Re: Port 113 (auth) accept or deny?
On 2002-02-09, Brandon High wrote:

>>
>> should I open(accept) or close(deny, perhaps reject?) the port 113???
[...]
>I just don't know what you might need the ident server for.

That's why you should read that thread. It was explained there several
times, IIRC.

s.

--
(0>  Jakub Jankowski   [url]: s.atn.pl  "Life is a bitch,
//\  [EMAIL PROTECTED] [rlu]: 174516     and then you die"
V_/_ [EMAIL PROTECTED] [ekg]: 921514
Re: Port 113 (auth) accept or deny?
On 2002-02-09, Brandon High wrote:

[...]
>> should I open(accept) or close(deny, perhaps reject?) the port 113???
>
>I've got it closed on my machines. I don't know what you might need it
>for.

We've been through at least once, haven't we? *sigh*
Please read the whole thread:
http://lists.debian.org/debian-security/2001/debian-security-200108/msg00297.html

s.

--
(0>  Jakub Jankowski   [url]: s.atn.pl  "Life is a bitch,
//\  [EMAIL PROTECTED] [rlu]: 174516     and then you die"
V_/_ [EMAIL PROTECTED] [ekg]: 921514
Layne (was: Re: Is ident secure?)
On 2001-08-31, Layne wrote:

>SEND ME NO MORE E-MAIL YOU SPERM BURPING GUTTER SLUT. FUCK YOU.

Couldn't list-admins blackhole this moron? Please? :)

shasta

--
(0>  Jakub Jankowski    "Beauty is skin deep;
//\  [EMAIL PROTECTED]   ugly goes right
V_/_ [EMAIL PROTECTED]   to the bone."
Re: strangelog
On 2001-08-12, Rudy Gevaert wrote:

>This weekend I got a strange log:
[...]
>Aug 11 06:25:03 alhandra su[3584]: + ??? root-nobody
>Aug 11 06:25:03 alhandra PAM_unix[3584]: (su) session opened for user nobody by (uid=0)
[...]
>I'm sure I was asleep at that time... What is this? Did someone log in?

Nope, no one logged in.

>Or was it a service who su'ed? (I doubt it).

It was one of your cron jobs, I suppose.

Jakub.

--
(0>  Jakub Jankowski    "Beauty is skin deep;
//\  [EMAIL PROTECTED]   ugly goes right
V_/_ [EMAIL PROTECTED]   to the bone."
Re: auth.log
On 2001-06-20, Matthias Fritschi wrote:

> > Jun 20 06:25:02 blacksun su[2095]: + ??? root-nobody
> > Jun 20 06:25:02 blacksun PAM_unix[2095]: (su) session opened for user nobody by (uid=0)
>
>could that mean somebody got into the server using a security leak in
>a process running as nobody? at this time, i was still sleeping
[...]

No. It means that some process running with root privileges switched its
uid to nobody's. There is some cron job executed at 6:25am probably, this
is the most common reason of 'automatic' su'ing from root to nobody.
Look for files containing string "25 6 *" somewhere under /var. Their
contents should explain you many things.

I hope it'll help.

>matthias fritschi

Jakub Jankowski

--
(0>  Jakub Jankowski   [url]: s.atn.pl    "Beauty is skin deep;
//\  [EMAIL PROTECTED] [uin]: 70171776     ugly goes right
V_/_ [EMAIL PROTECTED] [cell]: 502110186   to the bone."
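The triage described in the "strangelog" and "auth.log" replies above, as an added example that is not part of either message: it parses su lines in the quoted format and marks a root su with no tty ("???") as cron-driven when its hour and minute fall on a crontab schedule. The crontab line, the third log line and all function names are constructed for illustration, and only the minute and hour fields are compared.

```python
import re

# Constructed input: the two su lines quoted in the messages above, plus one
# made-up interactive su (alice on pts/1) for contrast.
SAMPLE_LOG = """\
Jun 20 06:25:02 blacksun su[2095]: + ??? root-nobody
Aug 11 06:25:03 alhandra su[3584]: + ??? root-nobody
Jun 20 14:02:11 blacksun su[4410]: + pts/1 alice-root
"""
# Constructed crontab line (assumption): a daily job scheduled for 06:25.
SAMPLE_CRONTAB = "# m h dom mon dow user command\n25 6 * * * root run-parts /etc/cron.daily\n"

# su log format: "<+|-> <tty> <from>-<to>"; "+" is success, "???" is no tty.
SU_RE = re.compile(r"^\w{3}\s+\d+ (\d\d):(\d\d):\d\d (\S+) su\[(\d+)\]: "
                   r"([+-]) (\S+) ([^\s-]+)-(\S+)$")

def field_matches(spec, value):
    """Match one crontab time field; supports *, */n, a-b and a,b,c."""
    for part in spec.split(","):
        rng, _, step = part.partition("/")
        if rng == "*":
            lo, hi = 0, 59
        elif "-" in rng:
            lo, hi = map(int, rng.split("-"))
        else:
            lo = hi = int(rng)
        if lo <= value <= hi and (value - lo) % int(step or 1) == 0:
            return True
    return False

def schedules(crontab_text):
    """Return (minute, hour) specs of every numeric schedule line."""
    rows = (l.split() for l in crontab_text.splitlines())
    return [(f[0], f[1]) for f in rows if len(f) >= 6 and f[0][0] in "*0123456789"]

def triage(log_text, crontab_text):
    """Label each su line 'cron' (root, no tty, on a scheduled minute) or 'review'."""
    jobs, out = schedules(crontab_text), []
    for line in log_text.splitlines():
        m = SU_RE.match(line)
        if not m:
            continue
        hh, mm, host, pid, ok, tty, src, dst = m.groups()
        on_schedule = any(field_matches(mi, int(mm)) and field_matches(ho, int(hh))
                          for mi, ho in jobs)
        cron_like = ok == "+" and tty == "???" and src == "root" and on_schedule
        out.append((host, int(pid), f"{src}->{dst}", "cron" if cron_like else "review"))
    return out

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG, SAMPLE_CRONTAB):
        print(row)
```

Lines labelled "review" are the ones to look at by hand: a su from a real terminal, a failed attempt, or one that matches no known schedule.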
Re: Exploit
On 2001-06-09, Tomasz Olszewski wrote:

>Could you please tell me how I can prevent from following exploit:

Do you really think it's an 'exploit'? ;>

[EMAIL PROTECTED] admin$ cat l33t.sh
#!/bin/sh
echo "1|nux r007 3xp10|7 by 1c4m7uf"
cd /tmp
cat >ex.c <

s.

--
(0>  Jakub Jankowski   [url]: s.atn.pl    "Beauty is skin deep;
//\  [EMAIL PROTECTED] [uin]: 70171776     ugly goes right
V_/_ [EMAIL PROTECTED] [cell]: 502110186   to the bone."
Re: Strange output from "last" command
On 2001-03-21, William R. Ward wrote:

>My wtmp file seems to have some rather strange entries...
>
>xx pts/3xxx.xxx.xxx.xxx Wed Mar 21 14:17 still logged in
>date { Wed Mar 21 02:00 still logged in
>date | Wed Mar 21 02:00 still logged in
[...]

On my debian box, rdate -s some.time.server adds similar entries to my
wtmp. I guess you synchronize your system clock using rdate, don't you?

I hope it will help.

>--Bill.

Regards,
Jakub.

--
(0>  Jakub Jankowski   [url]: none
//\  [EMAIL PROTECTED] [uin]: 70771776
V_/_ [EMAIL PROTECTED] [cell]: 502110186