optional
Section: libs
Installed-Size: 23972
Maintainer: Christopher L Cheney <[EMAIL PROTECTED]>
Source: kdelibs
Version: 4:2.2.2-13.woody.12
Depends: libbz2-1.0, libc6 (>= 2.2.4-4), libfam0, libjpeg62, libpcre3, libpng2 (>= 1.0.12), libqt2 (>= 3:2.3.1-1), libstdc++2.10-glibc2.2 (>= 1:2.95.4-0.010810), libtiff3g, libxml2 (>= 2.4.19-4), libxslt1 (>= 1.0.16), xlibs (>> 4.1.0), zlib1g (>= 1:1.1.4), kdelibs3-bin | kdelibs-bin, xbase-clients
Suggests: libarts | libarts-alsa | libarts-bin, libkmid | libkmid-alsa | libkmid-bin, kdelibs3-cups, aspell | ispell, anti-aliasing-howto, gdb, libsocksd | libsocks4, libssl0.9.6

$ wget
$ dpkg -I /tmp/kdelibs3_2.2.2-13.woody.13_i386.deb
Package: kdelibs3
Version: 4:2.2.2-13.woody.13
Section: libs
Priority: optional
Architecture: i386
Depends: libarts (>= 4:2.2.2-1) | libarts-alsa (>= 4:2.2.2-1), libbz2-1.0, libc6 (>= 2.2.4-4), libfam0, libglib2.0-0 (>= 2.0.1), libjpeg62, libpcre3, libpng2(>=1.0.12), libqt2 (>= 3:2.3.1-1), libstdc++2.10-glibc2.2 (>= 1:2.95.4-0.010810), libtiff3g, libxml2 (>= 2.4.19-4), libxslt1 (>= 1.0.16), xlibs (>> 4.1.0), zlib1g (>= 1:1.1.4), kdelibs3-bin | kdelibs-bin, xbase-clients
Suggests: libarts | libarts-alsa | libarts-bin, libkmid | libkmid-alsa | libkmid-bin, kdelibs3-cups, aspell | ispell, anti-aliasing-howto, gdb, libsocksd | libsocks4, libssl0.9.6
Installed-Size: 24032
Maintainer: Christopher L Cheney <[EMAIL PROTECTED]>
Source: kdelibs
Description: KDE core libraries (runtime files)
 KDE core libraries. You need these files to run kde applications.
$

What do you think is the appropriate course of action?

TIA,
Nikolaus Schulz

PS: Please note that I'm not subscribed to debian-security.
Re: local root exploit
Robert Vangel wrote:
> > It says it did exploit but it didn't...
> >
> > A.
>
> Try doing something that would require root (eg.. mount something, create a file in /, etc)

Yep I tried that but I don't have root permissions

[EMAIL PROTECTED]:~$ ./a.out

[+] SLAB cleanup
    child 1 VMAs 9019
[+] moved stack bfffe000, task_size=0xc000, map_base=0xbf80
[+] vmalloc area 0xc500 - 0xc9d17000
Wait... \
[+] race won maps=14088
    expanded VMA (0xbfffc000-0xe000)
[!] try to exploit 0xc594b000
[+] gate modified ( 0xffec9094 0x0804ec00 )
[+] exploited, uid=0

sh-2.05a$ whoami ; echo $UID
arnaud
0
sh-2.05a$ rm -rf /root/*
rm: cannot remove `/root/*': Permission denied
sh-2.05a$

I didn't get the original code working either with a tmpfs mounted... :(
Same result...

2.4.18-1-586tsc

A.
Re: local root exploit
A.J. Loonstra wrote:
> I tried modifying the exploit not to use /dev/shm... but this is what
> happens:
>
> ~$ ./a.out
>
> [+] SLAB cleanup
>     child 1 VMAs 287
> [+] moved stack bfffe000, task_size=0xc000, map_base=0xbf80
> [+] vmalloc area 0xc500 - 0xc9d17000
> Wait... |
> [+] race won maps=6768
>     expanded VMA (0xbfffc000-0xe000)
> [!] try to exploit 0xc594b000
> [+] gate modified ( 0xffec94bf 0x0804ec00 )
> [+] exploited, uid=0
>
> sh-2.05a$ whoami
> arnaud
> sh-2.05a$ mount
> /dev/hda1 on / type ext2 (rw,errors=remount-ro)
> proc on /proc type proc (rw)
> devpts on /dev/pts type devpts (rw,gid=5,mode=620)
> /dev/hda2 on /home type ext3 (rw)
> $sh-2.05a$ echo $UID
> 0
>
> It says it did exploit but it didn't...
>
> A.

Try doing something that would require root (eg.. mount something, create a file in /, etc)
Re: local root exploit
On Tue, Jan 11, 2005 at 10:18:46AM +0100, A.J. Loonstra wrote:
> I tried modifying the exploit not to use /dev/shm... but this is what
> happens:
>
> ~$ ./a.out
>
> [+] SLAB cleanup
>     child 1 VMAs 287
> [+] moved stack bfffe000, task_size=0xc000, map_base=0xbf80
> [+] vmalloc area 0xc500 - 0xc9d17000
> Wait... |
> [+] race won maps=6768
>     expanded VMA (0xbfffc000-0xe000)
> [!] try to exploit 0xc594b000
> [+] gate modified ( 0xffec94bf 0x0804ec00 )
> [+] exploited, uid=0
>
> sh-2.05a$ whoami
> arnaud
> sh-2.05a$ mount
> /dev/hda1 on / type ext2 (rw,errors=remount-ro)
> proc on /proc type proc (rw)
> devpts on /dev/pts type devpts (rw,gid=5,mode=620)
> /dev/hda2 on /home type ext3 (rw)
> $sh-2.05a$ echo $UID
> 0
>
> It says it did exploit but it didn't...

UID of 0 looks like it has to me, but I could be wrong.

Cheers,
-- 
Brett Parker
Re: local root exploit
I tried modifying the exploit not to use /dev/shm... but this is what happens:

~$ ./a.out

[+] SLAB cleanup
    child 1 VMAs 287
[+] moved stack bfffe000, task_size=0xc000, map_base=0xbf80
[+] vmalloc area 0xc500 - 0xc9d17000
Wait... |
[+] race won maps=6768
    expanded VMA (0xbfffc000-0xe000)
[!] try to exploit 0xc594b000
[+] gate modified ( 0xffec94bf 0x0804ec00 )
[+] exploited, uid=0

sh-2.05a$ whoami
arnaud
sh-2.05a$ mount
/dev/hda1 on / type ext2 (rw,errors=remount-ro)
proc on /proc type proc (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/hda2 on /home type ext3 (rw)
$sh-2.05a$ echo $UID
0

It says it did exploit but it didn't...

A.
Re: local root exploit
A.J. Loonstra wrote:
> I tried modifying the exploit not to use /dev/shm... but this is what happens:
> (...)
> It says it did exploit but it didn't...

I just modified it the same way (without /dev/shm tmpfs-mounted). And it worked as expected (uid 0 and root access).

Perhaps you inadvertently entered the Twilight Zone?

Christophe
Re: local root exploit
What about this:

./elflbl

[+] SLAB cleanup
    child 1 VMAs 87
[+] moved stack bfffe000, task_size=0xc000, map_base=0xbf80
[+] vmalloc area 0xe040 - 0xd000
[-] FAILED: uselib (Exec format error)

This is on woody, with a vulnerable kernel (2.4.28 with ow1 and vserver). I don't quite understand why it isn't working though...

-- 
Dariush Pietrzak,
Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9